[ { "path": ".dockerignore", "content": "docs/vendor\ndocs/_site\ndist/\n.history/\n" }, { "path": ".editorconfig", "content": "# EditorConfig helps developers define and maintain consistent\n# coding styles between different editors and IDEs\n# editorconfig.org\n\nroot = true\n\n[*]\nend_of_line = lf\ncharset = utf-8\ntrim_trailing_whitespace = true\ninsert_final_newline = true\nindent_style = space\nindent_size = 2\n\n[*.go]\nindent_style = tab\n\n[internal/output/testdata/*.md]\ntrim_trailing_whitespace = false\n\n[Makefile]\nindent_style = tab" }, { "path": ".gemini/config.yaml", "content": "have_fun: false\ncode_review:\n disable: false\n comment_severity_threshold: MEDIUM\n max_review_comments: -1\n pull_request_opened:\n help: false\n summary: false\n code_review: false\n include_drafts: true\nignore_patterns: []\n" }, { "path": ".github/PULL_REQUEST_TEMPLATE/PULL_REQUEST_TEMPLATE.md", "content": "## Overview\n\n**Please create an issue to discuss the proposed changes before sending a pull request.**\n\nA brief description of the changes in this pull request. What is the purpose of this PR? What issue does it fix?\n\nFixes # (issue)\n\n## Details\n\nProvide a more detailed description of the changes. This can include:\n\n- The approach taken to solve the problem.\n- Any technical details that are relevant to the review.\n- Before and after screenshots (if applicable).\n\n## Testing\n\nPlease describe the tests that you ran to verify your changes. For example:\n\n- I have added unit tests for the new functionality.\n- I have run the existing test suite and all tests pass.\n- I have manually tested the changes in the following way: ...\n\n## Checklist\n\n- [ ] I have signed the [Contributor License Agreement](https://cla.developers.google.com/).\n- [ ] I have run the linter using `./scripts/run_lints.sh`.\n- [ ] I have run the unit tests using `./scripts/run_tests.sh`.\n- [ ] I have made my commits and PR title follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification.\n" }, { "path": ".github/workflows/cassettes.yml", "content": "name: Cassettes\n\non:\n schedule:\n - cron: \"47 20 * * *\"\n workflow_dispatch:\nconcurrency:\n # Pushing new changes to a branch will cancel any in-progress CI runs\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n update:\n permissions:\n contents: write # to fetch and commit code\n actions: write # to manually dispatch checks on the pull request\n pull-requests: write # Create pull requests\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - run: ./scripts/run_tests.sh || true\n env:\n TEST_ACCEPTANCE: true\n TEST_VCR_MODE: recordonly\n UPDATE_SNAPS: always\n - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0\n with:\n token: ${{ secrets.PR_TOKEN_BOT }}\n title: \"test: update cassettes\"\n body: >\n The cassettes have changed, probably due to OSV advisories being changed.\n\n Please review the differences to make sure that they're expected!\n branch: \"bot/update-cassettes\"\n author: \"osv-robot \"\n commit-message: \"test: update cassettes\"\n" }, { "path": ".github/workflows/checks.yml", "content": "# Copyright 2021 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Checks\n\non:\n push:\n branches: [\"main\", \"v1\", \"mcp\"]\n pull_request:\n # The branches below must be a subset of the branches above\n branches: [\"main\", \"v1\", \"mcp\"]\n workflow_dispatch:\n\nconcurrency:\n # Pushing new changes to a branch will cancel any in-progress CI runs\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n ensure_snapshots_are_being_cleaned:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - run: scripts/report_uncleaned_snapshots.py\n filenames:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - run: |\n find . -mindepth 1 ! -regex '.*/[#@A-Za-z0-9._-]*' -print0 \\\n | xargs -0 -I{} bash -c \\\n 'printf \"::error file=%q::This filename contains undesired characters\\n\" \"$1\" && false' _ {}\n format:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: prettier\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - name: Run format action\n uses: ./.github/workflows/format-action\n tidy:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: go mod tidy\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - run: go mod tidy -diff\n lint:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: golangci-lint\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - name: Run lint action\n uses: ./.github/workflows/lint-action\n prepare_test_image_testdata:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - run: scripts/build_test_images.sh\n - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0\n with:\n name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}\n path: cmd/osv-scanner/scan/image/testdata/*.tar\n retention-days: 1\n tests:\n permissions:\n contents: read # to fetch code (actions/checkout)\n needs:\n - prepare_test_image_testdata\n name: Run unit tests\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1\n with:\n pattern: image-testdata-${{ github.run_number }}-*\n path: cmd/osv-scanner/scan/image/testdata/\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - name: Run test action\n uses: ./.github/workflows/test-action\n with:\n codecov_token: ${{ secrets.CODECOV_TOKEN }}\n docker:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n env:\n # Required for buildx on docker 19.x\n DOCKER_CLI_EXPERIMENTAL: \"enabled\"\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0\n - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0\n - name: Run GoReleaser\n id: run-goreleaser\n uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n with:\n distribution: goreleaser\n version: \"~> v2\"\n args: release --clean --snapshot\n - env:\n ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}\n run: |\n echo \"$ARTIFACTS\" > output.json\n jq -r '.[] | select(\n .type == \"Docker Image\" and\n .goarch == \"amd64\" and\n .goos == \"linux\" and\n .extra.DockerConfig.dockerfile == \"goreleaser.dockerfile\"\n ) | .name' output.json | while read -r image; do\n echo \"Testing image $image\"\n\n exit_code=0\n docker run -v ${PWD}:/src $image -L /src/go.mod || exit_code=$?\n\n # fail if we get a non-zero exit code other than \"vulnerabilities were found\"\n if [[ $exit_code -ne 0 && $exit_code -ne 1 ]]; then\n exit $exit_code\n fi\n done\n" }, { "path": ".github/workflows/codeql-analysis.yml", "content": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# You may wish to alter this file to override the set of languages analyzed,\n# or to provide custom queries or build logic.\n#\n# ******** NOTE ********\n# We have attempted to detect the languages in your repository. Please check\n# the `language` matrix defined below to confirm you have the correct set of\n# supported CodeQL languages.\n#\nname: \"CodeQL\"\n\non:\n push:\n branches: [main, v1]\n pull_request:\n # The branches below must be a subset of the branches above\n branches: [main, v1]\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n analyze:\n name: Analyze\n runs-on: ubuntu-latest\n permissions:\n actions: read\n contents: read\n security-events: write\n\n strategy:\n fail-fast: false\n matrix:\n language: [\"go\"]\n # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]\n # Learn more about CodeQL language support at https://git.io/codeql-language-support\n\n steps:\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n # Update go to the latest version to support minor go versions is go.mod file\n - name: Install Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: go.mod\n # Initializes the CodeQL tools for scanning.\n - name: Initialize CodeQL\n uses: github/codeql-action/init@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0\n with:\n languages: ${{ matrix.language }}\n # If you wish to specify custom queries, you can do so here or in a config file.\n # By default, queries listed here will override any specified in a config file.\n # Prefix the list here with \"+\" to use these queries and those in the config file.\n # queries: ./path/to/local/query, your-org/your-repo/queries@main\n\n # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).\n # If this step fails, then you should remove it and run the build manually (see below)\n - name: Autobuild\n uses: github/codeql-action/autobuild@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0\n\n # ℹī¸ Command-line programs to run using the OS shell.\n # 📚 https://git.io/JvXDl\n\n # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines\n # and modify them (or add more) to build your code if your project\n # uses a compiled language\n\n #- run: |\n # make bootstrap\n # make release\n\n - name: Perform CodeQL Analysis\n uses: github/codeql-action/analyze@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0\n" }, { "path": ".github/workflows/dependencies.yml", "content": "name: Dependencies\n\non:\n schedule:\n - cron: \"47 18 * * *\"\n workflow_dispatch:\nconcurrency:\n # Pushing new changes to a branch will cancel any in-progress CI runs\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n update:\n permissions:\n contents: write # to fetch and commit code\n actions: write # to manually dispatch checks on the pull request\n pull-requests: write # Create pull requests\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - run: |\n latest_commit=$(git ls-remote https://github.com/google/osv-scalibr.git HEAD | cut -f1)\n echo \"updating osv-scalibr to $latest_commit\"\n go get github.com/google/osv-scalibr@\"$latest_commit\"\n echo \"latest_scalibr_commit=$latest_commit\" >> \"$GITHUB_ENV\"\n go mod tidy\n - run: go test ./cmd/osv-scanner/ -run 'Test_run$' || true\n env:\n TEST_ACCEPTANCE: true\n TEST_VCR_MODE: replaywithnewepisodes\n UPDATE_SNAPS: always\n - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0\n with:\n token: ${{ secrets.PR_TOKEN_BOT }}\n title: \"feat: update osv-scalibr\"\n body: >\n This updates `osv-scalibr` to https://github.com/google/osv-scalibr/commit/${{ env.latest_scalibr_commit }}\n branch: \"bot/update-scalibr\"\n author: \"osv-robot \"\n commit-message: \"feat: update osv-scalibr to ${{ env.latest_scalibr_commit }}\"\n delete-branch: true\n" }, { "path": ".github/workflows/format-action/action.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: format\ndescription: \"Runs file formatters\"\n\nruns:\n using: composite\n steps:\n - name: Run formatters\n shell: bash\n run: ./scripts/run_formatters.sh\n" }, { "path": ".github/workflows/goreleaser-nightly.yml", "content": "name: Release nightly github action image\n\non:\n schedule:\n # we want the nightly builds only on work days\n - cron: \"0 0 * * 2-6\"\n # Allow us to manually call the workflow\n workflow_dispatch:\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n goreleaser:\n outputs:\n hashes: ${{ steps.hash.outputs.hashes }}\n permissions:\n packages: write # for goreleaser/goreleaser-action to publish docker images\n runs-on: ubuntu-latest\n env:\n # Required for buildx on docker 19.x\n DOCKER_CLI_EXPERIMENTAL: \"enabled\"\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n persist-credentials: false\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0\n - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0\n - name: ghcr-login\n uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0\n with:\n registry: ghcr.io\n username: ${{ github.repository_owner }}\n password: ${{ secrets.GITHUB_TOKEN }}\n - name: Run GoReleaser\n id: run-goreleaser\n uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n with:\n distribution: goreleaser\n version: \"~> v2\"\n # Essentially do a snapshot release, but still push the docker images\n # Skipping validate skips checks that the current commit has a tag\n args: release --clean --config .goreleaser-nightly.yml --skip validate,announce\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" }, { "path": ".github/workflows/goreleaser.yml", "content": "name: Release new version\n\non:\n push:\n tags:\n - \"*\" # triggers only if push new tag version, like `v0.8.4`\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n goreleaser:\n outputs:\n hashes: ${{ steps.hash.outputs.hashes }}\n permissions:\n contents: write # for goreleaser/goreleaser-action to create a GitHub release\n packages: write # for goreleaser/goreleaser-action to publish docker images\n runs-on: ubuntu-latest\n env:\n # Required for buildx on docker 19.x\n DOCKER_CLI_EXPERIMENTAL: \"enabled\"\n steps:\n - name: Checkout\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n fetch-depth: 0\n persist-credentials: false\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0\n - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0\n - name: ghcr-login\n uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0\n with:\n registry: ghcr.io\n username: ${{ github.repository_owner }}\n password: ${{ secrets.GITHUB_TOKEN }}\n - name: Detect stable tag\n id: detect_stable\n # Extracts tag name from git ref and check tag is stable\n # semantic version pattern (vMAJOR.MINOR.PATCH, e.g., v1.2.3)\n run: |\n TAG=\"${GITHUB_REF_NAME}\"\n if [[ \"$TAG\" =~ ^v[0-9]+\\.[0-9]+\\.[0-9]+$ ]]; then\n echo \"STABLE=true\" >> $GITHUB_ENV\n else\n echo \"STABLE=false\" >> $GITHUB_ENV\n fi\n - name: Run GoReleaser\n id: run-goreleaser\n uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0\n with:\n distribution: goreleaser\n version: \"~> v2\"\n args: release --clean\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n STABLE: ${{ env.STABLE }}\n - name: Generate subject\n id: hash\n env:\n ARTIFACTS: \"${{ steps.run-goreleaser.outputs.artifacts }}\"\n run: |\n set -euo pipefail\n checksum_file=$(echo \"$ARTIFACTS\" | jq -r '.[] | select (.type==\"Checksum\") | .path')\n echo \"hashes=$(cat $checksum_file | base64 -w0)\" >> \"$GITHUB_OUTPUT\"\n provenance:\n needs: [goreleaser]\n permissions:\n actions: read # To read the workflow path.\n id-token: write # To sign the provenance.\n contents: write # To add assets to a release.\n uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0\n with:\n base64-subjects: \"${{ needs.goreleaser.outputs.hashes }}\"\n upload-assets: true # upload to a new release\n draft-release: true # upload to a new draft release\n" }, { "path": ".github/workflows/links.yml", "content": "name: Check markdown links\n\non:\n push:\n paths:\n - \"**.md\"\n pull_request:\n paths:\n - \"**.md\"\n schedule:\n - cron: \"45 22 * * 1,4\"\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n check:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2\n with:\n use-quiet-mode: \"yes\"\n base-branch: \"main\"\n check-modified-files-only: ${{ github.event_name == 'schedule' && 'yes' || 'no'}}\n" }, { "path": ".github/workflows/lint-action/action.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: lint\ndescription: \"Runs go lints\"\n\nruns:\n using: composite\n steps:\n - name: Run golangci-lint\n uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0\n with:\n version-file: .golangci-lint-version\n args: --timeout=5m\n" }, { "path": ".github/workflows/osv-scanner-reusable-pr.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action\n\nname: OSV-Scanner PR scanning reusable\n\n# These are the permissions required by this reusable workflow to function.\n#\n# You should include a copy of this block next to any `uses:` of this workflow\npermissions:\n contents: read # to fetch code (actions/checkout)\n security-events: write # for uploading SARIF files (github/codeql-action/upload-sarif)\n\non:\n workflow_call:\n inputs:\n scan-args:\n description: \"Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output-file)\"\n type: string\n default: |-\n -r\n ./\n results-file-name:\n description: \"File name of the result SARIF file\"\n type: string\n default: results.sarif\n upload-sarif:\n description: \"Whether to upload to Security > Code Scanning\"\n type: boolean\n required: false\n default: true\n fail-on-vuln:\n description: \"Whether to fail the action on vulnerability found\"\n type: boolean\n default: true\n\njobs:\n scan-pr:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo \"### This action is deprecated\" >> $GITHUB_STEP_SUMMARY\n echo \"Please use https://github.com/google/osv-scanner-action instead\" >> $GITHUB_STEP_SUMMARY\n false\n" }, { "path": ".github/workflows/osv-scanner-reusable.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action\n\nname: OSV-Scanner scanning reusable\n\n# These are the permissions required by this reusable workflow to function.\n#\n# You should include a copy of this block next to any `uses:` of this workflow\npermissions:\n contents: read # to fetch code (actions/checkout)\n security-events: write # for uploading SARIF files (github/codeql-action/upload-sarif)\n\non:\n workflow_call:\n inputs:\n scan-args:\n description: \"Custom osv-scanner arguments (See https://google.github.io/osv-scanner/usage/ for options, you cannot set --format or --output-file)\"\n type: string\n default: |-\n -r\n ./\n results-file-name:\n description: \"File name of the result SARIF file\"\n type: string\n default: results.sarif\n download-artifact:\n description: \"Optional artifact to download for scanning\"\n required: false\n default: \"\"\n type: string\n upload-sarif:\n description: \"Whether to upload to Security > Code Scanning\"\n type: boolean\n required: false\n default: true\n fail-on-vuln:\n description: \"Whether to fail the action on vulnerability found\"\n type: boolean\n default: true\n\njobs:\n osv-scan:\n runs-on: ubuntu-latest\n steps:\n - run: |\n echo \"### This action is deprecated\" >> $GITHUB_STEP_SUMMARY\n echo \"Please use https://github.com/google/osv-scanner-action instead\" >> $GITHUB_STEP_SUMMARY\n false\n" }, { "path": ".github/workflows/osv-scanner-unified-action.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: OSV-Scanner Scheduled Scan\n\non:\n pull_request:\n branches: [\"main\", \"v1\", \"mcp\"]\n schedule:\n - cron: \"12 12 * * 1\"\n push:\n branches: [\"main\", \"v1\", \"mcp\"]\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n scan-scheduled:\n permissions:\n contents: read # to fetch code (actions/checkout)\n security-events: write # for uploading SARIF files\n actions: read\n if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}\n # If you want to copy this config, highly suggest pinning this to a release rather than tracking the nightly branch.\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@nightly\"\n scan-pr:\n permissions:\n contents: read # to fetch code (actions/checkout)\n security-events: write # for uploading SARIF files\n actions: read\n if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}\n # If you want to copy this config, highly suggest pinning this to a release rather than tracking the nightly branch.\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@nightly\"\n" }, { "path": ".github/workflows/prerelease-check.yml", "content": "name: Pre-release check\n\non:\n workflow_dispatch:\n inputs:\n version:\n description: \"The version tag to release, (e.g. v1.2.3)\"\n required: true\n type: string\n commit:\n description: \"The commit hash to release\"\n required: true\n type: string\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n osv-scan:\n permissions:\n contents: read # to fetch code (actions/checkout)\n security-events: write # for uploading SARIF files\n actions: read\n uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@main\n with:\n # Only scan the top level go.mod file without recursively scanning directories since\n # this is pipeline is about releasing the go module and binary\n scan-args: |-\n ./\n\n links:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1.1.2\n with:\n use-quiet-mode: \"yes\"\n base-branch: \"main\"\n format:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: prettier\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - name: Run lint action\n uses: ./.github/workflows/format-action\n tidy:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: go mod tidy\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - run: go mod tidy -diff\n lint:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: golangci-lint\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n ref: ${{ inputs.commit }}\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - name: Run lint action\n uses: ./.github/workflows/lint-action\n prepare_test_image_testdata:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - run: scripts/build_test_images.sh\n - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0\n with:\n name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}\n path: cmd/osv-scanner/scan/image/testdata/*.tar\n retention-days: 1\n tests:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: Run unit tests\n needs:\n - prepare_test_image_testdata\n strategy:\n fail-fast: false\n matrix:\n os: [ubuntu-latest, macos-latest, windows-latest]\n runs-on: ${{ matrix.os }}\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n ref: ${{ inputs.commit }}\n - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1\n with:\n name: image-testdata-${{ github.run_number }}-${{ github.run_attempt }}\n path: cmd/osv-scanner/scan/image/testdata/\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - name: Run test action\n uses: ./.github/workflows/test-action\n with:\n codecov_token: ${{ secrets.CODECOV_TOKEN }}\n generators:\n permissions:\n contents: read # to fetch code (actions/checkout)\n name: (re)generate code\n runs-on: ubuntu-latest\n steps:\n - name: Check out code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n ref: ${{ inputs.commit }}\n - name: Set up Go\n uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - name: Run generators\n run: go generate ./...\n - run: |\n git diff --name-only \\\n | xargs -I '{}' bash -c \\\n 'echo \"::error file={}::This needs to be regenerated by running \\`go generate ./...\\`\" && false'\n release-helper:\n permissions:\n contents: read # to fetch code (actions/checkout)\n runs-on: ubuntu-latest\n needs:\n - format\n - lint\n - tests\n - osv-scan\n steps:\n - name: Print Scripts\n env:\n OUTPUT: |\n git fetch upstream &&\n git tag ${{ inputs.version }} ${{ inputs.commit }} &&\n git push upstream ${{ inputs.version }}\n shell: bash\n run: |\n echo $OUTPUT\n" }, { "path": ".github/workflows/renovate-validator.yml", "content": "name: Renovate Config Validator\n\non:\n push:\n branches: [main, v2]\n paths:\n - \"renovate.json\"\n pull_request:\n branches: [main, v2]\n paths:\n - \"renovate.json\"\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n validate:\n runs-on: ubuntu-latest\n permissions:\n contents: read # to fetch code (actions/checkout)\n steps:\n - name: Checkout code\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n\n - name: Set up Nodes.js\n uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0\n with:\n node-version: latest\n\n - name: Validate Renovate Config\n run: npx --yes --package renovate -- renovate-config-validator\n" }, { "path": ".github/workflows/scorecards.yml", "content": "# This workflow uses actions that are not certified by GitHub. They are provided\n# by a third-party and are governed by separate terms of service, privacy\n# policy, and support documentation.\n\nname: Scorecards supply-chain security\non:\n # For Branch-Protection check. Only the default branch is supported. See\n # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection\n branch_protection_rule:\n # To guarantee Maintained check is occasionally updated. See\n # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained\n schedule:\n - cron: \"32 22 * * 6\"\n push:\n branches: [\"main\"]\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n analysis:\n name: Scorecards analysis\n runs-on: ubuntu-latest\n permissions:\n # Needed to upload the results to code-scanning dashboard.\n security-events: write\n # Needed to publish results and get a badge (see publish_results below).\n id-token: write\n # Uncomment the permissions below if installing in a private repository.\n # contents: read\n # actions: read\n\n steps:\n - name: \"Checkout code\"\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n\n - name: \"Run analysis\"\n uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3\n with:\n results_file: results.sarif\n results_format: sarif\n # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:\n # - you want to enable the Branch-Protection check on a *public* repository, or\n # - you are installing Scorecards on a *private* repository\n # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.\n # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}\n\n # Public repositories:\n # - Publish results to OpenSSF REST API for easy access by consumers\n # - Allows the repository to include the Scorecard badge.\n # - See https://github.com/ossf/scorecard-action#publishing-results.\n # For private repositories:\n # - `publish_results` will always be set to `false`, regardless\n # of the value entered here.\n publish_results: true\n\n # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF\n # format to the repository Actions tab.\n - name: \"Upload artifact\"\n uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0\n with:\n name: SARIF file\n path: results.sarif\n retention-days: 5\n\n # Upload the results to GitHub's code scanning dashboard.\n - name: \"Upload to code-scanning\"\n uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0\n with:\n sarif_file: results.sarif\n" }, { "path": ".github/workflows/snapshots.yml", "content": "name: Snapshots\n\non:\n schedule:\n - cron: \"47 18 * * *\"\n workflow_dispatch:\nconcurrency:\n # Pushing new changes to a branch will cancel any in-progress CI runs\n group: ${{ github.workflow }}-${{ github.ref }}\n cancel-in-progress: true\n\n# Restrict jobs in this workflow to have no permissions by default; permissions\n# should be granted per job as needed using a dedicated `permissions` block\npermissions: {}\n\njobs:\n update:\n permissions:\n contents: write # to fetch and commit code\n actions: write # to manually dispatch checks on the pull request\n pull-requests: write # Create pull requests\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0\n with:\n go-version-file: \"go.mod\"\n check-latest: true\n - run: ./scripts/run_tests.sh || true\n env:\n TEST_ACCEPTANCE: true\n TEST_VCR_MODE: replaywithnewepisodes\n UPDATE_SNAPS: always\n - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0\n with:\n token: ${{ secrets.PR_TOKEN_BOT }}\n title: \"test: update snapshots\"\n body: >\n The snapshots have changed, probably due to OSV advisories being changed.\n\n Please review the differences to make sure that they're expected!\n branch: \"bot/update-snapshots\"\n author: \"osv-robot \"\n commit-message: \"test: update snapshots\"\n" }, { "path": ".github/workflows/staleness.yml", "content": "name: \"Close stale issues and PRs\"\n\npermissions: read-all\n\non:\n schedule:\n - cron: \"0 * * * *\"\n\njobs:\n stale:\n permissions:\n issues: write\n pull-requests: write\n runs-on: ubuntu-latest\n steps:\n - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0\n with:\n days-before-stale: 60\n days-before-close: 14\n operations-per-run: 100\n remove-stale-when-updated: true\n exempt-issue-labels: \"good first issue,V2 Wishlist,backlog\"\n exempt-all-assignees: true\n ignore-updates: false\n stale-issue-label: stale\n stale-issue-message: |\n This issue has not had any activity for 60 days and will be automatically closed in two weeks\n\n See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.\n stale-pr-label: stale\n stale-pr-message: |\n This pull request has not had any activity for 60 days and will be automatically closed in two weeks\n close-issue-label: \"autoclosed\"\n close-issue-message: |\n Automatically closing stale issue\n close-pr-label: \"autoclosed\"\n close-pr-message: |\n Automatically closing stale pull request\n" }, { "path": ".github/workflows/test-action/action.yml", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: test\ndescription: \"Runs go tests\"\n\ninputs:\n codecov_token:\n description: \"Token for uploading coverage reports to Codecov\"\n required: true\n\nruns:\n using: composite\n steps:\n - name: Run go test\n shell: bash\n env:\n TEST_ACCEPTANCE: true\n run: ./scripts/run_tests.sh\n - name: Upload coverage to Codecov\n uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2\n with:\n token: ${{ inputs.codecov_token }}\n fail_ci_if_error: true\n" }, { "path": ".github/workflows/title.yml", "content": "# Copyright 2024 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nname: Title\n\non:\n # `pull_request_target` is only required when editing PRs from forks.\n pull_request:\n types:\n - opened\n - edited\n - reopened\n\npermissions:\n pull-requests: read\n\njobs:\n check:\n runs-on: ubuntu-latest\n steps:\n - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1\n env:\n GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}\n" }, { "path": ".github/workflows/zizmor.yml", "content": "name: GitHub Actions Security Analysis with zizmor 🌈\n\non:\n pull_request:\n paths: [\".github/workflows/**\"]\n push:\n branches: [\"main\"]\n\npermissions: {}\n\njobs:\n zizmor:\n runs-on: ubuntu-latest\n permissions:\n security-events: write\n contents: read\n actions: read\n steps:\n - name: Checkout repository\n uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2\n with:\n persist-credentials: false\n\n - name: Run zizmor 🌈\n uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2\n" }, { "path": ".gitignore", "content": ".history/\n.vscode/\n.idea/\n/dist/\n/osv-scanner\n/temp\n/coverage.out\n/coverage.html\n*.tar\n*.pprof\n.go-version\nnode_modules\n\nosv-scalibr-portal\n\n# we don't want to check in this file as it's very very large\n/internal/semantic/testdata/redhat-versions-generated.txt\n" }, { "path": ".golangci-lint-version", "content": "v2.9\n" }, { "path": ".golangci.yaml", "content": "version: \"2\"\n\nlinters:\n default: all\n # prettier-ignore\n disable:\n - cyclop #\n - err113 # will re-add later (another-rex)\n - exhaustruct # overkill (g-rath)\n - forcetypeassert # too hard (g-rath)\n - funlen #\n - funcorder #\n - gochecknoglobals # disagree with, for non changing variables (another-rex)\n - gocognit #\n - goconst # not everything should be a constant\n - gocyclo #\n - godot # comments are fine without full stops (g-rath)\n - godox # to-do comments are fine (g-rath)\n - ireturn # disagree with, sort of (g-rath)\n - lll # line length is hard (g-rath)\n - maintidx #\n - mnd # not every number is magic (g-rath)\n - nestif #\n - noinlineerr #\n - nonamedreturns # disagree with, for now (another-rex)\n - tagliatelle # we're parsing data from external sources (g-rath)\n - testpackage # will re-add later (another-rex)\n - varnamelen # maybe later (g-rath)\n - wrapcheck # too difficult, will re-add later (another-rex)\n - wsl # disagree with, for now (g-rath)\n - wsl_v5 # disagree with, for now (g-rath)\n settings:\n depguard:\n rules:\n regexp:\n files:\n - \"!**/internal/cachedregexp/**\"\n - \"!**/internal/testutility/normalize.go\"\n - \"!**/pkg/osvscanner/exclude.go\"\n deny:\n - pkg: regexp\n desc: Use github.com/google/osv-scanner/v2/internal/cachedregexp instead\n exhaustive:\n default-signifies-exhaustive: true\n forbidigo:\n forbid:\n - pattern: ^testing.T.Skip\n pkg: ^testing$\n msg: go-snaps needs to know the test has been skipped, so use `testutility.Skip` instead\n - pattern: ^os.Getwd\n pkg: ^os$\n msg: use `testutility.GetCurrentWorkingDirectory`\n analyze-types: true\n gocritic:\n disabled-checks:\n - ifElseChain\n govet:\n enable-all: true\n disable:\n - fieldalignment\n - shadow\n nlreturn:\n block-size: 2\n revive:\n rules:\n - name: increment-decrement\n disabled: true\n - name: blank-imports\n disabled: false\n - name: context-as-argument\n disabled: false\n - name: context-keys-type\n disabled: false\n - name: dot-imports\n disabled: false\n - name: empty-block\n disabled: false\n - name: error-naming\n disabled: false\n - name: error-return\n disabled: false\n - name: error-strings\n disabled: false\n - name: errorf\n disabled: false\n - name: exported\n disabled: false\n arguments:\n # TODO: get these all enabled\n - \"check-private-receivers\"\n # - \"check-public-interface\"\n - \"disable-checks-on-constants\"\n - \"disable-checks-on-functions\"\n - \"disable-checks-on-methods\"\n - \"disable-checks-on-types\"\n - \"disable-checks-on-variables\"\n - name: import-alias-naming\n disabled: false\n - name: import-shadowing\n disabled: false\n - name: indent-error-flow\n disabled: false\n - name: package-comments\n disabled: false\n - name: range\n disabled: false\n - name: receiver-naming\n disabled: false\n - name: redefines-builtin-id\n disabled: false\n - name: redundant-test-main-exit\n disabled: false\n - name: superfluous-else\n disabled: false\n - name: time-naming\n disabled: false\n - name: unexported-return\n disabled: false\n - name: unreachable-code\n disabled: false\n - name: unused-parameter\n disabled: false\n - name: use-any\n disabled: false\n - name: var-declaration\n disabled: false\n - name: var-naming\n disabled: false\n arguments:\n - [] # AllowList\n - [] # DenyList\n - - skip-package-name-checks: true\n exclusions:\n generated: lax\n presets:\n - common-false-positives\n - legacy\n - std-error-handling\n rules:\n - path: _test\\.go\n linters:\n - dupl\n - path-except: _test\\.go\n text: use `testutility.GetCurrentWorkingDirectory`\n paths:\n - internal/thirdparty/\n - third_party$\n - builtin$\n - examples$\n\nformatters:\n enable:\n - gofmt\n - goimports\n exclusions:\n generated: lax\n paths:\n - internal/thirdparty/\n - third_party$\n - builtin$\n - examples$\n\nissues:\n max-issues-per-linter: 0\n max-same-issues: 0\n" }, { "path": ".goreleaser-nightly.yml", "content": "version: 2\n\nbefore:\n hooks:\n - go mod tidy\nbuilds:\n - main: ./cmd/osv-scanner/\n id: osv-scanner\n binary: osv-scanner\n env:\n # goreleaser does not work with CGO, it could also complicate\n # usage by users in CI/CD systems like Terraform Cloud where\n # they are unable to install libraries.\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n - linux\n goarch:\n - amd64\n - main: ./cmd/osv-scanner/\n id: osv-scanner-action\n binary: osv-scanner-action\n env:\n # goreleaser does not work with CGO, it could also complicate\n # usage by users in CI/CD systems like Terraform Cloud where\n # they are unable to install libraries.\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}.nightly_GHAction\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n - linux\n goarch:\n - amd64\n - main: ./cmd/osv-reporter/\n id: osv-reporter\n binary: osv-reporter\n env: # osv-reporter for github action\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n - linux\n goarch:\n - amd64\n\ndockers:\n # Main osv-scanner\n - image_templates:\n - \"ghcr.io/google/osv-scanner:nightly\"\n dockerfile: goreleaser.dockerfile\n use: buildx\n build_flag_templates:\n - \"--pull\"\n - \"--label=org.opencontainers.image.title=osv-scanner\"\n - \"--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev\"\n - \"--label=org.opencontainers.image.licenses=Apache License 2.0\"\n - \"--label=org.opencontainers.image.created={{.Date}}\"\n - \"--label=org.opencontainers.image.name={{.ProjectName}}\"\n - \"--label=org.opencontainers.image.revision={{.FullCommit}}\"\n - \"--label=org.opencontainers.image.version={{.Version}}\"\n - \"--label=org.opencontainers.image.source={{.GitURL}}\"\n - \"--label=org.opencontainers.image.url={{.GitURL}}\"\n - \"--platform=linux/amd64\"\n # Github Action\n - image_templates:\n - \"ghcr.io/google/osv-scanner-action:nightly\"\n dockerfile: goreleaser-action.dockerfile\n use: buildx\n extra_files:\n - exit_code_redirect.sh\n build_flag_templates:\n - \"--pull\"\n - \"--label=org.opencontainers.image.title=osv-scanner-action\"\n - \"--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev\"\n - \"--label=org.opencontainers.image.licenses=Apache-2.0\"\n - \"--label=org.opencontainers.image.created={{.Date}}\"\n - \"--label=org.opencontainers.image.name={{.ProjectName}}\"\n - \"--label=org.opencontainers.image.revision={{.FullCommit}}\"\n - \"--label=org.opencontainers.image.version={{.Version}}\"\n - \"--label=org.opencontainers.image.source={{.GitURL}}\"\n - \"--label=org.opencontainers.image.url={{.GitURL}}\"\n - \"--platform=linux/amd64\"\n goarch: amd64\n\nrelease:\n disable: true\nchangelog:\n disable: true\n" }, { "path": ".goreleaser.yml", "content": "version: 2\n\nbefore:\n hooks:\n - go mod tidy\nbuilds:\n - main: ./cmd/osv-scanner/\n id: osv-scanner\n binary: osv-scanner\n env:\n # goreleaser does not work with CGO, it could also complicate\n # usage by users in CI/CD systems like Terraform Cloud where\n # they are unable to install libraries.\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n # Further testing before supporting freebsd\n # - freebsd\n - windows\n - linux\n - darwin\n goarch:\n - amd64\n # 32bit does not compile at the moment because of spdx dependency\n # - '386'\n # Further testing before supporting arm\n # - arm\n - arm64\n - main: ./cmd/osv-scanner/\n id: osv-scanner-action\n binary: osv-scanner-action\n env:\n # goreleaser does not work with CGO, it could also complicate\n # usage by users in CI/CD systems like Terraform Cloud where\n # they are unable to install libraries.\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}_GHAction\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n - linux\n goarch:\n - amd64\n - main: ./cmd/osv-reporter/\n id: osv-reporter\n binary: osv-reporter\n env: # osv-reporter for github action\n - CGO_ENABLED=0\n - GO111MODULE=on\n mod_timestamp: \"{{ .CommitTimestamp }}\"\n flags:\n - -trimpath\n ldflags:\n - \"-s -w\"\n - \"-X github.com/google/osv-scanner/v2/internal/version.OSVVersion={{.Version}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.commit={{.Commit}}\"\n - \"-X github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd.date={{.CommitDate}}\"\n goos:\n - linux\n goarch:\n - amd64\n\ndockers:\n # Arch: amd64\n - image_templates:\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-amd64\"\n dockerfile: goreleaser.dockerfile\n use: buildx\n build_flag_templates:\n - \"--pull\"\n - \"--label=org.opencontainers.image.title=osv-scanner\"\n - \"--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev\"\n - \"--label=org.opencontainers.image.licenses=Apache License 2.0\"\n - \"--label=org.opencontainers.image.created={{.Date}}\"\n - \"--label=org.opencontainers.image.name={{.ProjectName}}\"\n - \"--label=org.opencontainers.image.revision={{.FullCommit}}\"\n - \"--label=org.opencontainers.image.version={{.Version}}\"\n - \"--label=org.opencontainers.image.source={{.GitURL}}\"\n - \"--label=org.opencontainers.image.url={{.GitURL}}\"\n - \"--platform=linux/amd64\"\n # Arch: arm64\n - image_templates:\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-arm64\"\n dockerfile: goreleaser.dockerfile\n use: buildx\n build_flag_templates:\n - \"--pull\"\n - \"--label=org.opencontainers.image.title=osv-scanner\"\n - \"--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev\"\n - \"--label=org.opencontainers.image.licenses=Apache-2.0\"\n - \"--label=org.opencontainers.image.created={{.Date}}\"\n - \"--label=org.opencontainers.image.name={{.ProjectName}}\"\n - \"--label=org.opencontainers.image.revision={{.FullCommit}}\"\n - \"--label=org.opencontainers.image.version={{.Version}}\"\n - \"--label=org.opencontainers.image.source={{.GitURL}}\"\n - \"--label=org.opencontainers.image.url={{.GitURL}}\"\n - \"--platform=linux/arm64\"\n goarch: arm64\n # Github Action\n - image_templates:\n - \"ghcr.io/google/osv-scanner-action:{{ .Tag }}\"\n dockerfile: goreleaser-action.dockerfile\n use: buildx\n extra_files:\n - exit_code_redirect.sh\n build_flag_templates:\n - \"--pull\"\n - \"--label=org.opencontainers.image.title=osv-scanner-action\"\n - \"--label=org.opencontainers.image.description=Vulnerability scanner written in Go which uses the data provided by https://osv.dev\"\n - \"--label=org.opencontainers.image.licenses=Apache-2.0\"\n - \"--label=org.opencontainers.image.created={{.Date}}\"\n - \"--label=org.opencontainers.image.name={{.ProjectName}}\"\n - \"--label=org.opencontainers.image.revision={{.FullCommit}}\"\n - \"--label=org.opencontainers.image.version={{.Version}}\"\n - \"--label=org.opencontainers.image.source={{.GitURL}}\"\n - \"--label=org.opencontainers.image.url={{.GitURL}}\"\n - \"--platform=linux/amd64\"\n goarch: amd64\n\ndocker_manifests:\n - name_template: \"ghcr.io/google/osv-scanner:{{ .Tag }}\"\n image_templates:\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-amd64\"\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-arm64\"\n - name_template: \"ghcr.io/google/osv-scanner:latest\"\n image_templates:\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-amd64\"\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-arm64\"\n - name_template: \"ghcr.io/google/osv-scanner:stable\"\n image_templates:\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-amd64\"\n - \"ghcr.io/google/osv-scanner:{{ .Tag }}-arm64\"\n skip_push: \"{{ ne .Env.STABLE `true` }}\"\n\narchives:\n - formats: binary\n name_template: \"{{ .Binary }}_{{ .Os }}_{{ .Arch }}\"\n ids:\n - osv-scanner\nchecksum:\n name_template: \"{{ .ProjectName }}_SHA256SUMS\"\n algorithm: sha256\nrelease:\n draft: true\nchangelog:\n disable: false\n" }, { "path": ".pre-commit-hooks.yaml", "content": "---\n- id: osv-scanner\n name: osv-scanner\n description: Scan the current working directory for vulnerable dependencies\n entry: osv-scanner\n always_run: true\n pass_filenames: false\n language: golang\n args:\n - \"scan\"\n - \"source\"\n - \"--format=vertical\"\n - \"--recursive\"\n - \"--verbosity=error\"\n - \".\"\n" }, { "path": ".prettierignore", "content": "**/testdata/**\n/docs/vendor/**\n/docs/_sites/**\n/internal/output/html/*.gohtml\n" }, { "path": ".prettierrc.json", "content": "{\n \"$schema\": \"https://json.schemastore.org/prettierrc\",\n \"singleQuote\": false,\n \"proseWrap\": \"preserve\",\n \"endOfLine\": \"lf\",\n \"arrowParens\": \"avoid\",\n \"trailingComma\": \"none\",\n \"htmlWhitespaceSensitivity\": \"ignore\"\n}\n" }, { "path": "CHANGELOG.md", "content": "# v2.3.4\n\n### Features:\n\n- [Feature #2571](https://github.com/google/osv-scanner/pull/2571) Enable transitive scanning for Python requirements.txt files using the deps.dev API.\n- [Feature #2649](https://github.com/google/osv-scanner/pull/2649) Add ability to allow unsafe plugins, logging a warning when any unsafe plugin is enabled.\n\n### Fixes:\n\n- [Bug #2630](https://github.com/google/osv-scanner/pull/2630) Improve startup performance on Windows Terminal by updating lipgloss.\n- [Bug #2599](https://github.com/google/osv-scanner/pull/2599) Ensure the package deprecation enricher respects the same configuration as other plugins.\n- [Bug #2600](https://github.com/google/osv-scanner/pull/2600) Ensure the Java extractor plugin for call analysis respects the same configuration as other plugins.\n\n### Misc:\n\n- Update osv-scalibr from v0.4.2 to v0.4.5. Release notes: [v0.4.3](https://github.com/google/osv-scalibr/releases/tag/v0.4.3), [v0.4.4](https://github.com/google/osv-scalibr/releases/tag/v0.4.4), [v0.4.5](https://github.com/google/osv-scalibr/releases/tag/v0.4.5).\n\n# v2.3.3\n\n### Features:\n\n- [Feature #2458](https://github.com/google/osv-scanner/pull/2458) Add `--exclude` flag to skip paths during scanning.\n- [Feature #2477](https://github.com/google/osv-scanner/pull/2477) Add `pylock` extractor.\n- [Feature #2475](https://github.com/google/osv-scanner/pull/2475) Add base image info to container scanning output header (in table, markdown and vertical formats).\n\n### Misc:\n\n- Update Go version to 1.25.7.\n- Update osv-scalibr from v0.4.1 to v0.4.2. [Release note](https://github.com/google/osv-scalibr/releases/tag/v0.4.2).\n- Refactor to better align with osv-scalibr plugins and inventory data structure.\n\n# v2.3.2\n\nThis release includes performance improvements for local scanning, reducing memory usage and avoiding unnecessary advisory loading. It also fixes issues with MCP's get_vulnerability_details tool, git queries in `osv-scanner.json`, and ignore entry tracking, along with documentation updates.\n\n### Fixes:\n\n- [Bug #2415](https://github.com/google/osv-scanner/pull/2415) Add more PURL-to-ecosystem mappings\n- [Bug #2422](https://github.com/google/osv-scanner/pull/2422) MCP error for get_vulnerability_id because type definition is incorrect.\n- [Bug #2460](https://github.com/google/osv-scanner/pull/2460) Enable osv-scanner.json git queries\n- [Bug #2456](https://github.com/google/osv-scanner/pull/2456) Properly track if an ignore entry has been used\n- [Bug #2450](https://github.com/google/osv-scanner/pull/2450) **Performance:** Avoid loading the entire advisory unless it will actually be used\n- [Bug #2445](https://github.com/google/osv-scanner/pull/2445) **Performance:** Don't read the entire zip into memory\n- [Bug #2433](https://github.com/google/osv-scanner/pull/2433) Allow specifying user agent in v2 osvscanner package\n\n### Misc:\n\n- [Misc #2453](https://github.com/google/osv-scanner/pull/2453) Switch from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3\n- [Misc #2447](https://github.com/google/osv-scanner/pull/2447) Include `bun.lock` as a supported lockfile\n- [Misc #2444](https://github.com/google/osv-scanner/pull/2444) Document GoVersionOverride in configuration.md\n\n# v2.3.1\n\n### Features:\n\n- [Feature #2370](https://github.com/google/osv-scanner/pull/2370) Add support for the `packagedeprecation` plugin via the new `--experimental-flag-deprecated-packages` flag. The result is available in all output formats except SPDX.\n\n### Fixes:\n\n- [Bug #2395](https://github.com/google/osv-scanner/pull/2395) Fix license scanning to correctly match new `deps.dev` package names.\n- [Bug #2333](https://github.com/google/osv-scanner/pull/2333) Deduplicate SARIF outputs for GitHub.\n- [Bug #2259](https://github.com/google/osv-scanner/pull/2259) Fix lookup of Go packages with major versions by including the subpath of Go PURLs, preventing false positives.\n\n### Misc:\n\n- Updated Go version to v1.25.5 to support Go reachability analysis for the latest version.\n\n# v2.3.0\n\nThis release migrates to the new `osv.dev` and `osv-schema` proto bindings for its internal data models ([#2328](https://github.com/google/osv-scanner/pull/2328)). This is primarily an internal change and should not impact users.\n\n### Features:\n\n- [Feature #2321](https://github.com/google/osv-scanner/pull/2321) Add support for license checks for RubyGems.\n- [Feature #2294](https://github.com/google/osv-scanner/pull/2294) Replace `requirementsenhanceable` extractor with transitive enricher.\n- [Feature #2344](https://github.com/google/osv-scanner/pull/2344) Use `osduplicate` annotators.\n\n### Fixes:\n\n- [Bug #2329](https://github.com/google/osv-scanner/pull/2329) Add `--ignore-scripts` flag to npm lockfile generation.\n- [Bug #2311](https://github.com/google/osv-scanner/pull/2311) Improve logic for `--all-packages` flag.\n- [Bug #2309](https://github.com/google/osv-scanner/pull/2309) Exit with a non-zero code when showing help.\n- [Bug #2316](https://github.com/google/osv-scanner/pull/2316) Pre-commit hook now defaults to scanning current directory instead of failing.\n- [Bug #1507 (osv-scalibr)](https://github.com/google/osv-scalibr/pull/1507) Interpolate Maven projects before extracting repositories.\n\n# v2.2.4\n\n### Features:\n\n- [Feature #2256](https://github.com/google/osv-scanner/pull/2256) Add experimental OSV-Scanner MCP server. (`osv-scanner experimental-mcp`)\n- [Feature #2284](https://github.com/google/osv-scanner/pull/2284) Update `osv-scalibr` integration, replacing `baseimagematch` with the base image enricher.\n- [Feature #2216](https://github.com/google/osv-scanner/pull/2216) Warn when vulnerabilities specified in the ignore config are not found during a scan (fixes \\#2206).\n\n### Fixes:\n\n- [Bug #2305](https://github.com/google/osv-scanner/pull/2305) Ignore common protocols and `.git` suffix when checking if an advisory affects a git repository (fixes \\#2291).\n- [Bug #2300](https://github.com/google/osv-scanner/pull/2300) Ensure the global logger is used in `cmdlogger` and `osv-scalibr` when set (fixes \\#2081).\n- [Bug #2295](https://github.com/google/osv-scanner/pull/2295) Fix Go stdlib license result matching (fixes \\#2191).\n\n# v2.2.3\n\n### Features:\n\n- [Feature #2209](https://github.com/google/osv-scanner/pull/2209) Add support for resolving git packages that have a version specified.\n- [Feature #2210](https://github.com/google/osv-scanner/pull/2210) Make the `--experimental-plugins` flag additive by default, and introduce a new `--experimental-no-default-plugins` flag.\n- [Feature #2203](https://github.com/google/osv-scanner/pull/2203) Update `osv-scalibr` to 0.3.4 for improved dependency extraction. See osv-scalibr changelog for additional information.\n\n### Fixes:\n\n- [Bug #2214](https://github.com/google/osv-scanner/pull/2214) Fix issue where `input.Path` was incorrectly constructed on Windows when using the `-L` flag.\n- [Fix #2241](https://github.com/google/osv-scanner/pull/2241) **Performance:** Greatly reduce memory usage in the local matcher by only loading advisories relevant to the packages being scanned.\n\n# v2.2.2\n\n### Features:\n\n- [Feature #2113](https://github.com/google/osv-scanner/pull/2113) Add support for Java reachability analysis to identify uncalled vulnerabilities in JAR files.\n- [Feature #2177](https://github.com/google/osv-scanner/pull/2177) Automatically parse `osv-scanner-custom.json` files as `osv-scanner.json` custom lockfiles.\n\n### Fixes:\n\n- [Bug #2204](https://github.com/google/osv-scanner/pull/2204) Add a warning to guide users to the correct GitHub Action.\n- [Bug #2202](https://github.com/google/osv-scanner/pull/2202) Fix incorrect exit code when unimportant vulnerabilities are found in non-container scans.\n- [Bug #2188](https://github.com/google/osv-scanner/pull/2188) Fix handling of absolute paths on Windows.\n\n# v2.2.1\n\n### Fixes\n\n- [Bug #2151](https://github.com/google/osv-scanner/issues/2151) Filter by ecosystem before querying.\n\n# v2.2.0\n\nOSV-Scanner now supports all OSV-Scalibr features behind experimental flags (`--experimental-plugins`, see details [here](https://google.github.io/osv-scanner/experimental/manual-plugin-selection/))!\n\n### Features:\n\n- [Feature #2146](https://github.com/google/osv-scanner/pull/2146) Allow manual OSV-Scalibr plugin selection.\n- [Feature #2144](https://github.com/google/osv-scanner/pull/2144) Add OSV-Scalibr version to osv-scanner --version output.\n- [Feature #2021](https://github.com/google/osv-scanner/pull/2021) Add experimental support for running OSV-Scalibr detectors.\n- [Feature #2079](https://github.com/google/osv-scanner/pull/2079) Fall back to offline extractor if the transitive one fails, so at least direct dependencies are returned.\n- [Feature #2032](https://github.com/google/osv-scanner/pull/2032) Add summary section at the top of outputs and a 'Fixed Version' column.\n- [Feature #2076](https://github.com/google/osv-scanner/pull/2076) Support Ubuntu severity type.\n\n### Fixes:\n\n- [Bug #2141](https://github.com/google/osv-scanner/pull/2141) Fix OSV-Scanner json scans not matching with correct ecosystem.\n- [Bug #2084](https://github.com/google/osv-scanner/pull/2084) Show absolute paths when scanning containers.\n- [Bug #2126](https://github.com/google/osv-scanner/pull/2126) Log and preserve package count before continuing on db error.\n- [Bug #2095](https://github.com/google/osv-scanner/pull/2095) Pass through plugin capabilities correctly.\n- [Bug #2051](https://github.com/google/osv-scanner/pull/2051) Properly flag if running on Linux or Mac OSs for plugin compatibility.\n- [Bug #2072](https://github.com/google/osv-scanner/pull/2072) Add missing \"text\" property in description fields.\n- [Bug #2068](https://github.com/google/osv-scanner/pull/2068) Change links in output to go to the specific vulnerability page instead of the list page.\n- [Bug #2064](https://github.com/google/osv-scanner/pull/2064) Fix SARIF v3 output to include results.\n\n### API Changes:\n\n- [API Change #2096](https://github.com/google/osv-scanner/pull/2096) Allow log handler to be overridden.\n\n# v2.1.0\n\n### Features:\n\n- [Feature #2038](https://github.com/google/osv-scanner/pull/2038) Add CycloneDX location field to the output source string.\n- [Feature #2036](https://github.com/google/osv-scanner/pull/2036) Include upstream source information in vulnerability grouping to improve accuracy.\n- [Feature #1970](https://github.com/google/osv-scanner/pull/1970) Hide unimportant vulnerabilities by default to reduce noise, and adds a `--show-all-vulns` flag to show all.\n- [Feature #2003](https://github.com/google/osv-scanner/pull/2003) Add experimental summary output format for the reporter.\n- [Feature #1988](https://github.com/google/osv-scanner/pull/1988) Add support for CycloneDX 1.6 report format.\n- [Feature #1987](https://github.com/google/osv-scanner/pull/1987) Add support for `gems.locked` files used by Bundler.\n- [Feature #1980](https://github.com/google/osv-scanner/pull/1980) Enable transitive dependency extraction for Python `requirements.txt` files.\n- [Feature #1961](https://github.com/google/osv-scanner/pull/1961) Deprecate the `--sbom` flag in favor of the existing `-L/--lockfile` flag for scanning SBOMs.\n- [Feature #1963](https://github.com/google/osv-scanner/pull/1963) Stabilize various experimental fields in the output by moving them out of the experimental struct.\n- [Feature #1957](https://github.com/google/osv-scanner/pull/1957) Use a dedicated exit code for invalid configuration files.\n\n### Fixes:\n\n- [Bug #2046](https://github.com/google/osv-scanner/pull/2046) Correctly set the user agent string for all outgoing requests.\n- [Bug #2019](https://github.com/google/osv-scanner/pull/2019) Use more natural language in the descriptions for extractor-related flags.\n- [Bug #1982](https://github.com/google/osv-scanner/pull/1982) Correctly parse Ubuntu package information with suffixes (e.g. `:Pro`, `:LTS`).\n- [Bug #2000](https://github.com/google/osv-scanner/pull/2000) Ensure CDATA content in XML is correctly outputted in guided remediation.\n- [Bug #1949](https://github.com/google/osv-scanner/pull/1949) Fix filtering of package types in vulnerability counts.\n\n# v2.0.3\n\n### Features:\n\n- [Feature #1943](https://github.com/google/osv-scanner/pull/1943) Added a flag to suppress \"no package sources found\" error.\n- [Feature #1844](https://github.com/google/osv-scanner/pull/1844) Allow flags to be passed after scan targets, e.g. `osv-scanner ./scan-this-dir --format=vertical`, by updating to cli/v3\n- [Feature #1882](https://github.com/google/osv-scanner/pull/1882) Added a `stable` tag to container images for releases that follow semantic versioning.\n- [Feature #1846](https://github.com/google/osv-scanner/pull/1846) Experimental: Add `--experimental-extractors` and `--experimental-disable-extractors` flags to allow for more granular control over which OSV-Scalibr dependency extractors are used.\n\n### Fixes:\n\n- [Bug #1856](https://github.com/google/osv-scanner/pull/1856) Improve XML output by guessing and matching the indentation of existing `` elements.\n- [Bug #1850](https://github.com/google/osv-scanner/pull/1850) Prevent escaping of single quotes in XML attributes for better readability and correctness.\n- [Bug #1922](https://github.com/google/osv-scanner/pull/1922) Prevent a potential panic in `MatchVulnerabilities` when the API response is nil, particularly on timeout.\n- [Bug #1916](https://github.com/google/osv-scanner/pull/1916) Add the \"ubuntu\" namespace to the debian purl type to correctly parse dpkg BOMs generated on Ubuntu.\n- [Bug #1871](https://github.com/google/osv-scanner/pull/1871) Ensure inventories are sorted by PURL in addition to name and version to prevent incorrect deduplication of packages.\n- [Bug #1919](https://github.com/google/osv-scanner/pull/1919) Improve error reporting by including the underlying error when the response body from a Maven registry cannot be read.\n- [Bug #1857](https://github.com/google/osv-scanner/pull/1857) Fix an issue where SPDX output is not correctly outputted because it was getting overwritten.\n- [Bug #1873](https://github.com/google/osv-scanner/pull/1873) Fix the GitHub Action to not ignore general errors during execution.\n- [Bug #1955](https://github.com/google/osv-scanner/pull/1955) Fix issue causing error messages to be spammed when not running in a git repository.\n- [Bug #1930](https://github.com/google/osv-scanner/pull/1930) Fix issue where Maven client loses auth data during extraction.\n\n### Misc:\n\n- Update dependencies and updated golang to 1.24.4\n\n# v2.0.2\n\n### Fixes:\n\n- [Bug #1842](https://github.com/google/osv-scanner/pull/1842) Fix an issue in the GitHub Action where call analysis for Go projects using the `tool` directive (Go 1.24+) in `go.mod` files would fail. The scanner image has been updated to use a newer Go version.\n- [Bug #1806](https://github.com/google/osv-scanner/pull/1806) Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.\n- [Fix #1825](https://github.com/google/osv-scanner/pull/1825), [#1809](https://github.com/google/osv-scanner/pull/1809), [#1805](https://github.com/google/osv-scanner/pull/1805), [#1803](https://github.com/google/osv-scanner/pull/1803), [#1787](https://github.com/google/osv-scanner/pull/1787) Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.\n\n# v2.0.1\n\n### Features:\n\n- [Feature #1730](https://github.com/google/osv-scanner/pull/1730) Add support for extracting dependencies from .NET `packages.config` and `packages.lock.json` files.\n- [Feature #1770](https://github.com/google/osv-scanner/pull/1770) Add support for extracting dependencies from rust binaries compiled with cargo-auditable.\n- [Feature #1761](https://github.com/google/osv-scanner/pull/1761) Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.\n\n### Fixes:\n\n- [Bug #1752](https://github.com/google/osv-scanner/pull/1752) Fix paging depth issue when querying the osv.dev API.\n- [Bug #1747](https://github.com/google/osv-scanner/pull/1747) Ensure osv-reporter prints warnings instead of errors for certain messages to return correct exit code (related to [osv-scanner-action#65](https://github.com/google/osv-scanner-action/issues/65)).\n- [Bug #1717](https://github.com/google/osv-scanner/pull/1717) Fix issue where nested CycloneDX components were not being parsed.\n- [Bug #1744](https://github.com/google/osv-scanner/pull/1744) Fix issue where empty CycloneDX SBOMs was causing a panic.\n- [Bug #1726](https://github.com/google/osv-scanner/pull/1726) De-duplicate references in CycloneDX report output for improved validity.\n- [Bug #1727](https://github.com/google/osv-scanner/pull/1727) Remove automatic opening of HTML reports in the browser (fixes [#1721](https://github.com/google/osv-scanner/issues/1721)).\n- [Bug #1735](https://github.com/google/osv-scanner/pull/1735) Require a tag when scanning container images to prevent potential errors.\n\n### Docs:\n\n- [Docs #1753](https://github.com/google/osv-scanner/pull/1753) Correct documentation for the OSV-Scanner GitHub Action (fixes [osv-scanner-action#68](https://github.com/google/osv-scanner-action/issues/68)).\n- [Docs #1743](https://github.com/google/osv-scanner/pull/1743) Minor grammar fixes in documentation.\n\n### API Changes:\n\n- [API Change #1763](https://github.com/google/osv-scanner/pull/1763) Made the SourceType enum public.\n\n# OSV-Scanner v2.0.0\n\nThis release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.\n\n**Important:** This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive **[Migration Guide](https://google.github.io/osv-scanner/migration-guide.html)** to ensure a smooth upgrade.\n\n### Features:\n\n- **Layer and base image-aware container scanning:**\n - Rewritten support for Debian, Ubuntu, and Alpine container images.\n - Layer level analysis and vulnerability breakdown.\n - Supports Go, Java, Node, and Python artifacts within supported distros.\n - Base image identification via `deps.dev`.\n - Usage: `osv-scanner scan image :`\n- **Interactive HTML output:**\n - Severity breakdown, package/ID/importance filtering, vulnerability details.\n - Container image layer filtering, layer info, base image identification.\n - Usage: `osv-scanner scan --serve ...`\n- **Guided Remediation for Maven pom.xml:**\n - Remediate direct and transitive dependencies (non-interactive mode).\n - New `override` remediation strategy.\n - Support for reading/writing `pom.xml` and parent POM files.\n - Private registry support for Maven metadata.\n - Machine-readable output for guided remediation.\n- **Enhanced Dependency Extraction with `osv-scalibr`:**\n - Haskell: `cabal.project.freeze`, `stack.yaml.lock`\n - .NET: `deps.json`\n - Python: `uv.lock`\n - Artifacts: `node_module`s, Python wheels, Java uber jars, Go binaries\n- [Feature #1636](https://github.com/google/osv-scanner/pull/1636) `osv-scanner update` command for updating the local vulnerability database (formerly experimental).\n- [Feature #1582](https://github.com/google/osv-scanner/pull/1582) Add container scanning information to vertical output format.\n- [Feature #1587](https://github.com/google/osv-scanner/pull/1587) Add support for severity in SARIF report format.\n- [Feature #1569](https://github.com/google/osv-scanner/pull/1569) Add support for `bun.lock` lockfiles.\n- [Feature #1547](https://github.com/google/osv-scanner/pull/1547) Add experimental config support to the `scan image` command.\n- [Feature #1557](https://github.com/google/osv-scanner/pull/1557) Allow setting port number with `--serve` using the new `--port` flag.\n\n### Breaking Changes:\n\n- [Feature #1670](https://github.com/google/osv-scanner/pull/1670) Guided remediation now defaults to non-interactive mode; use the `--interactive` flag for interactive mode.\n- [Feature #1670](https://github.com/google/osv-scanner/pull/1686) Removed the `--verbosity=verbose` verbosity level.\n- [Feature #1673](https://github.com/google/osv-scanner/pull/1673) & [Feature #1664](https://github.com/google/osv-scanner/pull/1664) All previous experimental flags are now out of experimental, and the experimental flag mechanism has been removed.\n- [Feature #1651](https://github.com/google/osv-scanner/pull/1651) Multiple license flags have been merged into a single `--license` flag.\n- [Feature #1666](https://github.com/google/osv-scanner/pull/1666) API: `reporter` removed; logging now uses `slog`, which can be overridden.\n- [Feature #1638](https://github.com/google/osv-scanner/pull/1638) API: Deprecated packages removed, including `lockfile` (migrated to `OSV-Scalibr`).\n\n### Improvements:\n\n- [Feature #1561](https://github.com/google/osv-scanner/pull/1561) Updated HTML report for better contrast and usability (from beta2).\n- [Feature #1584](https://github.com/google/osv-scanner/pull/1584) Make skipping the root git repository the default behavior (from beta2).\n- [Feature #1648](https://github.com/google/osv-scanner/pull/1648) Updated HTML report styling to improve contrast (from rc1).\n\n### Fixes:\n\n- [Fix #1598](https://github.com/google/osv-scanner/pull/1598) Fix table output vulnerability ordering.\n- [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Filter out Ubuntu unimportant vulnerabilities.\n- [Fix #1585](https://github.com/google/osv-scanner/pull/1585) Fixed issue where base images are occasionally duplicated.\n- [Fix #1597](https://github.com/google/osv-scanner/pull/1597) Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the `bom.xml` filename.\n- [Fix #1566](https://github.com/google/osv-scanner/pull/1566) Fixed issue where offline scanning returns different results from online scanning.\n- [Fix #1538](https://github.com/google/osv-scanner/pull/1538) Reduce memory usage when using guided remediation.\n\nWe encourage everyone to upgrade to OSV-Scanner v2.0.0 and experience these powerful new capabilities! As always, your feedback is invaluable, so please don't hesitate to share your thoughts and suggestions.\n\n- [General V2 feedback](https://github.com/google/osv-scanner/discussions/1529)\n- [Container scanning feedback](https://github.com/google/osv-scanner/discussions/1521)\n\n# v2.0.0-rc1\n\nOur first release candidate for OSV-Scanner V2, which includes various breaking changes osv-scanner to help future proof osv-scanner in V2! See the changelog for beta1 and beta2 for the full list of changes.\n\nWe've also added a migration guide here: https://google.github.io/osv-scanner/migration-guide.html\n\n### Changes:\n\n- [Feature #1670](https://github.com/google/osv-scanner/pull/1670) Guided remediation now makes non-interactive the default mode, and adds the `--interactive` flag.\n- [Feature #1670](https://github.com/google/osv-scanner/pull/1686) Removes the `--verbosity=verbose` verbosity level.\n- [Feature #1673](https://github.com/google/osv-scanner/pull/1673) & [Feature #1664](https://github.com/google/osv-scanner/pull/1664) Moves all our experimental flags out of experimental, and removes the experimental flags.\n- [Feature #1651](https://github.com/google/osv-scanner/pull/1651) License flags have been merged into a single license flag. See `--help` or migration guide for more details.\n\n### Features:\n\n- [Feature #1636](https://github.com/google/osv-scanner/pull/1636) `osv-scanner update` command has been released as an experimental feature.\n- [Feature #1582](https://github.com/google/osv-scanner/pull/1582) Add container scanning related information to vertical output format.\n- [Feature #1587](https://github.com/google/osv-scanner/pull/1587) Add support for severity in SARIF report format.\n\n### Fixes\n\n- [Fix #1677](https://github.com/google/osv-scanner/pull/1677) Fix OS filter for HTML report.\n- [Fix #1598](https://github.com/google/osv-scanner/pull/1598) Fix table output vulnerability ordering.\n- [Fix #1661](https://github.com/google/osv-scanner/pull/1661) Add spinner to iframs in the HTML report.\n- [Fix #1648](https://github.com/google/osv-scanner/pull/1648) Updated HTML report styling to improve contrast.\n- [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Display git scanning results in HTML report.\n- [Fix #1616](https://github.com/google/osv-scanner/pull/1616) Filter out Ubuntu unimportant vulnerabilities.\n\n### API changes\n\n- [Feature #1666](https://github.com/google/osv-scanner/pull/1666) Removes `reporter`, all logging now goes through slog, which you can override to change the output.\n- [Feature #1638](https://github.com/google/osv-scanner/pull/1638) All deprecated packages have been removed from the osv-scanner module, this includes the `lockfile` package, which has been migrated to the `OSV-Scalibr` library.\n\n# v2.0.0-beta2\n\nThis second beta release brings a series of fixes and improvements to the previous release.\n\n### Improvements:\n\n- [Feature #1561](https://github.com/google/osv-scanner/pull/1561) Updated HTML report for better contrast and usability\n- [Feature #1569](https://github.com/google/osv-scanner/pull/1569) Add support for bun.lock lockfiles.\n- [Feature #1584](https://github.com/google/osv-scanner/pull/1584) Make skip root git repository the default behavior.\n- [Feature #1547](https://github.com/google/osv-scanner/pull/1547) Add experimental config support to the image command.\n- [Feature #1557](https://github.com/google/osv-scanner/pull/1557) Allow setting port number when using the `--serve` flag with the new `--port` flag.\n\n### Fixes\n\n- [Fix #1585](https://github.com/google/osv-scanner/pull/1585) Fixed issue where base images are occasionally duplicated.\n- [Fix #1597](https://github.com/google/osv-scanner/pull/1597) Fixed issue where SBOM parsers are not correctly parsing CycloneDX files when using the `bom.xml` filename.\n- [Fix #1566](https://github.com/google/osv-scanner/pull/1566) Fixed issue where offline scanning returns different results from online scanning.\n- [Fix #1538](https://github.com/google/osv-scanner/pull/1538) Reduce memory usage when using guided remediation.\n\n# v2.0.0-beta1\n\nThe first beta of OSV-Scanner V2 is here! This beta release introduces significant enhancements, including refactored dependency extraction capabilities, container image scanning, and guided remediation for Maven.\n\nThis beta release does _not_ introduce any breaking CLI changes and the beta period is expected to last approximately one month. However, as this is a beta release, there may be breaking changes breaking changes in the final release compared to the first beta.\n\nWe encourage you to try out these new features and would appreciate any feedback you might have on our discussion topics:\n\n- [General V2 feedback](https://github.com/google/osv-scanner/discussions/1529)\n- [Container scanning feedback](https://github.com/google/osv-scanner/discussions/1521)\n\n### Layer and base image-aware container scanning\n\nA significant new feature is a rewritten, layer-aware container scanning support for Debian, Ubuntu, and Alpine container images. OSV-Scanner can now analyze container images to provide:\n\n- Layers where a package was first introduced\n- Layer history and commands\n- Base images the image is based on\n- OS/Distro the container is running on\n\nThis layer analysis leverages [OSV-Scalibr](https://github.com/google/osv-scalibr), and supports the following OSes and languages:\n| Distro Support | Language Artifacts Support |\n| -------------- | -------------------------- |\n| Alpine OS | Go |\n| Debian | Java |\n| Ubuntu | Node |\n| | Python |\n\nBase image identification also leverages a new experimental API provided by https://deps.dev.\n\nFor usage, run the new `scan image` command:\n\n```\nosv-scanner scan image :\n```\n\nCheck out our [documentation](https://google.github.io/osv-scanner/usage/scan-image) for more details.\n\n### Interactive HTML output\n\nA new, interactive HTML output is now available. This provides a lot more interactivity and information compared to terminal only outputs, including:\n\n- Severity breakdown\n- Package and ID filtering\n- Vulnerability importance filtering\n- Full vulnerability advisory entries\n\nAnd additionally for container image scanning:\n\n- Layer filtering\n- Image layer information\n- Base image identification\n\n![Screenshot of HTML output for container image scanning](./docs/images/html-container-output.png)\n\n### Guided Remediation for Maven pom.xml\n\nLast year we released a feature called [guided remediation](https://osv.dev/blog/posts/announcing-guided-remediation-in-osv-scanner/) for npm. We have now expanded support to Maven pom.xml.\n\nWith guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.\n\nWe’ve introduced a few new features for our Maven support:\n\n- A new remediation strategy `override` is introduced.\n- Support for reading and writing pom.xml files, including writing changes to local parent pom files.\n- Private registry can be specified to fetch Maven metadata.\n\nThe guided remediation support for Maven is only available in the non-interactive mode. For basic usage, run the following command:\n\n```\nosv-scanner fix --non-interactive --strategy=override -M path/to/pom.xml\n```\n\nWe also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.\n\nFor more usage details on guided remediation, please see our [documentation](https://google.github.io/osv-scanner/experimental/guided-remediation/).\n\n### Enhanced Dependency Extraction with `osv-scalibr`\n\nWith the help from [OSV-Scalibr](https://github.com/google/osv-scalibr), we now also have expanded support for the kinds of dependencies we can extract from projects and containers:\n\n#### Source manifests and lockfiles\n\n- Haskell: `cabal.project.freeze`, `stack.yaml.lock`\n- .NET: `deps.json`\n- Python: `uv.lock`\n\n#### Artifacts\n\n- node_modules\n- Python wheels\n- Java uber jars\n- Go binaries\n\nThe full list of supported formats can be found [here](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/).\n\nThe first beta doesn’t enable every single extractor currently available in OSV-Scalibr today. We’ll continue to add more leading up to the final 2.0.0 release.\n\nOSV-Scalibr also makes it incredibly easy to add new extractors. Please file a [feature request](https://github.com/google/osv-scalibr/issues) if a format you’re interested in is missing!\n\n# v1.9.1\n\n### Features:\n\n- [Feature #1295](https://github.com/google/osv-scanner/pull/1295) Support offline database in fix subcommand.\n- [Feature #1342](https://github.com/google/osv-scanner/pull/1342) Add `--experimental-offline-vulnerabilities` and `--experimental-no-resolve` flags.\n- [Feature #1045](https://github.com/google/osv-scanner/pull/1045) Support private registries for Maven.\n- [Feature #1226](https://github.com/google/osv-scanner/pull/1226) Support support `vulnerabilities.ignore` in package overrides.\n\n### Fixes:\n\n- [Bug #604](https://github.com/google/osv-scanner/pull/604) Use correct path separator in SARIF output when on Windows.\n- [Bug #330](https://github.com/google/osv-scanner/pull/330) Warn about and ignore duplicate entries in SBOMs.\n- [Bug #1325](https://github.com/google/osv-scanner/pull/1325) Set CharsetReader and Entity when reading pom.xml.\n- [Bug #1310](https://github.com/google/osv-scanner/pull/1310) Update spdx license ids.\n- [Bug #1288](https://github.com/google/osv-scanner/pull/1288) Sort sbom packages by PURL.\n- [Bug #1285](https://github.com/google/osv-scanner/pull/1285) Improve handling if `docker` exits with a non-zero code when trying to scan images\n\n### API Changes:\n\n- Deprecate auxillary public packages: As part of the V2 update described above, we have started deprecating some of the auxillary packages\n which are not commonly used to give us more room to make better API designs. These include:\n - `config`\n - `depsdev`\n - `grouper`\n - `spdx`\n\n# v1.9.0\n\n### Features:\n\n- [Feature #1243](https://github.com/google/osv-scanner/pull/1243) Allow explicitly ignoring the license of a package in config with `license.ignore = true`.\n- [Feature #1249](https://github.com/google/osv-scanner/pull/1249) Error if configuration file has unknown properties.\n- [Feature #1271](https://github.com/google/osv-scanner/pull/1271) Assume `.txt` files with \"requirements\" in their name are `requirements.txt` files\n\n### Fixes:\n\n- [Bug #1242](https://github.com/google/osv-scanner/pull/1242) Announce when a config file is invalid and exit with a non-zero code.\n- [Bug #1241](https://github.com/google/osv-scanner/pull/1241) Display `(no reason given)` when there is no reason in the override config.\n- [Bug #1252](https://github.com/google/osv-scanner/pull/1252) Don't allow `LoadPath` to be set via config file.\n- [Bug #1279](https://github.com/google/osv-scanner/pull/1279) Report all ecosystems without local databases in one single line.\n- [Bug #1283](https://github.com/google/osv-scanner/pull/1283) Output invalid PURLs when scanning SBOMs.\n- [Bug #1278](https://github.com/google/osv-scanner/pull/1278) Apply go version override to _all_ instances of the `stdlib`.\n\n### Misc:\n\n- [#1253](https://github.com/google/osv-scanner/pull/1253) Deprecate `ParseX()` functions in `pkg/lockfile` in favor of their `Extract` equivalents.\n- [#1290](https://github.com/google/osv-scanner/pull/1290) Bump maximum number of concurrent requests to the OSV.dev API.\n\n# v1.8.5:\n\n### Features:\n\n- [Feature #1160](https://github.com/google/osv-scanner/pull/1160) Support fetching snapshot versions from a Maven registry.\n- [Feature #1177](https://github.com/google/osv-scanner/pull/1177) Support composite-based package overrides. This allows for ignoring entire manifests when scanning.\n- [Feature #1210](https://github.com/google/osv-scanner/pull/1210) Add FIXED-VULN-IDS to guided remediation non-interactive output.\n\n### Fixes:\n\n- [Bug #1220](https://github.com/google/osv-scanner/issues/1220) Fix govulncheck calls on C code.\n- [Bug #1236](https://github.com/google/osv-scanner/pull/1236) Alpine package scanning now falls back to latest release version if no release version can be found.\n\n# v1.8.4:\n\n### Features:\n\n- [Feature #1177](https://github.com/google/osv-scanner/pull/1177) Adds `--upgrade-config` flag for configuring allowed upgrades on a per-package basis. Also hide & deprecate previous `--disallow-major-upgrades` and `--disallow-package-upgrades` flags.\n\n### Fixes:\n\n- [Bug #1123](https://github.com/google/osv-scanner/issues/1123) Issue when running osv-scanner on project running with golang 1.22 #1123\n\n### Misc:\n\n- [Feature #638](https://github.com/google/osv-scanner/issues/638) Update go policy to use stable go version for builds (updated to go 1.23)\n\n# v1.8.3:\n\n### Features:\n\n- [Feature #889](https://github.com/google/osv-scanner/pull/889) OSV-Scanner now provides \"vertical\" output format!\n\n### Fixes:\n\n- [Bug #1115](https://github.com/google/osv-scanner/issues/1115) Ensure that `semantic` is passed a valid `models.Ecosystem`.\n- [Bug #1140](https://github.com/google/osv-scanner/pull/1140) Add Maven dependency management to override client.\n- [Bug #1149](https://github.com/google/osv-scanner/pull/1149) Handle Maven parent relative path.\n\n### Misc:\n\n- [Feature #1091](https://github.com/google/osv-scanner/pull/1091) Improved the runtime of DiffVulnerabilityResults. Thanks @neilnaveen!\n- [Feature #1125](https://github.com/google/osv-scanner/pull/1125) Workflow for stale issue and PR management.\n\n# v1.8.2:\n\n### Features:\n\n- [Feature #1014](https://github.com/google/osv-scanner/pull/1014) Adding CycloneDX 1.4 and 1.5 output format. Thanks @marcwieserdev!\n\n### Fixes:\n\n- [Bug #769](https://github.com/google/osv-scanner/issues/769) Fixed missing vulnerabilities for debian purls for `--experimental-local-db`.\n- [Bug #1055](https://github.com/google/osv-scanner/issues/1055) Ensure that `package` exists in `affected` property.\n- [Bug #1072](https://github.com/google/osv-scanner/issues/1072) Filter out unimportant vulnerabilities from vuln group.\n- [Bug #1077](https://github.com/google/osv-scanner/issues/1077) Fix rate osv-scanner deadlock.\n- [Bug #924](https://github.com/google/osv-scanner/issues/924) Ensure that npm dependencies retain their \"production\" grouping.\n\n# v1.8.0/v1.8.1:\n\n### Features:\n\n- [Feature #35](https://github.com/google/osv-scanner/issues/35)\n OSV-Scanner now scans transitive dependencies in Maven `pom.xml` files!\n See [our documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#transitive-dependency-scanning) for more information.\n- [Feature #944](https://github.com/google/osv-scanner/pull/944)\n The `osv-scanner.toml` configuration file can now filter specific packages with new `[[PackageOverrides]]` sections:\n ```toml\n [[PackageOverrides]]\n # The package name, version, and ecosystem to match against\n name = \"lib\"\n # If version is not set or empty, it will match every version\n version = \"1.0.0\"\n ecosystem = \"Go\"\n # Ignore this package entirely, including license scanning\n ignore = true\n # Override the license of the package\n # This is not used if ignore = true\n license.override = [\"MIT\", \"0BSD\"]\n # effectiveUntil = 2022-11-09 # Optional exception expiry date\n reason = \"abc\"\n ```\n\n### Minor Updates\n\n- [Feature #1039](https://github.com/google/osv-scanner/pull/1039) The `--experimental-local-db` flag has been removed and replaced with a new flag `--experimental-download-offline-databases` which better reflects what the flag does.\n To replicate the behavior of the original `--experimental-local-db` flag, replace it with both `--experimental-offline --experimental-download-offline-databases` flags. This will run osv-scanner in offline mode, but download the latest version of the vulnerability databases before scanning.\n\n### Fixes:\n\n- [Bug #1000](https://github.com/google/osv-scanner/pull/1000) Standard dependencies now correctly override `dependencyManagement` dependencies when scanning `pom.xml` files in offline mode.\n\n# v1.7.4:\n\n### Features:\n\n- [Feature #943](https://github.com/google/osv-scanner/pull/943) Support scanning gradle/verification-metadata.xml files.\n\n### Misc:\n\n- [Bug #968](https://github.com/google/osv-scanner/issues/968) Hide unimportant Debian vulnerabilities to reduce noise.\n\n# v1.7.3:\n\n### Features:\n\n- [Feature #934](https://github.com/google/osv-scanner/pull/934) add support for PNPM v9 lockfiles.\n\n### Fixes:\n\n- [Bug #938](https://github.com/google/osv-scanner/issues/938) Ensure the sarif output has a stable order.\n- [Bug #922](https://github.com/google/osv-scanner/issues/922) Support filtering on alias IDs in Guided Remediation.\n\n# v1.7.2:\n\n### Fixes:\n\n- [Bug #899](https://github.com/google/osv-scanner/issues/899) Guided Remediation: Parse paths in npmrc auth fields correctly.\n- [Bug #908](https://github.com/google/osv-scanner/issues/908) Fix rust call analysis by explicitly disabling stripping of debug info.\n- [Bug #914](https://github.com/google/osv-scanner/issues/914) Fix regression for go call analysis introduced in 1.7.0.\n\n# v1.7.1:\n\n(There is no Github release for this version)\n\n### Fixes\n\n- [Bug #856](https://github.com/google/osv-scanner/issues/856)\n Add retry logic to make calls to OSV.dev API more resilient. This combined with changes in OSV.dev's API should result in much less timeout errors.\n\n### API Features\n\n- [Feature #781](https://github.com/google/osv-scanner/pull/781)\n add `MakeVersionRequestsWithContext()`\n- [Feature #857](https://github.com/google/osv-scanner/pull/857)\n API and networking related errors now has their own error and exit code (Exit Code 129)\n\n# v1.7.0:\n\n### Features\n\n- [Feature #352](https://github.com/google/osv-scanner/issues/352) Guided Remediation\n Introducing our new experimental guided remediation feature on `osv-scanner fix` subcommand.\n See our [docs](https://google.github.io/osv-scanner/experimental/guided-remediation/) for detailed usage instructions.\n\n- [Feature #805](https://github.com/google/osv-scanner/pull/805)\n Include CVSS MaxSeverity in JSON output.\n\n### Fixes\n\n- [Bug #818](https://github.com/google/osv-scanner/pull/818)\n Align GoVulncheck Go version with go.mod.\n\n- [Bug #797](https://github.com/google/osv-scanner/pull/797)\n Don't traverse gitignored dirs for gitignore files.\n\n### Miscellaneous\n\n- [#831](https://github.com/google/osv-scanner/pull/831)\n Remove version number from the release binary name.\n\n# v1.6.2:\n\n### Features\n\n- [Feature #694](https://github.com/google/osv-scanner/pull/694)\n Add subcommands! OSV-Scanner now has subcommands! The base command has been moved to `scan` (currently the only commands is `scan`).\n By default if you do not pass in a command, `scan` will be used, so CLI remains backwards compatible.\n\n This is a building block to adding the guided remediation feature. See [issue #352](https://github.com/google/osv-scanner/issues/352)\n for more details!\n\n- [Feature #776](https://github.com/google/osv-scanner/pull/776)\n Add pdm lockfile support.\n\n### API Features\n\n- [Feature #754](https://github.com/google/osv-scanner/pull/754)\n Add dependency groups to flattened vulnerabilities output.\n\n# v1.6.0:\n\n### Features\n\n- [Feature #694](https://github.com/google/osv-scanner/pull/694)\n Add support for NuGet lock files version 2.\n\n- [Feature #655](https://github.com/google/osv-scanner/pull/655)\n Scan and report dependency groups (e.g. \"dev dependencies\") for vulnerabilities.\n\n- [Feature #702](https://github.com/google/osv-scanner/pull/702)\n Created an option to skip/disable upload to code scanning.\n\n- [Feature #732](https://github.com/google/osv-scanner/pull/732)\n Add option to not fail on vulnerability being found for GitHub Actions.\n\n- [Feature #729](https://github.com/google/osv-scanner/pull/729)\n Verify the spdx licenses passed in to the license allowlist.\n\n### Fixes\n\n- [Bug #736](https://github.com/google/osv-scanner/pull/736)\n Show ecosystem and version even if git is shown if the info exists.\n\n- [Bug #703](https://github.com/google/osv-scanner/pull/703)\n Return an error if both license scanning and local/offline scanning is enabled simultaneously.\n\n- [Bug #718](https://github.com/google/osv-scanner/pull/718)\n Fixed parsing of SBOMs generated by the latest CycloneDX.\n\n- [Bug #704](https://github.com/google/osv-scanner/pull/704)\n Get go stdlib version from go.mod.\n\n### API Features\n\n- [Feature #727](https://github.com/google/osv-scanner/pull/727)\n Changes to `Reporter` methods to add verbosity levels and to deprecate functions.\n\n# v1.5.0:\n\n### Features\n\n- [Feature #501](https://github.com/google/osv-scanner/pull/501)\n Add experimental license scanning support! See https://osv.dev/blog/posts/introducing-license-scanning-with-osv-scanner/ for more information!\n- [Feature #642](https://github.com/google/osv-scanner/pull/642)\n Support scanning `renv` files for the R language ecosystem.\n- [Feature #513](https://github.com/google/osv-scanner/pull/513)\n Stabilize call analysis for Go! The experimental `--experimental-call-analysis` flag has now been updated to:\n ```\n --call-analysis=\n --no-call-analysis=\n ```\n with call analysis for Go enabled by default. See https://google.github.io/osv-scanner/usage/#scanning-with-call-analysis for the documentation!\n- [Feature #676](https://github.com/google/osv-scanner/pull/676)\n Simplify return codes:\n - Return 0 if there are no findings or errors.\n - Return 1 if there are any findings (license violations or vulnerabilities).\n - Return 128 if no packages are found.\n- [Feature #651](https://github.com/google/osv-scanner/pull/651)\n CVSS v4.0 support.\n- [Feature #60](https://github.com/google/osv-scanner/pull/60)\n [Pre-commit hook](https://pre-commit.com/) support.\n\n### Fixes\n\n- [Bug #639](https://github.com/google/osv-scanner/issues/639)\n We now filter local packages from scans, and report the filtering of those packages.\n- [Bug #645](https://github.com/google/osv-scanner/issues/645)\n Properly handle file/url paths on Windows.\n- [Bug #660](https://github.com/google/osv-scanner/issues/660)\n Remove noise from failed lockfile parsing.\n- [Bug #649](https://github.com/google/osv-scanner/issues/649)\n No longer include vendored libraries in C/C++ package analysis.\n- [Bug #634](https://github.com/google/osv-scanner/issues/634)\n Fix filtering of aliases to also include non OSV aliases\n\n### Miscellaneous\n\n- The minimum go version has been updated to go1.21 from go1.18.\n\n# v1.4.3:\n\n### Features\n\n- [Feature #621](https://github.com/google/osv-scanner/pull/621)\n Add support for scanning vendored C/C++ files.\n- [Feature #581](https://github.com/google/osv-scanner/pull/581)\n Scan submodules commit hashes.\n\n### Fixes\n\n- [Bug #626](https://github.com/google/osv-scanner/issues/626)\n Fix gitignore matching for root directory\n- [Bug #622](https://github.com/google/osv-scanner/issues/622)\n Go binary not found should not be an error\n- [Bug #588](https://github.com/google/osv-scanner/issues/588)\n handle npm/yarn aliased packages\n- [Bug #607](https://github.com/google/osv-scanner/pull/607)\n fix: remove some extra newlines in sarif report\n\n# v1.4.2:\n\n### Fixes\n\n- [Bug #574](https://github.com/google/osv-scanner/issues/574)\n Support versions with build metadata in `yarn.lock` files\n- [Bug #599](https://github.com/google/osv-scanner/issues/599)\n Add name field to sarif rule output\n\n# v1.4.1:\n\n### Features\n\n- [Feature #534](https://github.com/google/osv-scanner/pull/534)\n New SARIF format that separates out individual vulnerabilities, see https://github.com/google/osv-scanner/issues/216\n- [Experimental Feature #57](https://github.com/google/osv-scanner/issues/57) Experimental Github Action!\n Have a look at https://google.github.io/osv-scanner/experimental/ for how to use the new Github Action in your repo.\n Experimental, so might change with only a minor update.\n\n### API Features\n\n- [Feature #557](https://github.com/google/osv-scanner/pull/557) Add new ecosystems, and a slice containing all of them.\n\n# v1.4.0:\n\n### Features\n\n- [Feature #183](https://github.com/google/osv-scanner/pull/183)\n Add (experimental) offline mode! See [our documentation](https://google.github.io/osv-scanner/experimental/#offline-mode) for how to use it.\n- [Feature #452](https://github.com/google/osv-scanner/pull/452)\n Add (experimental) rust call analysis, detect whether vulnerable functions are actually called in your Rust project! See [our documentation](https://google.github.io/osv-scanner/experimental/#call-analysis-in-rust) for limitations and how to use this.\n- [Feature #484](https://github.com/google/osv-scanner/pull/484) Detect the installed `go` version and checks for vulnerabilities in the standard library.\n- [Feature #505](https://github.com/google/osv-scanner/pull/505) OSV-Scanner doesn't support your lockfile format? You can now use your own parser for your format, and create an intermediate `osv-scanner.json` for osv-scanner to scan. See [our documentation](https://google.github.io/osv-scanner/usage/#custom-lockfiles) for instructions.\n\n### API Features\n\n- [Feature #451](https://github.com/google/osv-scanner/pull/451) The lockfile package now support extracting dependencies directly from any io.Reader, removing the requirement of a file path.\n\n### Fixes\n\n- [Bug #457](https://github.com/google/osv-scanner/pull/457)\n Fix PURL mapping for Alpine packages\n- [Bug #462](https://github.com/google/osv-scanner/pull/462)\n Use correct plural and singular forms based on count\n\n# v1.3.6:\n\n### Minor Updates\n\n- [Feature #431](https://github.com/google/osv-scanner/pull/431)\n Update GoVulnCheck integration.\n- [Feature #439](https://github.com/google/osv-scanner/pull/439)\n Create `models.PURLToPackage()`, and deprecate `osvscanner.PURLToPackage()`.\n\n### Fixes\n\n- [Feature #439](https://github.com/google/osv-scanner/pull/439)\n Fix `PURLToPackage` not returning the full namespace of packages in ecosystems\n that use them (e.g. golang).\n\n# v1.3.5:\n\n### Features\n\n- [Feature #409](https://github.com/google/osv-scanner/pull/409)\n Adds an additional column to the table output which shows the severity if available.\n\n### API Features\n\n- [Feature #424](https://github.com/google/osv-scanner/pull/424)\n- [Feature #417](https://github.com/google/osv-scanner/pull/417)\n- [Feature #417](https://github.com/google/osv-scanner/pull/417)\n - Update the models package to better reflect the osv schema, including:\n - Add the withdrawn field\n - Improve timestamp serialization\n - Add related field\n - Add additional ecosystem constants\n - Add new reference types\n - Add YAML tags\n\n# v1.3.4:\n\n### Minor Updates\n\n- [Feature #390](https://github.com/google/osv-scanner/pull/390) Add an\n user agent to OSV API requests.\n\n# v1.3.3:\n\n### Fixes\n\n- [Bug #369](https://github.com/google/osv-scanner/issues/369) Fix\n requirements.txt misparsing lines that contain `--hash`.\n- [Bug #237](https://github.com/google/osv-scanner/issues/237) Clarify when no\n vulnerabilities are found.\n- [Bug #354](https://github.com/google/osv-scanner/issues/354) Fix cycle in\n requirements.txt causing infinite recursion.\n- [Bug #367](https://github.com/google/osv-scanner/issues/367) Fix panic when\n parsing empty lockfile.\n\n### API Features\n\n- [Feature #357](https://github.com/google/osv-scanner/pull/357) Update\n `pkg/osv` to allow overriding the http client / transport\n\n# v1.3.2:\n\n### Fixes\n\n- [Bug #341](https://github.com/google/osv-scanner/pull/341) Make the reporter\n public to allow calling DoScan with non nil reporters.\n- [Bug #335](https://github.com/google/osv-scanner/issues/335) Improve SBOM\n parsing and relaxing name requirements when explicitly scanning with\n `--sbom`.\n- [Bug #333](https://github.com/google/osv-scanner/issues/333) Improve\n scanning speed for regex heavy lockfiles by caching regex compilation.\n- [Bug #349](https://github.com/google/osv-scanner/pull/349) Improve SBOM\n documentation and error messages.\n\n# v1.3.1:\n\n### Fixes\n\n- [Bug #319](https://github.com/google/osv-scanner/issues/319) Fix\n segmentation fault when parsing CycloneDX without dependencies.\n\n# v1.3.0:\n\n### Major Features:\n\n- [Feature #198](https://github.com/google/osv-scanner/pull/198) GoVulnCheck\n integration! Try it out when scanning go code by adding the\n `--experimental-call-analysis` flag.\n- [Feature #260](https://github.com/google/osv-scanner/pull/198) Support `-r`\n flag in `requirements.txt` files.\n- [Feature #300](https://github.com/google/osv-scanner/pull/300) Make\n `IgnoredVulns` also ignore aliases.\n- [Feature #304](https://github.com/google/osv-scanner/pull/304) OSV-Scanner\n now runs faster when there's multiple vulnerabilities.\n\n### Fixes\n\n- [Bug #249](https://github.com/google/osv-scanner/issues/249) Support yarn\n locks with quoted properties.\n- [Bug #232](https://github.com/google/osv-scanner/issues/232) Parse nested\n CycloneDX components correctly.\n- [Bug #257](https://github.com/google/osv-scanner/issues/257) More specific\n cyclone dx parsing.\n- [Bug #256](https://github.com/google/osv-scanner/issues/256) Avoid panic\n when parsing `file:` dependencies in `pnpm` lockfiles.\n- [Bug #261](https://github.com/google/osv-scanner/issues/261) Deduplicate\n packages that appear multiple times in `Pipenv.lock` files.\n- [Bug #267](https://github.com/google/osv-scanner/issues/267) Properly handle\n comparing zero versions in Maven.\n- [Bug #279](https://github.com/google/osv-scanner/issues/279) Trim leading\n zeros off when comparing numerical components in Maven versions.\n- [Bug #291](https://github.com/google/osv-scanner/issues/291) Check if PURL\n is valid before adding it to queries.\n- [Bug #293](https://github.com/google/osv-scanner/issues/293) Avoid infinite\n loops parsing Maven poms with syntax errors\n- [Bug #295](https://github.com/google/osv-scanner/issues/295) Set version in\n the source code, this allows version to be displayed in most package\n managers.\n- [Bug #297](https://github.com/google/osv-scanner/issues/297) Support Pipenv\n develop packages without versions.\n\n### API Features\n\n- [Feature #310](https://github.com/google/osv-scanner/pull/310) Improve the\n OSV models to allow for 3rd party use of the library.\n\n# v1.2.0:\n\n### Major Features:\n\n- [Feature #168](https://github.com/google/osv-scanner/pull/168) Support for\n scanning debian package status file, usually located in\n `/var/lib/dpkg/status`. Thanks @cmaritan\n- [Feature #94](https://github.com/google/osv-scanner/pull/94) Specify what\n parser should be used in `--lockfile`.\n- [Feature #158](https://github.com/google/osv-scanner/pull/158) Specify\n output format to use with the `--format` flag.\n- [Feature #165](https://github.com/google/osv-scanner/pull/165) Respect\n `.gitignore` files by default when scanning.\n- [Feature #156](https://github.com/google/osv-scanner/pull/156) Support\n markdown table output format. Thanks @deftdawg\n- [Feature #59](https://github.com/google/osv-scanner/pull/59) Support\n `conan.lock` lockfiles and ecosystem Thanks @SSE4\n- Updated documentation! Check it out here:\n https://google.github.io/osv-scanner/\n\n### Minor Updates:\n\n- [Feature #178](https://github.com/google/osv-scanner/pull/178) Support SPDX\n 2.3.\n- [Feature #221](https://github.com/google/osv-scanner/pull/221) Support\n dependencyManagement section in Maven poms.\n- [Feature #167](https://github.com/google/osv-scanner/pull/167) Make\n osvscanner API library public.\n- [Feature #141](https://github.com/google/osv-scanner/pull/141) Retry OSV API\n calls to mitigate transient network issues. Thanks @davift\n- [Feature #220](https://github.com/google/osv-scanner/pull/220) Vulnerability\n output is ordered deterministically.\n- [Feature #179](https://github.com/google/osv-scanner/pull/179) Log number of\n packages scanned from SBOM.\n- General dependency updates\n\n### Fixes\n\n- [Bug #161](https://github.com/google/osv-scanner/pull/161) Exit with non\n zero exit code when there is a general error.\n- [Bug #185](https://github.com/google/osv-scanner/pull/185) Properly omit\n Source from JSON output.\n\n# v1.1.0:\n\nThis update adds support for NuGet ecosystem and various bug fixes by the\ncommunity.\n\n- [Feature #98](https://github.com/google/osv-scanner/pull/98): Support for\n NuGet ecosystem.\n- [Feature #71](https://github.com/google/osv-scanner/issues/71): Now supports\n Pipfile.lock scanning.\n- [Bug #85](https://github.com/google/osv-scanner/issues/85): Even better\n support for narrow terminals by shortening osv.dev URLs.\n- [Bug #105](https://github.com/google/osv-scanner/issues/105): Fix rare cases\n of too many open file handles.\n- [Bug #131](https://github.com/google/osv-scanner/pull/131): Fix table\n highlighting overflow.\n- [Bug #101](https://github.com/google/osv-scanner/issues/101): Now supports\n 32 bit systems.\n\n# v1.0.2\n\nThis is a minor patch release to mitigate human readable output issues on narrow\nterminals (#85).\n\n- [Bug #85](https://github.com/google/osv-scanner/issues/85): Better support\n for narrow terminals.\n\n# v1.0.1\n\nVarious bug fixes and improvements. Many thanks to the amazing contributions and\nsuggestions from the community!\n\n- Feature: ARM64 builds are now also available!\n- [Feature #46](https://github.com/google/osv-scanner/pull/46): Gradle\n lockfile support.\n- [Feature #50](https://github.com/google/osv-scanner/pull/46): Add version\n command.\n- [Bug #52](https://github.com/google/osv-scanner/issues/52): Fixes 0 exit\n code being wrongly emitted when vulnerabilities are present.\n" }, { "path": "CONTRIBUTING.md", "content": "# How to Contribute\n\nWe'd love to accept your patches and contributions to this project. There are\njust a few small guidelines you need to follow.\n\n## Contributor License Agreement\n\nContributions to this project must be accompanied by a Contributor License\nAgreement. You (or your employer) retain the copyright to your contribution;\nthis simply gives us permission to use and redistribute your contributions as\npart of the project. Head over to to see\nyour current agreements on file or to sign a new one.\n\nYou generally only need to submit a CLA once, so if you've already submitted one\n(even if it was for a different project), you probably don't need to do it\nagain.\n\n## Code reviews\n\nAll submissions, including submissions by project members, require review. We\nuse GitHub pull requests for this purpose. Consult\n[GitHub Help](https://help.github.com/articles/about-pull-requests/) for more\ninformation on using pull requests.\n\nWhen creating a pull request, please use the provided\n[pull request template](/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md)\nand fill out the sections to ensure a smooth review process.\n\nFor any new feature, please create an issue first to discuss the proposed changes\nbefore proceeding to make a pull request. This helps ensure that your contribution\nis aligned with the project's goals and avoids duplicate work.\n\n## Community Guidelines\n\nThis project follows\n[Google's Open Source Community Guidelines](https://opensource.google.com/conduct/).\n\n## Contributing documentation\n\nPlease review the documentation [README](docs/README.md) for more information about contributing to documentation.\n\n## Contributing code\n\n### Prerequisites\n\nInstall:\n\n1. [Go](https://go.dev/) 1.21+, use `go version` to check.\n2. [GoReleaser](https://goreleaser.com/) (Optional, only if you want reproducible builds).\n\n> **Note**\n>\n> The scripts within `/scripts` expect to be run from the root of the repository\n\n### Building\n\n#### Build using only `go`\n\nRun the following in the project directory:\n\n```shell\n./scripts/build.sh\n```\n\nProduces `osv-scanner` binary in the project directory.\n\n#### Build using `goreleaser`\n\nRun the following in the project directory:\n\n```shell\n./scripts/build_snapshot.sh\n```\n\nSee GoReleaser [documentation](https://goreleaser.com/cmd/goreleaser_build/) for build options.\n\nYou can also reproduce the downloadable builds by checking out the specific tag and running `goreleaser build`,\nusing the same Go version as the one used during the actual release (see goreleaser workflows).\n\n### Running tests\n\nTo run tests:\n\n```shell\nmake test\n```\n\nTo see a list of all tests and other available Makefile targets, you can run:\n\n```shell\nmake help\n```\n\nTo get consistent test results, please run with `GOTOOLCHAIN=go`.\n\nThe `Makefile` defines several modes you can use to change how tests run:\n\n- `SNAPS=true`: Update snapshot tests.\n- `ACC=true`: Run acceptance tests that require additional dependencies.\n- `SHORT=false`: Run the full test suite instead of the default short suite.\n- `VCR=`: Set the VCR recording mode (see below).\n\nBy default, tests that require additional dependencies beyond the go toolchain are skipped.\nEnable these tests by running:\n\n```shell\nmake test ACC=true\n```\n\nYou can generate an HTML coverage report by running:\n\n```shell\n./scripts/generate_coverage_report.sh\n```\n\nYou can regenerate snapshots by running tests with `SNAPS=true`:\n\n```shell\nmake test SNAPS=true\n```\n\nNote that some long-running tests may be skipped and their snapshots will not be updated. To update all snapshots, use:\n\n```shell\nmake update-snapshots\n# Equivalent to: make test SNAPS=true SHORT=false\n```\n\nTo update all snapshots for all tests, matching the CI test environment, use:\n\n```shell\nmake refresh-all\n```\n\n`cmd` tests use [`go-vcr`](https://github.com/dnaeon/go-vcr) to provide a custom `http.Client` for osv.dev requests to the `querybulk` endpoint which uses\nsnapshots of requests called cassettes to reduce noise from changes to advisories while still providing a high degree\nof confidence.\n\nYou can control the recording behaviour by passing `VCR=` as an argument to `make test`.\nThe `` can be one of the [supported modes](https://github.com/dnaeon/go-vcr/blob/v4/pkg/recorder/recorder.go#L51),\nspecified either by [its name without the `Mode` suffix or by its int value](./cmd/osv-scanner/internal/testcmd/vcr.go#L16).\n\n```shell\n# Example: Disable VCR tests to passthrough network requests\nmake test VCR=Passthrough\n```\n\nThe default mode locally is `ReplayWithNewEpisodes`, meaning existing interactions will be replayed while any new ones will\nbe recorded and added to the existing cassette; when running in CI, the default mode is `ReplayOnly` meaning an error will be\nraised if an http interaction is missing from a test's cassette.\n\nIf adding a lockfile with known vulnerabilities for test data, also add an [`osv-scanner.toml`](https://google.github.io/osv-scanner/configuration/) config file to exclude those vulnerabilities from scans of the repository.\n\n### Linting\n\nTo lint your code, run\n\n```shell\n./scripts/run_lints.sh\n```\n\n### Making commits\n\nPlease follow the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) specification when squashing commits during a merge. This is typically the commit merged into the main branch and is often based on the PR title. Doing so helps us to automate processes like changelog generation and ensures a clear and consistent commit history.\n\nSome types: `feat:`, `fix:`, `docs:`, `chore:`, `refactor:`, and others.\n\n## Contributing documentation\n\nPlease follow these steps to successfully contribute documentation.\n\n1. Fork the repository.\n2. Make desired documentation changes.\n3. Preview the changes by spinning up a GitHub page for your fork, building from your working branch.\n \n - On your fork, go to the settings tab and then the GitHub page settings. Sample URL: https://github.com/{your-github-profile}/osv-scanner/settings/pages\n - Under \"Build and deployment\" select \"Deploy from a branch\"\n - Set the branch to your working branch\n - Set the github page to build from the \"/docs\" folder\n - Hit save and wait for your site to build\n - Once it is ready, click the link and preview the docs\n\n![Image shows the UI settings for building the GitHub page, which is described in step 3 of the contributing documentation instructions.](docs/images/github-page.png)\n\n4. If you are satisfied with the changes, open a PR.\n5. In the PR, link to your fork's GitHub page, so we can preview the changes.\n\nFor information on how to run the documentation locally, please see our [documentation readme](https://github.com/google/osv-scanner/blob/main/docs/README.md/#running-docs-locally).\n" }, { "path": "Dockerfile", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039 AS builder\n\nWORKDIR /src\nCOPY ./go.mod ./go.sum ./\nRUN go mod download\n\nCOPY ./ ./\nRUN go build -o osv-scanner ./cmd/osv-scanner/\n\nFROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659\n\nRUN apk --no-cache add ca-certificates git && \\\n git config --global --add safe.directory '*'\n\nWORKDIR /root/\nCOPY --from=builder /src/osv-scanner .\n\nENTRYPOINT [\"/root/osv-scanner\"]\n" }, { "path": "LICENSE", "content": "\n Apache License\n Version 2.0, January 2004\n http://www.apache.org/licenses/\n\n TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION\n\n 1. Definitions.\n\n \"License\" shall mean the terms and conditions for use, reproduction,\n and distribution as defined by Sections 1 through 9 of this document.\n\n \"Licensor\" shall mean the copyright owner or entity authorized by\n the copyright owner that is granting the License.\n\n \"Legal Entity\" shall mean the union of the acting entity and all\n other entities that control, are controlled by, or are under common\n control with that entity. For the purposes of this definition,\n \"control\" means (i) the power, direct or indirect, to cause the\n direction or management of such entity, whether by contract or\n otherwise, or (ii) ownership of fifty percent (50%) or more of the\n outstanding shares, or (iii) beneficial ownership of such entity.\n\n \"You\" (or \"Your\") shall mean an individual or Legal Entity\n exercising permissions granted by this License.\n\n \"Source\" form shall mean the preferred form for making modifications,\n including but not limited to software source code, documentation\n source, and configuration files.\n\n \"Object\" form shall mean any form resulting from mechanical\n transformation or translation of a Source form, including but\n not limited to compiled object code, generated documentation,\n and conversions to other media types.\n\n \"Work\" shall mean the work of authorship, whether in Source or\n Object form, made available under the License, as indicated by a\n copyright notice that is included in or attached to the work\n (an example is provided in the Appendix below).\n\n \"Derivative Works\" shall mean any work, whether in Source or Object\n form, that is based on (or derived from) the Work and for which the\n editorial revisions, annotations, elaborations, or other modifications\n represent, as a whole, an original work of authorship. For the purposes\n of this License, Derivative Works shall not include works that remain\n separable from, or merely link (or bind by name) to the interfaces of,\n the Work and Derivative Works thereof.\n\n \"Contribution\" shall mean any work of authorship, including\n the original version of the Work and any modifications or additions\n to that Work or Derivative Works thereof, that is intentionally\n submitted to Licensor for inclusion in the Work by the copyright owner\n or by an individual or Legal Entity authorized to submit on behalf of\n the copyright owner. For the purposes of this definition, \"submitted\"\n means any form of electronic, verbal, or written communication sent\n to the Licensor or its representatives, including but not limited to\n communication on electronic mailing lists, source code control systems,\n and issue tracking systems that are managed by, or on behalf of, the\n Licensor for the purpose of discussing and improving the Work, but\n excluding communication that is conspicuously marked or otherwise\n designated in writing by the copyright owner as \"Not a Contribution.\"\n\n \"Contributor\" shall mean Licensor and any individual or Legal Entity\n on behalf of whom a Contribution has been received by Licensor and\n subsequently incorporated within the Work.\n\n 2. Grant of Copyright License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n copyright license to reproduce, prepare Derivative Works of,\n publicly display, publicly perform, sublicense, and distribute the\n Work and such Derivative Works in Source or Object form.\n\n 3. Grant of Patent License. Subject to the terms and conditions of\n this License, each Contributor hereby grants to You a perpetual,\n worldwide, non-exclusive, no-charge, royalty-free, irrevocable\n (except as stated in this section) patent license to make, have made,\n use, offer to sell, sell, import, and otherwise transfer the Work,\n where such license applies only to those patent claims licensable\n by such Contributor that are necessarily infringed by their\n Contribution(s) alone or by combination of their Contribution(s)\n with the Work to which such Contribution(s) was submitted. If You\n institute patent litigation against any entity (including a\n cross-claim or counterclaim in a lawsuit) alleging that the Work\n or a Contribution incorporated within the Work constitutes direct\n or contributory patent infringement, then any patent licenses\n granted to You under this License for that Work shall terminate\n as of the date such litigation is filed.\n\n 4. Redistribution. You may reproduce and distribute copies of the\n Work or Derivative Works thereof in any medium, with or without\n modifications, and in Source or Object form, provided that You\n meet the following conditions:\n\n (a) You must give any other recipients of the Work or\n Derivative Works a copy of this License; and\n\n (b) You must cause any modified files to carry prominent notices\n stating that You changed the files; and\n\n (c) You must retain, in the Source form of any Derivative Works\n that You distribute, all copyright, patent, trademark, and\n attribution notices from the Source form of the Work,\n excluding those notices that do not pertain to any part of\n the Derivative Works; and\n\n (d) If the Work includes a \"NOTICE\" text file as part of its\n distribution, then any Derivative Works that You distribute must\n include a readable copy of the attribution notices contained\n within such NOTICE file, excluding those notices that do not\n pertain to any part of the Derivative Works, in at least one\n of the following places: within a NOTICE text file distributed\n as part of the Derivative Works; within the Source form or\n documentation, if provided along with the Derivative Works; or,\n within a display generated by the Derivative Works, if and\n wherever such third-party notices normally appear. The contents\n of the NOTICE file are for informational purposes only and\n do not modify the License. You may add Your own attribution\n notices within Derivative Works that You distribute, alongside\n or as an addendum to the NOTICE text from the Work, provided\n that such additional attribution notices cannot be construed\n as modifying the License.\n\n You may add Your own copyright statement to Your modifications and\n may provide additional or different license terms and conditions\n for use, reproduction, or distribution of Your modifications, or\n for any such Derivative Works as a whole, provided Your use,\n reproduction, and distribution of the Work otherwise complies with\n the conditions stated in this License.\n\n 5. Submission of Contributions. Unless You explicitly state otherwise,\n any Contribution intentionally submitted for inclusion in the Work\n by You to the Licensor shall be under the terms and conditions of\n this License, without any additional terms or conditions.\n Notwithstanding the above, nothing herein shall supersede or modify\n the terms of any separate license agreement you may have executed\n with Licensor regarding such Contributions.\n\n 6. Trademarks. This License does not grant permission to use the trade\n names, trademarks, service marks, or product names of the Licensor,\n except as required for reasonable and customary use in describing the\n origin of the Work and reproducing the content of the NOTICE file.\n\n 7. Disclaimer of Warranty. Unless required by applicable law or\n agreed to in writing, Licensor provides the Work (and each\n Contributor provides its Contributions) on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or\n implied, including, without limitation, any warranties or conditions\n of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A\n PARTICULAR PURPOSE. You are solely responsible for determining the\n appropriateness of using or redistributing the Work and assume any\n risks associated with Your exercise of permissions under this License.\n\n 8. Limitation of Liability. In no event and under no legal theory,\n whether in tort (including negligence), contract, or otherwise,\n unless required by applicable law (such as deliberate and grossly\n negligent acts) or agreed to in writing, shall any Contributor be\n liable to You for damages, including any direct, indirect, special,\n incidental, or consequential damages of any character arising as a\n result of this License or out of the use or inability to use the\n Work (including but not limited to damages for loss of goodwill,\n work stoppage, computer failure or malfunction, or any and all\n other commercial damages or losses), even if such Contributor\n has been advised of the possibility of such damages.\n\n 9. Accepting Warranty or Additional Liability. While redistributing\n the Work or Derivative Works thereof, You may choose to offer,\n and charge a fee for, acceptance of support, warranty, indemnity,\n or other liability obligations and/or rights consistent with this\n License. However, in accepting such obligations, You may act only\n on Your own behalf and on Your sole responsibility, not on behalf\n of any other Contributor, and only if You agree to indemnify,\n defend, and hold each Contributor harmless for any liability\n incurred by, or claims asserted against, such Contributor by reason\n of your accepting any such warranty or additional liability.\n\n END OF TERMS AND CONDITIONS\n\n APPENDIX: How to apply the Apache License to your work.\n\n To apply the Apache License to your work, attach the following\n boilerplate notice, with the fields enclosed by brackets \"[]\"\n replaced with your own identifying information. (Don't include\n the brackets!) The text should be enclosed in the appropriate\n comment syntax for the file format. We also recommend that a\n file or class name and description of purpose be included on the\n same \"printed page\" as the copyright notice for easier\n identification within third-party archives.\n\n Copyright [yyyy] [name of copyright owner]\n\n Licensed under the Apache License, Version 2.0 (the \"License\");\n you may not use this file except in compliance with the License.\n You may obtain a copy of the License at\n\n http://www.apache.org/licenses/LICENSE-2.0\n\n Unless required by applicable law or agreed to in writing, software\n distributed under the License is distributed on an \"AS IS\" BASIS,\n WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n See the License for the specific language governing permissions and\n limitations under the License.\n" }, { "path": "Makefile", "content": "export PATH := $(PATH):$(shell go env GOPATH)/bin\n\n# Default - run help\n.DEFAULT_GOAL := help\n\n# Defaults for test\nSHORT ?= true\nSNAPS ?= false\nACC ?= false\nVCR ?= ReplayWithNewEpisodes\n\nhelp: ## Show this help message\n\t@awk 'BEGIN {FS = \":.*##\"; printf \"\\nUsage:\\n make \\033[36m\\033[0m\\n\"} \\\n\t\t/^[a-zA-Z_0-9-]+:.*?##/ { printf \" \\033[36m%-20s\\033[0m %s\\n\", $$1, $$2 } \\\n\t\t/^## / { printf \" %-20s %s\\n\", \"\", substr($$0, 4) }' $(MAKEFILE_LIST)\n\n## Prevents make from trying to interpret the targets as files\n.PHONY: build scanner lint lint-fix format clean local-docs test update-snapshots refresh-all help\n\nbuild: ## Build scanner\n\tscripts/build.sh\n\nscanner: ## Run scanner (Usage: make scanner ARGS=\"\")\n\tgo run ./cmd/osv-scanner $(ARGS)\n\nlint: ## Run lints\n\tscripts/run_lints.sh\n\nlint-fix: ## Run lints and fix\n\tscripts/run_lints.sh --fix\n\nformat: ## Run formatters\n\tscripts/run_formatters.sh\n\nclean: ## Clean build artifacts\n\trm -f osv-scanner\n\trm -f cmd/osv-scanner/scan/image/testdata/test-*.tar\n\nlocal-docs: ## Run local docs\n\tscripts/run_local_docs.sh\n\ntest: ## Run tests\n## Options:\n## SNAPS=true Update snapshots (Default: false)\n## ACC=true Run acceptance tests (Default: false)\n## SHORT=false Run full tests (Default: true)\n## VCR=mode VCR mode (Default: ReplayWithNewEpisodes):\n## - 0|RecordOnly: Record new cassettes\n## - 1|ReplayOnly: Replay cassettes, error if missing\n## - 2|ReplayWithNewEpisodes: Replay, record if missing\n## - 3|RecordOnce: Record if missing\n## - 4|Passthrough: Disable VCR\n\t@export TEST_VCR_MODE=$(VCR); \\\n\tif [ \"$(SNAPS)\" = \"true\" ]; then export UPDATE_SNAPS=true; fi; \\\n\tif [ \"$(ACC)\" = \"true\" ]; then export TEST_ACCEPTANCE=true; fi; \\\n\tARGS=\"\"; \\\n\tif [ \"$(SHORT)\" = \"true\" ]; then ARGS=\"$$ARGS -short\"; fi; \\\n\tscripts/run_tests.sh $$ARGS\n\nupdate-snapshots: ## Update all snapshots (Equivalent to make test SNAPS=true SHORT=false)\n\t$(MAKE) test SNAPS=true SHORT=false\n\nrefresh-all: ## Refresh all snaps, matching CI test (Usage: make refresh-all REBUILD_IMAGES=true)\n\t@if [ \"$(REBUILD_IMAGES)\" = \"true\" ]; then $(MAKE) clean; fi\n\t$(MAKE) test ACC=true SHORT=false VCR=RecordOnly SNAPS=true\n" }, { "path": "README.md", "content": "\n \n \n \n\n\n---\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner/badge)](https://scorecard.dev/viewer/?uri=github.com/google/osv-scanner)\n[![Go Report Card](https://goreportcard.com/badge/github.com/google/osv-scanner)](https://goreportcard.com/report/github.com/google/osv-scanner)\n[![codecov](https://codecov.io/gh/google/osv-scanner/graph/badge.svg?token=C8IDVX9LP5)](https://codecov.io/gh/google/osv-scanner)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![GitHub Release](https://img.shields.io/github/v/release/google/osv-scanner)](https://github.com/google/osv-scanner/releases)\n\nUse OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.\nOSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) and CLI interface to [OSV-Scalibr](https://github.com/google/osv-scalibr) that connects a project’s list of dependencies with the vulnerabilities that affect them.\n\nOSV-Scanner supports a wide range of project types, package managers and features, including but not limited to:\n\n- **Languages:** C/C++, Dart, Elixir, Go, Java, Javascript, PHP, Python, R, Ruby, Rust.\n- **Package Managers:** npm, pip, yarn, maven, go modules, cargo, gem, composer, nuget and others.\n- **Operating Systems:** Detects vulnerabilities in OS packages on Linux systems.\n- **Containers:** Scans container images for vulnerabilities in their base images and included packages.\n- **Guided Remediation:** Provides recommendations for package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\n\nOSV-Scanner uses the extensible [OSV-Scalibr](https://github.com/google/osv-scalibr) library under the hood to provide this functionality. If a language or package manager is not supported currently, please file a [feature request.](https://github.com/google/osv-scanner/issues)\n\n#### Underlying database\n\nThe underlying database, [OSV.dev](https://osv.dev/) has several benefits in comparison with closed source advisory databases and scanners:\n\n- Covering most open source language and OS ecosystems (including [Git](https://osv.dev/list?q=&ecosystem=GIT)), it’s comprehensive.\n- Each advisory comes from an open and authoritative source (e.g. [GitHub Security Advisories](https://github.com/github/advisory-database), [RustSec Advisory Database](https://github.com/rustsec/advisory-db), [Ubuntu security notices](https://github.com/canonical/ubuntu-security-notices/tree/main/osv))\n- Anyone can suggest improvements to advisories, resulting in a very high quality database.\n- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages\n\nThe above all results in accurate and actionable vulnerability notifications, which reduces the time needed to resolve them. Check out [OSV.dev](https://osv.dev/) for more details!\n\n## Basic installation\n\nTo install OSV-Scanner, please refer to the [installation section](https://google.github.io/osv-scanner/installation) of our documentation. OSV-Scanner releases can be found on the [releases page](https://github.com/google/osv-scanner/releases) of the GitHub repository. The recommended method is to download a prebuilt binary for your platform. Alternatively, you can use\n`go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest` to build it from source.\n\n## Key Features\n\nFor more information, please read our [detailed documentation](https://google.github.io/osv-scanner) to learn how to use OSV-Scanner. For detailed information about each feature, click their titles in this README.\n\nPlease note: These are the instructions for the latest OSV-Scanner V2 beta. If you are using V1, checkout the V1 [README](https://github.com/google/osv-scanner-v1) and [documentation](https://google.github.io/osv-scanner-v1/) instead.\n\n### [Scanning a source directory](https://google.github.io/osv-scanner/usage)\n\n```bash\n$ osv-scanner scan source -r /path/to/your/dir\n```\n\nThis command will recursively scan the specified directory for any supported package files, such as `package.json`, `go.mod`, `pom.xml`, etc. and output any discovered vulnerabilities.\n\nOSV-Scanner has the option of using call analysis to determine if a vulnerable function is actually being used in the project, resulting in fewer false positives, and actionable alerts.\n\nOSV-Scanner can also detect vendored C/C++ code for vulnerability scanning. See [here](https://google.github.io/osv-scanner/usage/#cc-scanning) for details.\n\n#### Supported Lockfiles\n\nOSV-Scanner supports 11+ language ecosystems and 19+ lockfile types. To check if your ecosystem is covered, please check out our [detailed documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-lockfiles).\n\n### [Container Scanning](https://google.github.io/osv-scanner/usage/scan-image)\n\nOSV-Scanner also supports comprehensive, layer-aware scanning for container images to detect vulnerabilities the following operating system packages and language-specific dependencies.\n\n| Distro Support | Language Artifacts Support |\n| -------------- | -------------------------- |\n| Alpine OS | Go |\n| Debian | Java |\n| Ubuntu | Node |\n| | Python |\n\nSee the [full documentation](https://google.github.io/osv-scanner/supported-languages-and-lockfiles/#supported-artifacts) for details on support.\n\n**Usage**:\n\n```bash\n$ osv-scanner scan image my-image-name:tag\n```\n\n![screencast of html output of container scanning](https://github.com/user-attachments/assets/8bb95366-27ec-45d1-86ed-e42890f2fb46)\n\n### [License Scanning](https://google.github.io/osv-scanner/usage/license-scanning/)\n\nCheck your dependencies' licenses using deps.dev data. For a summary:\n\n```bash\nosv-scanner --licenses path/to/repository\n```\n\nTo check against an allowed license list (SPDX format):\n\n```bash\nosv-scanner --licenses=\"MIT,Apache-2.0\" path/to/directory\n```\n\n### [Offline Scanning](https://google.github.io/osv-scanner/usage/offline-mode/)\n\nScan your project against a local OSV database. No network connection is required after the initial database download. The database can also be manually downloaded.\n\n```bash\nosv-scanner --offline --download-offline-databases ./path/to/your/dir\n```\n\n### [Guided Remediation](https://google.github.io/osv-scanner/experimental/guided-remediation/) (Experimental)\n\nOSV-Scanner provides guided remediation, a feature that suggests package version upgrades based on criteria such as dependency depth, minimum severity, fix strategy, and return on investment.\nWe currently support remediating vulnerabilities in the following files:\n\n| Ecosystem | File Format (Type) | Supported Remediation Strategies |\n| :-------- | :----------------------------- | :---------------------------------------------------------------------------------------------------------------- |\n| npm | `package-lock.json` (lockfile) | [`in-place`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation) |\n| npm | `package.json` (manifest) | [`relock`](https://google.github.io/osv-scanner/experimental/guided-remediation/#in-place-lockfile-remediation) |\n| Maven | `pom.xml` (manifest) | [`override`](https://google.github.io/osv-scanner/experimental/guided-remediation/#override-dependency-versions) |\n\nThis is available as a headless CLI command, as well as an interactive mode.\n\n#### Example (for npm)\n\n```bash\n$ osv-scanner fix \\\n --max-depth=3 \\\n --min-severity=5 \\\n --ignore-dev \\\n --strategy=in-place \\\n -L path/to/package-lock.json\n```\n\n#### Interactive mode (for npm)\n\n```bash\n$ osv-scanner fix \\\n -M path/to/package.json \\\n -L path/to/package-lock.json\n```\n\n\"Screenshot\n\n## Data Sources and Privacy\n\nOSV-Scanner communicates with the following external services during operation:\n\n### [OSV.dev API](https://osv.dev/)\n\nThe primary data source for vulnerability information. OSV-Scanner queries this API to check packages for known vulnerabilities and to identify vendored C/C++ dependencies. Data sent includes package names, versions, ecosystems, and file hashes. Use [`--offline` mode](https://google.github.io/osv-scanner/usage/offline-mode/) to disable network requests and scan against a local database instead.\n\n### [deps.dev API](https://docs.deps.dev/api/)\n\nUsed for supplementary package information:\n\n- **Dependency resolution**: Resolves dependency graphs for vulnerability scanning and remediation\n- **Container image scanning**: Queries container image metadata for vulnerability detection\n- **License scanning** (`--licenses` flag): Retrieves license information for packages\n- **Package deprecation**: Checks if packages are deprecated\n\nData sent includes package names, versions, and ecosystems. No source code is transmitted.\n\n### Package Registries\n\nWhen using native registry for dependency resolution (instead of deps.dev), OSV-Scanner may query:\n\n| Registry | URL | Used For |\n| ------------- | ------------------------------ | ------------------------------------ |\n| Maven Central | `repo.maven.apache.org/maven2` | Maven package metadata and POM files |\n| npm Registry | `registry.npmjs.org` | npm package metadata |\n| PyPI | `pypi.org` | Python package metadata |\n\n## Contribute\n\n### Report Problems\n\nIf you have what looks like a bug, please use the [GitHub issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered.\n\n### Contributing code to `osv-scanner`\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for documentation on how to contribute code.\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=google/osv-scanner&type=Date)](https://www.star-history.com/#google/osv-scanner&Date)\n" }, { "path": "action.dockerfile", "content": "# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action\nFROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039\n\nRUN mkdir /src\nWORKDIR /src\n\nCOPY ./go.mod /src/go.mod\nCOPY ./go.sum /src/go.sum\nRUN go mod download\n\nCOPY ./ /src/\nRUN go build -o osv-scanner ./cmd/osv-scanner/\nRUN go build -o osv-reporter ./cmd/osv-reporter/\n\nFROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659\nRUN apk --no-cache add \\\n ca-certificates \\\n git \\\n bash\n\n# Allow git to run on mounted directories\nRUN git config --global --add safe.directory '*'\n\nWORKDIR /root/\nCOPY --from=0 /src/osv-scanner ./\nCOPY --from=0 /src/osv-reporter ./\nCOPY ./exit_code_redirect.sh ./\n\nENV PATH=\"${PATH}:/root\"\n\nENTRYPOINT [\n \"bash\",\n \"-c\",\n \"echo 'WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action' && /root/exit_code_redirect.sh\"\n]\n" }, { "path": "actions/reporter/action.yml", "content": "# Currently experimental.\nname: \"osv-scanner-reporter\"\ndescription: \"Specialized reporting of scanner results for github actions\"\ninputs:\n scan-args:\n description: \"Arguments to osv-scanner, separated by new line\"\n required: true\nruns:\n using: \"docker\"\n image: \"../../action.dockerfile\"\n entrypoint: /root/osv-reporter\n args:\n - \"${{ inputs.scan-args }}\"\n" }, { "path": "actions/scanner/action.yml", "content": "# Currently experimental.\n# WARNING, this workflow is for legacy purposes. To view the current workflow see: https://github.com/google/osv-scanner-action\nname: \"osv-scanner\"\ndescription: \"Scans your directory against the OSV database (Experimental)\"\ninputs:\n scan-args:\n description: \"Arguments to osv-scanner, separated by new line\"\n default: |-\n --recursive\n ./\nruns:\n using: \"docker\"\n image: \"../../action.dockerfile\"\n args:\n - ${{ inputs.scan-args }}\n" }, { "path": "cmd/osv-reporter/main.go", "content": "// Package main implements the osv-reporter command, which generates GitHub Action\n// output for OSV scanner results.\npackage main\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"log/slog\"\n\t\"os\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/ci\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/reporter\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/urfave/cli/v3\"\n\t\"golang.org/x/term\"\n)\n\nvar (\n\t// Update this variable when doing a release\n\tcommit = \"n/a\"\n\tdate = \"n/a\"\n)\n\n// splitLastArg splits the last argument by new lines and appends the split\n// elements onto args and returns it\nfunc splitLastArg(args []string) []string {\n\tlastArg := args[len(args)-1]\n\tlastArgSplits := strings.Split(lastArg, \"\\n\")\n\targs = append(args[:len(args)-1], lastArgSplits...)\n\n\treturn args\n}\n\nfunc run(args []string, stdout, stderr io.Writer) int {\n\tlogger := cmdlogger.New(stdout, stderr)\n\n\tslog.SetDefault(slog.New(logger))\n\n\t// Allow multiple arguments to be defined by github actions by splitting the last argument\n\t// by new lines.\n\targs = splitLastArg(args)\n\n\tcli.VersionPrinter = func(cmd *cli.Command) {\n\t\tcmdlogger.Infof(\"osv-scanner version: %s\", cmd.Version)\n\t\tcmdlogger.Infof(\"commit: %s\", commit)\n\t\tcmdlogger.Infof(\"built at: %s\", date)\n\t}\n\n\tapp := &cli.Command{\n\t\tName: \"osv-scanner-action-reporter\",\n\t\tVersion: version.OSVVersion,\n\t\tUsage: \"(Experimental) generates github action output\",\n\t\tDescription: \"(Experimental) Used specifically to generate github action output \",\n\t\tSuggest: true,\n\t\tWriter: stdout,\n\t\tErrWriter: stderr,\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"old\",\n\t\t\t\tUsage: \"the old osv json output\",\n\t\t\t\tTakesFile: true,\n\t\t\t\tRequired: false,\n\t\t\t\tDefaultText: \"\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"new\",\n\t\t\t\tUsage: \"the new osv json output\",\n\t\t\t\tTakesFile: true,\n\t\t\t\tRequired: true,\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"output-files\",\n\t\t\t\tUsage: \"used to save files to various formats (--output-files=[format]:[path],[format]:[path]...).\\n\" +\n\t\t\t\t\t\"See available formats in osv-scanner (default output 'sarif').\\n\" +\n\t\t\t\t\t\"In output paths, there are two special options to output to terminal - '#stdout' and '#stderr'.\",\n\t\t\t\tTakesFile: true,\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"output\",\n\t\t\t\tUsage: \"[DEPRECATED] (Use \\\"--output-files\\\" instead)\",\n\t\t\t\tTakesFile: true,\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, _ []string) error {\n\t\t\t\t\tcmdlogger.Warnf(\"Warning: --output has been deprecated in favor of --output-files\")\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"gh-annotations\",\n\t\t\t\tUsage: \"[DEPRECATED] (Use `--output-files=gh-annotations:#stderr`) prints github action annotations\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"fail-on-vuln\",\n\t\t\t\tUsage: \"whether to return 1 when vulnerabilities are found\",\n\t\t\t\tDefaultText: \"true\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"all-vulns\",\n\t\t\t\tUsage: \"show all vulnerabilities including unimportant and uncalled ones\",\n\t\t\t},\n\t\t},\n\t\tAction: func(_ context.Context, cmd *cli.Command) error {\n\t\t\tvar termWidth int\n\t\t\tvar err error\n\t\t\tif stdoutAsFile, ok := stdout.(*os.File); ok {\n\t\t\t\ttermWidth, _, err = term.GetSize(int(stdoutAsFile.Fd()))\n\t\t\t\tif err != nil { // If output is not a terminal,\n\t\t\t\t\ttermWidth = 0\n\t\t\t\t}\n\t\t\t}\n\n\t\t\toldPath := cmd.String(\"old\")\n\t\t\tnewPath := cmd.String(\"new\")\n\n\t\t\toldVulns := models.VulnerabilityResults{}\n\t\t\tif oldPath != \"\" {\n\t\t\t\toldVulns, err = ci.LoadVulnResults(oldPath)\n\t\t\t\tif err != nil {\n\t\t\t\t\tcmdlogger.Warnf(\"failed to open old results at %s: %v - likely because target branch has no lockfiles.\", oldPath, err)\n\t\t\t\t\t// Do not return, assume there is no oldVulns (which will display all new vulns).\n\t\t\t\t\toldVulns = models.VulnerabilityResults{}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tnewVulns, err := ci.LoadVulnResults(newPath)\n\t\t\tif err != nil {\n\t\t\t\tcmdlogger.Warnf(\"failed to open new results at %s: %v - likely because previous step failed.\", newPath, err)\n\t\t\t\tnewVulns = models.VulnerabilityResults{}\n\t\t\t\t// Do not return a non zero error code.\n\t\t\t}\n\n\t\t\tvar diffVulns models.VulnerabilityResults\n\n\t\t\tdiffVulnOccurrences := ci.DiffVulnerabilityResultsByOccurrences(oldVulns, newVulns)\n\t\t\tif len(diffVulnOccurrences) == 0 {\n\t\t\t\t// There are actually no new vulns, no need to do full diff\n\t\t\t\t//\n\t\t\t\t// Since `DiffVulnerabilityResultsByUniqueVulnCount` does not account for Source or Package,\n\t\t\t\t// this actually changes the results in some cases, e.g.\n\t\t\t\t//\n\t\t\t\t// When a lockfile is moved, `DiffVulnerabilityResults` will report the moved lockfile as having\n\t\t\t\t// a new vulnerability if the existing lockfile has a vulnerability. However this check will\n\t\t\t\t// report no vulnerabilities. This is desired behavior.\n\n\t\t\t\t// TODO: This will need to be not empty when we change osv-scanner to report all packages\n\t\t\t\tdiffVulns = models.VulnerabilityResults{}\n\t\t\t} else {\n\t\t\t\t// TODO: This will need to contain all scanned packages when we change osv-scanner to report all packages\n\t\t\t\tdiffVulns = ci.DiffVulnerabilityResults(oldVulns, newVulns)\n\t\t\t}\n\n\t\t\tshowAllVulns := cmd.Bool(\"all-vulns\")\n\n\t\t\tstdoutTaken := false\n\t\t\toutputPaths := cmd.StringSlice(\"output-files\")\n\n\t\t\tif len(outputPaths) == 0 {\n\t\t\t\toutputPaths = cmd.StringSlice(\"output\")\n\t\t\t}\n\n\t\t\tif len(outputPaths) != 0 {\n\t\t\t\tfor _, outputPath := range outputPaths {\n\t\t\t\t\tformat := \"sarif\"\n\t\t\t\t\t// Parses strings like: \"markdown:./output-path.md\n\t\t\t\t\tpreColon, postColon, found := strings.Cut(outputPath, \":\")\n\t\t\t\t\tif found {\n\t\t\t\t\t\toutputPath = postColon\n\t\t\t\t\t\tformat = preColon\n\t\t\t\t\t}\n\n\t\t\t\t\tvar writer io.Writer\n\t\t\t\t\tvar err error\n\n\t\t\t\t\tswitch outputPath {\n\t\t\t\t\tcase \"#stdout\":\n\t\t\t\t\t\twriter = stdout\n\t\t\t\t\t\tstdoutTaken = true\n\t\t\t\t\tcase \"#stderr\":\n\t\t\t\t\t\twriter = stderr\n\t\t\t\t\t\tstdoutTaken = true\n\t\t\t\t\tdefault:\n\t\t\t\t\t\twriter, err = os.Create(outputPath)\n\t\t\t\t\t}\n\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to create output file: %w\", err)\n\t\t\t\t\t}\n\t\t\t\t\ttermWidth = 0\n\n\t\t\t\t\tif errPrint := reporter.PrintResult(&diffVulns, format, writer, termWidth, showAllVulns); errPrint != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to write output: %w\", errPrint)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif !stdoutTaken {\n\t\t\t\tif errPrint := reporter.PrintResult(&diffVulns, \"table\", stdout, termWidth, showAllVulns); errPrint != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to write output: %w\", errPrint)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif cmd.Bool(\"gh-annotations\") {\n\t\t\t\tif errPrint := reporter.PrintResult(&diffVulns, \"gh-annotations\", stderr, termWidth, showAllVulns); errPrint != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to write output: %w\", errPrint)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Default to true, only false when explicitly set to false\n\t\t\tfailOnVuln := !cmd.IsSet(\"fail-on-vuln\") || cmd.Bool(\"fail-on-vuln\")\n\n\t\t\t// Check if any is *not* called\n\t\t\tanyIsCalled := false\n\t\t\tfor _, vuln := range diffVulns.Flatten() {\n\t\t\t\tif vuln.GroupInfo.IsCalled() {\n\t\t\t\t\tanyIsCalled = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// if vulnerability exists it should return error\n\t\t\tif len(diffVulns.Results) > 0 && failOnVuln && anyIsCalled {\n\t\t\t\treturn osvscanner.ErrVulnerabilitiesFound\n\t\t\t}\n\n\t\t\treturn nil\n\t\t},\n\t}\n\n\terr := app.Run(context.Background(), args)\n\n\t// if the config is invalid, it's possible that is why any other errors\n\t// happened so that exit code takes priority\n\tif logger.HasErroredBecauseInvalidConfig() {\n\t\treturn 130\n\t}\n\n\tif err != nil {\n\t\tif errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {\n\t\t\treturn 1\n\t\t}\n\n\t\tif errors.Is(err, osvscanner.ErrNoPackagesFound) {\n\t\t\tcmdlogger.Errorf(\"No package sources found, --help for usage information.\")\n\t\t\treturn 128\n\t\t}\n\n\t\tcmdlogger.Errorf(\"%v\", err)\n\t}\n\n\t// if we've been told to print an error, and not already exited with\n\t// a specific error code, then exit with a generic non-zero code\n\tif logger.HasErrored() {\n\t\treturn 127\n\t}\n\n\treturn 0\n}\n\nfunc main() {\n\tos.Exit(run(os.Args, os.Stdout, os.Stderr))\n}\n" }, { "path": "cmd/osv-reporter/main_test.go", "content": "package main\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n)\n\nfunc Test_splitLastArg(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs []string\n\t\twant []string\n\t}{\n\t\t{\n\t\t\targs: []string{\n\t\t\t\t\"--test1\",\n\t\t\t\t\"--test2\",\n\t\t\t\t\"--test3\\n--test4\\n--test5\",\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\t\"--test1\",\n\t\t\t\t\"--test2\",\n\t\t\t\t\"--test3\",\n\t\t\t\t\"--test4\",\n\t\t\t\t\"--test5\",\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tif got := splitLastArg(tt.args); !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"splitLastArg() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/__snapshots__/main_test.snap", "content": "\n[Test_run/#00 - 1]\nNAME:\n osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database.\n\nUSAGE:\n osv-scanner scan [command [command options]]\n\nDESCRIPTION:\n scans projects and container images for dependencies, and checks them against the OSV database.\n\nCOMMANDS:\n source scans a source project's dependencies for known vulnerabilities using the OSV database.\n image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally\n\nOPTIONS:\n --help, -h show help\n\n---\n\n[Test_run/#00 - 2]\n\n---\n\n[Test_run/#01 - 1]\nNAME:\n osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database.\n\nUSAGE:\n osv-scanner scan [command [command options]]\n\nDESCRIPTION:\n scans projects and container images for dependencies, and checks them against the OSV database.\n\nCOMMANDS:\n source scans a source project's dependencies for known vulnerabilities using the OSV database.\n image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally\n\nOPTIONS:\n --help, -h show help\n\n---\n\n[Test_run/#01 - 2]\n\n---\n\n[Test_run/version - 1]\nosv-scanner version: 2.3.4\nosv-scalibr version: 0.4.5\ncommit: n/a\nbuilt at: n/a\n\n---\n\n[Test_run/version - 2]\n\n---\n\n[Test_run_SubCommands/scan_with_a_flag - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[Test_run_SubCommands/scan_with_a_flag - 2]\nWarning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line.\n\n---\n\n[Test_run_SubCommands/with_no_subcommand - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[Test_run_SubCommands/with_no_subcommand - 2]\n\n---\n\n[Test_run_SubCommands/with_scan_subcommand - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[Test_run_SubCommands/with_scan_subcommand - 2]\nWarning: `scan` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `scan` is assumed to be a subcommand here. If you intended for `scan` to be an argument to `scan`, you must specify `scan scan` in your command line.\n\n---\n" }, { "path": "cmd/osv-scanner/fix/__snapshots__/command_test.snap", "content": "\n[TestCommand/errors_when_in_place_used_without_lockfile - 1]\n\n---\n\n[TestCommand/errors_when_in_place_used_without_lockfile - 2]\nin-place strategy requires lockfile\n\n---\n\n[TestCommand/errors_when_in_place_used_without_lockfile - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo /\"Error: no test specified/\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"6.2.0\"\n }\n}\n\n---\n\n[TestCommand/errors_when_override_used_without_manifest - 1]\n\n---\n\n[TestCommand/errors_when_override_used_without_manifest - 2]\noverride strategy requires manifest file\n\n---\n\n[TestCommand/errors_when_override_used_without_manifest - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"dependencies\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"requires\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"requires\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/errors_when_relax_used_without_manifest - 1]\n\n---\n\n[TestCommand/errors_when_relax_used_without_manifest - 2]\nrelax strategy requires manifest file\n\n---\n\n[TestCommand/errors_when_relax_used_without_manifest - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"dependencies\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"requires\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"requires\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/errors_when_relock_used_without_manifest - 1]\n\n---\n\n[TestCommand/errors_when_relock_used_without_manifest - 2]\nrelax strategy requires manifest file\n\n---\n\n[TestCommand/errors_when_relock_used_without_manifest - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"dependencies\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.12.6\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz\",\n \"integrity\": \"sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.11\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz\",\n \"integrity\": \"sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==\",\n \"requires\": {\n \"balanced-match\": \"^1.0.0\",\n \"concat-map\": \"0.0.1\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.5.0\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.5.0.tgz\",\n \"integrity\": \"sha512-litEocitzYgqQ0IPaoLw+tCHcVcJJYW05+SAhH+LS9qutSC7iuejvawts3cUYQycZbRbLsjG8mCJLQi2KX5kEw==\",\n \"requires\": {\n \"inherits\": \"~2.0.1\",\n \"readable-stream\": \"~2.0.0\",\n \"typedarray\": \"~0.0.5\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.1.4\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.1.4.tgz\",\n \"integrity\": \"sha512-4R9eDu2ytsDMdo7nQXHrpK1347y3nu/ThXZ4tjpkUTsZnzoIIQprnPOM65c20oInjmocLuEGBIbPsesYCqibag==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.2\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz\",\n \"integrity\": \"sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/errors_with_invalid_data_source - 1]\n\n---\n\n[TestCommand/errors_with_invalid_data_source - 2]\nunsupported data-source \"github\" - must be one of: deps.dev, native\n\n---\n\n[TestCommand/errors_with_unsupported_format - 1]\n\n---\n\n[TestCommand/errors_with_unsupported_format - 2]\nunsupported output format \"yaml\" - must be one of: text, json\n\n---\n\n[TestCommand/errors_with_unsupported_strategy - 1]\n\n---\n\n[TestCommand/errors_with_unsupported_strategy - 2]\nunsupported strategy \"force\" - must be one of: in-place, relax, override\n\n---\n\n[TestCommand/fix_non-interactive_in-place_package-lock.json - 1]\nScanning /package-lock.json...\nFound 12 vulnerabilities matching the filter\nCan fix 7/12 matching vulnerabilities by changing 5 dependencies\nUPGRADED-PACKAGE: minimatch,3.1.2,3.1.5\nUPGRADED-PACKAGE: ajv,6.12.6,6.14.0\nUPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12\nUPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1\nUPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9\nFIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw\nREMAINING-VULNS: 5\nUNFIXABLE-VULNS: 7\nRewriting /package-lock.json...\n\n---\n\n[TestCommand/fix_non-interactive_in-place_package-lock.json - 2]\n\n---\n\n[TestCommand/fix_non-interactive_in-place_package-lock.json - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"dependencies\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"requires\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"requires\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/fix_non-interactive_json_in-place_package-lock.json - 1]\n{\n \"path\": \"/package-lock.json\",\n \"ecosystem\": \"npm\",\n \"strategy\": \"in-place\",\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-23c5-xmqv-rm74\",\n \"packages\": [\n {\n \"name\": \"minimatch\",\n \"version\": \"3.1.2\"\n }\n ]\n },\n {\n \"id\": \"GHSA-2g4f-4pwh-qvx6\",\n \"packages\": [\n {\n \"name\": \"ajv\",\n \"version\": \"6.12.6\"\n }\n ]\n },\n {\n \"id\": \"GHSA-43f8-2h32-f4cj\",\n \"packages\": [\n {\n \"name\": \"hosted-git-info\",\n \"version\": \"2.1.4\"\n }\n ]\n },\n {\n \"id\": \"GHSA-43f8-2h32-f4cj\",\n \"packages\": [\n {\n \"name\": \"hosted-git-info\",\n \"version\": \"1.6.0\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-6rw7-vpxm-498p\",\n \"packages\": [\n {\n \"name\": \"qs\",\n \"version\": \"6.5.3\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-72xf-g2v4-qvf3\",\n \"packages\": [\n {\n \"name\": \"tough-cookie\",\n \"version\": \"2.5.0\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-c2qf-rxjj-qqgw\",\n \"packages\": [\n {\n \"name\": \"semver\",\n \"version\": \"4.3.6\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-c6rq-rjc2-86v2\",\n \"packages\": [\n {\n \"name\": \"chownr\",\n \"version\": \"0.0.2\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-fjxv-7rqg-78g4\",\n \"packages\": [\n {\n \"name\": \"form-data\",\n \"version\": \"2.3.3\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-g74r-ffvr-5q9f\",\n \"packages\": [\n {\n \"name\": \"concat-stream\",\n \"version\": \"1.5.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-p8p7-x288-28g6\",\n \"packages\": [\n {\n \"name\": \"request\",\n \"version\": \"2.88.2\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-v6h2-p8h4-qcjw\",\n \"packages\": [\n {\n \"name\": \"brace-expansion\",\n \"version\": \"1.1.11\"\n }\n ]\n }\n ],\n \"patches\": [\n {\n \"packageUpdates\": [\n {\n \"name\": \"minimatch\",\n \"versionFrom\": \"3.1.2\",\n \"versionTo\": \"3.1.5\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-23c5-xmqv-rm74\",\n \"packages\": [\n {\n \"name\": \"minimatch\",\n \"version\": \"3.1.2\"\n }\n ]\n },\n {\n \"id\": \"GHSA-3ppc-4f35-3m26\",\n \"packages\": [\n {\n \"name\": \"minimatch\",\n \"version\": \"3.1.2\"\n }\n ]\n },\n {\n \"id\": \"GHSA-7r86-cg39-jmmj\",\n \"packages\": [\n {\n \"name\": \"minimatch\",\n \"version\": \"3.1.2\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"ajv\",\n \"versionFrom\": \"6.12.6\",\n \"versionTo\": \"6.14.0\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-2g4f-4pwh-qvx6\",\n \"packages\": [\n {\n \"name\": \"ajv\",\n \"version\": \"6.12.6\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"brace-expansion\",\n \"versionFrom\": \"1.1.11\",\n \"versionTo\": \"1.1.12\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-v6h2-p8h4-qcjw\",\n \"packages\": [\n {\n \"name\": \"brace-expansion\",\n \"version\": \"1.1.11\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"concat-stream\",\n \"versionFrom\": \"1.5.0\",\n \"versionTo\": \"1.6.1\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-g74r-ffvr-5q9f\",\n \"packages\": [\n {\n \"name\": \"concat-stream\",\n \"version\": \"1.5.0\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"hosted-git-info\",\n \"versionFrom\": \"2.1.4\",\n \"versionTo\": \"2.8.9\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-43f8-2h32-f4cj\",\n \"packages\": [\n {\n \"name\": \"hosted-git-info\",\n \"version\": \"2.1.4\"\n }\n ]\n }\n ]\n }\n ]\n}\n\n---\n\n[TestCommand/fix_non-interactive_json_in-place_package-lock.json - 2]\nScanning /package-lock.json...\nRewriting /package-lock.json...\n\n---\n\n[TestCommand/fix_non-interactive_json_in-place_package-lock.json - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"dependencies\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"requires\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"requires\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/fix_non-interactive_json_override_pom.xml - 1]\n{\n \"path\": \"/pom.xml\",\n \"ecosystem\": \"Maven\",\n \"strategy\": \"override\",\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-2x83-r56g-cv47\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-78wr-2p64-hpwj\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.5\"\n }\n ]\n },\n {\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-8vhq-qq4p-grq3\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-cfh5-3ghh-wfjx\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-fmj5-wv96-r2ch\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-g6ph-x5wf-g337\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gp7f-rwcx-9369\",\n \"packages\": [\n {\n \"name\": \"org.jsoup:jsoup\",\n \"version\": \"1.14.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gw85-4gmf-m7rh\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gwrp-pvrq-jmwv\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.5\"\n }\n ]\n },\n {\n \"id\": \"GHSA-jcwr-x25h-x5fh\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-m72m-mhq2-9p6c\",\n \"packages\": [\n {\n \"name\": \"org.jsoup:jsoup\",\n \"version\": \"1.14.1\"\n }\n ]\n }\n ],\n \"patches\": [\n {\n \"packageUpdates\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"versionFrom\": \"4.0\",\n \"versionTo\": \"4.5.13\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-2x83-r56g-cv47\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-cfh5-3ghh-wfjx\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-fmj5-wv96-r2ch\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gw85-4gmf-m7rh\",\n \"packages\": [\n {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"version\": \"4.0\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"versionFrom\": \"3.0\",\n \"versionTo\": \"3.0.24\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-8vhq-qq4p-grq3\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-g6ph-x5wf-g337\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-jcwr-x25h-x5fh\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"version\": \"3.0\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"versionFrom\": \"2.5\",\n \"versionTo\": \"2.14.0\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-78wr-2p64-hpwj\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.5\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gwrp-pvrq-jmwv\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.5\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"org.jsoup:jsoup\",\n \"versionFrom\": \"1.14.1\",\n \"versionTo\": \"1.15.3\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-gp7f-rwcx-9369\",\n \"packages\": [\n {\n \"name\": \"org.jsoup:jsoup\",\n \"version\": \"1.14.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-m72m-mhq2-9p6c\",\n \"packages\": [\n {\n \"name\": \"org.jsoup:jsoup\",\n \"version\": \"1.14.1\"\n }\n ]\n }\n ]\n }\n ]\n}\n\n---\n\n[TestCommand/fix_non-interactive_json_override_pom.xml - 2]\nResolving /pom.xml...\nRewriting /pom.xml...\n\n---\n\n[TestCommand/fix_non-interactive_json_override_pom.xml - 3]\n\n 4.0.0\n\n dev.osv\n osv-fix\n 1\n\n \n 4.5.13\n \n\n \n \n \n commons-io\n commons-io\n 2.14.0\n \n \n org.jsoup\n jsoup\n 1.15.3\n \n \n org.apache.httpcomponents\n httpclient\n ${httpclient.version}\n \n \n \n\n \n \n org.apache.maven.wagon\n wagon-http\n 3.0.0\n \n \n org.codehaus.plexus\n plexus-utils\n 3.0.24\n \n \n\n\n---\n\n[TestCommand/fix_non-interactive_json_relax_package.json - 1]\n{\n \"path\": \"/package.json\",\n \"ecosystem\": \"npm\",\n \"strategy\": \"relax\",\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-43f8-2h32-f4cj\",\n \"packages\": [\n {\n \"name\": \"hosted-git-info\",\n \"version\": \"1.6.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-6rw7-vpxm-498p\",\n \"packages\": [\n {\n \"name\": \"qs\",\n \"version\": \"6.5.5\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-72xf-g2v4-qvf3\",\n \"packages\": [\n {\n \"name\": \"tough-cookie\",\n \"version\": \"2.5.0\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-c2qf-rxjj-qqgw\",\n \"packages\": [\n {\n \"name\": \"semver\",\n \"version\": \"4.3.6\"\n }\n ]\n },\n {\n \"id\": \"GHSA-c6rq-rjc2-86v2\",\n \"packages\": [\n {\n \"name\": \"chownr\",\n \"version\": \"0.0.2\"\n }\n ]\n },\n {\n \"id\": \"GHSA-fjxv-7rqg-78g4\",\n \"packages\": [\n {\n \"name\": \"form-data\",\n \"version\": \"2.3.3\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-p8p7-x288-28g6\",\n \"packages\": [\n {\n \"name\": \"request\",\n \"version\": \"2.88.2\"\n }\n ],\n \"unactionable\": true\n }\n ],\n \"patches\": [\n {\n \"packageUpdates\": [\n {\n \"name\": \"npm-registry-client\",\n \"versionFrom\": \"6.2.0\",\n \"versionTo\": \"^7.5.0\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-43f8-2h32-f4cj\",\n \"packages\": [\n {\n \"name\": \"hosted-git-info\",\n \"version\": \"1.6.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-c2qf-rxjj-qqgw\",\n \"packages\": [\n {\n \"name\": \"semver\",\n \"version\": \"4.3.6\"\n }\n ]\n },\n {\n \"id\": \"GHSA-c6rq-rjc2-86v2\",\n \"packages\": [\n {\n \"name\": \"chownr\",\n \"version\": \"0.0.2\"\n }\n ]\n }\n ]\n }\n ]\n}\n\n---\n\n[TestCommand/fix_non-interactive_json_relax_package.json - 2]\nResolving /package.json...\nRewriting /package.json...\n\n---\n\n[TestCommand/fix_non-interactive_json_relax_package.json - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo /\"Error: no test specified/\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^7.5.0\"\n }\n}\n\n---\n\n[TestCommand/fix_non-interactive_override_pom.xml - 1]\nResolving /pom.xml...\nFound 12 vulnerabilities matching the filter\nCan fix 12/12 matching vulnerabilities by overriding 4 dependencies\nOVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13\nOVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.0.24\nOVERRIDE-PACKAGE: commons-io:commons-io,2.14.0\nOVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3\nFIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c\nREMAINING-VULNS: 0\nUNFIXABLE-VULNS: 0\nRewriting /pom.xml...\n\n---\n\n[TestCommand/fix_non-interactive_override_pom.xml - 2]\n\n---\n\n[TestCommand/fix_non-interactive_override_pom.xml - 3]\n\n 4.0.0\n\n dev.osv\n osv-fix\n 1\n\n \n 4.5.13\n \n\n \n \n \n commons-io\n commons-io\n 2.14.0\n \n \n org.jsoup\n jsoup\n 1.15.3\n \n \n org.apache.httpcomponents\n httpclient\n ${httpclient.version}\n \n \n \n\n \n \n org.apache.maven.wagon\n wagon-http\n 3.0.0\n \n \n org.codehaus.plexus\n plexus-utils\n 3.0.24\n \n \n\n\n---\n\n[TestCommand/fix_non-interactive_relax_package.json - 1]\nResolving /package.json...\nFound 7 vulnerabilities matching the filter\nCan fix 3/7 matching vulnerabilities by changing 1 dependencies\nUPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0\nFIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2\nREMAINING-VULNS: 4\nUNFIXABLE-VULNS: 4\nRewriting /package.json...\n\n---\n\n[TestCommand/fix_non-interactive_relax_package.json - 2]\n\n---\n\n[TestCommand/fix_non-interactive_relax_package.json - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo /\"Error: no test specified/\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^7.5.0\"\n }\n}\n\n---\n\n[TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 1]\nScanning /package-lock.json...\nFound 12 vulnerabilities matching the filter\nCan fix 7/12 matching vulnerabilities by changing 5 dependencies\nUPGRADED-PACKAGE: minimatch,3.1.2,3.1.5\nUPGRADED-PACKAGE: ajv,6.12.6,6.14.0\nUPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12\nUPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1\nUPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9\nFIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw\nREMAINING-VULNS: 5\nUNFIXABLE-VULNS: 7\nRewriting /package-lock.json...\n\n---\n\n[TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 2]\n\n---\n\n[TestCommand/fix_non_interactive_in_place_package_lock_json_with_native_data_source - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"dependencies\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"requires\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"requires\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 1]\nResolving /pom.xml...\nFound 12 vulnerabilities matching the filter\nCan fix 12/12 matching vulnerabilities by overriding 4 dependencies\nOVERRIDE-PACKAGE: org.apache.httpcomponents:httpclient,4.5.13\nOVERRIDE-PACKAGE: org.codehaus.plexus:plexus-utils,3.0.24\nOVERRIDE-PACKAGE: commons-io:commons-io,2.14.0\nOVERRIDE-PACKAGE: org.jsoup:jsoup,1.15.3\nFIXED-VULN-IDS: GHSA-2x83-r56g-cv47,GHSA-78wr-2p64-hpwj,GHSA-7r82-7xv7-xcpj,GHSA-8vhq-qq4p-grq3,GHSA-cfh5-3ghh-wfjx,GHSA-fmj5-wv96-r2ch,GHSA-g6ph-x5wf-g337,GHSA-gp7f-rwcx-9369,GHSA-gw85-4gmf-m7rh,GHSA-gwrp-pvrq-jmwv,GHSA-jcwr-x25h-x5fh,GHSA-m72m-mhq2-9p6c\nREMAINING-VULNS: 0\nUNFIXABLE-VULNS: 0\nRewriting /pom.xml...\n\n---\n\n[TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 2]\n\n---\n\n[TestCommand/fix_non_interactive_override_pom_xml_with_native_data_source - 3]\n\n 4.0.0\n\n dev.osv\n osv-fix\n 1\n\n \n 4.5.13\n \n\n \n \n \n commons-io\n commons-io\n 2.14.0\n \n \n org.jsoup\n jsoup\n 1.15.3\n \n \n org.apache.httpcomponents\n httpclient\n ${httpclient.version}\n \n \n \n\n \n \n org.apache.maven.wagon\n wagon-http\n 3.0.0\n \n \n org.codehaus.plexus\n plexus-utils\n 3.0.24\n \n \n\n\n---\n\n[TestCommand/no_args_provided - 1]\n\n---\n\n[TestCommand/no_args_provided - 2]\nmanifest or lockfile is required\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 1]\nLoaded npm local db from /osv-scanner/npm/all.zip\nScanning /package-lock.json...\nFound 12 vulnerabilities matching the filter\nCan fix 7/12 matching vulnerabilities by changing 5 dependencies\nUPGRADED-PACKAGE: minimatch,3.1.2,3.1.5\nUPGRADED-PACKAGE: ajv,6.12.6,6.14.0\nUPGRADED-PACKAGE: brace-expansion,1.1.11,1.1.12\nUPGRADED-PACKAGE: concat-stream,1.5.0,1.6.1\nUPGRADED-PACKAGE: hosted-git-info,2.1.4,2.8.9\nFIXED-VULN-IDS: GHSA-23c5-xmqv-rm74,GHSA-2g4f-4pwh-qvx6,GHSA-3ppc-4f35-3m26,GHSA-43f8-2h32-f4cj,GHSA-7r86-cg39-jmmj,GHSA-g74r-ffvr-5q9f,GHSA-v6h2-p8h4-qcjw\nREMAINING-VULNS: 5\nUNFIXABLE-VULNS: 7\nRewriting /package-lock.json...\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 2]\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_in_place_package_lock_json_with_offline_vulns - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^6.2.0\"\n }\n },\n \"node_modules/ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"dependencies\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n },\n \"funding\": {\n \"type\": \"github\",\n \"url\": \"https://github.com/sponsors/epoberezkin\"\n }\n },\n \"node_modules/ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"node_modules/are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"dependencies\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"node_modules/assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\",\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"node_modules/aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"node_modules/balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"node_modules/bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"dependencies\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"node_modules/brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"dependencies\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"node_modules/caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"node_modules/chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"node_modules/color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true,\n \"bin\": {\n \"color-support\": \"bin.js\"\n }\n },\n \"node_modules/combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"dependencies\": {\n \"delayed-stream\": \"~1.0.0\"\n },\n \"engines\": {\n \"node\": \">= 0.8\"\n }\n },\n \"node_modules/concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"node_modules/concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"engines\": [\n \"node >= 0.8\"\n ],\n \"dependencies\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"node_modules/console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"node_modules/core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"node_modules/dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \">=0.10\"\n }\n },\n \"node_modules/delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\",\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"dependencies\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"node_modules/emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"node_modules/extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"node_modules/extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\",\n \"engines\": [\n \"node >=0.6.0\"\n ]\n },\n \"node_modules/fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"node_modules/fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"node_modules/forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"dependencies\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n },\n \"engines\": {\n \"node\": \">= 0.12\"\n }\n },\n \"node_modules/fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"node_modules/function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"dependencies\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"node_modules/glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"dependencies\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n },\n \"engines\": {\n \"node\": \"*\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"dependencies\": {\n \"natives\": \"^1.1.3\"\n },\n \"engines\": {\n \"node\": \">=0.4.0\"\n }\n },\n \"node_modules/har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\",\n \"engines\": {\n \"node\": \">=4\"\n }\n },\n \"node_modules/har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"deprecated\": \"this library is no longer supported\",\n \"dependencies\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"node_modules/hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"dependencies\": {\n \"function-bind\": \"^1.1.2\"\n },\n \"engines\": {\n \"node\": \">= 0.4\"\n }\n },\n \"node_modules/hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"node_modules/http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n },\n \"engines\": {\n \"node\": \">=0.8\",\n \"npm\": \">=1.3.7\"\n }\n },\n \"node_modules/inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"dependencies\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"node_modules/is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"dependencies\": {\n \"hasown\": \"^2.0.0\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"node_modules/isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"node_modules/isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"node_modules/jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"node_modules/json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"node_modules/json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"node_modules/json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"node_modules/jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"dependencies\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n },\n \"engines\": {\n \"node\": \">=0.6.0\"\n }\n },\n \"node_modules/mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\",\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"dependencies\": {\n \"mime-db\": \"1.52.0\"\n },\n \"engines\": {\n \"node\": \">= 0.6\"\n }\n },\n \"node_modules/minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"dependencies\": {\n \"brace-expansion\": \"^1.1.7\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\",\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"dependencies\": {\n \"minimist\": \"^1.2.6\"\n },\n \"bin\": {\n \"mkdirp\": \"bin/cmd.js\"\n }\n },\n \"node_modules/natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\",\n \"deprecated\": \"This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.\"\n },\n \"node_modules/normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"node_modules/npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"dependencies\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n }\n },\n \"node_modules/npm-package-arg/node_modules/hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n },\n \"node_modules/npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"dependencies\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n },\n \"optionalDependencies\": {\n \"npmlog\": \"\"\n }\n },\n \"node_modules/npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"dependencies\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n },\n \"engines\": {\n \"node\": \"^14.17.0 || ^16.13.0 || >=18.0.0\"\n }\n },\n \"node_modules/oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"dependencies\": {\n \"wrappy\": \"1\"\n }\n },\n \"node_modules/path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\",\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"node_modules/performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"node_modules/process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"node_modules/psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"node_modules/punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\",\n \"engines\": {\n \"node\": \">=6\"\n }\n },\n \"node_modules/qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\",\n \"engines\": {\n \"node\": \">=0.6\"\n }\n },\n \"node_modules/readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"dependencies\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"node_modules/request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"deprecated\": \"request has been deprecated, see https://github.com/request/request/issues/3142\",\n \"dependencies\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n },\n \"engines\": {\n \"node\": \">= 6\"\n }\n },\n \"node_modules/resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"dependencies\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n },\n \"bin\": {\n \"resolve\": \"bin/resolve\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"dependencies\": {\n \"glob\": \"^7.1.3\"\n },\n \"bin\": {\n \"rimraf\": \"bin.js\"\n }\n },\n \"node_modules/safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"node_modules/safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"node_modules/semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\",\n \"bin\": {\n \"semver\": \"bin/semver\"\n }\n },\n \"node_modules/set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"node_modules/signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true,\n \"engines\": {\n \"node\": \">=14\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/isaacs\"\n }\n },\n \"node_modules/slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\",\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"dependencies\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"node_modules/spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"dependencies\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"node_modules/spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"node_modules/sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"dependencies\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n },\n \"bin\": {\n \"sshpk-conv\": \"bin/sshpk-conv\",\n \"sshpk-sign\": \"bin/sshpk-sign\",\n \"sshpk-verify\": \"bin/sshpk-verify\"\n },\n \"engines\": {\n \"node\": \">=0.10.0\"\n }\n },\n \"node_modules/string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"dependencies\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"node_modules/string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"dependencies\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"dependencies\": {\n \"ansi-regex\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \">=8\"\n }\n },\n \"node_modules/supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\",\n \"engines\": {\n \"node\": \">= 0.4\"\n },\n \"funding\": {\n \"url\": \"https://github.com/sponsors/ljharb\"\n }\n },\n \"node_modules/tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"dependencies\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n },\n \"engines\": {\n \"node\": \">=0.8\"\n }\n },\n \"node_modules/tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"dependencies\": {\n \"safe-buffer\": \"^5.0.1\"\n },\n \"engines\": {\n \"node\": \"*\"\n }\n },\n \"node_modules/tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"node_modules/typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"node_modules/uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"dependencies\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"node_modules/util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"node_modules/uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\",\n \"deprecated\": \"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.\",\n \"bin\": {\n \"uuid\": \"bin/uuid\"\n }\n },\n \"node_modules/validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"dependencies\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"node_modules/verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"engines\": [\n \"node >=0.6.0\"\n ],\n \"dependencies\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n }\n },\n \"node_modules/verror/node_modules/core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n },\n \"node_modules/wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"dependencies\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"node_modules/wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n },\n \"dependencies\": {\n \"ajv\": {\n \"version\": \"6.14.0\",\n \"resolved\": \"https://registry.npmjs.org/ajv/-/ajv-6.14.0.tgz\",\n \"integrity\": \"sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==\",\n \"requires\": {\n \"fast-deep-equal\": \"^3.1.1\",\n \"fast-json-stable-stringify\": \"^2.0.0\",\n \"json-schema-traverse\": \"^0.4.1\",\n \"uri-js\": \"^4.2.2\"\n }\n },\n \"ansi-regex\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz\",\n \"integrity\": \"sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==\",\n \"optional\": true\n },\n \"aproba\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/aproba/-/aproba-2.0.0.tgz\",\n \"integrity\": \"sha512-lYe4Gx7QT+MKGbDsA+Z+he/Wtef0BiwDOlK/XkBrdfsh9J/jPPXbX0tE9x9cl27Tmu5gg3QUbUrQYa/y+KOHPQ==\",\n \"optional\": true\n },\n \"are-we-there-yet\": {\n \"version\": \"4.0.2\",\n \"resolved\": \"https://registry.npmjs.org/are-we-there-yet/-/are-we-there-yet-4.0.2.tgz\",\n \"integrity\": \"sha512-ncSWAawFhKMJDTdoAeOV+jyW1VCMj5QIAwULIBV0SSR7B/RLPPEQiknKcg/RIIZlUQrxELpsxMiTUoAQ4sIUyg==\",\n \"optional\": true\n },\n \"asn1\": {\n \"version\": \"0.2.6\",\n \"resolved\": \"https://registry.npmjs.org/asn1/-/asn1-0.2.6.tgz\",\n \"integrity\": \"sha512-ix/FxPn0MDjeyJ7i/yoHGFt/EX6LyNbxSEhPPXODPL+KB0VPk86UYfL0lMdy+KCnv+fmvIzySwaK5COwqVbWTQ==\",\n \"requires\": {\n \"safer-buffer\": \"~2.1.0\"\n }\n },\n \"assert-plus\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/assert-plus/-/assert-plus-1.0.0.tgz\",\n \"integrity\": \"sha512-NfJ4UzBCcQGLDlQq7nHxH+tv3kyZ0hHQqF5BO6J7tNJeP5do1llPr8dZ8zHonfhAu0PHAdMkSo+8o0wxg9lZWw==\"\n },\n \"asynckit\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/asynckit/-/asynckit-0.4.0.tgz\",\n \"integrity\": \"sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==\"\n },\n \"aws-sign2\": {\n \"version\": \"0.7.0\",\n \"resolved\": \"https://registry.npmjs.org/aws-sign2/-/aws-sign2-0.7.0.tgz\",\n \"integrity\": \"sha512-08kcGqnYf/YmjoRhfxyu+CLxBjUtHLXLXX/vUfx9l2LYzG3c1m61nrpyFUZI6zeS+Li/wWMMidD9KgrqtGq3mA==\"\n },\n \"aws4\": {\n \"version\": \"1.12.0\",\n \"resolved\": \"https://registry.npmjs.org/aws4/-/aws4-1.12.0.tgz\",\n \"integrity\": \"sha512-NmWvPnx0F1SfrQbYwOi7OeaNGokp9XhzNioJ/CSBs8Qa4vxug81mhJEAVZwxXuBmYB5KDRfMq/F3RR0BIU7sWg==\"\n },\n \"balanced-match\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz\",\n \"integrity\": \"sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==\"\n },\n \"bcrypt-pbkdf\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/bcrypt-pbkdf/-/bcrypt-pbkdf-1.0.2.tgz\",\n \"integrity\": \"sha512-qeFIXtP4MSoi6NLqO12WfqARWWuCKi2Rn/9hJLEmtB5yTNr9DqFWkJRCf2qShWzPeAMRnOgCrq0sg/KLv5ES9w==\",\n \"requires\": {\n \"tweetnacl\": \"^0.14.3\"\n }\n },\n \"brace-expansion\": {\n \"version\": \"1.1.12\",\n \"resolved\": \"https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz\",\n \"integrity\": \"sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==\",\n \"requires\": {\n \"concat-map\": \"0.0.1\",\n \"balanced-match\": \"^1.0.0\"\n }\n },\n \"caseless\": {\n \"version\": \"0.12.0\",\n \"resolved\": \"https://registry.npmjs.org/caseless/-/caseless-0.12.0.tgz\",\n \"integrity\": \"sha512-4tYFyifaFfGacoiObjJegolkwSU4xQNGbVgUiNYVUxbQ2x2lUsFvY4hVgVzGiIe6WLOPqycWXA40l+PWsxthUw==\"\n },\n \"chownr\": {\n \"version\": \"0.0.2\",\n \"resolved\": \"https://registry.npmjs.org/chownr/-/chownr-0.0.2.tgz\",\n \"integrity\": \"sha512-4sa7ZJ+/DavveVRsu49tUbYvLn5cS75w8gLQr14jXlFxSNbuoY7G6gPjcVfgdQ+c4BW02b0hXV5nOXYFD7Fmpw==\"\n },\n \"color-support\": {\n \"version\": \"1.1.3\",\n \"resolved\": \"https://registry.npmjs.org/color-support/-/color-support-1.1.3.tgz\",\n \"integrity\": \"sha512-qiBjkpbMLO/HL68y+lh4q0/O1MZFj2RX6X/KmMa3+gJD3z+WwI1ZzDHysvqHGS3mP6mznPckpXmw1nI9cJjyRg==\",\n \"optional\": true\n },\n \"combined-stream\": {\n \"version\": \"1.0.8\",\n \"resolved\": \"https://registry.npmjs.org/combined-stream/-/combined-stream-1.0.8.tgz\",\n \"integrity\": \"sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==\",\n \"requires\": {\n \"delayed-stream\": \"~1.0.0\"\n }\n },\n \"concat-map\": {\n \"version\": \"0.0.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz\",\n \"integrity\": \"sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==\"\n },\n \"concat-stream\": {\n \"version\": \"1.6.1\",\n \"resolved\": \"https://registry.npmjs.org/concat-stream/-/concat-stream-1.6.1.tgz\",\n \"integrity\": \"sha512-gslSSJx03QKa59cIKqeJO9HQ/WZMotvYJCuaUULrLpjj8oG40kV2Z+gz82pVxlTkOADi4PJxQPPfhl1ELYrrXw==\",\n \"requires\": {\n \"inherits\": \"^2.0.3\",\n \"typedarray\": \"^0.0.6\",\n \"readable-stream\": \"^2.2.2\"\n }\n },\n \"console-control-strings\": {\n \"version\": \"1.1.0\",\n \"resolved\": \"https://registry.npmjs.org/console-control-strings/-/console-control-strings-1.1.0.tgz\",\n \"integrity\": \"sha512-ty/fTekppD2fIwRvnZAVdeOiGd1c7YXEixbgJTNzqcxJWKQnjJ/V1bNEEE6hygpM3WjwHFUVK6HTjWSzV4a8sQ==\",\n \"optional\": true\n },\n \"core-util-is\": {\n \"version\": \"1.0.3\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.3.tgz\",\n \"integrity\": \"sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==\"\n },\n \"dashdash\": {\n \"version\": \"1.14.1\",\n \"resolved\": \"https://registry.npmjs.org/dashdash/-/dashdash-1.14.1.tgz\",\n \"integrity\": \"sha512-jRFi8UDGo6j+odZiEpjazZaWqEal3w/basFjQHQEwVtZJGDpxbH1MeYluwCS8Xq5wmLJooDlMgvVarmWfGM44g==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"delayed-stream\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/delayed-stream/-/delayed-stream-1.0.0.tgz\",\n \"integrity\": \"sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==\"\n },\n \"ecc-jsbn\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/ecc-jsbn/-/ecc-jsbn-0.1.2.tgz\",\n \"integrity\": \"sha512-eh9O+hwRHNbG4BLTjEl3nw044CkGm5X6LoaCf7LPp7UU8Qrt47JYNi6nPX8xjW97TKGKm1ouctg0QSpZe9qrnw==\",\n \"requires\": {\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.1.0\"\n }\n },\n \"emoji-regex\": {\n \"version\": \"8.0.0\",\n \"resolved\": \"https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz\",\n \"integrity\": \"sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==\",\n \"optional\": true\n },\n \"extend\": {\n \"version\": \"3.0.2\",\n \"resolved\": \"https://registry.npmjs.org/extend/-/extend-3.0.2.tgz\",\n \"integrity\": \"sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==\"\n },\n \"extsprintf\": {\n \"version\": \"1.3.0\",\n \"resolved\": \"https://registry.npmjs.org/extsprintf/-/extsprintf-1.3.0.tgz\",\n \"integrity\": \"sha512-11Ndz7Nv+mvAC1j0ktTa7fAb0vLyGGX+rMHNBYQviQDGU0Hw7lhctJANqbPhu9nV9/izT/IntTgZ7Im/9LJs9g==\"\n },\n \"fast-deep-equal\": {\n \"version\": \"3.1.3\",\n \"resolved\": \"https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz\",\n \"integrity\": \"sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==\"\n },\n \"fast-json-stable-stringify\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz\",\n \"integrity\": \"sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==\"\n },\n \"forever-agent\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/forever-agent/-/forever-agent-0.6.1.tgz\",\n \"integrity\": \"sha512-j0KLYPhm6zeac4lz3oJ3o65qvgQCcPubiyotZrXqEaG4hNagNYO8qdlUrX5vwqv9ohqeT/Z3j6+yW067yWWdUw==\"\n },\n \"form-data\": {\n \"version\": \"2.3.3\",\n \"resolved\": \"https://registry.npmjs.org/form-data/-/form-data-2.3.3.tgz\",\n \"integrity\": \"sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==\",\n \"requires\": {\n \"asynckit\": \"^0.4.0\",\n \"combined-stream\": \"^1.0.6\",\n \"mime-types\": \"^2.1.12\"\n }\n },\n \"fs.realpath\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz\",\n \"integrity\": \"sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==\"\n },\n \"function-bind\": {\n \"version\": \"1.1.2\",\n \"resolved\": \"https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz\",\n \"integrity\": \"sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==\"\n },\n \"gauge\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/gauge/-/gauge-5.0.1.tgz\",\n \"integrity\": \"sha512-CmykPMJGuNan/3S4kZOpvvPYSNqSHANiWnh9XcMU2pSjtBfF0XzZ2p1bFAxTbnFxyBuPxQYHhzwaoOmUdqzvxQ==\",\n \"optional\": true,\n \"requires\": {\n \"aproba\": \"^1.0.3 || ^2.0.0\",\n \"color-support\": \"^1.1.3\",\n \"console-control-strings\": \"^1.1.0\",\n \"has-unicode\": \"^2.0.1\",\n \"signal-exit\": \"^4.0.1\",\n \"string-width\": \"^4.2.3\",\n \"strip-ansi\": \"^6.0.1\",\n \"wide-align\": \"^1.1.5\"\n }\n },\n \"getpass\": {\n \"version\": \"0.1.7\",\n \"resolved\": \"https://registry.npmjs.org/getpass/-/getpass-0.1.7.tgz\",\n \"integrity\": \"sha512-0fzj9JxOLfJ+XGLhR8ze3unN0KZCgZwiSSDz168VERjK8Wl8kVSdcu2kspd4s4wtAa1y/qrVRiAA0WclVsu0ng==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\"\n }\n },\n \"glob\": {\n \"version\": \"7.2.3\",\n \"resolved\": \"https://registry.npmjs.org/glob/-/glob-7.2.3.tgz\",\n \"integrity\": \"sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==\",\n \"requires\": {\n \"fs.realpath\": \"^1.0.0\",\n \"inflight\": \"^1.0.4\",\n \"inherits\": \"2\",\n \"minimatch\": \"^3.1.1\",\n \"once\": \"^1.3.0\",\n \"path-is-absolute\": \"^1.0.0\"\n }\n },\n \"graceful-fs\": {\n \"version\": \"3.0.12\",\n \"resolved\": \"https://registry.npmjs.org/graceful-fs/-/graceful-fs-3.0.12.tgz\",\n \"integrity\": \"sha512-J55gaCS4iTTJfTXIxSVw3EMQckcqkpdRv3IR7gu6sq0+tbC363Zx6KH/SEwXASK9JRbhyZmVjJEVJIOxYsB3Qg==\",\n \"requires\": {\n \"natives\": \"^1.1.3\"\n }\n },\n \"har-schema\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/har-schema/-/har-schema-2.0.0.tgz\",\n \"integrity\": \"sha512-Oqluz6zhGX8cyRaTQlFMPw80bSJVG2x/cFb8ZPhUILGgHka9SsokCCOQgpveePerqidZOrT14ipqfJb7ILcW5Q==\"\n },\n \"har-validator\": {\n \"version\": \"5.1.5\",\n \"resolved\": \"https://registry.npmjs.org/har-validator/-/har-validator-5.1.5.tgz\",\n \"integrity\": \"sha512-nmT2T0lljbxdQZfspsno9hgrG3Uir6Ks5afism62poxqBM6sDnMEuPmzTq8XN0OEwqKLLdh1jQI3qyE66Nzb3w==\",\n \"requires\": {\n \"ajv\": \"^6.12.3\",\n \"har-schema\": \"^2.0.0\"\n }\n },\n \"has-unicode\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/has-unicode/-/has-unicode-2.0.1.tgz\",\n \"integrity\": \"sha512-8Rf9Y83NBReMnx0gFzA8JImQACstCYWUplepDa9xprwwtmgEZUF0h/i5xSA625zB/I37EtrswSST6OXxwaaIJQ==\",\n \"optional\": true\n },\n \"hasown\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/hasown/-/hasown-2.0.1.tgz\",\n \"integrity\": \"sha512-1/th4MHjnwncwXsIW6QMzlvYL9kG5e/CpVvLRZe4XPa8TOUNbCELqmvhDmnkNsAjwaG4+I8gJJL0JBvTTLO9qA==\",\n \"requires\": {\n \"function-bind\": \"^1.1.2\"\n }\n },\n \"hosted-git-info\": {\n \"version\": \"2.8.9\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-2.8.9.tgz\",\n \"integrity\": \"sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==\"\n },\n \"http-signature\": {\n \"version\": \"1.2.0\",\n \"resolved\": \"https://registry.npmjs.org/http-signature/-/http-signature-1.2.0.tgz\",\n \"integrity\": \"sha512-CAbnr6Rz4CYQkLYUtSNXxQPUH2gK8f3iWexVlsnMeD+GjlsQ0Xsy1cOX+mN3dtxYomRy21CiOzU8Uhw6OwncEQ==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"jsprim\": \"^1.2.2\",\n \"sshpk\": \"^1.7.0\"\n }\n },\n \"inflight\": {\n \"version\": \"1.0.6\",\n \"resolved\": \"https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz\",\n \"integrity\": \"sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==\",\n \"requires\": {\n \"once\": \"^1.3.0\",\n \"wrappy\": \"1\"\n }\n },\n \"inherits\": {\n \"version\": \"2.0.4\",\n \"resolved\": \"https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz\",\n \"integrity\": \"sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==\"\n },\n \"is-core-module\": {\n \"version\": \"2.13.1\",\n \"resolved\": \"https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz\",\n \"integrity\": \"sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==\",\n \"requires\": {\n \"hasown\": \"^2.0.0\"\n }\n },\n \"is-fullwidth-code-point\": {\n \"version\": \"3.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz\",\n \"integrity\": \"sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==\",\n \"optional\": true\n },\n \"is-typedarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/is-typedarray/-/is-typedarray-1.0.0.tgz\",\n \"integrity\": \"sha512-cyA56iCMHAh5CdzjJIa4aohJyeO1YbwLi3Jc35MmRU6poroFjIGZzUzupGiRPOjgHg9TLu43xbpwXk523fMxKA==\"\n },\n \"isarray\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz\",\n \"integrity\": \"sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==\"\n },\n \"isstream\": {\n \"version\": \"0.1.2\",\n \"resolved\": \"https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz\",\n \"integrity\": \"sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g==\"\n },\n \"jsbn\": {\n \"version\": \"0.1.1\",\n \"resolved\": \"https://registry.npmjs.org/jsbn/-/jsbn-0.1.1.tgz\",\n \"integrity\": \"sha512-UVU9dibq2JcFWxQPA6KCqj5O42VOmAY3zQUfEKxU0KpTGXwNoCjkX1e13eHNvw/xPynt6pU0rZ1htjWTNTSXsg==\"\n },\n \"json-schema\": {\n \"version\": \"0.4.0\",\n \"resolved\": \"https://registry.npmjs.org/json-schema/-/json-schema-0.4.0.tgz\",\n \"integrity\": \"sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==\"\n },\n \"json-schema-traverse\": {\n \"version\": \"0.4.1\",\n \"resolved\": \"https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz\",\n \"integrity\": \"sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==\"\n },\n \"json-stringify-safe\": {\n \"version\": \"5.0.1\",\n \"resolved\": \"https://registry.npmjs.org/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz\",\n \"integrity\": \"sha512-ZClg6AaYvamvYEE82d3Iyd3vSSIjQ+odgjaTzRuO3s7toCdFKczob2i0zCh7JE8kWn17yvAWhUVxvqGwUalsRA==\"\n },\n \"jsprim\": {\n \"version\": \"1.4.2\",\n \"resolved\": \"https://registry.npmjs.org/jsprim/-/jsprim-1.4.2.tgz\",\n \"integrity\": \"sha512-P2bSOMAc/ciLz6DzgjVlGJP9+BrJWu5UDGK70C2iweC5QBIeFf0ZXRvGjEj2uYgrY2MkAAhsSWHDWlFtEroZWw==\",\n \"requires\": {\n \"assert-plus\": \"1.0.0\",\n \"extsprintf\": \"1.3.0\",\n \"json-schema\": \"0.4.0\",\n \"verror\": \"1.10.0\"\n }\n },\n \"mime-db\": {\n \"version\": \"1.52.0\",\n \"resolved\": \"https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz\",\n \"integrity\": \"sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==\"\n },\n \"mime-types\": {\n \"version\": \"2.1.35\",\n \"resolved\": \"https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz\",\n \"integrity\": \"sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==\",\n \"requires\": {\n \"mime-db\": \"1.52.0\"\n }\n },\n \"minimatch\": {\n \"version\": \"3.1.5\",\n \"resolved\": \"https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz\",\n \"integrity\": \"sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==\",\n \"requires\": {\n \"brace-expansion\": \"^1.1.7\"\n }\n },\n \"minimist\": {\n \"version\": \"1.2.8\",\n \"resolved\": \"https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz\",\n \"integrity\": \"sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==\"\n },\n \"mkdirp\": {\n \"version\": \"0.5.6\",\n \"resolved\": \"https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz\",\n \"integrity\": \"sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==\",\n \"requires\": {\n \"minimist\": \"^1.2.6\"\n }\n },\n \"natives\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/natives/-/natives-1.1.6.tgz\",\n \"integrity\": \"sha512-6+TDFewD4yxY14ptjKaS63GVdtKiES1pTPyxn9Jb0rBqPMZ7VcCiooEhPNsr+mqHtMGxa/5c/HhcC4uPEUw/nA==\"\n },\n \"normalize-package-data\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-2.5.0.tgz\",\n \"integrity\": \"sha512-/5CMN3T0R4XTj4DcGaexo+roZSdSFW/0AOOTROrjxzCG1wrWXEsGbRKevjlIL+ZDE4sZlJr5ED4YW0yqmkK+eA==\",\n \"requires\": {\n \"hosted-git-info\": \"^2.1.4\",\n \"resolve\": \"^1.10.0\",\n \"semver\": \"2 || 3 || 4 || 5\",\n \"validate-npm-package-license\": \"^3.0.1\"\n }\n },\n \"npm-package-arg\": {\n \"version\": \"3.1.1\",\n \"resolved\": \"https://registry.npmjs.org/npm-package-arg/-/npm-package-arg-3.1.1.tgz\",\n \"integrity\": \"sha512-jOIv9ddxThaiiI6WH2kLOsUL0vpA1rb7laRZO45OxSzGAj1ouiW0uQLq4zK2LR82pjeBO64VmEHHgUXHkyCQRw==\",\n \"requires\": {\n \"hosted-git-info\": \"^1.5.3\",\n \"semver\": \"4\"\n },\n \"dependencies\": {\n \"hosted-git-info\": {\n \"version\": \"1.6.0\",\n \"resolved\": \"https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-1.6.0.tgz\",\n \"integrity\": \"sha512-hX2w5jrEx2C64DRfLMb5OKHrZ8ReEkssfcjmrSHVih7dH1FD/qVn3/DfqLRQme2/CXBgpN/iApgAhpdaY+rCRQ==\"\n }\n }\n },\n \"npm-registry-client\": {\n \"version\": \"6.2.0\",\n \"resolved\": \"https://registry.npmjs.org/npm-registry-client/-/npm-registry-client-6.2.0.tgz\",\n \"integrity\": \"sha512-zFrsY9IAR3prA7lwKBWZXi/SdxPBbAQXFqQsbgGZXzECUda/8jVW2x3EfD+2h70o/PGio4K6rYvC/A/IoT1IOA==\",\n \"requires\": {\n \"chownr\": \"0\",\n \"concat-stream\": \"^1.4.6\",\n \"graceful-fs\": \"^3.0.0\",\n \"mkdirp\": \"^0.5.0\",\n \"normalize-package-data\": \"~1.0.1 || ^2.0.0\",\n \"npm-package-arg\": \"^3.0.0\",\n \"npmlog\": \"\",\n \"once\": \"^1.3.0\",\n \"request\": \"^2.47.0\",\n \"retry\": \"^0.6.1\",\n \"rimraf\": \"2\",\n \"semver\": \"2 >=2.2.1 || 3.x || 4\",\n \"slide\": \"^1.1.3\"\n }\n },\n \"npmlog\": {\n \"version\": \"7.0.1\",\n \"resolved\": \"https://registry.npmjs.org/npmlog/-/npmlog-7.0.1.tgz\",\n \"integrity\": \"sha512-uJ0YFk/mCQpLBt+bxN88AKd+gyqZvZDbtiNxk6Waqcj2aPRyfVx8ITawkyQynxUagInjdYT1+qj4NfA5KJJUxg==\",\n \"optional\": true,\n \"requires\": {\n \"are-we-there-yet\": \"^4.0.0\",\n \"console-control-strings\": \"^1.1.0\",\n \"gauge\": \"^5.0.0\",\n \"set-blocking\": \"^2.0.0\"\n }\n },\n \"oauth-sign\": {\n \"version\": \"0.9.0\",\n \"resolved\": \"https://registry.npmjs.org/oauth-sign/-/oauth-sign-0.9.0.tgz\",\n \"integrity\": \"sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==\"\n },\n \"once\": {\n \"version\": \"1.4.0\",\n \"resolved\": \"https://registry.npmjs.org/once/-/once-1.4.0.tgz\",\n \"integrity\": \"sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==\",\n \"requires\": {\n \"wrappy\": \"1\"\n }\n },\n \"path-is-absolute\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz\",\n \"integrity\": \"sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==\"\n },\n \"path-parse\": {\n \"version\": \"1.0.7\",\n \"resolved\": \"https://registry.npmjs.org/path-parse/-/path-parse-1.0.7.tgz\",\n \"integrity\": \"sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==\"\n },\n \"performance-now\": {\n \"version\": \"2.1.0\",\n \"resolved\": \"https://registry.npmjs.org/performance-now/-/performance-now-2.1.0.tgz\",\n \"integrity\": \"sha512-7EAHlyLHI56VEIdK57uwHdHKIaAGbnXPiw0yWbarQZOKaKpvUIgW0jWRVLiatnM+XXlSwsanIBH/hzGMJulMow==\"\n },\n \"process-nextick-args\": {\n \"version\": \"2.0.1\",\n \"resolved\": \"https://registry.npmjs.org/process-nextick-args/-/process-nextick-args-2.0.1.tgz\",\n \"integrity\": \"sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==\"\n },\n \"psl\": {\n \"version\": \"1.9.0\",\n \"resolved\": \"https://registry.npmjs.org/psl/-/psl-1.9.0.tgz\",\n \"integrity\": \"sha512-E/ZsdU4HLs/68gYzgGTkMicWTLPdAftJLfJFlLUAAKZGkStNU72sZjT66SnMDVOfOWY/YAoiD7Jxa9iHvngcag==\"\n },\n \"punycode\": {\n \"version\": \"2.3.1\",\n \"resolved\": \"https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz\",\n \"integrity\": \"sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==\"\n },\n \"qs\": {\n \"version\": \"6.5.3\",\n \"resolved\": \"https://registry.npmjs.org/qs/-/qs-6.5.3.tgz\",\n \"integrity\": \"sha512-qxXIEh4pCGfHICj1mAJQ2/2XVZkjCDTcEgfoSQxc/fYivUZxTkk7L3bDBJSoNrEzXI17oUO5Dp07ktqE5KzczA==\"\n },\n \"readable-stream\": {\n \"version\": \"2.3.8\",\n \"resolved\": \"https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz\",\n \"integrity\": \"sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==\",\n \"requires\": {\n \"core-util-is\": \"~1.0.0\",\n \"inherits\": \"~2.0.3\",\n \"isarray\": \"~1.0.0\",\n \"process-nextick-args\": \"~2.0.0\",\n \"safe-buffer\": \"~5.1.1\",\n \"string_decoder\": \"~1.1.1\",\n \"util-deprecate\": \"~1.0.1\"\n }\n },\n \"request\": {\n \"version\": \"2.88.2\",\n \"resolved\": \"https://registry.npmjs.org/request/-/request-2.88.2.tgz\",\n \"integrity\": \"sha512-MsvtOrfG9ZcrOwAW+Qi+F6HbD0CWXEh9ou77uOb7FM2WPhwT7smM833PzanhJLsgXjN89Ir6V2PczXNnMpwKhw==\",\n \"requires\": {\n \"aws-sign2\": \"~0.7.0\",\n \"aws4\": \"^1.8.0\",\n \"caseless\": \"~0.12.0\",\n \"combined-stream\": \"~1.0.6\",\n \"extend\": \"~3.0.2\",\n \"forever-agent\": \"~0.6.1\",\n \"form-data\": \"~2.3.2\",\n \"har-validator\": \"~5.1.3\",\n \"http-signature\": \"~1.2.0\",\n \"is-typedarray\": \"~1.0.0\",\n \"isstream\": \"~0.1.2\",\n \"json-stringify-safe\": \"~5.0.1\",\n \"mime-types\": \"~2.1.19\",\n \"oauth-sign\": \"~0.9.0\",\n \"performance-now\": \"^2.1.0\",\n \"qs\": \"~6.5.2\",\n \"safe-buffer\": \"^5.1.2\",\n \"tough-cookie\": \"~2.5.0\",\n \"tunnel-agent\": \"^0.6.0\",\n \"uuid\": \"^3.3.2\"\n }\n },\n \"resolve\": {\n \"version\": \"1.22.8\",\n \"resolved\": \"https://registry.npmjs.org/resolve/-/resolve-1.22.8.tgz\",\n \"integrity\": \"sha512-oKWePCxqpd6FlLvGV1VU0x7bkPmmCNolxzjMf4NczoDnQcIWrAF+cPtZn5i6n+RfD2d9i0tzpKnG6Yk168yIyw==\",\n \"requires\": {\n \"is-core-module\": \"^2.13.0\",\n \"path-parse\": \"^1.0.7\",\n \"supports-preserve-symlinks-flag\": \"^1.0.0\"\n }\n },\n \"retry\": {\n \"version\": \"0.6.1\",\n \"resolved\": \"https://registry.npmjs.org/retry/-/retry-0.6.1.tgz\",\n \"integrity\": \"sha512-txv1qsctZq8ei9J/uCXgaKKFPjlBB0H2hvtnzw9rjKWFNUFtKh59WprXxpAeAey3/QeWwHdxMFqStPaOAgy+dA==\"\n },\n \"rimraf\": {\n \"version\": \"2.7.1\",\n \"resolved\": \"https://registry.npmjs.org/rimraf/-/rimraf-2.7.1.tgz\",\n \"integrity\": \"sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==\",\n \"requires\": {\n \"glob\": \"^7.1.3\"\n }\n },\n \"safe-buffer\": {\n \"version\": \"5.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz\",\n \"integrity\": \"sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==\"\n },\n \"safer-buffer\": {\n \"version\": \"2.1.2\",\n \"resolved\": \"https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz\",\n \"integrity\": \"sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==\"\n },\n \"semver\": {\n \"version\": \"4.3.6\",\n \"resolved\": \"https://registry.npmjs.org/semver/-/semver-4.3.6.tgz\",\n \"integrity\": \"sha512-IrpJ+yoG4EOH8DFWuVg+8H1kW1Oaof0Wxe7cPcXW3x9BjkN/eVo54F15LyqemnDIUYskQWr9qvl/RihmSy6+xQ==\"\n },\n \"set-blocking\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz\",\n \"integrity\": \"sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==\",\n \"optional\": true\n },\n \"signal-exit\": {\n \"version\": \"4.1.0\",\n \"resolved\": \"https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz\",\n \"integrity\": \"sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==\",\n \"optional\": true\n },\n \"slide\": {\n \"version\": \"1.1.6\",\n \"resolved\": \"https://registry.npmjs.org/slide/-/slide-1.1.6.tgz\",\n \"integrity\": \"sha512-NwrtjCg+lZoqhFU8fOwl4ay2ei8PaqCBOUV3/ektPY9trO1yQ1oXEfmHAhKArUVUr/hOHvy5f6AdP17dCM0zMw==\"\n },\n \"spdx-correct\": {\n \"version\": \"3.2.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz\",\n \"integrity\": \"sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==\",\n \"requires\": {\n \"spdx-expression-parse\": \"^3.0.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-exceptions\": {\n \"version\": \"2.4.0\",\n \"resolved\": \"https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.4.0.tgz\",\n \"integrity\": \"sha512-hcjppoJ68fhxA/cjbN4T8N6uCUejN8yFw69ttpqtBeCbF3u13n7mb31NB9jKwGTTWWnt9IbRA/mf1FprYS8wfw==\"\n },\n \"spdx-expression-parse\": {\n \"version\": \"3.0.1\",\n \"resolved\": \"https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz\",\n \"integrity\": \"sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==\",\n \"requires\": {\n \"spdx-exceptions\": \"^2.1.0\",\n \"spdx-license-ids\": \"^3.0.0\"\n }\n },\n \"spdx-license-ids\": {\n \"version\": \"3.0.17\",\n \"resolved\": \"https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.17.tgz\",\n \"integrity\": \"sha512-sh8PWc/ftMqAAdFiBu6Fy6JUOYjqDJBJvIhpfDMyHrr0Rbp5liZqd4TjtQ/RgfLjKFZb+LMx5hpml5qOWy0qvg==\"\n },\n \"sshpk\": {\n \"version\": \"1.18.0\",\n \"resolved\": \"https://registry.npmjs.org/sshpk/-/sshpk-1.18.0.tgz\",\n \"integrity\": \"sha512-2p2KJZTSqQ/I3+HX42EpYOa2l3f8Erv8MWKsy2I9uf4wA7yFIkXRffYdsx86y6z4vHtV8u7g+pPlr8/4ouAxsQ==\",\n \"requires\": {\n \"asn1\": \"~0.2.3\",\n \"assert-plus\": \"^1.0.0\",\n \"bcrypt-pbkdf\": \"^1.0.0\",\n \"dashdash\": \"^1.12.0\",\n \"ecc-jsbn\": \"~0.1.1\",\n \"getpass\": \"^0.1.1\",\n \"jsbn\": \"~0.1.0\",\n \"safer-buffer\": \"^2.0.2\",\n \"tweetnacl\": \"~0.14.0\"\n }\n },\n \"string_decoder\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz\",\n \"integrity\": \"sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==\",\n \"requires\": {\n \"safe-buffer\": \"~5.1.0\"\n }\n },\n \"string-width\": {\n \"version\": \"4.2.3\",\n \"resolved\": \"https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz\",\n \"integrity\": \"sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==\",\n \"optional\": true,\n \"requires\": {\n \"emoji-regex\": \"^8.0.0\",\n \"is-fullwidth-code-point\": \"^3.0.0\",\n \"strip-ansi\": \"^6.0.1\"\n }\n },\n \"strip-ansi\": {\n \"version\": \"6.0.1\",\n \"resolved\": \"https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz\",\n \"integrity\": \"sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==\",\n \"optional\": true,\n \"requires\": {\n \"ansi-regex\": \"^5.0.1\"\n }\n },\n \"supports-preserve-symlinks-flag\": {\n \"version\": \"1.0.0\",\n \"resolved\": \"https://registry.npmjs.org/supports-preserve-symlinks-flag/-/supports-preserve-symlinks-flag-1.0.0.tgz\",\n \"integrity\": \"sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==\"\n },\n \"tough-cookie\": {\n \"version\": \"2.5.0\",\n \"resolved\": \"https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz\",\n \"integrity\": \"sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g==\",\n \"requires\": {\n \"psl\": \"^1.1.28\",\n \"punycode\": \"^2.1.1\"\n }\n },\n \"tunnel-agent\": {\n \"version\": \"0.6.0\",\n \"resolved\": \"https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz\",\n \"integrity\": \"sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==\",\n \"requires\": {\n \"safe-buffer\": \"^5.0.1\"\n }\n },\n \"tweetnacl\": {\n \"version\": \"0.14.5\",\n \"resolved\": \"https://registry.npmjs.org/tweetnacl/-/tweetnacl-0.14.5.tgz\",\n \"integrity\": \"sha512-KXXFFdAbFXY4geFIwoyNK+f5Z1b7swfXABfL7HXCmoIWMKU3dmS26672A4EeQtDzLKy7SXmfBu51JolvEKwtGA==\"\n },\n \"typedarray\": {\n \"version\": \"0.0.6\",\n \"resolved\": \"https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz\",\n \"integrity\": \"sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==\"\n },\n \"uri-js\": {\n \"version\": \"4.4.1\",\n \"resolved\": \"https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz\",\n \"integrity\": \"sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==\",\n \"requires\": {\n \"punycode\": \"^2.1.0\"\n }\n },\n \"util-deprecate\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz\",\n \"integrity\": \"sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==\"\n },\n \"uuid\": {\n \"version\": \"3.4.0\",\n \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-3.4.0.tgz\",\n \"integrity\": \"sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==\"\n },\n \"validate-npm-package-license\": {\n \"version\": \"3.0.4\",\n \"resolved\": \"https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz\",\n \"integrity\": \"sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==\",\n \"requires\": {\n \"spdx-correct\": \"^3.0.0\",\n \"spdx-expression-parse\": \"^3.0.0\"\n }\n },\n \"verror\": {\n \"version\": \"1.10.0\",\n \"resolved\": \"https://registry.npmjs.org/verror/-/verror-1.10.0.tgz\",\n \"integrity\": \"sha512-ZZKSmDAEFOijERBLkmYfJ+vmk3w+7hOLYDNkRCuRuMJGEmqYNCNLyBBFwWKVMhfwaEF3WOd0Zlw86U/WC/+nYw==\",\n \"requires\": {\n \"assert-plus\": \"^1.0.0\",\n \"core-util-is\": \"1.0.2\",\n \"extsprintf\": \"^1.2.0\"\n },\n \"dependencies\": {\n \"core-util-is\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/core-util-is/-/core-util-is-1.0.2.tgz\",\n \"integrity\": \"sha512-3lqz5YjWTYnW6dlDa5TLaTCcShfar1e40rmcJVwCBJC6mWlFuj0eCHIElmG1g5kyuJ/GD+8Wn4FFCcz4gJPfaQ==\"\n }\n }\n },\n \"wide-align\": {\n \"version\": \"1.1.5\",\n \"resolved\": \"https://registry.npmjs.org/wide-align/-/wide-align-1.1.5.tgz\",\n \"integrity\": \"sha512-eDMORYaPNZ4sQIuuYPDHdQvf4gyCF9rEEV/yPxGfwPkRodwEgiMUUXTx/dex+Me0wxx53S+NgUHaP7y3MGlDmg==\",\n \"optional\": true,\n \"requires\": {\n \"string-width\": \"^1.0.2 || 2 || 3 || 4\"\n }\n },\n \"wrappy\": {\n \"version\": \"1.0.2\",\n \"resolved\": \"https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz\",\n \"integrity\": \"sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==\"\n }\n }\n}\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 1]\nLoaded npm local db from /osv-scanner/npm/all.zip\nResolving /package.json...\nFound 7 vulnerabilities matching the filter\nCan fix 3/7 matching vulnerabilities by changing 1 dependencies\nUPGRADED-PACKAGE: npm-registry-client,6.2.0,^7.5.0\nFIXED-VULN-IDS: GHSA-43f8-2h32-f4cj,GHSA-c2qf-rxjj-qqgw,GHSA-c6rq-rjc2-86v2\nREMAINING-VULNS: 4\nUNFIXABLE-VULNS: 4\nRewriting /package.json...\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 2]\n\n---\n\n[TestCommand_OfflineDatabase/fix_non_interactive_relax_package_json_with_offline_vulns - 3]\n{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo /\"Error: no test specified/\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"^7.5.0\"\n }\n}\n\n---\n" }, { "path": "cmd/osv-scanner/fix/command.go", "content": "// Package fix implements the `fix` command for osv-scanner.\n// It scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them.\npackage fix\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"time\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/urfave/cli/v3\"\n\t\"golang.org/x/term\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\ntype strategy string\n\nconst (\n\tstrategyInPlace strategy = \"in-place\"\n\tstrategyRelax strategy = \"relax\"\n\tstrategyOverride strategy = \"override\"\n)\n\nvar strategies = []string{string(strategyInPlace), string(strategyRelax), string(strategyOverride)}\n\nconst (\n\tvulnCategory = \"Vulnerability Selection Options:\"\n\tupgradeCategory = \"Dependency Upgrade Options:\"\n\tautoModeCategory = \"non-interactive options:\" // intentionally lowercase to force it to sort after the other categories\n)\n\ntype osvFixOptions struct {\n\tremediation.Options\n\n\tClient client.ResolutionClient\n\tManifest string\n\tManifestRW manifest.ReadWriter\n\tLockfile string\n\tLockfileRW lockfile.ReadWriter\n\tNoIntroduce bool\n\tOutputJSON bool\n\tStdout io.Writer\n\tStderr io.Writer\n}\n\nfunc Command(stdout, stderr io.Writer, _ *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"fix\",\n\t\tUsage: \"scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them\",\n\t\tDescription: \"scans a manifest and/or lockfile for vulnerabilities and suggests changes for remediating them\",\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"manifest\",\n\t\t\t\tAliases: []string{\"M\"},\n\t\t\t\tUsage: \"manifest file to remediate vulnerabilities in\",\n\t\t\t\tTakesFile: true,\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"lockfile\",\n\t\t\t\tAliases: []string{\"L\"},\n\t\t\t\tUsage: \"lockfile to remediate vulnerabilities in\",\n\t\t\t\tTakesFile: true,\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"data-source\",\n\t\t\t\tUsage: \"source to fetch package information from; value can be: deps.dev, native\",\n\t\t\t\tValue: \"deps.dev\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\t\tif s != \"deps.dev\" && s != \"native\" {\n\t\t\t\t\t\treturn fmt.Errorf(\"unsupported data-source \\\"%s\\\" - must be one of: deps.dev, native\", s)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"maven-registry\",\n\t\t\t\tUsage: \"URL of the default Maven registry to fetch metadata\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"non-interactive\",\n\t\t\t\tUsage: \"[DEPRECATED] run in the non-interactive mode\",\n\t\t\t\tHidden: true,\n\t\t\t\tValue: true,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"interactive\",\n\t\t\t\tUsage: \"run in the interactive mode\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, b bool) error {\n\t\t\t\t\tif b && !term.IsTerminal(int(os.Stdin.Fd())) {\n\t\t\t\t\t\treturn errors.New(\"interactive mode only to be run in a terminal\")\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"format\",\n\t\t\t\tAliases: []string{\"f\"},\n\t\t\t\tUsage: \"sets the non-interactive output format; value can be: text, json\",\n\t\t\t\tValue: \"text\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\t\tif s == \"text\" || s == \"json\" {\n\t\t\t\t\t\tif s == \"json\" {\n\t\t\t\t\t\t\tcmdlogger.SendEverythingToStderr()\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\treturn nil\n\t\t\t\t\t}\n\n\t\t\t\t\treturn fmt.Errorf(\"unsupported output format \\\"%s\\\" - must be one of: text, json\", s)\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tCategory: autoModeCategory,\n\t\t\t\tName: \"strategy\",\n\t\t\t\tUsage: \"remediation approach to use; value can be: \" + strings.Join(strategies, \", \"),\n\t\t\t\tAction: func(_ context.Context, cmd *cli.Command, s string) error {\n\t\t\t\t\tswitch strategy(s) {\n\t\t\t\t\tcase strategyInPlace:\n\t\t\t\t\t\tif !cmd.IsSet(\"lockfile\") {\n\t\t\t\t\t\t\treturn fmt.Errorf(\"%s strategy requires lockfile\", strategyInPlace)\n\t\t\t\t\t\t}\n\t\t\t\t\tcase strategy(\"relock\"): // renamed\n\t\t\t\t\t\tfallthrough\n\t\t\t\t\tcase strategyRelax:\n\t\t\t\t\t\tif !cmd.IsSet(\"manifest\") {\n\t\t\t\t\t\t\treturn fmt.Errorf(\"%s strategy requires manifest file\", strategyRelax)\n\t\t\t\t\t\t}\n\t\t\t\t\tcase strategyOverride:\n\t\t\t\t\t\tif !cmd.IsSet(\"manifest\") {\n\t\t\t\t\t\t\treturn fmt.Errorf(\"%s strategy requires manifest file\", strategyOverride)\n\t\t\t\t\t\t}\n\t\t\t\t\tdefault:\n\t\t\t\t\t\treturn fmt.Errorf(\"unsupported strategy \\\"%s\\\" - must be one of: %s\", s, strings.Join(strategies, \", \"))\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.IntFlag{\n\t\t\t\tCategory: autoModeCategory,\n\t\t\t\tName: \"apply-top\",\n\t\t\t\tUsage: \"apply the top N patches\",\n\t\t\t\tValue: -1,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tCategory: autoModeCategory,\n\t\t\t\tName: \"no-introduce\",\n\t\t\t\tUsage: \"exclude patches that would introduce new vulnerabilities\",\n\t\t\t},\n\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tCategory: upgradeCategory,\n\t\t\t\tName: \"upgrade-config\",\n\t\t\t\tUsage: \"the allowed package upgrades, in the format `[package-name:]level`. If package-name is omitted, level is applied to all packages. level must be one of (major, minor, patch, none).\",\n\t\t\t\tDefaultText: \"major\",\n\t\t\t},\n\t\t\t&cli.IntFlag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"max-depth\",\n\t\t\t\tUsage: \"maximum dependency depth of vulnerabilities to consider\",\n\t\t\t\tValue: -1,\n\t\t\t},\n\t\t\t&cli.Float64Flag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"min-severity\",\n\t\t\t\tUsage: \"minimum CVSS score of vulnerabilities to consider\",\n\t\t\t\tValue: 0,\n\t\t\t\tDefaultText: \"0.0\",\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"vulns\",\n\t\t\t\tUsage: \"explicit list of vulnerability IDs to consider\",\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"ignore-vulns\",\n\t\t\t\tUsage: \"list of vulnerability IDs to ignore\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"ignore-dev\",\n\t\t\t\tUsage: \"ignore vulnerabilities affecting only development dependencies\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tCategory: vulnCategory,\n\t\t\t\tName: \"maven-fix-management\",\n\t\t\t\tUsage: \"(pom.xml) also remediate vulnerabilities in dependencyManagement packages that do not appear in the resolved dependency graph\",\n\t\t\t},\n\t\t\t// Offline database flags, copied from osv-scanner scan\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"offline-vulnerabilities\",\n\t\t\t\tAliases: []string{\"offline\"},\n\t\t\t\tUsage: \"checks for vulnerabilities using local databases that are already cached\",\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"download-offline-databases\",\n\t\t\t\tUsage: \"downloads vulnerability databases for offline comparison\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"local-db-path\",\n\t\t\t\tUsage: \"sets the path that local databases should be stored\",\n\t\t\t\tHidden: true,\n\t\t\t},\n\t\t},\n\t\tAction: func(ctx context.Context, cmd *cli.Command) error {\n\t\t\treturn action(ctx, cmd, stdout, stderr)\n\t\t},\n\t}\n}\n\nfunc action(ctx context.Context, cmd *cli.Command, stdout, stderr io.Writer) error {\n\tif !cmd.IsSet(\"manifest\") && !cmd.IsSet(\"lockfile\") {\n\t\treturn errors.New(\"manifest or lockfile is required\")\n\t}\n\n\topts := osvFixOptions{\n\t\tOptions: remediation.Options{\n\t\t\tResolveOpts: resolution.ResolveOpts{\n\t\t\t\tMavenManagement: cmd.Bool(\"maven-fix-management\"),\n\t\t\t},\n\t\t\tIgnoreVulns: cmd.StringSlice(\"ignore-vulns\"),\n\t\t\tExplicitVulns: cmd.StringSlice(\"vulns\"),\n\t\t\tDevDeps: !cmd.Bool(\"ignore-dev\"),\n\t\t\tMinSeverity: cmd.Float64(\"min-severity\"),\n\t\t\tMaxDepth: cmd.Int(\"max-depth\"),\n\t\t\tUpgradeConfig: upgrade.ParseUpgradeConfig(cmd.StringSlice(\"upgrade-config\")),\n\t\t},\n\t\tManifest: cmd.String(\"manifest\"),\n\t\tLockfile: cmd.String(\"lockfile\"),\n\t\tNoIntroduce: cmd.Bool(\"no-introduce\"),\n\t\tOutputJSON: cmd.String(\"format\") == \"json\",\n\t\tStdout: stdout,\n\t\tStderr: stderr,\n\t}\n\n\tsystem := resolve.UnknownSystem\n\tif opts.Lockfile != \"\" {\n\t\trw, err := lockfile.GetReadWriter(opts.Lockfile)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topts.LockfileRW = rw\n\t\tsystem = rw.System()\n\t}\n\n\tif opts.Manifest != \"\" {\n\t\trw, err := manifest.GetReadWriter(opts.Manifest, cmd.String(\"maven-registry\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topts.ManifestRW = rw\n\t\t// Prefer the manifest's system over the lockfile's.\n\t\t// TODO: make sure they match\n\t\tsystem = rw.System()\n\t}\n\n\tswitch cmd.String(\"data-source\") {\n\tcase \"deps.dev\":\n\t\tcl, err := client.NewDepsDevClient(depsdev.DepsdevAPI, \"osv-scanner_fix/\"+version.OSVVersion)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\topts.Client.DependencyClient = cl\n\tcase \"native\":\n\t\tswitch system {\n\t\tcase resolve.NPM:\n\t\t\tvar workDir string\n\t\t\t// Prefer to use the manifest's directory if available.\n\t\t\tif opts.Manifest != \"\" {\n\t\t\t\tworkDir = filepath.Dir(opts.Manifest)\n\t\t\t} else {\n\t\t\t\tworkDir = filepath.Dir(opts.Lockfile)\n\t\t\t}\n\t\t\tcl, err := client.NewNpmRegistryClient(workDir)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\topts.Client.DependencyClient = cl\n\t\tcase resolve.Maven:\n\t\t\tcl, err := client.NewMavenRegistryClient(cmd.String(\"maven-registry\"))\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\topts.Client.DependencyClient = cl\n\t\tcase resolve.UnknownSystem:\n\t\t\tfallthrough\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"native data-source currently unsupported for %s ecosystem\", system.String())\n\t\t}\n\t}\n\n\tuserAgent := \"osv-scanner_fix/\" + version.OSVVersion\n\tif cmd.Bool(\"offline-vulnerabilities\") {\n\t\tmatcher, err := localmatcher.NewLocalMatcher(\n\t\t\tcmd.String(\"local-db-path\"),\n\t\t\tuserAgent,\n\t\t\tcmd.Bool(\"download-offline-databases\"),\n\t\t)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\teco, ok := util.OSVEcosystem[system]\n\t\tif !ok {\n\t\t\t// Something's very wrong if we hit this\n\t\t\tpanic(\"unhandled resolve.Ecosystem: \" + system.String())\n\t\t}\n\t\tif err := matcher.LoadEcosystem(ctx, osvecosystem.Parsed{Ecosystem: eco}); err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\topts.Client.VulnerabilityMatcher = matcher\n\t} else {\n\t\tconfig := osvdev.DefaultConfig()\n\t\tconfig.UserAgent = userAgent\n\t\topts.Client.VulnerabilityMatcher = &osvmatcher.CachedOSVMatcher{\n\t\t\tClient: osvdev.OSVClient{\n\t\t\t\tHTTPClient: http.DefaultClient,\n\t\t\t\tConfig: config,\n\t\t\t\tBaseHostURL: osvdev.DefaultBaseURL,\n\t\t\t},\n\t\t\tInitialQueryTimeout: 5 * time.Minute,\n\t\t}\n\t}\n\n\tif cmd.Bool(\"interactive\") {\n\t\treturn interactiveMode(ctx, opts)\n\t}\n\n\tmaxUpgrades := cmd.Int(\"apply-top\")\n\n\tstrategy := strategy(cmd.String(\"strategy\"))\n\tif strategy == \"relock\" { // renamed\n\t\tstrategy = strategyRelax\n\t}\n\n\tif !cmd.IsSet(\"strategy\") {\n\t\t// Choose a default strategy based on the manifest/lockfile provided.\n\t\tswitch {\n\t\tcase remediation.SupportsRelax(opts.ManifestRW):\n\t\t\tstrategy = strategyRelax\n\t\tcase remediation.SupportsOverride(opts.ManifestRW):\n\t\t\tstrategy = strategyOverride\n\t\tcase remediation.SupportsInPlace(opts.LockfileRW):\n\t\t\tstrategy = strategyInPlace\n\t\tdefault:\n\t\t\treturn errors.New(\"no supported remediation strategies for manifest/lockfile\")\n\t\t}\n\t}\n\n\tswitch strategy {\n\tcase strategyRelax:\n\t\treturn autoRelax(ctx, opts, maxUpgrades)\n\tcase strategyInPlace:\n\t\treturn autoInPlace(ctx, opts, maxUpgrades)\n\tcase strategyOverride:\n\t\treturn autoOverride(ctx, opts, maxUpgrades)\n\tdefault:\n\t\t// The strategy flag should already be validated by this point.\n\t\tpanic(fmt.Sprintf(\"non-interactive mode attempted to run with unhandled strategy: \\\"%s\\\"\", cmd.String(\"strategy\")))\n\t}\n}\n" }, { "path": "cmd/osv-scanner/fix/command_test.go", "content": "package fix_test\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc matchFile(t *testing.T, file string) {\n\tt.Helper()\n\tb, err := os.ReadFile(file)\n\tif err != nil {\n\t\tt.Fatalf(\"could not read test file: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, string(b))\n}\n\nfunc TestCommand(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"no_args_provided\",\n\t\t\tArgs: []string{\"\", \"fix\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_in-place_package-lock.json\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=in-place\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non_interactive_in_place_package_lock_json_with_native_data_source\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=in-place\", \"--data-source\", \"native\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_relax_package.json\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=relax\", \"-M\", \"./testdata/relax-npm/package.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_override_pom.xml\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=override\", \"-M\", \"./testdata/override-maven/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non_interactive_override_pom_xml_with_native_data_source\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=override\", \"--data-source\", \"native\", \"-M\", \"./testdata/override-maven/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_json_in-place_package-lock.json\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=in-place\", \"--format=json\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_json_relax_package.json\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=relax\", \"--format=json\", \"-M\", \"./testdata/relax-npm/package.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non-interactive_json_override_pom.xml\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=override\", \"--format=json\", \"-M\", \"./testdata/override-maven/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_with_invalid_data_source\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--data-source=github\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_with_unsupported_format\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--format=yaml\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_with_unsupported_strategy\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=force\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_when_in_place_used_without_lockfile\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=in-place\", \"-M\", \"./testdata/relax-npm/package.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_when_relock_used_without_manifest\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=relock\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_when_relax_used_without_manifest\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=relax\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_when_override_used_without_manifest\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=override\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// fix action overwrites files, copy them to a temporary directory\n\t\t\ttestDir := testutility.CreateTestDir(t)\n\n\t\t\tlockfile := testcmd.CopyFileFlagTo(t, tt, \"-L\", testDir)\n\t\t\tmanifest := testcmd.CopyFileFlagTo(t, tt, \"-M\", testDir)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\n\t\t\tif lockfile != \"\" {\n\t\t\t\tmatchFile(t, lockfile)\n\t\t\t}\n\t\t\tif manifest != \"\" {\n\t\t\t\tmatchFile(t, manifest)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestCommand_OfflineDatabase(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"fix_non_interactive_in_place_package_lock_json_with_offline_vulns\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=in-place\", \"--offline-vulnerabilities\", \"--download-offline-databases\", \"-L\", \"./testdata/in-place-npm/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"fix_non_interactive_relax_package_json_with_offline_vulns\",\n\t\t\tArgs: []string{\"\", \"fix\", \"--strategy=relax\", \"--offline-vulnerabilities\", \"--download-offline-databases\", \"-M\", \"./testdata/relax-npm/package.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// fix action overwrites files, copy them to a temporary directory\n\t\t\ttestDir := testutility.CreateTestDir(t)\n\n\t\t\tlockfile := testcmd.CopyFileFlagTo(t, tt, \"-L\", testDir)\n\t\t\tmanifest := testcmd.CopyFileFlagTo(t, tt, \"-M\", testDir)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\n\t\t\tif lockfile != \"\" {\n\t\t\t\tmatchFile(t, lockfile)\n\t\t\t}\n\t\t\tif manifest != \"\" {\n\t\t\t\tmatchFile(t, manifest)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc parseFlags(t *testing.T, flags []string, arguments []string) (*cli.Command, error) {\n\t// This is a bit hacky: make a mock App with only the flags we care about.\n\t// Then use app.RunAndMatchSnapshots() to parse the flags into the cli.Context, which is returned.\n\tt.Helper()\n\tappFlags := make([]cli.Flag, 0, len(flags))\n\tfor _, f := range fix.Command(nil, nil, nil).Flags {\n\t\tif slices.ContainsFunc(f.Names(), func(s string) bool { return slices.Contains(flags, s) }) {\n\t\t\tappFlags = append(appFlags, f)\n\t\t}\n\t}\n\tvar parsedCmd *cli.Command\n\tapp := cli.Command{\n\t\tFlags: appFlags,\n\t\tAction: func(_ context.Context, cmd *cli.Command) error {\n\t\t\tt.Helper()\n\t\t\tparsedCmd = cmd\n\n\t\t\treturn nil\n\t\t},\n\t}\n\terr := app.Run(t.Context(), append([]string{\"\"}, arguments...))\n\n\treturn parsedCmd, err\n}\n\nfunc Test_parseUpgradeConfig(t *testing.T) {\n\tt.Parallel()\n\n\tflags := []string{\"upgrade-config\"}\n\n\ttests := []struct {\n\t\tname string\n\t\targs []string\n\t\twant map[string]upgrade.Level\n\t}{\n\t\t{\n\t\t\tname: \"default_behaviour\",\n\t\t\targs: []string{},\n\t\t\twant: map[string]upgrade.Level{\n\t\t\t\t\"foo\": upgrade.Major,\n\t\t\t\t\"bar\": upgrade.Major,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"general_level_config\",\n\t\t\targs: []string{\"--upgrade-config=minor\"},\n\t\t\twant: map[string]upgrade.Level{\n\t\t\t\t\"foo\": upgrade.Minor,\n\t\t\t\t\"bar\": upgrade.Minor,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"all_levels\",\n\t\t\targs: []string{\n\t\t\t\t\"--upgrade-config\", \"major:major\",\n\t\t\t\t\"--upgrade-config\", \"minor:minor\",\n\t\t\t\t\"--upgrade-config\", \"patch:patch\",\n\t\t\t\t\"--upgrade-config\", \"none:none\",\n\t\t\t},\n\t\t\twant: map[string]upgrade.Level{\n\t\t\t\t\"major\": upgrade.Major,\n\t\t\t\t\"minor\": upgrade.Minor,\n\t\t\t\t\"patch\": upgrade.Patch,\n\t\t\t\t\"none\": upgrade.None,\n\t\t\t\t\"other\": upgrade.Major,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"package_takes_precedence_over_general\",\n\t\t\targs: []string{\n\t\t\t\t\"--upgrade-config\", \"pkg1:minor\",\n\t\t\t\t\"--upgrade-config\", \"none\",\n\t\t\t\t\"--upgrade-config\", \"pkg2:major\",\n\t\t\t},\n\t\t\twant: map[string]upgrade.Level{\n\t\t\t\t\"pkg1\": upgrade.Minor,\n\t\t\t\t\"pkg2\": upgrade.Major,\n\t\t\t\t\"pkg3\": upgrade.None,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"package_names_with_colons\",\n\t\t\targs: []string{\n\t\t\t\t\"--upgrade-config=none:patch:minor:major\",\n\t\t\t\t\"--upgrade-config=none:patch:minor\",\n\t\t\t\t\"--upgrade-config=none:patch\",\n\t\t\t\t\"--upgrade-config=none\",\n\t\t\t},\n\t\t\twant: map[string]upgrade.Level{\n\t\t\t\t\"none:patch:minor\": upgrade.Major,\n\t\t\t\t\"none:patch\": upgrade.Minor,\n\t\t\t\t\"none\": upgrade.Patch,\n\t\t\t\t\"other\": upgrade.None,\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tcmd, err := parseFlags(t, flags, tt.args)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"error parsing flags: %v\", err)\n\t\t\t}\n\t\t\tconfig := upgrade.ParseUpgradeConfig(cmd.StringSlice(\"upgrade-config\"))\n\t\t\tfor pkg, want := range tt.want {\n\t\t\t\tif got := config.Get(pkg); got != want {\n\t\t\t\t\tt.Errorf(\"Config.Get(%s) got = %v, want %v\", pkg, got, want)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/fix/interactive.go", "content": "package fix\n\nimport (\n\t\"context\"\n\t\"errors\"\n\n\ttea \"charm.land/bubbletea/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n)\n\n// TODO: currently, it's impossible to undo commands\n// Need to think about how to support this\n\nfunc interactiveMode(ctx context.Context, opts osvFixOptions) error {\n\tif !remediation.SupportsRelax(opts.ManifestRW) && !remediation.SupportsInPlace(opts.LockfileRW) {\n\t\tif remediation.SupportsOverride(opts.ManifestRW) {\n\t\t\treturn errors.New(\"override strategy is not supported in interactive mode\")\n\t\t}\n\n\t\treturn errors.New(\"no supported remediation strategies found\")\n\t}\n\n\tcl := opts.Client\n\tp := tea.NewProgram(newModel(ctx, opts, cl))\n\tm, err := p.Run()\n\tif err != nil {\n\t\treturn err\n\t}\n\t// It doesn't look like it's possible to make p.Run() return a custom error,\n\t// so we store fatal errors on the model itself.\n\treturn m.(model).err\n}\n" }, { "path": "cmd/osv-scanner/fix/model.go", "content": "package fix\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/help\"\n\t\"charm.land/bubbles/v2/key\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\tmanif \"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n\t\"golang.org/x/term\"\n)\n\n//nolint:recvcheck\ntype model struct {\n\t//nolint:containedctx\n\tctx context.Context // Context, mostly used in deps.dev functions\n\toptions osvFixOptions // options, from command line\n\tcl client.ResolutionClient // graph client used for deps.dev functions\n\tlockfileGraph *resolve.Graph\n\n\ttermWidth int // width of the whole terminal\n\ttermHeight int // height of the whole terminal\n\n\tmainViewWidth int // width of the main view\n\tmainViewHeight int // height of the main view\n\tmainViewStyle lipgloss.Style // border style to render the main view\n\n\tinfoViewWidth int // width of the secondary info view\n\tinfoViewHeight int // height of the info view\n\tinfoViewStyle lipgloss.Style // border style to render the info view\n\n\thelp help.Model // help text renderer\n\n\tst modelState // current state of program\n\terr error // set if a fatal error occurs within the program\n\twriting bool // whether the model is currently shelling out writing lockfile/manifest file\n\n\tinPlaceResult *remediation.InPlaceResult // results & patches from minimal / in-place resolution\n\trelockBaseRes *resolution.Result // Base relock result, matching the current manifest on disk\n\trelockBaseResErrs []resolution.NodeError // Errors in base relock result\n}\n\nfunc newModel(ctx context.Context, opts osvFixOptions, cl client.ResolutionClient) model {\n\tmainViewStyle := lipgloss.NewStyle().\n\t\tBorderStyle(lipgloss.RoundedBorder()).\n\t\tPadding(tui.ViewVPad, tui.ViewHPad)\n\n\tinfoViewStyle := lipgloss.NewStyle().\n\t\tBorderStyle(lipgloss.RoundedBorder()).\n\t\tPadding(tui.ViewVPad, tui.ViewHPad)\n\n\tm := model{\n\t\tctx: ctx,\n\t\toptions: opts,\n\t\tcl: cl,\n\t\tst: &stateInitialize{},\n\t\tmainViewStyle: mainViewStyle,\n\t\tinfoViewStyle: infoViewStyle,\n\t\thelp: help.New(),\n\t}\n\tw, h, err := term.GetSize(int(os.Stdout.Fd()))\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tm.setTermSize(w, h)\n\n\treturn m\n}\n\nfunc (m *model) setTermSize(w, h int) {\n\tm.termWidth = w\n\tm.termHeight = h\n\n\t// The internal rendering space of the views occupy a percentage of the terminal width\n\tviewWidth := max(int(float64(w)*tui.ViewWidthPct), tui.ViewMinWidth)\n\t// The internal height is constant\n\tviewHeight := tui.ViewMinHeight\n\n\t// The total width/height, including the whitespace padding and border characters on each side\n\tpaddedWidth := viewWidth + 2*tui.ViewHPad + 2\n\tpaddedHeight := viewHeight + 2*tui.ViewVPad + 2\n\n\t// resize the views to the calculated dimensions\n\tm.mainViewWidth = viewWidth\n\tm.mainViewHeight = viewHeight\n\tm.mainViewStyle = m.mainViewStyle.Width(paddedWidth).Height(paddedHeight)\n\n\tm.infoViewWidth = viewWidth\n\tm.infoViewHeight = viewHeight\n\tm.infoViewStyle = m.infoViewStyle.Width(paddedWidth).Height(paddedHeight)\n\n\tm.st.Resize(m.mainViewWidth, m.mainViewHeight)\n\tm.st.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n}\n\nfunc (m *model) getBorderStyles() (lipgloss.Style, lipgloss.Style) {\n\tif m.st.IsInfoFocused() {\n\t\tm.infoViewStyle = m.infoViewStyle.UnsetBorderForeground()\n\t\tm.mainViewStyle = m.mainViewStyle.BorderForeground(tui.ColorDisabled)\n\t} else {\n\t\tm.infoViewStyle = m.infoViewStyle.BorderForeground(tui.ColorDisabled)\n\t\tm.mainViewStyle = m.mainViewStyle.UnsetBorderForeground()\n\t}\n\n\treturn m.mainViewStyle, m.infoViewStyle\n}\n\n// TODO: Handle all errors better, instead of just quitting on any error\nfunc errorAndExit(m model, err error) (tea.Model, tea.Cmd) {\n\tm.err = err\n\treturn m, tea.Quit\n}\n\nfunc (m model) Init() tea.Cmd {\n\treturn m.st.Init(m)\n}\n\nfunc (m model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {\n\tswitch msg := msg.(type) {\n\tcase tea.KeyPressMsg:\n\t\tswitch {\n\t\tcase msg.String() == \"ctrl+c\": // always quit on ctrl+c\n\t\t\treturn m, tea.Quit\n\t\tcase key.Matches(msg, tui.Keys.Help): // toggle help\n\t\t\tm.help.ShowAll = !m.help.ShowAll\n\t\t}\n\tcase tea.WindowSizeMsg:\n\t\tm.setTermSize(msg.Width, msg.Height)\n\t}\n\n\treturn m.st.Update(m, msg)\n}\n\nfunc (m model) View() tea.View {\n\t// render both views side-by-side\n\tmainStyle, infoStyle := m.getBorderStyles()\n\tmainView := mainStyle.Render(m.st.View(m))\n\tinfoView := infoStyle.Render(m.st.InfoView())\n\tview := lipgloss.JoinHorizontal(lipgloss.Top, mainView, infoView)\n\n\t// If we can't fit both side-by-side, only render the focused view\n\tif lipgloss.Width(view) > m.termWidth {\n\t\tif m.st.IsInfoFocused() {\n\t\t\tview = infoView\n\t\t} else {\n\t\t\tview = mainView\n\t\t}\n\t}\n\n\t// add the help to the bottom\n\tview = lipgloss.JoinVertical(lipgloss.Center, view, m.help.View(tui.Keys))\n\n\tv := tea.NewView(lipgloss.Place(m.termWidth, m.termHeight, lipgloss.Center, lipgloss.Center, view))\n\tv.AltScreen = true\n\n\treturn v\n}\n\ntype modelState interface {\n\tInit(m model) tea.Cmd\n\tUpdate(m model, msg tea.Msg) (tea.Model, tea.Cmd)\n\tView(m model) string\n\tResize(w, h int)\n\n\tInfoView() string\n\tResizeInfo(w, h int)\n\tIsInfoFocused() bool\n}\n\ntype inPlaceResolutionMsg struct {\n\tres remediation.InPlaceResult\n\tg *resolve.Graph\n\terr error\n}\n\nfunc doInPlaceResolution(ctx context.Context, cl client.ResolutionClient, opts osvFixOptions) tea.Msg {\n\tlf, err := depfile.OpenLocalDepFile(opts.Lockfile)\n\tif err != nil {\n\t\treturn inPlaceResolutionMsg{err: err}\n\t}\n\tdefer lf.Close()\n\tg, err := opts.LockfileRW.Read(lf)\n\tif err != nil {\n\t\treturn inPlaceResolutionMsg{err: err}\n\t}\n\tres, err := remediation.ComputeInPlacePatches(ctx, cl, g, opts.Options)\n\n\treturn inPlaceResolutionMsg{res, g, err}\n}\n\ntype doRelockMsg struct {\n\tres *resolution.Result\n\terr error\n}\n\nfunc doRelock(ctx context.Context, cl client.ResolutionClient, m manif.Manifest, opts resolution.ResolveOpts, matchFn func(resolution.Vulnerability) bool) tea.Msg {\n\tres, err := resolution.Resolve(ctx, cl, m, opts)\n\tif err != nil {\n\t\treturn doRelockMsg{nil, err}\n\t}\n\n\tif err := cl.WriteCache(m.FilePath); err != nil {\n\t\treturn doRelockMsg{nil, err}\n\t}\n\n\tres.FilterVulns(matchFn)\n\n\treturn doRelockMsg{res, nil}\n}\n\nfunc doInitialRelock(ctx context.Context, opts osvFixOptions) tea.Msg {\n\tf, err := depfile.OpenLocalDepFile(opts.Manifest)\n\tif err != nil {\n\t\treturn doRelockMsg{err: err}\n\t}\n\tdefer f.Close()\n\tm, err := opts.ManifestRW.Read(f)\n\tif err != nil {\n\t\treturn doRelockMsg{err: err}\n\t}\n\tclient.PreFetch(ctx, opts.Client, m.Requirements, m.FilePath)\n\n\treturn doRelock(ctx, opts.Client, m, opts.ResolveOpts, opts.MatchVuln)\n}\n\n// tui.ViewModel for showing non-interactive strings\ntype infoStringView string\n\nfunc (s infoStringView) Update(tea.Msg) (tui.ViewModel, tea.Cmd) { return s, nil }\nfunc (s infoStringView) View() string { return string(s) }\nfunc (s infoStringView) Resize(int, int) {}\n\nvar emptyInfoView = infoStringView(\"\")\n\nfunc resolutionErrorView(res *resolution.Result, errs []resolution.NodeError) tui.ViewModel {\n\tif len(errs) == 0 {\n\t\treturn emptyInfoView\n\t}\n\ts := strings.Builder{}\n\ts.WriteString(\"The following errors were encountered during resolution which may impact results:\\n\")\n\tfor _, e := range errs {\n\t\tnode := res.Graph.Nodes[e.NodeID]\n\t\tfmt.Fprintf(&s, \"Error when resolving %s@%s:\\n\", node.Version.Name, node.Version.Version)\n\t\treq := e.Error.Req\n\t\tif strings.Contains(req.Version, \":\") {\n\t\t\t// this will be the case with unsupported npm requirements e.g. `file:...`, `git+https://...`\n\t\t\t// TODO: don't rely on resolution to propagate these errors\n\t\t\t// No easy access to the `knownAs` field to find which package this corresponds to\n\t\t\tfmt.Fprintf(&s, \"\\tSkipped resolving unsupported version specification: %s\\n\", req.Version)\n\t\t} else {\n\t\t\tfmt.Fprintf(&s, \"\\t%v: %s@%s\\n\", e.Error.Error, req.Name, req.Version)\n\t\t}\n\t}\n\n\treturn infoStringView(s.String())\n}\n\ntype writeMsg struct {\n\terr error\n}\n" }, { "path": "cmd/osv-scanner/fix/noninteractive.go", "content": "package fix\n\nimport (\n\t\"cmp\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"maps\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\tlf \"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n)\n\nfunc autoInPlace(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {\n\tif !remediation.SupportsInPlace(opts.LockfileRW) {\n\t\treturn fmt.Errorf(\"%s strategy is not supported for lockfile\", strategyInPlace)\n\t}\n\n\tcmdlogger.Infof(\"Scanning %s...\", opts.Lockfile)\n\tvar outputResult fixOutput\n\toutputResult.Path = opts.Lockfile\n\toutputResult.Ecosystem = util.OSVEcosystem[opts.LockfileRW.System()]\n\toutputResult.Strategy = strategyInPlace\n\n\tf, err := depfile.OpenLocalDepFile(opts.Lockfile)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tg, err := opts.LockfileRW.Read(f)\n\tf.Close()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tres, err := remediation.ComputeInPlacePatches(ctx, opts.Client, g, opts.Options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tpatches := autoChooseInPlacePatches(res, maxUpgrades, &outputResult)\n\n\tif err := printResult(outputResult, opts); err != nil {\n\t\tcmdlogger.Errorf(\"failed writing output\")\n\t\treturn err\n\t}\n\n\tcmdlogger.Infof(\"Rewriting %s...\", opts.Lockfile)\n\n\treturn lf.Overwrite(opts.LockfileRW, opts.Lockfile, patches)\n}\n\n// returns the top {maxUpgrades} compatible patches, and populates outputResult.\n// if maxUpgrades is < 0, do as many patches as possible\nfunc autoChooseInPlacePatches(res remediation.InPlaceResult, maxUpgrades int, outputResult *fixOutput) []lf.DependencyPatch {\n\t// Keep track of the VersionKeys we've already patched so we know which patches are incompatible\n\tseenVKs := make(map[resolve.VersionKey]bool)\n\n\tuniqueVulns := make(map[packageOutput]struct{})\n\tvar patches []lf.DependencyPatch\n\n\tfor _, p := range res.Patches {\n\t\tvk := resolve.VersionKey{\n\t\t\tPackageKey: p.Pkg,\n\t\t\tVersion: p.OrigVersion,\n\t\t}\n\n\t\t// add each of the resolved vulnKeys to the set of unique vulns\n\t\tfor _, rv := range p.ResolvedVulns {\n\t\t\tp := packageOutput{Name: vk.Name, Version: vk.Version}\n\t\t\tif _, ok := uniqueVulns[p]; ok {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tuniqueVulns[p] = struct{}{}\n\t\t\toutputResult.Vulnerabilities = append(outputResult.Vulnerabilities, vulnOutput{\n\t\t\t\tID: rv.OSV.GetId(),\n\t\t\t\tPackages: []packageOutput{p},\n\t\t\t\tUnactionable: false,\n\t\t\t})\n\t\t}\n\n\t\t// If we still are picking more patches, and we haven't already patched this specific version,\n\t\t// then add this patch to our final set of patches and count the vulnerabilities\n\t\tif maxUpgrades != 0 && !seenVKs[vk] {\n\t\t\tseenVKs[vk] = true\n\t\t\tpatches = append(patches, p.DependencyPatch)\n\t\t\tmaxUpgrades--\n\n\t\t\tvulns := make([]vulnOutput, len(p.ResolvedVulns))\n\t\t\tfor i, v := range p.ResolvedVulns {\n\t\t\t\tvulns[i].ID = v.OSV.GetId()\n\t\t\t\tvulns[i].Packages = []packageOutput{{Name: p.Pkg.Name, Version: p.OrigVersion}}\n\t\t\t\tvulns[i].Unactionable = false\n\t\t\t}\n\t\t\tsortVulns(vulns)\n\t\t\toutputResult.Patches = append(outputResult.Patches, patchOutput{\n\t\t\t\tPackageUpdates: []updatePackageOutput{{Name: p.Pkg.Name, VersionFrom: p.OrigVersion, VersionTo: p.NewVersion, Transitive: true}},\n\t\t\t\tFixed: vulns,\n\t\t\t})\n\t\t}\n\t}\n\n\t// Add unactionable vulns to output\n\tfor _, vuln := range res.Unfixable {\n\t\tv := makeResultVuln(vuln)\n\t\tv.Unactionable = true\n\t\toutputResult.Vulnerabilities = append(outputResult.Vulnerabilities, v)\n\t}\n\tsortVulns(outputResult.Vulnerabilities)\n\n\treturn patches\n}\n\nfunc autoRelax(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {\n\tif !remediation.SupportsRelax(opts.ManifestRW) {\n\t\treturn fmt.Errorf(\"%s strategy is not supported for manifest\", strategyRelax)\n\t}\n\n\tcmdlogger.Infof(\"Resolving %s...\", opts.Manifest)\n\tvar outputResult fixOutput\n\toutputResult.Path = opts.Manifest\n\toutputResult.Ecosystem = util.OSVEcosystem[opts.ManifestRW.System()]\n\toutputResult.Strategy = strategyRelax\n\n\tf, err := depfile.OpenLocalDepFile(opts.Manifest)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tmanif, err := opts.ManifestRW.Read(f)\n\tf.Close()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient.PreFetch(ctx, opts.Client, manif.Requirements, manif.FilePath)\n\tres, err := resolution.Resolve(ctx, opts.Client, manif, opts.ResolveOpts)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tres.FilterVulns(opts.MatchVuln)\n\t// TODO: count vulnerabilities per unique version as scan action does\n\n\tallPatches, err := remediation.ComputeRelaxPatches(ctx, opts.Client, res, opts.Options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif opts.NoIntroduce {\n\t\tallPatches = removeVulnIntroducingPatches(allPatches)\n\t}\n\n\tpopulateResultVulns(&outputResult, res, allPatches)\n\n\tif err := opts.Client.WriteCache(manif.FilePath); err != nil {\n\t\tcmdlogger.Warnf(\"WARNING: failed to write resolution cache: %v\", err)\n\t}\n\n\tdepPatches := autoChooseRelaxPatches(allPatches, maxUpgrades, &outputResult)\n\n\tif err := printResult(outputResult, opts); err != nil {\n\t\tcmdlogger.Errorf(\"failed writing output\")\n\t\treturn err\n\t}\n\n\tif len(depPatches) == 0 {\n\t\treturn nil\n\t}\n\n\tcmdlogger.Infof(\"Rewriting %s...\", opts.Manifest)\n\tif err := manifest.Overwrite(opts.ManifestRW, opts.Manifest, manifest.Patch{Manifest: &manif, Deps: depPatches}); err != nil {\n\t\treturn err\n\t}\n\n\tif opts.Lockfile != \"\" {\n\t\t// We only recreate the lockfile if we know a lockfile already exists\n\t\t// or we've been given a command to run.\n\t\tcmdlogger.Infof(\"Shelling out to regenerate lockfile...\")\n\t\tcmd, err := regenerateLockfileCmd(ctx, opts)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tcmd.Stdout = opts.Stdout\n\t\tcmd.Stderr = opts.Stderr\n\t\tcmdlogger.Infof(\"Executing `%s`...\", cmd)\n\t\terr = cmd.Run()\n\t\tif err == nil {\n\t\t\treturn nil\n\t\t}\n\n\t\tcmdlogger.Warnf(\"Install failed. Trying again with `--legacy-peer-deps`...\")\n\t\tcmd, err = regenerateLockfileCmd(ctx, opts)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tcmd.Args = append(cmd.Args, \"--legacy-peer-deps\")\n\t\tcmd.Stdout = opts.Stdout\n\t\tcmd.Stderr = opts.Stderr\n\n\t\treturn cmd.Run()\n\t}\n\n\treturn nil\n}\n\n// returns the top {maxUpgrades} compatible patches, and populates outputResult\n// if maxUpgrades is < 0, do as many patches as possible\nfunc autoChooseRelaxPatches(diffs []resolution.Difference, maxUpgrades int, outputResult *fixOutput) []manifest.DependencyPatch {\n\tvar patches []manifest.DependencyPatch\n\tpkgChanged := make(map[resolve.VersionKey]bool) // dependencies we've already applied a patch to\n\n\tfor _, diff := range diffs {\n\t\t// If we are not picking any more patches, or this patch is incompatible with existing patches, skip adding it to the patch list.\n\t\t// A patch is incompatible if any of its changed packages have already been changed by an existing patch.\n\t\tif maxUpgrades == 0 || slices.ContainsFunc(diff.Deps, func(dp manifest.DependencyPatch) bool {\n\t\t\treturn pkgChanged[resolve.VersionKey{PackageKey: dp.Pkg, Version: dp.OrigRequire}]\n\t\t}) {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar p patchOutput\n\t\t// Add all individual package patches to the final patch list, and add the vulns this is anticipated to resolve\n\t\tfor _, dp := range diff.Deps {\n\t\t\tpatches = append(patches, dp)\n\t\t\tpkgChanged[resolve.VersionKey{PackageKey: dp.Pkg, Version: dp.OrigRequire}] = true\n\t\t\tp.PackageUpdates = append(p.PackageUpdates, updatePackageOutput{\n\t\t\t\tName: dp.Pkg.Name,\n\t\t\t\tVersionFrom: dp.OrigRequire,\n\t\t\t\tVersionTo: dp.NewRequire,\n\t\t\t\tTransitive: false,\n\t\t\t})\n\t\t}\n\t\tfor _, vuln := range diff.RemovedVulns {\n\t\t\tp.Fixed = append(p.Fixed, makeResultVuln(vuln))\n\t\t}\n\t\tsortVulns(p.Fixed)\n\t\tfor _, v := range diff.AddedVulns {\n\t\t\tp.Introduced = append(p.Introduced, makeResultVuln(v))\n\t\t}\n\t\tsortVulns(p.Introduced)\n\t\toutputResult.Patches = append(outputResult.Patches, p)\n\t\tmaxUpgrades--\n\t}\n\n\treturn patches\n}\n\nfunc autoOverride(ctx context.Context, opts osvFixOptions, maxUpgrades int) error {\n\tif !remediation.SupportsOverride(opts.ManifestRW) {\n\t\treturn errors.New(\"override strategy is not supported for manifest\")\n\t}\n\n\tcmdlogger.Infof(\"Resolving %s...\", opts.Manifest)\n\tvar outputResult fixOutput\n\toutputResult.Path = opts.Manifest\n\toutputResult.Ecosystem = util.OSVEcosystem[opts.ManifestRW.System()]\n\toutputResult.Strategy = strategyOverride\n\tf, err := depfile.OpenLocalDepFile(opts.Manifest)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tmanif, err := opts.ManifestRW.Read(f)\n\tf.Close()\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif opts.ManifestRW.System() == resolve.Maven {\n\t\t// Update Maven registries based on the repositories defined in pom.xml,\n\t\t// as well as the repositories merged from parent pom.xml.\n\t\t// TODO: add registries defined in settings.xml\n\t\t// https://github.com/google/osv-scanner/issues/1269\n\t\tspecific, ok := manif.EcosystemSpecific.(manifest.MavenManifestSpecific)\n\t\tif ok {\n\t\t\tregistries := make([]client.Registry, len(specific.Repositories))\n\t\t\tfor i, repo := range specific.Repositories {\n\t\t\t\tregistries[i] = datasource.MavenRegistry{\n\t\t\t\t\tURL: string(repo.URL),\n\t\t\t\t\tID: string(repo.ID),\n\t\t\t\t\tReleasesEnabled: repo.Releases.Enabled.Boolean(),\n\t\t\t\t\tSnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),\n\t\t\t\t}\n\t\t\t}\n\t\t\tif err := opts.Client.AddRegistries(registries); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\tclient.PreFetch(ctx, opts.Client, manif.Requirements, manif.FilePath)\n\tres, err := resolution.Resolve(ctx, opts.Client, manif, opts.ResolveOpts)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tres.FilterVulns(opts.MatchVuln)\n\t// TODO: count vulnerabilities per unique version as scan action does\n\n\tallPatches, err := remediation.ComputeOverridePatches(ctx, opts.Client, res, opts.Options)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif opts.NoIntroduce {\n\t\tallPatches = removeVulnIntroducingPatches(allPatches)\n\t}\n\n\tpopulateResultVulns(&outputResult, res, allPatches)\n\n\tif err := opts.Client.WriteCache(manif.FilePath); err != nil {\n\t\tcmdlogger.Warnf(\"WARNING: failed to write resolution cache: %v\", err)\n\t}\n\n\tdepPatches := autoChooseOverridePatches(allPatches, maxUpgrades, &outputResult)\n\n\tif err := printResult(outputResult, opts); err != nil {\n\t\tcmdlogger.Errorf(\"failed writing output\")\n\t\treturn err\n\t}\n\n\tif len(depPatches) == 0 {\n\t\treturn nil\n\t}\n\n\tcmdlogger.Infof(\"Rewriting %s...\", opts.Manifest)\n\tif err := manifest.Overwrite(opts.ManifestRW, opts.Manifest, manifest.Patch{Manifest: &manif, Deps: depPatches}); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc autoChooseOverridePatches(diffs []resolution.Difference, maxUpgrades int, outputResult *fixOutput) []manifest.DependencyPatch {\n\tif maxUpgrades == 0 {\n\t\treturn nil\n\t}\n\n\tvar patches []manifest.DependencyPatch\n\tpkgChanged := make(map[resolve.PackageKey]bool) // dependencies we've already applied a patch to\n\tfixedVulns := make(map[string]struct{}) // vulns that have already been fixed by a patch\n\tfor _, diff := range diffs {\n\t\t// If this patch is incompatible with existing patches, skip adding it to the patch list.\n\n\t\t// A patch is incompatible if any of its changed packages have already been changed by an existing patch.\n\t\tif slices.ContainsFunc(diff.Deps, func(dp manifest.DependencyPatch) bool { return pkgChanged[dp.Pkg] }) {\n\t\t\tcontinue\n\t\t}\n\t\t// A patch is also incompatible if any fixed vulnerability has already been fixed by another patch.\n\t\t// This would happen if updating the version of one package has a side effect of also updating or removing one of its vulnerable dependencies.\n\t\t// e.g. We have {foo@1 -> bar@1}, and two possible patches [foo@3, bar@2].\n\t\t// Patching foo@3 makes {foo@3 -> bar@3}, which also fixes the vulnerability in bar.\n\t\t// Applying both patches would force {foo@3 -> bar@2}, which is less desirable.\n\t\tif slices.ContainsFunc(diff.RemovedVulns, func(rv resolution.Vulnerability) bool { _, ok := fixedVulns[rv.OSV.GetId()]; return ok }) {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar p patchOutput\n\t\t// Add all individual package patches to the final patch list, and track the vulns this is anticipated to fix.\n\t\tfor _, dp := range diff.Deps {\n\t\t\tpatches = append(patches, dp)\n\t\t\tpkgChanged[dp.Pkg] = true\n\n\t\t\tpkgUpdate := updatePackageOutput{\n\t\t\t\tName: dp.Pkg.Name,\n\t\t\t\tVersionFrom: dp.OrigResolved,\n\t\t\t\tVersionTo: dp.NewRequire,\n\t\t\t\tTransitive: true,\n\t\t\t}\n\t\t\t// Check if this is a direct dependency\n\t\t\tfor _, req := range diff.Original.Manifest.Requirements {\n\t\t\t\tif req.PackageKey == dp.Pkg && !req.Type.HasAttr(dep.MavenDependencyOrigin) {\n\t\t\t\t\tpkgUpdate.Transitive = false\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\t\t\tp.PackageUpdates = append(p.PackageUpdates, pkgUpdate)\n\t\t}\n\t\tfor _, vuln := range diff.RemovedVulns {\n\t\t\tfixedVulns[vuln.OSV.GetId()] = struct{}{}\n\t\t\tp.Fixed = append(p.Fixed, makeResultVuln(vuln))\n\t\t}\n\t\tsortVulns(p.Fixed)\n\t\tfor _, vuln := range diff.AddedVulns {\n\t\t\tp.Introduced = append(p.Introduced, makeResultVuln(vuln))\n\t\t}\n\t\tsortVulns(p.Introduced)\n\t\toutputResult.Patches = append(outputResult.Patches, p)\n\n\t\tmaxUpgrades--\n\t\tif maxUpgrades == 0 {\n\t\t\tbreak\n\t\t}\n\t}\n\n\treturn patches\n}\n\nfunc sortVulns(vulns []vulnOutput) {\n\tslices.SortFunc(vulns, func(a, b vulnOutput) int {\n\t\treturn identifiers.IDSortFunc(a.ID, b.ID)\n\t})\n}\n\nfunc makeResultVuln(vuln resolution.Vulnerability) vulnOutput {\n\tv := vulnOutput{\n\t\tID: vuln.OSV.GetId(),\n\t}\n\n\taffected := make(map[packageOutput]struct{})\n\tfor _, sg := range vuln.Subgraphs {\n\t\tvk := sg.Nodes[sg.Dependency].Version\n\t\taffected[packageOutput{Name: vk.Name, Version: vk.Version}] = struct{}{}\n\t}\n\tv.Packages = slices.AppendSeq(make([]packageOutput, 0, len(affected)), maps.Keys(affected))\n\tslices.SortFunc(v.Packages, func(a, b packageOutput) int {\n\t\tif c := cmp.Compare(a.Name, b.Name); c != 0 {\n\t\t\treturn c\n\t\t}\n\n\t\treturn cmp.Compare(a.Version, b.Version)\n\t})\n\n\treturn v\n}\n\nfunc populateResultVulns(outputResult *fixOutput, res *resolution.Result, allPatches []resolution.Difference) {\n\t// Resolution errors\n\tfor _, err := range res.Errors() {\n\t\tnode := res.Graph.Nodes[err.NodeID]\n\t\toutputResult.Errors = append(outputResult.Errors, errorOutput{\n\t\t\tPackage: packageOutput{\n\t\t\t\tName: node.Version.Name,\n\t\t\t\tVersion: node.Version.Version,\n\t\t\t},\n\t\t\tRequirement: packageOutput{\n\t\t\t\tName: err.Error.Req.Name,\n\t\t\t\tVersion: err.Error.Req.Version,\n\t\t\t},\n\t\t\tError: err.Error.Error,\n\t\t})\n\t}\n\n\t// Vulnerabilities\n\tvulns := make(map[string]vulnOutput, len(res.Vulns))\n\toutputResult.Vulnerabilities = make([]vulnOutput, len(res.Vulns))\n\tfor _, vuln := range res.Vulns {\n\t\tv := makeResultVuln(vuln)\n\t\tv.Unactionable = true\n\t\tvulns[v.ID] = v\n\t}\n\n\t// Determine if vulnerabilities are actionable\n\tfor _, p := range allPatches {\n\t\tfor _, vuln := range p.RemovedVulns {\n\t\t\tif v, ok := vulns[vuln.OSV.GetId()]; ok {\n\t\t\t\tv.Unactionable = false\n\t\t\t\tvulns[vuln.OSV.GetId()] = v\n\t\t\t}\n\t\t}\n\t}\n\n\toutputResult.Vulnerabilities = slices.Collect(maps.Values(vulns))\n\tsortVulns(outputResult.Vulnerabilities)\n}\n\nfunc removeVulnIntroducingPatches(patches []resolution.Difference) []resolution.Difference {\n\treturn slices.DeleteFunc(patches, func(diff resolution.Difference) bool { return len(diff.AddedVulns) > 0 })\n}\n" }, { "path": "cmd/osv-scanner/fix/output.go", "content": "package fix\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\n// fixOutput is a description of changes made by guided remediation to a manifest/lockfile.\ntype fixOutput struct {\n\tPath string `json:\"path\"` // path to the manifest/lockfile.\n\tEcosystem osvconstants.Ecosystem `json:\"ecosystem\"` // the OSV ecosystem of the file (npm, Maven)\n\tStrategy strategy `json:\"strategy\"` // the remediation strategy that was used.\n\tVulnerabilities []vulnOutput `json:\"vulnerabilities\"` // vulns detected in the initial manifest/lockfile.\n\tPatches []patchOutput `json:\"patches\"` // list of dependency patches that were applied.\n\tErrors []errorOutput `json:\"errors,omitempty\"` // non-fatal errors encountered in initial resolution.\n}\n\n// vulnOutput represents a vulnerability that was found in a project.\ntype vulnOutput struct {\n\tID string `json:\"id\"` // the OSV ID of the vulnerability.\n\tPackages []packageOutput `json:\"packages\"` // the list of packages in the dependency graph this vuln affects.\n\tUnactionable bool `json:\"unactionable,omitempty\"` // true if no fix patch available, or if constraints would prevent one.\n}\n\n// patchOutput represents an isolated patch to one or more dependencies that fixes one or more vulns.\ntype patchOutput struct {\n\tPackageUpdates []updatePackageOutput `json:\"packageUpdates\"` // dependencies that were updated.\n\tFixed []vulnOutput `json:\"fixed\"` // vulns fixed by this patch.\n\tIntroduced []vulnOutput `json:\"introduced,omitempty\"` // vulns introduced by this patch.\n}\n\n// packageOutput represents a package that was found in a project.\ntype packageOutput struct {\n\tName string `json:\"name\"` // name of the dependency.\n\tVersion string `json:\"version\"` // version of the dependency in the graph.\n}\n\n// updatePackageOutput represents a package that was updated by a patch.\ntype updatePackageOutput struct {\n\tName string `json:\"name\"` // name of dependency being updated.\n\tVersionFrom string `json:\"versionFrom\"` // version of the dependency before the patch.\n\tVersionTo string `json:\"versionTo\"` // version of the dependency after the patch.\n\tTransitive bool `json:\"transitive\"` // false if this package is a direct dependency, true if indirect.\n}\n\n// errorOutput represents an error encountered during the initial resolution of the dependency graph.\ntype errorOutput struct {\n\tPackage packageOutput `json:\"package\"` // the package that caused the error.\n\tRequirement packageOutput `json:\"requirement\"` // the requirement of the package that errored.\n\tError string `json:\"error\"` // the error string.\n\t// e.g.\n\t// errorOutput{\n\t// \t Package: affectedPackage{\"foo\", \"1.2.3\"},\n\t// \t Requirement: affectedPackage{\"bar\", \">2.0.0\"},\n\t//\t Error: \"could not find a version that satisfies requirement >2.0.0 for package bar\",\n\t// }\n}\n\nfunc printResult(outputResult fixOutput, opts osvFixOptions) error {\n\tif opts.OutputJSON {\n\t\treturn outputJSON(opts.Stdout, outputResult)\n\t}\n\n\treturn outputText(opts.Stdout, outputResult)\n}\n\nfunc outputText(_ io.Writer, out fixOutput) error {\n\tif len(out.Errors) > 0 {\n\t\tcmdlogger.Warnf(\"WARNING: encountered %d errors during dependency resolution:\", len(out.Errors))\n\t\tfor _, err := range out.Errors {\n\t\t\tcmdlogger.Errorf(\"Error when resolving %s@%s:\", err.Package.Name, err.Package.Version)\n\t\t\tif strings.Contains(err.Requirement.Version, \":\") {\n\t\t\t\t// this will be the case with unsupported npm requirements e.g. `file:...`, `git+https://...`\n\t\t\t\t// TODO: don't rely on resolution to propagate these errors\n\t\t\t\t// No easy access to the `knownAs` field to find which package this corresponds to\n\t\t\t\tcmdlogger.Errorf(\"\\tSkipped resolving unsupported version specification: %s\", err.Requirement.Version)\n\t\t\t} else {\n\t\t\t\tcmdlogger.Errorf(\"\\t%v: %s@%s\", err.Error, err.Requirement.Name, err.Requirement.Version)\n\t\t\t}\n\t\t}\n\t}\n\n\tnVulns := len(out.Vulnerabilities)\n\n\tcmdlogger.Infof(\"Found %d vulnerabilities matching the filter\", nVulns)\n\n\tif len(out.Patches) == 0 {\n\t\tcmdlogger.Infof(\"No dependency patches are possible\")\n\t\tcmdlogger.Infof(\"REMAINING-VULNS: %d\", nVulns)\n\t\tcmdlogger.Infof(\"UNFIXABLE-VULNS: %d\", nVulns)\n\n\t\treturn nil\n\t}\n\n\tchangedDeps := 0\n\tvar fixedVulns []string\n\tfor _, patch := range out.Patches {\n\t\tchangedDeps += len(patch.PackageUpdates)\n\t\tfor _, v := range patch.Fixed {\n\t\t\tfixedVulns = append(fixedVulns, v.ID)\n\t\t}\n\t}\n\n\tif out.Strategy == strategyOverride {\n\t\tcmdlogger.Infof(\"Can fix %d/%d matching vulnerabilities by overriding %d dependencies\", len(fixedVulns), nVulns, changedDeps)\n\t\tfor _, patch := range out.Patches {\n\t\t\tfor _, pkg := range patch.PackageUpdates {\n\t\t\t\tcmdlogger.Infof(\"OVERRIDE-PACKAGE: %s,%s\", pkg.Name, pkg.VersionTo)\n\t\t\t}\n\t\t}\n\t} else {\n\t\tcmdlogger.Infof(\"Can fix %d/%d matching vulnerabilities by changing %d dependencies\", len(fixedVulns), nVulns, changedDeps)\n\t\tfor _, patch := range out.Patches {\n\t\t\tfor _, pkg := range patch.PackageUpdates {\n\t\t\t\tcmdlogger.Infof(\"UPGRADED-PACKAGE: %s,%s,%s\", pkg.Name, pkg.VersionFrom, pkg.VersionTo)\n\t\t\t}\n\t\t}\n\t}\n\tslices.Sort(fixedVulns)\n\tcmdlogger.Infof(\"FIXED-VULN-IDS: %s\", strings.Join(fixedVulns, \",\"))\n\tcmdlogger.Infof(\"REMAINING-VULNS: %d\", nVulns-len(fixedVulns))\n\n\tnUnfixable := 0\n\tfor _, v := range out.Vulnerabilities {\n\t\tif v.Unactionable {\n\t\t\tnUnfixable++\n\t\t}\n\t}\n\tcmdlogger.Infof(\"UNFIXABLE-VULNS: %d\", nUnfixable)\n\n\treturn nil\n}\n\nfunc outputJSON(w io.Writer, out fixOutput) error {\n\tencoder := json.NewEncoder(w)\n\tencoder.SetIndent(\"\", \" \")\n\n\treturn encoder.Encode(out)\n}\n" }, { "path": "cmd/osv-scanner/fix/regen_lockfile.go", "content": "package fix\n\nimport (\n\t\"context\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n)\n\nfunc regenerateLockfileCmd(ctx context.Context, opts osvFixOptions) (*exec.Cmd, error) {\n\t// TODO: this is npm-specific and hacky\n\t// delete existing package-lock & node_modules directory to force npm to do a clean install\n\tdir := filepath.Dir(opts.Manifest)\n\tif err := os.RemoveAll(filepath.Join(dir, \"package-lock.json\")); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := os.RemoveAll(filepath.Join(dir, \"node_modules\")); err != nil {\n\t\treturn nil, err\n\t}\n\t// TODO: need to also remove node_modules/ in workspace packages\n\n\tc := exec.CommandContext(ctx, \"npm\", \"install\", \"--package-lock-only\", \"--ignore-scripts\")\n\tc.Dir = dir\n\n\treturn c, nil\n}\n" }, { "path": "cmd/osv-scanner/fix/state-choose-in-place-patches.go", "content": "package fix\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/table\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n)\n\ntype stateChooseInPlacePatches struct {\n\tstateInPlace *stateInPlaceResult\n\n\ttable table.Model // in-place table to render\n\tpatchIdx []int // for each flattened patch, its index into unflattened patches\n\tvulnsInfos []tui.ViewModel // vulns info views corresponding to each flattened patch\n\n\tfocusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused\n\n\tviewWidth int // width for rendering (same as model.mainViewWidth)\n}\n\nfunc (st *stateChooseInPlacePatches) Init(m model) tea.Cmd {\n\t// pre-computation of flattened patches and vulns\n\tfor idx, p := range m.inPlaceResult.Patches {\n\t\tfor i := range p.ResolvedVulns {\n\t\t\tst.patchIdx = append(st.patchIdx, idx)\n\t\t\tst.vulnsInfos = append(st.vulnsInfos, tui.NewVulnInfo(&p.ResolvedVulns[i]))\n\t\t}\n\t}\n\n\t// grab the table out of the InPlaceInfo, so it looks consistent\n\t// TODO: Re-use this in a less hacky way\n\tst.table = tui.NewInPlaceInfo(*m.inPlaceResult).Model\n\t// insert the select/deselect all row, and a placeholder row for the 'done' line\n\tr := st.table.Rows()\n\tr = slices.Insert(r, 0, table.Row{\"\", \"\", \"\"})\n\tr = append(r, table.Row{\"\", \"\", \"\"})\n\tst.table.SetRows(r)\n\n\tst.updateTableRows(m)\n\tst.Resize(m.mainViewWidth, m.mainViewHeight)\n\tst.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n\n\treturn nil\n}\n\nfunc (st *stateChooseInPlacePatches) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tif msg, ok := msg.(tea.KeyPressMsg); ok {\n\t\tswitch {\n\t\tcase key.Matches(msg, tui.Keys.SwitchView):\n\t\t\tif st.IsInfoFocused() {\n\t\t\t\tst.focusedInfo = nil\n\t\t\t\tst.table.Focus()\n\t\t\t} else if view, canFocus := st.currentInfoView(); canFocus {\n\t\t\t\tst.focusedInfo = view\n\t\t\t\tst.table.Blur() // ignore key presses when the info view is focused\n\t\t\t}\n\t\tcase st.IsInfoFocused():\n\t\t\tst.focusedInfo, cmd = st.focusedInfo.Update(msg)\n\t\t\t// VulnInfo returns nil as the model when it wants to exit, instead of the CloseViewModel Cmd\n\t\t\t// if it quits, we need to re-focus the table\n\t\t\tif st.focusedInfo == nil {\n\t\t\t\tst.table.Focus()\n\t\t\t}\n\t\tcase key.Matches(msg, tui.Keys.Quit):\n\t\t\t// go back to in-place results\n\t\t\tm.st = st.stateInPlace\n\t\t\treturn m, nil\n\n\t\tcase key.Matches(msg, tui.Keys.Select):\n\t\t\tif st.table.Cursor() == len(st.table.Rows())-1 { // hit enter on done line\n\t\t\t\t// go back to in-place results\n\t\t\t\tm.st = st.stateInPlace\n\t\t\t\treturn m, nil\n\t\t\t}\n\t\t\tif st.table.Cursor() == 0 { // select/deselect all\n\t\t\t\t// if nothing is selected, set everything to true, otherwise set everything to false\n\t\t\t\tselection := !slices.Contains(st.stateInPlace.selectedChanges, true)\n\t\t\t\tfor i := range st.stateInPlace.selectedChanges {\n\t\t\t\t\tst.stateInPlace.selectedChanges[i] = selection\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tst.toggleSelection(st.table.Cursor() - 1)\n\t\t\t}\n\t\t\tst.updateTableRows(m)\n\t\t}\n\t}\n\t// update the table\n\tt, c := st.table.Update(msg)\n\tst.table = t\n\n\treturn m, tea.Batch(cmd, c)\n}\n\nfunc (st *stateChooseInPlacePatches) View(_ model) string {\n\ttableStr := lipgloss.PlaceHorizontal(st.viewWidth, lipgloss.Center, st.table.View())\n\treturn lipgloss.JoinVertical(lipgloss.Left,\n\t\ttableStr,\n\t\ttui.RenderSelectorOption(st.table.Cursor() == len(st.table.Rows())-1, \" > \", \"%s\", \"Done\"),\n\t)\n}\n\nfunc (st *stateChooseInPlacePatches) InfoView() string {\n\tv, _ := st.currentInfoView()\n\treturn v.View()\n}\n\nfunc (st *stateChooseInPlacePatches) updateTableRows(m model) {\n\t// update the checkbox for each row\n\trows := st.table.Rows()\n\tanySelected := false\n\tfor i, pIdx := range st.patchIdx {\n\t\t// don't render a checkbox on the empty lines\n\t\tif rows[i+1][0] == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tvar checkBox string\n\t\tif st.stateInPlace.selectedChanges[pIdx] {\n\t\t\tcheckBox = \"[x]\"\n\t\t\tanySelected = true\n\t\t} else {\n\t\t\tcheckBox = \"[ ]\"\n\t\t}\n\t\trows[i+1][0] = fmt.Sprintf(\"%s %s\", checkBox, m.inPlaceResult.Patches[pIdx].Pkg.Name)\n\t}\n\t// show select all only if nothing is selected,\n\t// show deselect all if anything is selected\n\tif anySelected {\n\t\trows[0][0] = \"DESELECT ALL\"\n\t} else {\n\t\trows[0][0] = \"SELECT ALL\"\n\t}\n\tst.table.SetRows(rows)\n\t// there is no table.Columns() method, so I can't resize the columns to fit the checkbox properly :(\n}\n\nfunc (st *stateChooseInPlacePatches) toggleSelection(idx int) {\n\t// TODO: Prevent selection of multiple (incompatible) patches for same package version\n\ti := st.patchIdx[idx]\n\tst.stateInPlace.selectedChanges[i] = !st.stateInPlace.selectedChanges[i]\n}\n\nfunc (st *stateChooseInPlacePatches) currentInfoView() (view tui.ViewModel, canFocus bool) {\n\tif c := st.table.Cursor(); c > 0 && c < len(st.table.Rows())-1 {\n\t\treturn st.vulnsInfos[c-1], true\n\t}\n\n\treturn emptyInfoView, false\n}\n\nfunc (st *stateChooseInPlacePatches) Resize(w, h int) {\n\tst.viewWidth = w\n\tst.table.SetWidth(w)\n\tst.table.SetHeight(h - 1) // -1 to account for 'Done' line at bottom\n}\n\nfunc (st *stateChooseInPlacePatches) ResizeInfo(w, h int) {\n\tfor _, info := range st.vulnsInfos {\n\t\tinfo.Resize(w, h)\n\t}\n}\n\nfunc (st *stateChooseInPlacePatches) IsInfoFocused() bool {\n\treturn st.focusedInfo != nil\n}\n" }, { "path": "cmd/osv-scanner/fix/state-choose-strategy.go", "content": "package fix\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/textinput\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n)\n\ntype stateChooseStrategy struct {\n\tcursorPos int // TODO: use an enum\n\tcanRelock bool\n\n\tvulnList tui.ViewModel\n\tinPlaceInfo tui.ViewModel\n\trelockFixVulns tui.ViewModel\n\terrorsView tui.ViewModel\n\n\tdepthInput textinput.Model\n\tseverityInput textinput.Model\n\n\tfocusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused\n}\n\nconst (\n\tstateChooseInfo = iota\n\tstateChooseErrors\n\tstateChooseInPlace\n\tstateChooseRelock\n\tstateChooseDepth\n\tstateChooseSeverity\n\tstateChooseDev\n\tstateChooseApplyCriteria\n\tstateChooseQuit\n\tstateChooseEnd\n)\n\nfunc (st *stateChooseStrategy) Init(m model) tea.Cmd {\n\tst.cursorPos = stateChooseInPlace\n\t// pre-generate the info views for each option\n\n\t// make a slice of vuln pointers for the all vulnerabilities list\n\t// TODO: be consistent & efficient with how we pass resolution.Vulnerabilities around\n\tvar allVulns []*resolution.Vulnerability\n\tfor _, p := range m.inPlaceResult.Patches {\n\t\tfor i := range p.ResolvedVulns {\n\t\t\tallVulns = append(allVulns, &p.ResolvedVulns[i])\n\t\t}\n\t}\n\tfor i := range m.inPlaceResult.Unfixable {\n\t\tallVulns = append(allVulns, &m.inPlaceResult.Unfixable[i])\n\t}\n\tst.vulnList = tui.NewVulnList(allVulns, \"\")\n\n\t// make the in-place view\n\tst.inPlaceInfo = tui.NewInPlaceInfo(*m.inPlaceResult)\n\n\tif m.options.Manifest != \"\" {\n\t\t// find the vulns fixed by relocking to show on the relock hover\n\t\tst.canRelock = true\n\t\tvar relockFixes []*resolution.Vulnerability\n\t\tfor _, v := range allVulns {\n\t\t\tif !slices.ContainsFunc(m.relockBaseRes.Vulns, func(r resolution.Vulnerability) bool {\n\t\t\t\treturn r.OSV.GetId() == v.OSV.GetId()\n\t\t\t}) {\n\t\t\t\trelockFixes = append(relockFixes, v)\n\t\t\t}\n\t\t}\n\t\tst.relockFixVulns = tui.NewVulnList(relockFixes, \"Relocking fixes the following vulns:\")\n\t\tst.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n\t} else {\n\t\tst.canRelock = false\n\t\tst.relockFixVulns = infoStringView(\"Re-run with manifest to resolve vulnerabilities by re-locking\")\n\t}\n\n\tst.depthInput = textinput.New()\n\tst.depthInput.CharLimit = 3\n\tst.depthInput.SetValue(strconv.Itoa(m.options.MaxDepth))\n\n\tst.severityInput = textinput.New()\n\tst.severityInput.CharLimit = 4\n\tst.severityInput.SetValue(strconv.FormatFloat(m.options.MinSeverity, 'g', -1, 64))\n\n\tst.errorsView = resolutionErrorView(m.relockBaseRes, m.relockBaseResErrs)\n\n\treturn nil\n}\n\nfunc (st *stateChooseStrategy) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {\n\tswitch msg := msg.(type) {\n\tcase tui.ViewModelCloseMsg:\n\t\t// info view wants to quit, just unfocus it\n\t\tst.focusedInfo = nil\n\tcase tea.KeyPressMsg:\n\t\tswitch {\n\t\tcase key.Matches(msg, tui.Keys.SwitchView):\n\t\t\tif st.IsInfoFocused() {\n\t\t\t\tst.focusedInfo = nil\n\t\t\t} else if view, canFocus := st.currentInfoView(); canFocus {\n\t\t\t\tst.focusedInfo = view\n\t\t\t}\n\t\tcase st.IsInfoFocused():\n\t\t\tvar cmd tea.Cmd\n\t\t\tst.focusedInfo, cmd = st.focusedInfo.Update(msg)\n\n\t\t\treturn m, cmd\n\t\tcase key.Matches(msg, tui.Keys.Quit):\n\t\t\t// only quit if the cursor is over the quit line\n\t\t\tif st.cursorPos == stateChooseQuit {\n\t\t\t\treturn m, tea.Quit\n\t\t\t}\n\t\t\t// otherwise move the cursor to the quit line if it's not already there\n\t\t\tst.cursorPos = stateChooseQuit\n\t\tcase key.Matches(msg, tui.Keys.Select):\n\t\t\t// enter key was pressed, parse input\n\t\t\treturn st.parseInput(m)\n\t\t// move the cursor and show the corresponding info view\n\t\tcase key.Matches(msg, tui.Keys.Up):\n\t\t\tif st.cursorPos > stateChooseInfo {\n\t\t\t\tst.cursorPos--\n\t\t\t\t// Resolution errors aren't rendered if there are none\n\t\t\t\tif st.cursorPos == stateChooseErrors && len(m.relockBaseResErrs) == 0 {\n\t\t\t\t\tst.cursorPos--\n\t\t\t\t}\n\t\t\t}\n\t\t\tst.UpdateTextFocus()\n\t\tcase key.Matches(msg, tui.Keys.Down):\n\t\t\tif st.cursorPos < stateChooseEnd-1 {\n\t\t\t\tst.cursorPos++\n\t\t\t\tif st.cursorPos == stateChooseErrors && len(m.relockBaseResErrs) == 0 {\n\t\t\t\t\tst.cursorPos++\n\t\t\t\t}\n\t\t\t}\n\t\t\tst.UpdateTextFocus()\n\t\t}\n\t}\n\n\tcmds := make([]tea.Cmd, 0, 2)\n\tvar cmd tea.Cmd\n\tst.depthInput, cmd = st.depthInput.Update(msg)\n\tcmds = append(cmds, cmd)\n\n\tst.severityInput, cmd = st.severityInput.Update(msg)\n\tcmds = append(cmds, cmd)\n\n\treturn m, tea.Batch(cmds...)\n}\n\nfunc (st *stateChooseStrategy) UpdateTextFocus() {\n\tst.depthInput.Blur()\n\tst.severityInput.Blur()\n\n\tswitch st.cursorPos {\n\tcase stateChooseDepth:\n\t\tst.depthInput.Focus()\n\tcase stateChooseSeverity:\n\t\tst.severityInput.Focus()\n\t}\n}\n\nfunc (st *stateChooseStrategy) IsInfoFocused() bool {\n\treturn st.focusedInfo != nil\n}\n\nfunc (st *stateChooseStrategy) currentInfoView() (view tui.ViewModel, canFocus bool) {\n\tswitch st.cursorPos {\n\tcase stateChooseInfo: // info line\n\t\treturn st.vulnList, true\n\tcase stateChooseErrors:\n\t\treturn st.errorsView, false\n\tcase stateChooseInPlace: // in-place\n\t\treturn st.inPlaceInfo, true\n\tcase stateChooseRelock: // relock\n\t\treturn st.relockFixVulns, st.canRelock\n\tcase stateChooseQuit: // quit\n\t\treturn infoStringView(\"Exit Guided Remediation\"), false\n\tdefault:\n\t\treturn emptyInfoView, false\n\t}\n}\n\nfunc (st *stateChooseStrategy) parseInput(m model) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tswitch st.cursorPos {\n\tcase stateChooseInfo: // info line, focus on info view\n\t\tst.focusedInfo = st.vulnList\n\tcase stateChooseInPlace: // in-place\n\t\t// initially have every change be selected to be applied\n\t\tselected := make([]bool, len(m.inPlaceResult.Patches))\n\t\tfor i := range selected {\n\t\t\tselected[i] = true\n\t\t}\n\t\tm.st = &stateInPlaceResult{inPlaceInfo: st.inPlaceInfo, selectedChanges: selected}\n\t\tcmd = m.st.Init(m)\n\tcase stateChooseRelock: // relock\n\t\tif st.canRelock {\n\t\t\tm.st = &stateRelockResult{}\n\t\t\tcmd = m.st.Init(m)\n\t\t}\n\tcase stateChooseDev:\n\t\tm.options.DevDeps = !m.options.DevDeps\n\tcase stateChooseApplyCriteria:\n\t\tmaxDepth, err := strconv.Atoi(st.depthInput.Value())\n\t\tif err == nil {\n\t\t\tm.options.MaxDepth = maxDepth\n\t\t}\n\n\t\tminSeverity, err := strconv.ParseFloat(st.severityInput.Value(), 64)\n\t\tif err == nil {\n\t\t\tm.options.MinSeverity = minSeverity\n\t\t}\n\n\t\t// Reset state. TODO: Add a spinner and do this I/O as a command.\n\t\tres, err := remediation.ComputeInPlacePatches(m.ctx, m.cl, m.lockfileGraph, m.options.Options)\n\t\tif err != nil {\n\t\t\tpanic(err)\n\t\t}\n\t\tm.inPlaceResult = &res\n\n\t\tm.relockBaseRes.FilterVulns(m.options.MatchVuln)\n\n\t\tm.st = &stateChooseStrategy{}\n\t\tcmd = m.st.Init(m)\n\tcase stateChooseQuit: // quit line\n\t\tcmd = tea.Quit\n\t}\n\n\treturn m, cmd\n}\n\nfunc (st *stateChooseStrategy) View(m model) string {\n\tvulnCount := m.inPlaceResult.VulnCount()\n\tfixCount := vulnCount.Total() - len(m.inPlaceResult.Unfixable)\n\tpkgChange := len(m.inPlaceResult.Patches)\n\n\ts := strings.Builder{}\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseInfo,\n\t\t\"\",\n\t\tfmt.Sprintf(\"Found %%s in lockfile (%d direct, %d transitive, %d dev only) matching the criteria.\\n\", vulnCount.Direct, vulnCount.Transitive, vulnCount.Dev),\n\t\tfmt.Sprintf(\"%d vulnerabilities\", vulnCount.Total()),\n\t))\n\tif len(m.relockBaseResErrs) > 0 {\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateChooseErrors,\n\t\t\t\"\",\n\t\t\t\"WARNING: Encountered %s during graph resolution.\\n\",\n\t\t\tfmt.Sprintf(\"%d errors\", len(m.relockBaseResErrs)),\n\t\t))\n\t}\n\ts.WriteString(\"\\n\")\n\ts.WriteString(\"Actions:\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseInPlace,\n\t\t\" > \",\n\t\tfmt.Sprintf(\"%%s (fixes %d/%d vulns, changes %d packages)\\n\", fixCount, vulnCount.Total(), pkgChange),\n\t\t\"Modify lockfile in-place\",\n\t))\n\n\t// TODO: skip choseStrategy when relocking is unavailable\n\tif st.canRelock {\n\t\t// TODO: In-place and relock count vulns differently; this number is wrong\n\t\trelockFix := vulnCount.Total() - len(m.relockBaseRes.Vulns)\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateChooseRelock,\n\t\t\t\" > \",\n\t\t\tfmt.Sprintf(\"%%s (fixes %d/%d vulns) and try direct dependency upgrades\\n\", relockFix, vulnCount.Total()),\n\t\t\t\"Re-lock project\",\n\t\t))\n\t} else {\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateChooseRelock,\n\t\t\t\" > \",\n\t\t\ttui.DisabledTextStyle.Render(\"Cannot re-lock - missing manifest file\\n\"),\n\t\t))\n\t}\n\ts.WriteString(\"\\n\")\n\ts.WriteString(\"Criteria:\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseDepth,\n\t\t\" > \",\n\t\tfmt.Sprintf(\"%%s: %s\\n\", st.depthInput.View()),\n\t\t\"Max dependency depth\",\n\t))\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseSeverity,\n\t\t\" > \",\n\t\tfmt.Sprintf(\"%%s: %s\\n\", st.severityInput.View()),\n\t\t\"Min CVSS score\",\n\t))\n\n\tdevString := \"YES\"\n\tif m.options.DevDeps {\n\t\tdevString = \"NO\"\n\t}\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseDev,\n\t\t\" > \",\n\t\tfmt.Sprintf(\"%%s: %s\\n\", devString),\n\t\t\"Exclude dev only\",\n\t))\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseApplyCriteria,\n\t\t\" > \",\n\t\t\"%s\\n\",\n\t\t\"Apply criteria\",\n\t))\n\n\ts.WriteString(\"\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateChooseQuit,\n\t\t\"> \",\n\t\t\"%s\\n\",\n\t\t\"quit\",\n\t))\n\n\treturn s.String()\n}\n\nfunc (st *stateChooseStrategy) InfoView() string {\n\tv, _ := st.currentInfoView()\n\treturn v.View()\n}\n\nfunc (st *stateChooseStrategy) Resize(_, _ int) {}\n\nfunc (st *stateChooseStrategy) ResizeInfo(w, h int) {\n\tst.vulnList.Resize(w, h)\n\tst.inPlaceInfo.Resize(w, h)\n\tst.relockFixVulns.Resize(w, h)\n}\n" }, { "path": "cmd/osv-scanner/fix/state-in-place-result.go", "content": "package fix\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/key\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\tlockf \"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n)\n\ntype stateInPlaceResult struct {\n\tcursorPos int // TODO: use an enum\n\tcanRelock bool\n\n\tselectedChanges []bool // in-place changes to be applied\n\n\tvulnList tui.ViewModel\n\tinPlaceInfo tui.ViewModel\n\trelockFixVulns tui.ViewModel\n\n\tfocusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused\n}\n\nconst (\n\tstateInPlaceFixed = iota\n\tstateInPlaceRemain\n\tstateInPlaceChoice\n\tstateInPlaceWrite\n\tstateInPlaceRelock\n\tstateInPlaceQuit\n\tstateInPlaceEnd\n)\n\nfunc (st *stateInPlaceResult) Init(m model) tea.Cmd {\n\t// pre-generate the info views for each option\n\t// inPlaceInfo is given to this by stateChooseStrategy when it makes this struct\n\t// Get the list of remaining vulns\n\tvulns := make([]*resolution.Vulnerability, len(m.inPlaceResult.Unfixable))\n\tfor i := range m.inPlaceResult.Unfixable {\n\t\tvulns[i] = &m.inPlaceResult.Unfixable[i]\n\t}\n\tst.vulnList = tui.NewVulnList(vulns, \"\")\n\n\t// recompute the vulns fixed by relocking after the in-place update\n\tif m.options.Manifest != \"\" {\n\t\tst.canRelock = true\n\t\tvar relockFixes []*resolution.Vulnerability\n\t\tfor _, v := range vulns {\n\t\t\tif !slices.ContainsFunc(m.relockBaseRes.Vulns, func(r resolution.Vulnerability) bool {\n\t\t\t\treturn r.OSV.GetId() == v.OSV.GetId()\n\t\t\t}) {\n\t\t\t\trelockFixes = append(relockFixes, v)\n\t\t\t}\n\t\t}\n\t\tst.relockFixVulns = tui.NewVulnList(relockFixes, \"Relocking fixes the following vulns:\")\n\t} else {\n\t\tst.canRelock = false\n\t\tst.relockFixVulns = infoStringView(\"Re-run with manifest to resolve vulnerabilities by re-locking\")\n\t}\n\n\tst.cursorPos = stateInPlaceChoice\n\tst.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n\n\treturn nil\n}\n\nfunc (st *stateInPlaceResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tswitch msg := msg.(type) {\n\tcase writeMsg: // just finished writing & installing the lockfile\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\tm.writing = false\n\t\t// remove the written in-place changes\n\t\tvar newPatches []remediation.InPlacePatch\n\t\tfor i, selected := range st.selectedChanges {\n\t\t\tif !selected {\n\t\t\t\tnewPatches = append(newPatches, m.inPlaceResult.Patches[i])\n\t\t\t}\n\t\t}\n\t\tm.inPlaceResult.Patches = newPatches\n\t\t// unselect all changes\n\t\tst.selectedChanges = make([]bool, len(newPatches))\n\t\t// regenerate the in-place info panel\n\t\tst.inPlaceInfo = tui.NewInPlaceInfo(*m.inPlaceResult)\n\n\t\treturn m, cmd\n\n\tcase tui.ViewModelCloseMsg:\n\t\t// info view wants to quit, just unfocus it\n\t\tst.focusedInfo = nil\n\tcase tea.KeyPressMsg:\n\t\tswitch {\n\t\tcase key.Matches(msg, tui.Keys.SwitchView):\n\t\t\tif st.IsInfoFocused() {\n\t\t\t\tst.focusedInfo = nil\n\t\t\t} else if view, canFocus := st.currentInfoView(); canFocus {\n\t\t\t\tst.focusedInfo = view\n\t\t\t}\n\t\tcase st.IsInfoFocused():\n\t\t\tst.focusedInfo, cmd = st.focusedInfo.Update(msg)\n\t\tcase key.Matches(msg, tui.Keys.Quit):\n\t\t\t// only quit if the cursor is over the quit line\n\t\t\tif st.cursorPos == stateInPlaceQuit {\n\t\t\t\treturn m, tea.Quit\n\t\t\t}\n\t\t\t// move the cursor to the quit line if it's not already there\n\t\t\tst.cursorPos = stateInPlaceQuit\n\t\tcase key.Matches(msg, tui.Keys.Select):\n\t\t\t// enter key was pressed, parse input\n\t\t\treturn st.parseInput(m)\n\t\t// move the cursor and show the corresponding info view\n\t\tcase key.Matches(msg, tui.Keys.Up):\n\t\t\tif st.cursorPos > stateInPlaceFixed {\n\t\t\t\tst.cursorPos--\n\t\t\t}\n\t\tcase key.Matches(msg, tui.Keys.Down):\n\t\t\tif st.cursorPos < stateInPlaceEnd-1 {\n\t\t\t\tst.cursorPos++\n\t\t\t}\n\t\t}\n\t}\n\n\treturn m, cmd\n}\n\nfunc (st *stateInPlaceResult) currentInfoView() (view tui.ViewModel, canFocus bool) {\n\tswitch st.cursorPos {\n\tcase stateInPlaceFixed: // info - fixed vulns\n\t\treturn st.inPlaceInfo, true\n\tcase stateInPlaceRemain: // info - remaining vulns\n\t\treturn st.vulnList, true\n\tcase stateInPlaceChoice: // choose changes\n\t\treturn infoStringView(\"Choose which changes to apply\"), false\n\tcase stateInPlaceWrite: // write\n\t\treturn infoStringView(\"Write changes to lockfile\"), false\n\tcase stateInPlaceRelock: // relock\n\t\treturn st.relockFixVulns, st.canRelock\n\tcase stateInPlaceQuit: // quit\n\t\treturn infoStringView(\"Exit Guided Remediation\"), false\n\tdefault:\n\t\treturn emptyInfoView, false\n\t}\n}\n\nfunc (st *stateInPlaceResult) parseInput(m model) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tswitch st.cursorPos {\n\tcase stateInPlaceFixed, stateInPlaceRemain: // info lines, focus info view\n\t\tv, _ := st.currentInfoView()\n\t\tst.focusedInfo = v\n\tcase stateInPlaceChoice: // choose specific patches\n\t\tm.st = &stateChooseInPlacePatches{stateInPlace: st}\n\t\tcmd = m.st.Init(m)\n\tcase stateInPlaceWrite: // write\n\t\tm.writing = true\n\t\tcmd = func() tea.Msg { return st.write(m) }\n\tcase stateInPlaceRelock: // relock\n\t\tif st.canRelock {\n\t\t\tm.st = &stateRelockResult{}\n\t\t\tcmd = m.st.Init(m)\n\t\t}\n\tcase stateInPlaceQuit: // quit\n\t\tcmd = tea.Quit\n\t}\n\n\treturn m, cmd\n}\n\nfunc (st *stateInPlaceResult) View(m model) string {\n\tif m.writing {\n\t\treturn \"\"\n\t}\n\tremainCount := len(m.inPlaceResult.Unfixable)\n\tfixCount := m.inPlaceResult.VulnCount().Total() - remainCount\n\tpkgCount := len(m.inPlaceResult.Patches)\n\tnSelected := 0\n\tfor _, s := range st.selectedChanges {\n\t\tif s {\n\t\t\tnSelected++\n\t\t}\n\t}\n\n\ts := strings.Builder{}\n\ts.WriteString(\"IN-PLACE\\n\") // TODO: better page title/layout\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateInPlaceFixed,\n\t\t\"\",\n\t\tfmt.Sprintf(\"%%s can be changed, fixing %d vulnerabilities\\n\", fixCount),\n\t\tfmt.Sprintf(\"%d packages\", pkgCount),\n\t))\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateInPlaceRemain,\n\t\t\"\",\n\t\t\"%s remain\\n\",\n\t\tfmt.Sprintf(\"%d vulnerabilities\", remainCount),\n\t))\n\n\ts.WriteString(\"\\n\")\n\n\ts.WriteString(\"Actions:\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateInPlaceChoice,\n\t\t\" > \",\n\t\t\"%s which changes to apply\\n\",\n\t\t\"Choose\",\n\t))\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateInPlaceWrite,\n\t\t\" > \",\n\t\tfmt.Sprintf(\"%%s %d changes to lockfile\\n\", nSelected),\n\t\t\"Write\",\n\t))\n\tif st.canRelock {\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateInPlaceRelock,\n\t\t\t\" > \",\n\t\t\t\"%s the whole project instead\\n\",\n\t\t\t\"Relock\",\n\t\t))\n\t} else {\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateInPlaceRelock,\n\t\t\t\" > \",\n\t\t\ttui.DisabledTextStyle.Render(\"Cannot re-lock - missing manifest file\\n\"),\n\t\t))\n\t}\n\ts.WriteString(\"\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.cursorPos == stateInPlaceQuit,\n\t\t\"> \",\n\t\t\"%s without saving changes\\n\",\n\t\t\"quit\",\n\t))\n\n\treturn s.String()\n}\n\nfunc (st *stateInPlaceResult) InfoView() string {\n\tv, _ := st.currentInfoView()\n\treturn v.View()\n}\n\nfunc (st *stateInPlaceResult) Resize(_, _ int) {}\n\nfunc (st *stateInPlaceResult) ResizeInfo(w, h int) {\n\tst.inPlaceInfo.Resize(w, h)\n\tst.vulnList.Resize(w, h)\n\tst.relockFixVulns.Resize(w, h)\n}\n\nfunc (st *stateInPlaceResult) IsInfoFocused() bool {\n\treturn st.focusedInfo != nil\n}\n\n// TODO: Work out a better way to output npm commands\nfunc (st *stateInPlaceResult) write(m model) tea.Msg {\n\tvar changes []lockf.DependencyPatch\n\tfor i, p := range m.inPlaceResult.Patches {\n\t\tif st.selectedChanges[i] {\n\t\t\tchanges = append(changes, p.DependencyPatch)\n\t\t}\n\t}\n\n\tif err := lockf.Overwrite(m.options.LockfileRW, m.options.Lockfile, changes); err != nil {\n\t\treturn writeMsg{err}\n\t}\n\n\treturn writeMsg{nil}\n}\n" }, { "path": "cmd/osv-scanner/fix/state-initialize.go", "content": "package fix\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/spinner\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n)\n\ntype stateInitialize struct {\n\tspinner spinner.Model // the loading spinner used to show progress\n}\n\nfunc (st *stateInitialize) Init(m model) tea.Cmd {\n\t// create the loading spinner\n\tst.spinner = tui.NewSpinner()\n\tcmds := []tea.Cmd{st.spinner.Tick}\n\n\t// TODO: both in-place/relock could potentially be done in parallel\n\tif m.options.Lockfile != \"\" {\n\t\t// if we have a lockfile, start calculating the in-place updates\n\t\tcmds = append(cmds, func() tea.Msg {\n\t\t\treturn doInPlaceResolution(m.ctx, m.cl, m.options)\n\t\t})\n\t} else {\n\t\t// if we don't have a lockfile, start calculating the relock result\n\t\tcmds = append(cmds, func() tea.Msg {\n\t\t\treturn doInitialRelock(m.ctx, m.options)\n\t\t})\n\t}\n\n\treturn tea.Batch(cmds...)\n}\n\nfunc (st *stateInitialize) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {\n\tvar cmds []tea.Cmd\n\tswitch msg := msg.(type) {\n\t// in-place resolution finished\n\tcase inPlaceResolutionMsg:\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\t// set the result and start the relock computation\n\t\tm.lockfileGraph = msg.g\n\t\tm.inPlaceResult = &msg.res\n\t\tif m.options.Manifest != \"\" {\n\t\t\tcmds = append(cmds, func() tea.Msg {\n\t\t\t\treturn doInitialRelock(m.ctx, m.options)\n\t\t\t})\n\t\t} else {\n\t\t\t// TODO: skip choose strategy, go straight to in-place\n\t\t\tm.st = &stateChooseStrategy{}\n\t\t\tcmds = append(cmds, m.st.Init(m))\n\t\t}\n\n\t// relocking finished\n\tcase doRelockMsg:\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\t// set the result and go to next state\n\t\tm.relockBaseRes = msg.res\n\t\tm.relockBaseResErrs = m.relockBaseRes.Errors()\n\t\tif m.options.Lockfile == \"\" {\n\t\t\tm.st = &stateRelockResult{}\n\t\t\tcmds = append(cmds, m.st.Init(m))\n\t\t} else {\n\t\t\tm.st = &stateChooseStrategy{}\n\t\t\tcmds = append(cmds, m.st.Init(m))\n\t\t}\n\t}\n\tvar c tea.Cmd\n\tst.spinner, c = st.spinner.Update(msg)\n\tcmds = append(cmds, c)\n\n\treturn m, tea.Batch(cmds...)\n}\n\nfunc (st *stateInitialize) View(m model) string {\n\ts := strings.Builder{}\n\tif m.options.Lockfile == \"\" {\n\t\ts.WriteString(\"No lockfile provided. Assuming re-lock.\\n\")\n\t} else {\n\t\tfmt.Fprintf(&s, \"Scanning %s \", tui.SelectedTextStyle.Render(m.options.Lockfile))\n\t\tif m.inPlaceResult == nil {\n\t\t\ts.WriteString(st.spinner.View())\n\t\t\ts.WriteString(\"\\n\")\n\n\t\t\treturn s.String()\n\t\t}\n\t\ts.WriteString(\"✓\\n\")\n\t}\n\n\tfmt.Fprintf(&s, \"Resolving %s \", tui.SelectedTextStyle.Render(m.options.Manifest))\n\tif m.relockBaseRes == nil {\n\t\ts.WriteString(st.spinner.View())\n\t\ts.WriteString(\"\\n\")\n\t} else {\n\t\ts.WriteString(\"✓\\n\")\n\t}\n\t// TODO: show non-fatal resolution errors somewhere\n\n\treturn s.String()\n}\n\nfunc (st *stateInitialize) InfoView() string { return \"\" }\nfunc (st *stateInitialize) Resize(_, _ int) {}\nfunc (st *stateInitialize) ResizeInfo(_, _ int) {}\nfunc (st *stateInitialize) IsInfoFocused() bool { return false }\n" }, { "path": "cmd/osv-scanner/fix/state-relock-result.go", "content": "package fix\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/spinner\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\tmanif \"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/tui\"\n)\n\ntype stateRelockResult struct {\n\tcurrRes *resolution.Result // In-progress relock result, with user-selected patches applied\n\tcurrErrs []resolution.NodeError // In-progress relock errors\n\tpatches []resolution.Difference // current possible patches applicable to relockCurrRes\n\tpatchesDone bool // whether the relockPatches has finished being computed\n\tnumUnfixable int // count of unfixable vulns, for rendering\n\n\tspinner spinner.Model\n\tcursorPos int // TODO: use an enum ?\n\tselectedPatches map[int]struct{} // currently pending selected patches\n\tviewWidth int // width for rendering (same as model.mainViewWidth)\n\n\tvulnList tui.ViewModel\n\tunfixableList tui.ViewModel\n\tpatchInfo []tui.ViewModel\n\tresolveErrors tui.ViewModel\n\n\tfocusedInfo tui.ViewModel // the infoview that is currently focused, nil if not focused\n}\n\nconst (\n\tstateRelockRemain = iota\n\tstateRelockUnfixable\n\tstateRelockErrors\n\tstateRelockPatches\n\tstateRelockApply\n\tstateRelockWrite\n\tstateRelockQuit\n\tstateRelockEnd\n)\n\n// gets the cursor position, accounting for the arbitrary number of relockPatches\n// returns stateRelockPatches if over ANY of the relockPatches\nfunc (st *stateRelockResult) getEffectiveCursor() int {\n\tif st.cursorPos < stateRelockPatches {\n\t\treturn st.cursorPos\n\t}\n\n\tif len(st.patches) == 0 {\n\t\t// skip over stateRelockPatches and stateRelockApply\n\t\treturn st.cursorPos + 2\n\t}\n\n\tif st.cursorPos < stateRelockPatches+len(st.patches) {\n\t\treturn stateRelockPatches\n\t}\n\n\treturn st.cursorPos - len(st.patches) + 1\n}\n\n// sets the cursor to the effective position, accounting for the arbitrary number of relockPatches\n// setting to stateRelockPatches will go to first patch\nfunc (st *stateRelockResult) setEffectiveCursor(pos int) {\n\tswitch {\n\tcase pos <= stateRelockPatches:\n\t\tst.cursorPos = pos\n\tcase len(st.patches) == 0:\n\t\tst.cursorPos = pos - 2\n\tdefault:\n\t\tst.cursorPos = pos + len(st.patches) - 1\n\t}\n}\n\n// get the index of the patch the cursor is currently over\nfunc (st *stateRelockResult) getPatchIndex() int {\n\treturn st.cursorPos - stateRelockPatches\n}\n\nfunc (st *stateRelockResult) Init(m model) tea.Cmd {\n\tst.currRes = m.relockBaseRes\n\tst.currErrs = m.relockBaseResErrs\n\tst.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)\n\tst.patchesDone = false\n\tst.spinner = tui.NewSpinner()\n\tst.cursorPos = -1\n\tst.selectedPatches = make(map[int]struct{})\n\tst.viewWidth = m.mainViewWidth\n\n\t// Make the vulnerability list view model\n\tvulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))\n\tfor i := range st.currRes.Vulns {\n\t\tvulns[i] = &st.currRes.Vulns[i]\n\t}\n\tst.vulnList = tui.NewVulnList(vulns, \"\")\n\tst.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n\n\treturn tea.Batch(\n\t\tfunc() tea.Msg {\n\t\t\treturn doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options)\n\t\t}, // start computing possible patches\n\t\tst.spinner.Tick, // spin the spinner\n\t)\n}\n\nfunc (st *stateRelockResult) Update(m model, msg tea.Msg) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tswitch msg := msg.(type) {\n\tcase doRelockMsg: // finished resolving (after selecting multiple patches)\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\tst.currRes = msg.res\n\t\t// recreate the vuln list info view\n\t\tvulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))\n\t\tfor i := range st.currRes.Vulns {\n\t\t\tvulns[i] = &st.currRes.Vulns[i]\n\t\t}\n\t\tst.vulnList = tui.NewVulnList(vulns, \"\")\n\t\tst.currErrs = st.currRes.Errors()\n\t\tst.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)\n\t\t// Compute possible patches again\n\t\tst.patchesDone = false\n\t\tcmd = func() tea.Msg {\n\t\t\treturn doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options)\n\t\t}\n\tcase relockPatchMsg: // patch computation done\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\tst.patches = msg.patches\n\t\tclear(st.selectedPatches)\n\t\tst.buildPatchInfoViews(m)\n\t\tst.patchesDone = true\n\t\tif len(st.patches) > 0 {\n\t\t\t// place the cursor on the first patch\n\t\t\tst.setEffectiveCursor(stateRelockPatches)\n\t\t} else {\n\t\t\t// no patches, place the cursor on the 'write' line\n\t\t\tst.setEffectiveCursor(stateRelockWrite)\n\t\t}\n\n\tcase writeMsg: // just finished writing & installing the manifest\n\t\tif msg.err != nil {\n\t\t\treturn errorAndExit(m, msg.err)\n\t\t}\n\t\tm.writing = false\n\t\tm.relockBaseRes = st.currRes // relockBaseRes must match what is in the package.json\n\t\tm.relockBaseResErrs = m.relockBaseRes.Errors()\n\t\tclear(st.selectedPatches)\n\n\tcase tui.ViewModelCloseMsg:\n\t\t// info view wants to quit, just unfocus it\n\t\tst.focusedInfo = nil\n\tcase tea.KeyPressMsg:\n\t\tif !st.patchesDone { // Don't accept input in the middle of computation\n\t\t\treturn m, nil\n\t\t}\n\t\tswitch {\n\t\tcase key.Matches(msg, tui.Keys.SwitchView):\n\t\t\tif st.IsInfoFocused() {\n\t\t\t\tst.focusedInfo = nil\n\t\t\t} else if view, canFocus := st.currentInfoView(); canFocus {\n\t\t\t\tst.focusedInfo = view\n\t\t\t}\n\t\tcase st.IsInfoFocused():\n\t\t\tst.focusedInfo, cmd = st.focusedInfo.Update(msg)\n\t\tcase key.Matches(msg, tui.Keys.Quit):\n\t\t\t// only quit if the cursor is over the quit line\n\t\t\tif st.getEffectiveCursor() == stateRelockQuit {\n\t\t\t\treturn m, tea.Quit\n\t\t\t}\n\t\t\t// move the cursor to the quit line if it's not already there\n\t\t\tst.setEffectiveCursor(stateRelockQuit)\n\t\tcase key.Matches(msg, tui.Keys.Select): // enter key pressed\n\t\t\treturn st.parseInput(m)\n\t\t// move the cursor\n\t\tcase key.Matches(msg, tui.Keys.Up):\n\t\t\tif st.getEffectiveCursor() > stateRelockRemain {\n\t\t\t\tst.cursorPos--\n\t\t\t\tif st.getEffectiveCursor() == stateRelockErrors && len(st.currErrs) == 0 {\n\t\t\t\t\tst.cursorPos--\n\t\t\t\t}\n\t\t\t}\n\t\tcase key.Matches(msg, tui.Keys.Down):\n\t\t\tif st.getEffectiveCursor() < stateRelockEnd-1 {\n\t\t\t\tst.cursorPos++\n\t\t\t\tif st.getEffectiveCursor() == stateRelockErrors && len(st.currErrs) == 0 {\n\t\t\t\t\tst.cursorPos++\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\tvar c tea.Cmd\n\tst.spinner, c = st.spinner.Update(msg)\n\n\treturn m, tea.Batch(cmd, c)\n}\n\nfunc (st *stateRelockResult) currentInfoView() (view tui.ViewModel, canFocus bool) {\n\tswitch st.getEffectiveCursor() {\n\tcase stateRelockRemain: // remaining vulns\n\t\treturn st.vulnList, true\n\tcase stateRelockUnfixable: // unfixable vulns\n\t\treturn st.unfixableList, true\n\tcase stateRelockErrors:\n\t\treturn st.resolveErrors, false\n\tcase stateRelockPatches: // one of the patches\n\t\treturn st.patchInfo[st.getPatchIndex()], true\n\tcase stateRelockApply:\n\t\treturn infoStringView(\"Apply the selected patches and recompute vulnerabilities\"), false\n\tcase stateRelockWrite:\n\t\treturn infoStringView(\"Shell out to write manifest & lockfile\"), false\n\tcase stateRelockQuit:\n\t\treturn infoStringView(\"Exit Guided Remediation\"), false\n\tdefault:\n\t\treturn emptyInfoView, false // invalid (panic?)\n\t}\n}\n\nfunc (st *stateRelockResult) buildPatchInfoViews(m model) {\n\t// create the info view for each of the patches\n\t// and the unfixable vulns\n\tst.patchInfo = nil\n\tfor _, p := range st.patches {\n\t\tst.patchInfo = append(st.patchInfo, tui.NewRelockInfo(p))\n\t}\n\n\tunfixableVulns := relockUnfixableVulns(st.patches)\n\tst.unfixableList = tui.NewVulnList(unfixableVulns, \"\")\n\tst.numUnfixable = len(unfixableVulns)\n\tst.ResizeInfo(m.infoViewWidth, m.infoViewHeight)\n}\n\nfunc relockUnfixableVulns(diffs []resolution.Difference) []*resolution.Vulnerability {\n\tif len(diffs) == 0 {\n\t\treturn nil\n\t}\n\t// find every vuln ID fixed in any patch\n\tfixableVulnIDs := make(map[string]struct{})\n\tfor _, diff := range diffs {\n\t\tfor _, v := range diff.RemovedVulns {\n\t\t\tfixableVulnIDs[v.OSV.GetId()] = struct{}{}\n\t\t}\n\t}\n\n\t// select only vulns that aren't fixed in any patch\n\tvar unfixable []*resolution.Vulnerability\n\tfor i, v := range diffs[0].Original.Vulns {\n\t\tif _, ok := fixableVulnIDs[v.OSV.GetId()]; !ok {\n\t\t\tunfixable = append(unfixable, &diffs[0].Original.Vulns[i])\n\t\t}\n\t}\n\n\treturn unfixable\n}\n\nfunc (st *stateRelockResult) parseInput(m model) (tea.Model, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tswitch st.getEffectiveCursor() {\n\tcase stateRelockRemain: // vuln line, focus info view\n\t\tst.focusedInfo = st.vulnList\n\tcase stateRelockUnfixable: // unfixable vulns line, focus info ciew\n\t\tst.focusedInfo = st.unfixableList\n\tcase stateRelockPatches: // patch selected\n\t\tidx := st.getPatchIndex()\n\t\tif _, ok := st.selectedPatches[idx]; ok { // if already selected, deselect it\n\t\t\tdelete(st.selectedPatches, idx)\n\t\t} else if st.patchCompatible(idx) { // if it's compatible with current other selections, select it\n\t\t\tst.selectedPatches[idx] = struct{}{}\n\t\t}\n\tcase stateRelockApply: // apply changes\n\t\tif len(st.selectedPatches) > 0 {\n\t\t\tm, cmd = st.relaxChoice(m)\n\t\t}\n\tcase stateRelockWrite: // write\n\t\tm.writing = true\n\t\tcmd = func() tea.Msg { return st.write(m) }\n\tcase stateRelockQuit: // quit\n\t\tcmd = tea.Quit\n\t}\n\n\treturn m, cmd\n}\n\nfunc (st *stateRelockResult) relaxChoice(m model) (model, tea.Cmd) {\n\tif len(st.selectedPatches) == 1 {\n\t\t// If it's just a single patch, we've already computed the relock result\n\t\tfor i := range st.selectedPatches { // selectedPatches is a map, iterate for the single key\n\t\t\tst.currRes = st.patches[i].New\n\t\t\tst.currErrs = st.currRes.Errors()\n\t\t\tst.resolveErrors = resolutionErrorView(st.currRes, st.currErrs)\n\t\t\t// recreate vuln list view\n\t\t\tvulns := make([]*resolution.Vulnerability, len(st.currRes.Vulns))\n\t\t\tfor i := range st.currRes.Vulns {\n\t\t\t\tvulns[i] = &st.currRes.Vulns[i]\n\t\t\t}\n\t\t\tst.vulnList = tui.NewVulnList(vulns, \"\")\n\t\t\t// Need to compute the possible patches from here\n\t\t\treturn m, func() tea.Msg {\n\t\t\t\treturn doComputeRelockPatches(m.ctx, m.cl, st.currRes, m.options)\n\t\t\t}\n\t\t}\n\t}\n\n\t// Compute combined changes and re-resolve the graph\n\tmanifest := st.currRes.Manifest.Clone()\n\tfor i := range st.selectedPatches {\n\t\tfor _, dp := range st.patches[i].Deps {\n\t\t\tfor idx := range manifest.Requirements {\n\t\t\t\trv := manifest.Requirements[idx]\n\t\t\t\tif rv.Name == dp.Pkg.Name && rv.Version == dp.OrigRequire {\n\t\t\t\t\trv.Version = dp.NewRequire\n\t\t\t\t\tmanifest.Requirements[idx] = rv\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\tst.currRes = nil\n\n\treturn m, func() tea.Msg {\n\t\treturn doRelock(m.ctx, m.cl, manifest, m.options.ResolveOpts, m.options.MatchVuln)\n\t}\n}\n\nfunc (st *stateRelockResult) View(m model) string {\n\tif m.writing {\n\t\treturn \"\"\n\t}\n\ts := strings.Builder{}\n\ts.WriteString(\"RELOCK\\n\")\n\tif st.currRes == nil {\n\t\ts.WriteString(\"Resolving dependency graph \")\n\t\ts.WriteString(st.spinner.View())\n\t\ts.WriteString(\"\\n\")\n\n\t\treturn s.String()\n\t}\n\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.getEffectiveCursor() == stateRelockRemain,\n\t\t\"\",\n\t\t\"%s remain\\n\",\n\t\tfmt.Sprintf(\"%d vulnerabilities\", len(st.currRes.Vulns)),\n\t))\n\n\t// TODO: Show current staged changes\n\n\tif !st.patchesDone {\n\t\ts.WriteString(\"\\n\")\n\t\ts.WriteString(\"Computing possible patches \")\n\t\ts.WriteString(st.spinner.View())\n\t\ts.WriteString(\"\\n\")\n\n\t\treturn s.String()\n\t}\n\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.getEffectiveCursor() == stateRelockUnfixable,\n\t\t\"\",\n\t\t\"%s are unfixable\\n\",\n\t\tfmt.Sprintf(\"%d vulnerabilities\", st.numUnfixable),\n\t))\n\n\tif len(st.currErrs) > 0 {\n\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\tst.cursorPos == stateRelockErrors,\n\t\t\t\"\",\n\t\t\t\"WARNING: Encountered %s during graph resolution.\\n\",\n\t\t\tfmt.Sprintf(\"%d errors\", len(st.currErrs)),\n\t\t))\n\t}\n\ts.WriteString(\"\\n\")\n\n\tif len(st.patches) == 0 {\n\t\ts.WriteString(\"No remaining vulnerabilities can be fixed.\\n\")\n\t} else {\n\t\ts.WriteString(\"Actions:\\n\")\n\t\tpatchStrs := make([]string, len(st.patches))\n\t\tfor i, patch := range st.patches {\n\t\t\tvar checkBox string\n\t\t\tif _, ok := st.selectedPatches[i]; ok {\n\t\t\t\tcheckBox = \"[x]\"\n\t\t\t} else {\n\t\t\t\tcheckBox = \"[ ]\"\n\t\t\t}\n\t\t\tif !st.patchCompatible(i) {\n\t\t\t\tcheckBox = tui.DisabledTextStyle.Render(checkBox)\n\t\t\t}\n\t\t\tcheckBox = tui.RenderSelectorOption(\n\t\t\t\tst.cursorPos == stateRelockPatches+i,\n\t\t\t\t\" > \",\n\t\t\t\t\"%s \",\n\t\t\t\tcheckBox,\n\t\t\t)\n\t\t\ttext := diffString(patch)\n\t\t\tvar textSt lipgloss.Style\n\t\t\tif st.patchCompatible(i) {\n\t\t\t\ttextSt = lipgloss.NewStyle()\n\t\t\t} else {\n\t\t\t\ttextSt = tui.DisabledTextStyle\n\t\t\t}\n\t\t\ttext = textSt.Width(st.viewWidth - lipgloss.Width(checkBox)).Render(text)\n\t\t\tpatchStrs[i] = lipgloss.JoinHorizontal(lipgloss.Top, checkBox, text)\n\t\t}\n\t\ts.WriteString(lipgloss.JoinVertical(lipgloss.Left, patchStrs...))\n\t\ts.WriteString(\"\\n\")\n\n\t\tif len(st.selectedPatches) > 0 {\n\t\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\t\tst.getEffectiveCursor() == stateRelockApply,\n\t\t\t\t\"> \",\n\t\t\t\t\"%s pending patches\\n\",\n\t\t\t\t\"Apply\",\n\t\t\t))\n\t\t} else {\n\t\t\ts.WriteString(tui.RenderSelectorOption(\n\t\t\t\tst.getEffectiveCursor() == stateRelockApply,\n\t\t\t\t\"> \",\n\t\t\t\ttui.DisabledTextStyle.Render(\"No pending patches\")+\"\\n\",\n\t\t\t))\n\t\t}\n\t}\n\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.getEffectiveCursor() == stateRelockWrite,\n\t\t\"> \",\n\t\t\"%s changes to manifest\\n\",\n\t\t\"Write\",\n\t))\n\ts.WriteString(\"\\n\")\n\ts.WriteString(tui.RenderSelectorOption(\n\t\tst.getEffectiveCursor() == stateRelockQuit,\n\t\t\"> \",\n\t\t\"%s without saving changes\\n\",\n\t\t\"quit\",\n\t))\n\n\treturn s.String()\n}\n\nfunc diffString(diff resolution.Difference) string {\n\tvar depStr string\n\tif len(diff.Deps) == 1 {\n\t\tdep := diff.Deps[0]\n\t\tdepStr = fmt.Sprintf(\"%s@%s → @%s\", dep.Pkg.Name, dep.OrigRequire, dep.NewRequire)\n\t} else {\n\t\tdepStr = fmt.Sprintf(\"%d packages\", len(diff.Deps))\n\t}\n\tstr := fmt.Sprintf(\"Upgrading %s resolves %d vulns\", depStr, len(diff.RemovedVulns))\n\tif len(diff.AddedVulns) > 0 {\n\t\tstr += fmt.Sprintf(\" but introduces %d new vulns\", len(diff.AddedVulns))\n\t}\n\n\treturn str\n}\n\nfunc (st *stateRelockResult) InfoView() string {\n\tv, _ := st.currentInfoView()\n\treturn v.View()\n}\n\n// check if a patch is compatible with the currently selected patches\n// i.e. if none of the direct dependencies in the current patch appear in the already selected patches\nfunc (st *stateRelockResult) patchCompatible(idx int) bool {\n\tif _, ok := st.selectedPatches[idx]; ok {\n\t\t// already selected, it must be compatible\n\t\treturn true\n\t}\n\t// find any shared direct dependency packages\n\tpatch := st.patches[idx]\n\tfor i := range st.selectedPatches {\n\t\tcurr := st.patches[i]\n\t\tfor _, dep := range curr.Deps {\n\t\t\tfor _, newDep := range patch.Deps {\n\t\t\t\tif dep.Pkg == newDep.Pkg {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn true\n}\n\nfunc (st *stateRelockResult) Resize(w, _ int) {\n\tst.viewWidth = w\n}\n\nfunc (st *stateRelockResult) ResizeInfo(w, h int) {\n\tst.vulnList.Resize(w, h)\n\tfor _, info := range st.patchInfo {\n\t\tinfo.Resize(w, h)\n\t}\n}\n\nfunc (st *stateRelockResult) IsInfoFocused() bool {\n\treturn st.focusedInfo != nil\n}\n\n// TODO: Work out a better way to output npm commands\nfunc (st *stateRelockResult) write(m model) tea.Msg {\n\tchanges := m.relockBaseRes.CalculateDiff(st.currRes)\n\tif err := manif.Overwrite(m.options.ManifestRW, m.options.Manifest, changes.Patch); err != nil {\n\t\treturn writeMsg{err}\n\t}\n\n\tif m.options.Lockfile == \"\" {\n\t\t// TODO: there's no user feedback to show this was successful\n\t\treturn writeMsg{nil}\n\t}\n\n\t// TODO: This will be moved to osv-scalibr, which might have context already\n\tc, err := regenerateLockfileCmd(context.TODO(), m.options)\n\tif err != nil {\n\t\treturn writeMsg{err}\n\t}\n\n\treturn tea.ExecProcess(c, func(err error) tea.Msg {\n\t\tif err != nil {\n\t\t\t// try again with \"--legacy-peer-deps\"\n\t\t\tc, err := regenerateLockfileCmd(context.TODO(), m.options)\n\t\t\tif err != nil {\n\t\t\t\treturn writeMsg{err}\n\t\t\t}\n\t\t\tc.Args = append(c.Args, \"--legacy-peer-deps\")\n\n\t\t\treturn tea.ExecProcess(c, func(err error) tea.Msg { return writeMsg{err} })()\n\t\t}\n\n\t\treturn writeMsg{err}\n\t})()\n}\n\ntype relockPatchMsg struct {\n\tpatches []resolution.Difference\n\terr error\n}\n\n// Find all groups of dependency bumps required to resolve each vulnerability individually\nfunc doComputeRelockPatches(ctx context.Context, cl client.ResolutionClient, currRes *resolution.Result, opts osvFixOptions) relockPatchMsg {\n\tpatches, err := remediation.ComputeRelaxPatches(ctx, cl, currRes, opts.Options)\n\tif err != nil {\n\t\treturn relockPatchMsg{err: err}\n\t}\n\n\treturn relockPatchMsg{patches: patches}\n}\n" }, { "path": "cmd/osv-scanner/fix/testdata/in-place-npm/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/fix/testdata/override-maven/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/fix/testdata/override-maven/pom.xml", "content": "\n 4.0.0\n\n dev.osv\n osv-fix\n 1\n\n \n 4.0\n \n\n \n \n \n org.jsoup\n jsoup\n 1.14.1\n \n \n org.apache.httpcomponents\n httpclient\n ${httpclient.version}\n \n \n \n\n \n \n org.apache.maven.wagon\n wagon-http\n 3.0.0\n \n \n org.codehaus.plexus\n plexus-utils\n 3.0\n \n \n\n" }, { "path": "cmd/osv-scanner/fix/testdata/relax-npm/package.json", "content": "{\n \"name\": \"osv-fix\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"npm-registry-client\": \"6.2.0\"\n }\n}\n" }, { "path": "cmd/osv-scanner/fix/testmain_test.go", "content": "package fix_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tconfig.OSVScannerConfigName = \"osv-scanner-test.toml\"\n\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{fix.Command}\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/internal/cmd/__snapshots__/helpers_test.snap", "content": "\n[Test_insertDefaultCommand - 1]\n\n---\n\n[Test_insertDefaultCommand - 2]\n\n---\n\n[Test_insertDefaultCommand - 3]\n\n---\n\n[Test_insertDefaultCommand - 4]\n\n---\n\n[Test_insertDefaultCommand - 5]\n\n---\n\n[Test_insertDefaultCommand - 6]\nWarning: `helpers.go` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. `helpers.go` is assumed to be a subcommand here. If you intended for `helpers.go` to be an argument to `default`, you must specify `default helpers.go` in your command line.\n\n---\n\n[Test_insertDefaultCommand - 7]\n\n---\n\n[Test_insertDefaultCommand - 8]\n\n---\n\n[Test_insertDefaultCommand - 9]\n\n---\n\n[Test_insertDefaultCommand - 10]\n\n---\n\n[Test_insertDefaultCommand - 11]\n\n---\n\n[Test_insertDefaultCommand - 12]\n\n---\n\n[Test_insertDefaultCommand - 13]\n\n---\n\n[Test_insertDefaultCommand - 14]\n\n---\n\n[Test_insertDefaultCommand - 15]\n\n---\n\n[Test_insertDefaultCommand - 16]\n\n---\n" }, { "path": "cmd/osv-scanner/internal/cmd/helpers.go", "content": "// Package cmd provides helper functions for the osv-scanner CLI commands.\npackage cmd\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"slices\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc getCustomHelpTemplate() string {\n\treturn `\nNAME:\n\t{{.Name}} - {{.Usage}}\n\nUSAGE:\n\t{{.Name}} {{if .VisibleFlags}}[global options]{{end}}{{if .Commands}} command [command options]{{end}}\n\nEXAMPLES:\n\t# Scan a source directory\n\t$ {{.Name}} scan source -r \n\n\t# Scan a source directory in offline mode\n\t$ {{.Name}} scan source --offline-vulnerabilities --download-offline-database -r \n\n\t# Scan a container image\n\t$ {{.Name}} scan image \n\n\t# Scan a local image archive (e.g. a tar file) and generate HTML output\n\t$ {{.Name}} scan image --serve --archive \n\n\t# Fix vulnerabilities in a manifest file and lockfile (non-interactive mode)\n\t$ {{.Name}} fix -M -L \n\n\tFor full usage details, please refer to the help command of each subcommand (e.g. {{.Name}} scan --help).\n\n\tAlternatively, you can access the detailed documentation here: https://google.github.io/osv-scanner/\n\nVERSION:\n\t{{.Version}}\n\nCOMMANDS:\n{{range .Commands}}{{if and (not .HideHelp) (not .Hidden)}} {{join .Names \", \"}}{{ \"\\t\"}}{{.Usage}}{{ \"\\n\" }}{{end}}{{end}}\n{{if .VisibleFlags}}\nGLOBAL OPTIONS:\n\t{{range .VisibleFlags}} {{.}}{{end}}\n{{end}}\n`\n}\n\n// Gets all valid commands and global options for OSV-Scanner.\nfunc getAllCommands(commands []*cli.Command) []string {\n\t// Adding all subcommands\n\tallCommands := make([]string, 0, len(commands))\n\tfor _, command := range commands {\n\t\tallCommands = append(allCommands, command.Name)\n\t}\n\n\t// Adding help command and help flags\n\tfor _, flag := range cli.HelpFlag.Names() {\n\t\tallCommands = append(allCommands, flag) // help command\n\t\tallCommands = append(allCommands, \"-\"+flag) // help flag\n\t\tallCommands = append(allCommands, \"--\"+flag) // help flag\n\t}\n\n\t// Adding version flags\n\tfor _, flag := range cli.VersionFlag.Names() {\n\t\tallCommands = append(allCommands, \"-\"+flag)\n\t\tallCommands = append(allCommands, \"--\"+flag)\n\t}\n\n\treturn allCommands\n}\n\n// warnIfCommandAmbiguous warns the user if the command they are trying to run\n// exists as both a subcommand and as a file on the filesystem.\n// If this is the case, the command is assumed to be a subcommand.\nfunc warnIfCommandAmbiguous(command, defaultCommand string, stderr io.Writer) {\n\tif _, err := os.Stat(command); err == nil {\n\t\t// todo this should be using slog.Warn, maybe...\n\t\tfmt.Fprintf(stderr, \"Warning: `%[1]s` exists as both a subcommand of OSV-Scanner and as a file on the filesystem. \"+\n\t\t\t\"`%[1]s` is assumed to be a subcommand here. If you intended for `%[1]s` to be an argument to `%[2]s`, \"+\n\t\t\t\"you must specify `%[2]s %[1]s` in your command line.\\n\", command, defaultCommand)\n\t}\n}\n\n// Inserts the default command to args if no command is specified.\nfunc insertDefaultCommand(args []string, commands []*cli.Command, defaultCommand string, stderr io.Writer) []string {\n\t// Do nothing if no command or file name is provided.\n\tif len(args) < 2 {\n\t\treturn args\n\t}\n\n\tallCommands := getAllCommands(commands)\n\tcommand := args[1]\n\t// If no command is provided, use the default command and subcommand.\n\tif !slices.Contains(allCommands, command) {\n\t\t// Avoids modifying args in-place, as some unit tests rely on its original value for multiple calls.\n\t\targsTmp := make([]string, len(args)+2)\n\t\tcopy(argsTmp[3:], args[1:])\n\t\targsTmp[1] = defaultCommand\n\t\t// Set the default subCommand of Scan\n\t\targsTmp[2] = scan.DefaultSubcommand\n\n\t\t// Executes the cli app with the new args.\n\t\treturn argsTmp\n\t}\n\n\twarnIfCommandAmbiguous(command, defaultCommand, stderr)\n\n\t// If only the default command is provided without its subcommand, append the subcommand.\n\tif command == defaultCommand {\n\t\tif len(args) < 3 {\n\t\t\t// Indicates that only \"osv-scanner scan\" was provided, without a subcommand or filename\n\t\t\treturn args\n\t\t}\n\n\t\tsubcommand := args[2]\n\t\t// Default to the \"source\" subcommand if none is provided.\n\t\tif !slices.Contains(scan.Subcommands, subcommand) {\n\t\t\targsTmp := make([]string, len(args)+1)\n\t\t\tcopy(argsTmp[3:], args[2:])\n\t\t\targsTmp[1] = defaultCommand\n\t\t\targsTmp[2] = scan.DefaultSubcommand\n\n\t\t\treturn argsTmp\n\t\t}\n\n\t\t// Print a warning message if subcommand exist on the filesystem.\n\t\twarnIfCommandAmbiguous(subcommand, scan.DefaultSubcommand, stderr)\n\t}\n\n\treturn args\n}\n" }, { "path": "cmd/osv-scanner/internal/cmd/helpers_test.go", "content": "package cmd\n\nimport (\n\t\"bytes\"\n\t\"log/slog\"\n\t\"reflect\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc Test_insertDefaultCommand(t *testing.T) {\n\tt.Parallel()\n\n\tcommands := []*cli.Command{\n\t\t{Name: \"default\"},\n\t\t{Name: \"helpers.go\"},\n\t\t{Name: \"scan\"},\n\t}\n\tdefaultCommand := \"default\"\n\n\ttests := []struct {\n\t\toriginalArgs []string\n\t\twantArgs []string\n\t}{\n\t\t// test when default command is specified\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"default\", \"file\"},\n\t\t\twantArgs: []string{\"\", \"default\", \"source\", \"file\"},\n\t\t},\n\t\t// test when command is not specified\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"file\"},\n\t\t\twantArgs: []string{\"\", \"default\", \"source\", \"file\"},\n\t\t},\n\t\t// test when command is also a filename\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"helpers.go\"},\n\t\t\twantArgs: []string{\"\", \"helpers.go\"},\n\t\t},\n\t\t// test when subcommand is also a filename\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"default\", \"image\"},\n\t\t\twantArgs: []string{\"\", \"default\", \"image\"},\n\t\t},\n\t\t// test when command is not valid\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"invalid\"},\n\t\t\twantArgs: []string{\"\", \"default\", \"source\", \"invalid\"},\n\t\t},\n\t\t// test when command is a built-in option\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"--version\"},\n\t\t\twantArgs: []string{\"\", \"--version\"},\n\t\t},\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"-h\"},\n\t\t\twantArgs: []string{\"\", \"-h\"},\n\t\t},\n\t\t{\n\t\t\toriginalArgs: []string{\"\", \"help\"},\n\t\t\twantArgs: []string{\"\", \"help\"},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tstdout := &bytes.Buffer{}\n\t\tstderr := &bytes.Buffer{}\n\n\t\tlogger := cmdlogger.New(stdout, stderr)\n\n\t\tslog.SetDefault(slog.New(logger))\n\n\t\targsActual := insertDefaultCommand(tt.originalArgs, commands, defaultCommand, stderr)\n\t\tif !reflect.DeepEqual(argsActual, tt.wantArgs) {\n\t\t\tt.Errorf(\"Test Failed. Details:\\n\"+\n\t\t\t\t\"Args (Got): %s\\n\"+\n\t\t\t\t\"Args (Want): %s\\n\", argsActual, tt.wantArgs)\n\t\t}\n\t\ttestutility.NewSnapshot().MatchText(t, stdout.String())\n\t\ttestutility.NewSnapshot().MatchText(t, stderr.String())\n\t}\n}\n" }, { "path": "cmd/osv-scanner/internal/cmd/run.go", "content": "package cmd\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"io\"\n\t\"log/slog\"\n\t\"net/http\"\n\t\"testing\"\n\n\tscalibr \"github.com/google/osv-scalibr/version\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nvar (\n\tcommit = \"n/a\"\n\tdate = \"n/a\"\n)\n\ntype CommandBuilder = func(stdout, stderr io.Writer, client *http.Client) *cli.Command\n\nfunc Run(args []string, stdout, stderr io.Writer, client *http.Client, commands []CommandBuilder) int {\n\t// --- Setup Logger ---\n\tlogHandler := cmdlogger.New(stdout, stderr)\n\n\t// If in testing mode, set logger via Handler\n\t// Otherwise, set default global logger\n\tif testing.Testing() {\n\t\thandler, ok := slog.Default().Handler().(*testlogger.Handler)\n\t\tif !ok {\n\t\t\tpanic(\"Test failed to initialize default logger with Handler\")\n\t\t}\n\n\t\thandler.AddInstance(logHandler)\n\t\tdefer handler.Delete()\n\t} else {\n\t\tslog.SetDefault(slog.New(logHandler))\n\t}\n\t// ---\n\n\tcli.HelpPrinter = func(w io.Writer, templ string, data any) {\n\t\tcmdlogger.SetHasErrored()\n\t\tcli.HelpPrinterCustom(w, templ, data, nil)\n\t}\n\n\tcli.VersionPrinter = func(cmd *cli.Command) {\n\t\tcmdlogger.Infof(\"osv-scanner version: %s\", cmd.Version)\n\t\tcmdlogger.Infof(\"osv-scalibr version: %s\", scalibr.ScannerVersion)\n\t\tcmdlogger.Infof(\"commit: %s\", commit)\n\t\tcmdlogger.Infof(\"built at: %s\", date)\n\t}\n\n\tcmds := make([]*cli.Command, 0, len(commands))\n\tfor _, cmd := range commands {\n\t\tcmds = append(cmds, cmd(stdout, stderr, client))\n\t}\n\n\tapp := &cli.Command{\n\t\tName: \"osv-scanner\",\n\t\tVersion: version.OSVVersion,\n\t\tUsage: \"scans various mediums for dependencies and checks them against the OSV database\",\n\t\tSuggest: true,\n\t\tWriter: stdout,\n\t\tErrWriter: stderr,\n\t\tDefaultCommand: \"scan\",\n\t\tCommands: cmds,\n\n\t\tCustomRootCommandHelpTemplate: getCustomHelpTemplate(),\n\t}\n\n\t// If ExitErrHandler is not set, cli will use the default cli.HandleExitCoder.\n\t// This is not ideal as cli.HandleExitCoder checks if the error implements cli.ExitCode interface.\n\t//\n\t// 99% of the time, this is fine, as we do not implement cli.ExitCode in our errors, so errors pass through\n\t// that handler untouched.\n\t// However, because of Go's duck typing, any error that happens to have a ExitCode() function\n\t// (e.g. *exec.ExitError) will be assumed to implement cli.ExitCode interface and cause the program to exit\n\t// early without proper error handling.\n\t//\n\t// This removes the handler entirely so that behavior will not unexpectedly happen.\n\tapp.ExitErrHandler = func(_ context.Context, _ *cli.Command, _ error) {}\n\n\targs = insertDefaultCommand(args, app.Commands, app.DefaultCommand, stderr)\n\n\terr := app.Run(context.Background(), args)\n\n\t// if the config is invalid, it's possible that is why any other errors\n\t// happened so that exit code takes priority\n\tif logHandler.HasErroredBecauseInvalidConfig() {\n\t\treturn 130\n\t}\n\n\tif err != nil {\n\t\tswitch {\n\t\tcase errors.Is(err, osvscanner.ErrVulnerabilitiesFound):\n\t\t\treturn 1\n\t\tcase errors.Is(err, osvscanner.ErrNoPackagesFound):\n\t\t\tcmdlogger.Errorf(\"No package sources found, --help for usage information.\")\n\t\t\treturn 128\n\t\tcase errors.Is(err, osvscanner.ErrAPIFailed):\n\t\t\tcmdlogger.Errorf(\"%v\", err)\n\t\t\treturn 129\n\t\t}\n\t\tcmdlogger.Errorf(\"%v\", err)\n\t}\n\n\t// if we've been told to print an error, and not already exited with\n\t// a specific error code, then exit with a generic non-zero code\n\tif logHandler.HasErrored() {\n\t\treturn 127\n\t}\n\n\treturn 0\n}\n" }, { "path": "cmd/osv-scanner/internal/cmd/testmain_test.go", "content": "package cmd\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/internal/helper/callanalysis_parser.go", "content": "package helper\n\nvar stableCallAnalysisStates = map[string]bool{\n\t\"go\": true,\n\t\"rust\": false,\n\t\"jar\": false,\n}\n\n// CreateCallAnalysisStates creates a map to record if languages are enabled or disabled for call analysis\nfunc CreateCallAnalysisStates(enabledCallAnalysis []string, disabledCallAnalysis []string) map[string]bool {\n\tcallAnalysisStates := make(map[string]bool)\n\n\tfor _, language := range enabledCallAnalysis {\n\t\tcallAnalysisStates[language] = true\n\t}\n\n\tfor _, language := range disabledCallAnalysis {\n\t\tcallAnalysisStates[language] = false\n\t}\n\n\tenableAll, containsAll := callAnalysisStates[\"all\"]\n\tfor language, isStable := range stableCallAnalysisStates {\n\t\tif _, exists := callAnalysisStates[language]; !exists {\n\t\t\tcallAnalysisStates[language] = isStable || enableAll\n\t\t}\n\t\tif containsAll && !enableAll {\n\t\t\tcallAnalysisStates[language] = false\n\t\t}\n\t}\n\tdelete(callAnalysisStates, \"all\")\n\n\treturn callAnalysisStates\n}\n" }, { "path": "cmd/osv-scanner/internal/helper/callanalysis_parser_test.go", "content": "package helper\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n)\n\nfunc TestCreateCallAnalysisStates(t *testing.T) {\n\tt.Parallel()\n\ttestCases := []struct {\n\t\tenabledCallAnalysis []string\n\t\tdisabledCallAnalysis []string\n\t\texpectedCallAnalysisStates map[string]bool\n\t}{\n\t\t{\n\t\t\tenabledCallAnalysis: []string{\"go\", \"rust\"},\n\t\t\tdisabledCallAnalysis: []string{},\n\t\t\texpectedCallAnalysisStates: map[string]bool{\n\t\t\t\t\"go\": true,\n\t\t\t\t\"rust\": true,\n\t\t\t\t\"jar\": false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tenabledCallAnalysis: []string{\"all\"},\n\t\t\tdisabledCallAnalysis: []string{\"rust\"},\n\t\t\texpectedCallAnalysisStates: map[string]bool{\n\t\t\t\t\"go\": true,\n\t\t\t\t\"rust\": false,\n\t\t\t\t\"jar\": true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tenabledCallAnalysis: []string{},\n\t\t\tdisabledCallAnalysis: []string{\"all\"},\n\t\t\texpectedCallAnalysisStates: map[string]bool{\n\t\t\t\t\"go\": false,\n\t\t\t\t\"rust\": false,\n\t\t\t\t\"jar\": false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tenabledCallAnalysis: []string{},\n\t\t\tdisabledCallAnalysis: []string{\"rust\"},\n\t\t\texpectedCallAnalysisStates: map[string]bool{\n\t\t\t\t\"go\": true,\n\t\t\t\t\"rust\": false,\n\t\t\t\t\"jar\": false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tenabledCallAnalysis: []string{\"all\", \"rust\"},\n\t\t\tdisabledCallAnalysis: []string{\"go\"},\n\t\t\texpectedCallAnalysisStates: map[string]bool{\n\t\t\t\t\"go\": false,\n\t\t\t\t\"rust\": true,\n\t\t\t\t\"jar\": true,\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, testCase := range testCases {\n\t\tactualCallAnalysisStates := CreateCallAnalysisStates(testCase.enabledCallAnalysis, testCase.disabledCallAnalysis)\n\n\t\tif !reflect.DeepEqual(actualCallAnalysisStates, testCase.expectedCallAnalysisStates) {\n\t\t\tt.Errorf(\"expected call analysis states to be %v, but got %v\", testCase.expectedCallAnalysisStates, actualCallAnalysisStates)\n\t\t}\n\t}\n}\n" }, { "path": "cmd/osv-scanner/internal/helper/flags.go", "content": "package helper\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/reporter\"\n\t\"github.com/urfave/cli/v3\"\n)\n\n// offlineFlags is a map of flags which require network access to operate,\n// with the values to set them to in order to disable them\nvar offlineFlags = map[string]string{\n\t\"offline-vulnerabilities\": \"true\",\n\t\"no-resolve\": \"true\",\n}\n\n// a \"boolean or list\" flag whose presence indicates a summary of licenses should\n// be printed, and whose (optional) value will be a comma-delimited list of licenses\n// that should be considered allowed\ntype allowedLicencesFlag struct {\n\tallowlist []string\n}\n\nfunc (g *allowedLicencesFlag) Get() any {\n\treturn g\n}\n\nfunc (g *allowedLicencesFlag) Set(value string) error {\n\tif value == \"\" || value == \"false\" || value == \"true\" {\n\t\tg.allowlist = nil\n\t} else {\n\t\tg.allowlist = strings.Split(value, \",\")\n\t}\n\n\treturn nil\n}\n\n// IsBoolFlag indicates that it is valid to use this flag in a boolean context\n// and is what lets us accept both enable/disable and list-of-licenses values\nfunc (g *allowedLicencesFlag) IsBoolFlag() bool {\n\treturn true\n}\n\nfunc (g *allowedLicencesFlag) String() string {\n\treturn strings.Join(g.allowlist, \",\")\n}\n\n// BuildCommonScanFlags returns a slice of flags which are common to all scan (sub)commands\nfunc BuildCommonScanFlags(defaultExtractors []string) []cli.Flag {\n\treturn []cli.Flag{\n\t\t&cli.StringFlag{\n\t\t\tName: \"config\",\n\t\t\tUsage: \"set/override config file\",\n\t\t\tTakesFile: true,\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"format\",\n\t\t\tAliases: []string{\"f\"},\n\t\t\tUsage: \"sets the output format; value can be: \" + strings.Join(reporter.Format(), \", \"),\n\t\t\tValue: \"table\",\n\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\tif slices.Contains(reporter.Format(), s) {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\n\t\t\t\treturn fmt.Errorf(\"unsupported output format \\\"%s\\\" - must be one of: %s\", s, strings.Join(reporter.Format(), \", \"))\n\t\t\t},\n\t\t\t// todo: ideally this should be an action, but we need to ensure it is done first\n\t\t\t// currently for some reason flag actions are not always invoked in the same order\n\t\t\tValidator: func(s string) error {\n\t\t\t\tif slices.Contains(reporter.Format(), s) && (s != \"vertical\" && s != \"table\" && s != \"markdown\") {\n\t\t\t\t\tcmdlogger.SendEverythingToStderr()\n\t\t\t\t}\n\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"serve\",\n\t\t\tUsage: \"output as HTML result and serve it locally\",\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"port\",\n\t\t\tUsage: \"port number to use when serving HTML report (default: 8000)\",\n\t\t\tAction: func(_ context.Context, _ *cli.Command, p string) error {\n\t\t\t\tservePort = p\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"output\",\n\t\t\tUsage: \"[DEPRECATED] (Use \\\"--output-file\\\" instead) saves the result to the given file path\",\n\t\t\tTakesFile: true,\n\t\t\tAction: func(_ context.Context, _ *cli.Command, _ string) error {\n\t\t\t\tcmdlogger.Warnf(\"Warning: --output has been deprecated in favor of --output-file\")\n\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"output-file\",\n\t\t\tUsage: \"saves the result to the given file path\",\n\t\t\tTakesFile: true,\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"verbosity\",\n\t\t\tUsage: \"specify the level of information that should be provided during runtime; value can be: \" + strings.Join(cmdlogger.Levels(), \", \"),\n\t\t\tValue: \"info\",\n\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\tlvl, err := cmdlogger.ParseLevel(s)\n\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\n\t\t\t\tcmdlogger.SetLevel(lvl)\n\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"offline\",\n\t\t\tUsage: \"run in offline mode, disabling any features requiring network access\",\n\t\t\tAction: func(_ context.Context, cmd *cli.Command, b bool) error {\n\t\t\t\tif !b {\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\t\t\t\t// Disable the features requiring network access.\n\t\t\t\tfor flag, value := range offlineFlags {\n\t\t\t\t\t// TODO(michaelkedar): do something if the flag was already explicitly set.\n\n\t\t\t\t\t// Skip setting the flag if the current command doesn't have it.\n\t\t\t\t\tif !slices.ContainsFunc(cmd.Flags, func(f cli.Flag) bool {\n\t\t\t\t\t\treturn slices.Contains(f.Names(), flag)\n\t\t\t\t\t}) {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\n\t\t\t\t\tif err := cmd.Set(flag, value); err != nil {\n\t\t\t\t\t\tpanic(fmt.Sprintf(\"failed setting offline flag %s to %s: %v\", flag, value, err))\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\treturn nil\n\t\t\t},\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"offline-vulnerabilities\",\n\t\t\tUsage: \"checks for vulnerabilities using local databases that are already cached\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"download-offline-databases\",\n\t\t\tUsage: \"downloads vulnerability databases for offline comparison\",\n\t\t},\n\t\t&cli.StringFlag{\n\t\t\tName: \"local-db-path\",\n\t\t\tUsage: \"sets the path that local databases should be stored\",\n\t\t\tHidden: true,\n\t\t},\n\t\t&cli.StringSliceFlag{\n\t\t\tName: \"call-analysis\",\n\t\t\tUsage: \"Enable call analysis for specific languages (e.g. --call-analysis=go). Supported: go, rust (*). (*) Will run build scripts.\",\n\t\t},\n\t\t&cli.StringSliceFlag{\n\t\t\tName: \"no-call-analysis\",\n\t\t\tUsage: \"disables call graph analysis\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"no-resolve\",\n\t\t\tUsage: \"disable transitive dependency resolution of manifest files\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"allow-no-lockfiles\",\n\t\t\tUsage: \"has the scanner consider no lockfiles being found as ok\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"all-packages\",\n\t\t\tUsage: \"when json output is selected, prints all packages\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"all-vulns\",\n\t\t\tUsage: \"show all vulnerabilities including unimportant and uncalled ones\",\n\t\t},\n\t\t&cli.GenericFlag{\n\t\t\tName: \"licenses\",\n\t\t\tUsage: \"report on licenses based on an allowlist\",\n\t\t\tValue: &allowedLicencesFlag{},\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"experimental-flag-deprecated-packages\",\n\t\t\tUsage: \"report if package versions are deprecated\",\n\t\t},\n\t\t&cli.StringSliceFlag{\n\t\t\tName: \"experimental-plugins\",\n\t\t\tUsage: \"list of specific plugins and presets of plugins to use\",\n\t\t\tValue: defaultExtractors,\n\t\t},\n\t\t&cli.StringSliceFlag{\n\t\t\tName: \"experimental-disable-plugins\",\n\t\t\tUsage: \"list of specific plugins and presets of plugins to not use\",\n\t\t},\n\t\t&cli.BoolFlag{\n\t\t\tName: \"experimental-no-default-plugins\",\n\t\t\tUsage: \"disable default plugins, instead using only those enabled by --experimental-plugins\",\n\t\t},\n\t}\n}\n" }, { "path": "cmd/osv-scanner/internal/helper/getters.go", "content": "package helper\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/spdx\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc GetScanLicensesAllowlist(cmd *cli.Command) ([]string, error) {\n\tif !cmd.IsSet(\"licenses\") {\n\t\treturn []string{}, nil\n\t}\n\n\tallowlist := cmd.Generic(\"licenses\").(*allowedLicencesFlag).allowlist\n\n\tif len(allowlist) == 0 {\n\t\treturn []string{}, nil\n\t}\n\n\tif unrecognized := spdx.Unrecognized(allowlist); len(unrecognized) > 0 {\n\t\treturn nil, fmt.Errorf(\"--licenses requires comma-separated spdx licenses. The following license(s) are not recognized as spdx: %s\", strings.Join(unrecognized, \",\"))\n\t}\n\n\tif cmd.Bool(\"offline\") {\n\t\tallowlist = []string{}\n\t}\n\n\treturn allowlist, nil\n}\n\nfunc GetCommonScannerActions(cmd *cli.Command, scanLicensesAllowlist []string) osvscanner.ScannerActions {\n\tcallAnalysisStates := CreateCallAnalysisStates(cmd.StringSlice(\"call-analysis\"), cmd.StringSlice(\"no-call-analysis\"))\n\n\treturn osvscanner.ScannerActions{\n\t\tIncludeGitRoot: cmd.Bool(\"include-git-root\"),\n\t\tConfigOverridePath: cmd.String(\"config\"),\n\t\tShowAllPackages: cmd.Bool(\"all-packages\"),\n\t\tShowAllVulns: cmd.Bool(\"all-vulns\"),\n\t\tCompareOffline: cmd.Bool(\"offline-vulnerabilities\"),\n\t\tDownloadDatabases: cmd.Bool(\"download-offline-databases\"),\n\t\tLocalDBPath: cmd.String(\"local-db-path\"),\n\t\tScanLicensesSummary: cmd.IsSet(\"licenses\"),\n\t\tScanLicensesAllowlist: scanLicensesAllowlist,\n\t\tCallAnalysisStates: callAnalysisStates,\n\t}\n}\n\nfunc GetExperimentalScannerActions(cmd *cli.Command, client *http.Client) osvscanner.ExperimentalScannerActions {\n\treturn osvscanner.ExperimentalScannerActions{\n\t\tPluginsEnabled: cmd.StringSlice(\"experimental-plugins\"),\n\t\tPluginsDisabled: cmd.StringSlice(\"experimental-disable-plugins\"),\n\t\tPluginsNoDefaults: cmd.Bool(\"experimental-no-default-plugins\"),\n\t\tHTTPClient: client,\n\t\tFlagDeprecatedPackages: cmd.Bool(\"experimental-flag-deprecated-packages\"),\n\t}\n}\n" }, { "path": "cmd/osv-scanner/internal/helper/misc.go", "content": "// Package helper provides helper functions for the osv-scanner CLI.\npackage helper\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"time\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/reporter\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"golang.org/x/term\"\n)\n\n// sets default port(8000) as a global variable\nvar (\n\tservePort = \"8000\" // default port\n)\n\n// ServeHTML serves the single HTML file for remote accessing.\n// The program will keep running to serve the HTML report on localhost\n// until the user manually terminates it (e.g. using Ctrl+C).\nfunc ServeHTML(outputPath string) {\n\tlocalhostURL := fmt.Sprintf(\"http://localhost:%s/\", servePort)\n\tcmdlogger.Infof(\"Serving HTML report at %s\", localhostURL)\n\tcmdlogger.Infof(\"If you are accessing remotely, use the following SSH command:\")\n\tcmdlogger.Infof(\"`ssh -L local_port:destination_server_ip:%s ssh_server_hostname`\", servePort)\n\tserver := &http.Server{\n\t\tAddr: \":\" + servePort,\n\t\tHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\t\thttp.ServeFile(w, r, outputPath)\n\t\t}),\n\t\tReadHeaderTimeout: 3 * time.Second,\n\t}\n\tif err := server.ListenAndServe(); err != nil {\n\t\tcmdlogger.Errorf(\"Failed to start server: %v\", err)\n\t}\n}\n\nfunc PrintResult(stdout, stderr io.Writer, outputPath, format string, diffVulns *models.VulnerabilityResults, showAllVulns bool) error {\n\ttermWidth := 0\n\tvar err error\n\tif outputPath != \"\" { // Output is definitely a file\n\t\tstdout, err = os.Create(outputPath)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to create output file: %w\", err)\n\t\t}\n\t} else { // Output might be a terminal\n\t\tif stdoutAsFile, ok := stdout.(*os.File); ok {\n\t\t\ttermWidth, _, err = term.GetSize(int(stdoutAsFile.Fd()))\n\t\t\tif err != nil { // If output is not a terminal,\n\t\t\t\ttermWidth = 0\n\t\t\t}\n\t\t}\n\t}\n\n\twriter := stdout\n\n\tif format == \"gh-annotations\" {\n\t\twriter = stderr\n\t}\n\n\treturn reporter.PrintResult(diffVulns, format, writer, termWidth, showAllVulns)\n}\n" }, { "path": "cmd/osv-scanner/internal/testcmd/case.go", "content": "// Package testcmd provides utilities for testing osv-scanner CLI commands.\npackage testcmd\n\nimport (\n\t\"net/http\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\ntype Case struct {\n\tName string\n\tArgs []string\n\tExit int\n\n\t// ReplaceRules are only used for JSON output\n\tReplaceRules []testutility.JSONReplaceRule\n\n\tHTTPClient *http.Client\n}\n\n// findFirstValueOfFlag returns the value of the first instance of the given flag\n// in the test case arguments, if it is present at all\nfunc (c Case) findFirstValueOfFlag(f string) string {\n\tfor i, arg := range c.Args {\n\t\tif after, ok := strings.CutPrefix(arg, f+\"=\"); ok {\n\t\t\treturn after\n\t\t}\n\n\t\tif arg == f && i < len(c.Args) {\n\t\t\treturn c.Args[i+1]\n\t\t}\n\t}\n\n\treturn \"\"\n}\n" }, { "path": "cmd/osv-scanner/internal/testcmd/copy.go", "content": "package testcmd\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n)\n\nfunc copyFile(from, to string) (string, error) {\n\tb, err := os.ReadFile(from)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"could not read test file: %w\", err)\n\t}\n\n\tif err := os.WriteFile(to, b, 0600); err != nil {\n\t\treturn \"\", fmt.Errorf(\"could not copy test file: %w\", err)\n\t}\n\n\treturn to, nil\n}\n\n// CopyFileFlagTo creates a copy of the file pointed to by the given flag (if present\n// in the test case arguments) in the given directory, updating all references\n// in the arguments before returning the new path.\n//\n// Values that include \"does_not_exist\" are assumed to be for testing when the\n// flag is given the path to a file or directory that does not exist, and so\n// are ignored as if the flag was not given a value at all\nfunc CopyFileFlagTo(t *testing.T, tc Case, flagName string, dir string) string {\n\tt.Helper()\n\n\tflagValue := tc.findFirstValueOfFlag(flagName)\n\n\tif flagValue == \"\" || strings.Contains(flagValue, \"does_not_exist\") {\n\t\treturn \"\"\n\t}\n\n\tnewPath, err := copyFile(flagValue, filepath.Join(dir, filepath.Base(flagValue)))\n\n\tif err != nil {\n\t\tt.Fatalf(\"%v\", err)\n\t}\n\n\tfor i := range tc.Args {\n\t\ttc.Args[i] = strings.ReplaceAll(tc.Args[i], flagValue, newPath)\n\t}\n\n\treturn newPath\n}\n" }, { "path": "cmd/osv-scanner/internal/testcmd/git.go", "content": "package testcmd\n\nimport (\n\t\"io/fs\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/go-git/go-git/v5\"\n)\n\nfunc SetupGitFixtures() (func(), error) {\n\t// ensure a git repository doesn't already exist in the testdata directory,\n\t// in case we didn't get a chance to clean-up properly in the last run\n\tos.RemoveAll(\"./testdata/.git\")\n\n\ttoRemove := []string{\"./testdata/.git\"}\n\n\tcleaner := func() {\n\t\tfor _, p := range toRemove {\n\t\t\tos.RemoveAll(p)\n\t\t}\n\t}\n\n\t// temporarily make the testdata folder a git repository to prevent gitignore files messing with tests\n\t_, err := git.PlainInit(\"./testdata\", false)\n\tif err != nil {\n\t\treturn cleaner, err\n\t}\n\n\tvar gitIgnoreFiles []string\n\n\t// walk the testdata to find all test .gitignore files that should be copied before tests run\n\terr = filepath.Walk(\"./testdata\", func(path string, info fs.FileInfo, err error) error {\n\t\tif err == nil && !info.IsDir() && filepath.Base(path) == \"test.gitignore\" {\n\t\t\tgitIgnoreFiles = append(gitIgnoreFiles, path)\n\t\t}\n\n\t\treturn nil\n\t})\n\n\tif err != nil {\n\t\treturn cleaner, err\n\t}\n\n\tfor _, f := range gitIgnoreFiles {\n\t\tgitignoreFile, err := copyFile(f, filepath.Join(filepath.Dir(f), \".gitignore\"))\n\n\t\tif err != nil {\n\t\t\treturn cleaner, err\n\t\t}\n\n\t\ttoRemove = append(toRemove, gitignoreFile)\n\t}\n\n\treturn cleaner, nil\n}\n" }, { "path": "cmd/osv-scanner/internal/testcmd/run.go", "content": "package testcmd\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"sort\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/urfave/cli/v3\"\n)\n\n// CommandsUnderTest should be set in TestMain by every cmd package test\nvar CommandsUnderTest []cmd.CommandBuilder\n\n// fetchCommandsToTest returns the commands that should be tested, ensuring that\n// the default \"scan\" command is included to avoid a panic\nfunc fetchCommandsToTest() []cmd.CommandBuilder {\n\tfor _, builder := range CommandsUnderTest {\n\t\tcommand := builder(nil, nil, nil)\n\n\t\tif command.Name == \"scan\" {\n\t\t\treturn CommandsUnderTest\n\t\t}\n\t}\n\n\treturn append(CommandsUnderTest, func(_, _ io.Writer, _ *http.Client) *cli.Command {\n\t\treturn &cli.Command{\n\t\t\tName: \"scan\",\n\t\t\tAction: func(_ context.Context, _ *cli.Command) error {\n\t\t\t\treturn errors.New(\"\")\n\t\t\t},\n\t\t}\n\t})\n}\n\nfunc run(t *testing.T, tc Case) (string, string) {\n\tt.Helper()\n\n\tstdout := &bytes.Buffer{}\n\tstderr := &bytes.Buffer{}\n\n\tec := cmd.Run(tc.Args, stdout, stderr, tc.HTTPClient, fetchCommandsToTest())\n\n\tif ec != tc.Exit {\n\t\tt.Errorf(\"cli exited with code %d, not %d\", ec, tc.Exit)\n\t\tt.Errorf(\"stdout: %s\", stdout.String())\n\t\tt.Errorf(\"stderr: %s\", stderr.String())\n\t}\n\n\treturn stdout.String(), stderr.String()\n}\n\nfunc RunAndNormalize(t *testing.T, tc Case) (string, string) {\n\tt.Helper()\n\n\tstdout, stderr := run(t, tc)\n\n\tstdout = normalizeDirScanOrder(t, stdout)\n\tstderr = normalizeDirScanOrder(t, stderr)\n\n\tif len(tc.ReplaceRules) > 0 {\n\t\tif len(stdout) == 0 || !json.Valid([]byte(stdout)) {\n\t\t\tt.Fatalf(\"invalid JSON when expecting json\\n stdout: %s\\n stderr: %s\", stdout, stderr)\n\t\t}\n\n\t\tstdout = normalizeJSON(t, stdout, tc.ReplaceRules...)\n\t}\n\n\tstdout = normalizeUUID(t, stdout)\n\n\treturn stdout, stderr\n}\n\nfunc RunAndMatchSnapshots(t *testing.T, tc Case) {\n\tt.Helper()\n\n\tstdout, stderr := RunAndNormalize(t, tc)\n\n\ttestutility.NewSnapshot().MatchText(t, stdout)\n\ttestutility.NewSnapshot().WithWindowsReplacements(map[string]string{\n\t\t\"CreateFile\": \"stat\",\n\t}).MatchText(t, stderr)\n}\n\n// normalizeJSON runs the given JSONReplaceRules on the given JSON input and returns the normalized JSON string\nfunc normalizeJSON(t *testing.T, jsonInput string, jsonReplaceRules ...testutility.JSONReplaceRule) string {\n\tt.Helper()\n\n\tfor _, rule := range jsonReplaceRules {\n\t\tjsonInput = testutility.ReplaceJSONInput(t, jsonInput, rule.Path, rule.ReplaceFunc)\n\t}\n\n\tjsonFormatted := bytes.Buffer{}\n\terr := json.Indent(&jsonFormatted, []byte(jsonInput), \"\", \" \")\n\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to marshal JSON: %s\", err)\n\t}\n\n\treturn jsonFormatted.String()\n}\n\n// Sorts the output between directory scan markers to allow for consistent test results when doing unsorted dir walks\nfunc normalizeDirScanOrder(t *testing.T, input string) string {\n\tt.Helper()\n\n\tinputLines := strings.Split(input, \"\\n\")\n\n\tvar completeOutput = make([]string, 0, len(inputLines))\n\tvar dirScanHolder []string\n\tprintingDirScanLogs := false\n\n\tfor _, line := range inputLines {\n\t\tif strings.Contains(line, testlogger.BeginDirectoryScan) {\n\t\t\tif printingDirScanLogs {\n\t\t\t\tt.Fatalf(\"directory scan began twice before finishing?\")\n\t\t\t}\n\t\t\tprintingDirScanLogs = true\n\n\t\t\tcontinue\n\t\t}\n\n\t\tif strings.Contains(line, testlogger.EndDirectoryScan) {\n\t\t\tif !printingDirScanLogs {\n\t\t\t\tt.Fatalf(\"directory scan ended before starting?\")\n\t\t\t}\n\n\t\t\tprintingDirScanLogs = false\n\t\t\tsort.Strings(dirScanHolder)\n\t\t\tcompleteOutput = append(completeOutput, dirScanHolder...)\n\t\t\tdirScanHolder = nil\n\n\t\t\tcontinue\n\t\t}\n\n\t\tif printingDirScanLogs {\n\t\t\tdirScanHolder = append(dirScanHolder, line)\n\n\t\t\tcontinue\n\t\t}\n\n\t\tcompleteOutput = append(completeOutput, line)\n\t}\n\n\treturn strings.Join(completeOutput, \"\\n\")\n}\n\n// normalizeUUID normalizes each unique instance of uuid string into it's own placeholder, so relations are preserved.\nfunc normalizeUUID(t *testing.T, input string) string {\n\tt.Helper()\n\n\tuuidV4Regexp := cachedregexp.MustCompile(\n\t\t\"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89ABab][0-9a-fA-F]{3}-[0-9a-fA-F]{12}\")\n\n\tuuidMapping := map[string]int{}\n\tallUUIDs := uuidV4Regexp.FindAllString(input, -1)\n\n\tfor _, id := range allUUIDs {\n\t\tif _, ok := uuidMapping[id]; ok {\n\t\t\tcontinue\n\t\t}\n\n\t\t// Create a incrementing uuid mapping for each unique uuid we encounter\n\t\tuuidMapping[id] = len(uuidMapping)\n\t}\n\n\treplacerRules := make([]string, 0, len(uuidMapping)*2)\n\tfor s, i := range uuidMapping {\n\t\treplacerRules = append(replacerRules, s, fmt.Sprintf(\"uuid-placeholder-%d\", i))\n\t}\n\n\treturn strings.NewReplacer(replacerRules...).Replace(input)\n}\n" }, { "path": "cmd/osv-scanner/internal/testcmd/vcr.go", "content": "package testcmd\n\nimport (\n\t\"bytes\"\n\t\"cmp\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"slices\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/tidwall/pretty\"\n\t\"go.yaml.in/yaml/v4\"\n\t\"gopkg.in/dnaeon/go-vcr.v4/pkg/cassette\"\n\t\"gopkg.in/dnaeon/go-vcr.v4/pkg/recorder\"\n)\n\nfunc determineRecorderMode() recorder.Mode {\n\tswitch strings.ToLower(os.Getenv(\"TEST_VCR_MODE\")) {\n\tcase \"recordonly\", \"0\":\n\t\treturn recorder.ModeRecordOnly\n\tcase \"replayonly\", \"1\":\n\t\treturn recorder.ModeReplayOnly\n\tcase \"replaywithnewepisodes\", \"2\":\n\t\treturn recorder.ModeReplayWithNewEpisodes\n\tcase \"recordonce\", \"3\":\n\t\treturn recorder.ModeRecordOnce\n\tcase \"passthrough\", \"4\":\n\t\treturn recorder.ModePassthrough\n\t}\n\n\tif _, inCI := os.LookupEnv(\"CI\"); inCI {\n\t\treturn recorder.ModeReplayOnly\n\t}\n\n\treturn recorder.ModeReplayWithNewEpisodes\n}\n\n// withHeadersTripper adds extra headers to requests before they're done by the wrapped http.Client\ntype withHeadersTripper struct {\n\twrapper http.Client\n\theaders map[string]string\n}\n\nfunc (wht withHeadersTripper) RoundTrip(request *http.Request) (*http.Response, error) {\n\tfor key, value := range wht.headers {\n\t\trequest.Header.Set(key, value)\n\t}\n\n\treturn wht.wrapper.Do(request)\n}\n\nvar _ http.RoundTripper = withHeadersTripper{}\n\n// WithTestNameHeader wraps the given http.Client with an http.RoundTripper that\n// adds a custom header to every request with the name of the test being run\nfunc WithTestNameHeader(t *testing.T, client http.Client) *http.Client {\n\tt.Helper()\n\n\treturn &http.Client{Transport: withHeadersTripper{\n\t\twrapper: client,\n\t\theaders: map[string]string{\"X-Test-Name\": t.Name()},\n\t}}\n}\n\n// this is cassette.Interaction without its ID field\ntype withoutID struct {\n\tRequest cassette.Request `yaml:\"request\"`\n\tResponse cassette.Response `yaml:\"response\"`\n}\n\n// custom marshaller to make cassettes pretty and to omit the \"id\" field from interactions\n// for a smaller diff since we don't care about their order\nfunc marshalCassettes(in any) (out []byte, err error) {\n\tcass, ok := in.(*cassette.Cassette)\n\tif !ok {\n\t\treturn nil, fmt.Errorf(\"expected *cassette.Cassette, got %T\", in)\n\t}\n\n\tinteractions := make([]withoutID, len(cass.Interactions))\n\tfor i, interaction := range cass.Interactions {\n\t\tinteractions[i] = withoutID{\n\t\t\tRequest: interaction.Request,\n\t\t\tResponse: interaction.Response,\n\t\t}\n\t}\n\n\tinput := struct {\n\t\tVersion int `yaml:\"version\"`\n\t\tInteractions []withoutID `yaml:\"interactions\"`\n\t}{Version: cass.Version, Interactions: interactions}\n\n\tvar buf bytes.Buffer\n\tenc := yaml.NewEncoder(&buf)\n\tenc.SetIndent(2)\n\tif err := enc.Encode(input); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn buf.Bytes(), nil\n}\n\n// InsertCassette returns an http.Client backed by a [recorder.Recorder] which\n// will record and (re)play responses from a cassette based on the tests name\nfunc InsertCassette(t *testing.T) *http.Client {\n\tt.Helper()\n\n\tpath := filepath.Join(\"testdata/cassettes\", strings.ReplaceAll(t.Name(), \"/\", \"_\"))\n\n\tr, err := recorder.New(\n\t\tpath,\n\t\trecorder.WithMarshalFunc(marshalCassettes),\n\t\trecorder.WithSkipRequestLatency(true),\n\t\trecorder.WithMode(determineRecorderMode()),\n\t\trecorder.WithPassthrough(func(req *http.Request) bool {\n\t\t\t// exclude requests for info on a specific vuln since they can be quite large\n\t\t\t// and their changes should be less impactful to our snapshots than the query\n\t\t\t// endpoint, as those reqs are what results in specific vulns being looked up\n\t\t\treturn strings.HasPrefix(req.URL.Path, \"/v1/vulns/\")\n\t\t}),\n\t\trecorder.WithMatcher(matcher),\n\t\trecorder.WithHook(func(i *cassette.Interaction) error {\n\t\t\t// remove headers that are not important to reduce cassette size and noise\n\t\t\tfor _, header := range []string{\n\t\t\t\t\"Alt-Svc\",\n\t\t\t\t\"Grpc-Accept-Encoding\",\n\t\t\t\t\"Grpc-Message\",\n\t\t\t\t\"Grpc-Status\",\n\t\t\t\t\"Server\",\n\t\t\t\t\"Traceparent\",\n\t\t\t\t\"X-Cloud-Trace-Context\",\n\t\t\t\t\"X-Envoy-Decorator-Operation\",\n\t\t\t\t\"Date\",\n\t\t\t} {\n\t\t\t\tdelete(i.Response.Headers, header)\n\t\t\t}\n\n\t\t\tfor header := range i.Response.Headers {\n\t\t\t\tif strings.HasPrefix(header, \"X-Google-\") {\n\t\t\t\t\tdelete(i.Response.Headers, header)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tdelete(i.Request.Headers, \"User-Agent\")\n\n\t\t\t// Force copy of default options, as we don't want to change the global variable\n\t\t\tprettyOptions := *pretty.DefaultOptions\n\t\t\tprettyOptions.SortKeys = true\n\n\t\t\ti.Request.Body = string(pretty.PrettyOptions([]byte(i.Request.Body), &prettyOptions))\n\t\t\ti.Request.ContentLength = int64(len(i.Request.Body))\n\n\t\t\t// use a static duration since we don't care about replicating latency\n\t\t\ti.Response.Duration = 0\n\t\t\ti.Response.Body = string(pretty.PrettyOptions([]byte(i.Response.Body), &prettyOptions))\n\n\t\t\treturn nil\n\t\t}, recorder.AfterCaptureHook),\n\t)\n\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tt.Cleanup(func() {\n\t\tif err := r.Stop(); err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\n\t\tsortCassetteInteractions(t, path)\n\t})\n\n\treturn r.GetDefaultClient()\n}\n\n// sortCassetteInteractions reorders the interactions in the given cassette, based\n// on the X-Test-Name header to help reduce the diff when interactions are changed\nfunc sortCassetteInteractions(t *testing.T, path string) {\n\tt.Helper()\n\n\tcass, err := cassette.Load(strings.TrimSuffix(path, \".yaml\"))\n\tif err != nil {\n\t\tt.Fatalf(\"failed to load %s: %v\", path, err)\n\t}\n\n\tcass.MarshalFunc = marshalCassettes\n\n\t// we don't need to worry about the interaction ids as they get updated as part of saving\n\tslices.SortFunc(cass.Interactions, func(a, b *cassette.Interaction) int {\n\t\treturn cmp.Compare(a.Request.Headers.Get(\"X-Test-Name\"), b.Request.Headers.Get(\"X-Test-Name\"))\n\t})\n\n\tif err = cass.Save(); err != nil {\n\t\tt.Fatalf(\"failed to write %s: %v\", path, err)\n\t}\n}\n\n// Simplified matcher, which only looks at:\n// - Method\n// - URL\n// - Headers\n// - Body\nfunc matcher(r *http.Request, i cassette.Request) bool {\n\tif r.Method != i.Method {\n\t\treturn false\n\t}\n\n\tif r.URL.String() != i.URL {\n\t\treturn false\n\t}\n\n\trequestHeader := r.Header.Clone()\n\tcassetteRequestHeaders := i.Headers.Clone()\n\n\tfor _, header := range []string{\n\t\t\"User-Agent\",\n\t\t\"Content-Length\",\n\t} {\n\t\tdelete(requestHeader, header)\n\t\tdelete(cassetteRequestHeaders, header)\n\t}\n\n\tif !reflect.DeepEqual(requestHeader, cassetteRequestHeaders) {\n\t\treturn false\n\t}\n\n\tif !matchBody(r, i) {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\nfunc matchBody(r *http.Request, i cassette.Request) bool {\n\tif r.Body != nil {\n\t\tvar buffer bytes.Buffer\n\t\tif _, err := buffer.ReadFrom(r.Body); err != nil {\n\t\t\treturn false\n\t\t}\n\n\t\tr.Body = io.NopCloser(bytes.NewBuffer(buffer.Bytes()))\n\n\t\tif !bytes.Equal(\n\t\t\tpretty.PrettyOptions(buffer.Bytes(), &pretty.Options{SortKeys: true}),\n\t\t\tpretty.PrettyOptions([]byte(i.Body), &pretty.Options{SortKeys: true}),\n\t\t) {\n\t\t\treturn false\n\t\t}\n\t} else if len(i.Body) != 0 {\n\t\treturn false\n\t}\n\n\treturn true\n}\n" }, { "path": "cmd/osv-scanner/main.go", "content": "package main\n\nimport (\n\t\"os\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/update\"\n)\n\nfunc main() {\n\tos.Exit(\n\t\tcmd.Run(os.Args, os.Stdout, os.Stderr, nil, []cmd.CommandBuilder{\n\t\t\tscan.Command,\n\t\t\tfix.Command,\n\t\t\tupdate.Command,\n\t\t\tmcp.Command,\n\t\t}),\n\t)\n}\n" }, { "path": "cmd/osv-scanner/main_test.go", "content": "// main cannot be accessed directly, so cannot use main_test\npackage main\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n)\n\n//nolint:paralleltest\nfunc Test_run(t *testing.T) {\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"\",\n\t\t\tArgs: []string{\"\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"\",\n\t\t\tArgs: []string{\"--help\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"version\",\n\t\t\tArgs: []string{\"\", \"--version\"},\n\t\t\tExit: 0,\n\t\t},\n\t}\n\n\t// No parallel because --version output is not thread safe.\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc Test_run_SubCommands(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t// without subcommands\n\t\t{\n\t\t\tName: \"with_no_subcommand\",\n\t\t\tArgs: []string{\"\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// with scan subcommand\n\t\t{\n\t\t\tName: \"with_scan_subcommand\",\n\t\t\tArgs: []string{\"\", \"scan\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// scan with a flag\n\t\t{\n\t\t\tName: \"scan_with_a_flag\",\n\t\t\tArgs: []string{\"\", \"scan\", \"--recursive\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// TODO: add tests for other future subcommands\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/mcp/__snapshots__/integration_test.snap", "content": "\n[TestIntegration_MCP_SSE_Subprocess/GetVulnerabilityDetails - 1]\n{\n \"content\": [\n {\n \"type\": \"text\",\n \"text\": \"{\\n \\\"schema_version\\\": \\\"1.7.3\\\",\\n \\\"id\\\": \\\"GO-2023-1558\\\",\\n \\\"published\\\": \\\"2023-02-14T19:41:21Z\\\",\\n \\\"modified\\\": \\\"2024-05-20T16:03:47Z\\\",\\n \\\"aliases\\\": [\\\"CVE-2023-23626\\\", \\\"GHSA-2h6c-j3gf-xp9r\\\"],\\n \\\"summary\\\": \\\"Denial of service via malformed size parameters in github.com/ipfs/go-bitfield\\\",\\n \\\"details\\\": \\\"When feeding untrusted user input into the size parameter of NewBitfield and FromBytes functions, an attacker can trigger panics.\\\\n\\\\nThis happens when the size is a not a multiple of 8 or is negative.\\\\n\\\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\\\",\\n \\\"affected\\\": [\\n {\\n \\\"package\\\": {\\n \\\"name\\\": \\\"github.com/ipfs/go-bitfield\\\",\\n \\\"ecosystem\\\": \\\"Go\\\",\\n \\\"purl\\\": \\\"pkg:golang/github.com/ipfs/go-bitfield\\\"\\n },\\n \\\"ranges\\\": [\\n {\\n \\\"type\\\": \\\"SEMVER\\\",\\n \\\"events\\\": [\\n {\\n \\\"introduced\\\": \\\"0\\\"\\n },\\n {\\n \\\"fixed\\\": \\\"1.1.0\\\"\\n }\\n ]\\n }\\n ],\\n \\\"ecosystem_specific\\\": {\\n \\\"imports\\\": [\\n {\\n \\\"path\\\": \\\"github.com/ipfs/go-bitfield\\\",\\n \\\"symbols\\\": [\\\"FromBytes\\\", \\\"NewBitfield\\\"]\\n }\\n ]\\n },\\n \\\"database_specific\\\": {\\n \\\"source\\\": \\\"https://vuln.go.dev/ID/GO-2023-1558.json\\\"\\n }\\n }\\n ],\\n \\\"references\\\": [\\n {\\n \\\"type\\\": \\\"ADVISORY\\\",\\n \\\"url\\\": \\\"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\\\"\\n },\\n {\\n \\\"type\\\": \\\"FIX\\\",\\n \\\"url\\\": \\\"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\\"\\n }\\n ],\\n \\\"database_specific\\\": {\\n \\\"review_status\\\": \\\"REVIEWED\\\",\\n \\\"url\\\": \\\"https://pkg.go.dev/vuln/GO-2023-1558\\\"\\n },\\n \\\"credits\\\": [\\n {\\n \\\"name\\\": \\\"Jorropo\\\"\\n }\\n ]\\n}\\n\"\n }\n ]\n}\n---\n\n[TestIntegration_MCP_SSE_Subprocess/ScanVulnerableDependencies - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\nGo\n\nlockfile:/testdata/go-project/go.mod: found 1 package with issues\n\n github.com/ipfs/go-bitfield@1.0.0 has the following known vulnerabilities:\n GO-2023-1558: Denial of service via malformed size parameters in github.com/ipfs/go-bitfield\n Severity: '5.9'; Minimal Fix Version: '1.1.0';\n\n 1 known vulnerability found in lockfile:/testdata/go-project/go.mod\nHiding 9 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\n\n\n---\n" }, { "path": "cmd/osv-scanner/mcp/command.go", "content": "// Package mcp implements the `mcp` command for osv-scanner.\npackage mcp\n\nimport (\n\t\"context\"\n\t_ \"embed\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"net/http\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n\t\"github.com/modelcontextprotocol/go-sdk/mcp\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"github.com/tidwall/pretty\"\n\t\"github.com/urfave/cli/v3\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\nvar (\n\tvulnCacheMu sync.RWMutex\n\tvulnCacheMap = make(map[string]*osvschema.Vulnerability)\n)\n\n// Command is the entry point for the `mcp` subcommand.\nfunc Command(_, _ io.Writer, _ *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"experimental-mcp\",\n\t\tUsage: \"Run osv-scanner as an MCP service (experimental)\",\n\t\tDescription: \"Run osv-scanner as an MCP service, speaking the MCP protocol over stdin/stdout.\",\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"sse\",\n\t\t\t\tDefaultText: \"localhost:8080\",\n\t\t\t\tValue: \"localhost:8080\",\n\t\t\t\tUsage: \"The listening address for the SSE server, e.g. localhost:8080\",\n\t\t\t},\n\t\t},\n\t\tAction: action,\n\t}\n}\n\n// scanVulnerableDependenciesInput is the input for the scan_vulnerable_dependencies tool.\ntype scanVulnerableDependenciesInput struct {\n\tPaths []string `json:\"paths\" jsonschema:\"A list of absolute or relative path to a file or directory to scan.\"`\n\tIgnoreGlobPatterns []string `json:\"ignore_glob_patterns\" jsonschema:\"A list of glob patterns to ignore when scanning.\"`\n\tRecursive bool `json:\"recursive\" jsonschema:\"Scans directory recursively\"`\n}\n\nfunc action(ctx context.Context, cmd *cli.Command) error {\n\ts := mcp.NewServer(&mcp.Implementation{\n\t\tName: \"OSV-Scanner\", Version: version.OSVVersion,\n\t}, nil)\n\n\tmcp.AddTool(s, &mcp.Tool{\n\t\tName: \"scan_vulnerable_dependencies\",\n\t\tDescription: \"Scans a source directory for vulnerable dependencies.\" +\n\t\t\t\" Walks the given directory and uses osv.dev to query for vulnerabilities matching the found dependencies.\" +\n\t\t\t\" Use this tool to check that the user's project is not depending on known vulnerable code.\",\n\t}, handleScan)\n\n\t// TODO(another-rex): Ideally both of the following tools would be resources, but gemini-cli does not support those yet.\n\tmcp.AddTool(s, &mcp.Tool{\n\t\tName: \"get_vulnerability_details\",\n\t\tDescription: \"Retrieves the full JSON details for a given vulnerability ID.\",\n\t}, handleVulnIDRetrieval)\n\n\tmcp.AddTool(s, &mcp.Tool{\n\t\tName: \"ignore_vulnerability\",\n\t\tDescription: \"Provides instructions for writing a config file to exclude vulnerabilities from the scan report.\",\n\t}, handleIgnoreVulnerability)\n\n\ts.AddPrompt(&mcp.Prompt{\n\t\tName: \"scan_deps\",\n\t\tDescription: \"Scans your project dependencies for known vulnerabilities.\",\n\t}, handleScanDepsPrompt)\n\n\t// Provide two options, sse on a network port, or stdio.\n\tif cmd.IsSet(\"sse\") {\n\t\tsseAddr := cmd.String(\"sse\")\n\t\tcmdlogger.Infof(\"Starting SSE server on %s\", sseAddr)\n\t\thandler := mcp.NewSSEHandler(func(_ *http.Request) *mcp.Server {\n\t\t\treturn s\n\t\t}, nil)\n\t\tsrv := &http.Server{\n\t\t\tAddr: sseAddr,\n\t\t\tHandler: handler,\n\t\t\tReadTimeout: 30 * time.Second,\n\t\t\tWriteTimeout: 30 * time.Second,\n\t\t\tIdleTimeout: 120 * time.Second,\n\t\t}\n\t\tif err := srv.ListenAndServe(); err != nil {\n\t\t\tcmdlogger.Errorf(\"mcp error: %s\", err)\n\t\t\treturn err\n\t\t}\n\t} else {\n\t\tcmdlogger.SendEverythingToStderr()\n\t\tcmdlogger.Infof(\"Starting MCP server on stdio\")\n\t\tif err := s.Run(ctx, &mcp.StdioTransport{}); err != nil {\n\t\t\tcmdlogger.Errorf(\"mcp error: %s\", err)\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc handleScan(_ context.Context, _ *mcp.CallToolRequest, input *scanVulnerableDependenciesInput) (*mcp.CallToolResult, any, error) {\n\tstatsCollector := fileOpenedLogger{}\n\n\taction := osvscanner.ScannerActions{\n\t\tDirectoryPaths: input.Paths,\n\t\tScanLicensesSummary: false,\n\t\tExperimentalScannerActions: osvscanner.ExperimentalScannerActions{\n\t\t\tStatsCollector: &statsCollector,\n\t\t},\n\t\tCallAnalysisStates: map[string]bool{\n\t\t\t\"go\": true,\n\t\t},\n\t\tRecursive: input.Recursive,\n\t}\n\n\t//nolint:contextcheck // passing the context in would be a breaking change\n\tscanResults, err := osvscanner.DoScan(action)\n\tif err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {\n\t\treturn nil, nil, fmt.Errorf(\"failed to run scanner: %w\", err)\n\t}\n\n\tvulnCacheMu.Lock()\n\tfor _, vuln := range scanResults.Flatten() {\n\t\tvulnCacheMap[vuln.Vulnerability.GetId()] = vuln.Vulnerability\n\t}\n\tvulnCacheMu.Unlock()\n\n\tif err == nil {\n\t\treturn &mcp.CallToolResult{\n\t\t\tContent: []mcp.Content{\n\t\t\t\t&mcp.TextContent{Text: \"No issues found\"},\n\t\t\t},\n\t\t}, nil, nil\n\t}\n\n\tbuf := strings.Builder{}\n\n\tfor _, s := range statsCollector.collectedLines {\n\t\tbuf.WriteString(s + \"\\n\")\n\t}\n\n\ttext.DisableColors()\n\toutput.PrintVerticalResults(&scanResults, &buf, false)\n\n\treturn &mcp.CallToolResult{\n\t\tContent: []mcp.Content{\n\t\t\t&mcp.TextContent{Text: buf.String()},\n\t\t},\n\t}, nil, nil\n}\n\n// getVulnerabilityDetailsInput is the input for the get_vulnerability_details tool.\ntype getVulnerabilityDetailsInput struct {\n\tVulnID string `json:\"vuln_id\" jsonschema:\"The OSV vulnerability ID to retrieve details for.\"`\n}\n\nfunc handleVulnIDRetrieval(ctx context.Context, _ *mcp.CallToolRequest, input *getVulnerabilityDetailsInput) (*mcp.CallToolResult, any, error) {\n\tvulnCacheMu.RLock()\n\tvuln, found := vulnCacheMap[input.VulnID]\n\tvulnCacheMu.RUnlock()\n\tif !found {\n\t\tvar err error\n\t\tvuln, err = osvdev.DefaultClient().GetVulnByID(ctx, input.VulnID)\n\t\tif err != nil {\n\t\t\treturn nil, nil, fmt.Errorf(\"vulnerability with ID %s not found: %w\", input.VulnID, err)\n\t\t}\n\n\t\tvulnCacheMu.Lock()\n\t\tvulnCacheMap[input.VulnID] = vuln\n\t\tvulnCacheMu.Unlock()\n\t}\n\n\tjsonBytes, err := protojson.Marshal(vuln)\n\tif err != nil {\n\t\treturn nil, nil, err\n\t}\n\tprettyJSON := pretty.Pretty(jsonBytes)\n\n\treturn &mcp.CallToolResult{\n\t\tContent: []mcp.Content{\n\t\t\t&mcp.TextContent{\n\t\t\t\tText: string(prettyJSON),\n\t\t\t},\n\t\t},\n\t}, nil, nil\n}\n\n// ignoreVulnerabilityInput is a placeholder to enable the tool call,\n// as it seems like go-sdk mcp does not support a tool call with no arguments.\ntype ignoreVulnerabilityInput struct {\n\t// Extra field is needed as a placeholder to prevent the llm from erroring when calling the tool\n\tVerbose bool `json:\"verbose\" jsonschema:\"ignore this parameter\"`\n}\n\n//go:embed configuration-instructions.md\nvar configInstructions string\n\n// handleIgnoreVulnerability does not perform any actual actions, but instead provides the instructions of how\n// to write an ignore file to the LLM using this tool, so that it can correctly write the ignore file.\nfunc handleIgnoreVulnerability(_ context.Context, _ *mcp.CallToolRequest, _ *ignoreVulnerabilityInput) (*mcp.CallToolResult, any, error) {\n\treturn &mcp.CallToolResult{\n\t\tContent: []mcp.Content{\n\t\t\t&mcp.TextContent{Text: configInstructions},\n\t\t},\n\t}, nil, nil\n}\n\n// scanDepsPrompt is the prompt that is sent to the AI model when the scan_deps prompt is requested.\n//\n//go:embed scan-deps-prompt.md\nvar scanDepsPrompt string\n\nfunc handleScanDepsPrompt(_ context.Context, _ *mcp.GetPromptRequest) (*mcp.GetPromptResult, error) {\n\treturn &mcp.GetPromptResult{\n\t\tDescription: \"Dependency vulnerability analysis\",\n\t\tMessages: []*mcp.PromptMessage{\n\t\t\t{\n\t\t\t\tRole: \"assistant\",\n\t\t\t\tContent: &mcp.TextContent{\n\t\t\t\t\tText: scanDepsPrompt,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}, nil\n}\n" }, { "path": "cmd/osv-scanner/mcp/configuration-instructions.md", "content": "---\nlayout: page\npermalink: /configuration/\nnav_order: 5\n---\n\n# Configuration\n\nTo configure scanning, place an osv-scanner.toml file in the scanned file's directory. This does not propagate to child directories.\n\n**Example:**\n\n```\n/Cargo.lock\n/osv-scanner.toml (1)\n/child-dir/go.mod\n/child-dir/osv-scanner.toml (2)\n/child-dir/nested-dir/package-lock.json\n```\n\n`osv-scanner.toml (1)` will only apply to `Cargo.lock`, `osv-scanner.toml (2)` will only apply to `go.mod`, and no config will apply to `package-lock.json`.\n\nTo override `osv-scanner.toml` files, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead, this will apply `config.toml` to all files parsed, and ignore `osv-scanner.toml` in all directories.\n\n## Ignore vulnerabilities by ID\n\nTo ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, add an expiry date or reason.\n\n### Example\n\n```toml\n[[IgnoredVulns]]\nid = \"GO-2022-0968\"\n# ignoreUntil = 2022-11-09 # Optional exception expiry date\nreason = \"No ssh servers are connected to or hosted in Go lang\"\n\n[[IgnoredVulns]]\nid = \"GO-2022-1059\"\n# ignoreUntil = 2022-11-09 # Optional exception expiry date\nreason = \"No external http servers are written in Go lang.\"\n```\n\nIgnoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability.\n" }, { "path": "cmd/osv-scanner/mcp/integration_test.go", "content": "package mcp_test\n\nimport (\n\t\"context\"\n\t\"net\"\n\t\"net/http\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/modelcontextprotocol/go-sdk/mcp\"\n)\n\n// TestIntegration_MCP_SSE_Subprocess validates the experimental-mcp command by:\n// 1. Building the binary.\n// 2. Starting it as an MCP server.\n// 3. Connecting a client.\n// 4. Running tools (scan_vulnerable_dependencies, get_vulnerability_details).\n//\n//nolint:paralleltest // This test is not parallelizable\nfunc TestIntegration_MCP_SSE_Subprocess(t *testing.T) {\n\tif testing.Short() {\n\t\ttestutility.Skip(t, \"skipping integration test in short mode\")\n\t}\n\n\tbinPath := buildTestBinary(t)\n\taddr := findFreePort(t)\n\n\t// Start the server\n\tctx, cancel := context.WithCancel(context.Background())\n\tdefer cancel()\n\n\tcmdRun := startMCPServer(t, ctx, binPath, addr)\n\tdefer func() {\n\t\tcancel()\n\t\t_ = cmdRun.Wait()\n\t}()\n\n\t// Wait for server to be ready\n\tbaseURL := \"http://\" + addr + \"/sse\"\n\twaitForServer(t, baseURL)\n\n\t// Connect Client\n\tclient := connectMCPClient(t, ctx, baseURL)\n\tdefer client.Close()\n\n\t// Use persistent testdata/go-project\n\ttestDataPath, err := filepath.Abs(\"testdata/go-project\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get absolute path: %v\", err)\n\t}\n\tif _, err := os.Stat(testDataPath); os.IsNotExist(err) {\n\t\tt.Fatalf(\"testdata/go-project does not exist at %s\", testDataPath)\n\t}\n\n\tvar vulnID string\n\n\t// Step 1: Scan for vulnerabilities\n\tt.Run(\"ScanVulnerableDependencies\", func(t *testing.T) {\n\t\tscanResult, err := client.CallTool(ctx, &mcp.CallToolParams{\n\t\t\tName: \"scan_vulnerable_dependencies\",\n\t\t\tArguments: map[string]any{\n\t\t\t\t\"paths\": []string{testDataPath},\n\t\t\t\t\"recursive\": true,\n\t\t\t\t\"ignore_glob_patterns\": []string{},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"call to scan_vulnerable_dependencies failed: %v\", err)\n\t\t}\n\n\t\tif len(scanResult.Content) == 0 {\n\t\t\tt.Fatal(\"scan result content is empty\")\n\t\t}\n\n\t\ttextRes, ok := scanResult.Content[0].(*mcp.TextContent)\n\t\tif !ok {\n\t\t\tt.Fatalf(\"expected TextContent, got %T\", scanResult.Content[0])\n\t\t}\n\n\t\toutput := textRes.Text\n\t\tt.Logf(\"Scan completed. Output length: %d\", len(output))\n\t\ttestutility.NewSnapshot().MatchText(t, output)\n\n\t\tvulnID = \"GO-2023-1558\"\n\t})\n\n\t// Step 2: Get details for the found vulnerability\n\tt.Run(\"GetVulnerabilityDetails\", func(t *testing.T) {\n\t\tdetailsResult, err := client.CallTool(ctx, &mcp.CallToolParams{\n\t\t\tName: \"get_vulnerability_details\",\n\t\t\tArguments: map[string]any{\n\t\t\t\t\"vuln_id\": vulnID,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"call to get_vulnerability_details failed: %v\", err)\n\t\t}\n\n\t\tif len(detailsResult.Content) == 0 {\n\t\t\tt.Log(\"Details Result Content is empty\")\n\t\t\treturn\n\t\t}\n\n\t\tt.Logf(\"Details Result Content: %v\", detailsResult.Content[0])\n\t\ttestutility.NewSnapshot().MatchJSON(t, detailsResult)\n\t})\n}\n\n// buildTestBinary builds the osv-scanner binary to a temporary directory.\nfunc buildTestBinary(t *testing.T) string {\n\tt.Helper()\n\ttempDir := t.TempDir()\n\tbinPath := filepath.Join(tempDir, \"osv-scanner-mcp-test\")\n\tif runtime.GOOS == \"windows\" {\n\t\tbinPath += \".exe\"\n\t}\n\n\t// We use the full package path to ensure we build the correct main package.\n\tcmdBuild := exec.CommandContext(\n\t\tcontext.Background(),\n\t\t\"go\",\n\t\t\"build\",\n\t\t\"-ldflags\",\n\t\t\"-X 'github.com/google/osv-scanner/v2/internal/config.OSVScannerConfigName=osv-scanner-test.toml'\",\n\t\t\"-o\",\n\t\tbinPath,\n\t\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner\",\n\t)\n\tcmdBuild.Stdout = os.Stdout\n\tcmdBuild.Stderr = os.Stderr\n\tif err := cmdBuild.Run(); err != nil {\n\t\tt.Fatalf(\"failed to build binary: %v\", err)\n\t}\n\n\treturn binPath\n}\n\n// findFreePort lets the OS choose a free port and returns the address string (e.g. \"127.0.0.1:12345\").\nfunc findFreePort(t *testing.T) string {\n\tt.Helper()\n\tvar lc net.ListenConfig\n\tln, err := lc.Listen(context.Background(), \"tcp\", \"localhost:0\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to listen: %v\", err)\n\t}\n\taddr := ln.Addr().String()\n\tln.Close()\n\n\treturn addr\n}\n\n// startMCPServer starts the mcp server in a subprocess.\n//\n//nolint:revive // t should be the first argument\nfunc startMCPServer(t *testing.T, ctx context.Context, binPath, addr string) *exec.Cmd {\n\tt.Helper()\n\tcmdRun := exec.CommandContext(ctx, binPath, \"experimental-mcp\", \"--sse\", addr)\n\tcmdRun.Stderr = os.Stderr\n\tcmdRun.Stdout = os.Stdout\n\n\tt.Logf(\"Starting MCP server on %s\", addr)\n\tif err := cmdRun.Start(); err != nil {\n\t\tt.Fatalf(\"failed to start server: %v\", err)\n\t}\n\n\treturn cmdRun\n}\n\n// connectMCPClient connects to the MCP server via SSE.\n//\n//nolint:revive // t should be the first argument\nfunc connectMCPClient(t *testing.T, ctx context.Context, baseURL string) *mcp.ClientSession {\n\tt.Helper()\n\ttransport := &mcp.SSEClientTransport{\n\t\tEndpoint: baseURL,\n\t}\n\n\tclient := mcp.NewClient(&mcp.Implementation{\n\t\tName: \"test-client\",\n\t\tVersion: \"1.0.0\",\n\t}, nil)\n\n\tsession, err := client.Connect(ctx, transport, nil)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to connect to MCP server: %v\", err)\n\t}\n\n\treturn session\n}\n\nfunc waitForServer(t *testing.T, url string) {\n\tt.Helper()\n\tdeadline := time.Now().Add(15 * time.Second)\n\tfor time.Now().Before(deadline) {\n\t\t//nolint:gosec,noctx // This is a test with a local URL\n\t\tresp, err := http.Get(url)\n\t\tif err == nil {\n\t\t\tresp.Body.Close()\n\t\t\treturn\n\t\t}\n\t\ttime.Sleep(100 * time.Millisecond)\n\t}\n\tt.Fatalf(\"server failed to start listening at %s within timeout\", url)\n}\n" }, { "path": "cmd/osv-scanner/mcp/scan-deps-prompt.md", "content": "You are a highly skilled senior security analyst.\nYour primary task is to conduct a security audit of the vulnerabilities in the dependencies of this project.\nUtilizing your skillset, you must operate by strictly following the operating principles defined in your context.\n\n**Step 1: Perform initial scan**\n\nUse the scan_vulnerable_dependencies with recursive on the project, always use the absolute path.\nThis will return a report of all the relevant lockfiles and all vulnerable dependencies in those files.\n\n**Step 2: Analyse the report**\n\nGo through the report and determine the relevant project lockfiles (ignoring lockfiles in test directories),\nand prioritise which vulnerability to fix based on the description and severity.\nIf more information is needed about a vulnerability, use get_vulnerability_details.\n\n**Step 3: Prioritisation**\n\nGive advice on which vulnerabilities to prioritise fixing, and general advice on how to go about fixing\nthem by updating. Don't try to automatically update for the user without input.\n" }, { "path": "cmd/osv-scanner/mcp/stats.go", "content": "package mcp\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\n\t\"github.com/google/osv-scalibr/stats\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n)\n\ntype fileOpenedLogger struct {\n\tstats.NoopCollector\n\n\tcollectedLines []string\n}\n\nvar _ stats.Collector = &fileOpenedLogger{}\n\nfunc (c *fileOpenedLogger) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) {\n\tif extractorstats.Error != nil { // Don't log scanned if error occurred\n\t\treturn\n\t}\n\n\tpkgsFound := len(extractorstats.Inventory.Packages)\n\n\tc.collectedLines = append(c.collectedLines,\n\t\tfmt.Sprintf(\n\t\t\t\"Scanned %s file and found %d %s\",\n\t\t\tfilepath.Join(extractorstats.Root, extractorstats.Path),\n\t\t\tpkgsFound,\n\t\t\toutput.Form(pkgsFound, \"package\", \"packages\"),\n\t\t))\n}\n" }, { "path": "cmd/osv-scanner/mcp/testdata/go-project/go.mod", "content": "module example.com/test\n\ngo 1.25.3\n\nrequire github.com/ipfs/go-bitfield v1.0.0\n" }, { "path": "cmd/osv-scanner/mcp/testdata/go-project/go.sum", "content": "github.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=\ngithub.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=\n" }, { "path": "cmd/osv-scanner/mcp/testdata/go-project/main.go", "content": "package main\n\nimport (\n\t\"github.com/ipfs/go-bitfield\"\n)\n\nfunc main() {\n\t_ = bitfield.NewBitfield(1)\n}\n" }, { "path": "cmd/osv-scanner/mcp/testdata/go-project/osv-scanner-test.toml", "content": "\n" }, { "path": "cmd/osv-scanner/mcp/testdata/go-project/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/mcp/testmain_test.go", "content": "package mcp_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/mcp\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tslog.SetDefault(slog.New(testlogger.New()))\n\t// This is technically not necessary, as we are running mcp via a subprocess\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{mcp.Command}\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/scan/__snapshots__/command_test.snap", "content": "\n[TestCommand_SubCommands/scan_with_a_flag - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_SubCommands/scan_with_a_flag - 2]\n\n---\n\n[TestCommand_SubCommands/with_no_arguments - 1]\nNAME:\n osv-scanner scan - scans projects and container images for dependencies, and checks them against the OSV database.\n\nUSAGE:\n osv-scanner scan [command [command options]]\n\nDESCRIPTION:\n scans projects and container images for dependencies, and checks them against the OSV database.\n\nCOMMANDS:\n source scans a source project's dependencies for known vulnerabilities using the OSV database.\n image detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally\n\nOPTIONS:\n --help, -h show help\n\n---\n\n[TestCommand_SubCommands/with_no_arguments - 2]\n\n---\n\n[TestCommand_SubCommands/with_no_subcommand - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_SubCommands/with_no_subcommand - 2]\n\n---\n\n[TestCommand_SubCommands/with_scan_subcommand - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_SubCommands/with_scan_subcommand - 2]\n\n---\n" }, { "path": "cmd/osv-scanner/scan/command.go", "content": "// Package scan implements the `scan` command for osv-scanner.\npackage scan\n\nimport (\n\t\"io\"\n\t\"net/http\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nconst sourceSubCommand = \"source\"\n\nconst DefaultSubcommand = sourceSubCommand\n\nvar Subcommands = []string{sourceSubCommand, \"image\"}\n\nfunc Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"scan\",\n\t\tUsage: \"scans projects and container images for dependencies, and checks them against the OSV database.\",\n\t\tDescription: \"scans projects and container images for dependencies, and checks them against the OSV database.\",\n\t\tCommands: []*cli.Command{\n\t\t\tsource.Command(stdout, stderr, client),\n\t\t\timage.Command(stdout, stderr, client),\n\t\t},\n\t}\n}\n" }, { "path": "cmd/osv-scanner/scan/command_test.go", "content": "package scan_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n)\n\n// Tests all subcommands here.\nfunc TestCommand_SubCommands(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"with_no_arguments\",\n\t\t\tArgs: []string{\"\", \"scan\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// without subcommands\n\t\t{\n\t\t\tName: \"with_no_subcommand\",\n\t\t\tArgs: []string{\"\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// with scan subcommand\n\t\t{\n\t\t\tName: \"with_scan_subcommand\",\n\t\t\tArgs: []string{\"\", \"scan\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// scan with a flag\n\t\t{\n\t\t\tName: \"scan_with_a_flag\",\n\t\t\tArgs: []string{\"\", \"scan\", \"--recursive\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// TODO: add tests for other future subcommands\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/scan/image/__snapshots__/command_test.snap", "content": "\n[TestCommand_Docker/Fake_alpine_image - 1]\nChecking if docker image (\"alpine:non-existent-tag\") exists locally...\n\n---\n\n[TestCommand_Docker/Fake_alpine_image - 2]\nDocker command exited with code (\"/usr/bin/docker pull -q alpine:non-existent-tag\"): 1\nSTDERR:\n> Error response from daemon: manifest for alpine:non-existent-tag not found: manifest unknown: manifest unknown\nfailed to pull container image: failed to run docker command\n\n---\n\n[TestCommand_Docker/Fake_image_entirely - 1]\nChecking if docker image (\"this-image-definitely-does-not-exist-abcde:with-tag\") exists locally...\n\n---\n\n[TestCommand_Docker/Fake_image_entirely - 2]\nDocker command exited with code (\"/usr/bin/docker pull -q this-image-definitely-does-not-exist-abcde:with-tag\"): 1\nSTDERR:\n> Error response from daemon: pull access denied for this-image-definitely-does-not-exist-abcde, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\nfailed to pull container image: failed to run docker command\n\n---\n\n[TestCommand_Docker/Real_Alpine_image - 1]\nChecking if docker image (\"alpine:3.18.9\") exists locally...\nSaving docker image (\"alpine:3.18.9\") to temporary file...\nScanning image \"alpine:3.18.9\"\n\n\nContainer Scanning Result (Alpine Linux v3.18) (Based on \"alpine\" image):\nTotal 2 packages affected by 3 known vulnerabilities (0 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n3 vulnerabilities can be fixed.\n\n\nAlpine:v3.18\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| musl | 1.2.4-r2 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine |\n| openssl | 3.1.7-r0 | Fix Available | 2 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_Docker/Real_Alpine_image - 2]\n\n---\n\n[TestCommand_Docker/Real_empty_image_with_no_tag,_invalid_scan_target - 1]\n\n---\n\n[TestCommand_Docker/Real_empty_image_with_no_tag,_invalid_scan_target - 2]\n\"hello-world\" is not a tagged image name\n\n---\n\n[TestCommand_Docker/Real_empty_image_with_tag - 1]\nChecking if docker image (\"hello-world:linux\") exists locally...\nSaving docker image (\"hello-world:linux\") to temporary file...\nScanning image \"hello-world:linux\"\n\n---\n\n[TestCommand_Docker/Real_empty_image_with_tag - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_Docker/no_image_argument - 1]\n\n---\n\n[TestCommand_Docker/no_image_argument - 2]\nplease provide an image name or see the help document\n\n---\n\n[TestCommand_Docker/real_alpine_image_without_apk_extractor_enabled - 1]\nChecking if docker image (\"alpine:3.18.9\") exists locally...\nSaving docker image (\"alpine:3.18.9\") to temporary file...\nScanning image \"alpine:3.18.9\"\n\n---\n\n[TestCommand_Docker/real_alpine_image_without_apk_extractor_enabled - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_Docker/real_empty_image_with_tag_and_allow_no_lockfiles_flag - 1]\nChecking if docker image (\"hello-world:linux\") exists locally...\nSaving docker image (\"hello-world:linux\") to temporary file...\nScanning image \"hello-world:linux\"\nNo package sources found\nNo issues found\n\n---\n\n[TestCommand_Docker/real_empty_image_with_tag_and_allow_no_lockfiles_flag - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/add_extractors - 1]\nScanning local image tarball \"testdata/test-alpine-sbom.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 2 packages affected by 4 known vulnerabilities (2 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n1 vulnerability can be fixed.\n\n\nAlpine\n+------------------------------------------------------------------------------------------------+\n| Source:sbom:/data/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n+---------+-------------------+------------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+------------------+------------+------------------+---------------+\n| zlib | 1.2.12-r1 | No fix available | 3 | # 2 Layer | -- |\n+---------+-------------------+------------------+------------+------------------+---------------+\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/add_extractors - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 1]\nScanning local image tarball \"testdata/test-alpine-sbom.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 1]\nScanning local image tarball \"testdata/test-alpine-sbom.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01 - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 1]\nScanning local image tarball \"testdata/test-alpine-sbom.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors - 1]\nScanning local image tarball \"testdata/test-alpine-sbom.tar\"\n\nTotal 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | data/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------------------+\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out#01 - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_HtmlFile - 1]\nScanning local image tarball \"./testdata/test-alpine.tar\"\nHTML output available at: /report.html\n\n---\n\n[TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 1]\nScanning local image tarball \"./testdata/test-alpine.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.18) (Based on \"alpine\" image):\nTotal 5 packages affected by 65 known vulnerabilities (6 Critical, 33 High, 26 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n65 vulnerabilities can be fixed.\n\n\nAlpine:v3.18\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 2 | apk-tools | # 3 Layer | -- |\n| busybox | 1.30.1-r5 | Fix Available | 19 | busybox, ssl_client | # 3 Layer | -- |\n| musl | 1.1.22-r4 | Fix Available | 3 | musl, musl-utils | # 3 Layer | -- |\n| openssl | 1.1.1k-r0 | Fix Available | 39 | libcrypto1.1... (2) | # 3 Layer | -- |\n| zlib | 1.2.11-r1 | Fix Available | 2 | zlib | # 3 Layer | -- |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file - 2]\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown - 1]\nScanning local image tarball \"./testdata/test-ubuntu-20-04.tar\"\nPackage Ubuntu:20.04/util-linux/1:2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/coreutils/8.30-3ubuntu2 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/dpkg/1.19.7ubuntu3.2 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gnupg2/2.2.19-3ubuntu2.4 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pcre2/10.34-7ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/libtasn1-6/4.16.0-2ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/zlib/1:1.2.11.dfsg-2ubuntu1.5 has been filtered out because: Just want to test only unimportant vulns\nFiltered 38 ignored package/s from the scan.\n\n\nContainer Scanning Result (Ubuntu 20.04.6 LTS) (Based on \"ubuntu\" image):\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nHiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown - 2]\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown - 1]\nScanning local image tarball \"./testdata/test-ubuntu-20-04.tar\"\nPackage Ubuntu:20.04/util-linux/1:2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/coreutils/8.30-3ubuntu2 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/dpkg/1.19.7ubuntu3.2 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gnupg2/2.2.19-3ubuntu2.4 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/glibc/2.31-0ubuntu9.17 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/libgcrypt20/1.8.5-5ubuntu1.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gnutls28/3.6.13-2ubuntu1.12 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/lz4/1.9.2-2ubuntu0.20.04.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pam/1.3.1-5ubuntu4.7 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/pcre2/10.34-7ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/gcc-10/10.5.0-1ubuntu1~20.04 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/libtasn1-6/4.16.0-2ubuntu0.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/systemd/245.4-4ubuntu3.24 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/ncurses/6.2-0ubuntu2.1 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/shadow/1:4.8.1-1ubuntu5.20.04.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/perl/5.30.0-9ubuntu0.5 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/tar/1.30+dfsg-7ubuntu0.20.04.4 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/util-linux/2.34-0.1ubuntu9.6 has been filtered out because: Just want to test only unimportant vulns\nPackage Ubuntu:20.04/zlib/1:1.2.11.dfsg-2ubuntu1.5 has been filtered out because: Just want to test only unimportant vulns\nFiltered 38 ignored package/s from the scan.\n\n\nContainer Scanning Result (Ubuntu 20.04.6 LTS) (Based on \"ubuntu\" image):\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nFiltered Vulnerabilities:\n+---------+--------------+--------------------+---------------------+----------------+\n| PACKAGE | ECOSYSTEM | INSTALLED VERSION | FILTERED VULN COUNT | FILTER REASONS |\n+---------+--------------+--------------------+---------------------+----------------+\n| pcre3 | Ubuntu:20.04 | 2:8.39-12ubuntu0.1 | 1 | Unimportant |\n+---------+--------------+--------------------+---------------------+----------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown - 2]\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar - 1]\nScanning local image tarball \"./testdata/test-ubuntu.tar\"\n\n\nContainer Scanning Result (Ubuntu 22.04.5 LTS) (Based on \"ubuntu\" image):\nTotal 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem.\n24 vulnerabilities can be fixed.\n\n\nUbuntu:22.04\n+---------------------------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/var/lib/dpkg/status |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |\n| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |\n| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |\n| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |\n| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |\n| gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu |\n| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |\n| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |\n| libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu |\n| libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu |\n| libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu |\n| lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu |\n| ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu |\n| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu |\n| pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu |\n| pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu |\n| perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu |\n| shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu |\n| systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu |\n| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |\n| util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |\n| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n\nHiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar - 2]\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns - 1]\nScanning local image tarball \"./testdata/test-ubuntu.tar\"\n\n\nContainer Scanning Result (Ubuntu 22.04.5 LTS) (Based on \"ubuntu\" image):\nTotal 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem.\n24 vulnerabilities can be fixed.\n\n\nUbuntu:22.04\n+---------------------------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/var/lib/dpkg/status |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |\n| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |\n| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |\n| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |\n| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |\n| gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu |\n| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |\n| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |\n| libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu |\n| libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu |\n| libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu |\n| lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu |\n| ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu |\n| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu |\n| pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu |\n| pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu |\n| perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu |\n| shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu |\n| systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu |\n| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |\n| util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |\n| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n\nFiltered Vulnerabilities:\n+---------+--------------+--------------------------+---------------------+----------------+\n| PACKAGE | ECOSYSTEM | INSTALLED VERSION | FILTERED VULN COUNT | FILTER REASONS |\n+---------+--------------+--------------------------+---------------------+----------------+\n| glibc | Ubuntu:22.04 | 2.35-0ubuntu3.8 | 1 | Unimportant |\n| krb5 | Ubuntu:22.04 | 1.19.2-2ubuntu0.4 | 2 | Unimportant |\n| pcre3 | Ubuntu:22.04 | 2:8.39-13ubuntu0.22.04.1 | 1 | Unimportant |\n| perl | Ubuntu:22.04 | 5.34.0-3ubuntu1.3 | 1 | Unimportant |\n+---------+--------------+--------------------------+---------------------+----------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns - 2]\n\n---\n\n[TestCommand_OCIImage/Invalid_path - 1]\nScanning local image tarball \"../../testdata/locks-manyoci-image/no-file-here.tar\"\n\n---\n\n[TestCommand_OCIImage/Invalid_path - 2]\nfailed to load image from tarball with path \"../../testdata/locks-manyoci-image/no-file-here.tar\": open ../../testdata/locks-manyoci-image/no-file-here.tar: no such file or directory\n\n---\n\n[TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json - 1]\nScanning local image tarball \"./testdata/test-ubuntu-with-packages.tar\"\n\n\nContainer Scanning Result (Ubuntu 22.04.5 LTS) (Based on \"ubuntu\" image):\nTotal 22 packages affected by 48 known vulnerabilities (3 Critical, 14 High, 25 Medium, 3 Low, 3 Unknown) from 1 ecosystem.\n24 vulnerabilities can be fixed.\n\n\nUbuntu:22.04\n+---------------------------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/var/lib/dpkg/status |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n| coreutils | 8.32-4.1ubuntu1.2 | No fix available | 2 | coreutils | # 4 Layer | ubuntu |\n| dpkg | 1.21.1ubuntu2.3 | Partial fixes Available | 2 | dpkg | # 4 Layer | ubuntu |\n| gcc-12 | 12.3.0-1ubuntu1~22.04 | Partial fixes Available | 2 | gcc-12-base... (3) | # 4 Layer | ubuntu |\n| glibc | 2.35-0ubuntu3.8 | Fix Available | 3 | libc-bin, libc6 | # 4 Layer | ubuntu |\n| gnupg2 | 2.2.27-3ubuntu2.1 | Partial fixes Available | 5 | gpgv | # 4 Layer | ubuntu |\n| gnutls28 | 3.7.3-4ubuntu1.5 | Fix Available | 3 | libgnutls30 | # 4 Layer | ubuntu |\n| krb5 | 1.19.2-2ubuntu0.4 | Fix Available | 2 | libgssapi-krb5-2... (4) | # 4 Layer | ubuntu |\n| libcap2 | 1:2.44-1ubuntu0.22.04.1 | Fix Available | 1 | libcap2 | # 4 Layer | ubuntu |\n| libgcrypt20 | 1.9.4-3ubuntu3 | No fix available | 1 | libgcrypt20 | # 4 Layer | ubuntu |\n| libtasn1-6 | 4.18.0-4build1 | Fix Available | 2 | libtasn1-6 | # 4 Layer | ubuntu |\n| libzstd | 1.4.8+dfsg-3build1 | No fix available | 1 | libzstd1 | # 4 Layer | ubuntu |\n| lz4 | 1.9.3-2build2 | No fix available | 1 | liblz4-1 | # 4 Layer | ubuntu |\n| ncurses | 6.3-2ubuntu0.1 | No fix available | 2 | libncurses6... (5) | # 4 Layer | ubuntu |\n| openssl | 3.0.2-0ubuntu1.18 | Partial fixes Available | 6 | libssl3 | # 4 Layer | ubuntu |\n| pam | 1.4.0-11ubuntu2.5 | Partial fixes Available | 3 | libpam-modules... (4) | # 4 Layer | ubuntu |\n| pcre2 | 10.39-3ubuntu0.1 | No fix available | 1 | libpcre2-8-0 | # 4 Layer | ubuntu |\n| perl | 5.34.0-3ubuntu1.3 | Partial fixes Available | 3 | perl-base | # 4 Layer | ubuntu |\n| shadow | 1:4.8.1-2ubuntu2.2 | No fix available | 2 | login, passwd | # 4 Layer | ubuntu |\n| systemd | 249.11-0ubuntu3.12 | Partial fixes Available | 3 | libsystemd0... (2) | # 4 Layer | ubuntu |\n| tar | 1.34+dfsg-1ubuntu0.1.22.04.2 | No fix available | 1 | tar | # 4 Layer | ubuntu |\n| util-linux | 2.37.2-4ubuntu3.4 | Fix Available | 1 | libblkid1... (6) | # 4 Layer | ubuntu |\n| zlib | 1:1.2.11.dfsg-2ubuntu9.2 | No fix available | 1 | zlib1g | # 4 Layer | ubuntu |\n+----------------+------------------------------+-------------------------+------------+-------------------------+------------------+---------------+\n\nHiding 5 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json - 2]\n\n---\n\n[TestCommand_OCIImage/Scanning_java_image_with_some_packages - 1]\nScanning local image tarball \"./testdata/test-java-full.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.21) (Based on \"eclipse-temurin\" image):\nTotal 25 packages affected by 73 known vulnerabilities (4 Critical, 29 High, 35 Medium, 4 Low, 1 Unknown) from 2 ecosystems.\n73 vulnerabilities can be fixed.\n\n\nMaven\n+-------------------------------------------------------------------------------------------------------------------------------+\n| Source:artifact:/app/target.jar |\n+-------------------------------------------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+-------------------------------------------+-------------------+---------------+------------+------------------+---------------+\n| com.fasterxml.jackson.core:jackson-core | 2.10.2 | Fix Available | 3 | # 12 Layer | -- |\n| com.google.protobuf:protobuf-java | 3.21.12 | Fix Available | 1 | # 12 Layer | -- |\n| com.nimbusds:nimbus-jose-jwt | 9.31 | Fix Available | 2 | # 12 Layer | -- |\n| commons-beanutils:commons-beanutils | 1.9.4 | Fix Available | 1 | # 12 Layer | -- |\n| dnsjava:dnsjava | 3.4.0 | Fix Available | 1 | # 12 Layer | -- |\n| io.netty:netty-codec | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |\n| io.netty:netty-codec-http | 4.1.100.Final | Fix Available | 3 | # 12 Layer | -- |\n| io.netty:netty-codec-http2 | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |\n| io.netty:netty-codec-smtp | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |\n| io.netty:netty-common | 4.1.100.Final | Fix Available | 2 | # 12 Layer | -- |\n| io.netty:netty-handler | 4.1.100.Final | Fix Available | 1 | # 12 Layer | -- |\n| org.apache.avro:avro | 1.9.2 | Fix Available | 2 | # 12 Layer | -- |\n| org.apache.commons:commons-compress | 1.21 | Fix Available | 2 | # 12 Layer | -- |\n| org.apache.commons:commons-configuration2 | 2.8.0 | Fix Available | 2 | # 12 Layer | -- |\n| org.apache.commons:commons-lang3 | 3.12.0 | Fix Available | 1 | # 12 Layer | -- |\n| org.eclipse.jetty:jetty-http | 9.4.53.v20231009 | Fix Available | 2 | # 12 Layer | -- |\n+-------------------------------------------+-------------------+---------------+------------+------------------+---------------+\nAlpine:v3.21\n+-----------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+\n| busybox | 1.37.0-r9 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine |\n| expat | 2.6.4-r0 | Fix Available | 6 | libexpat | # 5 Layer | eclipse-temurin |\n| gnupg | 2.4.7-r0 | Fix Available | 2 | gnupg... (11) | # 5 Layer | eclipse-temurin |\n| gnutls | 3.8.8-r0 | Fix Available | 7 | gnutls | # 5 Layer | eclipse-temurin |\n| libpng | 1.6.44-r0 | Fix Available | 8 | libpng | # 5 Layer | eclipse-temurin |\n| libtasn1 | 4.19.0-r2 | Fix Available | 2 | libtasn1 | # 5 Layer | eclipse-temurin |\n| musl | 1.2.5-r8 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine |\n| openssl | 3.3.2-r4 | Fix Available | 15 | libcrypto3, libssl3... (3) | # 0 Layer | alpine |\n| sqlite | 3.47.1-r0 | Fix Available | 4 | sqlite-libs | # 5 Layer | eclipse-temurin |\n+----------------+-------------------+---------------+------------+----------------------------+------------------+-----------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Scanning_java_image_with_some_packages - 2]\n\n---\n\n[TestCommand_OCIImage/Scanning_python_image_with_no_packages - 1]\nScanning local image tarball \"./testdata/test-python-empty.tar\"\n\n\nContainer Scanning Result (Debian GNU/Linux 10 (buster)) (Based on \"python\" image):\nTotal 15 packages affected by 27 known vulnerabilities (0 Critical, 7 High, 4 Medium, 2 Low, 14 Unknown) from 2 ecosystems.\n27 vulnerabilities can be fixed.\n\n\nPyPI\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+------------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python |\n+------------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+------------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| setuptools | 58.1.0 | Fix Available | 3 | # 13 Layer | python |\n+------------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| wheel | 0.40.0 | Fix Available | 1 | # 13 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\nDebian:10\n+-----------------------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/var/lib/dpkg/status |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | debian-archive-keyri... (1) | # 0 Layer | debian |\n| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | libexpat1 | # 7 Layer | python |\n| glibc | 2.28-10+deb10u2 | Fix Available | 2 | libc-bin, libc6 | # 0 Layer | debian |\n| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | libgnutls30 | # 0 Layer | debian |\n| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | libncursesw6... (4) | # 0 Layer | debian |\n| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | libssl1.1, openssl | # 4 Layer | python |\n| systemd | 241-7~deb10u9 | Fix Available | 1 | libsystemd0... (2) | # 0 Layer | debian |\n| tar | 1.30+dfsg-6 | Fix Available | 1 | tar | # 0 Layer | debian |\n| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | tzdata | # 0 Layer | debian |\n| util-linux | 2.33.1-0.1 | Fix Available | 1 | fdisk, libblkid1... (8) | # 0 Layer | debian |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Scanning_python_image_with_no_packages - 2]\n\n---\n\n[TestCommand_OCIImage/Scanning_python_image_with_some_packages - 1]\nScanning local image tarball \"./testdata/test-python-full.tar\"\n\n\nContainer Scanning Result (Debian GNU/Linux 10 (buster)) (Based on \"python\" image):\nTotal 21 packages affected by 53 known vulnerabilities (1 Critical, 18 High, 16 Medium, 3 Low, 15 Unknown) from 2 ecosystems.\n53 vulnerabilities can be fixed.\n\n\nPyPI\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| pip | 23.0.1 | Fix Available | 3 | # 7 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+------------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| setuptools | 58.1.0 | Fix Available | 3 | # 7 Layer | python |\n+------------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| django | 1.11.29 | Fix Available | 7 | # 17 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| flask | 0.12.2 | Fix Available | 4 | # 17 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| idna | 2.7 | Fix Available | 1 | # 17 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| pip | 23.0.1 | Fix Available | 3 | # 13 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+----------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA |\n+----------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+----------+-------------------+---------------+------------+------------------+---------------+\n| requests | 2.20.0 | Fix Available | 3 | # 17 Layer | -- |\n+----------+-------------------+---------------+------------+------------------+---------------+\n+------------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+------------+-------------------+---------------+------------+------------------+---------------+\n| setuptools | 58.1.0 | Fix Available | 3 | # 13 Layer | python |\n+------------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| urllib3 | 1.24.3 | Fix Available | 9 | # 17 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+----------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/werkzeug-3.1.4.dist-info/METADATA |\n+----------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+----------+-------------------+---------------+------------+------------------+---------------+\n| werkzeug | 3.1.4 | Fix Available | 2 | # 17 Layer | -- |\n+----------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| wheel | 0.40.0 | Fix Available | 1 | # 13 Layer | python |\n+---------+-------------------+---------------+------------+------------------+---------------+\nDebian:10\n+-----------------------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/var/lib/dpkg/status |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n| debian-archive-keyring | 2019.1+deb10u1 | Fix Available | 1 | debian-archive-keyri... (1) | # 0 Layer | debian |\n| expat | 2.2.6-2+deb10u6 | Fix Available | 1 | libexpat1 | # 7 Layer | python |\n| glibc | 2.28-10+deb10u2 | Fix Available | 2 | libc-bin, libc6 | # 0 Layer | debian |\n| gnutls28 | 3.6.7-4+deb10u10 | Fix Available | 2 | libgnutls30 | # 0 Layer | debian |\n| ncurses | 6.1+20181013-2+deb10u3 | Fix Available | 2 | libncursesw6... (4) | # 0 Layer | debian |\n| openssl | 1.1.1n-0+deb10u5 | Fix Available | 1 | libssl1.1, openssl | # 4 Layer | python |\n| systemd | 241-7~deb10u9 | Fix Available | 1 | libsystemd0... (2) | # 0 Layer | debian |\n| tar | 1.30+dfsg-6 | Fix Available | 1 | tar | # 0 Layer | debian |\n| tzdata | 2021a-0+deb10u11 | Fix Available | 2 | tzdata | # 0 Layer | debian |\n| util-linux | 2.33.1-0.1 | Fix Available | 1 | fdisk, libblkid1... (8) | # 0 Layer | debian |\n+------------------------+------------------------+---------------+------------+-----------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/Scanning_python_image_with_some_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_image_with_go_binary - 1]\nScanning local image tarball \"./testdata/test-package-tracing.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.20) (Based on \"alpine\" image):\nTotal 9 packages affected by 213 known vulnerabilities (2 Critical, 6 High, 11 Medium, 2 Low, 192 Unknown) from 2 ecosystems.\n213 vulnerabilities can be fixed.\n\n\nGo\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/more-vuln-overwrite-less-vuln |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 9 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/ptf-1.2.0 |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 2 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/ptf-1.3.0 |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 4 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/ptf-1.3.0-moved |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 3 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/ptf-1.4.0 |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 2 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\n+---------------------------------------------------------------------------------------------+\n| Source:artifact:/go/bin/ptf-vulnerable |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+---------+-------------------+---------------+------------+------------------+---------------+\n| stdlib | 1.22.4 | Fix Available | 32 | # 7 Layer | -- |\n+---------+-------------------+---------------+------------+------------------+---------------+\nAlpine:v3.20\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r29 | Fix Available | 2 | busybox... (3) | # 0 Layer | alpine |\n| musl | 1.2.5-r0 | Fix Available | 1 | musl, musl-utils | # 0 Layer | alpine |\n| openssl | 3.3.1-r0 | Fix Available | 18 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_image_with_go_binary - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset - 1]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled - 1]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled - 1]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors - 1]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.10) (Based on \"alpine\" image):\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n\nAlpine:v3.10\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| apk-tools | 2.10.6-r0 | Fix Available | 1 | apk-tools | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-npm-empty.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n15 vulnerabilities can be fixed.\n\n\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-npm-full.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 4 packages affected by 18 known vulnerabilities (3 Critical, 3 High, 10 Medium, 2 Low, 0 Unknown) from 2 ecosystems.\n17 vulnerabilities can be fixed.\n\n\nnpm\n+-------------------------------------------------------------------------------------------------+\n| Source:artifact:/prod/app/node_modules/.package-lock.json |\n+----------+-------------------+------------------+------------+------------------+---------------+\n| PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | INTRODUCED LAYER | IN BASE IMAGE |\n+----------+-------------------+------------------+------------+------------------+---------------+\n| cryo | 0.0.6 | No fix available | 1 | # 14 Layer | -- |\n| minimist | 0.0.8 | Fix Available | 2 | # 13 Layer | -- |\n+----------+-------------------+------------------+------------+------------------+---------------+\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-pnpm-empty.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n15 vulnerabilities can be fixed.\n\n\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-pnpm-full.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n15 vulnerabilities can be fixed.\n\n\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-yarn-empty.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n15 vulnerabilities can be fixed.\n\n\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages - 2]\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 1]\nScanning local image tarball \"./testdata/test-node_modules-yarn-full.tar\"\n\n\nContainer Scanning Result (Alpine Linux v3.19) (Based on \"library/node\" image):\nTotal 2 packages affected by 15 known vulnerabilities (1 Critical, 3 High, 9 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n15 vulnerabilities can be fixed.\n\n\nAlpine:v3.19\n+------------------------------------------------------------------------------------------------------------------------------+\n| Source:os:/lib/apk/db/installed |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| SOURCE PACKAGE | INSTALLED VERSION | FIX AVAILABLE | VULN COUNT | BINARY PACKAGES (COUNT) | INTRODUCED LAYER | IN BASE IMAGE |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n| busybox | 1.36.1-r15 | Fix Available | 6 | busybox... (3) | # 0 Layer | alpine |\n| openssl | 3.1.4-r5 | Fix Available | 9 | libcrypto3, libssl3 | # 0 Layer | alpine |\n+----------------+-------------------+---------------+------------+-------------------------+------------------+---------------+\n\nFor the most comprehensive scan results, we recommend using the HTML output: `osv-scanner scan image --serve `.\nYou can also view the full vulnerability list in your terminal with: `osv-scanner scan image --format vertical `.\n\n---\n\n[TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages - 2]\n\n---\n\n[TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/ensurepip/_bundled/pip-23.0.1-py3-none-any.whl\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pip\",\n \"version\": \"23.0.1\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 7\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"PYSEC-2023-228\",\n \"GHSA-4xh5-x5gv-qwph\",\n \"GHSA-6vgw-5pg2-w6jp\",\n \"GHSA-mq26-g339-26xf\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/ensurepip/_bundled/setuptools-58.1.0-py3-none-any.whl\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 7\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"PYSEC-2022-43012\",\n \"PYSEC-2025-49\",\n \"GHSA-5rjg-fvgr-3xxf\",\n \"GHSA-cx63-2mw6-8hw5\",\n \"GHSA-r9hx-vwmv-q579\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/Django-1.11.29.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"django\",\n \"version\": \"1.11.29\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 7,\n \"vulnerabilities\": [\n \"PYSEC-2021-98\",\n \"GHSA-68w8-qjq3-2gfm\",\n \"GHSA-6w2r-r2m5-xq5w\",\n \"GHSA-7xr5-9hcq-chf9\",\n \"GHSA-8x94-hmjh-97hq\",\n \"GHSA-frmv-pr5f-9mcr\",\n \"GHSA-qw25-v68c-qjf3\",\n \"GHSA-rrqc-c2jx-6jgv\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/Flask-0.12.2.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"flask\",\n \"version\": \"0.12.2\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"PYSEC-2018-66\",\n \"PYSEC-2019-179\",\n \"PYSEC-2023-62\",\n \"GHSA-562c-5r94-xh97\",\n \"GHSA-5wv5-4vpf-pj6m\",\n \"GHSA-68rp-wp8r-4726\",\n \"GHSA-m2qf-hxjv-5gpq\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/idna-2.7.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"idna\",\n \"version\": \"2.7\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"PYSEC-2024-60\",\n \"GHSA-jjg7-2v4v-x38h\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/pip-23.0.1.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pip\",\n \"version\": \"23.0.1\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 13\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"PYSEC-2023-228\",\n \"GHSA-4xh5-x5gv-qwph\",\n \"GHSA-6vgw-5pg2-w6jp\",\n \"GHSA-mq26-g339-26xf\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/requests-2.20.0.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"requests\",\n \"version\": \"2.20.0\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"PYSEC-2023-74\",\n \"GHSA-9hjg-9r4m-mvj7\",\n \"GHSA-9wx4-h78v-vm56\",\n \"GHSA-j8r2-6x86-q33q\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"setuptools\",\n \"version\": \"58.1.0\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 13\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"PYSEC-2022-43012\",\n \"PYSEC-2025-49\",\n \"GHSA-5rjg-fvgr-3xxf\",\n \"GHSA-cx63-2mw6-8hw5\",\n \"GHSA-r9hx-vwmv-q579\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/urllib3-1.24.3.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"urllib3\",\n \"version\": \"1.24.3\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 9,\n \"vulnerabilities\": [\n \"PYSEC-2020-148\",\n \"PYSEC-2021-108\",\n \"PYSEC-2023-192\",\n \"PYSEC-2023-212\",\n \"GHSA-2xpw-w6gg-jr37\",\n \"GHSA-34jh-p97f-mpxf\",\n \"GHSA-38jv-5279-wg99\",\n \"GHSA-g4mx-q9vg-27p4\",\n \"GHSA-gm62-xv2j-4w53\",\n \"GHSA-pq67-6m6q-mj2v\",\n \"GHSA-v845-jxx5-vc9f\",\n \"GHSA-wqvq-5m8c-6g24\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/werkzeug-3.1.4.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"werkzeug\",\n \"version\": \"3.1.4\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 17\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"GHSA-29vq-49wr-vm6x\",\n \"GHSA-87hc-h4r5-73f7\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/usr/local/lib/python3.9/site-packages/wheel-0.40.0.dist-info/METADATA\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"wheel\",\n \"version\": \"0.40.0\",\n \"ecosystem\": \"PyPI\",\n \"image_origin_details\": {\n \"index\": 13\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"GHSA-8rrh-rw8j-w5fx\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/var/lib/dpkg/status\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"debian-archive-keyring\",\n \"os_package_name\": \"debian-archive-keyring\",\n \"version\": \"2019.1+deb10u1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3482-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"fdisk\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libblkid1\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc-bin\",\n \"version\": \"2.28-10+deb10u2\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3850-1\",\n \"DLA-3807-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc6\",\n \"version\": \"2.28-10+deb10u2\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3850-1\",\n \"DLA-3807-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"expat\",\n \"os_package_name\": \"libexpat1\",\n \"version\": \"2.2.6-2+deb10u6\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 7\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3783-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libfdisk1\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gnutls28\",\n \"os_package_name\": \"libgnutls30\",\n \"version\": \"3.6.7-4+deb10u10\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3660-1\",\n \"DLA-3740-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libmount1\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libncursesw6\",\n \"version\": \"6.1+20181013-2+deb10u3\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3682-1\",\n \"DLA-3586-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libsmartcols1\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl1.1\",\n \"version\": \"1.1.1n-0+deb10u5\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3530-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libsystemd0\",\n \"version\": \"241-7~deb10u9\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3474-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libtinfo6\",\n \"version\": \"6.1+20181013-2+deb10u3\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3682-1\",\n \"DLA-3586-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libudev1\",\n \"version\": \"241-7~deb10u9\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3474-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libuuid1\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"mount\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-base\",\n \"version\": \"6.1+20181013-2+deb10u3\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3682-1\",\n \"DLA-3586-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-bin\",\n \"version\": \"6.1+20181013-2+deb10u3\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3682-1\",\n \"DLA-3586-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"openssl\",\n \"version\": \"1.1.1n-0+deb10u5\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3530-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"tar\",\n \"os_package_name\": \"tar\",\n \"version\": \"1.30+dfsg-6\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3755-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"tzdata\",\n \"os_package_name\": \"tzdata\",\n \"version\": \"2021a-0+deb10u11\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"DLA-3684-1\",\n \"DLA-3788-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"util-linux\",\n \"version\": \"2.33.1-0.1\",\n \"ecosystem\": \"Debian:10\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"DLA-3782-1\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Debian GNU/Linux 10 (buster)\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"ADD file:2818e508d01da218...\",\n \"is_empty\": false,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"bash/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PATH=/usr/local/bin:/...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV LANG=C.UTF-8\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c set -eux; ...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV GPG_KEY=E3FF2839C048B...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PYTHON_VERSION=3.9.17\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c set -eux; ...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c set -eux; ...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PYTHON_PIP_VERSION=23...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PYTHON_SETUPTOOLS_VER...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PYTHON_GET_PIP_URL=ht...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV PYTHON_GET_PIP_SHA256...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c set -eux; ...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"python3/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"WORKDIR /app\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY ./python-fixture/req...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c pip instal...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY python-fixture/main....\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"python/\" /\"main.py/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"python\",\n \"tags\": null\n },\n {\n \"name\": \"debian\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages - 2]\nScanning local image tarball \"./testdata/test-python-full.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/app/rust_novuln_deprecated\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"url\",\n \"version\": \"2.5.3\",\n \"ecosystem\": \"crates.io\",\n \"deprecated\": true,\n \"image_origin_details\": {\n \"index\": 2\n }\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox\",\n \"version\": \"1.37.0-r19\",\n \"ecosystem\": \"Alpine:v3.22\",\n \"commit\": \"bd8ab811155a6087ba7480103d89e2500e3cb0eb\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox-binsh\",\n \"version\": \"1.37.0-r19\",\n \"ecosystem\": \"Alpine:v3.22\",\n \"commit\": \"bd8ab811155a6087ba7480103d89e2500e3cb0eb\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libcrypto3\",\n \"version\": \"3.5.4-r0\",\n \"ecosystem\": \"Alpine:v3.22\",\n \"commit\": \"8f330e62bd41c2ac23dbd866fea36fb8e22f8422\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 12,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2025-11187\",\n \"ALPINE-CVE-2025-15467\",\n \"ALPINE-CVE-2025-15468\",\n \"ALPINE-CVE-2025-15469\",\n \"ALPINE-CVE-2025-66199\",\n \"ALPINE-CVE-2025-68160\",\n \"ALPINE-CVE-2025-69418\",\n \"ALPINE-CVE-2025-69419\",\n \"ALPINE-CVE-2025-69420\",\n \"ALPINE-CVE-2025-69421\",\n \"ALPINE-CVE-2026-22795\",\n \"ALPINE-CVE-2026-22796\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl3\",\n \"version\": \"3.5.4-r0\",\n \"ecosystem\": \"Alpine:v3.22\",\n \"commit\": \"8f330e62bd41c2ac23dbd866fea36fb8e22f8422\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 12,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2025-11187\",\n \"ALPINE-CVE-2025-15467\",\n \"ALPINE-CVE-2025-15468\",\n \"ALPINE-CVE-2025-15469\",\n \"ALPINE-CVE-2025-66199\",\n \"ALPINE-CVE-2025-68160\",\n \"ALPINE-CVE-2025-69418\",\n \"ALPINE-CVE-2025-69419\",\n \"ALPINE-CVE-2025-69420\",\n \"ALPINE-CVE-2025-69421\",\n \"ALPINE-CVE-2026-22795\",\n \"ALPINE-CVE-2026-22796\"\n ]\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"ssl_client\",\n \"version\": \"1.37.0-r19\",\n \"ecosystem\": \"Alpine:v3.22\",\n \"commit\": \"bd8ab811155a6087ba7480103d89e2500e3cb0eb\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.22\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"ADD alpine-minirootfs-3.22.2-x86_64.tar.gz / # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"/bin/sh/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY /app/target/release/rust_novuln_deprecated /app/rust_novuln_deprecated # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"alpine\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages - 2]\nScanning local image tarball \"./testdata/test-image-with-deprecated.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/go/bin/ptf-1.4.0\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/BurntSushi/toml\",\n \"version\": \"1.4.0\",\n \"ecosystem\": \"Go\",\n \"image_origin_details\": {\n \"index\": 2\n }\n }\n },\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.22.4\",\n \"ecosystem\": \"Go\",\n \"image_origin_details\": {\n \"index\": 2\n }\n },\n \"groups\": 32,\n \"vulnerabilities\": [\n \"GO-2024-2963\",\n \"GO-2024-3105\",\n \"GO-2024-3106\",\n \"GO-2024-3107\",\n \"GO-2025-3373\",\n \"GO-2025-3420\",\n \"GO-2025-3447\",\n \"GO-2025-3563\",\n \"GO-2025-3750\",\n \"GO-2025-3751\",\n \"GO-2025-3849\",\n \"GO-2025-3956\",\n \"GO-2025-4006\",\n \"GO-2025-4007\",\n \"GO-2025-4008\",\n \"GO-2025-4009\",\n \"GO-2025-4010\",\n \"GO-2025-4011\",\n \"GO-2025-4012\",\n \"GO-2025-4013\",\n \"GO-2025-4014\",\n \"GO-2025-4015\",\n \"GO-2025-4155\",\n \"GO-2025-4175\",\n \"GO-2026-4337\",\n \"GO-2026-4340\",\n \"GO-2026-4341\",\n \"GO-2026-4342\",\n \"GO-2026-4403\",\n \"GO-2026-4601\",\n \"GO-2026-4602\",\n \"GO-2026-4603\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ptf\",\n \"version\": \"(devel)\",\n \"ecosystem\": \"Go\",\n \"image_origin_details\": {\n \"index\": 2\n }\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"alpine-baselayout\",\n \"os_package_name\": \"alpine-baselayout\",\n \"version\": \"3.6.5-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"66187892e05b03a41d08e9acabd19b7576a1c875\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"alpine-baselayout\",\n \"os_package_name\": \"alpine-baselayout-data\",\n \"version\": \"3.6.5-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"66187892e05b03a41d08e9acabd19b7576a1c875\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"alpine-keys\",\n \"os_package_name\": \"alpine-keys\",\n \"version\": \"2.4-r1\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"aab68f8c9ab434a46710de8e12fb3206e2930a59\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"apk-tools\",\n \"os_package_name\": \"apk-tools\",\n \"version\": \"2.14.4-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"d435c805af8af4171438da3ec3429c094aac4c6e\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox\",\n \"version\": \"1.36.1-r29\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"1747c01fb96905f101c25609011589d28e01cbb8\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox-binsh\",\n \"version\": \"1.36.1-r29\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"1747c01fb96905f101c25609011589d28e01cbb8\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ca-certificates\",\n \"os_package_name\": \"ca-certificates-bundle\",\n \"version\": \"20240226-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"56fb003da0adcea3b59373ef6a633d0c5bfef3ac\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libcrypto3\",\n \"version\": \"3.3.1-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"15cc530882e1e6f3dc8a77200ee8bd01cb98f53c\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 18,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-12797\",\n \"ALPINE-CVE-2024-13176\",\n \"ALPINE-CVE-2024-5535\",\n \"ALPINE-CVE-2024-6119\",\n \"ALPINE-CVE-2024-9143\",\n \"ALPINE-CVE-2025-15467\",\n \"ALPINE-CVE-2025-15468\",\n \"ALPINE-CVE-2025-66199\",\n \"ALPINE-CVE-2025-68160\",\n \"ALPINE-CVE-2025-69418\",\n \"ALPINE-CVE-2025-69419\",\n \"ALPINE-CVE-2025-69420\",\n \"ALPINE-CVE-2025-69421\",\n \"ALPINE-CVE-2025-9230\",\n \"ALPINE-CVE-2025-9231\",\n \"ALPINE-CVE-2025-9232\",\n \"ALPINE-CVE-2026-22795\",\n \"ALPINE-CVE-2026-22796\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl3\",\n \"version\": \"3.3.1-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"15cc530882e1e6f3dc8a77200ee8bd01cb98f53c\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 18,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-12797\",\n \"ALPINE-CVE-2024-13176\",\n \"ALPINE-CVE-2024-5535\",\n \"ALPINE-CVE-2024-6119\",\n \"ALPINE-CVE-2024-9143\",\n \"ALPINE-CVE-2025-15467\",\n \"ALPINE-CVE-2025-15468\",\n \"ALPINE-CVE-2025-66199\",\n \"ALPINE-CVE-2025-68160\",\n \"ALPINE-CVE-2025-69418\",\n \"ALPINE-CVE-2025-69419\",\n \"ALPINE-CVE-2025-69420\",\n \"ALPINE-CVE-2025-69421\",\n \"ALPINE-CVE-2025-9230\",\n \"ALPINE-CVE-2025-9231\",\n \"ALPINE-CVE-2025-9232\",\n \"ALPINE-CVE-2026-22795\",\n \"ALPINE-CVE-2026-22796\"\n ]\n },\n {\n \"package\": {\n \"name\": \"musl\",\n \"os_package_name\": \"musl\",\n \"version\": \"1.2.5-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"4fe5bdbe47b100daa6380f81c4c8ea3f99b61362\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2025-26519\"\n ]\n },\n {\n \"package\": {\n \"name\": \"musl\",\n \"os_package_name\": \"musl-utils\",\n \"version\": \"1.2.5-r0\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"4fe5bdbe47b100daa6380f81c4c8ea3f99b61362\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2025-26519\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pax-utils\",\n \"os_package_name\": \"scanelf\",\n \"version\": \"1.3.7-r2\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"e65a4f2d0470e70d862ef2b5c412ecf2cb9ad0a6\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"ssl_client\",\n \"version\": \"1.36.1-r29\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"1747c01fb96905f101c25609011589d28e01cbb8\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"zlib\",\n \"os_package_name\": \"zlib\",\n \"version\": \"1.3.1-r1\",\n \"ecosystem\": \"Alpine:v3.20\",\n \"commit\": \"fad2d175bd85eb4c5566765375392a7394dfbcf2\",\n \"image_origin_details\": {\n \"index\": 0\n }\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.20\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"ADD file:33ebe56b967747a97dcec01bc2559962bee8823686c9739d26be060381bbb3ca in / \",\n \"is_empty\": false,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"/bin/sh/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY /work/ptf-1.4.0 /go/bin/ # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"alpine\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary - 2]\nScanning local image tarball \"./testdata/test-go-binary.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"apk-tools\",\n \"os_package_name\": \"apk-tools\",\n \"version\": \"2.10.6-r0\",\n \"ecosystem\": \"Alpine:v3.10\",\n \"commit\": \"ee458ccae264321745e9622c759baf110130eb2f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2021-36159\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"experimental_generic_findings\": [\n {\n \"Adv\": {\n \"ID\": {\n \"Publisher\": \"SCALIBR\",\n \"Reference\": \"etc-shadow-weakcredentials\"\n },\n \"Title\": \"Ensure all users have strong passwords configured\",\n \"Description\": \"The /etc/shadow file contains user account password hashes. These passwords must be strong and not easily guessable.\",\n \"Recommendation\": \"Run the following command to reset password for the reported users:/n# change password for USER: sudo passwd USER\",\n \"Sev\": 5\n },\n \"Target\": {\n \"Extra\": \"/etc/shadow: The following users have weak passwords:/nuser-bcrypt/n\"\n },\n \"Plugins\": [\n \"weakcredentials/etcshadow\"\n ],\n \"ExploitabilitySignals\": null\n }\n ],\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.10\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / \",\n \"is_empty\": false,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) CMD [/\"/bin/sh/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"alpine\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset - 2]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"apk-tools\",\n \"os_package_name\": \"apk-tools\",\n \"version\": \"2.10.6-r0\",\n \"ecosystem\": \"Alpine:v3.10\",\n \"commit\": \"ee458ccae264321745e9622c759baf110130eb2f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2021-36159\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"experimental_generic_findings\": [\n {\n \"Adv\": {\n \"ID\": {\n \"Publisher\": \"SCALIBR\",\n \"Reference\": \"etc-shadow-weakcredentials\"\n },\n \"Title\": \"Ensure all users have strong passwords configured\",\n \"Description\": \"The /etc/shadow file contains user account password hashes. These passwords must be strong and not easily guessable.\",\n \"Recommendation\": \"Run the following command to reset password for the reported users:/n# change password for USER: sudo passwd USER\",\n \"Sev\": 5\n },\n \"Target\": {\n \"Extra\": \"/etc/shadow: The following users have weak passwords:/nuser-bcrypt/n\"\n },\n \"Plugins\": [\n \"weakcredentials/etcshadow\"\n ],\n \"ExploitabilitySignals\": null\n }\n ],\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.10\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / \",\n \"is_empty\": false,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) CMD [/\"/bin/sh/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"alpine\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled - 2]\nScanning local image tarball \"./testdata/test-alpine-etcshadow.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox\",\n \"version\": \"1.36.1-r15\",\n \"ecosystem\": \"Alpine:v3.19\",\n \"commit\": \"d1b6f274f29076967826e0ecf6ebcaa5d360272f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 6,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2023-42363\",\n \"ALPINE-CVE-2023-42364\",\n \"ALPINE-CVE-2023-42365\",\n \"ALPINE-CVE-2023-42366\",\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"busybox-binsh\",\n \"version\": \"1.36.1-r15\",\n \"ecosystem\": \"Alpine:v3.19\",\n \"commit\": \"d1b6f274f29076967826e0ecf6ebcaa5d360272f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 6,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2023-42363\",\n \"ALPINE-CVE-2023-42364\",\n \"ALPINE-CVE-2023-42365\",\n \"ALPINE-CVE-2023-42366\",\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libcrypto3\",\n \"version\": \"3.1.4-r5\",\n \"ecosystem\": \"Alpine:v3.19\",\n \"commit\": \"b784a22cad0c452586b438cb7a597d846fc09ff4\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 9,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-13176\",\n \"ALPINE-CVE-2024-2511\",\n \"ALPINE-CVE-2024-4603\",\n \"ALPINE-CVE-2024-4741\",\n \"ALPINE-CVE-2024-5535\",\n \"ALPINE-CVE-2024-6119\",\n \"ALPINE-CVE-2024-9143\",\n \"ALPINE-CVE-2025-9230\",\n \"ALPINE-CVE-2025-9232\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl3\",\n \"version\": \"3.1.4-r5\",\n \"ecosystem\": \"Alpine:v3.19\",\n \"commit\": \"b784a22cad0c452586b438cb7a597d846fc09ff4\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 9,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2024-13176\",\n \"ALPINE-CVE-2024-2511\",\n \"ALPINE-CVE-2024-4603\",\n \"ALPINE-CVE-2024-4741\",\n \"ALPINE-CVE-2024-5535\",\n \"ALPINE-CVE-2024-6119\",\n \"ALPINE-CVE-2024-9143\",\n \"ALPINE-CVE-2025-9230\",\n \"ALPINE-CVE-2025-9232\"\n ]\n },\n {\n \"package\": {\n \"name\": \"busybox\",\n \"os_package_name\": \"ssl_client\",\n \"version\": \"1.36.1-r15\",\n \"ecosystem\": \"Alpine:v3.19\",\n \"commit\": \"d1b6f274f29076967826e0ecf6ebcaa5d360272f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"groups\": 6,\n \"vulnerabilities\": [\n \"ALPINE-CVE-2023-42363\",\n \"ALPINE-CVE-2023-42364\",\n \"ALPINE-CVE-2023-42365\",\n \"ALPINE-CVE-2023-42366\",\n \"ALPINE-CVE-2024-58251\",\n \"ALPINE-CVE-2025-46394\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/prod/app/node_modules/.package-lock.json\",\n \"type\": \"artifact\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"cryo\",\n \"version\": \"0.0.6\",\n \"ecosystem\": \"npm\",\n \"image_origin_details\": {\n \"index\": 14\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"GHSA-38f5-ghc2-fcmv\"\n ]\n },\n {\n \"package\": {\n \"name\": \"minimist\",\n \"version\": \"0.0.8\",\n \"ecosystem\": \"npm\",\n \"image_origin_details\": {\n \"index\": 13\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"GHSA-vh95-rmgr-6w4m\",\n \"GHSA-xvch-5gv4-984h\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.19\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"ADD file:37a76ec18f988775...\",\n \"is_empty\": false,\n \"base_image_index\": 4\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"/bin/sh/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 3\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV NODE_VERSION=20.11.1\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /0addgroup -g 1000 no...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENV YARN_VERSION=1.22.19\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /0apk add --no-cache ...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY file:4d192565a7220e1...\",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ENTRYPOINT [/\"docker-entry...\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"CMD [/\"node/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"ARG MANAGER_VERSION=10.2.4\",\n \"is_empty\": true,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"WORKDIR /prod/app\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN |1 MANAGER_VERSION=10...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN |1 MANAGER_VERSION=10...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN |1 MANAGER_VERSION=10...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN |1 MANAGER_VERSION=10...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN |1 MANAGER_VERSION=10...\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"library/node\",\n \"tags\": null\n },\n {\n \"name\": \"ayan4m1/maven-node\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n },\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages - 2]\nScanning local image tarball \"./testdata/test-node_modules-npm-full.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/var/lib/dpkg/status\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"coreutils\",\n \"os_package_name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2016-2781\",\n \"UBUNTU-CVE-2025-5278\"\n ]\n },\n {\n \"package\": {\n \"name\": \"dpkg\",\n \"os_package_name\": \"dpkg\",\n \"version\": \"1.21.1ubuntu2.3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7768-1\",\n \"UBUNTU-CVE-2025-6297\",\n \"UBUNTU-CVE-2026-2219\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gnupg2\",\n \"os_package_name\": \"gpgv\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 5,\n \"vulnerabilities\": [\n \"USN-7412-1\",\n \"USN-7946-1\",\n \"UBUNTU-CVE-2022-3219\",\n \"UBUNTU-CVE-2025-30258\",\n \"UBUNTU-CVE-2025-68972\",\n \"UBUNTU-CVE-2025-68973\",\n \"USN-7412-2\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libblkid1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-8005-1\",\n \"USN-7259-1\",\n \"USN-7541-1\",\n \"USN-7760-1\",\n \"UBUNTU-CVE-2016-20013\",\n \"UBUNTU-CVE-2025-0395\",\n \"UBUNTU-CVE-2025-15281\",\n \"UBUNTU-CVE-2025-4802\",\n \"UBUNTU-CVE-2025-8058\",\n \"UBUNTU-CVE-2026-0861\",\n \"UBUNTU-CVE-2026-0915\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc6\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-8005-1\",\n \"USN-7259-1\",\n \"USN-7541-1\",\n \"USN-7760-1\",\n \"UBUNTU-CVE-2016-20013\",\n \"UBUNTU-CVE-2025-0395\",\n \"UBUNTU-CVE-2025-15281\",\n \"UBUNTU-CVE-2025-4802\",\n \"UBUNTU-CVE-2025-8058\",\n \"UBUNTU-CVE-2026-0861\",\n \"UBUNTU-CVE-2026-0915\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libcap2\",\n \"os_package_name\": \"libcap2\",\n \"version\": \"1:2.44-1ubuntu0.22.04.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-7287-1\",\n \"UBUNTU-CVE-2025-1390\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libgcrypt20\",\n \"os_package_name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2024-2236\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gnutls28\",\n \"os_package_name\": \"libgnutls30\",\n \"version\": \"3.7.3-4ubuntu1.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7635-1\",\n \"USN-8043-1\",\n \"USN-7281-1\",\n \"UBUNTU-CVE-2024-12243\",\n \"UBUNTU-CVE-2025-14831\",\n \"UBUNTU-CVE-2025-32988\",\n \"UBUNTU-CVE-2025-32989\",\n \"UBUNTU-CVE-2025-32990\",\n \"UBUNTU-CVE-2025-6395\",\n \"UBUNTU-CVE-2025-9820\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"lz4\",\n \"os_package_name\": \"liblz4-1\",\n \"version\": \"1.9.3-2build2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2025-62813\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libmount1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-modules\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-modules-bin\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-runtime\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam0g\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pcre2\",\n \"os_package_name\": \"libpcre2-8-0\",\n \"version\": \"10.39-3ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2022-41409\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pcre3\",\n \"os_package_name\": \"libpcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2017-11164\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libsmartcols1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.18\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 6,\n \"vulnerabilities\": [\n \"USN-7980-1\",\n \"USN-7786-1\",\n \"USN-7278-1\",\n \"UBUNTU-CVE-2024-13176\",\n \"UBUNTU-CVE-2024-41996\",\n \"UBUNTU-CVE-2024-9143\",\n \"UBUNTU-CVE-2025-15467\",\n \"UBUNTU-CVE-2025-27587\",\n \"UBUNTU-CVE-2025-68160\",\n \"UBUNTU-CVE-2025-69418\",\n \"UBUNTU-CVE-2025-69419\",\n \"UBUNTU-CVE-2025-69420\",\n \"UBUNTU-CVE-2025-69421\",\n \"UBUNTU-CVE-2025-9230\",\n \"UBUNTU-CVE-2026-22795\",\n \"UBUNTU-CVE-2026-22796\",\n \"UBUNTU-CVE-2026-2673\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libsystemd0\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7559-1\",\n \"UBUNTU-CVE-2023-7008\",\n \"UBUNTU-CVE-2025-4598\",\n \"UBUNTU-CVE-2026-4105\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libtasn1-6\",\n \"os_package_name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7954-1\",\n \"USN-7275-1\",\n \"UBUNTU-CVE-2021-46848\",\n \"UBUNTU-CVE-2024-12133\",\n \"UBUNTU-CVE-2025-13151\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libudev1\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7559-1\",\n \"UBUNTU-CVE-2023-7008\",\n \"UBUNTU-CVE-2025-4598\",\n \"UBUNTU-CVE-2026-4105\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libuuid1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libzstd\",\n \"os_package_name\": \"libzstd1\",\n \"version\": \"1.4.8+dfsg-3build1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2022-4899\"\n ]\n },\n {\n \"package\": {\n \"name\": \"shadow\",\n \"os_package_name\": \"login\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-29383\",\n \"UBUNTU-CVE-2024-56433\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"mount\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"shadow\",\n \"os_package_name\": \"passwd\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-29383\",\n \"UBUNTU-CVE-2024-56433\"\n ]\n },\n {\n \"package\": {\n \"name\": \"perl\",\n \"os_package_name\": \"perl-base\",\n \"version\": \"5.34.0-3ubuntu1.3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7434-1\",\n \"USN-7678-1\",\n \"UBUNTU-CVE-2023-31486\",\n \"UBUNTU-CVE-2023-47039\",\n \"UBUNTU-CVE-2024-56406\",\n \"UBUNTU-CVE-2025-40909\"\n ]\n },\n {\n \"package\": {\n \"name\": \"tar\",\n \"os_package_name\": \"tar\",\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2025-45582\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"util-linux\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"zlib\",\n \"os_package_name\": \"zlib1g\",\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2026-27171\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Ubuntu 22.04.5 LTS\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) ARG RELEASE\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"/bin/sh -c #(nop) ADD file:1b6c8c9518be42fa2afe5e241ca31677fce58d27cdfa88baa91a65a259be3637 in / \",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) CMD [/\"/bin/bash/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"ubuntu\",\n \"tags\": null\n },\n {\n \"name\": \"laurentsogeti/pod_showname_formation_ckad\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image - 2]\nScanning local image tarball \"./testdata/test-ubuntu.tar\"\n\n---\n\n[TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/usr/bin/fzf\",\n \"type\": \"artifact\"\n },\n \"experimental_pes\": [\n {\n \"Plugin\": \"vex/os-duplicate/dpkg\",\n \"Justification\": 1,\n \"VulnIdentifiers\": null,\n \"MatchesAllVulns\": true\n }\n ],\n \"packages\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.18.1\",\n \"ecosystem\": \"Go\",\n \"image_origin_details\": {\n \"index\": 7\n }\n },\n \"groups\": 84,\n \"vulnerabilities\": [\n \"GO-2022-0477\",\n \"GO-2022-0493\",\n \"GO-2022-0515\",\n \"GO-2022-0520\",\n \"GO-2022-0521\",\n \"GO-2022-0522\",\n \"GO-2022-0523\",\n \"GO-2022-0524\",\n \"GO-2022-0525\",\n \"GO-2022-0526\",\n \"GO-2022-0527\",\n \"GO-2022-0531\",\n \"GO-2022-0532\",\n \"GO-2022-0533\",\n \"GO-2022-0537\",\n \"GO-2022-0969\",\n \"GO-2022-1037\",\n \"GO-2022-1038\",\n \"GO-2022-1039\",\n \"GO-2022-1095\",\n \"GO-2022-1143\",\n \"GO-2022-1144\",\n \"GO-2023-1568\",\n \"GO-2023-1569\",\n \"GO-2023-1570\",\n \"GO-2023-1571\",\n \"GO-2023-1621\",\n \"GO-2023-1702\",\n \"GO-2023-1703\",\n \"GO-2023-1704\",\n \"GO-2023-1705\",\n \"GO-2023-1751\",\n \"GO-2023-1752\",\n \"GO-2023-1753\",\n \"GO-2023-1840\",\n \"GO-2023-1878\",\n \"GO-2023-1987\",\n \"GO-2023-2041\",\n \"GO-2023-2043\",\n \"GO-2023-2102\",\n \"GO-2023-2185\",\n \"GO-2023-2186\",\n \"GO-2023-2375\",\n \"GO-2023-2382\",\n \"GO-2024-2598\",\n \"GO-2024-2599\",\n \"GO-2024-2600\",\n \"GO-2024-2609\",\n \"GO-2024-2610\",\n \"GO-2024-2687\",\n \"GO-2024-2887\",\n \"GO-2024-2888\",\n \"GO-2024-2963\",\n \"GO-2024-3105\",\n \"GO-2024-3106\",\n \"GO-2024-3107\",\n \"GO-2025-3373\",\n \"GO-2025-3420\",\n \"GO-2025-3447\",\n \"GO-2025-3563\",\n \"GO-2025-3750\",\n \"GO-2025-3751\",\n \"GO-2025-3849\",\n \"GO-2025-3956\",\n \"GO-2025-4006\",\n \"GO-2025-4007\",\n \"GO-2025-4008\",\n \"GO-2025-4009\",\n \"GO-2025-4010\",\n \"GO-2025-4011\",\n \"GO-2025-4012\",\n \"GO-2025-4013\",\n \"GO-2025-4014\",\n \"GO-2025-4015\",\n \"GO-2025-4155\",\n \"GO-2025-4175\",\n \"GO-2026-4337\",\n \"GO-2026-4340\",\n \"GO-2026-4341\",\n \"GO-2026-4342\",\n \"GO-2026-4403\",\n \"GO-2026-4601\",\n \"GO-2026-4602\",\n \"GO-2026-4603\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/var/lib/dpkg/status\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"coreutils\",\n \"os_package_name\": \"coreutils\",\n \"version\": \"8.32-4.1ubuntu1.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2016-2781\",\n \"UBUNTU-CVE-2025-5278\"\n ]\n },\n {\n \"package\": {\n \"name\": \"dpkg\",\n \"os_package_name\": \"dpkg\",\n \"version\": \"1.21.1ubuntu2.3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7768-1\",\n \"UBUNTU-CVE-2025-6297\",\n \"UBUNTU-CVE-2026-2219\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"gcc-12-base\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gnupg2\",\n \"os_package_name\": \"gpgv\",\n \"version\": \"2.2.27-3ubuntu2.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 5,\n \"vulnerabilities\": [\n \"USN-7412-1\",\n \"USN-7946-1\",\n \"UBUNTU-CVE-2022-3219\",\n \"UBUNTU-CVE-2025-30258\",\n \"UBUNTU-CVE-2025-68972\",\n \"UBUNTU-CVE-2025-68973\",\n \"USN-7412-2\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libblkid1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc-bin\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-8005-1\",\n \"USN-7259-1\",\n \"USN-7541-1\",\n \"USN-7760-1\",\n \"UBUNTU-CVE-2016-20013\",\n \"UBUNTU-CVE-2025-0395\",\n \"UBUNTU-CVE-2025-15281\",\n \"UBUNTU-CVE-2025-4802\",\n \"UBUNTU-CVE-2025-8058\",\n \"UBUNTU-CVE-2026-0861\",\n \"UBUNTU-CVE-2026-0915\"\n ]\n },\n {\n \"package\": {\n \"name\": \"glibc\",\n \"os_package_name\": \"libc6\",\n \"version\": \"2.35-0ubuntu3.8\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-8005-1\",\n \"USN-7259-1\",\n \"USN-7541-1\",\n \"USN-7760-1\",\n \"UBUNTU-CVE-2016-20013\",\n \"UBUNTU-CVE-2025-0395\",\n \"UBUNTU-CVE-2025-15281\",\n \"UBUNTU-CVE-2025-4802\",\n \"UBUNTU-CVE-2025-8058\",\n \"UBUNTU-CVE-2026-0861\",\n \"UBUNTU-CVE-2026-0915\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libcap2\",\n \"os_package_name\": \"libcap2\",\n \"version\": \"1:2.44-1ubuntu0.22.04.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-7287-1\",\n \"UBUNTU-CVE-2025-1390\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"libgcc-s1\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libgcrypt20\",\n \"os_package_name\": \"libgcrypt20\",\n \"version\": \"1.9.4-3ubuntu3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2024-2236\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gnutls28\",\n \"os_package_name\": \"libgnutls30\",\n \"version\": \"3.7.3-4ubuntu1.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7635-1\",\n \"USN-8043-1\",\n \"USN-7281-1\",\n \"UBUNTU-CVE-2024-12243\",\n \"UBUNTU-CVE-2025-14831\",\n \"UBUNTU-CVE-2025-32988\",\n \"UBUNTU-CVE-2025-32989\",\n \"UBUNTU-CVE-2025-32990\",\n \"UBUNTU-CVE-2025-6395\",\n \"UBUNTU-CVE-2025-9820\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libgssapi-krb5-2\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libk5crypto3\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libkrb5-3\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"krb5\",\n \"os_package_name\": \"libkrb5support0\",\n \"version\": \"1.19.2-2ubuntu0.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7314-1\",\n \"USN-7257-1\",\n \"USN-7542-1\",\n \"UBUNTU-CVE-2018-5709\",\n \"UBUNTU-CVE-2024-26458\",\n \"UBUNTU-CVE-2024-26461\",\n \"UBUNTU-CVE-2024-3596\",\n \"UBUNTU-CVE-2025-24528\",\n \"UBUNTU-CVE-2025-3576\"\n ]\n },\n {\n \"package\": {\n \"name\": \"lz4\",\n \"os_package_name\": \"liblz4-1\",\n \"version\": \"1.9.3-2build2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2025-62813\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libmount1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libncurses6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libncursesw6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-modules\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-modules-bin\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam-runtime\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pam\",\n \"os_package_name\": \"libpam0g\",\n \"version\": \"1.4.0-11ubuntu2.5\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7580-1\",\n \"UBUNTU-CVE-2024-10041\",\n \"UBUNTU-CVE-2025-6020\",\n \"UBUNTU-CVE-2025-8941\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pcre2\",\n \"os_package_name\": \"libpcre2-8-0\",\n \"version\": \"10.39-3ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2022-41409\"\n ]\n },\n {\n \"package\": {\n \"name\": \"pcre3\",\n \"os_package_name\": \"libpcre3\",\n \"version\": \"2:8.39-13ubuntu0.22.04.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2017-11164\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libsmartcols1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"openssl\",\n \"os_package_name\": \"libssl3\",\n \"version\": \"3.0.2-0ubuntu1.18\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 6,\n \"vulnerabilities\": [\n \"USN-7980-1\",\n \"USN-7786-1\",\n \"USN-7278-1\",\n \"UBUNTU-CVE-2024-13176\",\n \"UBUNTU-CVE-2024-41996\",\n \"UBUNTU-CVE-2024-9143\",\n \"UBUNTU-CVE-2025-15467\",\n \"UBUNTU-CVE-2025-27587\",\n \"UBUNTU-CVE-2025-68160\",\n \"UBUNTU-CVE-2025-69418\",\n \"UBUNTU-CVE-2025-69419\",\n \"UBUNTU-CVE-2025-69420\",\n \"UBUNTU-CVE-2025-69421\",\n \"UBUNTU-CVE-2025-9230\",\n \"UBUNTU-CVE-2026-22795\",\n \"UBUNTU-CVE-2026-22796\",\n \"UBUNTU-CVE-2026-2673\"\n ]\n },\n {\n \"package\": {\n \"name\": \"gcc-12\",\n \"os_package_name\": \"libstdc++6\",\n \"version\": \"12.3.0-1ubuntu1~22.04\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7700-1\",\n \"UBUNTU-CVE-2022-27943\",\n \"UBUNTU-CVE-2023-4039\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libsystemd0\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7559-1\",\n \"UBUNTU-CVE-2023-7008\",\n \"UBUNTU-CVE-2025-4598\",\n \"UBUNTU-CVE-2026-4105\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libtasn1-6\",\n \"os_package_name\": \"libtasn1-6\",\n \"version\": \"4.18.0-4build1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"USN-7954-1\",\n \"USN-7275-1\",\n \"UBUNTU-CVE-2021-46848\",\n \"UBUNTU-CVE-2024-12133\",\n \"UBUNTU-CVE-2025-13151\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"libtinfo6\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"systemd\",\n \"os_package_name\": \"libudev1\",\n \"version\": \"249.11-0ubuntu3.12\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 3,\n \"vulnerabilities\": [\n \"USN-7559-1\",\n \"UBUNTU-CVE-2023-7008\",\n \"UBUNTU-CVE-2025-4598\",\n \"UBUNTU-CVE-2026-4105\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"libuuid1\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"libzstd\",\n \"os_package_name\": \"libzstd1\",\n \"version\": \"1.4.8+dfsg-3build1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2022-4899\"\n ]\n },\n {\n \"package\": {\n \"name\": \"shadow\",\n \"os_package_name\": \"login\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-29383\",\n \"UBUNTU-CVE-2024-56433\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"mount\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-base\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ncurses\",\n \"os_package_name\": \"ncurses-bin\",\n \"version\": \"6.3-2ubuntu0.1\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-50495\",\n \"UBUNTU-CVE-2025-6141\"\n ]\n },\n {\n \"package\": {\n \"name\": \"shadow\",\n \"os_package_name\": \"passwd\",\n \"version\": \"1:4.8.1-2ubuntu2.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2023-29383\",\n \"UBUNTU-CVE-2024-56433\"\n ]\n },\n {\n \"package\": {\n \"name\": \"perl\",\n \"os_package_name\": \"perl-base\",\n \"version\": \"5.34.0-3ubuntu1.3\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 4,\n \"vulnerabilities\": [\n \"USN-7434-1\",\n \"USN-7678-1\",\n \"UBUNTU-CVE-2023-31486\",\n \"UBUNTU-CVE-2023-47039\",\n \"UBUNTU-CVE-2024-56406\",\n \"UBUNTU-CVE-2025-40909\"\n ]\n },\n {\n \"package\": {\n \"name\": \"tar\",\n \"os_package_name\": \"tar\",\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2025-45582\"\n ]\n },\n {\n \"package\": {\n \"name\": \"util-linux\",\n \"os_package_name\": \"util-linux\",\n \"version\": \"2.37.2-4ubuntu3.4\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"USN-8091-1\"\n ]\n },\n {\n \"package\": {\n \"name\": \"zlib\",\n \"os_package_name\": \"zlib1g\",\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\",\n \"ecosystem\": \"Ubuntu:22.04\",\n \"image_origin_details\": {\n \"index\": 4\n }\n },\n \"groups\": 1,\n \"vulnerabilities\": [\n \"UBUNTU-CVE-2026-27171\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"image_metadata\": {\n \"os\": \"Ubuntu 22.04.5 LTS\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) ARG RELEASE\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH\",\n \"is_empty\": true,\n \"base_image_index\": 2\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"/bin/sh -c #(nop) ADD file:1b6c8c9518be42fa2afe5e241ca31677fce58d27cdfa88baa91a65a259be3637 in / \",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) CMD [/\"/bin/bash/\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"COPY ./sample-pkgs/fzf_0.29.0-1ubuntu0.1_amd64.deb /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c dpkg -i /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb /u0026/u0026 rm /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"ubuntu\",\n \"tags\": null\n },\n {\n \"name\": \"laurentsogeti/pod_showname_formation_ckad\",\n \"tags\": null\n }\n ]\n }\n}\n\n---\n\n[TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json - 2]\nScanning local image tarball \"./testdata/test-ubuntu-with-packages.tar\"\n\n---\n" }, { "path": "cmd/osv-scanner/scan/image/command.go", "content": "// Package image implements the `image` subcommand of the `scan` command.\npackage image\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"image\",\n\t\tUsage: \"detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally\",\n\t\tDescription: \"detects vulnerabilities in a container image's dependencies, pulling the image if it's not found locally\",\n\t\tFlags: append([]cli.Flag{\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"archive\",\n\t\t\t\tUsage: \"input a local archive image (e.g. a tar file)\",\n\t\t\t},\n\t\t}, helper.BuildCommonScanFlags([]string{\"artifact\"})...),\n\t\tArgsUsage: \"[image imageNameWithTag]\",\n\t\tAction: func(ctx context.Context, cmd *cli.Command) error {\n\t\t\treturn action(ctx, cmd, stdout, stderr, client)\n\t\t},\n\t}\n}\n\nfunc action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, client *http.Client) error {\n\tif cmd.Args().Len() == 0 {\n\t\treturn errors.New(\"please provide an image name or see the help document\")\n\t}\n\n\tisImageArchive := cmd.Bool(\"archive\")\n\timage := cmd.Args().First()\n\tif !isImageArchive && !strings.Contains(image, \":\") {\n\t\treturn fmt.Errorf(\"%q is not a tagged image name\", image)\n\t}\n\n\tformat := cmd.String(\"format\")\n\toutputPath := cmd.String(\"output-file\")\n\n\tif outputPath == \"\" {\n\t\toutputPath = cmd.String(\"output\")\n\t}\n\tserve := cmd.Bool(\"serve\")\n\tif serve {\n\t\tformat = \"html\"\n\t\tif outputPath == \"\" {\n\t\t\t// Create a temporary directory\n\t\t\ttmpDir, err := os.MkdirTemp(\"\", \"osv-scanner-result\")\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed creating temporary directory: %w\\n\"+\n\t\t\t\t\t\"Please use `--output-file result.html` to specify the output path\", err)\n\t\t\t}\n\n\t\t\t// Remove the created temporary directory after\n\t\t\tdefer os.RemoveAll(tmpDir)\n\t\t\toutputPath = filepath.Join(tmpDir, \"index.html\")\n\t\t}\n\t}\n\n\tscanLicensesAllowlist, err := helper.GetScanLicensesAllowlist(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tscannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)\n\n\tscannerAction.Image = cmd.Args().First()\n\tscannerAction.IsImageArchive = cmd.Bool(\"archive\")\n\tscannerAction.ExperimentalScannerActions = helper.GetExperimentalScannerActions(cmd, client)\n\tscannerAction.RequestUserAgent = \"osv-scanner_scan-image/\" + version.OSVVersion\n\tvar vulnResult models.VulnerabilityResults\n\t//nolint:contextcheck // passing the context in would be a breaking change\n\tvulnResult, err = osvscanner.DoContainerScan(scannerAction)\n\n\tif cmd.Bool(\"allow-no-lockfiles\") && errors.Is(err, osvscanner.ErrNoPackagesFound) {\n\t\tcmdlogger.Warnf(\"No package sources found\")\n\t\terr = nil\n\t}\n\n\tif err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {\n\t\treturn err\n\t}\n\n\tif errPrint := helper.PrintResult(stdout, stderr, outputPath, format, &vulnResult, scannerAction.ShowAllVulns); errPrint != nil {\n\t\treturn fmt.Errorf(\"failed to write output: %w\", errPrint)\n\t}\n\n\t// Auto-open outputted HTML file for users.\n\tif outputPath != \"\" {\n\t\tif serve {\n\t\t\thelper.ServeHTML(outputPath)\n\t\t} else if format == \"html\" {\n\t\t\tcmdlogger.Infof(\"HTML output available at: %s\", outputPath)\n\t\t}\n\t}\n\n\t// This may be nil.\n\treturn err\n}\n" }, { "path": "cmd/osv-scanner/scan/image/command_test.go", "content": "package image_test\n\nimport (\n\t\"errors\"\n\t\"os\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {\n\tt.Parallel()\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires docker to build the images\")\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"add_extractors\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_with_presets\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx,sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_ExplicitExtractors_WithoutDefaults(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires docker to build the images\")\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"add_extractors\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_with_presets\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx,sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"testdata/test-alpine-sbom.tar\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_Docker(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires docker (also takes a long time to pull images)\")\n\ttestutility.SkipIfShort(t)\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"no_image_argument\",\n\t\t\tArgs: []string{\"\", \"image\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Fake_alpine_image\",\n\t\t\tArgs: []string{\"\", \"image\", \"alpine:non-existent-tag\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Fake_image_entirely\",\n\t\t\tArgs: []string{\"\", \"image\", \"this-image-definitely-does-not-exist-abcde:with-tag\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Real_empty_image_with_no_tag,_invalid_scan_target\",\n\t\t\tArgs: []string{\"\", \"image\", \"hello-world\"},\n\t\t\tExit: 127, // Invalid scan target\n\t\t},\n\t\t{\n\t\t\tName: \"Real_empty_image_with_tag\",\n\t\t\tArgs: []string{\"\", \"image\", \"hello-world:linux\"},\n\t\t\tExit: 128, // No package found\n\t\t},\n\t\t{\n\t\t\tName: \"real_empty_image_with_tag_and_allow_no_lockfiles_flag\",\n\t\t\tArgs: []string{\"\", \"image\", \"--allow-no-lockfiles\", \"hello-world:linux\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Real_Alpine_image\",\n\t\t\tArgs: []string{\"\", \"image\", \"alpine:3.18.9\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\t// this will result in an error about not being able to find any package sources\n\t\t\t// since we've requested the os/apk extractor disabled, and there's nothing else\n\t\t\t// in the image that we support extracting\n\t\t\tName: \"real_alpine_image_without_apk_extractor_enabled\",\n\t\t\tArgs: []string{\"\", \"image\", \"--experimental-disable-plugins=os/apk\", \"alpine:3.18.9\"},\n\t\t\tExit: 128,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// Only test on linux, and mac/windows CI/CD does not come with docker preinstalled\n\t\t\tif runtime.GOOS != \"linux\" {\n\t\t\t\ttestutility.Skip(t, \"Skipping Docker-based test as only Linux has Docker installed in CI\")\n\t\t\t}\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_OCIImage(t *testing.T) {\n\tt.Parallel()\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires docker to build the images\")\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"Invalid_path\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"../../testdata/locks-manyoci-image/no-file-here.tar\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Alpine_3.10_image_tar_with_3.18_version_file\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-alpine.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Empty_Ubuntu_22.04_image_tar\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-ubuntu.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns\",\n\t\t\tArgs: []string{\"\", \"image\", \"--all-vulns\", \"--archive\", \"./testdata/test-ubuntu.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--all-vulns\",\n\t\t\t\t\"--config=./testdata/ubuntu20-04-unimportant-config.toml\",\n\t\t\t\t\"--all-vulns\", \"./testdata/test-ubuntu-20-04.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\t// This tests that unimportant vulns are hidden properly\n\t\t\t// If the test is failing (reporting new important vulns), add the package that introduced the vuln as ignore=true to the config.toml\n\t\t\t// The package with unimportant vulns is pcre3, so if a new vulnerability appears for that package, don't ignore the entire package, just ignore the important vulnerability specifically.\n\t\t\tName: \"Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\",\n\t\t\t\t\"--config=./testdata/ubuntu20-04-unimportant-config.toml\",\n\t\t\t\t\"./testdata/test-ubuntu-20-04.tar\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// This tests that the fzf go binary is not being reported because it's a OS package\n\t\t\tName: \"Scanning_Ubuntu_image_with_go_OS_packages_json\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-ubuntu-with-packages.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Scanning_python_image_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-python-full.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Scanning_python_image_with_no_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-python-empty.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Scanning_java_image_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-java-full.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_npm_with_no_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-npm-empty.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_npm_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-npm-full.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_yarn_with_no_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-yarn-empty.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_yarn_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-yarn-full.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_pnpm_with_no_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-pnpm-empty.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_pnpm_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-node_modules-pnpm-full.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_image_with_go_binary\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"./testdata/test-package-tracing.tar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_without_detectors\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_with_specific_detector_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--experimental-plugins\", \"os/apk\",\n\t\t\t\t\"--experimental-plugins\", \"weakcredentials/etcshadow\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_with_specific_detector_disabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--experimental-plugins\", \"os/apk\",\n\t\t\t\t\"--experimental-plugins\", \"weakcreds\",\n\t\t\t\t\"--experimental-disable-plugins\", \"weakcredentials/etcshadow\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_with_detector_preset\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\",\n\t\t\t\t\"--experimental-plugins\", \"os/apk\",\n\t\t\t\t\"--experimental-plugins\", \"weakcreds\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// point out that we need the images to be built and saved separately\n\t\t\tfor _, arg := range tt.Args {\n\t\t\t\tif strings.HasPrefix(arg, \"./testdata/\") && strings.HasSuffix(arg, \".tar\") {\n\t\t\t\t\tif _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) {\n\t\t\t\t\t\tt.Fatalf(\"%s does not exist - have you run scripts/build_test_images.sh?\", arg)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_OCIImage_JSONFormat(t *testing.T) {\n\tt.Parallel()\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires docker to build the images\")\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"Scanning_python_image_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--format=json\", \"./testdata/test-python-full.tar\"},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t\ttestutility.NormalizeHistoryCommand,\n\t\t\t\ttestutility.ShortenHistoryCommandLength,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_node_modules_using_npm_with_some_packages\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--format=json\", \"./testdata/test-node_modules-npm-full.tar\"},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t\ttestutility.NormalizeHistoryCommand,\n\t\t\t\ttestutility.ShortenHistoryCommandLength,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_image_with_go_binary\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--all-packages\", \"--format=json\", \"./testdata/test-go-binary.tar\"},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t\ttestutility.NormalizeHistoryCommand,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_ubuntu_image\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--format=json\", \"./testdata/test-ubuntu.tar\"},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// This tests that the fzf go binary is not being reported because it's a OS package\n\t\t\tName: \"ubuntu_image_with_go_OS_packages_json\",\n\t\t\tArgs: []string{\"\", \"image\", \"--archive\", \"--format=json\", \"./testdata/test-ubuntu-with-packages.tar\"},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_with_specific_detector_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\", \"--format=json\",\n\t\t\t\t\"--experimental-plugins\", \"os/apk\",\n\t\t\t\t\"--experimental-plugins\", \"weakcredentials/etcshadow\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_insecure_alpine_image_with_detector_preset\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\", \"--format=json\",\n\t\t\t\t\"--experimental-plugins\", \"os/apk\",\n\t\t\t\t\"--experimental-plugins\", \"weakcreds\",\n\t\t\t\t\"--archive\", \"./testdata/test-alpine-etcshadow.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_image_with_deprecated_packages\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"image\", \"--format=json\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"--archive\", \"./testdata/test-image-with-deprecated.tar\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t\ttestutility.OnlyFirstBaseImage,\n\t\t\t\ttestutility.AnyDiffID,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// point out that we need the images to be built and saved separately\n\t\t\tfor _, arg := range tt.Args {\n\t\t\t\tif strings.HasPrefix(arg, \"./testdata/\") && strings.HasSuffix(arg, \".tar\") {\n\t\t\t\t\tif _, err := os.Stat(arg); errors.Is(err, os.ErrNotExist) {\n\t\t\t\t\t\tt.Fatalf(\"%s does not exist - have you run scripts/build_test_images.sh?\", arg)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_HtmlFile(t *testing.T) {\n\tt.Parallel()\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Needs built container images\")\n\n\ttestDir := testutility.CreateTestDir(t)\n\tclient := testcmd.InsertCassette(t)\n\n\t_, stderr := testcmd.RunAndNormalize(t, testcmd.Case{\n\t\tName: \"one_specific_supported_lockfile\",\n\t\tArgs: []string{\"\",\n\t\t\t\"image\", \"--format=html\", \"--output-file\", testDir + \"/report.html\",\n\t\t\t\"--archive\", \"./testdata/test-alpine.tar\",\n\t\t},\n\t\tExit: 1,\n\n\t\tHTTPClient: testcmd.WithTestNameHeader(t, *client),\n\t})\n\n\ttestutility.NewSnapshot().WithWindowsReplacements(map[string]string{\n\t\t\"CreateFile\": \"stat\",\n\t}).MatchText(t, stderr)\n\n\t_, err := os.Stat(testDir + \"/report.html\")\n\n\tif err != nil {\n\t\tt.Errorf(\"Unexpected %v\", err)\n\t}\n}\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/alpine-3.18-alpine-release", "content": "3.18.1\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/alpine-3.18-os-release", "content": "/ # cat /etc/os-release\nNAME=\"Alpine Linux\"\nID=alpine\nVERSION_ID=3.18.1\nPRETTY_NAME=\"Alpine Linux v3.18\"\nHOME_URL=\"https://alpinelinux.org/\"\nBUG_REPORT_URL=\"https://gitlab.alpinelinux.org/alpine/aports/-/issues\"\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_Docker.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2036\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20240226-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.13-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Docker/Real_Alpine_image\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 524\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"524\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithDefaults.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2031\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.12-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/add_extractors\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 364\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"364\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out#01\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_ExplicitExtractors_WithoutDefaults.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 146\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.12-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/add_extractors\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 241\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"241\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_HtmlFile.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_HtmlFile\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 9123\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-30139\",\n \"modified\": \"2025-12-03T22:50:14.655691Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-28831\",\n \"modified\": \"2025-12-03T22:48:35.192485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42374\",\n \"modified\": \"2025-12-03T22:49:03.048460Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42375\",\n \"modified\": \"2025-12-03T22:49:02.368046Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42378\",\n \"modified\": \"2025-12-03T22:49:02.812229Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42379\",\n \"modified\": \"2025-12-03T22:49:03.820223Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42380\",\n \"modified\": \"2025-12-03T22:49:02.273108Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42381\",\n \"modified\": \"2025-12-03T22:49:03.051591Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42382\",\n \"modified\": \"2025-12-03T22:49:04.080847Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42383\",\n \"modified\": \"2025-12-03T22:44:20.740566Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42384\",\n \"modified\": \"2025-12-03T22:49:04.436301Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42385\",\n \"modified\": \"2025-12-03T22:49:10.217079Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42386\",\n \"modified\": \"2025-12-03T22:49:10.486445Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-28391\",\n \"modified\": \"2025-12-03T22:49:51.276555Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-30065\",\n \"modified\": \"2025-12-03T22:50:17.721153Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-48174\",\n \"modified\": \"2025-12-03T22:51:16.750993Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-3711\",\n \"modified\": \"2025-12-03T22:48:47.560805Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-3712\",\n \"modified\": \"2025-12-03T22:48:49.466816Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-4044\",\n \"modified\": \"2025-12-03T22:48:53.587104Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-0778\",\n \"modified\": \"2025-12-03T22:51:07.769542Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1343\",\n \"modified\": \"2025-12-03T22:49:45.912660Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1434\",\n \"modified\": \"2025-12-03T22:49:45.753526Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1473\",\n \"modified\": \"2025-12-03T22:49:45.860197Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-2097\",\n \"modified\": \"2025-12-03T22:49:52.265196Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3358\",\n \"modified\": \"2025-12-03T22:50:26.362856Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3602\",\n \"modified\": \"2025-12-03T22:49:29.680146Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3786\",\n \"modified\": \"2025-12-03T22:49:30.746181Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3996\",\n \"modified\": \"2025-12-03T22:49:49.550771Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4203\",\n \"modified\": \"2025-12-03T22:50:09.259826Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4304\",\n \"modified\": \"2025-12-03T22:50:48.258567Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4450\",\n \"modified\": \"2025-12-03T22:50:58.174496Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0215\",\n \"modified\": \"2025-12-03T22:51:20.776116Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0216\",\n \"modified\": \"2025-12-03T22:51:17.381381Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0217\",\n \"modified\": \"2025-12-03T22:51:22.400597Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0286\",\n \"modified\": \"2025-12-03T22:51:24.172927Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0401\",\n \"modified\": \"2025-12-03T22:51:23.275814Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0464\",\n \"modified\": \"2025-12-03T22:51:31.741129Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0465\",\n \"modified\": \"2025-12-03T22:51:25.194508Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-1255\",\n \"modified\": \"2025-12-03T22:51:44.316240Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2650\",\n \"modified\": \"2025-12-03T22:52:10.812098Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2975\",\n \"modified\": \"2025-12-03T22:52:35.084843Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3446\",\n \"modified\": \"2025-12-03T22:52:52.082224Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3817\",\n \"modified\": \"2025-12-03T22:52:53.211969Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5363\",\n \"modified\": \"2025-12-03T22:54:35.065257Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5678\",\n \"modified\": \"2025-12-03T22:54:30.066451Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6129\",\n \"modified\": \"2025-12-03T22:54:41.708177Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6237\",\n \"modified\": \"2025-12-03T22:54:40.422752Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-0727\",\n \"modified\": \"2025-12-03T22:54:44.266485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-3711\",\n \"modified\": \"2025-12-03T22:48:47.560805Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-3712\",\n \"modified\": \"2025-12-03T22:48:49.466816Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-4044\",\n \"modified\": \"2025-12-03T22:48:53.587104Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-0778\",\n \"modified\": \"2025-12-03T22:51:07.769542Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1343\",\n \"modified\": \"2025-12-03T22:49:45.912660Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1434\",\n \"modified\": \"2025-12-03T22:49:45.753526Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1473\",\n \"modified\": \"2025-12-03T22:49:45.860197Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-2097\",\n \"modified\": \"2025-12-03T22:49:52.265196Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3358\",\n \"modified\": \"2025-12-03T22:50:26.362856Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3602\",\n \"modified\": \"2025-12-03T22:49:29.680146Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3786\",\n \"modified\": \"2025-12-03T22:49:30.746181Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3996\",\n \"modified\": \"2025-12-03T22:49:49.550771Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4203\",\n \"modified\": \"2025-12-03T22:50:09.259826Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4304\",\n \"modified\": \"2025-12-03T22:50:48.258567Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4450\",\n \"modified\": \"2025-12-03T22:50:58.174496Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0215\",\n \"modified\": \"2025-12-03T22:51:20.776116Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0216\",\n \"modified\": \"2025-12-03T22:51:17.381381Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0217\",\n \"modified\": \"2025-12-03T22:51:22.400597Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0286\",\n \"modified\": \"2025-12-03T22:51:24.172927Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0401\",\n \"modified\": \"2025-12-03T22:51:23.275814Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0464\",\n \"modified\": \"2025-12-03T22:51:31.741129Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0465\",\n \"modified\": \"2025-12-03T22:51:25.194508Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-1255\",\n \"modified\": \"2025-12-03T22:51:44.316240Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2650\",\n \"modified\": \"2025-12-03T22:52:10.812098Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2975\",\n \"modified\": \"2025-12-03T22:52:35.084843Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3446\",\n \"modified\": \"2025-12-03T22:52:52.082224Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3817\",\n \"modified\": \"2025-12-03T22:52:53.211969Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5363\",\n \"modified\": \"2025-12-03T22:54:35.065257Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5678\",\n \"modified\": \"2025-12-03T22:54:30.066451Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6129\",\n \"modified\": \"2025-12-03T22:54:41.708177Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6237\",\n \"modified\": \"2025-12-03T22:54:40.422752Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-0727\",\n \"modified\": \"2025-12-03T22:54:44.266485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2019-14697\",\n \"modified\": \"2025-12-03T22:44:35.333781Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2020-28928\",\n \"modified\": \"2025-12-03T22:47:06.985001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2019-14697\",\n \"modified\": \"2025-12-03T22:44:35.333781Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2020-28928\",\n \"modified\": \"2025-12-03T22:47:06.985001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-28831\",\n \"modified\": \"2025-12-03T22:48:35.192485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42374\",\n \"modified\": \"2025-12-03T22:49:03.048460Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42375\",\n \"modified\": \"2025-12-03T22:49:02.368046Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42378\",\n \"modified\": \"2025-12-03T22:49:02.812229Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42379\",\n \"modified\": \"2025-12-03T22:49:03.820223Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42380\",\n \"modified\": \"2025-12-03T22:49:02.273108Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42381\",\n \"modified\": \"2025-12-03T22:49:03.051591Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42382\",\n \"modified\": \"2025-12-03T22:49:04.080847Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42383\",\n \"modified\": \"2025-12-03T22:44:20.740566Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42384\",\n \"modified\": \"2025-12-03T22:49:04.436301Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42385\",\n \"modified\": \"2025-12-03T22:49:10.217079Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42386\",\n \"modified\": \"2025-12-03T22:49:10.486445Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-28391\",\n \"modified\": \"2025-12-03T22:49:51.276555Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-30065\",\n \"modified\": \"2025-12-03T22:50:17.721153Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-48174\",\n \"modified\": \"2025-12-03T22:51:16.750993Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"9123\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.18\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Alpine_3.10_image_tar_with_3.18_version_file\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 9123\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-30139\",\n \"modified\": \"2025-12-03T22:50:14.655691Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-28831\",\n \"modified\": \"2025-12-03T22:48:35.192485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42374\",\n \"modified\": \"2025-12-03T22:49:03.048460Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42375\",\n \"modified\": \"2025-12-03T22:49:02.368046Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42378\",\n \"modified\": \"2025-12-03T22:49:02.812229Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42379\",\n \"modified\": \"2025-12-03T22:49:03.820223Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42380\",\n \"modified\": \"2025-12-03T22:49:02.273108Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42381\",\n \"modified\": \"2025-12-03T22:49:03.051591Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42382\",\n \"modified\": \"2025-12-03T22:49:04.080847Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42383\",\n \"modified\": \"2025-12-03T22:44:20.740566Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42384\",\n \"modified\": \"2025-12-03T22:49:04.436301Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42385\",\n \"modified\": \"2025-12-03T22:49:10.217079Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42386\",\n \"modified\": \"2025-12-03T22:49:10.486445Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-28391\",\n \"modified\": \"2025-12-03T22:49:51.276555Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-30065\",\n \"modified\": \"2025-12-03T22:50:17.721153Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-48174\",\n \"modified\": \"2025-12-03T22:51:16.750993Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-3711\",\n \"modified\": \"2025-12-03T22:48:47.560805Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-3712\",\n \"modified\": \"2025-12-03T22:48:49.466816Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-4044\",\n \"modified\": \"2025-12-03T22:48:53.587104Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-0778\",\n \"modified\": \"2025-12-03T22:51:07.769542Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1343\",\n \"modified\": \"2025-12-03T22:49:45.912660Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1434\",\n \"modified\": \"2025-12-03T22:49:45.753526Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1473\",\n \"modified\": \"2025-12-03T22:49:45.860197Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-2097\",\n \"modified\": \"2025-12-03T22:49:52.265196Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3358\",\n \"modified\": \"2025-12-03T22:50:26.362856Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3602\",\n \"modified\": \"2025-12-03T22:49:29.680146Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3786\",\n \"modified\": \"2025-12-03T22:49:30.746181Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3996\",\n \"modified\": \"2025-12-03T22:49:49.550771Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4203\",\n \"modified\": \"2025-12-03T22:50:09.259826Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4304\",\n \"modified\": \"2025-12-03T22:50:48.258567Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4450\",\n \"modified\": \"2025-12-03T22:50:58.174496Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0215\",\n \"modified\": \"2025-12-03T22:51:20.776116Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0216\",\n \"modified\": \"2025-12-03T22:51:17.381381Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0217\",\n \"modified\": \"2025-12-03T22:51:22.400597Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0286\",\n \"modified\": \"2025-12-03T22:51:24.172927Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0401\",\n \"modified\": \"2025-12-03T22:51:23.275814Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0464\",\n \"modified\": \"2025-12-03T22:51:31.741129Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0465\",\n \"modified\": \"2025-12-03T22:51:25.194508Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-1255\",\n \"modified\": \"2025-12-03T22:51:44.316240Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2650\",\n \"modified\": \"2025-12-03T22:52:10.812098Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2975\",\n \"modified\": \"2025-12-03T22:52:35.084843Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3446\",\n \"modified\": \"2025-12-03T22:52:52.082224Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3817\",\n \"modified\": \"2025-12-03T22:52:53.211969Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5363\",\n \"modified\": \"2025-12-03T22:54:35.065257Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5678\",\n \"modified\": \"2025-12-03T22:54:30.066451Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6129\",\n \"modified\": \"2025-12-03T22:54:41.708177Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6237\",\n \"modified\": \"2025-12-03T22:54:40.422752Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-0727\",\n \"modified\": \"2025-12-03T22:54:44.266485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-3711\",\n \"modified\": \"2025-12-03T22:48:47.560805Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-3712\",\n \"modified\": \"2025-12-03T22:48:49.466816Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-4044\",\n \"modified\": \"2025-12-03T22:48:53.587104Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-0778\",\n \"modified\": \"2025-12-03T22:51:07.769542Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1343\",\n \"modified\": \"2025-12-03T22:49:45.912660Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1434\",\n \"modified\": \"2025-12-03T22:49:45.753526Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-1473\",\n \"modified\": \"2025-12-03T22:49:45.860197Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-2097\",\n \"modified\": \"2025-12-03T22:49:52.265196Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3358\",\n \"modified\": \"2025-12-03T22:50:26.362856Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3602\",\n \"modified\": \"2025-12-03T22:49:29.680146Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3786\",\n \"modified\": \"2025-12-03T22:49:30.746181Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-3996\",\n \"modified\": \"2025-12-03T22:49:49.550771Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4203\",\n \"modified\": \"2025-12-03T22:50:09.259826Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4304\",\n \"modified\": \"2025-12-03T22:50:48.258567Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-4450\",\n \"modified\": \"2025-12-03T22:50:58.174496Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0215\",\n \"modified\": \"2025-12-03T22:51:20.776116Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0216\",\n \"modified\": \"2025-12-03T22:51:17.381381Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0217\",\n \"modified\": \"2025-12-03T22:51:22.400597Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0286\",\n \"modified\": \"2025-12-03T22:51:24.172927Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0401\",\n \"modified\": \"2025-12-03T22:51:23.275814Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0464\",\n \"modified\": \"2025-12-03T22:51:31.741129Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-0465\",\n \"modified\": \"2025-12-03T22:51:25.194508Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-1255\",\n \"modified\": \"2025-12-03T22:51:44.316240Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2650\",\n \"modified\": \"2025-12-03T22:52:10.812098Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-2975\",\n \"modified\": \"2025-12-03T22:52:35.084843Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3446\",\n \"modified\": \"2025-12-03T22:52:52.082224Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-3817\",\n \"modified\": \"2025-12-03T22:52:53.211969Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5363\",\n \"modified\": \"2025-12-03T22:54:35.065257Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-5678\",\n \"modified\": \"2025-12-03T22:54:30.066451Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6129\",\n \"modified\": \"2025-12-03T22:54:41.708177Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-6237\",\n \"modified\": \"2025-12-03T22:54:40.422752Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-0727\",\n \"modified\": \"2025-12-03T22:54:44.266485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2019-14697\",\n \"modified\": \"2025-12-03T22:44:35.333781Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2020-28928\",\n \"modified\": \"2025-12-03T22:47:06.985001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2019-14697\",\n \"modified\": \"2025-12-03T22:44:35.333781Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2020-28928\",\n \"modified\": \"2025-12-03T22:47:06.985001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-28831\",\n \"modified\": \"2025-12-03T22:48:35.192485Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42374\",\n \"modified\": \"2025-12-03T22:49:03.048460Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42375\",\n \"modified\": \"2025-12-03T22:49:02.368046Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42378\",\n \"modified\": \"2025-12-03T22:49:02.812229Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42379\",\n \"modified\": \"2025-12-03T22:49:03.820223Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42380\",\n \"modified\": \"2025-12-03T22:49:02.273108Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42381\",\n \"modified\": \"2025-12-03T22:49:03.051591Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42382\",\n \"modified\": \"2025-12-03T22:49:04.080847Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42383\",\n \"modified\": \"2025-12-03T22:44:20.740566Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42384\",\n \"modified\": \"2025-12-03T22:49:04.436301Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42385\",\n \"modified\": \"2025-12-03T22:49:10.217079Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2021-42386\",\n \"modified\": \"2025-12-03T22:49:10.486445Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-28391\",\n \"modified\": \"2025-12-03T22:49:51.276555Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-30065\",\n \"modified\": \"2025-12-03T22:50:17.721153Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-48174\",\n \"modified\": \"2025-12-03T22:51:16.750993Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"9123\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 7442\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.0.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"11ubuntu5.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.47\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.0-6ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.10.2-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.73\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.9.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.7-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.7.0-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.4-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-0ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.57\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.2.53-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.0.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.4.48-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.5-2ubuntu6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.5-2ubuntu6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.10-10ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.6ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.251ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.3-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.0+dfsg-4ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.37-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.5.1+really3.5.1-2ubuntu0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.2.0-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.4-1ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.5.1+really3.5.1-2ubuntu0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.23.20-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.16-1ubuntu2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.1-1ubuntu1~20.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.0-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"0.9.10-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.4+dfsg-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.16-1ubuntu2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.7-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.12+nmu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"2.96-2.1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2020.02.11.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_no_vulns_shown\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 256\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"256\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 7442\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.0.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"11ubuntu5.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.47\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.0-6ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.10.2-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.73\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.9.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.7-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.7.0-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.4-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-0ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.57\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.2.53-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.0.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.4.48-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.5-2ubuntu6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.5-2ubuntu6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.10-10ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.6ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.251ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.3-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.0+dfsg-4ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.37-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.5.1+really3.5.1-2ubuntu0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.2.0-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.4-1ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.5.1+really3.5.1-2ubuntu0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.23.20-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.16-1ubuntu2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.1-1ubuntu1~20.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.0-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.0-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"0.9.10-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.4+dfsg-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.45.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.16-1ubuntu2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.7-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.12+nmu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"2.96-2.1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:20.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2020.02.11.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Empty_Ubuntu_20.04_image_tar_with_only_unimportant_vulns_shown\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 256\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"256\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14065\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"12ubuntu4.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.52build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.1-6ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.32-4.1ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.11+git20210903+057cd650a4ed-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.79ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"5.5-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.8-0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.21.1ubuntu2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.8.0-1ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.27-3ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-4ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.62\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.5.1-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-5build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.2build3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap2\"\n },\n \"version\": \"1:2.44-1ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.27-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.8ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.261ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.2-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.9.4-3ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.1+dfsg-3ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.7.3-4ubuntu1.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.43-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.2-2build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"keyutils\"\n },\n \"version\": \"1.6.1-2ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.9.3-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.5-2ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libnsl\"\n },\n \"version\": \"1.3.0-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.24.0-6build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre2\"\n },\n \"version\": \"10.39-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.3-2ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.3-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.0.2-0ubuntu1.18\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.18.0-4build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xxhash\"\n },\n \"version\": \"0.8.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.8+dfsg-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"perl\"\n },\n \"version\": \"5.34.0-3ubuntu1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.8-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"3.01-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"tar\"\n },\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2021.03.26\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"usrmerge\"\n },\n \"version\": \"25ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 11965\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-2781\",\n \"modified\": \"2026-03-18T06:32:17.714169Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-5278\",\n \"modified\": \"2026-03-18T07:55:13.290684Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-6297\",\n \"modified\": \"2026-02-04T03:36:18.990840Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2219\",\n \"modified\": \"2026-03-14T09:17:58.405826Z\"\n },\n {\n \"id\": \"USN-7768-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-3219\",\n \"modified\": \"2026-01-20T17:26:42.776809Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-30258\",\n \"modified\": \"2026-02-04T04:30:17.426918Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68972\",\n \"modified\": \"2026-01-20T19:15:15.770361Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68973\",\n \"modified\": \"2026-02-05T00:30:28.335358Z\"\n },\n {\n \"id\": \"USN-7412-1\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7412-2\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7946-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-1390\",\n \"modified\": \"2026-02-04T04:28:50.933288Z\"\n },\n {\n \"id\": \"USN-7287-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-2236\",\n \"modified\": \"2026-01-20T17:51:42.649938Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-12243\",\n \"modified\": \"2026-02-04T02:53:36.843010Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-14831\",\n \"modified\": \"2026-02-28T05:58:56.935176Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32988\",\n \"modified\": \"2026-02-04T02:15:37.273955Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32989\",\n \"modified\": \"2026-02-04T03:37:18.739300Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32990\",\n \"modified\": \"2026-02-04T03:31:01.615385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6395\",\n \"modified\": \"2026-02-04T03:31:22.603031Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9820\",\n \"modified\": \"2026-02-28T06:16:45.816014Z\"\n },\n {\n \"id\": \"USN-7281-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7635-1\",\n \"modified\": \"2026-02-10T04:49:34Z\"\n },\n {\n \"id\": \"USN-8043-1\",\n \"modified\": \"2026-02-17T22:00:37.652199Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-62813\",\n \"modified\": \"2025-10-27T08:32:45.494712Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-41409\",\n \"modified\": \"2025-10-24T04:53:52Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-13176\",\n \"modified\": \"2026-03-09T11:29:11.736076Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-41996\",\n \"modified\": \"2026-02-06T21:00:29.439853Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-9143\",\n \"modified\": \"2026-03-09T11:29:50.088989Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15467\",\n \"modified\": \"2026-03-05T18:42:43.606385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-27587\",\n \"modified\": \"2026-02-06T21:55:03.879396Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68160\",\n \"modified\": \"2026-02-12T06:59:44.011039Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69418\",\n \"modified\": \"2026-02-06T22:01:44.179826Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69419\",\n \"modified\": \"2026-02-12T06:59:40.921557Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69420\",\n \"modified\": \"2026-02-12T06:58:38.833674Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69421\",\n \"modified\": \"2026-03-02T12:02:19.670699Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9230\",\n \"modified\": \"2026-03-09T12:25:45.048270Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22795\",\n \"modified\": \"2026-02-12T06:58:35.942634Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22796\",\n \"modified\": \"2026-02-12T06:59:02.005868Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2673\",\n \"modified\": \"2026-03-18T08:04:38.900604Z\"\n },\n {\n \"id\": \"USN-7278-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7786-1\",\n \"modified\": \"2026-02-10T04:50:09Z\"\n },\n {\n \"id\": \"USN-7980-1\",\n \"modified\": \"2026-03-02T11:56:15.392710Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2021-46848\",\n \"modified\": \"2026-02-12T06:44:04.921097Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-12133\",\n \"modified\": \"2026-02-12T06:31:24.332995Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-13151\",\n \"modified\": \"2026-02-12T06:43:59.770392Z\"\n },\n {\n \"id\": \"USN-7275-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7954-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-4899\",\n \"modified\": \"2025-09-08T16:49:53Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-31486\",\n \"modified\": \"2025-10-24T05:01:58Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-47039\",\n \"modified\": \"2025-10-24T05:02:19Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56406\",\n \"modified\": \"2026-02-04T02:50:55.689079Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-40909\",\n \"modified\": \"2026-02-04T02:15:05.324531Z\"\n },\n {\n \"id\": \"USN-7434-1\",\n \"modified\": \"2026-02-10T04:47:48Z\"\n },\n {\n \"id\": \"USN-7678-1\",\n \"modified\": \"2026-02-10T04:49:41Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-45582\",\n \"modified\": \"2026-01-20T18:59:29.811906Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2026-27171\",\n \"modified\": \"2026-02-27T09:59:13Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"11965\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14065\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"12ubuntu4.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.52build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.1-6ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.32-4.1ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.11+git20210903+057cd650a4ed-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.79ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"5.5-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.8-0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.21.1ubuntu2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.8.0-1ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.27-3ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-4ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.62\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.5.1-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-5build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.2build3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap2\"\n },\n \"version\": \"1:2.44-1ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.27-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.8ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.261ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.2-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.9.4-3ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.1+dfsg-3ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.7.3-4ubuntu1.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.43-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.2-2build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"keyutils\"\n },\n \"version\": \"1.6.1-2ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.9.3-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.5-2ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libnsl\"\n },\n \"version\": \"1.3.0-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.24.0-6build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre2\"\n },\n \"version\": \"10.39-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.3-2ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.3-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.0.2-0ubuntu1.18\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.18.0-4build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xxhash\"\n },\n \"version\": \"0.8.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.8+dfsg-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"perl\"\n },\n \"version\": \"5.34.0-3ubuntu1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.8-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"3.01-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"tar\"\n },\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2021.03.26\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"usrmerge\"\n },\n \"version\": \"25ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Empty_Ubuntu_22.04_image_tar_with_unimportant_vulns\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 11965\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-2781\",\n \"modified\": \"2026-03-18T06:32:17.714169Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-5278\",\n \"modified\": \"2026-03-18T07:55:13.290684Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-6297\",\n \"modified\": \"2026-02-04T03:36:18.990840Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2219\",\n \"modified\": \"2026-03-14T09:17:58.405826Z\"\n },\n {\n \"id\": \"USN-7768-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-3219\",\n \"modified\": \"2026-01-20T17:26:42.776809Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-30258\",\n \"modified\": \"2026-02-04T04:30:17.426918Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68972\",\n \"modified\": \"2026-01-20T19:15:15.770361Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68973\",\n \"modified\": \"2026-02-05T00:30:28.335358Z\"\n },\n {\n \"id\": \"USN-7412-1\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7412-2\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7946-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-1390\",\n \"modified\": \"2026-02-04T04:28:50.933288Z\"\n },\n {\n \"id\": \"USN-7287-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-2236\",\n \"modified\": \"2026-01-20T17:51:42.649938Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-12243\",\n \"modified\": \"2026-02-04T02:53:36.843010Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-14831\",\n \"modified\": \"2026-02-28T05:58:56.935176Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32988\",\n \"modified\": \"2026-02-04T02:15:37.273955Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32989\",\n \"modified\": \"2026-02-04T03:37:18.739300Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32990\",\n \"modified\": \"2026-02-04T03:31:01.615385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6395\",\n \"modified\": \"2026-02-04T03:31:22.603031Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9820\",\n \"modified\": \"2026-02-28T06:16:45.816014Z\"\n },\n {\n \"id\": \"USN-7281-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7635-1\",\n \"modified\": \"2026-02-10T04:49:34Z\"\n },\n {\n \"id\": \"USN-8043-1\",\n \"modified\": \"2026-02-17T22:00:37.652199Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-62813\",\n \"modified\": \"2025-10-27T08:32:45.494712Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-41409\",\n \"modified\": \"2025-10-24T04:53:52Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-13176\",\n \"modified\": \"2026-03-09T11:29:11.736076Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-41996\",\n \"modified\": \"2026-02-06T21:00:29.439853Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-9143\",\n \"modified\": \"2026-03-09T11:29:50.088989Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15467\",\n \"modified\": \"2026-03-05T18:42:43.606385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-27587\",\n \"modified\": \"2026-02-06T21:55:03.879396Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68160\",\n \"modified\": \"2026-02-12T06:59:44.011039Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69418\",\n \"modified\": \"2026-02-06T22:01:44.179826Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69419\",\n \"modified\": \"2026-02-12T06:59:40.921557Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69420\",\n \"modified\": \"2026-02-12T06:58:38.833674Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69421\",\n \"modified\": \"2026-03-02T12:02:19.670699Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9230\",\n \"modified\": \"2026-03-09T12:25:45.048270Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22795\",\n \"modified\": \"2026-02-12T06:58:35.942634Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22796\",\n \"modified\": \"2026-02-12T06:59:02.005868Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2673\",\n \"modified\": \"2026-03-18T08:04:38.900604Z\"\n },\n {\n \"id\": \"USN-7278-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7786-1\",\n \"modified\": \"2026-02-10T04:50:09Z\"\n },\n {\n \"id\": \"USN-7980-1\",\n \"modified\": \"2026-03-02T11:56:15.392710Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2021-46848\",\n \"modified\": \"2026-02-12T06:44:04.921097Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-12133\",\n \"modified\": \"2026-02-12T06:31:24.332995Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-13151\",\n \"modified\": \"2026-02-12T06:43:59.770392Z\"\n },\n {\n \"id\": \"USN-7275-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7954-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-4899\",\n \"modified\": \"2025-09-08T16:49:53Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-31486\",\n \"modified\": \"2025-10-24T05:01:58Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-47039\",\n \"modified\": \"2025-10-24T05:02:19Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56406\",\n \"modified\": \"2026-02-04T02:50:55.689079Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-40909\",\n \"modified\": \"2026-02-04T02:15:05.324531Z\"\n },\n {\n \"id\": \"USN-7434-1\",\n \"modified\": \"2026-02-10T04:47:48Z\"\n },\n {\n \"id\": \"USN-7678-1\",\n \"modified\": \"2026-02-10T04:49:41Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-45582\",\n \"modified\": \"2026-01-20T18:59:29.811906Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2026-27171\",\n \"modified\": \"2026-02-27T09:59:13Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"11965\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14321\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"12ubuntu4.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.52build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.1-6ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.32-4.1ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.11+git20210903+057cd650a4ed-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.79ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"5.5-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.8-0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.21.1ubuntu2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.8.0-1ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"fzf\"\n },\n \"version\": \"0.29.0-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.18.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.27-3ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-4ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.62\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.5.1-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-5build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.2build3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap2\"\n },\n \"version\": \"1:2.44-1ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.27-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.8ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.261ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.2-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.9.4-3ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.1+dfsg-3ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.7.3-4ubuntu1.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.43-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.2-2build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"keyutils\"\n },\n \"version\": \"1.6.1-2ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.9.3-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.5-2ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libnsl\"\n },\n \"version\": \"1.3.0-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.24.0-6build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre2\"\n },\n \"version\": \"10.39-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.3-2ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.3-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.0.2-0ubuntu1.18\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.18.0-4build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xxhash\"\n },\n \"version\": \"0.8.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.8+dfsg-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"perl\"\n },\n \"version\": \"5.34.0-3ubuntu1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.8-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"3.01-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"tar\"\n },\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2021.03.26\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"usrmerge\"\n },\n \"version\": \"25ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Scanning_Ubuntu_image_with_go_OS_packages_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 17153\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-2781\",\n \"modified\": \"2026-03-18T06:32:17.714169Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-5278\",\n \"modified\": \"2026-03-18T07:55:13.290684Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-6297\",\n \"modified\": \"2026-02-04T03:36:18.990840Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2219\",\n \"modified\": \"2026-03-14T09:17:58.405826Z\"\n },\n {\n \"id\": \"USN-7768-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2022-0477\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0493\",\n \"modified\": \"2026-02-04T03:42:54.589715Z\"\n },\n {\n \"id\": \"GO-2022-0515\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0520\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0521\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0522\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0523\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0524\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0525\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0526\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0527\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0531\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0532\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0533\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0537\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0969\",\n \"modified\": \"2026-02-04T02:41:02.475503Z\"\n },\n {\n \"id\": \"GO-2022-1037\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1038\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1039\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1095\",\n \"modified\": \"2026-02-04T04:25:45.960420Z\"\n },\n {\n \"id\": \"GO-2022-1143\",\n \"modified\": \"2026-02-04T04:08:13.589543Z\"\n },\n {\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2026-02-04T04:29:40.352025Z\"\n },\n {\n \"id\": \"GO-2023-1568\",\n \"modified\": \"2026-02-04T02:54:08.789114Z\"\n },\n {\n \"id\": \"GO-2023-1569\",\n \"modified\": \"2026-02-04T03:22:48.161542Z\"\n },\n {\n \"id\": \"GO-2023-1570\",\n \"modified\": \"2026-02-04T02:57:33.465285Z\"\n },\n {\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2026-02-04T03:36:14.767832Z\"\n },\n {\n \"id\": \"GO-2023-1621\",\n \"modified\": \"2026-02-04T02:47:06.125087Z\"\n },\n {\n \"id\": \"GO-2023-1702\",\n \"modified\": \"2026-02-04T03:43:08.732164Z\"\n },\n {\n \"id\": \"GO-2023-1703\",\n \"modified\": \"2026-02-04T04:24:15.366665Z\"\n },\n {\n \"id\": \"GO-2023-1704\",\n \"modified\": \"2026-02-04T04:39:41.032390Z\"\n },\n {\n \"id\": \"GO-2023-1705\",\n \"modified\": \"2026-02-04T03:44:01.631552Z\"\n },\n {\n \"id\": \"GO-2023-1751\",\n \"modified\": \"2026-02-04T04:31:56.779446Z\"\n },\n {\n \"id\": \"GO-2023-1752\",\n \"modified\": \"2026-02-04T03:50:58.841420Z\"\n },\n {\n \"id\": \"GO-2023-1753\",\n \"modified\": \"2026-02-04T02:22:30.446388Z\"\n },\n {\n \"id\": \"GO-2023-1840\",\n \"modified\": \"2026-02-04T03:48:08.792378Z\"\n },\n {\n \"id\": \"GO-2023-1878\",\n \"modified\": \"2026-02-04T04:31:14.443108Z\"\n },\n {\n \"id\": \"GO-2023-1987\",\n \"modified\": \"2026-02-04T03:58:58.871084Z\"\n },\n {\n \"id\": \"GO-2023-2041\",\n \"modified\": \"2026-02-04T04:25:22.510281Z\"\n },\n {\n \"id\": \"GO-2023-2043\",\n \"modified\": \"2026-02-04T04:11:02.549923Z\"\n },\n {\n \"id\": \"GO-2023-2102\",\n \"modified\": \"2026-02-04T03:49:27.289895Z\"\n },\n {\n \"id\": \"GO-2023-2185\",\n \"modified\": \"2026-02-04T02:59:25.590966Z\"\n },\n {\n \"id\": \"GO-2023-2186\",\n \"modified\": \"2026-02-04T03:56:59.969208Z\"\n },\n {\n \"id\": \"GO-2023-2375\",\n \"modified\": \"2026-02-04T03:57:11.083315Z\"\n },\n {\n \"id\": \"GO-2023-2382\",\n \"modified\": \"2026-02-04T03:33:11.274886Z\"\n },\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-3219\",\n \"modified\": \"2026-01-20T17:26:42.776809Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-30258\",\n \"modified\": \"2026-02-04T04:30:17.426918Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68972\",\n \"modified\": \"2026-01-20T19:15:15.770361Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68973\",\n \"modified\": \"2026-02-05T00:30:28.335358Z\"\n },\n {\n \"id\": \"USN-7412-1\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7412-2\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7946-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-1390\",\n \"modified\": \"2026-02-04T04:28:50.933288Z\"\n },\n {\n \"id\": \"USN-7287-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-2236\",\n \"modified\": \"2026-01-20T17:51:42.649938Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-12243\",\n \"modified\": \"2026-02-04T02:53:36.843010Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-14831\",\n \"modified\": \"2026-02-28T05:58:56.935176Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32988\",\n \"modified\": \"2026-02-04T02:15:37.273955Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32989\",\n \"modified\": \"2026-02-04T03:37:18.739300Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32990\",\n \"modified\": \"2026-02-04T03:31:01.615385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6395\",\n \"modified\": \"2026-02-04T03:31:22.603031Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9820\",\n \"modified\": \"2026-02-28T06:16:45.816014Z\"\n },\n {\n \"id\": \"USN-7281-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7635-1\",\n \"modified\": \"2026-02-10T04:49:34Z\"\n },\n {\n \"id\": \"USN-8043-1\",\n \"modified\": \"2026-02-17T22:00:37.652199Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-62813\",\n \"modified\": \"2025-10-27T08:32:45.494712Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-41409\",\n \"modified\": \"2025-10-24T04:53:52Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-13176\",\n \"modified\": \"2026-03-09T11:29:11.736076Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-41996\",\n \"modified\": \"2026-02-06T21:00:29.439853Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-9143\",\n \"modified\": \"2026-03-09T11:29:50.088989Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15467\",\n \"modified\": \"2026-03-05T18:42:43.606385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-27587\",\n \"modified\": \"2026-02-06T21:55:03.879396Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68160\",\n \"modified\": \"2026-02-12T06:59:44.011039Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69418\",\n \"modified\": \"2026-02-06T22:01:44.179826Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69419\",\n \"modified\": \"2026-02-12T06:59:40.921557Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69420\",\n \"modified\": \"2026-02-12T06:58:38.833674Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69421\",\n \"modified\": \"2026-03-02T12:02:19.670699Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9230\",\n \"modified\": \"2026-03-09T12:25:45.048270Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22795\",\n \"modified\": \"2026-02-12T06:58:35.942634Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22796\",\n \"modified\": \"2026-02-12T06:59:02.005868Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2673\",\n \"modified\": \"2026-03-18T08:04:38.900604Z\"\n },\n {\n \"id\": \"USN-7278-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7786-1\",\n \"modified\": \"2026-02-10T04:50:09Z\"\n },\n {\n \"id\": \"USN-7980-1\",\n \"modified\": \"2026-03-02T11:56:15.392710Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2021-46848\",\n \"modified\": \"2026-02-12T06:44:04.921097Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-12133\",\n \"modified\": \"2026-02-12T06:31:24.332995Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-13151\",\n \"modified\": \"2026-02-12T06:43:59.770392Z\"\n },\n {\n \"id\": \"USN-7275-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7954-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-4899\",\n \"modified\": \"2025-09-08T16:49:53Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-31486\",\n \"modified\": \"2025-10-24T05:01:58Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-47039\",\n \"modified\": \"2025-10-24T05:02:19Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56406\",\n \"modified\": \"2026-02-04T02:50:55.689079Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-40909\",\n \"modified\": \"2026-02-04T02:15:05.324531Z\"\n },\n {\n \"id\": \"USN-7434-1\",\n \"modified\": \"2026-02-10T04:47:48Z\"\n },\n {\n \"id\": \"USN-7678-1\",\n \"modified\": \"2026-02-10T04:49:41Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-45582\",\n \"modified\": \"2026-01-20T18:59:29.811906Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2026-27171\",\n \"modified\": \"2026-02-27T09:59:13Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"17153\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 29320\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.2-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.8-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.8-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"alpine-base\"\n },\n \"version\": \"3.21.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.6-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"brotli\"\n },\n \"version\": \"1.1.0-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20241121-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20241121-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"ch.qos.reload4j:reload4j\"\n },\n \"version\": \"1.2.22\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-annotations\"\n },\n \"version\": \"2.12.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"version\": \"2.10.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\"\n },\n \"version\": \"2.12.7.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.jaxrs:jackson-jaxrs-base\"\n },\n \"version\": \"2.12.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider\"\n },\n \"version\": \"2.12.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.module:jackson-module-jaxb-annotations\"\n },\n \"version\": \"2.12.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.woodstox:woodstox-core\"\n },\n \"version\": \"5.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.github.stephenc.jcip:jcip-annotations\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.code.findbugs:jsr305\"\n },\n \"version\": \"3.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.code.gson:gson\"\n },\n \"version\": \"2.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.errorprone:error_prone_annotations\"\n },\n \"version\": \"2.18.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.guava:failureaccess\"\n },\n \"version\": \"1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.guava:guava\"\n },\n \"version\": \"32.0.1-jre\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.guava:listenablefuture\"\n },\n \"version\": \"9999.0-empty-to-avoid-conflict-with-guava\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.j2objc:j2objc-annotations\"\n },\n \"version\": \"2.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.protobuf:protobuf-java\"\n },\n \"version\": \"3.21.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.re2j:re2j\"\n },\n \"version\": \"1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.nimbusds:nimbus-jose-jwt\"\n },\n \"version\": \"9.31\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.sun.jersey:jersey-client\"\n },\n \"version\": \"1.19.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.sun.jersey:jersey-core\"\n },\n \"version\": \"1.19.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.sun.jersey:jersey-servlet\"\n },\n \"version\": \"1.19.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-beanutils:commons-beanutils\"\n },\n \"version\": \"1.9.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-cli:commons-cli\"\n },\n \"version\": \"1.5.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-codec:commons-codec\"\n },\n \"version\": \"1.15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-collections:commons-collections\"\n },\n \"version\": \"3.2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-io:commons-io\"\n },\n \"version\": \"2.14.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-logging:commons-logging\"\n },\n \"version\": \"1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-net:commons-net\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"coreutils\"\n },\n \"version\": \"9.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"coreutils\"\n },\n \"version\": \"9.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"coreutils\"\n },\n \"version\": \"9.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"coreutils\"\n },\n \"version\": \"9.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"dnsjava:dnsjava\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"encodings\"\n },\n \"version\": \"1.0.7-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"font-dejavu\"\n },\n \"version\": \"2.37-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"fontconfig\"\n },\n \"version\": \"2.15.0-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"freetype\"\n },\n \"version\": \"2.13.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gdbm\"\n },\n \"version\": \"1.24-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gmp\"\n },\n \"version\": \"6.3.0-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnutls\"\n },\n \"version\": \"3.8.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.4.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.dropwizard.metrics:metrics-core\"\n },\n \"version\": \"3.2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-all\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-buffer\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-dns\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-haproxy\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-http\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-http2\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-memcache\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-mqtt\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-redis\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-smtp\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-socks\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-stomp\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-codec-xml\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-common\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-handler\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-handler-proxy\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-handler-ssl-ocsp\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-resolver\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-resolver-dns\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-resolver-dns-classes-macos\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-resolver-dns-native-macos\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-classes-epoll\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-classes-kqueue\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-native-epoll\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-native-kqueue\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-native-unix-common\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-rxtx\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-sctp\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"io.netty:netty-transport-udt\"\n },\n \"version\": \"4.1.100.Final\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"jakarta.activation:jakarta.activation-api\"\n },\n \"version\": \"1.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"jakarta.xml.bind:jakarta.xml.bind-api\"\n },\n \"version\": \"2.3.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"javax.servlet:javax.servlet-api\"\n },\n \"version\": \"3.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"javax.ws.rs:jsr311-api\"\n },\n \"version\": \"1.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"javax.xml.bind:jaxb-api\"\n },\n \"version\": \"2.2.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libassuan\"\n },\n \"version\": \"2.5.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"attr\"\n },\n \"version\": \"2.5.2-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-r6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.2-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"expat\"\n },\n \"version\": \"2.6.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libfontenc\"\n },\n \"version\": \"1.1.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libgcrypt\"\n },\n \"version\": \"1.10.3-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.51-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"gettext\"\n },\n \"version\": \"0.22.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libksba\"\n },\n \"version\": \"1.6.7-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"openldap\"\n },\n \"version\": \"2.6.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.5_p20241006-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libpng\"\n },\n \"version\": \"1.6.44-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"cyrus-sasl\"\n },\n \"version\": \"2.1.28-r8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.2-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libtasn1\"\n },\n \"version\": \"4.19.0-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"mkfontscale\"\n },\n \"version\": \"1.2.3-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"musl-locales\"\n },\n \"version\": \"0.1.0-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"musl-locales\"\n },\n \"version\": \"0.1.0-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.5_p20241006-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"npth\"\n },\n \"version\": \"1.6-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.2-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.avro:avro\"\n },\n \"version\": \"1.9.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-compress\"\n },\n \"version\": \"1.21\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-configuration2\"\n },\n \"version\": \"2.8.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-lang3\"\n },\n \"version\": \"3.12.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-math3\"\n },\n \"version\": \"3.6.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-text\"\n },\n \"version\": \"1.10.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.curator:curator-client\"\n },\n \"version\": \"5.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.curator:curator-framework\"\n },\n \"version\": \"5.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.curator:curator-recipes\"\n },\n \"version\": \"5.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop.thirdparty:hadoop-shaded-guava\"\n },\n \"version\": \"1.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop.thirdparty:hadoop-shaded-protobuf_3_21\"\n },\n \"version\": \"1.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-annotations\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-auth\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-client\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-common\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-hdfs-client\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-mapreduce-client-common\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-mapreduce-client-core\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-mapreduce-client-jobclient\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-yarn-api\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-yarn-client\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.hadoop:hadoop-yarn-common\"\n },\n \"version\": \"3.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpclient\"\n },\n \"version\": \"4.5.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpcore\"\n },\n \"version\": \"4.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-admin\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-client\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-common\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-core\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-crypto\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-identity\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-server\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-simplekdc\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerb-util\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerby-asn1\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerby-config\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerby-pkix\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerby-util\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:kerby-xdr\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.kerby:token-provider\"\n },\n \"version\": \"2.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.codehaus.mojo:animal-sniffer-annotations\"\n },\n \"version\": \"1.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.codehaus.woodstox:stax2-api\"\n },\n \"version\": \"4.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty.websocket:websocket-api\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty.websocket:websocket-client\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty.websocket:websocket-common\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-client\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-http\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-io\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-security\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-servlet\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-util\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-util-ajax\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-webapp\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-xml\"\n },\n \"version\": \"9.4.53.v20231009\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jctools:jctools-core\"\n },\n \"version\": \"3.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-builtins\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-reader\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-remote-ssh\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-remote-telnet\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-style\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-terminal\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-terminal-jansi\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.jline:jline-terminal-jna\"\n },\n \"version\": \"3.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.slf4j:slf4j-api\"\n },\n \"version\": \"1.7.36\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.slf4j:slf4j-reload4j\"\n },\n \"version\": \"1.7.36\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.25.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.25.5-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"pinentry\"\n },\n \"version\": \"1.3.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.8-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"skalibs\"\n },\n \"version\": \"2.14.3.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"sqlite\"\n },\n \"version\": \"3.47.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2024b-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"unknown:unknown\"\n },\n \"version\": \"unknown\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"utmps\"\n },\n \"version\": \"0.1.2.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.21\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Scanning_java_image_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 10135\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-72hv-8253-57qq\",\n \"modified\": \"2026-03-04T15:06:51.908001Z\"\n },\n {\n \"id\": \"GHSA-h46c-h94j-95f3\",\n \"modified\": \"2026-02-04T03:44:39.385253Z\"\n },\n {\n \"id\": \"GHSA-wf8f-6423-gfxg\",\n \"modified\": \"2026-02-04T02:17:21.257294Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-735f-pc8j-v9w8\",\n \"modified\": \"2026-02-04T03:34:00.411610Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-gvpg-vgmx-xg6w\",\n \"modified\": \"2026-02-04T03:20:13.834799Z\"\n },\n {\n \"id\": \"GHSA-xwmg-2g98-w7v9\",\n \"modified\": \"2026-02-04T04:02:18.737097Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-wxr5-93ph-8wr9\",\n \"modified\": \"2026-02-04T02:26:01.067608Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cfxw-4h78-h7fw\",\n \"modified\": \"2026-02-04T04:29:28.819325Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12243\",\n \"modified\": \"2026-02-24T08:30:42.520717Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-14831\",\n \"modified\": \"2026-02-24T08:30:41.701341Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-32988\",\n \"modified\": \"2026-02-24T08:16:54.971657Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-32989\",\n \"modified\": \"2026-02-24T08:17:41.640619Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-32990\",\n \"modified\": \"2026-02-24T08:17:41.697467Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-6395\",\n \"modified\": \"2026-02-24T08:17:38.778605Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9820\",\n \"modified\": \"2026-02-24T08:17:41.731734Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-68972\",\n \"modified\": \"2026-01-10T11:24:45.922788Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68973\",\n \"modified\": \"2026-01-08T11:18:08.318838Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-3p8m-j85q-pgmj\",\n \"modified\": \"2026-02-04T02:23:33.973208Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5jpm-x58v-624v\",\n \"modified\": \"2026-02-04T02:17:39.757688Z\"\n },\n {\n \"id\": \"GHSA-84h7-rjj3-6jx4\",\n \"modified\": \"2026-02-04T03:25:14.697311Z\"\n },\n {\n \"id\": \"GHSA-fghv-69vj-qj49\",\n \"modified\": \"2026-02-04T03:04:04.888405Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-prj3-ccx8-p6x4\",\n \"modified\": \"2026-02-04T02:26:22.855609Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-jq43-27x9-3v86\",\n \"modified\": \"2026-02-04T04:27:03.146166Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-389x-839f-4rhx\",\n \"modified\": \"2026-02-04T04:31:00.174857Z\"\n },\n {\n \"id\": \"GHSA-xq3w-v528-46rv\",\n \"modified\": \"2026-02-04T03:40:54.362888Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4g8c-wm8x-jfhw\",\n \"modified\": \"2026-02-04T02:54:33.253775Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-8176\",\n \"modified\": \"2025-12-03T22:57:51.246966Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-59375\",\n \"modified\": \"2025-12-03T22:59:58.939558Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-24515\",\n \"modified\": \"2026-02-06T11:22:51.413545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-25210\",\n \"modified\": \"2026-03-13T06:29:27.213127Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-32777\",\n \"modified\": \"2026-03-18T15:30:30.767674Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-32778\",\n \"modified\": \"2026-03-18T15:30:27.849300Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-64505\",\n \"modified\": \"2025-12-08T15:11:42.598503Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-64506\",\n \"modified\": \"2025-12-08T15:14:01.131553Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-64720\",\n \"modified\": \"2025-12-08T15:14:12.627370Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-65018\",\n \"modified\": \"2025-12-08T15:14:18.487828Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66293\",\n \"modified\": \"2025-12-08T15:17:27.019257Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22695\",\n \"modified\": \"2026-01-22T19:30:03.621725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22801\",\n \"modified\": \"2026-01-22T19:30:04.012462Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-25646\",\n \"modified\": \"2026-02-24T12:00:36.302208Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12133\",\n \"modified\": \"2025-12-03T22:55:00.302559Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-13151\",\n \"modified\": \"2026-01-13T09:30:10.551660Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-r7pg-v2c8-mfg3\",\n \"modified\": \"2026-02-04T03:14:24.930542Z\"\n },\n {\n \"id\": \"GHSA-rhrv-645h-fjfh\",\n \"modified\": \"2026-02-04T02:43:50.522457Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4265-ccf5-phj5\",\n \"modified\": \"2026-02-04T03:44:24.716817Z\"\n },\n {\n \"id\": \"GHSA-4g9r-vxhx-9pgx\",\n \"modified\": \"2026-02-04T02:38:20.882397Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9w38-p64v-xpmv\",\n \"modified\": \"2026-02-04T03:05:15.000909Z\"\n },\n {\n \"id\": \"GHSA-xjp4-hw94-mvp5\",\n \"modified\": \"2026-02-04T04:32:34.354092Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"modified\": \"2026-02-04T03:18:02.851501Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-qh8g-58pp-2wxh\",\n \"modified\": \"2026-02-04T05:13:21.910792Z\"\n },\n {\n \"id\": \"GHSA-wjpw-4j6x-6rwh\",\n \"modified\": \"2026-03-09T11:29:07.402944Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-29087\",\n \"modified\": \"2025-11-19T06:21:22.290875Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-29088\",\n \"modified\": \"2025-11-19T06:21:22.419722Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-3277\",\n \"modified\": \"2025-11-19T06:21:22.993026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-6965\",\n \"modified\": \"2026-02-05T02:19:39.445651Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"10135\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 12957\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-files\"\n },\n \"version\": \"10.3+deb10u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.46\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bash\"\n },\n \"version\": \"5.0-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20200601~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.30-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.10.2-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.71+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2019.1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.6.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.7-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.19.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20190209-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.12-1+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"grep\"\n },\n \"version\": \"3.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.9-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.21\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.56+nmu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"acl\"\n },\n \"version\": \"2.2.53-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.4.48-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.6-9.2~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.249\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"expat\"\n },\n \"version\": \"2.2.6-2+deb10u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.2.1-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"1:8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.8.4-5+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gdbm\"\n },\n \"version\": \"1.18.1-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.1.2+dfsg-4+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.6.7-4+deb10u10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.35-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.0.5-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.8.3-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.4-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.23.15-2+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.3.3-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libselinux\"\n },\n \"version\": \"2.8-1+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsepol\"\n },\n \"version\": \"2.8-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sqlite3\"\n },\n \"version\": \"3.27.2-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.13-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libunistring\"\n },\n \"version\": \"0.9.10-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.3.8+dfsg-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"perl\"\n },\n \"version\": \"5.28.1-6+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sed\"\n },\n \"version\": \"4.7-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"2.93-8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tar\"\n },\n \"version\": \"1.30+dfsg-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb10u11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"wheel\"\n },\n \"version\": \"0.40.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-1+deb10u2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Scanning_python_image_with_no_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 3752\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3783-1\",\n \"modified\": \"2026-03-09T01:21:52.762023Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3660-1\",\n \"modified\": \"2026-03-09T02:10:14.556560Z\"\n },\n {\n \"id\": \"DLA-3740-1\",\n \"modified\": \"2026-03-09T01:23:17.775568Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-8rrh-rw8j-w5fx\",\n \"modified\": \"2026-02-04T03:06:55.268134Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"3752\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14537\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"0.12.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"jinja2\"\n },\n \"version\": \"3.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"markupsafe\"\n },\n \"version\": \"3.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"werkzeug\"\n },\n \"version\": \"3.1.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-files\"\n },\n \"version\": \"10.3+deb10u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.46\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bash\"\n },\n \"version\": \"5.0-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20200601~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"certifi\"\n },\n \"version\": \"2025.11.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"chardet\"\n },\n \"version\": \"3.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"click\"\n },\n \"version\": \"8.1.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.30-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.10.2-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.71+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2019.1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.6.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.7-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.19.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20190209-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.12-1+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"grep\"\n },\n \"version\": \"3.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.9-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.21\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"idna\"\n },\n \"version\": \"2.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.56+nmu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"itsdangerous\"\n },\n \"version\": \"2.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"acl\"\n },\n \"version\": \"2.2.53-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.4.48-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.6-9.2~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.249\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"expat\"\n },\n \"version\": \"2.2.6-2+deb10u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.2.1-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"1:8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.8.4-5+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gdbm\"\n },\n \"version\": \"1.18.1-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.1.2+dfsg-4+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.6.7-4+deb10u10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.35-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.0.5-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.8.3-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.4-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.23.15-2+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.3.3-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libselinux\"\n },\n \"version\": \"2.8-1+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsepol\"\n },\n \"version\": \"2.8-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sqlite3\"\n },\n \"version\": \"3.27.2-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.13-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libunistring\"\n },\n \"version\": \"0.9.10-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.3.8+dfsg-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"perl\"\n },\n \"version\": \"5.28.1-6+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pytz\"\n },\n \"version\": \"2025.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sed\"\n },\n \"version\": \"4.7-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"2.93-8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tar\"\n },\n \"version\": \"1.30+dfsg-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb10u11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"urllib3\"\n },\n \"version\": \"1.24.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"wheel\"\n },\n \"version\": \"0.40.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-1+deb10u2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/Scanning_python_image_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 6240\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-562c-5r94-xh97\",\n \"modified\": \"2025-02-21T05:29:40.872529Z\"\n },\n {\n \"id\": \"GHSA-5wv5-4vpf-pj6m\",\n \"modified\": \"2024-09-20T21:24:25.140560Z\"\n },\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2018-66\",\n \"modified\": \"2023-11-08T03:59:39.887416Z\"\n },\n {\n \"id\": \"PYSEC-2019-179\",\n \"modified\": \"2023-11-08T04:00:40.602062Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-29vq-49wr-vm6x\",\n \"modified\": \"2026-02-23T23:43:27.690386Z\"\n },\n {\n \"id\": \"GHSA-87hc-h4r5-73f7\",\n \"modified\": \"2026-02-04T03:18:07.993642Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-jjg7-2v4v-x38h\",\n \"modified\": \"2026-02-04T03:49:45.087439Z\"\n },\n {\n \"id\": \"PYSEC-2024-60\",\n \"modified\": \"2024-07-11T17:42:33.704488Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3783-1\",\n \"modified\": \"2026-03-09T01:21:52.762023Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3660-1\",\n \"modified\": \"2026-03-09T02:10:14.556560Z\"\n },\n {\n \"id\": \"DLA-3740-1\",\n \"modified\": \"2026-03-09T01:23:17.775568Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2xpw-w6gg-jr37\",\n \"modified\": \"2026-02-04T02:36:12.983430Z\"\n },\n {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"modified\": \"2026-02-04T03:37:44.850742Z\"\n },\n {\n \"id\": \"GHSA-38jv-5279-wg99\",\n \"modified\": \"2026-02-04T03:51:36.162029Z\"\n },\n {\n \"id\": \"GHSA-g4mx-q9vg-27p4\",\n \"modified\": \"2026-02-04T03:30:16.767903Z\"\n },\n {\n \"id\": \"GHSA-gm62-xv2j-4w53\",\n \"modified\": \"2026-02-04T03:37:15.919661Z\"\n },\n {\n \"id\": \"GHSA-pq67-6m6q-mj2v\",\n \"modified\": \"2026-02-04T04:38:01.163387Z\"\n },\n {\n \"id\": \"GHSA-v845-jxx5-vc9f\",\n \"modified\": \"2026-02-04T02:58:30.152562Z\"\n },\n {\n \"id\": \"GHSA-wqvq-5m8c-6g24\",\n \"modified\": \"2024-11-18T22:47:07.792720Z\"\n },\n {\n \"id\": \"PYSEC-2020-148\",\n \"modified\": \"2023-11-08T04:03:14.251187Z\"\n },\n {\n \"id\": \"PYSEC-2021-108\",\n \"modified\": \"2023-11-08T04:06:04.829992Z\"\n },\n {\n \"id\": \"PYSEC-2023-192\",\n \"modified\": \"2023-11-08T04:13:33.452167Z\"\n },\n {\n \"id\": \"PYSEC-2023-212\",\n \"modified\": \"2023-11-08T04:13:39.165450Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-8rrh-rw8j-w5fx\",\n \"modified\": \"2026-02-04T03:06:55.268134Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"6240\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 4149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20240226-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.3.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.3.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_image_with_go_binary\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 15478\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"15478\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_insecure_alpine_image_with_detector_preset\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_disabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_insecure_alpine_image_with_specific_detector_enabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_insecure_alpine_image_without_detectors\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2344\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_npm_with_no_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2685\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2685\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2701\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"cryo\"\n },\n \"version\": \"0.0.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"minimist\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"mkdirp\"\n },\n \"version\": \"0.5.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_npm_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2922\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-38f5-ghc2-fcmv\",\n \"modified\": \"2023-11-08T04:00:20.055238Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-vh95-rmgr-6w4m\",\n \"modified\": \"2026-03-13T22:11:31.390433Z\"\n },\n {\n \"id\": \"GHSA-xvch-5gv4-984h\",\n \"modified\": \"2026-03-13T22:11:59.523514Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2922\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2344\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_no_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2685\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2685\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2344\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_pnpm_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2685\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2685\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2344\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_yarn_with_no_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2685\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2685\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2344\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage/scanning_node_modules_using_yarn_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2685\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2685\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/cassettes/TestCommand_OCIImage_JSONFormat.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14537\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"0.12.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"jinja2\"\n },\n \"version\": \"3.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"markupsafe\"\n },\n \"version\": \"3.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"werkzeug\"\n },\n \"version\": \"3.1.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-files\"\n },\n \"version\": \"10.3+deb10u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.46\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bash\"\n },\n \"version\": \"5.0-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20200601~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"certifi\"\n },\n \"version\": \"2025.11.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"chardet\"\n },\n \"version\": \"3.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"click\"\n },\n \"version\": \"8.1.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.30-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.10.2-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.71+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2019.1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.6.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.7-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.19.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20190209-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.12-1+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"grep\"\n },\n \"version\": \"3.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.9-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.21\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"idna\"\n },\n \"version\": \"2.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.56+nmu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"itsdangerous\"\n },\n \"version\": \"2.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"acl\"\n },\n \"version\": \"2.2.53-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"apt\"\n },\n \"version\": \"1.8.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.4.48-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"audit\"\n },\n \"version\": \"1:2.8.4-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.6-9.2~deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.28-10+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.249\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"expat\"\n },\n \"version\": \"2.2.6-2+deb10u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.2.1-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"1:8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.8.4-5+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gdbm\"\n },\n \"version\": \"1.18.1-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.1.2+dfsg-4+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.6.7-4+deb10u10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.35-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.0.5-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.8.3-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.4-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.4.1-1+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.23.15-2+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pam\"\n },\n \"version\": \"1.3.1-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.3.3-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libselinux\"\n },\n \"version\": \"2.8-1+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"2.8-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libsepol\"\n },\n \"version\": \"2.8-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sqlite3\"\n },\n \"version\": \"3.27.2-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.44.5-1+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"gcc-8\"\n },\n \"version\": \"8.3.0-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.13-3+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"systemd\"\n },\n \"version\": \"241-7~deb10u9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libunistring\"\n },\n \"version\": \"0.9.10-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.3.8+dfsg-3+deb10u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.1+20181013-2+deb10u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1n-0+deb10u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.5-1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"perl\"\n },\n \"version\": \"5.28.1-6+deb10u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pip\"\n },\n \"version\": \"23.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pytz\"\n },\n \"version\": \"2025.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"readline\"\n },\n \"version\": \"7.0-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sed\"\n },\n \"version\": \"4.7-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"setuptools\"\n },\n \"version\": \"58.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"2.93-8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tar\"\n },\n \"version\": \"1.30+dfsg-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb10u11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"urllib3\"\n },\n \"version\": \"1.24.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.33.1-0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"wheel\"\n },\n \"version\": \"0.40.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-1+deb10u2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/Scanning_python_image_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 6240\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-562c-5r94-xh97\",\n \"modified\": \"2025-02-21T05:29:40.872529Z\"\n },\n {\n \"id\": \"GHSA-5wv5-4vpf-pj6m\",\n \"modified\": \"2024-09-20T21:24:25.140560Z\"\n },\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2018-66\",\n \"modified\": \"2023-11-08T03:59:39.887416Z\"\n },\n {\n \"id\": \"PYSEC-2019-179\",\n \"modified\": \"2023-11-08T04:00:40.602062Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-29vq-49wr-vm6x\",\n \"modified\": \"2026-02-23T23:43:27.690386Z\"\n },\n {\n \"id\": \"GHSA-87hc-h4r5-73f7\",\n \"modified\": \"2026-02-04T03:18:07.993642Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-jjg7-2v4v-x38h\",\n \"modified\": \"2026-02-04T03:49:45.087439Z\"\n },\n {\n \"id\": \"PYSEC-2024-60\",\n \"modified\": \"2024-07-11T17:42:33.704488Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3807-1\",\n \"modified\": \"2026-03-09T01:21:14.798998Z\"\n },\n {\n \"id\": \"DLA-3850-1\",\n \"modified\": \"2026-03-09T01:19:52.798152Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3783-1\",\n \"modified\": \"2026-03-09T01:21:52.762023Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3660-1\",\n \"modified\": \"2026-03-09T02:10:14.556560Z\"\n },\n {\n \"id\": \"DLA-3740-1\",\n \"modified\": \"2026-03-09T01:23:17.775568Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3474-1\",\n \"modified\": \"2026-03-09T01:20:13.950328Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3586-1\",\n \"modified\": \"2026-03-09T01:19:25.252973Z\"\n },\n {\n \"id\": \"DLA-3682-1\",\n \"modified\": \"2026-03-09T01:18:42.667623Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4xh5-x5gv-qwph\",\n \"modified\": \"2026-02-04T03:47:34.542520Z\"\n },\n {\n \"id\": \"GHSA-6vgw-5pg2-w6jp\",\n \"modified\": \"2026-02-16T17:11:10.097207Z\"\n },\n {\n \"id\": \"GHSA-mq26-g339-26xf\",\n \"modified\": \"2026-02-04T02:57:26.696931Z\"\n },\n {\n \"id\": \"PYSEC-2023-228\",\n \"modified\": \"2023-12-06T01:03:17.199012Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-5rjg-fvgr-3xxf\",\n \"modified\": \"2026-02-05T09:18:37.263234Z\"\n },\n {\n \"id\": \"GHSA-cx63-2mw6-8hw5\",\n \"modified\": \"2026-02-04T03:54:02.259111Z\"\n },\n {\n \"id\": \"GHSA-r9hx-vwmv-q579\",\n \"modified\": \"2026-02-04T03:03:25.892107Z\"\n },\n {\n \"id\": \"PYSEC-2022-43012\",\n \"modified\": \"2023-12-06T01:02:35.662444Z\"\n },\n {\n \"id\": \"PYSEC-2025-49\",\n \"modified\": \"2025-06-13T06:59:23.470501Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2xpw-w6gg-jr37\",\n \"modified\": \"2026-02-04T02:36:12.983430Z\"\n },\n {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"modified\": \"2026-02-04T03:37:44.850742Z\"\n },\n {\n \"id\": \"GHSA-38jv-5279-wg99\",\n \"modified\": \"2026-02-04T03:51:36.162029Z\"\n },\n {\n \"id\": \"GHSA-g4mx-q9vg-27p4\",\n \"modified\": \"2026-02-04T03:30:16.767903Z\"\n },\n {\n \"id\": \"GHSA-gm62-xv2j-4w53\",\n \"modified\": \"2026-02-04T03:37:15.919661Z\"\n },\n {\n \"id\": \"GHSA-pq67-6m6q-mj2v\",\n \"modified\": \"2026-02-04T04:38:01.163387Z\"\n },\n {\n \"id\": \"GHSA-v845-jxx5-vc9f\",\n \"modified\": \"2026-02-04T02:58:30.152562Z\"\n },\n {\n \"id\": \"GHSA-wqvq-5m8c-6g24\",\n \"modified\": \"2024-11-18T22:47:07.792720Z\"\n },\n {\n \"id\": \"PYSEC-2020-148\",\n \"modified\": \"2023-11-08T04:03:14.251187Z\"\n },\n {\n \"id\": \"PYSEC-2021-108\",\n \"modified\": \"2023-11-08T04:06:04.829992Z\"\n },\n {\n \"id\": \"PYSEC-2023-192\",\n \"modified\": \"2023-11-08T04:13:33.452167Z\"\n },\n {\n \"id\": \"PYSEC-2023-212\",\n \"modified\": \"2023-11-08T04:13:39.165450Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-8rrh-rw8j-w5fx\",\n \"modified\": \"2026-02-04T03:06:55.268134Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"6240\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 6488\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.7.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.7.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"alpine-base\"\n },\n \"version\": \"3.22.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.9-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r19\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r19\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20250911-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"displaydoc\"\n },\n \"version\": \"0.2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"form_urlencoded\"\n },\n \"version\": \"1.2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_collections\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_locale_core\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_normalizer\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_normalizer_data\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_properties\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_properties_data\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"icu_provider\"\n },\n \"version\": \"2.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"idna\"\n },\n \"version\": \"1.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"idna_adapter\"\n },\n \"version\": \"1.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.9-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.5.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.5.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"litemap\"\n },\n \"version\": \"0.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"percent-encoding\"\n },\n \"version\": \"2.3.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"potential_utf\"\n },\n \"version\": \"0.1.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"proc-macro2\"\n },\n \"version\": \"1.0.103\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"quote\"\n },\n \"version\": \"1.0.42\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"rust_novuln_deprecated\"\n },\n \"version\": \"0.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.8-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"smallvec\"\n },\n \"version\": \"1.15.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.37.0-r19\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"stable_deref_trait\"\n },\n \"version\": \"1.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"syn\"\n },\n \"version\": \"2.0.111\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"synstructure\"\n },\n \"version\": \"0.13.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"tinystr\"\n },\n \"version\": \"0.8.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"unicode-ident\"\n },\n \"version\": \"1.0.22\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"url\"\n },\n \"version\": \"2.5.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"utf8_iter\"\n },\n \"version\": \"1.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"writeable\"\n },\n \"version\": \"0.6.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"yoke\"\n },\n \"version\": \"0.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"yoke-derive\"\n },\n \"version\": \"0.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"zerofrom\"\n },\n \"version\": \"0.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"zerofrom-derive\"\n },\n \"version\": \"0.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"zerotrie\"\n },\n \"version\": \"0.2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"zerovec\"\n },\n \"version\": \"0.11.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"zerovec-derive\"\n },\n \"version\": \"0.11.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.22\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_image_with_deprecated_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2365\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-11187\",\n \"modified\": \"2026-01-30T11:15:53.799925Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15469\",\n \"modified\": \"2026-01-30T11:16:52.287694Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-11187\",\n \"modified\": \"2026-01-30T11:15:53.799925Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15469\",\n \"modified\": \"2026-01-30T11:16:52.287694Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2365\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2279\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.6.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.4-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20240226-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/BurntSushi/toml\"\n },\n \"version\": \"1.4.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.22.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.3.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.5-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"ptf\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.20\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_image_with_go_binary\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 5308\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-12797\",\n \"modified\": \"2025-12-03T22:55:03.634026Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15467\",\n \"modified\": \"2026-02-26T11:16:44.405477Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-15468\",\n \"modified\": \"2026-01-30T11:17:10.087231Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-66199\",\n \"modified\": \"2026-01-30T11:16:38.617961Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-68160\",\n \"modified\": \"2026-02-08T14:17:20.369697Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69418\",\n \"modified\": \"2026-02-08T14:17:22.909725Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69419\",\n \"modified\": \"2026-02-08T14:17:23.481787Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69420\",\n \"modified\": \"2026-02-08T14:17:16.244540Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-69421\",\n \"modified\": \"2026-02-08T14:17:06.852172Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9231\",\n \"modified\": \"2025-12-03T23:00:26.184987Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22795\",\n \"modified\": \"2026-02-08T14:17:23.817021Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22796\",\n \"modified\": \"2026-02-08T14:17:23.708503Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"5308\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_detector_preset\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1907\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.1.2-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.1-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.10.6-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20191127-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.1k-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"libtls-standalone\"\n },\n \"version\": \"2.9.1-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"musl\"\n },\n \"version\": \"1.1.22-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.2.3-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.30.1-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.10\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.11-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_insecure_alpine_image_with_specific_detector_enabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 136\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2021-36159\",\n \"modified\": \"2025-12-03T22:50:23.251262Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"136\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 2701\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.3-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.14.0-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"ca-certificates\"\n },\n \"version\": \"20230506-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"cryo\"\n },\n \"version\": \"0.0.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"libc-dev\"\n },\n \"version\": \"0.7.2-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.1.4-r5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"gcc\"\n },\n \"version\": \"13.2.1_git20231014-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"minimist\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"mkdirp\"\n },\n \"version\": \"0.5.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.4_git20230717-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"pax-utils\"\n },\n \"version\": \"1.3.7-r2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"busybox\"\n },\n \"version\": \"1.36.1-r15\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine:v3.19\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.3.1-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_node_modules_using_npm_with_some_packages\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2922\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-38f5-ghc2-fcmv\",\n \"modified\": \"2023-11-08T04:00:20.055238Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2024-13176\",\n \"modified\": \"2026-02-08T14:17:02.498117Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-2511\",\n \"modified\": \"2025-12-03T22:55:31.105344Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4603\",\n \"modified\": \"2025-12-03T22:57:04.661877Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-4741\",\n \"modified\": \"2025-12-03T22:57:09.616922Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-5535\",\n \"modified\": \"2025-12-03T22:57:32.699825Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-6119\",\n \"modified\": \"2025-12-03T22:57:47.097001Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-9143\",\n \"modified\": \"2025-12-03T22:57:50.413061Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9230\",\n \"modified\": \"2026-02-08T14:17:13.655545Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-9232\",\n \"modified\": \"2026-02-08T14:17:23.776473Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-vh95-rmgr-6w4m\",\n \"modified\": \"2026-03-13T22:11:31.390433Z\"\n },\n {\n \"id\": \"GHSA-xvch-5gv4-984h\",\n \"modified\": \"2026-03-13T22:11:59.523514Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2023-42363\",\n \"modified\": \"2025-12-03T22:53:19.595031Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42364\",\n \"modified\": \"2025-12-03T22:53:16.639859Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42365\",\n \"modified\": \"2025-12-03T22:53:18.372883Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2023-42366\",\n \"modified\": \"2025-12-03T22:53:21.200830Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2024-58251\",\n \"modified\": \"2025-12-03T22:57:45.619122Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2025-46394\",\n \"modified\": \"2025-12-03T22:59:20.065296Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2922\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14065\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"12ubuntu4.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.52build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.1-6ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.32-4.1ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.11+git20210903+057cd650a4ed-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.79ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"5.5-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.8-0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.21.1ubuntu2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.8.0-1ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.27-3ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-4ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.62\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.5.1-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-5build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.2build3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap2\"\n },\n \"version\": \"1:2.44-1ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.27-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.8ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.261ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.2-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.9.4-3ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.1+dfsg-3ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.7.3-4ubuntu1.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.43-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.2-2build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"keyutils\"\n },\n \"version\": \"1.6.1-2ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.9.3-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.5-2ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libnsl\"\n },\n \"version\": \"1.3.0-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.24.0-6build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre2\"\n },\n \"version\": \"10.39-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.3-2ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.3-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.0.2-0ubuntu1.18\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.18.0-4build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xxhash\"\n },\n \"version\": \"0.8.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.8+dfsg-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"perl\"\n },\n \"version\": \"5.34.0-3ubuntu1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.8-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"3.01-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"tar\"\n },\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2021.03.26\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"usrmerge\"\n },\n \"version\": \"25ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/scanning_ubuntu_image\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 11965\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-2781\",\n \"modified\": \"2026-03-18T06:32:17.714169Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-5278\",\n \"modified\": \"2026-03-18T07:55:13.290684Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-6297\",\n \"modified\": \"2026-02-04T03:36:18.990840Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2219\",\n \"modified\": \"2026-03-14T09:17:58.405826Z\"\n },\n {\n \"id\": \"USN-7768-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-3219\",\n \"modified\": \"2026-01-20T17:26:42.776809Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-30258\",\n \"modified\": \"2026-02-04T04:30:17.426918Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68972\",\n \"modified\": \"2026-01-20T19:15:15.770361Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68973\",\n \"modified\": \"2026-02-05T00:30:28.335358Z\"\n },\n {\n \"id\": \"USN-7412-1\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7412-2\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7946-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-1390\",\n \"modified\": \"2026-02-04T04:28:50.933288Z\"\n },\n {\n \"id\": \"USN-7287-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-2236\",\n \"modified\": \"2026-01-20T17:51:42.649938Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-12243\",\n \"modified\": \"2026-02-04T02:53:36.843010Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-14831\",\n \"modified\": \"2026-02-28T05:58:56.935176Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32988\",\n \"modified\": \"2026-02-04T02:15:37.273955Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32989\",\n \"modified\": \"2026-02-04T03:37:18.739300Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32990\",\n \"modified\": \"2026-02-04T03:31:01.615385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6395\",\n \"modified\": \"2026-02-04T03:31:22.603031Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9820\",\n \"modified\": \"2026-02-28T06:16:45.816014Z\"\n },\n {\n \"id\": \"USN-7281-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7635-1\",\n \"modified\": \"2026-02-10T04:49:34Z\"\n },\n {\n \"id\": \"USN-8043-1\",\n \"modified\": \"2026-02-17T22:00:37.652199Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-62813\",\n \"modified\": \"2025-10-27T08:32:45.494712Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-41409\",\n \"modified\": \"2025-10-24T04:53:52Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-13176\",\n \"modified\": \"2026-03-09T11:29:11.736076Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-41996\",\n \"modified\": \"2026-02-06T21:00:29.439853Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-9143\",\n \"modified\": \"2026-03-09T11:29:50.088989Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15467\",\n \"modified\": \"2026-03-05T18:42:43.606385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-27587\",\n \"modified\": \"2026-02-06T21:55:03.879396Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68160\",\n \"modified\": \"2026-02-12T06:59:44.011039Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69418\",\n \"modified\": \"2026-02-06T22:01:44.179826Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69419\",\n \"modified\": \"2026-02-12T06:59:40.921557Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69420\",\n \"modified\": \"2026-02-12T06:58:38.833674Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69421\",\n \"modified\": \"2026-03-02T12:02:19.670699Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9230\",\n \"modified\": \"2026-03-09T12:25:45.048270Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22795\",\n \"modified\": \"2026-02-12T06:58:35.942634Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22796\",\n \"modified\": \"2026-02-12T06:59:02.005868Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2673\",\n \"modified\": \"2026-03-18T08:04:38.900604Z\"\n },\n {\n \"id\": \"USN-7278-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7786-1\",\n \"modified\": \"2026-02-10T04:50:09Z\"\n },\n {\n \"id\": \"USN-7980-1\",\n \"modified\": \"2026-03-02T11:56:15.392710Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2021-46848\",\n \"modified\": \"2026-02-12T06:44:04.921097Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-12133\",\n \"modified\": \"2026-02-12T06:31:24.332995Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-13151\",\n \"modified\": \"2026-02-12T06:43:59.770392Z\"\n },\n {\n \"id\": \"USN-7275-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7954-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-4899\",\n \"modified\": \"2025-09-08T16:49:53Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-31486\",\n \"modified\": \"2025-10-24T05:01:58Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-47039\",\n \"modified\": \"2025-10-24T05:02:19Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56406\",\n \"modified\": \"2026-02-04T02:50:55.689079Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-40909\",\n \"modified\": \"2026-02-04T02:15:05.324531Z\"\n },\n {\n \"id\": \"USN-7434-1\",\n \"modified\": \"2026-02-10T04:47:48Z\"\n },\n {\n \"id\": \"USN-7678-1\",\n \"modified\": \"2026-02-10T04:49:41Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-45582\",\n \"modified\": \"2026-01-20T18:59:29.811906Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2026-27171\",\n \"modified\": \"2026-02-27T09:59:13Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"11965\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 14321\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.118ubuntu5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-files\"\n },\n \"version\": \"12ubuntu4.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.52build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bash\"\n },\n \"version\": \"5.1-6ubuntu1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"1:2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.32-4.1ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.11+git20210903+057cd650a4ed-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.79ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"debianutils\"\n },\n \"version\": \"5.5-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.8-0ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.21.1ubuntu2.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.8.0-1ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"fzf\"\n },\n \"version\": \"0.29.0-1ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.18.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnupg2\"\n },\n \"version\": \"2.2.27-3ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"grep\"\n },\n \"version\": \"3.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.10-4ubuntu4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.23ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.62\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"acl\"\n },\n \"version\": \"2.3.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"apt\"\n },\n \"version\": \"2.4.13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"attr\"\n },\n \"version\": \"1:2.5.1-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"audit\"\n },\n \"version\": \"1:3.0.7-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"bzip2\"\n },\n \"version\": \"1.0.8-5build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"glibc\"\n },\n \"version\": \"2.35-0ubuntu3.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap-ng\"\n },\n \"version\": \"0.7.9-2.2build3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libcap2\"\n },\n \"version\": \"1:2.44-1ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libxcrypt\"\n },\n \"version\": \"1:4.4.27-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"db5.3\"\n },\n \"version\": \"5.3.28+dfsg1-0.8ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"cdebconf\"\n },\n \"version\": \"0.261ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libffi\"\n },\n \"version\": \"3.4.2-4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.9.4-3ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gmp\"\n },\n \"version\": \"2:6.2.1+dfsg-3ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gnutls28\"\n },\n \"version\": \"3.7.3-4ubuntu1.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libgpg-error\"\n },\n \"version\": \"1.43-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libidn2\"\n },\n \"version\": \"2.3.2-2build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"keyutils\"\n },\n \"version\": \"1.6.1-2ubuntu3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"krb5\"\n },\n \"version\": \"1.19.2-2ubuntu0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lz4\"\n },\n \"version\": \"1.9.3-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.5-2ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"nettle\"\n },\n \"version\": \"3.7.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libnsl\"\n },\n \"version\": \"1.3.0-2build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"p11-kit\"\n },\n \"version\": \"0.24.0-6build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pam\"\n },\n \"version\": \"1.4.0-11ubuntu2.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre2\"\n },\n \"version\": \"10.39-3ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-13ubuntu0.22.04.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libseccomp\"\n },\n \"version\": \"2.5.3-2ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libselinux\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsemanage\"\n },\n \"version\": \"3.3-1build2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libsepol\"\n },\n \"version\": \"3.3-1build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"openssl\"\n },\n \"version\": \"3.0.2-0ubuntu1.18\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"gcc-12\"\n },\n \"version\": \"12.3.0-1ubuntu1~22.04\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.18.0-4build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libtirpc\"\n },\n \"version\": \"1.3.2-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"systemd\"\n },\n \"version\": \"249.11-0ubuntu3.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libunistring\"\n },\n \"version\": \"1.0-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"xxhash\"\n },\n \"version\": \"0.8.1-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"libzstd\"\n },\n \"version\": \"1.4.8+dfsg-3build1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.46.5-2ubuntu1.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"lsb\"\n },\n \"version\": \"11.1.0ubuntu4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.4.20200120-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ncurses\"\n },\n \"version\": \"6.3-2ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"shadow\"\n },\n \"version\": \"1:4.8.1-2ubuntu2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"perl\"\n },\n \"version\": \"5.34.0-3ubuntu1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"procps\"\n },\n \"version\": \"2:3.3.17-6ubuntu2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sed\"\n },\n \"version\": \"4.8-1ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.17\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"sysvinit\"\n },\n \"version\": \"3.01-1ubuntu1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"tar\"\n },\n \"version\": \"1.34+dfsg-1ubuntu0.1.22.04.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"ubuntu-keyring\"\n },\n \"version\": \"2021.03.26\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"usrmerge\"\n },\n \"version\": \"25ubuntu2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.37.2-4ubuntu3.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu:22.04\",\n \"name\": \"zlib\"\n },\n \"version\": \"1:1.2.11.dfsg-2ubuntu9.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_OCIImage_JSONFormat/ubuntu_image_with_go_OS_packages_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 17153\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-2781\",\n \"modified\": \"2026-03-18T06:32:17.714169Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-5278\",\n \"modified\": \"2026-03-18T07:55:13.290684Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-6297\",\n \"modified\": \"2026-02-04T03:36:18.990840Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2219\",\n \"modified\": \"2026-03-14T09:17:58.405826Z\"\n },\n {\n \"id\": \"USN-7768-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2022-0477\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0493\",\n \"modified\": \"2026-02-04T03:42:54.589715Z\"\n },\n {\n \"id\": \"GO-2022-0515\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0520\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0521\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0522\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0523\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0524\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0525\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0526\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0527\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0531\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0532\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0533\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0537\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-0969\",\n \"modified\": \"2026-02-04T02:41:02.475503Z\"\n },\n {\n \"id\": \"GO-2022-1037\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1038\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1039\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2022-1095\",\n \"modified\": \"2026-02-04T04:25:45.960420Z\"\n },\n {\n \"id\": \"GO-2022-1143\",\n \"modified\": \"2026-02-04T04:08:13.589543Z\"\n },\n {\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2026-02-04T04:29:40.352025Z\"\n },\n {\n \"id\": \"GO-2023-1568\",\n \"modified\": \"2026-02-04T02:54:08.789114Z\"\n },\n {\n \"id\": \"GO-2023-1569\",\n \"modified\": \"2026-02-04T03:22:48.161542Z\"\n },\n {\n \"id\": \"GO-2023-1570\",\n \"modified\": \"2026-02-04T02:57:33.465285Z\"\n },\n {\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2026-02-04T03:36:14.767832Z\"\n },\n {\n \"id\": \"GO-2023-1621\",\n \"modified\": \"2026-02-04T02:47:06.125087Z\"\n },\n {\n \"id\": \"GO-2023-1702\",\n \"modified\": \"2026-02-04T03:43:08.732164Z\"\n },\n {\n \"id\": \"GO-2023-1703\",\n \"modified\": \"2026-02-04T04:24:15.366665Z\"\n },\n {\n \"id\": \"GO-2023-1704\",\n \"modified\": \"2026-02-04T04:39:41.032390Z\"\n },\n {\n \"id\": \"GO-2023-1705\",\n \"modified\": \"2026-02-04T03:44:01.631552Z\"\n },\n {\n \"id\": \"GO-2023-1751\",\n \"modified\": \"2026-02-04T04:31:56.779446Z\"\n },\n {\n \"id\": \"GO-2023-1752\",\n \"modified\": \"2026-02-04T03:50:58.841420Z\"\n },\n {\n \"id\": \"GO-2023-1753\",\n \"modified\": \"2026-02-04T02:22:30.446388Z\"\n },\n {\n \"id\": \"GO-2023-1840\",\n \"modified\": \"2026-02-04T03:48:08.792378Z\"\n },\n {\n \"id\": \"GO-2023-1878\",\n \"modified\": \"2026-02-04T04:31:14.443108Z\"\n },\n {\n \"id\": \"GO-2023-1987\",\n \"modified\": \"2026-02-04T03:58:58.871084Z\"\n },\n {\n \"id\": \"GO-2023-2041\",\n \"modified\": \"2026-02-04T04:25:22.510281Z\"\n },\n {\n \"id\": \"GO-2023-2043\",\n \"modified\": \"2026-02-04T04:11:02.549923Z\"\n },\n {\n \"id\": \"GO-2023-2102\",\n \"modified\": \"2026-02-04T03:49:27.289895Z\"\n },\n {\n \"id\": \"GO-2023-2185\",\n \"modified\": \"2026-02-04T02:59:25.590966Z\"\n },\n {\n \"id\": \"GO-2023-2186\",\n \"modified\": \"2026-02-04T03:56:59.969208Z\"\n },\n {\n \"id\": \"GO-2023-2375\",\n \"modified\": \"2026-02-04T03:57:11.083315Z\"\n },\n {\n \"id\": \"GO-2023-2382\",\n \"modified\": \"2026-02-04T03:33:11.274886Z\"\n },\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-3219\",\n \"modified\": \"2026-01-20T17:26:42.776809Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-30258\",\n \"modified\": \"2026-02-04T04:30:17.426918Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68972\",\n \"modified\": \"2026-01-20T19:15:15.770361Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68973\",\n \"modified\": \"2026-02-05T00:30:28.335358Z\"\n },\n {\n \"id\": \"USN-7412-1\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7412-2\",\n \"modified\": \"2026-02-10T04:47:47Z\"\n },\n {\n \"id\": \"USN-7946-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2016-20013\",\n \"modified\": \"2026-02-03T07:12:11.178156Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-0395\",\n \"modified\": \"2026-02-06T21:35:29.229625Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15281\",\n \"modified\": \"2026-02-04T07:39:07.958164Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4802\",\n \"modified\": \"2026-02-04T04:09:49.871743Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8058\",\n \"modified\": \"2026-02-04T07:39:09.389770Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0861\",\n \"modified\": \"2026-02-04T07:39:03.415441Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-0915\",\n \"modified\": \"2026-02-23T00:02:27.504192Z\"\n },\n {\n \"id\": \"USN-7259-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7541-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n },\n {\n \"id\": \"USN-7760-1\",\n \"modified\": \"2026-02-10T04:49:49Z\"\n },\n {\n \"id\": \"USN-8005-1\",\n \"modified\": \"2026-02-23T00:13:53.339268Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-1390\",\n \"modified\": \"2026-02-04T04:28:50.933288Z\"\n },\n {\n \"id\": \"USN-7287-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-2236\",\n \"modified\": \"2026-01-20T17:51:42.649938Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-12243\",\n \"modified\": \"2026-02-04T02:53:36.843010Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-14831\",\n \"modified\": \"2026-02-28T05:58:56.935176Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32988\",\n \"modified\": \"2026-02-04T02:15:37.273955Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32989\",\n \"modified\": \"2026-02-04T03:37:18.739300Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-32990\",\n \"modified\": \"2026-02-04T03:31:01.615385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6395\",\n \"modified\": \"2026-02-04T03:31:22.603031Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9820\",\n \"modified\": \"2026-02-28T06:16:45.816014Z\"\n },\n {\n \"id\": \"USN-7281-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7635-1\",\n \"modified\": \"2026-02-10T04:49:34Z\"\n },\n {\n \"id\": \"USN-8043-1\",\n \"modified\": \"2026-02-17T22:00:37.652199Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2018-5709\",\n \"modified\": \"2025-10-24T04:46:51Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26458\",\n \"modified\": \"2026-02-04T03:00:45.815615Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-26461\",\n \"modified\": \"2026-02-04T04:19:35.724133Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-3596\",\n \"modified\": \"2026-02-04T04:28:06.065165Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-24528\",\n \"modified\": \"2026-02-04T04:40:58.959893Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-3576\",\n \"modified\": \"2026-02-04T02:50:47.063994Z\"\n },\n {\n \"id\": \"USN-7257-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7314-1\",\n \"modified\": \"2026-02-10T04:47:17Z\"\n },\n {\n \"id\": \"USN-7542-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-62813\",\n \"modified\": \"2025-10-27T08:32:45.494712Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-10041\",\n \"modified\": \"2026-01-20T19:07:32.667161Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6020\",\n \"modified\": \"2026-02-04T02:31:29.332885Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-8941\",\n \"modified\": \"2026-01-20T18:46:31.526274Z\"\n },\n {\n \"id\": \"USN-7580-1\",\n \"modified\": \"2026-02-10T04:49:00Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-41409\",\n \"modified\": \"2025-10-24T04:53:52Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2024-13176\",\n \"modified\": \"2026-03-09T11:29:11.736076Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-41996\",\n \"modified\": \"2026-02-06T21:00:29.439853Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-9143\",\n \"modified\": \"2026-03-09T11:29:50.088989Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-15467\",\n \"modified\": \"2026-03-05T18:42:43.606385Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-27587\",\n \"modified\": \"2026-02-06T21:55:03.879396Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-68160\",\n \"modified\": \"2026-02-12T06:59:44.011039Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69418\",\n \"modified\": \"2026-02-06T22:01:44.179826Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69419\",\n \"modified\": \"2026-02-12T06:59:40.921557Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69420\",\n \"modified\": \"2026-02-12T06:58:38.833674Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-69421\",\n \"modified\": \"2026-03-02T12:02:19.670699Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-9230\",\n \"modified\": \"2026-03-09T12:25:45.048270Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22795\",\n \"modified\": \"2026-02-12T06:58:35.942634Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-22796\",\n \"modified\": \"2026-02-12T06:59:02.005868Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-2673\",\n \"modified\": \"2026-03-18T08:04:38.900604Z\"\n },\n {\n \"id\": \"USN-7278-1\",\n \"modified\": \"2026-02-10T04:47:15Z\"\n },\n {\n \"id\": \"USN-7786-1\",\n \"modified\": \"2026-02-10T04:50:09Z\"\n },\n {\n \"id\": \"USN-7980-1\",\n \"modified\": \"2026-03-02T11:56:15.392710Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-27943\",\n \"modified\": \"2026-02-25T19:00:26.332370Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-4039\",\n \"modified\": \"2026-03-14T09:09:23.235151Z\"\n },\n {\n \"id\": \"USN-7700-1\",\n \"modified\": \"2026-02-10T04:49:46Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2021-46848\",\n \"modified\": \"2026-02-12T06:44:04.921097Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-12133\",\n \"modified\": \"2026-02-12T06:31:24.332995Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-13151\",\n \"modified\": \"2026-02-12T06:43:59.770392Z\"\n },\n {\n \"id\": \"USN-7275-1\",\n \"modified\": \"2026-02-10T04:46:30Z\"\n },\n {\n \"id\": \"USN-7954-1\",\n \"modified\": \"2026-02-10T04:50:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-7008\",\n \"modified\": \"2025-10-09T04:59:16Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-4598\",\n \"modified\": \"2026-02-04T02:49:04.264249Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2026-4105\",\n \"modified\": \"2026-03-18T08:05:12.098241Z\"\n },\n {\n \"id\": \"USN-7559-1\",\n \"modified\": \"2026-02-10T04:48:59Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2022-4899\",\n \"modified\": \"2025-09-08T16:49:53Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-50495\",\n \"modified\": \"2026-02-04T03:21:31.661318Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-6141\",\n \"modified\": \"2026-01-20T18:35:03.980742Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-29383\",\n \"modified\": \"2025-10-24T05:01:54Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56433\",\n \"modified\": \"2026-01-20T18:02:13.226633Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2023-31486\",\n \"modified\": \"2025-10-24T05:01:58Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2023-47039\",\n \"modified\": \"2025-10-24T05:02:19Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2024-56406\",\n \"modified\": \"2026-02-04T02:50:55.689079Z\"\n },\n {\n \"id\": \"UBUNTU-CVE-2025-40909\",\n \"modified\": \"2026-02-04T02:15:05.324531Z\"\n },\n {\n \"id\": \"USN-7434-1\",\n \"modified\": \"2026-02-10T04:47:48Z\"\n },\n {\n \"id\": \"USN-7678-1\",\n \"modified\": \"2026-02-10T04:49:41Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2025-45582\",\n \"modified\": \"2026-01-20T18:59:29.811906Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"USN-8091-1\",\n \"modified\": \"2026-03-13T23:29:29.779929Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2026-27171\",\n \"modified\": \"2026-02-27T09:59:13Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"17153\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/java-fixture/app/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/java-fixture/app/pom.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0-SNAPSHOT\n\n my-app\n https://osv.dev\n\n \n \n org.apache.hadoop\n hadoop-client\n 3.4.0\n \n \n org.apache.commons\n commons-compress\n 1.21\n \n \n \n \n \n maven-assembly-plugin\n \n \n \n com.mycompany.app.App\n \n \n \n jar-with-dependencies\n \n \n \n \n make-assembly\n package\n \n single\n \n \n \n \n \n \n\n \n 1.8\n 1.8\n \n\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/java-fixture/app/src/main/java/com/mycompany/app/App.java", "content": "package com.mycompany.app;\n\n/**\n * Hello world!\n *\n */\npublic class App\n{\n public static void main( String[] args )\n {\n System.out.println( \"Hello World!\" );\n }\n}\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/lockfile-fixture/alpine-zlib-16.cdx.json", "content": "{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2025-07-08T05:23:38Z\",\n \"tools\": {\n \"components\": [\n {\n \"type\": \"application\",\n \"name\": \"SCALIBR\",\n \"externalReferences\": [\n {\n \"url\": \"https://github.com/google/osv-scalibr\",\n \"type\": \"website\"\n }\n ]\n }\n ]\n },\n \"authors\": [\n {}\n ],\n \"component\": {\n \"bom-ref\": \"a5add6de-55de-40a9-aa0d-1f03de5ab308\",\n \"type\": \"\",\n \"name\": \"\"\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"6756e583-83d8-4a08-a573-d2e9506cbd93\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.12-r1\",\n \"purl\": \"pkg:apk/alpine/zlib@1.2.12-r1?arch=x86_64\\u0026distro=3.22.0\\u0026origin=zlib\",\n \"evidence\": {\n \"occurrences\": [\n {\n \"location\": \"lib/apk/db/installed\"\n }\n ]\n }\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/lockfile-fixture/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/go.mod", "content": "module ptf\n\ngo 1.22.4\n\nrequire github.com/BurntSushi/toml v1.4.0\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/go.sum", "content": "github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=\ngithub.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/main.go", "content": "package main\n\nimport (\n\t\"os\"\n\n\t\"github.com/BurntSushi/toml\"\n)\n\nfunc main() {\n\ttoml.NewEncoder(os.Stdout)\n}\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/package-tracing-fixture/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/python-fixture/main.py", "content": "def main():\n return 'Hello, World!'\n\nif __name__ == '__main__':\n main()\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/python-fixture/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/python-fixture/requirements.txt", "content": "flask==0.12.2 # Vulnerable to CVE-2019-1010083\ndjango==1.11.29 # Vulnerable to CVE-2021-35042\nrequests==2.20.0 # Vulnerable to CVE-2018-18074\n\n# Transitive deps\ncertifi==2025.11.12\nchardet==3.0.4\nclick==8.1.8\nDjango==1.11.29\nFlask==0.12.2\nidna==2.7\nitsdangerous==2.2.0\nJinja2==3.1.6\nMarkupSafe==3.0.3\npytz==2025.2\nrequests==2.20.0\nurllib3==1.24.3\nWerkzeug==3.1.4\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-alpine-etcshadow.Dockerfile", "content": "FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98\n\nRUN echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' >> /etc/shadow\nRUN echo 'user-descrypt:chERDiI95PGCQ' >> /etc/shadow\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-alpine-sbom.Dockerfile", "content": "FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98\n\nCOPY lockfile-fixture/alpine-zlib-16.cdx.json /data/alpine-zlib-16.cdx.json" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-alpine.Dockerfile", "content": "FROM alpine:3.10@sha256:451eee8bedcb2f029756dc3e9d73bab0e7943c1ac55cff3a4861c52a0fdd3e98\n\n# Switch the version to 3.18 to show the advisories published for the latest alpine versions\nCOPY \"alpine-3.18-alpine-release\" \"/etc/alpine-release\"\nCOPY \"alpine-3.18-os-release\" \"/etc/os-release\"\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-go-binary.Dockerfile", "content": "FROM golang:1.22.4-alpine3.20@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS build\n\nCOPY package-tracing-fixture/ /work\n\nRUN cd /work && go get github.com/BurntSushi/toml@v1.4.0 && go mod tidy\nRUN cd /work && go build .\nRUN cp /work/ptf /work/ptf-1.4.0\n\nFROM alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0\n\nCOPY --from=build /work/ptf-1.4.0 /go/bin/\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated/Cargo.toml", "content": "[package]\nname = \"rust_novuln_deprecated\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n[dependencies]\nurl = \"2.5.3\" # This is a deprecated (yanked) version\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated/src/main.rs", "content": "use url::Url;\n\nfn main() {\n let _ = Url::parse(\"https://google.com\"); // Just something to make sure the url crate is in the binary\n println!(\"Hello, world!\");\n}\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-image-with-deprecated.Dockerfile", "content": "FROM rust:1.91.1-alpine3.22@sha256:8efbfb788786eeb127adc581394349c5fb567712156e0f8c2e499acadbc23756 AS builder\n\nRUN cargo install cargo-auditable\n\nWORKDIR /app\nCOPY test-image-with-deprecated/ .\n\n# Build project with auditable as per doc\nRUN cargo auditable build --release\n\nFROM alpine:3.22.2@sha256:4b7ce07002c69e8f3d704a9c5d6fd3053be500b7f1c69fc0d80990c2ad8dd412\nCOPY --from=builder /app/target/release/rust_novuln_deprecated /app/rust_novuln_deprecated\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-java-full.Dockerfile", "content": "# Use the official OpenJDK image as the base image\n# TODO: This has been deprecated and we might want to switch to another image\nFROM openjdk:25-jdk-slim@sha256:34f10f3a1a5b638184ebd1c5c1b4aa4c49616ae3e5c1e845f0ac18c5332b5c6f\n\nRUN apt update && apt install -y maven\n\n# Set the working directory inside the container\nWORKDIR /app\n\n# Copy the project files into the container\nCOPY ./java-fixture/app .\n\n# Download dependencies with maven\nRUN mvn clean package\n\nFROM eclipse-temurin:21-jre-alpine-3.21@sha256:7832115c38e9359db1156f94f9228fdf1341388f17dbd9df6c45727d233d1f5f\n\nWORKDIR /app\n\nCOPY --from=0 /app/target/my-app-1.0-SNAPSHOT-jar-with-dependencies.jar target.jar\n\n# Set the entry point to run the JAR file\nENTRYPOINT [\"java\", \"-jar\", \"target.jar\"]\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-npm-empty.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"10.2.4\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"npm@$MANAGER_VERSION\"\n\n# initialize the package.json using the manager\nRUN npm init -y\n\n# ensure that we finish fully installed\nRUN npm install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-npm-full.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"10.2.4\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"npm@$MANAGER_VERSION\"\n\n# initialize the package.json using the manager\nRUN npm init -y\n\n# install a few dependencies at specific versions\nRUN npm i mkdirp@0.5.0\nRUN npm i -d cryo@0.0.6\n\n# ensure that we finish fully installed\nRUN npm install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-pnpm-empty.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"8.15.4\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"pnpm@$MANAGER_VERSION\"\n\n# initialize the package.json using the manager\nRUN pnpm init\n\n# ensure that we finish fully installed\nRUN pnpm install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-pnpm-full.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"8.15.4\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"pnpm@$MANAGER_VERSION\"\n\n# initialize the package.json using the manager\nRUN pnpm init\n\n# install a few dependencies at specific versions\nRUN pnpm add mkdirp@0.5.0\nRUN pnpm add -d cryo@0.0.6\n\n# ensure that we finish fully installed\nRUN pnpm install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-yarn-empty.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"1.22.22\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"yarn@$MANAGER_VERSION\" --force\n\n# initialize the package.json using the manager\nRUN yarn init -y\n\n# ensure that we finish fully installed\nRUN yarn install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-node_modules-yarn-full.Dockerfile", "content": "FROM node:20-alpine@sha256:c0a3badbd8a0a760de903e00cedbca94588e609299820557e72cba2a53dbaa2c\n\nARG MANAGER_VERSION=\"1.22.22\"\n\nWORKDIR /prod/app\n\n# install the desired package manager\nRUN npm i -g \"yarn@$MANAGER_VERSION\" --force\n\n# initialize the package.json using the manager\nRUN yarn init -y\n\n# install a few dependencies at specific versions\nRUN yarn add mkdirp@0.5.0\nRUN yarn add --dev cryo@0.0.6\n\n# ensure that we finish fully installed\nRUN yarn install\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-package-tracing.Dockerfile", "content": "FROM golang:1.22.4-alpine3.20@sha256:ace6cc3fe58d0c7b12303c57afe6d6724851152df55e08057b43990b927ad5e8 AS build\n\nCOPY package-tracing-fixture/ /work\n\nRUN cd /work && go get github.com/BurntSushi/toml@v1.4.0 && go mod tidy\nRUN cd /work && go build .\nRUN cp /work/ptf /work/ptf-1.4.0\n\nRUN cd /work && go get github.com/BurntSushi/toml@v1.3.0 && go mod tidy\nRUN cd /work && go build .\nRUN cp /work/ptf /work/ptf-1.3.0\n\nRUN cd /work && go get github.com/BurntSushi/toml@v1.2.0 && go mod tidy\nRUN cd /work && go build .\nRUN cp /work/ptf /work/ptf-1.2.0\n\n# RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.3.0\n# RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.3.0\n# RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.8.1\n# RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.8.1\n# RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1.5.0\n# RUN cp /go/bin/osv-scanner /go/bin/osv-scanner-1.5.0\n\nFROM alpine:3.20.1@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0\n\nCOPY --from=build /work/ptf-1.2.0 /work/ptf-1.3.0 /work/ptf-1.4.0 /go/bin/\n\n# This tests when a file that exists in the final layer doesn't exist in one intermediate layer\nRUN mv /go/bin/ptf-1.3.0 /go/bin/ptf-1.3.0-moved\nRUN cp /go/bin/ptf-1.3.0-moved /go/bin/ptf-1.3.0\n\n# This tests when a file only exist in a intermediate layer\nRUN cp /go/bin/ptf-1.3.0 /go/bin/ptf-1.3.0-copy\nRUN rm /go/bin/ptf-1.3.0-copy\n\n# This tests when a less vulnerable file overwrites a more vulnerable file\n# This tests when a less vulnerable file overwrites a more vulnerable file\nRUN cp /go/bin/ptf-1.3.0 /go/bin/ptf-vulnerable\nRUN cp /go/bin/ptf-1.4.0 /go/bin/ptf-vulnerable\n\n# This tests when a more vulnerable file overwrites a less vulnerable file\nRUN cp /go/bin/ptf-1.4.0 /go/bin/more-vuln-overwrite-less-vuln\nRUN cp /go/bin/ptf-1.2.0 /go/bin/more-vuln-overwrite-less-vuln\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-python-empty.Dockerfile", "content": "# Use the official Debian image as the base\nFROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990\n\n# Set the working directory in the container\nWORKDIR /app\n\n# Copy the rest of the application code into the container\nCOPY python-fixture/main.py main.py\n\n# Specify the command to run when the container starts\nCMD [\"python\", \"main.py\"]\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-python-full.Dockerfile", "content": "# Use the official Debian image as the base\nFROM python:3.9-slim-buster@sha256:320a7a4250aba4249f458872adecf92eea88dc6abd2d76dc5c0f01cac9b53990\n\n# Set the working directory in the container\nWORKDIR /app\n\n# Copy the requirements file into the container\nCOPY ./python-fixture/requirements.txt .\n\n# Install the Python dependencies\nRUN pip install --no-cache-dir -r requirements.txt\n\n# Copy the rest of the application code into the container\nCOPY python-fixture/main.py main.py\n\n# Specify the command to run when the container starts\nCMD [\"python\", \"main.py\"]\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-ubuntu-20-04.Dockerfile", "content": "FROM ubuntu:20.04@sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-ubuntu-with-packages.Dockerfile", "content": "FROM ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5cc9c48e0705d07b678ab6ae3fb61952d2\n\n# Install fzf from a existing build to keep it pinned to a specific version\nCOPY ./sample-pkgs/fzf_0.29.0-1ubuntu0.1_amd64.deb /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb\nRUN dpkg -i /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb && rm /tmp/fzf_0.29.0-1ubuntu0.1_amd64.deb\n\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/test-ubuntu.Dockerfile", "content": "FROM ubuntu:22.04@sha256:ed1544e454989078f5dec1bfdabd8c5cc9c48e0705d07b678ab6ae3fb61952d2\n" }, { "path": "cmd/osv-scanner/scan/image/testdata/ubuntu20-04-unimportant-config.toml", "content": "[[PackageOverrides]]\nname = \"coreutils\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"gcc-10\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"glibc\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"gnupg2\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"libgcrypt20\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"libtasn1-6\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"ncurses\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"pam\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"pcre2\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"perl\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"shadow\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"systemd\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"dpkg\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"gnutls28\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"tar\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"lz4\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"util-linux\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n\n[[PackageOverrides]]\nname = \"zlib\"\nreason = \"Just want to test only unimportant vulns\"\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/image/testmain_test.go", "content": "package image_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/image\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tconfig.OSVScannerConfigName = \"osv-scanner-test.toml\"\n\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{image.Command}\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/scan/source/__snapshots__/command_test.snap", "content": "\n[TestCommand/.gitignored_files - 1]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/.gitignored_files - 2]\n\n---\n\n[TestCommand/Empty_cyclonedx_1.4_output - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestCommand/Empty_cyclonedx_1.4_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/Empty_cyclonedx_1.5_output - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestCommand/Empty_cyclonedx_1.5_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/Empty_gh-annotations_output - 1]\n\n---\n\n[TestCommand/Empty_gh-annotations_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/Empty_sarif_output - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"/r/n\",\n \"/n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"properties\": {}\n}\n\n---\n\n[TestCommand/Empty_sarif_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/Empty_spdx_2.3_output - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/uuid-placeholder-0\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"2025-01-01T01:01:01Z\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestCommand/Empty_spdx_2.3_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version - 1]\nScanning dir ./testdata/go-project\nScanned /testdata/go-project/go.mod file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version - 2]\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version,_recursive - 1]\nScanning dir ./testdata/go-project\nScanned /testdata/go-project/go.mod file and found 1 package\nScanned /testdata/go-project/nested/go.mod file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version,_recursive - 2]\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version_and_licences - 1]\nScanning dir ./testdata/go-project\nScanned /testdata/go-project/go.mod file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+--------------+-------------------------+\n| BSD-3-Clause | 1 |\n+--------------+-------------------------+\n\n---\n\n[TestCommand/Go_project_with_an_overridden_go_version_and_licences - 2]\n\n---\n\n[TestCommand/PURL_SBOM_case_sensitivity_(api) - 1]\nScanning dir ./testdata/sbom-insecure/alpine.cdx.xml\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n\n---\n\n[TestCommand/PURL_SBOM_case_sensitivity_(api) - 2]\n\n---\n\n[TestCommand/PURL_SBOM_case_sensitivity_(local) - 1]\nScanning dir ./testdata/sbom-insecure/alpine.cdx.xml\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nFiltered 1 local/unscannable package/s from the scan.\nLoaded Alpine local db from /osv-scanner/Alpine/all.zip\n\nTotal 2 packages affected by 9 known vulnerabilities (3 Critical, 5 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2016-9840 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2016-9841 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2016-9842 | 8.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2016-9843 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n\n---\n\n[TestCommand/PURL_SBOM_case_sensitivity_(local) - 2]\n\n---\n\n[TestCommand/Sarif_with_vulns - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///testdata/locks-many-with-insecure/package-lock.json\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"/r/n\",\n \"/n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///testdata/locks-many-with-insecure/package-lock.json\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'ansi-html@0.0.1' is vulnerable to 'CVE-2021-23424' (also known as 'GHSA-whgm-jr23-g3j9').\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2021-23424\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"CVE-2021-23424\",\n \"GHSA-whgm-jr23-g3j9\"\n ],\n \"fullDescription\": {\n \"markdown\": \"This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\",\n \"text\": \"This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\\n\\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2021-23424\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [CVE-2021-23424](https://osv.dev/CVE-2021-23424)**.\\n\\n## [GHSA-whgm-jr23-g3j9](https://osv.dev/GHSA-whgm-jr23-g3j9)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e This affects all versions of package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-many-with-insecure/package-lock.json | ansi-html | 0.0.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GHSA-whgm-jr23-g3j9 | ansi-html | 0.0.8 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-many-with-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2021-23424\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"CVE-2021-23424\",\n \"name\": \"CVE-2021-23424\",\n \"properties\": {\n \"security-severity\": \"7.5\"\n },\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"CVE-2021-23424: Uncontrolled Resource Consumption in ansi-html\",\n \"text\": \"CVE-2021-23424: Uncontrolled Resource Consumption in ansi-html\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"properties\": {}\n}\n\n---\n\n[TestCommand/Sarif_with_vulns - 2]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/Scan_locks-many - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand/Scan_locks-many - 2]\n\n---\n\n[TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked - 1]\nScanning dir ./testdata/locks-many-with-invalid\nScanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked - 2]\nError during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string\n\n---\n\n[TestCommand/config_file_can_be_broad - 1]\nScanning dir ./testdata/locks-many-with-insecure\nScanning dir ./testdata/locks-insecure\nScanning dir ./testdata/maven-transitive\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nScanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages\nScanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package\nScanned /testdata/maven-transitive/pom.xml file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\nPackage npm/has-flag/4.0.0 has been filtered out because: (no reason given)\nPackage npm/wrappy/1.0.2 has been filtered out because: (no reason given)\nPackage npm/ansi-html/0.0.1 has been filtered out because: (no reason given)\nPackage npm/balanced-match/1.0.2 has been filtered out because: (no reason given)\nPackage Maven/org.apache.logging.log4j:log4j-api/2.14.1 has been filtered out because: it makes the table output really really long\nPackage Maven/org.apache.logging.log4j:log4j-core/2.14.1 has been filtered out because: it makes the table output really really long\nPackage Maven/org.apache.logging.log4j:log4j-web/2.14.1 has been filtered out because: it makes the table output really really long\nFiltered 7 ignored package/s from the scan.\noverriding license for package Packagist/league/flysystem/1.0.8 with 0BSD\noverriding license for package Alpine/alpine-baselayout/3.4.0-r0 with MIT\noverriding license for package Alpine/alpine-baselayout-data/3.4.0-r0 with MIT\noverriding license for package Alpine/alpine-keys/2.4-r1 with MIT\noverriding license for package Alpine/apk-tools/2.12.10-r1 with MIT\noverriding license for package Alpine/busybox-binsh/1.36.1-r27 with MIT\noverriding license for package Alpine/ca-certificates-bundle/20220614-r4 with MIT\noverriding license for package Alpine/libc-utils/0.7.2-r3 with MIT\noverriding license for package Alpine/libcrypto3/3.0.8-r0 with MIT\noverriding license for package Alpine/libssl3/3.0.8-r0 with MIT\noverriding license for package Alpine/musl/1.2.3-r4 with MIT\noverriding license for package Alpine/musl-utils/1.2.3-r4 with MIT\noverriding license for package Alpine/scanelf/1.3.5-r1 with MIT\noverriding license for package Alpine/ssl_client/1.36.1-r27 with MIT\noverriding license for package Alpine/zlib/1.2.13-r0 with MIT\noverriding license for package Packagist/drupal/core/10.4.5 with 0BSD\noverriding license for package Packagist/drupal/simple_sitemap/4.2.1 with 0BSD\noverriding license for package Packagist/drupal/tfa/2.0.0-alpha4 with 0BSD\noverriding license for package Packagist/league/flysystem/1.0.8 with 0BSD\noverriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD\noverriding license for package Packagist/theseer/tokenizer/1.1.3 with 0BSD\n\nTotal 6 packages affected by 10 known vulnerabilities (2 Critical, 2 High, 2 Medium, 3 Low, 1 Unknown) from 4 ecosystems.\n6 vulnerabilities can be fixed.\n\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock |\n| https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | |\n| https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+--------------------------------------------------+\n+---------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+---------+-------------------------+\n| MIT | 15 |\n| 0BSD | 7 |\n| UNKNOWN | 5 |\n+---------+-------------------------+\n+-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+\n| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock |\n| UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |\n| UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |\n| UNKNOWN | | https://chromium.googlesource.com/chromium/src | | testdata/locks-insecure/osv-scanner-flutter-deps.json |\n| UNKNOWN | | https://github.com/brendan-duncan/archive.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |\n| UNKNOWN | | https://github.com/flutter/buildroot.git | | testdata/locks-insecure/osv-scanner-flutter-deps.json |\n| 0BSD | Packagist | drupal/core | 10.4.5 | testdata/locks-many-with-insecure/composer.lock |\n| 0BSD | Packagist | drupal/simple_sitemap | 4.2.1 | testdata/locks-many-with-insecure/composer.lock |\n| 0BSD | Packagist | drupal/tfa | 2.0.0-alpha4 | testdata/locks-many-with-insecure/composer.lock |\n| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-many-with-insecure/composer.lock |\n| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many-with-insecure/composer.lock |\n| 0BSD | Packagist | theseer/tokenizer | 1.1.3 | testdata/locks-many-with-insecure/composer.lock |\n+-------------------+-----------+------------------------------------------------+--------------+-------------------------------------------------------+\n\n---\n\n[TestCommand/config_file_can_be_broad - 2]\n\n---\n\n[TestCommand/config_file_is_invalid - 1]\nScanning dir ./testdata/config-invalid\nScanned /testdata/config-invalid/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand/config_file_is_invalid - 2]\nIgnored invalid config file at /testdata/config-invalid/osv-scanner-test.toml because: toml: line 1: expected '.' or '=', but got '!' instead\n\n---\n\n[TestCommand/config_files_cannot_have_unknown_keys - 1]\n\n---\n\n[TestCommand/config_files_cannot_have_unknown_keys - 2]\nFailed to read config file: unknown keys in config file: RustVersionOverride, PackageOverrides.skip, PackageOverrides.license.skip\nunknown keys in config file: RustVersionOverride, PackageOverrides.skip, PackageOverrides.license.skip\n\n---\n\n[TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id - 1]\nwarning: ./testdata/osv-scanner-duplicate-config.toml has multiple ignores for GO-2022-0274 - only the first will be used!\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n./testdata/osv-scanner-duplicate-config.toml has unused ignores:\n - GO-2022-0274\n - GO-2022-0274\n - GHSA-whgm-jr23-g3j9\n - CVE-2025-26519\nNo issues found\n\n---\n\n[TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id - 2]\n\n---\n\n[TestCommand/cyclonedx_1.4_output - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/league/flysystem@1.0.8\",\n \"type\": \"library\",\n \"name\": \"league/flysystem\",\n \"version\": \"1.0.8\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/league/flysystem@1.0.8\"\n },\n {\n \"bom-ref\": \"pkg:golang/stdlib@1.99.9\",\n \"type\": \"library\",\n \"name\": \"stdlib\",\n \"version\": \"1.99.9\",\n \"licenses\": [],\n \"purl\": \"pkg:golang/stdlib@1.99.9\"\n },\n {\n \"bom-ref\": \"pkg:golang/toolchain@1.99.9\",\n \"type\": \"library\",\n \"name\": \"toolchain\",\n \"version\": \"1.99.9\",\n \"licenses\": [],\n \"purl\": \"pkg:golang/toolchain@1.99.9\"\n },\n {\n \"bom-ref\": \"pkg:npm/has-flag@4.0.0\",\n \"type\": \"library\",\n \"name\": \"has-flag\",\n \"version\": \"4.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/has-flag@4.0.0\"\n },\n {\n \"bom-ref\": \"pkg:npm/wrappy@1.0.2\",\n \"type\": \"library\",\n \"name\": \"wrappy\",\n \"version\": \"1.0.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/wrappy@1.0.2\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"references\": [\n {\n \"id\": \"CVE-2021-32708\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"method\": \"CVSSv3\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"description\": \"Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem\",\n \"detail\": \"### Impact\\n\\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\\n\\nThe conditions: \\n\\n- A user is allowed to supply the path or filename of an uploaded file.\\n- The supplied path or filename is not checked against unicode chars.\\n- The supplied pathname checked against an extension deny-list, not an allow-list.\\n- The supplied path or filename contains a unicode whitespace char in the extension.\\n- The uploaded file is stored in a directory that allows PHP code to be executed.\\n\\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\\n\\n### Patches\\n\\nThe unicode whitespace removal has been replaced with a rejection (exception).\\n\\nThe library has been patched in:\\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\\n\\n### Workarounds\\n\\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\\n\",\n \"advisories\": [\n {\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-32708\"\n }\n ],\n \"published\": \"2021-06-29T03:13:28Z\",\n \"updated\": \"2026-03-13T22:01:08Z\",\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": [\n {\n \"ref\": \"pkg:composer/league/flysystem\"\n }\n ]\n }\n ]\n}\n\n---\n\n[TestCommand/cyclonedx_1.4_output - 2]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/cyclonedx_1.5_output - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/league/flysystem@1.0.8\",\n \"type\": \"library\",\n \"name\": \"league/flysystem\",\n \"version\": \"1.0.8\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/league/flysystem@1.0.8\"\n },\n {\n \"bom-ref\": \"pkg:golang/stdlib@1.99.9\",\n \"type\": \"library\",\n \"name\": \"stdlib\",\n \"version\": \"1.99.9\",\n \"licenses\": [],\n \"purl\": \"pkg:golang/stdlib@1.99.9\"\n },\n {\n \"bom-ref\": \"pkg:golang/toolchain@1.99.9\",\n \"type\": \"library\",\n \"name\": \"toolchain\",\n \"version\": \"1.99.9\",\n \"licenses\": [],\n \"purl\": \"pkg:golang/toolchain@1.99.9\"\n },\n {\n \"bom-ref\": \"pkg:npm/has-flag@4.0.0\",\n \"type\": \"library\",\n \"name\": \"has-flag\",\n \"version\": \"4.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/has-flag@4.0.0\"\n },\n {\n \"bom-ref\": \"pkg:npm/wrappy@1.0.2\",\n \"type\": \"library\",\n \"name\": \"wrappy\",\n \"version\": \"1.0.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/wrappy@1.0.2\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"references\": [\n {\n \"id\": \"CVE-2021-32708\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"method\": \"CVSSv3\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"description\": \"Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem\",\n \"detail\": \"### Impact\\n\\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\\n\\nThe conditions: \\n\\n- A user is allowed to supply the path or filename of an uploaded file.\\n- The supplied path or filename is not checked against unicode chars.\\n- The supplied pathname checked against an extension deny-list, not an allow-list.\\n- The supplied path or filename contains a unicode whitespace char in the extension.\\n- The uploaded file is stored in a directory that allows PHP code to be executed.\\n\\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\\n\\n### Patches\\n\\nThe unicode whitespace removal has been replaced with a rejection (exception).\\n\\nThe library has been patched in:\\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\\n\\n### Workarounds\\n\\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\\n\",\n \"advisories\": [\n {\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-32708\"\n }\n ],\n \"published\": \"2021-06-29T03:13:28Z\",\n \"updated\": \"2026-03-13T22:01:08Z\",\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": [\n {\n \"ref\": \"pkg:composer/league/flysystem\"\n }\n ]\n }\n ]\n}\n\n---\n\n[TestCommand/cyclonedx_1.5_output - 2]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/exclude_with_exact_directory_name - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/exclude_with_exact_directory_name - 2]\n\n---\n\n[TestCommand/exclude_with_glob_pattern - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/exclude_with_glob_pattern - 2]\n\n---\n\n[TestCommand/exclude_with_invalid_regex_returns_error - 1]\nScanning dir ./testdata/locks-many\n---\n\n[TestCommand/exclude_with_invalid_regex_returns_error - 2]\nfailed to parse exclude patterns: invalid regex pattern \"[invalid\": error parsing regexp: missing closing ]: `[invalid`\n\n---\n\n[TestCommand/exclude_with_multiple_exact_directories - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/exclude_with_multiple_exact_directories - 2]\n\n---\n\n[TestCommand/exclude_with_multiple_pattern_types - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/exclude_with_multiple_pattern_types - 2]\n\n---\n\n[TestCommand/exclude_with_regex_pattern - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/exclude_with_regex_pattern - 2]\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_only_unimportant - 1]\nScanning dir ./testdata/sbom-insecure/only-unimportant.spdx.json\nScanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_only_unimportant - 2]\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_only_unimportant#01 - 1]\nScanning dir ./testdata/sbom-insecure/only-unimportant.spdx.json\nScanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+\n| Unimportant vulnerabilities | | | | | | |\n+---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+\n| https://osv.dev/UBUNTU-CVE-2017-11164 | 7.5 | Ubuntu | pcre3 | 2:8.39-12ubuntu0.1 | -- | testdata/sbom-insecure/only-unimportant.spdx.json |\n+---------------------------------------+------+-----------+---------+--------------------+---------------+---------------------------------------------------+\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_only_unimportant#01 - 2]\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_vulns - 1]\nScanning dir ./testdata/sbom-insecure/\nScanned /testdata/sbom-insecure/alpine-zlib-16.cdx.json file and found 1 package\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages\nScanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package\nScanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages\nScanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 10 local/unscannable package/s from the scan.\n\nTotal 26 packages affected by 181 known vulnerabilities (21 Critical, 77 High, 56 Medium, 3 Low, 24 Unknown) from 4 ecosystems.\n11 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | |\n| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | |\n| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | |\n| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | |\n| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | |\n| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | |\n| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | |\n| https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | |\n| https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | |\n| https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | |\n| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3910-1 | | | | | | |\n| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3263-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | |\n| https://osv.dev/DLA-3878-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4319-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | |\n| https://osv.dev/DLA-3530-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | |\n| https://osv.dev/DLA-3942-1 | | | | | | |\n| https://osv.dev/DLA-3942-2 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4176-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | |\n| https://osv.dev/DLA-3926-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3755-1 | | | | | | |\n| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n\n---\n\n[TestCommand/folder_of_supported_sbom_with_vulns - 2]\n\n---\n\n[TestCommand/gh-annotations_with_vulns - 1]\n\n---\n\n[TestCommand/gh-annotations_with_vulns - 2]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n::error file=testdata/locks-many-with-insecure/package-lock.json::testdata/locks-many-with-insecure/package-lock.json%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+-----------+-------------------------------------+------+-----------------+---------------+%0A| ansi-html | https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | 0.0.1 | 0.0.8 |%0A+-----------+-------------------------------------+------+-----------------+---------------+\n---\n\n[TestCommand/go_packages_in_osv-scanner.json_format - 1]\nScanned /testdata/locks-insecure/osv-scanner.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 2 packages affected by 24 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 24 Unknown) from 1 ecosystem.\n24 vulnerabilities can be fixed.\n\n+------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+\n| https://osv.dev/GO-2025-3849 | | Go | stdlib | 1.24.4 | 1.24.6 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-3956 | | Go | stdlib | 1.24.4 | 1.24.6 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4006 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4007 | | Go | stdlib | 1.24.4 | 1.24.9 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4008 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4009 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4010 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4011 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4012 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4013 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4014 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4015 | | Go | stdlib | 1.24.4 | 1.24.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4155 | | Go | stdlib | 1.24.4 | 1.24.11 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-4175 | | Go | stdlib | 1.24.4 | 1.24.11 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4337 | | Go | stdlib | 1.24.4 | 1.24.13 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4340 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4341 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4342 | | Go | stdlib | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4601 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4602 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4603 | | Go | stdlib | 1.24.4 | 1.25.8 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2025-3828 | | Go | toolchain | 1.24.4 | 1.24.5 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4339 | | Go | toolchain | 1.24.4 | 1.24.12 | testdata/locks-insecure/osv-scanner.json |\n| https://osv.dev/GO-2026-4433 | | Go | toolchain | 1.24.4 | 1.24.13 | testdata/locks-insecure/osv-scanner.json |\n+------------------------------+------+-----------+-----------+---------+---------------+------------------------------------------+\n\n---\n\n[TestCommand/go_packages_in_osv-scanner.json_format - 2]\n\n---\n\n[TestCommand/help - 1]\nNAME:\n osv-scanner source - scans a source project's dependencies for known vulnerabilities using the OSV database.\n\nUSAGE:\n osv-scanner source [options] [directory1 directory2...]\n\nDESCRIPTION:\n scans a source project's dependencies for known vulnerabilities using the OSV database.\n\nOPTIONS:\n --lockfile string, -L string [ --lockfile string, -L string ] scan package lockfile on this path\n --sbom string, -S string [ --sbom string, -S string ] [DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec\n --recursive, -r check subdirectories\n --no-ignore also scan files that would be ignored by .gitignore\n --include-git-root include scanning git root (non-submoduled) repositories\n --experimental-exclude string [ --experimental-exclude string ] exclude directory paths during scanning; use g:pattern for glob, r:pattern for regex, or just dirname for exact match (can be repeated)\n --data-source string source to fetch package information from; value can be: deps.dev, native (default: \"deps.dev\")\n --maven-registry string URL of the default registry to fetch Maven metadata\n --config string set/override config file\n --format string, -f string sets the output format; value can be: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3 (default: \"table\")\n --serve output as HTML result and serve it locally\n --port string port number to use when serving HTML report (default: 8000)\n --output string [DEPRECATED] (Use \"--output-file\" instead) saves the result to the given file path\n --output-file string saves the result to the given file path\n --verbosity string specify the level of information that should be provided during runtime; value can be: error, warn, info (default: \"info\")\n --offline run in offline mode, disabling any features requiring network access\n --offline-vulnerabilities checks for vulnerabilities using local databases that are already cached\n --download-offline-databases downloads vulnerability databases for offline comparison\n --call-analysis string [ --call-analysis string ] Enable call analysis for specific languages (e.g. --call-analysis=go). Supported: go, rust (*). (*) Will run build scripts.\n --no-call-analysis string [ --no-call-analysis string ] disables call graph analysis\n --no-resolve disable transitive dependency resolution of manifest files\n --allow-no-lockfiles has the scanner consider no lockfiles being found as ok\n --all-packages when json output is selected, prints all packages\n --all-vulns show all vulnerabilities including unimportant and uncalled ones\n --licenses value report on licenses based on an allowlist\n --experimental-flag-deprecated-packages report if package versions are deprecated\n --experimental-plugins string [ --experimental-plugins string ] list of specific plugins and presets of plugins to use (default: \"lockfile\", \"sbom\", \"directory\")\n --experimental-disable-plugins string [ --experimental-disable-plugins string ] list of specific plugins and presets of plugins to not use\n --experimental-no-default-plugins disable default plugins, instead using only those enabled by --experimental-plugins\n --help, -h show help\n\n---\n\n[TestCommand/help - 2]\n\n---\n\n[TestCommand/ignores_without_reason_should_be_explicitly_called_out - 1]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nPackage Packagist/sentry/sdk/2.0.4 has been filtered out because: (no reason given)\nFiltered 1 ignored package/s from the scan.\nGHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given)\nFiltered 1 vulnerability from output\nNo issues found\n\n---\n\n[TestCommand/ignores_without_reason_should_be_explicitly_called_out - 2]\n\n---\n\n[TestCommand/ignoring_.gitignore - 1]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/ignoring_.gitignore - 2]\n\n---\n\n[TestCommand/invalid_--verbosity_value - 1]\n\n---\n\n[TestCommand/invalid_--verbosity_value - 2]\ninvalid verbosity level \"unknown\" - must be one of: error, warn, info\n\n---\n\n[TestCommand/json_output - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand/json_output - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\n---\n\n[TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed - 2]\n\n---\n\n[TestCommand/no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine - 1]\nScanning dir ./testdata/locks-none-does-not-exist\n\n---\n\n[TestCommand/no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine - 2]\nfailed to resolve path: stat /testdata/locks-none-does-not-exist: no such file or directory\n\n---\n\n[TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine - 1]\nScanning dir ./testdata/locks-none\nScanned /testdata/locks-none/nested/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine - 2]\n\n---\n\n[TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine - 1]\nScanning dir ./testdata/locks-none\nScanned /testdata/locks-none/nested/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine - 2]\n\n---\n\n[TestCommand/no_lockfiles_without_recursion_but_with_allow_flag_are_fine - 1]\nScanning dir ./testdata/locks-none\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo package sources found\nNo issues found\n\n---\n\n[TestCommand/no_lockfiles_without_recursion_but_with_allow_flag_are_fine - 2]\n\n---\n\n[TestCommand/no_lockfiles_without_recursion_or_allow_flag_give_an_error - 1]\nScanning dir ./testdata/locks-none\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/no_lockfiles_without_recursion_or_allow_flag_give_an_error - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 1]\nWarning: --sbom has been deprecated in favor of -L\n\n---\n\n[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names - 2]\nFailed to parse SBOM \"./testdata/locks-many/composer.lock\": Invalid SBOM filename.\nIf you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.\ninvalid SBOM filename: ./testdata/locks-many/composer.lock\n\n---\n\n[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 1]\n\n---\n\n[TestCommand/one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag - 2]\ncould not determine extractor, requested spdx\n\n---\n\n[TestCommand/one_specific_supported_lockfile - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand/one_specific_supported_lockfile - 2]\n\n---\n\n[TestCommand/one_specific_supported_lockfile_with_ignore - 1]\nScanning dir ./testdata/locks-test-ignore/package-lock.json\nScanned /testdata/locks-test-ignore/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-test-ignore/osv-scanner-test.toml\nCVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json)\nFiltered 1 vulnerability from output\nNo issues found\n\n---\n\n[TestCommand/one_specific_supported_lockfile_with_ignore - 2]\n\n---\n\n[TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 1]\nWarning: --sbom has been deprecated in favor of -L\nScanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 1]\nScanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+------------------------------------------------+\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 1]\nWarning: --sbom has been deprecated in favor of -L\nScanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 7 local/unscannable package/s from the scan.\nNo issues found\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_invalid_PURLs - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 1]\nScanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 7 local/unscannable package/s from the scan.\nNo issues found\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_vulns - 1]\nWarning: --sbom has been deprecated in favor of -L\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_vulns - 2]\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 1]\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 2 packages affected by 5 known vulnerabilities (1 Critical, 3 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2018-25032 | 7.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n\n---\n\n[TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag - 2]\n\n---\n\n[TestCommand/one_specific_unsupported_lockfile - 1]\nScanning dir ./testdata/locks-many/not-a-lockfile.toml\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/one_specific_unsupported_lockfile - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 2]\n\n---\n\n[TestCommand/output_format:_markdown_table - 1]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n\n---\n\n[TestCommand/output_format:_markdown_table - 2]\n\n---\n\n[TestCommand/output_format:_unsupported - 1]\n\n---\n\n[TestCommand/output_format:_unsupported - 2]\nunsupported output format \"unknown\" - must be one of: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3\n\n---\n\n[TestCommand/requirements.txt_can_have_all_kinds_of_names - 1]\nScanning dir ./testdata/locks-requirements\nScanned /testdata/locks-requirements/my-requirements.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages\nScanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nScanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package\nScanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages\n\nTotal 12 packages affected by 50 known vulnerabilities (5 Critical, 20 High, 20 Medium, 4 Low, 1 Unknown) from 1 ecosystem.\n50 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/my-requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/my-requirements.txt |\n| https://osv.dev/GHSA-3936-cmfr-pm3m | 8.7 | PyPI | black | 25.1.0 | 26.3.1 | testdata/locks-requirements/requirements-dev.txt |\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements-transitive.txt |\n| https://osv.dev/PYSEC-2021-439 | 7.3 | PyPI | django | 2.2.24 | 2.2.25 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-v6rh-hp5x-86rv | | | | | | |\n| https://osv.dev/PYSEC-2022-1 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-53qw-q765-4fww | | | | | | |\n| https://osv.dev/PYSEC-2022-19 | 6.1 | PyPI | django | 2.2.24 | 2.2.27 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-95rw-fx8r-36v6 | | | | | | |\n| https://osv.dev/PYSEC-2022-190 | 9.8 | PyPI | django | 2.2.24 | 2.2.28 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-2gwj-7jmv-h26r | | | | | | |\n| https://osv.dev/PYSEC-2022-191 | 9.8 | PyPI | django | 2.2.24 | 2.2.28 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-w24h-v9qh-8gxj | | | | | | |\n| https://osv.dev/PYSEC-2022-2 | 8.7 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-8c5j-9r9f-c6w8 | | | | | | |\n| https://osv.dev/PYSEC-2022-20 | 8.7 | PyPI | django | 2.2.24 | 2.2.27 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-6cw3-g6wv-c2xv | | | | | | |\n| https://osv.dev/PYSEC-2022-3 | 6.9 | PyPI | django | 2.2.24 | 2.2.26 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-jrh2-hc4r-7jwx | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 2.2.24 | 4.2.24 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 2.2.24 | 4.2.22 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 2.2.24 | 3.2.15 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 2.2.24 | 4.2.26 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 2.2.24 | 4.2.26 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 2.2.24 | 4.2.16 | testdata/locks-requirements/requirements.prod.txt |\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 1.0.0 | 3.0.9 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | |\n| https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 1.0.0 | 4.0.2 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | |\n| https://osv.dev/GHSA-43qf-4rqw-9q2g | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-7rxf-gvfg-47g4 | 4.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 1.0.0 | 4.0.1 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-8vgw-p6qm-5gr7 | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | 1.0.4 | testdata/locks-requirements/unresolvable-requirements.txt |\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n\n---\n\n[TestCommand/requirements.txt_can_have_all_kinds_of_names - 2]\n\n---\n\n[TestCommand/spdx_2.3_output - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/uuid-placeholder-0\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"2025-01-01T01:01:01Z\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"has-flag\",\n \"SPDXID\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"versionInfo\": \"4.0.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/has-flag@4.0.0\"\n }\n ]\n },\n {\n \"name\": \"wrappy\",\n \"SPDXID\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"versionInfo\": \"1.0.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/bunlock extractor from /testdata/locks-insecure/bun.lock\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/wrappy@1.0.2\"\n }\n ]\n },\n {\n \"name\": \"league/flysystem\",\n \"SPDXID\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"versionInfo\": \"1.0.8\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /testdata/locks-insecure/composer.lock\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/league%2Fflysystem@1.0.8\"\n }\n ]\n },\n {\n \"name\": \"stdlib\",\n \"SPDXID\": \"SPDXRef-Package-stdlib-uuid-placeholder-5\",\n \"versionInfo\": \"1.99.9\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:placeholder/stdlib@1.99.9\"\n }\n ]\n },\n {\n \"name\": \"toolchain\",\n \"SPDXID\": \"SPDXRef-Package-toolchain-uuid-placeholder-6\",\n \"versionInfo\": \"1.99.9\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the osv/osvscannerjson extractor from /testdata/locks-insecure/osv-scanner-custom.json\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:placeholder/toolchain@1.99.9\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-stdlib-uuid-placeholder-5\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-stdlib-uuid-placeholder-5\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-toolchain-uuid-placeholder-6\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-toolchain-uuid-placeholder-6\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestCommand/spdx_2.3_output - 2]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand/verbosity_level_=_error - 1]\nNo issues found\n\n---\n\n[TestCommand/verbosity_level_=_error - 2]\n\n---\n\n[TestCommand/verbosity_level_=_info - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand/verbosity_level_=_info - 2]\n\n---\n\n[TestCommandNonGit/one_specific_supported_lockfile - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommandNonGit/one_specific_supported_lockfile - 2]\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck - 1]\nScanning dir ./testdata/call-analysis-go-project\nScanned /testdata/call-analysis-go-project/go.mod file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nPackage Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages\nFiltered 1 ignored package/s from the scan.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+\n| https://osv.dev/GO-2023-1558 | 5.9 | Go | github.com/ipfs/go-bitfield | 1.0.0 | 1.1.0 | testdata/call-analysis-go-project/go.mod |\n| https://osv.dev/GHSA-2h6c-j3gf-xp9r | | | | | | |\n+-------------------------------------+------+-----------+-----------------------------+---------+---------------+------------------------------------------+\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck - 2]\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled - 1]\nScanning dir ./testdata/call-analysis-go-project-all-uncalled\nScanned /testdata/call-analysis-go-project-all-uncalled/go.mod file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nPackage Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages\nFiltered 1 ignored package/s from the scan.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled - 2]\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag - 1]\nScanning dir ./testdata/call-analysis-go-project-all-uncalled\nScanned /testdata/call-analysis-go-project-all-uncalled/go.mod file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nPackage Go/stdlib/1.19.99 has been filtered out because: Just want to test actual packages\nFiltered 1 ignored package/s from the scan.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+\n| https://osv.dev/GO-2021-0053 | 8.6 | Go | github.com/gogo/protobuf | 1.3.1 | 1.3.2 | testdata/call-analysis-go-project-all-uncalled/go.mod |\n| https://osv.dev/GHSA-c3h9-896r-86jm | | | | | | |\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+-------------------------------------------------------+\n\n---\n\n[TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag - 2]\n\n---\n\n[TestCommand_CommitSupport/offline_uses_git_tags - 1]\nScanned /testdata/locks-git/osv-scanner.json file and found 11 packages\nLoaded GIT local db from /osv-scanner/GIT/all.zip\nSkipping commit scanning for: 45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0\n\nTotal 8 packages affected by 28 known vulnerabilities (5 Critical, 5 High, 11 Medium, 0 Low, 7 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------------+------+-----------+----------------------------+----------------------------+---------------+-------------------------------------+\n| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-4575 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n+--------------------------------+------+-----------+---------------------------------------------------------+---------------+-------------------------------------+\n\n---\n\n[TestCommand_CommitSupport/offline_uses_git_tags - 2]\n\n---\n\n[TestCommand_CommitSupport/online_uses_git_commits - 1]\nScanned /testdata/locks-git/osv-scanner.json file and found 11 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 11 packages affected by 56 known vulnerabilities (7 Critical, 12 High, 23 Medium, 7 Low, 7 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------+\n| https://osv.dev/OSV-2018-389 | | GIT | git://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | http://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-44398 | 8.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/PYSEC-2023-233 | | | | | |\n| https://osv.dev/CVE-2024-24826 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-25112 | 5.5 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-39695 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-26623 | 5.3 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-54080 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-55304 | 1.8 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-25884 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-27596 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-27631 | 2.7 | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2023-1161 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2024-340 | | GIT | https://github.com/Exiv2/exiv2@931a40a7 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2021-22569 | 5.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2022-1941 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2022-3171 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2022-3509 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2022-3510 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-2410 | 9.8 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-7254 | 7.5 | GIT | https://github.com/apache/orc@17b30e96 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/OSV-2018-389 | | GIT | https://github.com/boostorg/boost@1a9dda41 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-51757 | 9.3 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-61927 | 7.2 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-62410 | 9.4 | GIT | https://github.com/capricorn86/happy-dom.git@f8221103 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-12797 | 6.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@45fda76b | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-11187 | 6.1 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15468 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-15469 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-66199 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9231 | 6.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2026-2673 | | GIT | https://github.com/openssl/openssl@aea7aaf2 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-24898 | 6.3 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler-fork/rust-openssl@3b064fdb | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2016-10931 | 8.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2018-20997 | 9.8 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-53159 | 9.1 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2023-6180 | 5.3 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n| https://osv.dev/CVE-2025-3416 | 3.7 | GIT | https://github.com/sfackler/rust-openssl@0f428d19 | -- | testdata/locks-git/osv-scanner.json |\n+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------+\n\n---\n\n[TestCommand_CommitSupport/online_uses_git_commits - 2]\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 1]\nScanning dir testdata/sbom-insecure/alpine.cdx.xml\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\nCVE-2025-26519 and 1 alias have been filtered out because: (no reason given)\nCVE-2018-25032 and 1 alias have been filtered out because: (no reason given)\nFiltered 2 vulnerabilities from output\ntestdata/osv-scanner-partial-ignores-config.toml has unused ignores:\n - GO-2022-0274\n - CVE-2019-5188\n - CVE-2022-1304\n\nTotal 1 package affected by 3 known vulnerabilities (1 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n+---------------------------------------+------+-----------+---------+-----------+---------------+---------------------------------------+\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file - 2]\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 1]\nScanning dir testdata/sbom-insecure\nScanned /testdata/sbom-insecure/alpine-zlib-16.cdx.json file and found 1 package\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/sbom-insecure/bad-purls.cdx.xml file and found 15 packages\nScanned /testdata/sbom-insecure/only-unimportant.spdx.json file and found 1 package\nScanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages\nScanned /testdata/sbom-insecure/with-duplicates.cdx.xml file and found 17 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 10 local/unscannable package/s from the scan.\nCVE-2025-26519 and 1 alias have been filtered out because: (no reason given)\nCVE-2018-25032 and 1 alias have been filtered out because: (no reason given)\nCVE-2022-1304 and 2 aliases have been filtered out because: (no reason given)\nGO-2022-0274 and 2 aliases have been filtered out because: (no reason given)\nCVE-2025-26519 and 1 alias have been filtered out because: (no reason given)\nCVE-2018-25032 and 1 alias have been filtered out because: (no reason given)\nFiltered 8 vulnerabilities from output\ntestdata/osv-scanner-partial-ignores-config.toml has unused ignores:\n - CVE-2019-5188\n\nTotal 24 packages affected by 175 known vulnerabilities (21 Critical, 72 High, 55 Medium, 3 Low, 24 Unknown) from 4 ecosystems.\n10 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | |\n| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | |\n| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | |\n| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | |\n| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | |\n| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | |\n| https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | |\n| https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | |\n| https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | |\n| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.12-r1 | -- | testdata/sbom-insecure/alpine-zlib-16.cdx.json:lib/apk/db/installed |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/with-duplicates.cdx.xml |\n| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3263-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | |\n| https://osv.dev/DLA-3878-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4319-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | |\n| https://osv.dev/DLA-3530-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | |\n| https://osv.dev/DLA-3942-1 | | | | | | |\n| https://osv.dev/DLA-3942-2 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4176-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | |\n| https://osv.dev/DLA-3926-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3755-1 | | | | | | |\n| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+---------------------------------------------------------------------+\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01 - 2]\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 1]\nScanning dir testdata/sbom-insecure/alpine.cdx.xml\nScanning dir testdata/sbom-insecure/postgres-stretch.cdx.xml\nScanned /testdata/sbom-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 2 local/unscannable package/s from the scan.\nCVE-2025-26519 and 1 alias have been filtered out because: (no reason given)\nCVE-2018-25032 and 1 alias have been filtered out because: (no reason given)\nCVE-2022-1304 and 2 aliases have been filtered out because: (no reason given)\nGO-2022-0274 and 2 aliases have been filtered out because: (no reason given)\nFiltered 6 vulnerabilities from output\ntestdata/osv-scanner-partial-ignores-config.toml has unused ignores:\n - CVE-2019-5188\n\nTotal 22 packages affected by 169 known vulnerabilities (19 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 3 ecosystems.\n10 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | |\n| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | |\n| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | |\n| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | |\n| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | |\n| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | |\n| https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | |\n| https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | |\n| https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | |\n| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | |\n| https://osv.dev/ALPINE-CVE-2022-37434 | 9.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.10-r0 | -- | testdata/sbom-insecure/alpine.cdx.xml |\n| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3263-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | |\n| https://osv.dev/DLA-3878-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4319-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | |\n| https://osv.dev/DLA-3530-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | |\n| https://osv.dev/DLA-3942-1 | | | | | | |\n| https://osv.dev/DLA-3942-2 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4176-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | |\n| https://osv.dev/DLA-3926-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3755-1 | | | | | | |\n| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n\n---\n\n[TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/empty_plugins_flag_does_nothing - 2]\nIncorrect Usage: flag needs an argument: --experimental-plugins=\n\nflag needs an argument: --experimental-plugins=\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_individually - 1]\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_individually - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_together - 1]\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_specified_together - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 1]\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/extractors_cancelled_out_with_presets - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 2]\nnot an exact name for a plugin: \"custom/extractor\"\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled - 1]\nScanning dir ./testdata/locks-many/package-lock.json\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 2]\ncould not determine extractor, requested package-lock.json\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/empty_plugins_flag_does_nothing - 2]\nIncorrect Usage: flag needs an argument: --experimental-plugins=\n\nflag needs an argument: --experimental-plugins=\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_individually - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_individually - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_together - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_specified_together - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/extractors_cancelled_out_with_presets - 2]\nat least one extractor must be enabled\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist - 2]\nnot an exact name for a plugin: \"custom/extractor\"\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_different_extractor_enabled - 1]\nScanning dir ./testdata/locks-many/composer.lock\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_different_extractor_enabled - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled - 1]\nScanning dir ./testdata/locks-many/package-lock.json\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled - 2]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 1]\n\n---\n\n[TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_parse_as_but_specific_extractor_disabled - 2]\ncould not determine extractor, requested package-lock.json\n\n---\n\n[TestCommand_Filter/Show_all_Packages_with_empty_config - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/locks-insecure/osv-scanner-with-unscannables.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.999.1\",\n \"ecosystem\": \"Go\"\n }\n },\n {\n \"package\": {\n \"name\": \"toolchain\",\n \"version\": \"1.24.4\",\n \"ecosystem\": \"\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_Filter/Show_all_Packages_with_empty_config - 2]\nScanned /testdata/locks-insecure/osv-scanner-with-unscannables.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_false_no_vuln_json - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_false_no_vuln_json - 2]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock\nScanned /testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock file and found 5 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_npm_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"left-pad\",\n \"version\": \"1.3.0\",\n \"ecosystem\": \"npm\",\n \"deprecated\": true\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_npm_json - 2]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json\nScanned /testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"url\",\n \"version\": \"2.5.3\",\n \"ecosystem\": \"crates.io\",\n \"deprecated\": true\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_json - 2]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock\nScanned /testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock file and found 36 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_table - 1]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock\nScanned /testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock file and found 36 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\n+------------------------------------------------------------------------------------------------+\n| Deprecated packages |\n+-----------+---------+---------+----------------------------------------------------------------+\n| ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-----------+---------+---------+----------------------------------------------------------------+\n| crates.io | url | 2.5.3 | testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock |\n+-----------+---------+---------+----------------------------------------------------------------+\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_no_vuln_table - 2]\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"net2\",\n \"version\": \"0.2.33\",\n \"ecosystem\": \"crates.io\",\n \"deprecated\": true\n },\n \"groups\": 2,\n \"vulnerabilities\": [\n \"RUSTSEC-2020-0016\",\n \"RUSTSEC-2020-0078\",\n \"GHSA-458v-4hrf-g3m4\",\n \"GHSA-c79c-gwph-gqfm\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_json - 2]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock\nScanned /testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock file and found 7 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_table - 1]\nScanning dir ./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock\nScanned /testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock file and found 7 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 2 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+\n| https://osv.dev/RUSTSEC-2020-0016 | | crates.io | net2 | 0.2.33 | -- | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock |\n| https://osv.dev/RUSTSEC-2020-0078 | 5.5 | crates.io | net2 | 0.2.33 | 0.2.36 | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock |\n| https://osv.dev/GHSA-458v-4hrf-g3m4 | | | | | | |\n| https://osv.dev/GHSA-c79c-gwph-gqfm | | | | | | |\n+-------------------------------------+------+-----------+---------+---------+---------------+--------------------------------------------------------------+\nTotal 1 package deprecated.\n\n+----------------------------------------------------------------------------------------------+\n| Deprecated packages |\n+-----------+---------+---------+--------------------------------------------------------------+\n| ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-----------+---------+---------+--------------------------------------------------------------+\n| crates.io | net2 | 0.2.33 | testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock |\n+-----------+---------+---------+--------------------------------------------------------------+\n\n---\n\n[TestCommand_FlagDeprecatedPackages/package_deprecated_true_with_vuln_table - 2]\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format - 1]\nScanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------------+------+-----------+----------------------------+-----------------------------+---------------+-------------------------------------------------------+\n| https://osv.dev/CVE-2023-39137 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |\n| https://osv.dev/CVE-2023-39139 | 7.8 | GIT | https://github.com/brendan-duncan/archive.git@9de7a054 | -- | testdata/locks-insecure/osv-scanner-flutter-deps.json |\n+--------------------------------+------+-----------+----------------------------------------------------------+---------------+-------------------------------------------------------+\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format - 2]\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///testdata/locks-insecure/osv-scanner-flutter-deps.json\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"/r/n\",\n \"/n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///testdata/locks-insecure/osv-scanner-flutter-deps.json\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'https://github.com/brendan-duncan/archive.git@9de7a054' is vulnerable to 'CVE-2023-39137' (also known as 'GHSA-r285-q736-9v95').\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2023-39137\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///testdata/locks-insecure/osv-scanner-flutter-deps.json\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'https://github.com/brendan-duncan/archive.git@9de7a054' is vulnerable to 'CVE-2023-39139' (also known as 'GHSA-9v85-q87q-g4vg').\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2023-39139\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"CVE-2023-39137\",\n \"GHSA-r285-q736-9v95\"\n ],\n \"fullDescription\": {\n \"markdown\": \"An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\",\n \"text\": \"An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [CVE-2023-39137](https://osv.dev/CVE-2023-39137)**.\\n\\n## [CVE-2023-39137](https://osv.dev/CVE-2023-39137)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2023-39137\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [CVE-2023-39137](https://osv.dev/CVE-2023-39137)**.\\n\\n## [CVE-2023-39137](https://osv.dev/CVE-2023-39137)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2023-39137\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"CVE-2023-39137\",\n \"name\": \"CVE-2023-39137\",\n \"properties\": {\n \"security-severity\": \"7.8\"\n },\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"CVE-2023-39137\",\n \"text\": \"CVE-2023-39137\"\n }\n },\n {\n \"deprecatedIds\": [\n \"CVE-2023-39139\",\n \"GHSA-9v85-q87q-g4vg\"\n ],\n \"fullDescription\": {\n \"markdown\": \"An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\",\n \"text\": \"An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [CVE-2023-39139](https://osv.dev/CVE-2023-39139)**.\\n\\n## [CVE-2023-39139](https://osv.dev/CVE-2023-39139)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2023-39139\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [CVE-2023-39139](https://osv.dev/CVE-2023-39139)**.\\n\\n## [CVE-2023-39139](https://osv.dev/CVE-2023-39139)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/testdata/locks-insecure/osv-scanner-flutter-deps.json | https://github.com/brendan-duncan/archive.git | 9de7a0544457c6aba755ccb65abb41b0dc1db70d |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/testdata/locks-insecure/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2023-39139\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"CVE-2023-39139\",\n \"name\": \"CVE-2023-39139\",\n \"properties\": {\n \"security-severity\": \"7.8\"\n },\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"CVE-2023-39139\",\n \"text\": \"CVE-2023-39139\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"properties\": {}\n}\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json - 2]\nScanned /testdata/locks-insecure/osv-scanner-flutter-deps.json file and found 3 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 1]\nScanned /testdata/locks-insecure/osv-scanner-custom-git-tag.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 40 known vulnerabilities (5 Critical, 15 High, 20 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+\n| https://osv.dev/CVE-2016-2177 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2016-2182 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-2274 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-3358 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-3996 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-4203 | 4.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-4304 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2022-4450 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0215 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0216 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0217 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0286 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0401 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0464 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0465 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-0466 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-1255 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-2650 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-2975 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-3817 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-4807 | 7.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-5363 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-5678 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-6129 | 6.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2023-6237 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-13176 | 4.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-2511 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-4603 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-4741 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-5535 | 9.1 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2024-9143 | 4.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-15467 | 9.8 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-68160 | 4.7 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-69418 | 4.0 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-69419 | 7.4 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-69420 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-9230 | 7.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2025-9232 | 5.9 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2026-22795 | 5.5 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n| https://osv.dev/CVE-2026-22796 | 5.3 | GIT | github.com/openssl/openssl | openssl-3.0.4 | -- | testdata/locks-insecure/osv-scanner-custom-git-tag.json |\n+--------------------------------+------+-----------+----------------------------+---------------+---------------+---------------------------------------------------------+\n\n---\n\n[TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag - 2]\n\n---\n\n[TestCommand_HtmlFile - 1]\n\n---\n\n[TestCommand_HtmlFile - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nHTML output available at: /report.html\n\n---\n\n[TestCommand_HtmlFile_Deprecated - 1]\n\n---\n\n[TestCommand_HtmlFile_Deprecated - 2]\nWarning: --output has been deprecated in favor of --output-file\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nHTML output available at: /report.html\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis - 1]\nScanning dir ./testdata/artifact/javareach_test.jar\nJava reachability enricher marked 14 packages as unreachable\nScanned /testdata/artifact/javareach_test.jar file and found 21 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nfailed to download package err jar not found: https://repo1.maven.org/maven2/com/example/hello-tester/1.0-SNAPSHOT/hello-tester-1.0-SNAPSHOT.jar\n\nTotal 4 packages affected by 55 known vulnerabilities (18 Critical, 30 High, 5 Medium, 2 Low, 0 Unknown) from 1 ecosystem.\n55 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-c8hm-7hpq-7jhg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis - 2]\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher - 1]\nScanning dir ./testdata/artifact/javareach_test.jar\nScanned /testdata/artifact/javareach_test.jar file and found 21 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 8 packages affected by 61 known vulnerabilities (18 Critical, 32 High, 8 Medium, 3 Low, 0 Unknown) from 1 ecosystem.\n60 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-c8hm-7hpq-7jhg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher - 2]\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis - 1]\nScanning dir ./testdata/artifact/javareach_test.jar\nScanned /testdata/artifact/javareach_test.jar file and found 21 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 8 packages affected by 61 known vulnerabilities (18 Critical, 32 High, 8 Medium, 3 Low, 0 Unknown) from 1 ecosystem.\n60 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n| https://osv.dev/GHSA-c28r-hw5m-5gv3 | 7.9 | Maven | com.amazonaws:aws-java-sdk-s3 | 1.11.327 | 1.12.261 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-72hv-8253-57qq | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.18.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h46c-h94j-95f3 | 8.7 | Maven | com.fasterxml.jackson.core:jackson-core | 2.14.0 | 2.15.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-288c-cq4h-88gq | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4gq5-ch57-c2mg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-4w82-r329-3q67 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-57j2-w4cx-62h2 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.6.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5949-rw7g-wx7w | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5r5r-6hpj-8gg9 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-5ww9-j83m-q7qx | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-645p-88qh-w398 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-6fpp-rgj9-8rwc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-85cw-hj65-qqv9 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-89qr-369f-5m5x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8c4j-34r4-xr8g | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-8w26-6f25-cm9x | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9gph-22xh-8x98 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-9m6f-7xcq-8vf8 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-c8hm-7hpq-7jhg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cf6r-3wgc-h863 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cggj-fvv3-cqwv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cjjf-94ff-43w7 | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cmfg-87vq-g5g4 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cvm9-fjm9-3572 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f3j5-rmmp-3fc5 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.8.11.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-f9xh-2qgp-cq57 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fmmc-742q-jg75 | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-fqwf-pjwf-7vqv | 8.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gjmw-vf9h-g25v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwp4-hfv6-p7hw | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gww7-p5w4-wrfv | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h3cw-g4mq-c5x2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.6 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h592-38cm-4ggp | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-h822-r4r5-v8jg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-jjjh-jjxp-wpff | 7.5 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-m6x4-97wx-4q27 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mph4-vhrx-mv67 | 5.9 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-mx7p-6679-8g3q | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.3 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-p43x-xfjf-5jhr | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-q93h-jc49-78gg | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.7 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qjw2-hr98-qgfh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qr7j-h6gg-jmgc | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r3gr-cxrf-hg25 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-r695-7vr9-jgc2 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rfx6-vp9g-rh7v | 9.8 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.2 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rgv9-q543-rqg4 | 8.2 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.12.7.1 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-rpr3-cw39-3pxh | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.4 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-v585-23hc-c647 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-vfqx-33qm-g869 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.6.7.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-w3f4-3q6j-rh82 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.7.9.5 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wh8g-3j2c-rqj5 | 8.1 | Maven | com.fasterxml.jackson.core:jackson-databind | 2.6.7.1 | 2.9.10.8 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j288-q9x7-2f5v | 6.5 | Maven | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-7r82-7xv7-xcpj | 5.3 | Maven | org.apache.httpcomponents:httpclient | 4.5.5 | 4.5.13 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-cj7v-27pg-wf7q | 2.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.47 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-hmr7-m48g-48f6 | 5.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-qh8g-58pp-2wxh | 6.3 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.12 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-wjpw-4j6x-6rwh | 3.7 | Maven | org.eclipse.jetty:jetty-http | 9.4.40.v20210413 | 12.0.31 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-3gh6-v5v9-6v9j | 3.5 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.52 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-gwcr-j4wh-j3cq | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.41 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-j26w-f9rq-mr2q | 5.3 | Maven | org.eclipse.jetty:jetty-servlets | 9.4.40.v20210413 | 9.4.54 | testdata/artifact/javareach_test.jar |\n| https://osv.dev/GHSA-264p-99wq-f4j6 | 7.5 | Maven | software.amazon.ion:ion-java | 1.0.2 | -- | testdata/artifact/javareach_test.jar |\n+-------------------------------------+------+-----------+---------------------------------------------+------------------+---------------+--------------------------------------+\n\n---\n\n[TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis - 2]\n\n---\n\n[TestCommand_Licenses/Licenses_in_summary_mode_json - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": []\n }\n },\n \"license_summary\": [\n {\n \"name\": \"MIT\",\n \"count\": 2\n },\n {\n \"name\": \"Apache-2.0\",\n \"count\": 1\n },\n {\n \"name\": \"CC0-1.0 OR MIT\",\n \"count\": 1\n }\n ]\n}\n\n---\n\n[TestCommand_Licenses/Licenses_in_summary_mode_json - 2]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Licenses/Licenses_with_expressions - 1]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\noverriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)\noverriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR MIT OR BSD-3-Clause\noverriding license for package npm/ms/2.1.3 with MIT WITH Bison-exception-2.2\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------------------------------------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+---------------------------------------------+-------------------------+\n| CC0-1.0 OR MIT | 1 |\n| LGPL-2.1-only OR MIT OR BSD-3-Clause | 1 |\n| MIT AND (LGPL-2.1-or-later OR BSD-3-Clause) | 1 |\n| MIT WITH Bison-exception-2.2 | 1 |\n+---------------------------------------------+-------------------------+\n+------------------------------+-----------+---------+---------+-------------------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+------------------------------+-----------+---------+---------+-------------------------------------------+\n| MIT WITH Bison-exception-2.2 | npm | ms | 2.1.3 | testdata/locks-licenses/package-lock.json |\n+------------------------------+-----------+---------+---------+-------------------------------------------+\n\n---\n\n[TestCommand_Licenses/Licenses_with_expressions - 2]\n\n---\n\n[TestCommand_Licenses/Licenses_with_invalid_expression_in_config - 1]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\noverriding license for package npm/babel/6.23.0 with MIT AND (LGPL-2.1-or-later OR BSD-3-Clause))\noverriding license for package npm/human-signals/5.0.0 with LGPL-2.1-only OR OR BSD-3-Clause\noverriding license for package npm/ms/2.1.3 with MIT WITH (Bison-exception-2.2 AND somethingelse)\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------------------------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+--------------------------------------------------+-------------------------+\n| CC0-1.0 OR MIT | 1 |\n| LGPL-2.1-only OR OR BSD-3-Clause | 1 |\n| MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)) | 1 |\n| MIT WITH (Bison-exception-2.2 AND somethingelse) | 1 |\n+--------------------------------------------------+-------------------------+\n+--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+\n| LGPL-2.1-only OR OR BSD-3-Clause | npm | human-signals | 5.0.0 | testdata/locks-licenses/package-lock.json |\n| MIT WITH (Bison-exception-2.2 AND somethingelse) | npm | ms | 2.1.3 | testdata/locks-licenses/package-lock.json |\n+--------------------------------------------------+-----------+---------------+---------+-------------------------------------------+\n\n---\n\n[TestCommand_Licenses/Licenses_with_invalid_expression_in_config - 2]\nlicense LGPL-2.1-only OR OR BSD-3-Clause for package npm/human-signals/5.0.0 is invalid: unexpected OR after OR\nlicense MIT WITH (Bison-exception-2.2 AND somethingelse) for package npm/ms/2.1.3 is invalid: unexpected ( after WITH\n\n---\n\n[TestCommand_Licenses/Licenses_with_invalid_licenses_in_flag - 1]\n\n---\n\n[TestCommand_Licenses/Licenses_with_invalid_licenses_in_flag - 2]\n--licenses requires comma-separated spdx licenses. The following license(s) are not recognized as spdx: something-something\n\n---\n\n[TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/locks-licenses/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"babel\",\n \"version\": \"6.23.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"human-signals\",\n \"version\": \"5.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ms\",\n \"version\": \"2.1.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"type-fest\",\n \"version\": \"4.26.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"CC0-1.0 OR MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": [\n \"MIT\",\n \"Apache-2.0\"\n ]\n }\n },\n \"license_summary\": [\n {\n \"name\": \"MIT\",\n \"count\": 2\n },\n {\n \"name\": \"Apache-2.0\",\n \"count\": 1\n },\n {\n \"name\": \"CC0-1.0 OR MIT\",\n \"count\": 1\n }\n ]\n}\n\n---\n\n[TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json - 2]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist - 1]\nScanning dir ./testdata/locks-many/yarn.lock\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+---------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+---------+-------------------------+\n| MIT | 1 |\n+---------+-------------------------+\n+-------------------+-----------+----------------+---------+-------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+----------------+---------+-------------------------------+\n| MIT | npm | balanced-match | 1.0.2 | testdata/locks-many/yarn.lock |\n+-------------------+-----------+----------------+---------+-------------------------------+\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist - 2]\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_with_license_summary - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n+------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+------------+-------------------------+\n| MIT | 2 |\n| Apache-2.0 | 1 |\n| UNKNOWN | 1 |\n+------------+-------------------------+\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_with_license_summary - 2]\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown - 1]\nScanning dir ./testdata/locks-many\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n| License | No. of package versions |\n| --- | ---:|\n| MIT | 2 |\n| Apache-2.0 | 1 |\n| UNKNOWN | 1 |\n\n---\n\n[TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown - 2]\n\n---\n\n[TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/locks-licenses/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"babel\",\n \"version\": \"6.23.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"human-signals\",\n \"version\": \"5.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ms\",\n \"version\": \"2.1.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"type-fest\",\n \"version\": \"4.26.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"CC0-1.0 OR MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": []\n }\n },\n \"license_summary\": [\n {\n \"name\": \"MIT\",\n \"count\": 2\n },\n {\n \"name\": \"Apache-2.0\",\n \"count\": 1\n },\n {\n \"name\": \"CC0-1.0 OR MIT\",\n \"count\": 1\n }\n ]\n}\n\n---\n\n[TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json - 2]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Licenses/Some_packages_with_ignored_licenses - 1]\nScanning dir ./testdata/locks-many\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nScanned /testdata/locks-many/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many/composer.lock file and found 1 package\nScanned /testdata/locks-many/package-lock.json file and found 1 package\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nPackage npm/has-flag/4.0.0 has been filtered out because: (no reason given)\nPackage npm/wrappy/1.0.2 has been filtered out because: (no reason given)\nPackage npm/ansi-html/0.0.8 has been filtered out because: (no reason given)\nPackage npm/balanced-match/1.0.2 has been filtered out because: (no reason given)\nFiltered 4 ignored package/s from the scan.\noverriding license for package Packagist/league/flysystem/1.0.8 with 0BSD\noverriding license for package Packagist/sentry/sdk/2.0.4 with 0BSD\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock |\n+-------------------------------------+------+-----------+------------------+---------+---------------+---------------------------------------+\n+---------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+---------+-------------------------+\n| 0BSD | 2 |\n| MIT | 1 |\n| UNKNOWN | 2 |\n+---------+-------------------------+\n+-------------------+-----------+------------------+---------+-------------------------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+------------------+---------+-------------------------------------------------+\n| 0BSD | Packagist | league/flysystem | 1.0.8 | testdata/locks-insecure/composer.lock |\n| UNKNOWN | Go | stdlib | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |\n| UNKNOWN | Go | toolchain | 1.99.9 | testdata/locks-insecure/osv-scanner-custom.json |\n| 0BSD | Packagist | sentry/sdk | 2.0.4 | testdata/locks-many/composer.lock |\n+-------------------+-----------+------------------+---------+-------------------------------------------------+\n\n---\n\n[TestCommand_Licenses/Some_packages_with_ignored_licenses - 2]\n\n---\n\n[TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/locks-licenses/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"babel\",\n \"version\": \"6.23.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"human-signals\",\n \"version\": \"5.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"ms\",\n \"version\": \"2.1.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"type-fest\",\n \"version\": \"4.26.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"CC0-1.0 OR MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": [\n \"MIT\"\n ]\n }\n },\n \"license_summary\": [\n {\n \"name\": \"MIT\",\n \"count\": 2\n },\n {\n \"name\": \"Apache-2.0\",\n \"count\": 1\n },\n {\n \"name\": \"CC0-1.0 OR MIT\",\n \"count\": 1\n }\n ]\n}\n\n---\n\n[TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json - 2]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Licenses/Some_packages_with_license_violations_in_json - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/testdata/locks-licenses/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"human-signals\",\n \"version\": \"5.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": [\n \"MIT\"\n ]\n }\n },\n \"license_summary\": [\n {\n \"name\": \"MIT\",\n \"count\": 2\n },\n {\n \"name\": \"Apache-2.0\",\n \"count\": 1\n },\n {\n \"name\": \"CC0-1.0 OR MIT\",\n \"count\": 1\n }\n ]\n}\n\n---\n\n[TestCommand_Licenses/Some_packages_with_license_violations_in_json - 2]\nScanning dir ./testdata/locks-licenses/package-lock.json\nScanned /testdata/locks-licenses/package-lock.json file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted - 1]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n+------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+------------+-------------------------+\n| Apache-2.0 | 1 |\n+------------+-------------------------+\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted - 2]\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_license_summary - 1]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n+------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+------------+-------------------------+\n| Apache-2.0 | 1 |\n+------------+-------------------------+\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_license_summary - 2]\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist - 1]\nScanning dir ./testdata/locks-many-with-insecure/package-lock.json\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n+-------------------------------------+------+-----------+-----------+---------+---------------+-----------------------------------------------------+\n+------------+-------------------------+\n| LICENSE | NO. OF PACKAGE VERSIONS |\n+------------+-------------------------+\n| Apache-2.0 | 1 |\n+------------+-------------------------+\n+-------------------+-----------+-----------+---------+-----------------------------------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+-----------+---------+-----------------------------------------------------+\n| Apache-2.0 | npm | ansi-html | 0.0.1 | testdata/locks-many-with-insecure/package-lock.json |\n+-------------------+-----------+-----------+---------+-----------------------------------------------------+\n\n---\n\n[TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist - 2]\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_are_still_validated - 1]\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_are_still_validated - 2]\n--licenses requires comma-separated spdx licenses. The following license(s) are not recognized as spdx: something-something\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_cannot_be_checked - 1]\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_cannot_be_checked - 2]\ncannot retrieve licenses locally\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_summary_cannot_be_printed - 1]\n\n---\n\n[TestCommand_Licenses/When_offline_licenses_summary_cannot_be_printed - 2]\ncannot retrieve licenses locally\n\n---\n\n[TestCommand_LocalDatabases/.gitignored_files - 1]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/.gitignored_files - 2]\n\n---\n\n[TestCommand_LocalDatabases/.gitignored_files - 3]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/.gitignored_files - 4]\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 1]\nScanning dir ./testdata/locks-many-with-insecure\nScanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package\nFiltered 1 local/unscannable package/s from the scan.\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded Alpine local db from /osv-scanner/Alpine/all.zip\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\n\nTotal 6 packages affected by 10 known vulnerabilities (1 Critical, 3 High, 2 Medium, 3 Low, 1 Unknown) from 3 ecosystems.\n6 vulnerabilities can be fixed.\n\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n| https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | |\n| https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 2]\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 3]\nScanning dir ./testdata/locks-many-with-insecure\nScanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package\nFiltered 1 local/unscannable package/s from the scan.\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded Alpine local db from /osv-scanner/Alpine/all.zip\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\n\nTotal 6 packages affected by 10 known vulnerabilities (1 Critical, 3 High, 2 Medium, 3 Low, 1 Unknown) from 3 ecosystems.\n6 vulnerabilities can be fixed.\n\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n| https://osv.dev/DRUPAL-CORE-2025-005 | 2.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-83v7-c2cf-p9c2 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-006 | 5.9 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-m6vv-vcj8-w8m7 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-007 | 2.1 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-h89p-5896-f4q8 | | | | | | |\n| https://osv.dev/DRUPAL-CORE-2025-008 | 3.7 | Packagist | drupal/core | 10.4.5 | 10.4.9 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-mhpg-hpj5-73r2 | | | | | | |\n| https://osv.dev/DRUPAL-CONTRIB-2025-083 | | Packagist | drupal/simple_sitemap | 4.2.1 | -- | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-many-with-insecure/composer.lock |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-many-with-insecure/package-lock.json |\n| https://osv.dev/ALPINE-CVE-2025-26519 | 7.0 | Alpine | musl | 1.2.3-r4 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-22184 | 7.8 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n| https://osv.dev/ALPINE-CVE-2026-27171 | 5.5 | Alpine | zlib | 1.2.13-r0 | -- | testdata/locks-many-with-insecure/alpine.cdx.xml |\n+-----------------------------------------+------+-----------+-----------------------+-----------+---------------+-----------------------------------------------------+\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked - 4]\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 1]\nScanning dir ./testdata/locks-many-with-invalid\nScanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 2]\nError during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 3]\nScanning dir ./testdata/locks-many-with-invalid\nScanned /testdata/locks-many-with-invalid/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-invalid/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_LocalDatabases/all_supported_lockfiles_in_the_directory_should_be_checked#01 - 4]\nError during extraction: (extracting as php/composerlock) /testdata/locks-many-with-invalid/composer.lock: could not extract: invalid character ',' looking for beginning of object key string\n\n---\n\n[TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 1]\n\n---\n\n[TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 2]\ndatabases can only be downloaded when running in offline mode\n\n---\n\n[TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 3]\n\n---\n\n[TestCommand_LocalDatabases/database_should_be_downloaded_only_when_offline_is_set - 4]\ndatabases can only be downloaded when running in offline mode\n\n---\n\n[TestCommand_LocalDatabases/ignoring_.gitignore - 1]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/ignoring_.gitignore - 2]\n\n---\n\n[TestCommand_LocalDatabases/ignoring_.gitignore - 3]\nScanning dir ./testdata/locks-gitignore\nScanned /testdata/locks-gitignore/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/ignored/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/Gemfile.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/composer.lock file and found 1 package\nScanned /testdata/locks-gitignore/subdir/yarn.lock file and found 1 package\nScanned /testdata/locks-gitignore/yarn.lock file and found 1 package\nLoaded RubyGems local db from /osv-scanner/RubyGems/all.zip\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/ignoring_.gitignore - 4]\n\n---\n\n[TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 2]\n\n---\n\n[TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 3]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/nested/composer.lock file and found 1 package\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/nested_directories_are_checked_when_`--recursive`_is_passed - 4]\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_lockfile - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_lockfile - 2]\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_lockfile - 3]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_lockfile - 4]\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 1]\nScanning dir ./testdata/sbom-insecure/postgres-stretch.cdx.xml\nScanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages\nFiltered 1 local/unscannable package/s from the scan.\nLoaded Debian local db from /osv-scanner/Debian/all.zip\nLoaded Go local db from /osv-scanner/Go/all.zip\n\nTotal 21 packages affected by 168 known vulnerabilities (18 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems.\n11 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | |\n| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | |\n| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | |\n| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | |\n| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | |\n| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | |\n| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | |\n| https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | |\n| https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | |\n| https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | |\n| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | |\n| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3910-1 | | | | | | |\n| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3263-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | |\n| https://osv.dev/DLA-3878-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4319-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | |\n| https://osv.dev/DLA-3530-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | |\n| https://osv.dev/DLA-3942-1 | | | | | | |\n| https://osv.dev/DLA-3942-2 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4176-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | |\n| https://osv.dev/DLA-3926-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3755-1 | | | | | | |\n| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 2]\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 3]\nScanning dir ./testdata/sbom-insecure/postgres-stretch.cdx.xml\nScanned /testdata/sbom-insecure/postgres-stretch.cdx.xml file and found 136 packages\nFiltered 1 local/unscannable package/s from the scan.\nLoaded Debian local db from /osv-scanner/Debian/all.zip\nLoaded Go local db from /osv-scanner/Go/all.zip\n\nTotal 21 packages affected by 168 known vulnerabilities (18 Critical, 70 High, 53 Medium, 3 Low, 24 Unknown) from 2 ecosystems.\n11 vulnerabilities can be fixed.\n\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n| https://osv.dev/GO-2022-0274 | 6.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.0 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-v95c-p5hm-xq8f | | | | | | |\n| https://osv.dev/GO-2022-0452 | 5.9 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.2 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-f3fp-gc8g-vw66 | | | | | | |\n| https://osv.dev/GO-2023-1627 | 7.0 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-vpvm-3wq2-2wvm | | | | | | |\n| https://osv.dev/GO-2023-1682 | 2.5 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-m8cg-xc2p-r3fc | | | | | | |\n| https://osv.dev/GO-2023-1683 | 6.1 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.5 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-g2j6-57v7-gm8c | | | | | | |\n| https://osv.dev/GO-2024-2491 | 8.6 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.12 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-xr7r-f8xq-vfvv | | | | | | |\n| https://osv.dev/GO-2024-3110 | 4.8 | Go | github.com/opencontainers/runc | v1.0.1 | 1.1.14 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-jfvp-7x6p-h2pv | | | | | | |\n| https://osv.dev/GO-2025-4096 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-9493-h29p-rfm2 | | | | | | |\n| https://osv.dev/GO-2025-4097 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-qw9x-cqr3-wc7r | | | | | | |\n| https://osv.dev/GO-2025-4098 | 7.3 | Go | github.com/opencontainers/runc | v1.0.1 | 1.2.8 | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-cgrx-mc8f-2prm | | | | | | |\n| https://osv.dev/GO-2022-0493 | 5.3 | Go | golang.org/x/sys | v0.0.0-20210817142637-7d9622a276b7 | 0.0.0-20220412211240-33da011f77ad | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/GHSA-p782-xgp4-8hr8 | | | | | | |\n| https://osv.dev/DSA-4685-1 | 5.5 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4808-1 | 5.7 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0501 | 5.9 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-3462 | 8.1 | Debian | apt | 1.4.11 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3715 | 7.8 | Debian | bash | 4.4-5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2781 | 6.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0684 | 5.5 | Debian | coreutils | 8.26-3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3482-1 | | Debian | debian-archive-keyring | 2017.5+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5147-1 | 9.8 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-6297 | 8.2 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2219 | 7.5 | Debian | dpkg | 1.18.25 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4535-1 | 7.5 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-5188 | 6.7 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-1304 | 7.8 | Debian | e2fsprogs | 1.43.4-2+deb9u2 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3910-1 | | | | | | |\n| https://osv.dev/DSA-5122-1 | 8.8 | Debian | gzip | 1.6-5+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0379 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7526 | 6.8 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0495 | 4.7 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-13627 | 6.3 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-33560 | 7.5 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-40528 | 5.9 | Debian | libgcrypt20 | 1.7.6-2+deb9u4 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5863-1 | 5.3 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-10790 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6003 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-46848 | 9.1 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3263-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2025-13151 | 7.5 | Debian | libtasn1-6 | 4.10-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5142-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5271-1 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5391-1 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5990-1 | | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-3709 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2309 | | | | | | |\n| https://osv.dev/DLA-3878-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2016-9318 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-0663 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-15412 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16931 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-16932 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-18258 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5130 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-5969 | 4.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7375 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-7376 | 9.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-8872 | 9.1 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9047 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9048 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9049 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-9050 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14404 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-14567 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-19956 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-20388 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-7595 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3516 | 7.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3517 | 8.6 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3518 | 8.8 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3537 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3541 | 6.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-23308 | 7.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9714 | 5.5 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4319-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2026-0989 | 3.7 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0990 | 5.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-0992 | 2.9 | Debian | libxml2 | 2.9.4+dfsg1-2.2+deb9u6 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-1 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4539-3 | | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4661-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4807-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4855-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4875-1 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-4963-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5103-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5139-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5169-1 | 7.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5343-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5417-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5532-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5764-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6015-1 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-6113-1 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0732 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0734 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-0735 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-5407 | 4.7 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1543 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2019-1549 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2021-3450 | 7.4 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-2274 | 9.8 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3358 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3602 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3786 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-3996 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2022-4203 | 4.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0216 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0217 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-0401 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-1255 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-2975 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3446 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-3817 | | | | | | |\n| https://osv.dev/DLA-3530-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-5678 | 9.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-0727 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-2511 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4741 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-5535 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-9143 | | | | | | |\n| https://osv.dev/DLA-3942-1 | | | | | | |\n| https://osv.dev/DLA-3942-2 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2023-6129 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-6237 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-12797 | 6.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-13176 | 4.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4176-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2024-4603 | 5.3 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-11187 | 6.1 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15468 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-15469 | 5.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-4575 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-66199 | 5.9 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-9231 | 6.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-2673 | 7.5 | Debian | openssl | 1.1.0l-1~deb9u5 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5902-1 | 8.4 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12837 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-12883 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-12015 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18311 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18312 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18313 | 9.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-18314 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6797 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6798 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-6913 | 9.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10543 | 8.2 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-10878 | 8.6 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-12723 | 7.5 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2020-16156 | 8.1 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-31484 | | | | | | |\n| https://osv.dev/DLA-3926-1 | | | | | | |\n| https://osv.dev/DEBIAN-CVE-2021-36770 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-47038 | 7.8 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2025-40909 | 5.9 | Debian | perl | 5.24.1-3+deb9u7 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5135-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3072-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3189-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3316-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3422-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3600-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3651-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3764-1 | | Debian | postgresql-11 | 11.15-1.pgdg90+1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2017-17512 | 8.8 | Debian | sensible-utils | 0.0.9+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2018-20482 | 4.7 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2023-39804 | 6.2 | Debian | tar | 1.29b-1.1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3755-1 | | | | | | |\n| https://osv.dev/DLA-3051-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3134-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3161-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3366-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3412-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3684-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3788-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-3972-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4085-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4105-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4403-1 | | Debian | tzdata | 2021a-0+deb9u3 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DLA-4016-1 | | Debian | ucf | 3.0036 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5055-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5650-1 | 5.5 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2016-2779 | 7.8 | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2026-3184 | | Debian | util-linux | 2.29.2-1+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5123-1 | 8.8 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DSA-5895-1 | 8.7 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n| https://osv.dev/DEBIAN-CVE-2024-3094 | 10.0 | Debian | xz-utils | 5.2.2-1.2+deb9u1 | -- | testdata/sbom-insecure/postgres-stretch.cdx.xml |\n+---------------------------------------+------+-----------+--------------------------------+------------------------------------+-----------------------------------+-------------------------------------------------+\n\n---\n\n[TestCommand_LocalDatabases/one_specific_supported_sbom_with_vulns - 4]\n\n---\n\n[TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 1]\nScanning dir ./testdata/locks-many/not-a-lockfile.toml\n\n---\n\n[TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 3]\nScanning dir ./testdata/locks-many/not-a-lockfile.toml\n\n---\n\n[TestCommand_LocalDatabases/one_specific_unsupported_lockfile - 4]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 1]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 2]\n\n---\n\n[TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 3]\nScanning dir ./testdata/locks-one-with-nested\nScanned /testdata/locks-one-with-nested/yarn.lock file and found 1 package\nLoaded npm local db from /osv-scanner/npm/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion) - 4]\n\n---\n\n[TestCommand_LocalDatabases/output_format:_markdown_table - 1]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/output_format:_markdown_table - 2]\n\n---\n\n[TestCommand_LocalDatabases/output_format:_markdown_table - 3]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\nNo issues found\n\n---\n\n[TestCommand_LocalDatabases/output_format:_markdown_table - 4]\n\n---\n\n[TestCommand_LocalDatabases/output_with_json - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_LocalDatabases/output_with_json - 2]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\n\n---\n\n[TestCommand_LocalDatabases/output_with_json - 3]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestCommand_LocalDatabases/output_with_json - 4]\nScanning dir ./testdata/locks-many/composer.lock\nScanned /testdata/locks-many/composer.lock file and found 1 package\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nLoaded Packagist local db from /osv-scanner/Packagist/all.zip\n\n---\n\n[TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 1]\nScanning dir ./testdata/locks-requirements\nScanning dir ./testdata/locks-many-with-insecure\nScanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package\nScanned /testdata/locks-requirements/my-requirements.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages\nScanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nScanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package\nScanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 2]\ncould not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\n\n---\n\n[TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 3]\nScanning dir ./testdata/locks-requirements\nScanning dir ./testdata/locks-many-with-insecure\nScanned /testdata/locks-many-with-insecure/Gemfile.lock file and found 1 package\nScanned /testdata/locks-many-with-insecure/alpine.cdx.xml file and found 15 packages\nScanned /testdata/locks-many-with-insecure/composer.lock file and found 6 packages\nScanned /testdata/locks-many-with-insecure/package-lock.json file and found 1 package\nScanned /testdata/locks-many-with-insecure/yarn.lock file and found 1 package\nScanned /testdata/locks-requirements/my-requirements.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-dev.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements-transitive.txt file and found 4 packages\nScanned /testdata/locks-requirements/requirements.prod.txt file and found 1 package\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nScanned /testdata/locks-requirements/the_requirements_for_test.txt file and found 1 package\nScanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages\nFiltered 1 local/unscannable package/s from the scan.\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestCommand_LocalDatabases_AlwaysOffline/a_bunch_of_different_lockfiles_and_ecosystem - 4]\ncould not load db for RubyGems ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for Alpine ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for Packagist ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for npm ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\ncould not load db for PyPI ecosystem: unable to fetch OSV database: no offline version of the OSV database is available\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/\"apk-installed\"_is_supported - 1]\nScanned /testdata/locks-many/installed file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/\"apk-installed\"_is_supported - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/\"dpkg-status\"_is_supported - 1]\nScanned /testdata/locks-many/status file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/\"dpkg-status\"_is_supported - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows - 1]\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_can_have_explicit_parse_as - 1]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_can_have_explicit_parse_as - 2]\nError during extraction: (extracting as javascript/packagelockjson) /testdata/locks-many/yarn.lock: could not extract: invalid character '#' looking for beginning of value\nextraction failed on specified lockfile\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping - 1]\nScanned /testdata/locks-many/yarn.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_is_default - 1]\nScanned /testdata/locks-many/composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /testdata/locks-many/osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_is_default - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 1]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows) - 2]\nfailed to resolve path: stat /path/to/my:file: no such file or directory\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 1]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)#01 - 2]\nfailed to resolve path: stat /path/to/my:project/package-lock.json: no such file or directory\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/files_that_error_on_parsing_stop_parsable_files_from_being_checked - 1]\nScanning dir ./testdata/locks-insecure\nScanning dir ./testdata/locks-many\n---\n\n[TestCommand_LockfileWithExplicitParseAs/files_that_error_on_parsing_stop_parsable_files_from_being_checked - 2]\nError during extraction: (extracting as rust/cargolock) /testdata/locks-insecure/my-package-lock.json: could not extract: toml: line 1: expected '.' or '=', but got '{' instead\nextraction failed on specified lockfile\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic - 1]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/my-package-lock.json file and found 1 package\nScanned /testdata/locks-insecure/my-yarn.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 3 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n3 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-yarn.lock |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2 - 1]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/my-package-lock.json file and found 1 package\nScanned /testdata/locks-insecure/my-yarn.lock file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 3 packages affected by 3 known vulnerabilities (1 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n3 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-yarn.lock |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2 - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path - 1]\nScanned /testdata/locks-many/replace-local.mod file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nFiltered 1 local/unscannable package/s from the scan.\nNo issues found\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path - 2]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 1]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/parse-as_takes_priority,_even_if_it's_wrong - 2]\nError during extraction: (extracting as javascript/packagelockjson) /testdata/locks-many/yarn.lock: could not extract: invalid character '#' looking for beginning of value\nextraction failed on specified lockfile\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/unsupported_parse-as - 1]\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/unsupported_parse-as - 2]\ncould not determine extractor, requested my-file\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file - 1]\nScanning dir ./testdata/locks-insecure\nScanned /testdata/locks-insecure/bun.lock file and found 2 packages\nScanned /testdata/locks-insecure/composer.lock file and found 1 package\nScanned /testdata/locks-insecure/my-package-lock.json file and found 1 package\nScanned /testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n2 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n| https://osv.dev/GHSA-9f46-5r25-5wfm | 9.8 | Packagist | league/flysystem | 1.0.8 | 1.1.4 | testdata/locks-insecure/composer.lock |\n| https://osv.dev/GHSA-whgm-jr23-g3j9 | 7.5 | npm | ansi-html | 0.0.1 | 0.0.8 | testdata/locks-insecure/my-package-lock.json |\n+-------------------------------------+------+-----------+------------------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file - 2]\n\n---\n\n[TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 1]\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_MoreLockfiles/Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned - 2]\ncould not determine extractor suitable to this file: \"/testdata/locks-scalibr/Package.resolved\"\n\n---\n\n[TestCommand_MoreLockfiles/Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned - 1]\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_MoreLockfiles/Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned - 2]\ncould not determine extractor suitable to this file: \"/testdata/locks-scalibr/Podfile.lock\"\n\n---\n\n[TestCommand_MoreLockfiles/cabal.project.freeze - 1]\nScanned /testdata/locks-scalibr/cabal.project.freeze file and found 6 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+\n| https://osv.dev/HSEC-2024-0009 | | Hackage | biscuit-haskell | 0.3.0.0 | 0.4.0.0 | testdata/locks-scalibr/cabal.project.freeze |\n+--------------------------------+------+-----------+-----------------+---------+---------------+---------------------------------------------+\n\n---\n\n[TestCommand_MoreLockfiles/cabal.project.freeze - 2]\n\n---\n\n[TestCommand_MoreLockfiles/depsjson - 1]\nScanned /testdata/locks-scalibr/depsjson file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+\n| https://osv.dev/GHSA-4cv2-4hjh-77rx | | NuGet | System.Linq.Dynamic.Core | 1.3.7 | 1.6.0 | testdata/locks-scalibr/depsjson |\n+-------------------------------------+------+-----------+--------------------------+---------+---------------+---------------------------------+\n\n---\n\n[TestCommand_MoreLockfiles/depsjson - 2]\n\n---\n\n[TestCommand_MoreLockfiles/gems.locked - 1]\nScanned /testdata/locks-scalibr/gems.locked file and found 26 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 2 packages affected by 6 known vulnerabilities (0 Critical, 2 High, 1 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n6 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+\n| https://osv.dev/GHSA-9m3q-rhmv-5q44 | 7.5 | RubyGems | json | 2.10.1 | 2.10.2 | testdata/locks-scalibr/gems.locked |\n| https://osv.dev/GHSA-353f-x4gh-cqq8 | | RubyGems | nokogiri | 1.18.2 | 1.18.9 | testdata/locks-scalibr/gems.locked |\n| https://osv.dev/GHSA-5w6v-399v-w3cc | | RubyGems | nokogiri | 1.18.2 | 1.18.8 | testdata/locks-scalibr/gems.locked |\n| https://osv.dev/GHSA-mrxw-mxhj-p664 | 7.8 | RubyGems | nokogiri | 1.18.2 | 1.18.4 | testdata/locks-scalibr/gems.locked |\n| https://osv.dev/GHSA-vvfq-8hwr-qm4m | | RubyGems | nokogiri | 1.18.2 | 1.18.3 | testdata/locks-scalibr/gems.locked |\n| https://osv.dev/GHSA-wx95-c6cv-8532 | 5.3 | RubyGems | nokogiri | 1.18.2 | 1.19.1 | testdata/locks-scalibr/gems.locked |\n+-------------------------------------+------+-----------+----------+---------+---------------+------------------------------------+\n\n---\n\n[TestCommand_MoreLockfiles/gems.locked - 2]\n\n---\n\n[TestCommand_MoreLockfiles/packages.config - 1]\nScanned /testdata/locks-scalibr/packages.config file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_MoreLockfiles/packages.config - 2]\n\n---\n\n[TestCommand_MoreLockfiles/packages.lock.json - 1]\nScanned /testdata/locks-scalibr/packages.lock.json file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_MoreLockfiles/packages.lock.json - 2]\n\n---\n\n[TestCommand_MoreLockfiles/stack.yaml.lock - 1]\nScanned /testdata/locks-scalibr/stack.yaml.lock file and found 4 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nNo issues found\n\n---\n\n[TestCommand_MoreLockfiles/stack.yaml.lock - 2]\n\n---\n\n[TestCommand_MoreLockfiles/uv.lock - 1]\nScanned /testdata/locks-scalibr/uv.lock file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 2 known vulnerabilities (0 Critical, 2 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n2 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+\n| https://osv.dev/GHSA-7gcm-g887-7qv7 | 8.2 | PyPI | protobuf | 4.25.5 | 5.29.6 | testdata/locks-scalibr/uv.lock |\n| https://osv.dev/GHSA-8qvm-5x2c-j2w7 | 8.2 | PyPI | protobuf | 4.25.5 | 4.25.8 | testdata/locks-scalibr/uv.lock |\n+-------------------------------------+------+-----------+----------+---------+---------------+--------------------------------+\n\n---\n\n[TestCommand_MoreLockfiles/uv.lock - 2]\n\n---\n\n[TestCommand_Transitive/invalid_data_source_error - 1]\n\n---\n\n[TestCommand_Transitive/invalid_data_source_error - 2]\nunsupported data-source \"github\" - must be one of: deps.dev, native\n\n---\n\n[TestCommand_Transitive/pom.xml_enricher_requires_extractor - 1]\nScanning dir ./testdata/maven-transitive/abc.xml\n\n---\n\n[TestCommand_Transitive/pom.xml_enricher_requires_extractor - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_Transitive/pom.xml_multiple_registries - 1]\nScanned /testdata/maven-transitive/registry.xml file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n6 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n| https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/registry.xml |\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n\n---\n\n[TestCommand_Transitive/pom.xml_multiple_registries - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_no_resolve_no_transitive - 1]\nScanning dir ./testdata/maven-transitive/pom.xml\nScanned /testdata/maven-transitive/pom.xml file and found 1 package\nNo issues found\n\n---\n\n[TestCommand_Transitive/pom.xml_no_resolve_no_transitive - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_non_utf8_encoding - 1]\nScanned /testdata/maven-transitive/encoding.xml file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 1 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n1 vulnerability can be fixed.\n\n+-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+\n| https://osv.dev/GHSA-269g-pwp5-87pp | 4.4 | Maven | junit:junit | 4.12 | 4.13.1 | testdata/maven-transitive/encoding.xml |\n+-------------------------------------+------+-----------+-------------+---------+---------------+----------------------------------------+\n\n---\n\n[TestCommand_Transitive/pom.xml_non_utf8_encoding - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_offline_no_transitive - 1]\nScanning dir ./testdata/maven-transitive/pom.xml\nScanned /testdata/maven-transitive/pom.xml file and found 1 package\nLoaded Maven local db from /osv-scanner/Maven/all.zip\nNo issues found\n\n---\n\n[TestCommand_Transitive/pom.xml_offline_no_transitive - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_default - 1]\nScanning dir ./testdata/maven-transitive/pom.xml\nScanned /testdata/maven-transitive/pom.xml file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n5 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/pom.xml |\n| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/pom.xml |\n| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/pom.xml |\n| https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/pom.xml |\n| https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/pom.xml |\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_default - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 1]\nScanned /testdata/maven-transitive/abc.xml file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 1 package affected by 5 known vulnerabilities (2 Critical, 1 High, 2 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n5 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/abc.xml |\n| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/abc.xml |\n| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/abc.xml |\n| https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/abc.xml |\n| https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/abc.xml |\n+-------------------------------------+------+-----------+-------------------------------------+---------+---------------+-----------------------------------+\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_explicit_lockfile - 2]\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_native_source - 1]\nScanned /testdata/maven-transitive/registry.xml file and found 2 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 2 packages affected by 6 known vulnerabilities (2 Critical, 1 High, 3 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n6 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n| https://osv.dev/GHSA-cm6r-892j-jv2g | 6.1 | Maven | com.google.android.gms:play-services-basement | 10.0.0 | 18.0.2 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-7rjr-3q55-vv33 | 9.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.16.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-8489-44mv-ggj8 | 6.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.1 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-jfh8-c2jp-5v3q | 10.0 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.15.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-p6xc-xr62-6r2g | 8.6 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.17.0 | testdata/maven-transitive/registry.xml |\n| https://osv.dev/GHSA-vc5p-v9hr-52mj | 6.3 | Maven | org.apache.logging.log4j:log4j-core | 2.14.1 | 2.25.3 | testdata/maven-transitive/registry.xml |\n+-------------------------------------+------+-----------+-----------------------------------------------+---------+---------------+----------------------------------------+\n\n---\n\n[TestCommand_Transitive/pom.xml_transitive_native_source - 2]\n\n---\n\n[TestCommand_Transitive/requirements.txt_enricher_requires_extractor - 1]\nScanning dir ./testdata/locks-requirements/requirements-transitive.txt\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\n---\n\n[TestCommand_Transitive/requirements.txt_enricher_requires_extractor - 2]\nNo package sources found, --help for usage information.\n\n---\n\n[TestCommand_Transitive/requirements.txt_no_resolve_no_transitive - 1]\nScanning dir ./testdata/locks-requirements/requirements.txt\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\n\nTotal 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem.\n12 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_Transitive/requirements.txt_no_resolve_no_transitive - 2]\n\n---\n\n[TestCommand_Transitive/requirements.txt_offline_no_transitive - 1]\nScanning dir ./testdata/locks-requirements/requirements.txt\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nLoaded PyPI local db from /osv-scanner/PyPI/all.zip\n\nTotal 3 packages affected by 12 known vulnerabilities (1 Critical, 4 High, 6 Medium, 1 Low, 0 Unknown) from 1 ecosystem.\n12 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_Transitive/requirements.txt_offline_no_transitive - 2]\n\n---\n\n[TestCommand_Transitive/requirements.txt_resolution_fallback - 1]\nScanning dir ./testdata/locks-requirements/unresolvable-requirements.txt\nScanned /testdata/locks-requirements/unresolvable-requirements.txt file and found 3 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 3 packages affected by 9 known vulnerabilities (0 Critical, 3 High, 4 Medium, 1 Low, 1 Unknown) from 1 ecosystem.\n9 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/PYSEC-2020-43 | 8.7 | PyPI | flask-cors | 1.0.0 | 3.0.9 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-xc3p-ff3m-f46v | | | | | | |\n| https://osv.dev/PYSEC-2024-71 | 8.7 | PyPI | flask-cors | 1.0.0 | 4.0.2 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-hxwh-jpp2-84pm | | | | | | |\n| https://osv.dev/GHSA-43qf-4rqw-9q2g | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-7rxf-gvfg-47g4 | 4.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-84pr-m4jr-85g5 | 5.3 | PyPI | flask-cors | 1.0.0 | 4.0.1 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/GHSA-8vgw-p6qm-5gr7 | 5.3 | PyPI | flask-cors | 1.0.0 | 6.0.0 | testdata/locks-requirements/unresolvable-requirements.txt |\n| https://osv.dev/PYSEC-2020-73 | | PyPI | pandas | 0.23.4 | 1.0.4 | testdata/locks-requirements/unresolvable-requirements.txt |\n+-------------------------------------+------+-----------+------------+---------+---------------+-----------------------------------------------------------+\n\n---\n\n[TestCommand_Transitive/requirements.txt_resolution_fallback - 2]\n\n---\n\n[TestCommand_Transitive/requirements.txt_transitive_default - 1]\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem.\n22 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0.0 | 2.2.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0.0 | 3.1.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7.0 | 3.7 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | |\n| https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | |\n| https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-192 | 8.1 | PyPI | urllib3 | 1.24.3 | 1.26.17 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-v845-jxx5-vc9f | | | | | | |\n| https://osv.dev/PYSEC-2023-212 | 5.7 | PyPI | urllib3 | 1.24.3 | 1.26.18 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-g4mx-q9vg-27p4 | | | | | | |\n| https://osv.dev/GHSA-2xpw-w6gg-jr37 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-34jh-p97f-mpxf | 4.4 | PyPI | urllib3 | 1.24.3 | 1.26.19 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-38jv-5279-wg99 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-gm62-xv2j-4w53 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-pq67-6m6q-mj2v | 5.3 | PyPI | urllib3 | 1.24.3 | 2.5.0 | testdata/locks-requirements/requirements.txt |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_Transitive/requirements.txt_transitive_default - 2]\n\n---\n\n[TestCommand_Transitive/requirements.txt_transitive_native_source - 1]\nScanned /testdata/locks-requirements/requirements.txt file and found 3 packages\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\n\nTotal 5 packages affected by 22 known vulnerabilities (1 Critical, 9 High, 10 Medium, 1 Low, 1 Unknown) from 1 ecosystem.\n22 vulnerabilities can be fixed.\n\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n| https://osv.dev/PYSEC-2021-98 | 6.9 | PyPI | django | 1.11.29 | 2.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-68w8-qjq3-2gfm | | | | | | |\n| https://osv.dev/GHSA-6w2r-r2m5-xq5w | 7.1 | PyPI | django | 1.11.29 | 4.2.24 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-7xr5-9hcq-chf9 | 4.0 | PyPI | django | 1.11.29 | 4.2.22 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-8x94-hmjh-97hq | 8.8 | PyPI | django | 1.11.29 | 3.2.15 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-frmv-pr5f-9mcr | 9.1 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-qw25-v68c-qjf3 | 7.5 | PyPI | django | 1.11.29 | 4.2.26 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-rrqc-c2jx-6jgv | 6.3 | PyPI | django | 1.11.29 | 4.2.16 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-62 | 8.7 | PyPI | flask | 1.0 | 2.2.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-m2qf-hxjv-5gpq | | | | | | |\n| https://osv.dev/GHSA-68rp-wp8r-4726 | 2.3 | PyPI | flask | 1.0 | 3.1.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-74 | 6.1 | PyPI | requests | 2.20.0 | 2.31.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-j8r2-6x86-q33q | | | | | | |\n| https://osv.dev/GHSA-9hjg-9r4m-mvj7 | 5.3 | PyPI | requests | 2.20.0 | 2.32.4 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-9wx4-h78v-vm56 | 5.6 | PyPI | requests | 2.20.0 | 2.32.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2024-60 | 7.5 | PyPI | idna | 2.7 | 3.7 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-jjg7-2v4v-x38h | | | | | | |\n| https://osv.dev/PYSEC-2020-148 | 6.9 | PyPI | urllib3 | 1.24.3 | 1.25.9 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-wqvq-5m8c-6g24 | | | | | | |\n| https://osv.dev/PYSEC-2021-108 | | PyPI | urllib3 | 1.24.3 | 1.26.5 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/PYSEC-2023-192 | 8.1 | PyPI | urllib3 | 1.24.3 | 1.26.17 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-v845-jxx5-vc9f | | | | | | |\n| https://osv.dev/PYSEC-2023-212 | 5.7 | PyPI | urllib3 | 1.24.3 | 1.26.18 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-g4mx-q9vg-27p4 | | | | | | |\n| https://osv.dev/GHSA-2xpw-w6gg-jr37 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-34jh-p97f-mpxf | 4.4 | PyPI | urllib3 | 1.24.3 | 1.26.19 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-38jv-5279-wg99 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.3 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-gm62-xv2j-4w53 | 8.9 | PyPI | urllib3 | 1.24.3 | 2.6.0 | testdata/locks-requirements/requirements.txt |\n| https://osv.dev/GHSA-pq67-6m6q-mj2v | 5.3 | PyPI | urllib3 | 1.24.3 | 2.5.0 | testdata/locks-requirements/requirements.txt |\n+-------------------------------------+------+-----------+----------+---------+---------------+----------------------------------------------+\n\n---\n\n[TestCommand_Transitive/requirements.txt_transitive_native_source - 2]\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_errors - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_errors - 2]\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version - 2]\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version - 2]\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_errors - 1]\nScanning dir /composer.lock\nCommand \"ssh -V\": exit status 1\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_errors - 2]\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version - 2]\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 1]\nScanning dir /composer.lock\nScanned /composer.lock file and found 1 package\nWarning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\nLoaded filter from: /osv-scanner-test.toml\nNo issues found\n\n---\n\n[TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 2]\n\n---\n" }, { "path": "cmd/osv-scanner/scan/source/command.go", "content": "// Package source implements the `source` subcommand of the `scan` command.\npackage source\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/helper\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc Command(stdout, stderr io.Writer, client *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tName: \"source\",\n\t\tUsage: \"scans a source project's dependencies for known vulnerabilities using the OSV database.\",\n\t\tDescription: \"scans a source project's dependencies for known vulnerabilities using the OSV database.\",\n\t\tFlags: append([]cli.Flag{\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"lockfile\",\n\t\t\t\tAliases: []string{\"L\"},\n\t\t\t\tUsage: \"scan package lockfile on this path\",\n\t\t\t\tTakesFile: true,\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"sbom\",\n\t\t\t\tAliases: []string{\"S\"},\n\t\t\t\tUsage: \"[DEPRECATED] scan sbom file on this path, the sbom file name must follow the relevant spec\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, _ []string) error {\n\t\t\t\t\tcmdlogger.Warnf(\"Warning: --sbom has been deprecated in favor of -L\")\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t\tTakesFile: true,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"recursive\",\n\t\t\t\tAliases: []string{\"r\"},\n\t\t\t\tUsage: \"check subdirectories\",\n\t\t\t\tValue: false,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"no-ignore\",\n\t\t\t\tUsage: \"also scan files that would be ignored by .gitignore\",\n\t\t\t\tValue: false,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"include-git-root\",\n\t\t\t\tUsage: \"include scanning git root (non-submoduled) repositories\",\n\t\t\t\tValue: false,\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"experimental-exclude\",\n\t\t\t\tUsage: \"exclude directory paths during scanning; use g:pattern for glob, r:pattern for regex, or just dirname for exact match (can be repeated)\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"data-source\",\n\t\t\t\tUsage: \"source to fetch package information from; value can be: deps.dev, native\",\n\t\t\t\tValue: \"deps.dev\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\t\tif s != \"deps.dev\" && s != \"native\" {\n\t\t\t\t\t\treturn fmt.Errorf(\"unsupported data-source \\\"%s\\\" - must be one of: deps.dev, native\", s)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"maven-registry\",\n\t\t\t\tUsage: \"URL of the default registry to fetch Maven metadata\",\n\t\t\t},\n\t\t}, helper.BuildCommonScanFlags([]string{\"lockfile\", \"sbom\", \"directory\"})...),\n\t\tArgsUsage: \"[directory1 directory2...]\",\n\t\tAction: func(ctx context.Context, cmd *cli.Command) error {\n\t\t\treturn action(ctx, cmd, stdout, stderr, client)\n\t\t},\n\t}\n}\n\nfunc action(_ context.Context, cmd *cli.Command, stdout, stderr io.Writer, client *http.Client) error {\n\tformat := cmd.String(\"format\")\n\n\toutputPath := cmd.String(\"output-file\")\n\n\tif outputPath == \"\" {\n\t\toutputPath = cmd.String(\"output\")\n\t}\n\tserve := cmd.Bool(\"serve\")\n\tif serve {\n\t\tformat = \"html\"\n\t\tif outputPath == \"\" {\n\t\t\t// Create a temporary directory\n\t\t\ttmpDir, err := os.MkdirTemp(\"\", \"osv-scanner-result\")\n\t\t\tif err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed creating temporary directory: %w\\n\"+\n\t\t\t\t\t\"Please use `--output-file result.html` to specify the output path\", err)\n\t\t\t}\n\n\t\t\t// Remove the created temporary directory after\n\t\t\tdefer os.RemoveAll(tmpDir)\n\t\t\toutputPath = filepath.Join(tmpDir, \"index.html\")\n\t\t}\n\t}\n\n\tscanLicensesAllowlist, err := helper.GetScanLicensesAllowlist(cmd)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\texperimentalScannerActions := helper.GetExperimentalScannerActions(cmd, client)\n\texperimentalScannerActions.RequestUserAgent = \"osv-scanner_scan-source/\" + version.OSVVersion\n\texperimentalScannerActions.ExcludePatterns = cmd.StringSlice(\"experimental-exclude\")\n\t// Add `source` specific experimental configs\n\texperimentalScannerActions.TransitiveScanning = osvscanner.TransitiveScanningActions{\n\t\tDisabled: cmd.Bool(\"no-resolve\"),\n\t\tNativeDataSource: cmd.String(\"data-source\") == \"native\",\n\t\tMavenRegistry: cmd.String(\"maven-registry\"),\n\t}\n\n\tscannerAction := helper.GetCommonScannerActions(cmd, scanLicensesAllowlist)\n\n\tscannerAction.LockfilePaths = cmd.StringSlice(\"lockfile\")\n\t//nolint:staticcheck // ignore our own deprecated field\n\tscannerAction.SBOMPaths = cmd.StringSlice(\"sbom\")\n\tscannerAction.Recursive = cmd.Bool(\"recursive\")\n\tscannerAction.NoIgnore = cmd.Bool(\"no-ignore\")\n\tscannerAction.DirectoryPaths = cmd.Args().Slice()\n\tscannerAction.ExperimentalScannerActions = experimentalScannerActions\n\n\tvar vulnResult models.VulnerabilityResults\n\t//nolint:contextcheck // passing the context in would be a breaking change\n\tvulnResult, err = osvscanner.DoScan(scannerAction)\n\n\tif cmd.Bool(\"allow-no-lockfiles\") && errors.Is(err, osvscanner.ErrNoPackagesFound) {\n\t\tcmdlogger.Warnf(\"No package sources found\")\n\t\terr = nil\n\t}\n\n\tif err != nil && !errors.Is(err, osvscanner.ErrVulnerabilitiesFound) {\n\t\treturn err\n\t}\n\n\tif errPrint := helper.PrintResult(stdout, stderr, outputPath, format, &vulnResult, scannerAction.ShowAllVulns); errPrint != nil {\n\t\treturn fmt.Errorf(\"failed to write output: %w\", errPrint)\n\t}\n\n\t// Auto-open outputted HTML file for users.\n\tif outputPath != \"\" {\n\t\tif serve {\n\t\t\thelper.ServeHTML(outputPath)\n\t\t} else if format == \"html\" {\n\t\t\tcmdlogger.Infof(\"HTML output available at: %s\", outputPath)\n\t\t}\n\t}\n\n\t// This may be nil.\n\treturn err\n}\n" }, { "path": "cmd/osv-scanner/scan/source/command_test.go", "content": "package source_test\n\nimport (\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestCommand(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t// one specific supported lockfile\n\t\t{\n\t\t\tName: \"one_specific_supported_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// one specific supported lockfile, explicitly not offline\n\t\t{\n\t\t\tName: \"one_specific_supported_lockfile_with_offline_explicitly_false\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline=false\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// one specific supported sbom with vulns\n\t\t{\n\t\t\tName: \"folder_of_supported_sbom_with_vulns\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/sbom-insecure/\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// one specific supported sbom with only unimportant\n\t\t{\n\t\t\tName: \"folder_of_supported_sbom_with_only_unimportant\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/sbom-insecure/only-unimportant.spdx.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// one specific supported sbom with only unimportant but with --all-vulns\n\t\t{\n\t\t\tName: \"folder_of_supported_sbom_with_only_unimportant\",\n\t\t\tArgs: []string{\"\", \"source\", \"--all-vulns\", \"./testdata/sbom-insecure/only-unimportant.spdx.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// one specific supported sbom with vulns\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_vulns\",\n\t\t\tArgs: []string{\"\", \"source\", \"--sbom\", \"./testdata/sbom-insecure/alpine.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_vulns_using_-L_flag\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/sbom-insecure/alpine.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// one specific supported sbom with vulns and invalid PURLs\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_invalid_PURLs\",\n\t\t\tArgs: []string{\"\", \"source\", \"--sbom\", \"./testdata/sbom-insecure/bad-purls.cdx.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/sbom-insecure/bad-purls.cdx.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// one specific supported sbom with duplicate PURLs\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_duplicate_PURLs\",\n\t\t\tArgs: []string{\"\", \"source\", \"--sbom\", \"./testdata/sbom-insecure/with-duplicates.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/sbom-insecure/with-duplicates.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// one file that does not match the supported sbom file names\n\t\t{\n\t\t\tName: \"one_file_that_does_not_match_the_supported_sbom_file_names\",\n\t\t\tArgs: []string{\"\", \"source\", \"--sbom\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"one_file_that_does_not_match_the_supported_sbom_file_names_using_-L_flag\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"spdx:./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// one specific unsupported lockfile\n\t\t{\n\t\t\tName: \"one_specific_unsupported_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-many/not-a-lockfile.toml\"},\n\t\t\tExit: 128,\n\t\t},\n\t\t// all supported lockfiles in the directory should be checked\n\t\t{\n\t\t\tName: \"Scan_locks-many\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-many\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// all supported lockfiles in the directory should be checked\n\t\t{\n\t\t\tName: \"all_supported_lockfiles_in_the_directory_should_be_checked\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-many-with-invalid\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// no lockfiles present in a directory\n\t\t{\n\t\t\tName: \"no_lockfiles_without_recursion_or_allow_flag_give_an_error\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-none\"},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"no_lockfiles_without_recursion_but_with_allow_flag_are_fine\",\n\t\t\tArgs: []string{\"\", \"source\", \"--allow-no-lockfiles\", \"./testdata/locks-none\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"no_lockfiles_with_allow_flag_but_another_error_happens_is_not_fine\",\n\t\t\tArgs: []string{\"\", \"source\", \"--allow-no-lockfiles\", \"./testdata/locks-none-does-not-exist\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"no_lockfiles_with_recursion_but_without_allow_flag_are_fine\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"./testdata/locks-none\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"no_lockfiles_with_recursion_and_with_allow_flag_are_fine\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--allow-no-lockfiles\", \"./testdata/locks-none\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// only the files in the given directories are checked by default (no recursion)\n\t\t{\n\t\t\tName: \"only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion)\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// nested directories are checked when `--recursive` is passed\n\t\t{\n\t\t\tName: \"nested_directories_are_checked_when_`--recursive`_is_passed\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// .gitignored files\n\t\t{\n\t\t\tName: \".gitignored_files\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"./testdata/locks-gitignore\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// ignoring .gitignore\n\t\t{\n\t\t\tName: \"ignoring_.gitignore\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--no-ignore\", \"./testdata/locks-gitignore\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// experimental exclude flag tests\n\t\t{\n\t\t\tName: \"exclude_with_exact_directory_name\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--experimental-exclude=nested\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"exclude_with_glob_pattern\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--experimental-exclude=g:**/nested/**\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"exclude_with_regex_pattern\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--experimental-exclude=r:/nested$\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"exclude_with_invalid_regex_returns_error\",\n\t\t\tArgs: []string{\"\", \"source\", \"--experimental-exclude=r:[invalid\", \"./testdata/locks-many\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"exclude_with_multiple_exact_directories\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--experimental-exclude=nested\", \"--experimental-exclude=other\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"exclude_with_multiple_pattern_types\",\n\t\t\tArgs: []string{\"\", \"source\", \"--recursive\", \"--experimental-exclude=nested\", \"--experimental-exclude=g:**/vendor/**\", \"--experimental-exclude=r:\\\\.cache$\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"json_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"json\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// output format: sarif\n\t\t{\n\t\t\tName: \"Empty_sarif_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"sarif\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.ReplacePartialFingerprintHash,\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Sarif_with_vulns\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"sarif\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.ReplacePartialFingerprintHash,\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: gh-annotations\n\t\t{\n\t\t\tName: \"Empty_gh-annotations_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"gh-annotations\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"gh-annotations_with_vulns\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"gh-annotations\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: markdown table\n\t\t{\n\t\t\tName: \"output_format:_markdown_table\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"markdown\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: cyclonedx 1.4\n\t\t{\n\t\t\tName: \"Empty_cyclonedx_1.4_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"cyclonedx-1-4\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"cyclonedx_1.4_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-empty-config.toml\", \"--format\", \"cyclonedx-1-4\", \"--all-packages\", \"./testdata/locks-insecure\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: cyclonedx 1.5\n\t\t{\n\t\t\tName: \"Empty_cyclonedx_1.5_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"cyclonedx-1-5\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"cyclonedx_1.5_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-empty-config.toml\", \"--format\", \"cyclonedx-1-5\", \"--all-packages\", \"./testdata/locks-insecure\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: spdx 2.3\n\t\t{\n\t\t\tName: \"Empty_spdx_2.3_output\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"spdx-2-3\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.NormalizeCreateDateSPDX,\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"spdx_2.3_output\", // SPDX does not support outputting vulnerabilties\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-empty-config.toml\", \"--format\", \"spdx-2-3\", \"--all-packages\", \"./testdata/locks-insecure\"},\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.NormalizeCreateDateSPDX,\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t// output format: unsupported\n\t\t{\n\t\t\tName: \"output_format:_unsupported\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"unknown\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// one specific supported lockfile with ignore\n\t\t{\n\t\t\tName: \"one_specific_supported_lockfile_with_ignore\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-test-ignore/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"invalid_--verbosity_value\",\n\t\t\tArgs: []string{\"\", \"source\", \"--verbosity\", \"unknown\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"verbosity_level_=_error\",\n\t\t\tArgs: []string{\"\", \"source\", \"--verbosity\", \"error\", \"--format\", \"table\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"verbosity_level_=_info\",\n\t\t\tArgs: []string{\"\", \"source\", \"--verbosity\", \"info\", \"--format\", \"table\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"PURL_SBOM_case_sensitivity_(api)\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format\", \"table\", \"./testdata/sbom-insecure/alpine.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"PURL_SBOM_case_sensitivity_(local)\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--format\", \"table\", \"./testdata/sbom-insecure/alpine.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// Go project with an overridden go version and licenses\n\t\t{\n\t\t\tName: \"Go_project_with_an_overridden_go_version_and_licences\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/go-project/go-version-config.toml\", \"--licenses\", \"./testdata/go-project\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// Go project with an overridden go version\n\t\t{\n\t\t\tName: \"Go_project_with_an_overridden_go_version\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/go-project/go-version-config.toml\", \"./testdata/go-project\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// Go project with an overridden go version, recursive\n\t\t{\n\t\t\tName: \"Go_project_with_an_overridden_go_version,_recursive\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/go-project/go-version-config.toml\", \"-r\", \"./testdata/go-project\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// broad config file that overrides a whole ecosystem\n\t\t{\n\t\t\tName: \"config_file_can_be_broad\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-composite-config.toml\", \"--licenses=MIT\", \"-L\", \"osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json\", \"./testdata/locks-many-with-insecure\", \"./testdata/locks-insecure\", \"./testdata/maven-transitive\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t// ignored vulnerabilities and packages without a reason should be called out\n\t\t{\n\t\t\tName: \"ignores_without_reason_should_be_explicitly_called_out\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-reasonless-ignores-config.toml\", \"./testdata/locks-many-with-insecure/package-lock.json\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// invalid config file\n\t\t{\n\t\t\tName: \"config_file_is_invalid\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/config-invalid\"},\n\t\t\tExit: 130,\n\t\t},\n\t\t// config file with unknown keys\n\t\t{\n\t\t\tName: \"config_files_cannot_have_unknown_keys\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-unknown-config.toml\", \"./testdata/locks-many\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// config file with multiple ignores with the same id\n\t\t{\n\t\t\tName: \"config_files_should_not_have_multiple_ignores_with_the_same_id\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-duplicate-config.toml\", \"./testdata/locks-many\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t// a bunch of requirements.txt files with different names\n\t\t// --no-resolve is used as transitive resolution tests are in a separate section\n\t\t{\n\t\t\tName: \"requirements.txt_can_have_all_kinds_of_names\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-requirements\", \"--no-resolve\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"go_packages_in_osv-scanner.json_format\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"osv-scanner:./testdata/locks-insecure/osv-scanner.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"help\",\n\t\t\tArgs: []string{\"\", \"source\", \"--help\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_Config_UnusedIgnores(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"unused_ignores_are_reported_with_specific_config_and_file\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config\", \"testdata/osv-scanner-partial-ignores-config.toml\", \"testdata/sbom-insecure/alpine.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"unused_ignores_are_reported_with_specific_config_and_multiple_files\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config\", \"testdata/osv-scanner-partial-ignores-config.toml\", \"testdata/sbom-insecure/alpine.cdx.xml\", \"testdata/sbom-insecure/postgres-stretch.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"unused_ignores_are_reported_with_specific_config_and_file\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config\", \"testdata/osv-scanner-partial-ignores-config.toml\", \"testdata/sbom-insecure\"},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_JavareachArchive(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"jars_can_be_scanned_without_call_analysis\",\n\t\t\tArgs: []string{\"\", \"source\", \"--all-vulns\", \"--experimental-plugins=artifact\", \"./testdata/artifact/javareach_test.jar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"jars_can_be_scanned_with_call_analysis\",\n\t\t\tArgs: []string{\"\", \"source\", \"--call-analysis=jar\", \"--all-vulns\", \"--experimental-plugins=artifact\", \"./testdata/artifact/javareach_test.jar\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"jars_can_be_scanned_with_call_analysis_and_disabled_enricher\",\n\t\t\tArgs: []string{\"\", \"source\", \"--call-analysis=jar\", \"--experimental-disable-plugins=reachability/java\", \"--all-vulns\", \"--experimental-plugins=artifact\", \"./testdata/artifact/javareach_test.jar\"},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_ExplicitExtractors_WithDefaults(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"empty_plugins_flag_does_nothing\",\n\t\t\tArgs: []string{\"\", \"source\", \"--experimental-plugins=\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_specified_individually\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_specified_together\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx,sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_with_presets\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\t// this will scan all the lockfiles as we have not explicitly disabled the\n\t\t\t// default extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_one_specific_extractor_enabled_and_the_defaults\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_directory_with_an_extractor_that_does_not_exist\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-plugins=custom/extractor\",\n\t\t\t\t\"--experimental-disable-plugins=custom/anotherextractor\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package-lock.json and composer.lock files as\n\t\t\t// we've not enabled extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_a_couple_of_specific_extractors_enabled_individually\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-plugins=php/composerlock\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package-lock.json and composer.lock files as\n\t\t\t// we've not enabled extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson,php/composerlock\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this should result in all files within the directory being scanned\n\t\t\t// except for the package-lock.json\n\t\t\tName: \"scanning_directory_with_one_specific_extractor_disabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-disable-plugins=javascript/packagelockjson\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package lock, since we're requested that file specifically\n\t\t\tName: \"scanning_file_with_one_specific_extractor_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"./testdata/locks-many/package-lock.json\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will result in no issues since we have left the default plugins enabled\n\t\t\tName: \"scanning_file_with_one_different_extractor_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"./testdata/locks-many/composer.lock\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will result in an error about not being able to determine the extractor\n\t\t\t// since we've requested the file to be parsed with a specific extractor\n\t\t\t// that we've also disabled\n\t\t\tName: \"scanning_file_with_parse_as_but_specific_extractor_disabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-disable-plugins=javascript/packagelockjson\",\n\t\t\t\t\"-L\", \"package-lock.json:./testdata/locks-many/composer.lock\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_ExplicitExtractors_WithoutDefaults(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"empty_plugins_flag_does_nothing\",\n\t\t\tArgs: []string{\"\", \"source\", \"--experimental-no-default-plugins\", \"--experimental-plugins=\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_specified_individually\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx\",\n\t\t\t\t\"--experimental-plugins=sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_specified_together\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom/spdx,sbom/cdx\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"extractors_cancelled_out_with_presets\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=sbom\",\n\t\t\t\t\"--experimental-disable-plugins=sbom\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package-lock.json file as we've explicitly\n\t\t\t// disabled the default extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_one_specific_extractor_enabled_and_no_defaults\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_directory_with_an_extractor_that_does_not_exist\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-plugins=custom/extractor\",\n\t\t\t\t\"--experimental-disable-plugins=custom/anotherextractor\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package-lock.json and composer.lock files as\n\t\t\t// we've not enabled extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_a_couple_of_specific_extractors_enabled_individually\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-plugins=php/composerlock\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package-lock.json and composer.lock files as\n\t\t\t// we've not enabled extractors for any of the other lockfiles\n\t\t\tName: \"scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson,php/composerlock\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this should result in all files within the directory being scanned\n\t\t\t// except for the package-lock.json\n\t\t\tName: \"scanning_directory_with_one_specific_extractor_disabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-disable-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will scan just the package lock, since we're requested that file\n\t\t\t// specifically and have enabled just that extractor\n\t\t\tName: \"scanning_file_with_one_specific_extractor_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many/package-lock.json\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\t// this will result in an error about not being able to find any package sources\n\t\t\t// since we've requested a composer.lock be scanned without the extractor enabled\n\t\t\tName: \"scanning_file_with_one_different_extractor_enabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"./testdata/locks-many/composer.lock\",\n\t\t\t},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\t// this will result in an error about not being able to determine the extractor\n\t\t\t// since we've requested the file to be parsed with a specific extractor\n\t\t\t// that we've also disabled\n\t\t\tName: \"scanning_file_with_parse_as_but_specific_extractor_disabled\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-disable-plugins=javascript/packagelockjson\",\n\t\t\t\t\"--experimental-no-default-plugins\",\n\t\t\t\t\"-L\", \"package-lock.json:./testdata/locks-many/composer.lock\",\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_CallAnalysis(t *testing.T) {\n\tt.Parallel()\n\n\t// This does require Go toolchain, but the whole project requires go toolchain,\n\t// so not an external dependency\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"Run_with_govulncheck\",\n\t\t\tArgs: []string{\"\", \"source\",\n\t\t\t\t\"--call-analysis=go\",\n\t\t\t\t\"--config=./testdata/osv-scanner-call-analysis-config.toml\",\n\t\t\t\t\"./testdata/call-analysis-go-project\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Run_with_govulncheck_all_uncalled\",\n\t\t\tArgs: []string{\"\", \"source\",\n\t\t\t\t\"--call-analysis=go\",\n\t\t\t\t\"--config=./testdata/osv-scanner-call-analysis-config.toml\",\n\t\t\t\t\"./testdata/call-analysis-go-project-all-uncalled\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag\",\n\t\t\tArgs: []string{\"\", \"source\",\n\t\t\t\t\"--call-analysis=go\",\n\t\t\t\t\"--all-vulns\",\n\t\t\t\t\"--config=./testdata/osv-scanner-call-analysis-config.toml\",\n\t\t\t\t\"./testdata/call-analysis-go-project-all-uncalled\"},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_LockfileWithExplicitParseAs(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"unsupported_parse-as\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"my-file:./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"empty_is_default\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\":\" + filepath.FromSlash(\"./testdata/locks-many/composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\":\" + filepath.FromSlash(\"./path/to/my:file\"),\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"empty_works_as_an_escape_(no_fixture_because_it's_not_valid_on_Windows)\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\":\" + filepath.FromSlash(\"./path/to/my:project/package-lock.json\"),\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"one_lockfile_with_local_path\",\n\t\t\tArgs: []string{\"\", \"source\", \"--lockfile=go.mod:./testdata/locks-many/replace-local.mod\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"when_an_explicit_parse-as_is_given,_it's_applied_to_that_file\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"package-lock.json:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-package-lock.json\"),\n\t\t\t\tfilepath.FromSlash(\"./testdata/locks-insecure\"),\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"multiple,_+_output_order_is_deterministic\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\", \"package-lock.json:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-package-lock.json\"),\n\t\t\t\t\"-L\", \"yarn.lock:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-yarn.lock\"),\n\t\t\t\tfilepath.FromSlash(\"./testdata/locks-insecure\"),\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"multiple,_+_output_order_is_deterministic_2\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\", \"yarn.lock:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-yarn.lock\"),\n\t\t\t\t\"-L\", \"package-lock.json:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-package-lock.json\"),\n\t\t\t\tfilepath.FromSlash(\"./testdata/locks-insecure\"),\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"files_that_error_on_parsing_stop_parsable_files_from_being_checked\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"Cargo.lock:\" + filepath.FromSlash(\"./testdata/locks-insecure/my-package-lock.json\"),\n\t\t\t\tfilepath.FromSlash(\"./testdata/locks-insecure\"),\n\t\t\t\tfilepath.FromSlash(\"./testdata/locks-many\"),\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"parse-as_takes_priority,_even_if_it's_wrong\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"package-lock.json:\" + filepath.FromSlash(\"./testdata/locks-many/yarn.lock\"),\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"\\\"apk-installed\\\" is supported\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"apk-installed:\" + filepath.FromSlash(\"./testdata/locks-many/installed\"),\n\t\t\t},\n\t\t\tExit: 0,\n\n\t\t\t// don't intercept requests for this case as the apk extractor reads the OS version\n\t\t\t// of the environment its being run in, and currently does not support being overridden\n\t\t\tHTTPClient: http.DefaultClient,\n\t\t},\n\t\t{\n\t\t\tName: \"\\\"dpkg-status\\\" is supported\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"dpkg-status:\" + filepath.FromSlash(\"./testdata/locks-many/status\"),\n\t\t\t},\n\t\t\tExit: 0,\n\n\t\t\t// don't intercept requests for this case as the dpkg extractor reads the OS version\n\t\t\t// of the environment its being run in, and currently does not support being overridden\n\t\t\tHTTPClient: http.DefaultClient,\n\t\t},\n\t\t{\n\t\t\t// if this isn't true, the test would fail along the lines of\n\t\t\t// \"could not determine extractor, requested D\"\n\t\t\tName: \"absolute_paths_are_automatically_escaped_on_windows\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\tfilepath.FromSlash(filepath.Join(cwd, \"./testdata/locks-many/yarn.lock\")),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"absolute_paths_work_with_explicit_escaping\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\":\" + filepath.FromSlash(filepath.Join(cwd, \"./testdata/locks-many/yarn.lock\")),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"absolute_paths_can_have_explicit_parse_as\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\",\n\t\t\t\t\"source\",\n\t\t\t\t\"-L\",\n\t\t\t\t\"package-lock.json:\" + filepath.FromSlash(filepath.Join(cwd, \"./testdata/locks-many/yarn.lock\")),\n\t\t\t},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif tt.HTTPClient == nil {\n\t\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\t\t\t}\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\n// TestCommand_GithubActions tests common actions the github actions reusable workflow will run\nfunc TestCommand_GithubActions(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"scanning_osv-scanner_custom_format\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_osv-scanner_custom_format_with_git_tag\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"osv-scanner:./testdata/locks-insecure/osv-scanner-custom-git-tag.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"scanning_osv-scanner_custom_format_output_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"osv-scanner:./testdata/locks-insecure/osv-scanner-flutter-deps.json\", \"--format=sarif\"},\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.ReplacePartialFingerprintHash,\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_LocalDatabases(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"one_specific_supported_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"one_specific_supported_sbom_with_vulns\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/sbom-insecure/postgres-stretch.cdx.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"one_specific_unsupported_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-many/not-a-lockfile.toml\"},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"all_supported_lockfiles_in_the_directory_should_be_checked\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-many-with-insecure\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"all_supported_lockfiles_in_the_directory_should_be_checked\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-many-with-invalid\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion)\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"nested_directories_are_checked_when_`--recursive`_is_passed\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--recursive\", \"./testdata/locks-one-with-nested\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \".gitignored_files\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--recursive\", \"./testdata/locks-gitignore\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"ignoring_.gitignore\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--recursive\", \"--no-ignore\", \"./testdata/locks-gitignore\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"output_with_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--format\", \"json\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"output_format:_markdown_table\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--format\", \"markdown\", \"./testdata/locks-many/composer.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"database_should_be_downloaded_only_when_offline_is_set\",\n\t\t\tArgs: []string{\"\", \"source\", \"--download-offline-databases\", \"./testdata/locks-many\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttestDir := testutility.CreateTestDir(t)\n\t\t\told := tt.Args\n\t\t\ttt.Args = []string{\"\", \"source\", \"--local-db-path\", testDir}\n\t\t\ttt.Args = append(tt.Args, old[2:]...)\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\t// run each test twice since they should provide the same output,\n\t\t\t// and the second run should be fast as the db is already available\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_LocalDatabases_AlwaysOffline(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"a_bunch_of_different_lockfiles_and_ecosystem\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"./testdata/locks-requirements\", \"./testdata/locks-many-with-insecure\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttestDir := testutility.CreateTestDir(t)\n\t\t\told := tt.Args\n\t\t\ttt.Args = []string{\"\", \"source\", \"--local-db-path\", testDir}\n\t\t\ttt.Args = append(tt.Args, old[2:]...)\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\t// run each test twice since they should provide the same output,\n\t\t\t// and the second run should be fast as the db is already available\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_CommitSupport(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"online_uses_git_commits\",\n\t\t\tArgs: []string{\"\", \"source\", \"--lockfile\", \"osv-scanner:./testdata/locks-git/osv-scanner.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"offline_uses_git_tags\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"--lockfile\", \"osv-scanner:./testdata/locks-git/osv-scanner.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_Licenses(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"No_vulnerabilities_with_license_summary\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses\", \"./testdata/locks-many\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"No_vulnerabilities_with_license_summary_in_markdown\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses\", \"--format=markdown\", \"./testdata/locks-many\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Vulnerabilities_and_license_summary\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Vulnerabilities_and_license_violations_with_allowlist\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses=MIT\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"No_vulnerabilities_but_license_violations_with_allowlist\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses=Apache-2.0\", \"--config=./testdata/osv-scanner-empty-config.toml\", \"./testdata/locks-many/yarn.lock\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Vulnerabilities_and_all_license_violations_allowlisted\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses=Apache-2.0\", \"./testdata/locks-many-with-insecure/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Some_packages_with_license_violations_and_show-all-packages_in_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--licenses=MIT\", \"--all-packages\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Some_packages_with_ignored_licenses\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-complex-licenses-config.toml\", \"--licenses=MIT\", \"./testdata/locks-many\", \"./testdata/locks-insecure\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Some_packages_with_license_violations_in_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--licenses=MIT\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"No_license_violations_and_show-all-packages_in_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--licenses=MIT,Apache-2.0\", \"--all-packages\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Show_all_Packages_with_license_summary_in_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--licenses\", \"--all-packages\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Licenses_in_summary_mode_json\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--licenses\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"Licenses_with_expressions\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-expressive-licenses-config.toml\", \"--licenses=MIT,BSD-3-Clause\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Licenses_with_invalid_licenses_in_flag\",\n\t\t\tArgs: []string{\"\", \"source\", \"--licenses=MIT,something-something\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Licenses_with_invalid_expression_in_config\",\n\t\t\tArgs: []string{\"\", \"source\", \"--config=./testdata/osv-scanner-invalid-licenses-config.toml\", \"--licenses=MIT,BSD-3-Clause\", \"./testdata/locks-licenses/package-lock.json\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"When_offline_licenses_summary_cannot_be_printed\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--licenses\", \"./testdata/locks-many/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"When_offline_licenses_cannot_be_checked\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--licenses=MIT\", \"./testdata/locks-many/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"When_offline_licenses_are_still_validated\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--licenses=MIT,something-something\", \"./testdata/locks-many/package-lock.json\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_Transitive(t *testing.T) {\n\tt.Parallel()\n\n\ttestutility.SkipIfShort(t)\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"pom.xml_transitive_default\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/maven-transitive/pom.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_transitive_explicit_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"pom.xml:./testdata/maven-transitive/abc.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_multiple_registries\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"pom.xml:./testdata/maven-transitive/registry.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_transitive_native_source\",\n\t\t\tArgs: []string{\"\", \"source\", \"--data-source=native\", \"-L\", \"pom.xml:./testdata/maven-transitive/registry.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_non_utf8_encoding\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"pom.xml:./testdata/maven-transitive/encoding.xml\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_no_resolve_no_transitive\",\n\t\t\tArgs: []string{\"\", \"source\", \"--no-resolve\", \"./testdata/maven-transitive/pom.xml\"},\n\t\t\t// Direct dependencies do not have any vulnerability.\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_offline_no_transitive\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/maven-transitive/pom.xml\"},\n\t\t\t// Direct dependencies do not have any vulnerability.\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"pom.xml_enricher_requires_extractor\",\n\t\t\tArgs: []string{\"\", \"source\", \"--experimental-disable-plugins=java/pomxml\", \"./testdata/maven-transitive/abc.xml\"},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"invalid_data_source_error\",\n\t\t\tArgs: []string{\"\", \"source\", \"--data-source=github\", \"-L\", \"pom.xml:./testdata/maven-transitive/registry.xml\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_transitive_default\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-requirements/requirements.txt\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_transitive_native_source\",\n\t\t\tArgs: []string{\"\", \"source\", \"--data-source=native\", \"-L\", \"requirements.txt:./testdata/locks-requirements/requirements.txt\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_no_resolve_no_transitive\",\n\t\t\tArgs: []string{\"\", \"source\", \"--no-resolve\", \"./testdata/locks-requirements/requirements.txt\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_offline_no_transitive\",\n\t\t\tArgs: []string{\"\", \"source\", \"--offline\", \"--download-offline-databases\", \"./testdata/locks-requirements/requirements.txt\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_enricher_requires_extractor\",\n\t\t\tArgs: []string{\"\", \"source\", \"--experimental-disable-plugins=python/requirements\", \"./testdata/locks-requirements/requirements-transitive.txt\"},\n\t\t\tExit: 128,\n\t\t},\n\t\t{\n\t\t\tName: \"requirements.txt_resolution_fallback\",\n\t\t\tArgs: []string{\"\", \"source\", \"./testdata/locks-requirements/unresolvable-requirements.txt\"},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_MoreLockfiles(t *testing.T) {\n\tt.Parallel()\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"uv.lock\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/uv.lock\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"depsjson\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"deps.json:./testdata/locks-scalibr/depsjson\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"cabal.project.freeze\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/cabal.project.freeze\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"stack.yaml.lock\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/stack.yaml.lock\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"packages.config\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/packages.config\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"packages.lock.json\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/packages.lock.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"gems.locked\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/gems.locked\"},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"Podfile.lock_-_Unsupported_ecosystem,_should_not_be_scanned\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/Podfile.lock\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"Package.resolved_-_Unsupported_ecosystem,_should_not_be_scanned\",\n\t\t\tArgs: []string{\"\", \"source\", \"-L\", \"./testdata/locks-scalibr/Package.resolved\"},\n\t\t\tExit: 127,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommandNonGit(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\terr := os.CopyFS(testDir, os.DirFS(\"./testdata/locks-many\"))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []testcmd.Case{\n\t\t// one specific supported lockfile\n\t\t{\n\t\t\tName: \"one_specific_supported_lockfile\",\n\t\t\tArgs: []string{\"\", \"source\", filepath.Join(testDir, \"composer.lock\")},\n\t\t\tExit: 0,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\ttt.HTTPClient = testcmd.WithTestNameHeader(t, *client)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_HtmlFile(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\tclient := testcmd.InsertCassette(t)\n\n\ttestcmd.RunAndMatchSnapshots(t, testcmd.Case{\n\t\tName: \"one_specific_supported_lockfile\",\n\t\tArgs: []string{\"\", \"source\", \"--format=html\", \"--output-file\", testDir + \"/report.html\", \"./testdata/locks-many/composer.lock\"},\n\t\tExit: 0,\n\n\t\tHTTPClient: testcmd.WithTestNameHeader(t, *client),\n\t})\n\n\t_, err := os.Stat(testDir + \"/report.html\")\n\n\tif err != nil {\n\t\tt.Errorf(\"Unexpected %v\", err)\n\t}\n}\n\nfunc TestCommand_HtmlFile_Deprecated(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\tclient := testcmd.InsertCassette(t)\n\n\ttestcmd.RunAndMatchSnapshots(t, testcmd.Case{\n\t\tName: \"one_specific_supported_lockfile\",\n\t\tArgs: []string{\"\", \"source\", \"--format=html\", \"--output\", testDir + \"/report.html\", \"./testdata/locks-many/composer.lock\"},\n\t\tExit: 0,\n\n\t\tHTTPClient: testcmd.WithTestNameHeader(t, *client),\n\t})\n\n\t_, err := os.Stat(testDir + \"/report.html\")\n\n\tif err != nil {\n\t\tt.Errorf(\"Unexpected %v\", err)\n\t}\n}\n\nfunc TestCommand_WithDetector_OnLinux(t *testing.T) {\n\tif runtime.GOOS != \"linux\" {\n\t\ttestutility.Skip(t, \"The detector in this test only works on Linux\")\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\terr := os.CopyFS(testDir, os.DirFS(\"./testdata/locks-many\"))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\terr = os.CopyFS(testDir+\"/bin\", os.DirFS(\"./testdata/bin\"))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []struct {\n\t\tName string\n\t\tArgs []string\n\t\tExit int\n\t\tSSHV string\n\t}{\n\t\t{\n\t\t\tName: \"ssh_version_is_before_first_vuln_version\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"OpenSSH_5.4 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\",\n\t\t},\n\t\t{\n\t\t\tName: \"ssh_version_is_after_last_vuln_version\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"OpenSSH_9.3p2 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\",\n\t\t},\n\t\t{\n\t\t\tName: \"ssh_version_errors\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\t// append our bin directory to the start of the PATH variable\n\t\t\t// so that our fake ssh script will be invoked by the detector\n\t\t\tt.Setenv(\"PATH\", (testDir+\"/bin/:\")+os.Getenv(\"PATH\"))\n\t\t\tt.Setenv(\"OSV_SCANNER_TEST_SSH_VERSION_OUTPUT\", tt.SSHV)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, testcmd.Case{\n\t\t\t\tName: tt.Name,\n\t\t\t\tArgs: tt.Args,\n\t\t\t\tExit: tt.Exit,\n\n\t\t\t\tHTTPClient: testcmd.WithTestNameHeader(t, *client),\n\t\t\t})\n\t\t})\n\t}\n}\n\nfunc TestCommand_WithDetector_OffLinux(t *testing.T) {\n\tif runtime.GOOS == \"linux\" {\n\t\ttestutility.Skip(t, \"The detector in this test only works on non-linux\")\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\terr := os.CopyFS(testDir, os.DirFS(\"./testdata/locks-many\"))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\terr = os.CopyFS(testDir+\"/bin\", os.DirFS(\"./testdata/bin\"))\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tclient := testcmd.InsertCassette(t)\n\n\ttests := []struct {\n\t\tName string\n\t\tArgs []string\n\t\tExit int\n\t\tSSHV string\n\t}{\n\t\t{\n\t\t\tName: \"ssh_version_is_before_first_vuln_version\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"OpenSSH_5.4 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\",\n\t\t},\n\t\t{\n\t\t\tName: \"ssh_version_is_after_last_vuln_version\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"OpenSSH_9.3p2 Ubuntu-3ubuntu0.13, OpenSSL 3.0.2 15 Mar 2022\",\n\t\t},\n\t\t{\n\t\t\tName: \"ssh_version_errors\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\",\n\t\t\t\t\"--experimental-plugins\", \"php/composerlock\",\n\t\t\t\t\"--experimental-plugins\", \"cve/cve-2023-38408\",\n\t\t\t\tfilepath.Join(testDir, \"composer.lock\"),\n\t\t\t},\n\t\t\tExit: 0,\n\t\t\tSSHV: \"\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\t// append our bin directory to the start of the PATH variable\n\t\t\t// so that our fake ssh script will be invoked by the detector\n\t\t\tt.Setenv(\"PATH\", (testDir+\"/bin/:\")+os.Getenv(\"PATH\"))\n\t\t\tt.Setenv(\"OSV_SCANNER_TEST_SSH_VERSION_OUTPUT\", tt.SSHV)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, testcmd.Case{\n\t\t\t\tName: tt.Name,\n\t\t\t\tArgs: tt.Args,\n\t\t\t\tExit: tt.Exit,\n\n\t\t\t\tHTTPClient: testcmd.WithTestNameHeader(t, *client),\n\t\t\t})\n\t\t})\n\t}\n}\n\nfunc TestCommand_Filter(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"Show_all_Packages_with_empty_config\",\n\t\t\tArgs: []string{\"\", \"source\", \"--format=json\", \"--all-packages\", \"--config=./testdata/osv-scanner-empty-config.toml\", \"--lockfile=osv-scanner:./testdata/locks-insecure/osv-scanner-with-unscannables.json\"},\n\t\t\tExit: 0,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n\nfunc TestCommand_FlagDeprecatedPackages(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"package_deprecated_false_no_vuln_json\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=json\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/clean/Cargo.lock\",\n\t\t\t},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"package_deprecated_true_no_vuln_json\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=json\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"package_deprecated_true_with_vuln_json\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=json\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"package_deprecated_npm_json\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=json\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/deprecated-npm/package-lock.json\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t\tReplaceRules: []testutility.JSONReplaceRule{\n\t\t\t\ttestutility.GroupsAsArrayLen,\n\t\t\t\ttestutility.OnlyIDVulnsRule,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"package_deprecated_true_no_vuln_table\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=table\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/deprecated-novuln/Cargo.lock\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t\t{\n\t\t\tName: \"package_deprecated_true_with_vuln_table\",\n\t\t\tArgs: []string{\n\t\t\t\t\"\", \"source\", \"--format=table\",\n\t\t\t\t\"--experimental-flag-deprecated-packages\",\n\t\t\t\t\"./testdata/exp-plugins-pkgdeprecate/deprecated-vuln/Cargo.lock\",\n\t\t\t},\n\t\t\tExit: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/.goignore", "content": "call-analysis-go-project\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/artifact/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/bin/ssh", "content": "#!/usr/bin/env bash\n\n# this is a fake ssh used in some tests, which outputs the value of the\n# $OSV_SCANNER_TEST_SSH_VERSION_OUTPUT environment variable, unless it\n# is empty in which case the script exits with code 1 as if it errored\n\nif [ -z $OSV_SCANNER_TEST_SSH_VERSION_OUTPUT ]; then\n exit 1\nfi\n\necho \"$OSV_SCANNER_TEST_SSH_VERSION_OUTPUT\"\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n\nrequire github.com/gogo/protobuf v1.3.1\n\nrequire github.com/ipfs/go-bitfield v1.0.0\n\nrequire golang.org/x/image v0.4.0 // indirect\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/go.sum", "content": "github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=\ngithub.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=\ngithub.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=\ngithub.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=\ngithub.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=\ngolang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/main.go", "content": "package main\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\n\t\"github.com/gogo/protobuf/plugin/unmarshal\"\n\t\"github.com/gogo/protobuf/version\"\n\t\"github.com/ipfs/go-bitfield\"\n)\n\nfunc main() {\n\tprint(version.AtLeast(\"v1.2.3\"))\n\tunmarshal.NewUnmarshal()\n\n\tbitfield.NewBitfield(14)\n\n\t// Test stdlib\n\terr := http.ListenAndServe(\":8080\", nil)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n\nrequire github.com/gogo/protobuf v1.3.1\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/go.sum", "content": "github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=\ngithub.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=\ngithub.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=\ngithub.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=\ngithub.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=\ngolang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/main.go", "content": "package main\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\n\t\"github.com/gogo/protobuf/plugin/unmarshal\"\n\t\"github.com/gogo/protobuf/version\"\n)\n\nfunc main() {\n\tprint(version.AtLeast(\"v1.2.3\"))\n\tunmarshal.NewUnmarshal()\n\n\t// Test stdlib\n\terr := http.ListenAndServe(\":8080\", nil)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/call-analysis-go-project-all-uncalled/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 270\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/.gitignored_files\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Empty_cyclonedx_1.4_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Empty_cyclonedx_1.5_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Empty_gh-annotations_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Empty_sarif_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Empty_spdx_2.3_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 141\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.21.7\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Go_project_with_an_overridden_go_version\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2545\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"2545\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 260\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.21.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.21.7\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Go_project_with_an_overridden_go_version,_recursive\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 5077\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"5077\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 141\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.21.7\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Go_project_with_an_overridden_go_version_and_licences\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2545\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GO-2024-2598\",\n \"modified\": \"2026-02-04T03:12:08.722840Z\"\n },\n {\n \"id\": \"GO-2024-2599\",\n \"modified\": \"2026-02-04T02:21:09.533216Z\"\n },\n {\n \"id\": \"GO-2024-2600\",\n \"modified\": \"2026-02-04T02:34:41.672789Z\"\n },\n {\n \"id\": \"GO-2024-2609\",\n \"modified\": \"2026-02-04T04:37:13.773873Z\"\n },\n {\n \"id\": \"GO-2024-2610\",\n \"modified\": \"2026-02-04T03:09:18.870079Z\"\n },\n {\n \"id\": \"GO-2024-2687\",\n \"modified\": \"2026-02-04T04:09:31.762399Z\"\n },\n {\n \"id\": \"GO-2024-2887\",\n \"modified\": \"2026-01-28T03:27:17.746525Z\"\n },\n {\n \"id\": \"GO-2024-2888\",\n \"modified\": \"2026-01-28T03:27:17.560343Z\"\n },\n {\n \"id\": \"GO-2024-2963\",\n \"modified\": \"2026-02-04T03:37:39.895574Z\"\n },\n {\n \"id\": \"GO-2024-3105\",\n \"modified\": \"2026-02-24T16:29:04.364011Z\"\n },\n {\n \"id\": \"GO-2024-3106\",\n \"modified\": \"2026-02-24T16:29:04.606789Z\"\n },\n {\n \"id\": \"GO-2024-3107\",\n \"modified\": \"2026-02-24T16:29:04.677030Z\"\n },\n {\n \"id\": \"GO-2025-3373\",\n \"modified\": \"2026-02-17T16:13:53.362266Z\"\n },\n {\n \"id\": \"GO-2025-3420\",\n \"modified\": \"2026-02-17T16:13:53.083304Z\"\n },\n {\n \"id\": \"GO-2025-3447\",\n \"modified\": \"2026-02-04T04:23:04.020664Z\"\n },\n {\n \"id\": \"GO-2025-3563\",\n \"modified\": \"2026-02-17T16:13:52.395126Z\"\n },\n {\n \"id\": \"GO-2025-3750\",\n \"modified\": \"2026-02-04T03:28:12.135241Z\"\n },\n {\n \"id\": \"GO-2025-3751\",\n \"modified\": \"2026-02-17T16:13:52.185280Z\"\n },\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4403\",\n \"modified\": \"2026-02-06T09:40:56.765821Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"2545\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/PURL_SBOM_case_sensitivity_(api)\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Sarif_with_vulns\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/Scan_locks-many\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 270\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/all_supported_lockfiles_in_the_directory_should_be_checked\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3372\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"commit\": \"4579d5538f06c5ef615a15bc67ebb9ac0523a973\"\n },\n {\n \"commit\": \"9de7a0544457c6aba755ccb65abb41b0dc1db70d\"\n },\n {\n \"commit\": \"5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.13-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"drupal/core\"\n },\n \"version\": \"10.4.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"drupal/simple_sitemap\"\n },\n \"version\": \"4.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"drupal/tfa\"\n },\n \"version\": \"2.0.0-alpha4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"theseer/tokenizer\"\n },\n \"version\": \"1.1.3\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/config_file_can_be_broad\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 1281\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2023-39137\",\n \"modified\": \"2026-03-15T14:11:43.205446Z\"\n },\n {\n \"id\": \"CVE-2023-39139\",\n \"modified\": \"2026-03-14T12:08:30.752661Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DRUPAL-CORE-2025-005\",\n \"modified\": \"2025-12-10T23:41:07.744028Z\"\n },\n {\n \"id\": \"DRUPAL-CORE-2025-006\",\n \"modified\": \"2025-12-10T23:41:16.689525Z\"\n },\n {\n \"id\": \"DRUPAL-CORE-2025-007\",\n \"modified\": \"2025-12-10T23:41:19.050806Z\"\n },\n {\n \"id\": \"DRUPAL-CORE-2025-008\",\n \"modified\": \"2025-12-10T23:41:00.167393Z\"\n },\n {\n \"id\": \"GHSA-83v7-c2cf-p9c2\",\n \"modified\": \"2025-12-10T23:41:07.744028Z\"\n },\n {\n \"id\": \"GHSA-h89p-5896-f4q8\",\n \"modified\": \"2025-12-10T23:41:19.050806Z\"\n },\n {\n \"id\": \"GHSA-m6vv-vcj8-w8m7\",\n \"modified\": \"2025-12-10T23:41:16.689525Z\"\n },\n {\n \"id\": \"GHSA-mhpg-hpj5-73r2\",\n \"modified\": \"2026-02-03T03:15:35.495869Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DRUPAL-CONTRIB-2025-083\",\n \"modified\": \"2025-12-10T23:41:32.857305Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"1281\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/config_file_is_invalid\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/config_files_should_not_have_multiple_ignores_with_the_same_id\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 638\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/cyclonedx_1.4_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 107\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"107\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 638\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/cyclonedx_1.5_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 107\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"107\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/exclude_with_exact_directory_name\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/exclude_with_glob_pattern\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/exclude_with_multiple_exact_directories\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/exclude_with_multiple_pattern_types\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/exclude_with_regex_pattern\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 156\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/folder_of_supported_sbom_with_only_unimportant\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 97\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"97\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 156\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/folder_of_supported_sbom_with_only_unimportant#01\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 97\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"97\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 23023\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.12-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.115\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"apt\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-files\"\n },\n \"version\": \"9.9+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.43\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bash\"\n },\n \"version\": \"4.4-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bsdutils\"\n },\n \"version\": \"1:2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.26-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.8-2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.61\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2017.5+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.5-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dirmngr\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.18.25\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fslibs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20161106-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gcc-6-base\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/opencontainers/runc\"\n },\n \"version\": \"v1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/tianon/gosu\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg-agent\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/sys\"\n },\n \"version\": \"v0.0.0-20210817142637-7d9622a276b7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gpgv\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"grep\"\n },\n \"version\": \"2.27-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.6-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.18+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.48\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libacl1\"\n },\n \"version\": \"2.2.52-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libapt-pkg5.0\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libassuan0\"\n },\n \"version\": \"2.4.3-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libattr1\"\n },\n \"version\": \"1:2.4.47-2+b2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit-common\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit1\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libblkid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbsd0\"\n },\n \"version\": \"0.8.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbz2-1.0\"\n },\n \"version\": \"1.0.6-8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-bin\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-l10n\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc6\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcap-ng0\"\n },\n \"version\": \"0.7.7-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcomerr2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdb5.3\"\n },\n \"version\": \"5.3.28-12+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdebconfclient0\"\n },\n \"version\": \"0.227\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libedit2\"\n },\n \"version\": \"3.1-20160903-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libfdisk1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libffi6\"\n },\n \"version\": \"3.2.1-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcc1\"\n },\n \"version\": \"1:6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.7.6-2+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgdbm3\"\n },\n \"version\": \"1.8.3-14\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgmp10\"\n },\n \"version\": \"2:6.1.2+dfsg-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgnutls30\"\n },\n \"version\": \"3.5.8-5+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgpg-error0\"\n },\n \"version\": \"1.26-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgssapi-krb5-2\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libhogweed4\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libicu57\"\n },\n \"version\": \"57.1-6+deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libidn11\"\n },\n \"version\": \"1.33-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libjson-perl\"\n },\n \"version\": \"2.90-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libk5crypto3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkeyutils1\"\n },\n \"version\": \"1.5.9-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5-3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5support0\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libksba8\"\n },\n \"version\": \"1.3.5-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-2.4-2\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-common\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libllvm6.0\"\n },\n \"version\": \"1:6.0-1~bpo9+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblz4-1\"\n },\n \"version\": \"0.0~r131-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblzma5\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libmount1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncurses5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncursesw5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnettle6\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnpth0\"\n },\n \"version\": \"1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnss-wrapper\"\n },\n \"version\": \"1.1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libp11-kit0\"\n },\n \"version\": \"0.23.3-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules-bin\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-runtime\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam0g\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpcre3\"\n },\n \"version\": \"2:8.39-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libperl5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpq5\"\n },\n \"version\": \"14.2-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libreadline7\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-2\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-modules-db\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libselinux1\"\n },\n \"version\": \"2.6-3+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage-common\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsepol1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsmartcols1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsqlite3-0\"\n },\n \"version\": \"3.16.2-5+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libss2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libssl1.1\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libstdc++6\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsystemd0\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.10-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtinfo5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libudev1\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libustr-1.0-1\"\n },\n \"version\": \"1.0.4-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libuuid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxml2\"\n },\n \"version\": \"2.9.4+dfsg1-2.2+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxslt1.1\"\n },\n \"version\": \"1.1.29-2.1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libzstd1\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"locales\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"login\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"lsb-base\"\n },\n \"version\": \"9.20161125\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mount\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"multiarch-support\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-base\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-bin\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"passwd\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-base\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-modules-5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pgdg-keyring\"\n },\n \"version\": \"2018.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pinentry-curses\"\n },\n \"version\": \"1.0.0-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"readline-common\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sed\"\n },\n \"version\": \"4.4-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.9+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ssl-cert\"\n },\n \"version\": \"1.0.39\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sysvinit-utils\"\n },\n \"version\": \"2.88dsf-59.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tar\"\n },\n \"version\": \"1.29b-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ucf\"\n },\n \"version\": \"3.0036\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zlib1g\"\n },\n \"version\": \"1:1.2.8.dfsg-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zstd\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/folder_of_supported_sbom_with_vulns\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 22298\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-3374\",\n \"modified\": \"2026-03-17T02:42:42.368242Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0501\",\n \"modified\": \"2025-11-19T02:04:24.786271Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-3462\",\n \"modified\": \"2025-11-19T02:02:50.288367Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-27350\",\n \"modified\": \"2025-11-19T01:06:21.507844Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-3810\",\n \"modified\": \"2025-11-19T01:08:53.168851Z\"\n },\n {\n \"id\": \"DSA-4685-1\",\n \"modified\": \"2026-03-09T02:09:03.263738Z\"\n },\n {\n \"id\": \"DSA-4808-1\",\n \"modified\": \"2026-03-09T02:11:17.119108Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-18276\",\n \"modified\": \"2025-11-19T01:19:06.470662Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3715\",\n \"modified\": \"2026-03-17T02:47:45.184492Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2781\",\n \"modified\": \"2026-03-17T02:44:35.752995Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18018\",\n \"modified\": \"2026-03-17T02:45:06.555217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0684\",\n \"modified\": \"2025-11-19T01:02:00.374806Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-5278\",\n \"modified\": \"2026-03-17T02:52:23.723753Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1664\",\n \"modified\": \"2025-11-20T10:15:48.083782Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6297\",\n \"modified\": \"2026-03-17T02:50:41.230667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2219\",\n \"modified\": \"2026-03-14T15:06:12.109941Z\"\n },\n {\n \"id\": \"DLA-3022-1\",\n \"modified\": \"2026-03-09T01:23:37.553205Z\"\n },\n {\n \"id\": \"DSA-5147-1\",\n \"modified\": \"2026-03-09T02:10:11.335992Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-5094\",\n \"modified\": \"2025-11-19T02:02:52.019166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-5188\",\n \"modified\": \"2025-11-19T01:01:51.904490Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1304\",\n \"modified\": \"2025-11-20T10:15:47.847878Z\"\n },\n {\n \"id\": \"DLA-3910-1\",\n \"modified\": \"2026-03-09T01:22:32.343795Z\"\n },\n {\n \"id\": \"DSA-4535-1\",\n \"modified\": \"2026-03-09T02:10:12.902574Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9493-h29p-rfm2\",\n \"modified\": \"2026-02-04T03:47:55.536228Z\"\n },\n {\n \"id\": \"GHSA-cgrx-mc8f-2prm\",\n \"modified\": \"2026-02-04T02:50:45.342760Z\"\n },\n {\n \"id\": \"GHSA-f3fp-gc8g-vw66\",\n \"modified\": \"2026-02-04T04:15:59.735117Z\"\n },\n {\n \"id\": \"GHSA-g2j6-57v7-gm8c\",\n \"modified\": \"2026-02-04T02:43:58.212471Z\"\n },\n {\n \"id\": \"GHSA-jfvp-7x6p-h2pv\",\n \"modified\": \"2026-02-04T03:12:37.981869Z\"\n },\n {\n \"id\": \"GHSA-m8cg-xc2p-r3fc\",\n \"modified\": \"2026-02-04T03:29:19.767788Z\"\n },\n {\n \"id\": \"GHSA-qw9x-cqr3-wc7r\",\n \"modified\": \"2026-02-04T02:13:22.313241Z\"\n },\n {\n \"id\": \"GHSA-v95c-p5hm-xq8f\",\n \"modified\": \"2026-03-13T22:16:11.684125Z\"\n },\n {\n \"id\": \"GHSA-vpvm-3wq2-2wvm\",\n \"modified\": \"2026-02-04T02:53:37.613379Z\"\n },\n {\n \"id\": \"GHSA-xr7r-f8xq-vfvv\",\n \"modified\": \"2026-02-04T03:18:48.377509Z\"\n },\n {\n \"id\": \"GO-2022-0274\",\n \"modified\": \"2026-02-04T02:26:28.343240Z\"\n },\n {\n \"id\": \"GO-2022-0452\",\n \"modified\": \"2026-02-04T03:17:02.340230Z\"\n },\n {\n \"id\": \"GO-2023-1627\",\n \"modified\": \"2026-02-04T03:58:42.107712Z\"\n },\n {\n \"id\": \"GO-2023-1682\",\n \"modified\": \"2026-02-04T02:59:23.815900Z\"\n },\n {\n \"id\": \"GO-2023-1683\",\n \"modified\": \"2026-02-04T04:01:58.343687Z\"\n },\n {\n \"id\": \"GO-2024-2491\",\n \"modified\": \"2026-02-04T02:39:00.262696Z\"\n },\n {\n \"id\": \"GO-2024-3110\",\n \"modified\": \"2026-02-04T02:23:26.560077Z\"\n },\n {\n \"id\": \"GO-2025-4096\",\n \"modified\": \"2026-02-04T03:11:33.546218Z\"\n },\n {\n \"id\": \"GO-2025-4097\",\n \"modified\": \"2026-02-04T03:00:55.376695Z\"\n },\n {\n \"id\": \"GO-2025-4098\",\n \"modified\": \"2026-02-04T02:52:46.004719Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-p782-xgp4-8hr8\",\n \"modified\": \"2026-02-04T04:15:14.486111Z\"\n },\n {\n \"id\": \"GO-2022-0493\",\n \"modified\": \"2026-02-04T03:42:54.589715Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DSA-5122-1\",\n \"modified\": \"2026-03-09T02:09:10.163691Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-0379\",\n \"modified\": \"2025-11-19T01:06:25.120079Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7526\",\n \"modified\": \"2025-11-19T02:04:40.318681Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0495\",\n \"modified\": \"2025-11-19T02:04:27.207183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6829\",\n \"modified\": \"2026-03-10T05:05:47.263837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-13627\",\n \"modified\": \"2025-11-19T01:12:35.581705Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-33560\",\n \"modified\": \"2026-03-10T05:07:08.938163Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-40528\",\n \"modified\": \"2025-11-19T01:01:59.995618Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2236\",\n \"modified\": \"2026-03-10T05:09:58.705229Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-10790\",\n \"modified\": \"2025-11-19T01:01:57.855157Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-1000654\",\n \"modified\": \"2025-11-19T02:02:40.642360Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6003\",\n \"modified\": \"2025-11-19T01:06:22.990063Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-46848\",\n \"modified\": \"2025-11-20T10:15:14.681077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12133\",\n \"modified\": \"2025-11-20T10:17:02.620233Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-13151\",\n \"modified\": \"2026-01-20T05:13:20.502324Z\"\n },\n {\n \"id\": \"DLA-3263-1\",\n \"modified\": \"2026-03-09T01:22:34.273046Z\"\n },\n {\n \"id\": \"DLA-4061-1\",\n \"modified\": \"2026-03-09T01:20:16.124977Z\"\n },\n {\n \"id\": \"DSA-5863-1\",\n \"modified\": \"2026-03-09T02:08:50.747280Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-3709\",\n \"modified\": \"2025-11-20T10:12:11.931996Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2016-9318\",\n \"modified\": \"2025-11-19T02:02:45.582059Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-0663\",\n \"modified\": \"2025-11-19T02:02:52.056836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-15412\",\n \"modified\": \"2025-11-19T01:08:49.499099Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16931\",\n \"modified\": \"2025-11-19T02:04:25.542166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16932\",\n \"modified\": \"2025-11-19T01:04:39.458229Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18258\",\n \"modified\": \"2025-11-19T01:08:48.927062Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5130\",\n \"modified\": \"2025-11-19T01:03:12.822124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5969\",\n \"modified\": \"2025-11-19T01:08:52.062516Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7375\",\n \"modified\": \"2025-11-19T02:02:48.011785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7376\",\n \"modified\": \"2025-11-19T02:01:17.016443Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-8872\",\n \"modified\": \"2025-11-19T02:04:31.920669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9047\",\n \"modified\": \"2025-11-19T02:04:30.335407Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9048\",\n \"modified\": \"2025-11-19T01:19:09.303210Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9049\",\n \"modified\": \"2025-11-19T01:03:12.259406Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9050\",\n \"modified\": \"2025-11-19T01:08:53.069573Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14404\",\n \"modified\": \"2025-11-19T01:12:32.274520Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14567\",\n \"modified\": \"2025-11-19T01:08:49.660035Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-19956\",\n \"modified\": \"2025-11-19T02:01:17.970372Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-20388\",\n \"modified\": \"2025-11-19T02:04:37.363509Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-24977\",\n \"modified\": \"2025-11-19T02:04:41.266003Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-7595\",\n \"modified\": \"2025-11-19T02:04:29.271836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3516\",\n \"modified\": \"2025-11-19T02:01:14.946107Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3517\",\n \"modified\": \"2025-11-19T01:12:34.981900Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3518\",\n \"modified\": \"2025-11-19T01:19:08.645337Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3537\",\n \"modified\": \"2025-11-19T02:04:30.248276Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3541\",\n \"modified\": \"2025-11-19T02:04:36.614917Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2309\",\n \"modified\": \"2025-11-20T10:15:28.694644Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-23308\",\n \"modified\": \"2025-11-20T10:15:29.029152Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-29824\",\n \"modified\": \"2025-11-20T10:15:52.814213Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40303\",\n \"modified\": \"2025-11-20T10:16:01.982632Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40304\",\n \"modified\": \"2025-11-20T10:16:01.918054Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-49043\",\n \"modified\": \"2025-11-20T10:16:12.358770Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-28484\",\n \"modified\": \"2025-11-20T10:16:35.199991Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-29469\",\n \"modified\": \"2025-11-20T10:17:34.943682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39615\",\n \"modified\": \"2025-11-20T10:16:41.593841Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-45322\",\n \"modified\": \"2025-11-20T10:16:44.891362Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-25062\",\n \"modified\": \"2025-11-20T10:17:04.986212Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-34459\",\n \"modified\": \"2025-11-20T10:17:41.570595Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56171\",\n \"modified\": \"2025-11-20T10:17:48.605695Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-24928\",\n \"modified\": \"2025-11-20T10:18:05.778161Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27113\",\n \"modified\": \"2025-11-20T10:18:06.358243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32414\",\n \"modified\": \"2025-11-20T10:18:08.076077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32415\",\n \"modified\": \"2025-11-20T10:18:08.251077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49794\",\n \"modified\": \"2025-11-20T10:18:23.322205Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49796\",\n \"modified\": \"2025-11-20T10:18:23.585429Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6021\",\n \"modified\": \"2025-11-20T10:18:26.314947Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6170\",\n \"modified\": \"2025-11-20T10:18:26.670728Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-8732\",\n \"modified\": \"2025-12-14T10:13:26.467517Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9714\",\n \"modified\": \"2026-01-10T14:08:12.148171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0989\",\n \"modified\": \"2026-01-16T11:05:07.928323Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0990\",\n \"modified\": \"2026-01-16T11:05:23.527352Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0992\",\n \"modified\": \"2026-01-16T11:05:10.515041Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-1757\",\n \"modified\": \"2026-02-03T11:16:44.779248Z\"\n },\n {\n \"id\": \"DLA-3012-1\",\n \"modified\": \"2026-03-09T01:20:46.878115Z\"\n },\n {\n \"id\": \"DLA-3172-1\",\n \"modified\": \"2026-03-09T01:19:54.747665Z\"\n },\n {\n \"id\": \"DLA-3405-1\",\n \"modified\": \"2026-03-09T01:01:29.748040Z\"\n },\n {\n \"id\": \"DLA-3878-1\",\n \"modified\": \"2026-03-09T01:20:38.676387Z\"\n },\n {\n \"id\": \"DLA-4064-1\",\n \"modified\": \"2026-03-09T01:20:30.558703Z\"\n },\n {\n \"id\": \"DLA-4146-1\",\n \"modified\": \"2026-03-09T01:22:43.732573Z\"\n },\n {\n \"id\": \"DLA-4251-1\",\n \"modified\": \"2026-03-09T02:11:12.986866Z\"\n },\n {\n \"id\": \"DLA-4319-1\",\n \"modified\": \"2025-09-30T22:17:08.381361Z\"\n },\n {\n \"id\": \"DSA-5142-1\",\n \"modified\": \"2026-03-09T02:10:58.737631Z\"\n },\n {\n \"id\": \"DSA-5271-1\",\n \"modified\": \"2026-03-09T02:10:55.154283Z\"\n },\n {\n \"id\": \"DSA-5391-1\",\n \"modified\": \"2026-03-09T02:09:39.164621Z\"\n },\n {\n \"id\": \"DSA-5949-1\",\n \"modified\": \"2026-03-09T02:09:32.257423Z\"\n },\n {\n \"id\": \"DSA-5990-1\",\n \"modified\": \"2025-08-29T13:01:48.117026Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2018-0732\",\n \"modified\": \"2025-11-19T02:02:54.249966Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0734\",\n \"modified\": \"2025-11-19T02:02:43.768735Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0735\",\n \"modified\": \"2025-11-19T01:19:04.251217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-5407\",\n \"modified\": \"2025-11-19T01:02:00.203143Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1543\",\n \"modified\": \"2025-11-19T01:12:34.981629Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1547\",\n \"modified\": \"2025-11-19T01:12:35.687253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1549\",\n \"modified\": \"2025-11-19T01:04:40.924710Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1551\",\n \"modified\": \"2025-11-19T01:19:08.067279Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1563\",\n \"modified\": \"2025-11-19T02:04:34.392400Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1967\",\n \"modified\": \"2025-11-19T02:04:38.886020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1971\",\n \"modified\": \"2025-11-19T02:04:28.520483Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23840\",\n \"modified\": \"2025-11-19T01:03:14.356310Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23841\",\n \"modified\": \"2025-11-19T02:02:54.160482Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3449\",\n \"modified\": \"2025-11-19T01:04:41.495834Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3450\",\n \"modified\": \"2025-11-19T02:01:16.123253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3711\",\n \"modified\": \"2025-11-20T10:15:44.121033Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3712\",\n \"modified\": \"2025-11-20T10:15:44.130193Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-4160\",\n \"modified\": \"2025-11-20T10:15:10.185497Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0778\",\n \"modified\": \"2025-11-20T10:15:47.332694Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1292\",\n \"modified\": \"2025-11-20T10:15:25.471825Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2068\",\n \"modified\": \"2025-11-20T10:15:27.022420Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2097\",\n \"modified\": \"2025-11-20T10:15:27.065089Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2274\",\n \"modified\": \"2025-11-19T02:02:45.418259Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3358\",\n \"modified\": \"2025-11-19T01:06:25.721124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3602\",\n \"modified\": \"2025-11-19T01:12:35.687556Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3786\",\n \"modified\": \"2025-11-19T01:19:02.748977Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3996\",\n \"modified\": \"2025-11-19T02:01:16.596616Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4203\",\n \"modified\": \"2025-11-19T02:01:16.313531Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4304\",\n \"modified\": \"2025-11-20T10:16:04.313466Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4450\",\n \"modified\": \"2025-11-20T10:16:05.367442Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0215\",\n \"modified\": \"2025-11-20T10:16:27.838296Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0216\",\n \"modified\": \"2025-11-19T02:04:35.947667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0217\",\n \"modified\": \"2025-11-19T01:12:37.272749Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0286\",\n \"modified\": \"2025-11-20T10:16:27.985311Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0401\",\n \"modified\": \"2025-11-19T01:12:36.298552Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0464\",\n \"modified\": \"2025-11-20T10:16:28.057931Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0465\",\n \"modified\": \"2025-11-20T10:16:28.143046Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0466\",\n \"modified\": \"2025-11-20T10:16:28.053837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-1255\",\n \"modified\": \"2025-11-19T01:08:49.387669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2650\",\n \"modified\": \"2025-11-20T10:17:34.439123Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2975\",\n \"modified\": \"2025-11-20T10:16:36.112183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3446\",\n \"modified\": \"2025-11-20T10:16:38.860251Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3817\",\n \"modified\": \"2025-11-20T10:17:35.737266Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5363\",\n \"modified\": \"2025-11-20T10:16:59.430619Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5678\",\n \"modified\": \"2025-11-20T10:17:38.719690Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6129\",\n \"modified\": \"2025-11-20T10:17:39.029757Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6237\",\n \"modified\": \"2025-11-20T10:17:39.218097Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0727\",\n \"modified\": \"2025-11-20T10:17:01.258658Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12797\",\n \"modified\": \"2025-11-19T02:04:36.131726Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-13176\",\n \"modified\": \"2026-03-17T02:49:44.824285Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2511\",\n \"modified\": \"2025-11-20T10:17:05.139581Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4603\",\n \"modified\": \"2025-11-20T10:17:43.955114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4741\",\n \"modified\": \"2025-11-20T10:17:26.990307Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-5535\",\n \"modified\": \"2025-11-20T10:17:48.194687Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-6119\",\n \"modified\": \"2025-11-20T10:17:53.824117Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-9143\",\n \"modified\": \"2025-11-20T10:17:55.864918Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-11187\",\n \"modified\": \"2026-03-17T02:47:10.761659Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15467\",\n \"modified\": \"2026-03-17T02:51:11.866899Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15468\",\n \"modified\": \"2026-03-17T02:51:12.304672Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15469\",\n \"modified\": \"2026-03-17T02:51:12.299847Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27587\",\n \"modified\": \"2026-03-17T02:51:34.552234Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-4575\",\n \"modified\": \"2025-11-19T02:02:43.971243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-66199\",\n \"modified\": \"2026-03-17T02:52:26.091887Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-68160\",\n \"modified\": \"2026-03-17T02:50:42.645267Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69418\",\n \"modified\": \"2026-03-17T02:51:22.404226Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69419\",\n \"modified\": \"2026-03-17T02:51:22.497785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69420\",\n \"modified\": \"2026-03-17T02:51:22.651361Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69421\",\n \"modified\": \"2026-03-17T02:51:22.561721Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9230\",\n \"modified\": \"2026-03-17T02:51:39.764914Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9231\",\n \"modified\": \"2026-03-17T02:51:39.727656Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9232\",\n \"modified\": \"2026-03-17T02:51:39.882696Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22795\",\n \"modified\": \"2026-03-17T02:51:47.646020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22796\",\n \"modified\": \"2026-03-17T02:51:47.743030Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2673\",\n \"modified\": \"2026-03-18T09:03:28.363302Z\"\n },\n {\n \"id\": \"DLA-3008-1\",\n \"modified\": \"2026-03-09T01:23:33.375630Z\"\n },\n {\n \"id\": \"DLA-3325-1\",\n \"modified\": \"2026-03-09T01:19:40.983935Z\"\n },\n {\n \"id\": \"DLA-3449-1\",\n \"modified\": \"2026-03-09T01:22:47.322805Z\"\n },\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n },\n {\n \"id\": \"DLA-3942-1\",\n \"modified\": \"2026-03-09T01:22:40.686044Z\"\n },\n {\n \"id\": \"DLA-3942-2\",\n \"modified\": \"2026-03-09T01:21:01.728730Z\"\n },\n {\n \"id\": \"DLA-4176-1\",\n \"modified\": \"2026-03-09T01:20:23.459313Z\"\n },\n {\n \"id\": \"DLA-4321-1\",\n \"modified\": \"2025-10-03T16:33:24.717173Z\"\n },\n {\n \"id\": \"DLA-4490-1\",\n \"modified\": \"2026-02-23T10:30:28.927832Z\"\n },\n {\n \"id\": \"DSA-4539-1\",\n \"modified\": \"2026-03-09T02:09:20.276054Z\"\n },\n {\n \"id\": \"DSA-4539-3\",\n \"modified\": \"2025-05-26T07:05:14.261652Z\"\n },\n {\n \"id\": \"DSA-4661-1\",\n \"modified\": \"2026-03-09T02:08:53.792348Z\"\n },\n {\n \"id\": \"DSA-4807-1\",\n \"modified\": \"2026-03-09T02:10:20.442914Z\"\n },\n {\n \"id\": \"DSA-4855-1\",\n \"modified\": \"2026-03-09T02:11:29.405206Z\"\n },\n {\n \"id\": \"DSA-4875-1\",\n \"modified\": \"2026-03-09T02:10:05.387501Z\"\n },\n {\n \"id\": \"DSA-4963-1\",\n \"modified\": \"2026-03-09T02:10:15.488747Z\"\n },\n {\n \"id\": \"DSA-5103-1\",\n \"modified\": \"2026-03-09T02:09:42.407559Z\"\n },\n {\n \"id\": \"DSA-5139-1\",\n \"modified\": \"2026-03-09T02:09:17.334653Z\"\n },\n {\n \"id\": \"DSA-5169-1\",\n \"modified\": \"2026-03-09T02:09:37.692763Z\"\n },\n {\n \"id\": \"DSA-5343-1\",\n \"modified\": \"2026-03-09T02:09:47.149297Z\"\n },\n {\n \"id\": \"DSA-5417-1\",\n \"modified\": \"2026-03-09T02:09:39.950679Z\"\n },\n {\n \"id\": \"DSA-5532-1\",\n \"modified\": \"2026-03-09T02:08:31.395482Z\"\n },\n {\n \"id\": \"DSA-5764-1\",\n \"modified\": \"2026-03-09T02:09:02.723874Z\"\n },\n {\n \"id\": \"DSA-6015-1\",\n \"modified\": \"2025-10-01T13:32:01.848986Z\"\n },\n {\n \"id\": \"DSA-6113-1\",\n \"modified\": \"2026-01-27T20:30:04.397078Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-4116\",\n \"modified\": \"2025-11-20T10:10:50.058601Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12837\",\n \"modified\": \"2025-11-19T01:03:14.361068Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12883\",\n \"modified\": \"2025-11-19T01:12:38.323688Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-12015\",\n \"modified\": \"2025-11-19T02:02:49.033339Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18311\",\n \"modified\": \"2025-11-19T01:12:36.918544Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18312\",\n \"modified\": \"2025-11-19T02:04:33.584277Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18313\",\n \"modified\": \"2025-11-19T01:06:24.154928Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18314\",\n \"modified\": \"2025-11-19T01:12:35.416886Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6797\",\n \"modified\": \"2025-11-19T02:04:23.831823Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6798\",\n \"modified\": \"2025-11-19T02:02:49.628171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6913\",\n \"modified\": \"2025-11-19T02:02:50.593437Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10543\",\n \"modified\": \"2025-11-19T01:04:39.904198Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10878\",\n \"modified\": \"2025-11-19T01:12:35.457057Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-12723\",\n \"modified\": \"2025-11-19T02:02:47.094787Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-16156\",\n \"modified\": \"2025-11-20T10:14:36.701112Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-36770\",\n \"modified\": \"2025-11-20T10:15:44.080114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48522\",\n \"modified\": \"2025-11-19T01:08:52.915564Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31484\",\n \"modified\": \"2025-11-20T10:17:35.627220Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31486\",\n \"modified\": \"2026-03-17T02:48:35.857896Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-47038\",\n \"modified\": \"2025-11-20T10:16:46.343364Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56406\",\n \"modified\": \"2025-11-20T10:17:48.686371Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-40909\",\n \"modified\": \"2025-11-20T10:18:21.143971Z\"\n },\n {\n \"id\": \"DLA-3926-1\",\n \"modified\": \"2026-03-09T01:20:46.118633Z\"\n },\n {\n \"id\": \"DSA-5902-1\",\n \"modified\": \"2026-03-09T02:09:19.793163Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3072-1\",\n \"modified\": \"2026-03-09T01:22:24.680239Z\"\n },\n {\n \"id\": \"DLA-3189-1\",\n \"modified\": \"2025-05-26T07:01:07.887113Z\"\n },\n {\n \"id\": \"DLA-3316-1\",\n \"modified\": \"2025-05-26T07:01:13.127412Z\"\n },\n {\n \"id\": \"DLA-3422-1\",\n \"modified\": \"2026-03-09T01:20:56.692752Z\"\n },\n {\n \"id\": \"DLA-3600-1\",\n \"modified\": \"2026-03-09T01:17:49.966197Z\"\n },\n {\n \"id\": \"DLA-3651-1\",\n \"modified\": \"2026-03-09T01:18:05.310519Z\"\n },\n {\n \"id\": \"DLA-3764-1\",\n \"modified\": \"2026-03-09T01:23:22.273526Z\"\n },\n {\n \"id\": \"DSA-5135-1\",\n \"modified\": \"2026-03-09T02:11:21.646978Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-17512\",\n \"modified\": \"2025-11-19T02:04:30.656495Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2005-2541\",\n \"modified\": \"2026-03-17T02:42:47.789952Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-20482\",\n \"modified\": \"2025-11-19T02:02:47.070832Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-9923\",\n \"modified\": \"2025-11-19T02:02:53.559001Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-20193\",\n \"modified\": \"2025-11-19T01:01:55.139356Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48303\",\n \"modified\": \"2025-11-20T10:16:07.552593Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39804\",\n \"modified\": \"2025-11-20T10:16:41.587973Z\"\n },\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3051-1\",\n \"modified\": \"2025-05-26T07:01:56.257796Z\"\n },\n {\n \"id\": \"DLA-3134-1\",\n \"modified\": \"2025-05-26T07:01:01.500124Z\"\n },\n {\n \"id\": \"DLA-3161-1\",\n \"modified\": \"2025-05-26T07:01:03.882213Z\"\n },\n {\n \"id\": \"DLA-3366-1\",\n \"modified\": \"2025-05-26T07:01:17.027142Z\"\n },\n {\n \"id\": \"DLA-3412-1\",\n \"modified\": \"2025-05-26T07:01:20.109212Z\"\n },\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n },\n {\n \"id\": \"DLA-3972-1\",\n \"modified\": \"2025-05-26T07:02:05.284676Z\"\n },\n {\n \"id\": \"DLA-4085-1\",\n \"modified\": \"2025-05-26T07:02:10.958749Z\"\n },\n {\n \"id\": \"DLA-4105-1\",\n \"modified\": \"2025-05-26T07:02:13.921097Z\"\n },\n {\n \"id\": \"DLA-4403-1\",\n \"modified\": \"2025-12-12T10:13:37.154747Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-4016-1\",\n \"modified\": \"2025-05-26T07:02:06.504254Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2779\",\n \"modified\": \"2025-11-19T01:12:38.591462Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-7738\",\n \"modified\": \"2025-11-20T10:13:54.493707Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-37600\",\n \"modified\": \"2025-11-19T02:02:43.997954Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3995\",\n \"modified\": \"2025-11-20T10:15:45.587792Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3996\",\n \"modified\": \"2025-11-20T10:15:45.602424Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0563\",\n \"modified\": \"2026-03-17T02:46:43.123134Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-28085\",\n \"modified\": \"2025-11-20T10:17:41.612682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-14104\",\n \"modified\": \"2026-03-05T17:00:58.361610Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-3184\",\n \"modified\": \"2026-02-26T09:30:44.219098Z\"\n },\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n },\n {\n \"id\": \"DSA-5055-1\",\n \"modified\": \"2026-03-09T02:10:40.826335Z\"\n },\n {\n \"id\": \"DSA-5650-1\",\n \"modified\": \"2026-03-09T02:08:30.371343Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-3094\",\n \"modified\": \"2025-11-19T01:12:34.542011Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-31115\",\n \"modified\": \"2025-11-20T10:18:07.484724Z\"\n },\n {\n \"id\": \"DSA-5123-1\",\n \"modified\": \"2026-03-09T02:10:46.054497Z\"\n },\n {\n \"id\": \"DSA-5895-1\",\n \"modified\": \"2026-03-09T02:08:52.515269Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"22298\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/gh-annotations_with_vulns\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 263\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.24.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.24.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/go_packages_in_osv-scanner.json_format\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 1549\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GO-2025-3849\",\n \"modified\": \"2026-02-04T02:26:50.866679Z\"\n },\n {\n \"id\": \"GO-2025-3956\",\n \"modified\": \"2026-02-04T04:33:27.340869Z\"\n },\n {\n \"id\": \"GO-2025-4006\",\n \"modified\": \"2026-02-17T16:13:53.018755Z\"\n },\n {\n \"id\": \"GO-2025-4007\",\n \"modified\": \"2026-02-17T13:58:48.676604Z\"\n },\n {\n \"id\": \"GO-2025-4008\",\n \"modified\": \"2026-02-17T13:58:48.077685Z\"\n },\n {\n \"id\": \"GO-2025-4009\",\n \"modified\": \"2026-02-13T02:58:48.571208Z\"\n },\n {\n \"id\": \"GO-2025-4010\",\n \"modified\": \"2026-02-13T21:28:48.362505Z\"\n },\n {\n \"id\": \"GO-2025-4011\",\n \"modified\": \"2026-02-17T13:58:47.352598Z\"\n },\n {\n \"id\": \"GO-2025-4012\",\n \"modified\": \"2026-02-17T13:58:47.721658Z\"\n },\n {\n \"id\": \"GO-2025-4013\",\n \"modified\": \"2026-02-17T13:58:47.501939Z\"\n },\n {\n \"id\": \"GO-2025-4014\",\n \"modified\": \"2026-03-18T11:44:08.816200Z\"\n },\n {\n \"id\": \"GO-2025-4015\",\n \"modified\": \"2026-02-17T16:13:53.510662Z\"\n },\n {\n \"id\": \"GO-2025-4155\",\n \"modified\": \"2026-03-18T11:44:08.473909Z\"\n },\n {\n \"id\": \"GO-2025-4175\",\n \"modified\": \"2026-02-04T04:38:59.126121Z\"\n },\n {\n \"id\": \"GO-2026-4337\",\n \"modified\": \"2026-03-18T11:44:08.657377Z\"\n },\n {\n \"id\": \"GO-2026-4340\",\n \"modified\": \"2026-02-04T02:58:11.702669Z\"\n },\n {\n \"id\": \"GO-2026-4341\",\n \"modified\": \"2026-03-18T11:44:08.749079Z\"\n },\n {\n \"id\": \"GO-2026-4342\",\n \"modified\": \"2026-03-17T10:28:56.226379Z\"\n },\n {\n \"id\": \"GO-2026-4601\",\n \"modified\": \"2026-03-10T10:43:54.660319Z\"\n },\n {\n \"id\": \"GO-2026-4602\",\n \"modified\": \"2026-03-10T10:43:54.463365Z\"\n },\n {\n \"id\": \"GO-2026-4603\",\n \"modified\": \"2026-03-10T10:43:54.330461Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GO-2025-3828\",\n \"modified\": \"2026-02-04T03:33:13.542630Z\"\n },\n {\n \"id\": \"GO-2026-4339\",\n \"modified\": \"2026-02-04T04:20:19.626029Z\"\n },\n {\n \"id\": \"GO-2026-4433\",\n \"modified\": \"2026-03-02T10:44:08.411132Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"1549\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/ignores_without_reason_should_be_explicitly_called_out\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1024\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/ignoring_.gitignore\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 37\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"37\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/json_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/nested_directories_are_checked_when_`--recursive`_is_passed\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/no_lockfiles_with_recursion_and_with_allow_flag_are_fine\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/no_lockfiles_with_recursion_but_without_allow_flag_are_fine\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_lockfile\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_lockfile_with_ignore\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_lockfile_with_offline_explicitly_false\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_duplicate_PURLs\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_duplicate_PURLs_using_-L_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1073\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_invalid_PURLs\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 37\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"37\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1073\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_invalid_PURLs_using_-L_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 37\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"37\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_vulns\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/one_specific_supported_sbom_with_vulns_using_-L_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/only_the_files_in_the_given_directories_are_checked_by_default_(no_recursion)\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/output_format:_markdown_table\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1712\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"black\"\n },\n \"version\": \"25.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"numpy\"\n },\n \"version\": \"2.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"2.2.24\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"numpy\"\n },\n \"version\": \"2.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask-cors\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pandas\"\n },\n \"version\": \"0.23.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/requirements.txt_can_have_all_kinds_of_names\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 4809\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-3936-cmfr-pm3m\",\n \"modified\": \"2026-03-16T16:44:03.077621Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2gwj-7jmv-h26r\",\n \"modified\": \"2025-02-21T05:41:10.759178Z\"\n },\n {\n \"id\": \"GHSA-53qw-q765-4fww\",\n \"modified\": \"2024-09-20T16:09:39.890846Z\"\n },\n {\n \"id\": \"GHSA-6cw3-g6wv-c2xv\",\n \"modified\": \"2024-09-20T15:47:27.155401Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8c5j-9r9f-c6w8\",\n \"modified\": \"2025-02-21T05:29:59.213830Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-95rw-fx8r-36v6\",\n \"modified\": \"2024-09-20T15:47:46.984048Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-jrh2-hc4r-7jwx\",\n \"modified\": \"2024-09-20T12:22:54.101910Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"GHSA-v6rh-hp5x-86rv\",\n \"modified\": \"2024-11-19T05:35:04.095106Z\"\n },\n {\n \"id\": \"GHSA-w24h-v9qh-8gxj\",\n \"modified\": \"2025-02-21T05:41:01.294618Z\"\n },\n {\n \"id\": \"PYSEC-2021-439\",\n \"modified\": \"2023-12-06T01:01:41.266810Z\"\n },\n {\n \"id\": \"PYSEC-2022-1\",\n \"modified\": \"2023-12-06T01:01:43.028018Z\"\n },\n {\n \"id\": \"PYSEC-2022-19\",\n \"modified\": \"2023-12-06T01:01:58.226668Z\"\n },\n {\n \"id\": \"PYSEC-2022-190\",\n \"modified\": \"2023-12-06T01:02:11.594317Z\"\n },\n {\n \"id\": \"PYSEC-2022-191\",\n \"modified\": \"2023-12-06T01:02:11.666037Z\"\n },\n {\n \"id\": \"PYSEC-2022-2\",\n \"modified\": \"2023-12-06T01:01:43.088680Z\"\n },\n {\n \"id\": \"PYSEC-2022-20\",\n \"modified\": \"2023-12-06T01:02:02.697371Z\"\n },\n {\n \"id\": \"PYSEC-2022-3\",\n \"modified\": \"2023-12-06T01:01:43.819827Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-43qf-4rqw-9q2g\",\n \"modified\": \"2026-02-04T02:30:19.251090Z\"\n },\n {\n \"id\": \"GHSA-7rxf-gvfg-47g4\",\n \"modified\": \"2026-02-04T04:27:15.173118Z\"\n },\n {\n \"id\": \"GHSA-84pr-m4jr-85g5\",\n \"modified\": \"2026-02-04T02:57:32.875272Z\"\n },\n {\n \"id\": \"GHSA-8vgw-p6qm-5gr7\",\n \"modified\": \"2026-02-04T02:42:09.564281Z\"\n },\n {\n \"id\": \"GHSA-hxwh-jpp2-84pm\",\n \"modified\": \"2026-02-04T02:15:39.891834Z\"\n },\n {\n \"id\": \"GHSA-xc3p-ff3m-f46v\",\n \"modified\": \"2024-09-20T20:01:25.449661Z\"\n },\n {\n \"id\": \"PYSEC-2020-43\",\n \"modified\": \"2025-10-09T07:22:50.566622Z\"\n },\n {\n \"id\": \"PYSEC-2024-71\",\n \"modified\": \"2025-10-09T08:27:44.186589Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"PYSEC-2020-73\",\n \"modified\": \"2023-11-08T04:02:12.263851Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"4809\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 638\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/spdx_2.3_output\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 107\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"107\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/verbosity_level_=_error\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand/verbosity_level_=_info\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommandNonGit.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommandNonGit/one_specific_supported_lockfile\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CallAnalysis.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 427\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\"\n },\n \"version\": \"1.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\"\n },\n \"version\": \"0.4.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_CallAnalysis/Run_with_govulncheck\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 798\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2026-02-04T02:43:17.273837Z\"\n },\n {\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2026-02-04T03:28:45.369468Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-11-08T04:11:41.796349Z\"\n },\n {\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9phm-fm57-rhg8\",\n \"modified\": \"2026-02-04T03:56:37.185672Z\"\n },\n {\n \"id\": \"GHSA-j3p8-6mrq-6g7h\",\n \"modified\": \"2024-05-20T21:54:17Z\"\n },\n {\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2024-05-20T21:46:58Z\"\n },\n {\n \"id\": \"GHSA-x92r-3vfx-4cv3\",\n \"modified\": \"2024-05-20T21:54:21Z\"\n },\n {\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2023-1989\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2023-1990\",\n \"modified\": \"2024-05-20T16:03:47Z\"\n },\n {\n \"id\": \"GO-2024-2937\",\n \"modified\": \"2026-02-04T03:54:25.251608Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"798\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 158\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\"\n },\n \"version\": \"1.3.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 158\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2026-02-04T02:43:17.273837Z\"\n },\n {\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2026-02-04T03:28:45.369468Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"158\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 158\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\"\n },\n \"version\": \"1.3.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_CallAnalysis/Run_with_govulncheck_all_uncalled_but_enabled_all-vulns_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 158\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2026-02-04T02:43:17.273837Z\"\n },\n {\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2026-02-04T03:28:45.369468Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"158\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_CommitSupport.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 814\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\"\n },\n {\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\"\n },\n {\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\"\n },\n {\n \"commit\": \"931a40a746f5678dcc4625b06a2eb25fa4f00b34\"\n },\n {\n \"commit\": \"17b30e96476be70b8773b2b807bab857fd3ceb39\"\n },\n {\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\"\n },\n {\n \"commit\": \"f82211036f434593c69b8e3680ea65203a46d315\"\n },\n {\n \"commit\": \"45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0\"\n },\n {\n \"commit\": \"aea7aaf2abb04789f5868cbabec406ea43aa84bf\"\n },\n {\n \"commit\": \"3b064fdb022912bbb98f5b8d9d111aeb6fec8f79\"\n },\n {\n \"commit\": \"0f428d190410263e4daa65b917c0e84707a9c0ef\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_CommitSupport/online_uses_git_commits\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 3821\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"OSV-2018-389\",\n \"modified\": \"2022-04-13T03:04:40.912286Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"OSV-2018-389\",\n \"modified\": \"2022-04-13T03:04:40.912286Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"OSV-2018-389\",\n \"modified\": \"2022-04-13T03:04:40.912286Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2023-44398\",\n \"modified\": \"2026-03-14T12:15:05.895469Z\"\n },\n {\n \"id\": \"CVE-2024-24826\",\n \"modified\": \"2026-03-14T12:31:29.719981Z\"\n },\n {\n \"id\": \"CVE-2024-25112\",\n \"modified\": \"2026-03-14T12:27:30.328627Z\"\n },\n {\n \"id\": \"CVE-2024-39695\",\n \"modified\": \"2026-03-14T12:34:50.263863Z\"\n },\n {\n \"id\": \"CVE-2025-26623\",\n \"modified\": \"2026-03-08T15:58:57.067224Z\"\n },\n {\n \"id\": \"CVE-2025-54080\",\n \"modified\": \"2026-03-08T15:58:53.801236Z\"\n },\n {\n \"id\": \"CVE-2025-55304\",\n \"modified\": \"2026-03-08T15:59:02.674652Z\"\n },\n {\n \"id\": \"CVE-2026-25884\",\n \"modified\": \"2026-03-08T15:58:58.717366Z\"\n },\n {\n \"id\": \"CVE-2026-27596\",\n \"modified\": \"2026-03-03T02:56:32.656501Z\"\n },\n {\n \"id\": \"CVE-2026-27631\",\n \"modified\": \"2026-03-08T16:18:26.088498Z\"\n },\n {\n \"id\": \"OSV-2023-1161\",\n \"modified\": \"2025-03-18T00:34:06.623648Z\"\n },\n {\n \"id\": \"OSV-2024-340\",\n \"modified\": \"2026-03-18T14:24:19.040933Z\"\n },\n {\n \"id\": \"PYSEC-2023-233\",\n \"modified\": \"2025-10-09T08:26:40.736495Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2021-22569\",\n \"modified\": \"2026-03-15T14:08:15.471655Z\"\n },\n {\n \"id\": \"CVE-2022-1941\",\n \"modified\": \"2026-03-15T22:44:13.683347Z\"\n },\n {\n \"id\": \"CVE-2022-3171\",\n \"modified\": \"2026-03-14T15:01:36.349851Z\"\n },\n {\n \"id\": \"CVE-2022-3509\",\n \"modified\": \"2026-03-14T11:46:42.854777Z\"\n },\n {\n \"id\": \"CVE-2022-3510\",\n \"modified\": \"2026-03-14T11:46:31.172987Z\"\n },\n {\n \"id\": \"CVE-2024-2410\",\n \"modified\": \"2026-03-14T12:30:27.419430Z\"\n },\n {\n \"id\": \"CVE-2024-7254\",\n \"modified\": \"2026-03-12T17:24:46.870042Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"OSV-2018-389\",\n \"modified\": \"2022-04-13T03:04:40.912286Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2024-51757\",\n \"modified\": \"2026-03-14T12:38:40.503950Z\"\n },\n {\n \"id\": \"CVE-2025-61927\",\n \"modified\": \"2026-03-14T12:44:19.001278Z\"\n },\n {\n \"id\": \"CVE-2025-62410\",\n \"modified\": \"2025-12-05T10:21:14.984236Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2024-12797\",\n \"modified\": \"2026-03-15T14:13:01.994465Z\"\n },\n {\n \"id\": \"CVE-2024-13176\",\n \"modified\": \"2026-03-15T22:49:27.674006Z\"\n },\n {\n \"id\": \"CVE-2024-9143\",\n \"modified\": \"2026-03-15T22:52:44.104304Z\"\n },\n {\n \"id\": \"CVE-2025-9230\",\n \"modified\": \"2026-03-15T21:45:01.944849Z\"\n },\n {\n \"id\": \"CVE-2025-9231\",\n \"modified\": \"2026-03-15T21:45:14.388367Z\"\n },\n {\n \"id\": \"CVE-2025-9232\",\n \"modified\": \"2026-03-15T22:22:16.665069Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2025-11187\",\n \"modified\": \"2026-03-13T22:14:04.753650Z\"\n },\n {\n \"id\": \"CVE-2025-15467\",\n \"modified\": \"2026-03-15T22:51:41.488774Z\"\n },\n {\n \"id\": \"CVE-2025-15468\",\n \"modified\": \"2026-03-15T22:51:46.393921Z\"\n },\n {\n \"id\": \"CVE-2025-15469\",\n \"modified\": \"2026-03-15T14:52:52.732682Z\"\n },\n {\n \"id\": \"CVE-2025-66199\",\n \"modified\": \"2026-03-15T14:15:22.516013Z\"\n },\n {\n \"id\": \"CVE-2025-68160\",\n \"modified\": \"2026-03-15T22:52:16.241316Z\"\n },\n {\n \"id\": \"CVE-2025-69418\",\n \"modified\": \"2026-03-15T22:52:15.052519Z\"\n },\n {\n \"id\": \"CVE-2025-69419\",\n \"modified\": \"2026-03-15T22:52:23.255585Z\"\n },\n {\n \"id\": \"CVE-2025-69420\",\n \"modified\": \"2026-03-15T14:54:02.448397Z\"\n },\n {\n \"id\": \"CVE-2025-9230\",\n \"modified\": \"2026-03-15T21:45:01.944849Z\"\n },\n {\n \"id\": \"CVE-2025-9231\",\n \"modified\": \"2026-03-15T21:45:14.388367Z\"\n },\n {\n \"id\": \"CVE-2025-9232\",\n \"modified\": \"2026-03-15T22:22:16.665069Z\"\n },\n {\n \"id\": \"CVE-2026-22795\",\n \"modified\": \"2026-03-15T14:55:17.107605Z\"\n },\n {\n \"id\": \"CVE-2026-22796\",\n \"modified\": \"2026-03-15T22:54:02.133546Z\"\n },\n {\n \"id\": \"CVE-2026-2673\",\n \"modified\": \"2026-03-15T14:54:45.482332Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2023-53159\",\n \"modified\": \"2026-03-11T18:20:56.090230Z\"\n },\n {\n \"id\": \"CVE-2023-6180\",\n \"modified\": \"2026-03-13T21:59:51.199646Z\"\n },\n {\n \"id\": \"CVE-2025-24898\",\n \"modified\": \"2026-02-04T02:18:45.944425Z\"\n },\n {\n \"id\": \"CVE-2025-3416\",\n \"modified\": \"2026-03-14T15:04:13.605678Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2016-10931\",\n \"modified\": \"2026-03-14T09:18:29.278606Z\"\n },\n {\n \"id\": \"CVE-2018-20997\",\n \"modified\": \"2026-03-14T09:29:08.646634Z\"\n },\n {\n \"id\": \"CVE-2023-53159\",\n \"modified\": \"2026-03-11T18:20:56.090230Z\"\n },\n {\n \"id\": \"CVE-2023-6180\",\n \"modified\": \"2026-03-13T21:59:51.199646Z\"\n },\n {\n \"id\": \"CVE-2025-3416\",\n \"modified\": \"2026-03-14T15:04:13.605678Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"3821\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Config_UnusedIgnores.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1852\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 433\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"433\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 23023\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.12-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Ubuntu\",\n \"name\": \"pcre3\"\n },\n \"version\": \"2:8.39-12ubuntu0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.115\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"apt\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-files\"\n },\n \"version\": \"9.9+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.43\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bash\"\n },\n \"version\": \"4.4-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bsdutils\"\n },\n \"version\": \"1:2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.26-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.8-2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.61\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2017.5+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.5-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dirmngr\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.18.25\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fslibs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20161106-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gcc-6-base\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/opencontainers/runc\"\n },\n \"version\": \"v1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/tianon/gosu\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg-agent\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/sys\"\n },\n \"version\": \"v0.0.0-20210817142637-7d9622a276b7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gpgv\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"grep\"\n },\n \"version\": \"2.27-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.6-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.18+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.48\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libacl1\"\n },\n \"version\": \"2.2.52-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libapt-pkg5.0\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libassuan0\"\n },\n \"version\": \"2.4.3-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libattr1\"\n },\n \"version\": \"1:2.4.47-2+b2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit-common\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit1\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libblkid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbsd0\"\n },\n \"version\": \"0.8.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbz2-1.0\"\n },\n \"version\": \"1.0.6-8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-bin\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-l10n\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc6\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcap-ng0\"\n },\n \"version\": \"0.7.7-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcomerr2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdb5.3\"\n },\n \"version\": \"5.3.28-12+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdebconfclient0\"\n },\n \"version\": \"0.227\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libedit2\"\n },\n \"version\": \"3.1-20160903-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libfdisk1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libffi6\"\n },\n \"version\": \"3.2.1-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcc1\"\n },\n \"version\": \"1:6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.7.6-2+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgdbm3\"\n },\n \"version\": \"1.8.3-14\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgmp10\"\n },\n \"version\": \"2:6.1.2+dfsg-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgnutls30\"\n },\n \"version\": \"3.5.8-5+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgpg-error0\"\n },\n \"version\": \"1.26-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgssapi-krb5-2\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libhogweed4\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libicu57\"\n },\n \"version\": \"57.1-6+deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libidn11\"\n },\n \"version\": \"1.33-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libjson-perl\"\n },\n \"version\": \"2.90-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libk5crypto3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkeyutils1\"\n },\n \"version\": \"1.5.9-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5-3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5support0\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libksba8\"\n },\n \"version\": \"1.3.5-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-2.4-2\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-common\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libllvm6.0\"\n },\n \"version\": \"1:6.0-1~bpo9+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblz4-1\"\n },\n \"version\": \"0.0~r131-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblzma5\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libmount1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncurses5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncursesw5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnettle6\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnpth0\"\n },\n \"version\": \"1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnss-wrapper\"\n },\n \"version\": \"1.1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libp11-kit0\"\n },\n \"version\": \"0.23.3-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules-bin\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-runtime\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam0g\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpcre3\"\n },\n \"version\": \"2:8.39-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libperl5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpq5\"\n },\n \"version\": \"14.2-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libreadline7\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-2\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-modules-db\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libselinux1\"\n },\n \"version\": \"2.6-3+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage-common\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsepol1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsmartcols1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsqlite3-0\"\n },\n \"version\": \"3.16.2-5+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libss2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libssl1.1\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libstdc++6\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsystemd0\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.10-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtinfo5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libudev1\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libustr-1.0-1\"\n },\n \"version\": \"1.0.4-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libuuid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxml2\"\n },\n \"version\": \"2.9.4+dfsg1-2.2+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxslt1.1\"\n },\n \"version\": \"1.1.29-2.1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libzstd1\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"locales\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"login\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"lsb-base\"\n },\n \"version\": \"9.20161125\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mount\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"multiarch-support\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-base\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-bin\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"passwd\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-base\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-modules-5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pgdg-keyring\"\n },\n \"version\": \"2018.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pinentry-curses\"\n },\n \"version\": \"1.0.0-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"readline-common\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sed\"\n },\n \"version\": \"4.4-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.9+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ssl-cert\"\n },\n \"version\": \"1.0.39\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sysvinit-utils\"\n },\n \"version\": \"2.88dsf-59.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tar\"\n },\n \"version\": \"1.29b-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ucf\"\n },\n \"version\": \"3.0036\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zlib1g\"\n },\n \"version\": \"1:1.2.8.dfsg-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zstd\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_file#01\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 22298\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"UBUNTU-CVE-2017-11164\",\n \"modified\": \"2026-01-20T16:49:00.053545Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-3374\",\n \"modified\": \"2026-03-17T02:42:42.368242Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0501\",\n \"modified\": \"2025-11-19T02:04:24.786271Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-3462\",\n \"modified\": \"2025-11-19T02:02:50.288367Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-27350\",\n \"modified\": \"2025-11-19T01:06:21.507844Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-3810\",\n \"modified\": \"2025-11-19T01:08:53.168851Z\"\n },\n {\n \"id\": \"DSA-4685-1\",\n \"modified\": \"2026-03-09T02:09:03.263738Z\"\n },\n {\n \"id\": \"DSA-4808-1\",\n \"modified\": \"2026-03-09T02:11:17.119108Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-18276\",\n \"modified\": \"2025-11-19T01:19:06.470662Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3715\",\n \"modified\": \"2026-03-17T02:47:45.184492Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2781\",\n \"modified\": \"2026-03-17T02:44:35.752995Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18018\",\n \"modified\": \"2026-03-17T02:45:06.555217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0684\",\n \"modified\": \"2025-11-19T01:02:00.374806Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-5278\",\n \"modified\": \"2026-03-17T02:52:23.723753Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1664\",\n \"modified\": \"2025-11-20T10:15:48.083782Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6297\",\n \"modified\": \"2026-03-17T02:50:41.230667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2219\",\n \"modified\": \"2026-03-14T15:06:12.109941Z\"\n },\n {\n \"id\": \"DLA-3022-1\",\n \"modified\": \"2026-03-09T01:23:37.553205Z\"\n },\n {\n \"id\": \"DSA-5147-1\",\n \"modified\": \"2026-03-09T02:10:11.335992Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-5094\",\n \"modified\": \"2025-11-19T02:02:52.019166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-5188\",\n \"modified\": \"2025-11-19T01:01:51.904490Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1304\",\n \"modified\": \"2025-11-20T10:15:47.847878Z\"\n },\n {\n \"id\": \"DLA-3910-1\",\n \"modified\": \"2026-03-09T01:22:32.343795Z\"\n },\n {\n \"id\": \"DSA-4535-1\",\n \"modified\": \"2026-03-09T02:10:12.902574Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9493-h29p-rfm2\",\n \"modified\": \"2026-02-04T03:47:55.536228Z\"\n },\n {\n \"id\": \"GHSA-cgrx-mc8f-2prm\",\n \"modified\": \"2026-02-04T02:50:45.342760Z\"\n },\n {\n \"id\": \"GHSA-f3fp-gc8g-vw66\",\n \"modified\": \"2026-02-04T04:15:59.735117Z\"\n },\n {\n \"id\": \"GHSA-g2j6-57v7-gm8c\",\n \"modified\": \"2026-02-04T02:43:58.212471Z\"\n },\n {\n \"id\": \"GHSA-jfvp-7x6p-h2pv\",\n \"modified\": \"2026-02-04T03:12:37.981869Z\"\n },\n {\n \"id\": \"GHSA-m8cg-xc2p-r3fc\",\n \"modified\": \"2026-02-04T03:29:19.767788Z\"\n },\n {\n \"id\": \"GHSA-qw9x-cqr3-wc7r\",\n \"modified\": \"2026-02-04T02:13:22.313241Z\"\n },\n {\n \"id\": \"GHSA-v95c-p5hm-xq8f\",\n \"modified\": \"2026-03-13T22:16:11.684125Z\"\n },\n {\n \"id\": \"GHSA-vpvm-3wq2-2wvm\",\n \"modified\": \"2026-02-04T02:53:37.613379Z\"\n },\n {\n \"id\": \"GHSA-xr7r-f8xq-vfvv\",\n \"modified\": \"2026-02-04T03:18:48.377509Z\"\n },\n {\n \"id\": \"GO-2022-0274\",\n \"modified\": \"2026-02-04T02:26:28.343240Z\"\n },\n {\n \"id\": \"GO-2022-0452\",\n \"modified\": \"2026-02-04T03:17:02.340230Z\"\n },\n {\n \"id\": \"GO-2023-1627\",\n \"modified\": \"2026-02-04T03:58:42.107712Z\"\n },\n {\n \"id\": \"GO-2023-1682\",\n \"modified\": \"2026-02-04T02:59:23.815900Z\"\n },\n {\n \"id\": \"GO-2023-1683\",\n \"modified\": \"2026-02-04T04:01:58.343687Z\"\n },\n {\n \"id\": \"GO-2024-2491\",\n \"modified\": \"2026-02-04T02:39:00.262696Z\"\n },\n {\n \"id\": \"GO-2024-3110\",\n \"modified\": \"2026-02-04T02:23:26.560077Z\"\n },\n {\n \"id\": \"GO-2025-4096\",\n \"modified\": \"2026-02-04T03:11:33.546218Z\"\n },\n {\n \"id\": \"GO-2025-4097\",\n \"modified\": \"2026-02-04T03:00:55.376695Z\"\n },\n {\n \"id\": \"GO-2025-4098\",\n \"modified\": \"2026-02-04T02:52:46.004719Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-p782-xgp4-8hr8\",\n \"modified\": \"2026-02-04T04:15:14.486111Z\"\n },\n {\n \"id\": \"GO-2022-0493\",\n \"modified\": \"2026-02-04T03:42:54.589715Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DSA-5122-1\",\n \"modified\": \"2026-03-09T02:09:10.163691Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-0379\",\n \"modified\": \"2025-11-19T01:06:25.120079Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7526\",\n \"modified\": \"2025-11-19T02:04:40.318681Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0495\",\n \"modified\": \"2025-11-19T02:04:27.207183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6829\",\n \"modified\": \"2026-03-10T05:05:47.263837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-13627\",\n \"modified\": \"2025-11-19T01:12:35.581705Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-33560\",\n \"modified\": \"2026-03-10T05:07:08.938163Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-40528\",\n \"modified\": \"2025-11-19T01:01:59.995618Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2236\",\n \"modified\": \"2026-03-10T05:09:58.705229Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-10790\",\n \"modified\": \"2025-11-19T01:01:57.855157Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-1000654\",\n \"modified\": \"2025-11-19T02:02:40.642360Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6003\",\n \"modified\": \"2025-11-19T01:06:22.990063Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-46848\",\n \"modified\": \"2025-11-20T10:15:14.681077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12133\",\n \"modified\": \"2025-11-20T10:17:02.620233Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-13151\",\n \"modified\": \"2026-01-20T05:13:20.502324Z\"\n },\n {\n \"id\": \"DLA-3263-1\",\n \"modified\": \"2026-03-09T01:22:34.273046Z\"\n },\n {\n \"id\": \"DLA-4061-1\",\n \"modified\": \"2026-03-09T01:20:16.124977Z\"\n },\n {\n \"id\": \"DSA-5863-1\",\n \"modified\": \"2026-03-09T02:08:50.747280Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-3709\",\n \"modified\": \"2025-11-20T10:12:11.931996Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2016-9318\",\n \"modified\": \"2025-11-19T02:02:45.582059Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-0663\",\n \"modified\": \"2025-11-19T02:02:52.056836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-15412\",\n \"modified\": \"2025-11-19T01:08:49.499099Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16931\",\n \"modified\": \"2025-11-19T02:04:25.542166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16932\",\n \"modified\": \"2025-11-19T01:04:39.458229Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18258\",\n \"modified\": \"2025-11-19T01:08:48.927062Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5130\",\n \"modified\": \"2025-11-19T01:03:12.822124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5969\",\n \"modified\": \"2025-11-19T01:08:52.062516Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7375\",\n \"modified\": \"2025-11-19T02:02:48.011785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7376\",\n \"modified\": \"2025-11-19T02:01:17.016443Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-8872\",\n \"modified\": \"2025-11-19T02:04:31.920669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9047\",\n \"modified\": \"2025-11-19T02:04:30.335407Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9048\",\n \"modified\": \"2025-11-19T01:19:09.303210Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9049\",\n \"modified\": \"2025-11-19T01:03:12.259406Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9050\",\n \"modified\": \"2025-11-19T01:08:53.069573Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14404\",\n \"modified\": \"2025-11-19T01:12:32.274520Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14567\",\n \"modified\": \"2025-11-19T01:08:49.660035Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-19956\",\n \"modified\": \"2025-11-19T02:01:17.970372Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-20388\",\n \"modified\": \"2025-11-19T02:04:37.363509Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-24977\",\n \"modified\": \"2025-11-19T02:04:41.266003Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-7595\",\n \"modified\": \"2025-11-19T02:04:29.271836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3516\",\n \"modified\": \"2025-11-19T02:01:14.946107Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3517\",\n \"modified\": \"2025-11-19T01:12:34.981900Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3518\",\n \"modified\": \"2025-11-19T01:19:08.645337Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3537\",\n \"modified\": \"2025-11-19T02:04:30.248276Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3541\",\n \"modified\": \"2025-11-19T02:04:36.614917Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2309\",\n \"modified\": \"2025-11-20T10:15:28.694644Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-23308\",\n \"modified\": \"2025-11-20T10:15:29.029152Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-29824\",\n \"modified\": \"2025-11-20T10:15:52.814213Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40303\",\n \"modified\": \"2025-11-20T10:16:01.982632Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40304\",\n \"modified\": \"2025-11-20T10:16:01.918054Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-49043\",\n \"modified\": \"2025-11-20T10:16:12.358770Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-28484\",\n \"modified\": \"2025-11-20T10:16:35.199991Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-29469\",\n \"modified\": \"2025-11-20T10:17:34.943682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39615\",\n \"modified\": \"2025-11-20T10:16:41.593841Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-45322\",\n \"modified\": \"2025-11-20T10:16:44.891362Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-25062\",\n \"modified\": \"2025-11-20T10:17:04.986212Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-34459\",\n \"modified\": \"2025-11-20T10:17:41.570595Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56171\",\n \"modified\": \"2025-11-20T10:17:48.605695Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-24928\",\n \"modified\": \"2025-11-20T10:18:05.778161Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27113\",\n \"modified\": \"2025-11-20T10:18:06.358243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32414\",\n \"modified\": \"2025-11-20T10:18:08.076077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32415\",\n \"modified\": \"2025-11-20T10:18:08.251077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49794\",\n \"modified\": \"2025-11-20T10:18:23.322205Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49796\",\n \"modified\": \"2025-11-20T10:18:23.585429Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6021\",\n \"modified\": \"2025-11-20T10:18:26.314947Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6170\",\n \"modified\": \"2025-11-20T10:18:26.670728Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-8732\",\n \"modified\": \"2025-12-14T10:13:26.467517Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9714\",\n \"modified\": \"2026-01-10T14:08:12.148171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0989\",\n \"modified\": \"2026-01-16T11:05:07.928323Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0990\",\n \"modified\": \"2026-01-16T11:05:23.527352Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0992\",\n \"modified\": \"2026-01-16T11:05:10.515041Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-1757\",\n \"modified\": \"2026-02-03T11:16:44.779248Z\"\n },\n {\n \"id\": \"DLA-3012-1\",\n \"modified\": \"2026-03-09T01:20:46.878115Z\"\n },\n {\n \"id\": \"DLA-3172-1\",\n \"modified\": \"2026-03-09T01:19:54.747665Z\"\n },\n {\n \"id\": \"DLA-3405-1\",\n \"modified\": \"2026-03-09T01:01:29.748040Z\"\n },\n {\n \"id\": \"DLA-3878-1\",\n \"modified\": \"2026-03-09T01:20:38.676387Z\"\n },\n {\n \"id\": \"DLA-4064-1\",\n \"modified\": \"2026-03-09T01:20:30.558703Z\"\n },\n {\n \"id\": \"DLA-4146-1\",\n \"modified\": \"2026-03-09T01:22:43.732573Z\"\n },\n {\n \"id\": \"DLA-4251-1\",\n \"modified\": \"2026-03-09T02:11:12.986866Z\"\n },\n {\n \"id\": \"DLA-4319-1\",\n \"modified\": \"2025-09-30T22:17:08.381361Z\"\n },\n {\n \"id\": \"DSA-5142-1\",\n \"modified\": \"2026-03-09T02:10:58.737631Z\"\n },\n {\n \"id\": \"DSA-5271-1\",\n \"modified\": \"2026-03-09T02:10:55.154283Z\"\n },\n {\n \"id\": \"DSA-5391-1\",\n \"modified\": \"2026-03-09T02:09:39.164621Z\"\n },\n {\n \"id\": \"DSA-5949-1\",\n \"modified\": \"2026-03-09T02:09:32.257423Z\"\n },\n {\n \"id\": \"DSA-5990-1\",\n \"modified\": \"2025-08-29T13:01:48.117026Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2018-0732\",\n \"modified\": \"2025-11-19T02:02:54.249966Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0734\",\n \"modified\": \"2025-11-19T02:02:43.768735Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0735\",\n \"modified\": \"2025-11-19T01:19:04.251217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-5407\",\n \"modified\": \"2025-11-19T01:02:00.203143Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1543\",\n \"modified\": \"2025-11-19T01:12:34.981629Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1547\",\n \"modified\": \"2025-11-19T01:12:35.687253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1549\",\n \"modified\": \"2025-11-19T01:04:40.924710Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1551\",\n \"modified\": \"2025-11-19T01:19:08.067279Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1563\",\n \"modified\": \"2025-11-19T02:04:34.392400Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1967\",\n \"modified\": \"2025-11-19T02:04:38.886020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1971\",\n \"modified\": \"2025-11-19T02:04:28.520483Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23840\",\n \"modified\": \"2025-11-19T01:03:14.356310Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23841\",\n \"modified\": \"2025-11-19T02:02:54.160482Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3449\",\n \"modified\": \"2025-11-19T01:04:41.495834Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3450\",\n \"modified\": \"2025-11-19T02:01:16.123253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3711\",\n \"modified\": \"2025-11-20T10:15:44.121033Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3712\",\n \"modified\": \"2025-11-20T10:15:44.130193Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-4160\",\n \"modified\": \"2025-11-20T10:15:10.185497Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0778\",\n \"modified\": \"2025-11-20T10:15:47.332694Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1292\",\n \"modified\": \"2025-11-20T10:15:25.471825Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2068\",\n \"modified\": \"2025-11-20T10:15:27.022420Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2097\",\n \"modified\": \"2025-11-20T10:15:27.065089Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2274\",\n \"modified\": \"2025-11-19T02:02:45.418259Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3358\",\n \"modified\": \"2025-11-19T01:06:25.721124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3602\",\n \"modified\": \"2025-11-19T01:12:35.687556Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3786\",\n \"modified\": \"2025-11-19T01:19:02.748977Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3996\",\n \"modified\": \"2025-11-19T02:01:16.596616Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4203\",\n \"modified\": \"2025-11-19T02:01:16.313531Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4304\",\n \"modified\": \"2025-11-20T10:16:04.313466Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4450\",\n \"modified\": \"2025-11-20T10:16:05.367442Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0215\",\n \"modified\": \"2025-11-20T10:16:27.838296Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0216\",\n \"modified\": \"2025-11-19T02:04:35.947667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0217\",\n \"modified\": \"2025-11-19T01:12:37.272749Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0286\",\n \"modified\": \"2025-11-20T10:16:27.985311Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0401\",\n \"modified\": \"2025-11-19T01:12:36.298552Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0464\",\n \"modified\": \"2025-11-20T10:16:28.057931Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0465\",\n \"modified\": \"2025-11-20T10:16:28.143046Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0466\",\n \"modified\": \"2025-11-20T10:16:28.053837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-1255\",\n \"modified\": \"2025-11-19T01:08:49.387669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2650\",\n \"modified\": \"2025-11-20T10:17:34.439123Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2975\",\n \"modified\": \"2025-11-20T10:16:36.112183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3446\",\n \"modified\": \"2025-11-20T10:16:38.860251Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3817\",\n \"modified\": \"2025-11-20T10:17:35.737266Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5363\",\n \"modified\": \"2025-11-20T10:16:59.430619Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5678\",\n \"modified\": \"2025-11-20T10:17:38.719690Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6129\",\n \"modified\": \"2025-11-20T10:17:39.029757Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6237\",\n \"modified\": \"2025-11-20T10:17:39.218097Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0727\",\n \"modified\": \"2025-11-20T10:17:01.258658Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12797\",\n \"modified\": \"2025-11-19T02:04:36.131726Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-13176\",\n \"modified\": \"2026-03-17T02:49:44.824285Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2511\",\n \"modified\": \"2025-11-20T10:17:05.139581Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4603\",\n \"modified\": \"2025-11-20T10:17:43.955114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4741\",\n \"modified\": \"2025-11-20T10:17:26.990307Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-5535\",\n \"modified\": \"2025-11-20T10:17:48.194687Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-6119\",\n \"modified\": \"2025-11-20T10:17:53.824117Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-9143\",\n \"modified\": \"2025-11-20T10:17:55.864918Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-11187\",\n \"modified\": \"2026-03-17T02:47:10.761659Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15467\",\n \"modified\": \"2026-03-17T02:51:11.866899Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15468\",\n \"modified\": \"2026-03-17T02:51:12.304672Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15469\",\n \"modified\": \"2026-03-17T02:51:12.299847Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27587\",\n \"modified\": \"2026-03-17T02:51:34.552234Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-4575\",\n \"modified\": \"2025-11-19T02:02:43.971243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-66199\",\n \"modified\": \"2026-03-17T02:52:26.091887Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-68160\",\n \"modified\": \"2026-03-17T02:50:42.645267Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69418\",\n \"modified\": \"2026-03-17T02:51:22.404226Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69419\",\n \"modified\": \"2026-03-17T02:51:22.497785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69420\",\n \"modified\": \"2026-03-17T02:51:22.651361Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69421\",\n \"modified\": \"2026-03-17T02:51:22.561721Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9230\",\n \"modified\": \"2026-03-17T02:51:39.764914Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9231\",\n \"modified\": \"2026-03-17T02:51:39.727656Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9232\",\n \"modified\": \"2026-03-17T02:51:39.882696Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22795\",\n \"modified\": \"2026-03-17T02:51:47.646020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22796\",\n \"modified\": \"2026-03-17T02:51:47.743030Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2673\",\n \"modified\": \"2026-03-18T09:03:28.363302Z\"\n },\n {\n \"id\": \"DLA-3008-1\",\n \"modified\": \"2026-03-09T01:23:33.375630Z\"\n },\n {\n \"id\": \"DLA-3325-1\",\n \"modified\": \"2026-03-09T01:19:40.983935Z\"\n },\n {\n \"id\": \"DLA-3449-1\",\n \"modified\": \"2026-03-09T01:22:47.322805Z\"\n },\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n },\n {\n \"id\": \"DLA-3942-1\",\n \"modified\": \"2026-03-09T01:22:40.686044Z\"\n },\n {\n \"id\": \"DLA-3942-2\",\n \"modified\": \"2026-03-09T01:21:01.728730Z\"\n },\n {\n \"id\": \"DLA-4176-1\",\n \"modified\": \"2026-03-09T01:20:23.459313Z\"\n },\n {\n \"id\": \"DLA-4321-1\",\n \"modified\": \"2025-10-03T16:33:24.717173Z\"\n },\n {\n \"id\": \"DLA-4490-1\",\n \"modified\": \"2026-02-23T10:30:28.927832Z\"\n },\n {\n \"id\": \"DSA-4539-1\",\n \"modified\": \"2026-03-09T02:09:20.276054Z\"\n },\n {\n \"id\": \"DSA-4539-3\",\n \"modified\": \"2025-05-26T07:05:14.261652Z\"\n },\n {\n \"id\": \"DSA-4661-1\",\n \"modified\": \"2026-03-09T02:08:53.792348Z\"\n },\n {\n \"id\": \"DSA-4807-1\",\n \"modified\": \"2026-03-09T02:10:20.442914Z\"\n },\n {\n \"id\": \"DSA-4855-1\",\n \"modified\": \"2026-03-09T02:11:29.405206Z\"\n },\n {\n \"id\": \"DSA-4875-1\",\n \"modified\": \"2026-03-09T02:10:05.387501Z\"\n },\n {\n \"id\": \"DSA-4963-1\",\n \"modified\": \"2026-03-09T02:10:15.488747Z\"\n },\n {\n \"id\": \"DSA-5103-1\",\n \"modified\": \"2026-03-09T02:09:42.407559Z\"\n },\n {\n \"id\": \"DSA-5139-1\",\n \"modified\": \"2026-03-09T02:09:17.334653Z\"\n },\n {\n \"id\": \"DSA-5169-1\",\n \"modified\": \"2026-03-09T02:09:37.692763Z\"\n },\n {\n \"id\": \"DSA-5343-1\",\n \"modified\": \"2026-03-09T02:09:47.149297Z\"\n },\n {\n \"id\": \"DSA-5417-1\",\n \"modified\": \"2026-03-09T02:09:39.950679Z\"\n },\n {\n \"id\": \"DSA-5532-1\",\n \"modified\": \"2026-03-09T02:08:31.395482Z\"\n },\n {\n \"id\": \"DSA-5764-1\",\n \"modified\": \"2026-03-09T02:09:02.723874Z\"\n },\n {\n \"id\": \"DSA-6015-1\",\n \"modified\": \"2025-10-01T13:32:01.848986Z\"\n },\n {\n \"id\": \"DSA-6113-1\",\n \"modified\": \"2026-01-27T20:30:04.397078Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-4116\",\n \"modified\": \"2025-11-20T10:10:50.058601Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12837\",\n \"modified\": \"2025-11-19T01:03:14.361068Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12883\",\n \"modified\": \"2025-11-19T01:12:38.323688Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-12015\",\n \"modified\": \"2025-11-19T02:02:49.033339Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18311\",\n \"modified\": \"2025-11-19T01:12:36.918544Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18312\",\n \"modified\": \"2025-11-19T02:04:33.584277Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18313\",\n \"modified\": \"2025-11-19T01:06:24.154928Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18314\",\n \"modified\": \"2025-11-19T01:12:35.416886Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6797\",\n \"modified\": \"2025-11-19T02:04:23.831823Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6798\",\n \"modified\": \"2025-11-19T02:02:49.628171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6913\",\n \"modified\": \"2025-11-19T02:02:50.593437Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10543\",\n \"modified\": \"2025-11-19T01:04:39.904198Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10878\",\n \"modified\": \"2025-11-19T01:12:35.457057Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-12723\",\n \"modified\": \"2025-11-19T02:02:47.094787Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-16156\",\n \"modified\": \"2025-11-20T10:14:36.701112Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-36770\",\n \"modified\": \"2025-11-20T10:15:44.080114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48522\",\n \"modified\": \"2025-11-19T01:08:52.915564Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31484\",\n \"modified\": \"2025-11-20T10:17:35.627220Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31486\",\n \"modified\": \"2026-03-17T02:48:35.857896Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-47038\",\n \"modified\": \"2025-11-20T10:16:46.343364Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56406\",\n \"modified\": \"2025-11-20T10:17:48.686371Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-40909\",\n \"modified\": \"2025-11-20T10:18:21.143971Z\"\n },\n {\n \"id\": \"DLA-3926-1\",\n \"modified\": \"2026-03-09T01:20:46.118633Z\"\n },\n {\n \"id\": \"DSA-5902-1\",\n \"modified\": \"2026-03-09T02:09:19.793163Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3072-1\",\n \"modified\": \"2026-03-09T01:22:24.680239Z\"\n },\n {\n \"id\": \"DLA-3189-1\",\n \"modified\": \"2025-05-26T07:01:07.887113Z\"\n },\n {\n \"id\": \"DLA-3316-1\",\n \"modified\": \"2025-05-26T07:01:13.127412Z\"\n },\n {\n \"id\": \"DLA-3422-1\",\n \"modified\": \"2026-03-09T01:20:56.692752Z\"\n },\n {\n \"id\": \"DLA-3600-1\",\n \"modified\": \"2026-03-09T01:17:49.966197Z\"\n },\n {\n \"id\": \"DLA-3651-1\",\n \"modified\": \"2026-03-09T01:18:05.310519Z\"\n },\n {\n \"id\": \"DLA-3764-1\",\n \"modified\": \"2026-03-09T01:23:22.273526Z\"\n },\n {\n \"id\": \"DSA-5135-1\",\n \"modified\": \"2026-03-09T02:11:21.646978Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-17512\",\n \"modified\": \"2025-11-19T02:04:30.656495Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2005-2541\",\n \"modified\": \"2026-03-17T02:42:47.789952Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-20482\",\n \"modified\": \"2025-11-19T02:02:47.070832Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-9923\",\n \"modified\": \"2025-11-19T02:02:53.559001Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-20193\",\n \"modified\": \"2025-11-19T01:01:55.139356Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48303\",\n \"modified\": \"2025-11-20T10:16:07.552593Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39804\",\n \"modified\": \"2025-11-20T10:16:41.587973Z\"\n },\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3051-1\",\n \"modified\": \"2025-05-26T07:01:56.257796Z\"\n },\n {\n \"id\": \"DLA-3134-1\",\n \"modified\": \"2025-05-26T07:01:01.500124Z\"\n },\n {\n \"id\": \"DLA-3161-1\",\n \"modified\": \"2025-05-26T07:01:03.882213Z\"\n },\n {\n \"id\": \"DLA-3366-1\",\n \"modified\": \"2025-05-26T07:01:17.027142Z\"\n },\n {\n \"id\": \"DLA-3412-1\",\n \"modified\": \"2025-05-26T07:01:20.109212Z\"\n },\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n },\n {\n \"id\": \"DLA-3972-1\",\n \"modified\": \"2025-05-26T07:02:05.284676Z\"\n },\n {\n \"id\": \"DLA-4085-1\",\n \"modified\": \"2025-05-26T07:02:10.958749Z\"\n },\n {\n \"id\": \"DLA-4105-1\",\n \"modified\": \"2025-05-26T07:02:13.921097Z\"\n },\n {\n \"id\": \"DLA-4403-1\",\n \"modified\": \"2025-12-12T10:13:37.154747Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-4016-1\",\n \"modified\": \"2025-05-26T07:02:06.504254Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2779\",\n \"modified\": \"2025-11-19T01:12:38.591462Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-7738\",\n \"modified\": \"2025-11-20T10:13:54.493707Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-37600\",\n \"modified\": \"2025-11-19T02:02:43.997954Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3995\",\n \"modified\": \"2025-11-20T10:15:45.587792Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3996\",\n \"modified\": \"2025-11-20T10:15:45.602424Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0563\",\n \"modified\": \"2026-03-17T02:46:43.123134Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-28085\",\n \"modified\": \"2025-11-20T10:17:41.612682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-14104\",\n \"modified\": \"2026-03-05T17:00:58.361610Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-3184\",\n \"modified\": \"2026-02-26T09:30:44.219098Z\"\n },\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n },\n {\n \"id\": \"DSA-5055-1\",\n \"modified\": \"2026-03-09T02:10:40.826335Z\"\n },\n {\n \"id\": \"DSA-5650-1\",\n \"modified\": \"2026-03-09T02:08:30.371343Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-3094\",\n \"modified\": \"2025-11-19T01:12:34.542011Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-31115\",\n \"modified\": \"2025-11-20T10:18:07.484724Z\"\n },\n {\n \"id\": \"DSA-5123-1\",\n \"modified\": \"2026-03-09T02:10:46.054497Z\"\n },\n {\n \"id\": \"DSA-5895-1\",\n \"modified\": \"2026-03-09T02:08:52.515269Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"22298\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 19884\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-baselayout-data\"\n },\n \"version\": \"3.4.0-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"alpine-keys\"\n },\n \"version\": \"2.4-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"apk-tools\"\n },\n \"version\": \"2.12.10-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"busybox-binsh\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ca-certificates-bundle\"\n },\n \"version\": \"20220614-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libc-utils\"\n },\n \"version\": \"0.7.2-r3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libcrypto3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"libssl3\"\n },\n \"version\": \"3.0.8-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"musl-utils\"\n },\n \"version\": \"1.2.3-r4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"scanelf\"\n },\n \"version\": \"1.3.5-r1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"ssl_client\"\n },\n \"version\": \"1.36.1-r27\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Alpine\",\n \"name\": \"zlib\"\n },\n \"version\": \"1.2.10-r0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"adduser\"\n },\n \"version\": \"3.115\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"apt\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-files\"\n },\n \"version\": \"9.9+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"base-passwd\"\n },\n \"version\": \"3.5.43\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bash\"\n },\n \"version\": \"4.4-5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"bsdutils\"\n },\n \"version\": \"1:2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"coreutils\"\n },\n \"version\": \"8.26-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dash\"\n },\n \"version\": \"0.5.8-2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debconf\"\n },\n \"version\": \"1.5.61\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debian-archive-keyring\"\n },\n \"version\": \"2017.5+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"debianutils\"\n },\n \"version\": \"4.8.1.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"diffutils\"\n },\n \"version\": \"1:3.5-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dirmngr\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"dpkg\"\n },\n \"version\": \"1.18.25\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fslibs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"e2fsprogs\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"findutils\"\n },\n \"version\": \"4.6.0+git+20161106-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gcc-6-base\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/opencontainers/runc\"\n },\n \"version\": \"v1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/tianon/gosu\"\n },\n \"version\": \"(devel)\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gnupg-agent\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/sys\"\n },\n \"version\": \"v0.0.0-20210817142637-7d9622a276b7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gpgv\"\n },\n \"version\": \"2.1.18-8~deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"grep\"\n },\n \"version\": \"2.27-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"gzip\"\n },\n \"version\": \"1.6-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"hostname\"\n },\n \"version\": \"3.18+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"init-system-helpers\"\n },\n \"version\": \"1.48\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libacl1\"\n },\n \"version\": \"2.2.52-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libapt-pkg5.0\"\n },\n \"version\": \"1.4.11\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libassuan0\"\n },\n \"version\": \"2.4.3-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libattr1\"\n },\n \"version\": \"1:2.4.47-2+b2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit-common\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libaudit1\"\n },\n \"version\": \"1:2.6.7-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libblkid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbsd0\"\n },\n \"version\": \"0.8.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libbz2-1.0\"\n },\n \"version\": \"1.0.6-8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-bin\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc-l10n\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libc6\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcap-ng0\"\n },\n \"version\": \"0.7.7-3+b1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libcomerr2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdb5.3\"\n },\n \"version\": \"5.3.28-12+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libdebconfclient0\"\n },\n \"version\": \"0.227\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libedit2\"\n },\n \"version\": \"3.1-20160903-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libfdisk1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libffi6\"\n },\n \"version\": \"3.2.1-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcc1\"\n },\n \"version\": \"1:6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgcrypt20\"\n },\n \"version\": \"1.7.6-2+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgdbm3\"\n },\n \"version\": \"1.8.3-14\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgmp10\"\n },\n \"version\": \"2:6.1.2+dfsg-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgnutls30\"\n },\n \"version\": \"3.5.8-5+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgpg-error0\"\n },\n \"version\": \"1.26-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libgssapi-krb5-2\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libhogweed4\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libicu57\"\n },\n \"version\": \"57.1-6+deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libidn11\"\n },\n \"version\": \"1.33-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libjson-perl\"\n },\n \"version\": \"2.90-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libk5crypto3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkeyutils1\"\n },\n \"version\": \"1.5.9-9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5-3\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libkrb5support0\"\n },\n \"version\": \"1.15-1+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libksba8\"\n },\n \"version\": \"1.3.5-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-2.4-2\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libldap-common\"\n },\n \"version\": \"2.4.44+dfsg-5+deb9u8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libllvm6.0\"\n },\n \"version\": \"1:6.0-1~bpo9+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblz4-1\"\n },\n \"version\": \"0.0~r131-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"liblzma5\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libmount1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncurses5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libncursesw5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnettle6\"\n },\n \"version\": \"3.3-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnpth0\"\n },\n \"version\": \"1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libnss-wrapper\"\n },\n \"version\": \"1.1.3-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libp11-kit0\"\n },\n \"version\": \"0.23.3-2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-modules-bin\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam-runtime\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpam0g\"\n },\n \"version\": \"1.1.8-3.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpcre3\"\n },\n \"version\": \"2:8.39-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libperl5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libpq5\"\n },\n \"version\": \"14.2-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libreadline7\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-2\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsasl2-modules-db\"\n },\n \"version\": \"2.1.27~101-g0780600+dfsg-3+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libselinux1\"\n },\n \"version\": \"2.6-3+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage-common\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsemanage1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsepol1\"\n },\n \"version\": \"2.6-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsmartcols1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsqlite3-0\"\n },\n \"version\": \"3.16.2-5+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libss2\"\n },\n \"version\": \"1.43.4-2+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libssl1.1\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libstdc++6\"\n },\n \"version\": \"6.3.0-18+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libsystemd0\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtasn1-6\"\n },\n \"version\": \"4.10-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libtinfo5\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libudev1\"\n },\n \"version\": \"232-25+deb9u13\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libustr-1.0-1\"\n },\n \"version\": \"1.0.4-6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libuuid1\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxml2\"\n },\n \"version\": \"2.9.4+dfsg1-2.2+deb9u6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libxslt1.1\"\n },\n \"version\": \"1.1.29-2.1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"libzstd1\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"locales\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"login\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"lsb-base\"\n },\n \"version\": \"9.20161125\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mawk\"\n },\n \"version\": \"1.3.3-17+b3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"mount\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"multiarch-support\"\n },\n \"version\": \"2.24-11+deb9u4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-base\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ncurses-bin\"\n },\n \"version\": \"6.0+20161126-1+deb9u2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"netbase\"\n },\n \"version\": \"5.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"openssl\"\n },\n \"version\": \"1.1.0l-1~deb9u5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"passwd\"\n },\n \"version\": \"1:4.4-4.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-base\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"perl-modules-5.24\"\n },\n \"version\": \"5.24.1-3+deb9u7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pgdg-keyring\"\n },\n \"version\": \"2018.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"pinentry-curses\"\n },\n \"version\": \"1.0.0-2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-11\"\n },\n \"version\": \"11.15-1.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-client-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"postgresql-common\"\n },\n \"version\": \"238.pgdg90+1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"readline-common\"\n },\n \"version\": \"7.0-3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sed\"\n },\n \"version\": \"4.4-1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sensible-utils\"\n },\n \"version\": \"0.0.9+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ssl-cert\"\n },\n \"version\": \"1.0.39\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"sysvinit-utils\"\n },\n \"version\": \"2.88dsf-59.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tar\"\n },\n \"version\": \"1.29b-1.1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"tzdata\"\n },\n \"version\": \"2021a-0+deb9u3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"ucf\"\n },\n \"version\": \"3.0036\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"util-linux\"\n },\n \"version\": \"2.29.2-1+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"xz-utils\"\n },\n \"version\": \"5.2.2-1.2+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zlib1g\"\n },\n \"version\": \"1:1.2.8.dfsg-5+deb9u1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian\",\n \"name\": \"zstd\"\n },\n \"version\": \"1.1.2-1+deb9u1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Config_UnusedIgnores/unused_ignores_are_reported_with_specific_config_and_multiple_files\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 21542\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2025-26519\",\n \"modified\": \"2025-12-11T11:16:21.978419Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"ALPINE-CVE-2018-25032\",\n \"modified\": \"2025-12-03T22:47:03.844688Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2022-37434\",\n \"modified\": \"2025-12-03T22:50:43.469206Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-22184\",\n \"modified\": \"2026-03-09T02:10:12.057314Z\"\n },\n {\n \"id\": \"ALPINE-CVE-2026-27171\",\n \"modified\": \"2026-03-09T02:09:33.041671Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-3374\",\n \"modified\": \"2026-03-17T02:42:42.368242Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0501\",\n \"modified\": \"2025-11-19T02:04:24.786271Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-3462\",\n \"modified\": \"2025-11-19T02:02:50.288367Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-27350\",\n \"modified\": \"2025-11-19T01:06:21.507844Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-3810\",\n \"modified\": \"2025-11-19T01:08:53.168851Z\"\n },\n {\n \"id\": \"DSA-4685-1\",\n \"modified\": \"2026-03-09T02:09:03.263738Z\"\n },\n {\n \"id\": \"DSA-4808-1\",\n \"modified\": \"2026-03-09T02:11:17.119108Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-18276\",\n \"modified\": \"2025-11-19T01:19:06.470662Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3715\",\n \"modified\": \"2026-03-17T02:47:45.184492Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2781\",\n \"modified\": \"2026-03-17T02:44:35.752995Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18018\",\n \"modified\": \"2026-03-17T02:45:06.555217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0684\",\n \"modified\": \"2025-11-19T01:02:00.374806Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-5278\",\n \"modified\": \"2026-03-17T02:52:23.723753Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3482-1\",\n \"modified\": \"2025-05-26T07:01:25.263124Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1664\",\n \"modified\": \"2025-11-20T10:15:48.083782Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6297\",\n \"modified\": \"2026-03-17T02:50:41.230667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2219\",\n \"modified\": \"2026-03-14T15:06:12.109941Z\"\n },\n {\n \"id\": \"DLA-3022-1\",\n \"modified\": \"2026-03-09T01:23:37.553205Z\"\n },\n {\n \"id\": \"DSA-5147-1\",\n \"modified\": \"2026-03-09T02:10:11.335992Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2019-5094\",\n \"modified\": \"2025-11-19T02:02:52.019166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-5188\",\n \"modified\": \"2025-11-19T01:01:51.904490Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1304\",\n \"modified\": \"2025-11-20T10:15:47.847878Z\"\n },\n {\n \"id\": \"DLA-3910-1\",\n \"modified\": \"2026-03-09T01:22:32.343795Z\"\n },\n {\n \"id\": \"DSA-4535-1\",\n \"modified\": \"2026-03-09T02:10:12.902574Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9493-h29p-rfm2\",\n \"modified\": \"2026-02-04T03:47:55.536228Z\"\n },\n {\n \"id\": \"GHSA-cgrx-mc8f-2prm\",\n \"modified\": \"2026-02-04T02:50:45.342760Z\"\n },\n {\n \"id\": \"GHSA-f3fp-gc8g-vw66\",\n \"modified\": \"2026-02-04T04:15:59.735117Z\"\n },\n {\n \"id\": \"GHSA-g2j6-57v7-gm8c\",\n \"modified\": \"2026-02-04T02:43:58.212471Z\"\n },\n {\n \"id\": \"GHSA-jfvp-7x6p-h2pv\",\n \"modified\": \"2026-02-04T03:12:37.981869Z\"\n },\n {\n \"id\": \"GHSA-m8cg-xc2p-r3fc\",\n \"modified\": \"2026-02-04T03:29:19.767788Z\"\n },\n {\n \"id\": \"GHSA-qw9x-cqr3-wc7r\",\n \"modified\": \"2026-02-04T02:13:22.313241Z\"\n },\n {\n \"id\": \"GHSA-v95c-p5hm-xq8f\",\n \"modified\": \"2026-03-13T22:16:11.684125Z\"\n },\n {\n \"id\": \"GHSA-vpvm-3wq2-2wvm\",\n \"modified\": \"2026-02-04T02:53:37.613379Z\"\n },\n {\n \"id\": \"GHSA-xr7r-f8xq-vfvv\",\n \"modified\": \"2026-02-04T03:18:48.377509Z\"\n },\n {\n \"id\": \"GO-2022-0274\",\n \"modified\": \"2026-02-04T02:26:28.343240Z\"\n },\n {\n \"id\": \"GO-2022-0452\",\n \"modified\": \"2026-02-04T03:17:02.340230Z\"\n },\n {\n \"id\": \"GO-2023-1627\",\n \"modified\": \"2026-02-04T03:58:42.107712Z\"\n },\n {\n \"id\": \"GO-2023-1682\",\n \"modified\": \"2026-02-04T02:59:23.815900Z\"\n },\n {\n \"id\": \"GO-2023-1683\",\n \"modified\": \"2026-02-04T04:01:58.343687Z\"\n },\n {\n \"id\": \"GO-2024-2491\",\n \"modified\": \"2026-02-04T02:39:00.262696Z\"\n },\n {\n \"id\": \"GO-2024-3110\",\n \"modified\": \"2026-02-04T02:23:26.560077Z\"\n },\n {\n \"id\": \"GO-2025-4096\",\n \"modified\": \"2026-02-04T03:11:33.546218Z\"\n },\n {\n \"id\": \"GO-2025-4097\",\n \"modified\": \"2026-02-04T03:00:55.376695Z\"\n },\n {\n \"id\": \"GO-2025-4098\",\n \"modified\": \"2026-02-04T02:52:46.004719Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-p782-xgp4-8hr8\",\n \"modified\": \"2026-02-04T04:15:14.486111Z\"\n },\n {\n \"id\": \"GO-2022-0493\",\n \"modified\": \"2026-02-04T03:42:54.589715Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DSA-5122-1\",\n \"modified\": \"2026-03-09T02:09:10.163691Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-0379\",\n \"modified\": \"2025-11-19T01:06:25.120079Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7526\",\n \"modified\": \"2025-11-19T02:04:40.318681Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0495\",\n \"modified\": \"2025-11-19T02:04:27.207183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6829\",\n \"modified\": \"2026-03-10T05:05:47.263837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-13627\",\n \"modified\": \"2025-11-19T01:12:35.581705Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-33560\",\n \"modified\": \"2026-03-10T05:07:08.938163Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-40528\",\n \"modified\": \"2025-11-19T01:01:59.995618Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2236\",\n \"modified\": \"2026-03-10T05:09:58.705229Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-10790\",\n \"modified\": \"2025-11-19T01:01:57.855157Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-1000654\",\n \"modified\": \"2025-11-19T02:02:40.642360Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6003\",\n \"modified\": \"2025-11-19T01:06:22.990063Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-46848\",\n \"modified\": \"2025-11-20T10:15:14.681077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12133\",\n \"modified\": \"2025-11-20T10:17:02.620233Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-13151\",\n \"modified\": \"2026-01-20T05:13:20.502324Z\"\n },\n {\n \"id\": \"DLA-3263-1\",\n \"modified\": \"2026-03-09T01:22:34.273046Z\"\n },\n {\n \"id\": \"DLA-4061-1\",\n \"modified\": \"2026-03-09T01:20:16.124977Z\"\n },\n {\n \"id\": \"DSA-5863-1\",\n \"modified\": \"2026-03-09T02:08:50.747280Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-3709\",\n \"modified\": \"2025-11-20T10:12:11.931996Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2016-9318\",\n \"modified\": \"2025-11-19T02:02:45.582059Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-0663\",\n \"modified\": \"2025-11-19T02:02:52.056836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-15412\",\n \"modified\": \"2025-11-19T01:08:49.499099Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16931\",\n \"modified\": \"2025-11-19T02:04:25.542166Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-16932\",\n \"modified\": \"2025-11-19T01:04:39.458229Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-18258\",\n \"modified\": \"2025-11-19T01:08:48.927062Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5130\",\n \"modified\": \"2025-11-19T01:03:12.822124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-5969\",\n \"modified\": \"2025-11-19T01:08:52.062516Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7375\",\n \"modified\": \"2025-11-19T02:02:48.011785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-7376\",\n \"modified\": \"2025-11-19T02:01:17.016443Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-8872\",\n \"modified\": \"2025-11-19T02:04:31.920669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9047\",\n \"modified\": \"2025-11-19T02:04:30.335407Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9048\",\n \"modified\": \"2025-11-19T01:19:09.303210Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9049\",\n \"modified\": \"2025-11-19T01:03:12.259406Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-9050\",\n \"modified\": \"2025-11-19T01:08:53.069573Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14404\",\n \"modified\": \"2025-11-19T01:12:32.274520Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-14567\",\n \"modified\": \"2025-11-19T01:08:49.660035Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-19956\",\n \"modified\": \"2025-11-19T02:01:17.970372Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-20388\",\n \"modified\": \"2025-11-19T02:04:37.363509Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-24977\",\n \"modified\": \"2025-11-19T02:04:41.266003Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-7595\",\n \"modified\": \"2025-11-19T02:04:29.271836Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3516\",\n \"modified\": \"2025-11-19T02:01:14.946107Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3517\",\n \"modified\": \"2025-11-19T01:12:34.981900Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3518\",\n \"modified\": \"2025-11-19T01:19:08.645337Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3537\",\n \"modified\": \"2025-11-19T02:04:30.248276Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3541\",\n \"modified\": \"2025-11-19T02:04:36.614917Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2309\",\n \"modified\": \"2025-11-20T10:15:28.694644Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-23308\",\n \"modified\": \"2025-11-20T10:15:29.029152Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-29824\",\n \"modified\": \"2025-11-20T10:15:52.814213Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40303\",\n \"modified\": \"2025-11-20T10:16:01.982632Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-40304\",\n \"modified\": \"2025-11-20T10:16:01.918054Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-49043\",\n \"modified\": \"2025-11-20T10:16:12.358770Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-28484\",\n \"modified\": \"2025-11-20T10:16:35.199991Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-29469\",\n \"modified\": \"2025-11-20T10:17:34.943682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39615\",\n \"modified\": \"2025-11-20T10:16:41.593841Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-45322\",\n \"modified\": \"2025-11-20T10:16:44.891362Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-25062\",\n \"modified\": \"2025-11-20T10:17:04.986212Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-34459\",\n \"modified\": \"2025-11-20T10:17:41.570595Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56171\",\n \"modified\": \"2025-11-20T10:17:48.605695Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-24928\",\n \"modified\": \"2025-11-20T10:18:05.778161Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27113\",\n \"modified\": \"2025-11-20T10:18:06.358243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32414\",\n \"modified\": \"2025-11-20T10:18:08.076077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-32415\",\n \"modified\": \"2025-11-20T10:18:08.251077Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49794\",\n \"modified\": \"2025-11-20T10:18:23.322205Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-49796\",\n \"modified\": \"2025-11-20T10:18:23.585429Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6021\",\n \"modified\": \"2025-11-20T10:18:26.314947Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-6170\",\n \"modified\": \"2025-11-20T10:18:26.670728Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-8732\",\n \"modified\": \"2025-12-14T10:13:26.467517Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9714\",\n \"modified\": \"2026-01-10T14:08:12.148171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0989\",\n \"modified\": \"2026-01-16T11:05:07.928323Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0990\",\n \"modified\": \"2026-01-16T11:05:23.527352Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-0992\",\n \"modified\": \"2026-01-16T11:05:10.515041Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-1757\",\n \"modified\": \"2026-02-03T11:16:44.779248Z\"\n },\n {\n \"id\": \"DLA-3012-1\",\n \"modified\": \"2026-03-09T01:20:46.878115Z\"\n },\n {\n \"id\": \"DLA-3172-1\",\n \"modified\": \"2026-03-09T01:19:54.747665Z\"\n },\n {\n \"id\": \"DLA-3405-1\",\n \"modified\": \"2026-03-09T01:01:29.748040Z\"\n },\n {\n \"id\": \"DLA-3878-1\",\n \"modified\": \"2026-03-09T01:20:38.676387Z\"\n },\n {\n \"id\": \"DLA-4064-1\",\n \"modified\": \"2026-03-09T01:20:30.558703Z\"\n },\n {\n \"id\": \"DLA-4146-1\",\n \"modified\": \"2026-03-09T01:22:43.732573Z\"\n },\n {\n \"id\": \"DLA-4251-1\",\n \"modified\": \"2026-03-09T02:11:12.986866Z\"\n },\n {\n \"id\": \"DLA-4319-1\",\n \"modified\": \"2025-09-30T22:17:08.381361Z\"\n },\n {\n \"id\": \"DSA-5142-1\",\n \"modified\": \"2026-03-09T02:10:58.737631Z\"\n },\n {\n \"id\": \"DSA-5271-1\",\n \"modified\": \"2026-03-09T02:10:55.154283Z\"\n },\n {\n \"id\": \"DSA-5391-1\",\n \"modified\": \"2026-03-09T02:09:39.164621Z\"\n },\n {\n \"id\": \"DSA-5949-1\",\n \"modified\": \"2026-03-09T02:09:32.257423Z\"\n },\n {\n \"id\": \"DSA-5990-1\",\n \"modified\": \"2025-08-29T13:01:48.117026Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2018-0732\",\n \"modified\": \"2025-11-19T02:02:54.249966Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0734\",\n \"modified\": \"2025-11-19T02:02:43.768735Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-0735\",\n \"modified\": \"2025-11-19T01:19:04.251217Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-5407\",\n \"modified\": \"2025-11-19T01:02:00.203143Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1543\",\n \"modified\": \"2025-11-19T01:12:34.981629Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1547\",\n \"modified\": \"2025-11-19T01:12:35.687253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1549\",\n \"modified\": \"2025-11-19T01:04:40.924710Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1551\",\n \"modified\": \"2025-11-19T01:19:08.067279Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-1563\",\n \"modified\": \"2025-11-19T02:04:34.392400Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1967\",\n \"modified\": \"2025-11-19T02:04:38.886020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-1971\",\n \"modified\": \"2025-11-19T02:04:28.520483Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23840\",\n \"modified\": \"2025-11-19T01:03:14.356310Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-23841\",\n \"modified\": \"2025-11-19T02:02:54.160482Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3449\",\n \"modified\": \"2025-11-19T01:04:41.495834Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3450\",\n \"modified\": \"2025-11-19T02:01:16.123253Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3711\",\n \"modified\": \"2025-11-20T10:15:44.121033Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3712\",\n \"modified\": \"2025-11-20T10:15:44.130193Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-4160\",\n \"modified\": \"2025-11-20T10:15:10.185497Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0778\",\n \"modified\": \"2025-11-20T10:15:47.332694Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-1292\",\n \"modified\": \"2025-11-20T10:15:25.471825Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2068\",\n \"modified\": \"2025-11-20T10:15:27.022420Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2097\",\n \"modified\": \"2025-11-20T10:15:27.065089Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-2274\",\n \"modified\": \"2025-11-19T02:02:45.418259Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3358\",\n \"modified\": \"2025-11-19T01:06:25.721124Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3602\",\n \"modified\": \"2025-11-19T01:12:35.687556Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3786\",\n \"modified\": \"2025-11-19T01:19:02.748977Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-3996\",\n \"modified\": \"2025-11-19T02:01:16.596616Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4203\",\n \"modified\": \"2025-11-19T02:01:16.313531Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4304\",\n \"modified\": \"2025-11-20T10:16:04.313466Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-4450\",\n \"modified\": \"2025-11-20T10:16:05.367442Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0215\",\n \"modified\": \"2025-11-20T10:16:27.838296Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0216\",\n \"modified\": \"2025-11-19T02:04:35.947667Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0217\",\n \"modified\": \"2025-11-19T01:12:37.272749Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0286\",\n \"modified\": \"2025-11-20T10:16:27.985311Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0401\",\n \"modified\": \"2025-11-19T01:12:36.298552Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0464\",\n \"modified\": \"2025-11-20T10:16:28.057931Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0465\",\n \"modified\": \"2025-11-20T10:16:28.143046Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-0466\",\n \"modified\": \"2025-11-20T10:16:28.053837Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-1255\",\n \"modified\": \"2025-11-19T01:08:49.387669Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2650\",\n \"modified\": \"2025-11-20T10:17:34.439123Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-2975\",\n \"modified\": \"2025-11-20T10:16:36.112183Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3446\",\n \"modified\": \"2025-11-20T10:16:38.860251Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-3817\",\n \"modified\": \"2025-11-20T10:17:35.737266Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5363\",\n \"modified\": \"2025-11-20T10:16:59.430619Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-5678\",\n \"modified\": \"2025-11-20T10:17:38.719690Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6129\",\n \"modified\": \"2025-11-20T10:17:39.029757Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-6237\",\n \"modified\": \"2025-11-20T10:17:39.218097Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-0727\",\n \"modified\": \"2025-11-20T10:17:01.258658Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-12797\",\n \"modified\": \"2025-11-19T02:04:36.131726Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-13176\",\n \"modified\": \"2026-03-17T02:49:44.824285Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-2511\",\n \"modified\": \"2025-11-20T10:17:05.139581Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4603\",\n \"modified\": \"2025-11-20T10:17:43.955114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-4741\",\n \"modified\": \"2025-11-20T10:17:26.990307Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-5535\",\n \"modified\": \"2025-11-20T10:17:48.194687Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-6119\",\n \"modified\": \"2025-11-20T10:17:53.824117Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-9143\",\n \"modified\": \"2025-11-20T10:17:55.864918Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-11187\",\n \"modified\": \"2026-03-17T02:47:10.761659Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15467\",\n \"modified\": \"2026-03-17T02:51:11.866899Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15468\",\n \"modified\": \"2026-03-17T02:51:12.304672Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-15469\",\n \"modified\": \"2026-03-17T02:51:12.299847Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-27587\",\n \"modified\": \"2026-03-17T02:51:34.552234Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-4575\",\n \"modified\": \"2025-11-19T02:02:43.971243Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-66199\",\n \"modified\": \"2026-03-17T02:52:26.091887Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-68160\",\n \"modified\": \"2026-03-17T02:50:42.645267Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69418\",\n \"modified\": \"2026-03-17T02:51:22.404226Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69419\",\n \"modified\": \"2026-03-17T02:51:22.497785Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69420\",\n \"modified\": \"2026-03-17T02:51:22.651361Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-69421\",\n \"modified\": \"2026-03-17T02:51:22.561721Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9230\",\n \"modified\": \"2026-03-17T02:51:39.764914Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9231\",\n \"modified\": \"2026-03-17T02:51:39.727656Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-9232\",\n \"modified\": \"2026-03-17T02:51:39.882696Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22795\",\n \"modified\": \"2026-03-17T02:51:47.646020Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-22796\",\n \"modified\": \"2026-03-17T02:51:47.743030Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-2673\",\n \"modified\": \"2026-03-18T09:03:28.363302Z\"\n },\n {\n \"id\": \"DLA-3008-1\",\n \"modified\": \"2026-03-09T01:23:33.375630Z\"\n },\n {\n \"id\": \"DLA-3325-1\",\n \"modified\": \"2026-03-09T01:19:40.983935Z\"\n },\n {\n \"id\": \"DLA-3449-1\",\n \"modified\": \"2026-03-09T01:22:47.322805Z\"\n },\n {\n \"id\": \"DLA-3530-1\",\n \"modified\": \"2026-03-09T01:19:28.929204Z\"\n },\n {\n \"id\": \"DLA-3942-1\",\n \"modified\": \"2026-03-09T01:22:40.686044Z\"\n },\n {\n \"id\": \"DLA-3942-2\",\n \"modified\": \"2026-03-09T01:21:01.728730Z\"\n },\n {\n \"id\": \"DLA-4176-1\",\n \"modified\": \"2026-03-09T01:20:23.459313Z\"\n },\n {\n \"id\": \"DLA-4321-1\",\n \"modified\": \"2025-10-03T16:33:24.717173Z\"\n },\n {\n \"id\": \"DLA-4490-1\",\n \"modified\": \"2026-02-23T10:30:28.927832Z\"\n },\n {\n \"id\": \"DSA-4539-1\",\n \"modified\": \"2026-03-09T02:09:20.276054Z\"\n },\n {\n \"id\": \"DSA-4539-3\",\n \"modified\": \"2025-05-26T07:05:14.261652Z\"\n },\n {\n \"id\": \"DSA-4661-1\",\n \"modified\": \"2026-03-09T02:08:53.792348Z\"\n },\n {\n \"id\": \"DSA-4807-1\",\n \"modified\": \"2026-03-09T02:10:20.442914Z\"\n },\n {\n \"id\": \"DSA-4855-1\",\n \"modified\": \"2026-03-09T02:11:29.405206Z\"\n },\n {\n \"id\": \"DSA-4875-1\",\n \"modified\": \"2026-03-09T02:10:05.387501Z\"\n },\n {\n \"id\": \"DSA-4963-1\",\n \"modified\": \"2026-03-09T02:10:15.488747Z\"\n },\n {\n \"id\": \"DSA-5103-1\",\n \"modified\": \"2026-03-09T02:09:42.407559Z\"\n },\n {\n \"id\": \"DSA-5139-1\",\n \"modified\": \"2026-03-09T02:09:17.334653Z\"\n },\n {\n \"id\": \"DSA-5169-1\",\n \"modified\": \"2026-03-09T02:09:37.692763Z\"\n },\n {\n \"id\": \"DSA-5343-1\",\n \"modified\": \"2026-03-09T02:09:47.149297Z\"\n },\n {\n \"id\": \"DSA-5417-1\",\n \"modified\": \"2026-03-09T02:09:39.950679Z\"\n },\n {\n \"id\": \"DSA-5532-1\",\n \"modified\": \"2026-03-09T02:08:31.395482Z\"\n },\n {\n \"id\": \"DSA-5764-1\",\n \"modified\": \"2026-03-09T02:09:02.723874Z\"\n },\n {\n \"id\": \"DSA-6015-1\",\n \"modified\": \"2025-10-01T13:32:01.848986Z\"\n },\n {\n \"id\": \"DSA-6113-1\",\n \"modified\": \"2026-01-27T20:30:04.397078Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2011-4116\",\n \"modified\": \"2025-11-20T10:10:50.058601Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12837\",\n \"modified\": \"2025-11-19T01:03:14.361068Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2017-12883\",\n \"modified\": \"2025-11-19T01:12:38.323688Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-12015\",\n \"modified\": \"2025-11-19T02:02:49.033339Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18311\",\n \"modified\": \"2025-11-19T01:12:36.918544Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18312\",\n \"modified\": \"2025-11-19T02:04:33.584277Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18313\",\n \"modified\": \"2025-11-19T01:06:24.154928Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-18314\",\n \"modified\": \"2025-11-19T01:12:35.416886Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6797\",\n \"modified\": \"2025-11-19T02:04:23.831823Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6798\",\n \"modified\": \"2025-11-19T02:02:49.628171Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-6913\",\n \"modified\": \"2025-11-19T02:02:50.593437Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10543\",\n \"modified\": \"2025-11-19T01:04:39.904198Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-10878\",\n \"modified\": \"2025-11-19T01:12:35.457057Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-12723\",\n \"modified\": \"2025-11-19T02:02:47.094787Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2020-16156\",\n \"modified\": \"2025-11-20T10:14:36.701112Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-36770\",\n \"modified\": \"2025-11-20T10:15:44.080114Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48522\",\n \"modified\": \"2025-11-19T01:08:52.915564Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31484\",\n \"modified\": \"2025-11-20T10:17:35.627220Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-31486\",\n \"modified\": \"2026-03-17T02:48:35.857896Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-47038\",\n \"modified\": \"2025-11-20T10:16:46.343364Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-56406\",\n \"modified\": \"2025-11-20T10:17:48.686371Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-40909\",\n \"modified\": \"2025-11-20T10:18:21.143971Z\"\n },\n {\n \"id\": \"DLA-3926-1\",\n \"modified\": \"2026-03-09T01:20:46.118633Z\"\n },\n {\n \"id\": \"DSA-5902-1\",\n \"modified\": \"2026-03-09T02:09:19.793163Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3072-1\",\n \"modified\": \"2026-03-09T01:22:24.680239Z\"\n },\n {\n \"id\": \"DLA-3189-1\",\n \"modified\": \"2025-05-26T07:01:07.887113Z\"\n },\n {\n \"id\": \"DLA-3316-1\",\n \"modified\": \"2025-05-26T07:01:13.127412Z\"\n },\n {\n \"id\": \"DLA-3422-1\",\n \"modified\": \"2026-03-09T01:20:56.692752Z\"\n },\n {\n \"id\": \"DLA-3600-1\",\n \"modified\": \"2026-03-09T01:17:49.966197Z\"\n },\n {\n \"id\": \"DLA-3651-1\",\n \"modified\": \"2026-03-09T01:18:05.310519Z\"\n },\n {\n \"id\": \"DLA-3764-1\",\n \"modified\": \"2026-03-09T01:23:22.273526Z\"\n },\n {\n \"id\": \"DSA-5135-1\",\n \"modified\": \"2026-03-09T02:11:21.646978Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2017-17512\",\n \"modified\": \"2025-11-19T02:04:30.656495Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2005-2541\",\n \"modified\": \"2026-03-17T02:42:47.789952Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-20482\",\n \"modified\": \"2025-11-19T02:02:47.070832Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2019-9923\",\n \"modified\": \"2025-11-19T02:02:53.559001Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-20193\",\n \"modified\": \"2025-11-19T01:01:55.139356Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-48303\",\n \"modified\": \"2025-11-20T10:16:07.552593Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2023-39804\",\n \"modified\": \"2025-11-20T10:16:41.587973Z\"\n },\n {\n \"id\": \"DLA-3755-1\",\n \"modified\": \"2026-03-09T01:18:04.185679Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-3051-1\",\n \"modified\": \"2025-05-26T07:01:56.257796Z\"\n },\n {\n \"id\": \"DLA-3134-1\",\n \"modified\": \"2025-05-26T07:01:01.500124Z\"\n },\n {\n \"id\": \"DLA-3161-1\",\n \"modified\": \"2025-05-26T07:01:03.882213Z\"\n },\n {\n \"id\": \"DLA-3366-1\",\n \"modified\": \"2025-05-26T07:01:17.027142Z\"\n },\n {\n \"id\": \"DLA-3412-1\",\n \"modified\": \"2025-05-26T07:01:20.109212Z\"\n },\n {\n \"id\": \"DLA-3684-1\",\n \"modified\": \"2025-05-26T07:01:38.953691Z\"\n },\n {\n \"id\": \"DLA-3788-1\",\n \"modified\": \"2025-05-26T07:01:46.700929Z\"\n },\n {\n \"id\": \"DLA-3972-1\",\n \"modified\": \"2025-05-26T07:02:05.284676Z\"\n },\n {\n \"id\": \"DLA-4085-1\",\n \"modified\": \"2025-05-26T07:02:10.958749Z\"\n },\n {\n \"id\": \"DLA-4105-1\",\n \"modified\": \"2025-05-26T07:02:13.921097Z\"\n },\n {\n \"id\": \"DLA-4403-1\",\n \"modified\": \"2025-12-12T10:13:37.154747Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DLA-4016-1\",\n \"modified\": \"2025-05-26T07:02:06.504254Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2016-2779\",\n \"modified\": \"2025-11-19T01:12:38.591462Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2018-7738\",\n \"modified\": \"2025-11-20T10:13:54.493707Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-37600\",\n \"modified\": \"2025-11-19T02:02:43.997954Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3995\",\n \"modified\": \"2025-11-20T10:15:45.587792Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2021-3996\",\n \"modified\": \"2025-11-20T10:15:45.602424Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2022-0563\",\n \"modified\": \"2026-03-17T02:46:43.123134Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-28085\",\n \"modified\": \"2025-11-20T10:17:41.612682Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-14104\",\n \"modified\": \"2026-03-05T17:00:58.361610Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2026-3184\",\n \"modified\": \"2026-02-26T09:30:44.219098Z\"\n },\n {\n \"id\": \"DLA-3782-1\",\n \"modified\": \"2026-03-09T01:20:42.573872Z\"\n },\n {\n \"id\": \"DSA-5055-1\",\n \"modified\": \"2026-03-09T02:10:40.826335Z\"\n },\n {\n \"id\": \"DSA-5650-1\",\n \"modified\": \"2026-03-09T02:08:30.371343Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"DEBIAN-CVE-2022-1271\",\n \"modified\": \"2025-11-20T10:15:47.940295Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2024-3094\",\n \"modified\": \"2025-11-19T01:12:34.542011Z\"\n },\n {\n \"id\": \"DEBIAN-CVE-2025-31115\",\n \"modified\": \"2025-11-20T10:18:07.484724Z\"\n },\n {\n \"id\": \"DSA-5123-1\",\n \"modified\": \"2026-03-09T02:10:46.054497Z\"\n },\n {\n \"id\": \"DSA-5895-1\",\n \"modified\": \"2026-03-09T02:08:52.515269Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"21542\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_ExplicitExtractors_WithDefaults.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_an_extractor_that_does_not_exist\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 399\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_disabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 22\n body: |\n {\n \"results\": [\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"22\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_directory_with_one_specific_extractor_enabled_and_the_defaults\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_different_extractor_enabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithDefaults/scanning_file_with_one_specific_extractor_enabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_ExplicitExtractors_WithoutDefaults.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 273\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_individually\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 273\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_a_couple_of_specific_extractors_enabled_specified_together\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_an_extractor_that_does_not_exist\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 399\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_disabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 22\n body: |\n {\n \"results\": [\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"22\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_directory_with_one_specific_extractor_enabled_and_no_defaults\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_ExplicitExtractors_WithoutDefaults/scanning_file_with_one_specific_extractor_enabled\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_GithubActions.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 238\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"commit\": \"4579d5538f06c5ef615a15bc67ebb9ac0523a973\"\n },\n {\n \"commit\": \"9de7a0544457c6aba755ccb65abb41b0dc1db70d\"\n },\n {\n \"commit\": \"5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_GithubActions/scanning_osv-scanner_custom_format\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 161\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2023-39137\",\n \"modified\": \"2026-03-15T14:11:43.205446Z\"\n },\n {\n \"id\": \"CVE-2023-39139\",\n \"modified\": \"2026-03-14T12:08:30.752661Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"161\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 238\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"commit\": \"4579d5538f06c5ef615a15bc67ebb9ac0523a973\"\n },\n {\n \"commit\": \"9de7a0544457c6aba755ccb65abb41b0dc1db70d\"\n },\n {\n \"commit\": \"5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_GithubActions/scanning_osv-scanner_custom_format_output_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 161\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2023-39137\",\n \"modified\": \"2026-03-15T14:11:43.205446Z\"\n },\n {\n \"id\": \"CVE-2023-39139\",\n \"modified\": \"2026-03-14T12:08:30.752661Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"161\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 169\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"GIT\",\n \"name\": \"github.com/openssl/openssl\"\n },\n \"version\": \"openssl-3.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_GithubActions/scanning_osv-scanner_custom_format_with_git_tag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2593\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"CVE-2016-2177\",\n \"modified\": \"2026-03-15T22:22:35.782155Z\"\n },\n {\n \"id\": \"CVE-2016-2182\",\n \"modified\": \"2026-03-15T22:06:16.823524Z\"\n },\n {\n \"id\": \"CVE-2022-2274\",\n \"modified\": \"2026-03-14T00:45:56.901948Z\"\n },\n {\n \"id\": \"CVE-2022-3358\",\n \"modified\": \"2026-03-15T22:44:12.519547Z\"\n },\n {\n \"id\": \"CVE-2022-3996\",\n \"modified\": \"2026-03-15T22:44:21.336918Z\"\n },\n {\n \"id\": \"CVE-2022-4203\",\n \"modified\": \"2026-03-14T11:56:48.298901Z\"\n },\n {\n \"id\": \"CVE-2022-4304\",\n \"modified\": \"2026-03-14T11:57:20.473258Z\"\n },\n {\n \"id\": \"CVE-2022-4450\",\n \"modified\": \"2026-03-15T14:48:08.469047Z\"\n },\n {\n \"id\": \"CVE-2023-0215\",\n \"modified\": \"2026-03-15T22:46:35.699581Z\"\n },\n {\n \"id\": \"CVE-2023-0216\",\n \"modified\": \"2026-03-14T14:54:02.977746Z\"\n },\n {\n \"id\": \"CVE-2023-0217\",\n \"modified\": \"2026-03-15T22:46:23.122521Z\"\n },\n {\n \"id\": \"CVE-2023-0286\",\n \"modified\": \"2026-03-14T11:56:55.751641Z\"\n },\n {\n \"id\": \"CVE-2023-0401\",\n \"modified\": \"2026-03-14T12:00:52.936954Z\"\n },\n {\n \"id\": \"CVE-2023-0464\",\n \"modified\": \"2026-03-15T22:46:00.576549Z\"\n },\n {\n \"id\": \"CVE-2023-0465\",\n \"modified\": \"2026-03-15T22:45:58.975327Z\"\n },\n {\n \"id\": \"CVE-2023-0466\",\n \"modified\": \"2026-03-15T22:46:04.107702Z\"\n },\n {\n \"id\": \"CVE-2023-1255\",\n \"modified\": \"2026-03-14T12:01:08.330785Z\"\n },\n {\n \"id\": \"CVE-2023-2650\",\n \"modified\": \"2026-03-15T22:46:51.910562Z\"\n },\n {\n \"id\": \"CVE-2023-2975\",\n \"modified\": \"2026-03-15T14:49:55.221034Z\"\n },\n {\n \"id\": \"CVE-2023-3817\",\n \"modified\": \"2026-03-15T22:45:38.616987Z\"\n },\n {\n \"id\": \"CVE-2023-4807\",\n \"modified\": \"2026-03-14T12:23:37.361743Z\"\n },\n {\n \"id\": \"CVE-2023-5363\",\n \"modified\": \"2026-03-15T22:49:01.513389Z\"\n },\n {\n \"id\": \"CVE-2023-5678\",\n \"modified\": \"2026-03-15T22:49:18.011924Z\"\n },\n {\n \"id\": \"CVE-2023-6129\",\n \"modified\": \"2026-03-15T21:45:17.017844Z\"\n },\n {\n \"id\": \"CVE-2023-6237\",\n \"modified\": \"2026-03-15T22:49:35.974149Z\"\n },\n {\n \"id\": \"CVE-2024-13176\",\n \"modified\": \"2026-03-15T22:49:27.674006Z\"\n },\n {\n \"id\": \"CVE-2024-2511\",\n \"modified\": \"2026-03-15T22:50:31.329929Z\"\n },\n {\n \"id\": \"CVE-2024-4603\",\n \"modified\": \"2026-03-15T13:45:23.443979Z\"\n },\n {\n \"id\": \"CVE-2024-4741\",\n \"modified\": \"2026-03-15T22:50:47.073119Z\"\n },\n {\n \"id\": \"CVE-2024-5535\",\n \"modified\": \"2026-03-15T22:50:00.523154Z\"\n },\n {\n \"id\": \"CVE-2024-9143\",\n \"modified\": \"2026-03-15T22:52:44.104304Z\"\n },\n {\n \"id\": \"CVE-2025-15467\",\n \"modified\": \"2026-03-15T22:51:41.488774Z\"\n },\n {\n \"id\": \"CVE-2025-68160\",\n \"modified\": \"2026-03-15T22:52:16.241316Z\"\n },\n {\n \"id\": \"CVE-2025-69418\",\n \"modified\": \"2026-03-15T22:52:15.052519Z\"\n },\n {\n \"id\": \"CVE-2025-69419\",\n \"modified\": \"2026-03-15T22:52:23.255585Z\"\n },\n {\n \"id\": \"CVE-2025-69420\",\n \"modified\": \"2026-03-15T14:54:02.448397Z\"\n },\n {\n \"id\": \"CVE-2025-9230\",\n \"modified\": \"2026-03-15T21:45:01.944849Z\"\n },\n {\n \"id\": \"CVE-2025-9232\",\n \"modified\": \"2026-03-15T22:22:16.665069Z\"\n },\n {\n \"id\": \"CVE-2026-22795\",\n \"modified\": \"2026-03-15T14:55:17.107605Z\"\n },\n {\n \"id\": \"CVE-2026-22796\",\n \"modified\": \"2026-03-15T22:54:02.133546Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"2593\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HtmlFile.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_HtmlFile\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_HtmlFile_Deprecated.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_HtmlFile_Deprecated\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_JavareachArchive.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3196\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-core\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-kms\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-s3\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:jmespath-java\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.example:hello-tester\"\n },\n \"version\": \"1.0-SNAPSHOT\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-annotations\"\n },\n \"version\": \"2.6.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"version\": \"2.14.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\"\n },\n \"version\": \"2.6.7.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor\"\n },\n \"version\": \"2.6.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-codec:commons-codec\"\n },\n \"version\": \"1.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-logging:commons-logging\"\n },\n \"version\": \"1.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"joda-time:joda-time\"\n },\n \"version\": \"2.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-lang3\"\n },\n \"version\": \"3.12.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpclient\"\n },\n \"version\": \"4.5.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpcore\"\n },\n \"version\": \"4.4.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-continuation\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-http\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-io\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-servlets\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-util\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"software.amazon.ion:ion-java\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 4418\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c28r-hw5m-5gv3\",\n \"modified\": \"2023-11-08T04:09:28.159861Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-72hv-8253-57qq\",\n \"modified\": \"2026-03-04T15:06:51.908001Z\"\n },\n {\n \"id\": \"GHSA-h46c-h94j-95f3\",\n \"modified\": \"2026-02-04T03:44:39.385253Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-288c-cq4h-88gq\",\n \"modified\": \"2026-02-04T04:33:29.159339Z\"\n },\n {\n \"id\": \"GHSA-4gq5-ch57-c2mg\",\n \"modified\": \"2024-03-15T05:20:21.411726Z\"\n },\n {\n \"id\": \"GHSA-4w82-r329-3q67\",\n \"modified\": \"2024-03-16T05:18:54.922179Z\"\n },\n {\n \"id\": \"GHSA-57j2-w4cx-62h2\",\n \"modified\": \"2026-02-04T04:26:14.546092Z\"\n },\n {\n \"id\": \"GHSA-5949-rw7g-wx7w\",\n \"modified\": \"2025-09-15T07:42:14.888352Z\"\n },\n {\n \"id\": \"GHSA-5r5r-6hpj-8gg9\",\n \"modified\": \"2024-02-18T05:42:28.539166Z\"\n },\n {\n \"id\": \"GHSA-5ww9-j83m-q7qx\",\n \"modified\": \"2024-03-15T01:17:50.016820Z\"\n },\n {\n \"id\": \"GHSA-645p-88qh-w398\",\n \"modified\": \"2024-03-16T05:19:17.936174Z\"\n },\n {\n \"id\": \"GHSA-6fpp-rgj9-8rwc\",\n \"modified\": \"2024-03-15T05:18:54.134884Z\"\n },\n {\n \"id\": \"GHSA-85cw-hj65-qqv9\",\n \"modified\": \"2024-03-15T05:20:15.574552Z\"\n },\n {\n \"id\": \"GHSA-89qr-369f-5m5x\",\n \"modified\": \"2024-02-18T05:37:27.581808Z\"\n },\n {\n \"id\": \"GHSA-8c4j-34r4-xr8g\",\n \"modified\": \"2024-02-18T05:31:52.762759Z\"\n },\n {\n \"id\": \"GHSA-8w26-6f25-cm9x\",\n \"modified\": \"2024-02-18T05:30:48.085017Z\"\n },\n {\n \"id\": \"GHSA-9gph-22xh-8x98\",\n \"modified\": \"2024-02-18T05:33:27.617261Z\"\n },\n {\n \"id\": \"GHSA-9m6f-7xcq-8vf8\",\n \"modified\": \"2024-02-18T05:32:25.400029Z\"\n },\n {\n \"id\": \"GHSA-c8hm-7hpq-7jhg\",\n \"modified\": \"2024-03-15T01:17:19.251183Z\"\n },\n {\n \"id\": \"GHSA-cf6r-3wgc-h863\",\n \"modified\": \"2024-02-18T05:32:56.325249Z\"\n },\n {\n \"id\": \"GHSA-cggj-fvv3-cqwv\",\n \"modified\": \"2024-03-15T01:18:46.938616Z\"\n },\n {\n \"id\": \"GHSA-cjjf-94ff-43w7\",\n \"modified\": \"2024-03-11T05:19:23.395848Z\"\n },\n {\n \"id\": \"GHSA-cmfg-87vq-g5g4\",\n \"modified\": \"2024-03-15T01:18:17.903231Z\"\n },\n {\n \"id\": \"GHSA-cvm9-fjm9-3572\",\n \"modified\": \"2024-02-18T05:25:36.165759Z\"\n },\n {\n \"id\": \"GHSA-f3j5-rmmp-3fc5\",\n \"modified\": \"2024-03-15T05:20:35.120151Z\"\n },\n {\n \"id\": \"GHSA-f9xh-2qgp-cq57\",\n \"modified\": \"2024-02-18T05:32:05.421673Z\"\n },\n {\n \"id\": \"GHSA-fmmc-742q-jg75\",\n \"modified\": \"2024-03-16T05:19:55.172981Z\"\n },\n {\n \"id\": \"GHSA-fqwf-pjwf-7vqv\",\n \"modified\": \"2024-07-03T21:22:37.578162Z\"\n },\n {\n \"id\": \"GHSA-gjmw-vf9h-g25v\",\n \"modified\": \"2024-03-16T05:19:37.211801Z\"\n },\n {\n \"id\": \"GHSA-gwp4-hfv6-p7hw\",\n \"modified\": \"2024-03-13T05:27:58.436849Z\"\n },\n {\n \"id\": \"GHSA-gww7-p5w4-wrfv\",\n \"modified\": \"2024-03-15T01:05:18.790961Z\"\n },\n {\n \"id\": \"GHSA-h3cw-g4mq-c5x2\",\n \"modified\": \"2024-02-18T05:30:45.329621Z\"\n },\n {\n \"id\": \"GHSA-h592-38cm-4ggp\",\n \"modified\": \"2024-03-15T01:16:50.905794Z\"\n },\n {\n \"id\": \"GHSA-h822-r4r5-v8jg\",\n \"modified\": \"2026-02-04T02:19:17.186100Z\"\n },\n {\n \"id\": \"GHSA-jjjh-jjxp-wpff\",\n \"modified\": \"2026-02-04T02:23:59.070528Z\"\n },\n {\n \"id\": \"GHSA-m6x4-97wx-4q27\",\n \"modified\": \"2024-02-18T05:21:54.725837Z\"\n },\n {\n \"id\": \"GHSA-mph4-vhrx-mv67\",\n \"modified\": \"2024-03-15T01:16:21.467932Z\"\n },\n {\n \"id\": \"GHSA-mx7p-6679-8g3q\",\n \"modified\": \"2024-03-15T01:01:46.432481Z\"\n },\n {\n \"id\": \"GHSA-p43x-xfjf-5jhr\",\n \"modified\": \"2024-03-15T00:33:14.700288Z\"\n },\n {\n \"id\": \"GHSA-q93h-jc49-78gg\",\n \"modified\": \"2024-03-16T05:19:47.711015Z\"\n },\n {\n \"id\": \"GHSA-qjw2-hr98-qgfh\",\n \"modified\": \"2024-02-18T05:20:56.894470Z\"\n },\n {\n \"id\": \"GHSA-qr7j-h6gg-jmgc\",\n \"modified\": \"2024-03-11T05:21:14.313980Z\"\n },\n {\n \"id\": \"GHSA-r3gr-cxrf-hg25\",\n \"modified\": \"2024-06-25T14:20:21.323050Z\"\n },\n {\n \"id\": \"GHSA-r695-7vr9-jgc2\",\n \"modified\": \"2024-02-18T05:30:45.856594Z\"\n },\n {\n \"id\": \"GHSA-rfx6-vp9g-rh7v\",\n \"modified\": \"2024-03-11T05:17:47.425595Z\"\n },\n {\n \"id\": \"GHSA-rgv9-q543-rqg4\",\n \"modified\": \"2026-02-04T02:40:22.352009Z\"\n },\n {\n \"id\": \"GHSA-rpr3-cw39-3pxh\",\n \"modified\": \"2026-03-13T22:01:03.241551Z\"\n },\n {\n \"id\": \"GHSA-v585-23hc-c647\",\n \"modified\": \"2024-02-18T05:22:38.024460Z\"\n },\n {\n \"id\": \"GHSA-vfqx-33qm-g869\",\n \"modified\": \"2024-02-18T05:24:26.785781Z\"\n },\n {\n \"id\": \"GHSA-w3f4-3q6j-rh82\",\n \"modified\": \"2024-03-11T05:18:22.727055Z\"\n },\n {\n \"id\": \"GHSA-wh8g-3j2c-rqj5\",\n \"modified\": \"2024-03-15T00:31:15.123603Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"modified\": \"2026-02-04T03:18:02.851501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"modified\": \"2026-02-04T02:20:49.137443Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cj7v-27pg-wf7q\",\n \"modified\": \"2026-03-13T22:01:09.359414Z\"\n },\n {\n \"id\": \"GHSA-hmr7-m48g-48f6\",\n \"modified\": \"2026-02-04T03:59:52.327364Z\"\n },\n {\n \"id\": \"GHSA-qh8g-58pp-2wxh\",\n \"modified\": \"2026-02-04T05:13:21.910792Z\"\n },\n {\n \"id\": \"GHSA-wjpw-4j6x-6rwh\",\n \"modified\": \"2026-03-09T11:29:07.402944Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-3gh6-v5v9-6v9j\",\n \"modified\": \"2026-02-04T03:12:16.534413Z\"\n },\n {\n \"id\": \"GHSA-gwcr-j4wh-j3cq\",\n \"modified\": \"2026-03-13T21:59:32.515061Z\"\n },\n {\n \"id\": \"GHSA-j26w-f9rq-mr2q\",\n \"modified\": \"2026-02-04T03:32:43.162423Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-264p-99wq-f4j6\",\n \"modified\": \"2026-02-04T03:21:48.913313Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"4418\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3196\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-core\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-kms\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-s3\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:jmespath-java\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.example:hello-tester\"\n },\n \"version\": \"1.0-SNAPSHOT\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-annotations\"\n },\n \"version\": \"2.6.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"version\": \"2.14.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\"\n },\n \"version\": \"2.6.7.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor\"\n },\n \"version\": \"2.6.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-codec:commons-codec\"\n },\n \"version\": \"1.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-logging:commons-logging\"\n },\n \"version\": \"1.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"joda-time:joda-time\"\n },\n \"version\": \"2.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-lang3\"\n },\n \"version\": \"3.12.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpclient\"\n },\n \"version\": \"4.5.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpcore\"\n },\n \"version\": \"4.4.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-continuation\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-http\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-io\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-servlets\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-util\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"software.amazon.ion:ion-java\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_JavareachArchive/jars_can_be_scanned_with_call_analysis_and_disabled_enricher\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 4418\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c28r-hw5m-5gv3\",\n \"modified\": \"2023-11-08T04:09:28.159861Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-72hv-8253-57qq\",\n \"modified\": \"2026-03-04T15:06:51.908001Z\"\n },\n {\n \"id\": \"GHSA-h46c-h94j-95f3\",\n \"modified\": \"2026-02-04T03:44:39.385253Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-288c-cq4h-88gq\",\n \"modified\": \"2026-02-04T04:33:29.159339Z\"\n },\n {\n \"id\": \"GHSA-4gq5-ch57-c2mg\",\n \"modified\": \"2024-03-15T05:20:21.411726Z\"\n },\n {\n \"id\": \"GHSA-4w82-r329-3q67\",\n \"modified\": \"2024-03-16T05:18:54.922179Z\"\n },\n {\n \"id\": \"GHSA-57j2-w4cx-62h2\",\n \"modified\": \"2026-02-04T04:26:14.546092Z\"\n },\n {\n \"id\": \"GHSA-5949-rw7g-wx7w\",\n \"modified\": \"2025-09-15T07:42:14.888352Z\"\n },\n {\n \"id\": \"GHSA-5r5r-6hpj-8gg9\",\n \"modified\": \"2024-02-18T05:42:28.539166Z\"\n },\n {\n \"id\": \"GHSA-5ww9-j83m-q7qx\",\n \"modified\": \"2024-03-15T01:17:50.016820Z\"\n },\n {\n \"id\": \"GHSA-645p-88qh-w398\",\n \"modified\": \"2024-03-16T05:19:17.936174Z\"\n },\n {\n \"id\": \"GHSA-6fpp-rgj9-8rwc\",\n \"modified\": \"2024-03-15T05:18:54.134884Z\"\n },\n {\n \"id\": \"GHSA-85cw-hj65-qqv9\",\n \"modified\": \"2024-03-15T05:20:15.574552Z\"\n },\n {\n \"id\": \"GHSA-89qr-369f-5m5x\",\n \"modified\": \"2024-02-18T05:37:27.581808Z\"\n },\n {\n \"id\": \"GHSA-8c4j-34r4-xr8g\",\n \"modified\": \"2024-02-18T05:31:52.762759Z\"\n },\n {\n \"id\": \"GHSA-8w26-6f25-cm9x\",\n \"modified\": \"2024-02-18T05:30:48.085017Z\"\n },\n {\n \"id\": \"GHSA-9gph-22xh-8x98\",\n \"modified\": \"2024-02-18T05:33:27.617261Z\"\n },\n {\n \"id\": \"GHSA-9m6f-7xcq-8vf8\",\n \"modified\": \"2024-02-18T05:32:25.400029Z\"\n },\n {\n \"id\": \"GHSA-c8hm-7hpq-7jhg\",\n \"modified\": \"2024-03-15T01:17:19.251183Z\"\n },\n {\n \"id\": \"GHSA-cf6r-3wgc-h863\",\n \"modified\": \"2024-02-18T05:32:56.325249Z\"\n },\n {\n \"id\": \"GHSA-cggj-fvv3-cqwv\",\n \"modified\": \"2024-03-15T01:18:46.938616Z\"\n },\n {\n \"id\": \"GHSA-cjjf-94ff-43w7\",\n \"modified\": \"2024-03-11T05:19:23.395848Z\"\n },\n {\n \"id\": \"GHSA-cmfg-87vq-g5g4\",\n \"modified\": \"2024-03-15T01:18:17.903231Z\"\n },\n {\n \"id\": \"GHSA-cvm9-fjm9-3572\",\n \"modified\": \"2024-02-18T05:25:36.165759Z\"\n },\n {\n \"id\": \"GHSA-f3j5-rmmp-3fc5\",\n \"modified\": \"2024-03-15T05:20:35.120151Z\"\n },\n {\n \"id\": \"GHSA-f9xh-2qgp-cq57\",\n \"modified\": \"2024-02-18T05:32:05.421673Z\"\n },\n {\n \"id\": \"GHSA-fmmc-742q-jg75\",\n \"modified\": \"2024-03-16T05:19:55.172981Z\"\n },\n {\n \"id\": \"GHSA-fqwf-pjwf-7vqv\",\n \"modified\": \"2024-07-03T21:22:37.578162Z\"\n },\n {\n \"id\": \"GHSA-gjmw-vf9h-g25v\",\n \"modified\": \"2024-03-16T05:19:37.211801Z\"\n },\n {\n \"id\": \"GHSA-gwp4-hfv6-p7hw\",\n \"modified\": \"2024-03-13T05:27:58.436849Z\"\n },\n {\n \"id\": \"GHSA-gww7-p5w4-wrfv\",\n \"modified\": \"2024-03-15T01:05:18.790961Z\"\n },\n {\n \"id\": \"GHSA-h3cw-g4mq-c5x2\",\n \"modified\": \"2024-02-18T05:30:45.329621Z\"\n },\n {\n \"id\": \"GHSA-h592-38cm-4ggp\",\n \"modified\": \"2024-03-15T01:16:50.905794Z\"\n },\n {\n \"id\": \"GHSA-h822-r4r5-v8jg\",\n \"modified\": \"2026-02-04T02:19:17.186100Z\"\n },\n {\n \"id\": \"GHSA-jjjh-jjxp-wpff\",\n \"modified\": \"2026-02-04T02:23:59.070528Z\"\n },\n {\n \"id\": \"GHSA-m6x4-97wx-4q27\",\n \"modified\": \"2024-02-18T05:21:54.725837Z\"\n },\n {\n \"id\": \"GHSA-mph4-vhrx-mv67\",\n \"modified\": \"2024-03-15T01:16:21.467932Z\"\n },\n {\n \"id\": \"GHSA-mx7p-6679-8g3q\",\n \"modified\": \"2024-03-15T01:01:46.432481Z\"\n },\n {\n \"id\": \"GHSA-p43x-xfjf-5jhr\",\n \"modified\": \"2024-03-15T00:33:14.700288Z\"\n },\n {\n \"id\": \"GHSA-q93h-jc49-78gg\",\n \"modified\": \"2024-03-16T05:19:47.711015Z\"\n },\n {\n \"id\": \"GHSA-qjw2-hr98-qgfh\",\n \"modified\": \"2024-02-18T05:20:56.894470Z\"\n },\n {\n \"id\": \"GHSA-qr7j-h6gg-jmgc\",\n \"modified\": \"2024-03-11T05:21:14.313980Z\"\n },\n {\n \"id\": \"GHSA-r3gr-cxrf-hg25\",\n \"modified\": \"2024-06-25T14:20:21.323050Z\"\n },\n {\n \"id\": \"GHSA-r695-7vr9-jgc2\",\n \"modified\": \"2024-02-18T05:30:45.856594Z\"\n },\n {\n \"id\": \"GHSA-rfx6-vp9g-rh7v\",\n \"modified\": \"2024-03-11T05:17:47.425595Z\"\n },\n {\n \"id\": \"GHSA-rgv9-q543-rqg4\",\n \"modified\": \"2026-02-04T02:40:22.352009Z\"\n },\n {\n \"id\": \"GHSA-rpr3-cw39-3pxh\",\n \"modified\": \"2026-03-13T22:01:03.241551Z\"\n },\n {\n \"id\": \"GHSA-v585-23hc-c647\",\n \"modified\": \"2024-02-18T05:22:38.024460Z\"\n },\n {\n \"id\": \"GHSA-vfqx-33qm-g869\",\n \"modified\": \"2024-02-18T05:24:26.785781Z\"\n },\n {\n \"id\": \"GHSA-w3f4-3q6j-rh82\",\n \"modified\": \"2024-03-11T05:18:22.727055Z\"\n },\n {\n \"id\": \"GHSA-wh8g-3j2c-rqj5\",\n \"modified\": \"2024-03-15T00:31:15.123603Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"modified\": \"2026-02-04T03:18:02.851501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"modified\": \"2026-02-04T02:20:49.137443Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cj7v-27pg-wf7q\",\n \"modified\": \"2026-03-13T22:01:09.359414Z\"\n },\n {\n \"id\": \"GHSA-hmr7-m48g-48f6\",\n \"modified\": \"2026-02-04T03:59:52.327364Z\"\n },\n {\n \"id\": \"GHSA-qh8g-58pp-2wxh\",\n \"modified\": \"2026-02-04T05:13:21.910792Z\"\n },\n {\n \"id\": \"GHSA-wjpw-4j6x-6rwh\",\n \"modified\": \"2026-03-09T11:29:07.402944Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-3gh6-v5v9-6v9j\",\n \"modified\": \"2026-02-04T03:12:16.534413Z\"\n },\n {\n \"id\": \"GHSA-gwcr-j4wh-j3cq\",\n \"modified\": \"2026-03-13T21:59:32.515061Z\"\n },\n {\n \"id\": \"GHSA-j26w-f9rq-mr2q\",\n \"modified\": \"2026-02-04T03:32:43.162423Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-264p-99wq-f4j6\",\n \"modified\": \"2026-02-04T03:21:48.913313Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"4418\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3196\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-core\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-kms\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:aws-java-sdk-s3\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.amazonaws:jmespath-java\"\n },\n \"version\": \"1.11.327\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.example:hello-tester\"\n },\n \"version\": \"1.0-SNAPSHOT\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-annotations\"\n },\n \"version\": \"2.6.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"version\": \"2.14.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\"\n },\n \"version\": \"2.6.7.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor\"\n },\n \"version\": \"2.6.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-codec:commons-codec\"\n },\n \"version\": \"1.10\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-logging:commons-logging\"\n },\n \"version\": \"1.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"joda-time:joda-time\"\n },\n \"version\": \"2.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.commons:commons-lang3\"\n },\n \"version\": \"3.12.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpclient\"\n },\n \"version\": \"4.5.5\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.httpcomponents:httpcore\"\n },\n \"version\": \"4.4.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-continuation\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-http\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-io\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-servlets\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.eclipse.jetty:jetty-util\"\n },\n \"version\": \"9.4.40.v20210413\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"software.amazon.ion:ion-java\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_JavareachArchive/jars_can_be_scanned_without_call_analysis\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 4418\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-c28r-hw5m-5gv3\",\n \"modified\": \"2023-11-08T04:09:28.159861Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-72hv-8253-57qq\",\n \"modified\": \"2026-03-04T15:06:51.908001Z\"\n },\n {\n \"id\": \"GHSA-h46c-h94j-95f3\",\n \"modified\": \"2026-02-04T03:44:39.385253Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-288c-cq4h-88gq\",\n \"modified\": \"2026-02-04T04:33:29.159339Z\"\n },\n {\n \"id\": \"GHSA-4gq5-ch57-c2mg\",\n \"modified\": \"2024-03-15T05:20:21.411726Z\"\n },\n {\n \"id\": \"GHSA-4w82-r329-3q67\",\n \"modified\": \"2024-03-16T05:18:54.922179Z\"\n },\n {\n \"id\": \"GHSA-57j2-w4cx-62h2\",\n \"modified\": \"2026-02-04T04:26:14.546092Z\"\n },\n {\n \"id\": \"GHSA-5949-rw7g-wx7w\",\n \"modified\": \"2025-09-15T07:42:14.888352Z\"\n },\n {\n \"id\": \"GHSA-5r5r-6hpj-8gg9\",\n \"modified\": \"2024-02-18T05:42:28.539166Z\"\n },\n {\n \"id\": \"GHSA-5ww9-j83m-q7qx\",\n \"modified\": \"2024-03-15T01:17:50.016820Z\"\n },\n {\n \"id\": \"GHSA-645p-88qh-w398\",\n \"modified\": \"2024-03-16T05:19:17.936174Z\"\n },\n {\n \"id\": \"GHSA-6fpp-rgj9-8rwc\",\n \"modified\": \"2024-03-15T05:18:54.134884Z\"\n },\n {\n \"id\": \"GHSA-85cw-hj65-qqv9\",\n \"modified\": \"2024-03-15T05:20:15.574552Z\"\n },\n {\n \"id\": \"GHSA-89qr-369f-5m5x\",\n \"modified\": \"2024-02-18T05:37:27.581808Z\"\n },\n {\n \"id\": \"GHSA-8c4j-34r4-xr8g\",\n \"modified\": \"2024-02-18T05:31:52.762759Z\"\n },\n {\n \"id\": \"GHSA-8w26-6f25-cm9x\",\n \"modified\": \"2024-02-18T05:30:48.085017Z\"\n },\n {\n \"id\": \"GHSA-9gph-22xh-8x98\",\n \"modified\": \"2024-02-18T05:33:27.617261Z\"\n },\n {\n \"id\": \"GHSA-9m6f-7xcq-8vf8\",\n \"modified\": \"2024-02-18T05:32:25.400029Z\"\n },\n {\n \"id\": \"GHSA-c8hm-7hpq-7jhg\",\n \"modified\": \"2024-03-15T01:17:19.251183Z\"\n },\n {\n \"id\": \"GHSA-cf6r-3wgc-h863\",\n \"modified\": \"2024-02-18T05:32:56.325249Z\"\n },\n {\n \"id\": \"GHSA-cggj-fvv3-cqwv\",\n \"modified\": \"2024-03-15T01:18:46.938616Z\"\n },\n {\n \"id\": \"GHSA-cjjf-94ff-43w7\",\n \"modified\": \"2024-03-11T05:19:23.395848Z\"\n },\n {\n \"id\": \"GHSA-cmfg-87vq-g5g4\",\n \"modified\": \"2024-03-15T01:18:17.903231Z\"\n },\n {\n \"id\": \"GHSA-cvm9-fjm9-3572\",\n \"modified\": \"2024-02-18T05:25:36.165759Z\"\n },\n {\n \"id\": \"GHSA-f3j5-rmmp-3fc5\",\n \"modified\": \"2024-03-15T05:20:35.120151Z\"\n },\n {\n \"id\": \"GHSA-f9xh-2qgp-cq57\",\n \"modified\": \"2024-02-18T05:32:05.421673Z\"\n },\n {\n \"id\": \"GHSA-fmmc-742q-jg75\",\n \"modified\": \"2024-03-16T05:19:55.172981Z\"\n },\n {\n \"id\": \"GHSA-fqwf-pjwf-7vqv\",\n \"modified\": \"2024-07-03T21:22:37.578162Z\"\n },\n {\n \"id\": \"GHSA-gjmw-vf9h-g25v\",\n \"modified\": \"2024-03-16T05:19:37.211801Z\"\n },\n {\n \"id\": \"GHSA-gwp4-hfv6-p7hw\",\n \"modified\": \"2024-03-13T05:27:58.436849Z\"\n },\n {\n \"id\": \"GHSA-gww7-p5w4-wrfv\",\n \"modified\": \"2024-03-15T01:05:18.790961Z\"\n },\n {\n \"id\": \"GHSA-h3cw-g4mq-c5x2\",\n \"modified\": \"2024-02-18T05:30:45.329621Z\"\n },\n {\n \"id\": \"GHSA-h592-38cm-4ggp\",\n \"modified\": \"2024-03-15T01:16:50.905794Z\"\n },\n {\n \"id\": \"GHSA-h822-r4r5-v8jg\",\n \"modified\": \"2026-02-04T02:19:17.186100Z\"\n },\n {\n \"id\": \"GHSA-jjjh-jjxp-wpff\",\n \"modified\": \"2026-02-04T02:23:59.070528Z\"\n },\n {\n \"id\": \"GHSA-m6x4-97wx-4q27\",\n \"modified\": \"2024-02-18T05:21:54.725837Z\"\n },\n {\n \"id\": \"GHSA-mph4-vhrx-mv67\",\n \"modified\": \"2024-03-15T01:16:21.467932Z\"\n },\n {\n \"id\": \"GHSA-mx7p-6679-8g3q\",\n \"modified\": \"2024-03-15T01:01:46.432481Z\"\n },\n {\n \"id\": \"GHSA-p43x-xfjf-5jhr\",\n \"modified\": \"2024-03-15T00:33:14.700288Z\"\n },\n {\n \"id\": \"GHSA-q93h-jc49-78gg\",\n \"modified\": \"2024-03-16T05:19:47.711015Z\"\n },\n {\n \"id\": \"GHSA-qjw2-hr98-qgfh\",\n \"modified\": \"2024-02-18T05:20:56.894470Z\"\n },\n {\n \"id\": \"GHSA-qr7j-h6gg-jmgc\",\n \"modified\": \"2024-03-11T05:21:14.313980Z\"\n },\n {\n \"id\": \"GHSA-r3gr-cxrf-hg25\",\n \"modified\": \"2024-06-25T14:20:21.323050Z\"\n },\n {\n \"id\": \"GHSA-r695-7vr9-jgc2\",\n \"modified\": \"2024-02-18T05:30:45.856594Z\"\n },\n {\n \"id\": \"GHSA-rfx6-vp9g-rh7v\",\n \"modified\": \"2024-03-11T05:17:47.425595Z\"\n },\n {\n \"id\": \"GHSA-rgv9-q543-rqg4\",\n \"modified\": \"2026-02-04T02:40:22.352009Z\"\n },\n {\n \"id\": \"GHSA-rpr3-cw39-3pxh\",\n \"modified\": \"2026-03-13T22:01:03.241551Z\"\n },\n {\n \"id\": \"GHSA-v585-23hc-c647\",\n \"modified\": \"2024-02-18T05:22:38.024460Z\"\n },\n {\n \"id\": \"GHSA-vfqx-33qm-g869\",\n \"modified\": \"2024-02-18T05:24:26.785781Z\"\n },\n {\n \"id\": \"GHSA-w3f4-3q6j-rh82\",\n \"modified\": \"2024-03-11T05:18:22.727055Z\"\n },\n {\n \"id\": \"GHSA-wh8g-3j2c-rqj5\",\n \"modified\": \"2024-03-15T00:31:15.123603Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"modified\": \"2026-02-04T03:18:02.851501Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"modified\": \"2026-02-04T02:20:49.137443Z\"\n }\n ]\n },\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cj7v-27pg-wf7q\",\n \"modified\": \"2026-03-13T22:01:09.359414Z\"\n },\n {\n \"id\": \"GHSA-hmr7-m48g-48f6\",\n \"modified\": \"2026-02-04T03:59:52.327364Z\"\n },\n {\n \"id\": \"GHSA-qh8g-58pp-2wxh\",\n \"modified\": \"2026-02-04T05:13:21.910792Z\"\n },\n {\n \"id\": \"GHSA-wjpw-4j6x-6rwh\",\n \"modified\": \"2026-03-09T11:29:07.402944Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-3gh6-v5v9-6v9j\",\n \"modified\": \"2026-02-04T03:12:16.534413Z\"\n },\n {\n \"id\": \"GHSA-gwcr-j4wh-j3cq\",\n \"modified\": \"2026-03-13T21:59:32.515061Z\"\n },\n {\n \"id\": \"GHSA-j26w-f9rq-mr2q\",\n \"modified\": \"2026-02-04T03:32:43.162423Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-264p-99wq-f4j6\",\n \"modified\": \"2026-02-04T03:21:48.913313Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"4418\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Licenses.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Licenses_in_summary_mode_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Licenses_with_expressions\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Licenses_with_invalid_expression_in_config\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/No_license_violations_and_show-all-packages_in_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/No_vulnerabilities_but_license_violations_with_allowlist\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/No_vulnerabilities_with_license_summary\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 521\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/No_vulnerabilities_with_license_summary_in_markdown\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Show_all_Packages_with_license_summary_in_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 648\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"ast\"\n },\n \"version\": \"2.4.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Some_packages_with_ignored_licenses\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 107\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"107\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Some_packages_with_license_violations_and_show-all-packages_in_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 505\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"babel\"\n },\n \"version\": \"6.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"human-signals\"\n },\n \"version\": \"5.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ms\"\n },\n \"version\": \"2.1.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"type-fest\"\n },\n \"version\": \"4.26.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Some_packages_with_license_violations_in_json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Vulnerabilities_and_all_license_violations_allowlisted\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Vulnerabilities_and_license_summary\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 144\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Licenses/Vulnerabilities_and_license_violations_with_allowlist\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 95\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"95\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LocalDatabases.yaml", "content": "---\nversion: 2\ninteractions: []\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LocalDatabases_AlwaysOffline.yaml", "content": "---\nversion: 2\ninteractions: []\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_LockfileWithExplicitParseAs.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/absolute_paths_are_automatically_escaped_on_windows\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 149\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/absolute_paths_work_with_explicit_escaping\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/empty_is_default\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 882\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 271\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"271\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 882\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/multiple,_+_output_order_is_deterministic_2\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 271\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"271\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3\n host: api.osv.dev\n body: |\n {}\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/one_lockfile_with_local_path\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2\n body: |\n {}\n headers:\n Content-Length:\n - \"2\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 760\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"has-flag\"\n },\n \"version\": \"4.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"wrappy\"\n },\n \"version\": \"1.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"league/flysystem\"\n },\n \"version\": \"1.0.8\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"ansi-html\"\n },\n \"version\": \"0.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\"\n },\n \"version\": \"1.99.9\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"toolchain\"\n },\n \"version\": \"1.99.9\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_LockfileWithExplicitParseAs/when_an_explicit_parse-as_is_given,_it's_applied_to_that_file\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 189\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"modified\": \"2026-03-13T22:01:08.982482Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-whgm-jr23-g3j9\",\n \"modified\": \"2023-11-08T04:05:08.868477Z\"\n }\n ]\n },\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"189\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_MoreLockfiles.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 774\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"AC-Angle\"\n },\n \"version\": \"1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"ALUT\"\n },\n \"version\": \"2.4.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"ANum\"\n },\n \"version\": \"0.2.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"Agda\"\n },\n \"version\": \"2.6.4.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"Allure\"\n },\n \"version\": \"0.11.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"biscuit-haskell\"\n },\n \"version\": \"0.3.0.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/cabal.project.freeze\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 105\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"HSEC-2024-0009\",\n \"modified\": \"2025-11-14T18:15:43.110342Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"105\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 571\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"AWSSDK.Core\"\n },\n \"version\": \"3.7.10.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"Microsoft.Extensions.DependencyInjection\"\n },\n \"version\": \"6.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"System.Linq.Dynamic.Core\"\n },\n \"version\": \"1.3.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"TestLibrary\"\n },\n \"version\": \"1.0.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/depsjson\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 104\n body: |\n {\n \"results\": [\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-4cv2-4hjh-77rx\",\n \"modified\": \"2025-01-27T19:00:52.634361Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"104\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 3215\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"async\"\n },\n \"version\": \"2.23.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"async-dns\"\n },\n \"version\": \"1.4.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"async-http\"\n },\n \"version\": \"0.87.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"async-pool\"\n },\n \"version\": \"0.10.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"console\"\n },\n \"version\": \"1.29.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"fiber-annotation\"\n },\n \"version\": \"0.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"fiber-local\"\n },\n \"version\": \"1.1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"fiber-storage\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"geoip\"\n },\n \"version\": \"1.6.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"io-endpoint\"\n },\n \"version\": \"0.15.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"io-event\"\n },\n \"version\": \"1.9.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"io-stream\"\n },\n \"version\": \"0.6.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"json\"\n },\n \"version\": \"2.10.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"metrics\"\n },\n \"version\": \"0.12.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"nokogiri\"\n },\n \"version\": \"1.18.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"process-daemon\"\n },\n \"version\": \"1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"protocol-hpack\"\n },\n \"version\": \"1.5.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"protocol-http\"\n },\n \"version\": \"0.49.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"protocol-http1\"\n },\n \"version\": \"0.30.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"protocol-http2\"\n },\n \"version\": \"0.22.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"racc\"\n },\n \"version\": \"1.8.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"rainbow\"\n },\n \"version\": \"2.2.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"rake\"\n },\n \"version\": \"13.2.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"rubydns\"\n },\n \"version\": \"2.0.2\"\n },\n {\n \"package\": {\n \"ecosystem\": \"RubyGems\",\n \"name\": \"traces\"\n },\n \"version\": \"0.15.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/gems.locked\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 526\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9m3q-rhmv-5q44\",\n \"modified\": \"2026-02-04T03:22:18.343631Z\"\n }\n ]\n },\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-353f-x4gh-cqq8\",\n \"modified\": \"2026-02-04T03:08:45.682451Z\"\n },\n {\n \"id\": \"GHSA-5w6v-399v-w3cc\",\n \"modified\": \"2026-02-04T02:49:28.572138Z\"\n },\n {\n \"id\": \"GHSA-mrxw-mxhj-p664\",\n \"modified\": \"2026-02-04T04:34:58.905946Z\"\n },\n {\n \"id\": \"GHSA-vvfq-8hwr-qm4m\",\n \"modified\": \"2026-02-04T03:58:31.466756Z\"\n },\n {\n \"id\": \"GHSA-wx95-c6cv-8532\",\n \"modified\": \"2026-02-25T10:44:01.279701Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"526\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 325\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"Microsoft.CodeDom.Providers.DotNetCompilerPlatform\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"Microsoft.Net.Compilers\"\n },\n \"version\": \"1.0.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/packages.config\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 153\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"NuGet\",\n \"name\": \"Newtonsoft.Json\"\n },\n \"version\": \"13.0.3\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/packages.lock.json\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 536\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"fuzzyset\"\n },\n \"version\": \"0.2.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"hasql-pool\"\n },\n \"version\": \"1.0.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"jose-jwt\"\n },\n \"version\": \"0.10.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Hackage\",\n \"name\": \"postgresql-libpq\"\n },\n \"version\": \"0.10.1.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/stack.yaml.lock\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 25\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"25\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 265\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"emoji\"\n },\n \"version\": \"2.14.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"protobuf\"\n },\n \"version\": \"4.25.5\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_MoreLockfiles/uv.lock\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 168\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7gcm-g887-7qv7\",\n \"modified\": \"2026-02-05T16:35:34.839005Z\"\n },\n {\n \"id\": \"GHSA-8qvm-5x2c-j2w7\",\n \"modified\": \"2026-02-04T03:00:07.684118Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"168\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_Transitive.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 9305\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:animated-vector-drawable\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:appcompat-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:mediarouter-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:palette-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-annotations\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-v4\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-vector-drawable\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-ads\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-ads-lite\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-analytics\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-analytics-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-appinvite\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-auth\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-auth-base\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-awareness\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-base\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-basement\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-cast\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-cast-framework\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-clearcut\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-drive\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-fitness\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-games\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-gass\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-gcm\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-identity\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-iid\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-instantapps\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-location\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-maps\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-nearby\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-panorama\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-places\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-plus\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-safetynet\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager-api\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager-v4-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tasks\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-vision\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-wallet\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-wearable\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-analytics\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-analytics-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-appindexing\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-auth\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-common\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-config\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-crash\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-database\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-database-connection\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-iid\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-messaging\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-storage\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-storage-common\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-api\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-core\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-web\"\n },\n \"version\": \"2.14.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_multiple_registries\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 628\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cm6r-892j-jv2g\",\n \"modified\": \"2023-11-08T04:08:28.014834Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7rjr-3q55-vv33\",\n \"modified\": \"2025-10-22T19:37:53.742023Z\"\n },\n {\n \"id\": \"GHSA-8489-44mv-ggj8\",\n \"modified\": \"2025-05-09T13:12:38.923602Z\"\n },\n {\n \"id\": \"GHSA-jfh8-c2jp-5v3q\",\n \"modified\": \"2025-10-22T19:37:02.616807Z\"\n },\n {\n \"id\": \"GHSA-p6xc-xr62-6r2g\",\n \"modified\": \"2025-05-09T13:12:54.089856Z\"\n },\n {\n \"id\": \"GHSA-vc5p-v9hr-52mj\",\n \"modified\": \"2026-02-04T03:10:00.616806Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"628\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 172\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-web\"\n },\n \"version\": \"2.14.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_no_resolve_no_transitive\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 286\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"junit:junit\"\n },\n \"version\": \"4.12\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.hamcrest:hamcrest-core\"\n },\n \"version\": \"1.3\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_non_utf8_encoding\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 98\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-269g-pwp5-87pp\",\n \"modified\": \"2026-03-13T22:15:22.410895Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"98\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 473\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-api\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-core\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-web\"\n },\n \"version\": \"2.14.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_transitive_default\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 381\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7rjr-3q55-vv33\",\n \"modified\": \"2025-10-22T19:37:53.742023Z\"\n },\n {\n \"id\": \"GHSA-8489-44mv-ggj8\",\n \"modified\": \"2025-05-09T13:12:38.923602Z\"\n },\n {\n \"id\": \"GHSA-jfh8-c2jp-5v3q\",\n \"modified\": \"2025-10-22T19:37:02.616807Z\"\n },\n {\n \"id\": \"GHSA-p6xc-xr62-6r2g\",\n \"modified\": \"2025-05-09T13:12:54.089856Z\"\n },\n {\n \"id\": \"GHSA-vc5p-v9hr-52mj\",\n \"modified\": \"2026-02-04T03:10:00.616806Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"381\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 473\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-api\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-core\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-web\"\n },\n \"version\": \"2.14.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_transitive_explicit_lockfile\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 381\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7rjr-3q55-vv33\",\n \"modified\": \"2025-10-22T19:37:53.742023Z\"\n },\n {\n \"id\": \"GHSA-8489-44mv-ggj8\",\n \"modified\": \"2025-05-09T13:12:38.923602Z\"\n },\n {\n \"id\": \"GHSA-jfh8-c2jp-5v3q\",\n \"modified\": \"2025-10-22T19:37:02.616807Z\"\n },\n {\n \"id\": \"GHSA-p6xc-xr62-6r2g\",\n \"modified\": \"2025-05-09T13:12:54.089856Z\"\n },\n {\n \"id\": \"GHSA-vc5p-v9hr-52mj\",\n \"modified\": \"2026-02-04T03:10:00.616806Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"381\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 9305\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:animated-vector-drawable\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:appcompat-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:mediarouter-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:palette-v7\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-annotations\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-v4\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.android.support:support-vector-drawable\"\n },\n \"version\": \"24.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-ads\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-ads-lite\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-analytics\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-analytics-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-appinvite\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-auth\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-auth-base\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-awareness\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-base\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-basement\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-cast\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-cast-framework\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-clearcut\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-drive\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-fitness\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-games\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-gass\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-gcm\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-identity\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-iid\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-instantapps\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-location\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-maps\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-nearby\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-panorama\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-places\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-plus\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-safetynet\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager-api\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tagmanager-v4-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-tasks\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-vision\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-wallet\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.android.gms:play-services-wearable\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-analytics\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-analytics-impl\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-appindexing\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-auth\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-common\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-config\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-crash\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-database\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-database-connection\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-iid\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-messaging\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-storage\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.firebase:firebase-storage-common\"\n },\n \"version\": \"10.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-api\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-core\"\n },\n \"version\": \"2.14.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"org.apache.logging.log4j:log4j-web\"\n },\n \"version\": \"2.14.1\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/pom.xml_transitive_native_source\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 628\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-cm6r-892j-jv2g\",\n \"modified\": \"2023-11-08T04:08:28.014834Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-7rjr-3q55-vv33\",\n \"modified\": \"2025-10-22T19:37:53.742023Z\"\n },\n {\n \"id\": \"GHSA-8489-44mv-ggj8\",\n \"modified\": \"2025-05-09T13:12:38.923602Z\"\n },\n {\n \"id\": \"GHSA-jfh8-c2jp-5v3q\",\n \"modified\": \"2025-10-22T19:37:02.616807Z\"\n },\n {\n \"id\": \"GHSA-p6xc-xr62-6r2g\",\n \"modified\": \"2025-05-09T13:12:54.089856Z\"\n },\n {\n \"id\": \"GHSA-vc5p-v9hr-52mj\",\n \"modified\": \"2026-02-04T03:10:00.616806Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"628\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 386\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/requirements.txt_no_resolve_no_transitive\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 1081\n body: |\n {\n \"results\": [\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n }\n ]\n }\n headers:\n Content-Length:\n - \"1081\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 997\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"click\"\n },\n \"version\": \"8.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask-cors\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"itsdangerous\"\n },\n \"version\": \"2.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"jinja2\"\n },\n \"version\": \"3.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"markupsafe\"\n },\n \"version\": \"3.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pandas\"\n },\n \"version\": \"0.23.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"werkzeug\"\n },\n \"version\": \"3.1.6\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/requirements.txt_resolution_fallback\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 880\n body: |\n {\n \"results\": [\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-43qf-4rqw-9q2g\",\n \"modified\": \"2026-02-04T02:30:19.251090Z\"\n },\n {\n \"id\": \"GHSA-7rxf-gvfg-47g4\",\n \"modified\": \"2026-02-04T04:27:15.173118Z\"\n },\n {\n \"id\": \"GHSA-84pr-m4jr-85g5\",\n \"modified\": \"2026-02-04T02:57:32.875272Z\"\n },\n {\n \"id\": \"GHSA-8vgw-p6qm-5gr7\",\n \"modified\": \"2026-02-04T02:42:09.564281Z\"\n },\n {\n \"id\": \"GHSA-hxwh-jpp2-84pm\",\n \"modified\": \"2026-02-04T02:15:39.891834Z\"\n },\n {\n \"id\": \"GHSA-xc3p-ff3m-f46v\",\n \"modified\": \"2024-09-20T20:01:25.449661Z\"\n },\n {\n \"id\": \"PYSEC-2020-43\",\n \"modified\": \"2025-10-09T07:22:50.566622Z\"\n },\n {\n \"id\": \"PYSEC-2024-71\",\n \"modified\": \"2025-10-09T08:27:44.186589Z\"\n }\n ]\n },\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"PYSEC-2020-73\",\n \"modified\": \"2023-11-08T04:02:12.263851Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"880\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1610\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"certifi\"\n },\n \"version\": \"2026.2.25\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"chardet\"\n },\n \"version\": \"3.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"click\"\n },\n \"version\": \"8.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"idna\"\n },\n \"version\": \"2.7.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"itsdangerous\"\n },\n \"version\": \"2.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"jinja2\"\n },\n \"version\": \"3.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"markupsafe\"\n },\n \"version\": \"3.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pytz\"\n },\n \"version\": \"2026.1.0.post1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"urllib3\"\n },\n \"version\": \"1.24.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"werkzeug\"\n },\n \"version\": \"3.1.6\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/requirements.txt_transitive_default\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2083\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-jjg7-2v4v-x38h\",\n \"modified\": \"2026-02-04T03:49:45.087439Z\"\n },\n {\n \"id\": \"PYSEC-2024-60\",\n \"modified\": \"2024-07-11T17:42:33.704488Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2xpw-w6gg-jr37\",\n \"modified\": \"2026-02-04T02:36:12.983430Z\"\n },\n {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"modified\": \"2026-02-04T03:37:44.850742Z\"\n },\n {\n \"id\": \"GHSA-38jv-5279-wg99\",\n \"modified\": \"2026-02-04T03:51:36.162029Z\"\n },\n {\n \"id\": \"GHSA-g4mx-q9vg-27p4\",\n \"modified\": \"2026-02-04T03:30:16.767903Z\"\n },\n {\n \"id\": \"GHSA-gm62-xv2j-4w53\",\n \"modified\": \"2026-02-04T03:37:15.919661Z\"\n },\n {\n \"id\": \"GHSA-pq67-6m6q-mj2v\",\n \"modified\": \"2026-02-04T04:38:01.163387Z\"\n },\n {\n \"id\": \"GHSA-v845-jxx5-vc9f\",\n \"modified\": \"2026-02-04T02:58:30.152562Z\"\n },\n {\n \"id\": \"GHSA-wqvq-5m8c-6g24\",\n \"modified\": \"2024-11-18T22:47:07.792720Z\"\n },\n {\n \"id\": \"PYSEC-2020-148\",\n \"modified\": \"2023-11-08T04:03:14.251187Z\"\n },\n {\n \"id\": \"PYSEC-2021-108\",\n \"modified\": \"2023-11-08T04:06:04.829992Z\"\n },\n {\n \"id\": \"PYSEC-2023-192\",\n \"modified\": \"2023-11-08T04:13:33.452167Z\"\n },\n {\n \"id\": \"PYSEC-2023-212\",\n \"modified\": \"2023-11-08T04:13:39.165450Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2083\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 1604\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"certifi\"\n },\n \"version\": \"2026.2.25\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"chardet\"\n },\n \"version\": \"3.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"click\"\n },\n \"version\": \"8.3.1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"django\"\n },\n \"version\": \"1.11.29\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"flask\"\n },\n \"version\": \"1.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"idna\"\n },\n \"version\": \"2.7\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"itsdangerous\"\n },\n \"version\": \"2.2.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"jinja2\"\n },\n \"version\": \"3.1.6\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"markupsafe\"\n },\n \"version\": \"3.0.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"pytz\"\n },\n \"version\": \"2026.1.post1\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"requests\"\n },\n \"version\": \"2.20.0\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"urllib3\"\n },\n \"version\": \"1.24.3\"\n },\n {\n \"package\": {\n \"ecosystem\": \"PyPI\",\n \"name\": \"werkzeug\"\n },\n \"version\": \"3.1.6\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_Transitive/requirements.txt_transitive_native_source\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 2083\n body: |\n {\n \"results\": [\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68w8-qjq3-2gfm\",\n \"modified\": \"2024-09-20T15:46:52.557962Z\"\n },\n {\n \"id\": \"GHSA-6w2r-r2m5-xq5w\",\n \"modified\": \"2026-02-04T04:00:06.061990Z\"\n },\n {\n \"id\": \"GHSA-7xr5-9hcq-chf9\",\n \"modified\": \"2026-02-04T03:48:05.224740Z\"\n },\n {\n \"id\": \"GHSA-8x94-hmjh-97hq\",\n \"modified\": \"2026-02-04T02:45:55.690257Z\"\n },\n {\n \"id\": \"GHSA-frmv-pr5f-9mcr\",\n \"modified\": \"2025-11-27T09:10:30.649595Z\"\n },\n {\n \"id\": \"GHSA-qw25-v68c-qjf3\",\n \"modified\": \"2026-02-04T04:08:30.303132Z\"\n },\n {\n \"id\": \"GHSA-rrqc-c2jx-6jgv\",\n \"modified\": \"2024-10-30T19:23:59.139649Z\"\n },\n {\n \"id\": \"PYSEC-2021-98\",\n \"modified\": \"2023-12-06T01:01:16.755410Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-68rp-wp8r-4726\",\n \"modified\": \"2026-02-23T23:43:45.778179Z\"\n },\n {\n \"id\": \"GHSA-m2qf-hxjv-5gpq\",\n \"modified\": \"2025-02-21T05:42:17.337040Z\"\n },\n {\n \"id\": \"PYSEC-2023-62\",\n \"modified\": \"2023-11-08T04:12:28.231927Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-jjg7-2v4v-x38h\",\n \"modified\": \"2026-02-04T03:49:45.087439Z\"\n },\n {\n \"id\": \"PYSEC-2024-60\",\n \"modified\": \"2024-07-11T17:42:33.704488Z\"\n }\n ]\n },\n {},\n {},\n {},\n {},\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-9hjg-9r4m-mvj7\",\n \"modified\": \"2026-02-04T03:44:00.676479Z\"\n },\n {\n \"id\": \"GHSA-9wx4-h78v-vm56\",\n \"modified\": \"2026-02-04T02:43:42.271895Z\"\n },\n {\n \"id\": \"GHSA-j8r2-6x86-q33q\",\n \"modified\": \"2026-02-04T03:34:13.807518Z\"\n },\n {\n \"id\": \"PYSEC-2023-74\",\n \"modified\": \"2023-11-08T04:12:35.436175Z\"\n }\n ]\n },\n {\n \"vulns\": [\n {\n \"id\": \"GHSA-2xpw-w6gg-jr37\",\n \"modified\": \"2026-02-04T02:36:12.983430Z\"\n },\n {\n \"id\": \"GHSA-34jh-p97f-mpxf\",\n \"modified\": \"2026-02-04T03:37:44.850742Z\"\n },\n {\n \"id\": \"GHSA-38jv-5279-wg99\",\n \"modified\": \"2026-02-04T03:51:36.162029Z\"\n },\n {\n \"id\": \"GHSA-g4mx-q9vg-27p4\",\n \"modified\": \"2026-02-04T03:30:16.767903Z\"\n },\n {\n \"id\": \"GHSA-gm62-xv2j-4w53\",\n \"modified\": \"2026-02-04T03:37:15.919661Z\"\n },\n {\n \"id\": \"GHSA-pq67-6m6q-mj2v\",\n \"modified\": \"2026-02-04T04:38:01.163387Z\"\n },\n {\n \"id\": \"GHSA-v845-jxx5-vc9f\",\n \"modified\": \"2026-02-04T02:58:30.152562Z\"\n },\n {\n \"id\": \"GHSA-wqvq-5m8c-6g24\",\n \"modified\": \"2024-11-18T22:47:07.792720Z\"\n },\n {\n \"id\": \"PYSEC-2020-148\",\n \"modified\": \"2023-11-08T04:03:14.251187Z\"\n },\n {\n \"id\": \"PYSEC-2021-108\",\n \"modified\": \"2023-11-08T04:06:04.829992Z\"\n },\n {\n \"id\": \"PYSEC-2023-192\",\n \"modified\": \"2023-11-08T04:13:33.452167Z\"\n },\n {\n \"id\": \"PYSEC-2023-212\",\n \"modified\": \"2023-11-08T04:13:39.165450Z\"\n }\n ]\n },\n {}\n ]\n }\n headers:\n Content-Length:\n - \"2083\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_WithDetector_OffLinux.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OffLinux/ssh_version_errors\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OffLinux/ssh_version_is_after_last_vuln_version\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OffLinux/ssh_version_is_before_first_vuln_version\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/cassettes/TestCommand_WithDetector_OnLinux.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OnLinux/ssh_version_errors\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OnLinux/ssh_version_is_after_last_vuln_version\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/config-invalid/osv-scanner-test.toml", "content": "!\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/exp-plugins-pkgdeprecate/deprecated-vuln/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/go-version-config.toml", "content": "GoVersionOverride = \"1.21.7\"" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/nested/go-version-config.toml", "content": "GoVersionOverride = \"1.21.7\"" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/nested/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/nested/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/go-project/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-git/osv-scanner.json", "content": "{\n \"results\": [\n {\n \"packages\": [\n {\n \"//1\": \"version and commit are the same, so rust-openssl advisories should be reported\",\n \"//2\": \"note online reports CVE-2023-6180 as well due to matching commits for an implicit fork\",\n \"package\": {\n \"name\": \"https://github.com/sfackler/rust-openssl\",\n \"commit\": \"0f428d190410263e4daa65b917c0e84707a9c0ef\",\n \"version\": \"openssl-v0.8.1\"\n }\n },\n {\n \"//1\": \"repo is different to the advisory, so only online checking will report anything\",\n \"package\": {\n \"name\": \"https://github.com/sfackler-fork/rust-openssl\",\n \"commit\": \"3b064fdb022912bbb98f5b8d9d111aeb6fec8f79\",\n \"version\": \"openssl-v0.10.23\"\n }\n },\n {\n \"//1\": \"no version, so only online checking will report anything\",\n \"package\": {\n \"name\": \"https://github.com/openssl/openssl\",\n \"commit\": \"45fda76bc1b9fd74d10e85e0ce9b65a12dcc58b0\"\n }\n },\n {\n \"//1\": \"version is for 3.5.0 which is vulnerable to CVE-2025-3416, but commit is for 3.5.1 which is not\",\n \"package\": {\n \"name\": \"https://github.com/openssl/openssl\",\n \"commit\": \"aea7aaf2abb04789f5868cbabec406ea43aa84bf\",\n \"version\": \"openssl-3.5.0\"\n }\n },\n {\n \"//1\": \"commit is for a completely different repository that does have vulns\",\n \"package\": {\n \"name\": \"https://github.com/apache/orc\",\n \"commit\": \"17b30e96476be70b8773b2b807bab857fd3ceb39\",\n \"version\": \"v3.19.0\"\n }\n },\n {\n \"//1\": \"matches an advisory whose repo url does not start with the http protocol, which should not matter\",\n \"package\": {\n \"name\": \"http://github.com/boostorg/boost\",\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\",\n \"version\": \"boost-1.67.0\"\n }\n },\n {\n \"//1\": \"matches an advisory whose repo url does not start with the git protocol, which should not matter\",\n \"package\": {\n \"name\": \"git://github.com/boostorg/boost\",\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\",\n \"version\": \"boost-1.67.0\"\n }\n },\n {\n \"//1\": \"matches an advisory even though the repo url has no protocol, which should not matter\",\n \"package\": {\n \"name\": \"github.com/boostorg/boost\",\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\",\n \"version\": \"boost-1.67.0\"\n }\n },\n {\n \"//1\": \"matches an advisory whose repo url ends with .git, which should not matter\",\n \"package\": {\n \"name\": \"https://github.com/boostorg/boost\",\n \"commit\": \"1a9dda41fbfb0dfbec17ab6afeba8138265395f7\",\n \"version\": \"boost-1.67.0\"\n }\n },\n {\n \"//1\": \"matches an advisory whose repo url does not end .git, which should not matter\",\n \"package\": {\n \"name\": \"https://github.com/capricorn86/happy-dom.git\",\n \"commit\": \"f82211036f434593c69b8e3680ea65203a46d315\",\n \"version\": \"v11.1.0\"\n }\n },\n {\n \"//1\": \"matches advisories whose repo urls are a different case, which should be respected\",\n \"//2\": \"note in future this might change for github and gitlab, as they are not case-sensitive\",\n \"package\": {\n \"name\": \"https://github.com/Exiv2/exiv2\",\n \"commit\": \"931a40a746f5678dcc4625b06a2eb25fa4f00b34\",\n \"version\": \"v0.28.0\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-gitignore/subdir/test.gitignore", "content": "Gemfile.lock" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-gitignore/test.gitignore", "content": "ignored\n/yarn.lock\ncomposer*" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/my-package-lock.json", "content": "{\n \"requires\": true,\n \"lockfileVersion\": 1,\n \"dependencies\": {\n \"ansi-html\": {\n \"version\": \"0.0.1\"\n }\n }\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-custom-git-tag.json", "content": "{\n \"results\": [\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/openssl/openssl\",\n \"version\": \"openssl-3.0.4\",\n \"ecosystem\": \"GIT\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-custom.json", "content": "{\n \"results\": [\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.99.9\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n },\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"toolchain\",\n \"version\": \"1.99.9\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-flutter-deps.json", "content": "{\n \"results\": [\n {\n \"packageSource\": {\n \"path\": \"/path/to/engine/DEPS\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"https://github.com/flutter/buildroot.git\",\n \"commit\": \"5d60bd2eb4642b64d00c845e5ca9f1ea41fd6db6\"\n }\n },\n {\n \"package\": {\n \"name\": \"https://github.com/brendan-duncan/archive.git\",\n \"commit\": \"9de7a0544457c6aba755ccb65abb41b0dc1db70d\"\n }\n }\n ]\n },\n {\n \"packageSource\": {\n \"path\": \"/path/to/engine/third_party/accessibility/README.md\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"https://chromium.googlesource.com/chromium/src\",\n \"commit\": \"4579d5538f06c5ef615a15bc67ebb9ac0523a973\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner-with-unscannables.json", "content": "{\n \"results\": [\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.999.1\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n },\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"toolchain\",\n \"version\": \"1.24.4\",\n \"ecosystem\": \"\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.json", "content": "{\n \"results\": [\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"version\": \"1.24.4\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n },\n {\n \"source\": {},\n \"packages\": [\n {\n \"package\": {\n \"name\": \"toolchain\",\n \"version\": \"1.24.4\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-insecure/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-licenses/package.json", "content": "{\n \"dependencies\": {\n \"babel\": \"^6.23.0\",\n \"human-signals\": \"^5.0.0\",\n \"ms\": \"^2.1.3\",\n \"type-fest\": \"^4.26.1\"\n }\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many/installed", "content": "C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\nP:apk-tools\nV:2.12.10-r1\nA:x86_64\nS:120973\nI:307200\nT:Alpine Package Keeper - package manager for alpine\nU:https://gitlab.alpinelinux.org/alpine/apk-tools\nL:GPL-2.0-only\no:apk-tools\nm:Natanael Copa \nt:1666552494\nc:0188f510baadbae393472103427b9c1875117136\nD:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1\np:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1\nF:etc\nF:etc/apk\nF:etc/apk/keys\nF:etc/apk/protected_paths.d\nF:lib\nR:libapk.so.3.12.0\na:0:0:755\nZ:Q1opjpYqXgzmOVo7EbNe8l5Xol08g=\nF:lib/apk\nF:lib/apk/exec\nF:sbin\nR:apk\na:0:0:755\nZ:Q1/4bmOPe/H1YhHRzlrj27oufThMw=\nF:var\nF:var/lib\nF:var/lib/apk" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many/not-a-lockfile.toml", "content": "_=\"whatever this is, it's not a lockfile!\"\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many/osv-scanner-test.toml", "content": "" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many/replace-local.mod", "content": "require (\n golang.org/x/net v1.2.3\n)\n\nreplace (\n golang.org/x/net v1.2.3 => ./fork/net\n)\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many/status", "content": "Package: adduser\nStatus: install ok installed\nPriority: important\nSection: admin\nInstalled-Size: 849\nMaintainer: redacted \nArchitecture: all\nMulti-Arch: foreign\nVersion: 3.118\nDepends: passwd, debconf (>= 0.5) | debconf-2.0\nSuggests: liblocale-gettext-perl, perl\nConffiles:\n /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2\nDescription: add and remove users and groups\n This package includes the 'adduser' and 'deluser' commands for creating\n and removing users.\n .\n - 'adduser' creates new users and groups and adds existing users to\n existing groups;\n - 'deluser' removes users and groups and removes users from a given\n group.\n .\n Adding users with 'adduser' is much easier than adding them manually.\n Adduser will choose appropriate UID and GID values, create a home\n directory, copy skeletal user configuration, and automate setting\n initial values for the user's password, real name and so on.\n .\n Deluser can back up and remove users' home directories\n and mail spool or all the files they own on the system.\n .\n A custom script can be executed after each of the commands." }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/alpine.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.13-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n alpine\n 3.17.2\n Alpine Linux v3.17\n \n \n \n https://gitlab.alpinelinux.org/alpine/aports/-/issues\n \n \n https://alpinelinux.org/\n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/installed", "content": "C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\nP:apk-tools\nV:2.12.10-r1\nA:x86_64\nS:120973\nI:307200\nT:Alpine Package Keeper - package manager for alpine\nU:https://gitlab.alpinelinux.org/alpine/apk-tools\nL:GPL-2.0-only\no:apk-tools\nm:Natanael Copa \nt:1666552494\nc:0188f510baadbae393472103427b9c1875117136\nD:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1\np:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1\nF:etc\nF:etc/apk\nF:etc/apk/keys\nF:etc/apk/protected_paths.d\nF:lib\nR:libapk.so.3.12.0\na:0:0:755\nZ:Q1opjpYqXgzmOVo7EbNe8l5Xol08g=\nF:lib/apk\nF:lib/apk/exec\nF:sbin\nR:apk\na:0:0:755\nZ:Q1/4bmOPe/H1YhHRzlrj27oufThMw=\nF:var\nF:var/lib\nF:var/lib/apk" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/not-a-lockfile.toml", "content": "_=\"whatever this is, it's not a lockfile!\"\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/replace-local.mod", "content": "require (\n golang.org/x/net v1.2.3\n)\n\nreplace (\n golang.org/x/net v1.2.3 => ./fork/net\n)\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-many-with-insecure/status", "content": "Package: adduser\nStatus: install ok installed\nPriority: important\nSection: admin\nInstalled-Size: 849\nMaintainer: redacted \nArchitecture: all\nMulti-Arch: foreign\nVersion: 3.118\nDepends: passwd, debconf (>= 0.5) | debconf-2.0\nSuggests: liblocale-gettext-perl, perl\nConffiles:\n /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2\nDescription: add and remove users and groups\n This package includes the 'adduser' and 'deluser' commands for creating\n and removing users.\n .\n - 'adduser' creates new users and groups and adds existing users to\n existing groups;\n - 'deluser' removes users and groups and removes users from a given\n group.\n .\n Adding users with 'adduser' is much easier than adding them manually.\n Adduser will choose appropriate UID and GID values, create a home\n directory, copy skeletal user configuration, and automate setting\n initial values for the user's password, real name and so on.\n .\n Deluser can back up and remove users' home directories\n and mail spool or all the files they own on the system.\n .\n A custom script can be executed after each of the commands." }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-none/README.md", "content": "this directory has no lockfiles at all! (but the nested one does ;)\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/my-requirements.txt", "content": "flask==1.0.0\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements-dev.txt", "content": "black==25.1.0\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements-transitive.txt", "content": "numpy==2.3.1\n-r requirements.txt\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements.prod.txt", "content": "django==2.2.24\n # via\n # -r requirements.in\n # django-debug-toolbar\n # django-filter\n # django-storages\n # easy-thumbnails\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/requirements.txt", "content": "flask==1.0.0\ndjango==1.11.29\nrequests==2.20.0\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/the_requirements_for_test.txt", "content": "numpy==2.3.1\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-requirements/unresolvable-requirements.txt", "content": "flask==1.0.0\nflask-cors==1.0.0\npandas==0.23.4\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/Package.resolved", "content": "{\n \"pins\" : [\n {\n \"identity\" : \"swift-algorithms\",\n \"kind\" : \"remoteSourceControl\",\n \"location\" : \"https://github.com/apple/swift-algorithms.git\",\n \"state\" : {\n \"revision\" : \"b14b7f4c528c942f121c8b860b9410b2bf57825e\",\n \"version\" : \"1.0.0\"\n }\n },\n {\n \"identity\" : \"swift-async-algorithms\",\n \"kind\" : \"remoteSourceControl\",\n \"location\" : \"https://github.com/apple/swift-async-algorithms.git\",\n \"state\" : {\n \"revision\" : \"9cfed92b026c524674ed869a4ff2dcfdeedf8a2a\",\n \"version\" : \"0.1.0\"\n }\n },\n {\n \"identity\" : \"swift-atomics\",\n \"kind\" : \"remoteSourceControl\",\n \"location\" : \"https://github.com/apple/swift-atomics.git\",\n \"state\" : {\n \"revision\" : \"6c89474e62719ddcc1e9614989fff2f68208fe10\",\n \"version\" : \"1.1.0\"\n }\n }\n ],\n \"version\" : 2\n}\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/cabal.project.freeze", "content": "constraints: any.AC-Angle ==1.0,\n any.ALUT ==2.4.0.3,\n any.ANum ==0.2.0.2,\n any.Agda ==2.6.4.3,\n transformers-base +orphaninstances,\n any.Allure ==0.11.0.0,\n any.biscuit-haskell ==0.3.0.0,\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/depsjson", "content": "{\n \"runtimeTarget\": {\n \"name\": \".NETCoreApp,Version=v6.0\",\n \"signature\": \"\"\n },\n \"compilationOptions\": {},\n \"targets\": {\n \".NETCoreApp,Version=v6.0\": {\n \"TestLibrary/1.0.0\": {\n \"dependencies\": {\n \"Microsoft.Extensions.DependencyInjection\": \"6.0.0\",\n \"Microsoft.Extensions.Logging\": \"6.0.0\",\n \"Newtonsoft.Json\": \"13.0.1\",\n \"Serilog\": \"2.10.0\",\n \"Serilog.Sinks.Console\": \"4.0.1\",\n \"TestCommon\": \"1.0.0\"\n },\n \"runtime\": {\n \"TestLibrary.dll\": {}\n }\n },\n \"AWSSDK.Core/3.7.10.6\": {\n \"runtime\": {\n \"lib/netcoreapp3.1/AWSSDK.Core.dll\": {\n \"assemblyVersion\": \"3.3.0.0\",\n \"fileVersion\": \"3.7.10.6\"\n }\n }\n },\n \"Microsoft.Extensions.DependencyInjection/6.0.0\": {\n \"dependencies\": {\n \"Microsoft.Extensions.DependencyInjection.Abstractions\": \"6.0.0\",\n \"System.Runtime.CompilerServices.Unsafe\": \"6.0.0\"\n },\n \"runtime\": {\n \"lib/net6.0/Microsoft.Extensions.DependencyInjection.dll\": {\n \"assemblyVersion\": \"6.0.0.0\",\n \"fileVersion\": \"6.0.21.52210\"\n }\n }\n }\n }\n },\n \"libraries\": {\n \"TestLibrary/1.0.0\": {\n \"type\": \"project\",\n \"serviceable\": false,\n \"sha512\": \"\"\n },\n \"AWSSDK.Core/3.7.10.6\": {\n \"type\": \"package\",\n \"serviceable\": true,\n \"sha512\": \"sha512-kHBB+QmosVaG6DpngXQ8OlLVVNMzltNITfsRr68Z90qO7dSqJ2EHNd8dtBU1u3AQQLqqFHOY0lfmbpexeH6Pew==\",\n \"path\": \"awssdk.core/3.7.10.6\",\n \"hashPath\": \"awssdk.core.3.7.10.6.nupkg.sha512\"\n },\n \"Microsoft.Extensions.DependencyInjection/6.0.0\": {\n \"type\": \"package\",\n \"serviceable\": true,\n \"sha512\": \"sha512-k6PWQMuoBDGGHOQTtyois2u4AwyVcIwL2LaSLlTZQm2CYcJ1pxbt6jfAnpWmzENA/wfrYRI/X9DTLoUkE4AsLw==\",\n \"path\": \"microsoft.extensions.dependencyinjection/6.0.0\",\n \"hashPath\": \"microsoft.extensions.dependencyinjection.6.0.0.nupkg.sha512\"\n },\n \"System.Linq.Dynamic.Core/1.3.7\": {\n \"type\": \"package\",\n \"serviceable\": true,\n \"sha512\": \"sha512-7J9oS95JCcyOtnKCr0tYUOMAj67Ee3WKal6li20vEeuQFdD7C4XuAABysp3H5dx+wmHkXuUNoxW3+U+OEsx+JQ==\",\n \"path\": \"system.linq.dynamic.core/1.3.7\",\n \"hashPath\": \"system.linq.dynamic.core.1.3.7.nupkg.sha512\"\n }\n }\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/gems.locked", "content": "PATH\n remote: ..\n specs:\n rubydns (2.0.2)\n async-dns (~> 1.0)\n\nGEM\n remote: https://rubygems.org/\n specs:\n async (2.23.0)\n console (~> 1.29)\n fiber-annotation\n io-event (~> 1.9)\n metrics (~> 0.12)\n traces (~> 0.15)\n async-dns (1.4.1)\n async\n io-endpoint\n async-http (0.87.0)\n async (>= 2.10.2)\n async-pool (~> 0.9)\n io-endpoint (~> 0.14)\n io-stream (~> 0.6)\n metrics (~> 0.12)\n protocol-http (~> 0.49)\n protocol-http1 (~> 0.30)\n protocol-http2 (~> 0.22)\n traces (~> 0.10)\n async-pool (0.10.3)\n async (>= 1.25)\n console (1.29.2)\n fiber-annotation\n fiber-local (~> 1.1)\n json\n fiber-annotation (0.2.0)\n fiber-local (1.1.0)\n fiber-storage\n fiber-storage (1.0.0)\n geoip (1.6.4)\n io-endpoint (0.15.1)\n io-event (1.9.0)\n io-stream (0.6.1)\n json (2.10.1)\n metrics (0.12.1)\n nokogiri (1.18.2-arm64-darwin)\n racc (~> 1.4)\n nokogiri (1.18.2-x86_64-linux-gnu)\n racc (~> 1.4)\n process-daemon (1.0.1)\n rainbow (~> 2.0)\n protocol-hpack (1.5.1)\n protocol-http (0.49.0)\n protocol-http1 (0.30.0)\n protocol-http (~> 0.22)\n protocol-http2 (0.22.1)\n protocol-hpack (~> 1.4)\n protocol-http (~> 0.47)\n racc (1.8.1)\n rainbow (2.2.2)\n rake\n rake (13.2.1)\n traces (0.15.2)\n\nPLATFORMS\n arm64-darwin-21\n x86_64-linux\n\nDEPENDENCIES\n async-http\n geoip\n nokogiri\n process-daemon\n rubydns!\n\nBUNDLED WITH\n 2.6.2\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/packages.config", "content": "\n\n \n \n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-scalibr/packages.lock.json", "content": "{\n \"version\": 1,\n \"dependencies\": {\n \"net8.0\": {\n \"Newtonsoft.Json\": {\n \"type\": \"Direct\",\n \"requested\": \"[13.0.3, )\",\n \"resolved\": \"13.0.3\",\n \"contentHash\": \"HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ==\"\n }\n }\n }\n }" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner-test.toml", "content": "[[IgnoredVulns]]\nid = \"CVE-2021-23424\"\nreason = \"Test manifest file (package-lock.json)\"\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/locks-test-ignore/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/abc.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n \n org.apache.logging.log4j\n log4j-web\n 2.14.1\n \n \n\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/encoding.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n \n junit\n junit\n 4.12\n \n \n\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/parent.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n parent\n 1.0.0\n\n my-app\n\n pom\n\n\n \n \n \n com.google.android.gms\n play-services\n 10.0.0\n \n \n\n \n \n google-android\n https://dl.google.com/dl/android/maven2\n \n \n\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/pom.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n \n org.apache.logging.log4j\n log4j-web\n 2.14.1\n \n \n\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/maven-transitive/registry.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n\n \n com.mycompany.app\n parent\n 1.0.0\n ./parent.xml\n \n\n \n \n org.apache.logging.log4j\n log4j-web\n 2.14.1\n \n \n\n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-call-analysis-config.toml", "content": "[[PackageOverrides]]\nname = \"stdlib\"\nreason = \"Just want to test actual packages\"\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-complex-licenses-config.toml", "content": "[[PackageOverrides]]\necosystem = \"npm\"\nignore = true\nlicense.override = [\"0BSD\"]\n\n[[PackageOverrides]]\necosystem = \"Packagist\"\nlicense.override = [\"0BSD\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nname = \"musl\"\nlicense.override = [\"UNKNOWN\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nname = \"musl-utils\"\nlicense.ignore = true # this takes priority over license.override\nlicense.override = [\"UNKNOWN\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nname = \"apk-tools\"\nlicense.ignore = false\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nlicense.ignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-composite-config.toml", "content": "[[PackageOverrides]]\necosystem = \"npm\"\nignore = true\n\n[[PackageOverrides]]\nname = \"https://github.com/brendan-duncan/archive.git\"\nvulnerability.ignore = true\n\n[[PackageOverrides]]\necosystem = \"Maven\"\nignore = true\nreason = \"it makes the table output really really long\"\n\n[[PackageOverrides]]\necosystem = \"Packagist\"\nlicense.override = [\"0BSD\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nlicense.override = [\"MIT\"]\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-duplicate-config.toml", "content": "[[IgnoredVulns]]\nid = \"GO-2022-0274\"\nignoreuntil = 2020-01-01\n\n[[IgnoredVulns]]\nid = \"GO-2022-0274\"\nignoreuntil = 2022-01-01\n\n[[IgnoredVulns]]\nid = \"GHSA-whgm-jr23-g3j9\"\n\n[[IgnoredVulns]]\nid = \"CVE-2025-26519\"\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-empty-config.toml", "content": "# An empty config file to override the ignore config\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-expressive-licenses-config.toml", "content": "[[PackageOverrides]]\nname = \"babel\"\nlicense.override = [\"MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)\"]\n\n[[PackageOverrides]]\nname = \"human-signals\"\nlicense.override = [\"LGPL-2.1-only OR MIT OR BSD-3-Clause\"]\n\n[[PackageOverrides]]\nname = \"ms\"\nlicense.override = [\"MIT WITH Bison-exception-2.2\"]\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-invalid-licenses-config.toml", "content": "[[PackageOverrides]]\nname = \"babel\"\nlicense.override = [\"MIT AND (LGPL-2.1-or-later OR BSD-3-Clause))\"]\n\n[[PackageOverrides]]\nname = \"human-signals\"\nlicense.override = [\"LGPL-2.1-only OR OR BSD-3-Clause\"]\n\n[[PackageOverrides]]\nname = \"ms\"\nlicense.override = [\"MIT WITH (Bison-exception-2.2 AND somethingelse)\"]\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml", "content": "[[IgnoredVulns]]\nid = \"CVE-2025-26519\" # in alpine.cdx.xml\n\n[[IgnoredVulns]]\nid = \"CVE-2018-25032\" # in alpine.cdx.xml\n\n[[IgnoredVulns]]\nid = \"GO-2022-0274\" # in postgres-stretch.cdx.xml\n\n[[IgnoredVulns]]\nid = \"CVE-2019-5188\"\nignoreUntil = 2020-01-01\n\n[[IgnoredVulns]]\nid = \"CVE-2022-1304\"\nignoreUntil = 2100-01-01\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-reasonless-ignores-config.toml", "content": "[[IgnoredVulns]]\nid = \"GHSA-whgm-jr23-g3j9\"\n\n[[PackageOverrides]]\necosystem = \"Packagist\"\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/osv-scanner-unknown-config.toml", "content": "RustVersionOverride = \"1.2.3\"\n\n[[PackageOverrides]]\necosystem = \"npm\"\nskip = true\nlicense.override = [\"0BSD\"]\n\n[[PackageOverrides]]\necosystem = \"Packagist\"\nlicense.override = [\"0BSD\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nName = \"musl\"\nlicense.override = [\"UNKNOWN\"]\n\n[[PackageOverrides]]\necosystem = \"Alpine\"\nname = \"musl-utils\"\nlicense.skip = true\n\n[[IgnoredVulns]]\nid = \"GO-2022-0274\"\nignoreuntil = 2020-01-01\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/alpine-zlib-16.cdx.json", "content": "{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"metadata\": {\n \"timestamp\": \"2025-07-08T05:23:38Z\",\n \"tools\": {\n \"components\": [\n {\n \"type\": \"application\",\n \"name\": \"SCALIBR\",\n \"externalReferences\": [\n {\n \"url\": \"https://github.com/google/osv-scalibr\",\n \"type\": \"website\"\n }\n ]\n }\n ]\n },\n \"authors\": [\n {}\n ],\n \"component\": {\n \"bom-ref\": \"a5add6de-55de-40a9-aa0d-1f03de5ab308\",\n \"type\": \"\",\n \"name\": \"\"\n }\n },\n \"components\": [\n {\n \"bom-ref\": \"6756e583-83d8-4a08-a573-d2e9506cbd93\",\n \"type\": \"library\",\n \"name\": \"zlib\",\n \"version\": \"1.2.12-r1\",\n \"purl\": \"pkg:apk/alpine/zlib@1.2.12-r1?arch=x86_64\\u0026distro=3.22.0\\u0026origin=zlib\",\n \"evidence\": {\n \"occurrences\": [\n {\n \"location\": \"lib/apk/db/installed\"\n }\n ]\n }\n }\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/alpine.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.10-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n alpine\n 3.17.2\n Alpine Linux v3.17\n \n \n \n https://gitlab.alpinelinux.org/alpine/aports/-/issues\n \n \n https://alpinelinux.org/\n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/bad-purls.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n \n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n \n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:pypi/\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:pypi/\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:///\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n /\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.10-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:*\n pkg:pypi/\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n \n 3.17.2\n Alpine Linux v3.17\n \n \n \n \n \n \n \n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/only-unimportant.spdx.json", "content": "{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/1989157b-1458-4e57-abcb-fbec4a542b9c\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"2025-08-26T01:01:15Z\"\n },\n \"packages\": [\n {\n \"name\": \"libpcre3\",\n \"SPDXID\": \"SPDXRef-Package-libpcre3-9f1e7f2f-24ab-4eb2-8be4-7d3be9403a72\",\n \"versionInfo\": \"2:8.39-12ubuntu0.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the os/dpkg extractor from var/lib/dpkg/status\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:deb/ubuntu/pcre3@2%3A8.39-12ubuntu0.1?arch=amd64\\u0026distro=focal\\u0026source=pcre3\"\n }\n ]\n }\n ],\n \"relationships\": [\n\n ]\n}\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/postgres-stretch.cdx.xml", "content": "\n\n \n 2023-03-02T12:00:49+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n postgres:11.15-stretch\n sha256:84ac18036f93e18c3d8165e4fd9d9885924bb71beeab042dd50443d4f88fcdda\n \n \n \n \n Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>\n adduser\n 3.115\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:adduser:adduser:3.115:*:*:*:*:*:*:*\n pkg:deb/debian/adduser@3.115?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/adduser/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/adduser.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/adduser.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 849\n \n \n \n APT Development Team <deity@lists.debian.org>\n apt\n 1.4.11\n \n \n GPL-2.0-only\n \n \n GPLv2+\n \n \n cpe:2.3:a:apt:apt:1.4.11:*:*:*:*:*:*:*\n pkg:deb/debian/apt@1.4.11?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/apt/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/apt.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/apt.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3539\n \n \n \n Santiago Vila <sanvila@debian.org>\n base-files\n 9.9+deb9u13\n \n \n GPL\n \n \n cpe:2.3:a:base-files:base-files:9.9\\+deb9u13:*:*:*:*:*:*:*\n pkg:deb/debian/base-files@9.9+deb9u13?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:base-files:base_files:9.9\\+deb9u13:*:*:*:*:*:*:*\n cpe:2.3:a:base_files:base-files:9.9\\+deb9u13:*:*:*:*:*:*:*\n cpe:2.3:a:base_files:base_files:9.9\\+deb9u13:*:*:*:*:*:*:*\n cpe:2.3:a:base:base-files:9.9\\+deb9u13:*:*:*:*:*:*:*\n cpe:2.3:a:base:base_files:9.9\\+deb9u13:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/base-files/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/base-files.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/base-files.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 333\n \n \n \n Colin Watson <cjwatson@debian.org>\n base-passwd\n 3.5.43\n \n \n GPL-2.0-only\n \n \n PD\n \n \n cpe:2.3:a:base-passwd:base-passwd:3.5.43:*:*:*:*:*:*:*\n pkg:deb/debian/base-passwd@3.5.43?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:base-passwd:base_passwd:3.5.43:*:*:*:*:*:*:*\n cpe:2.3:a:base_passwd:base-passwd:3.5.43:*:*:*:*:*:*:*\n cpe:2.3:a:base_passwd:base_passwd:3.5.43:*:*:*:*:*:*:*\n cpe:2.3:a:base:base-passwd:3.5.43:*:*:*:*:*:*:*\n cpe:2.3:a:base:base_passwd:3.5.43:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/base-passwd/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/base-passwd.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 229\n \n \n \n Matthias Klose <doko@debian.org>\n bash\n 4.4-5\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:bash:bash:4.4-5:*:*:*:*:*:*:*\n pkg:deb/debian/bash@4.4-5?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/bash/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/bash.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/bash.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 5798\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n bsdutils\n 1:2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:bsdutils:bsdutils:1\\:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/bsdutils@1:2.29.2-1+deb9u1?arch=amd64&upstream=util-linux%402.29.2-1+deb9u1&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/bsdutils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/bsdutils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 238\n util-linux\n 2.29.2-1+deb9u1\n \n \n \n Michael Stone <mstone@debian.org>\n coreutils\n 8.26-3\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:coreutils:coreutils:8.26-3:*:*:*:*:*:*:*\n pkg:deb/debian/coreutils@8.26-3?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/coreutils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/coreutils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 15103\n \n \n \n Gerrit Pape <pape@smarden.org>\n dash\n 0.5.8-2.4\n \n \n GPL\n \n \n cpe:2.3:a:dash:dash:0.5.8-2.4:*:*:*:*:*:*:*\n pkg:deb/debian/dash@0.5.8-2.4?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/dash/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/dash.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 204\n \n \n \n Debconf Developers <debconf-devel@lists.alioth.debian.org>\n debconf\n 1.5.61\n \n \n BSD-2-Clause\n \n \n cpe:2.3:a:debconf:debconf:1.5.61:*:*:*:*:*:*:*\n pkg:deb/debian/debconf@1.5.61?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/debconf/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/debconf.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/debconf.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 558\n \n \n \n Debian Release Team <packages@release.debian.org>\n debian-archive-keyring\n 2017.5+deb9u2\n \n \n GPL\n \n \n cpe:2.3:a:debian-archive-keyring:debian-archive-keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/debian-archive-keyring@2017.5+deb9u2?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:debian-archive-keyring:debian_archive_keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian_archive_keyring:debian-archive-keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian_archive_keyring:debian_archive_keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian-archive:debian-archive-keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian-archive:debian_archive_keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian_archive:debian-archive-keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian_archive:debian_archive_keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian:debian-archive-keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:debian:debian_archive_keyring:2017.5\\+deb9u2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/debian-archive-keyring/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/debian-archive-keyring.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/debian-archive-keyring.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 189\n \n \n \n Clint Adams <clint@debian.org>\n debianutils\n 4.8.1.1\n \n \n GPL\n \n \n cpe:2.3:a:debianutils:debianutils:4.8.1.1:*:*:*:*:*:*:*\n pkg:deb/debian/debianutils@4.8.1.1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/debianutils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/debianutils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 213\n \n \n \n Santiago Vila <sanvila@debian.org>\n diffutils\n 1:3.5-3\n \n \n GFDL\n \n \n GPL\n \n \n cpe:2.3:a:diffutils:diffutils:1\\:3.5-3:*:*:*:*:*:*:*\n pkg:deb/debian/diffutils@1:3.5-3?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/diffutils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/diffutils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1327\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n dirmngr\n 2.1.18-8~deb9u4\n \n \n BSD-3-Clause\n \n \n Expat\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n RFC-Reference\n \n \n TinySCHEME\n \n \n permissive\n \n \n cpe:2.3:a:dirmngr:dirmngr:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/dirmngr@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/dirmngr/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/dirmngr.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1088\n gnupg2\n \n \n \n Dpkg Developers <debian-dpkg@lists.debian.org>\n dpkg\n 1.18.25\n \n \n BSD-2-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n public-domain-md5\n \n \n public-domain-s-s-d\n \n \n cpe:2.3:a:dpkg:dpkg:1.18.25:*:*:*:*:*:*:*\n pkg:deb/debian/dpkg@1.18.25?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/dpkg/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/dpkg.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/dpkg.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 6778\n \n \n \n Theodore Y. Ts'o <tytso@mit.edu>\n e2fslibs\n 1.43.4-2+deb9u2\n \n \n GPL-2.0-only\n \n \n LGPL-2.0-only\n \n \n cpe:2.3:a:e2fslibs:e2fslibs:1.43.4-2\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/e2fslibs@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/e2fslibs/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/e2fslibs:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 450\n e2fsprogs\n \n \n \n Theodore Y. Ts'o <tytso@mit.edu>\n e2fsprogs\n 1.43.4-2+deb9u2\n \n \n GPL-2.0-only\n \n \n LGPL-2.0-only\n \n \n cpe:2.3:a:e2fsprogs:e2fsprogs:1.43.4-2\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/e2fsprogs@1.43.4-2+deb9u2?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/e2fsprogs/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/e2fsprogs.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/e2fsprogs.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 4027\n \n \n \n Andreas Metzler <ametzler@debian.org>\n findutils\n 4.6.0+git+20161106-2\n \n \n GFDL-1.3-only\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:findutils:findutils:4.6.0\\+git\\+20161106-2:*:*:*:*:*:*:*\n pkg:deb/debian/findutils@4.6.0+git+20161106-2?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/findutils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/findutils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1854\n \n \n \n Debian GCC Maintainers <debian-gcc@lists.debian.org>\n gcc-6-base\n 6.3.0-18+deb9u1\n \n \n Artistic\n \n \n GFDL-1.2-only\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:gcc-6-base:gcc-6-base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/gcc-6-base@6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:gcc-6-base:gcc_6_base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc_6_base:gcc-6-base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc_6_base:gcc_6_base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc-6:gcc-6-base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc-6:gcc_6_base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc_6:gcc-6-base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc_6:gcc_6_base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc:gcc-6-base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:gcc:gcc_6_base:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/gcc-6-base/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/gcc-6-base:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 209\n gcc-6\n \n \n \n github.com/opencontainers/runc\n v1.0.1\n cpe:2.3:a:opencontainers:runc:v1.0.1:*:*:*:*:*:*:*\n pkg:golang/github.com/opencontainers/runc@v1.0.1\n \n go-module-binary-cataloger\n go\n GolangBinMetadata\n go-module\n sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369\n /usr/local/bin/gosu\n x86_64\n go1.16.7\n h1:G18PGckGdAm3yVQRWDVQ1rLSLntiniKJ0cNRT2Tm5gs=\n github.com/tianon/gosu\n \n \n \n github.com/tianon/gosu\n (devel)\n cpe:2.3:a:tianon:gosu:\\(devel\\):*:*:*:*:*:*:*\n pkg:golang/github.com/tianon/gosu@(devel)\n \n go-module-binary-cataloger\n go\n GolangBinMetadata\n go-module\n sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369\n /usr/local/bin/gosu\n x86_64\n go1.16.7\n github.com/tianon/gosu\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n gnupg\n 2.1.18-8~deb9u4\n \n \n BSD-3-Clause\n \n \n Expat\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n RFC-Reference\n \n \n TinySCHEME\n \n \n permissive\n \n \n cpe:2.3:a:gnupg:gnupg:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/gnupg@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/gnupg/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/gnupg.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2093\n gnupg2\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n gnupg-agent\n 2.1.18-8~deb9u4\n \n \n BSD-3-Clause\n \n \n Expat\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n RFC-Reference\n \n \n TinySCHEME\n \n \n permissive\n \n \n cpe:2.3:a:gnupg-agent:gnupg-agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/gnupg-agent@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:gnupg-agent:gnupg_agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:gnupg_agent:gnupg-agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:gnupg_agent:gnupg_agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:gnupg:gnupg-agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:gnupg:gnupg_agent:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/gnupg-agent/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/gnupg-agent.conffiles\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/gnupg-agent.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1362\n gnupg2\n \n \n \n golang.org/x/sys\n v0.0.0-20210817142637-7d9622a276b7\n cpe:2.3:a:golang:x\\/sys:v0.0.0-20210817142637-7d9622a276b7:*:*:*:*:*:*:*\n pkg:golang/golang.org/x/sys@v0.0.0-20210817142637-7d9622a276b7\n \n go-module-binary-cataloger\n go\n GolangBinMetadata\n go-module\n sha256:0305f2b14826a228defa3526b1fcd8af7291315d19e9e8dea531eb8725f1c369\n /usr/local/bin/gosu\n x86_64\n go1.16.7\n h1:lQ8Btl/sJr2+f4ql7ffKUKfnV0BsgsICvm0oEeINAQY=\n github.com/tianon/gosu\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n gpgv\n 2.1.18-8~deb9u4\n \n \n BSD-3-Clause\n \n \n Expat\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n RFC-Reference\n \n \n TinySCHEME\n \n \n permissive\n \n \n cpe:2.3:a:gpgv:gpgv:2.1.18-8\\~deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/gpgv@2.1.18-8~deb9u4?arch=amd64&upstream=gnupg2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/gpgv/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/gpgv.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 721\n gnupg2\n \n \n \n Anibal Monsalve Salazar <anibal@debian.org>\n grep\n 2.27-2\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n cpe:2.3:a:grep:grep:2.27-2:*:*:*:*:*:*:*\n pkg:deb/debian/grep@2.27-2?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/grep/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/grep.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1131\n \n \n \n Bdale Garbee <bdale@gag.com>\n gzip\n 1.6-5+deb9u1\n \n \n GPL\n \n \n cpe:2.3:a:gzip:gzip:1.6-5\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/gzip@1.6-5+deb9u1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/gzip/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/gzip.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 230\n \n \n \n Debian Hostname Team <hostname-devel@lists.alioth.debian.org>\n hostname\n 3.18+b1\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:hostname:hostname:3.18\\+b1:*:*:*:*:*:*:*\n pkg:deb/debian/hostname@3.18+b1?arch=amd64&upstream=hostname%403.18&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/hostname/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/hostname.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 47\n hostname\n 3.18\n \n \n \n Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>\n init-system-helpers\n 1.48\n \n \n BSD-3-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:init-system-helpers:init-system-helpers:1.48:*:*:*:*:*:*:*\n pkg:deb/debian/init-system-helpers@1.48?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:init-system-helpers:init_system_helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init_system_helpers:init-system-helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init_system_helpers:init_system_helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init-system:init-system-helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init-system:init_system_helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init_system:init-system-helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init_system:init_system_helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init:init-system-helpers:1.48:*:*:*:*:*:*:*\n cpe:2.3:a:init:init_system_helpers:1.48:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/init-system-helpers/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/init-system-helpers.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 131\n \n \n \n Anibal Monsalve Salazar <anibal@debian.org>\n libacl1\n 2.2.52-3+b1\n \n \n GPL\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libacl1:libacl1:2.2.52-3\\+b1:*:*:*:*:*:*:*\n pkg:deb/debian/libacl1@2.2.52-3+b1?arch=amd64&upstream=acl%402.2.52-3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libacl1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libacl1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 62\n acl\n 2.2.52-3\n \n \n \n APT Development Team <deity@lists.debian.org>\n libapt-pkg5.0\n 1.4.11\n \n \n GPL-2.0-only\n \n \n GPLv2+\n \n \n cpe:2.3:a:libapt-pkg5.0:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:*\n pkg:deb/debian/libapt-pkg5.0@1.4.11?arch=amd64&upstream=apt&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libapt-pkg5.0:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:*\n cpe:2.3:a:libapt_pkg5.0:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:*\n cpe:2.3:a:libapt_pkg5.0:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:*\n cpe:2.3:a:libapt:libapt-pkg5.0:1.4.11:*:*:*:*:*:*:*\n cpe:2.3:a:libapt:libapt_pkg5.0:1.4.11:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libapt-pkg5.0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libapt-pkg5.0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3056\n apt\n \n \n \n Debian GnuPG-Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n libassuan0\n 2.4.3-2\n \n \n GAP\n \n \n GAP~FSF\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n cpe:2.3:a:libassuan0:libassuan0:2.4.3-2:*:*:*:*:*:*:*\n pkg:deb/debian/libassuan0@2.4.3-2?arch=amd64&upstream=libassuan&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libassuan0/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libassuan0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 106\n libassuan\n \n \n \n Anibal Monsalve Salazar <anibal@debian.org>\n libattr1\n 1:2.4.47-2+b2\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libattr1:libattr1:1\\:2.4.47-2\\+b2:*:*:*:*:*:*:*\n pkg:deb/debian/libattr1@1:2.4.47-2+b2?arch=amd64&upstream=attr%401:2.4.47-2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libattr1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libattr1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 42\n attr\n 1:2.4.47-2\n \n \n \n Laurent Bigonville <bigon@debian.org>\n libaudit-common\n 1:2.6.7-2\n \n \n GPL-1.0-only\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libaudit-common:libaudit-common:1\\:2.6.7-2:*:*:*:*:*:*:*\n pkg:deb/debian/libaudit-common@1:2.6.7-2?arch=all&upstream=audit&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libaudit-common:libaudit_common:1\\:2.6.7-2:*:*:*:*:*:*:*\n cpe:2.3:a:libaudit_common:libaudit-common:1\\:2.6.7-2:*:*:*:*:*:*:*\n cpe:2.3:a:libaudit_common:libaudit_common:1\\:2.6.7-2:*:*:*:*:*:*:*\n cpe:2.3:a:libaudit:libaudit-common:1\\:2.6.7-2:*:*:*:*:*:*:*\n cpe:2.3:a:libaudit:libaudit_common:1\\:2.6.7-2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libaudit-common/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libaudit-common.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libaudit-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 30\n audit\n \n \n \n Laurent Bigonville <bigon@debian.org>\n libaudit1\n 1:2.6.7-2\n \n \n GPL-1.0-only\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libaudit1:libaudit1:1\\:2.6.7-2:*:*:*:*:*:*:*\n pkg:deb/debian/libaudit1@1:2.6.7-2?arch=amd64&upstream=audit&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libaudit1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libaudit1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 150\n audit\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n libblkid1\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:libblkid1:libblkid1:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libblkid1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libblkid1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libblkid1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 367\n util-linux\n \n \n \n Guillem Jover <guillem@debian.org>\n libbsd0\n 0.8.3-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-2-Clause\n \n \n BSD-2-clause-author\n \n \n BSD-2-clause-verbatim\n \n \n BSD-3-Clause\n \n \n BSD-3-clause-Peter-Wemm\n \n \n BSD-3-clause-Regents\n \n \n BSD-4-clause-Christopher-G-Demetriou\n \n \n BSD-4-clause-Niels-Provos\n \n \n BSD-5-clause-Peter-Wemm\n \n \n Beerware\n \n \n Expat\n \n \n ISC\n \n \n ISC-Original\n \n \n public-domain\n \n \n public-domain-Colin-Plumb\n \n \n cpe:2.3:a:libbsd0:libbsd0:0.8.3-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libbsd0@0.8.3-1+deb9u1?arch=amd64&upstream=libbsd&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libbsd0/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libbsd0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 159\n libbsd\n \n \n \n Anibal Monsalve Salazar <anibal@debian.org>\n libbz2-1.0\n 1.0.6-8.1\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libbz2-1.0:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:*\n pkg:deb/debian/libbz2-1.0@1.0.6-8.1?arch=amd64&upstream=bzip2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libbz2-1.0:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:*\n cpe:2.3:a:libbz2_1.0:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:*\n cpe:2.3:a:libbz2_1.0:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:*\n cpe:2.3:a:libbz2:libbz2-1.0:1.0.6-8.1:*:*:*:*:*:*:*\n cpe:2.3:a:libbz2:libbz2_1.0:1.0.6-8.1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libbz2-1.0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libbz2-1.0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 96\n bzip2\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n libc-bin\n 2.24-11+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libc-bin:libc-bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/libc-bin@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libc-bin:libc_bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc_bin:libc-bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc_bin:libc_bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_bin:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libc-bin/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libc-bin.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libc-bin.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3366\n glibc\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n libc-l10n\n 2.24-11+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libc-l10n:libc-l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/libc-l10n@2.24-11+deb9u4?arch=all&upstream=glibc&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libc-l10n:libc_l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc_l10n:libc-l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc_l10n:libc_l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_l10n:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56\n /usr/share/doc/libc-l10n/copyright\n sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56\n /var/lib/dpkg/info/libc-l10n.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 4211\n glibc\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n libc6\n 2.24-11+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libc6:libc6:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/libc6@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libc6/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libc6:amd64.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libc6:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 10686\n glibc\n \n \n \n Pierre Chifflier <pollux@debian.org>\n libcap-ng0\n 0.7.7-3+b1\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libcap-ng0:libcap-ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n pkg:deb/debian/libcap-ng0@0.7.7-3+b1?arch=amd64&upstream=libcap-ng%400.7.7-3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libcap-ng0:libcap_ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n cpe:2.3:a:libcap_ng0:libcap-ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n cpe:2.3:a:libcap_ng0:libcap_ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n cpe:2.3:a:libcap:libcap-ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n cpe:2.3:a:libcap:libcap_ng0:0.7.7-3\\+b1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libcap-ng0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libcap-ng0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 43\n libcap-ng\n 0.7.7-3\n \n \n \n Theodore Y. Ts'o <tytso@mit.edu>\n libcomerr2\n 1.43.4-2+deb9u2\n cpe:2.3:a:libcomerr2:libcomerr2:1.43.4-2\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libcomerr2@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libcomerr2/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libcomerr2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 84\n e2fsprogs\n \n \n \n Debian Berkeley DB Group <pkg-db-devel@lists.alioth.debian.org>\n libdb5.3\n 5.3.28-12+deb9u1\n cpe:2.3:a:libdb5.3:libdb5.3:5.3.28-12\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libdb5.3@5.3.28-12+deb9u1?arch=amd64&upstream=db5.3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libdb5.3/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libdb5.3:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1814\n db5.3\n \n \n \n Debian Install System Team <debian-boot@lists.debian.org>\n libdebconfclient0\n 0.227\n cpe:2.3:a:libdebconfclient0:libdebconfclient0:0.227:*:*:*:*:*:*:*\n pkg:deb/debian/libdebconfclient0@0.227?arch=amd64&upstream=cdebconf&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libdebconfclient0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libdebconfclient0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 67\n cdebconf\n \n \n \n LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>\n libedit2\n 3.1-20160903-3\n cpe:2.3:a:libedit2:libedit2:3.1-20160903-3:*:*:*:*:*:*:*\n pkg:deb/debian/libedit2@3.1-20160903-3?arch=amd64&upstream=libedit&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libedit2/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libedit2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 241\n libedit\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n libfdisk1\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:libfdisk1:libfdisk1:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libfdisk1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libfdisk1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libfdisk1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 469\n util-linux\n \n \n \n Debian GCC Maintainers <debian-gcc@lists.debian.org>\n libffi6\n 3.2.1-6\n \n \n GPL\n \n \n cpe:2.3:a:libffi6:libffi6:3.2.1-6:*:*:*:*:*:*:*\n pkg:deb/debian/libffi6@3.2.1-6?arch=amd64&upstream=libffi&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libffi6/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libffi6:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 56\n libffi\n \n \n \n Debian GCC Maintainers <debian-gcc@lists.debian.org>\n libgcc1\n 1:6.3.0-18+deb9u1\n \n \n Artistic\n \n \n GFDL-1.2-only\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:libgcc1:libgcc1:1\\:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libgcc1@1:6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6%406.3.0-18+deb9u1&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/gcc-6-base/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libgcc1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 108\n gcc-6\n 6.3.0-18+deb9u1\n \n \n \n Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>\n libgcrypt20\n 1.7.6-2+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL\n \n \n cpe:2.3:a:libgcrypt20:libgcrypt20:1.7.6-2\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/libgcrypt20@1.7.6-2+deb9u4?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libgcrypt20/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libgcrypt20:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1266\n \n \n \n Debian QA Group <packages@qa.debian.org>\n libgdbm3\n 1.8.3-14\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libgdbm3:libgdbm3:1.8.3-14:*:*:*:*:*:*:*\n pkg:deb/debian/libgdbm3@1.8.3-14?arch=amd64&upstream=gdbm&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libgdbm3/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libgdbm3:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 68\n gdbm\n \n \n \n Debian Science Team <debian-science-maintainers@lists.alioth.debian.org>\n libgmp10\n 2:6.1.2+dfsg-1+deb9u1\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n LGPL-3.0-only\n \n \n cpe:2.3:a:libgmp10:libgmp10:2\\:6.1.2\\+dfsg-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libgmp10@2:6.1.2+dfsg-1+deb9u1?arch=amd64&upstream=gmp&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libgmp10/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libgmp10:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 568\n gmp\n \n \n \n Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>\n libgnutls30\n 3.5.8-5+deb9u6\n \n \n CC0\n \n \n GFDL-1.3-only\n \n \n GPL\n \n \n GPL-3.0-only\n \n \n LGPL\n \n \n LGPL-3.0-only\n \n \n LGPL2.1\n \n \n The\n \n \n cpe:2.3:a:libgnutls30:libgnutls30:3.5.8-5\\+deb9u6:*:*:*:*:*:*:*\n pkg:deb/debian/libgnutls30@3.5.8-5+deb9u6?arch=amd64&upstream=gnutls28&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libgnutls30/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libgnutls30:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2429\n gnutls28\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n libgpg-error0\n 1.26-2\n \n \n GPL-2.1+\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libgpg-error0:libgpg-error0:1.26-2:*:*:*:*:*:*:*\n pkg:deb/debian/libgpg-error0@1.26-2?arch=amd64&upstream=libgpg-error&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libgpg-error0:libgpg_error0:1.26-2:*:*:*:*:*:*:*\n cpe:2.3:a:libgpg_error0:libgpg-error0:1.26-2:*:*:*:*:*:*:*\n cpe:2.3:a:libgpg_error0:libgpg_error0:1.26-2:*:*:*:*:*:*:*\n cpe:2.3:a:libgpg:libgpg-error0:1.26-2:*:*:*:*:*:*:*\n cpe:2.3:a:libgpg:libgpg_error0:1.26-2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libgpg-error0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libgpg-error0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 572\n libgpg-error\n \n \n \n Sam Hartman <hartmans@debian.org>\n libgssapi-krb5-2\n 1.15-1+deb9u3\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libgssapi-krb5-2:libgssapi-krb5-2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/libgssapi-krb5-2@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libgssapi-krb5-2:libgssapi_krb5_2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi_krb5_2:libgssapi-krb5-2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi_krb5_2:libgssapi_krb5_2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi-krb5:libgssapi-krb5-2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi-krb5:libgssapi_krb5_2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi_krb5:libgssapi-krb5-2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi_krb5:libgssapi_krb5_2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi:libgssapi-krb5-2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libgssapi:libgssapi_krb5_2:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libgssapi-krb5-2/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libgssapi-krb5-2:amd64.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libgssapi-krb5-2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 423\n krb5\n \n \n \n Magnus Holmgren <holmgren@debian.org>\n libhogweed4\n 3.3-1+deb9u1\n \n \n GAP\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-or-later\n \n \n other\n \n \n public-domain\n \n \n cpe:2.3:a:libhogweed4:libhogweed4:3.3-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libhogweed4@3.3-1+deb9u1?arch=amd64&upstream=nettle&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libnettle6/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libhogweed4:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 232\n nettle\n \n \n \n Laszlo Boszormenyi (GCS) <gcs@debian.org>\n libicu57\n 57.1-6+deb9u5\n cpe:2.3:a:libicu57:libicu57:57.1-6\\+deb9u5:*:*:*:*:*:*:*\n pkg:deb/debian/libicu57@57.1-6+deb9u5?arch=amd64&upstream=icu&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libicu57/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libicu57:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 30043\n icu\n \n \n \n Debian Libidn Team <help-libidn@gnu.org>\n libidn11\n 1.33-1+deb9u1\n \n \n GAP\n \n \n GFDL-1.3-only\n \n \n GFDL-1.3+\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n cpe:2.3:a:libidn11:libidn11:1.33-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libidn11@1.33-1+deb9u1?arch=amd64&upstream=libidn&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libidn11/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libidn11:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 307\n libidn\n \n \n \n Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>\n libjson-perl\n 2.90-1\n \n \n Artistic\n \n \n GPL-1.0-only\n \n \n GPL-1.0-or-later\n \n \n cpe:2.3:a:libjson-perl:libjson-perl:2.90-1:*:*:*:*:*:*:*\n pkg:deb/debian/libjson-perl@2.90-1?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libjson-perl:libjson_perl:2.90-1:*:*:*:*:*:*:*\n cpe:2.3:a:libjson_perl:libjson-perl:2.90-1:*:*:*:*:*:*:*\n cpe:2.3:a:libjson_perl:libjson_perl:2.90-1:*:*:*:*:*:*:*\n cpe:2.3:a:libjson:libjson-perl:2.90-1:*:*:*:*:*:*:*\n cpe:2.3:a:libjson:libjson_perl:2.90-1:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libjson-perl/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libjson-perl.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 229\n \n \n \n Sam Hartman <hartmans@debian.org>\n libk5crypto3\n 1.15-1+deb9u3\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libk5crypto3:libk5crypto3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/libk5crypto3@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libk5crypto3/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libk5crypto3:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 311\n krb5\n \n \n \n Christian Kastner <ckk@debian.org>\n libkeyutils1\n 1.5.9-9\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n cpe:2.3:a:libkeyutils1:libkeyutils1:1.5.9-9:*:*:*:*:*:*:*\n pkg:deb/debian/libkeyutils1@1.5.9-9?arch=amd64&upstream=keyutils&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libkeyutils1/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libkeyutils1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 36\n keyutils\n \n \n \n Sam Hartman <hartmans@debian.org>\n libkrb5-3\n 1.15-1+deb9u3\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libkrb5-3:libkrb5-3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/libkrb5-3@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libkrb5-3:libkrb5_3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libkrb5_3:libkrb5-3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libkrb5_3:libkrb5_3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libkrb5:libkrb5-3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libkrb5:libkrb5_3:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libkrb5-3/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libkrb5-3:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1026\n krb5\n \n \n \n Sam Hartman <hartmans@debian.org>\n libkrb5support0\n 1.15-1+deb9u3\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:libkrb5support0:libkrb5support0:1.15-1\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/libkrb5support0@1.15-1+deb9u3?arch=amd64&upstream=krb5&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libkrb5support0/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libkrb5support0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 159\n krb5\n \n \n \n Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>\n libksba8\n 1.3.5-2\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:libksba8:libksba8:1.3.5-2:*:*:*:*:*:*:*\n pkg:deb/debian/libksba8@1.3.5-2?arch=amd64&upstream=libksba&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libksba8/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libksba8:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 264\n libksba\n \n \n \n Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>\n libldap-2.4-2\n 2.4.44+dfsg-5+deb9u8\n cpe:2.3:a:libldap-2.4-2:libldap-2.4-2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n pkg:deb/debian/libldap-2.4-2@2.4.44+dfsg-5+deb9u8?arch=amd64&upstream=openldap&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libldap-2.4-2:libldap_2.4_2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_2.4_2:libldap-2.4-2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_2.4_2:libldap_2.4_2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap-2.4:libldap-2.4-2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap-2.4:libldap_2.4_2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_2.4:libldap-2.4-2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_2.4:libldap_2.4_2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap:libldap-2.4-2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap:libldap_2.4_2:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libldap-2.4-2/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libldap-2.4-2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 510\n openldap\n \n \n \n Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>\n libldap-common\n 2.4.44+dfsg-5+deb9u8\n cpe:2.3:a:libldap-common:libldap-common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n pkg:deb/debian/libldap-common@2.4.44+dfsg-5+deb9u8?arch=all&upstream=openldap&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libldap-common:libldap_common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_common:libldap-common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap_common:libldap_common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap:libldap-common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n cpe:2.3:a:libldap:libldap_common:2.4.44\\+dfsg-5\\+deb9u8:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libldap-common/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libldap-common.conffiles\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libldap-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 109\n openldap\n \n \n \n LLVM Packaging Team <pkg-llvm-team@lists.alioth.debian.org>\n libllvm6.0\n 1:6.0-1~bpo9+1\n \n \n ARM\n \n \n Apple\n \n \n BSD-3-Clause\n \n \n BSD-3-Clause\n \n \n Expat\n \n \n LLVM\n \n \n MIT\n \n \n NCSA\n \n \n Polly\n \n \n Python\n \n \n U-OF-I-BSD-LIKE\n \n \n public-domain\n \n \n solar-public-domain\n \n \n cpe:2.3:a:libllvm6.0:libllvm6.0:1\\:6.0-1\\~bpo9\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/libllvm6.0@1:6.0-1~bpo9+1?arch=amd64&upstream=llvm-toolchain-6.0&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libllvm6.0/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libllvm6.0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 59860\n llvm-toolchain-6.0\n \n \n \n Nobuhiro Iwamatsu <iwamatsu@debian.org>\n liblz4-1\n 0.0~r131-2+deb9u1\n \n \n BSD-2-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:liblz4-1:liblz4-1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/liblz4-1@0.0~r131-2+deb9u1?arch=amd64&upstream=lz4&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:liblz4-1:liblz4_1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:liblz4_1:liblz4-1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:liblz4_1:liblz4_1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:liblz4:liblz4-1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:liblz4:liblz4_1:0.0\\~r131-2\\+deb9u1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/liblz4-1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/liblz4-1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 92\n lz4\n \n \n \n Jonathan Nieder <jrnieder@gmail.com>\n liblzma5\n 5.2.2-1.2+deb9u1\n \n \n Autoconf\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n LGPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n PD\n \n \n PD-debian\n \n \n config-h\n \n \n noderivs\n \n \n permissive-fsf\n \n \n permissive-nowarranty\n \n \n probably-PD\n \n \n cpe:2.3:a:liblzma5:liblzma5:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/liblzma5@5.2.2-1.2+deb9u1?arch=amd64&upstream=xz-utils&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/liblzma5/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/liblzma5:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 338\n xz-utils\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n libmount1\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:libmount1:libmount1:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libmount1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libmount1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libmount1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 403\n util-linux\n \n \n \n Craig Small <csmall@debian.org>\n libncurses5\n 6.0+20161126-1+deb9u2\n cpe:2.3:a:libncurses5:libncurses5:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libncurses5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libtinfo5/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libncurses5:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 287\n ncurses\n \n \n \n Craig Small <csmall@debian.org>\n libncursesw5\n 6.0+20161126-1+deb9u2\n cpe:2.3:a:libncursesw5:libncursesw5:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libncursesw5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libtinfo5/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libncursesw5:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 347\n ncurses\n \n \n \n Magnus Holmgren <holmgren@debian.org>\n libnettle6\n 3.3-1+deb9u1\n \n \n GAP\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-or-later\n \n \n other\n \n \n public-domain\n \n \n cpe:2.3:a:libnettle6:libnettle6:3.3-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libnettle6@3.3-1+deb9u1?arch=amd64&upstream=nettle&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libnettle6/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libnettle6:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 357\n nettle\n \n \n \n Eric Dorland <eric@debian.org>\n libnpth0\n 1.3-1\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n cpe:2.3:a:libnpth0:libnpth0:1.3-1:*:*:*:*:*:*:*\n pkg:deb/debian/libnpth0@1.3-1?arch=amd64&upstream=npth&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libnpth0/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libnpth0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 43\n npth\n \n \n \n Debian SSSD Team <pkg-sssd-devel@lists.alioth.debian.org>\n libnss-wrapper\n 1.1.3-1\n \n \n BSD-3-clauses\n \n \n cpe:2.3:a:libnss-wrapper:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:*\n pkg:deb/debian/libnss-wrapper@1.1.3-1?arch=amd64&upstream=nss-wrapper&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libnss-wrapper:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:*\n cpe:2.3:a:libnss_wrapper:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:*\n cpe:2.3:a:libnss_wrapper:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:*\n cpe:2.3:a:libnss:libnss-wrapper:1.1.3-1:*:*:*:*:*:*:*\n cpe:2.3:a:libnss:libnss_wrapper:1.1.3-1:*:*:*:*:*:*:*\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /usr/share/doc/libnss-wrapper/copyright\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /var/lib/dpkg/info/libnss-wrapper.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 87\n nss-wrapper\n \n \n \n Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>\n libp11-kit0\n 0.23.3-2+deb9u1\n \n \n BSD-3-Clause\n \n \n ISC\n \n \n ISC+IBM\n \n \n permissive-like-automake-output\n \n \n same-as-rest-of-p11kit\n \n \n cpe:2.3:a:libp11-kit0:libp11-kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libp11-kit0@0.23.3-2+deb9u1?arch=amd64&upstream=p11-kit&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libp11-kit0:libp11_kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libp11_kit0:libp11-kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libp11_kit0:libp11_kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libp11:libp11-kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libp11:libp11_kit0:0.23.3-2\\+deb9u1:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libp11-kit0/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libp11-kit0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 439\n p11-kit\n \n \n \n Steve Langasek <vorlon@debian.org>\n libpam-modules\n 1.1.8-3.6\n \n \n GPL\n \n \n cpe:2.3:a:libpam-modules:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:*\n pkg:deb/debian/libpam-modules@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libpam-modules:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam-modules:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam_modules:1.1.8-3.6:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libpam-modules/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam-modules:amd64.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam-modules:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 874\n pam\n \n \n \n Steve Langasek <vorlon@debian.org>\n libpam-modules-bin\n 1.1.8-3.6\n \n \n GPL\n \n \n cpe:2.3:a:libpam-modules-bin:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:*\n pkg:deb/debian/libpam-modules-bin@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libpam-modules-bin:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules_bin:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules_bin:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam-modules:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam-modules:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_modules:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam-modules-bin:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam_modules_bin:1.1.8-3.6:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libpam-modules-bin/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam-modules-bin.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 220\n pam\n \n \n \n Steve Langasek <vorlon@debian.org>\n libpam-runtime\n 1.1.8-3.6\n \n \n GPL\n \n \n cpe:2.3:a:libpam-runtime:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:*\n pkg:deb/debian/libpam-runtime@1.1.8-3.6?arch=all&upstream=pam&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libpam-runtime:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_runtime:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam_runtime:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam-runtime:1.1.8-3.6:*:*:*:*:*:*:*\n cpe:2.3:a:libpam:libpam_runtime:1.1.8-3.6:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libpam-runtime/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam-runtime.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam-runtime.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1016\n pam\n \n \n \n Steve Langasek <vorlon@debian.org>\n libpam0g\n 1.1.8-3.6\n \n \n GPL\n \n \n cpe:2.3:a:libpam0g:libpam0g:1.1.8-3.6:*:*:*:*:*:*:*\n pkg:deb/debian/libpam0g@1.1.8-3.6?arch=amd64&upstream=pam&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libpam0g/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpam0g:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 229\n pam\n \n \n \n Matthew Vernon <matthew@debian.org>\n libpcre3\n 2:8.39-3\n cpe:2.3:a:libpcre3:libpcre3:2\\:8.39-3:*:*:*:*:*:*:*\n pkg:deb/debian/libpcre3@2:8.39-3?arch=amd64&upstream=pcre3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libpcre3/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libpcre3:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 668\n pcre3\n \n \n \n Niko Tyni <ntyni@debian.org>\n libperl5.24\n 5.24.1-3+deb9u7\n \n \n Artistic\n \n \n Artistic-2.0\n \n \n BSD-3-Clause\n \n \n BSD-3-clause-GENERIC\n \n \n BSD-3-clause-with-weird-numbering\n \n \n BSD-4-clause-POWERDOG\n \n \n BZIP\n \n \n DONT-CHANGE-THE-GPL\n \n \n Expat\n \n \n GPL-1.0-only\n \n \n GPL-1.0-or-later\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3+-WITH-BISON-EXCEPTION\n \n \n HSIEH-BSD\n \n \n HSIEH-DERIVATIVE\n \n \n LGPL-2.1-only\n \n \n REGCOMP\n \n \n REGCOMP,\n \n \n RRA-KEEP-THIS-NOTICE\n \n \n S2P\n \n \n SDBM-PUBLIC-DOMAIN\n \n \n TEXT-TABS\n \n \n Unicode\n \n \n Zlib\n \n \n cpe:2.3:a:libperl5.24:libperl5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n pkg:deb/debian/libperl5.24@5.24.1-3+deb9u7?arch=amd64&upstream=perl&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libperl5.24/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libperl5.24:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 20936\n perl\n \n \n \n Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>\n libpq5\n 14.2-1.pgdg90+1\n \n \n Artistic\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-3-Clause\n \n \n Custom-Unicode\n \n \n Custom-pg_dump\n \n \n Custom-regex\n \n \n GPL-1.0-only\n \n \n PostgreSQL\n \n \n TCL\n \n \n blf\n \n \n double-metaphone\n \n \n imath\n \n \n nagaysau-ishii\n \n \n rijndael\n \n \n cpe:2.3:a:libpq5:libpq5:14.2-1.pgdg90\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/libpq5@14.2-1.pgdg90+1?arch=amd64&upstream=postgresql-14&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libpq5/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libpq5:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 743\n postgresql-14\n \n \n \n Matthias Klose <doko@debian.org>\n libreadline7\n 7.0-3\n \n \n GFDL\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:libreadline7:libreadline7:7.0-3:*:*:*:*:*:*:*\n pkg:deb/debian/libreadline7@7.0-3?arch=amd64&upstream=readline&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libreadline7/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libreadline7:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 416\n readline\n \n \n \n Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>\n libsasl2-2\n 2.1.27~101-g0780600+dfsg-3+deb9u2\n \n \n BSD-4-Clause\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n cpe:2.3:a:libsasl2-2:libsasl2-2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libsasl2-2@2.1.27~101-g0780600+dfsg-3+deb9u2?arch=amd64&upstream=cyrus-sasl2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libsasl2-2:libsasl2_2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_2:libsasl2-2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_2:libsasl2_2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2:libsasl2-2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2:libsasl2_2:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libsasl2-2/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libsasl2-2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 184\n cyrus-sasl2\n \n \n \n Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-devel@lists.alioth.debian.org>\n libsasl2-modules-db\n 2.1.27~101-g0780600+dfsg-3+deb9u2\n \n \n BSD-4-Clause\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n cpe:2.3:a:libsasl2-modules-db:libsasl2-modules-db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libsasl2-modules-db@2.1.27~101-g0780600+dfsg-3+deb9u2?arch=amd64&upstream=cyrus-sasl2&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libsasl2-modules-db:libsasl2_modules_db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_modules_db:libsasl2-modules-db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_modules_db:libsasl2_modules_db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2-modules:libsasl2-modules-db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2-modules:libsasl2_modules_db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_modules:libsasl2-modules-db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2_modules:libsasl2_modules_db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2:libsasl2-modules-db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:libsasl2:libsasl2_modules_db:2.1.27\\~101-g0780600\\+dfsg-3\\+deb9u2:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libsasl2-modules-db/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libsasl2-modules-db:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 97\n cyrus-sasl2\n \n \n \n Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>\n libselinux1\n 2.6-3+b3\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libselinux1:libselinux1:2.6-3\\+b3:*:*:*:*:*:*:*\n pkg:deb/debian/libselinux1@2.6-3+b3?arch=amd64&upstream=libselinux%402.6-3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libselinux1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libselinux1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 209\n libselinux\n 2.6-3\n \n \n \n Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>\n libsemanage-common\n 2.6-2\n \n \n GPL\n \n \n LGPL\n \n \n cpe:2.3:a:libsemanage-common:libsemanage-common:2.6-2:*:*:*:*:*:*:*\n pkg:deb/debian/libsemanage-common@2.6-2?arch=all&upstream=libsemanage&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libsemanage-common:libsemanage_common:2.6-2:*:*:*:*:*:*:*\n cpe:2.3:a:libsemanage_common:libsemanage-common:2.6-2:*:*:*:*:*:*:*\n cpe:2.3:a:libsemanage_common:libsemanage_common:2.6-2:*:*:*:*:*:*:*\n cpe:2.3:a:libsemanage:libsemanage-common:2.6-2:*:*:*:*:*:*:*\n cpe:2.3:a:libsemanage:libsemanage_common:2.6-2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libsemanage-common/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsemanage-common.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsemanage-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 39\n libsemanage\n \n \n \n Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>\n libsemanage1\n 2.6-2\n \n \n GPL\n \n \n LGPL\n \n \n cpe:2.3:a:libsemanage1:libsemanage1:2.6-2:*:*:*:*:*:*:*\n pkg:deb/debian/libsemanage1@2.6-2?arch=amd64&upstream=libsemanage&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libsemanage1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsemanage1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 291\n libsemanage\n \n \n \n Debian SELinux maintainers <selinux-devel@lists.alioth.debian.org>\n libsepol1\n 2.6-2\n \n \n GPL\n \n \n LGPL\n \n \n cpe:2.3:a:libsepol1:libsepol1:2.6-2:*:*:*:*:*:*:*\n pkg:deb/debian/libsepol1@2.6-2?arch=amd64&upstream=libsepol&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libsepol1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsepol1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 653\n libsepol\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n libsmartcols1\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:libsmartcols1:libsmartcols1:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libsmartcols1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libsmartcols1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsmartcols1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 257\n util-linux\n \n \n \n Laszlo Boszormenyi (GCS) <gcs@debian.org>\n libsqlite3-0\n 3.16.2-5+deb9u3\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n public-domain\n \n \n cpe:2.3:a:libsqlite3-0:libsqlite3-0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/libsqlite3-0@3.16.2-5+deb9u3?arch=amd64&upstream=sqlite3&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libsqlite3-0:libsqlite3_0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libsqlite3_0:libsqlite3-0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libsqlite3_0:libsqlite3_0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libsqlite3:libsqlite3-0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n cpe:2.3:a:libsqlite3:libsqlite3_0:3.16.2-5\\+deb9u3:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libsqlite3-0/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libsqlite3-0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1163\n sqlite3\n \n \n \n Theodore Y. Ts'o <tytso@mit.edu>\n libss2\n 1.43.4-2+deb9u2\n cpe:2.3:a:libss2:libss2:1.43.4-2\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libss2@1.43.4-2+deb9u2?arch=amd64&upstream=e2fsprogs&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libss2/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libss2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 96\n e2fsprogs\n \n \n \n Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>\n libssl1.1\n 1.1.0l-1~deb9u5\n cpe:2.3:a:libssl1.1:libssl1.1:1.1.0l-1\\~deb9u5:*:*:*:*:*:*:*\n pkg:deb/debian/libssl1.1@1.1.0l-1~deb9u5?arch=amd64&upstream=openssl&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libssl1.1/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libssl1.1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3565\n openssl\n \n \n \n Debian GCC Maintainers <debian-gcc@lists.debian.org>\n libstdc++6\n 6.3.0-18+deb9u1\n \n \n Artistic\n \n \n GFDL-1.2-only\n \n \n GPL\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:libstdc\\+\\+6:libstdc\\+\\+6:6.3.0-18\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libstdc++6@6.3.0-18+deb9u1?arch=amd64&upstream=gcc-6&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/gcc-6-base/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libstdc++6:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1998\n gcc-6\n \n \n \n Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>\n libsystemd0\n 232-25+deb9u13\n \n \n CC0\n \n \n Expat\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n public-domain\n \n \n cpe:2.3:a:libsystemd0:libsystemd0:232-25\\+deb9u13:*:*:*:*:*:*:*\n pkg:deb/debian/libsystemd0@232-25+deb9u13?arch=amd64&upstream=systemd&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libsystemd0/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libsystemd0:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 654\n systemd\n \n \n \n Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>\n libtasn1-6\n 4.10-1.1+deb9u1\n \n \n GFDL-1.3-only\n \n \n GPL-3.0-only\n \n \n LGPL\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:libtasn1-6:libtasn1-6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libtasn1-6@4.10-1.1+deb9u1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libtasn1-6:libtasn1_6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libtasn1_6:libtasn1-6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libtasn1_6:libtasn1_6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libtasn1:libtasn1-6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:libtasn1:libtasn1_6:4.10-1.1\\+deb9u1:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/libtasn1-6/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/libtasn1-6:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 112\n \n \n \n Craig Small <csmall@debian.org>\n libtinfo5\n 6.0+20161126-1+deb9u2\n cpe:2.3:a:libtinfo5:libtinfo5:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libtinfo5@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libtinfo5/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libtinfo5:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 478\n ncurses\n \n \n \n Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>\n libudev1\n 232-25+deb9u13\n \n \n CC0\n \n \n Expat\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n public-domain\n \n \n cpe:2.3:a:libudev1:libudev1:232-25\\+deb9u13:*:*:*:*:*:*:*\n pkg:deb/debian/libudev1@232-25+deb9u13?arch=amd64&upstream=systemd&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libudev1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libudev1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 224\n systemd\n \n \n \n Vaclav Ovsik <vaclav.ovsik@i.cz>\n libustr-1.0-1\n 1.0.4-6\n \n \n BSD-2-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n MIT\n \n \n cpe:2.3:a:libustr-1.0-1:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:*\n pkg:deb/debian/libustr-1.0-1@1.0.4-6?arch=amd64&upstream=ustr&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:libustr-1.0-1:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr_1.0_1:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr_1.0_1:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr-1.0:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr-1.0:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr_1.0:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr_1.0:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr:libustr-1.0-1:1.0.4-6:*:*:*:*:*:*:*\n cpe:2.3:a:libustr:libustr_1.0_1:1.0.4-6:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libustr-1.0-1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libustr-1.0-1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 258\n ustr\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n libuuid1\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:libuuid1:libuuid1:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libuuid1@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/libuuid1/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/libuuid1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 107\n util-linux\n \n \n \n Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>\n libxml2\n 2.9.4+dfsg1-2.2+deb9u6\n cpe:2.3:a:libxml2:libxml2:2.9.4\\+dfsg1-2.2\\+deb9u6:*:*:*:*:*:*:*\n pkg:deb/debian/libxml2@2.9.4+dfsg1-2.2+deb9u6?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libxml2/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libxml2:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2131\n \n \n \n Debian XML/SGML Group <debian-xml-sgml-pkgs@lists.alioth.debian.org>\n libxslt1.1\n 1.1.29-2.1+deb9u2\n cpe:2.3:a:libxslt1.1:libxslt1.1:1.1.29-2.1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/libxslt1.1@1.1.29-2.1+deb9u2?arch=amd64&upstream=libxslt&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/libxslt1.1/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/libxslt1.1:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 481\n libxslt\n \n \n \n Debian Med Packaging <debian-med-packaging@lists.alioth.debian.org>\n libzstd1\n 1.1.2-1+deb9u1\n \n \n BSD-3-clause-with-patent-grant\n \n \n Expat\n \n \n Zlib\n \n \n cpe:2.3:a:libzstd1:libzstd1:1.1.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/libzstd1@1.1.2-1+deb9u1?arch=amd64&upstream=libzstd&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /usr/share/doc/libzstd1/copyright\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /var/lib/dpkg/info/libzstd1.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 550\n libzstd\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n locales\n 2.24-11+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:locales:locales:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/locales@2.24-11+deb9u4?arch=all&upstream=glibc&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56\n /usr/share/doc/locales/copyright\n sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56\n /var/lib/dpkg/info/locales.conffiles\n sha256:5afa113a433cd32056370367d1a936a5e77cc30cca6590c0241acffa33d1ec56\n /var/lib/dpkg/info/locales.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 9246\n glibc\n \n \n \n Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>\n login\n 1:4.4-4.1+deb9u1\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:login:login:1\\:4.4-4.1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/login@1:4.4-4.1+deb9u1?arch=amd64&upstream=shadow&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/login/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/login.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/login.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2747\n shadow\n \n \n \n Debian LSB Team <debian-lsb@lists.debian.org>\n lsb-base\n 9.20161125\n \n \n BSD-3-Clause\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:lsb-base:lsb-base:9.20161125:*:*:*:*:*:*:*\n pkg:deb/debian/lsb-base@9.20161125?arch=all&upstream=lsb&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:lsb-base:lsb_base:9.20161125:*:*:*:*:*:*:*\n cpe:2.3:a:lsb_base:lsb-base:9.20161125:*:*:*:*:*:*:*\n cpe:2.3:a:lsb_base:lsb_base:9.20161125:*:*:*:*:*:*:*\n cpe:2.3:a:lsb:lsb-base:9.20161125:*:*:*:*:*:*:*\n cpe:2.3:a:lsb:lsb_base:9.20161125:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/lsb-base/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/lsb-base.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 49\n lsb\n \n \n \n Steve Langasek <vorlon@debian.org>\n mawk\n 1.3.3-17+b3\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:mawk:mawk:1.3.3-17\\+b3:*:*:*:*:*:*:*\n pkg:deb/debian/mawk@1.3.3-17+b3?arch=amd64&upstream=mawk%401.3.3-17&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/mawk/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/mawk.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 183\n mawk\n 1.3.3-17\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n mount\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:mount:mount:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/mount@2.29.2-1+deb9u1?arch=amd64&upstream=util-linux&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/mount/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/mount.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 444\n util-linux\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n multiarch-support\n 2.24-11+deb9u4\n \n \n GPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n cpe:2.3:a:multiarch-support:multiarch-support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n pkg:deb/debian/multiarch-support@2.24-11+deb9u4?arch=amd64&upstream=glibc&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:multiarch-support:multiarch_support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:multiarch_support:multiarch-support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:multiarch_support:multiarch_support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:multiarch:multiarch-support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n cpe:2.3:a:multiarch:multiarch_support:2.24-11\\+deb9u4:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/multiarch-support/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/multiarch-support.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 221\n glibc\n \n \n \n Craig Small <csmall@debian.org>\n ncurses-base\n 6.0+20161126-1+deb9u2\n cpe:2.3:a:ncurses-base:ncurses-base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/ncurses-base@6.0+20161126-1+deb9u2?arch=all&upstream=ncurses&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:ncurses-base:ncurses_base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses_base:ncurses-base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses_base:ncurses_base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses:ncurses-base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses:ncurses_base:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/ncurses-base/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/ncurses-base.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/ncurses-base.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 340\n ncurses\n \n \n \n Craig Small <csmall@debian.org>\n ncurses-bin\n 6.0+20161126-1+deb9u2\n cpe:2.3:a:ncurses-bin:ncurses-bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n pkg:deb/debian/ncurses-bin@6.0+20161126-1+deb9u2?arch=amd64&upstream=ncurses&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:ncurses-bin:ncurses_bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses_bin:ncurses-bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses_bin:ncurses_bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses:ncurses-bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n cpe:2.3:a:ncurses:ncurses_bin:6.0\\+20161126-1\\+deb9u2:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/ncurses-bin/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/ncurses-bin.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 536\n ncurses\n \n \n \n Marco d'Itri <md@linux.it>\n netbase\n 5.4\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:netbase:netbase:5.4:*:*:*:*:*:*:*\n pkg:deb/debian/netbase@5.4?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/netbase/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/netbase.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/netbase.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 44\n \n \n \n Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>\n openssl\n 1.1.0l-1~deb9u5\n cpe:2.3:a:openssl:openssl:1.1.0l-1\\~deb9u5:*:*:*:*:*:*:*\n pkg:deb/debian/openssl@1.1.0l-1~deb9u5?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/openssl/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/openssl.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/openssl.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1315\n \n \n \n Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>\n passwd\n 1:4.4-4.1+deb9u1\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:passwd:passwd:1\\:4.4-4.1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/passwd@1:4.4-4.1+deb9u1?arch=amd64&upstream=shadow&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/passwd/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/passwd.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/passwd.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2478\n shadow\n \n \n \n Niko Tyni <ntyni@debian.org>\n perl\n 5.24.1-3+deb9u7\n \n \n Artistic\n \n \n Artistic-2.0\n \n \n BSD-3-Clause\n \n \n BSD-3-clause-GENERIC\n \n \n BSD-3-clause-with-weird-numbering\n \n \n BSD-4-clause-POWERDOG\n \n \n BZIP\n \n \n DONT-CHANGE-THE-GPL\n \n \n Expat\n \n \n GPL-1.0-only\n \n \n GPL-1.0-or-later\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3+-WITH-BISON-EXCEPTION\n \n \n HSIEH-BSD\n \n \n HSIEH-DERIVATIVE\n \n \n LGPL-2.1-only\n \n \n REGCOMP\n \n \n REGCOMP,\n \n \n RRA-KEEP-THIS-NOTICE\n \n \n S2P\n \n \n SDBM-PUBLIC-DOMAIN\n \n \n TEXT-TABS\n \n \n Unicode\n \n \n Zlib\n \n \n cpe:2.3:a:perl:perl:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n pkg:deb/debian/perl@5.24.1-3+deb9u7?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/perl/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/perl.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/perl.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 651\n \n \n \n Niko Tyni <ntyni@debian.org>\n perl-base\n 5.24.1-3+deb9u7\n \n \n Artistic\n \n \n Artistic-2.0\n \n \n BSD-3-Clause\n \n \n BSD-3-clause-GENERIC\n \n \n BSD-3-clause-with-weird-numbering\n \n \n BSD-4-clause-POWERDOG\n \n \n BZIP\n \n \n DONT-CHANGE-THE-GPL\n \n \n Expat\n \n \n GPL-1.0-only\n \n \n GPL-1.0-or-later\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3+-WITH-BISON-EXCEPTION\n \n \n HSIEH-BSD\n \n \n HSIEH-DERIVATIVE\n \n \n LGPL-2.1-only\n \n \n REGCOMP\n \n \n REGCOMP,\n \n \n RRA-KEEP-THIS-NOTICE\n \n \n S2P\n \n \n SDBM-PUBLIC-DOMAIN\n \n \n TEXT-TABS\n \n \n Unicode\n \n \n Zlib\n \n \n cpe:2.3:a:perl-base:perl-base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n pkg:deb/debian/perl-base@5.24.1-3+deb9u7?arch=amd64&upstream=perl&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:perl-base:perl_base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_base:perl-base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_base:perl_base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl:perl-base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl:perl_base:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/perl/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/perl-base.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 7551\n perl\n \n \n \n Niko Tyni <ntyni@debian.org>\n perl-modules-5.24\n 5.24.1-3+deb9u7\n \n \n Artistic\n \n \n Artistic-2.0\n \n \n BSD-3-Clause\n \n \n BSD-3-clause-GENERIC\n \n \n BSD-3-clause-with-weird-numbering\n \n \n BSD-4-clause-POWERDOG\n \n \n BZIP\n \n \n DONT-CHANGE-THE-GPL\n \n \n Expat\n \n \n GPL-1.0-only\n \n \n GPL-1.0-or-later\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3+-WITH-BISON-EXCEPTION\n \n \n HSIEH-BSD\n \n \n HSIEH-DERIVATIVE\n \n \n LGPL-2.1-only\n \n \n REGCOMP\n \n \n REGCOMP,\n \n \n RRA-KEEP-THIS-NOTICE\n \n \n S2P\n \n \n SDBM-PUBLIC-DOMAIN\n \n \n TEXT-TABS\n \n \n Unicode\n \n \n Zlib\n \n \n cpe:2.3:a:perl-modules-5.24:perl-modules-5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n pkg:deb/debian/perl-modules-5.24@5.24.1-3+deb9u7?arch=all&upstream=perl&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:perl-modules-5.24:perl_modules_5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_modules_5.24:perl-modules-5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_modules_5.24:perl_modules_5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl-modules:perl-modules-5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl-modules:perl_modules_5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_modules:perl-modules-5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl_modules:perl_modules_5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl:perl-modules-5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n cpe:2.3:a:perl:perl_modules_5.24:5.24.1-3\\+deb9u7:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/perl-modules-5.24/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/perl-modules-5.24.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 17631\n perl\n \n \n \n Debian PostgreSQL Maintainers <pkg-postgresql-public@lists.alioth.debian.org>\n pgdg-keyring\n 2018.2\n cpe:2.3:a:pgdg-keyring:pgdg-keyring:2018.2:*:*:*:*:*:*:*\n pkg:deb/debian/pgdg-keyring@2018.2?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:pgdg-keyring:pgdg_keyring:2018.2:*:*:*:*:*:*:*\n cpe:2.3:a:pgdg_keyring:pgdg-keyring:2018.2:*:*:*:*:*:*:*\n cpe:2.3:a:pgdg_keyring:pgdg_keyring:2018.2:*:*:*:*:*:*:*\n cpe:2.3:a:pgdg:pgdg-keyring:2018.2:*:*:*:*:*:*:*\n cpe:2.3:a:pgdg:pgdg_keyring:2018.2:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/pgdg-keyring/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/pgdg-keyring.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 22\n \n \n \n Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>\n pinentry-curses\n 1.0.0-2\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n X11\n \n \n cpe:2.3:a:pinentry-curses:pinentry-curses:1.0.0-2:*:*:*:*:*:*:*\n pkg:deb/debian/pinentry-curses@1.0.0-2?arch=amd64&upstream=pinentry&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:pinentry-curses:pinentry_curses:1.0.0-2:*:*:*:*:*:*:*\n cpe:2.3:a:pinentry_curses:pinentry-curses:1.0.0-2:*:*:*:*:*:*:*\n cpe:2.3:a:pinentry_curses:pinentry_curses:1.0.0-2:*:*:*:*:*:*:*\n cpe:2.3:a:pinentry:pinentry-curses:1.0.0-2:*:*:*:*:*:*:*\n cpe:2.3:a:pinentry:pinentry_curses:1.0.0-2:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/pinentry-curses/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/pinentry-curses.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 99\n pinentry\n \n \n \n postgresql\n 11.15\n cpe:2.3:a:postgresql:postgresql:11.15:*:*:*:*:*:*:*\n pkg:generic/postgresql@11.15\n \n binary-cataloger\n BinaryMetadata\n binary\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/lib/postgresql/11/bin/postgres\n \n \n \n Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>\n postgresql-11\n 11.15-1.pgdg90+1\n \n \n Artistic\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n Custom-Unicode\n \n \n Custom-pg_dump\n \n \n Custom-regex\n \n \n GPL-1.0-only\n \n \n PostgreSQL\n \n \n Snowball\n \n \n TCL\n \n \n blf\n \n \n double-metaphone\n \n \n imath\n \n \n nagaysau-ishii\n \n \n rijndael\n \n \n cpe:2.3:a:postgresql-11:postgresql-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/postgresql-11@11.15-1.pgdg90+1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:postgresql-11:postgresql_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_11:postgresql-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_11:postgresql_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/postgresql-11/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-11.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 44373\n \n \n \n Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>\n postgresql-client-11\n 11.15-1.pgdg90+1\n \n \n Artistic\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n Custom-Unicode\n \n \n Custom-pg_dump\n \n \n Custom-regex\n \n \n GPL-1.0-only\n \n \n PostgreSQL\n \n \n Snowball\n \n \n TCL\n \n \n blf\n \n \n double-metaphone\n \n \n imath\n \n \n nagaysau-ishii\n \n \n rijndael\n \n \n cpe:2.3:a:postgresql-client-11:postgresql-client-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/postgresql-client-11@11.15-1.pgdg90+1?arch=amd64&upstream=postgresql-11&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:postgresql-client-11:postgresql_client_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client_11:postgresql-client-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client_11:postgresql_client_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql-client:postgresql-client-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql-client:postgresql_client_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client:postgresql-client-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client:postgresql_client_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql-client-11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql_client_11:11.15-1.pgdg90\\+1:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/postgresql-client-11/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-client-11.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 6465\n postgresql-11\n \n \n \n Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>\n postgresql-client-common\n 238.pgdg90+1\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:postgresql-client-common:postgresql-client-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/postgresql-client-common@238.pgdg90+1?arch=all&upstream=postgresql-common&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:postgresql-client-common:postgresql_client_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client_common:postgresql-client-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client_common:postgresql_client_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql-client:postgresql-client-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql-client:postgresql_client_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client:postgresql-client-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_client:postgresql_client_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql-client-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql_client_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/postgresql-client-common/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-client-common.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-client-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 188\n postgresql-common\n \n \n \n Debian PostgreSQL Maintainers <team+postgresql@tracker.debian.org>\n postgresql-common\n 238.pgdg90+1\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:postgresql-common:postgresql-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n pkg:deb/debian/postgresql-common@238.pgdg90+1?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:postgresql-common:postgresql_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_common:postgresql-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql_common:postgresql_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql-common:238.pgdg90\\+1:*:*:*:*:*:*:*\n cpe:2.3:a:postgresql:postgresql_common:238.pgdg90\\+1:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/postgresql-common/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-common.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/postgresql-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 691\n \n \n \n Matthias Klose <doko@debian.org>\n readline-common\n 7.0-3\n \n \n GFDL\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:readline-common:readline-common:7.0-3:*:*:*:*:*:*:*\n pkg:deb/debian/readline-common@7.0-3?arch=all&upstream=readline&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:readline-common:readline_common:7.0-3:*:*:*:*:*:*:*\n cpe:2.3:a:readline_common:readline-common:7.0-3:*:*:*:*:*:*:*\n cpe:2.3:a:readline_common:readline_common:7.0-3:*:*:*:*:*:*:*\n cpe:2.3:a:readline:readline-common:7.0-3:*:*:*:*:*:*:*\n cpe:2.3:a:readline:readline_common:7.0-3:*:*:*:*:*:*:*\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /usr/share/doc/readline-common/copyright\n sha256:53da616d382b12a2259d87e48c0a266b2acdbbd42d6efb446b71ee2e1816be47\n /var/lib/dpkg/info/readline-common.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 89\n readline\n \n \n \n Clint Adams <clint@debian.org>\n sed\n 4.4-1\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:sed:sed:4.4-1:*:*:*:*:*:*:*\n pkg:deb/debian/sed@4.4-1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/sed/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/sed.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 799\n \n \n \n Anibal Monsalve Salazar <anibal@debian.org>\n sensible-utils\n 0.0.9+deb9u1\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:sensible-utils:sensible-utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/sensible-utils@0.0.9+deb9u1?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:sensible-utils:sensible_utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:sensible_utils:sensible-utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:sensible_utils:sensible_utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:sensible:sensible-utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:sensible:sensible_utils:0.0.9\\+deb9u1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/sensible-utils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/sensible-utils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 62\n \n \n \n Debian Apache Maintainers <debian-apache@lists.debian.org>\n ssl-cert\n 1.0.39\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:ssl-cert:ssl-cert:1.0.39:*:*:*:*:*:*:*\n pkg:deb/debian/ssl-cert@1.0.39?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:ssl-cert:ssl_cert:1.0.39:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_cert:ssl-cert:1.0.39:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_cert:ssl_cert:1.0.39:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-cert:1.0.39:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_cert:1.0.39:*:*:*:*:*:*:*\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/ssl-cert/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/ssl-cert.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 63\n \n \n \n Debian sysvinit maintainers <pkg-sysvinit-devel@lists.alioth.debian.org>\n sysvinit-utils\n 2.88dsf-59.9\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:sysvinit-utils:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:*\n pkg:deb/debian/sysvinit-utils@2.88dsf-59.9?arch=amd64&upstream=sysvinit&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:sysvinit-utils:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:*\n cpe:2.3:a:sysvinit_utils:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:*\n cpe:2.3:a:sysvinit_utils:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:*\n cpe:2.3:a:sysvinit:sysvinit-utils:2.88dsf-59.9:*:*:*:*:*:*:*\n cpe:2.3:a:sysvinit:sysvinit_utils:2.88dsf-59.9:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/sysvinit-utils/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/sysvinit-utils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 110\n sysvinit\n \n \n \n Bdale Garbee <bdale@gag.com>\n tar\n 1.29b-1.1+deb9u1\n \n \n GPL-2.0-only\n \n \n GPL-3.0-only\n \n \n cpe:2.3:a:tar:tar:1.29b-1.1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/tar@1.29b-1.1+deb9u1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/tar/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/tar.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/tar.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 2774\n \n \n \n GNU Libc Maintainers <debian-glibc@lists.debian.org>\n tzdata\n 2021a-0+deb9u3\n cpe:2.3:a:tzdata:tzdata:2021a-0\\+deb9u3:*:*:*:*:*:*:*\n pkg:deb/debian/tzdata@2021a-0+deb9u3?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/tzdata/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/tzdata.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3036\n \n \n \n Manoj Srivastava <srivasta@debian.org>\n ucf\n 3.0036\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ucf:ucf:3.0036:*:*:*:*:*:*:*\n pkg:deb/debian/ucf@3.0036?arch=all&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /usr/share/doc/ucf/copyright\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/ucf.conffiles\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/info/ucf.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 191\n \n \n \n Debian util-linux Maintainers <ah-util-linux@debian.org>\n util-linux\n 2.29.2-1+deb9u1\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n BSD-4-Clause\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n GPL-3.0-or-later\n \n \n LGPL\n \n \n LGPL-2.0-only\n \n \n LGPL-2.0-or-later\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n LGPL-3.0-only\n \n \n LGPL-3.0-or-later\n \n \n MIT\n \n \n public-domain\n \n \n cpe:2.3:a:util-linux:util-linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/util-linux@2.29.2-1+deb9u1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:util-linux:util_linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:util_linux:util-linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:util_linux:util_linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:util:util-linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:util:util_linux:2.29.2-1\\+deb9u1:*:*:*:*:*:*:*\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/util-linux/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/util-linux.conffiles\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/util-linux.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 3558\n \n \n \n Jonathan Nieder <jrnieder@gmail.com>\n xz-utils\n 5.2.2-1.2+deb9u1\n \n \n Autoconf\n \n \n GPL-2.0-only\n \n \n GPL-2.0-or-later\n \n \n GPL-3.0-only\n \n \n LGPL-2.0-only\n \n \n LGPL-2.1-only\n \n \n LGPL-2.1-or-later\n \n \n PD\n \n \n PD-debian\n \n \n config-h\n \n \n noderivs\n \n \n permissive-fsf\n \n \n permissive-nowarranty\n \n \n probably-PD\n \n \n cpe:2.3:a:xz-utils:xz-utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/xz-utils@5.2.2-1.2+deb9u1?arch=amd64&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n cpe:2.3:a:xz-utils:xz_utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:xz_utils:xz-utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:xz_utils:xz_utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:xz:xz-utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n cpe:2.3:a:xz:xz_utils:5.2.2-1.2\\+deb9u1:*:*:*:*:*:*:*\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /usr/share/doc/xz-utils/copyright\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /var/lib/dpkg/info/xz-utils.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 515\n \n \n \n Mark Brown <broonie@debian.org>\n zlib1g\n 1:1.2.8.dfsg-5+deb9u1\n cpe:2.3:a:zlib1g:zlib1g:1\\:1.2.8.dfsg-5\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/zlib1g@1:1.2.8.dfsg-5+deb9u1?arch=amd64&upstream=zlib&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /usr/share/doc/zlib1g/copyright\n sha256:20fa02db39e77a3327d6aabea63ca2b5ced645c33e08ada3aea745130d341e73\n /var/lib/dpkg/info/zlib1g:amd64.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 156\n zlib\n \n \n \n Debian Med Packaging <debian-med-packaging@lists.alioth.debian.org>\n zstd\n 1.1.2-1+deb9u1\n \n \n BSD-3-clause-with-patent-grant\n \n \n Expat\n \n \n Zlib\n \n \n cpe:2.3:a:zstd:zstd:1.1.2-1\\+deb9u1:*:*:*:*:*:*:*\n pkg:deb/debian/zstd@1.1.2-1+deb9u1?arch=amd64&upstream=libzstd&distro=debian-9\n \n dpkgdb-cataloger\n DpkgMetadata\n deb\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /usr/share/doc/zstd/copyright\n sha256:01d30ba422c5d9f4a346d59ee398d0ab9882cd9b962e972a68c9c5345c2e4767\n /var/lib/dpkg/info/zstd.md5sums\n sha256:28ad98e51293c2d01fd259354167ecd9f9ca0cd7aa8f025e068d7f372e5ccceb\n /var/lib/dpkg/status\n 1218\n libzstd\n \n \n \n debian\n 9\n Debian GNU/Linux 9 (stretch)\n \n \n \n https://bugs.debian.org/\n \n \n https://www.debian.org/\n \n \n https://www.debian.org/support\n support\n \n \n \n debian\n Debian GNU/Linux 9 (stretch)\n stretch\n 9\n \n \n \n" }, { "path": "cmd/osv-scanner/scan/source/testdata/sbom-insecure/with-duplicates.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.10-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.10-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.10-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.10-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n alpine\n 3.17.2\n Alpine Linux v3.17\n \n \n \n https://gitlab.alpinelinux.org/alpine/aports/-/issues\n \n \n https://alpinelinux.org/\n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/scan/source/testmain_test.go", "content": "package source_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan/source\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tconfig.OSVScannerConfigName = \"osv-scanner-test.toml\"\n\n\tcleanupGitFixtures, err := testcmd.SetupGitFixtures()\n\n\tif err != nil {\n\t\tcleanupGitFixtures()\n\n\t\tpanic(err)\n\t}\n\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{source.Command}\n\tm.Run()\n\n\tcleanupGitFixtures()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/scan/testdata/cassettes/TestCommand_SubCommands.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_SubCommands/scan_with_a_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_SubCommands/with_no_subcommand\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - TestCommand_SubCommands/with_scan_subcommand\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/alpine.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.13-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n alpine\n 3.17.2\n Alpine Linux v3.17\n \n \n \n https://gitlab.alpinelinux.org/alpine/aports/-/issues\n \n \n https://alpinelinux.org/\n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/installed", "content": "C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\nP:apk-tools\nV:2.12.10-r1\nA:x86_64\nS:120973\nI:307200\nT:Alpine Package Keeper - package manager for alpine\nU:https://gitlab.alpinelinux.org/alpine/apk-tools\nL:GPL-2.0-only\no:apk-tools\nm:Natanael Copa \nt:1666552494\nc:0188f510baadbae393472103427b9c1875117136\nD:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1\np:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1\nF:etc\nF:etc/apk\nF:etc/apk/keys\nF:etc/apk/protected_paths.d\nF:lib\nR:libapk.so.3.12.0\na:0:0:755\nZ:Q1opjpYqXgzmOVo7EbNe8l5Xol08g=\nF:lib/apk\nF:lib/apk/exec\nF:sbin\nR:apk\na:0:0:755\nZ:Q1/4bmOPe/H1YhHRzlrj27oufThMw=\nF:var\nF:var/lib\nF:var/lib/apk" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/not-a-lockfile.toml", "content": "_=\"whatever this is, it's not a lockfile!\"\n" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/replace-local.mod", "content": "require (\n golang.org/x/net v1.2.3\n)\n\nreplace (\n golang.org/x/net v1.2.3 => ./fork/net\n)\n" }, { "path": "cmd/osv-scanner/scan/testdata/locks-many/status", "content": "Package: adduser\nStatus: install ok installed\nPriority: important\nSection: admin\nInstalled-Size: 849\nMaintainer: redacted \nArchitecture: all\nMulti-Arch: foreign\nVersion: 3.118\nDepends: passwd, debconf (>= 0.5) | debconf-2.0\nSuggests: liblocale-gettext-perl, perl\nConffiles:\n /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2\nDescription: add and remove users and groups\n This package includes the 'adduser' and 'deluser' commands for creating\n and removing users.\n .\n - 'adduser' creates new users and groups and adds existing users to\n existing groups;\n - 'deluser' removes users and groups and removes users from a given\n group.\n .\n Adding users with 'adduser' is much easier than adding them manually.\n Adduser will choose appropriate UID and GID values, create a home\n directory, copy skeletal user configuration, and automate setting\n initial values for the user's password, real name and so on.\n .\n Deluser can back up and remove users' home directories\n and mail spool or all the files they own on the system.\n .\n A custom script can be executed after each of the commands." }, { "path": "cmd/osv-scanner/scan/testmain_test.go", "content": "package scan_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tconfig.OSVScannerConfigName = \"osv-scanner-test.toml\"\n\n\tcleanupGitFixtures, err := testcmd.SetupGitFixtures()\n\n\tif err != nil {\n\t\tcleanupGitFixtures()\n\n\t\tpanic(err)\n\t}\n\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{scan.Command}\n\tm.Run()\n\n\tcleanupGitFixtures()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/testdata/cassettes/Test_run_SubCommands.yaml", "content": "---\nversion: 2\ninteractions:\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 278\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"balanced-match\"\n },\n \"version\": \"1.0.2\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - Test_run_SubCommands/scan_with_a_flag\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 19\n body: |\n {\n \"results\": [\n {},\n {}\n ]\n }\n headers:\n Content-Length:\n - \"19\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - Test_run_SubCommands/with_no_subcommand\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n - request:\n proto: HTTP/1.1\n proto_major: 1\n proto_minor: 1\n content_length: 151\n host: api.osv.dev\n body: |\n {\n \"queries\": [\n {\n \"package\": {\n \"ecosystem\": \"Packagist\",\n \"name\": \"sentry/sdk\"\n },\n \"version\": \"2.0.4\"\n }\n ]\n }\n headers:\n Content-Type:\n - application/json\n X-Test-Name:\n - Test_run_SubCommands/with_scan_subcommand\n url: https://api.osv.dev/v1/querybatch\n method: POST\n response:\n proto: HTTP/2.0\n proto_major: 2\n proto_minor: 0\n content_length: 16\n body: |\n {\n \"results\": [\n {}\n ]\n }\n headers:\n Content-Length:\n - \"16\"\n Content-Type:\n - application/json\n status: 200 OK\n code: 200\n duration: 0s\n" }, { "path": "cmd/osv-scanner/testdata/locks-many/alpine.cdx.xml", "content": "\n\n \n 2023-03-02T12:04:22+11:00\n \n \n anchore\n syft\n 0.73.0\n \n \n \n alpine:latest\n sha256:fd6275a37d2472b9d3be70c3261087b8d65e441c21342ae7313096312bcda2b3\n \n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 331776\n alpine-baselayout\n Q1/eXfmbYT1WXenFSqKjroYyK84NE=\n alpine-baselayout-data=3.4.0-r0\n /bin/sh\n 8890\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-baselayout-data\n 3.4.0-r0\n Alpine base dir structure and init scripts\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-baselayout-data@3.4.0-r0?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.17.2\n \n \n https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout_data:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine-baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_baselayout:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-baselayout-data:3.4.0-r0:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_baselayout_data:3.4.0-r0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bd965a7ebf7fd8f07d7a0cc0d7375bf3e4eb9b24\n 77824\n alpine-baselayout\n Q1/JgpM8J6DWI/541tUX+uHEzSjqo=\n 11664\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n alpine-keys\n 2.4-r1\n Public keys for Alpine Linux packages\n \n \n MIT\n \n \n cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/alpine-keys@2.4-r1?arch=x86_64&upstream=alpine-keys&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine_keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*\n cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n aab68f8c9ab434a46710de8e12fb3206e2930a59\n 159744\n alpine-keys\n Q1KM01lfKVp+gEZn23awujqjSkrN8=\n 13361\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n apk-tools\n 2.12.10-r1\n Alpine Package Keeper - package manager for alpine\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:apk-tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/apk-tools@2.12.10-r1?arch=x86_64&upstream=apk-tools&distro=alpine-3.17.2\n \n \n https://gitlab.alpinelinux.org/alpine/apk-tools\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:apk-tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk_tools:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk-tools:2.12.10-r1:*:*:*:*:*:*:*\n cpe:2.3:a:apk:apk_tools:2.12.10-r1:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 0188f510baadbae393472103427b9c1875117136\n 307200\n apk-tools\n so:libapk.so.3.12.0=3.12.0\n cmd:apk=2.12.10-r1\n Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\n musl>=1.2\n ca-certificates-bundle\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n so:libz.so.1\n 120973\n \n \n \n busybox\n 1.35.0\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n \n binary-cataloger\n BinaryMetadata\n binary\n cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /bin/busybox\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n busybox-binsh\n 1.36.1-r27\n busybox ash /bin/sh\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:busybox-binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/busybox-binsh@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:busybox-binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox_binsh:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox-binsh:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:busybox:busybox_binsh:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 8192\n busybox\n /bin/sh\n cmd:sh=1.36.1-r27\n Q1miWwyhWKXVEiRYLhmArV1TKMs6A=\n busybox=1.36.1-r27\n 1547\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n ca-certificates-bundle\n 20220614-r4\n Pre generated bundle of Mozilla certificates\n \n \n MPL-2.0\n \n \n MIT\n \n \n cpe:2.3:a:ca-certificates-bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/ca-certificates-bundle@20220614-r4?arch=x86_64&upstream=ca-certificates&distro=alpine-3.17.2\n \n \n https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ca-certificates-bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates_bundle:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca-certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca_certificates:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca-certificates-bundle:20220614-r4:*:*:*:*:*:*:*\n cpe:2.3:a:ca:ca_certificates_bundle:20220614-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e1839fd45a096c9e21ac24f8a61991d357d11628\n 237568\n ca-certificates\n ca-certificates-cacert=20220614-r4\n Q14PFUzkDXTGDcHkiuEdFuzb+EvxQ=\n 126296\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n libc-utils\n 0.7.2-r3\n Meta package to pull in correct libc\n \n \n BSD-2-Clause\n \n \n BSD-3-Clause\n \n \n cpe:2.3:a:libc-utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n pkg:apk/alpine/libc-utils@0.7.2-r3?arch=x86_64&upstream=libc-dev&distro=alpine-3.17.2\n \n \n https://alpinelinux.org\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:libc-utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc_utils:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc-utils:0.7.2-r3:*:*:*:*:*:*:*\n cpe:2.3:a:libc:libc_utils:0.7.2-r3:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 60424133be2e79bbfeff3d58147a22886f817ce2\n 4096\n libc-dev\n Q19Gg06pBPiiG9UN94ql7qImsHSUQ=\n musl-utils\n 1485\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libcrypto3\n 3.0.8-r0\n Crypto library from openssl\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libcrypto3:libcrypto3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libcrypto3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 4206592\n openssl\n so:libcrypto.so.3=3\n Q1lyWpurYeMlLEt60ys+OlTABmzgs=\n so:libc.musl-x86_64.so.1\n 1710217\n \n \n \n Ariadne Conill <ariadne@dereferenced.org>\n libssl3\n 3.0.8-r0\n SSL shared libraries\n \n \n Apache-2.0\n \n \n cpe:2.3:a:libssl3:libssl3:3.0.8-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/libssl3@3.0.8-r0?arch=x86_64&upstream=openssl&distro=alpine-3.17.2\n \n \n https://www.openssl.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 524302e205a5b43c2bb48d041bcb10ccf2b480f9\n 622592\n openssl\n so:libssl.so.3=3\n Q1Z6/d/FKYkPehWzNtOtYnJ74oIkY=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n 246853\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n cpe:2.3:a:musl:musl:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 634880\n musl\n so:libc.musl-x86_64.so.1=1\n Q1Pk7x1woArbB1nzkMPJPq1TECwus=\n 388955\n \n \n \n Timo Teräs <timo.teras@iki.fi>\n musl-utils\n 1.2.3-r4\n the musl c library (libc) implementation\n \n \n MIT\n \n \n BSD-2-Clause\n \n \n GPL-2.0-or-later\n \n \n cpe:2.3:a:musl-utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n pkg:apk/alpine/musl-utils@1.2.3-r4?arch=x86_64&upstream=musl&distro=alpine-3.17.2\n \n \n https://musl.libc.org/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:musl-utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl_utils:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl-utils:1.2.3-r4:*:*:*:*:*:*:*\n cpe:2.3:a:musl:musl_utils:1.2.3-r4:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n f93af038c3de7146121c2ea8124ba5ce29b4b058\n 135168\n musl\n cmd:getconf=1.2.3-r4\n cmd:getent=1.2.3-r4\n cmd:iconv=1.2.3-r4\n cmd:ldconfig=1.2.3-r4\n cmd:ldd=1.2.3-r4\n Q1ZWJL4eySx8nPSjF1FAJgQyvuNs4=\n scanelf\n so:libc.musl-x86_64.so.1\n 36697\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n scanelf\n 1.3.5-r1\n Scan ELF binaries for stuff\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:scanelf:scanelf:1.3.5-r1:*:*:*:*:*:*:*\n pkg:apk/alpine/scanelf@1.3.5-r1?arch=x86_64&upstream=pax-utils&distro=alpine-3.17.2\n \n \n https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n e52243dbb02069f10d48440ccc5fd41fa5fc2236\n 98304\n pax-utils\n cmd:scanelf=1.3.5-r1\n Q11dxYFsHvBFAzzHGDo5gOTDNJDyQ=\n so:libc.musl-x86_64.so.1\n 37687\n \n \n \n SÃļren Tempel <soeren+alpine@soeren-tempel.net>\n ssl_client\n 1.36.1-r27\n EXternal ssl_client for busybox wget\n \n \n GPL-2.0-only\n \n \n cpe:2.3:a:ssl-client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n pkg:apk/alpine/ssl_client@1.36.1-r27?arch=x86_64&upstream=busybox&distro=alpine-3.17.2\n \n \n https://busybox.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n cpe:2.3:a:ssl-client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl_client:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl-client:1.36.1-r27:*:*:*:*:*:*:*\n cpe:2.3:a:ssl:ssl_client:1.36.1-r27:*:*:*:*:*:*:*\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n 1dbf7a793afae640ea643a055b6dd4f430ac116b\n 28672\n busybox\n cmd:ssl_client=1.36.1-r27\n Q1QuqZjeP6XG85I29tOiCWofL8Cj0=\n so:libc.musl-x86_64.so.1\n so:libcrypto.so.3\n so:libssl.so.3\n 4929\n \n \n \n Natanael Copa <ncopa@alpinelinux.org>\n zlib\n 1.2.13-r0\n A compression/decompression Library\n \n \n Zlib\n \n \n cpe:2.3:a:zlib:zlib:1.2.13-r0:*:*:*:*:*:*:*\n pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64&upstream=zlib&distro=alpine-3.17.2\n \n \n https://zlib.net/\n \n \n \n apkdb-cataloger\n ApkMetadata\n apk\n sha256:7cd52847ad775a5ddc4b58326cf884beee34544296402c6292ed76474c686d39\n /lib/apk/db/installed\n bb37266b06a72d21d1fd850ef4b86665cf9ef70f\n 110592\n zlib\n so:libz.so.1=1.2.13\n Q1rjnXT01l1PAxXheUxe4Oldl5rFk=\n so:libc.musl-x86_64.so.1\n 54258\n \n \n \n alpine\n 3.17.2\n Alpine Linux v3.17\n \n \n \n https://gitlab.alpinelinux.org/alpine/aports/-/issues\n \n \n https://alpinelinux.org/\n \n \n \n alpine\n Alpine Linux v3.17\n 3.17.2\n \n \n \n\n" }, { "path": "cmd/osv-scanner/testdata/locks-many/installed", "content": "C:Q1Ef3iwt+cMdGngEgaFr2URIJhKzQ=\nP:apk-tools\nV:2.12.10-r1\nA:x86_64\nS:120973\nI:307200\nT:Alpine Package Keeper - package manager for alpine\nU:https://gitlab.alpinelinux.org/alpine/apk-tools\nL:GPL-2.0-only\no:apk-tools\nm:Natanael Copa \nt:1666552494\nc:0188f510baadbae393472103427b9c1875117136\nD:musl>=1.2 ca-certificates-bundle so:libc.musl-x86_64.so.1 so:libcrypto.so.3 so:libssl.so.3 so:libz.so.1\np:so:libapk.so.3.12.0=3.12.0 cmd:apk=2.12.10-r1\nF:etc\nF:etc/apk\nF:etc/apk/keys\nF:etc/apk/protected_paths.d\nF:lib\nR:libapk.so.3.12.0\na:0:0:755\nZ:Q1opjpYqXgzmOVo7EbNe8l5Xol08g=\nF:lib/apk\nF:lib/apk/exec\nF:sbin\nR:apk\na:0:0:755\nZ:Q1/4bmOPe/H1YhHRzlrj27oufThMw=\nF:var\nF:var/lib\nF:var/lib/apk" }, { "path": "cmd/osv-scanner/testdata/locks-many/not-a-lockfile.toml", "content": "_=\"whatever this is, it's not a lockfile!\"\n" }, { "path": "cmd/osv-scanner/testdata/locks-many/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/testdata/locks-many/replace-local.mod", "content": "require (\n golang.org/x/net v1.2.3\n)\n\nreplace (\n golang.org/x/net v1.2.3 => ./fork/net\n)\n" }, { "path": "cmd/osv-scanner/testdata/locks-many/status", "content": "Package: adduser\nStatus: install ok installed\nPriority: important\nSection: admin\nInstalled-Size: 849\nMaintainer: redacted \nArchitecture: all\nMulti-Arch: foreign\nVersion: 3.118\nDepends: passwd, debconf (>= 0.5) | debconf-2.0\nSuggests: liblocale-gettext-perl, perl\nConffiles:\n /etc/deluser.conf 773fb95e98a27947de4a95abb3d3f2a2\nDescription: add and remove users and groups\n This package includes the 'adduser' and 'deluser' commands for creating\n and removing users.\n .\n - 'adduser' creates new users and groups and adds existing users to\n existing groups;\n - 'deluser' removes users and groups and removes users from a given\n group.\n .\n Adding users with 'adduser' is much easier than adding them manually.\n Adduser will choose appropriate UID and GID values, create a home\n directory, copy skeletal user configuration, and automate setting\n initial values for the user's password, real name and so on.\n .\n Deluser can back up and remove users' home directories\n and mail spool or all the files they own on the system.\n .\n A custom script can be executed after each of the commands." }, { "path": "cmd/osv-scanner/testmain_test.go", "content": "package main\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/fix\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/scan\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/update\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tconfig.OSVScannerConfigName = \"osv-scanner-test.toml\"\n\n\tcleanupGitFixtures, err := testcmd.SetupGitFixtures()\n\n\tif err != nil {\n\t\tcleanupGitFixtures()\n\n\t\tpanic(err)\n\t}\n\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{\n\t\tscan.Command,\n\t\tfix.Command,\n\t\tupdate.Command,\n\t}\n\tm.Run()\n\n\tcleanupGitFixtures()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "cmd/osv-scanner/update/__snapshots__/command_test.snap", "content": "\n[TestCommand/errors_with_invalid_data_source - 1]\n\n---\n\n[TestCommand/errors_with_invalid_data_source - 2]\nunsupported data-source \"github\" - must be one of: deps.dev, native\n\n---\n\n[TestCommand/errors_with_invalid_data_source - 3]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n UTF-8\n 1.7\n 1.7\n 4.12\n \n\n \n \n com.fasterxml.jackson.core\n jackson-core\n 2.14.0\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n\n \n \n \n org.slf4j\n slf4j-migrator\n 2.0.0\n \n \n \n\n \n \n some-profile\n \n \n org.apache.logging.log4j\n log4j-api\n 2.0\n \n \n \n \n\n\n\n---\n\n[TestCommand/file_does_not_exist - 1]\n\n---\n\n[TestCommand/file_does_not_exist - 2]\nfile not found: ./testdata/does_not_exist.xml\n\n---\n\n[TestCommand/update_pom.xml_with_in-place_changes - 1]\n\n---\n\n[TestCommand/update_pom.xml_with_in-place_changes - 2]\n\n---\n\n[TestCommand/update_pom.xml_with_in-place_changes - 3]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n UTF-8\n 1.7\n 1.7\n 4.13.2\n \n\n \n \n com.fasterxml.jackson.core\n jackson-core\n 2.21.1\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n\n \n \n \n org.slf4j\n slf4j-migrator\n 2.1.0-alpha1\n \n \n \n\n \n \n some-profile\n \n \n org.apache.logging.log4j\n log4j-api\n 3.0.0-beta2\n \n \n \n \n\n\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 1]\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 2]\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_deps_dev_data_source - 3]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n UTF-8\n 1.7\n 1.7\n 4.13.2\n \n\n \n \n com.fasterxml.jackson.core\n jackson-core\n 2.21.1\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n\n \n \n \n org.slf4j\n slf4j-migrator\n 2.1.0-alpha1\n \n \n \n\n \n \n some-profile\n \n \n org.apache.logging.log4j\n log4j-api\n 3.0.0-beta2\n \n \n \n \n\n\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_native_data_source - 1]\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_native_data_source - 2]\n\n---\n\n[TestCommand/update_pom_with_in_place_changes_using_native_data_source - 3]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n UTF-8\n 1.7\n 1.7\n 4.13.2\n \n\n \n \n com.fasterxml.jackson.core\n jackson-core\n 2.21.1\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n\n \n \n \n org.slf4j\n slf4j-migrator\n 2.1.0-alpha1\n \n \n \n\n \n \n some-profile\n \n \n org.apache.logging.log4j\n log4j-api\n 3.0.0-beta2\n \n \n \n \n\n\n\n---\n\n[TestCommand/with_no_arguments - 1]\nNAME:\n osv-scanner update - [EXPERIMENTAL] scans a manifest file then updates dependencies\n\nUSAGE:\n osv-scanner update\n\nOPTIONS:\n --manifest string, -M string path to manifest file (required)\n --ignore-dev whether to ignore development dependencies for updates\n --upgrade-config [package-name:]level [ --upgrade-config [package-name:]level ] the allowed package upgrades, in the format [package-name:]level. If package-name is omitted, level is applied to all packages. level must be one of (major, minor, patch, none). (default: major)\n --data-source string source to fetch package information from; value can be: deps.dev, native (default: \"deps.dev\")\n --help, -h show help\n\n---\n\n[TestCommand/with_no_arguments - 2]\nRequired flag \"manifest\" not set\n\n---\n" }, { "path": "cmd/osv-scanner/update/command.go", "content": "// Package update implements the `update` command for osv-scanner.\npackage update\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/suggest\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/urfave/cli/v3\"\n)\n\nfunc Command(_, _ io.Writer, _ *http.Client) *cli.Command {\n\treturn &cli.Command{\n\t\tHidden: true,\n\t\tName: \"update\",\n\t\tUsage: \"[EXPERIMENTAL] scans a manifest file then updates dependencies\",\n\t\tFlags: []cli.Flag{\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"manifest\",\n\t\t\t\tAliases: []string{\"M\"},\n\t\t\t\tUsage: \"path to manifest file (required)\",\n\t\t\t\tTakesFile: true,\n\t\t\t\tRequired: true,\n\t\t\t},\n\t\t\t&cli.BoolFlag{\n\t\t\t\tName: \"ignore-dev\",\n\t\t\t\tUsage: \"whether to ignore development dependencies for updates\",\n\t\t\t},\n\t\t\t&cli.StringSliceFlag{\n\t\t\t\tName: \"upgrade-config\",\n\t\t\t\tUsage: \"the allowed package upgrades, in the format `[package-name:]level`. If package-name is omitted, level is applied to all packages. level must be one of (major, minor, patch, none).\",\n\t\t\t\tDefaultText: \"major\",\n\t\t\t},\n\t\t\t&cli.StringFlag{\n\t\t\t\tName: \"data-source\",\n\t\t\t\tUsage: \"source to fetch package information from; value can be: deps.dev, native\",\n\t\t\t\tValue: \"deps.dev\",\n\t\t\t\tAction: func(_ context.Context, _ *cli.Command, s string) error {\n\t\t\t\t\tif s != \"deps.dev\" && s != \"native\" {\n\t\t\t\t\t\treturn fmt.Errorf(\"unsupported data-source \\\"%s\\\" - must be one of: deps.dev, native\", s)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tAction: action,\n\t}\n}\n\ntype updateOptions struct {\n\tManifest string\n\tIgnoreDev bool\n\tUpgradeConfig upgrade.Config // Allowed upgrade levels per package.\n\n\tClient client.DependencyClient\n\tManifestRW manifest.ReadWriter\n}\n\nfunc action(ctx context.Context, cmd *cli.Command) error {\n\toptions := updateOptions{\n\t\tManifest: cmd.String(\"manifest\"),\n\t\tIgnoreDev: cmd.Bool(\"ignore-dev\"),\n\t\tUpgradeConfig: upgrade.ParseUpgradeConfig(cmd.StringSlice(\"upgrade-config\")),\n\t}\n\n\tif _, err := os.Stat(options.Manifest); errors.Is(err, os.ErrNotExist) {\n\t\treturn fmt.Errorf(\"file not found: %s\", options.Manifest)\n\t} else if err != nil {\n\t\treturn err\n\t}\n\n\tsystem := resolve.UnknownSystem\n\tif options.Manifest != \"\" {\n\t\trw, err := manifest.GetReadWriter(options.Manifest, cmd.String(\"maven-registry\"))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\toptions.ManifestRW = rw\n\t\tsystem = rw.System()\n\t}\n\n\tvar err error\n\tswitch cmd.String(\"data-source\") {\n\tcase \"deps.dev\":\n\t\toptions.Client, err = client.NewDepsDevClient(depsdev.DepsdevAPI, \"osv-scanner_update/\"+version.OSVVersion)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\tcase \"native\":\n\t\tswitch system {\n\t\tcase resolve.Maven:\n\t\t\toptions.Client, err = client.NewMavenRegistryClient(cmd.String(\"maven-registry\"))\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\tcase resolve.NPM, resolve.UnknownSystem:\n\t\t\tfallthrough\n\t\tdefault:\n\t\t\treturn fmt.Errorf(\"native data-source currently unsupported for %s ecosystem\", system.String())\n\t\t}\n\t}\n\n\tdf, err := depfile.OpenLocalDepFile(options.Manifest)\n\tif err != nil {\n\t\treturn err\n\t}\n\tmf, err := options.ManifestRW.Read(df)\n\tdf.Close() // Close the dep file and we may re-open it for writing\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tsuggester, err := suggest.GetSuggester(mf.System())\n\tif err != nil {\n\t\treturn err\n\t}\n\tpatch, err := suggester.Suggest(ctx, options.Client, mf, suggest.Options{\n\t\tIgnoreDev: options.IgnoreDev,\n\t\tUpgradeConfig: options.UpgradeConfig,\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn manifest.Overwrite(options.ManifestRW, options.Manifest, patch)\n}\n" }, { "path": "cmd/osv-scanner/update/command_test.go", "content": "package update_test\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestCommand(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []testcmd.Case{\n\t\t{\n\t\t\tName: \"with_no_arguments\",\n\t\t\tArgs: []string{\"\", \"update\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"update_pom.xml_with_in-place_changes\",\n\t\t\tArgs: []string{\"\", \"update\", \"-M=./testdata/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"update_pom_with_in_place_changes_using_deps_dev_data_source\",\n\t\t\tArgs: []string{\"\", \"update\", \"--data-source\", \"deps.dev\", \"-M\", \"./testdata/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"update_pom_with_in_place_changes_using_native_data_source\",\n\t\t\tArgs: []string{\"\", \"update\", \"--data-source\", \"native\", \"-M\", \"./testdata/pom.xml\"},\n\t\t\tExit: 0,\n\t\t},\n\t\t{\n\t\t\tName: \"errors_with_invalid_data_source\",\n\t\t\tArgs: []string{\"\", \"update\", \"--data-source\", \"github\", \"-M\", \"./testdata/pom.xml\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t{\n\t\t\tName: \"file_does_not_exist\",\n\t\t\tArgs: []string{\"\", \"update\", \"-M\", \"./testdata/does_not_exist.xml\"},\n\t\t\tExit: 127,\n\t\t},\n\t\t// TODO: add other test cases.\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\t// Update action overwrites files, copy them to a temporary directory.\n\t\t\ttestDir := testutility.CreateTestDir(t)\n\n\t\t\tmanifest := testcmd.CopyFileFlagTo(t, tt, \"-M\", testDir)\n\n\t\t\ttestcmd.RunAndMatchSnapshots(t, tt)\n\n\t\t\tif manifest != \"\" {\n\t\t\t\tb, err := os.ReadFile(manifest)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Fatalf(\"could not read test file: %v\", err)\n\t\t\t\t}\n\t\t\t\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, string(b))\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "cmd/osv-scanner/update/testdata/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "cmd/osv-scanner/update/testdata/pom.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0.0\n\n my-app\n \n http://www.example.com\n\n \n UTF-8\n 1.7\n 1.7\n 4.12\n \n\n \n \n com.fasterxml.jackson.core\n jackson-core\n 2.14.0\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n\n \n \n \n org.slf4j\n slf4j-migrator\n 2.0.0\n \n \n \n\n \n \n some-profile\n \n \n org.apache.logging.log4j\n log4j-api\n 2.0\n \n \n \n \n\n\n" }, { "path": "cmd/osv-scanner/update/testmain_test.go", "content": "package update_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/cmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/internal/testcmd\"\n\t\"github.com/google/osv-scanner/v2/cmd/osv-scanner/update\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tslog.SetDefault(slog.New(testlogger.New()))\n\ttestcmd.CommandsUnderTest = []cmd.CommandBuilder{update.Command}\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "docs/.gitignore", "content": "_site\n.sass-cache\n.jekyll-cache\n.jekyll-metadata\nvendor\n" }, { "path": "docs/404.html", "content": "---\npermalink: /404.html\nlayout: default\n---\n\n\n\n
\n

404

\n\n

Page not found

\n

The requested page could not be found.

\n
\n" }, { "path": "docs/Gemfile", "content": "ruby \"~> 3\"\n\nsource \"https://rubygems.org\"\n# Hello! This is where you manage which Jekyll version is used to run.\n# When you want to use a different version, change it below, save the\n# file and run `bundle install`. Run Jekyll with `bundle exec`, like so:\n#\n# bundle exec jekyll serve\n#\n# This will help ensure the proper Jekyll version is running.\n# Happy Jekylling!\n# gem \"jekyll\", \"~> 4.3.2\"\n# This is the default theme for new Jekyll sites. You may change this to anything you like.\n# If you want to use GitHub Pages, remove the \"gem \"jekyll\"\" above and\n# uncomment the line below. To upgrade, run `bundle update github-pages`.\ngem \"github-pages\", \"~> 232\", group: :jekyll_plugins\n# If you have any plugins, put them here!\ngroup :jekyll_plugins do\n gem \"jekyll-feed\", \"~> 0.15\"\nend\n\n# Windows and JRuby does not include zoneinfo files, so bundle the tzinfo-data gem\n# and associated library.\nplatforms :mingw, :x64_mingw, :mswin, :jruby do\n gem \"tzinfo\", \">= 1\", \"< 3\"\n gem \"tzinfo-data\"\nend\n\n# Performance-booster for watching directories on Windows\ngem \"wdm\", \"~> 0.2.0\", :platforms => [:mingw, :x64_mingw, :mswin]\n\n# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem\n# do not have a Java counterpart.\ngem \"http_parser.rb\", \"~> 0.8.0\", :platforms => [:jruby]\ngem \"webrick\", \"~> 1.7\"\n" }, { "path": "docs/README.md", "content": "# README\n\nThe [OSV-Scanner docs](https://google.github.io/osv-scanner) are hosted on a [GitHub page](https://pages.github.com/).\n\n## Running docs locally (docker)\n\nYou can run the docs locally consistently through docker:\n\n```bash\ndocker build -t osv-scanner-docs -f docs.Dockerfile .\ndocker run -p 4000:4000 osv-scanner-docs\n```\n\n## Running docs locally (native)\n\nTo run the docs locally, use :\n\n- Install `ruby (>= 3.1.0)`. This should come with `bundler`.\n - On Debian, you need to install them separately:\n - `ruby`\n - `ruby-bundler`\n- In this directory:\n - `bundle config set --local path 'vendor/bundle'` (you can skip this step if serving from this directory, as the config is already saved in `.bundle/config`)\n - `bundle install`\n - `bundle exec jekyll serve`\n\nHere's the full documentation on github for running the [docs locally].\n\n[docs locally]: https://docs.github.com/en/pages/setting-up-a-github-pages-site-with-jekyll/testing-your-github-pages-site-locally-with-jekyll#building-your-site-locally\n\n## Formatting docs\n\nWe use [Prettier](https://prettier.io/) to standardize the format of markdown and config files.\n\nThis requires [node/npm](https://docs.npmjs.com/downloading-and-installing-node-js-and-npm) to be installed.\n\n### Running the formatter\n\nRun the following in the project directory:\n\n```shell\n./scripts/run_formatters.sh\n```\n\n## Documentation theme\n\nWe are using the [Just the Docs](https://just-the-docs.github.io/just-the-docs/)\ntheme.\n" }, { "path": "docs/_config.yml", "content": "# Welcome to Jekyll!\n#\n# This config file is meant for settings that affect your whole blog, values\n# which you are expected to set up once and rarely edit after that. If you find\n# yourself editing this file very often, consider using Jekyll's data files\n# feature for the data you need to update frequently.\n#\n# For technical reasons, this file is *NOT* reloaded automatically when you use\n# 'bundle exec jekyll serve'. If you change this file, please restart the server process.\n#\n# If you need help with YAML syntax, here are some quick references for you:\n# https://learn-the-web.algonquindesign.ca/topics/markdown-yaml-cheat-sheet/#yaml\n# https://learnxinyminutes.com/docs/yaml/\n#\n# Site settings\n# These are used to personalize your new site. If you look in the HTML files,\n# you will see them accessed via {{ site.title }}, {{ site.email }}, and so on.\n# You can create any custom variable you would like, and they will be accessible\n# in the templates via {{ site.myvariable }}.\n\ntitle: OSV-Scanner\ndescription: >- # this means to ignore newlines until \"baseurl:\"\n Use OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.\nbaseurl: \"/osv-scanner\" # the subpath of your site, e.g. /blog\nurl: \"\" # the base hostname & protocol for your site, e.g. http://example.com\ngithub_username: google\nga_tracking: G-60SWD6J0TM\n\n# Build settings\nremote_theme: just-the-docs/just-the-docs\nplugins:\n - jekyll-feed\n\ncolor_scheme: custom_dark\nmarkdown: kramdown\n\nkramdown:\n toc_levels: 1..3\n\nlogo: \"/assets/logo-dark.png\"\nfavicon_ico: \"/assets/icon.png\"\n\ncallouts_level: quiet # or loud\ncallouts:\n highlight:\n color: yellow\n important:\n title: Important\n color: blue\n new:\n title: New\n color: green\n note:\n title: Note\n color: purple\n warning:\n title: Warning\n color: red\n\naux_links:\n \"OSV-Scanner on GitHub\":\n - https://github.com/google/osv-scanner\n\nnav_external_links:\n - title: OSV.dev\n url: https://osv.dev\n hide_icon: false # set to true to hide the external link icon - defaults to false\n - title: API docs\n url: https://osv.dev/docs/\n hide_icon: false # set to true to hide the external link icon - defaults to false\n - title: OSV Schema\n url: https://ossf.github.io/osv-schema/\n hide_icon: false # set to true to hide the external link icon - defaults to false\n\n\n# Exclude from processing.\n# The following items will not be processed, by default.\n# Any item listed under the `exclude:` key here will be automatically added to\n# the internal \"default list\".\n#\n# Excluded items can be processed by explicitly listing the directories or\n# their entries' file path in the `include:` list.\n#\n# exclude:\n# - .sass-cache/\n# - .jekyll-cache/\n# - gemfiles/\n# - Gemfile\n# - Gemfile.lock\n# - node_modules/\n# - vendor/bundle/\n# - vendor/cache/\n# - vendor/gems/\n# - vendor/ruby/\n" }, { "path": "docs/_sass/color_schemes/_variables.scss", "content": "$white: #fff !default;\n$grey-dk-000: #959396 !default;\n$grey-dk-100: #5c5962 !default;\n$grey-dk-200: #44434d !default;\n$grey-dk-250: #302d36 !default;\n$grey-dk-300: #27262b !default;\n$grey-lt-000: #f5f6fa !default;\n$grey-lt-100: #eeebee !default;\n$grey-lt-200: #ecebed !default;\n$grey-lt-300: #e6e1e8 !default;\n$purple-000: #7253ed !default;\n$purple-100: #5e41d0 !default;\n$purple-200: #4e26af !default;\n// Override the default purple 300 for better visibility\n$purple-300: #d7c6ff;\n$blue-000: #2c84fa !default;\n$blue-100: #2869e6 !default;\n$blue-200: #264caf !default;\n$blue-300: #183385 !default;\n$green-000: #41d693 !default;\n$green-100: #11b584 !default;\n$green-200: #009c7b !default;\n$green-300: #026e57 !default;\n// Override the default yellow 000 for better visibility\n$yellow-000: #5f4f00;\n$yellow-100: #fadf50 !default;\n$yellow-200: #f7d12e !default;\n$yellow-300: #e7af06 !default;\n$red-000: #f77e7e !default;\n$red-100: #f96e65 !default;\n$red-200: #e94c4c !default;\n$red-300: #dd2e2e !default;\n\n$body-font-family:\n \"Source Sans 3\",\n system-ui,\n -apple-system,\n sans-serif;\n\n$mono-font-family: consolas, monospace;\n" }, { "path": "docs/_sass/color_schemes/custom_dark.scss", "content": "@import \"./variables\";\n@import \"../highlight/native.scss\";\n@import url(\"https://fonts.googleapis.com/css2?family=Overpass:ital,wght@0,100..900;1,100..900&family=Source+Sans+3:ital,wght@0,200..900;1,200..900&display=swap\");\n$new-body-background-color: #292929;\n\n// Overriding dark default for just-the-docs styles\n$color-scheme: dark;\n$body-background-color: $new-body-background-color; // Replacing default $grey-dk-300\n$body-heading-color: $white; // Replacing default $grey-lt-000\n$body-text-color: $white; //Replacing default $grey-lt-300\n$link-color: #c9f5f7;\n$nav-child-link-color: $white; // Replacing default $grey-dk-000\n$sidebar-color: $new-body-background-color; //Replacing default $grey-dk-300\n$base-button-color: $grey-dk-250;\n$btn-primary-color: $blue-200;\n$code-background-color: #202020; // Important to match with .highlight background and .highlight.err background-color\n$code-linenumber-color: #f5f6fa; // Important to match with .highlight.nf color\n$feedback-color: darken($sidebar-color, 3%);\n$table-background-color: lighten(\n $new-body-background-color,\n 5%\n); // Replacing default $grey-dk-250\n$search-background-color: $new-body-background-color; // Replacing default $grey-dk-250\n$search-result-preview-color: $grey-dk-000;\n$border-color: #6a6a6a; // Replacing default $grey-dk-200\n" }, { "path": "docs/_sass/custom/custom.scss", "content": "// Always show child pages in the navigation menu\n// https://github.com/just-the-docs/just-the-docs/issues/245#issuecomment-656334333\n.nav-list .nav-list-item > .nav-list {\n display: block !important;\n}\n\n// Hide the child page expand arrow, since it doesn't do anything\n.nav-list .nav-list-expander {\n display: none !important;\n}\n\n:not(pre, figure) code {\n padding: 0.2rem 0.35rem !important;\n font-size: 0.85em;\n}\n\nh1,\nh2,\nh3,\nh4 {\n font-family:\n \"Overpass\",\n system-ui,\n -apple-system,\n sans-serif;\n}\n\ntable {\n border-collapse: collapse;\n\n th {\n border-bottom-width: 2px;\n }\n}\n\n.site-title {\n padding-top: 15px !important;\n}\n\n// Fix callout styling regression introduced in just-the-docs v0.11.0 which\n// replaced the colored background fill with an all-sides border outline.\n\n@mixin callout-fix($bg-color, $border-color) {\n border: none;\n border-left: $border-radius solid $border-color;\n background: rgba($bg-color, 0.2);\n}\n\np.note,\nblockquote.note {\n @include callout-fix($purple-000, $purple-300);\n}\np.warning,\nblockquote.warning {\n @include callout-fix($red-000, $red-300);\n}\np.highlight,\nblockquote.highlight {\n @include callout-fix($yellow-000, $yellow-300);\n}\n" }, { "path": "docs/_sass/highlight/native.scss", "content": "// Based on https://github.com/dwayne/sass-pygments/blob/master/styles/scss/native.scss\n\n.highlight,\npre.highlight,\n.highlight code {\n color: #d0d0d0;\n background: #202020;\n\n .hll {\n background-color: #404040;\n }\n\n .c {\n color: #999999;\n font-style: italic;\n }\n\n .err {\n color: #d0d0d0; // Replacing default #a61717 with default text code for code block\n background-color: #202020; // Replacing default #e3d2d2 with background for the code block\n }\n\n .esc,\n .g {\n color: #d0d0d0;\n }\n\n .k {\n color: #6ab825;\n font-weight: bold;\n }\n\n .l,\n .n,\n .o,\n .x,\n .p {\n color: #d0d0d0;\n }\n\n .ch,\n .cm {\n color: #999999;\n font-style: italic;\n }\n\n .cp {\n color: #cd2828;\n font-weight: bold;\n }\n\n .cpf,\n .c1 {\n color: #999999;\n font-style: italic;\n }\n\n .cs {\n color: #e50808;\n font-weight: bold;\n background-color: #520000;\n }\n\n .gd {\n color: #d22323;\n }\n\n .ge {\n color: #d0d0d0;\n font-style: italic;\n }\n\n .gr {\n color: #d22323;\n }\n\n .gh {\n color: #ffffff;\n font-weight: bold;\n }\n\n .gi {\n color: #589819;\n }\n\n .go {\n color: #cccccc;\n }\n\n .gp {\n color: #aaaaaa;\n }\n\n .gs {\n color: #d0d0d0;\n font-weight: bold;\n }\n\n .gu {\n color: #ffffff;\n text-decoration: underline;\n }\n\n .gt {\n color: #d22323;\n }\n\n .kc,\n .kd,\n .kn {\n color: #6ab825;\n font-weight: bold;\n }\n\n .kp {\n color: #6ab825;\n }\n\n .kr,\n .kt {\n color: #6ab825;\n font-weight: bold;\n }\n\n .ld {\n color: #d0d0d0;\n }\n\n .m {\n color: #3677a9;\n }\n\n .s {\n color: #ed9d13;\n }\n\n .na {\n color: #bbbbbb;\n }\n\n .nb {\n color: #24909d;\n }\n\n .nc {\n color: #f5f6fa;\n text-decoration: underline;\n }\n\n .no {\n color: #40ffff;\n }\n\n .nd {\n color: #ffa500;\n }\n\n .ni {\n color: #d0d0d0;\n }\n\n .ne {\n color: #bbbbbb;\n }\n\n .nf {\n color: #f5f6fa;\n }\n\n .nl {\n color: #d0d0d0;\n }\n\n .nn {\n color: #f5f6fa;\n text-decoration: underline;\n }\n\n .nx,\n .py {\n color: #d0d0d0;\n }\n\n .nt {\n color: #6ab825;\n font-weight: bold;\n }\n\n .nv {\n color: #40ffff;\n }\n\n .ow {\n color: #6ab825;\n font-weight: bold;\n }\n\n .w {\n color: #666666;\n }\n\n .mb,\n .mf,\n .mh,\n .mi,\n .mo {\n color: #3677a9;\n }\n\n .sb,\n .sc,\n .sd,\n .s2,\n .se,\n .sh,\n .si {\n color: #ed9d13;\n }\n\n .sx {\n color: #ffa500;\n }\n\n .sr,\n .s1,\n .ss {\n color: #ed9d13;\n }\n\n .bp {\n color: #24909d;\n }\n\n .vc,\n .vg,\n .vi {\n color: #40ffff;\n }\n\n .il {\n color: #3677a9;\n }\n}\n\n/* Comment */\n/* Error */\n/* Escape */\n/* Generic */\n/* Keyword */\n/* Literal */\n/* Name */\n/* Operator */\n/* Other */\n/* Punctuation */\n/* Comment.Hashbang */\n/* Comment.Multiline */\n/* Comment.Preproc */\n/* Comment.PreprocFile */\n/* Comment.Single */\n/* Comment.Special */\n/* Generic.Deleted */\n/* Generic.Emph */\n/* Generic.Error */\n/* Generic.Heading */\n/* Generic.Inserted */\n/* Generic.Output */\n/* Generic.Prompt */\n/* Generic.Strong */\n/* Generic.Subheading */\n/* Generic.Traceback */\n/* Keyword.Constant */\n/* Keyword.Declaration */\n/* Keyword.Namespace */\n/* Keyword.Pseudo */\n/* Keyword.Reserved */\n/* Keyword.Type */\n/* Literal.Date */\n/* Literal.Number */\n/* Literal.String */\n/* Name.Attribute */\n/* Name.Builtin */\n/* Name.Class */\n/* Name.Constant */\n/* Name.Decorator */\n/* Name.Entity */\n/* Name.Exception */\n/* Name.Function */\n/* Name.Label */\n/* Name.Namespace */\n/* Name.Other */\n/* Name.Property */\n/* Name.Tag */\n/* Name.Variable */\n/* Operator.Word */\n/* Text.Whitespace */\n/* Literal.Number.Bin */\n/* Literal.Number.Float */\n/* Literal.Number.Hex */\n/* Literal.Number.Integer */\n/* Literal.Number.Oct */\n/* Literal.String.Backtick */\n/* Literal.String.Char */\n/* Literal.String.Doc */\n/* Literal.String.Double */\n/* Literal.String.Escape */\n/* Literal.String.Heredoc */\n/* Literal.String.Interpol */\n/* Literal.String.Other */\n/* Literal.String.Regex */\n/* Literal.String.Single */\n/* Literal.String.Symbol */\n/* Name.Builtin.Pseudo */\n/* Name.Variable.Class */\n/* Name.Variable.Global */\n/* Name.Variable.Instance */\n/* Literal.Number.Integer.Long */\n" }, { "path": "docs/configuration.md", "content": "---\nlayout: page\npermalink: /configuration/\nnav_order: 5\n---\n\n# Configuration\n\nTo configure scanning, place an osv-scanner.toml file in the scanned file's directory. This does not propagate to child directories.\n\n**Example:**\n\n```\n/Cargo.lock\n/osv-scanner.toml (1)\n/child-dir/go.mod\n/child-dir/osv-scanner.toml (2)\n/child-dir/nested-dir/package-lock.json\n```\n\n`osv-scanner.toml (1)` will only apply to `Cargo.lock`, `osv-scanner.toml (2)` will only apply to `go.mod`, and no config will apply to `package-lock.json`.\n\nTo override `osv-scanner.toml` files, pass the `--config=/path/to/config.toml` flag with the path to the configuration you want to apply instead, this will apply `config.toml` to all files parsed, and ignore `osv-scanner.toml` in all directories.\n\n## Ignore vulnerabilities by ID\n\nTo ignore a vulnerability, enter the ID under the `IgnoreVulns` key. Optionally, add an expiry date or reason.\n\n### Example\n\n```toml\n[[IgnoredVulns]]\nid = \"GO-2022-0968\"\n# ignoreUntil = 2022-11-09 # Optional exception expiry date\nreason = \"No ssh servers are connected to or hosted in Go lang\"\n\n[[IgnoredVulns]]\nid = \"GO-2022-1059\"\n# ignoreUntil = 2022-11-09 # Optional exception expiry date\nreason = \"No external http servers are written in Go lang.\"\n```\n\nIgnoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability.\n\n## Override packages\n\nYou can specify overrides for particular packages to have them either ignored entirely or to set their license using the `PackageOverrides` key:\n\n```toml\n[[PackageOverrides]]\n# One or more fields to match each package against:\nname = \"lib\"\nversion = \"1.0.0\"\necosystem = \"Go\"\ngroup = \"dev\"\n\n# Actions to take for matching packages:\nignore = true # Ignore this package completely, including both reporting vulnerabilities and license violations\nvulnerability.ignore = true # Ignore vulnerabilities for this package, while still checking the license (if not also ignored)\nlicense.ignore = true # Ignore the license of the package, while still checking for vulnerabilities (if not also ignored)\nlicense.override = [\"MIT\", \"0BSD\"] # Override the license of the package, if it is not ignored from license scanning completely\n\neffectiveUntil = 2022-11-09 # Optional exception expiry date, after which the override will no longer apply\nreason = \"abc\" # Optional reason for the override, to explain why it was added\n```\n\nOverrides are applied if all the configured fields match, enabling you to create very broad or very specific overrides based on your needs:\n\n```toml\n# ignore everything in the current directory\n[[PackageOverrides]]\nignore = true\n\n# ignore a particular group\n[[PackageOverrides]]\ngroup = \"dev\"\nignore = true\n\n# ignore a particular ecosystem\n[[PackageOverrides]]\necosystem = \"go\"\nignore = true\n\n# ignore packages named \"axios\" regardless of ecosystem or group\n[[PackageOverrides]]\nname = \"axios\"\nignore = true\n\n# ignore packages named \"axios\" in the npm ecosystem that are in the dev group\n[[PackageOverrides]]\nname = \"axios\"\necosystem = \"npm\"\ngroup = \"dev\"\nignore = true\n\n# ... and so on\n```\n\n## Go Version Override\n\nUse the `GoVersionOverride` key to override the Go version used for scanning. This is useful when the scanner fails to detect the correct Go version or when you want to force a specific version.\n\n### Example\n\n```toml\n# Do not add a prefix (e.g. go1.20.0 is just 1.20.0)\nGoVersionOverride = \"1.20.0\"\n```\n" }, { "path": "docs/contribute.md", "content": "---\nlayout: page\npermalink: /contribute/\nnav_order: 9\n---\n\n# Contribute\n\n## Report Problems\n\nIf you have what looks like a bug, please use the [Github issue tracking system](https://github.com/google/osv-scanner/issues). Before you file an issue, please search existing issues to see if your issue is already covered.\n\n## Contributing to `osv-scanner`\n\nSee [CONTRIBUTING.md](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md) for general contribution information and for details on how to contribute [code](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md/#contributing-code) and [documentation](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md/#contributing-documentation).\n" }, { "path": "docs/docs.Dockerfile", "content": "# Use an official Ruby runtime as a parent image.\nFROM ruby:3@sha256:cddc8a7877ed0213dbd4a3cf726e357ac27e493fefa8b5350e7936f4ec02018e\n\n# Set the working directory in the container.\nWORKDIR /usr/src/app\n\n# Copy the Gemfile and Gemfile.lock.\n# This is done first to leverage Docker's layer caching.\nCOPY ./Gemfile* ./\n\n# Install the dependencies.\nRUN bundle install\n\n# Copy the rest of the documentation files.\nCOPY ./ ./\n\n# Expose port 4000 for the Jekyll server.\nEXPOSE 4000\n\n# The command to run when the container starts.\n# --host 0.0.0.0 is important to make the server accessible from outside the container.\nCMD [\"bundle\", \"exec\", \"jekyll\", \"serve\", \"--host\", \"0.0.0.0\"]\n" }, { "path": "docs/experimental.md", "content": "---\nlayout: page\npermalink: /experimental/\nnav_order: 8\nhas_children: true\n---\n\n# Experimental Features\n\n{: .no_toc }\n\nThese features are currently under development. While their functionality may be subject to change, they are available for you to try.\n\n{: .note }\nFeatures and flags with the `experimental` prefix might change or be removed with only a minor version update.\n" }, { "path": "docs/github-action.md", "content": "---\nlayout: page\npermalink: /github-action/\nnav_order: 7\n---\n\n# GitHub Action\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nOSV-Scanner is available as a CI/CD Action. We currently offer two different reusable workflows for Github:\n\n1. A workflow that triggers a scan with each [pull request](./github-action.md#scan-on-pull-request) and will only report new vulnerabilities introduced through the pull request.\n2. A workflow that performs a full vulnerability scan, which can be configured to scan on pushes or a [regular schedule](./github-action.md#scheduled-scans). The full vulnerability scan can also be configured to run [on release](./github-action.md#scan-on-release) to prevent releasing with known vulnerabilities in dependencies.\n\nCurrently, there is no prebuilt workflows for other platforms, but we welcome any contributions for this!\n\n## Scan on pull request\n\nScanning your project on each pull request can help you keep vulnerabilities out of your project. This GitHub Action compares a vulnerability scan of the target branch to a vulnerability scan of the feature branch, and will fail if there are new vulnerabilities introduced through the feature branch. You may choose to [prevent merging](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging) if new vulnerabilities are introduced, but by default the check will only warn users.\n\n### Instructions\n\nIn your project repository, create a new file `.github/workflows/osv-scanner-pr.yml`.\n\nInclude the following in the `osv-scanner-pr.yml` file:\n\n```yml\nname: OSV-Scanner PR Scan\n\n# Change \"main\" to your default branch if you use a different name, i.e. \"master\"\non:\n pull_request:\n branches: [main]\n merge_group:\n branches: [main]\n\npermissions:\n # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117\n actions: read\n # Require writing security events to upload SARIF file to security tab\n security-events: write\n # Only need to read contents\n contents: read\n\njobs:\n scan-pr:\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.4\"\n```\n\n### View results\n\nResults may be viewed by clicking on the details of the failed action, either from your project's actions tab or directly on the PR.\n\n| OSV-Scanner PR Check Failing | PR Scanning Check Output |\n| :---------------------------------------------------------------------------------------------------------------------------: | :-----------------------------------------------------------------------: |\n| ![Screenshot of PR introducing a vulnerable dependency, and osv-scanner blocking check](images/github-action-PR-scanning.png) | ![Screenshot of osv-scanner output](images/github-action-scan-output.png) |\n\nResults are also included in GitHub annotations on the \"Files changed\" tab for the PR.\n\n## Scheduled scans\n\nRegularly scanning your project for vulnerabilities can alert you to new vulnerabilities in your dependency tree. This GitHub Action will scan your project on a set schedule and report all known vulnerabilities. If vulnerabilities are found the action will return a failed status.\n\n### Instructions\n\nIn your project repository, create a new file `.github/workflows/osv-scanner-scheduled.yml`.\n\nInclude the following in the `osv-scanner-scheduled.yml` file:\n\n```yml\nname: OSV-Scanner Scheduled Scan\n\non:\n schedule:\n - cron: \"30 12 * * 1\"\n # Change \"main\" to your default branch if you use a different name, i.e. \"master\"\n push:\n branches: [main]\n\npermissions:\n # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117\n actions: read\n # Require writing security events to upload SARIF file to security tab\n security-events: write\n # Only need to read contents\n contents: read\n\njobs:\n scan-scheduled:\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4\"\n```\n\nAs written, the scanner will run on 12:30 pm UTC every Monday, and also on every push to the main branch. You can change the schedule by following the instructions [here](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule).\n\n### View results\n\nMaintainers can review results of the scan by navigating to their project's `security > code scanning` tab. Vulnerability details can also be viewed by clicking on the details of the failed action.\n\n| OSV-Scanner Code Scanning Tab | Code Scanning Detailed Entry |\n| :------------------------------------------------------------------------------: | :-------------------------------------------------------------------------------------------: |\n| ![Image of results in code scanning tab](images/github-action-code-scanning.png) | ![Image of details of specific in code scanning entry](images/github-action-code-details.png) |\n\n## Scan on release\n\nHere is an example of blocking on release, though the actual implementation will heavily depend on your specific release process.\n\n```yml\nname: Go Release Process\n\non:\n push:\n tags:\n - \"*\" # triggers only if push new tag version, like `0.8.4` or else\n\npermissions:\n # Required to upload SARIF file to CodeQL. See: https://github.com/github/codeql-action/issues/2117\n actions: read\n # Require writing security events to upload SARIF file to security tab\n security-events: write\n # to fetch code (actions/checkout)\n contents: read\n\njobs:\n osv-scan:\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@v2.3.2\"\n with:\n # Only scan the top level go.mod file without recursively scanning directories since\n # this is pipeline is about releasing the go module and binary\n scan-args: |-\n ./\n permissions:\n # Require writing security events to upload SARIF file to security tab\n security-events: write\n tests:\n name: Run unit tests\n ...\n release:\n needs: # Needs both tests and osv-scan to pass\n - tests\n - osv-scan\n # Your actual release steps\n steps:\n ...\n```\n\n### View results\n\nResults may be viewed by clicking on the details of the failed release action from the action tab.\n\n## Customization\n\nThe GitHub Actions have the following optional inputs:\n\n- `scan-args`: This value is passed to `osv-scanner` CLI after being split by each line. See the [usage](./usage.md) page for the available options. The `--format` and `--output` flags are already set by the reusable workflow and should not be overridden here.\n Default:\n ```bash\n --recursive # Recursively scan subdirectories\n ./ # Start the scan from the root of the repository\n ```\n- `results-file-name`: This is the name of the final SARIF file uploaded to Github.\n Default: `results.sarif`\n- `download-artifact`: Optional artifact to download for scanning. Can be used if you need to do some preprocessing to prepare the lockfiles for scanning. If the file names in the artifact are not standard lockfile names, make sure to add custom scan-args to specify the lockfile type and path (see [specify lockfiles](./usage.md#specify-lockfiles)).\n- `upload-sarif`: Whether to upload the results to Security > Code Scanning. Defaults to `true`.\n- `fail-on-vuln`: Whether to fail the workflow when a vulnerability is found. Defaults to `true`.\n- `matrix-property`: Optional, adds support for matrix strategies by inserting a unique variable per job run. (E.g. `amd64-`) Defaults to `\"\"`.\n\n
\n\nExamples\n\n\n#### Scan specific lockfiles\n\n```yml\njobs:\n scan-pr:\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4\"\n with:\n scan-args: |-\n --lockfile=./path/to/lockfile1\n --lockfile=requirements.txt:./path/to/python-lockfile2.txt\n```\n\n#### Default arguments\n\n```yml\njobs:\n scan-pr:\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4\"\n with:\n scan-args: |-\n --recursive\n ./\n```\n\n#### Using download-artifact input to support preprocessing\n\n```yml\njobs:\n extract-deps:\n name: Extract Dependencies\n # ...\n steps:\n # ... Steps to extract your dependencies\n - name: \"upload osv-scanner deps\" # Upload the deps\n uses: actions/upload-artifact@v4\n with:\n name: converted-OSV-Scanner-deps\n path: osv-scanner-deps.json\n retention-days: 2\n vuln-scan:\n name: Vulnerability scanning\n # makes sure the extraction step is completed before running the scanner\n needs: extract-deps\n uses: \"google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v2.3.4\"\n with:\n # Download the artifact uploaded in extract-deps step\n download-artifact: converted-OSV-Scanner-deps\n # Scan only the file inside the uploaded artifact\n scan-args: |-\n --lockfile=osv-scanner:osv-scanner-deps.json\n permissions:\n # Needed to upload the SARIF results to code-scanning dashboard.\n security-events: write\n contents: read\n actions: read\n```\n\n#### Using download-artifact with matrix\n\n```yml\njobs:\n extract-deps:\n strategy:\n fail-fast: false\n matrix:\n platform: [\n {target_arch: amd64},\n {target_arch: armv7}\n {target_arch: armhf},\n {target_arch: aarch64}\n ]\n name: Extract Dependencies\n # ...\n steps:\n # ... Steps to extract your dependencies for each matrix run\n - name: \"upload osv-scanner deps\" # Upload the deps\n uses: actions/upload-artifact@v4\n with:\n name: ${{ matrix.platform.target_arch }}-OSV-Scanner-deps\n path: osv-scanner-deps.json\n retention-days: 2\n vuln-scan:\n needs:\n - extract-deps\n strategy:\n fail-fast: false\n matrix:\n platform: [\n {target_arch: amd64},\n {target_arch: armv7}\n {target_arch: armhf},\n {target_arch: aarch64}\n ]\n uses: \"extract/osv-scanner/.github/workflows/osv-scanner-reusable.yml@v2.3.4\"\n with:\n download-artifact: \"${{ matrix.platform.target_arch }}-OSV-Scanner-deps\"\n matrix-property: \"${{ matrix.platform.target_arch }}-\"\n scan-args: |-\n --lockfile=osv-scanner:osv-scanner-deps.json\n --recursive\n ./\n permissions:\n security-events: write\n contents: read\n actions: read\n```\n\n
\n" }, { "path": "docs/guided-remediation.md", "content": "---\nlayout: page\npermalink: /experimental/guided-remediation/\nparent: Experimental Features\nnav_order: 3\n---\n\n# Guided Remediation\n\nExperimental\n{: .label }\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nGuided remediation (`osv-scanner fix`) aims to help developers with fixing the high number of known vulnerabilities in dependencies typically reported by vulnerability scanners by providing a small number of actionable steps.\n\nThis tool provides several options to users for how to prioritise and remediate their vulnerabilities, with easy to understand information on how we arrived at these options and how to compare them. This includes features such as:\n\n- Resolution and analysis of the entire transitive graph (leveraging [deps.dev](https://deps.dev)) to determine the minimal changes required to remove vulnerabilities.\n- Prioritising direct dependency upgrades by the total number of transitive vulnerabilities fixed.\n- Prioritising vulnerabilities by dependency depth, severity, and whether to care about dev-only dependencies.\n- Modification of package manifest and lockfiles (e.g. `package.json`/`package-lock.json`) to fix vulnerabilities.\n- Different strategies with different risk/reward ratios (e.g. in-place fixes vs relocking).\n\n{: .note }\nThis feature is experimental and might change or be removed with only a minor version update.\n\n### Supported strategies\n\nWe currently support remediating vulnerabilities in the following files:\n\n| Ecosystem | File Format (Type) | Supported [Remediation Strategies](#remediation-strategies) |\n| :-------- | :---------------------------------------------------------------------------------------- | :---------------------------------------------------------- |\n| npm | `package-lock.json` (lockfile) | [`in-place`](#in-place-lockfile-changes) |\n| npm | `package.json` (manifest) | [`relock`](#relock-and-relax-direct-dependencies) |\n| Maven | `pom.xml` (manifest)[note](#pom-note) | [`override`](#override-dependency-versions) |\n\n{: .note #pom-note}\nBy default, the tool only checks dependencies that are actually present in a POM's dependency graph - it will not detect vulnerabilities in `` dependencies if they are not actually used when resolving the POM. The [`--maven-fix-management`](#maven-flags) flag can be used to also fix them.\n\n## Basic usage\n\nTo fix as many vulnerabilities as possible in your `package-lock.json` file [in-place](#in-place-lockfile-changes), you can use the following command:\n\n```bash\nosv-scanner fix --strategy=in-place -L path/to/package-lock.json\n```\n\nAlternatively, to potentially resolve even more vulnerabilities with larger (potentially breaking) changes, you can [regenerate your lockfile and update your direct dependencies](#relock-and-relax-direct-dependencies) with the following command:\n\n```bash\nosv-scanner fix --strategy=relax -M path/to/package.json -L path/to/package-lock.json\n```\n\nFor Maven `pom.xml` files, you can update direct dependencies and [add version overrides](#override-dependency-versions) to your POM's `` section with the following command:\n\n```bash\nosv-scanner fix --strategy=override -M path/to/pom.xml\n```\n\n{: .warning }\nThe subcommand will modify your manifest and lockfile. Make sure you commit or backup your files before running.\n\n{: .note }\nThe subcommand will not reinstall your `node_modules/` - you will need to manually run `npm ci` to install dependencies.\n\nIf you wish to remediation only specific vulnerabilities, you may specify OSV IDs using the `--vulns` flag. [See all remediation flags](#remediation-flags).\n\n### Output formats\n\nNon-interactive mode outputs to the terminal the actions taken and vulnerabilities remediated. The output format can be controlled with the `--format` flag.\n\n{: .highlight }\nThe output formats may change with minor version updates.\n\n#### Text (default)\n\nThe default format.\n\n```bash\nosv-scanner fix --format text --strategy=in-place -L path/to/package-lock.json\n```\n\n
\nSample in-place text output\n\n```\nScanning path/to/package-lock.json...\nFound 55 vulnerabilities matching the filter\nCan fix 25/55 matching vulnerabilities by changing 21 dependencies\nUPGRADED-PACKAGE: lodash,4.17.20,4.17.21\nUPGRADED-PACKAGE: minimist,1.2.0,1.2.8\nUPGRADED-PACKAGE: ws,6.2.1,6.2.3\nUPGRADED-PACKAGE: ws,7.1.2,7.5.10\nUPGRADED-PACKAGE: acorn,5.7.3,5.4.1\nUPGRADED-PACKAGE: acorn,6.0.2,6.4.2\nUPGRADED-PACKAGE: acorn,7.1.0,7.4.1\nUPGRADED-PACKAGE: ansi-regex,3.0.0,3.0.1\nUPGRADED-PACKAGE: dat.gui,0.7.3,0.7.9\nUPGRADED-PACKAGE: get-func-name,2.0.0,2.0.2\nUPGRADED-PACKAGE: glob-parent,5.0.0,5.1.2\nUPGRADED-PACKAGE: json5,2.1.0,2.2.3\nUPGRADED-PACKAGE: minimist,1.2.5,1.2.8\nUPGRADED-PACKAGE: node-fetch,2.6.6,2.7.0\nUPGRADED-PACKAGE: path-parse,1.0.6,1.0.7\nUPGRADED-PACKAGE: pathval,1.1.0,1.1.1\nUPGRADED-PACKAGE: qs,6.5.2,6.5.3\nUPGRADED-PACKAGE: semver,5.5.1,5.7.2\nUPGRADED-PACKAGE: semver,5.6.0,5.7.2\nUPGRADED-PACKAGE: semver,6.3.0,6.3.1\nUPGRADED-PACKAGE: y18n,4.0.0,4.0.3\nFIXED-VULN-IDS: GHSA-29mw-wpgm-hmr9,GHSA-35jh-r3h4-6jhm,GHSA-3h5v-q93c-6h6q,GHSA-3h5v-q93c-6h6q,GHSA-4q6p-r6v2-jvc5,GHSA-6chw-6frg-f759,GHSA-6chw-6frg-f759,GHSA-6chw-6frg-f759,GHSA-6fc8-4gx4-v693,GHSA-6fc8-4gx4-v693,GHSA-93q8-gq69-wqmw,GHSA-9c47-m6qq-7p4h,GHSA-c2qf-rxjj-qqgw,GHSA-c2qf-rxjj-qqgw,GHSA-c2qf-rxjj-qqgw,GHSA-c4w7-xm78-47vh,GHSA-chwr-hf3w-c984,GHSA-g6ww-v8xp-vmwg,GHSA-hj48-42vr-x3v9,GHSA-hrpp-h998-j3pp,GHSA-r683-j2x4-v87g,GHSA-vh95-rmgr-6w4m,GHSA-ww39-953v-wcq6,GHSA-xvch-5gv4-984h,GHSA-xvch-5gv4-984h\nREMAINING-VULNS: 30\nUNFIXABLE-VULNS: 30\nRewriting path/to/package-lock.json...\n```\n\n
\n\n```bash\nosv-scanner fix --format text --strategy=relax -M path/to/package.json -L path/to/package-lock.json\n```\n\n
\nSample relax text output\n\n```\nResolving path/to/package.json...\nFound 12 vulnerabilities matching the filter\nCan fix 9/12 matching vulnerabilities by changing 6 dependencies\nUPGRADED-PACKAGE: mocha,^5.2.0,^9.2.2\nUPGRADED-PACKAGE: @google-cloud/cloudbuild,^2.6.0,^4.5.0\nUPGRADED-PACKAGE: autoprefixer,^9.3.0,^10.4.20\nUPGRADED-PACKAGE: google-closure-library,^20190909.0.0,^20200315.0.0\nUPGRADED-PACKAGE: terser,^3.10.11,^4.8.1\nUPGRADED-PACKAGE: yargs,^12.0.2,^13.3.2\nFIXED-VULN-IDS: GHSA-4wf5-vphf-c2xc,GHSA-7fh5-64p2-3v2j,GHSA-7v5v-9h63-cj86,GHSA-f8q6-p94x-37v3,GHSA-h755-8qp9-cq85,GHSA-p9pc-299p-vxgp,GHSA-vh5w-fg69-rc8m,GHSA-vh95-rmgr-6w4m,GHSA-xvch-5gv4-984h\nREMAINING-VULNS: 3\nUNFIXABLE-VULNS: 3\nRewriting path/to/package.json...\nShelling out to regenerate lockfile...\nExecuting `/usr/bin/npm install --package-lock-only`...\n```\n\n
\n\n```bash\nosv-scanner fix --format text --strategy=override -M path/to/pom.xml\n```\n\n
\nSample override output\n\n```\nResolving path/to/pom.xml...\nFound 60 vulnerabilities matching the filter\nCan fix 44/60 matching vulnerabilities by overriding 24 dependencies\nOVERRIDE-PACKAGE: io.atomix:atomix,3.1.6\nOVERRIDE-PACKAGE: org.apache.pdfbox:pdfbox,2.0.24\nOVERRIDE-PACKAGE: xerces:xercesImpl,2.12.2\nOVERRIDE-PACKAGE: com.google.guava:guava,32.0.0-jre\nOVERRIDE-PACKAGE: org.apache.mina:mina-core,2.0.27\nOVERRIDE-PACKAGE: com.fasterxml.jackson.core:jackson-databind,2.12.7.1\nOVERRIDE-PACKAGE: io.netty:netty-handler,4.1.94.Final\nOVERRIDE-PACKAGE: org.apache.commons:commons-compress,1.26.0\nOVERRIDE-PACKAGE: org.apache.commons:commons-configuration2,2.10.1\nOVERRIDE-PACKAGE: org.apache.shiro:shiro-web,1.13.0\nOVERRIDE-PACKAGE: org.eclipse.jgit:org.eclipse.jgit,5.13.3.202401111512-r\nOVERRIDE-PACKAGE: com.nimbusds:nimbus-jose-jwt,9.37.2\nOVERRIDE-PACKAGE: commons-io:commons-io,2.14.0\nOVERRIDE-PACKAGE: io.netty:netty,3.9.8.Final\nOVERRIDE-PACKAGE: io.netty:netty-common,4.1.115.Final\nOVERRIDE-PACKAGE: org.apache.directory.api:api-ldap-model,1.0.0-M31\nOVERRIDE-PACKAGE: org.apache.shiro:shiro-core,1.13.0\nOVERRIDE-PACKAGE: org.eclipse.jetty:jetty-http,12.0.12\nOVERRIDE-PACKAGE: org.eclipse.jetty:jetty-server,9.4.56.v20240826\nOVERRIDE-PACKAGE: org.glassfish.jersey.core:jersey-common,2.34\nOVERRIDE-PACKAGE: xalan:xalan,2.7.3\nOVERRIDE-PACKAGE: org.apache.thrift:libthrift,0.14.0\nOVERRIDE-PACKAGE: org.apache.tomcat.embed:tomcat-embed-core,8.5.99\nOVERRIDE-PACKAGE: io.netty:netty-codec,4.1.68.Final\nFIXED-VULN-IDS: GHSA-2fqw-684c-pvp7,GHSA-2h3j-m7gr-25xj,GHSA-3p86-9955-h393,GHSA-4265-ccf5-phj5,GHSA-4g9r-vxhx-9pgx,GHSA-4jhc-wjr3-pwh2,GHSA-5h29-qq92-wj7f,GHSA-5mg8-w23w-74h3,GHSA-6mcm-j9cj-3vc3,GHSA-6mjq-h674-j845,GHSA-6vqp-h455-42mr,GHSA-6vvh-5794-vpmj,GHSA-76h9-2vwh-w278,GHSA-78wr-2p64-hpwj,GHSA-7fr2-94h7-ccg2,GHSA-7g45-4rm6-3mm3,GHSA-7grw-6pjh-jpc9,GHSA-7j4h-8wpf-rqfh,GHSA-9339-86wc-4qgf,GHSA-9w38-p64v-xpmv,GHSA-c43q-5hpj-4crv,GHSA-cx3q-cv6w-mx4h,GHSA-fg3j-q579-v8x4,GHSA-g2fg-mr77-6vrm,GHSA-g7p8-r2ch-4rmf,GHSA-g8m5-722r-8whq,GHSA-gvpg-vgmx-xg6w,GHSA-h65f-jvqw-m9fj,GHSA-hhw5-c326-822h,GHSA-jc7h-c423-mpjc,GHSA-jjjh-jjxp-wpff,GHSA-m4h3-7mc2-v295,GHSA-mf27-wg66-m8f5,GHSA-mm9x-g8pc-w292,GHSA-mvr2-9pj6-7w5j,GHSA-pmhc-2g4f-85cg,GHSA-q446-82vq-w674,GHSA-qh8g-58pp-2wxh,GHSA-rgv9-q543-rqg4,GHSA-vmqm-g3vh-847m,GHSA-w4jq-qh47-hvjq,GHSA-xfv3-rrfm-f2rv,GHSA-xjp4-hw94-mvp5,GHSA-xq3w-v528-46rv\nREMAINING-VULNS: 16\nUNFIXABLE-VULNS: 15\nRewriting path/to/pom.xml...\n```\n\n
\n\n#### JSON\n\nOutputs the results as a JSON object to stdout, with all other output being directed to stderr - this makes it safe to redirect the output to a file.\n\nThe `json` format is expected to be stable. It is intended to be suitable for integration with automated tooling.\n\n```bash\nosv-scanner fix --format json --strategy=relax -M path/to/package.json\n```\n\n
\nSample relax JSON output\n\n```json\n{\n \"path\": \"path/to/package.json\",\n \"ecosystem\": \"npm\",\n \"strategy\": \"relax\",\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-gcx4-mw62-g8wm\",\n \"packages\": [\n {\n \"name\": \"rollup\",\n \"version\": \"1.32.1\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-h755-8qp9-cq85\",\n \"packages\": [\n {\n \"name\": \"protobufjs\",\n \"version\": \"6.11.3\"\n }\n ]\n },\n {\n \"id\": \"GHSA-pfq8-rq6v-vf5m\",\n \"packages\": [\n {\n \"name\": \"html-minifier\",\n \"version\": \"4.0.0\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-xvch-5gv4-984h\",\n \"packages\": [\n {\n \"name\": \"minimist\",\n \"version\": \"0.0.8\"\n }\n ]\n }\n ],\n \"patches\": [\n {\n \"packageUpdates\": [\n {\n \"name\": \"@google-cloud/cloudbuild\",\n \"versionFrom\": \"^2.6.0\",\n \"versionTo\": \"^4.7.0\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-h755-8qp9-cq85\",\n \"packages\": [\n {\n \"name\": \"protobufjs\",\n \"version\": \"6.11.3\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"mocha\",\n \"versionFrom\": \"^5.2.0\",\n \"versionTo\": \"^8.4.0\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-xvch-5gv4-984h\",\n \"packages\": [\n {\n \"name\": \"minimist\",\n \"version\": \"0.0.8\"\n }\n ]\n }\n ]\n }\n ]\n}\n```\n\n
\n\n```bash\nosv-scanner fix --format json --strategy=override -M path/to/pom.xml\n```\n\n
\nSample override JSON output\n\n```json\n{\n \"path\": \"path/to/pom.xml\",\n \"ecosystem\": \"Maven\",\n \"strategy\": \"override\",\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-3832-9276-x7gf\",\n \"packages\": [\n {\n \"name\": \"commons-httpclient:commons-httpclient\",\n \"version\": \"3.0.1\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-56h3-78gp-v83r\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-6hgm-866r-3cjv\",\n \"packages\": [\n {\n \"name\": \"commons-collections:commons-collections\",\n \"version\": \"3.2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-6phf-73q6-gh87\",\n \"packages\": [\n {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"version\": \"1.7.0\"\n }\n ]\n },\n {\n \"id\": \"GHSA-78wr-2p64-hpwj\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-7rf3-mqpx-h7xg\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-c27h-mcmw-48hv\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jackson:jackson-mapper-asl\",\n \"version\": \"1.8.8\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-cgp8-4m63-fhh5\",\n \"packages\": [\n {\n \"name\": \"commons-net:commons-net\",\n \"version\": \"1.4.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-fjq5-5j5f-mvxh\",\n \"packages\": [\n {\n \"name\": \"commons-collections:commons-collections\",\n \"version\": \"3.2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-grr4-wv38-f68w\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gwrp-pvrq-jmwv\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-q6g2-g7f3-rr83\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-r6j9-8759-g62w\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jackson:jackson-mapper-asl\",\n \"version\": \"1.8.8\"\n }\n ],\n \"unactionable\": true\n },\n {\n \"id\": \"GHSA-x27m-9w8j-5vcw\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n }\n ],\n \"patches\": [\n {\n \"packageUpdates\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"versionFrom\": \"1.1\",\n \"versionTo\": \"1.5.4\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-56h3-78gp-v83r\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-7rf3-mqpx-h7xg\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-grr4-wv38-f68w\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-q6g2-g7f3-rr83\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-x27m-9w8j-5vcw\",\n \"packages\": [\n {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"version\": \"1.1\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"commons-collections:commons-collections\",\n \"versionFrom\": \"3.2.1\",\n \"versionTo\": \"3.2.2\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-6hgm-866r-3cjv\",\n \"packages\": [\n {\n \"name\": \"commons-collections:commons-collections\",\n \"version\": \"3.2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-fjq5-5j5f-mvxh\",\n \"packages\": [\n {\n \"name\": \"commons-collections:commons-collections\",\n \"version\": \"3.2.1\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"versionFrom\": \"2.1\",\n \"versionTo\": \"2.14.0\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-78wr-2p64-hpwj\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.1\"\n }\n ]\n },\n {\n \"id\": \"GHSA-gwrp-pvrq-jmwv\",\n \"packages\": [\n {\n \"name\": \"commons-io:commons-io\",\n \"version\": \"2.1\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"versionFrom\": \"1.7.0\",\n \"versionTo\": \"1.9.4\",\n \"transitive\": true\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-6phf-73q6-gh87\",\n \"packages\": [\n {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"version\": \"1.7.0\"\n }\n ]\n }\n ]\n },\n {\n \"packageUpdates\": [\n {\n \"name\": \"commons-net:commons-net\",\n \"versionFrom\": \"1.4.1\",\n \"versionTo\": \"3.9.0\",\n \"transitive\": false\n }\n ],\n \"fixed\": [\n {\n \"id\": \"GHSA-cgp8-4m63-fhh5\",\n \"packages\": [\n {\n \"name\": \"commons-net:commons-net\",\n \"version\": \"1.4.1\"\n }\n ]\n }\n ]\n }\n ]\n}\n```\n\n
\n\n## Scripted usage\n\nThe non-interactive mode, in combination with [other flags](#remediation-flags), can be used in scripts to automatically apply and test remediation patches.\n\nCheck out our [sample Python script](https://github.com/google/osv-scanner/blob/main/scripts/examples/auto_guided_remediation.py) that uses `osv-scanner fix` to remediate as many vulnerabilities as possible in an npm project without failing your project's `npm run test`.\n\n## Interactive mode\n\nInteractive mode provides a step-by-step process to understand and fix vulnerabilities in your project.\n\n{: .note }\nInteractive mode currently only supports npm manifest and lockfiles.\n\nTo run it, you can use the following command:\n\n```bash\nosv-scanner fix --interactive -M path/to/package.json -L path/to/package-lock.json\n```\n\n{: .warning }\nThe subcommand will modify your manifest and lockfile. Make sure you commit or backup your files before running.\n\nThe command will launch the Guided Remediation TUI and begin scanning your manifest and lockfile for vulnerabilities. Use the arrow keys to navigate menu items and the `ENTER` key to select. `TAB` can be used to switch to and from the information panel of each option.\n\n![Screenshot of the initial interactive results screen, showing found vulnerabilities and the potential remediation approaches](images/guided-remediation-result.png)\n\n{: .highlight }\n\n> The initial screen allows you to change the vulnerability selection criteria. Each correspond to a [vulnerability selection flag](#vulnerability-selection):\n>\n> - Max dependency depth: `--max-depth`\n> - Min CVSS score: `--min-severity`\n> - Exclude dev only: `--ignore-dev`\n\nFrom the first results screen, you can select which of the two remediation strategies to attempt.\n\n## Remediation strategies\n\nThere are currently three remediation strategies:\n\n### In-place lockfile changes\n\n'In-place' remediation involves replacing vulnerable versions of packages in your lockfile with non-vulnerable versions, while still respecting the existing constraints for that dependency. This approach is usually less risky, but will often fix less vulnerabilities than the [relax strategy](#relock-and-relax-direct-dependencies).\n\nSelecting the \"Modify lockfile in place\" option will bring you to the in-place information page. From here, you can see which vulnerabilities can and cannot be resolved by this strategy. By default, every possible in-place patch will be chosen to be applied. You may instead choose which subset of patches you wish to apply.\n\n![Screenshot of the interactive in-place results screen](images/guided-remediation-in-place-results.png)\n\n![Screenshot of the interactive in-place patch selection screen](images/guided-remediation-in-place-choose.png)\n\nIf you wish to apply the proposed in-place patches, select the \"Write\" option to update your lockfile with the new dependency versions.\n\n{: .note }\nWriting these changes will not reinstall your dependencies. You'll need to run `npm ci` (or equivalent) separately.\n\n### Relock and relax direct dependencies\n\nRelocking recomputes your entire dependency graph based on your manifest file, taking the newest possible versions of all your required packages. Doing so will often allow for constraints on vulnerable packages to be unblocked and thus able to be remediated. However, relocking may cause a large number of changes to your dependency graph, which potentially carries a larger risk of breakages.\n\nSelecting the \"Relock\" option will bring you to the relock information page. Here, you can see which vulnerabilities are present after relocking.\n\nIn addition to relocking, it may be possible to further remove vulnerabilities by bumping the required version constraints of your direct dependencies. You may choose to apply these patches by selecting them on the relock page then choosing the \"Apply pending patches\" option. The dependency graph will then be recomputed, and you may continue to select more options.\n\n![Screenshot of the interactive relock results screen with some relaxation patches selected](images/guided-remediation-relock-patches.png)\n\nThe relaxation patches are presented in order of effectiveness, with patches that resolve the most vulnerabilities with the least amount of dependency change shown first.\n\nIf you wish to apply your current relock & relaxation changes, select the \"Write\" option to update your manifest file with the new requirements and regenerate your lockfile (if provided).\n\n{: .note }\nThe `package-lock.json` file is regenerated by first deleting the existing `package-lock.json` and `node_modules/` directory, then running `npm install --package-lock-only`. This recreates the lockfile but does not install the `node_modules/` dependencies. Run `npm ci` separately to install the dependencies.\n\n### Override dependency versions\n\n{: .note }\nThe `override` strategy is currently only supported in non-interactive mode.\n\nMaven allows for the version specification of direct and indirect dependencies to be overwritten by a POM's ``. This mechanism can be used to force a vulnerable dependency to be updated to a newer, non-vulnerable version. Overriding dependency versions can enable otherwise inaccessible updates, but it also risks breaking the application if the new version is incompatible with other dependencies.\n\nIf a direct dependency is vulnerable, the override strategy will update its version in the `` section (if possible). Relevant `` will be updated if used by an existing version specification.\n\nAs with the other strategies, override patches are prioritized by vulnerabilities fixed per updated dependency.\n\n## Remediation flags\n\nThe `fix` subcommand has a number of flags to allow you to control which vulnerabilities and patches may be considered during remediation.\n\nGuided remediation can be run in the [interactive mode](#interactive-mode) with `--interactive` flag.\n\n### Non-interactive flags\n\nThe following flags may be used when running in non-interactive mode only:\n\n- `--strategy=` [`in-place`](#in-place-lockfile-changes) OR [`relax`](#relock-and-relax-direct-dependencies) OR [`override`](#override-dependency-versions): Which remediation strategy to use.\n- `--apply-top=`: Specifies the maximum number of patches to apply. Patches are chosen in the same order as they would appear in the interactive mode.\n\n For example, `--apply-top=1` will only apply one patch, and `--apply-top=2` would apply the two best compatible patches. This flag is particularly useful when scripting to test the outcome of specific patches. Setting `--apply-top=-1` will apply every possible patch (default behavior).\n\n- `--no-introduce`: Set to exclude patches that would introduce new vulnerabilities if applied.\n- `--format=` `text` OR `json`. The [output format](#output-formats) to use for results.\n\n### Vulnerability selection\n\nThe following flags may be used to filter which vulnerabilities will be selected for remediation:\n\n- `--max-depth=`: The maximum dependency depth to consider vulnerabilities from.\n\n For example, `--max-depth=1` will only consider vulnerabilities affecting direct dependencies, while `--max-depth=2` will consider up to the direct dependencies of your direct dependencies. Setting `--max-depth=-1` will consider all dependencies, regardless of depth.\n\n- `--min-severity=`: The minimum CVSS score of vulnerabilities to consider.\n\n For example, `--min-severity=7.5` will consider only vulnerabilities with CVSS a score of 7.5 and above. If the OSV record for the vulnerability does not have a CVSS score, it will **not** be excluded.\n\n- `--ignore-dev`: Whether to exclude vulnerabilities from dependencies that are only used in `devDependencies`.\n- `--ignore-vulns=`: A list of OSV IDs to exclude from consideration.\n- `--vulns=`: An explicit list of OSV IDs that should exclusively be considered, as long as the other criteria are satisfied.\n\nA vulnerability is only considered if it satisfies all the conditions set by these flags.\n\n### Dependency upgrade options\n\nThe following flag may be used to limit the patches allowed for your dependencies:\n\n- `--upgrade-config=<[package-name:]level>` Sets the maximum upgrade level allowed for a package. Can be repeated for multiple packages.\n\n `level` is the SemVer component to allow updates to, can be one of `major`, `minor`, `patch`, or `none`. e.g. If a package was at version `1.2.3`\n - `major` allows for updates to any version `>=1.2.3`\n - `minor` allows for updates `>=1.2.3, <2.0.0`\n - `patch` allows for updates `>=1.2.3, <1.3.0`\n - `none` disallows any updates\n\n If `package-name:` is omitted, `level` is applied to all packages. The specific `package-name:level` will take precedence over the general `level` (e.g. specifying both `minor` `pkg:none` will use `none` as the allowed level for `pkg`).\n\n Default behaviour is `--upgrade-config=major`.\n\n Example usage:\n - `--upgrade-config=minor` - disallow any patches that would bump a major version of any package.\n - `--upgrade-config=foo:minor` - disallow any patches that bumps package `foo` by a major version. Other packages may receive major version-updating patches.\n - `--upgrade-config=none --upgrade-config=foo:patch` - only allow patches to package `foo`, and only allow changes to `foo`'s SemVer patch level.\n\n### Data source\n\nBy default, we use the [deps.dev API](https://docs.deps.dev/api/) to find version and dependency information of packages during remediation.\n\nIf instead you'd like to use your ecosystem's native registry API (e.g. `https://registry.npmjs.org`), you can use the `--data-source=native` flag. `osv-scanner fix` will attempt to use the authentication specified by the native tooling (e.g. `npm config` or Maven's `settings.xml`)\n\n{: .highlight }\nIf your project uses mirrored or private registries, you will need to use `--data-source=native`\n\n{: .note }\n\n> The subcommand caches the requests it makes in `[FILE].resolve.deps` (deps.dev), `package.json.resolve.npm` (native npm), or `pom.xml.resolve.maven` (native Maven).\n>\n> The native caches will store the addresses of private registries used, though not any authentication information.\n\n### Maven flags\n\n- `--maven-fix-management`: If set, patches for vulnerabilities in packages declared in `` will be made, even if those packages are not found in the resolved dependency tree (useful for patching parent POM files).\n- `--maven-registry=`: Override for the default registry used to fetch dependencies (typically the `central` repository at `https://repo.maven.apache.org/maven2`)\n\n### Offline Vulnerability Database\n\nThe `fix` subcommand supports the `--offline-vulnerabilities` and `--download-offline-databases` flags.\n\nFor more information, see [Offline Mode](./offline-mode.md).\n\n## Known issues\n\n- The subcommand does not use the `osv-scanner.toml` configuration. Use the `--ignore-vulns` flag instead.\n- The subcommand does not group aliases of the same vulnerabilities together.\n- Unique vulnerabilities are counted differently with `fix --strategy=relax` versus with `fix --strategy=in-place` and with `scan`. `scan` will count the same OSV ID affecting two different package versions separately, whereas `fix --strategy=relax` will count this as one vulnerability.\n\n e.g. if `OSV-123-456` affects both `foo@1.0.0` and `foo@2.0.0` in your project, `scan` and `fix --strategy=in-place` will treat this as two distinct vulnerabilities, while `fix --strategy=relax` will treat this as only one.\n\n### npm\n\n- Non-registry dependencies (local paths, URLs, Git, etc.) are not evaluated.\n- [#1026](https://github.com/google/osv-scanner/issues/1026) `peerDependencies` are not properly considered during dependency resolution (treated as if using `--legacy-peer-deps`).\n- `overrides` are ignored during dependency resolution.\n\n#### Workspaces\n\nRemediation in npm `workspaces` is only partially supported:\n\n- In-place updates should function correctly on the workspace `package-lock.json`.\n- Dependency relaxation can change dependencies in the `package.json` file being scanned. This means only dependencies declared in the root package can be changed.\n - You can remediate the individual `package.json` files of each workspace, but this will be unaware of any packages or constraints caused by sibling workspaces.\n- The `node_modules/` in workspaces are not deleted when relocking, which may impact the resulting dependency graph when running `npm install`.\n- Each workspace package is considered dependency depth 1 from the root workspace.\n\n### Maven\n\n- [#1238](https://github.com/google/osv-scanner/issues/1238) Dependencies that use properties in their `groupId`/`artifactId` may not be updated correctly.\n- [#1239](https://github.com/google/osv-scanner/issues/1239) Support for profiles is limited.\n- Encrypted values in `settings.xml` files are not supported.\n" }, { "path": "docs/index.md", "content": "---\n# Feel free to add content and custom Front Matter to this file.\n# To modify the layout, see https://jekyllrb.com/docs/themes/#overriding-theme-defaults\n\nlayout: home\nnav_order: 1\n---\n\n# OSV-Scanner\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner/badge)](https://api.securityscorecards.dev/projects/github.com/google/osv-scanner)\n[![Go Report Card](https://goreportcard.com/badge/github.com/google/osv-scanner)](https://goreportcard.com/report/github.com/google/osv-scanner)\n[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)\n[![GitHub Release](https://img.shields.io/github/v/release/google/osv-scanner)](https://github.com/google/osv-scanner/releases)\n\nUse OSV-Scanner to find existing vulnerabilities affecting your project's dependencies.\n\nOSV-Scanner provides an officially supported frontend to the [OSV database](https://osv.dev/) that connects a project’s list of dependencies with the vulnerabilities that affect them.\n\nYou can use OSV-scanner in two ways:\n\n1. **As a CLI tool:** Run directly in a terminal or CI/CD pipeline to scan projects. See the [Installation Guide](./installation.md) to get started.\n2. **As a Go library:** Import the [Go package](https://pkg.go.dev/github.com/google/osv-scanner/v2/pkg/osvscanner) to integrate vulnerability scanning logic into Go applications.\n\nSince the OSV.dev database is open source and distributed, it has several benefits in comparison with closed source advisory databases and scanners:\n\n- Each advisory comes from an open and authoritative source (e.g. the [RustSec Advisory Database](https://github.com/rustsec/advisory-db))\n- Anyone can suggest improvements to advisories, resulting in a very high quality database\n- The OSV format unambiguously stores information about affected versions in a machine-readable format that precisely maps onto a developer’s list of packages\n\nThe above all results in fewer, more actionable vulnerability notifications, which reduces the time needed to resolve them. Check out our [announcement blog post] for more details!\n\n[announcement blog post]: https://security.googleblog.com/2022/12/announcing-osv-scanner-vulnerability.html\n" }, { "path": "docs/installation.md", "content": "---\nlayout: page\npermalink: /installation/\nnav_order: 3\n---\n\n# Installation\n\nYou may download the [SLSA3](https://slsa.dev) compliant binaries for Linux, macOS, and Windows from our [releases page](https://github.com/google/osv-scanner/releases).\n\n## Package Managers\n\n[![Packaging status](https://repology.org/badge/vertical-allrepos/osv-scanner.svg)](https://repology.org/project/osv-scanner/versions)\n\n### Windows Scoop\n\n[Windows Scoop](https://scoop.sh) users can install osv-scanner from the [official bucket](https://github.com/ScoopInstaller/Main/blob/master/bucket/osv-scanner.json):\n\n```bash\nscoop install osv-scanner\n```\n\n### Windows WinGet\n\nWindows users can also install osv-scanner from the official [WinGet repo](https://github.com/microsoft/winget-pkgs):\n\n```bash\nwinget install Google.OSVScanner\n```\n\n### Homebrew\n\n[Homebrew](https://brew.sh/) users can install [osv-scanner](https://formulae.brew.sh/formula/osv-scanner) via:\n\n```bash\nbrew install osv-scanner\n```\n\n### Arch Linux\n\nArch Linux users can install osv-scanner from the official repo:\n\n```bash\npacman -S osv-scanner\n```\n\n### Alpine Linux\n\nAlpine Linux users can install osv-scanner from the official repo:\n\n```bash\napk add osv-scanner\n```\n\n### FreeBSD\n\nFreeBSD users can install osv-scanner from the official repo:\n\n```bash\npkg install osv-scanner\n```\n\n### NetBSD\n\nNetBSD users can install osv-scanner from the official repo:\n\n```bash\npkg_add osv-scanner\n```\n\n### OpenBSD\n\nOpenBSD users can install osv-scanner from the official repo:\n\n```bash\npkg_add osv-scanner\n```\n\n## Install from source\n\nAlternatively, you can install this from source by running:\n\n```bash\ngo install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest\n```\n\nThis requires Go 1.25.7+ to be installed.\n\n## Build from source\n\nSee our [contribution guidelines](https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md) for instructions on how to build from source.\n\n## Verifying Builds\n\nEach of our releases come with SLSA provenance data (`multiple.intoto.jsonl`),\nwhich can be used to verify the source and provenance of the binaries with the [`slsa-verifier`](https://github.com/slsa-framework/slsa-verifier) tool.\n\nE.g.\n\n```bash\nslsa-verifier verify-artifact ./osv-scanner_1.2.0_linux_amd64 --provenance-path multiple.intoto2.jsonl --source-uri github.com/google/osv-scanner --source-tag v1.2.0\n```\n\n## SemVer Adherence\n\nAll releases on the same Major version will be guaranteed to have backward compatible JSON output and CLI arguments.\nHowever, features prefixed with `experimental` (e.g. `--experimental-call-analysis`) might be changed or removed with only a Minor version change.\n" }, { "path": "docs/license-scanning.md", "content": "---\nlayout: page\npermalink: /usage/license-scanning/\nparent: Usage\nnav_order: 3\n---\n\n# License Scanning\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nOSV-Scanner supports license checking as an official feature. The data comes from the [deps.dev API](https://docs.deps.dev/api/).\n\n## License Summary and Violations\n\nThe `--licenses` flag provides a summary of the licenses used by your dependencies.\nTo also display violations, you can provide an allowlist of permitted licenses as an argument:\n\n```bash\n# Show license summary only\nosv-scanner --licenses path/to/repository\n\n# Show the license summary and violations against an allowlist (provide the list after the = sign):\nosv-scanner --licenses=\"comma-separated list of allowed licenses\" path/to/directory\n```\n\nInclude your allowed licenses as a comma-separated list. OSV-Scanner recognizes licenses in SPDX format. Please indicate your allowed licenses using [SPDX license](https://spdx.org/licenses/) identifiers.\n\n### License violations example\n\nIf you wanted to allow the following licenses:\n\n- [BSD 3-Clause \"New\" or \"Revised\" License](https://spdx.org/licenses/BSD-3-Clause.html)\n- [Apache License 2.0](https://spdx.org/licenses/Apache-2.0.html)\n- [MIT](https://spdx.org/licenses/MIT.html)\n\nYour command would be in this form:\n\n```bash\nosv-scanner --licenses=\"BSD-3-Clause,Apache-2.0,MIT\" path/to/directory\n```\n\n## Override License\n\nSometimes, the license either cannot be retrieved, or does not apply to your specific use. In those cases, you can override the license of a specific package by setting it in the config file.\n\nSee the [configuration docs](./configuration.md) for how to do this.\n" }, { "path": "docs/manual-plugin-selection.md", "content": "---\nlayout: page\npermalink: /experimental/manual-plugin-selection/\nparent: Experimental Features\nnav_order: 5\n---\n\n# Manual OSV-Scalibr Plugin Selection\n\nExperimental\n{: .label }\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nBy default, OSV-Scanner automatically enables the relevant plugins for each scanning situation\n(see [this page](./supported_languages_and_lockfiles.md) for more details).\nHowever, if the default selection is not suitable, or you require additional plugins from OSV-Scalibr (e.g., detectors),\nyou can manually enable or disable them.\n\n## Enabling and Disabling Plugins\n\nYou can control which plugins to run using the following flags:\n\n- `--experimental-plugins`: Enables a comma-separated list of specific plugins that will be used along with the default plugins for the command being run\n- `--experimental-disable-plugins`: Disables a comma-separated list of specific plugins.\n- `--experimental-no-default-plugins`: Excludes the default plugins for the command being run from being automatically included\n\nFor a full list of available plugin names, see OSV-Scalibr's documentation here:\nhttps://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md\n\n### Presets\n\nYou can also enable or disable various presets, which group multiple plugins together.\n\n**Example:**\n\n```bash\n# This will enable all sbom plugins + cargolock extractor + requirements extractor\nosv-scanner scan source --experimental-plugins sbom,rust/cargolock,python/requirements\n\n# This will enable all lockfile plugins, except the cargolock and requirements extractors\nosv-scanner scan source --experimental-plugins lockfile --experimental-disable-plugins rust/cargolock,python/requirements\n```\n\n**Available Presets:**\n\n| Preset | Description |\n| :---------- | :------------------------------ |\n| `sbom` | Default for directory scanning. |\n| `lockfile` | Default for lockfile scanning. |\n| `directory` | Default for directory scanning. |\n| `artifact` | Default for image scanning. |\n\n### Detectors\n\nOSV-Scalibr provides detectors that can identify potential security issues beyond known vulnerabilities.\nWe experimentally support these detectors. Currently, detector findings are only available in the JSON output under\n`experimental_generic_findings`.\n\n**Available Detector Presets:**\n\n| Preset | Description |\n| :------------ | :----------------------------------------- |\n| `untested` | Finds dependencies that are not tested. |\n| `weakcreds` | Detects weak credentials. |\n| `govulncheck` | Checks for vulnerabilities in Go binaries. |\n| `cis` | Checks for compliance with CIS benchmarks. |\n\n
\n\nExample detector run\n\n\n```bash\nosv-scanner scan image --experimental-plugins=os/apk,weakcredentials/etcshadow --format=json\n```\n\n```json\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/lib/apk/db/installed\",\n \"type\": \"os\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"apk-tools\",\n \"os_package_name\": \"apk-tools\",\n \"version\": \"2.10.6-r0\",\n \"ecosystem\": \"Alpine:v3.10\",\n \"commit\": \"ee458ccae264321745e9622c759baf110130eb2f\",\n \"image_origin_details\": {\n \"index\": 0\n }\n },\n \"vulnerabilities\": [\"CVE-2021-36159\"],\n \"groups\": 1\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n },\n \"experimental_generic_findings\": [\n {\n \"Adv\": {\n \"ID\": {\n \"Publisher\": \"SCALIBR\",\n \"Reference\": \"etc-shadow-weakcredentials\"\n },\n \"Title\": \"Ensure all users have strong passwords configured\",\n \"Description\": \"The /etc/shadow file contains user account password hashes. These passwords must be strong and not easily guessable.\",\n \"Recommendation\": \"Run the following command to reset password for the reported users:/n# change password for USER: sudo passwd USER\",\n \"Sev\": 5\n },\n \"Target\": {\n \"Extra\": \"/etc/shadow: The following users have weak passwords:/nuser-bcrypt/n\"\n },\n \"Plugins\": [\"weakcredentials/etcshadow\"],\n \"ExploitabilitySignals\": null\n }\n ],\n \"image_metadata\": {\n \"os\": \"Alpine Linux v3.10\",\n \"layer_metadata\": [\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"/bin/sh -c #(nop) ADD file:c5377eaa926bf412dd8d4a08b0a1f2399cfd708743533b0aa03b53d14cb4bb4e in / \",\n \"is_empty\": false,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"\",\n \"command\": \"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\",\n \"is_empty\": true,\n \"base_image_index\": 1\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-bcrypt:$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n {\n \"diff_id\": \"sha256:...\",\n \"command\": \"RUN /bin/sh -c echo 'user-descrypt:chERDiI95PGCQ' /u003e/u003e /etc/shadow # buildkit\",\n \"is_empty\": false,\n \"base_image_index\": 0\n }\n ],\n \"base_images\": [\n {},\n {\n \"name\": \"alpine\",\n \"tags\": null\n }\n ]\n }\n}\n```\n\n
\n" }, { "path": "docs/migrating-from-scalibr.md", "content": "---\nlayout: default\ntitle: Migrating from osv-scalibr\nnav_order: 18\n---\n\n# Migrating from osv-scalibr to osv-scanner\n\nThis guide is for users who are familiar with `osv-scalibr` and want to migrate to `osv-scanner`. It explains how to\nachieve similar results with `osv-scanner`.\n\n`osv-scanner` has integrated `osv-scalibr`'s inventory collection and vulnerability scanning capabilities.\nWhile most of `osv-scalibr`'s functionalities are available in `osv-scanner`, the command-line flags and output formats\nare different.\n\n## Command-line Equivalence\n\nThe `osv-scanner` CLI is designed to be more intuitive and user-friendly. Here's a mapping of common `osv-scalibr`\ncommands to their `osv-scanner` equivalents.\n\n### Scanning a directory\n\n**osv-scalibr:**\n\n```sh\nscalibr --root /path/to/your/project --result result.json\n```\n\n**osv-scanner:**\n\n```sh\nosv-scanner /path/to/your/project\n```\n\n### Selecting plugins\n\nOSV-Scanner has access to the full list of OSV-Scalibr plugins, though only a well tested subset of them are enabled by\ndefault in OSV-Scanner.\n\nIn `osv-scalibr`, you can select which plugins to run using the `--extractors`, `--detectors` flags,\nor alternatively using the `--plugins` flag.\n\nFor a full list of available plugin names, see OSV-Scalibr's documentation here:\nhttps://github.com/google/osv-scalibr/blob/main/docs/supported_inventory_types.md\n\n**osv-scalibr:**\n\n```sh\nscalibr --plugins python/pip,go/gomod --detectors go/govulncheck /path/to/your/project\n```\n\nIn `osv-scanner`, you can achieve the same by using the `--experimental-plugins` flag. This is an experimental feature.\n\n**osv-scanner:**\n\n```sh\nosv-scanner --experimental-plugins python/pip,go/gomod,go/govulncheck /path/to/your/project\n```\n\n`osv-scanner` lets you exclude its default plugins with `--experimental-no-default-plugins`, for when you want to only\nrun specific plugins.\n\n`osv-scanner` also allows you to disable specific plugins with `--experimental-disable-plugins`.\n\nFor more details on manual plugin selection in `osv-scanner`, see the [manual plugin selection documentation](manual-plugin-selection.md).\n\n### Generating SPDX output\n\n`osv-scalibr` uses the `-o` flag to specify the output format and file. For example, to generate an SPDX JSON report:\n\n**osv-scalibr:**\n\n```sh\nscalibr -o spdx23-json=result.spdx.json /path/to/your/project\n```\n\n`osv-scanner` uses the `--format` flag to specify the output format and the output is written to standard output,\nand a separate `--output-file` flag if you wish to save the output into a file.\n\n**osv-scanner:**\n\n```sh\nosv-scanner --format spdx-2.3-json /path/to/your/project > result.spdx.json\n```\n\nFor more details on `osv-scanner` output formats, see the [output documentation](output.md).\n\n## Flag Translation Table\n\n| `osv-scalibr` Flag | `osv-scanner` Flag | Notes |\n| --------------------------------- | ------------------------- | ---------------------------------------------------------------------------------------------------------- |\n| `--version` | `--version` | `osv-scanner version` |\n| `--root` | `[directory]` (argument) | `osv-scanner scan source [directory]` |\n| `--result` | `--output` | `osv-scanner --output ` |\n| `-o` | `--format` and `--output` | e.g. `osv-scalibr -o spdx23-json=r.json` becomes `osv-scanner --format spdx-2.3-json --output-file r.json` |\n| `--plugins` | `--experimental-plugins` | |\n| `--extractors` | `--experimental-plugins` | |\n| `--detectors` | `--experimental-plugins` | |\n| `--annotators` | `--experimental-plugins` | |\n| `--ignore-sub-dirs` | (no direct equivalent) | `osv-scanner` is not recursive by default. Use `--recursive` to enable. |\n| `--skip-dirs` | Not yet available | |\n| `--skip-dir-regex` | Not yet available | |\n| `--skip-dir-glob` | Not yet available | |\n| `--max-file-size` | Not yet available | |\n| `--use-gitignore` | (default behavior) | Use `--no-ignore` to disable. |\n| `--remote-image` | `[image]` (argument) | `osv-scanner scan image [image]` |\n| `--image-tarball` | `--archive` | `osv-scanner scan image --archive [tarball]` |\n| `--image-local-docker` | `[image]` (argument) | `osv-scanner scan image [image]` (it will look for local images first) |\n| `--image-platform` | Not yet available | |\n| `--gobinary-version-from-content` | Not yet available | |\n| `--govulncheck-db` | Not yet available | |\n| `--spdx-document-name` | Not yet available | |\n| `--spdx-document-namespace` | Not yet available | |\n| `--spdx-creators` | Not yet available | |\n| `--cdx-component-name` | Not yet available | |\n| `--cdx-component-type` | Not yet available | |\n| `--cdx-component-version` | Not yet available | |\n| `--cdx-authors` | Not yet available | |\n| `--verbose` | `--verbosity` | `osv-scanner --verbosity `, e.g. `debug`. |\n| `--explicit-extractors` | (default behavior) | |\n| `--filter-by-capabilities` | (default behavior) | `osv-scanner` automatically filters plugins. |\n| `--windows-all-drives` | Not yet available | |\n| `--offline` | `--offline` | |\n| `--local-registry` | `--maven-registry` | Only for Maven. |\n" }, { "path": "docs/migration-guide.md", "content": "# Migration Guide\n\n## `v1` to `v2` migration guide\n\n### CLI changes:\n\nMost experimental commands have now been stablized, all experimental versions of these flags have been removed:\n\n- `--experimental-call-analysis` => `--call-analysis`\n- `--experimental-no-call-analysis` => `--no-call-analysis`\n- `--experimental-all-packages` => `--all-packages`\n- `--experimental-licenses` & `--experimental-license-summary` => `--licenses`\n - Instead of two separate flags, by having no values after `--licenses`, it behaves the same way as just `--experimental-license-summary`\n - You can still specify the license allow list after `--licenses` flag like so: `--licenses=\"MIT,Apache 2.0,...\"`\n- `--experimental-offline` => `--offline`\n- `--experimental-offline-vulnerabilities` => `--offline-vulnerabilities`\n- `--experimental-download-offline-databases` => `--download-offline-databases`\n- `--experimental-no-resolve` => `--no-resolve`\n\n---\n\nContainer scanning and the `--docker/-D` flag has been migrated to its own command.\n\n```bash\nosv-scanner scan image \n```\n\n---\n\n[Guided remeidation](https://google.github.io/osv-scanner/experimental/guided-remediation/) now defaults to the non-interactive mode. To run in the interactive mode, use the `--interactive` flag.\n\n---\n\n`--verbosity=verbose` verbosity level removed. Now there are only `info`, `warn`, `error` verbosity levels.\n\n---\n\n`osv-scanner ` is now a shortcut for `osv-scanner scan source `.\n\n---\n\nSBOM scanning (`osv-scanner --sbom`) now relies on the filename of the sbom file to follow the relevant SBOM specs. E.g. `*.spdx.json`.\n\n---\n\nThe `.git` root hash directory is not automatically scanned now, therefore:\n\n`--skip-git` flag removed, replaced with `--include-git-root`.\n\n---\n\nThe following deprecated flags have been removed:\n\n- `scan --json` removed, please use `--format=json`\n- `fix --disallow-major-upgrades` removed\n- `fix --disallow-package-upgrades`\n\n### JSON output changes:\n\nLicense summary is now in JSON output when `--license-summary` is used, rather than showing every package.\n" }, { "path": "docs/offline-mode.md", "content": "---\nlayout: page\npermalink: /usage/offline-mode/\nparent: Usage\nnav_order: 4\n---\n\n# Offline Mode\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nOSV-Scanner now supports offline scanning as an official feature. Offline scanning checks your project against a local database instead of calling the OSV.dev API.\n\n## Specify database location\n\nOur offline features require the use of a local database, the location of which is determined through the use of the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable.\n\nThe local database file structure is in this form:\n\n```\n{local_db_dir}/\n osv-scanner/\n npm/all.zip\n PyPI/all.zip\n â€Ļ\n {ecosystem}/all.zip\n```\n\nWhere `{local_db_dir}` can be set by the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable.\n\nIf the `OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY` environment variable is _not_ set, OSV-Scanner will attempt to look for the database in the following locations, in this order:\n\n1. The location returned by [`os.UserCacheDir`](https://pkg.go.dev/os#UserCacheDir)\n2. The location returned by [`os.TempDir`](https://pkg.go.dev/os#TempDir)\n\nThe database can be [downloaded manually](#manual-database-download) or by using the [`--download-offline-databases` flag](#download-offline-databases-option).\n\n## Offline option\n\nThe offline database flag `--offline` causes OSV-Scanner to scan your project against a previously downloaded local database. OSV-Scanner will not download or update the local database, nor will it send any project or dependency information anywhere. When a local database is not present, you will get an error message. No network connection is required when using this flag.\n\n```bash\nosv-scanner --offline ./path/to/your/dir\n```\n\nTo use offline mode for just the vulnerability database, but allow other features to possibly make network requests (e.g. [transitive dependency scanning](./supported_languages_and_lockfiles.md#transitive-dependency-scanning)), you can use the `--offline-vulnerabilities` flag instead.\n\n## Download offline databases option\n\nThe download offline databases flag `--download-offline-databases` allows OSV-Scanner to download or update your local database when running in offline mode, to make it easier to get started. This option only works when you also set the offline flag.\n\n```bash\nosv-scanner --offline-vulnerabilities --download-offline-databases ./path/to/your/dir\n```\n\n## Manual database download\n\nInstead of using the `--download-offline-databases` flag to download the database, it is possible to manually download the database.\n\nA downloadable copy of the OSV database is stored in a GCS bucket maintained by OSV:\n[`gs://osv-vulnerabilities`](https://osv-vulnerabilities.storage.googleapis.com)\n\nThis bucket contains zip files containing all vulnerabilities for each ecosystem at:\n`gs://osv-vulnerabilities//all.zip`.\n\nE.g. for PyPI vulnerabilities:\n\n```bash\ngcloud storage cp gs://osv-vulnerabilities/PyPI/all.zip .\n```\n\nYou can also download over HTTP via `https://osv-vulnerabilities.storage.googleapis.com//all.zip`.\n\nA list of all current ecosystems is available at\n[`gs://osv-vulnerabilities/ecosystems.txt`](https://osv-vulnerabilities.storage.googleapis.com/ecosystems.txt).\n\nSet the location of your manually downloaded database by following the instructions [here](#specify-database-location).\n\n## Limitations\n\n1. Commit level scanning is not supported.\n" }, { "path": "docs/osv-reporter.md", "content": "---\nlayout: page\npermalink: /experimental/osv-reporter/\nparent: Experimental Features\nnav_order: 4\n---\n\n# OSV-Reporter\n\nExperimental\n{: .label }\n\nOSV-Reporter can be used to perform some experimental operations on the OSV-Scanner output JSON.\n\n## Features\n\n- Create a diff between two osv-scanner.json outputs, so you can see only new vulnerabilities.\n\n```bash\n$ osv-reporter --old previous-osv-scanner.json --new current-osv-scanner.json\n```\n\n- Output multiple different formats from a single set of scan results.\n\n```bash\n$ osv-reporter --new osv-scanner.json --output-files=[format]:[output-path],[format2]:[output-path2]\n```\n\n## How to install\n\nWe don't provide prebuilt binaries for osv-reporter as it is very experimental and can change at any point.\n\nCurrently you can install it from source via `go install`:\n\n```bash\n$ go install github.com/google/osv-scanner/v2/cmd/osv-reporter@latest\n# Or @main for the latest commit\n```\n" }, { "path": "docs/output.md", "content": "---\nlayout: page\npermalink: /output/\nnav_order: 6\n---\n\n# Output\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\n## Explanation of output data\n\nFor every vulnerability found, OSV-Scanner will display the following information:\n\n- OSV URL: Link to the osv.dev entry for the vulnerability\n- CVSS: CVSS v2 or v3, calculated from the [severity[].score](https://ossf.github.io/osv-schema/#severity-field) field.\n- Ecosystem: Ecosystem associated with the package\n- Package: Package name\n- Version: Package version\n- Fixed Version: The version where the vulnerability is fixed, if available. If no fix is available, this will be shown as `--`.\n- Source: Path to the sbom or lockfile where the package originated\n\nAnd if you are performing layer scanning, osv-scanner additionally returns:\n\n- Layer where a package was first introduced\n- Layer history and commands\n- Base images the image is based on\n- OS/Distro the container is running on\n\n## Output formats\n\nYou can control the format used by the scanner to output results with the `--format` flag.\n\n### Table (Default)\n\nThe default format, which outputs the results as a human-readable table.\n\n```bash\nosv-scanner scan --format table your/project/dir\n```\n\n
\nSample table output\n\n```bash\nTotal 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n1 vulnerability can be fixed.\n\n╭─────────────────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ──────────────────────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ FIXED VERSION │ VERSION │ SOURCE │\n├─────────────────────────────────────â”ŧ──────â”ŧ───────────â”ŧ──────────────────────────â”ŧ───────────────â”ŧ─────────â”ŧ────────────────────┤\n│ https://osv.dev/GHSA-c3h9-896r-86jm │ 8.6 │ Go │ github.com/gogo/protobuf │ 1.3.2 │ 1.3.1 │ path/to/go.mod │\n│ https://osv.dev/GHSA-m5pq-gvj9-9vr8 │ 7.5 │ crates.io │ regex │ -- │ 1.3.1 │ path/to/Cargo.lock │\n╰─────────────────────────────────────┴──────┴───────────┴──────────────────────────┴───────────────┴─────────┴────────────────────╯\n```\n\nIf the 'Fixed Version' column is empty or shows `--`, it means there is currently no fix for this vulnerability.\n\n
\n\n---\n\n### Markdown Table\n\n```bash\nosv-scanner scan --format markdown your/project/dir\n```\n\n
\nSample markdown output\n\n**Raw output:**\n\n```\nTotal 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n1 vulnerability can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Fixed Version | Version | Source |\n| ---------------------------------- | ---- | --------- | ------------------------ | ------------- | ------- | ------------------------------------------------------ |\n| https://osv.dev/GHSA-c3h9-896r-86jm| 8.6 | Go | github.com/gogo/protobuf | 1.3.2 | 1.3.1 | ../scorecard-check-osv-e2e/go.mod |\n| https://osv.dev/GHSA-m5pq-gvj9-9vr8| 7.5 | crates.io | regex | -- | 1.5.1 | ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock |\n```\n\n**Rendered:**\n\n| OSV URL | CVSS | Ecosystem | Package | Fixed Version | Version | Source |\n| ----------------------------------- | ---- | --------- | ------------------------ | ------------- | ------- | ------------------------------------------------------ |\n| https://osv.dev/GHSA-c3h9-896r-86jm | 8.6 | Go | github.com/gogo/protobuf | 1.3.2 | 1.3.1 | ../scorecard-check-osv-e2e/go.mod |\n| https://osv.dev/GHSA-m5pq-gvj9-9vr8 | 7.5 | crates.io | regex | -- | 1.5.1 | ../scorecard-check-osv-e2e/sub-rust-project/Cargo.lock |\n\n
\n\n---\n\n### Vertical\n\n```bash\nosv-scanner scan --format vertical your/project/dir\n```\n\n
\nSample vertical output\n\n```bash\nTotal 2 packages affected by 2 known vulnerabilities (1 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 2 ecosystems.\n1 vulnerability can be fixed.\n\nGo\n\npath/to/go.mod: found 1 package with issues\n\n github.com/gogo/protobuf@1.3.1 has the following known vulnerabilities:\n GHSA-c3h9-896r-86jm: Improper Input Validation in GoGo Protobuf\n Severity: '8.6'; Minimal Fix Version: '1.3.2';\n\n 1 known vulnerability found in path/to/go.mod\n\ncrates.io\n\npath/to/Cargo.lock: found 1 package with issues\n\n regex@1.5.1 has the following known vulnerabilities:\n GHSA-m5pq-gvj9-9vr8: Rust's regex crate vulnerable to regular expression denial of service\n Severity: '7.5'; Minimal Fix Version: '1.5.5';\n\n 1 known vulnerability found in path/to/Cargo.lock\n```\n\n
\n\n---\n\n### HTML\n\n```bash\nosv-scanner scan --format html your/project/dir\n# OR\nosv-scanner scan --serve your/project/dir # Hosts HTML output at localhost port 8000\n# Use the --port flag along with --serve to specify a custom port to host the output\n```\n\nThe HTML output features a lot more interactivity and information compared to terminal only outputs, including:\n\n- Severity breakdown\n- Package and ID filtering\n- Vulnerability importance filtering\n- Full vulnerability advisory entries\n\nAnd additionally for container image scanning:\n\n- Layer filtering\n- Image layer information\n- Base image identification\n\n
\nSample HTML output\n\n![HTML Output Screenshot](./images/html-container-output.png)\n\n
\n\n### JSON\n\nJSON output allows you to get all the information osv-scanner found in a machine-readable format.\n\n```bash\nosv-scanner scan --format json your/project/dir\n```\n\nOutputs the results as a JSON object to stdout, with all other output being directed to stderr - this makes it safe to redirect the output to a file with\n\n```bash\nosv-scanner scan --format json -L path/to/lockfile > /path/to/file.json\n```\n\n
\nSample JSON output\n\n```json\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/absolute/path/to/go.mod\",\n // One of: lockfile, sbom, git, docker\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"aliases\": [\"CVE-2021-3121\"]\n // ... Full OSV\n },\n {\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\"CVE-2021-3121\", \"GHSA-c3h9-896r-86jm\"]\n // ... Full OSV\n }\n ],\n // Grouping based on aliases, if two vulnerability share the same alias, or alias each other,\n // they are considered the same vulnerability, and is grouped here under the id field.\n \"groups\": [\n {\n \"ids\": [\"GHSA-c3h9-896r-86jm\", \"GO-2021-0053\"],\n // Call stack analysis is done using the `--call-analysis=` flag\n // and result is matched against data provided by the advisory to check if\n // affected code is actually being executed.\n \"experimentalAnalysis\": {\n \"GO-2021-0053\": {\n \"called\": false\n }\n }\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/absolute/path/to/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\"CVE-2022-24713\"]\n // ... Full OSV\n },\n {\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\"CVE-2022-24713\"]\n // ... Full OSV\n }\n ],\n \"groups\": [\n {\n \"ids\": [\"GHSA-m5pq-gvj9-9vr8\", \"RUSTSEC-2022-0013\"]\n }\n ]\n }\n ]\n }\n ]\n}\n```\n\n
\n\n---\n\n### SARIF\n\n```bash\nosv-scanner scan --format sarif your/project/dir\n```\n\nOutputs the result in the [SARIF](https://sarifweb.azurewebsites.net/) v2.1.0 format. Each vulnerability (grouped by aliases) is a separate rule, and each package containing a vulnerable dependency is a rule violation.\nThe help text within the SARIF report contains detailed information about the vulnerability and remediation instructions for how to resolve it.\n\n
\nSample SARIF output\n\n```json\n{\n \"version\": \"2.1.0\",\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"runs\": [\n {\n \"tool\": {\n \"driver\": {\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"name\": \"osv-scanner\",\n \"rules\": [\n {\n \"id\": \"CVE-2022-24713\",\n \"shortDescription\": {\n \"text\": \"CVE-2022-24713: \"\n },\n \"fullDescription\": {\n \"text\": \"...\",\n \"markdown\": \"...\"\n },\n // Deprecated IDs field contains all alias IDs\n \"deprecatedIds\": [\n \"CVE-2022-24713\",\n \"RUSTSEC-2022-0013\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"help\": {\n \"text\": \"...\",\n \"markdown\": \"...\"\n }\n }\n ],\n \"version\": \"1.4.1\"\n }\n },\n \"artifacts\": [\n {\n \"location\": {\n \"uri\": \"file:///path/to/sub-rust-project/Cargo.lock\"\n },\n \"length\": -1\n }\n ],\n \"results\": [\n {\n \"ruleId\": \"CVE-2022-24713\",\n \"ruleIndex\": 0,\n \"level\": \"warning\",\n \"message\": {\n \"text\": \"Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8').\"\n },\n \"locations\": [\n {\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"uri\": \"file:///path/to/sub-rust-project/Cargo.lock\"\n }\n }\n }\n ]\n }\n ]\n }\n ]\n}\n```\n\n
\n\n
\nSample SARIF Help Text\n\n> **Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/list?q=CVE-2022-24713)**\n> (Also published as: [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8), ).\n>\n> {:.no_toc}\n>\n> ## [RUSTSEC-2022-0013](https://osv.dev/vulnerability/RUSTSEC-2022-0013)\n>\n>
\n> Details\n>\n> > Full advisory details...\n>\n>
\n>\n> {:.no_toc}\n>\n> ## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/vulnerability/GHSA-m5pq-gvj9-9vr8)\n>\n>
\n> Details\n>\n> > Full advisory details...\n>\n>
\n>\n> ---\n>\n> {:.no_toc}\n>\n> ### Affected Packages\n>\n> | Source | Package Name | Package Version |\n> | ----------------------------------------- | ------------ | --------------- |\n> | lockfile:/path/to/rust-project/Cargo.lock | regex | 1.5.1 |\n>\n> {:.no_toc}\n>\n> ## Remediation\n>\n> To fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n>\n> {:.no_toc}\n>\n> ### Fixed Versions\n>\n> | Vulnerability ID | Package Name | Fixed Version |\n> | ------------------- | ------------ | ------------- |\n> | GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n> | RUSTSEC-2022-0013 | regex | 1.5.5 |\n>\n> If you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n> `osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n>\n> See the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n>\n> Add or append these values to the following config files to ignore this vulnerability:\n>\n> `/path/to/rust-project/osv-scanner.toml`\n>\n> ```\n> [[IgnoredVulns]]\n> id = \"CVE-2022-24713\"\n> reason = \"Your reason for ignoring this vulnerability\"\n> ```\n\n
\n\n---\n\n### SPDX\n\n```bash\nosv-scanner scan --format spdx-2-3 --all-packages your/project/dir\n```\n\nOutputs the result in the [SPDX](https://spdx.dev/) v2.3 format. This matches OSV-Scalibr's SPDX output format.\n\n{: .note }\nSPDX only supports listing the packages found, and does not include vulnerability information.\nHowever, `osv-scanner` will still exit with a non-zero exit code (`1`) if any vulnerabilities are found.\n\n
\nSample SPDX output\n\n```json\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/uuid-placeholder-0\",\n \"creationInfo\": {\n \"creators\": [\"Tool: SCALIBR\"],\n \"created\": \"2025-08-11T02:58:42Z\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"has-flag\",\n \"SPDXID\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"versionInfo\": \"4.0.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/bunlock extractor from /path/to/bun.lock\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/has-flag@4.0.0\"\n }\n ]\n },\n {\n \"name\": \"wrappy\",\n \"SPDXID\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"versionInfo\": \"1.0.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/bunlock extractor from /path/to/bun.lock\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/wrappy@1.0.2\"\n }\n ]\n },\n {\n \"name\": \"league/flysystem\",\n \"SPDXID\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"versionInfo\": \"1.0.8\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/composer.lock\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/league%2Fflysystem@1.0.8\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-has-flag-uuid-placeholder-2\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-wrappy-uuid-placeholder-3\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-uuid-placeholder-1\",\n \"relatedSpdxElement\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-league-flysystem-uuid-placeholder-4\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n```\n\n
\n\n---\n\n### CycloneDX\n\n```bash\nosv-scanner scan --format cyclonedx-1-5 --all-packages your/project/dir\n```\n\nOutputs the result in the [CycloneDX](https://cyclonedx.org/) format.\n\nYou can also specify cyclonedx 1.4 using `--format cyclonedx-1.4`.\n\n
\nSample CycloneDX output\n\n```json\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/league/flysystem@1.0.8\",\n \"type\": \"library\",\n \"name\": \"league/flysystem\",\n \"version\": \"1.0.8\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/league/flysystem@1.0.8\"\n },\n {\n \"bom-ref\": \"pkg:npm/has-flag@4.0.0\",\n \"type\": \"library\",\n \"name\": \"has-flag\",\n \"version\": \"4.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/has-flag@4.0.0\"\n },\n {\n \"bom-ref\": \"pkg:npm/wrappy@1.0.2\",\n \"type\": \"library\",\n \"name\": \"wrappy\",\n \"version\": \"1.0.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/wrappy@1.0.2\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-9f46-5r25-5wfm\",\n \"references\": [\n {\n \"id\": \"CVE-2021-32708\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"method\": \"CVSSv3\",\n \"vector\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"description\": \"Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem\",\n \"detail\": \"### Impact\\n\\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\\n\\nThe conditions: \\n\\n- A user is allowed to supply the path or filename of an uploaded file.\\n- The supplied path or filename is not checked against unicode chars.\\n- The supplied pathname checked against an extension deny-list, not an allow-list.\\n- The supplied path or filename contains a unicode whitespace char in the extension.\\n- The uploaded file is stored in a directory that allows PHP code to be executed.\\n\\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\\n\\n### Patches\\n\\nThe unicode whitespace removal has been replaced with a rejection (exception).\\n\\nThe library has been patched in:\\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\\n\\n### Workarounds\\n\\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\\n\",\n \"advisories\": [\n {\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-32708\"\n }\n ],\n \"published\": \"2021-06-29T03:13:28Z\",\n \"updated\": \"2024-02-16T08:21:35Z\",\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": [\n {\n \"ref\": \"pkg:composer/league/flysystem\"\n }\n ]\n }\n ]\n}\n```\n\n
\n\n---\n\n## Call analysis\n\nWith `--call-analysis=` flag enabled, call information will be included in the output. See [Scanning with call analysis](./scan-source.md#scanning-with-call-analysis) for more details on how to enable call analysis.\n\n### Table\n\nIn the table output format, call analysis info is used to split output between vulnerabilities that\naffects code called by your project, and vulnerabilities that only affect code paths not called by\nyour code.\n\n```bash\nosv-scanner scan --format table --call-analysis=rust your/project/dir\n```\n\n
\nSample table output\n\n```bash\n╭─────────────────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────────â”Ŧ─────────â”Ŧ────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├─────────────────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────────â”ŧ─────────â”ŧ────────────────────┤\n│ https://osv.dev/GHSA-qc84-gqf4-9926 │ 8.1 │ crates.io │ crossbeam-utils │ 0.6.6 │ path/to/Cargo.lock │\n│ https://osv.dev/RUSTSEC-2022-0041 │ │ │ │ │ │\n│ https://osv.dev/GHSA-43w2-9j62-hq99 │ 9.8 │ crates.io │ smallvec │ 1.6.0 │ path/to/Cargo.lock │\n│ https://osv.dev/RUSTSEC-2021-0003 │ │ │ │ │ │\n├─────────────────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────────â”ŧ─────────â”ŧ────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │\n├─────────────────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────────â”ŧ─────────â”ŧ────────────────────┤\n│ https://osv.dev/GHSA-xcf7-rvmh-g6q4 │ │ crates.io │ openssl │ 0.10.52 │ path/to/Cargo.lock │\n│ https://osv.dev/RUSTSEC-2023-0044 │ │ │ │ │ │\n╰─────────────────────────────────────┴──────┴───────────┴─────────────────┴─────────┴────────────────────╯\n```\n\n
\n\n### JSON\n\nThe JSON output will include analysis results for each vulnerability group.\n\n```bash\nosv-scanner scan --format json --call-analysis=rust -L path/to/lockfile > /path/to/file.json\n```\n\n
\nSample JSON output\n\n```json\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"path/to/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"crossbeam-utils\",\n \"version\": \"0.6.6\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-qc84-gqf4-9926\",\n \"aliases\": [\"CVE-2022-23639\"]\n // ... Full OSV\n },\n {\n \"id\": \"RUSTSEC-2022-0041\",\n \"aliases\": [\"GHSA-qc84-gqf4-9926\", \"CVE-2022-23639\"]\n // ... Full OSV\n }\n ],\n \"groups\": [\n {\n // This vuln has no function info, so no call analysis done\n \"ids\": [\"GHSA-qc84-gqf4-9926\", \"RUSTSEC-2022-0041\"]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"memoffset\",\n \"version\": \"0.5.6\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-wfg4-322g-9vqv\"\n // ... Full OSV\n },\n {\n \"id\": \"RUSTSEC-2023-0045\",\n \"aliases\": [\"GHSA-wfg4-322g-9vqv\"]\n // ... Full OSV\n }\n ],\n \"groups\": [\n {\n \"ids\": [\"GHSA-wfg4-322g-9vqv\", \"RUSTSEC-2023-0045\"],\n // RUSTSEC-2023-0045 does have function info, call analysis is performed\n // the vulnerable function is not called\n \"experimentalAnalysis\": {\n \"RUSTSEC-2023-0045\": {\n \"called\": false\n }\n }\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"smallvec\",\n \"version\": \"1.6.0\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-43w2-9j62-hq99\",\n \"aliases\": [\"CVE-2021-25900\"]\n // ... Full OSV\n },\n {\n \"id\": \"RUSTSEC-2021-0003\",\n \"aliases\": [\"CVE-2021-25900\", \"GHSA-43w2-9j62-hq99\"]\n // ... Full OSV\n }\n ],\n \"groups\": [\n {\n \"ids\": [\"GHSA-43w2-9j62-hq99\", \"RUSTSEC-2021-0003\"],\n // RUSTSEC-2021-0003 does have function info, call analysis is performed\n // the vulnerable function does get called.\n \"experimentalAnalysis\": {\n \"RUSTSEC-2021-0003\": {\n \"called\": true\n }\n }\n }\n ]\n }\n ]\n }\n ]\n}\n```\n\n
\n\n## Return Codes\n\n| Exit Code | Reason |\n| :-------: | -------------------------------------------------------------------------------------------- |\n| `0` | Packages were found when scanning, but does not match any known vulnerabilities or findings. |\n| `1` | Packages were found when scanning, and there are vulnerabilities or findings. |\n| `1-126` | Reserved for vulnerability result related errors. |\n| `127` | General Error. |\n| `128` | No packages found (likely caused by the scanning format not picking up any files to scan). |\n| `129-255` | Reserved for non result related errors. |\n" }, { "path": "docs/package-deprecation.md", "content": "---\nlayout: page\npermalink: /experimental/flag-deprecated-packages/\nparent: Experimental Features\nnav_order: 4\n---\n\n# Flag Deprecated Packages\n\nExperimental\n{: .label }\n\nOSV-Scanner can identify and report unsupported or removed packages in dependencies.\n\nThis feature leverages the [deps.dev API](https://docs.deps.dev/api/).\n\n## Deprecation Status\n\nThe `deprecated` field is a boolean value indicating if a package is flagged as unsupported. This includes states such as:\n\n- **Deprecated**: Marked as deprecated by the author.\n- **Yanked**: Removed from the registry.\n\n## Usage\n\nTo enable package deprecation reporting, use the `--experimental-flag-deprecated-packages` flag. The feature is not available in the `spdx` format.\n\n### Project Source Scanning\n\n```bash\nosv-scanner scan source --experimental-flag-deprecated-packages -r /path/to/project\n```\n\nFor more details on source scanning, see [Project Source Scanning](./scan-source.md).\n\n### Container Images Scanning\n\n```bash\n# Scan a local or remote image by name\nosv-scanner scan image --experimental-flag-deprecated-packages my-image:tag\n\n# Scan an exported image archive\nosv-scanner scan image --experimental-flag-deprecated-packages --archive ./path/to/my-image.tar\n```\n\nFor more details on image scanning, see [Container Image Scanning](./scan-image.md).\n\n## Output\n\nWhen enabled, the output reports deprecated packages as follows:\n\n- **Table, Markdown, HTML**: A dedicated section listing deprecated packages.\n- **JSON**: A `deprecated` field in the `package` object.\n- **SARIF**: A \"Deprecated\" column in the \"Affected Packages\" table.\n- **CycloneDX**: A `deprecated` property in `component`.\n\nIf no deprecated packages are detected, the corresponding section or field is omitted.\n\n
\n\nExample JSON Output\n\n\n```json\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"deprecated-package\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\",\n \"deprecated\": true\n }\n },\n {\n \"package\": {\n \"name\": \"not-deprecated-package\",\n \"version\": \"2.0.0\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n }\n ]\n}\n```\n\n
\n" }, { "path": "docs/scan-image.md", "content": "---\nlayout: page\nparent: Usage\npermalink: /usage/scan-image\nnav_order: 1\n---\n\n# Container Image Scanning\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nOSV-Scanner analyzes container images by extracting package information and matching it against known vulnerabilities in the OSV.dev database. This helps identify potential security risks in your containerized applications.\n\n### Prerequisites\n\n- **Docker (Optional)**: If you want to scan images directly by name (e.g., my-image:latest) without exporting them first, the docker command-line tool must be installed and available in your system's PATH. If you choose to scan exported image archives, Docker is not required.\n\nAll image scanning is done with the `scan image` subcommand:\n\n```bash\nosv-scanner scan image :\n```\n\n## Scanning Methods\n\nYou can scan container images using two primary methods:\n\n1. **Direct Image Scan:** Specify the image name and tag (e.g., `my-image:latest`). OSV-Scanner will attempt to locate the image locally. If not found locally, it will attempt to pull the image from the appropriate registry using the `docker` command.\n\n ```bash\n osv-scanner scan image image-name:tag\n ```\n\n - **How it works:** OSV-Scanner uses `docker save` to export the image to a temporary archive, which is then analyzed. No container code is executed during the scan.\n\n2. **Scan from Exported Image Archive:** If you have already exported your container image as a Docker archive (`.tar` file), you can scan it directly using the `--archive` flag. This method does not require Docker to be installed.\n\n ```bash\n osv-scanner scan image --archive ./path/to/my-image.tar\n ```\n\n - **How to create an image archive:** You can create an image archive using the following commands:\n\n ```bash\n # Using Docker\n docker save my-image:latest > my-image.tar\n\n # Using Podman\n podman save --format=docker-archive my-image:latest > my-image.tar\n\n # Other image tools: Use the docker archive format to export the tar\n ```\n\n### Usage Notes\n\n- **No other scan targets:** When using `scan image`, you cannot specify other scan targets (e.g., directories or lockfiles).\n\n- **Configuration Flags:** All the global configuration flags available for the `scan` command (as described in the [Usage documentation](./usage.md)) can be used with the `scan image` subcommand. This includes flags for output format, verbosity, config files, and experimental features.\n\n## Scanning targets\n\nOSV-Scanner scans for OS packages and build artifacts, including dependency information, on the given image, and attributes them to specific layers in the container.\n\nSee [Supported Artifacts](./supported_languages_and_lockfiles.md#supported-artifacts) for details on what targets are scanned.\n\n## Output\n\nBy default, OSV-Scanner provides a summarized output of the scan results, grouping vulnerabilities by package. This is designed to handle the large number of vulnerabilities often found in container images.\n\n
\nSample table output\n\n```bash\nContainer Scanning Result (Debian GNU/Linux 12 (bookworm)):\nTotal 20 packages affected by 105 vulnerabilities (7 Critical, 14 High, 19 Medium, 1 Low, 64 Unknown) from 2 ecosystems.\n54 vulnerabilities have fixes available.\n\nGo\n╭─────────────────────────────────────────────────────────────────────────────────────────────╮\n│ Source:artifact:artifact/tester-built-with-1-21-0 │\n├─────────â”Ŧ───────────────────â”Ŧ───────────────â”Ŧ────────────â”Ŧ──────────────────â”Ŧ───────────────┤\n│ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE IMAGE │\n├─────────â”ŧ───────────────────â”ŧ───────────────â”ŧ────────────â”ŧ──────────────────â”ŧ───────────────┤\n│ stdlib │ 1.21.0 │ Fix Available │ 20 │ # 8 Layer │ -- │\n╰─────────┴───────────────────┴───────────────┴────────────┴──────────────────┴───────────────╯\n╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ Source:artifact:src/tester │\n├─────────────────────────────â”Ŧ───────────────────â”Ŧ───────────────â”Ŧ────────────â”Ŧ──────────────────â”Ŧ───────────────┤\n│ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE IMAGE │\n├─────────────────────────────â”ŧ───────────────────â”ŧ───────────────â”ŧ────────────â”ŧ──────────────────â”ŧ───────────────┤\n│ github.com/gogo/protobuf │ 1.3.1 │ Fix Available │ 1 │ # 9 Layer │ -- │\n│ github.com/ipfs/go-bitfield │ 1.0.0 │ Fix Available │ 1 │ # 9 Layer │ -- │\n│ stdlib │ 1.19.8 │ Fix Available │ 25 │ # 9 Layer │ -- │\n╰─────────────────────────────┴───────────────────┴───────────────┴────────────┴──────────────────┴───────────────╯\nDebian:12\n╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ Source:os:var/lib/dpkg/status │\n├─────────────â”Ŧ───────────────────â”Ŧ─────────────────────────â”Ŧ────────────â”Ŧ──────────────────â”Ŧ───────────────┤\n│ PACKAGE │ INSTALLED VERSION │ FIX AVAILABLE │ VULN COUNT │ INTRODUCED LAYER │ IN BASE IMAGE │\n├─────────────â”ŧ───────────────────â”ŧ─────────────────────────â”ŧ────────────â”ŧ──────────────────â”ŧ───────────────┤\n│ aom │ 3.6.0-1+deb12u1 │ No fix available │ 2 │ # 1 Layer │ -- │\n...\n│ zlib │ 1:1.2.13.dfsg-1 │ No fix available │ 1 │ # 0 Layer │ debian │\n╰─────────────┴───────────────────┴─────────────────────────┴────────────┴──────────────────┴───────────────╯\n\nFiltered Vulnerabilities:\n╭─────────────â”Ŧ───────────â”Ŧ───────────────────────â”Ŧ─────────────────────â”Ŧ────────────────╮\n│ PACKAGE │ ECOSYSTEM │ INSTALLED VERSION │ FILTERED VULN COUNT │ FILTER REASONS │\n├─────────────â”ŧ───────────â”ŧ───────────────────────â”ŧ─────────────────────â”ŧ────────────────┤\n│ apt │ Debian:12 │ 2.6.1 │ 1 │ Unimportant │\n│ binutils │ Debian:12 │ 2.40-2 │ 8 │ Unimportant │\n...\n│ util-linux │ Debian:12 │ 2.38.1-5+deb12u2 │ 1 │ Unimportant │\n╰─────────────┴───────────┴───────────────────────┴─────────────────────┴────────────────╯\n```\n\n
\n\n### Detailed Output:\n\nFor a more detailed view of vulnerabilities, including individual **vulnerability details**, **base image identification**, and **layer specific filters**, use the HTML output format. You can enable it using:\n\n- `--format=html`: This will output the results to an HTML file.\n\n- `--serve`: This will generate an HTML report and host it locally on `localhost:8000`.\n\nSee the [Output documentation](./output.md) for more information on output formats.\n\n**Sample HTML Output**:\n\n![Screenshot of HTML output for container image scanning](./images/html-container-output.png)\n" }, { "path": "docs/scan-source.md", "content": "---\nlayout: page\nparent: Usage\npermalink: /usage/scan-source\nnav_order: 2\n---\n\n# Project Source Scanning\n\nOSV-Scanner can be used to scan your project source and lockfiles to find vulnerabilities in your dependencies.\n\n```bash\nosv-scanner scan source [paths...]\n```\n\nAs this is the most common use case of osv-scanner, `scan source` is the default subcommand of osv-scanner, so the above is equivalent to:\n\n```bash\nosv-scanner [paths...]\n```\n\n## General use case: scanning a directory\n\n```bash\nosv-scanner scan source -r /path/to/your/dir\n```\n\nThe preceding command will find lockfiles, SBOMs, and git directories in your target directory and use them to determine the dependencies to check against the OSV database for any known vulnerabilities.\n\nThe recursive flag `-r` or `--recursive` will tell the scanner to search all subdirectories in addition to the specified directory. It can find additional lockfiles, dependencies, and vulnerabilities. If your project has deeply nested subdirectories, a recursive search may take a long time.\n\n## Ignored files\n\nBy default, OSV-Scanner will not scan files that are ignored by `.gitignore` files. All recursively scanned files are matched to a git repository (if it exists) and any matching `.gitignore` files within that repository are taken into account.\n\nThere is a [known issue](https://github.com/google/osv-scanner/issues/209) that the parser does not correctly respect repository boundaries.\n\nThe `--no-ignore` flag can be used to force the scanner to scan ignored files.\n\n## Excluding Paths\n\nExperimental\n{: .label }\n\nYou can exclude specific paths from scanning using the `--experimental-exclude` flag. This is useful for excluding test directories, documentation, or vendor directories from vulnerability scans.\n\n**Note:** This flag currently only excludes directories, not individual files. This is an experimental feature and the syntax may change in future versions.\n\n### Syntax\n\nThe flag supports three pattern types, matching the `--lockfile` flag syntax:\n\n- **Exact directory name** (no prefix or `:` prefix): Matches directories with the exact name\n- **Glob pattern** (`g:` prefix): Matches using glob patterns\n- **Regex pattern** (`r:` prefix): Matches using regular expressions\n\n### Examples\n\n```bash\n# Exclude directories named \"test\" or \"docs\" (exact match)\nosv-scanner scan source -r --experimental-exclude=test --experimental-exclude=docs /path/to/your/dir\n\n# Exclude using glob patterns\nosv-scanner scan source -r --experimental-exclude=\"g:**/test/**\" --experimental-exclude=\"g:**/docs/**\" /path/to/your/dir\n\n# Exclude using regex patterns\nosv-scanner scan source -r --experimental-exclude=\"r:.*_test$\" /path/to/your/dir\n\n# Mix different pattern types\nosv-scanner scan source -r --experimental-exclude=vendor --experimental-exclude=\"g:**/test/**\" --experimental-exclude=\"r:\\\\.cache\" /path/to/your/dir\n\n# Escape directory names containing colons using : prefix\nosv-scanner scan source -r --experimental-exclude=\":my:project\" /path/to/your/dir\n```\n\n### Common use cases\n\n- Excluding test directories: `--experimental-exclude=test` or `--experimental-exclude=\"g:**/test/**\"`\n- Excluding documentation: `--experimental-exclude=docs`\n- Excluding vendor directories: `--experimental-exclude=vendor`\n\nAlternatively, you can use the `osv-scanner.toml` configuration file with `[[PackageOverrides]]` to ignore specific packages or directories. See [Configuration](./configuration.md) for more details.\n\n## SBOM scanning\n\nSBOMs will be automatically identified so long as their name follows the specification for the particular format:\n\n- [SPDX Filenames]:\n - `*.spdx.json`\n - `*.spdx`\n - `*.spdx.yml`\n - `*.spdx.rdf`\n - `*.spdx.rdf.xml`\n- [CycloneDX Filenames]:\n - `bom.json`\n - `*.cdx.json`\n - `bom.xml`\n - `*.cdx.xml`\n\n```bash\nosv-scanner scan source -L /path/to/your/sbom.spdx.json\n```\n\n[SPDX] and [CycloneDX] SBOMs using [Package URLs] are supported.\n\n[SPDX]: https://spdx.dev/\n[SPDX Filenames]: https://spdx.github.io/spdx-spec/v2.3/conformance/\n[CycloneDX Filenames]: https://cyclonedx.org/specification/overview/#recognized-file-patterns\n[CycloneDX]: https://cyclonedx.org/\n[Package URLs]: https://github.com/package-url/purl-spec\n\n## Specify Lockfile(s)\n\nIf you want to check for known vulnerabilities in specific lockfiles, you can use the following command:\n\n```bash\nosv-scanner scan source --lockfile=/path/to/your/package-lock.json --lockfile=/path/to/another/Cargo.lock\n```\n\nIt is possible to specify more than one lockfile at a time; you can also specify how to parse an arbitrary file:\n\n```bash\nosv-scanner scan source --lockfile 'requirements.txt:/path/to/your/extra-requirements.txt'\n```\n\nThe list of supported lockfile formats can be found [here](./supported_languages_and_lockfiles.md).\n\nIf the file you are scanning is located in a directory that has a colon in its name,\nyou can prefix the path to just a colon to explicitly signal to the scanner that\nit should infer the parser based on the filename:\n\n```bash\nosv-scanner scan source --lockfile ':/path/to/my:projects/package-lock.json'\n```\n\n## Git Repository Scanning\n\nOSV-Scanner will automatically scan git submodules and vendored directories for C/C++ code and try to attribute them to specific dependencies and versions. See [C/C++ Scanning](./supported_languages_and_lockfiles.md#cc-scanning) for more details.\n\nBy default, root git directories (i.e. git repositories that are not a submodule of a bigger git repo) are skipped. You can include those repositories by setting the `--include-git-root` flag.\n\n## Scanning with call analysis\n\nCall stack analysis can be performed on some languages to check if the\nvulnerable code is actually being executed by your project. If the code\nis not being executed, these vulnerabilities will be marked as unexecuted.\n\nTo enable call analysis in all languages, call OSV-Scanner with the `--call-analysis=all` flag. By default, call analysis in Go is enabled, but you can disable it using the `--no-call-analysis=go` flag.\n\n### Call analysis in Go\n\nOSV-Scanner uses the [`govulncheck`](https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck) library to analyze Go source code to identify called vulnerable functions.\n\n#### Additional Dependencies\n\n`go` compiler needs to be installed and available on `PATH`.\n\n### Call analysis in Rust\n\nExperimental\n{: .label }\n\nCall analysis in Rust is still considered experimental.\n\n{: .warning }\n\n> Running call analysis for Rust will execute build scripts (`build.rs`) in your dependencies as part of the compilation.\n> This may execute arbitrary code.\n\nOSV-Scanner compiles Rust source code and analyzes the output binary's DWARF debug information to identify called vulnerable functions.\n\n#### Additional Dependencies\n\nRust toolchain (including `cargo`) that can compile the source code being scanned needs to be installed and available on `PATH`.\n\nThe installed Rust toolchain must be capable of compiling every crate/target in the scanned code, for code with\na lot of dependencies this will take a few minutes.\n\n### Limitations\n\nCurrent implementation has a few limitations:\n\n- Does not support dependencies on proc-macros (Tracked in [#464](https://github.com/google/osv-scanner/issues/464))\n- Does not support any dependencies that are dynamically linked\n- Does not support dependencies that link external non-rust code\n\n### Example\n\n```bash\nosv-scanner scan source --call-analysis=rust --no-call-analysis=go ./my/project/path\n```\n" }, { "path": "docs/supported_languages_and_lockfiles.md", "content": "---\nlayout: page\npermalink: /supported-languages-and-lockfiles/\nnav_order: 2\n---\n\n# Supported Artifacts and Manifests\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\nArtifact and manifest extraction logic is implemented in [OSV-Scalibr](https://github.com/google/osv-scalibr) as a standalone library. OSV-Scanner tightly integrates with OSV-Scalibr to provide an end to end vulnerability scanner for developers.\n\n## Core Concept\n\nWe split the files we can scan into two broad categories, **artifacts** and **manifests**.\n\nWe found that when performing different forms of scanning, you are generally interested in different types of files. For example, when scanning your source project, you are much more interested in what your lockfiles and manifests contain, and less interested in what is installed on your development machine, or leftover compiled artifacts. However, if you are scanning a container, then what is installed is the vital piece of information, and lockfiles found on the system no longer matters if the artifacts they point to are not actually downloaded and installed.\n\n## Supported Artifacts\n\nWhen scanning container images (`osv-scanner scan image ...`), OSV-Scanner automatically extracts and analyzes the following artifacts:\n\n| Source | Example files |\n| ------------------------------------ | ---------------------------------- |\n| Alpine APK packages | `/lib/apk/db/installed` |\n| Debian/Ubuntu dpkg/apt packages | `/var/lib/dpkg/status` |\n| | |\n| Go Binaries | `main-go` |\n| Rust Binaries (with cargo-auditable) | `main-rust-built-with-auditable` |\n| Java Uber `jars` | `my-java-app.jar` |\n| Node Modules | `node-app/node_modules/...` |\n| Python wheels | `lib/python3.11/site-packages/...` |\n\n## Supported lockfiles/manifests\n\nWhen scanning source code (`osv-scanner scan source ...`), OSV-Scanner automatically extracts and analyzes the following lockfiles/manifests:\n\n| Language | Compatible Lockfile(s) |\n| :--------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- |\n| C/C++ | `conan.lock`
[C/C++ commit scanning](#cc-scanning) |\n| Dart | `pubspec.lock` |\n| Elixir | `mix.lock` |\n| Go | `go.mod` |\n| Haskell | `cabal.project.freeze`
`stack.yaml.lock` |\n| Java | `buildscript-gradle.lockfile`
`gradle.lockfile`
`gradle/verification-metadata.xml`
`pom.xml`[\\*](#transitive-dependency-scanning) |\n| Javascript | `bun.lock`
`package-lock.json`
`pnpm-lock.yaml`
`yarn.lock` |\n| .NET | `deps.json`
`packages.config`
`packages.lock.json` |\n| PHP | `composer.lock` |\n| Python | `Pipfile.lock`
`poetry.lock`
`requirements.txt`[\\*](https://github.com/google/osv-scanner/issues/34)
`pdm.lock`
`pylock.toml`
`uv.lock` |\n| R | `renv.lock` |\n| Ruby | `Gemfile.lock`
`gems.locked` |\n| Rust | `Cargo.lock` |\n\n## C/C++ scanning\n\nWith the addition of [vulnerable commit ranges](https://osv.dev/blog/posts/introducing-broad-c-c++-support/) to the OSV.dev database, OSV-Scanner now supports vendored and submoduled C/C++ dependencies\n\nBecause the C/C++ ecosystem does not have a centralized package manager, C/C++ dependencies tend to be bundled with the project. Dependencies are either [submoduled](#submoduled-dependencies) or [vendored](#vendored-dependencies). In either case, OSV-Scanner is able to find known vulnerabilities in your project dependencies.\n\nOSV-Scanner's C/C++ support is based on commit-level data. OSV's commit-level data covers the majority of C/C++ vulnerabilities within the OSV database, but users should be aware that there may be vulnerabilities in their dependencies that could be excluded from OSV-Scanner results. Adding more commit-level data to the database is an ongoing project.\n\n### Submoduled dependencies\n\nSubmoduled dependencies are included in the project folder retain their Git histories. To scan a C/C++ project with submoduled dependencies:\n\n1. Navigate to the root folder of your project.\n2. Ensure that your submodules are up to date using `git submodule update`.\n3. Run scanner using `osv-scanner -r .`.\n\n### Vendored dependencies\n\nVendored dependencies have been directly copied into the project folder, but do not retain their Git histories. OSV-Scanner uses OSV's [determineversion API](https://google.github.io/osv.dev/post-v1-determineversion/) to estimate each dependency's version (and associated Git Commit). Vulnerabilities for the estimated version are returned. This process requires no additional work from the user. Run OSV-Scanner as you normally would.\n\n## Transitive dependency scanning\n\nOSV-Scanner supports transitive dependency scanning for Maven pom.xml. This feature is enabled by default when scanning, but it can be disabled using the `--no-resolve` flag. It is also disabled in the [offline mode](./offline-mode.md).\n\nOSV-Scanner uses [deps.dev’s resolver library](https://pkg.go.dev/deps.dev/util/resolve) to compute the dependency graph of a project. This graph includes all the direct and transitive dependencies. By default, [deps.dev API](https://docs.deps.dev/api/v3/index.html) is queried for package versions and requirements. Support for querying Maven Central and private registries is also available.\n\nAfter the dependency resolution, the OSV database is queried for the vulnerabilities associated with these dependencies as usual.\n\n{: .note }\nTest dependencies are not supported yet in the computed dependency graph for Maven pom.xml.\n\n### Data source\n\nBy default, we use the [deps.dev API](https://docs.deps.dev/api/v3/) to find version and dependency information of packages during transitive scanning.\n\nIf instead you'd like to fetch data from [Maven Central](https://repo.maven.apache.org/maven2/), you can use the `--data-source=native` flag.\n\nIf your project uses mirrored or private registries, in addition to setting `--data-source=native`, you will need to use the `--maven-registry=` flag to specify the registry (e.g. `--maven-registry=https://repo.maven.apache.org/maven2/`).\n\n## Custom Lockfiles\n\nIf you have a custom lockfile that we do not support or prefer to do your own custom parsing, you can extract the custom lockfile information and create a custom intermediate file containing dependency information so that osv-scanner can still check for vulnerabilities.\n\nOnce you extracted your own dependency information, place it in a `osv-scanner.json` file, with the same format as the JSON output of osv-scanner, e.g.:\n\n```jsonc\n{\n \"results\": [\n {\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/repo/url\",\n \"commit\": \"9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52\"\n }\n },\n {\n \"package\": {\n \"name\": \"react\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n }\n }\n // ...\n ]\n }\n ]\n}\n```\n\nThen pass this to `osv-scanner` with this:\n\n```\nosv-scanner --lockfile osv-scanner:/path/to/osv-scanner.json\n```\n\nFor automatic scan detection, you can create an `osv-scanner-custom.json` file using the same procedure described above for `osv-scanner.json`.\nRun the command below for detection:\n\n```\n./osv-scanner scan source -r /path/to/folder/you/want/to/scan\n```\n\n### Known limitations\n\nWhen scanning a file in the `osv-scanner.json` format, using the `--format=spdx` flag produces incorrect output.\n\nFor more details, see issue [#2192](https://github.com/google/osv-scanner/issues/2192).\n" }, { "path": "docs/usage.md", "content": "---\nlayout: page\npermalink: /usage/\nnav_order: 4\n---\n\n# Usage\n\n{: .note }\nThis documentation is for the V2 release. For the older, V1 release documentation, check out .\n\n{: .no_toc }\n\n
\n \n Table of contents\n \n {: .text-delta }\n- TOC\n{:toc}\n
\n\n## Core Concept\n\nOSV-Scanner operates in a two-step process:\n\n1. **Package Extraction**: The tool first extracts information about the packages used in your project, container image, or other target.\n\n2. **Vulnerability Matching**: The extracted package information is then matched against known vulnerability databases to identify potential security issues.\n\n## Subcommands\n\nOSV-Scanner V2 is divided into several subcommands:\n\n| Subcommand | Documentation Link | Quick Example |\n| ------------- | ---------------------------------------------------- | ---------------------------------------------------------------------- |\n| `scan` | [Further down this page](./usage.md#scan-subcommand) | `osv-scanner scan -r ./my-project-dir/` |\n| `scan source` | [Source Project Scanning]() | Source scanning is default, so the example is the same as above. |\n| `scan image` | [Container Scanning](./scan-image.md) | `osv-scanner scan image my-docker-img:latest` |\n| `fix` | [Guided Remediation](./guided-remediation.md) | `osv-scanner fix -M path/to/package.json -L path/to/package-lock.json` |\n\n### The `scan` Subcommand\n\nThe `scan` subcommand is the primary way to initiate vulnerability scans. It has two subcommands of its own: `source` (default) and `image`.\n\n- **`scan source`**: Scans source code directories for package dependencies and vulnerabilities. See the [Scanning Source documentation](./scan-source.md) for more details.\n\n- **`scan image`**: Scans container images for vulnerabilities. See the [Scanning Container Images documentation](./scan-image.md) for more details.\n\nBoth `scan source` and `scan image` share a common set of flags for configuring the scan and output.\n\n## Post-Extraction Flags\n\n### Saving to File\n\nThe `--output-file` flag can be used to save the scan results to a file instead of being printed on the stdout:\n\n```bash\nosv-scanner scan -L package-lock.json --output-file scan-results.txt\n```\n\n### Setting Output Format\n\nThe `--format` flag can be used to specify the output format osv-scanner gives.\n\nSee [Output](./output.md) page for more details.\n\n```bash\nosv-scanner scan -L package-lock.json --format json\n```\n\n### Override config file\n\nThe `--config` flag can be used to specify a global config override to apply to all the files you are scanning.\n\nSee [Config](./configuration.md) for more details.\n\n```bash\nosv-scanner scan -L package-lock.json --config ./my-osv-scanner-config.toml\n```\n\n### Set verbosity level\n\nThe `--verbosity` flag can be used to set the verbosity level. See `--help` output for possible levels.\n\n```bash\nosv-scanner scan -L package-lock.json --verbosity info\n```\n\n### Serve HTML report locally\n\nThe `--serve` flag is a helper flag to set the output format to HTML, and serve the report locally on port 8000.\n\n```bash\nosv-scanner scan -L package-lock.json --serve\n```\n\n### Offline vulnerability match\n\nThe `--offline-vulnerabilities` flag can be used to check for vulnerabilities using local databases that are already cached\n\n```bash\nosv-scanner --offline-vulnerabilities --download-offline-databases ./path/to/your/dir\n```\n\nSee [offline vulnerabilities](./offline-mode.md) for more details.\n\n### Licenses scanning\n\nThe `--licenses` flag can be used to report license violations based on an allowlist\n\n```bash\n# Show license summary only\nosv-scanner --licenses path/to/repository\n\n# Show the license summary and violations against an allowlist (provide the list after the = sign):\nosv-scanner --licenses=\"comma-separated list of allowed licenses\" path/to/directory\n```\n\nSee [licenses scanning](./license-scanning.md) for more details.\n\n### Show all packages\n\nThe `--all-packages` flag can be used to output all packages in JSON format (make sure to set `--format=json`).\n\nNote that the `PackageOverrides` configuration, specifically the `ignore` action, takes precedence over this flag.\n\nSee [configuration](./configuration.md#override-packages) for more details.\n\n```bash\nosv-scanner --all-packages --format=json path/to/repository\n```\n\n### Other features\n\nSeveral other features are available through flags. See their respective documentation pages for more details:\n\n- `--no-resolve`: Disables [transitive dependency resolution](./supported_languages_and_lockfiles.md#transitive-dependency-scanning).\n\n## Pre-Commit Integration\n\nOSV-Scanner can be integrated as a [pre-commit](https://pre-commit.com) hook in your project.\n\n1. Add the `osv-scanner` hook to your `.pre-commit-config.yaml` file.\n\n2. Use the `args` key to pass command-line arguments as you would when running OSV-Scanner directly.\n\n3. Verify your configuration with:\n\n```bash\npre-commit run --all-files --verbose osv-scanner\n```\n\n### Examples\n\n```yaml\n# Scan the current directory.\nrepos:\n - repo: https://github.com/google/osv-scanner/\n rev: v2.2.4\n hooks:\n - id: osv-scanner\n\n# Scan the current directory, this equivalent as the previous one, but with custom\n# user defined arguments. The arguments (`args` key) are the defaults.\nrepos:\n - repo: https://github.com/google/osv-scanner/\n rev: v2.2.4\n hooks:\n - id: osv-scanner\n args:\n - \"scan\"\n - \"source\"\n - \"--format=vertical\"\n - \"--verbosity=error\"\n - \"--recursive\"\n - \".\" # replace with your chosen directory or lock file\n\n# Scan a container image. The `docker` command should be present in your PATH.\nrepos:\n - repo: https://github.com/google/osv-scanner/\n rev: v2.2.4\n hooks:\n - id: osv-scanner\n args:\n - \"scan\"\n - \"image\"\n - \"--format=vertical\"\n - \"--verbosity=error\"\n - \"debian:trixie\" # replace with your chosen image (the tag is mandatory)\n```\n\n## Running in a Docker Container\n\nThe OSV-Scanner Docker image can be pulled from the GitHub Container Registry:\n\n```bash\ndocker pull ghcr.io/google/osv-scanner:latest\n```\n\nOnce you have the image, you can test that it works by running:\n\n```bash\ndocker run ghcr.io/google/osv-scanner -h\n```\n\nTo run a scan, mount the directory to scan to `/src` and pass the necessary flags:\n\n```bash\ndocker run -v ${PWD}:/src ghcr.io/google/osv-scanner -L /src/go.mod\n```\n" }, { "path": "exit_code_redirect.sh", "content": "#!/bin/bash\n\n# Copyright 2023 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\n# This script works around a limitation of github actions where\n# actions cannot receive a variable number of arguments in an array\n# This script takes the last argument and splits it out by new line,\n# passing it into osv-scanner as separate arguments\n\n# Get the total number of arguments\ntotal_args=$#\n\n# Extract the last argument\nlast_arg=\"${!total_args}\"\n\n# Remove the last argument from the list\nargs=${@:1:$((total_args - 1))}\n\n# () interprets spaces as separate entries in an array\n# tr replaces newlines with spaces\nsplit_args=($(echo \"$last_arg\" | tr '\\n' ' '))\n\n# Execute osv-scanner with the provided arguments\nosv-scanner $args \"${split_args[@]}\"\n\n# Store the exit code\nexit_code=$?\n\necho \"Exit code: ${exit_code}\"\n# don't error if there are no lockfiles found\nif [[ $exit_code -eq 128 ]]; then\n # if the \"--allow-no-lockfiles\" flag has not been used, print a deprecation warning\n using_new_flag=\"no\"\n for value in \"${args[@]}\"; do\n if [[ \"$value\" = \"--allow-no-lockfiles\" ]] ||\n [[ \"$value\" = \"-allow-no-lockfiles\" ]] ||\n [[ \"$value\" = \"-allow-no-lockfiles=true\" ]] ||\n [[ \"$value\" = \"--allow-no-lockfiles=true\" ]]; then\n using_new_flag=\"yes\"\n fi\n\n if [[ \"$value\" = \"-allow-no-lockfiles=false\" ]] ||\n [[ \"$value\" = \"--allow-no-lockfiles=false\" ]]; then\n exit $exit_code\n fi\n done\n if [[ $using_new_flag = \"no\" ]]; then\n echo \"deprecation warning: please use the --allow-no-lockfiles flag if you don't want this action to error when there are no lockfiles\"\n\n if [[ -n \"$CI\" ]]; then\n echo \"::warning::No lockfiles found. Please use the --allow-no-lockfiles flag to suppress this warning.\"\n fi\n fi\n\n exit_code=0\nfi\n\n# Exit with the modified exit code\nexit $exit_code\n" }, { "path": "go.mod", "content": "module github.com/google/osv-scanner/v2\n\ngo 1.26.1\n\nrequire (\n\tcharm.land/bubbles/v2 v2.0.0\n\tcharm.land/bubbletea/v2 v2.0.1\n\tcharm.land/glamour/v2 v2.0.0\n\tcharm.land/lipgloss/v2 v2.0.1\n\tdeps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b\n\tdeps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b\n\tdeps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b\n\tdeps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b\n\tdeps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b\n\tgithub.com/BurntSushi/toml v1.6.0\n\tgithub.com/CycloneDX/cyclonedx-go v0.10.0\n\tgithub.com/gkampitakis/go-snaps v0.5.20\n\tgithub.com/go-git/go-git/v5 v5.17.0\n\tgithub.com/gobwas/glob v0.2.3\n\tgithub.com/goccy/go-yaml v1.19.2\n\tgithub.com/google/go-cmp v0.7.0\n\tgithub.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9\n\tgithub.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f\n\tgithub.com/jedib0t/go-pretty/v6 v6.7.8\n\tgithub.com/modelcontextprotocol/go-sdk v1.4.1\n\tgithub.com/muesli/reflow v0.3.0\n\tgithub.com/opencontainers/go-digest v1.0.0\n\tgithub.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4\n\tgithub.com/owenrumney/go-sarif/v3 v3.3.0\n\tgithub.com/package-url/packageurl-go v0.1.5\n\tgithub.com/pandatix/go-cvss v0.6.2\n\tgithub.com/tidwall/gjson v1.18.0\n\tgithub.com/tidwall/pretty v1.2.1\n\tgithub.com/tidwall/sjson v1.2.5\n\tgithub.com/urfave/cli/v3 v3.7.0\n\tgo.yaml.in/yaml/v3 v3.0.4\n\tgo.yaml.in/yaml/v4 v4.0.0-rc.4\n\tgolang.org/x/net v0.51.0\n\tgolang.org/x/sync v0.20.0\n\tgolang.org/x/term v0.40.0\n\tgolang.org/x/vuln v1.1.4\n\tgoogle.golang.org/grpc v1.79.3\n\tgoogle.golang.org/protobuf v1.36.11\n\tgopkg.in/dnaeon/go-vcr.v4 v4.0.6\n\tgopkg.in/ini.v1 v1.67.1\n\tosv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f\n)\n\nrequire (\n\tbitbucket.org/creachadair/stringset v0.0.14 // indirect\n\tcloud.google.com/go/compute/metadata v0.9.0 // indirect\n\tcyphar.com/go-pathrs v0.2.1 // indirect\n\tdario.cat/mergo v1.0.2 // indirect\n\tdeps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b // indirect\n\tgithub.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect\n\tgithub.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa // indirect\n\tgithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect\n\tgithub.com/Microsoft/go-winio v0.6.2 // indirect\n\tgithub.com/Microsoft/hcsshim v0.13.0 // indirect\n\tgithub.com/ProtonMail/go-crypto v1.3.0 // indirect\n\tgithub.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect\n\tgithub.com/agext/levenshtein v1.2.3 // indirect\n\tgithub.com/alecthomas/chroma/v2 v2.19.0 // indirect\n\tgithub.com/anchore/go-lzo v0.1.0 // indirect\n\tgithub.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 // indirect\n\tgithub.com/atotto/clipboard v0.1.4 // indirect\n\tgithub.com/aymerick/douceur v0.2.0 // indirect\n\tgithub.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 // indirect\n\tgithub.com/cespare/xxhash/v2 v2.3.0 // indirect\n\tgithub.com/charmbracelet/colorprofile v0.4.2 // indirect\n\tgithub.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 // indirect\n\tgithub.com/charmbracelet/x/ansi v0.11.6 // indirect\n\tgithub.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e // indirect\n\tgithub.com/charmbracelet/x/term v0.2.2 // indirect\n\tgithub.com/charmbracelet/x/termios v0.1.1 // indirect\n\tgithub.com/charmbracelet/x/windows v0.2.2 // indirect\n\tgithub.com/clipperhouse/displaywidth v0.11.0 // indirect\n\tgithub.com/clipperhouse/uax29/v2 v2.7.0 // indirect\n\tgithub.com/cloudflare/circl v1.6.3 // indirect\n\tgithub.com/compose-spec/compose-go/v2 v2.8.1 // indirect\n\tgithub.com/containerd/cgroups/v3 v3.0.5 // indirect\n\tgithub.com/containerd/containerd v1.7.29 // indirect\n\tgithub.com/containerd/containerd/api v1.9.0 // indirect\n\tgithub.com/containerd/continuity v0.4.5 // indirect\n\tgithub.com/containerd/errdefs v1.0.0 // indirect\n\tgithub.com/containerd/errdefs/pkg v0.3.0 // indirect\n\tgithub.com/containerd/fifo v1.1.0 // indirect\n\tgithub.com/containerd/log v0.1.0 // indirect\n\tgithub.com/containerd/platforms v1.0.0-rc.1 // indirect\n\tgithub.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect\n\tgithub.com/containerd/ttrpc v1.2.7 // indirect\n\tgithub.com/containerd/typeurl/v2 v2.2.3 // indirect\n\tgithub.com/cyphar/filepath-securejoin v0.6.0 // indirect\n\tgithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect\n\tgithub.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb // indirect\n\tgithub.com/diskfs/go-diskfs v1.7.0 // indirect\n\tgithub.com/distribution/reference v0.6.0 // indirect\n\tgithub.com/djherbis/times v1.6.0 // indirect\n\tgithub.com/dlclark/regexp2 v1.11.5 // indirect\n\tgithub.com/docker/cli v29.2.0+incompatible // indirect\n\tgithub.com/docker/distribution v2.8.3+incompatible // indirect\n\tgithub.com/docker/docker v28.3.3+incompatible // indirect\n\tgithub.com/docker/docker-credential-helpers v0.9.3 // indirect\n\tgithub.com/docker/go-connections v0.5.0 // indirect\n\tgithub.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 // indirect\n\tgithub.com/docker/go-units v0.5.0 // indirect\n\tgithub.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 // indirect\n\tgithub.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd // indirect\n\tgithub.com/dustin/go-humanize v1.0.1 // indirect\n\tgithub.com/edsrzf/mmap-go v1.2.0 // indirect\n\tgithub.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab // indirect\n\tgithub.com/emirpasic/gods v1.18.1 // indirect\n\tgithub.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593 // indirect\n\tgithub.com/felixge/httpsnoop v1.0.4 // indirect\n\tgithub.com/gkampitakis/ciinfo v0.3.2 // indirect\n\tgithub.com/go-errors/errors v1.0.2 // indirect\n\tgithub.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect\n\tgithub.com/go-git/go-billy/v5 v5.8.0 // indirect\n\tgithub.com/go-logr/logr v1.4.3 // indirect\n\tgithub.com/go-logr/stdr v1.2.2 // indirect\n\tgithub.com/go-ole/go-ole v1.2.6 // indirect\n\tgithub.com/go-restruct/restruct v1.2.0-alpha // indirect\n\tgithub.com/go-viper/mapstructure/v2 v2.4.0 // indirect\n\tgithub.com/gogo/protobuf v1.3.2 // indirect\n\tgithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect\n\tgithub.com/google/go-containerregistry v0.20.6 // indirect\n\tgithub.com/google/jsonschema-go v0.4.2 // indirect\n\tgithub.com/google/uuid v1.6.0 // indirect\n\tgithub.com/gorilla/css v1.0.1 // indirect\n\tgithub.com/icholy/digest v1.1.0 // indirect\n\tgithub.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect\n\tgithub.com/kevinburke/ssh_config v1.2.0 // indirect\n\tgithub.com/klauspost/compress v1.18.0 // indirect\n\tgithub.com/kr/pretty v0.3.1 // indirect\n\tgithub.com/kr/text v0.2.0 // indirect\n\tgithub.com/lucasb-eyer/go-colorful v1.3.0 // indirect\n\tgithub.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 // indirect\n\tgithub.com/maruel/natural v1.1.1 // indirect\n\tgithub.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd // indirect\n\tgithub.com/mattn/go-isatty v0.0.20 // indirect\n\tgithub.com/mattn/go-runewidth v0.0.20 // indirect\n\tgithub.com/mattn/go-shellwords v1.0.12 // indirect\n\tgithub.com/microcosm-cc/bluemonday v1.0.27 // indirect\n\tgithub.com/micromdm/plist v0.2.1 // indirect\n\tgithub.com/mitchellh/go-homedir v1.1.0 // indirect\n\tgithub.com/moby/buildkit v0.23.2 // indirect\n\tgithub.com/moby/docker-image-spec v1.3.1 // indirect\n\tgithub.com/moby/locker v1.0.1 // indirect\n\tgithub.com/moby/sys/mountinfo v0.7.2 // indirect\n\tgithub.com/moby/sys/sequential v0.6.0 // indirect\n\tgithub.com/moby/sys/signal v0.7.1 // indirect\n\tgithub.com/moby/sys/user v0.4.0 // indirect\n\tgithub.com/moby/sys/userns v0.1.0 // indirect\n\tgithub.com/muesli/cancelreader v0.2.2 // indirect\n\tgithub.com/ncruces/go-strftime v0.1.9 // indirect\n\tgithub.com/opencontainers/image-spec v1.1.1 // indirect\n\tgithub.com/opencontainers/runtime-spec v1.2.1 // indirect\n\tgithub.com/opencontainers/selinux v1.13.0 // indirect\n\tgithub.com/pierrec/lz4/v4 v4.1.17 // indirect\n\tgithub.com/pjbgf/sha1cd v0.4.0 // indirect\n\tgithub.com/pkg/errors v0.9.1 // indirect\n\tgithub.com/pkg/xattr v0.4.9 // indirect\n\tgithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect\n\tgithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect\n\tgithub.com/rivo/uniseg v0.4.7 // indirect\n\tgithub.com/rogpeppe/go-internal v1.14.1 // indirect\n\tgithub.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c // indirect\n\tgithub.com/saferwall/pe v1.5.7 // indirect\n\tgithub.com/sahilm/fuzzy v0.1.1 // indirect\n\tgithub.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect\n\tgithub.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect\n\tgithub.com/segmentio/asm v1.1.3 // indirect\n\tgithub.com/segmentio/encoding v0.5.4 // indirect\n\tgithub.com/sergi/go-diff v1.4.0 // indirect\n\tgithub.com/shirou/gopsutil v3.21.11+incompatible // indirect\n\tgithub.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af // indirect\n\tgithub.com/skeema/knownhosts v1.3.1 // indirect\n\tgithub.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb // indirect\n\tgithub.com/spdx/tools-golang v0.5.5 // indirect\n\tgithub.com/thoas/go-funk v0.9.3 // indirect\n\tgithub.com/tidwall/jsonc v0.3.2 // indirect\n\tgithub.com/tidwall/match v1.1.1 // indirect\n\tgithub.com/tink-crypto/tink-go/v2 v2.4.0 // indirect\n\tgithub.com/tklauser/go-sysconf v0.3.15 // indirect\n\tgithub.com/tklauser/numcpus v0.10.0 // indirect\n\tgithub.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect\n\tgithub.com/ulikunitz/xz v0.5.15 // indirect\n\tgithub.com/vbatts/tar-split v0.12.1 // indirect\n\tgithub.com/xanzy/ssh-agent v0.3.3 // indirect\n\tgithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect\n\tgithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect\n\tgithub.com/xeipuuv/gojsonschema v1.2.0 // indirect\n\tgithub.com/xhit/go-str2duration/v2 v2.1.0 // indirect\n\tgithub.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect\n\tgithub.com/yosida95/uritemplate/v3 v3.0.2 // indirect\n\tgithub.com/yuin/goldmark v1.7.12 // indirect\n\tgithub.com/yuin/goldmark-emoji v1.0.6 // indirect\n\tgithub.com/yusufpapurcu/wmi v1.2.4 // indirect\n\tgo.etcd.io/bbolt v1.4.2 // indirect\n\tgo.opencensus.io v0.24.0 // indirect\n\tgo.opentelemetry.io/auto/sdk v1.2.1 // indirect\n\tgo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect\n\tgo.opentelemetry.io/otel v1.39.0 // indirect\n\tgo.opentelemetry.io/otel/metric v1.39.0 // indirect\n\tgo.opentelemetry.io/otel/trace v1.39.0 // indirect\n\tgo.uber.org/atomic v1.7.0 // indirect\n\tgo.uber.org/multierr v1.11.0 // indirect\n\tgo.uber.org/zap v1.17.0 // indirect\n\tgo.yaml.in/yaml/v2 v2.4.2 // indirect\n\tgolang.org/x/crypto v0.48.0 // indirect\n\tgolang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect\n\tgolang.org/x/mod v0.32.0 // indirect\n\tgolang.org/x/oauth2 v0.34.0 // indirect\n\tgolang.org/x/sys v0.42.0 // indirect\n\tgolang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 // indirect\n\tgolang.org/x/text v0.34.0 // indirect\n\tgolang.org/x/tools v0.41.0 // indirect\n\tgolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect\n\tgoogle.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 // indirect\n\tgoogle.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect\n\tgoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d // indirect\n\tgopkg.in/warnings.v0 v0.1.2 // indirect\n\tgopkg.in/yaml.v3 v3.0.1 // indirect\n\tmodernc.org/libc v1.66.3 // indirect\n\tmodernc.org/mathutil v1.7.1 // indirect\n\tmodernc.org/memory v1.11.0 // indirect\n\tmodernc.org/sqlite v1.38.0 // indirect\n\tsigs.k8s.io/yaml v1.6.0 // indirect\n\twww.velocidex.com/golang/go-ntfs v0.2.0 // indirect\n\twww.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 // indirect\n)\n" }, { "path": "go.sum", "content": "bitbucket.org/creachadair/stringset v0.0.14 h1:t1ejQyf8utS4GZV/4fM+1gvYucggZkfhb+tMobDxYOE=\nbitbucket.org/creachadair/stringset v0.0.14/go.mod h1:Ej8fsr6rQvmeMDf6CCWMWGb14H9mz8kmDgPPTdiVT0w=\ncharm.land/bubbles/v2 v2.0.0 h1:tE3eK/pHjmtrDiRdoC9uGNLgpopOd8fjhEe31B/ai5s=\ncharm.land/bubbles/v2 v2.0.0/go.mod h1:rCHoleP2XhU8um45NTuOWBPNVHxnkXKTiZqcclL/qOI=\ncharm.land/bubbletea/v2 v2.0.1 h1:B8e9zzK7x9JJ+XvHGF4xnYu9Xa0E0y0MyggY6dbaCfQ=\ncharm.land/bubbletea/v2 v2.0.1/go.mod h1:3LRff2U4WIYXy7MTxfbAQ+AdfM3D8Xuvz2wbsOD9OHQ=\ncharm.land/glamour/v2 v2.0.0 h1:IDBoqLEy7Hdpb9VOXN+khLP/XSxtJy1VsHuW/yF87+U=\ncharm.land/glamour/v2 v2.0.0/go.mod h1:kjq9WB0s8vuUYZNYey2jp4Lgd9f4cKdzAw88FZtpj/w=\ncharm.land/lipgloss/v2 v2.0.1 h1:6Xzrn49+Py1Um5q/wZG1gWgER2+7dUyZ9XMEufqPSys=\ncharm.land/lipgloss/v2 v2.0.1/go.mod h1:KjPle2Qd3YmvP1KL5OMHiHysGcNwq6u83MUjYkFvEkM=\ncloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=\ncloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=\ncloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=\ncyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8=\ncyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc=\ndario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=\ndario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=\ndeps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b h1:NfcHjM/zoNS7fQsEkpms4iDeDeDN0epSc85v9E8URHA=\ndeps.dev/api/v3 v3.0.0-20260225225317-765e10b45d5b/go.mod h1:+gN+ydvfcDk/mTxWon7Ze4X8gYN/HZxUdt54XWgWcRQ=\ndeps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b h1:rLNtxOQmnJ4tBpU1RdZAAF8I5S/VLBEnjxE8qINO9RM=\ndeps.dev/api/v3alpha v0.0.0-20260225225317-765e10b45d5b/go.mod h1:gZ4p6jKUfgFWBPgK32TByXK59A+sDp9plnb7sz7VmxQ=\ndeps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b h1:sfRt80paU8Awo8LlaULg1EovlaVqIi4uO12NaEQhISk=\ndeps.dev/util/maven v0.0.0-20260225225317-765e10b45d5b/go.mod h1:eGrXziwI7scSGrwIj+5EBHtTeSxAZD/yi8Hb3nFXesA=\ndeps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b h1:67FfxwUt82PEMle2FKlW4DZvzcfSODDoTnSGOT1bYtY=\ndeps.dev/util/pypi v0.0.0-20250903005441-604c45d5b44b/go.mod h1:qmA0z/Lsfa1FMtuLd9JmVZLMHR3GBX/EmbM6z1X3EDU=\ndeps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b h1:1B0TKabhNud7PlSakdDVtZlLR9S69nfxdSGQJFq44Ao=\ndeps.dev/util/resolve v0.0.0-20260225225317-765e10b45d5b/go.mod h1:u4+2T3Dt2jsbUnWEngaKJYtZuBHN2wSVupHnZcqQvy4=\ndeps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b h1:NAN/jQ0J56JgMqvzt2Ht9i/RQm0GUCi8wHY3TnXt02k=\ndeps.dev/util/semver v0.0.0-20260225225317-765e10b45d5b/go.mod h1:jjJweVqtuMQ7Q4zlTQ/kCHpboojkRvpMYlhy/c93DVU=\ngithub.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=\ngithub.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=\ngithub.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa h1:x6kFzdPgBoLbyoNkA/jny0ENpoEz4wqY8lPTQL2DPkg=\ngithub.com/AdamKorcz/go-118-fuzz-build v0.0.0-20250520111509-a70c2aa677fa/go.mod h1:gCLVsLfv1egrcZu+GoJATN5ts75F2s62ih/457eWzOw=\ngithub.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=\ngithub.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=\ngithub.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=\ngithub.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=\ngithub.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=\ngithub.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=\ngithub.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=\ngithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=\ngithub.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=\ngithub.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=\ngithub.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=\ngithub.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=\ngithub.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=\ngithub.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=\ngithub.com/ProtonMail/go-crypto v1.3.0 h1:ILq8+Sf5If5DCpHQp4PbZdS1J7HDFRXz/+xKBiRGFrw=\ngithub.com/ProtonMail/go-crypto v1.3.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=\ngithub.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 h1:5L8Mj9Co9sJVgW3TpYk2gxGJnDjsYuboNTcRmbtGKGs=\ngithub.com/aead/serpent v0.0.0-20160714141033-fba169763ea6/go.mod h1:3HgLJ9d18kXMLQlJvIY3+FszZYMxCz8WfE2MQ7hDY0w=\ngithub.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=\ngithub.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=\ngithub.com/alecthomas/assert v1.0.0 h1:3XmGh/PSuLzDbK3W2gUbRXwgW5lqPkuqvRgeQ30FI5o=\ngithub.com/alecthomas/assert v1.0.0/go.mod h1:va/d2JC+M7F6s+80kl/R3G7FUiW6JzUO+hPhLyJ36ZY=\ngithub.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=\ngithub.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=\ngithub.com/alecthomas/chroma/v2 v2.19.0 h1:Im+SLRgT8maArxv81mULDWN8oKxkzboH07CHesxElq4=\ngithub.com/alecthomas/chroma/v2 v2.19.0/go.mod h1:RVX6AvYm4VfYe/zsk7mjHueLDZor3aWCNE14TFlepBk=\ngithub.com/alecthomas/colour v0.1.0 h1:nOE9rJm6dsZ66RGWYSFrXw461ZIt9A6+nHgL7FRrDUk=\ngithub.com/alecthomas/colour v0.1.0/go.mod h1:QO9JBoKquHd+jz9nshCh40fOfO+JzsoXy8qTHF68zU0=\ngithub.com/alecthomas/repr v0.4.0 h1:GhI2A8MACjfegCPVq9f1FLvIBS+DrQ2KQBFZP1iFzXc=\ngithub.com/alecthomas/repr v0.4.0/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=\ngithub.com/anchore/go-lzo v0.1.0 h1:NgAacnzqPeGH49Ky19QKLBZEuFRqtTG9cdaucc3Vncs=\ngithub.com/anchore/go-lzo v0.1.0/go.mod h1:3kLx0bve2oN1iDwgM1U5zGku1Tfbdb0No5qp1eL1fIk=\ngithub.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=\ngithub.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160 h1:r8/1fxpbDMlQO6GgQiud1uL5eAu3p/NVUmfNx95/KY8=\ngithub.com/anchore/go-struct-converter v0.0.0-20250211213226-cce56d595160/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=\ngithub.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=\ngithub.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=\ngithub.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=\ngithub.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=\ngithub.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=\ngithub.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=\ngithub.com/aymanbagabas/go-udiff v0.4.1 h1:OEIrQ8maEeDBXQDoGCbbTTXYJMYRCRO1fnodZ12Gv5o=\ngithub.com/aymanbagabas/go-udiff v0.4.1/go.mod h1:0L9PGwj20lrtmEMeyw4WKJ/TMyDtvAoK9bf2u/mNo3w=\ngithub.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=\ngithub.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=\ngithub.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694 h1:LiKs9FsSfMx3NomNclXYkv9enY77oft5Mc/vX/AKHgI=\ngithub.com/bazelbuild/buildtools v0.0.0-20250826111327-4006b543a694/go.mod h1:PLNUetjLa77TCCziPsz0EI8a6CUxgC+1jgmWv0H25tg=\ngithub.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=\ngithub.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=\ngithub.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=\ngithub.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=\ngithub.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=\ngithub.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=\ngithub.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=\ngithub.com/charmbracelet/colorprofile v0.4.2 h1:BdSNuMjRbotnxHSfxy+PCSa4xAmz7szw70ktAtWRYrY=\ngithub.com/charmbracelet/colorprofile v0.4.2/go.mod h1:0rTi81QpwDElInthtrQ6Ni7cG0sDtwAd4C4le060fT8=\ngithub.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8 h1:eyFRbAmexyt43hVfeyBofiGSEmJ7krjLOYt/9CF5NKA=\ngithub.com/charmbracelet/ultraviolet v0.0.0-20260205113103-524a6607adb8/go.mod h1:SQpCTRNBtzJkwku5ye4S3HEuthAlGy2n9VXZnWkEW98=\ngithub.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8=\ngithub.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ=\ngithub.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f h1:pk6gmGpCE7F3FcjaOEKYriCvpmIN4+6OS/RD0vm4uIA=\ngithub.com/charmbracelet/x/exp/golden v0.0.0-20250806222409-83e3a29d542f/go.mod h1:IfZAMTHB6XkZSeXUqriemErjAWCCzT0LwjKFYCZyw0I=\ngithub.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e h1:uuxP7L/srRKTMRPUCZsARYBr9x/bULlN6Sc28aUAIJU=\ngithub.com/charmbracelet/x/exp/slice v0.0.0-20250711012602-b1f986320f7e/go.mod h1:vI5nDVMWi6veaYH+0Fmvpbe/+cv/iJfMntdh+N0+Tms=\ngithub.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=\ngithub.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=\ngithub.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8JawjaNZY=\ngithub.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=\ngithub.com/charmbracelet/x/windows v0.2.2 h1:IofanmuvaxnKHuV04sC0eBy/smG6kIKrWG2/jYn2GuM=\ngithub.com/charmbracelet/x/windows v0.2.2/go.mod h1:/8XtdKZzedat74NQFn0NGlGL4soHB0YQZrETF96h75k=\ngithub.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=\ngithub.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=\ngithub.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=\ngithub.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=\ngithub.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=\ngithub.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=\ngithub.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=\ngithub.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=\ngithub.com/compose-spec/compose-go/v2 v2.8.1 h1:27O4dzyhiS/UEUKp1zHOHCBWD1WbxGsYGMNNaSejTk4=\ngithub.com/compose-spec/compose-go/v2 v2.8.1/go.mod h1:veko/VB7URrg/tKz3vmIAQDaz+CGiXH8vZsW79NmAww=\ngithub.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo=\ngithub.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=\ngithub.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=\ngithub.com/containerd/containerd v1.7.29/go.mod h1:azUkWcOvHrWvaiUjSQH0fjzuHIwSPg1WL5PshGP4Szs=\ngithub.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=\ngithub.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=\ngithub.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=\ngithub.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=\ngithub.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=\ngithub.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=\ngithub.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=\ngithub.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=\ngithub.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=\ngithub.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=\ngithub.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=\ngithub.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=\ngithub.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=\ngithub.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=\ngithub.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=\ngithub.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=\ngithub.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=\ngithub.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=\ngithub.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=\ngithub.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=\ngithub.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=\ngithub.com/cyphar/filepath-securejoin v0.6.0 h1:BtGB77njd6SVO6VztOHfPxKitJvd/VPT+OFBFMOi1Is=\ngithub.com/cyphar/filepath-securejoin v0.6.0/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=\ngithub.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=\ngithub.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=\ngithub.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb h1:4W/2rQ3wzEimF5s+J6OY3ODiQtJZ5W1sForSgogVXkY=\ngithub.com/deitch/magic v0.0.0-20240306090643-c67ab88f10cb/go.mod h1:B3tI9iGHi4imdLi4Asdha1Sc6feLMTfPLXh9IUYmysk=\ngithub.com/diskfs/go-diskfs v1.7.0 h1:vonWmt5CMowXwUc79jWyGrf2DIMeoOjkLlMnQYGVOs8=\ngithub.com/diskfs/go-diskfs v1.7.0/go.mod h1:LhQyXqOugWFRahYUSw47NyZJPezFzB9UELwhpszLP/k=\ngithub.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=\ngithub.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=\ngithub.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=\ngithub.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=\ngithub.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=\ngithub.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=\ngithub.com/docker/cli v29.2.0+incompatible h1:9oBd9+YM7rxjZLfyMGxjraKBKE4/nVyvVfN4qNl9XRM=\ngithub.com/docker/cli v29.2.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=\ngithub.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=\ngithub.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=\ngithub.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=\ngithub.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=\ngithub.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=\ngithub.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=\ngithub.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=\ngithub.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=\ngithub.com/docker/go-events v0.0.0-20250114142523-c867878c5e32 h1:EHZfspsnLAz8Hzccd67D5abwLiqoqym2jz/jOS39mCk=\ngithub.com/docker/go-events v0.0.0-20250114142523-c867878c5e32/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=\ngithub.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=\ngithub.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=\ngithub.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589 h1:LzrKhEeL5tqo8i86+5a8JgL5cEJBRspVm4FsKRK/gxA=\ngithub.com/dsoprea/go-exfat v0.0.0-20190906070738-5e932fbdb589/go.mod h1:zs3tKt0dOHncKZ7QhimWwN9RP7f6W6CLdjRfscKvvcA=\ngithub.com/dsoprea/go-logging v0.0.0-20190624164917-c4f10aab7696/go.mod h1:Nm/x2ZUNRW6Fe5C3LxdY1PyZY5wmDv/s5dkPJ/VB3iA=\ngithub.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd h1:l+vLbuxptsC6VQyQsfD7NnEC8BZuFpz45PgY+pH8YTg=\ngithub.com/dsoprea/go-logging v0.0.0-20200710184922-b02d349568dd/go.mod h1:7I+3Pe2o/YSU88W0hWlm9S22W7XI1JFNJ86U0zPKMf8=\ngithub.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=\ngithub.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=\ngithub.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=\ngithub.com/edsrzf/mmap-go v1.1.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=\ngithub.com/edsrzf/mmap-go v1.2.0 h1:hXLYlkbaPzt1SaQk+anYwKSRNhufIDCchSPkUD6dD84=\ngithub.com/edsrzf/mmap-go v1.2.0/go.mod h1:19H/e8pUPLicwkyNgOykDXkJ9F0MHE+Z52B8EIth78Q=\ngithub.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=\ngithub.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=\ngithub.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab h1:h1UgjJdAAhj+uPL68n7XASS6bU+07ZX1WJvVS2eyoeY=\ngithub.com/elliotwutingfeng/asciiset v0.0.0-20230602022725-51bbb787efab/go.mod h1:GLo/8fDswSAniFG+BFIaiSPcK610jyzgEhWYPQwuQdw=\ngithub.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=\ngithub.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=\ngithub.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=\ngithub.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=\ngithub.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=\ngithub.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=\ngithub.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593 h1:cIQ/Ziclb/qreqg1nqGEtH4V9UJCTaNSKz9gBRaeZlA=\ngithub.com/erikvarga/go-rpmdb v0.0.0-20250523120114-a15a62cd4593/go.mod h1:MiEorPk0IChAoCwpg2FXyqVgbNvOlPWZAYHqqIoDNoY=\ngithub.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=\ngithub.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=\ngithub.com/gkampitakis/ciinfo v0.3.2 h1:JcuOPk8ZU7nZQjdUhctuhQofk7BGHuIy0c9Ez8BNhXs=\ngithub.com/gkampitakis/ciinfo v0.3.2/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=\ngithub.com/gkampitakis/go-snaps v0.5.20 h1:FGKonEeQPJ12t7RQj6cTPa881fl5c8HYarMLv5vP7sg=\ngithub.com/gkampitakis/go-snaps v0.5.20/go.mod h1:gC3YqxQTPyIXvQrw/Vpt3a8VqR1MO8sVpZFWN4DGwNs=\ngithub.com/glebarez/go-sqlite v1.20.3 h1:89BkqGOXR9oRmG58ZrzgoY/Fhy5x0M+/WV48U5zVrZ4=\ngithub.com/glebarez/go-sqlite v1.20.3/go.mod h1:u3N6D/wftiAzIOJtZl6BmedqxmmkDfH3q+ihjqxC9u0=\ngithub.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=\ngithub.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=\ngithub.com/go-errors/errors v1.0.1/go.mod h1:f4zRHt4oKfwPJE5k8C9vpYG+aDHdBFUsgrm6/TyX73Q=\ngithub.com/go-errors/errors v1.0.2 h1:xMxH9j2fNg/L4hLn/4y3M0IUsn0M6Wbu/Uh9QlOfBh4=\ngithub.com/go-errors/errors v1.0.2/go.mod h1:psDX2osz5VnTOnFWbDeWwS7yejl+uV3FEWEp4lssFEs=\ngithub.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=\ngithub.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=\ngithub.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDzZG0=\ngithub.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=\ngithub.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=\ngithub.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=\ngithub.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=\ngithub.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=\ngithub.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=\ngithub.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=\ngithub.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=\ngithub.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=\ngithub.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=\ngithub.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=\ngithub.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=\ngithub.com/go-restruct/restruct v0.0.0-20190418070341-acd4e4c2cb35/go.mod h1:e2k/t2/850rC773ilFYQSoqyJ78SpTx7gtFtOY6/AYA=\ngithub.com/go-restruct/restruct v1.2.0-alpha h1:2Lp474S/9660+SJjpVxoKuWX09JsXHSrdV7Nv3/gkvc=\ngithub.com/go-restruct/restruct v1.2.0-alpha/go.mod h1:KqrpKpn4M8OLznErihXTGLlsXFGeLxHUrLRRI/1YjGk=\ngithub.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=\ngithub.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=\ngithub.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=\ngithub.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=\ngithub.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=\ngithub.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=\ngithub.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=\ngithub.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=\ngithub.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=\ngithub.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=\ngithub.com/gohugoio/hashstructure v0.5.0 h1:G2fjSBU36RdwEJBWJ+919ERvOVqAg9tfcYp47K9swqg=\ngithub.com/gohugoio/hashstructure v0.5.0/go.mod h1:Ser0TniXuu/eauYmrwM4o64EBvySxNzITEOLlm4igec=\ngithub.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=\ngithub.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=\ngithub.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=\ngithub.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=\ngithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=\ngithub.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=\ngithub.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=\ngithub.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=\ngithub.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=\ngithub.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=\ngithub.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=\ngithub.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=\ngithub.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=\ngithub.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=\ngithub.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=\ngithub.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=\ngithub.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=\ngithub.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=\ngithub.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=\ngithub.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=\ngithub.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=\ngithub.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=\ngithub.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=\ngithub.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=\ngithub.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=\ngithub.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=\ngithub.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932 h1:5/4TSDzpDnHQ8rKEEQBjRlYx77mHOvXu08oGchxej7o=\ngithub.com/google/go-cpy v0.0.0-20211218193943-a9c933c06932/go.mod h1:cC6EdPbj/17GFCPDK39NRarlMI+kt+O60S12cNB5J9Y=\ngithub.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=\ngithub.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=\ngithub.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9 h1:bOqoTMcFFJf0yuXgH+EdPWzcgIIUzyCWxT/agq2u4lw=\ngithub.com/google/osv-scalibr v0.4.6-0.20260318175007-ec4239d68fb9/go.mod h1:0yLzHje112PqLC/q9GKwcmaKrKWotOvc49xc+SegKV0=\ngithub.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=\ngithub.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=\ngithub.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=\ngithub.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=\ngithub.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=\ngithub.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=\ngithub.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=\ngithub.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=\ngithub.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=\ngithub.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f h1:Fnl4pzx8SR7k7JuzyW8lEtSFH6EQ8xgcypgIn8pcGIE=\ngithub.com/ianlancetaylor/demangle v0.0.0-20251118225945-96ee0021ea0f/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=\ngithub.com/icholy/digest v1.1.0 h1:HfGg9Irj7i+IX1o1QAmPfIBNu/Q5A5Tu3n/MED9k9H4=\ngithub.com/icholy/digest v1.1.0/go.mod h1:QNrsSGQ5v7v9cReDI0+eyjsXGUoRSUZQHeQ5C4XLa0Y=\ngithub.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=\ngithub.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=\ngithub.com/jedib0t/go-pretty/v6 v6.7.8 h1:BVYrDy5DPBA3Qn9ICT+PokP9cvCv1KaHv2i+Hc8sr5o=\ngithub.com/jedib0t/go-pretty/v6 v6.7.8/go.mod h1:YwC5CE4fJ1HFUDeivSV1r//AmANFHyqczZk+U6BDALU=\ngithub.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=\ngithub.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=\ngithub.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=\ngithub.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=\ngithub.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=\ngithub.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=\ngithub.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=\ngithub.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=\ngithub.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=\ngithub.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=\ngithub.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=\ngithub.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=\ngithub.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=\ngithub.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=\ngithub.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=\ngithub.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=\ngithub.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40 h1:EnfXoSqDfSNJv0VBNqY/88RNnhSGYkrHaO0mmFGbVsc=\ngithub.com/lunixbochs/struc v0.0.0-20200707160740-784aaebc1d40/go.mod h1:vy1vK6wD6j7xX6O6hXe621WabdtNkou2h7uRtTfRMyg=\ngithub.com/maruel/natural v1.1.1 h1:Hja7XhhmvEFhcByqDoHz9QZbkWey+COd9xWfCfn1ioo=\ngithub.com/maruel/natural v1.1.1/go.mod h1:v+Rfd79xlw1AgVBjbO0BEQmptqb5HvL/k9GRHB7ZKEg=\ngithub.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd h1:JEIW94K3spsvBI5Xb9PGhKSIza9/jxO1lF30tPCAJlA=\ngithub.com/masahiro331/go-ext4-filesystem v0.0.0-20240620024024-ca14e6327bbd/go.mod h1:3XMMY1M486mWGTD13WPItg6FsgflQR72ZMAkd+gsyoQ=\ngithub.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=\ngithub.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=\ngithub.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=\ngithub.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=\ngithub.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=\ngithub.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=\ngithub.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=\ngithub.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=\ngithub.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=\ngithub.com/micromdm/plist v0.2.1 h1:4SoSMOVAyzv1ThT8IKLgXLJEKezLkcVDN6wivqTTFdo=\ngithub.com/micromdm/plist v0.2.1/go.mod h1:flkfm0od6GzyXBqI28h5sgEyi3iPO28W2t1Zm9LpwWs=\ngithub.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=\ngithub.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=\ngithub.com/moby/buildkit v0.23.2 h1:gt/dkfcpgTXKx+B9I310kV767hhVqTvEyxGgI3mqsGQ=\ngithub.com/moby/buildkit v0.23.2/go.mod h1:iEjAfPQKIuO+8y6OcInInvzqTMiKMbb2RdJz1K/95a0=\ngithub.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=\ngithub.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=\ngithub.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=\ngithub.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=\ngithub.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=\ngithub.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=\ngithub.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=\ngithub.com/moby/sys/mountinfo v0.7.2/go.mod h1:1YOa8w8Ih7uW0wALDUgT1dTTSBrZ+HiBLGws92L2RU4=\ngithub.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=\ngithub.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=\ngithub.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0=\ngithub.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=\ngithub.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=\ngithub.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=\ngithub.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=\ngithub.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=\ngithub.com/moby/term v0.0.0-20221205130635-1aeaba878587 h1:HfkjXDfhgVaN5rmueG8cL8KKeFNecRCXFhaJ2qZ5SKA=\ngithub.com/moby/term v0.0.0-20221205130635-1aeaba878587/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=\ngithub.com/modelcontextprotocol/go-sdk v1.4.1 h1:M4x9GyIPj+HoIlHNGpK2hq5o3BFhC+78PkEaldQRphc=\ngithub.com/modelcontextprotocol/go-sdk v1.4.1/go.mod h1:Bo/mS87hPQqHSRkMv4dQq1XCu6zv4INdXnFZabkNU6s=\ngithub.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=\ngithub.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=\ngithub.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=\ngithub.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=\ngithub.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=\ngithub.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=\ngithub.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=\ngithub.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=\ngithub.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=\ngithub.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=\ngithub.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=\ngithub.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=\ngithub.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=\ngithub.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=\ngithub.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=\ngithub.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=\ngithub.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=\ngithub.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=\ngithub.com/opencontainers/selinux v1.13.0 h1:Zza88GWezyT7RLql12URvoxsbLfjFx988+LGaWfbL84=\ngithub.com/opencontainers/selinux v1.13.0/go.mod h1:XxWTed+A/s5NNq4GmYScVy+9jzXhGBVEOAyucdRUY8s=\ngithub.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4 h1:4zC49SlXs2waAuZJFEP1lAGf9Bgjg8SQww6y8C9znJ0=\ngithub.com/ossf/osv-schema/bindings/go v0.0.0-20260304051245-ec3272c283e4/go.mod h1:NJzqZPEfOy3B1dWe9pKRtmxJ/UF1++6apnQLjz3du8E=\ngithub.com/owenrumney/go-sarif/v3 v3.3.0 h1:p5oSxEV0uPWBRpAspTmwWr4t1YZyKUpdoFzSB7WE90A=\ngithub.com/owenrumney/go-sarif/v3 v3.3.0/go.mod h1:72MaugkExDexbSauRuPq6BvUAAqAX0TwoNYMIQyZCMw=\ngithub.com/package-url/packageurl-go v0.1.5 h1:O4efRXja2XQ5CtiiYiCZ22k/m7i5ugLiAghgcC+eDgk=\ngithub.com/package-url/packageurl-go v0.1.5/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=\ngithub.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI=\ngithub.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q=\ngithub.com/pierrec/lz4/v4 v4.1.17 h1:kV4Ip+/hUBC+8T6+2EgburRtkE9ef4nbY3f4dFhGjMc=\ngithub.com/pierrec/lz4/v4 v4.1.17/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=\ngithub.com/pjbgf/sha1cd v0.4.0 h1:NXzbL1RvjTUi6kgYZCX3fPwwl27Q1LJndxtUDVfJGRY=\ngithub.com/pjbgf/sha1cd v0.4.0/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=\ngithub.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=\ngithub.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=\ngithub.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=\ngithub.com/pkg/xattr v0.4.9 h1:5883YPCtkSd8LFbs13nXplj9g9tlrwoJRjgpgMu1/fE=\ngithub.com/pkg/xattr v0.4.9/go.mod h1:di8WF84zAKk8jzR1UBTEWh9AUlIZZ7M/JNt8e9B6ktU=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=\ngithub.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=\ngithub.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=\ngithub.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=\ngithub.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=\ngithub.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=\ngithub.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=\ngithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=\ngithub.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=\ngithub.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=\ngithub.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=\ngithub.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=\ngithub.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=\ngithub.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=\ngithub.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=\ngithub.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=\ngithub.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c h1:8gOLsYwaY2JwlTMT4brS5/9XJdrdIbmk2obvQ748CC0=\ngithub.com/rust-secure-code/go-rustaudit v0.0.0-20250226111315-e20ec32e963c/go.mod h1:kwM/7r/rVluTE8qJbHAffduuqmSv4knVQT2IajGvSiA=\ngithub.com/saferwall/pe v1.5.7 h1:fxlRLvhyr+3cIs1yturWhWmgACIu147o+xSEYFlUAyA=\ngithub.com/saferwall/pe v1.5.7/go.mod h1:mJx+PuptmNpoPFBNhWs/uDMFL/kTHVZIkg0d4OUJFbQ=\ngithub.com/sahilm/fuzzy v0.1.1 h1:ceu5RHF8DGgoi+/dR5PsECjCDH1BE3Fnmpo7aVXOdRA=\ngithub.com/sahilm/fuzzy v0.1.1/go.mod h1:VFvziUEIMCrT6A6tw2RFIXPXXmzXbOsSHF0DOI8ZK9Y=\ngithub.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw=\ngithub.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU=\ngithub.com/sebdah/goldie v1.0.0 h1:9GNhIat69MSlz/ndaBg48vl9dF5fI+NBB6kfOxgfkMc=\ngithub.com/sebdah/goldie v1.0.0/go.mod h1:jXP4hmWywNEwZzhMuv2ccnqTSFpuq8iyQhtQdkkZBH4=\ngithub.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d h1:RQqyEogx5J6wPdoxqL132b100j8KjcVHO1c0KLRoIhc=\ngithub.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d/go.mod h1:PegD7EVqlN88z7TpCqH92hHP+GBpfomGCCnw1PFtNOA=\ngithub.com/segmentio/asm v1.1.3 h1:WM03sfUOENvvKexOLp+pCqgb/WDjsi7EK8gIsICtzhc=\ngithub.com/segmentio/asm v1.1.3/go.mod h1:Ld3L4ZXGNcSLRg4JBsZ3//1+f/TjYl0Mzen/DQy1EJg=\ngithub.com/segmentio/encoding v0.5.4 h1:OW1VRern8Nw6ITAtwSZ7Idrl3MXCFwXHPgqESYfvNt0=\ngithub.com/segmentio/encoding v0.5.4/go.mod h1:HS1ZKa3kSN32ZHVZ7ZLPLXWvOVIiZtyJnO1gPH1sKt0=\ngithub.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=\ngithub.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=\ngithub.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=\ngithub.com/shirou/gopsutil v3.21.11+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=\ngithub.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=\ngithub.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af h1:Sp5TG9f7K39yfB+If0vjp97vuT74F72r8hfRpP8jLU0=\ngithub.com/sirupsen/logrus v1.9.4-0.20230606125235-dd1b4c2e81af/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=\ngithub.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=\ngithub.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=\ngithub.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=\ngithub.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb h1:7G2Czq97VORM5xNRrD8tSQdhoXPRs8s+Otlc7st9TS0=\ngithub.com/spdx/gordf v0.0.0-20250128162952-000978ccd6fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=\ngithub.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk=\ngithub.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE=\ngithub.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=\ngithub.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=\ngithub.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=\ngithub.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=\ngithub.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=\ngithub.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=\ngithub.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=\ngithub.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=\ngithub.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=\ngithub.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=\ngithub.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=\ngithub.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=\ngithub.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=\ngithub.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=\ngithub.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slHPRKTTHT+XSHkepo=\ngithub.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=\ngithub.com/thoas/go-funk v0.9.3 h1:7+nAEx3kn5ZJcnDm2Bh23N2yOtweO14bi//dvRtgLpw=\ngithub.com/thoas/go-funk v0.9.3/go.mod h1:+IWnUfUmFO1+WVYQWQtIJHeRRdaIyyYglZN7xzUPe4Q=\ngithub.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=\ngithub.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=\ngithub.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=\ngithub.com/tidwall/jsonc v0.3.2 h1:ZTKrmejRlAJYdn0kcaFqRAKlxxFIC21pYq8vLa4p2Wc=\ngithub.com/tidwall/jsonc v0.3.2/go.mod h1:dw+3CIxqHi+t8eFSpzzMlcVYxKp08UP5CD8/uSFCyJE=\ngithub.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=\ngithub.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=\ngithub.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=\ngithub.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=\ngithub.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=\ngithub.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=\ngithub.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=\ngithub.com/tink-crypto/tink-go/v2 v2.4.0 h1:8VPZeZI4EeZ8P/vB6SIkhlStrJfivTJn+cQ4dtyHNh0=\ngithub.com/tink-crypto/tink-go/v2 v2.4.0/go.mod h1:l//evrF2Y3MjdbpNDNGnKgCpo5zSmvUvnQ4MU+yE2sw=\ngithub.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8Ol49K4=\ngithub.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=\ngithub.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=\ngithub.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=\ngithub.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10LaZdB8kkVEaoXvAMVan2tl9AiK4G0odjQtE=\ngithub.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=\ngithub.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=\ngithub.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=\ngithub.com/urfave/cli/v3 v3.7.0 h1:AGSnbUyjtLiM+WJUb4dzXKldl/gL+F8OwmRDtVr6g2U=\ngithub.com/urfave/cli/v3 v3.7.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso=\ngithub.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=\ngithub.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=\ngithub.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=\ngithub.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=\ngithub.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=\ngithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=\ngithub.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=\ngithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=\ngithub.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=\ngithub.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=\ngithub.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=\ngithub.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=\ngithub.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=\ngithub.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=\ngithub.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=\ngithub.com/yosida95/uritemplate/v3 v3.0.2 h1:Ed3Oyj9yrmi9087+NczuL5BwkIc4wvTb5zIM+UJPGz4=\ngithub.com/yosida95/uritemplate/v3 v3.0.2/go.mod h1:ILOh0sOhIJR3+L/8afwt/kE++YT040gmv5BQTMR2HP4=\ngithub.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngithub.com/yuin/goldmark v1.7.12 h1:YwGP/rrea2/CnCtUHgjuolG/PnMxdQtPMO5PvaE2/nY=\ngithub.com/yuin/goldmark v1.7.12/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=\ngithub.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=\ngithub.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=\ngithub.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=\ngithub.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=\ngo.etcd.io/bbolt v1.4.2 h1:IrUHp260R8c+zYx/Tm8QZr04CX+qWS5PGfPdevhdm1I=\ngo.etcd.io/bbolt v1.4.2/go.mod h1:Is8rSHO/b4f3XigBC0lL0+4FwAQv3HXEEIgFMuKHceM=\ngo.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=\ngo.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=\ngo.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=\ngo.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=\ngo.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=\ngo.opentelemetry.io/otel v1.39.0 h1:8yPrr/S0ND9QEfTfdP9V+SiwT4E0G7Y5MO7p85nis48=\ngo.opentelemetry.io/otel v1.39.0/go.mod h1:kLlFTywNWrFyEdH0oj2xK0bFYZtHRYUdv1NklR/tgc8=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=\ngo.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=\ngo.opentelemetry.io/otel/metric v1.39.0 h1:d1UzonvEZriVfpNKEVmHXbdf909uGTOQjA0HF0Ls5Q0=\ngo.opentelemetry.io/otel/metric v1.39.0/go.mod h1:jrZSWL33sD7bBxg1xjrqyDjnuzTUB0x1nBERXd7Ftcs=\ngo.opentelemetry.io/otel/sdk v1.39.0 h1:nMLYcjVsvdui1B/4FRkwjzoRVsMK8uL/cj0OyhKzt18=\ngo.opentelemetry.io/otel/sdk v1.39.0/go.mod h1:vDojkC4/jsTJsE+kh+LXYQlbL8CgrEcwmt1ENZszdJE=\ngo.opentelemetry.io/otel/sdk/metric v1.39.0 h1:cXMVVFVgsIf2YL6QkRF4Urbr/aMInf+2WKg+sEJTtB8=\ngo.opentelemetry.io/otel/sdk/metric v1.39.0/go.mod h1:xq9HEVH7qeX69/JnwEfp6fVq5wosJsY1mt4lLfYdVew=\ngo.opentelemetry.io/otel/trace v1.39.0 h1:2d2vfpEDmCJ5zVYz7ijaJdOF59xLomrvj7bjt6/qCJI=\ngo.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4EtqqlVdxWy+rNOA=\ngo.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=\ngo.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=\ngo.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=\ngo.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=\ngo.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=\ngo.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=\ngo.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=\ngo.uber.org/zap v1.17.0 h1:MTjgFu6ZLKvY6Pvaqk97GlxNBuMpV4Hy/3P6tRGlI2U=\ngo.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=\ngo.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=\ngo.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=\ngo.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=\ngo.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=\ngo.yaml.in/yaml/v4 v4.0.0-rc.4 h1:UP4+v6fFrBIb1l934bDl//mmnoIZEDK0idg1+AIvX5U=\ngo.yaml.in/yaml/v4 v4.0.0-rc.4/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=\ngolang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=\ngolang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=\ngolang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=\ngolang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=\ngolang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc=\ngolang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=\ngolang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=\ngolang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=\ngolang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=\ngolang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=\ngolang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=\ngolang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=\ngolang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=\ngolang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=\ngolang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=\ngolang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=\ngolang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=\ngolang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=\ngolang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=\ngolang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=\ngolang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=\ngolang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=\ngolang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2 h1:O1cMQHRfwNpDfDJerqRoE2oD+AFlyid87D40L/OkkJo=\ngolang.org/x/telemetry v0.0.0-20260109210033-bd525da824e2/go.mod h1:b7fPSJ0pKZ3ccUh8gnTONJxhn3c/PS6tyzQvyqw4iA8=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=\ngolang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=\ngolang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=\ngolang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=\ngolang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=\ngolang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=\ngolang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=\ngolang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=\ngolang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=\ngolang.org/x/tools/go/expect v0.1.0-deprecated h1:jY2C5HGYR5lqex3gEniOQL0r7Dq5+VGVgY1nudX5lXY=\ngolang.org/x/tools/go/expect v0.1.0-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=\ngolang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=\ngolang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=\ngolang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=\ngolang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\ngolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY=\ngolang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=\ngonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=\ngonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=\ngoogle.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=\ngoogle.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=\ngoogle.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=\ngoogle.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=\ngoogle.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=\ngoogle.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7 h1:FGOcxvKlJgRBVbXeugjljCfCgfKWhC42FBoYmTCWVBs=\ngoogle.golang.org/genproto v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:249YoW4b1INqFTEop2T4aJgiO7UBYJrpejsaLvjWfI8=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 h1:tu/dtnW1o3wfaxCOjSLn5IRX4YDcJrtlpzYkhHhGaC4=\ngoogle.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171/go.mod h1:M5krXqk4GhBKvB596udGL3UyjL4I1+cTbK0orROM9ng=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d h1:t/LOSXPJ9R0B6fnZNyALBRfZBH0Uy0gT+uR+SJ6syqQ=\ngoogle.golang.org/genproto/googleapis/rpc v0.0.0-20260217215200-42d3e9bedb6d/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=\ngoogle.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=\ngoogle.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=\ngoogle.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=\ngoogle.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=\ngoogle.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=\ngoogle.golang.org/grpc v1.79.3 h1:sybAEdRIEtvcD68Gx7dmnwjZKlyfuc61Dyo9pGXXkKE=\ngoogle.golang.org/grpc v1.79.3/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ=\ngoogle.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=\ngoogle.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=\ngoogle.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=\ngoogle.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=\ngoogle.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=\ngoogle.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=\ngoogle.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=\ngoogle.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=\ngoogle.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=\ngopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=\ngopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=\ngopkg.in/dnaeon/go-vcr.v4 v4.0.6 h1:PiJkrakkmzc5s7EfBnZOnyiLwi7o7A9fwPzN0X2uwe0=\ngopkg.in/dnaeon/go-vcr.v4 v4.0.6/go.mod h1:sbq5oMEcM4PXngbcNbHhzfCP9OdZodLhrbRYoyg09HY=\ngopkg.in/ini.v1 v1.67.1 h1:tVBILHy0R6e4wkYOn3XmiITt/hEVH4TFMYvAX2Ytz6k=\ngopkg.in/ini.v1 v1.67.1/go.mod h1:x/cyOwCgZqOkJoDIJ3c1KNHMo10+nLGAhh+kn3Zizss=\ngopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=\ngopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=\ngopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=\ngopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=\ngopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=\ngopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=\ngopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=\ngotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=\ngotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=\nhonnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nhonnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=\nmodernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM=\nmodernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=\nmodernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=\nmodernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=\nmodernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM=\nmodernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=\nmodernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=\nmodernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=\nmodernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=\nmodernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=\nmodernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ=\nmodernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8=\nmodernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=\nmodernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=\nmodernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=\nmodernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=\nmodernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=\nmodernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=\nmodernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=\nmodernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=\nmodernc.org/sqlite v1.38.0 h1:+4OrfPQ8pxHKuWG4md1JpR/EYAh3Md7TdejuuzE7EUI=\nmodernc.org/sqlite v1.38.0/go.mod h1:1Bj+yES4SVvBZ4cBOpVZ6QgesMCKpJZDq0nxYzOpmNE=\nmodernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=\nmodernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=\nmodernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=\nmodernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=\nosv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f h1:B0XTb5DYHKy+Fy/z2BFgnBeTik2yPAcUDiPNnqouxGI=\nosv.dev/bindings/go v0.0.0-20260306051416-1f963c5a9f4f/go.mod h1:OVdSVs0ycryhh/ctD+AzobnK9YwV0ap9487js1AYP9M=\nsigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=\nsigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=\nsigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=\nwww.velocidex.com/golang/go-ntfs v0.2.0 h1:JLS4hOQLupiVzo+1z4Xb8AZyIaXHDmiGnKyoM/bRYq0=\nwww.velocidex.com/golang/go-ntfs v0.2.0/go.mod h1:itvbHQcnLdTVIDY6fI3lR0zeBwXwBYBdUFtswE0x1vc=\nwww.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7 h1:BMX/37sYwX+8JhHt+YNbPfbx7dXG1w1L1mXonNBtjt0=\nwww.velocidex.com/golang/regparser v0.0.0-20250203141505-31e704a67ef7/go.mod h1:pxSECT5mWM3goJ4sxB4HCJNKnKqiAlpyT8XnvBwkLGU=\n" }, { "path": "goreleaser-action.dockerfile", "content": "# Copyright 2024 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039\nRUN apk --no-cache add \\\n ca-certificates \\\n git \\\n bash\n\n# Allow git to run on mounted directories\nRUN git config --global --add safe.directory '*'\n\n# Built binaries provided by goreleaser\nWORKDIR /root/\nCOPY ./osv-scanner-action ./osv-scanner\nCOPY ./osv-reporter ./\nCOPY ./exit_code_redirect.sh ./\n\nENV PATH=\"${PATH}:/root\"\n\nENTRYPOINT [\"bash\", \"/root/exit_code_redirect.sh\"]\n" }, { "path": "goreleaser.dockerfile", "content": "# Copyright 2022 Google LLC\n#\n# Licensed under the Apache License, Version 2.0 (the \"License\");\n# you may not use this file except in compliance with the License.\n# You may obtain a copy of the License at\n#\n# http://www.apache.org/licenses/LICENSE-2.0\n#\n# Unless required by applicable law or agreed to in writing, software\n# distributed under the License is distributed on an \"AS IS\" BASIS,\n# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n# See the License for the specific language governing permissions and\n# limitations under the License.\n\nFROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039\nRUN apk add --no-cache \\\n ca-certificates \\\n git\n\n# Allow git to run on mounted directories\nRUN git config --global --add safe.directory '*'\n\nWORKDIR /\n\nCOPY osv-scanner ./\n\nENTRYPOINT [\"/osv-scanner\"]\n" }, { "path": "internal/cachedregexp/regex.go", "content": "// Package cachedregexp provides a cached version of regexp.MustCompile and regexp.Compile.\npackage cachedregexp\n\nimport (\n\t\"regexp\"\n\t\"sync\"\n)\n\nvar cache sync.Map\n\nfunc MustCompile(exp string) *regexp.Regexp {\n\tcompiled, ok := cache.Load(exp)\n\tif !ok {\n\t\tcompiled, _ = cache.LoadOrStore(exp, regexp.MustCompile(exp))\n\t}\n\n\treturn compiled.(*regexp.Regexp)\n}\n\n// Compile returns a compiled regexp or an error if the pattern is invalid.\n// Results are cached for performance.\nfunc Compile(exp string) (*regexp.Regexp, error) {\n\tcompiled, ok := cache.Load(exp)\n\tif ok {\n\t\treturn compiled.(*regexp.Regexp), nil\n\t}\n\n\tr, err := regexp.Compile(exp)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tcache.LoadOrStore(exp, r)\n\n\treturn r, nil\n}\n" }, { "path": "internal/ci/__snapshots__/vulnerability_result_diff_test.snap", "content": "\n[TestDiffVulnerabilityByUniqueVulnCountResults/new_has_one_less_vuln - 1]\n{}\n---\n\n[TestDiffVulnerabilityByUniqueVulnCountResults/same_everything - 1]\n{}\n---\n\n[TestDiffVulnerabilityByUniqueVulnCountResults/same_package_with_new_vuln - 1]\n{\n \"GHSA-c3h9-896r-86jm\": 1\n}\n---\n\n[TestDiffVulnerabilityByUniqueVulnCountResults/same_packages_with_different_source_path - 1]\n{}\n---\n\n[TestDiffVulnerabilityResults/new_has_one_less_vuln - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/new_vuln_and_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"max_severity\": \"8.6\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/old_package_replaced_with_new_package - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/brandnew/package\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/old_vuln_and_packages_gone - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/same_everything - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/same_packages_but_with_one_moved - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/different-dir/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GO-2021-0053\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[TestDiffVulnerabilityResults/same_packages_with_new_vuln - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"max_severity\": \"8.6\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n" }, { "path": "internal/ci/testdata/not-json.txt", "content": "this is not valid json! (I think)\n" }, { "path": "internal/ci/testdata/results-empty.json", "content": "{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": [\"MIT\"]\n }\n }\n}\n" }, { "path": "internal/ci/testdata/results-some.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/different-dir/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GO-2021-0053\"\n ],\n \"aliases\": null\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": null\n }\n }\n}\n" }, { "path": "internal/ci/testdata/vulns/test-vuln-results-a-1.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/different-dir/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GO-2021-0053\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}" }, { "path": "internal/ci/testdata/vulns/test-vuln-results-a.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GO-2021-0053\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}" }, { "path": "internal/ci/testdata/vulns/test-vuln-results-b.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}" }, { "path": "internal/ci/testdata/vulns/test-vuln-results-c.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}" }, { "path": "internal/ci/testdata/vulns/test-vuln-results-d.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/brandnew/package\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [],\n \"groups\": []\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/ci/testmain_test.go", "content": "package ci_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/ci/utility.go", "content": "// Package ci provides utility functions for CI integration.\npackage ci\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"os\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc LoadVulnResults(path string) (models.VulnerabilityResults, error) {\n\tfile, err := os.Open(path)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to load '%s'\", path)\n\t}\n\tdefer file.Close()\n\tvar value models.VulnerabilityResults\n\terr = json.NewDecoder(file).Decode(&value)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to parse '%s'\", path)\n\t}\n\n\treturn value, nil\n}\n" }, { "path": "internal/ci/utility_test.go", "content": "package ci_test\n\nimport (\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/internal/ci\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/testing/protocmp\"\n\t\"google.golang.org/protobuf/types/known/structpb\"\n\t\"google.golang.org/protobuf/types/known/timestamppb\"\n)\n\nfunc parseTime(t *testing.T, str string) time.Time {\n\tt.Helper()\n\n\tti, err := time.Parse(time.RFC3339, str)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\treturn ti\n}\n\nfunc TestLoadVulnResults(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tpath string\n\t\twant models.VulnerabilityResults\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"does_not_exist\",\n\t\t\tpath: \"./testdata/does_not_exist\",\n\t\t\twant: models.VulnerabilityResults{},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid_json\",\n\t\t\tpath: \"./testdata/not-json.txt\",\n\t\t\twant: models.VulnerabilityResults{},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"results_empty\",\n\t\t\tpath: \"./testdata/results-empty.json\",\n\t\t\twant: models.VulnerabilityResults{\n\t\t\t\tResults: []models.PackageSource{},\n\t\t\t\tExperimentalAnalysisConfig: models.ExperimentalAnalysisConfig{\n\t\t\t\t\tLicenses: models.ExperimentalLicenseConfig{\n\t\t\t\t\t\tSummary: true,\n\t\t\t\t\t\tAllowlist: []models.License{\"MIT\"},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tImageMetadata: nil,\n\t\t\t\tLicenseSummary: nil,\n\t\t\t},\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"results_some\",\n\t\t\tpath: \"./testdata/results-some.json\",\n\t\t\twant: models.VulnerabilityResults{\n\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t{\n\t\t\t\t\t\tSource: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/different-dir/go.mod\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tExperimentalPES: nil,\n\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\t\t\t\tName: \"github.com/gogo/protobuf\",\n\t\t\t\t\t\t\t\t\tVersion: \"1.3.1\",\n\t\t\t\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\tSchemaVersion: \"1.4.0\",\n\t\t\t\t\t\t\t\t\t\tId: \"GO-2021-0053\",\n\t\t\t\t\t\t\t\t\t\tModified: timestamppb.New(parseTime(t, \"2023-06-12T18:45:41Z\")),\n\t\t\t\t\t\t\t\t\t\tPublished: timestamppb.New(parseTime(t, \"2021-04-14T20:04:52Z\")),\n\t\t\t\t\t\t\t\t\t\tAliases: []string{\"CVE-2021-3121\", \"GHSA-c3h9-896r-86jm\"},\n\t\t\t\t\t\t\t\t\t\tSummary: \"Panic due to improper input validation in github.com/gogo/protobuf\",\n\t\t\t\t\t\t\t\t\t\tDetails: \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n\t\t\t\t\t\t\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\tPackage: &osvschema.Package{\n\t\t\t\t\t\t\t\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tName: \"github.com/gogo/protobuf\",\n\t\t\t\t\t\t\t\t\t\t\t\t\tPurl: \"pkg:golang/github.com/gogo/protobuf\",\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tRanges: []*osvschema.Range{{\n\t\t\t\t\t\t\t\t\t\t\t\t\tType: osvschema.Range_SEMVER,\n\t\t\t\t\t\t\t\t\t\t\t\t\tEvents: []*osvschema.Event{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t{Introduced: \"0\"},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t{Fixed: \"1.3.2\"},\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\t\t\t\tDatabaseSpecific: &structpb.Struct{\n\t\t\t\t\t\t\t\t\t\t\t\t\tFields: map[string]*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"source\": {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StringValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringValue: \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\tEcosystemSpecific: &structpb.Struct{\n\t\t\t\t\t\t\t\t\t\t\t\t\tFields: map[string]*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"imports\": {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_ListValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tListValue: &structpb.ListValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tValues: []*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StructValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tStructValue: &structpb.Struct{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tFields: map[string]*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"path\": {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StringValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringValue: \"github.com/gogo/protobuf/plugin/unmarshal\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"symbols\": {\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_ListValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tListValue: &structpb.ListValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tValues: []*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StringValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringValue: \"unmarshal.Generate\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StringValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringValue: \"unmarshal.field\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\tReferences: []*osvschema.Reference{\n\t\t\t\t\t\t\t\t\t\t\t{Type: osvschema.Reference_FIX, Url: \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\tDatabaseSpecific: &structpb.Struct{\n\t\t\t\t\t\t\t\t\t\t\tFields: map[string]*structpb.Value{\n\t\t\t\t\t\t\t\t\t\t\t\t\"url\": {\n\t\t\t\t\t\t\t\t\t\t\t\t\tKind: &structpb.Value_StringValue{\n\t\t\t\t\t\t\t\t\t\t\t\t\t\tStringValue: \"https://pkg.go.dev/vuln/GO-2021-0053\",\n\t\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"GO-2021-0053\"}}},\n\t\t\t\t\t\t\t\tLicenses: nil,\n\t\t\t\t\t\t\t\tLicenseViolations: nil,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tExperimentalAnalysisConfig: models.ExperimentalAnalysisConfig{\n\t\t\t\t\tLicenses: models.ExperimentalLicenseConfig{\n\t\t\t\t\t\tSummary: true,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tImageMetadata: nil,\n\t\t\t\tLicenseSummary: nil,\n\t\t\t},\n\t\t\twantErr: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot, err := ci.LoadVulnResults(tt.path)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"LoadVulnResults() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif diff := cmp.Diff(tt.want, got, protocmp.Transform()); diff != \"\" {\n\t\t\t\tt.Errorf(\"LoadVulnResults() returned unexpected result (-want +got):\\n%s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/ci/vulnerability_result_diff.go", "content": "package ci\n\nimport (\n\t\"github.com/google/osv-scanner/v2/internal/grouper\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// DiffVulnerabilityResults will return any new vulnerabilities that are in `newRes`\n// which is not present in `oldRes`, but not the reverse.\nfunc DiffVulnerabilityResults(oldRes, newRes models.VulnerabilityResults) models.VulnerabilityResults {\n\tresult := models.VulnerabilityResults{}\n\t// Initialize caches for quick lookup\n\tsourceToIndex, packageToIndex, vulnToIndex := initializeCaches(oldRes)\n\n\tfor _, ps := range newRes.Results {\n\t\tsourceIdx, sourceExists := sourceToIndex[ps.Source]\n\t\tif !sourceExists {\n\t\t\t// Newly introduced source, so all results for this source are going to be new, add everything for this source\n\t\t\tresult.Results = append(result.Results, ps)\n\t\t\tcontinue\n\t\t}\n\t\t// Otherwise the old source used to exist, so we need to find the difference in the packages\n\t\tresult.Results = append(result.Results, models.PackageSource{\n\t\t\tSource: ps.Source,\n\t\t})\n\t\tresultPS := &result.Results[len(result.Results)-1]\n\t\tfor _, pv := range ps.Packages {\n\t\t\tpkgIdx, packageExists := packageToIndex[sourceIdx][pv.Package]\n\t\t\tif !packageExists {\n\t\t\t\t// Newly introduced package, so all results for this package are going to be new, add everything for this package\n\t\t\t\tresultPS.Packages = append(resultPS.Packages, pv)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// Otherwise the old package used to exist, so we need to find the difference in the vulnerabilities\n\t\t\t// Only copy over packages as vulns and groups might change\n\t\t\tresultPS.Packages = append(resultPS.Packages, models.PackageVulns{\n\t\t\t\tPackage: pv.Package,\n\t\t\t})\n\t\t\tresultPV := &resultPS.Packages[len(resultPS.Packages)-1]\n\t\t\tfor _, v := range pv.Vulnerabilities {\n\t\t\t\tif !vulnToIndex[sourceIdx][pkgIdx][v.GetId()] {\n\t\t\t\t\t// Vulnerability is new, add it to the results\n\t\t\t\t\tresultPV.Vulnerabilities = append(resultPV.Vulnerabilities, v)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(resultPV.Vulnerabilities) == 0 {\n\t\t\t\t// No vulns, so we can remove the PackageVulns entry entirely, and skip grouping\n\t\t\t\tresultPS.Packages = resultPS.Packages[:len(resultPS.Packages)-1]\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// Rebuild the groups lost in the previous step\n\t\t\tgroups := grouper.Group(grouper.ConvertVulnerabilityToIDAliases(resultPV.Vulnerabilities))\n\t\t\tfor i, group := range groups {\n\t\t\t\tgroups[i].MaxSeverity = output.MaxSeverity(group, *resultPV)\n\t\t\t}\n\t\t\tresultPV.Groups = groups\n\t\t}\n\t\tif len(resultPS.Packages) == 0 {\n\t\t\t// No packages, so we can remove the PackageSource entry entirely\n\t\t\tresult.Results = result.Results[:len(result.Results)-1]\n\t\t\tcontinue\n\t\t}\n\t}\n\n\treturn result\n}\n\n// initializeCaches sets up maps for quick lookup of sources, packages, and vulnerabilities by their indices.\nfunc initializeCaches(oldRes models.VulnerabilityResults) (map[models.SourceInfo]int, []map[models.PackageInfo]int, [][]map[string]bool) {\n\tsourceToIndex := make(map[models.SourceInfo]int, len(oldRes.Results))\n\t// The index in the array corresponds to a source index, a query would look like packageToIndex[sourceIndex][packageInfo]\n\tpackageToIndex := make([]map[models.PackageInfo]int, len(oldRes.Results))\n\t// The first index in the array corresponds to a source index, and the second index corresponds to a package index\n\t// a query would look like vulnToIndex[sourceIndex][packageIndex][vulnID]\n\tvulnToIndex := make([][]map[string]bool, len(oldRes.Results))\n\n\t// Populate index maps for sources, packages, and vulnerabilities\n\tfor sourceIndex, vulnResult := range oldRes.Results {\n\t\tsourceToIndex[oldRes.Results[sourceIndex].Source] = sourceIndex\n\t\tif vulnToIndex[sourceIndex] == nil {\n\t\t\tvulnToIndex[sourceIndex] = make([]map[string]bool, len(vulnResult.Packages))\n\t\t}\n\t\tfor packageIndex, pkg := range vulnResult.Packages {\n\t\t\tif packageToIndex[sourceIndex] == nil {\n\t\t\t\tpackageToIndex[sourceIndex] = make(map[models.PackageInfo]int, len(vulnResult.Packages))\n\t\t\t}\n\t\t\tpackageToIndex[sourceIndex][pkg.Package] = packageIndex\n\t\t\tif vulnToIndex[sourceIndex][packageIndex] == nil {\n\t\t\t\tvulnToIndex[sourceIndex][packageIndex] = make(map[string]bool, len(pkg.Vulnerabilities))\n\t\t\t}\n\t\t\tfor _, vuln := range pkg.Vulnerabilities {\n\t\t\t\tvulnToIndex[sourceIndex][packageIndex][vuln.GetId()] = true // Mark the vulnerability as present\n\t\t\t}\n\t\t}\n\t}\n\n\treturn sourceToIndex, packageToIndex, vulnToIndex\n}\n\n// DiffVulnerabilityResultsByOccurrences will return the occurrence of each vulnerability that are in `newRes`\n// which is not present in `oldRes`, but not the reverse. This calculates the difference by vulnerability ID,\n// while ignoring the source of the vulnerability.\n//\n// This prevents us reporting \"new\" vulnerabilities in a PR when a previously vulnerable file is being moved.\nfunc DiffVulnerabilityResultsByOccurrences(oldRes, newRes models.VulnerabilityResults) map[string]int {\n\toldResFlat := oldRes.Flatten()\n\tnewResFlat := newRes.Flatten()\n\n\toldResMap := map[string]int{}\n\tnewResMap := map[string]int{}\n\n\tfor _, vf := range oldResFlat {\n\t\toldResMap[vf.Vulnerability.GetId()] += 1\n\t}\n\n\tfor _, vf := range newResFlat {\n\t\tnewResMap[vf.Vulnerability.GetId()] += 1\n\t}\n\n\tfor k, oldVulnCount := range oldResMap {\n\t\t// If the new result has fewer vulnerabilities than the old result remove the entry from the new result.\n\t\t// `map`'s default value is 0 when empty, and delete also works fine when the entry is empty\n\t\tif newResMap[k] <= oldVulnCount {\n\t\t\tdelete(newResMap, k)\n\t\t}\n\t}\n\n\treturn newResMap\n}\n" }, { "path": "internal/ci/vulnerability_result_diff_test.go", "content": "package ci_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/ci\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc TestDiffVulnerabilityResults(t *testing.T) {\n\tt.Parallel()\n\ttype args struct {\n\t\toldRes models.VulnerabilityResults\n\t\tnewRes models.VulnerabilityResults\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t}{\n\t\t{\n\t\t\t// diff should be empty since the old and new results are the same\n\t\t\tname: \"same_everything\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should have the moved package only\n\t\t\tname: \"same_packages_but_with_one_moved\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a-1.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should have just the new vuln\n\t\t\tname: \"same_packages_with_new_vuln\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should be empty\n\t\t\tname: \"new_has_one_less_vuln\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should have all the new vulns\n\t\t\tname: \"new_vuln_and_packages\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-c.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should have no vulns\n\t\t\tname: \"old_vuln_and_packages_gone\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-c.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should be empty since new package does not have any vulns\n\t\t\tname: \"old_package_replaced_with_new_package\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-d.json\"),\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot := ci.DiffVulnerabilityResults(tt.args.oldRes, tt.args.newRes)\n\t\t\ttestutility.NewSnapshot().MatchJSON(t, got)\n\t\t})\n\t}\n}\n\nfunc TestDiffVulnerabilityByUniqueVulnCountResults(t *testing.T) {\n\tt.Parallel()\n\ttype args struct {\n\t\toldRes models.VulnerabilityResults\n\t\tnewRes models.VulnerabilityResults\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t}{\n\t\t{\n\t\t\t// diff should be empty\n\t\t\tname: \"same_packages_with_different_source_path\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a-1.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should be empty\n\t\t\tname: \"same_everything\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should have just the new vuln\n\t\t\tname: \"same_package_with_new_vuln\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\t// diff should be empty\n\t\t\tname: \"new_has_one_less_vuln\",\n\t\t\targs: args{\n\t\t\t\toldRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-b.json\"),\n\t\t\t\tnewRes: testutility.LoadJSONFixture[models.VulnerabilityResults](t, \"testdata/vulns/test-vuln-results-a.json\"),\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot := ci.DiffVulnerabilityResultsByOccurrences(tt.args.oldRes, tt.args.newRes)\n\t\t\ttestutility.NewSnapshot().MatchJSON(t, got)\n\t\t})\n\t}\n}\n" }, { "path": "internal/clients/clientimpl/licensematcher/licensematcher.go", "content": "// Package licensematcher implements a client for matching licenses using the deps.dev API.\npackage licensematcher\n\nimport (\n\t\"context\"\n\n\tdepsdevpb \"deps.dev/api/v3\"\n\t\"github.com/google/osv-scalibr/clients/datasource\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"golang.org/x/sync/errgroup\"\n\t\"google.golang.org/grpc/codes\"\n\t\"google.golang.org/grpc/status\"\n)\n\nconst (\n\tmaxConcurrentRequests = 1000\n)\n\n// DepsDevLicenseMatcher implements the LicenseMatcher interface with a deps.dev client.\n// It sends out requests for every package version and does not perform caching.\ntype DepsDevLicenseMatcher struct {\n\tClient *datasource.CachedInsightsClient\n}\n\nfunc (matcher *DepsDevLicenseMatcher) MatchLicenses(ctx context.Context, packages []*extractor.Package) error {\n\tqueries := make([]*depsdevpb.GetVersionRequest, len(packages))\n\n\tfor i, pkg := range packages {\n\t\tsystem, ok := depsdev.System[imodels.Ecosystem(pkg).Ecosystem]\n\t\tif !ok || imodels.Name(pkg) == \"\" || imodels.Version(pkg) == \"\" {\n\t\t\tcontinue\n\t\t}\n\t\tqueries[i] = versionQuery(system, imodels.Name(pkg), imodels.Version(pkg))\n\t}\n\n\tpkgLicenses, err := matcher.makeVersionRequest(ctx, queries)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfor i, licenses := range pkgLicenses {\n\t\tpackages[i].Licenses = make([]string, len(licenses))\n\n\t\tfor j, license := range licenses {\n\t\t\tpackages[i].Licenses[j] = string(license)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// makeVersionRequest calls the deps.dev GetVersion gRPC API endpoint for each\n// query. It makes these requests concurrently, sharing the single HTTP/2\n// connection. The order in which the requests are specified should correspond\n// to the order of licenses returned by this function.\nfunc (matcher *DepsDevLicenseMatcher) makeVersionRequest(ctx context.Context, queries []*depsdevpb.GetVersionRequest) ([][]models.License, error) {\n\tlicenses := make([][]models.License, len(queries))\n\tg, ctx := errgroup.WithContext(ctx)\n\tg.SetLimit(maxConcurrentRequests)\n\n\tfor i := range queries {\n\t\tif queries[i] == nil {\n\t\t\t// This may be a private package.\n\t\t\tlicenses[i] = []models.License{models.License(\"UNKNOWN\")}\n\t\t\tcontinue\n\t\t}\n\t\tg.Go(func() error {\n\t\t\tresp, err := matcher.Client.GetVersion(ctx, queries[i])\n\t\t\tif err != nil {\n\t\t\t\tif status.Code(err) == codes.NotFound {\n\t\t\t\t\tlicenses[i] = append(licenses[i], \"UNKNOWN\")\n\t\t\t\t\treturn nil\n\t\t\t\t}\n\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tls := make([]models.License, len(resp.GetLicenses()))\n\t\t\tfor j, license := range resp.GetLicenses() {\n\t\t\t\tls[j] = models.License(license)\n\t\t\t}\n\t\t\tif len(ls) == 0 {\n\t\t\t\t// The deps.dev API will return an\n\t\t\t\t// empty slice if the license is\n\t\t\t\t// unknown.\n\t\t\t\tls = []models.License{models.License(\"UNKNOWN\")}\n\t\t\t}\n\t\t\tlicenses[i] = ls\n\n\t\t\treturn nil\n\t\t})\n\t}\n\tif err := g.Wait(); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn licenses, nil\n}\n\nfunc versionQuery(system depsdevpb.System, name string, version string) *depsdevpb.GetVersionRequest {\n\tif system == depsdevpb.System_GO {\n\t\t// deps.dev uses native go versioning, which includes prepending v for package versions\n\t\t// and go for stdlib\n\t\tif name == \"stdlib\" {\n\t\t\tversion = \"go\" + version\n\t\t} else {\n\t\t\tversion = \"v\" + version\n\t\t}\n\t}\n\n\treturn &depsdevpb.GetVersionRequest{\n\t\tVersionKey: &depsdevpb.VersionKey{\n\t\t\tSystem: system,\n\t\t\tName: name,\n\t\t\tVersion: version,\n\t\t},\n\t}\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/localmatcher.go", "content": "// Package localmatcher implements a vulnerability matcher\n// that uses a local database downloaded from osv.dev's export bucket.\npackage localmatcher\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nconst zippedDBRemoteHost = \"https://osv-vulnerabilities.storage.googleapis.com\"\nconst envKeyLocalDBCacheDirectory = \"OSV_SCANNER_LOCAL_DB_CACHE_DIRECTORY\"\n\n// LocalMatcher implements the VulnerabilityMatcher interface by downloading the osv export zip files,\n// and performing the matching locally.\ntype LocalMatcher struct {\n\tdbBasePath string\n\tdbs map[osvconstants.Ecosystem]*ZipDB\n\tdownloadDB bool\n\t// failedDBs keeps track of the errors when getting databases for each ecosystem\n\tfailedDBs map[osvconstants.Ecosystem]error\n\t// userAgent sets the user agent requests for db zips are made with\n\tuserAgent string\n}\n\nfunc NewLocalMatcher(localDBPath string, userAgent string, downloadDB bool) (*LocalMatcher, error) {\n\tdbBasePath, err := setupLocalDBDirectory(localDBPath)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not create %s: %w\", dbBasePath, err)\n\t}\n\n\treturn &LocalMatcher{\n\t\tdbBasePath: dbBasePath,\n\t\tdbs: make(map[osvconstants.Ecosystem]*ZipDB),\n\t\tdownloadDB: downloadDB,\n\t\tuserAgent: userAgent,\n\t\tfailedDBs: make(map[osvconstants.Ecosystem]error),\n\t}, nil\n}\n\nfunc (matcher *LocalMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {\n\tresults := make([][]*osvschema.Vulnerability, 0, len(pkgs))\n\n\t// ensure all databases loaded so far have been fully loaded; this is just a\n\t// basic safeguard since we don't actually currently attempt to reuse matchers\n\t// across scans, and its possible we never will, so we don't need to be smart\n\tfor _, db := range matcher.dbs {\n\t\tif db.Partial {\n\t\t\treturn nil, errors.New(\"local matcher cannot be (re)used with a partially loaded database\")\n\t\t}\n\t}\n\n\tfor _, pkg := range pkgs {\n\t\tif ctx.Err() != nil {\n\t\t\treturn nil, ctx.Err()\n\t\t}\n\n\t\teco := imodels.Ecosystem(pkg).Ecosystem\n\n\t\tif imodels.Ecosystem(pkg).IsEmpty() {\n\t\t\tif imodels.Commit(pkg) == \"\" {\n\t\t\t\t// This should never happen, as those results will be filtered out before matching\n\t\t\t\treturn nil, errors.New(\"ecosystem is empty and there is no commit hash\")\n\t\t\t}\n\n\t\t\t// matching ecosystem-less versions can only be attempted if we have a version\n\t\t\tif imodels.Version(pkg) == \"\" {\n\t\t\t\t// Is a commit based query, skip local scanning\n\t\t\t\tresults = append(results, []*osvschema.Vulnerability{})\n\n\t\t\t\t// TODO (V2 logging):\n\t\t\t\tcmdlogger.Infof(\"Skipping commit scanning for: %s\", imodels.Commit(pkg))\n\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\teco = \"GIT\"\n\t\t}\n\n\t\tdb, err := matcher.loadDBFromCache(ctx, eco, pkgs)\n\n\t\tif err != nil {\n\t\t\t// no logging here as the loader will have already done that\n\t\t\tresults = append(results, []*osvschema.Vulnerability{})\n\n\t\t\tcontinue\n\t\t}\n\n\t\tresults = append(results, VulnerabilitiesAffectingPackage(db.Vulnerabilities, pkg))\n\t}\n\n\treturn results, nil\n}\n\n// LoadEcosystem tries to preload the ecosystem into the cache, and returns an error if the ecosystem\n// cannot be loaded.\n//\n// Preloaded databases include every advisory, so can be reused.\nfunc (matcher *LocalMatcher) LoadEcosystem(ctx context.Context, eco osvecosystem.Parsed) error {\n\t_, err := matcher.loadDBFromCache(ctx, eco.Ecosystem, nil)\n\n\treturn err\n}\n\nfunc (matcher *LocalMatcher) loadDBFromCache(ctx context.Context, eco osvconstants.Ecosystem, invs []*extractor.Package) (*ZipDB, error) {\n\tif db, ok := matcher.dbs[eco]; ok {\n\t\treturn db, nil\n\t}\n\n\tif matcher.failedDBs[eco] != nil {\n\t\treturn nil, matcher.failedDBs[eco]\n\t}\n\n\tdb, err := NewZippedDB(\n\t\tctx,\n\t\tmatcher.dbBasePath,\n\t\tstring(eco),\n\t\tfmt.Sprintf(\"%s/%s/all.zip\", zippedDBRemoteHost, eco),\n\t\tmatcher.userAgent,\n\t\t!matcher.downloadDB,\n\t\tinvs,\n\t)\n\n\tif err != nil {\n\t\tmatcher.failedDBs[eco] = err\n\t\tcmdlogger.Errorf(\"could not load db for %s ecosystem: %v\", eco, err)\n\n\t\treturn nil, err\n\t}\n\n\tcmdlogger.Infof(\"Loaded %s local db from %s\", db.Name, db.StoredAt)\n\n\tmatcher.dbs[eco] = db\n\n\treturn db, nil\n}\n\n// setupLocalDBDirectory attempts to set up the directory the scanner should\n// use to store local databases.\n//\n// if a local path is explicitly provided either by the localDBPath parameter\n// or via the envKeyLocalDBCacheDirectory environment variable, the scanner will\n// attempt to use the user cache directory if possible or otherwise the temp directory\n//\n// if an error occurs at any point when a local path is not explicitly provided,\n// the scanner will fall back to the temp directory first before finally erroring\nfunc setupLocalDBDirectory(localDBPath string) (string, error) {\n\tvar err error\n\n\t// fallback to the env variable if a local database path has not been provided\n\tif localDBPath == \"\" {\n\t\tif p, envSet := os.LookupEnv(envKeyLocalDBCacheDirectory); envSet {\n\t\t\tlocalDBPath = p\n\t\t}\n\t}\n\n\timplicitPath := localDBPath == \"\"\n\n\t// if we're implicitly picking a path, use the user cache directory if available\n\tif implicitPath {\n\t\tlocalDBPath, err = os.UserCacheDir()\n\n\t\tif err != nil {\n\t\t\tlocalDBPath = os.TempDir()\n\t\t}\n\t}\n\n\taltPath := path.Join(localDBPath, \"osv-scanner\")\n\terr = os.MkdirAll(altPath, 0750)\n\tif err == nil {\n\t\treturn altPath, nil\n\t}\n\n\t// if we're implicitly picking a path, try the temp directory before giving up\n\tif implicitPath && localDBPath != os.TempDir() {\n\t\treturn setupLocalDBDirectory(os.TempDir())\n\t}\n\n\treturn \"\", err\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/testdata/db/file.json", "content": "{\n \"id\": \"GHSA-1234\"\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/testdata/db/file.yaml", "content": "id: GHSA-5678\n" }, { "path": "internal/clients/clientimpl/localmatcher/testdata/db/nested-1/osv-1.json", "content": "{\n \"id\": \"OSV-1\"\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/testdata/db/nested-2/invalid.json", "content": "{\n \"id\": \"OSV-2\"\n" }, { "path": "internal/clients/clientimpl/localmatcher/testdata/db/nested-2/osv-2.json", "content": "{\n \"id\": \"OSV-2\"\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/zip.go", "content": "package localmatcher\n\nimport (\n\t\"archive/zip\"\n\t\"context\"\n\t\"encoding/base64\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"fmt\"\n\t\"hash/crc32\"\n\t\"io\"\n\t\"net/http\"\n\t\"os\"\n\t\"path\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"github.com/tidwall/gjson\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\ntype ZipDB struct {\n\t// the name of the database\n\tName string\n\t// the url that the zip archive was downloaded from\n\tArchiveURL string\n\t// whether this database should make any network requests\n\tOffline bool\n\t// the path to the zip archive on disk\n\tStoredAt string\n\t// the vulnerabilities that are loaded into this database\n\tVulnerabilities []*osvschema.Vulnerability\n\t// User agent to query with\n\tUserAgent string\n\n\t// whether this database only has some of the advisories\n\t// loaded from the underlying zip file\n\tPartial bool\n}\n\nvar ErrOfflineDatabaseNotFound = errors.New(\"no offline version of the OSV database is available\")\n\nfunc fetchRemoteArchiveCRC32CHash(ctx context.Context, url string) (uint32, error) {\n\treq, err := http.NewRequestWithContext(ctx, http.MethodHead, url, nil)\n\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\tresp, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn 0, err\n\t}\n\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn 0, fmt.Errorf(\"db host returned %s\", resp.Status)\n\t}\n\n\tfor _, value := range resp.Header.Values(\"X-Goog-Hash\") {\n\t\tif after, ok := strings.CutPrefix(value, \"crc32c=\"); ok {\n\t\t\tvalue = after\n\t\t\tout, err := base64.StdEncoding.DecodeString(value)\n\n\t\t\tif err != nil {\n\t\t\t\treturn 0, fmt.Errorf(\"could not decode crc32c= checksum: %w\", err)\n\t\t\t}\n\n\t\t\treturn binary.BigEndian.Uint32(out), nil\n\t\t}\n\t}\n\n\treturn 0, errors.New(\"could not find crc32c= checksum\")\n}\n\nfunc fetchLocalArchiveCRC32CHash(f *os.File) (uint32, error) {\n\th := crc32.New(crc32.MakeTable(crc32.Castagnoli))\n\n\tif _, err := io.Copy(h, f); err != nil {\n\t\treturn 0, err\n\t}\n\n\treturn h.Sum32(), nil\n}\n\nfunc (db *ZipDB) fetchZip(ctx context.Context) (*os.File, error) {\n\tf, err := os.Open(db.StoredAt)\n\n\tif db.Offline {\n\t\tif err != nil {\n\t\t\treturn nil, ErrOfflineDatabaseNotFound\n\t\t}\n\n\t\treturn f, nil\n\t}\n\n\tif err == nil {\n\t\tremoteHash, err := fetchRemoteArchiveCRC32CHash(ctx, db.ArchiveURL)\n\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tlocalHash, err := fetchLocalArchiveCRC32CHash(f)\n\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tif remoteHash == localHash {\n\t\t\treturn f, nil\n\t\t}\n\t}\n\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, db.ArchiveURL, nil)\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not retrieve OSV database archive: %w\", err)\n\t}\n\n\tif db.UserAgent != \"\" {\n\t\treq.Header.Set(\"User-Agent\", db.UserAgent)\n\t}\n\n\tresp, err := http.DefaultClient.Do(req)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not retrieve OSV database archive: %w\", err)\n\t}\n\n\tdefer resp.Body.Close()\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn nil, fmt.Errorf(\"db host returned %s\", resp.Status)\n\t}\n\n\terr = os.MkdirAll(path.Dir(db.StoredAt), 0750)\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not create cache directory: %w\", err)\n\t}\n\n\tf, err = os.OpenFile(db.StoredAt, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not create cache file: %w\", err)\n\t}\n\n\t_, err = io.Copy(f, resp.Body)\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"could not write cache file: %w\", err)\n\t}\n\n\t_, _ = f.Seek(0, io.SeekStart)\n\n\treturn f, nil\n}\n\nfunc mightAffectPackagesBytes(content []byte, names []string) bool {\n\taffected := gjson.GetBytes(content, \"affected\")\n\n\tfor _, name := range affected.Get(\"#.package.name\").Array() {\n\t\tif slices.Contains(names, name.String()) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\tfor _, repos := range affected.Get(\"#.ranges.#.repo\").Array() {\n\t\tfor _, repo := range repos.Array() {\n\t\t\trepoName := vulns.NormalizeRepo(repo.String())\n\n\t\t\tfor _, name := range names {\n\t\t\t\t// \"name\" will be the git repository in the case of the GIT ecosystem\n\t\t\t\tif repoName == vulns.NormalizeRepo(name) {\n\t\t\t\t\treturn true\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn false\n}\n\n// Loads the given zip file into the database as an OSV.\n// It is assumed that the file is JSON and in the working directory of the db\nfunc (db *ZipDB) loadZipFile(zipFile *zip.File, names []string) {\n\tfile, err := zipFile.Open()\n\tif err != nil {\n\t\tcmdlogger.Warnf(\"Could not read %s: %v\", zipFile.Name, err)\n\n\t\treturn\n\t}\n\tdefer file.Close()\n\n\tcontent, err := io.ReadAll(file)\n\tif err != nil {\n\t\tcmdlogger.Warnf(\"Could not read %s: %v\", zipFile.Name, err)\n\n\t\treturn\n\t}\n\n\t// if we have been provided a list of package names, only load advisories\n\t// that might actually affect those packages, rather than all advisories\n\tif len(names) > 0 && !mightAffectPackagesBytes(content, names) {\n\t\treturn\n\t}\n\n\tvulnerability := &osvschema.Vulnerability{}\n\tif err := protojson.Unmarshal(content, vulnerability); err != nil {\n\t\tcmdlogger.Warnf(\"%s is not a valid JSON file: %v\", zipFile.Name, err)\n\n\t\treturn\n\t}\n\n\tdb.Vulnerabilities = append(db.Vulnerabilities, vulnerability)\n}\n\n// load fetches a zip archive of the OSV database and loads known vulnerabilities\n// from it (which are assumed to be in json files following the OSV spec).\n//\n// If a list of package names is provided, then only advisories with at least\n// one affected entry for a listed package will be loaded.\n//\n// Internally, the archive is cached along with the date that it was fetched\n// so that a new version of the archive is only downloaded if it has been\n// modified, per HTTP caching standards.\nfunc (db *ZipDB) load(ctx context.Context, names []string) error {\n\tdb.Vulnerabilities = []*osvschema.Vulnerability{}\n\n\tf, err := db.fetchZip(ctx)\n\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tdefer f.Close()\n\n\ts, err := f.Stat()\n\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tzipReader, err := zip.NewReader(f, s.Size())\n\tif err != nil {\n\t\treturn fmt.Errorf(\"could not read OSV database archive: %w\", err)\n\t}\n\n\t// Read all the files from the zip archive\n\tfor _, zipFile := range zipReader.File {\n\t\tif !strings.HasSuffix(zipFile.Name, \".json\") {\n\t\t\tcontinue\n\t\t}\n\n\t\tdb.loadZipFile(zipFile, names)\n\t}\n\n\treturn nil\n}\n\nfunc NewZippedDB(ctx context.Context, dbBasePath, name, url, userAgent string, offline bool, pkgs []*extractor.Package) (*ZipDB, error) {\n\tdb := &ZipDB{\n\t\tName: name,\n\t\tArchiveURL: url,\n\t\tOffline: offline,\n\t\tStoredAt: path.Join(dbBasePath, name, \"all.zip\"),\n\t\tUserAgent: userAgent,\n\n\t\t// we only fully load the database if we're not provided a list of packages\n\t\tPartial: len(pkgs) != 0,\n\t}\n\tnames := make([]string, 0, len(pkgs))\n\n\t// map the packages to their names ahead of loading,\n\t// to make things simpler and reduce double working\n\tfor _, pkg := range pkgs {\n\t\tnames = append(names, imodels.Name(pkg))\n\t}\n\n\tif err := db.load(ctx, names); err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to fetch OSV database: %w\", err)\n\t}\n\n\treturn db, nil\n}\n\n// VulnerabilitiesAffectingPackage returns the vulnerabilities that affects the provided package\n//\n// TODO: Move this to another file.\nfunc VulnerabilitiesAffectingPackage(allVulns []*osvschema.Vulnerability, pkg *extractor.Package) []*osvschema.Vulnerability {\n\tvar vulnerabilities []*osvschema.Vulnerability\n\n\tfor _, vulnerability := range allVulns {\n\t\tif vulnerability.GetWithdrawn() == nil && vulns.IsAffected(vulnerability, pkg) && !vulns.Include(vulnerabilities, vulnerability) {\n\t\t\tvulnerabilities = append(vulnerabilities, vulnerability)\n\t\t}\n\t}\n\n\treturn vulnerabilities\n}\n" }, { "path": "internal/clients/clientimpl/localmatcher/zip_test.go", "content": "package localmatcher_test\n\nimport (\n\t\"archive/zip\"\n\t\"bytes\"\n\t\"encoding/base64\"\n\t\"encoding/binary\"\n\t\"errors\"\n\t\"hash/crc32\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"path\"\n\t\"sort\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"google.golang.org/protobuf/testing/protocmp\"\n)\n\nconst userAgent = \"osv-scanner_test/\" + version.OSVVersion\n\nfunc expectDBToHaveOSVs(\n\tt *testing.T,\n\tdb *localmatcher.ZipDB,\n\texpect []*osvschema.Vulnerability,\n) {\n\tt.Helper()\n\n\tvulns := db.Vulnerabilities\n\n\tsort.Slice(vulns, func(i, j int) bool {\n\t\treturn vulns[i].GetId() < vulns[j].GetId()\n\t})\n\tsort.Slice(expect, func(i, j int) bool {\n\t\treturn expect[i].GetId() < expect[j].GetId()\n\t})\n\n\tif diff := cmp.Diff(expect, vulns, protocmp.Transform()); diff != \"\" {\n\t\tt.Errorf(\"db is missing some vulnerabilities (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc cacheWrite(t *testing.T, storedAt string, cache []byte) {\n\tt.Helper()\n\n\terr := os.MkdirAll(path.Dir(storedAt), 0750)\n\n\tif err == nil {\n\t\t//nolint:gosec // being world readable is fine\n\t\terr = os.WriteFile(storedAt, cache, 0644)\n\t}\n\n\tif err != nil {\n\t\tt.Errorf(\"unexpected error with cache: %v\", err)\n\t}\n}\n\nfunc cacheWriteBad(t *testing.T, storedAt string, contents string) {\n\tt.Helper()\n\n\terr := os.MkdirAll(path.Dir(storedAt), 0750)\n\n\tif err == nil {\n\t\t//nolint:gosec // being world readable is fine\n\t\terr = os.WriteFile(storedAt, []byte(contents), 0644)\n\t}\n\n\tif err != nil {\n\t\tt.Errorf(\"unexpected error with cache: %v\", err)\n\t}\n}\n\nfunc createZipServer(t *testing.T, handler http.HandlerFunc) *httptest.Server {\n\tt.Helper()\n\n\tts := httptest.NewServer(handler)\n\n\tt.Cleanup(ts.Close)\n\n\treturn ts\n}\n\nfunc computeCRC32CHash(t *testing.T, data []byte) string {\n\tt.Helper()\n\n\thash := crc32.Checksum(data, crc32.MakeTable(crc32.Castagnoli))\n\n\treturn base64.StdEncoding.EncodeToString(binary.BigEndian.AppendUint32([]byte{}, hash))\n}\n\nfunc writeOSVsZip(t *testing.T, w http.ResponseWriter, osvs map[string]*osvschema.Vulnerability) (int, error) {\n\tt.Helper()\n\n\tz := zipOSVs(t, osvs)\n\n\tw.Header().Add(\"x-goog-hash\", \"crc32c=\"+computeCRC32CHash(t, z))\n\n\treturn w.Write(z)\n}\n\nfunc zipOSVs(t *testing.T, osvs map[string]*osvschema.Vulnerability) []byte {\n\tt.Helper()\n\n\tbuf := new(bytes.Buffer)\n\twriter := zip.NewWriter(buf)\n\n\tfor fp, osv := range osvs {\n\t\tdata, err := protojson.Marshal(osv)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"could not marshal %v: %v\", osv, err)\n\t\t}\n\n\t\tf, err := writer.Create(fp)\n\t\tif err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t\t_, err = f.Write(data)\n\t\tif err != nil {\n\t\t\tt.Fatal(err)\n\t\t}\n\t}\n\n\tif err := writer.Close(); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\treturn buf.Bytes()\n}\n\n//nolint:unparam // name might get changed at some point\nfunc determineStoredAtPath(dbBasePath, name string) string {\n\treturn path.Join(dbBasePath, name, \"all.zip\")\n}\n\nfunc TestNewZippedDB_Offline_WithoutCache(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(_ http.ResponseWriter, _ *http.Request) {\n\t\tt.Errorf(\"a server request was made when running offline\")\n\t})\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, true, nil)\n\n\tif !errors.Is(err, localmatcher.ErrOfflineDatabaseNotFound) {\n\t\tt.Errorf(\"expected \\\"%v\\\" error but got \\\"%v\\\"\", localmatcher.ErrOfflineDatabaseNotFound, err)\n\t}\n}\n\nfunc TestNewZippedDB_Offline_WithCache(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t\t{Id: \"GHSA-4\"},\n\t\t{Id: \"GHSA-5\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(_ http.ResponseWriter, _ *http.Request) {\n\t\tt.Errorf(\"a server request was made when running offline\")\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t}))\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, true, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_BadZip(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = w.Write([]byte(\"this is not a zip\"))\n\t})\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_UnsupportedProtocol(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", \"file://hello-world\", userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_Online_WithoutCache(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t\t{Id: \"GHSA-4\"},\n\t\t{Id: \"GHSA-5\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t\t})\n\t})\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_Online_WithoutCacheAndNoHashHeader(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t\t{Id: \"GHSA-4\"},\n\t\t{Id: \"GHSA-5\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t\t}))\n\t})\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_Online_WithSameCache(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tcache := zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t})\n\n\tts := createZipServer(t, func(w http.ResponseWriter, r *http.Request) {\n\t\tif r.Method != http.MethodHead {\n\t\t\tt.Errorf(\"unexpected %s request\", r.Method)\n\t\t}\n\n\t\tw.Header().Add(\"x-goog-hash\", \"crc32c=\"+computeCRC32CHash(t, cache))\n\n\t\t_, _ = w.Write(cache)\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), cache)\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_Online_WithDifferentCache(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t\t{Id: \"GHSA-4\"},\n\t\t{Id: \"GHSA-5\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t\t})\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t}))\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_Online_WithCacheButBadHeadResponse(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\tw.WriteHeader(http.StatusBadRequest)\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t}))\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_Online_WithCacheButBadHashHeader(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t\t}))\n\n\t\tw.Header().Add(\"x-goog-hash\", \"crc32c=bad-value\")\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t}))\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_Online_WithCacheButNoHashHeader(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = w.Write(zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t\t\"GHSA-4.json\": {Id: \"GHSA-4\"},\n\t\t\t\"GHSA-5.json\": {Id: \"GHSA-5\"},\n\t\t}))\n\t})\n\n\tcacheWrite(t, determineStoredAtPath(testDir, \"my-db\"), zipOSVs(t, map[string]*osvschema.Vulnerability{\n\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t}))\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_Online_WithBadCache(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{\n\t\t{Id: \"GHSA-1\"},\n\t\t{Id: \"GHSA-2\"},\n\t\t{Id: \"GHSA-3\"},\n\t}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {Id: \"GHSA-1\"},\n\t\t\t\"GHSA-2.json\": {Id: \"GHSA-2\"},\n\t\t\t\"GHSA-3.json\": {Id: \"GHSA-3\"},\n\t\t})\n\t})\n\n\tcacheWriteBad(t, determineStoredAtPath(testDir, \"my-db\"), \"this is not json!\")\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_Online_WithBadGetResponse(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, r *http.Request) {\n\t\tif r.Method == http.MethodGet {\n\t\t\tw.WriteHeader(http.StatusMethodNotAllowed)\n\n\t\t\treturn\n\t\t}\n\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{})\n\t})\n\n\t_, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err == nil {\n\t\tt.Errorf(\"expected an error but did not get one\")\n\t}\n}\n\nfunc TestNewZippedDB_FileChecks(t *testing.T) {\n\tt.Parallel()\n\n\tosvs := []*osvschema.Vulnerability{{Id: \"GHSA-1234\"}, {Id: \"GHSA-4321\"}}\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{\n\t\t\t\"file.json\": {Id: \"GHSA-1234\"},\n\t\t\t// only files with .json suffix should be loaded\n\t\t\t\"file.yaml\": {Id: \"GHSA-5678\"},\n\t\t\t// (no longer) special case for the GH security database\n\t\t\t\"advisory-database-main/advisories/unreviewed/file.json\": {Id: \"GHSA-4321\"},\n\t\t})\n\t})\n\n\tdb, err := localmatcher.NewZippedDB(t.Context(), testDir, \"my-db\", ts.URL, userAgent, false, nil)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\tif db.Partial != false {\n\t\tt.Errorf(\"db is incorrectly marked as partially loaded\")\n\t}\n\texpectDBToHaveOSVs(t, db, osvs)\n}\n\nfunc TestNewZippedDB_WithSpecificPackages(t *testing.T) {\n\tt.Parallel()\n\n\ttestDir := testutility.CreateTestDir(t)\n\n\tts := createZipServer(t, func(w http.ResponseWriter, _ *http.Request) {\n\t\t_, _ = writeOSVsZip(t, w, map[string]*osvschema.Vulnerability{\n\t\t\t\"GHSA-1.json\": {\n\t\t\t\tId: \"GHSA-1\",\n\t\t\t\tAffected: []*osvschema.Affected{},\n\t\t\t},\n\t\t\t\"GHSA-2.json\": {\n\t\t\t\tId: \"GHSA-2\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-1\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-3.json\": {\n\t\t\t\tId: \"GHSA-3\",\n\t\t\t},\n\t\t\t\"GHSA-4.json\": {\n\t\t\t\tId: \"GHSA-4\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-2\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-5.json\": {\n\t\t\t\tId: \"GHSA-5\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-2\"}},\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-1\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-6.json\": {\n\t\t\t\tId: \"GHSA-6\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-3\"}},\n\t\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-2\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-7.json\": {\n\t\t\t\tId: \"GHSA-7\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{\n\t\t\t\t\t\tRanges: []*osvschema.Range{\n\t\t\t\t\t\t\t{Type: osvschema.Range_SEMVER},\n\t\t\t\t\t\t\t{Type: osvschema.Range_GIT, Repo: \"https://github.com/org/repo\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-8.json\": {\n\t\t\t\tId: \"GHSA-8\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{Ranges: []*osvschema.Range{{Type: osvschema.Range_SEMVER}}},\n\t\t\t\t\t{Ranges: []*osvschema.Range{{Type: osvschema.Range_GIT, Repo: \"git://github.com/org/repo.git\"}}},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"GHSA-9.json\": {\n\t\t\t\tId: \"GHSA-9\",\n\t\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t\t{\n\t\t\t\t\t\tRanges: []*osvschema.Range{\n\t\t\t\t\t\t\t{Type: osvschema.Range_GIT, Repo: \"https://github.com/anotherorg/anotherrepo\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t})\n\n\tdb, err := localmatcher.NewZippedDB(\n\t\tt.Context(),\n\t\ttestDir,\n\t\t\"my-db\",\n\t\tts.URL,\n\t\tuserAgent,\n\t\tfalse,\n\t\t[]*extractor.Package{{Name: \"pkg-1\"}, {Name: \"pkg-3\"}, {Name: \"https://github.com/org/repo\"}},\n\t)\n\n\tif err != nil {\n\t\tt.Fatalf(\"unexpected error \\\"%v\\\"\", err)\n\t}\n\n\t// we are loaded for specific packages\n\tif db.Partial != true {\n\t\tt.Errorf(\"db is incorrectly marked as fully loaded\")\n\t}\n\n\texpectDBToHaveOSVs(t, db, []*osvschema.Vulnerability{\n\t\t{\n\t\t\tId: \"GHSA-2\",\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-1\"}},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tId: \"GHSA-5\",\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-2\"}},\n\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-1\"}},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tId: \"GHSA-6\",\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-3\"}},\n\t\t\t\t{Package: &osvschema.Package{Name: \"pkg-2\"}},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tId: \"GHSA-7\",\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Ranges: []*osvschema.Range{\n\t\t\t\t\t{Type: osvschema.Range_SEMVER},\n\t\t\t\t\t{Type: osvschema.Range_GIT, Repo: \"https://github.com/org/repo\"},\n\t\t\t\t}},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tId: \"GHSA-8\",\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Ranges: []*osvschema.Range{{Type: osvschema.Range_SEMVER}}},\n\t\t\t\t{Ranges: []*osvschema.Range{{Type: osvschema.Range_GIT, Repo: \"git://github.com/org/repo.git\"}}},\n\t\t\t},\n\t\t},\n\t})\n}\n" }, { "path": "internal/clients/clientimpl/osvmatcher/cachedosvmatcher.go", "content": "// Package osvmatcher implements two vulnerability matcher using osv.dev's API.\npackage osvmatcher\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"maps\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"golang.org/x/sync/errgroup\"\n\t\"osv.dev/bindings/go/api\"\n\t\"osv.dev/bindings/go/osvdev\"\n\t\"osv.dev/bindings/go/osvdevexperimental\"\n)\n\n// CachedOSVMatcher implements the VulnerabilityMatcher interface with a osv.dev client.\n// It sends out requests for every vulnerability of each package, which get cached.\n// Checking if a specific version matches an OSV record is done locally.\n// This should be used when we know the same packages are going to be repeatedly\n// queried multiple times, as in guided remediation.\n// TODO: This does not support commit-based queries.\ntype CachedOSVMatcher struct {\n\tClient osvdev.OSVClient\n\t// InitialQueryTimeout allows you to set a timeout specifically for the initial paging query\n\t// If timeout runs out, whatever pages that has been successfully queried within the timeout will\n\t// still return fully hydrated.\n\tInitialQueryTimeout time.Duration\n\n\tvulnCache sync.Map // map[PackageKey][]osvschema.Vulnerability\n}\n\nfunc (matcher *CachedOSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {\n\t// populate vulnCache with missing packages\n\tif err := matcher.doQueries(ctx, pkgs); err != nil {\n\t\treturn nil, err\n\t}\n\n\tresults := make([][]*osvschema.Vulnerability, len(pkgs))\n\n\tfor i, pkg := range pkgs {\n\t\tif ctx.Err() != nil {\n\t\t\treturn nil, ctx.Err()\n\t\t}\n\n\t\tcachedVulns, ok := matcher.vulnCache.Load(\n\t\t\tvulns.NewPackageKey(&osvschema.Package{\n\t\t\t\tName: imodels.Name(pkg),\n\t\t\t\tEcosystem: imodels.Ecosystem(pkg).String(),\n\t\t\t}))\n\t\tif !ok {\n\t\t\tcontinue\n\t\t}\n\t\tresults[i] = localmatcher.VulnerabilitiesAffectingPackage(cachedVulns.([]*osvschema.Vulnerability), pkg)\n\t}\n\n\treturn results, nil\n}\n\nfunc (matcher *CachedOSVMatcher) doQueries(ctx context.Context, invs []*extractor.Package) error {\n\tvar batchResp *api.BatchVulnerabilityList\n\tdeadlineExceeded := false\n\n\tvar queries []*api.Query\n\t// determine which packages aren't already cached\n\t// convert Package to Query for each pkgs element\n\ttoQuery := make(map[*api.Query]struct{})\n\tfor _, inv := range invs {\n\t\tif imodels.Name(inv) == \"\" || imodels.Ecosystem(inv).IsEmpty() {\n\t\t\tcontinue\n\t\t}\n\t\tpkg := &osvschema.Package{\n\t\t\tName: imodels.Name(inv),\n\t\t\tEcosystem: imodels.Ecosystem(inv).String(),\n\t\t}\n\t\tif _, ok := matcher.vulnCache.Load(vulns.NewPackageKey(pkg)); !ok {\n\t\t\ttoQuery[&api.Query{Package: pkg}] = struct{}{}\n\t\t}\n\t}\n\tqueries = slices.AppendSeq(make([]*api.Query, 0, len(toQuery)), maps.Keys(toQuery))\n\n\tif len(queries) == 0 {\n\t\treturn nil\n\t}\n\n\tvar err error\n\n\t// If there is a timeout for the initial query, set an additional context deadline here.\n\tif matcher.InitialQueryTimeout > 0 {\n\t\tbatchQueryCtx, cancelFunc := context.WithDeadline(ctx, time.Now().Add(matcher.InitialQueryTimeout))\n\t\tbatchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)\n\t\tcancelFunc()\n\t} else {\n\t\tbatchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)\n\t}\n\n\tif err != nil {\n\t\t// Deadline being exceeded is likely caused by a long paging time\n\t\t// if that's the case, we should return what we already got, and\n\t\t// then let the caller know it is not all the results.\n\t\tif errors.Is(err, context.DeadlineExceeded) {\n\t\t\tdeadlineExceeded = true\n\t\t} else {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tvulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults()))\n\tg, ctx := errgroup.WithContext(ctx)\n\tg.SetLimit(maxConcurrentRequests)\n\n\tfor batchIdx, resp := range batchResp.GetResults() {\n\t\tvulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns()))\n\t\tfor resultIdx, vuln := range resp.GetVulns() {\n\t\t\tg.Go(func() error {\n\t\t\t\t// exit early if another hydration request has already failed\n\t\t\t\t// results are thrown away later, so avoid needless work\n\t\t\t\tif ctx.Err() != nil {\n\t\t\t\t\treturn nil //nolint:nilerr // this value doesn't matter to errgroup.Wait()\n\t\t\t\t}\n\t\t\t\tvuln, err := matcher.Client.GetVulnByID(ctx, vuln.GetId())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tvulnerabilities[batchIdx][resultIdx] = vuln\n\n\t\t\t\treturn nil\n\t\t\t})\n\t\t}\n\t}\n\n\tif err := g.Wait(); err != nil {\n\t\treturn err\n\t}\n\n\tif deadlineExceeded {\n\t\treturn context.DeadlineExceeded\n\t}\n\n\tfor i, vs := range vulnerabilities {\n\t\tmatcher.vulnCache.Store(vulns.NewPackageKey(queries[i].GetPackage()), vs)\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/clients/clientimpl/osvmatcher/osvmatcher.go", "content": "package osvmatcher\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"net/http\"\n\t\"time\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"golang.org/x/sync/errgroup\"\n\t\"osv.dev/bindings/go/api\"\n\t\"osv.dev/bindings/go/osvdev\"\n\t\"osv.dev/bindings/go/osvdevexperimental\"\n)\n\nconst (\n\tmaxConcurrentRequests = 1000\n)\n\n// goVersionSuffixRegexp matches a Golang major suffix in a PURL's subpath.\n//\n// Matches:\n// - v4 - v4\n// - /v5/sdk/internal - v5\n//\n// Does not match:\n// - sdk/internal\n// - /sdk/resourcemanager/iothub/armiothub\nvar goVersionSuffixRegexp = cachedregexp.MustCompile(`^/?(v\\d+)`)\n\n// OSVMatcher implements the VulnerabilityMatcher interface with an osv.dev client.\n// It sends out requests for every package version and does not perform caching.\ntype OSVMatcher struct {\n\tClient osvdev.OSVClient\n\t// InitialQueryTimeout allows you to set a timeout specifically for the initial paging query\n\t// If timeout runs out, whatever pages that has been successfully queried within the timeout will\n\t// still return fully hydrated.\n\tInitialQueryTimeout time.Duration\n}\n\nfunc New(initialQueryTimeout time.Duration, userAgent string, httpClient *http.Client) *OSVMatcher {\n\tif httpClient == nil {\n\t\thttpClient = http.DefaultClient\n\t}\n\n\tconfig := osvdev.DefaultConfig()\n\tconfig.UserAgent = userAgent\n\n\treturn &OSVMatcher{\n\t\tClient: osvdev.OSVClient{\n\t\t\tHTTPClient: httpClient,\n\t\t\tConfig: config,\n\t\t\tBaseHostURL: osvdev.DefaultBaseURL,\n\t\t},\n\t\tInitialQueryTimeout: initialQueryTimeout,\n\t}\n}\n\n// MatchVulnerabilities matches vulnerabilities for a list of packages.\nfunc (matcher *OSVMatcher) MatchVulnerabilities(ctx context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {\n\tvar batchResp *api.BatchVulnerabilityList\n\tdeadlineExceeded := false\n\n\t{\n\t\tvar err error\n\n\t\t// convert Package to Query for each pkgs element\n\t\tqueries := pkgsToQueries(pkgs)\n\t\t// If there is a timeout for the initial query, set an additional context deadline here.\n\t\tif matcher.InitialQueryTimeout > 0 {\n\t\t\tbatchQueryCtx, cancelFunc := context.WithDeadline(ctx, time.Now().Add(matcher.InitialQueryTimeout))\n\t\t\tbatchResp, err = osvdevexperimental.BatchQueryPaging(batchQueryCtx, &matcher.Client, queries)\n\t\t\tcancelFunc()\n\t\t} else {\n\t\t\tbatchResp, err = osvdevexperimental.BatchQueryPaging(ctx, &matcher.Client, queries)\n\t\t}\n\n\t\tif err != nil {\n\t\t\t// Deadline being exceeded is likely caused by a long paging time\n\t\t\t// if that's the case, we should return what we already got, and\n\t\t\t// then let the caller know it is not all the results.\n\t\t\tif errors.Is(err, context.DeadlineExceeded) {\n\t\t\t\tdeadlineExceeded = true\n\t\t\t} else {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\n\t\t// No results found - this could be due to a timeout\n\t\tif batchResp == nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\tvulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults()))\n\tg, ctx := errgroup.WithContext(ctx)\n\tg.SetLimit(maxConcurrentRequests)\n\n\tfor batchIdx, resp := range batchResp.GetResults() {\n\t\tvulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns()))\n\t\tfor resultIdx, vuln := range resp.GetVulns() {\n\t\t\tg.Go(func() error {\n\t\t\t\t// exit early if another hydration request has already failed\n\t\t\t\t// results are thrown away later, so avoid needless work\n\t\t\t\tif ctx.Err() != nil {\n\t\t\t\t\treturn nil //nolint:nilerr // this value doesn't matter to errgroup.Wait()\n\t\t\t\t}\n\t\t\t\tvuln, err := matcher.Client.GetVulnByID(ctx, vuln.GetId())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tvulnerabilities[batchIdx][resultIdx] = vuln\n\n\t\t\t\treturn nil\n\t\t\t})\n\t\t}\n\t}\n\n\tif err := g.Wait(); err != nil {\n\t\treturn nil, err\n\t}\n\n\tif deadlineExceeded {\n\t\treturn vulnerabilities, context.DeadlineExceeded\n\t}\n\n\treturn vulnerabilities, nil\n}\n\nfunc pkgToQuery(pkg *extractor.Package) *api.Query {\n\tif imodels.Name(pkg) != \"\" && !imodels.Ecosystem(pkg).IsEmpty() && imodels.Version(pkg) != \"\" {\n\t\tname := imodels.Name(pkg)\n\n\t\t// Tools like Syft create Go PURLs where the module's major suffix is part\n\t\t// of the subpath as opposed to the package name:\n\t\t//\n\t\t// pkg:golang/github.com/go-jose/go-jose@v4.1.3#v4\n\t\t//\n\t\t// For a correct match we need to add the major suffix back\n\t\tif imodels.Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && pkg.PURL().Subpath != \"\" {\n\t\t\tmatch := goVersionSuffixRegexp.FindStringSubmatch(pkg.PURL().Subpath)\n\t\t\tif match != nil {\n\t\t\t\tname += \"/\" + match[1]\n\t\t\t}\n\t\t}\n\n\t\treturn &api.Query{\n\t\t\tPackage: &osvschema.Package{\n\t\t\t\tName: name,\n\t\t\t\tEcosystem: imodels.Ecosystem(pkg).String(),\n\t\t\t},\n\t\t\tParam: &api.Query_Version{\n\t\t\t\tVersion: imodels.Version(pkg),\n\t\t\t},\n\t\t}\n\t}\n\n\tif imodels.Commit(pkg) != \"\" {\n\t\treturn &api.Query{\n\t\t\tParam: &api.Query_Commit{\n\t\t\t\tCommit: imodels.Commit(pkg),\n\t\t\t},\n\t\t}\n\t}\n\n\t// This should have be filtered out before reaching this point\n\tcmdlogger.Errorf(\"invalid query element: %#v\", pkg)\n\n\treturn nil\n}\n\n// pkgsToQueries converts packages to queries via the osv-scanner internal imodels\n// to perform the necessary transformations\nfunc pkgsToQueries(pkgs []*extractor.Package) []*api.Query {\n\tqueries := make([]*api.Query, len(pkgs))\n\n\tfor i, pkg := range pkgs {\n\t\tqueries[i] = pkgToQuery(pkg)\n\t}\n\n\treturn queries\n}\n" }, { "path": "internal/clients/clientimpl/osvmatcher/osvmatcher_test.go", "content": "package osvmatcher\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"reflect\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\nfunc TestOSVMatcher_MatchVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttype fields struct {\n\t\tClient osvdev.OSVClient\n\t\tInitialQueryTimeout time.Duration\n\t}\n\n\ttype args struct {\n\t\tpkgs []*extractor.Package\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tfields fields\n\t\targs args\n\t\twant [][]*osvschema.Vulnerability\n\t\twantErr error\n\t}{\n\t\t{\n\t\t\tname: \"Timeout_returns_deadline_exceeded_error_(http.Client_code)\",\n\t\t\tfields: fields{\n\t\t\t\tClient: *osvdev.DefaultClient(),\n\t\t\t\t// Long enough to not timeout until we enter the http client code\n\t\t\t\tInitialQueryTimeout: 1 * time.Millisecond,\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tpkgs: []*extractor.Package{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"stdlib\",\n\t\t\t\t\t\tVersion: \"1.22.0\",\n\t\t\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: nil,\n\t\t\twantErr: context.DeadlineExceeded,\n\t\t},\n\t\t{\n\t\t\tname: \"Timeout_returns_deadline_exceeded_error_(osv.dev_code)\",\n\t\t\tfields: fields{\n\t\t\t\tClient: *osvdev.DefaultClient(),\n\t\t\t\t// Short enough to test timeouts before reaching the http client\n\t\t\t\tInitialQueryTimeout: 100 * time.Nanosecond,\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tpkgs: []*extractor.Package{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"stdlib\",\n\t\t\t\t\t\tVersion: \"1.22.0\",\n\t\t\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: nil,\n\t\t\twantErr: context.DeadlineExceeded,\n\t\t},\n\t}\n\n\tfor i := range tests {\n\t\ttt := tests[i]\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tmatcher := &OSVMatcher{\n\t\t\t\tClient: tt.fields.Client,\n\t\t\t\tInitialQueryTimeout: tt.fields.InitialQueryTimeout,\n\t\t\t}\n\n\t\t\tgot, err := matcher.MatchVulnerabilities(t.Context(), tt.args.pkgs)\n\t\t\tif !errors.Is(err, tt.wantErr) {\n\t\t\t\tt.Errorf(\"OSVMatcher.MatchVulnerabilities() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t}\n\n\t\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"OSVMatcher.MatchVulnerabilities() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/clients/clientinterfaces/licensematcher.go", "content": "// Package clientinterfaces defines interfaces for external accessors used in osv-scanner.\npackage clientinterfaces\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n)\n\ntype LicenseMatcher interface {\n\tMatchLicenses(ctx context.Context, psr []*extractor.Package) error\n}\n" }, { "path": "internal/clients/clientinterfaces/vulnerabilitymatcher.go", "content": "package clientinterfaces\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype VulnerabilityMatcher interface {\n\tMatchVulnerabilities(ctx context.Context, invs []*extractor.Package) ([][]*osvschema.Vulnerability, error)\n}\n" }, { "path": "internal/cmdlogger/fmt.go", "content": "// Package cmdlogger provides wrapper for slog logging commands.\npackage cmdlogger\n\nimport (\n\t\"cmp\"\n\t\"fmt\"\n\t\"log/slog\"\n)\n\nfunc Debugf(msg string, args ...any) {\n\tlogger := cmp.Or(GlobalLogger, slog.Default())\n\tlogger.Debug(fmt.Sprintf(msg, args...))\n}\n\nfunc Infof(msg string, args ...any) {\n\tlogger := cmp.Or(GlobalLogger, slog.Default())\n\tlogger.Info(fmt.Sprintf(msg, args...))\n}\n\nfunc Warnf(msg string, args ...any) {\n\tlogger := cmp.Or(GlobalLogger, slog.Default())\n\tlogger.Warn(fmt.Sprintf(msg, args...))\n}\n\nfunc Errorf(msg string, args ...any) {\n\tlogger := cmp.Or(GlobalLogger, slog.Default())\n\tlogger.Error(fmt.Sprintf(msg, args...))\n}\n" }, { "path": "internal/cmdlogger/handler.go", "content": "package cmdlogger\n\nimport (\n\t\"context\"\n\t\"fmt\"\n\t\"io\"\n\t\"log/slog\"\n\t\"strings\"\n)\n\nvar (\n\tGlobalLogger *slog.Logger\n)\n\ntype Handler struct {\n\tstdout io.Writer\n\tstderr io.Writer\n\thasErrored bool\n\teverythingToStderr bool\n\tlevel slog.Leveler\n\toverrideHandler slog.Handler\n\n\thasErroredBecauseInvalidConfig bool\n}\n\n// SendEverythingToStderr tells the logger to send all logs to stderr regardless\n// of their level.\n//\n// This is useful if we're expecting to output structured data to stdout such\n// as JSON, which cannot be mixed with other output.\nfunc (c *Handler) SendEverythingToStderr() {\n\tc.everythingToStderr = true\n}\n\nfunc (c *Handler) SetLevel(level slog.Leveler) {\n\tc.level = level\n}\n\nfunc (c *Handler) writer(level slog.Level) io.Writer {\n\tif c.everythingToStderr || level == slog.LevelError {\n\t\treturn c.stderr\n\t}\n\n\treturn c.stdout\n}\n\nfunc (c *Handler) Enabled(ctx context.Context, level slog.Level) bool {\n\tif level == slog.LevelError {\n\t\tc.SetHasErrored()\n\t}\n\n\tif c.overrideHandler != nil {\n\t\treturn c.overrideHandler.Enabled(ctx, level)\n\t}\n\n\treturn level >= c.level.Level()\n}\n\nfunc (c *Handler) Handle(ctx context.Context, record slog.Record) error {\n\t// todo: we probably want to be reporting disabled plugins in some way,\n\t// but currently our snapshot-based tests cannot handle os-dependent\n\t// output and we've got some plugins that are only available for linux\n\tif strings.HasPrefix(record.Message, \"Disabling plugin \") {\n\t\treturn nil\n\t}\n\n\tif record.Level == slog.LevelError {\n\t\tc.SetHasErrored()\n\n\t\tif strings.HasPrefix(record.Message, \"Ignored invalid config file\") {\n\t\t\tc.hasErroredBecauseInvalidConfig = true\n\t\t}\n\t}\n\n\tif c.overrideHandler != nil {\n\t\treturn c.overrideHandler.Handle(ctx, record)\n\t}\n\n\t_, err := fmt.Fprint(c.writer(record.Level), record.Message+\"\\n\")\n\n\treturn err\n}\n\nfunc (c *Handler) SetHasErrored() {\n\tc.hasErrored = true\n}\n\n// HasErrored returns true if there have been any calls to Handle with\n// a level of [slog.LevelError]\nfunc (c *Handler) HasErrored() bool {\n\treturn c.hasErrored\n}\n\n// HasErroredBecauseInvalidConfig returns true if there have been any calls to\n// Handle with a level of [slog.LevelError] due to a config file being invalid\nfunc (c *Handler) HasErroredBecauseInvalidConfig() bool {\n\treturn c.hasErroredBecauseInvalidConfig\n}\n\nfunc (c *Handler) WithAttrs(a []slog.Attr) slog.Handler {\n\tif c.overrideHandler != nil {\n\t\treturn c.overrideHandler.WithAttrs(a)\n\t}\n\tpanic(\"not supported\")\n}\n\nfunc (c *Handler) WithGroup(g string) slog.Handler {\n\tif c.overrideHandler != nil {\n\t\treturn c.overrideHandler.WithGroup(g)\n\t}\n\tpanic(\"not supported\")\n}\n\nvar _ CmdLogger = &Handler{}\n\nfunc New(stdout, stderr io.Writer) CmdLogger {\n\treturn &Handler{\n\t\tstdout: stdout,\n\t\tstderr: stderr,\n\t\tlevel: slog.LevelInfo,\n\t}\n}\n\nfunc NewOverride(overrideHandler slog.Handler) CmdLogger {\n\treturn &Handler{\n\t\toverrideHandler: overrideHandler,\n\t}\n}\n" }, { "path": "internal/cmdlogger/interface.go", "content": "package cmdlogger\n\nimport \"log/slog\"\n\ntype CmdLogger interface {\n\tslog.Handler\n\tSendEverythingToStderr()\n\tSetHasErrored()\n\tHasErrored() bool\n\tHasErroredBecauseInvalidConfig() bool\n\tSetLevel(level slog.Leveler)\n}\n\n// SendEverythingToStderr tells the logger (if its in use) to send all logs\n// to stderr regardless of their level.\n//\n// This is useful if we're expecting to output structured data to stdout such\n// as JSON, which cannot be mixed with other output.\nfunc SendEverythingToStderr() {\n\tl, ok := slog.Default().Handler().(CmdLogger)\n\n\tif ok {\n\t\tl.SendEverythingToStderr()\n\t}\n}\n" }, { "path": "internal/cmdlogger/level.go", "content": "package cmdlogger\n\nimport (\n\t\"fmt\"\n\t\"log/slog\"\n\t\"strings\"\n)\n\nvar levels = []string{\n\t\"error\",\n\t\"warn\",\n\t\"info\",\n}\n\nfunc Levels() []string {\n\treturn levels\n}\n\nfunc ParseLevel(text string) (slog.Level, error) {\n\tswitch text {\n\tcase \"error\":\n\t\treturn slog.LevelError, nil\n\tcase \"warn\":\n\t\treturn slog.LevelWarn, nil\n\tcase \"info\":\n\t\treturn slog.LevelInfo, nil\n\tdefault:\n\t\treturn slog.LevelInfo, fmt.Errorf(\"invalid verbosity level \\\"%s\\\" - must be one of: %s\", text, strings.Join(Levels(), \", \"))\n\t}\n}\n" }, { "path": "internal/cmdlogger/level_test.go", "content": "package cmdlogger_test\n\nimport (\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\nfunc TestParseVerbosityLevel_GivenValidLevels(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tinput string\n\t\tlevel slog.Level\n\t}{\n\t\t{input: \"error\", level: slog.LevelError},\n\t\t{input: \"warn\", level: slog.LevelWarn},\n\t\t{input: \"info\", level: slog.LevelInfo},\n\t}\n\n\tfor _, tt := range tests {\n\t\tlvl, err := cmdlogger.ParseLevel(tt.input)\n\t\tif err != nil {\n\t\t\tt.Error(err)\n\t\t}\n\t\tif lvl != tt.level {\n\t\t\tt.Errorf(\"level should be supported: %s\", tt.input)\n\t\t}\n\t}\n}\n\nfunc TestParseVerbosityLevel_GivenInvalidLevels(t *testing.T) {\n\tt.Parallel()\n\n\t_, err := cmdlogger.ParseLevel(\"invalidlvl\")\n\tif err == nil {\n\t\tt.Error(\"expected invalid level to be an error\")\n\t}\n}\n" }, { "path": "internal/cmdlogger/scalibr.go", "content": "package cmdlogger\n\nimport (\n\t\"fmt\"\n\t\"log/slog\"\n\n\t\"github.com/google/osv-scalibr/log\"\n)\n\nvar _ log.Logger = &ScalibrAdapter{}\n\ntype ScalibrAdapter struct {\n\tLogger *slog.Logger\n}\n\nfunc (s *ScalibrAdapter) Errorf(format string, args ...any) {\n\ts.Logger.Error(fmt.Sprintf(format, args...))\n}\n\nfunc (s *ScalibrAdapter) Error(args ...any) {\n\ts.Logger.Error(fmt.Sprint(args...))\n}\n\nfunc (s *ScalibrAdapter) Warnf(format string, args ...any) {\n\ts.Logger.Warn(fmt.Sprintf(format, args...))\n}\n\nfunc (s *ScalibrAdapter) Warn(args ...any) {\n\ts.Logger.Warn(fmt.Sprint(args...))\n}\n\nfunc (s *ScalibrAdapter) Infof(format string, args ...any) {\n\ts.Logger.Info(fmt.Sprintf(format, args...))\n}\n\nfunc (s *ScalibrAdapter) Info(args ...any) {\n\ts.Logger.Info(fmt.Sprint(args...))\n}\n\nfunc (s *ScalibrAdapter) Debugf(format string, args ...any) {\n\ts.Logger.Debug(fmt.Sprintf(format, args...))\n}\n\nfunc (s *ScalibrAdapter) Debug(args ...any) {\n\ts.Logger.Debug(fmt.Sprint(args...))\n}\n" }, { "path": "internal/cmdlogger/static.go", "content": "package cmdlogger\n\nimport \"log/slog\"\n\nfunc SetHasErrored() {\n\tl, ok := slog.Default().Handler().(CmdLogger)\n\n\tif ok {\n\t\tl.SetHasErrored()\n\t}\n}\n\n// HasErrored returns true if there have been any calls to Handle with\n// a level of [slog.LevelError], assuming the logger is a [Handler].\n//\n// If the logger is not a [Handler], this will always return false.\nfunc HasErrored() bool {\n\tl, ok := slog.Default().Handler().(CmdLogger)\n\n\tif ok {\n\t\treturn l.HasErrored()\n\t}\n\n\treturn false\n}\n\nfunc SetLevel(level slog.Leveler) {\n\tl, ok := slog.Default().Handler().(CmdLogger)\n\n\tif ok {\n\t\tl.SetLevel(level)\n\t}\n}\n" }, { "path": "internal/config/config.go", "content": "// Package config manages the configuration for osv-scanner.\npackage config\n\nimport (\n\t\"slices\"\n\t\"time\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n)\n\nvar OSVScannerConfigName = \"osv-scanner.toml\"\n\ntype Config struct {\n\tIgnoredVulns []*IgnoreEntry `toml:\"IgnoredVulns\"`\n\tPackageOverrides []PackageOverrideEntry `toml:\"PackageOverrides\"`\n\tGoVersionOverride string `toml:\"GoVersionOverride\"`\n\t// The path to config file that this config was loaded from,\n\t// set by the scanner after having successfully parsed the file\n\tLoadPath string `toml:\"-\"`\n}\n\ntype IgnoreEntry struct {\n\tID string `toml:\"id\"`\n\tIgnoreUntil time.Time `toml:\"ignoreUntil\"`\n\tReason string `toml:\"reason\"`\n\n\tUsed bool `toml:\"-\"`\n}\n\nfunc (ie *IgnoreEntry) MarkAsUsed() {\n\tie.Used = true\n}\n\ntype PackageOverrideEntry struct {\n\tName string `toml:\"name\"`\n\t// If the version is empty, the entry applies to all versions.\n\tVersion string `toml:\"version\"`\n\tEcosystem string `toml:\"ecosystem\"`\n\tGroup string `toml:\"group\"`\n\tIgnore bool `toml:\"ignore\"`\n\tVulnerability Vulnerability `toml:\"vulnerability\"`\n\tLicense License `toml:\"license\"`\n\tEffectiveUntil time.Time `toml:\"effectiveUntil\"`\n\tReason string `toml:\"reason\"`\n}\n\nfunc (e PackageOverrideEntry) matches(pkg *extractor.Package) bool {\n\tif e.Name != \"\" && e.Name != imodels.Name(pkg) {\n\t\treturn false\n\t}\n\tif e.Version != \"\" && e.Version != imodels.Version(pkg) {\n\t\treturn false\n\t}\n\t// If there is an ecosystem filter, the filter must not match both the:\n\t// - Full ecosystem + suffix\n\t// - The base ecosystem\n\tif e.Ecosystem != \"\" && (e.Ecosystem != imodels.Ecosystem(pkg).String() && e.Ecosystem != string(imodels.Ecosystem(pkg).Ecosystem)) {\n\t\treturn false\n\t}\n\tif e.Group != \"\" && !slices.Contains(imodels.DepGroups(pkg), e.Group) {\n\t\treturn false\n\t}\n\n\treturn true\n}\n\ntype Vulnerability struct {\n\tIgnore bool `toml:\"ignore\"`\n}\n\ntype License struct {\n\tOverride []string `toml:\"override\"`\n\tIgnore bool `toml:\"ignore\"`\n}\n\nfunc (c *Config) UnusedIgnoredVulns() []*IgnoreEntry {\n\tunused := make([]*IgnoreEntry, 0, len(c.IgnoredVulns))\n\n\tfor _, entry := range c.IgnoredVulns {\n\t\tif !entry.Used {\n\t\t\tunused = append(unused, entry)\n\t\t}\n\t}\n\n\treturn unused\n}\n\nfunc (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) {\n\tindex := slices.IndexFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return e.ID == vulnID })\n\tif index == -1 {\n\t\treturn false, &IgnoreEntry{}\n\t}\n\tignoredLine := c.IgnoredVulns[index]\n\n\treturn shouldIgnoreTimestamp(ignoredLine.IgnoreUntil), ignoredLine\n}\n\nfunc (c *Config) filterPackageVersionEntries(pkg *extractor.Package, condition func(PackageOverrideEntry) bool) (bool, PackageOverrideEntry) {\n\tindex := slices.IndexFunc(c.PackageOverrides, func(e PackageOverrideEntry) bool {\n\t\treturn e.matches(pkg) && condition(e)\n\t})\n\tif index == -1 {\n\t\treturn false, PackageOverrideEntry{}\n\t}\n\tignoredLine := c.PackageOverrides[index]\n\n\treturn shouldIgnoreTimestamp(ignoredLine.EffectiveUntil), ignoredLine\n}\n\n// ShouldIgnorePackage determines if the given package should be ignored based on override entries in the config\nfunc (c *Config) ShouldIgnorePackage(pkg *extractor.Package) (bool, PackageOverrideEntry) {\n\treturn c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {\n\t\treturn e.Ignore\n\t})\n}\n\n// ShouldIgnorePackageVulnerabilities determines if the given package should have its vulnerabilities ignored based on override entries in the config\nfunc (c *Config) ShouldIgnorePackageVulnerabilities(pkg *extractor.Package) bool {\n\toverrides, _ := c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {\n\t\treturn e.Vulnerability.Ignore\n\t})\n\n\treturn overrides\n}\n\n// ShouldOverridePackageLicense determines if the given package should have its license ignored or changed based on override entries in the config\nfunc (c *Config) ShouldOverridePackageLicense(pkg *extractor.Package) (bool, PackageOverrideEntry) {\n\treturn c.filterPackageVersionEntries(pkg, func(e PackageOverrideEntry) bool {\n\t\treturn e.License.Ignore || len(e.License.Override) > 0\n\t})\n}\n\nfunc shouldIgnoreTimestamp(ignoreUntil time.Time) bool {\n\tif ignoreUntil.IsZero() {\n\t\t// If IgnoreUntil is not set, should ignore.\n\t\treturn true\n\t}\n\t// Should ignore if IgnoreUntil is still after current time\n\t// Takes timezone offsets into account if it is specified. otherwise it's using local time\n\treturn ignoreUntil.After(time.Now())\n}\n\nfunc (c *Config) warnAboutDuplicates() {\n\tseen := make(map[string]struct{})\n\n\tfor _, vuln := range c.IgnoredVulns {\n\t\tif _, ok := seen[vuln.ID]; ok {\n\t\t\tcmdlogger.Warnf(\"warning: %s has multiple ignores for %s - only the first will be used!\", c.LoadPath, vuln.ID)\n\t\t}\n\t\tseen[vuln.ID] = struct{}{}\n\t}\n}\n" }, { "path": "internal/config/config_internal_test.go", "content": "package config\n\nimport (\n\t\"fmt\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\tapkmetadata \"github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/osv\"\n\t\"github.com/google/osv-scalibr/purl\"\n)\n\n// Attempts to normalize any file paths in the given `output` so that they can\n// be compared reliably regardless of the file path separator being used.\n//\n// Namely, escaped forward slashes are replaced with backslashes.\nfunc normalizeFilePaths(t *testing.T, output string) string {\n\tt.Helper()\n\n\treturn strings.ReplaceAll(strings.ReplaceAll(output, \"\\\\\\\\\", \"/\"), \"\\\\\", \"/\")\n}\n\nfunc Test_normalizeConfigLoadPath(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\ttarget string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant string\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"target_does_not_exist\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/does-not-exist\",\n\t\t\t},\n\t\t\twant: \"\",\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"target_is_file_in_directory\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/innerFolder/test.yaml\",\n\t\t\t},\n\t\t\twant: \"testdata/testdatainner/innerFolder/osv-scanner.toml\",\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"target_is_inner_directory_with_trailing_slash\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/innerFolder/\",\n\t\t\t},\n\t\t\twant: \"testdata/testdatainner/innerFolder/osv-scanner.toml\",\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"target_is_inner_directory_without_trailing_slash\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/innerFolder\",\n\t\t\t},\n\t\t\twant: \"testdata/testdatainner/innerFolder/osv-scanner.toml\",\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"target_is_directory_with_trailing_slash\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/\",\n\t\t\t},\n\t\t\twant: \"testdata/testdatainner/osv-scanner.toml\",\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"target_is_file_in_directory\",\n\t\t\targs: args{\n\t\t\t\ttarget: \"./testdata/testdatainner/some-manifest.yaml\",\n\t\t\t},\n\t\t\twant: \"testdata/testdatainner/osv-scanner.toml\",\n\t\t\twantErr: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot, err := normalizeConfigLoadPath(tt.args.target)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"normalizeConfigLoadPath() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tgot = normalizeFilePaths(t, got)\n\t\t\tif got != tt.want {\n\t\t\t\tt.Errorf(\"normalizeConfigLoadPath() got = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_tryLoadConfig(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tconfigPath string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant Config\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"config_does_not_exist\",\n\t\t\targs: args{\n\t\t\t\tconfigPath: \"./testdata/testdatainner/does-not-exist\",\n\t\t\t},\n\t\t\twant: Config{},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"config_has_some_ignored_vulnerabilities_and_package_overrides\",\n\t\t\targs: args{\n\t\t\t\tconfigPath: \"./testdata/testdatainner/osv-scanner.toml\",\n\t\t\t},\n\t\t\twant: Config{\n\t\t\t\tLoadPath: \"./testdata/testdatainner/osv-scanner.toml\",\n\t\t\t\tIgnoredVulns: []*IgnoreEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GO-2022-0968\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GO-2022-1059\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"my-pkg\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tOverride: []string{\"MIT\", \"0BSD\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantErr: false,\n\t\t},\n\t\t{\n\t\t\tname: \"load_path_cannot_be_overridden_via_config\",\n\t\t\targs: args{\n\t\t\t\tconfigPath: \"./testdata/testdatainner/osv-scanner-load-path.toml\",\n\t\t\t},\n\t\t\twant: Config{\n\t\t\t\tLoadPath: \"\",\n\t\t\t},\n\t\t\twantErr: true,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot, err := tryLoadConfig(tt.args.configPath)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"tryLoadConfig() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif diff := cmp.Diff(tt.want, got); diff != \"\" {\n\t\t\t\tt.Errorf(\"tryLoadConfig() mismatch (-want +got):\\n%s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestTryLoadConfig_UnknownKeys(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tconfigPath string\n\t\tunknownMsg string\n\t}{\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-1.toml\",\n\t\t\tunknownMsg: \"IgnoredVulns.ignoreUntilTime\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-2.toml\",\n\t\t\tunknownMsg: \"IgnoredVulns.ignoreUntiI\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-3.toml\",\n\t\t\tunknownMsg: \"IgnoredVulns.reasoning\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-4.toml\",\n\t\t\tunknownMsg: \"PackageOverrides.skip\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-5.toml\",\n\t\t\tunknownMsg: \"PackageOverrides.license.skip\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-6.toml\",\n\t\t\tunknownMsg: \"RustVersionOverride\",\n\t\t},\n\t\t{\n\t\t\tconfigPath: \"./testdata/unknown-key-7.toml\",\n\t\t\tunknownMsg: \"RustVersionOverride, PackageOverrides.skip\",\n\t\t},\n\t}\n\n\tfor _, testData := range tests {\n\t\tc, err := tryLoadConfig(testData.configPath)\n\n\t\t// we should always be returning an empty config on error\n\t\tif diff := cmp.Diff(Config{}, c); diff != \"\" {\n\t\t\tt.Errorf(\"tryLoadConfig() mismatch (-want +got):\\n%s\", diff)\n\t\t}\n\t\tif err == nil {\n\t\t\tt.Fatal(\"tryLoadConfig() did not return an error\")\n\t\t}\n\n\t\twantMsg := fmt.Sprintf(\"unknown keys in config file: %v\", testData.unknownMsg)\n\n\t\tif err.Error() != wantMsg {\n\t\t\tt.Errorf(\"tryLoadConfig() error = '%v', want '%s'\", err, wantMsg)\n\t\t}\n\t}\n}\n\nfunc TestConfig_ShouldIgnore(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tvulnID string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tconfig Config\n\t\targs args\n\t\twantOk bool\n\t\twantEntry *IgnoreEntry\n\t}{\n\t\t// entry exists\n\t\t{\n\t\t\tname: \"\",\n\t\t\tconfig: Config{\n\t\t\t\tIgnoredVulns: []*IgnoreEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GHSA-123\",\n\t\t\t\t\t\tIgnoreUntil: time.Time{},\n\t\t\t\t\t\tReason: \"\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tvulnID: \"GHSA-123\",\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: &IgnoreEntry{\n\t\t\t\tID: \"GHSA-123\",\n\t\t\t\tIgnoreUntil: time.Time{},\n\t\t\t\tReason: \"\",\n\t\t\t},\n\t\t},\n\t\t// entry does not exist\n\t\t{\n\t\t\tname: \"\",\n\t\t\tconfig: Config{\n\t\t\t\tIgnoredVulns: []*IgnoreEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GHSA-123\",\n\t\t\t\t\t\tIgnoreUntil: time.Time{},\n\t\t\t\t\t\tReason: \"\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tvulnID: \"nonexistent\",\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: &IgnoreEntry{},\n\t\t},\n\t\t// ignored until a time in the past\n\t\t{\n\t\t\tname: \"\",\n\t\t\tconfig: Config{\n\t\t\t\tIgnoredVulns: []*IgnoreEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GHSA-123\",\n\t\t\t\t\t\tIgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second),\n\t\t\t\t\t\tReason: \"\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tvulnID: \"GHSA-123\",\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: &IgnoreEntry{\n\t\t\t\tID: \"GHSA-123\",\n\t\t\t\tIgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second),\n\t\t\t\tReason: \"\",\n\t\t\t},\n\t\t},\n\t\t// ignored until a time in the future\n\t\t{\n\t\t\tname: \"\",\n\t\t\tconfig: Config{\n\t\t\t\tIgnoredVulns: []*IgnoreEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tID: \"GHSA-123\",\n\t\t\t\t\t\tIgnoreUntil: time.Now().Add(time.Hour).Round(time.Second),\n\t\t\t\t\t\tReason: \"\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tvulnID: \"GHSA-123\",\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: &IgnoreEntry{\n\t\t\t\tID: \"GHSA-123\",\n\t\t\t\tIgnoreUntil: time.Now().Add(time.Hour).Round(time.Second),\n\t\t\t\tReason: \"\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgotOk, gotEntry := tt.config.ShouldIgnore(tt.args.vulnID)\n\t\t\tif gotOk != tt.wantOk {\n\t\t\t\tt.Errorf(\"ShouldIgnore() gotOk = %v, wantOk %v\", gotOk, tt.wantOk)\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(gotEntry, tt.wantEntry) {\n\t\t\t\tt.Errorf(\"ShouldIgnore() gotEntry = %v, wantEntry %v\", gotEntry, tt.wantEntry)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestConfig_ShouldIgnorePackage(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tconfig Config\n\t\targs *extractor.Package\n\t\twantOk bool\n\t\twantEntry PackageOverrideEntry\n\t}{\n\t\t{\n\t\t\tname: \"Everything-level_entry_exists\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Ecosystem-level_entry_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Ecosystem-level_entry_exists_and_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: \"npm\",\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Ecosystem-level_entry_with_suffix_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tEcosystem: \"Alpine:v3.20\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"bin1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeApk,\n\t\t\t\tMetadata: &apkmetadata.Metadata{\n\t\t\t\t\tPackageName: \"bin1\",\n\t\t\t\t\tOSID: \"Alpine\",\n\t\t\t\t\tOSVersionID: \"3.20\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tEcosystem: \"Alpine:v3.20\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Ecosystem-level_entry_with_suffix_exists_and_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tEcosystem: \"Alpine:v3.20\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"bin2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeApk,\n\t\t\t\tMetadata: &apkmetadata.Metadata{\n\t\t\t\t\tPackageName: \"bin1\",\n\t\t\t\t\tOSID: \"Alpine\",\n\t\t\t\t\tOSVersionID: \"3.19\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t{\n\t\t\tname: \"Ecosystem-level_entry_without_suffix_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tEcosystem: \"Alpine\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"bin1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeApk,\n\t\t\t\tMetadata: &apkmetadata.Metadata{\n\t\t\t\t\tPackageName: \"bin1\",\n\t\t\t\t\tOSID: \"Alpine\",\n\t\t\t\t\tOSVersionID: \"3.20\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tEcosystem: \"Alpine\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Group-level_entry_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroup: \"dev\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tGroup: \"dev\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Group-level_entry_exists_and_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroup: \"dev\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: \"npm\",\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"optional\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t{\n\t\t\tname: \"Group-level_entry_exists_and_does_not_match_when_empty\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tGroup: \"dev\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: \"npm\",\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Version-level_entry_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Version-level_entry_exists_and_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Name-level_entry_exists_and_does_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Name-level_entry_exists_and_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: \"npm\",\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t// -------------------------------------------------------------------------\n\t\t{\n\t\t\tname: \"Name,_Version,_and_Ecosystem_entry_exists\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Name_and_Ecosystem_entry_exists\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Name,_Ecosystem,_and_Group_entry_exists_and_matches\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tGroup: \"dev\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tGroup: \"dev\",\n\t\t\t\tIgnore: true,\n\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Name,_Ecosystem,_and_Group_entry_exists_but_does_not_match\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tGroup: \"dev\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t\tMetadata: osv.DepGroupMetadata{\n\t\t\t\t\tDepGroupVals: []string{\"prod\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t{\n\t\t\tname: \"Entry_doesn't_exist\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tIgnore: false,\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib2\",\n\t\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tEffectiveUntil: time.Time{},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgotOk, gotEntry := tt.config.ShouldIgnorePackage(tt.args)\n\t\t\tif gotOk != tt.wantOk {\n\t\t\t\tt.Errorf(\"ShouldIgnorePackage() gotOk = %v, wantOk %v\", gotOk, tt.wantOk)\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(gotEntry, tt.wantEntry) {\n\t\t\t\tt.Errorf(\"ShouldIgnorePackage() gotEntry = %v, wantEntry %v\", gotEntry, tt.wantEntry)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestConfig_ShouldIgnorePackageVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tconfig Config\n\t\targs *extractor.Package\n\t\twantOk bool\n\t}{\n\t\t{\n\t\t\tname: \"Exact_version_entry_exists_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tVulnerability: Vulnerability{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t},\n\t\t{\n\t\t\tname: \"Version_entry_doesn't_exist_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tVulnerability: Vulnerability{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: false,\n\t\t},\n\t\t{\n\t\t\tname: \"Name_matches_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tVulnerability: Vulnerability{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgotOk := tt.config.ShouldIgnorePackageVulnerabilities(tt.args)\n\t\t\tif gotOk != tt.wantOk {\n\t\t\t\tt.Errorf(\"ShouldIgnorePackageVulnerabilities() gotOk = %v, wantOk %v\", gotOk, tt.wantOk)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestConfig_ShouldOverridePackageLicense(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tconfig Config\n\t\targs *extractor.Package\n\t\twantOk bool\n\t\twantEntry PackageOverrideEntry\n\t}{\n\t\t{\n\t\t\tname: \"Exact_version_entry_exists_with_override\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tOverride: []string{\"mit\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tLicense: License{\n\t\t\t\t\tOverride: []string{\"mit\"},\n\t\t\t\t},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Exact_version_entry_exists_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tLicense: License{\n\t\t\t\t\tIgnore: true,\n\t\t\t\t},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Version_entry_doesn't_exist_with_override\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tOverride: []string{\"mit\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t{\n\t\t\tname: \"Version_entry_doesn't_exist_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: false,\n\t\t\twantEntry: PackageOverrideEntry{},\n\t\t},\n\t\t{\n\t\t\tname: \"Name_matches_with_override\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tOverride: []string{\"mit\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tLicense: License{\n\t\t\t\t\tOverride: []string{\"mit\"},\n\t\t\t\t},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"Name_matches_with_ignore\",\n\t\t\tconfig: Config{\n\t\t\t\tPackageOverrides: []PackageOverrideEntry{\n\t\t\t\t\t{\n\t\t\t\t\t\tName: \"lib1\",\n\t\t\t\t\t\tEcosystem: \"Go\",\n\t\t\t\t\t\tLicense: License{\n\t\t\t\t\t\t\tIgnore: true,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tReason: \"abc\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: &extractor.Package{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\tPURLType: purl.TypeGolang,\n\t\t\t},\n\t\t\twantOk: true,\n\t\t\twantEntry: PackageOverrideEntry{\n\t\t\t\tName: \"lib1\",\n\t\t\t\tEcosystem: \"Go\",\n\t\t\t\tLicense: License{\n\t\t\t\t\tIgnore: true,\n\t\t\t\t},\n\t\t\t\tReason: \"abc\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgotOk, gotEntry := tt.config.ShouldOverridePackageLicense(tt.args)\n\t\t\tif gotOk != tt.wantOk {\n\t\t\t\tt.Errorf(\"ShouldOverridePackageLicense() gotOk = %v, wantOk %v\", gotOk, tt.wantOk)\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(gotEntry, tt.wantEntry) {\n\t\t\t\tt.Errorf(\"ShouldOverridePackageLicense() gotEntry = %v, wantEntry %v\", gotEntry, tt.wantEntry)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/config/manager.go", "content": "package config\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/BurntSushi/toml\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\ntype Manager struct {\n\t// Override to replace all other configs\n\tOverrideConfig *Config\n\t// Config to use if no config file is found alongside manifests\n\tDefaultConfig Config\n\t// Cache to store loaded configs\n\tConfigMap map[string]Config\n}\n\n// UseOverride updates the Manager to use the config at the given path in place\n// of any other config files that would be loaded when calling Get\nfunc (m *Manager) UseOverride(configPath string) error {\n\tconfig, configErr := tryLoadConfig(configPath)\n\tif configErr != nil {\n\t\treturn configErr\n\t}\n\tm.OverrideConfig = &config\n\n\treturn nil\n}\n\n// Get returns the appropriate config to use based on the targetPath\nfunc (m *Manager) Get(targetPath string) Config {\n\tif m.OverrideConfig != nil {\n\t\treturn *m.OverrideConfig\n\t}\n\n\tconfigPath, err := normalizeConfigLoadPath(targetPath)\n\tif err != nil {\n\t\t// TODO: This can happen when target is not a file (e.g. Docker container, git hash...etc.)\n\t\t// Figure out a more robust way to load config from non files\n\t\t// r.PrintErrorf(\"Can't find config path: %s\\n\", err)\n\t\treturn Config{}\n\t}\n\n\tconfig, alreadyExists := m.ConfigMap[configPath]\n\tif alreadyExists {\n\t\treturn config\n\t}\n\n\tconfig, configErr := tryLoadConfig(configPath)\n\tif configErr == nil {\n\t\tcmdlogger.Infof(\"Loaded filter from: %s\", config.LoadPath)\n\t} else {\n\t\t// anything other than the config file not existing is most likely due to an invalid config file\n\t\tif !errors.Is(configErr, os.ErrNotExist) {\n\t\t\tcmdlogger.Errorf(\"Ignored invalid config file at %s because: %v\", configPath, configErr)\n\t\t}\n\t\t// If config doesn't exist, use the default config\n\t\tconfig = m.DefaultConfig\n\t}\n\tm.ConfigMap[configPath] = config\n\n\treturn config\n}\n\nfunc (m *Manager) GetUnusedIgnoreEntries() map[string][]*IgnoreEntry {\n\tentries := make(map[string][]*IgnoreEntry)\n\n\tfor _, config := range m.ConfigMap {\n\t\tunusedEntries := config.UnusedIgnoredVulns()\n\n\t\tif len(unusedEntries) > 0 {\n\t\t\tentries[config.LoadPath] = unusedEntries\n\t\t}\n\t}\n\n\tif m.OverrideConfig != nil {\n\t\tunusedEntries := m.OverrideConfig.UnusedIgnoredVulns()\n\n\t\tif len(unusedEntries) > 0 {\n\t\t\tentries[m.OverrideConfig.LoadPath] = unusedEntries\n\t\t}\n\t}\n\n\treturn entries\n}\n\n// Finds the containing folder of `target`, then appends osvScannerConfigName\nfunc normalizeConfigLoadPath(target string) (string, error) {\n\tstat, err := os.Stat(target)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to stat target: %w\", err)\n\t}\n\n\tvar containingFolder string\n\tif !stat.IsDir() {\n\t\tcontainingFolder = filepath.Dir(target)\n\t} else {\n\t\tcontainingFolder = target\n\t}\n\tconfigPath := filepath.Join(containingFolder, OSVScannerConfigName)\n\n\treturn configPath, nil\n}\n\n// tryLoadConfig attempts to parse the config file at the given path as TOML,\n// returning the Config object if successful or otherwise the error\nfunc tryLoadConfig(configPath string) (Config, error) {\n\tconfig := Config{}\n\tc, err := toml.DecodeFile(configPath, &config)\n\tif err == nil {\n\t\tunknownKeys := c.Undecoded()\n\n\t\tif len(unknownKeys) > 0 {\n\t\t\tkeys := make([]string, 0, len(unknownKeys))\n\n\t\t\tfor _, key := range unknownKeys {\n\t\t\t\tkeys = append(keys, key.String())\n\t\t\t}\n\n\t\t\treturn Config{}, fmt.Errorf(\"unknown keys in config file: %s\", strings.Join(keys, \", \"))\n\t\t}\n\n\t\tconfig.LoadPath = configPath\n\t\tconfig.warnAboutDuplicates()\n\t}\n\n\treturn config, err\n}\n" }, { "path": "internal/config/testdata/testdatainner/innerFolder/test.yaml", "content": "" }, { "path": "internal/config/testdata/testdatainner/osv-scanner-load-path.toml", "content": "LoadPath = \"a/b/c\"\n" }, { "path": "internal/config/testdata/testdatainner/osv-scanner.toml", "content": "[[IgnoredVulns]]\nid = \"GO-2022-0968\"\n# ignoreUntil = 2022-11-09\n# reason = \"\" # Optional reason\n\n[[IgnoredVulns]]\nid = \"GO-2022-1059\"\n# ignoreUntil = 2022-11-09 # Optional exception expiry date\n# reason = \"\" # Optional reason\n\n[[PackageOverrides]]\nname = \"lib\"\nversion = \"1.0.0\"\necosystem = \"Go\"\nignore = true\n# effectiveUntil = 2022-11-09 # Optional exception expiry date\nreason = \"abc\"\n \n[[PackageOverrides]]\nname = \"my-pkg\"\nversion = \"1.0.0\"\necosystem = \"Go\"\nignore = true\nreason = \"abc\"\nlicense.override = [\"MIT\", \"0BSD\"]\n" }, { "path": "internal/config/testdata/testdatainner/some-manifest.yaml", "content": "" }, { "path": "internal/config/testdata/unknown-key-1.toml", "content": "[[IgnoredVulns]]\nid = \"GHSA-jgvc-jfgh-rjvv\"\nignoreUntilTime = 2024-08-02 # whoops, should be \"ignoreUntil\"\nreason = \"...\"\n" }, { "path": "internal/config/testdata/unknown-key-2.toml", "content": "[[IgnoredVulns]]\nid = \"GHSA-jgvc-jfgh-rjvv\"\nignoreUntiI = 2024-08-02 # whoops, should be \"ignoreUntil\"\nreason = \"...\"\n" }, { "path": "internal/config/testdata/unknown-key-3.toml", "content": "[[IgnoredVulns]]\nid = \"GHSA-jgvc-jfgh-rjvv\"\nignoreUntil = 2024-08-02\nreasoning = \"...\" # whoops, should be \"reason\"\n" }, { "path": "internal/config/testdata/unknown-key-4.toml", "content": "[[PackageOverrides]]\necosystem = \"npm\"\nskip = true # whoops, should be \"ignore\"\nlicense.override = [\"0BSD\"]\n" }, { "path": "internal/config/testdata/unknown-key-5.toml", "content": "[[PackageOverrides]]\necosystem = \"npm\"\nlicense.skip = false # whoops, should be \"license.ignore\"\n" }, { "path": "internal/config/testdata/unknown-key-6.toml", "content": "RustVersionOverride = \"1.2.3\" # whoops, not supported\n" }, { "path": "internal/config/testdata/unknown-key-7.toml", "content": "RustVersionOverride = \"1.2.3\" # whoops, not supported\n\n[[PackageOverrides]]\necosystem = \"npm\"\nskip = true # whoops, should be \"ignore\"\n" }, { "path": "internal/datasource/cache.go", "content": "// Package datasource provides data sources for dependency resolution used by transitive scanning and guided remediation.\npackage datasource\n\nimport (\n\t\"bytes\"\n\t\"encoding/gob\"\n\t\"maps\"\n\t\"sync\"\n\t\"time\"\n)\n\nconst cacheExpiry = 6 * time.Hour\n\nfunc gobMarshal(v any) ([]byte, error) {\n\tvar b bytes.Buffer\n\tenc := gob.NewEncoder(&b)\n\n\terr := enc.Encode(v)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn b.Bytes(), nil\n}\n\nfunc gobUnmarshal(b []byte, v any) error {\n\tdec := gob.NewDecoder(bytes.NewReader(b))\n\treturn dec.Decode(v)\n}\n\ntype requestCacheCall[V any] struct {\n\twg sync.WaitGroup\n\tval V\n\terr error\n}\n\n// RequestCache is a map to cache the results of expensive functions that are called concurrently.\ntype RequestCache[K comparable, V any] struct {\n\tcache map[K]V\n\tcalls map[K]*requestCacheCall[V]\n\tmu sync.Mutex\n}\n\nfunc NewRequestCache[K comparable, V any]() *RequestCache[K, V] {\n\treturn &RequestCache[K, V]{\n\t\tcache: make(map[K]V),\n\t\tcalls: make(map[K]*requestCacheCall[V]),\n\t}\n}\n\n// Get gets the value from the cache map if it's cached, otherwise it will call fn to get the value and cache it.\n// fn will only ever be called once for a key, even if there are multiple simultaneous calls to Get before the first call is finished.\nfunc (rq *RequestCache[K, V]) Get(key K, fn func() (V, error)) (V, error) {\n\t// Try get it from regular cache.\n\trq.mu.Lock()\n\tif v, ok := rq.cache[key]; ok {\n\t\trq.mu.Unlock()\n\t\treturn v, nil\n\t}\n\n\t// See if there is already a pending request for this key.\n\tif c, ok := rq.calls[key]; ok {\n\t\trq.mu.Unlock()\n\t\tc.wg.Wait()\n\n\t\treturn c.val, c.err\n\t}\n\n\t// Cache miss - create the call.\n\tc := new(requestCacheCall[V])\n\tc.wg.Add(1)\n\trq.calls[key] = c\n\trq.mu.Unlock()\n\n\tc.val, c.err = fn()\n\trq.mu.Lock()\n\tdefer rq.mu.Unlock()\n\n\t// Allow other waiting goroutines to return\n\tc.wg.Done()\n\n\t// Store value in regular cache.\n\tif c.err == nil {\n\t\trq.cache[key] = c.val\n\t}\n\n\t// Remove the completed call now that it's cached.\n\tif rq.calls[key] == c {\n\t\tdelete(rq.calls, key)\n\t}\n\n\treturn c.val, c.err\n}\n\n// GetMap gets a shallow clone of the stored cache map.\nfunc (rq *RequestCache[K, V]) GetMap() map[K]V {\n\trq.mu.Lock()\n\tdefer rq.mu.Unlock()\n\n\treturn maps.Clone(rq.cache)\n}\n\n// SetMap loads (a shallow clone of) the provided map into the cache map.\nfunc (rq *RequestCache[K, V]) SetMap(m map[K]V) {\n\trq.mu.Lock()\n\tdefer rq.mu.Unlock()\n\trq.cache = maps.Clone(m)\n}\n" }, { "path": "internal/datasource/cache_test.go", "content": "package datasource_test\n\nimport (\n\t\"maps\"\n\t\"sync\"\n\t\"sync/atomic\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n)\n\nfunc TestRequestCache(t *testing.T) {\n\t// Test that RequestCache calls each function exactly once per key.\n\tt.Parallel()\n\trequestCache := datasource.NewRequestCache[int, int]()\n\n\tconst numKeys = 20\n\tconst requestsPerKey = 50\n\n\tvar wg sync.WaitGroup\n\tvar fnCalls [numKeys]int32\n\n\tfor i := range numKeys {\n\t\tfor range requestsPerKey {\n\t\t\twg.Go(func() {\n\t\t\t\tt.Helper()\n\t\t\t\t//nolint:errcheck\n\t\t\t\trequestCache.Get(i, func() (int, error) {\n\t\t\t\t\t// Count how many times this function gets called for this key,\n\t\t\t\t\t// then return the key as the value.\n\t\t\t\t\tatomic.AddInt32(&fnCalls[i], 1)\n\t\t\t\t\treturn i, nil\n\t\t\t\t})\n\t\t\t})\n\t\t}\n\t}\n\n\twg.Wait() // Make sure all the goroutines are finished\n\n\tfor i, c := range fnCalls {\n\t\tif c != 1 {\n\t\t\tt.Errorf(\"RequestCache Get(%d) function called %d times\", i, c)\n\t\t}\n\t}\n\n\tcacheMap := requestCache.GetMap()\n\tif len(cacheMap) != numKeys {\n\t\tt.Errorf(\"RequestCache GetMap length was %d, expected %d\", len(cacheMap), numKeys)\n\t}\n\n\tfor k, v := range cacheMap {\n\t\tif k != v {\n\t\t\tt.Errorf(\"RequestCache GetMap key %d has unexpected value %d\", k, v)\n\t\t}\n\t}\n}\n\nfunc TestRequestCacheSetMap(t *testing.T) {\n\tt.Parallel()\n\n\trequestCache := datasource.NewRequestCache[string, string]()\n\trequestCache.SetMap(map[string]string{\"foo\": \"foo1\", \"bar\": \"bar2\"})\n\tfn := func() (string, error) { return \"CACHE MISS\", nil }\n\n\twant := map[string]string{\n\t\t\"foo\": \"foo1\",\n\t\t\"bar\": \"bar2\",\n\t\t\"baz\": \"CACHE MISS\",\n\t\t\"FOO\": \"CACHE MISS\",\n\t}\n\n\tfor k, v := range want {\n\t\tgot, err := requestCache.Get(k, fn)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Get(%v) returned an error: %v\", v, err)\n\t\t} else if got != v {\n\t\t\tt.Errorf(\"Get(%v) got: %v, want %v\", k, got, v)\n\t\t}\n\t}\n\n\tgotMap := requestCache.GetMap()\n\tif !maps.Equal(want, gotMap) {\n\t\tt.Errorf(\"GetMap() got %v, want %v\", gotMap, want)\n\t}\n}\n" }, { "path": "internal/datasource/http_auth.go", "content": "package datasource\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"crypto/md5\" //nolint:gosec // used in Digest access authentication algorithm\n\t\"crypto/rand\"\n\t\"encoding/base64\"\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync/atomic\"\n)\n\ntype HTTPAuthMethod int\n\nconst (\n\tAuthBasic HTTPAuthMethod = iota\n\tAuthBearer\n\tAuthDigest\n)\n\n// HTTPAuthentication holds the information needed for general HTTP Authentication support.\n// Requests made through this will automatically populate the relevant info in the Authorization headers.\n// This is a general implementation and should be suitable for use with any ecosystem.\ntype HTTPAuthentication struct {\n\tSupportedMethods []HTTPAuthMethod // In order of preference, only one method will be attempted.\n\n\t// AlwaysAuth determines whether to always send auth headers.\n\t// If false, the server must respond with a WWW-Authenticate header which will be checked for supported methods.\n\t// Must be set to false to use Digest authentication.\n\tAlwaysAuth bool\n\n\t// Shared\n\tUsername string // Basic & Digest, plain text.\n\tPassword string // Basic & Digest, plain text.\n\t// Basic\n\tBasicAuth string // Base64-encoded username:password. Overrides Username & Password fields if set.\n\t// Bearer\n\tBearerToken string\n\t// Digest\n\tCnonceFunc func() string // Function used to generate cnonce string for Digest. OK to leave unassigned. Mostly for use in tests.\n\n\tlastUsed atomic.Value // The last-used authentication method - used when AlwaysAuth is false to automatically send Basic auth.\n}\n\n// Get makes an http GET request with the given http.Client.\n// The Authorization Header will automatically be populated according to the fields in the HTTPAuthentication.\nfunc (auth *HTTPAuthentication) Get(ctx context.Context, httpClient *http.Client, url string) (*http.Response, error) {\n\treq, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// For convenience, have the nil HTTPAuthentication just make an unauthenticated request.\n\tif auth == nil {\n\t\treturn httpClient.Do(req)\n\t}\n\n\tif auth.AlwaysAuth {\n\t\tfor _, method := range auth.SupportedMethods {\n\t\t\tok := false\n\t\t\tswitch method {\n\t\t\tcase AuthBasic:\n\t\t\t\tok = auth.addBasic(req)\n\t\t\tcase AuthBearer:\n\t\t\t\tok = auth.addBearer(req)\n\t\t\tcase AuthDigest:\n\t\t\t\t// AuthDigest needs a challenge from WWW-Authenticate, so we cannot always add the auth.\n\t\t\t}\n\t\t\tif ok {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\treturn httpClient.Do(req)\n\t}\n\n\t// If the last request we made to this server used Basic or Bearer auth, send the header with this request\n\tif lastUsed, ok := auth.lastUsed.Load().(HTTPAuthMethod); ok {\n\t\tswitch lastUsed {\n\t\tcase AuthBasic:\n\t\t\tauth.addBasic(req)\n\t\tcase AuthBearer:\n\t\t\tauth.addBearer(req)\n\t\tcase AuthDigest:\n\t\t\t// Cannot add AuthDigest without the challenge from the initial request.\n\t\t}\n\t}\n\n\tresp, err := httpClient.Do(req)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tif resp.StatusCode != http.StatusUnauthorized {\n\t\treturn resp, nil\n\t}\n\n\twwwAuth := resp.Header.Values(\"WWW-Authenticate\")\n\n\tok := false\n\tvar usedMethod HTTPAuthMethod\n\treq, err = http.NewRequestWithContext(ctx, http.MethodGet, url, nil)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfor _, method := range auth.SupportedMethods {\n\t\tswitch method {\n\t\tcase AuthBasic:\n\t\t\tif auth.authIndex(wwwAuth, \"Basic\") >= 0 {\n\t\t\t\tok = auth.addBasic(req)\n\t\t\t}\n\t\tcase AuthBearer:\n\t\t\tif auth.authIndex(wwwAuth, \"Bearer\") >= 0 {\n\t\t\t\tok = auth.addBearer(req)\n\t\t\t}\n\t\tcase AuthDigest:\n\t\t\tif idx := auth.authIndex(wwwAuth, \"Digest\"); idx >= 0 {\n\t\t\t\tok = auth.addDigest(req, wwwAuth[idx])\n\t\t\t}\n\t\t}\n\t\tif ok {\n\t\t\tusedMethod = method\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif ok {\n\t\tdefer resp.Body.Close() // Close the original request before we discard it.\n\t\tresp, err = httpClient.Do(req)\n\t}\n\tif resp.StatusCode == http.StatusOK {\n\t\tauth.lastUsed.Store(usedMethod)\n\t}\n\t// The original request's response will be returned if there is no matching methods.\n\treturn resp, err\n}\n\nfunc (auth *HTTPAuthentication) authIndex(wwwAuth []string, authScheme string) int {\n\treturn slices.IndexFunc(wwwAuth, func(s string) bool {\n\t\tscheme, _, _ := strings.Cut(s, \" \")\n\t\treturn scheme == authScheme\n\t})\n}\n\nfunc (auth *HTTPAuthentication) addBasic(req *http.Request) bool {\n\tif auth.BasicAuth != \"\" {\n\t\treq.Header.Set(\"Authorization\", \"Basic \"+auth.BasicAuth)\n\n\t\treturn true\n\t}\n\n\tif auth.Username != \"\" && auth.Password != \"\" {\n\t\tauthStr := base64.StdEncoding.EncodeToString([]byte(auth.Username + \":\" + auth.Password))\n\t\treq.Header.Set(\"Authorization\", \"Basic \"+authStr)\n\n\t\treturn true\n\t}\n\n\treturn false\n}\n\nfunc (auth *HTTPAuthentication) addBearer(req *http.Request) bool {\n\tif auth.BearerToken != \"\" {\n\t\treq.Header.Set(\"Authorization\", \"Bearer \"+auth.BearerToken)\n\n\t\treturn true\n\t}\n\n\treturn false\n}\n\nfunc (auth *HTTPAuthentication) addDigest(req *http.Request, challenge string) bool {\n\t// Mostly following the algorithm as outlined in https://en.wikipedia.org/wiki/Digest_access_authentication\n\t// And also https://datatracker.ietf.org/doc/html/rfc2617\n\tif auth.Username == \"\" || auth.Password == \"\" {\n\t\treturn false\n\t}\n\tparams := auth.parseChallenge(challenge)\n\trealm, ok := params[\"realm\"]\n\tif !ok {\n\t\treturn false\n\t}\n\n\tnonce, ok := params[\"nonce\"]\n\tif !ok {\n\t\treturn false\n\t}\n\tvar cnonce string\n\n\tha1 := md5.Sum([]byte(auth.Username + \":\" + realm + \":\" + auth.Password)) //nolint:gosec\n\tswitch params[\"algorithm\"] {\n\tcase \"MD5-sess\":\n\t\tcnonce = auth.cnonce()\n\t\tif cnonce == \"\" {\n\t\t\treturn false\n\t\t}\n\t\tvar b bytes.Buffer\n\t\tfmt.Fprintf(&b, \"%x:%s:%s\", ha1, nonce, cnonce)\n\t\tha1 = md5.Sum(b.Bytes()) //nolint:gosec\n\tcase \"MD5\":\n\tcase \"\":\n\tdefault:\n\t\treturn false\n\t}\n\n\t// Only support \"auth\" qop\n\tif qop, ok := params[\"qop\"]; ok && !slices.Contains(strings.Split(qop, \",\"), \"auth\") {\n\t\treturn false\n\t}\n\n\turi := req.URL.Path // is this sufficient?\n\n\tha2 := md5.Sum([]byte(req.Method + \":\" + uri)) //nolint:gosec\n\n\t// hard-coding nonceCount to 1 since we don't make a request more than once\n\tnonceCount := \"00000001\"\n\n\tvar b bytes.Buffer\n\tif _, ok := params[\"qop\"]; ok {\n\t\tif cnonce == \"\" {\n\t\t\tcnonce = auth.cnonce()\n\t\t\tif cnonce == \"\" {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\t\tfmt.Fprintf(&b, \"%x:%s:%s:%s:%s:%x\", ha1, nonce, nonceCount, cnonce, \"auth\", ha2)\n\t} else {\n\t\tfmt.Fprintf(&b, \"%x:%s:%x\", ha1, nonce, ha2)\n\t}\n\tresponse := md5.Sum(b.Bytes()) //nolint:gosec\n\n\tvar sb strings.Builder\n\tfmt.Fprintf(&sb, \"Digest username=\\\"%s\\\", realm=\\\"%s\\\", nonce=\\\"%s\\\", uri=\\\"%s\\\"\",\n\t\tauth.Username, realm, nonce, uri)\n\tif _, ok := params[\"qop\"]; ok {\n\t\tfmt.Fprintf(&sb, \", qop=auth, nc=%s, cnonce=\\\"%s\\\"\", nonceCount, cnonce)\n\t}\n\tif alg, ok := params[\"algorithm\"]; ok {\n\t\tfmt.Fprintf(&sb, \", algorithm=%s\", alg)\n\t}\n\tfmt.Fprintf(&sb, \", response=\\\"%x\\\", opaque=\\\"%s\\\"\", response, params[\"opaque\"])\n\n\treq.Header.Add(\"Authorization\", sb.String())\n\n\treturn true\n}\n\nfunc (auth *HTTPAuthentication) parseChallenge(challenge string) map[string]string {\n\t// Parse the params out of the auth challenge header.\n\t// e.g. Digest realm=\"testrealm@host.com\", qop=\"auth,auth-int\" ->\n\t// {\"realm\": \"testrealm@host.com\", \"qop\", \"auth,auth-int\"}\n\t//\n\t// This isn't perfectly robust - some edge cases / weird headers may parse incorrectly.\n\n\t// Get rid of \"Digest\" prefix\n\t_, challenge, _ = strings.Cut(challenge, \" \")\n\n\tparts := strings.Split(challenge, \",\")\n\t// parts may have had a quoted comma, recombine if there's an unclosed quote.\n\n\tfor i := 0; i < len(parts); {\n\t\tif strings.Count(parts[i], \"\\\"\")%2 == 1 && len(parts) > i+1 {\n\t\t\tparts[i] = parts[i] + \",\" + parts[i+1]\n\t\t\tparts = append(parts[:i+1], parts[i+2:]...)\n\n\t\t\tcontinue\n\t\t}\n\t\ti++\n\t}\n\n\tm := make(map[string]string)\n\tfor _, part := range parts {\n\t\tkey, val, _ := strings.Cut(part, \"=\")\n\t\tkey = strings.Trim(key, \" \")\n\t\tval = strings.Trim(val, \" \")\n\t\t// remove quotes from quoted string\n\t\tval = strings.Trim(val, \"\\\"\")\n\t\tm[key] = val\n\t}\n\n\treturn m\n}\n\nfunc (auth *HTTPAuthentication) cnonce() string {\n\tif auth.CnonceFunc != nil {\n\t\treturn auth.CnonceFunc()\n\t}\n\n\t// for a default nonce use a random 8 bytes\n\tb := make([]byte, 8)\n\tif _, err := rand.Read(b); err != nil {\n\t\treturn \"\"\n\t}\n\n\treturn hex.EncodeToString(b)\n}\n" }, { "path": "internal/datasource/http_auth_test.go", "content": "package datasource_test\n\nimport (\n\t\"net/http\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n)\n\n// mockTransport is used to inspect the requests being made by HTTPAuthentications\ntype mockTransport struct {\n\tRequests []*http.Request // All requests made to this transport\n\tUnauthedResponse *http.Response // Response sent when request does not have an 'Authorization' header.\n\tAuthedReponse *http.Response // Response to sent when request does include 'Authorization' (not checked).\n}\n\nfunc (mt *mockTransport) RoundTrip(req *http.Request) (*http.Response, error) {\n\tmt.Requests = append(mt.Requests, req)\n\tvar resp *http.Response\n\tif req.Header.Get(\"Authorization\") == \"\" {\n\t\tresp = mt.UnauthedResponse\n\t} else {\n\t\tresp = mt.AuthedReponse\n\t}\n\tif resp == nil {\n\t\tresp = &http.Response{StatusCode: http.StatusOK}\n\t}\n\n\treturn resp, nil\n}\n\nfunc TestHTTPAuthentication(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tname string\n\t\thttpAuth *datasource.HTTPAuthentication\n\t\trequestURL string\n\t\twwwAuth []string\n\t\texpectedAuths []string // expected Authentication headers received.\n\t\texpectedResponseCodes []int // expected final response codes received (length may be less than expectedAuths)\n\t}{\n\t\t{\n\t\t\tname: \"nil_auth\",\n\t\t\thttpAuth: nil,\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Basic\"},\n\t\t\texpectedAuths: []string{\"\"},\n\t\t\texpectedResponseCodes: []int{http.StatusUnauthorized},\n\t\t},\n\t\t{\n\t\t\tname: \"default_auth\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Basic\"},\n\t\t\texpectedAuths: []string{\"\"},\n\t\t\texpectedResponseCodes: []int{http.StatusUnauthorized},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tUsername: \"Aladdin\",\n\t\t\t\tPassword: \"open sesame\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth_from_token\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tUsername: \"ignored\",\n\t\t\t\tPassword: \"ignored\",\n\t\t\t\tBasicAuth: \"QWxhZGRpbjpvcGVuIHNlc2FtZQ==\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth_missing_username\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tUsername: \"\",\n\t\t\t\tPassword: \"ignored\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth_missing_password\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tUsername: \"ignored\",\n\t\t\t\tPassword: \"\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth_not_always\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tBasicAuth: \"YTph\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Basic realm=\\\"User Visible Realm\\\"\"},\n\t\t\texpectedAuths: []string{\"\", \"Basic YTph\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"bearer_auth\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tBearerToken: \"abcdefgh\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"Bearer abcdefgh\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"bearer_auth_not_always\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tBearerToken: \"abcdefgh\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Bearer\"},\n\t\t\texpectedAuths: []string{\"\", \"Bearer abcdefgh\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"always_auth_priority\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBasic, datasource.AuthBearer},\n\t\t\t\tAlwaysAuth: true,\n\t\t\t\tBasicAuth: \"UseThisOne\",\n\t\t\t\tBearerToken: \"NotThisOne\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\texpectedAuths: []string{\"Basic UseThisOne\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"not_always_auth_priority\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthBearer, datasource.AuthDigest, datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tUsername: \"DoNotUse\",\n\t\t\t\tPassword: \"ThisField\",\n\t\t\t\tBearerToken: \"PleaseUseThis\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Basic\", \"Bearer\"},\n\t\t\texpectedAuths: []string{\"\", \"Bearer PleaseUseThis\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"digest_auth\",\n\t\t\t// Example from https://en.wikipedia.org/wiki/Digest_access_authentication#Example_with_explanation\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tUsername: \"Mufasa\",\n\t\t\t\tPassword: \"Circle Of Life\",\n\t\t\t\tCnonceFunc: func() string { return \"0a4f113b\" },\n\t\t\t},\n\t\t\trequestURL: \"https://127.0.0.1/dir/index.html\",\n\t\t\twwwAuth: []string{\n\t\t\t\t\"Digest realm=\\\"testrealm@host.com\\\", \" +\n\t\t\t\t\t\"qop=\\\"auth,auth-int\\\", \" +\n\t\t\t\t\t\"nonce=\\\"dcd98b7102dd2f0e8b11d0f600bfb0c093\\\", \" +\n\t\t\t\t\t\"opaque=\\\"5ccc069c403ebaf9f0171e9517f40e41\\\"\",\n\t\t\t},\n\t\t\texpectedAuths: []string{\n\t\t\t\t\"\",\n\t\t\t\t// The order of these fields shouldn't actually matter\n\t\t\t\t\"Digest username=\\\"Mufasa\\\", \" +\n\t\t\t\t\t\"realm=\\\"testrealm@host.com\\\", \" +\n\t\t\t\t\t\"nonce=\\\"dcd98b7102dd2f0e8b11d0f600bfb0c093\\\", \" +\n\t\t\t\t\t\"uri=\\\"/dir/index.html\\\", \" +\n\t\t\t\t\t\"qop=auth, \" +\n\t\t\t\t\t\"nc=00000001, \" +\n\t\t\t\t\t\"cnonce=\\\"0a4f113b\\\", \" +\n\t\t\t\t\t\"response=\\\"6629fae49393a05397450978507c4ef1\\\", \" +\n\t\t\t\t\t\"opaque=\\\"5ccc069c403ebaf9f0171e9517f40e41\\\"\",\n\t\t\t},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"digest_auth_rfc2069\", // old spec, without qop header\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tUsername: \"Mufasa\",\n\t\t\t\tPassword: \"Circle Of Life\",\n\t\t\t},\n\t\t\trequestURL: \"https://127.0.0.1/dir/index.html\",\n\t\t\twwwAuth: []string{\n\t\t\t\t\"Digest realm=\\\"testrealm@host.com\\\", \" +\n\t\t\t\t\t\"nonce=\\\"dcd98b7102dd2f0e8b11d0f600bfb0c093\\\", \" +\n\t\t\t\t\t\"opaque=\\\"5ccc069c403ebaf9f0171e9517f40e41\\\"\",\n\t\t\t},\n\t\t\texpectedAuths: []string{\n\t\t\t\t\"\",\n\t\t\t\t// The order of these fields shouldn't actually matter\n\t\t\t\t\"Digest username=\\\"Mufasa\\\", \" +\n\t\t\t\t\t\"realm=\\\"testrealm@host.com\\\", \" +\n\t\t\t\t\t\"nonce=\\\"dcd98b7102dd2f0e8b11d0f600bfb0c093\\\", \" +\n\t\t\t\t\t\"uri=\\\"/dir/index.html\\\", \" +\n\t\t\t\t\t\"response=\\\"670fd8c2df070c60b045671b8b24ff02\\\", \" +\n\t\t\t\t\t\"opaque=\\\"5ccc069c403ebaf9f0171e9517f40e41\\\"\",\n\t\t\t},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"digest_auth_mvn\",\n\t\t\t// From what mvn sends.\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tUsername: \"my-username\",\n\t\t\t\tPassword: \"cool-password\",\n\t\t\t\tCnonceFunc: func() string { return \"f7ef2d457dabcd54\" },\n\t\t\t},\n\t\t\trequestURL: \"https://127.0.0.1:41565/commons-io/commons-io/1.0/commons-io-1.0.pom\",\n\t\t\twwwAuth: []string{\n\t\t\t\t\"Digest realm=\\\"test@osv.dev\\\",\" +\n\t\t\t\t\t\"qop=\\\"auth\\\",\" +\n\t\t\t\t\t\"nonce=\\\"deadbeef\\\",\" +\n\t\t\t\t\t\"opaque=\\\"aaaa\\\",\" +\n\t\t\t\t\t\"algorithm=\\\"MD5-sess\\\",\" +\n\t\t\t\t\t\"domain=\\\"/test\\\"\",\n\t\t\t},\n\t\t\texpectedAuths: []string{\n\t\t\t\t\"\",\n\t\t\t\t// The order of these fields shouldn't actually matter\n\t\t\t\t\"Digest username=\\\"my-username\\\", \" +\n\t\t\t\t\t\"realm=\\\"test@osv.dev\\\", \" +\n\t\t\t\t\t\"nonce=\\\"deadbeef\\\", \" +\n\t\t\t\t\t\"uri=\\\"/commons-io/commons-io/1.0/commons-io-1.0.pom\\\", \" +\n\t\t\t\t\t\"qop=auth, \" +\n\t\t\t\t\t\"nc=00000001, \" +\n\t\t\t\t\t\"cnonce=\\\"f7ef2d457dabcd54\\\", \" +\n\t\t\t\t\t\"algorithm=MD5-sess, \" +\n\t\t\t\t\t\"response=\\\"15a35e7018a0fc7db05d31185e0d2c9e\\\", \" +\n\t\t\t\t\t\"opaque=\\\"aaaa\\\"\",\n\t\t\t},\n\t\t\texpectedResponseCodes: []int{http.StatusOK},\n\t\t},\n\t\t{\n\t\t\tname: \"basic_auth_reuse_on_subsequent\",\n\t\t\thttpAuth: &datasource.HTTPAuthentication{\n\t\t\t\tSupportedMethods: []datasource.HTTPAuthMethod{datasource.AuthDigest, datasource.AuthBasic},\n\t\t\t\tAlwaysAuth: false,\n\t\t\t\tUsername: \"user\",\n\t\t\t\tPassword: \"pass\",\n\t\t\t},\n\t\t\trequestURL: \"http://127.0.0.1/\",\n\t\t\twwwAuth: []string{\"Basic realm=\\\"Realm\\\"\"},\n\t\t\texpectedAuths: []string{\"\", \"Basic dXNlcjpwYXNz\", \"Basic dXNlcjpwYXNz\"},\n\t\t\texpectedResponseCodes: []int{http.StatusOK, http.StatusOK},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tmt := &mockTransport{}\n\t\t\tif len(tt.wwwAuth) > 0 {\n\t\t\t\tmt.UnauthedResponse = &http.Response{\n\t\t\t\t\tStatusCode: http.StatusUnauthorized,\n\t\t\t\t\tHeader: make(http.Header),\n\t\t\t\t}\n\t\t\t\tfor _, v := range tt.wwwAuth {\n\t\t\t\t\tmt.UnauthedResponse.Header.Add(\"WWW-Authenticate\", v)\n\t\t\t\t}\n\t\t\t}\n\t\t\thttpClient := &http.Client{Transport: mt}\n\t\t\tfor _, want := range tt.expectedResponseCodes {\n\t\t\t\tresp, err := tt.httpAuth.Get(t.Context(), httpClient, tt.requestURL)\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Fatalf(\"error making request: %v\", err)\n\t\t\t\t}\n\t\t\t\tdefer resp.Body.Close()\n\t\t\t\tif resp.StatusCode != want {\n\t\t\t\t\tt.Errorf(\"authorization response status code got = %d, want %d\", resp.StatusCode, want)\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(mt.Requests) != len(tt.expectedAuths) {\n\t\t\t\tt.Fatalf(\"unexpected number of requests got = %d, want %d\", len(mt.Requests), len(tt.expectedAuths))\n\t\t\t}\n\t\t\tfor i, want := range tt.expectedAuths {\n\t\t\t\tgot := mt.Requests[i].Header.Get(\"Authorization\")\n\t\t\t\tif got != want {\n\t\t\t\t\tt.Errorf(\"authorization header got = \\\"%s\\\", want \\\"%s\\\"\", got, want)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/datasource/insights.go", "content": "package datasource\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"fmt\"\n\t\"sync\"\n\t\"time\"\n\n\tpb \"deps.dev/api/v3\"\n\t\"google.golang.org/grpc\"\n\t\"google.golang.org/grpc/credentials\"\n)\n\n// CachedInsightsClient is a wrapper for InsightsClient that caches requests.\ntype CachedInsightsClient struct {\n\tpb.InsightsClient\n\n\t// cache fields\n\tmu sync.Mutex\n\tcacheTimestamp *time.Time\n\tpackageCache *RequestCache[packageKey, *pb.Package]\n\tversionCache *RequestCache[versionKey, *pb.Version]\n\trequirementsCache *RequestCache[versionKey, *pb.Requirements]\n}\n\n// Comparable types to use as map keys for cache.\ntype packageKey struct {\n\tSystem pb.System\n\tName string\n}\n\nfunc makePackageKey(k *pb.PackageKey) packageKey {\n\treturn packageKey{\n\t\tSystem: k.GetSystem(),\n\t\tName: k.GetName(),\n\t}\n}\n\ntype versionKey struct {\n\tSystem pb.System\n\tName string\n\tVersion string\n}\n\nfunc makeVersionKey(k *pb.VersionKey) versionKey {\n\treturn versionKey{\n\t\tSystem: k.GetSystem(),\n\t\tName: k.GetName(),\n\t\tVersion: k.GetVersion(),\n\t}\n}\n\nfunc NewCachedInsightsClient(addr string, userAgent string) (*CachedInsightsClient, error) {\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"getting system cert pool: %w\", err)\n\t}\n\tcreds := credentials.NewClientTLSFromCert(certPool, \"\")\n\tdialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}\n\n\tif userAgent != \"\" {\n\t\tdialOpts = append(dialOpts, grpc.WithUserAgent(userAgent))\n\t}\n\n\tconn, err := grpc.NewClient(addr, dialOpts...)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"dialling %q: %w\", addr, err)\n\t}\n\n\treturn &CachedInsightsClient{\n\t\tInsightsClient: pb.NewInsightsClient(conn),\n\t\tpackageCache: NewRequestCache[packageKey, *pb.Package](),\n\t\tversionCache: NewRequestCache[versionKey, *pb.Version](),\n\t\trequirementsCache: NewRequestCache[versionKey, *pb.Requirements](),\n\t}, nil\n}\n\nfunc (c *CachedInsightsClient) GetPackage(ctx context.Context, in *pb.GetPackageRequest, opts ...grpc.CallOption) (*pb.Package, error) {\n\treturn c.packageCache.Get(makePackageKey(in.GetPackageKey()), func() (*pb.Package, error) {\n\t\treturn c.InsightsClient.GetPackage(ctx, in, opts...)\n\t})\n}\n\nfunc (c *CachedInsightsClient) GetVersion(ctx context.Context, in *pb.GetVersionRequest, opts ...grpc.CallOption) (*pb.Version, error) {\n\treturn c.versionCache.Get(makeVersionKey(in.GetVersionKey()), func() (*pb.Version, error) {\n\t\treturn c.InsightsClient.GetVersion(ctx, in, opts...)\n\t})\n}\n\nfunc (c *CachedInsightsClient) GetRequirements(ctx context.Context, in *pb.GetRequirementsRequest, opts ...grpc.CallOption) (*pb.Requirements, error) {\n\treturn c.requirementsCache.Get(makeVersionKey(in.GetVersionKey()), func() (*pb.Requirements, error) {\n\t\treturn c.InsightsClient.GetRequirements(ctx, in, opts...)\n\t})\n}\n" }, { "path": "internal/datasource/insights_cache.go", "content": "package datasource\n\nimport (\n\t\"time\"\n\n\tpb \"deps.dev/api/v3\"\n\t\"google.golang.org/protobuf/proto\"\n)\n\ntype depsdevAPICache struct {\n\tTimestamp *time.Time\n\tPackageCache map[packageKey][]byte\n\tVersionCache map[versionKey][]byte\n\tRequirementsCache map[versionKey][]byte\n}\n\nfunc protoMarshalCache[K comparable, V proto.Message](protoMap map[K]V) (map[K][]byte, error) {\n\tbyteMap := make(map[K][]byte)\n\tfor k, v := range protoMap {\n\t\tb, err := proto.Marshal(v)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tbyteMap[k] = b\n\t}\n\n\treturn byteMap, nil\n}\n\nfunc protoUnmarshalCache[K comparable, V any, PV interface {\n\tproto.Message\n\t*V\n}](byteMap map[K][]byte, protoMap *map[K]PV) error {\n\t*protoMap = make(map[K]PV)\n\tfor k, b := range byteMap {\n\t\tv := PV(new(V))\n\t\tif err := proto.Unmarshal(b, v); err != nil {\n\t\t\treturn err\n\t\t}\n\t\t(*protoMap)[k] = v\n\t}\n\n\treturn nil\n}\n\nfunc (c *CachedInsightsClient) GobEncode() ([]byte, error) {\n\tvar cache depsdevAPICache\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tif c.cacheTimestamp == nil {\n\t\tnow := time.Now().UTC()\n\t\tc.cacheTimestamp = &now\n\t}\n\n\tcache.Timestamp = c.cacheTimestamp\n\tvar err error\n\tcache.PackageCache, err = protoMarshalCache(c.packageCache.GetMap())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcache.VersionCache, err = protoMarshalCache(c.versionCache.GetMap())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tcache.RequirementsCache, err = protoMarshalCache(c.requirementsCache.GetMap())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn gobMarshal(cache)\n}\n\nfunc (c *CachedInsightsClient) GobDecode(b []byte) error {\n\tvar cache depsdevAPICache\n\tif err := gobUnmarshal(b, &cache); err != nil {\n\t\treturn err\n\t}\n\n\tif cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry {\n\t\t// Cache expired\n\t\treturn nil\n\t}\n\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tc.cacheTimestamp = cache.Timestamp\n\n\tvar pkgMap map[packageKey]*pb.Package\n\tif err := protoUnmarshalCache(cache.PackageCache, &pkgMap); err != nil {\n\t\treturn err\n\t}\n\n\tvar verMap map[versionKey]*pb.Version\n\tif err := protoUnmarshalCache(cache.VersionCache, &verMap); err != nil {\n\t\treturn err\n\t}\n\n\tvar reqMap map[versionKey]*pb.Requirements\n\tif err := protoUnmarshalCache(cache.RequirementsCache, &reqMap); err != nil {\n\t\treturn err\n\t}\n\n\tc.packageCache.SetMap(pkgMap)\n\tc.versionCache.SetMap(verMap)\n\tc.requirementsCache.SetMap(reqMap)\n\n\treturn nil\n}\n" }, { "path": "internal/datasource/insightsalpha.go", "content": "package datasource\n\nimport (\n\t\"crypto/x509\"\n\t\"fmt\"\n\n\tpb \"deps.dev/api/v3alpha\"\n\t\"google.golang.org/grpc\"\n\t\"google.golang.org/grpc/credentials\"\n)\n\n// NewInsightsAlphaClient creates a deps.dev v3alpha InsightsClient with a custom address and userAgent.\nfunc NewInsightsAlphaClient(addr string, userAgent string) (pb.InsightsClient, error) {\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"getting system cert pool: %w\", err)\n\t}\n\tcreds := credentials.NewClientTLSFromCert(certPool, \"\")\n\tdialOpts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}\n\n\tif userAgent != \"\" {\n\t\tdialOpts = append(dialOpts, grpc.WithUserAgent(userAgent))\n\t}\n\n\tconn, err := grpc.NewClient(addr, dialOpts...)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"dialling %q: %w\", addr, err)\n\t}\n\n\treturn pb.NewInsightsClient(conn), nil\n}\n" }, { "path": "internal/datasource/maven_registry.go", "content": "package datasource\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/xml\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"slices\"\n\t\"strings\"\n\t\"sync\"\n\t\"time\"\n\n\t\"deps.dev/util/maven\"\n\t\"deps.dev/util/semver\"\n\t\"golang.org/x/net/html/charset\"\n)\n\nconst MavenCentral = \"https://repo.maven.apache.org/maven2\"\n\nvar errAPIFailed = errors.New(\"API query failed\")\n\ntype MavenRegistryAPIClient struct {\n\tdefaultRegistry MavenRegistry // The default registry that we are making requests\n\tregistries []MavenRegistry // Additional registries specified to fetch projects\n\tregistryAuths map[string]*HTTPAuthentication // Authentication for the registries keyed by registry ID. From settings.xml\n\n\t// Cache fields\n\tmu *sync.Mutex\n\tcacheTimestamp *time.Time // If set, this means we loaded from a cache\n\tresponses *RequestCache[string, response]\n}\n\ntype response struct {\n\tStatusCode int\n\tBody []byte\n}\n\ntype MavenRegistry struct {\n\tURL string\n\tParsed *url.URL\n\n\t// Information from pom.xml\n\tID string\n\tReleasesEnabled bool\n\tSnapshotsEnabled bool\n}\n\nfunc NewMavenRegistryAPIClient(registry MavenRegistry) (*MavenRegistryAPIClient, error) {\n\tif registry.URL == \"\" {\n\t\tregistry.URL = MavenCentral\n\t\tregistry.ID = \"central\"\n\t}\n\tu, err := url.Parse(registry.URL)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"invalid Maven registry %s: %w\", registry.URL, err)\n\t}\n\tregistry.Parsed = u\n\n\t// TODO: allow for manual specification of settings files\n\tglobalSettings := ParseMavenSettings(globalMavenSettingsFile())\n\tuserSettings := ParseMavenSettings(userMavenSettingsFile())\n\n\treturn &MavenRegistryAPIClient{\n\t\t// We assume only downloading releases is allowed on the default registry.\n\t\tdefaultRegistry: registry,\n\t\tmu: &sync.Mutex{},\n\t\tresponses: NewRequestCache[string, response](),\n\t\tregistryAuths: MakeMavenAuth(globalSettings, userSettings),\n\t}, nil\n}\n\n// WithoutRegistries makes MavenRegistryAPIClient including its cache but not registries.\nfunc (m *MavenRegistryAPIClient) WithoutRegistries() *MavenRegistryAPIClient {\n\treturn &MavenRegistryAPIClient{\n\t\tdefaultRegistry: m.defaultRegistry,\n\t\tmu: m.mu,\n\t\tcacheTimestamp: m.cacheTimestamp,\n\t\tresponses: m.responses,\n\t}\n}\n\n// AddRegistry adds the given registry to the list of registries if it has not been added.\nfunc (m *MavenRegistryAPIClient) AddRegistry(registry MavenRegistry) error {\n\tfor _, reg := range m.registries {\n\t\tif reg.ID == registry.ID {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tu, err := url.Parse(registry.URL)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tregistry.Parsed = u\n\tm.registries = append(m.registries, registry)\n\n\treturn nil\n}\n\nfunc (m *MavenRegistryAPIClient) GetRegistries() (registries []MavenRegistry) {\n\treturn m.registries\n}\n\n// GetProject fetches a pom.xml specified by groupID, artifactID and version and parses it to maven.Project.\n// Each registry in the list is tried until we find the project.\n// For a snapshot version, version level metadata is used to find the extact version string.\n// More about Maven Repository Metadata Model: https://maven.apache.org/ref/3.9.9/maven-repository-metadata/\n// More about Maven Metadata: https://maven.apache.org/repositories/metadata.html\nfunc (m *MavenRegistryAPIClient) GetProject(ctx context.Context, groupID, artifactID, version string) (maven.Project, error) {\n\tif !strings.HasSuffix(version, \"-SNAPSHOT\") {\n\t\tfor _, registry := range append(m.registries, m.defaultRegistry) {\n\t\t\tif !registry.ReleasesEnabled {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tproject, err := m.getProject(ctx, registry, groupID, artifactID, version, \"\")\n\t\t\tif err == nil {\n\t\t\t\treturn project, nil\n\t\t\t}\n\t\t}\n\n\t\treturn maven.Project{}, fmt.Errorf(\"failed to fetch Maven project %s:%s@%s\", groupID, artifactID, version)\n\t}\n\n\tfor _, registry := range append(m.registries, m.defaultRegistry) {\n\t\t// Fetch version metadata for snapshot versions from the registries enabling that.\n\t\tif !registry.SnapshotsEnabled {\n\t\t\tcontinue\n\t\t}\n\t\tmetadata, err := m.getVersionMetadata(ctx, registry, groupID, artifactID, version)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\tsnapshot := \"\"\n\t\tfor _, sv := range metadata.Versioning.SnapshotVersions {\n\t\t\tif sv.Extension == \"pom\" {\n\t\t\t\t// We only look for pom.xml for project metadata.\n\t\t\t\tsnapshot = string(sv.Value)\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tproject, err := m.getProject(ctx, registry, groupID, artifactID, version, snapshot)\n\t\tif err == nil {\n\t\t\treturn project, nil\n\t\t}\n\t}\n\n\treturn maven.Project{}, fmt.Errorf(\"failed to fetch Maven project %s:%s@%s\", groupID, artifactID, version)\n}\n\n// GetVersions returns the list of available versions of a Maven package specified by groupID and artifactID.\n// Versions found in all registries are unioned, then sorted by semver.\nfunc (m *MavenRegistryAPIClient) GetVersions(ctx context.Context, groupID, artifactID string) ([]maven.String, error) {\n\tvar versions []maven.String\n\tfor _, registry := range append(m.registries, m.defaultRegistry) {\n\t\tmetadata, err := m.getArtifactMetadata(ctx, registry, groupID, artifactID)\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tversions = append(versions, metadata.Versioning.Versions...)\n\t}\n\tslices.SortFunc(versions, func(a, b maven.String) int { return semver.Maven.Compare(string(a), string(b)) })\n\n\treturn slices.Compact(versions), nil\n}\n\n// getProject fetches a pom.xml specified by groupID, artifactID and version and parses it to maven.Project.\n// For snapshot versions, the exact version value is specified by snapshot.\nfunc (m *MavenRegistryAPIClient) getProject(ctx context.Context, registry MavenRegistry, groupID, artifactID, version, snapshot string) (maven.Project, error) {\n\tif snapshot == \"\" {\n\t\tsnapshot = version\n\t}\n\tu := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, \".\", \"/\"), artifactID, version, fmt.Sprintf(\"%s-%s.pom\", artifactID, snapshot)).String()\n\n\tvar project maven.Project\n\tif err := m.get(ctx, m.registryAuths[registry.ID], u, &project); err != nil {\n\t\treturn maven.Project{}, err\n\t}\n\n\treturn project, nil\n}\n\n// getVersionMetadata fetches a version level maven-metadata.xml and parses it to maven.Metadata.\nfunc (m *MavenRegistryAPIClient) getVersionMetadata(ctx context.Context, registry MavenRegistry, groupID, artifactID, version string) (maven.Metadata, error) {\n\tu := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, \".\", \"/\"), artifactID, version, \"maven-metadata.xml\").String()\n\n\tvar metadata maven.Metadata\n\tif err := m.get(ctx, m.registryAuths[registry.ID], u, &metadata); err != nil {\n\t\treturn maven.Metadata{}, err\n\t}\n\n\treturn metadata, nil\n}\n\n// GetArtifactMetadata fetches an artifact level maven-metadata.xml and parses it to maven.Metadata.\nfunc (m *MavenRegistryAPIClient) getArtifactMetadata(ctx context.Context, registry MavenRegistry, groupID, artifactID string) (maven.Metadata, error) {\n\tu := registry.Parsed.JoinPath(strings.ReplaceAll(groupID, \".\", \"/\"), artifactID, \"maven-metadata.xml\").String()\n\n\tvar metadata maven.Metadata\n\tif err := m.get(ctx, m.registryAuths[registry.ID], u, &metadata); err != nil {\n\t\treturn maven.Metadata{}, err\n\t}\n\n\treturn metadata, nil\n}\n\nfunc (m *MavenRegistryAPIClient) get(ctx context.Context, auth *HTTPAuthentication, apiURL string, dst any) error {\n\tresp, err := m.responses.Get(apiURL, func() (response, error) {\n\t\tresp, err := auth.Get(ctx, http.DefaultClient, apiURL)\n\t\tif err != nil {\n\t\t\treturn response{}, fmt.Errorf(\"%w: Maven registry query failed: %w\", errAPIFailed, err)\n\t\t}\n\t\tdefer resp.Body.Close()\n\n\t\tif !slices.Contains([]int{http.StatusOK, http.StatusNotFound, http.StatusUnauthorized}, resp.StatusCode) {\n\t\t\t// Only cache responses with Status OK, NotFound, or Unauthorized\n\t\t\treturn response{}, fmt.Errorf(\"%w: Maven registry query status: %d\", errAPIFailed, resp.StatusCode)\n\t\t}\n\n\t\tb, err := io.ReadAll(resp.Body)\n\t\tif err != nil {\n\t\t\treturn response{}, fmt.Errorf(\"failed to read body: %w\", err)\n\t\t}\n\n\t\treturn response{StatusCode: resp.StatusCode, Body: b}, nil\n\t})\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn fmt.Errorf(\"%w: Maven registry query status: %d\", errAPIFailed, resp.StatusCode)\n\t}\n\n\treturn NewMavenDecoder(bytes.NewReader(resp.Body)).Decode(dst)\n}\n\n// NewMavenDecoder returns an xml decoder with CharsetReader and Entity set.\nfunc NewMavenDecoder(reader io.Reader) *xml.Decoder {\n\tdecoder := xml.NewDecoder(reader)\n\t// Set charset reader for conversion from non-UTF-8 charset into UTF-8.\n\tdecoder.CharsetReader = charset.NewReaderLabel\n\t// Set HTML entity map for translation between non-standard entity names\n\t// and string replacements.\n\tdecoder.Entity = xml.HTMLEntity\n\n\treturn decoder\n}\n" }, { "path": "internal/datasource/maven_registry_cache.go", "content": "package datasource\n\nimport (\n\t\"time\"\n)\n\ntype mavenRegistryCache struct {\n\tTimestamp *time.Time\n\tResponses map[string]response // url -> response\n}\n\nfunc (m *MavenRegistryAPIClient) GobEncode() ([]byte, error) {\n\tm.mu.Lock()\n\tdefer m.mu.Unlock()\n\n\tif m.cacheTimestamp == nil {\n\t\tnow := time.Now().UTC()\n\t\tm.cacheTimestamp = &now\n\t}\n\n\tcache := mavenRegistryCache{\n\t\tTimestamp: m.cacheTimestamp,\n\t\tResponses: m.responses.GetMap(),\n\t}\n\n\treturn gobMarshal(&cache)\n}\n\nfunc (m *MavenRegistryAPIClient) GobDecode(b []byte) error {\n\tvar cache mavenRegistryCache\n\tif err := gobUnmarshal(b, &cache); err != nil {\n\t\treturn err\n\t}\n\n\tif cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry {\n\t\t// Cache expired\n\t\treturn nil\n\t}\n\n\tm.mu.Lock()\n\tdefer m.mu.Unlock()\n\n\tm.cacheTimestamp = cache.Timestamp\n\tm.responses.SetMap(cache.Responses)\n\n\treturn nil\n}\n" }, { "path": "internal/datasource/maven_registry_test.go", "content": "package datasource\n\nimport (\n\t\"net/url\"\n\t\"reflect\"\n\t\"testing\"\n\n\t\"deps.dev/util/maven\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMavenRegistryAPIClient_GetProject(t *testing.T) {\n\tt.Parallel()\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tclient, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, ReleasesEnabled: true})\n\tsrv.SetResponse(t, \"org/example/x.y.z/1.0.0/x.y.z-1.0.0.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 1.0.0\n\t\n\t`))\n\n\tgot, err := client.GetProject(t.Context(), \"org.example\", \"x.y.z\", \"1.0.0\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get Maven project %s:%s verion %s: %v\", \"org.example\", \"x.y.z\", \"1.0.0\", err)\n\t}\n\twant := maven.Project{\n\t\tProjectKey: maven.ProjectKey{\n\t\t\tGroupID: \"org.example\",\n\t\t\tArtifactID: \"x.y.z\",\n\t\t\tVersion: \"1.0.0\",\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"GetProject(%s, %s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", \"1.0.0\", got, want)\n\t}\n}\n\nfunc TestGetProjectSnapshot(t *testing.T) {\n\tt.Parallel()\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tclient, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, SnapshotsEnabled: true})\n\tsrv.SetResponse(t, \"org/example/x.y.z/3.3.1-SNAPSHOT/maven-metadata.xml\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t \n\t \n\t 20230302.052731\n\t 9\n\t \n\t 20230302052731\n\t \n\t \n\t jar\n\t 3.3.1-20230302.052731-9\n\t 20230302052731\n\t \n\t \n\t pom\n\t 3.3.1-20230302.052731-9\n\t 20230302052731\n\t \n\t \n\t \n\t\n\t`))\n\tsrv.SetResponse(t, \"org/example/x.y.z/3.3.1-SNAPSHOT/x.y.z-3.3.1-20230302.052731-9.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 3.3.1-SNAPSHOT\n\t\n\t`))\n\n\tgot, err := client.GetProject(t.Context(), \"org.example\", \"x.y.z\", \"3.3.1-SNAPSHOT\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get Maven project %s:%s verion %s: %v\", \"org.example\", \"x.y.z\", \"3.3.1-SNAPSHOT\", err)\n\t}\n\twant := maven.Project{\n\t\tProjectKey: maven.ProjectKey{\n\t\t\tGroupID: \"org.example\",\n\t\t\tArtifactID: \"x.y.z\",\n\t\t\tVersion: \"3.3.1-SNAPSHOT\",\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"GetProject(%s, %s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", \"3.3.1-SNAPSHOT\", got, want)\n\t}\n}\n\nfunc TestGetArtifactMetadata(t *testing.T) {\n\tt.Parallel()\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tclient, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, ReleasesEnabled: true})\n\tsrv.SetResponse(t, \"org/example/x.y.z/maven-metadata.xml\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t \n\t 3.0\n\t 3.0\n\t \n\t 1.0\n\t 2.0\n\t\t 3.0\n\t \n\t \n\t\n\t`))\n\n\tu, err := url.Parse(srv.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get parse URL %s: %v\", srv.URL, err)\n\t}\n\n\tgot, err := client.getArtifactMetadata(t.Context(), MavenRegistry{Parsed: u}, \"org.example\", \"x.y.z\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get artifact metadata for %s:%s: %v\", \"org.example\", \"x.y.z\", err)\n\t}\n\twant := maven.Metadata{\n\t\tGroupID: \"org.example\",\n\t\tArtifactID: \"x.y.z\",\n\t\tVersioning: maven.Versioning{\n\t\t\tLatest: \"3.0\",\n\t\t\tRelease: \"3.0\",\n\t\t\tVersions: []maven.String{\n\t\t\t\t\"1.0\",\n\t\t\t\t\"2.0\",\n\t\t\t\t\"3.0\",\n\t\t\t},\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"GetArtifactMetadata(%s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", got, want)\n\t}\n}\n\nfunc TestGetVersionMetadata(t *testing.T) {\n\tt.Parallel()\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tclient, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: srv.URL, SnapshotsEnabled: true})\n\tsrv.SetResponse(t, \"org/example/x.y.z/3.3.1-SNAPSHOT/maven-metadata.xml\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t \n\t \n\t 20230302.052731\n\t 9\n\t \n\t 20230302052731\n\t \n\t \n\t jar\n\t 3.3.1-20230302.052731-9\n\t 20230302052731\n\t \n\t \n\t pom\n\t 3.3.1-20230302.052731-9\n\t 20230302052731\n\t \n\t \n\t \n\t\n\t`))\n\n\tu, err := url.Parse(srv.URL)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get parse URL %s: %v\", srv.URL, err)\n\t}\n\n\tgot, err := client.getVersionMetadata(t.Context(), MavenRegistry{Parsed: u}, \"org.example\", \"x.y.z\", \"3.3.1-SNAPSHOT\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get metadata for %s:%s verion %s: %v\", \"org.example\", \"x.y.z\", \"3.3.1-SNAPSHOT\", err)\n\t}\n\twant := maven.Metadata{\n\t\tGroupID: \"org.example\",\n\t\tArtifactID: \"x.y.z\",\n\t\tVersioning: maven.Versioning{\n\t\t\tSnapshot: maven.Snapshot{\n\t\t\t\tTimestamp: \"20230302.052731\",\n\t\t\t\tBuildNumber: 9,\n\t\t\t},\n\t\t\tLastUpdated: \"20230302052731\",\n\t\t\tSnapshotVersions: []maven.SnapshotVersion{\n\t\t\t\t{\n\t\t\t\t\tExtension: \"jar\",\n\t\t\t\t\tValue: \"3.3.1-20230302.052731-9\",\n\t\t\t\t\tUpdated: \"20230302052731\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tExtension: \"pom\",\n\t\t\t\t\tValue: \"3.3.1-20230302.052731-9\",\n\t\t\t\t\tUpdated: \"20230302052731\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"getVersionMetadata(%s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", got, want)\n\t}\n}\n\nfunc TestMultipleRegistry(t *testing.T) {\n\tt.Parallel()\n\n\tdft := testutility.NewMockHTTPServer(t)\n\tclient, _ := NewMavenRegistryAPIClient(MavenRegistry{URL: dft.URL, ReleasesEnabled: true})\n\tdft.SetResponse(t, \"org/example/x.y.z/maven-metadata.xml\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t \n\t 3.0.0\n\t 3.0.0\n\t \n\t 2.0.0\n\t\t 3.0.0\n\t \n\t \n\t\n\t`))\n\tdft.SetResponse(t, \"org/example/x.y.z/2.0.0/x.y.z-2.0.0.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 2.0.0\n\t\n\t`))\n\tdft.SetResponse(t, \"org/example/x.y.z/3.0.0/x.y.z-3.0.0.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 3.0.0\n\t\n\t`))\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tif err := client.AddRegistry(MavenRegistry{URL: srv.URL, ReleasesEnabled: true}); err != nil {\n\t\tt.Fatalf(\"failed to add registry %s: %v\", srv.URL, err)\n\t}\n\tsrv.SetResponse(t, \"org/example/x.y.z/maven-metadata.xml\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t \n\t 2.0.0\n\t 2.0.0\n\t \n\t 1.0.0\n\t\t 2.0.0\n\t \n\t \n\t\n\t`))\n\tsrv.SetResponse(t, \"org/example/x.y.z/1.0.0/x.y.z-1.0.0.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 1.0.0\n\t\n\t`))\n\tsrv.SetResponse(t, \"org/example/x.y.z/2.0.0/x.y.z-2.0.0.pom\", []byte(`\n\t\n\t org.example\n\t x.y.z\n\t 2.0.0\n\t\n\t`))\n\n\tgotProj, err := client.GetProject(t.Context(), \"org.example\", \"x.y.z\", \"1.0.0\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get Maven project %s:%s verion %s: %v\", \"org.example\", \"x.y.z\", \"1.0.0\", err)\n\t}\n\twantProj := maven.Project{\n\t\tProjectKey: maven.ProjectKey{\n\t\t\tGroupID: \"org.example\",\n\t\t\tArtifactID: \"x.y.z\",\n\t\t\tVersion: \"1.0.0\",\n\t\t},\n\t}\n\tif !reflect.DeepEqual(gotProj, wantProj) {\n\t\tt.Errorf(\"GetProject(%s, %s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", \"1.0.0\", gotProj, wantProj)\n\t}\n\n\tgotVersions, err := client.GetVersions(t.Context(), \"org.example\", \"x.y.z\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get versions for Maven package %s:%s: %v\", \"org.example\", \"x.y.z\", err)\n\t}\n\twantVersions := []maven.String{\"1.0.0\", \"2.0.0\", \"3.0.0\"}\n\tif !reflect.DeepEqual(gotVersions, wantVersions) {\n\t\tt.Errorf(\"GetVersions(%s, %s):\\ngot %v\\nwant %v\\n\", \"org.example\", \"x.y.z\", gotVersions, wantVersions)\n\t}\n}\n" }, { "path": "internal/datasource/maven_settings.go", "content": "package datasource\n\nimport (\n\t\"encoding/xml\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"unicode\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n)\n\n// Maven settings.xml file parsing for registry authentication.\n// https://maven.apache.org/settings.html\n\ntype MavenSettingsXML struct {\n\tServers []MavenSettingsXMLServer `xml:\"servers>server\"`\n}\n\ntype MavenSettingsXMLServer struct {\n\tID string `xml:\"id\"`\n\tUsername string `xml:\"username\"`\n\tPassword string `xml:\"password\"`\n}\n\nfunc ParseMavenSettings(path string) MavenSettingsXML {\n\tf, err := os.Open(path)\n\tif err != nil {\n\t\treturn MavenSettingsXML{}\n\t}\n\tdefer f.Close()\n\n\tvar settings MavenSettingsXML\n\tif err := xml.NewDecoder(f).Decode(&settings); err != nil {\n\t\treturn MavenSettingsXML{}\n\t}\n\n\t// interpolate strings with environment variables only\n\t// system properties are too hard to determine.\n\tre := cachedregexp.MustCompile(`\\${env\\.[^}]*}`)\n\treplFn := func(match string) string {\n\t\t// grab just the environment variable string\n\t\tenv := match[len(\"${env.\") : len(match)-1]\n\n\t\t// Environment variables on Windows are case-insensitive,\n\t\t// but Maven will only replace them if they are in all-caps.\n\t\tif runtime.GOOS == \"windows\" && strings.ContainsFunc(env, unicode.IsLower) {\n\t\t\treturn match // No replacement.\n\t\t}\n\n\t\tif val, ok := os.LookupEnv(env); ok {\n\t\t\treturn val\n\t\t}\n\n\t\t// Don't do any replacement if the environment variable isn't set\n\t\treturn match\n\t}\n\tfor i := range settings.Servers {\n\t\tsettings.Servers[i].ID = re.ReplaceAllStringFunc(settings.Servers[i].ID, replFn)\n\t\tsettings.Servers[i].Username = re.ReplaceAllStringFunc(settings.Servers[i].Username, replFn)\n\t\tsettings.Servers[i].Password = re.ReplaceAllStringFunc(settings.Servers[i].Password, replFn)\n\t}\n\n\treturn settings\n}\n\n// TODO: How to use with virtual filesystem + environment variables.\nfunc globalMavenSettingsFile() string {\n\t// ${maven.home}/conf/settings.xml\n\t// Find ${maven.home} from the installed mvn binary\n\tmvnExec, err := exec.LookPath(\"mvn\")\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\tmvnExec, err = filepath.EvalSymlinks(mvnExec)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\n\tsettings := filepath.Join(filepath.Dir(mvnExec), \"..\", \"conf\", \"settings.xml\")\n\tsettings, err = filepath.Abs(settings)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\n\treturn settings\n}\n\nfunc userMavenSettingsFile() string {\n\t// ${user.home}/.m2/settings.xml\n\thome, err := os.UserHomeDir()\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\n\treturn filepath.Join(home, \".m2\", \"settings.xml\")\n}\n\nvar mavenSupportedAuths = []HTTPAuthMethod{AuthDigest, AuthBasic}\n\nfunc MakeMavenAuth(globalSettings, userSettings MavenSettingsXML) map[string]*HTTPAuthentication {\n\tauth := make(map[string]*HTTPAuthentication)\n\tfor _, s := range globalSettings.Servers {\n\t\tauth[s.ID] = &HTTPAuthentication{\n\t\t\tSupportedMethods: mavenSupportedAuths,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: s.Username,\n\t\t\tPassword: s.Password,\n\t\t}\n\t}\n\n\tfor _, s := range userSettings.Servers {\n\t\tauth[s.ID] = &HTTPAuthentication{\n\t\t\tSupportedMethods: mavenSupportedAuths,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: s.Username,\n\t\t\tPassword: s.Password,\n\t\t}\n\t}\n\n\treturn auth\n}\n" }, { "path": "internal/datasource/maven_settings_test.go", "content": "package datasource_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n)\n\nfunc TestParseMavenSettings(t *testing.T) {\n\tt.Setenv(\"MAVEN_SETTINGS_TEST_USR\", \"UsErNaMe\")\n\tt.Setenv(\"MAVEN_SETTINGS_TEST_PWD\", \"P455W0RD\")\n\tt.Setenv(\"MAVEN_SETTINGS_TEST_SID\", \"my-cool-server\")\n\tt.Setenv(\"MAVEN_SETTINGS_TEST_NIL\", \"\")\n\twant := datasource.MavenSettingsXML{\n\t\tServers: []datasource.MavenSettingsXMLServer{\n\t\t\t{\n\t\t\t\tID: \"server1\",\n\t\t\t\tUsername: \"user\",\n\t\t\t\tPassword: \"pass\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"server2\",\n\t\t\t\tUsername: \"UsErNaMe\",\n\t\t\t\tPassword: \"~~P455W0RD~~\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"my-cool-server\",\n\t\t\t\tUsername: \"${env.maven_settings_test_usr}-\",\n\t\t\t\tPassword: \"${env.MAVEN_SETTINGS_TEST_BAD}\",\n\t\t\t},\n\t\t},\n\t}\n\n\tgot := datasource.ParseMavenSettings(\"./testdata/maven_settings/settings.xml\")\n\n\tif diff := cmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"ParseMavenSettings() (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc TestMakeMavenAuth(t *testing.T) {\n\tt.Parallel()\n\tglobalSettings := datasource.MavenSettingsXML{\n\t\tServers: []datasource.MavenSettingsXMLServer{\n\t\t\t{\n\t\t\t\tID: \"global\",\n\t\t\t\tUsername: \"global-user\",\n\t\t\t\tPassword: \"global-pass\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"overwrite1\",\n\t\t\t\tUsername: \"original-user\",\n\t\t\t\tPassword: \"original-pass\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"overwrite2\",\n\t\t\t\tUsername: \"user-to-be-deleted\",\n\t\t\t\t// no password\n\t\t\t},\n\t\t},\n\t}\n\tuserSettings := datasource.MavenSettingsXML{\n\t\tServers: []datasource.MavenSettingsXMLServer{\n\t\t\t{\n\t\t\t\tID: \"user\",\n\t\t\t\tUsername: \"user\",\n\t\t\t\tPassword: \"pass\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"overwrite1\",\n\t\t\t\tUsername: \"new-user\",\n\t\t\t\tPassword: \"new-pass\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tID: \"overwrite2\",\n\t\t\t\t// no username\n\t\t\t\tPassword: \"lone-password\",\n\t\t\t},\n\t\t},\n\t}\n\n\twantSupportedMethods := []datasource.HTTPAuthMethod{datasource.AuthDigest, datasource.AuthBasic}\n\twant := map[string]*datasource.HTTPAuthentication{\n\t\t\"global\": {\n\t\t\tSupportedMethods: wantSupportedMethods,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: \"global-user\",\n\t\t\tPassword: \"global-pass\",\n\t\t},\n\t\t\"user\": {\n\t\t\tSupportedMethods: wantSupportedMethods,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: \"user\",\n\t\t\tPassword: \"pass\",\n\t\t},\n\t\t\"overwrite1\": {\n\t\t\tSupportedMethods: wantSupportedMethods,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: \"new-user\",\n\t\t\tPassword: \"new-pass\",\n\t\t},\n\t\t\"overwrite2\": {\n\t\t\tSupportedMethods: wantSupportedMethods,\n\t\t\tAlwaysAuth: false,\n\t\t\tUsername: \"\",\n\t\t\tPassword: \"lone-password\",\n\t\t},\n\t}\n\n\tgot := datasource.MakeMavenAuth(globalSettings, userSettings)\n\tif diff := cmp.Diff(want, got, cmpopts.IgnoreUnexported(datasource.HTTPAuthentication{})); diff != \"\" {\n\t\tt.Errorf(\"MakeMavenAuth() (-want +got):\\n%s\", diff)\n\t}\n}\n" }, { "path": "internal/datasource/npm_registry.go", "content": "package datasource\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"net/http\"\n\t\"slices\"\n\t\"sync\"\n\t\"time\"\n\n\t\"github.com/tidwall/gjson\"\n)\n\ntype NpmRegistryAPIClient struct {\n\t// Registries from the npmrc config\n\t// This should only be written to when the client is first being created.\n\t// Other functions should not modify it & it is not covered by the mutex.\n\tregistries NpmRegistryConfig\n\n\t// cache fields\n\tmu sync.Mutex\n\tcacheTimestamp *time.Time // If set, this means we loaded from a cache\n\tdetails *RequestCache[string, npmRegistryPackageDetails]\n}\n\ntype npmRegistryPackageDetails struct {\n\t// Only cache the info needed for the DependencyClient\n\tVersions map[string]NpmRegistryDependencies\n\tTags map[string]string\n}\n\nfunc NewNpmRegistryAPIClient(workdir string) (*NpmRegistryAPIClient, error) {\n\tregistries, err := LoadNpmRegistryConfig(workdir)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &NpmRegistryAPIClient{\n\t\tregistries: registries,\n\t\tdetails: NewRequestCache[string, npmRegistryPackageDetails](),\n\t}, nil\n}\n\ntype NpmRegistryVersions struct {\n\tVersions []string\n\tTags map[string]string\n}\n\nfunc (c *NpmRegistryAPIClient) Versions(ctx context.Context, pkg string) (NpmRegistryVersions, error) {\n\tpkgDetails, err := c.getPackageDetails(ctx, pkg)\n\tif err != nil {\n\t\treturn NpmRegistryVersions{}, err\n\t}\n\n\treturn NpmRegistryVersions{\n\t\tVersions: slices.AppendSeq(make([]string, 0, len(pkgDetails.Versions)), maps.Keys(pkgDetails.Versions)),\n\t\tTags: pkgDetails.Tags,\n\t}, nil\n}\n\ntype NpmRegistryDependencies struct {\n\t// TODO: These maps should preserve ordering from JSON response\n\tDependencies map[string]string\n\tDevDependencies map[string]string\n\tPeerDependencies map[string]string\n\tOptionalDependencies map[string]string\n\tBundleDependencies []string\n}\n\nfunc (c *NpmRegistryAPIClient) Dependencies(ctx context.Context, pkg, version string) (NpmRegistryDependencies, error) {\n\tpkgDetails, err := c.getPackageDetails(ctx, pkg)\n\tif err != nil {\n\t\treturn NpmRegistryDependencies{}, err\n\t}\n\n\tif deps, ok := pkgDetails.Versions[version]; ok {\n\t\treturn deps, nil\n\t}\n\n\treturn NpmRegistryDependencies{}, fmt.Errorf(\"no version %s for package %s\", version, pkg)\n}\n\nfunc (c *NpmRegistryAPIClient) FullJSON(ctx context.Context, pkg, version string) (gjson.Result, error) {\n\treturn c.get(ctx, pkg, version)\n}\n\nfunc (c *NpmRegistryAPIClient) get(ctx context.Context, urlComponents ...string) (gjson.Result, error) {\n\tresp, err := c.registries.MakeRequest(ctx, http.DefaultClient, urlComponents...)\n\tif err != nil {\n\t\treturn gjson.Result{}, err\n\t}\n\n\tdefer resp.Body.Close()\n\tif resp.StatusCode != http.StatusOK {\n\t\treturn gjson.Result{}, errors.New(resp.Status)\n\t}\n\n\tbody, err := io.ReadAll(resp.Body)\n\tif err != nil {\n\t\treturn gjson.Result{}, err\n\t}\n\n\tres := gjson.ParseBytes(body)\n\n\treturn res, nil\n}\n\nfunc (c *NpmRegistryAPIClient) getPackageDetails(ctx context.Context, pkg string) (npmRegistryPackageDetails, error) {\n\treturn c.details.Get(pkg, func() (npmRegistryPackageDetails, error) {\n\t\tjsonData, err := c.get(ctx, pkg)\n\t\tif err != nil {\n\t\t\treturn npmRegistryPackageDetails{}, err\n\t\t}\n\n\t\tversions := make(map[string]NpmRegistryDependencies)\n\t\tfor v, data := range jsonData.Get(\"versions\").Map() {\n\t\t\tversions[v] = NpmRegistryDependencies{\n\t\t\t\tDependencies: jsonToStringMap(data.Get(\"dependencies\")),\n\t\t\t\tDevDependencies: jsonToStringMap(data.Get(\"devDependencies\")),\n\t\t\t\tPeerDependencies: jsonToStringMap(data.Get(\"peerDependencies\")),\n\t\t\t\tOptionalDependencies: jsonToStringMap(data.Get(\"optionalDependencies\")),\n\t\t\t\tBundleDependencies: jsonToStringSlice(data.Get(\"bundleDependencies\")),\n\t\t\t}\n\t\t}\n\n\t\treturn npmRegistryPackageDetails{\n\t\t\tVersions: versions,\n\t\t\tTags: jsonToStringMap(jsonData.Get(\"dist-tags\")),\n\t\t}, nil\n\t})\n}\n\nfunc jsonToStringSlice(v gjson.Result) []string {\n\tarr := v.Array()\n\tif len(arr) == 0 {\n\t\treturn nil\n\t}\n\tstrs := make([]string, len(arr))\n\tfor i, s := range arr {\n\t\tstrs[i] = s.String()\n\t}\n\n\treturn strs\n}\n\nfunc jsonToStringMap(v gjson.Result) map[string]string {\n\tmp := v.Map()\n\tif len(mp) == 0 {\n\t\treturn nil\n\t}\n\tstrs := make(map[string]string)\n\tfor k, s := range mp {\n\t\tstrs[k] = s.String()\n\t}\n\n\treturn strs\n}\n" }, { "path": "internal/datasource/npm_registry_cache.go", "content": "package datasource\n\nimport (\n\t\"maps\"\n\t\"strings\"\n\t\"time\"\n)\n\ntype npmRegistryCache struct {\n\tTimestamp *time.Time // Timestamp of when this cache was made\n\tDetails map[string]npmRegistryPackageDetails // For a package name, the versions & their dependencies, and the list of tags\n\tScopeURLs map[string]string // The URL of the registry used for a given package @scope. Used to invalidate cache if registry has changed.\n}\n\nfunc (c *NpmRegistryAPIClient) GobEncode() ([]byte, error) {\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\tif c.cacheTimestamp == nil {\n\t\tnow := time.Now().UTC()\n\t\tc.cacheTimestamp = &now\n\t}\n\n\tcache := npmRegistryCache{\n\t\tTimestamp: c.cacheTimestamp,\n\t\tDetails: c.details.GetMap(),\n\t\tScopeURLs: make(map[string]string),\n\t}\n\n\t// store the registry URL for each scope (but not the auth info)\n\tcache.ScopeURLs = c.registries.ScopeURLs\n\n\treturn gobMarshal(&cache)\n}\n\nfunc (c *NpmRegistryAPIClient) GobDecode(b []byte) error {\n\t// decode the cached data\n\tvar cache npmRegistryCache\n\tif err := gobUnmarshal(b, &cache); err != nil {\n\t\treturn err\n\t}\n\n\tif cache.Timestamp != nil && time.Since(*cache.Timestamp) >= cacheExpiry {\n\t\t// Cache expired\n\t\treturn nil\n\t}\n\n\tc.mu.Lock()\n\tdefer c.mu.Unlock()\n\n\t// remove any cache entries whose registry has changed\n\tmaps.DeleteFunc(cache.Details, func(pkg string, _ npmRegistryPackageDetails) bool {\n\t\tscope := \"\"\n\t\tif strings.HasPrefix(pkg, \"@\") {\n\t\t\tscope, _, _ = strings.Cut(pkg, \"/\")\n\t\t}\n\n\t\treturn cache.ScopeURLs[scope] != c.registries.ScopeURLs[scope]\n\t})\n\n\tc.cacheTimestamp = cache.Timestamp\n\tc.details.SetMap(cache.Details)\n\n\treturn nil\n}\n" }, { "path": "internal/datasource/npm_registry_test.go", "content": "package datasource_test\n\nimport (\n\tcompare \"cmp\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc TestNpmRegistryClient(t *testing.T) {\n\tt.Parallel()\n\n\t//nolint:gosec // \"Potential hardcoded credentials\" :)\n\tconst (\n\t\tauth = \"Y29vbDphdXRoCg==\"\n\t\tauthToken = \"bmljZS10b2tlbgo=\"\n\t)\n\n\tsrv1 := testutility.NewMockHTTPServer(t)\n\tsrv1.SetAuthorization(t, \"Basic \"+auth)\n\tsrv1.SetResponseFromFile(t, \"/fake-package\", \"./testdata/npm_registry/fake-package.json\")\n\tsrv1.SetResponseFromFile(t, \"/fake-package/2.2.2\", \"./testdata/npm_registry/fake-package-2.2.2.json\")\n\n\tsrv2 := testutility.NewMockHTTPServer(t)\n\tsrv2.SetAuthorization(t, \"Bearer \"+authToken)\n\tsrv2.SetResponseFromFile(t, \"/@fake-registry%2fa\", \"./testdata/npm_registry/@fake-registry-a.json\")\n\n\tnpmrcFile := createTempNpmrc(t, \".npmrc\")\n\twriteToNpmrc(t, npmrcFile,\n\t\t\"registry=\"+srv1.URL,\n\t\t\"//\"+strings.TrimPrefix(srv1.URL, \"http://\")+\"/:_auth=\"+auth,\n\t\t\"@fake-registry:registry=\"+srv2.URL,\n\t\t\"//\"+strings.TrimPrefix(srv2.URL, \"http://\")+\"/:_authToken=\"+authToken,\n\t)\n\n\tcl, err := datasource.NewNpmRegistryAPIClient(filepath.Dir(npmrcFile))\n\tif err != nil {\n\t\tt.Fatalf(\"failed creating npm api client: %v\", err)\n\t}\n\t{\n\t\tconst pkg = \"fake-package\"\n\t\twant := datasource.NpmRegistryVersions{\n\t\t\tVersions: []string{\"1.0.0\", \"2.2.2\"},\n\t\t\tTags: map[string]string{\n\t\t\t\t\"latest\": \"1.0.0\",\n\t\t\t\t\"version1\": \"1.0.0\",\n\t\t\t\t\"version2\": \"2.2.2\",\n\t\t\t},\n\t\t}\n\t\tgot, err := cl.Versions(t.Context(), pkg)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed getting versions: %v\", err)\n\t\t}\n\t\tif diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != \"\" {\n\t\t\tt.Errorf(\"Versions(\\\"%s\\\") (-want +got)\\n%s\", pkg, diff)\n\t\t}\n\t}\n\t{\n\t\tconst pkg = \"@fake-registry/a\"\n\t\twant := datasource.NpmRegistryVersions{\n\t\t\tVersions: []string{\"1.2.3\", \"2.3.4\"},\n\t\t\tTags: map[string]string{\"latest\": \"2.3.4\"},\n\t\t}\n\t\tgot, err := cl.Versions(t.Context(), pkg)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed getting versions: %v\", err)\n\t\t}\n\t\tif diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != \"\" {\n\t\t\tt.Errorf(\"Versions(\\\"%s\\\") (-want +got)\\n%s\", pkg, diff)\n\t\t}\n\t}\n\n\t{\n\t\tconst pkg = \"fake-package\"\n\t\tconst ver = \"2.2.2\"\n\t\twant := datasource.NpmRegistryDependencies{\n\t\t\tDependencies: map[string]string{\n\t\t\t\t\"a\": \"^3.0.1\",\n\t\t\t\t\"b\": \"^2.0.1\",\n\t\t\t\t\"e\": \"^0.2.33\",\n\t\t\t\t\"f\": \"npm:g@^2.0.1\",\n\t\t\t},\n\t\t\tDevDependencies: map[string]string{\n\t\t\t\t\"c\": \"^1.1.1\",\n\t\t\t\t\"d\": \"^1.0.2\",\n\t\t\t},\n\t\t\tPeerDependencies: map[string]string{\n\t\t\t\t\"h\": \"^1.0.0\",\n\t\t\t},\n\t\t\tOptionalDependencies: map[string]string{\n\t\t\t\t\"e\": \"^0.2.33\",\n\t\t\t\t\"f\": \"npm:g@^2.0.1\",\n\t\t\t},\n\t\t\tBundleDependencies: []string{\n\t\t\t\t\"a\",\n\t\t\t},\n\t\t}\n\t\tgot, err := cl.Dependencies(t.Context(), pkg, ver)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed getting dependencies: %v\", err)\n\t\t}\n\t\tif diff := cmp.Diff(want, got, cmpopts.SortSlices(compare.Less[string])); diff != \"\" {\n\t\t\tt.Errorf(\"Dependencies(\\\"%s\\\", \\\"%s\\\") (-want +got)\\n%s\", pkg, ver, diff)\n\t\t}\n\t}\n\t{\n\t\tconst pkg = \"fake-package\"\n\t\tconst ver = \"2.2.2\"\n\t\twant := gjson.Parse(`{\n\t\t\t\"name\": \"fake-package\",\n\t\t\t\"version\": \"2.2.2\",\n\t\t\t\"main\": \"index.js\",\n\t\t\t\"scripts\": {\n\t\t\t\t\"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n\t\t\t},\n\t\t\t\"author\": \"\",\n\t\t\t\"license\": \"ISC\",\n\t\t\t\"dependencies\": {\n\t\t\t\t\"a\": \"^3.0.1\",\n\t\t\t\t\"b\": \"^2.0.1\",\n\t\t\t\t\"e\": \"^0.2.33\",\n\t\t\t\t\"f\": \"npm:g@^2.0.1\"\n\t\t\t},\n\t\t\t\"devDependencies\": {\n\t\t\t\t\"c\": \"^1.1.1\",\n\t\t\t\t\"d\": \"^1.0.2\"\n\t\t\t},\n\t\t\t\"optionalDependencies\": {\n\t\t\t\t\"e\": \"^0.2.33\",\n\t\t\t\t\"f\": \"npm:g@^2.0.1\"\n\t\t\t},\n\t\t\t\"peerDependencies\": {\n\t\t\t\t\"h\": \"^1.0.0\"\n\t\t\t},\n\t\t\t\"bundleDependencies\": [\n\t\t\t\t\"a\"\n\t\t\t],\n\t\t\t\"_id\": \"fake-package@2.2.2\",\n\t\t\t\"_nodeVersion\": \"20.9.0\",\n\t\t\t\"_npmVersion\": \"10.1.0\",\n\t\t\t\"dist\": {\n\t\t\t\t\"integrity\": \"sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==\",\n\t\t\t\t\"shasum\": \"8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc\",\n\t\t\t\t\"tarball\": \"http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz\"\n\t\t\t},\n\t\t\t\"contributors\": []\n\t\t}`)\n\t\tgot, err := cl.FullJSON(t.Context(), pkg, ver)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed getting full json: %v\", err)\n\t\t}\n\t\twantMap := want.Value().(map[string]any)\n\t\tgotMap := got.Value().(map[string]any)\n\t\tif diff := cmp.Diff(wantMap, gotMap, cmpopts.SortSlices(compare.Less[string])); diff != \"\" {\n\t\t\tt.Errorf(\"FullJSON(\\\"%s\\\", \\\"%s\\\") (-want +got)\\n%s\", pkg, ver, diff)\n\t\t}\n\t}\n}\n" }, { "path": "internal/datasource/npmrc.go", "content": "package datasource\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/base64\"\n\t\"errors\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"gopkg.in/ini.v1\"\n)\n\ntype NpmrcConfig map[string]string\n\nfunc loadNpmrc(workdir string) (NpmrcConfig, error) {\n\t// Find & parse the 4 npmrc files (builtin, global, user, project) + values set in environment variables\n\t// https://docs.npmjs.com/cli/v10/configuring-npm/npmrc\n\t// https://docs.npmjs.com/cli/v10/using-npm/config\n\n\t// project npmrc is always in ./.npmrc\n\tprojectFile, _ := filepath.Abs(filepath.Join(workdir, \".npmrc\"))\n\t// TODO: Pass in environment variables so we can sandbox tests\n\tbuiltinFile := builtinNpmrc()\n\tenvVarOpts, _ := envVarNpmrc()\n\n\topts := ini.LoadOptions{\n\t\tLoose: true, // ignore missing files\n\t\tKeyValueDelimiters: \"=\", // default delimiters are \"=:\", but npmrc uses : in some keys\n\t}\n\t// Make use of data overwriting to load the correct values\n\tfullNpmrc, err := ini.LoadSources(opts, builtinFile, projectFile, envVarOpts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// user npmrc is either set as userconfig, or ${HOME}/.npmrc\n\t// though userconfig cannot be set in the user or global npmrcs\n\tvar userFile string\n\tswitch {\n\tcase fullNpmrc.Section(\"\").HasKey(\"userconfig\"):\n\t\tuserFile = os.ExpandEnv(fullNpmrc.Section(\"\").Key(\"userconfig\").String())\n\t\t// TODO: npm config replaces only ${VAR}, not $VAR\n\t\t// and if VAR is unset, it will leave the string as \"${VAR}\"\n\tdefault:\n\t\thomeDir, err := os.UserHomeDir()\n\t\tif err == nil { // only set userFile if homeDir exists\n\t\t\tuserFile = filepath.Join(homeDir, \".npmrc\")\n\t\t}\n\t}\n\n\t// reload the npmrc files with the user file included\n\tfullNpmrc, err = ini.LoadSources(opts, builtinFile, userFile, projectFile, envVarOpts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar globalFile string\n\t// global npmrc is either set as globalconfig, prefix/etc/npmrc, ${PREFIX}/etc/npmrc\n\t// cannot be set within the global npmrc itself\n\tswitch {\n\tcase fullNpmrc.Section(\"\").HasKey(\"globalconfig\"):\n\t\tglobalFile = os.ExpandEnv(fullNpmrc.Section(\"\").Key(\"globalconfig\").String())\n\t// TODO: Windows\n\tcase fullNpmrc.Section(\"\").HasKey(\"prefix\"):\n\t\tprefix := os.ExpandEnv(fullNpmrc.Section(\"\").Key(\"prefix\").String())\n\t\tglobalFile, _ = filepath.Abs(filepath.Join(prefix, \"etc\", \"npmrc\"))\n\tcase os.Getenv(\"PREFIX\") != \"\":\n\t\tglobalFile, _ = filepath.Abs(filepath.Join(os.Getenv(\"PREFIX\"), \"etc\", \"npmrc\"))\n\tdefault:\n\t\tglobalFile = filepath.Join(\"/etc\", \"npmrc\") // TODO: what should this be actually?\n\t}\n\n\t// return final joined config, with correct overriding order\n\tfullNpmrc, err = ini.LoadSources(opts, builtinFile, globalFile, userFile, projectFile, envVarOpts)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn fullNpmrc.Section(\"\").KeysHash(), nil\n}\n\nfunc envVarNpmrc() ([]byte, error) {\n\t// parse npm config settings that were set in environment variables,\n\t// returns a ini.Load()-able byte array of the values\n\n\tiniFile := ini.Empty()\n\t// npm config environment variables seem to be case-insensitive, interpreted in lowercase\n\t// get all the matching environment variables and their values\n\tconst envPrefix = \"npm_config_\"\n\tfor _, env := range os.Environ() {\n\t\tsplit := strings.SplitN(env, \"=\", 2)\n\t\tk := strings.ToLower(split[0])\n\t\tv := split[1]\n\t\tif s, ok := strings.CutPrefix(k, envPrefix); ok {\n\t\t\tif _, err := iniFile.Section(\"\").NewKey(s, v); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t}\n\tvar buf bytes.Buffer\n\t_, err := iniFile.WriteTo(&buf)\n\n\treturn buf.Bytes(), err\n}\n\nfunc builtinNpmrc() string {\n\t// builtin is always at /path/to/npm/npmrc\n\tnpmExec, err := exec.LookPath(\"npm\")\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\tnpmExec, err = filepath.EvalSymlinks(npmExec)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\tnpmrc := filepath.Join(filepath.Dir(npmExec), \"..\", \"npmrc\")\n\tnpmrc, err = filepath.Abs(npmrc)\n\tif err != nil {\n\t\treturn \"\"\n\t}\n\n\treturn npmrc\n}\n\n// NpmRegistryAuths handles npm registry authentication in a manner similar to npm-registry-fetch\n// https://github.com/npm/npm-registry-fetch/blob/237d33b45396caa00add61e0549cf09fbf9deb4f/lib/auth.js\ntype NpmRegistryAuths map[string]*HTTPAuthentication\n\nfunc (auths NpmRegistryAuths) GetAuth(uri string) *HTTPAuthentication {\n\tparsed, err := url.Parse(uri)\n\tif err != nil {\n\t\treturn nil\n\t}\n\tregKey := \"//\" + parsed.Host + parsed.EscapedPath()\n\tfor regKey != \"//\" {\n\t\tif httpAuth, ok := auths[regKey]; ok {\n\t\t\t// Make sure this httpAuth actually has the necessary fields to construct an auth.\n\t\t\t// i.e. it's not valid if only Username or only Password is set\n\t\t\tif httpAuth.BearerToken != \"\" ||\n\t\t\t\thttpAuth.BasicAuth != \"\" ||\n\t\t\t\t(httpAuth.Username != \"\" && httpAuth.Password != \"\") {\n\t\t\t\treturn httpAuth\n\t\t\t}\n\t\t}\n\n\t\t// can be either //host/some/path/:_auth or //host/some/path:_auth\n\t\t// walk up by removing EITHER what's after the slash OR the slash itself\n\t\tvar found bool\n\t\tif regKey, found = strings.CutSuffix(regKey, \"/\"); !found {\n\t\t\tregKey = regKey[:strings.LastIndex(regKey, \"/\")+1]\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// urlPathEscapeLower is url.PathEscape but with lowercase letters in hex codes (matching npm's behaviour)\n// e.g. \"@reg/pkg\" -> \"@reg%2fpkg\"\nfunc urlPathEscapeLower(s string) string {\n\tescaped := url.PathEscape(s)\n\tre := cachedregexp.MustCompile(`%[0-9A-F]{2}`)\n\n\treturn re.ReplaceAllStringFunc(escaped, strings.ToLower)\n}\n\ntype NpmRegistryConfig struct {\n\tScopeURLs map[string]string // map of @scope to registry URL\n\tAuths NpmRegistryAuths // auth info per npm registry URI\n}\n\nfunc LoadNpmRegistryConfig(workdir string) (NpmRegistryConfig, error) {\n\tnpmrc, err := loadNpmrc(workdir)\n\tif err != nil {\n\t\treturn NpmRegistryConfig{}, err\n\t}\n\n\treturn ParseNpmRegistryInfo(npmrc), nil\n}\n\n// MakeRequest makes the http request to the corresponding npm registry api (with auth).\n// urlComponents should be (package) or (package, version)\nfunc (r NpmRegistryConfig) MakeRequest(ctx context.Context, httpClient *http.Client, urlComponents ...string) (*http.Response, error) {\n\tif len(urlComponents) == 0 {\n\t\treturn nil, errors.New(\"no package specified in npm request\")\n\t}\n\t// find the corresponding registryInfo for the package's scope\n\tpkg := urlComponents[0]\n\tscope := \"\"\n\tif strings.HasPrefix(pkg, \"@\") {\n\t\tscope, _, _ = strings.Cut(pkg, \"/\")\n\t}\n\tbaseURL, ok := r.ScopeURLs[scope]\n\tif !ok {\n\t\t// no specific rules for this scope, use the default scope\n\t\tbaseURL = r.ScopeURLs[\"\"]\n\t}\n\n\tfor i := range urlComponents {\n\t\turlComponents[i] = urlPathEscapeLower(urlComponents[i])\n\t}\n\treqURL, err := url.JoinPath(baseURL, urlComponents...)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn r.Auths.GetAuth(reqURL).Get(ctx, httpClient, reqURL)\n}\n\nvar npmSupportedAuths = []HTTPAuthMethod{AuthBearer, AuthBasic}\n\nfunc ParseNpmRegistryInfo(npmrc NpmrcConfig) NpmRegistryConfig {\n\tconfig := NpmRegistryConfig{\n\t\tScopeURLs: map[string]string{\"\": \"https://registry.npmjs.org/\"}, // set the default registry\n\t\tAuths: make(map[string]*HTTPAuthentication),\n\t}\n\n\tgetOrInitAuth := func(key string) *HTTPAuthentication {\n\t\tif auth, ok := config.Auths[key]; ok {\n\t\t\treturn auth\n\t\t}\n\t\tauth := &HTTPAuthentication{\n\t\t\tSupportedMethods: npmSupportedAuths,\n\t\t\tAlwaysAuth: true,\n\t\t}\n\t\tconfig.Auths[key] = auth\n\n\t\treturn auth\n\t}\n\n\tfor name, value := range npmrc {\n\t\tvar part1, part2 string\n\t\t// must split on the last ':' in case e.g. '//localhost:8080/:_auth=xyz'\n\t\tif idx := strings.LastIndex(name, \":\"); idx >= 0 {\n\t\t\tpart1, part2 = name[:idx], name[idx+1:]\n\t\t}\n\t\tvalue := os.ExpandEnv(value)\n\t\t// TODO: npm config replaces only ${VAR}, not $VAR\n\t\t// and if VAR is unset, it will leave the string as \"${VAR}\"\n\t\tswitch {\n\t\tcase name == \"registry\": // registry=...\n\t\t\tconfig.ScopeURLs[\"\"] = value\n\t\tcase part2 == \"registry\": // @scope:registry=...\n\t\t\tconfig.ScopeURLs[part1] = value\n\t\tcase part2 == \"_authToken\": // //uri:_authToken=...\n\t\t\tgetOrInitAuth(part1).BearerToken = value\n\t\tcase part2 == \"_auth\": // //uri:_auth=...\n\t\t\tgetOrInitAuth(part1).BasicAuth = value\n\t\tcase part2 == \"username\": // //uri:username=...\n\t\t\tgetOrInitAuth(part1).Username = value\n\t\tcase part2 == \"_password\": // //uri:_password=\n\t\t\tpassword, err := base64.StdEncoding.DecodeString(value)\n\t\t\tif err != nil {\n\t\t\t\t// TODO: mimic the behaviour of node's Buffer.from(s, 'base64').toString()\n\t\t\t\t// e.g. ignore invalid characters, stop parsing after first '=', just never throw an error\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tgetOrInitAuth(part1).Password = string(password)\n\t\t}\n\t}\n\n\treturn config\n}\n" }, { "path": "internal/datasource/npmrc_test.go", "content": "package datasource_test\n\nimport (\n\t\"encoding/base64\"\n\t\"fmt\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\n// These tests rely on using 'globalconfig' and 'userconfig' in the package .npmrc to override their default locations.\n// It's also possible for environment variables or the builtin npmrc to mess with these tests.\n// TODO: Should test the default and other methods of setting the global/user config.\n\nfunc createTempNpmrc(t *testing.T, filename string) string {\n\tt.Helper()\n\tdir := testutility.CreateTestDir(t)\n\tfile := filepath.Join(dir, filename)\n\tf, err := os.Create(file)\n\tif err != nil {\n\t\tt.Fatalf(\"could not create test npmrc file: %v\", err)\n\t}\n\tf.Close()\n\n\treturn file\n}\n\nfunc writeToNpmrc(t *testing.T, file string, lines ...string) {\n\tt.Helper()\n\tf, err := os.OpenFile(file, os.O_APPEND|os.O_WRONLY, 0666)\n\tif err != nil {\n\t\tt.Fatalf(\"could not write to test npmrc file: %v\", err)\n\t}\n\tdefer f.Close()\n\tfor _, line := range lines {\n\t\tif _, err := fmt.Fprintln(f, line); err != nil {\n\t\t\tt.Fatalf(\"could not write to test npmrc file: %v\", err)\n\t\t}\n\t}\n}\n\ntype testNpmrcFiles struct {\n\tglobal string\n\tuser string\n\tproject string\n}\n\nfunc makeBlankNpmrcFiles(t *testing.T) testNpmrcFiles {\n\tt.Helper()\n\tvar files testNpmrcFiles\n\tfiles.global = createTempNpmrc(t, \"npmrc\")\n\tfiles.user = createTempNpmrc(t, \".npmrc\")\n\tfiles.project = createTempNpmrc(t, \".npmrc\")\n\twriteToNpmrc(t, files.project, \"globalconfig=\"+files.global, \"userconfig=\"+files.user)\n\n\treturn files\n}\n\nfunc checkNpmRegistryRequest(t *testing.T, config datasource.NpmRegistryConfig, urlComponents []string, wantURL string, wantAuth string) {\n\tt.Helper()\n\tmt := &mockTransport{}\n\thttpClient := &http.Client{Transport: mt}\n\tresp, err := config.MakeRequest(t.Context(), httpClient, urlComponents...)\n\tif err != nil {\n\t\tt.Fatalf(\"error making request: %v\", err)\n\t}\n\tdefer resp.Body.Close()\n\tif len(mt.Requests) != 1 {\n\t\tt.Fatalf(\"unexpected number of requests made: %v\", len(mt.Requests))\n\t}\n\treq := mt.Requests[0]\n\tgotURL := req.URL.String()\n\tif gotURL != wantURL {\n\t\tt.Errorf(\"MakeRequest() URL was %s, want %s\", gotURL, wantURL)\n\t}\n\tgotAuth := req.Header.Get(\"Authorization\")\n\tif gotAuth != wantAuth {\n\t\tt.Errorf(\"MakeRequest() Authorization was \\\"%s\\\", want \\\"%s\\\"\", gotAuth, wantAuth)\n\t}\n}\n\nfunc TestLoadNpmRegistryConfig_WithNoRegistries(t *testing.T) {\n\tt.Parallel()\n\tnpmrcFiles := makeBlankNpmrcFiles(t)\n\n\tconfig, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project))\n\tif err != nil {\n\t\tt.Fatalf(\"could not parse npmrc: %v\", err)\n\t}\n\n\tif nRegs := len(config.ScopeURLs); nRegs != 1 {\n\t\tt.Errorf(\"expected 1 npm registry, got %v\", nRegs)\n\t}\n\n\tcheckNpmRegistryRequest(t, config, []string{\"@test/package\", \"1.2.3\"},\n\t\t\"https://registry.npmjs.org/@test%2fpackage/1.2.3\", \"\")\n}\n\nfunc TestLoadNpmRegistryConfig_WithAuth(t *testing.T) {\n\tt.Parallel()\n\tnpmrcFiles := makeBlankNpmrcFiles(t)\n\twriteToNpmrc(t, npmrcFiles.project,\n\t\t\"registry=https://registry1.test.com\",\n\t\t\"//registry1.test.com/:_auth=bXVjaDphdXRoCg==\",\n\t\t\"@test1:registry=https://registry2.test.com\",\n\t\t\"//registry2.test.com/:_authToken=c3VjaCB0b2tlbgo=\",\n\t\t\"@test2:registry=https://sub.registry2.test.com\",\n\t\t\"//sub.registry2.test.com:username=user\",\n\t\t\"//sub.registry2.test.com:_password=d293Cg==\",\n\t)\n\n\tconfig, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project))\n\tif err != nil {\n\t\tt.Fatalf(\"could not parse npmrc: %v\", err)\n\t}\n\n\tcheckNpmRegistryRequest(t, config, []string{\"foo\"}, \"https://registry1.test.com/foo\", \"Basic bXVjaDphdXRoCg==\")\n\tcheckNpmRegistryRequest(t, config, []string{\"@test0/bar\"}, \"https://registry1.test.com/@test0%2fbar\", \"Basic bXVjaDphdXRoCg==\")\n\tcheckNpmRegistryRequest(t, config, []string{\"@test1/baz\"}, \"https://registry2.test.com/@test1%2fbaz\", \"Bearer c3VjaCB0b2tlbgo=\")\n\tcheckNpmRegistryRequest(t, config, []string{\"@test2/test\"}, \"https://sub.registry2.test.com/@test2%2ftest\", \"Basic dXNlcjp3b3cK\")\n}\n\n// Do not make this test parallel because it calls t.Setenv()\nfunc TestLoadNpmRegistryConfig_WithOverrides(t *testing.T) {\n\tcheck := func(t *testing.T, npmrcFiles testNpmrcFiles, wantURLs [5]string) {\n\t\tt.Helper()\n\t\tconfig, err := datasource.LoadNpmRegistryConfig(filepath.Dir(npmrcFiles.project))\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"could not parse npmrc: %v\", err)\n\t\t}\n\t\tcheckNpmRegistryRequest(t, config, []string{\"pkg\"}, wantURLs[0], \"\")\n\t\tcheckNpmRegistryRequest(t, config, []string{\"@general/pkg\"}, wantURLs[1], \"\")\n\t\tcheckNpmRegistryRequest(t, config, []string{\"@global/pkg\"}, wantURLs[2], \"\")\n\t\tcheckNpmRegistryRequest(t, config, []string{\"@user/pkg\"}, wantURLs[3], \"\")\n\t\tcheckNpmRegistryRequest(t, config, []string{\"@project/pkg\"}, wantURLs[4], \"\")\n\t}\n\n\tnpmrcFiles := makeBlankNpmrcFiles(t)\n\twriteToNpmrc(t, npmrcFiles.project, \"@project:registry=https://project.registry.com\")\n\twriteToNpmrc(t, npmrcFiles.user, \"@user:registry=https://user.registry.com\")\n\twriteToNpmrc(t, npmrcFiles.global,\n\t\t\"@global:registry=https://global.registry.com\",\n\t\t\"@general:registry=https://general.global.registry.com\",\n\t\t\"registry=https://global.registry.com\",\n\t)\n\twantURLs := [5]string{\n\t\t\"https://global.registry.com/pkg\",\n\t\t\"https://general.global.registry.com/@general%2fpkg\",\n\t\t\"https://global.registry.com/@global%2fpkg\",\n\t\t\"https://user.registry.com/@user%2fpkg\",\n\t\t\"https://project.registry.com/@project%2fpkg\",\n\t}\n\tcheck(t, npmrcFiles, wantURLs)\n\n\t// override global in user\n\twriteToNpmrc(t, npmrcFiles.user,\n\t\t\"@general:registry=https://general.user.registry.com\",\n\t\t\"registry=https://user.registry.com\",\n\t)\n\twantURLs[0] = \"https://user.registry.com/pkg\"\n\twantURLs[1] = \"https://general.user.registry.com/@general%2fpkg\"\n\tcheck(t, npmrcFiles, wantURLs)\n\n\t// override global/user in project\n\twriteToNpmrc(t, npmrcFiles.project,\n\t\t\"@general:registry=https://general.project.registry.com\",\n\t\t\"registry=https://project.registry.com\",\n\t)\n\twantURLs[0] = \"https://project.registry.com/pkg\"\n\twantURLs[1] = \"https://general.project.registry.com/@general%2fpkg\"\n\tcheck(t, npmrcFiles, wantURLs)\n\n\t// override global/user/project in environment variable\n\tt.Setenv(\"NPM_CONFIG_REGISTRY\", \"https://environ.registry.com\")\n\twantURLs[0] = \"https://environ.registry.com/pkg\"\n\tcheck(t, npmrcFiles, wantURLs)\n}\n\nfunc TestNpmRegistryAuths(t *testing.T) {\n\tt.Parallel()\n\tb64enc := func(s string) string {\n\t\tt.Helper()\n\t\treturn base64.StdEncoding.EncodeToString([]byte(s))\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tconfig datasource.NpmrcConfig\n\t\trequestURL string\n\t\twantAuth string\n\t}{\n\t\t// Auth tests adapted from npm-registry-fetch\n\t\t// https://github.com/npm/npm-registry-fetch/blob/237d33b45396caa00add61e0549cf09fbf9deb4f/test/auth.js\n\t\t{\n\t\t\tname: \"basic_auth\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//my.custom.registry/here/:username\": \"user\",\n\t\t\t\t\"//my.custom.registry/here/:_password\": b64enc(\"pass\"),\n\t\t\t},\n\t\t\trequestURL: \"https://my.custom.registry/here/\",\n\t\t\twantAuth: \"Basic \" + b64enc(\"user:pass\"),\n\t\t},\n\t\t{\n\t\t\tname: \"token_auth\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//my.custom.registry/here/:_authToken\": \"c0ffee\",\n\t\t\t\t\"//my.custom.registry/here/:token\": \"nope\",\n\t\t\t\t\"//my.custom.registry/:_authToken\": \"7ea\",\n\t\t\t\t\"//my.custom.registry/:token\": \"nope\",\n\t\t\t},\n\t\t\trequestURL: \"https://my.custom.registry/here//foo/-/foo.tgz\",\n\t\t\twantAuth: \"Bearer c0ffee\",\n\t\t},\n\t\t{\n\t\t\tname: \"_auth_auth\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//my.custom.registry/:_auth\": \"decafbad\",\n\t\t\t\t\"//my.custom.registry/here/:_auth\": \"c0ffee\",\n\t\t\t},\n\t\t\trequestURL: \"https://my.custom.registry/here//asdf/foo/bard/baz\",\n\t\t\twantAuth: \"Basic c0ffee\",\n\t\t},\n\t\t{\n\t\t\tname: \"_auth_username:pass_auth\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//my.custom.registry/here/:_auth\": b64enc(\"foo:bar\"),\n\t\t\t},\n\t\t\trequestURL: \"https://my.custom.registry/here/\",\n\t\t\twantAuth: \"Basic \" + b64enc(\"foo:bar\"),\n\t\t},\n\t\t{\n\t\t\tname: \"ignore_user/pass_when__auth_is_set\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//registry/:_auth\": b64enc(\"not:foobar\"),\n\t\t\t\t\"//registry/:username\": \"foo\",\n\t\t\t\t\"//registry/:_password\": b64enc(\"bar\"),\n\t\t\t},\n\t\t\trequestURL: \"http://registry/pkg/-/pkg-1.2.3.tgz\",\n\t\t\twantAuth: \"Basic \" + b64enc(\"not:foobar\"),\n\t\t},\n\t\t{\n\t\t\tname: \"different_hosts_for_uri_vs_registry\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//my.custom.registry/here/:_authToken\": \"c0ffee\",\n\t\t\t\t\"//my.custom.registry/here/:token\": \"nope\",\n\t\t\t},\n\t\t\trequestURL: \"https://some.other.host/\",\n\t\t\twantAuth: \"\",\n\t\t},\n\t\t{\n\t\t\tname: \"do_not_be_thrown_by_other_weird_configs\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"@asdf:_authToken\": \"does this work?\",\n\t\t\t\t\"//registry.npmjs.org:_authToken\": \"do not share this\",\n\t\t\t\t\"_authToken\": \"definitely do not share this, either\",\n\t\t\t\t\"//localhost:15443:_authToken\": \"wrong\",\n\t\t\t\t\"//localhost:15443/foo:_authToken\": \"correct bearer token\",\n\t\t\t\t\"//localhost:_authToken\": \"not this one\",\n\t\t\t\t\"//other-registry:_authToken\": \"this should not be used\",\n\t\t\t\t\"@asdf:registry\": \"https://other-registry/\",\n\t\t\t},\n\t\t\trequestURL: \"http://localhost:15443/foo/@asdf/bar/-/bar-1.2.3.tgz\",\n\t\t\twantAuth: \"Bearer correct bearer token\",\n\t\t},\n\t\t// Some extra tests, based on experimentation with npm config\n\t\t{\n\t\t\tname: \"exact_package_path_uri\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//custom.registry/:_authToken\": \"less specific match\",\n\t\t\t\t\"//custom.registry/package:_authToken\": \"exact match\",\n\t\t\t\t\"//custom.registry/package/:_authToken\": \"no match trailing slash\",\n\t\t\t},\n\t\t\trequestURL: \"http://custom.registry/package\",\n\t\t\twantAuth: \"Bearer exact match\",\n\t\t},\n\t\t{\n\t\t\tname: \"percent-encoding_case-sensitivity\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//custom.registry/:_authToken\": \"expected\",\n\t\t\t\t\"//custom.registry/@scope%2Fpackage:_authToken\": \"bad config\",\n\t\t\t},\n\t\t\trequestURL: \"http://custom.registry/@scope%2fpackage\",\n\t\t\twantAuth: \"Bearer expected\",\n\t\t},\n\t\t{\n\t\t\tname: \"require_both_user_and_pass\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//custom.registry/:_authToken\": \"fallback\",\n\t\t\t\t\"//custom.registry/foo:username\": \"user\",\n\t\t\t},\n\t\t\trequestURL: \"https://custom.registry/foo/bar\",\n\t\t\twantAuth: \"Bearer fallback\",\n\t\t},\n\t\t{\n\t\t\tname: \"don't_inherit_username\",\n\t\t\tconfig: datasource.NpmrcConfig{\n\t\t\t\t\"//custom.registry/:_authToken\": \"fallback\",\n\t\t\t\t\"//custom.registry/foo:username\": \"user\",\n\t\t\t\t\"//custom.registry/foo/bar:_password\": b64enc(\"pass\"),\n\t\t\t},\n\t\t\trequestURL: \"https://custom.registry/foo/bar/baz\",\n\t\t\twantAuth: \"Bearer fallback\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tconfig := datasource.ParseNpmRegistryInfo(tt.config)\n\t\t\t// Send off requests to mockTransport to see the auth headers being added.\n\t\t\tmt := &mockTransport{}\n\t\t\thttpClient := &http.Client{Transport: mt}\n\t\t\tresp, err := config.Auths.GetAuth(tt.requestURL).Get(t.Context(), httpClient, tt.requestURL)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"error making request: %v\", err)\n\t\t\t}\n\t\t\tdefer resp.Body.Close()\n\t\t\tif len(mt.Requests) != 1 {\n\t\t\t\tt.Fatalf(\"unexpected number of requests made: %v\", len(mt.Requests))\n\t\t\t}\n\t\t\theader := mt.Requests[0].Header\n\t\t\tif got := header.Get(\"Authorization\"); got != tt.wantAuth {\n\t\t\t\tt.Errorf(\"authorization header got = \\\"%s\\\", want \\\"%s\\\"\", got, tt.wantAuth)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/datasource/testdata/maven_settings/settings.xml", "content": "\n\n \n \n server1\n user\n pass\n \n \n server2\n ${env.MAVEN_SETTINGS_TEST_USR}\n ~~${env.MAVEN_SETTINGS_TEST_PWD}~~\n \n \n ${env.MAVEN_SETTINGS_TEST_SID}\n ${env.maven_settings_test_usr}-${env.MAVEN_SETTINGS_TEST_NIL}\n ${env.MAVEN_SETTINGS_TEST_BAD}\n \n \n" }, { "path": "internal/datasource/testdata/npm_registry/@fake-registry-a.json", "content": "{\n \"name\": \"@fake-registry/a\",\n \"versions\": {\n \"1.2.3\": {\n \"name\": \"@fake-registry/a\",\n \"version\": \"1.2.3\",\n \"description\": \"package a\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": {\n \"name\": \"a author\"\n },\n \"license\": \"ISC\",\n \"optionalDependencies\": {\n \"@fake-registry/b\": \"^1.0.0\",\n \"@fake-registry/e\": \"^1.0.0\"\n },\n \"dependencies\": {\n \"@fake-registry/b\": \"^1.0.0\",\n \"@fake-registry/e\": \"^1.0.0\"\n },\n \"_id\": \"@fake-registry/a@1.2.3\",\n \"_nodeVersion\": \"10.24.1\",\n \"_npmVersion\": \"7.24.2\",\n \"dist\": {\n \"integrity\": \"sha512-vIimlnWl8mXXUvJkdeF2KsTIz/3AN3T6Xn7mz0e9w4a0OmVPGJG7M0jL63GkvNYJrvFHLcapfsNksZ/QNKRGhg==\",\n \"shasum\": \"f74ccf91104999d9240c9ea019c6c7872a0429fb\",\n \"tarball\": \"http://localhost:4873/@fake-registry%2fa/-/a-1.2.3.tgz\"\n },\n \"contributors\": []\n },\n \"2.3.4\": {\n \"name\": \"@fake-registry/a\",\n \"version\": \"2.3.4\",\n \"description\": \"package a@2\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": {\n \"name\": \"a@2 author\"\n },\n \"license\": \"MIT\",\n \"dependencies\": {\n \"@fake-registry/b\": \"^2.0.0\"\n },\n \"_id\": \"@fake-registry/a@2.3.4\",\n \"_nodeVersion\": \"10.24.1\",\n \"_npmVersion\": \"7.24.2\",\n \"dist\": {\n \"integrity\": \"sha512-Q1N2Ke+K6e4Vr20qHsjCPMzin4zKNxoo1qkN0MngiZKjNt7UfChaPi7zCtQtrWgH21j9WWR3/J0roepjJJp0iQ==\",\n \"shasum\": \"cdc054c44494751f50508032d557ab7b7fc78703\",\n \"tarball\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.4.tgz\"\n },\n \"contributors\": []\n }\n },\n \"time\": {\n \"modified\": \"2024-03-11T03:25:10.926Z\",\n \"created\": \"2024-03-11T03:25:06.832Z\",\n \"1.2.3\": \"2024-03-11T03:25:06.832Z\",\n \"2.3.4\": \"2024-03-11T03:25:10.926Z\"\n },\n \"users\": {},\n \"dist-tags\": {\n \"latest\": \"2.3.4\"\n },\n \"_rev\": \"6-92a4e77dfe57d1a3\",\n \"_id\": \"@fake-registry/a\",\n \"readme\": \"ERROR: No README data found!\",\n \"_attachments\": {}\n}\n" }, { "path": "internal/datasource/testdata/npm_registry/fake-package-2.2.2.json", "content": "{\n \"name\": \"fake-package\",\n \"version\": \"2.2.2\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"a\": \"^3.0.1\",\n \"b\": \"^2.0.1\",\n \"e\": \"^0.2.33\",\n \"f\": \"npm:g@^2.0.1\"\n },\n \"devDependencies\": {\n \"c\": \"^1.1.1\",\n \"d\": \"^1.0.2\"\n },\n \"optionalDependencies\": {\n \"e\": \"^0.2.33\",\n \"f\": \"npm:g@^2.0.1\"\n },\n \"peerDependencies\": {\n \"h\": \"^1.0.0\"\n },\n \"bundleDependencies\": [\n \"a\"\n ],\n \"_id\": \"fake-package@2.2.2\",\n \"_nodeVersion\": \"20.9.0\",\n \"_npmVersion\": \"10.1.0\",\n \"dist\": {\n \"integrity\": \"sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==\",\n \"shasum\": \"8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc\",\n \"tarball\": \"http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz\"\n },\n \"contributors\": []\n}\n" }, { "path": "internal/datasource/testdata/npm_registry/fake-package.json", "content": "{\n \"name\": \"fake-package\",\n \"versions\": {\n \"1.0.0\": {\n \"name\": \"fake-package\",\n \"version\": \"1.0.0\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"_id\": \"fake-package@1.0.0\",\n \"_nodeVersion\": \"20.9.0\",\n \"_npmVersion\": \"10.1.0\",\n \"dist\": {\n \"integrity\": \"sha512-leL6CT1Ld/eHfO5bYq0NQRKBh0fu0WyKGMbZ/IA/wcfDlZpA+5NBARcCciGmswKgdIk/zD+7uRQ8366YwVuoEg==\",\n \"shasum\": \"0d2ff81ce4e33cbb95d45c8ee394c5f90398cf2e\",\n \"tarball\": \"http://localhost:4873/fake-package/-/fake-package-1.0.0.tgz\"\n },\n \"contributors\": []\n },\n \"2.2.2\": {\n \"name\": \"fake-package\",\n \"version\": \"2.2.2\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"a\": \"^3.0.1\",\n \"b\": \"^2.0.1\",\n \"e\": \"^0.2.33\",\n \"f\": \"npm:g@^2.0.1\"\n },\n \"devDependencies\": {\n \"c\": \"^1.1.1\",\n \"d\": \"^1.0.2\"\n },\n \"optionalDependencies\": {\n \"e\": \"^0.2.33\",\n \"f\": \"npm:g@^2.0.1\"\n },\n \"peerDependencies\": {\n \"h\": \"^1.0.0\"\n },\n \"bundleDependencies\": [\n \"a\"\n ],\n \"_id\": \"fake-package@2.2.2\",\n \"_nodeVersion\": \"20.9.0\",\n \"_npmVersion\": \"10.1.0\",\n \"dist\": {\n \"integrity\": \"sha512-NWvNE9fxykrzSQVr1CSKchzkQr5qwplvgn3O/0JL46qM6BhoGlKRjLiaZYdo1byXJWLGthghOgGpUZiEL04HQQ==\",\n \"shasum\": \"8dc47515da4e67bb794a4c9c7f4750bb4d67c7fc\",\n \"tarball\": \"http://localhost:4873/fake-package/-/fake-package-2.2.2.tgz\"\n },\n \"contributors\": []\n }\n },\n \"time\": {\n \"modified\": \"2024-03-20T04:11:53.692Z\",\n \"created\": \"2024-03-20T04:03:14.913Z\",\n \"1.0.0\": \"2024-03-20T04:03:14.913Z\",\n \"2.2.2\": \"2024-03-20T04:11:53.692Z\"\n },\n \"users\": {},\n \"dist-tags\": {\n \"latest\": \"1.0.0\",\n \"version1\": \"1.0.0\",\n \"version2\": \"2.2.2\"\n },\n \"_rev\": \"6-08472a5a07b7c076\",\n \"_id\": \"fake-package\",\n \"readme\": \"ERROR: No README data found!\",\n \"_attachments\": {}\n}\n" }, { "path": "internal/depsdev/depsdev.go", "content": "// Package depsdev contains constants and mappings for the deps.dev API.\npackage depsdev\n\nimport (\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\n\tdepsdevpb \"deps.dev/api/v3\"\n)\n\n// DepsdevAPI is the URL to the deps.dev API. It is documented at\n// docs.deps.dev/api.\nconst DepsdevAPI = \"api.deps.dev:443\"\n\n// System maps from a lockfile system to the depsdev API system.\nvar System = map[osvconstants.Ecosystem]depsdevpb.System{\n\tosvconstants.EcosystemNPM: depsdevpb.System_NPM,\n\tosvconstants.EcosystemNuGet: depsdevpb.System_NUGET,\n\tosvconstants.EcosystemCratesIO: depsdevpb.System_CARGO,\n\tosvconstants.EcosystemGo: depsdevpb.System_GO,\n\tosvconstants.EcosystemMaven: depsdevpb.System_MAVEN,\n\tosvconstants.EcosystemPyPI: depsdevpb.System_PYPI,\n\tosvconstants.EcosystemRubyGems: depsdevpb.System_RUBYGEMS,\n}\n" }, { "path": "internal/grouper/grouper.go", "content": "// Package grouper groups vulnerabilities by aliases, then sorts them.\npackage grouper\n\nimport (\n\t\"maps\"\n\t\"slices\"\n\t\"sort\"\n\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc hasAliasIntersection(v1, v2 IDAliases) bool {\n\t// Check if any aliases intersect.\n\tfor _, alias := range v1.Aliases {\n\t\tif slices.Contains(v2.Aliases, alias) {\n\t\t\treturn true\n\t\t}\n\t}\n\t// Check if either IDs are in the others' aliases.\n\treturn slices.Contains(v1.Aliases, v2.ID) || slices.Contains(v2.Aliases, v1.ID)\n}\n\n// Group groups vulnerabilities by aliases.\nfunc Group(vulns []IDAliases) []models.GroupInfo {\n\t// Mapping of `vulns` index to a group ID. A group ID is just another index in the `vulns` slice.\n\tgroups := make([]int, len(vulns))\n\n\t// Initially make every vulnerability its own group.\n\tfor i := range vulns {\n\t\tgroups[i] = i\n\t}\n\n\t// Do a pair-wise (n^2) comparison and merge all intersecting vulns.\n\tfor i := range vulns {\n\t\tfor j := i + 1; j < len(vulns); j++ {\n\t\t\tif hasAliasIntersection(vulns[i], vulns[j]) {\n\t\t\t\t// Merge the two groups. Use the smaller index as the representative ID.\n\t\t\t\tgroups[i] = min(groups[i], groups[j])\n\t\t\t\tgroups[j] = groups[i]\n\t\t\t}\n\t\t}\n\t}\n\n\t// Extract groups into the final result structure.\n\textractedGroups := map[int][]string{}\n\textractedAliases := map[int][]string{}\n\tfor i, gid := range groups {\n\t\textractedGroups[gid] = append(extractedGroups[gid], vulns[i].ID)\n\t\textractedAliases[gid] = append(extractedAliases[gid], vulns[i].Aliases...)\n\t}\n\n\t// Sort by group ID to maintain stable order for tests.\n\tsortedKeys := slices.AppendSeq(make([]int, 0, len(extractedGroups)), maps.Keys(extractedGroups))\n\tsort.Ints(sortedKeys)\n\n\tresult := make([]models.GroupInfo, 0, len(sortedKeys))\n\tfor _, key := range sortedKeys {\n\t\t// Sort the strings so they are always in the same order\n\t\tslices.SortFunc(extractedGroups[key], identifiers.IDSortFunc)\n\n\t\t// Add IDs to aliases\n\t\textractedAliases[key] = append(extractedAliases[key], extractedGroups[key]...)\n\n\t\t// Dedup entries\n\t\tsort.Strings(extractedAliases[key])\n\t\textractedAliases[key] = slices.Compact(extractedAliases[key])\n\n\t\tresult = append(result, models.GroupInfo{IDs: extractedGroups[key], Aliases: extractedAliases[key]})\n\t}\n\n\treturn result\n}\n" }, { "path": "internal/grouper/grouper_models.go", "content": "package grouper\n\nimport (\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype IDAliases struct {\n\tID string\n\tAliases []string\n}\n\nfunc ConvertVulnerabilityToIDAliases(c []*osvschema.Vulnerability) []IDAliases {\n\toutput := make([]IDAliases, 0, len(c))\n\n\tslices.SortFunc(c, identifiers.MostUpstreamsOrder)\n\n\tfor _, v := range c {\n\t\tidAliases := IDAliases{\n\t\t\tID: v.GetId(),\n\t\t\tAliases: v.GetAliases(),\n\t\t}\n\n\t\tidAliases.Aliases = append(idAliases.Aliases, v.GetUpstream()...)\n\n\t\t// For Ubuntu Security Advisory data,\n\t\t// all related CVEs should be bundled together, as they are part of this USN.\n\t\t// TODO(jesslowe): remove after all USNs are migrated.\n\t\tif strings.Split(v.GetId(), \"-\")[0] == \"USN\" {\n\t\t\tidAliases.Aliases = append(idAliases.Aliases, v.GetRelated()...)\n\t\t}\n\n\t\toutput = append(output, idAliases)\n\t}\n\n\treturn output\n}\n" }, { "path": "internal/grouper/grouper_test.go", "content": "package grouper_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/internal/grouper\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc TestGroup(t *testing.T) {\n\tt.Parallel()\n\n\t// Should be grouped by IDs appearing in alias.\n\tv1 := grouper.IDAliases{\n\t\tID: \"CVE-1\",\n\t\tAliases: []string{\n\t\t\t\"FOO-1\",\n\t\t},\n\t}\n\tv2 := grouper.IDAliases{\n\t\tID: \"FOO-1\",\n\t\tAliases: []string{},\n\t}\n\tv3 := grouper.IDAliases{\n\t\tID: \"FOO-2\",\n\t\tAliases: []string{\n\t\t\t\"FOO-1\",\n\t\t},\n\t}\n\n\t// Should be grouped by aliases intersecting.\n\tv4 := grouper.IDAliases{\n\t\tID: \"BAR-1\",\n\t\tAliases: []string{\n\t\t\t\"CVE-2\",\n\t\t\t\"CVE-3\",\n\t\t},\n\t}\n\tv5 := grouper.IDAliases{\n\t\tID: \"BAR-2\",\n\t\tAliases: []string{\n\t\t\t\"CVE-3\",\n\t\t\t\"CVE-4\",\n\t\t},\n\t}\n\tv6 := grouper.IDAliases{\n\t\tID: \"BAR-3\",\n\t\tAliases: []string{\n\t\t\t\"CVE-4\",\n\t\t},\n\t}\n\n\t// Unrelated.\n\tv7 := grouper.IDAliases{\n\t\tID: \"UNRELATED-1\",\n\t\tAliases: []string{\n\t\t\t\"BAR-1337\",\n\t\t},\n\t}\n\tv8 := grouper.IDAliases{\n\t\tID: \"UNRELATED-2\",\n\t\tAliases: []string{\n\t\t\t\"BAR-1338\",\n\t\t},\n\t}\n\n\t// Unrelated, empty aliases\n\tv9 := grouper.IDAliases{\n\t\tID: \"UNRELATED-3\",\n\t}\n\tv10 := grouper.IDAliases{\n\t\tID: \"UNRELATED-4\",\n\t}\n\tfor _, tc := range []struct {\n\t\tvulns []grouper.IDAliases\n\t\twant []models.GroupInfo\n\t}{\n\t\t{\n\t\t\tvulns: []grouper.IDAliases{\n\t\t\t\tv1, v2, v3, v4, v5, v6, v7, v8,\n\t\t\t},\n\t\t\twant: []models.GroupInfo{\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v1.ID, v2.ID, v3.ID},\n\t\t\t\t\tAliases: []string{v1.ID, v2.ID, v3.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v4.ID, v5.ID, v6.ID},\n\t\t\t\t\tAliases: []string{v4.ID, v5.ID, v6.ID, v4.Aliases[0], v4.Aliases[1], v5.Aliases[1]},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v7.ID},\n\t\t\t\t\tAliases: []string{v7.Aliases[0], v7.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v8.ID},\n\t\t\t\t\tAliases: []string{v8.Aliases[0], v8.ID},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tvulns: []grouper.IDAliases{\n\t\t\t\tv8, v2, v1, v5, v7, v4, v6, v3, v9, v10,\n\t\t\t},\n\t\t\twant: []models.GroupInfo{\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v8.ID},\n\t\t\t\t\tAliases: []string{v8.Aliases[0], v8.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v1.ID, v2.ID, v3.ID}, // Deterministic order\n\t\t\t\t\tAliases: []string{v1.ID, v2.ID, v3.ID}, // Deterministic order\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v4.ID, v5.ID, v6.ID},\n\t\t\t\t\tAliases: []string{v4.ID, v5.ID, v6.ID, v4.Aliases[0], v4.Aliases[1], v5.Aliases[1]},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v7.ID},\n\t\t\t\t\tAliases: []string{v7.Aliases[0], v7.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v9.ID},\n\t\t\t\t\tAliases: []string{v9.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v10.ID},\n\t\t\t\t\tAliases: []string{v10.ID},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tvulns: []grouper.IDAliases{\n\t\t\t\tv9, v10,\n\t\t\t},\n\t\t\twant: []models.GroupInfo{\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v9.ID},\n\t\t\t\t\tAliases: []string{v9.ID},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{v10.ID},\n\t\t\t\t\tAliases: []string{v10.ID},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t} {\n\t\tgrouped := grouper.Group(tc.vulns)\n\t\tif diff := cmp.Diff(tc.want, grouped); diff != \"\" {\n\t\t\tt.Errorf(\"GroupedVulns() returned an unexpected result (-want +got):\\n%s\", diff)\n\t\t}\n\t}\n}\n" }, { "path": "internal/identifiers/identifiers.go", "content": "// Package identifiers provides functions for sorting vulnerability identifiers.\npackage identifiers\n\nimport (\n\t\"strings\"\n\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// MostUpstreamsOrder orders by which vuln has the most upstreams,\n// thereby finding the furthest downstream vuln identifier.\nfunc MostUpstreamsOrder(a, b *osvschema.Vulnerability) int {\n\tif len(a.GetUpstream()) > len(b.GetUpstream()) {\n\t\treturn -1\n\t} else if len(a.GetUpstream()) < len(b.GetUpstream()) {\n\t\treturn 1\n\t}\n\n\treturn IDSortFunc(a.GetId(), b.GetId())\n}\n\nfunc prefixOrder(prefix string) int {\n\tswitch prefix {\n\tcase \"DSA\", \"USN\":\n\t\t// Special case: For container scanning, DSA contains multiple CVEs and is more accurate.\n\t\treturn 3\n\tcase \"CVE\":\n\t\t// Highest precedence for normal cases\n\t\treturn 2\n\tcase \"GHSA\":\n\t\t// Lowest precedence\n\t\treturn 0\n\t}\n\n\treturn 1\n}\n\nfunc prefixOrderForDescription(prefix string) int {\n\tswitch prefix {\n\tcase \"CVE\":\n\t\treturn 0\n\tcase \"GHSA\":\n\t\treturn 1\n\t}\n\n\treturn 2\n}\n\nfunc idSort(a, b string, prefixOrd func(string) int) int {\n\tprefixAOrd := prefixOrd(strings.Split(a, \"-\")[0])\n\tprefixBOrd := prefixOrd(strings.Split(b, \"-\")[0])\n\n\tif prefixAOrd > prefixBOrd {\n\t\treturn -1\n\t} else if prefixAOrd < prefixBOrd {\n\t\treturn 1\n\t}\n\n\treturn strings.Compare(a, b)\n}\n\n// IDSortFunc sorts IDs ascending by CVE < [ECO-SPECIFIC] < GHSA\nfunc IDSortFunc(a, b string) int {\n\treturn idSort(a, b, prefixOrder)\n}\n\n// IDSortFuncForDescription sorts ID ascending by [ECO-SPECIFIC] < GHSA < CVE\nfunc IDSortFuncForDescription(a, b string) int {\n\treturn idSort(a, b, prefixOrderForDescription)\n}\n" }, { "path": "internal/identifiers/identifiers_test.go", "content": "package identifiers\n\nimport (\n\t\"slices\"\n\t\"testing\"\n)\n\nfunc Test_idSortFunc(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\ta string\n\t\tb string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant int\n\t}{\n\t\t{\n\t\t\targs: args{\n\t\t\t\ta: \"CVE-2012-1234\",\n\t\t\t\tb: \"ANYTHING-2012-1234\",\n\t\t\t},\n\t\t\twant: -1,\n\t\t},\n\t\t{\n\t\t\targs: args{\n\t\t\t\ta: \"GHSA-2012-1234\",\n\t\t\t\tb: \"ANYTHING-2012-1234\",\n\t\t\t},\n\t\t\twant: 1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif got := IDSortFunc(tt.args.a, tt.args.b); got != tt.want {\n\t\t\t\tt.Errorf(\"idSortFunc() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_idSortFuncUsage(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs []string\n\t\twant string\n\t}{\n\t\t{\n\t\t\targs: []string{\n\t\t\t\t\"CVE-2012-1234\",\n\t\t\t\t\"ANYTHING-2012-1234\",\n\t\t\t},\n\t\t\twant: \"CVE-2012-1234\",\n\t\t},\n\t\t{\n\t\t\targs: []string{\n\t\t\t\t\"GHSA-2012-1234\",\n\t\t\t\t\"RUSTSEC-2012-1234\",\n\t\t\t},\n\t\t\twant: \"RUSTSEC-2012-1234\",\n\t\t},\n\t\t{\n\t\t\targs: []string{\n\t\t\t\t\"CVE-2012-1234\",\n\t\t\t\t\"DSA-2012-1234\",\n\t\t\t},\n\t\t\twant: \"DSA-2012-1234\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif got := slices.MinFunc(tt.args, IDSortFunc); got != tt.want {\n\t\t\t\tt.Errorf(\"slices.MinFunc = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/imodels/imodels.go", "content": "// Package imodels defines internal models for osv-scanner.\npackage imodels\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/google/osv-scalibr/converter\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\tarchivemetadata \"github.com/google/osv-scalibr/extractor/filesystem/language/java/archive/metadata\"\n\tapkmetadata \"github.com/google/osv-scalibr/extractor/filesystem/os/apk/metadata\"\n\tdpkgmetadata \"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg/metadata\"\n\trpmmetadata \"github.com/google/osv-scalibr/extractor/filesystem/os/rpm/metadata\"\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrplugin\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/semverlike\"\n\n\tscalibrosv \"github.com/google/osv-scalibr/extractor/filesystem/osv\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\nvar gitExtractors = map[string]struct{}{\n\tgitrepo.Name: {},\n}\n\n// todo: SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete\nvar cache = sync.Map{} // map[*extractor.Package]*models.PackageInfo\n\nfunc toCachedPackageInfo(pkg *extractor.Package) *models.PackageInfo {\n\tif SourceType(pkg) != models.SourceTypeSBOM {\n\t\treturn nil\n\t}\n\n\tv, ok := cache.Load(pkg)\n\n\tif !ok {\n\t\tpurlStruct := converter.ToPURL(pkg)\n\n\t\tif purlStruct == nil {\n\t\t\treturn nil\n\t\t}\n\n\t\tpurlCache, _ := purl.ToPackage(purlStruct.String())\n\t\tcache.Store(pkg, &purlCache)\n\n\t\treturn &purlCache\n\t}\n\n\tif v == nil {\n\t\treturn nil\n\t}\n\n\treturn v.(*models.PackageInfo)\n}\n\nfunc Name(pkg *extractor.Package) string {\n\t// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete\n\tif purlCache := toCachedPackageInfo(pkg); purlCache != nil {\n\t\treturn purlCache.Name\n\t}\n\n\t// --- Make specific patches to names as necessary ---\n\t// Patch Go package to stdlib\n\tif Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && pkg.Name == \"go\" {\n\t\treturn \"stdlib\"\n\t}\n\n\t// TODO: Move the normalization to another where matching logic happens.\n\t// Patch python package names to be normalized\n\tif Ecosystem(pkg).Ecosystem == osvconstants.EcosystemPyPI {\n\t\t// per https://peps.python.org/pep-0503/#normalized-names\n\t\treturn strings.ToLower(cachedregexp.MustCompile(`[-_.]+`).ReplaceAllLiteralString(pkg.Name, \"-\"))\n\t}\n\n\t// Patch Maven archive extractor package names\n\tif metadata, ok := pkg.Metadata.(*archivemetadata.Metadata); ok {\n\t\tif metadata.ArtifactID != \"\" && metadata.GroupID != \"\" {\n\t\t\treturn metadata.GroupID + \":\" + metadata.ArtifactID\n\t\t}\n\t}\n\n\t// --- OS metadata ---\n\tif metadata, ok := pkg.Metadata.(*dpkgmetadata.Metadata); ok {\n\t\t// Debian uses source name on osv.dev\n\t\t// (fallback to using the normal name if source name is empty)\n\t\tif metadata.SourceName != \"\" {\n\t\t\treturn metadata.SourceName\n\t\t}\n\t}\n\n\tif metadata, ok := pkg.Metadata.(*apkmetadata.Metadata); ok {\n\t\tif metadata.OriginName != \"\" {\n\t\t\treturn metadata.OriginName\n\t\t}\n\t}\n\n\tif Ecosystem(pkg).String() == \"GIT\" && pkg.SourceCode != nil && pkg.SourceCode.Repo != \"\" {\n\t\treturn pkg.SourceCode.Repo\n\t}\n\n\treturn pkg.Name\n}\n\nfunc Ecosystem(pkg *extractor.Package) osvecosystem.Parsed {\n\teco := pkg.Ecosystem()\n\n\tif metadata, ok := pkg.Metadata.(*osvscannerjson.Metadata); ok {\n\t\tnewEco, err := osvecosystem.Parse(metadata.Ecosystem)\n\t\tif err != nil {\n\t\t\tcmdlogger.Warnf(\"Warning: error parsing osvscanner.json ecosystem: %s\", err.Error())\n\t\t\treturn eco\n\t\t}\n\n\t\teco = newEco\n\t}\n\n\t// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete\n\tif purlCache := toCachedPackageInfo(pkg); purlCache != nil {\n\t\tnewEco, err := osvecosystem.Parse(purlCache.Ecosystem)\n\t\tif err != nil {\n\t\t\tcmdlogger.Warnf(\"Warning: error parsing osvscanner.json ecosystem: %s\", err.Error())\n\t\t\treturn eco\n\t\t}\n\n\t\teco = newEco\n\t}\n\n\treturn eco\n}\n\nfunc Version(pkg *extractor.Package) string {\n\t// TODO(v2): SBOM special case, to be removed after PURL to ESI conversion within each extractor is complete\n\tif purlCache := toCachedPackageInfo(pkg); purlCache != nil {\n\t\treturn purlCache.Version\n\t}\n\n\t// Assume Go stdlib patch version as the latest version\n\t//\n\t// This is done because go1.20 and earlier do not support patch\n\t// version in go.mod file, and will fail to build.\n\t//\n\t// However, if we assume patch version as .0, this will cause a lot of\n\t// false positives. This compromise still allows osv-scanner to pick up\n\t// when the user is using a minor version that is out-of-support.\n\tif Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo && Name(pkg) == \"stdlib\" {\n\t\tv := semverlike.ParseSemverLikeVersion(pkg.Version, 3)\n\t\tif len(v.Components) == 2 {\n\t\t\treturn fmt.Sprintf(\n\t\t\t\t\"%d.%d.%d\",\n\t\t\t\tv.Components.Fetch(0),\n\t\t\t\tv.Components.Fetch(1),\n\t\t\t\t99,\n\t\t\t)\n\t\t}\n\t}\n\n\treturn pkg.Version\n}\n\nfunc Location(pkg *extractor.Package) string {\n\treturn pkg.Location.PathOrEmpty()\n}\n\nfunc Commit(pkg *extractor.Package) string {\n\tif pkg.SourceCode != nil {\n\t\treturn pkg.SourceCode.Commit\n\t}\n\n\treturn \"\"\n}\n\nfunc SourceType(pkg *extractor.Package) models.SourceType {\n\tfor _, extractorName := range pkg.Plugins {\n\t\tif strings.HasPrefix(extractorName, \"os/\") {\n\t\t\treturn models.SourceTypeOSPackage\n\t\t} else if _, ok := scalibrplugin.ExtractorPresets[\"sbom\"][extractorName]; ok {\n\t\t\treturn models.SourceTypeSBOM\n\t\t} else if _, ok := gitExtractors[extractorName]; ok {\n\t\t\treturn models.SourceTypeGit\n\t\t} else if _, ok := scalibrplugin.ExtractorPresets[\"artifact\"][extractorName]; ok {\n\t\t\treturn models.SourceTypeArtifact\n\t\t} else if _, ok := scalibrplugin.ExtractorPresets[\"lockfile\"][extractorName]; ok {\n\t\t\treturn models.SourceTypeProjectPackage\n\t\t}\n\t}\n\n\treturn models.SourceTypeUnknown\n}\n\nfunc DepGroups(pkg *extractor.Package) []string {\n\tif dg, ok := pkg.Metadata.(scalibrosv.DepGroups); ok {\n\t\treturn dg.DepGroups()\n\t}\n\n\treturn []string{}\n}\n\nfunc OSPackageName(pkg *extractor.Package) string {\n\tif metadata, ok := pkg.Metadata.(*apkmetadata.Metadata); ok {\n\t\treturn metadata.PackageName\n\t}\n\tif metadata, ok := pkg.Metadata.(*dpkgmetadata.Metadata); ok {\n\t\treturn metadata.PackageName\n\t}\n\tif metadata, ok := pkg.Metadata.(*rpmmetadata.Metadata); ok {\n\t\treturn metadata.PackageName\n\t}\n\n\treturn \"\"\n}\n" }, { "path": "internal/imodels/imodels_test.go", "content": "package imodels\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n)\n\nfunc Test_Name(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tname string\n\t\tpkg *extractor.Package\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"Regular_package\",\n\t\t\tpkg: &extractor.Package{\n\t\t\t\tName: \"regular-pkg\",\n\t\t\t},\n\t\t\twant: \"regular-pkg\",\n\t\t},\n\t\t{\n\t\t\tname: \"GIT_ecosystem_with_repo\",\n\t\t\tpkg: &extractor.Package{\n\t\t\t\tName: \"openssl@3.5\",\n\t\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\t\tRepo: \"github.com/openssl/openssl\",\n\t\t\t\t},\n\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\tEcosystem: \"GIT\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: \"github.com/openssl/openssl\",\n\t\t},\n\t\t{\n\t\t\tname: \"GIT_ecosystem_without_repo\",\n\t\t\tpkg: &extractor.Package{\n\t\t\t\tName: \"openssl@3.5\",\n\t\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\t\tRepo: \"\",\n\t\t\t\t},\n\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\tEcosystem: \"GIT\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: \"openssl@3.5\",\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tif got := Name(tt.pkg); got != tt.want {\n\t\t\t\tt.Errorf(\"Name(*extractor.Package) = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/imodels/results/scanresults.go", "content": "// Package results defines the data structures for scan results.\npackage results\n\nimport (\n\tspb \"github.com/google/osv-scalibr/binary/proto/scan_result_go_proto\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n)\n\n// ScanResults represents the complete results of a scan.\n// This includes information that affect multiple packages.\ntype ScanResults struct {\n\tInventory inventory.Inventory\n\n\tPackageScanResults []*extractor.Package\n\n\t// TODO(v2): Temporarily commented out until ScanParameters is moved\n\t// to a shared package to avoid cyclic dependencies\n\t// The user parameters for the scan\n\t// ScanParameters\n\n\t// Scan config\n\tConfigManager config.Manager\n\n\t// For container scanning, metadata including layer information\n\tImageMetadata *spb.ContainerImageMetadata\n}\n" }, { "path": "internal/output/__snapshots__/cyclonedx_test.snap", "content": "\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:nuget/mine1@1.3.5\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"type\": \"library\",\n \"name\": \"deprecated-pkg\",\n \"version\": \"1.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"properties\": [\n {\n \"name\": \"deprecated\",\n \"value\": \"true\"\n }\n ]\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.10.2-rc\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.10.2-rc\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.10.2-rc\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [],\n \"detail\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [],\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX14_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.4.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.4\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:nuget/mine1@1.3.5\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"type\": \"library\",\n \"name\": \"deprecated-pkg\",\n \"version\": \"1.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"properties\": [\n {\n \"name\": \"deprecated\",\n \"value\": \"true\"\n }\n ]\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.10.2-rc\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.10.2-rc\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.10.2-rc\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [],\n \"detail\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [],\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX15_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.5.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.5\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:nuget/mine1@1.3.5\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"UNKNOWN\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n },\n {\n \"license\": {\n \"id\": \"Apache-2.0\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"type\": \"library\",\n \"name\": \"deprecated-pkg\",\n \"version\": \"1.0.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/deprecated-pkg@1.0.0\",\n \"properties\": [\n {\n \"name\": \"deprecated\",\n \"value\": \"true\"\n }\n ]\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"ISC\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [\n {\n \"license\": {\n \"id\": \"MIT\"\n }\n }\n ],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.3.5\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.3.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@3.2.5\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.4.1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.2\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.2\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:composer/author1/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author1/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:composer/author3/mine3@0.4.1\",\n \"type\": \"library\",\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"licenses\": [],\n \"purl\": \"pkg:composer/author3/mine3@0.4.1\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n },\n {\n \"bom-ref\": \"pkg:nuget/mine2@3.2.5\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"licenses\": [],\n \"purl\": \"pkg:nuget/mine2@3.2.5\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something less scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-3\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something mildly scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-5\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/no_sources - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": []\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scarier!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-123\",\n \"references\": [\n {\n \"id\": \"OSV-1\",\n \"source\": {}\n }\n ],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine3@0.10.2-rc\",\n \"type\": \"library\",\n \"name\": \"mine3\",\n \"version\": \"0.10.2-rc\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine3@0.10.2-rc\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [],\n \"detail\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n },\n {\n \"id\": \"OSV-2\",\n \"references\": [],\n \"ratings\": [],\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n },\n {\n \"bom-ref\": \"pkg:npm/mine2@5.9.0\",\n \"type\": \"library\",\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine2@5.9.0\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n\n[TestPrintCycloneDXResults/CycloneDX16_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"$schema\": \"http://cyclonedx.org/schema/bom-1.6.schema.json\",\n \"bomFormat\": \"CycloneDX\",\n \"specVersion\": \"1.6\",\n \"version\": 1,\n \"components\": [\n {\n \"bom-ref\": \"pkg:npm/mine1@1.2.3\",\n \"type\": \"library\",\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"licenses\": [],\n \"purl\": \"pkg:npm/mine1@1.2.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"references\": [],\n \"ratings\": [\n {\n \"vector\": \"1\"\n }\n ],\n \"description\": \"Something scary!\",\n \"advisories\": [],\n \"credits\": {\n \"organizations\": []\n },\n \"affects\": []\n }\n ]\n}\n\n---\n" }, { "path": "internal/output/__snapshots__/githubannotation_test.snap", "content": "\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/no_sources - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_no_packages - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 7.8 | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n::error file=path/to/lockfile::path/to/lockfile%0A+----------------+-----------------+------------+%0A| PACKAGE | CURRENT VERSION | DEPRECATED |%0A+----------------+-----------------+------------+%0A| deprecated-pkg | 1.0.0 | true |%0A+----------------+-----------------+------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/third/lockfile::path/to/my/third/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | 4.3 | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.2 | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| author1/mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| author1/mine1 | https://osv.dev/OSV-5 | | 1.2.3 | |%0A| mine1 | https://osv.dev/OSV-1 | | | |%0A+---------------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------------+-----------------------+------+-----------------+---------------+%0A| mine2 | https://osv.dev/OSV-2 | | 3.2.5 | |%0A| author3/mine3 | https://osv.dev/OSV-3 | | 0.4.1 | |%0A| author3/mine3 | https://osv.dev/OSV-5 | | 0.4.1 | |%0A+---------------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/no_sources - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_no_packages - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine1 | https://osv.dev/GHSA-123 | | 1.2.3 | |%0A+---------+--------------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 9 | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | 8.3 | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+--------------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+--------------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| | https://osv.dev/GHSA-123 | | | |%0A+---------+--------------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A| mine3 | https://osv.dev/OSV-2 | | 0.10.2-rc | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n\n[TestPrintGHAnnotationReport_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n::error file=path/to/my/first/lockfile::path/to/my/first/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+::error file=path/to/my/second/lockfile::path/to/my/second/lockfile%0A+---------+-----------------------+------+-----------------+---------------+%0A| PACKAGE | VULNERABILITY ID | CVSS | CURRENT VERSION | FIXED VERSION |%0A+---------+-----------------------+------+-----------------+---------------+%0A| mine1 | https://osv.dev/OSV-1 | | 1.2.3 | |%0A+---------+-----------------------+------+-----------------+---------------+\n---\n" }, { "path": "internal/output/__snapshots__/machinejson_test.snap", "content": "\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\",\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"license_violations\": [\n \"UNKNOWN\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"Packagist\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"NuGet\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n },\n {\n \"package\": {\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"Packagist\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\",\n \"optional\"\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\",\n \"optional\"\n ],\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"build\"\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": []\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": []\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": []\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/no_sources - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": []\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"UNKNOWN\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\",\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"MIT\",\n \"Apache-2.0\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abc123\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abc123\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"7.8\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-2\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"ISC\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"ISC\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abcxzy\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abc123\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"ISC\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"ISC\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"Apache-2.0\"\n ],\n \"license_violations\": [\n \"Apache-2.0\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"deprecated-pkg\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\",\n \"deprecated\": true\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"ISC\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ],\n \"license_violations\": [\n \"MIT\"\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"ISC\"\n ]\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\",\n \"optional\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"build\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-3\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-3\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something mildly scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-3\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-3\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something mildly scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n }\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n }\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.3.5\",\n \"ecosystem\": \"npm\"\n }\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"Packagist\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"NuGet\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"Packagist\"\n },\n \"dependency_groups\": [\n \"build\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-3\"\n ],\n \"aliases\": null,\n \"max_severity\": \"4.3\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-3\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something mildly scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"Packagist\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-5\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.2\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"NuGet\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"Packagist\"\n },\n \"dependency_groups\": [\n \"build\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-3\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-3\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-3\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something mildly scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"author1/mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"Packagist\",\n \"commit\": \"123abc\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abcxyz\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"3.2.5\",\n \"ecosystem\": \"NuGet\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something less scary!\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"author3/mine3\",\n \"version\": \"0.4.1\",\n \"ecosystem\": \"Packagist\"\n },\n \"dependency_groups\": [\n \"build\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-3\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"OSV-5\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-3\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something mildly scary!\"\n },\n {\n \"id\": \"OSV-5\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": []\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": []\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/third/lockfile\",\n \"type\": \"unknown\"\n },\n \"packages\": []\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/no_sources - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": []\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"GHSA-123\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"GHSA-123\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"id\": \"GHSA-123\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scarier!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"9\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"experimental_analysis\": {\n \"OSV-1\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"aliases\": [\n \"OSV-1\"\n ],\n \"id\": \"GHSA-123\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"8.3\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"aliases\": [\n \"OSV-1\"\n ],\n \"id\": \"GHSA-123\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n },\n {\n \"aliases\": [\n \"OSV-1\"\n ],\n \"id\": \"GHSA-123\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abc123\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"\",\n \"ecosystem\": \"npm\",\n \"commit\": \"abc123\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"details\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"id\": \"OSV-1\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"mine3\",\n \"version\": \"0.10.2-rc\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-2\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-2\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine2\",\n \"version\": \"5.9.0\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n\n[TestPrintJSONResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/my/first/lockfile\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/my/second/lockfile\",\n \"type\": \"sbom\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"mine1\",\n \"version\": \"1.2.3\",\n \"ecosystem\": \"npm\"\n },\n \"dependency_groups\": [\n \"dev\"\n ],\n \"groups\": [\n {\n \"ids\": [\n \"OSV-1\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"OSV-1\",\n \"severity\": [\n {\n \"score\": \"1\"\n }\n ],\n \"summary\": \"Something scary!\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n\n---\n" }, { "path": "internal/output/__snapshots__/markdowntable_test.snap", "content": "\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT, Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\n# Deprecated packages\n| Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- |\n| npm | deprecated-pkg | 1.0.0 | path/to/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| License Violation | Ecosystem | Package | Version | Source |\n| --- | --- | --- | --- | --- |\n| MIT | npm | mine2 | 5.9.0 | path/to/my/second/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 (dev) | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | 4.3 | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n\nTotal 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n| Uncalled vulnerabilities | | | | | | |\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| Uncalled vulnerabilities | | | | | | |\n| https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | 9 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| Uncalled vulnerabilities | | | | | | |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| Uncalled vulnerabilities | | | | | | |\n| https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | 8.3 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1
https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine3 | 0.10.2-rc | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n\n---\n\n[TestPrintMarkdownTableResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n| OSV URL | CVSS | Ecosystem | Package | Version | Fixed Version | Source |\n| --- | --- | --- | --- | --- | --- | --- |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/second/lockfile |\n\n---\n" }, { "path": "internal/output/__snapshots__/output_result_test.snap", "content": "\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.2\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 3\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 3\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-3\",\n \"GroupIDs\": [\n \"OSV-3\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something mildly scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 3\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 3\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 6,\n \"OS\": 0,\n \"Project\": 6,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 4,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 6,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 6\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 6\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.2\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 3\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 3\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-3\",\n \"GroupIDs\": [\n \"OSV-3\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something mildly scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 3\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 3\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 6,\n \"OS\": 0,\n \"Project\": 6,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 4,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 6,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 6\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 6\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"unknown:/path/to/my/third/lockfile\",\n \"Type\": \"unknown\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.3.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"unknown:/path/to/my/third/lockfile\",\n \"Type\": \"unknown\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.3.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 3,\n \"OS\": 0,\n \"Project\": 3,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 3,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 3\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 3\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"NuGet\",\n \"Sources\": [\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"Packagist\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"author1/mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"author3/mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-3\",\n \"GroupIDs\": [\n \"OSV-3\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something mildly scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"MEDIUM\",\n \"SeverityScore\": \"4.3\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 1,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 1,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.2\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 6,\n \"OS\": 0,\n \"Project\": 6,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 4,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 6,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 1,\n \"Low\": 0,\n \"Unknown\": 5\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 6\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"NuGet\",\n \"Sources\": [\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"Packagist\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"Packages\": [\n {\n \"Name\": \"author1/mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 1,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"author3/mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-3\",\n \"GroupIDs\": [\n \"OSV-3\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something mildly scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.2\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 5,\n \"OS\": 0,\n \"Project\": 5,\n \"Hidden\": 1\n },\n \"PackageTypeCount\": {\n \"Regular\": 4,\n \"Hidden\": 1\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 5,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 5\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 5\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"NuGet\",\n \"Sources\": [\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"3.2.5\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something less scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"Packagist\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"author1/mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"123abc\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"author3/mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.4.1\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-3\",\n \"GroupIDs\": [\n \"OSV-3\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something mildly scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n },\n {\n \"ID\": \"OSV-5\",\n \"GroupIDs\": [\n \"OSV-5\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n },\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"\",\n \"Commit\": \"abcxyz\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 6,\n \"OS\": 0,\n \"Project\": 6,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 4,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 6,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 6\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 6\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"unknown:/path/to/my/third/lockfile\",\n \"Type\": \"unknown\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/no_sources - 1]\n{\n \"Ecosystems\": null,\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [\n {\n \"ID\": \"GHSA-123\",\n \"GroupIDs\": [\n \"GHSA-123\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scarier!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 1,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 1\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"CRITICAL\",\n \"SeverityScore\": \"9\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 1,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 1,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 1,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 1,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 1\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"Aliases\": [\n \"GHSA-123\"\n ],\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 1,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 0,\n \"OS\": 0,\n \"Project\": 0,\n \"Hidden\": 1\n },\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 1\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"Aliases\": [\n \"GHSA-123\"\n ],\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"HIGH\",\n \"SeverityScore\": \"8.3\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 1,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 1,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 1,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"Aliases\": [\n \"GHSA-123\"\n ],\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"abc123\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"\",\n \"Commit\": \"abc123\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n },\n {\n \"Name\": \"mine3\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"0.10.2-rc\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-2\",\n \"GroupIDs\": [\n \"OSV-2\"\n ],\n \"Aliases\": null,\n \"Description\": \"\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 2,\n \"OS\": 0,\n \"Project\": 2,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine2\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"5.9.0\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 1,\n \"OS\": 0,\n \"Project\": 1,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n }\n}\n\n---\n\n[TestPrintOutputResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"Ecosystems\": [\n {\n \"Name\": \"npm\",\n \"Sources\": [\n {\n \"Name\": \"lockfile:/path/to/my/first/lockfile\",\n \"Type\": \"lockfile\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n },\n {\n \"Name\": \"sbom:/path/to/my/second/lockfile\",\n \"Type\": \"sbom\",\n \"PackageTypeCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"Packages\": [\n {\n \"Name\": \"mine1\",\n \"OSPackageNames\": [\n \"\"\n ],\n \"InstalledVersion\": \"1.2.3\",\n \"Commit\": \"\",\n \"FixedVersion\": \"No fix available\",\n \"RegularVulns\": [\n {\n \"ID\": \"OSV-1\",\n \"GroupIDs\": [\n \"OSV-1\"\n ],\n \"Aliases\": null,\n \"Description\": \"Something scary!\",\n \"IsFixable\": false,\n \"FixedVersion\": \"No fix available\",\n \"VulnAnalysisType\": 0,\n \"SeverityRating\": \"UNKNOWN\",\n \"SeverityScore\": \"N/A\"\n }\n ],\n \"HiddenVulns\": [],\n \"LayerDetail\": {\n \"LayerIndex\": 0,\n \"LayerInfo\": {\n \"Index\": 0,\n \"LayerMetadata\": {\n \"diff_id\": \"\",\n \"command\": \"\",\n \"is_empty\": false,\n \"base_image_index\": 0\n },\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n },\n \"BaseImageInfo\": {\n \"Index\": 0,\n \"BaseImageInfo\": null,\n \"AllLayers\": null,\n \"Count\": {\n \"AnalysisCount\": {\n \"Regular\": 0,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 0\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 0\n }\n }\n }\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"Licenses\": null,\n \"LicenseViolations\": null\n }\n ],\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 1,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 1\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 1\n }\n },\n \"LicenseViolationsCount\": 0\n }\n ],\n \"IsOS\": false\n }\n ],\n \"IsContainerScanning\": false,\n \"ImageInfo\": {\n \"OS\": \"\",\n \"AllLayers\": null,\n \"AllBaseImages\": null\n },\n \"LicenseSummary\": {\n \"Summary\": false,\n \"ShowViolations\": false,\n \"LicenseCount\": null\n },\n \"VulnTypeSummary\": {\n \"All\": 2,\n \"OS\": 0,\n \"Project\": 2,\n \"Hidden\": 0\n },\n \"PackageTypeCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"VulnCount\": {\n \"AnalysisCount\": {\n \"Regular\": 2,\n \"Hidden\": 0\n },\n \"SeverityCount\": {\n \"Critical\": 0,\n \"High\": 0,\n \"Medium\": 0,\n \"Low\": 0,\n \"Unknown\": 2\n },\n \"FixableCount\": {\n \"Fixed\": 0,\n \"UnFixed\": 2\n }\n }\n}\n\n---\n" }, { "path": "internal/output/__snapshots__/result_test.snap", "content": "\n[Test_groupFixedVersions/#00 - 1]\n{\n \"lockfile:/path/to/scorecard-check-osv-e2e/go.mod:GHSA-c3h9-896r-86jm,GO-2021-0053\": [\n \"1.3.2\"\n ],\n \"lockfile:/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock:GHSA-m5pq-gvj9-9vr8,RUSTSEC-2022-0013\": [\n \"1.5.5\"\n ]\n}\n---\n\n[Test_groupFixedVersions/#01 - 1]\n{\n \"lockfile:/path/to/scorecard-check-osv-e2e/go.mod:GHSA-c3h9-896r-86jm,GO-2021-0053\": [\n \"1.3.2\"\n ],\n \"lockfile:/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock:GHSA-m5pq-gvj9-9vr8,RUSTSEC-2022-0013\": [\n \"1.5.5\"\n ]\n}\n---\n\n[Test_mapIDsToGroupedSARIFFinding/#00 - 1]\n{\n \"GHSA-m5pq-gvj9-9vr8\": {\n \"DisplayID\": \"CVE-2022-24713\",\n \"PkgSource\": [\n {\n \"Package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"Source\": {\n \"path\": \"/path/to/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n }\n }\n ],\n \"AliasedIDList\": [\n \"CVE-2022-24713\",\n \"RUSTSEC-2022-0013\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"AliasedVulns\": {\n \"GHSA-m5pq-gvj9-9vr8\": {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\"\n },\n \"RUSTSEC-2022-0013\": {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\"\n }\n }\n },\n \"GO-2021-0053\": {\n \"DisplayID\": \"CVE-2021-3121\",\n \"PkgSource\": [\n {\n \"Package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"Source\": {\n \"path\": \"/path/to/go.mod\",\n \"type\": \"lockfile\"\n }\n }\n ],\n \"AliasedIDList\": [\n \"CVE-2021-3121\",\n \"GO-2021-0053\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"AliasedVulns\": {\n \"GO-2021-0053\": {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\"\n }\n }\n },\n \"RUSTSEC-2022-0013\": {\n \"DisplayID\": \"CVE-2022-24713\",\n \"PkgSource\": [\n {\n \"Package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"Source\": {\n \"path\": \"/path/to/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n }\n }\n ],\n \"AliasedIDList\": [\n \"CVE-2022-24713\",\n \"RUSTSEC-2022-0013\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"AliasedVulns\": {\n \"GHSA-m5pq-gvj9-9vr8\": {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\"\n },\n \"RUSTSEC-2022-0013\": {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\"\n }\n }\n }\n}\n---\n" }, { "path": "internal/output/__snapshots__/sarif_internal_test.snap", "content": "\n[Test_createSARIFHelpText/#00 - 1]\n**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)**\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ).\n\n## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)\n\n
\nDetails\n\n> The Rust Security Response WG was notified that the `regex` crate did not\n> properly limit the complexity of the regular expressions (regex) it parses. An\n> attacker could use this security issue to perform a denial of service, by\n> sending a specially crafted regex to a service accepting untrusted regexes. No\n> known vulnerability is present when parsing untrusted input with trusted\n> regexes.\n> \n> This issue has been assigned CVE-2022-24713. The severity of this vulnerability\n> is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses\n> of the `regex` crate are not affected by this vulnerability.\n> \n> ## Overview\n> \n> The `regex` crate features built-in mitigations to prevent denial of service\n> attacks caused by untrusted regexes, or untrusted input matched by trusted\n> regexes. Those (tunable) mitigations already provide sane defaults to prevent\n> attacks. This guarantee is documented and it's considered part of the crate's\n> API.\n> \n> Unfortunately a bug was discovered in the mitigations designed to prevent\n> untrusted regexes to take an arbitrary amount of time during parsing, and it's\n> possible to craft regexes that bypass such mitigations. This makes it possible\n> to perform denial of service attacks by sending specially crafted regexes to\n> services accepting user-controlled, untrusted regexes.\n> \n> ## Affected versions\n> \n> All versions of the `regex` crate before or equal to 1.5.4 are affected by this\n> issue. The fix is include starting from `regex` 1.5.5.\n> \n> ## Mitigations\n> \n> We recommend everyone accepting user-controlled regexes to upgrade immediately\n> to the latest version of the `regex` crate.\n> \n> Unfortunately there is no fixed set of problematic regexes, as there are\n> practically infinite regexes that could be crafted to exploit this\n> vulnerability. Because of this, we do not recommend denying known problematic\n> regexes.\n> \n> ## Acknowledgements\n> \n> We want to thank Addison Crump for responsibly disclosing this to us according\n> to the [Rust security policy][1], and for helping review the fix.\n> \n> We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\n> for coordinating the disclosure and writing this advisory.\n> \n> [1]: https://www.rust-lang.org/policies/security\n\n
\n\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)\n\n
\nDetails\n\n> > This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\n> \n> [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\n> \n> The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\n> \n> This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \"high\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\n> \n> ## Overview\n> \n> The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\n> \n> Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\n> \n> ## Affected versions\n> \n> All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\n> \n> ## Mitigations\n> \n> We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\n> \n> Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\n> \n> ## Acknowledgements\n> \n> We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\n> \n> We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\n\n
\n\n/-/-/-/\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/path/to/sub-rust-project/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"CVE-2022-24713\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n\n---\n\n[Test_createSARIFHelpText/#01 - 1]\n**Your dependency is vulnerable to [OSV-2023-72](https://osv.dev/OSV-2023-72)**.\n\n## [OSV-2023-72](https://osv.dev/OSV-2023-72)\n\n
\nDetails\n\n> OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057\n> \n> ```\n> Crash type: Heap-buffer-overflow WRITE 4\n> Crash state:\n> perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor\n> perfetto::trace_processor::TrackEventModule::ParseTracePacketData\n> perfetto::trace_processor::ProtoTraceParser::ParseTracePacket\n> ```\n> \n\n
\n\n/-/-/-/\n\n### Affected Packages\n\n| Source | Package Name | Package Version |\n| --- | --- | --- |\n| lockfile:/Documents/Project/engine/deps_flatten.txt | https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto | b8da07095979310818f0efde2ef3c69ea70d62c5 |\n\n## Remediation\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n| Vulnerability ID | Package Name | Fixed Version |\n| --- | --- | --- |\n| OSV-2023-72 | perfetto | 9a7f09383dd39f19e662d428321ca708a2a600a3 |\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n`/Documents/Project/engine/osv-scanner.toml`\n\n```\n[[IgnoredVulns]]\nid = \"OSV-2023-72\"\nreason = \"Your reason for ignoring this vulnerability\"\n```\n\n---\n" }, { "path": "internal/output/__snapshots__/sarif_test.snap", "content": "\n[TestPrintSARIFReport/#00 - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/sub-rust-project/Cargo.lock\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/go.mod\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/sub-rust-project/Cargo.lock\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2022-24713\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/go.mod\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'github.com/gogo/protobuf@1.3.1' is vulnerable to 'CVE-2021-3121' (also known as 'GO-2021-0053', 'GHSA-c3h9-896r-86jm').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2021-3121\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/sub-rust-project/Cargo.lock\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'regex@1.5.1' is vulnerable to 'CVE-2022-24713' (also known as 'RUSTSEC-2022-0013', 'GHSA-m5pq-gvj9-9vr8').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"CVE-2022-24713\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"CVE-2022-24713\",\n \"RUSTSEC-2022-0013\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"fullDescription\": {\n \"markdown\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"text\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)**\\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ).\\n\\n## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e The Rust Security Response WG was notified that the `regex` crate did not\\n\\u003e properly limit the complexity of the regular expressions (regex) it parses. An\\n\\u003e attacker could use this security issue to perform a denial of service, by\\n\\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\\n\\u003e known vulnerability is present when parsing untrusted input with trusted\\n\\u003e regexes.\\n\\u003e \\n\\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\\n\\u003e is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\n\\u003e of the `regex` crate are not affected by this vulnerability.\\n\\u003e \\n\\u003e ## Overview\\n\\u003e \\n\\u003e The `regex` crate features built-in mitigations to prevent denial of service\\n\\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\\n\\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\\n\\u003e attacks. This guarantee is documented and it's considered part of the crate's\\n\\u003e API.\\n\\u003e \\n\\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\\n\\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\\n\\u003e possible to craft regexes that bypass such mitigations. This makes it possible\\n\\u003e to perform denial of service attacks by sending specially crafted regexes to\\n\\u003e services accepting user-controlled, untrusted regexes.\\n\\u003e \\n\\u003e ## Affected versions\\n\\u003e \\n\\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\\n\\u003e issue. The fix is include starting from `regex` 1.5.5.\\n\\u003e \\n\\u003e ## Mitigations\\n\\u003e \\n\\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\\n\\u003e to the latest version of the `regex` crate.\\n\\u003e \\n\\u003e Unfortunately there is no fixed set of problematic regexes, as there are\\n\\u003e practically infinite regexes that could be crafted to exploit this\\n\\u003e vulnerability. Because of this, we do not recommend denying known problematic\\n\\u003e regexes.\\n\\u003e \\n\\u003e ## Acknowledgements\\n\\u003e \\n\\u003e We want to thank Addison Crump for responsibly disclosing this to us according\\n\\u003e to the [Rust security policy][1], and for helping review the fix.\\n\\u003e \\n\\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\n\\u003e for coordinating the disclosure and writing this advisory.\\n\\u003e \\n\\u003e [1]: https://www.rust-lang.org/policies/security\\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\u003e \\n\\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\u003e \\n\\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\u003e \\n\\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\u003e \\n\\u003e ## Overview\\n\\u003e \\n\\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\u003e \\n\\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\u003e \\n\\u003e ## Affected versions\\n\\u003e \\n\\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\u003e \\n\\u003e ## Mitigations\\n\\u003e \\n\\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\u003e \\n\\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\u003e \\n\\u003e ## Acknowledgements\\n\\u003e \\n\\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\u003e \\n\\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/sub-rust-project/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2022-24713\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [CVE-2022-24713](https://osv.dev/CVE-2022-24713)**\\n(Also published as: [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013), [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8), ).\\n\\n## [RUSTSEC-2022-0013](https://osv.dev/RUSTSEC-2022-0013)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e The Rust Security Response WG was notified that the `regex` crate did not\\n\\u003e properly limit the complexity of the regular expressions (regex) it parses. An\\n\\u003e attacker could use this security issue to perform a denial of service, by\\n\\u003e sending a specially crafted regex to a service accepting untrusted regexes. No\\n\\u003e known vulnerability is present when parsing untrusted input with trusted\\n\\u003e regexes.\\n\\u003e \\n\\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability\\n\\u003e is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\n\\u003e of the `regex` crate are not affected by this vulnerability.\\n\\u003e \\n\\u003e ## Overview\\n\\u003e \\n\\u003e The `regex` crate features built-in mitigations to prevent denial of service\\n\\u003e attacks caused by untrusted regexes, or untrusted input matched by trusted\\n\\u003e regexes. Those (tunable) mitigations already provide sane defaults to prevent\\n\\u003e attacks. This guarantee is documented and it's considered part of the crate's\\n\\u003e API.\\n\\u003e \\n\\u003e Unfortunately a bug was discovered in the mitigations designed to prevent\\n\\u003e untrusted regexes to take an arbitrary amount of time during parsing, and it's\\n\\u003e possible to craft regexes that bypass such mitigations. This makes it possible\\n\\u003e to perform denial of service attacks by sending specially crafted regexes to\\n\\u003e services accepting user-controlled, untrusted regexes.\\n\\u003e \\n\\u003e ## Affected versions\\n\\u003e \\n\\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this\\n\\u003e issue. The fix is include starting from `regex` 1.5.5.\\n\\u003e \\n\\u003e ## Mitigations\\n\\u003e \\n\\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately\\n\\u003e to the latest version of the `regex` crate.\\n\\u003e \\n\\u003e Unfortunately there is no fixed set of problematic regexes, as there are\\n\\u003e practically infinite regexes that could be crafted to exploit this\\n\\u003e vulnerability. Because of this, we do not recommend denying known problematic\\n\\u003e regexes.\\n\\u003e \\n\\u003e ## Acknowledgements\\n\\u003e \\n\\u003e We want to thank Addison Crump for responsibly disclosing this to us according\\n\\u003e to the [Rust security policy][1], and for helping review the fix.\\n\\u003e \\n\\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\n\\u003e for coordinating the disclosure and writing this advisory.\\n\\u003e \\n\\u003e [1]: https://www.rust-lang.org/policies/security\\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-m5pq-gvj9-9vr8](https://osv.dev/GHSA-m5pq-gvj9-9vr8)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\u003e \\n\\u003e [advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\u003e \\n\\u003e The Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\u003e \\n\\u003e This issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\u003e \\n\\u003e ## Overview\\n\\u003e \\n\\u003e The `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\u003e \\n\\u003e Unfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\u003e \\n\\u003e ## Affected versions\\n\\u003e \\n\\u003e All versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\u003e \\n\\u003e ## Mitigations\\n\\u003e \\n\\u003e We recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\u003e \\n\\u003e Unfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\u003e \\n\\u003e ## Acknowledgements\\n\\u003e \\n\\u003e We want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\u003e \\n\\u003e We also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/sub-rust-project/Cargo.lock | regex | 1.5.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GHSA-m5pq-gvj9-9vr8 | regex | 1.5.5 |\\n| RUSTSEC-2022-0013 | regex | 1.5.5 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/sub-rust-project/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2022-24713\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"CVE-2022-24713\",\n \"name\": \"CVE-2022-24713\",\n \"properties\": {\n \"security-severity\": \"7.5\"\n },\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"CVE-2022-24713: Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"text\": \"CVE-2022-24713: Regexes with large repetitions on empty sub-expressions take a very long time to parse\"\n }\n },\n {\n \"deprecatedIds\": [\n \"CVE-2021-3121\",\n \"GO-2021-0053\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"fullDescription\": {\n \"markdown\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"text\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/CVE-2021-3121)**.\\n\\n## [GO-2021-0053](https://osv.dev/GO-2021-0053)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/go.mod | github.com/gogo/protobuf | 1.3.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2021-3121\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [CVE-2021-3121](https://osv.dev/CVE-2021-3121)**.\\n\\n## [GO-2021-0053](https://osv.dev/GO-2021-0053)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/go.mod | github.com/gogo/protobuf | 1.3.1 |\\n\\n## Remediation\\n\\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\\n\\n### Fixed Versions\\n\\n| Vulnerability ID | Package Name | Fixed Version |\\n| --- | --- | --- |\\n| GO-2021-0053 | github.com/gogo/protobuf | 1.3.2 |\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"CVE-2021-3121\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"CVE-2021-3121\",\n \"name\": \"CVE-2021-3121\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"CVE-2021-3121: Panic due to improper input validation in github.com/gogo/protobuf\",\n \"text\": \"CVE-2021-3121: Panic due to improper input validation in github.com/gogo/protobuf\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/no_sources - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@abcxzy' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@abc123' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxzy |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxzy |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.2' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine3@0.4.1' is vulnerable to 'OSV-3'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-3\",\n \"ruleIndex\": 2,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine3@0.4.1' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-3\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-3\",\n \"name\": \"OSV-3\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-3: Something mildly scary!\",\n \"text\": \"OSV-3: Something mildly scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-5\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-5\",\n \"name\": \"OSV-5\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-5: Something scarier!\",\n \"text\": \"OSV-5: Something scarier!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.2' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine3@0.4.1' is vulnerable to 'OSV-3'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-3\",\n \"ruleIndex\": 2,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine3@0.4.1' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-3\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-3\",\n \"name\": \"OSV-3\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-3: Something mildly scary!\",\n \"text\": \"OSV-3: Something mildly scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-5\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-5\",\n \"name\": \"OSV-5\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-5: Something scarier!\",\n \"text\": \"OSV-5: Something scarier!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/third/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| unknown:/path/to/my/third/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/third/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.2' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-3\",\n \"ruleIndex\": 2,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-3\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-3\",\n \"name\": \"OSV-3\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-3: Something mildly scary!\",\n \"text\": \"OSV-3: Something mildly scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-5\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-5\",\n \"name\": \"OSV-5\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-5: Something scarier!\",\n \"text\": \"OSV-5: Something scarier!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.2' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-3\",\n \"ruleIndex\": 2,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@1.2.3' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.2 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-3\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-3\",\n \"name\": \"OSV-3\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-3: Something mildly scary!\",\n \"text\": \"OSV-3: Something mildly scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-5\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-5\",\n \"name\": \"OSV-5\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-5: Something scarier!\",\n \"text\": \"OSV-5: Something scarier!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@123abc' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@abcxyz' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine2@3.2.5' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-3'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-3\",\n \"ruleIndex\": 2,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author1/mine1@123abc' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'author3/mine3@0.4.1' is vulnerable to 'OSV-5'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-5\",\n \"ruleIndex\": 3,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxyz |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abcxyz |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | mine2 | 3.2.5 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2: Something less scary!\",\n \"text\": \"OSV-2: Something less scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-3\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-3](https://osv.dev/OSV-3)**.\\n\\n## [OSV-3](https://osv.dev/OSV-3)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-3\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-3\",\n \"name\": \"OSV-3\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-3: Something mildly scary!\",\n \"text\": \"OSV-3: Something mildly scary!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-5\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-5](https://osv.dev/OSV-5)**.\\n\\n## [OSV-5](https://osv.dev/OSV-5)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | author1/mine1 | 123abc |\\n| sbom:/path/to/my/second/lockfile | author3/mine3 | 0.4.1 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-5\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-5\",\n \"name\": \"OSV-5\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-5: Something scarier!\",\n \"text\": \"OSV-5: Something scarier!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/no_sources - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'GHSA-123'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"GHSA-123\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"GHSA-123\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [GHSA-123](https://osv.dev/GHSA-123)**.\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"GHSA-123\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [GHSA-123](https://osv.dev/GHSA-123)**.\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"GHSA-123\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"GHSA-123\",\n \"name\": \"GHSA-123\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"GHSA-123: Something scarier!\",\n \"text\": \"GHSA-123: Something scarier!\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1' (also known as 'GHSA-123').\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\",\n \"GHSA-123\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**\\n(Also published as: [GHSA-123](https://osv.dev/GHSA-123), ).\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n## [GHSA-123](https://osv.dev/GHSA-123)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@abc123' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@abc123' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | abc123 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine3@0.10.2-rc' is vulnerable to 'OSV-2'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-2\",\n \"ruleIndex\": 1,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\",\n \"text\": \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1\",\n \"text\": \"OSV-1\"\n }\n },\n {\n \"deprecatedIds\": [\n \"OSV-2\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine3 | 0.10.2-rc |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-2](https://osv.dev/OSV-2)**.\\n\\n## [OSV-2](https://osv.dev/OSV-2)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine3 | 0.10.2-rc |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-2\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-2\",\n \"name\": \"OSV-2\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-2\",\n \"text\": \"OSV-2\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n\n[TestPrintSARIFReport_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"$schema\": \"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json\",\n \"properties\": {},\n \"runs\": [\n {\n \"addresses\": [],\n \"artifacts\": [\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n },\n {\n \"length\": -1,\n \"location\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n },\n \"parentIndex\": -1,\n \"roles\": []\n }\n ],\n \"graphs\": [],\n \"invocations\": [],\n \"language\": \"en-US\",\n \"logicalLocations\": [],\n \"newlineSequences\": [\n \"\\r\\n\",\n \"\\n\"\n ],\n \"policies\": [],\n \"redactionTokens\": [],\n \"results\": [\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/first/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n },\n {\n \"attachments\": [],\n \"codeFlows\": [],\n \"fixes\": [],\n \"graphTraversals\": [],\n \"graphs\": [],\n \"kind\": \"fail\",\n \"level\": \"warning\",\n \"locations\": [\n {\n \"annotations\": [],\n \"id\": -1,\n \"logicalLocations\": [],\n \"physicalLocation\": {\n \"artifactLocation\": {\n \"index\": -1,\n \"uri\": \"file:///path/to/my/second/lockfile\"\n }\n },\n \"relationships\": []\n }\n ],\n \"message\": {\n \"arguments\": [],\n \"text\": \"Package 'mine1@1.2.3' is vulnerable to 'OSV-1'.\"\n },\n \"partialFingerprints\": {\n \"primaryLocationLineHash\": \"[line-hash]\"\n },\n \"rank\": -1,\n \"relatedLocations\": [],\n \"ruleId\": \"OSV-1\",\n \"ruleIndex\": 0,\n \"stacks\": [],\n \"taxa\": []\n }\n ],\n \"runAggregates\": [],\n \"taxonomies\": [],\n \"threadFlowLocations\": [],\n \"tool\": {\n \"driver\": {\n \"contents\": [\n \"localizedData\",\n \"nonLocalizedData\"\n ],\n \"informationUri\": \"https://github.com/google/osv-scanner\",\n \"isComprehensive\": false,\n \"language\": \"en-US\",\n \"locations\": [],\n \"name\": \"osv-scanner\",\n \"notifications\": [],\n \"rules\": [\n {\n \"deprecatedIds\": [\n \"OSV-1\"\n ],\n \"fullDescription\": {\n \"markdown\": \"\",\n \"text\": \"\"\n },\n \"help\": {\n \"markdown\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\",\n \"text\": \"**Your dependency is vulnerable to [OSV-1](https://osv.dev/OSV-1)**.\\n\\n## [OSV-1](https://osv.dev/OSV-1)\\n\\n\\u003cdetails\\u003e\\n\\u003csummary\\u003eDetails\\u003c/summary\\u003e\\n\\n\\u003e \\n\\n\\u003c/details\\u003e\\n\\n---\\n\\n### Affected Packages\\n\\n| Source | Package Name | Package Version |\\n| --- | --- | --- |\\n| lockfile:/path/to/my/first/lockfile | mine1 | 1.2.3 |\\n| sbom:/path/to/my/second/lockfile | mine1 | 1.2.3 |\\n\\n## Remediation\\n\\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\\n`osv-scanner.toml` file located in the same directory as the lockfile containing the vulnerable dependency.\\n\\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\\n\\nAdd or append these values to the following config files to ignore this vulnerability:\\n\\n`/path/to/my/first/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n`/path/to/my/second/osv-scanner.toml`\\n\\n```\\n[[IgnoredVulns]]\\nid = \\\"OSV-1\\\"\\nreason = \\\"Your reason for ignoring this vulnerability\\\"\\n```\\n\"\n },\n \"id\": \"OSV-1\",\n \"name\": \"OSV-1\",\n \"relationships\": [],\n \"shortDescription\": {\n \"markdown\": \"OSV-1: Something scary!\",\n \"text\": \"OSV-1: Something scary!\"\n }\n }\n ],\n \"supportedTaxonomies\": [],\n \"taxa\": [],\n \"version\": \"2.3.4\"\n },\n \"extensions\": []\n },\n \"translations\": [],\n \"versionControlProvenance\": [],\n \"webRequests\": [],\n \"webResponses\": []\n }\n ],\n \"version\": \"2.1.0\"\n}\n---\n" }, { "path": "internal/output/__snapshots__/spdx_test.snap", "content": "\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"author1/mine1\",\n \"SPDXID\": \"SPDXRef-Package-author1-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author1%2Fmine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the dotnet/packageslockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:nuget/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"author1/mine1\",\n \"SPDXID\": \"SPDXRef-Package-author1-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author1%2Fmine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author1-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author1-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author1-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author1-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/no_sources - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_no_packages - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"5.9.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@5.9.0\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"deprecated-pkg\",\n \"SPDXID\": \"SPDXRef-Package-deprecated-pkg-\",\n \"versionInfo\": \"1.0.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/deprecated-pkg@1.0.0\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-deprecated-pkg-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-deprecated-pkg-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"5.9.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@5.9.0\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.2\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.2\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.4.1\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.3.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.3.5\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/third/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"author1/mine1\",\n \"SPDXID\": \"SPDXRef-Package-author1-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author1%2Fmine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.2\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the dotnet/pe extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:nuget/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"author3/mine3\",\n \"SPDXID\": \"SPDXRef-Package-author3-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author3%2Fmine3@0.4.1\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author1-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author1-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author3-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author3-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"author1/mine1\",\n \"SPDXID\": \"SPDXRef-Package-author1-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author1%2Fmine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.2\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.2\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the dotnet/pe extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:nuget/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"author3/mine3\",\n \"SPDXID\": \"SPDXRef-Package-author3-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author3%2Fmine3@0.4.1\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author1-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author1-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author3-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author3-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"author1/mine1\",\n \"SPDXID\": \"SPDXRef-Package-author1-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the php/composerlock extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author1%2Fmine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"3.2.5\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the dotnet/pe extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:nuget/mine2@3.2.5\"\n }\n ]\n },\n {\n \"name\": \"author3/mine3\",\n \"SPDXID\": \"SPDXRef-Package-author3-mine3-\",\n \"versionInfo\": \"0.4.1\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:composer/author3%2Fmine3@0.4.1\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author1-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author1-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-author3-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-author3-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/no_sources - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_no_packages - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine3\",\n \"SPDXID\": \"SPDXRef-Package-mine3-\",\n \"versionInfo\": \"0.10.2-rc\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine3@0.10.2-rc\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine3-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine3-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine2\",\n \"SPDXID\": \"SPDXRef-Package-mine2-\",\n \"versionInfo\": \"5.9.0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine2@5.9.0\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine2-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine2-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n\n[TestPrintSPDXResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n{\n \"spdxVersion\": \"SPDX-2.3\",\n \"dataLicense\": \"CC0-1.0\",\n \"SPDXID\": \"SPDXRef-DOCUMENT\",\n \"name\": \"SCALIBR-generated SPDX\",\n \"documentNamespace\": \"https://spdx.google/\",\n \"creationInfo\": {\n \"creators\": [\n \"Tool: SCALIBR\"\n ],\n \"created\": \"\"\n },\n \"packages\": [\n {\n \"name\": \"main\",\n \"SPDXID\": \"SPDXRef-Package-main-\",\n \"versionInfo\": \"0\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/first/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n },\n {\n \"name\": \"mine1\",\n \"SPDXID\": \"SPDXRef-Package-mine1-\",\n \"versionInfo\": \"1.2.3\",\n \"supplier\": \"NOASSERTION\",\n \"downloadLocation\": \"NOASSERTION\",\n \"filesAnalyzed\": false,\n \"sourceInfo\": \"Identified by the javascript/packagelockjson extractor from /path/to/my/second/lockfile\",\n \"licenseConcluded\": \"NOASSERTION\",\n \"licenseDeclared\": \"NOASSERTION\",\n \"externalRefs\": [\n {\n \"referenceCategory\": \"PACKAGE-MANAGER\",\n \"referenceType\": \"purl\",\n \"referenceLocator\": \"pkg:npm/mine1@1.2.3\"\n }\n ]\n }\n ],\n \"relationships\": [\n {\n \"spdxElementId\": \"SPDXRef-DOCUMENT\",\n \"relatedSpdxElement\": \"SPDXRef-Package-main-\",\n \"relationshipType\": \"DESCRIBES\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-main-\",\n \"relatedSpdxElement\": \"SPDXRef-Package-mine1-\",\n \"relationshipType\": \"CONTAINS\"\n },\n {\n \"spdxElementId\": \"SPDXRef-Package-mine1-\",\n \"relatedSpdxElement\": \"NOASSERTION\",\n \"relationshipType\": \"CONTAINS\"\n }\n ]\n}\n\n---\n" }, { "path": "internal/output/__snapshots__/table_test.snap", "content": "\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ────────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ────────────────────────────┤\n│ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │\n│ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴───────────────┴─────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfile │\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT, Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ 7.8 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfile │\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\n╭─────────────────────────────────────────────────────────╮\n│ Deprecated packages │\n├───────────â”Ŧ────────────────â”Ŧ─────────â”Ŧ──────────────────┤\n│ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────â”ŧ────────────────â”ŧ─────────â”ŧ──────────────────┤\n│ npm │ deprecated-pkg │ 1.0.0 │ path/to/lockfile │\n╰───────────┴────────────────┴─────────┴──────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────────┤\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────────────────────╮\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────────────────────┤\n│ MIT │ npm │ mine2 │ 5.9.0 │ path/to/my/second/lockfile │\n╰───────────────────┴───────────┴─────────┴─────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-5 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 (dev) │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-5 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/third/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-3 │ 4.3 │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n\nTotal 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- │ path/to/my/first/lockfile │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰──────────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- │ path/to/my/second/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ 9 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ Uncalled vulnerabilities │ │ │ │ │ │ │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/GHSA-123 │ │ │ │ │ │ │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ 8.3 │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/GHSA-123 │ │ │ │ │ │ │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/GHSA-123 │ │ │ │ │ │ │\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ───────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ───────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-2 │ │ npm │ mine3 │ 0.10.2-rc │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴───────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ───────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────â”ŧ───────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴───────────────┴───────────────────────────╯\n\n---\n\n[TestPrintTableResults_LongTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ───────────────â”Ŧ────────────────────────────╮\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION │ SOURCE │\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ───────────────â”ŧ────────────────────────────┤\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- │ path/to/my/first/lockfile │\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- │ path/to/my/second/lockfile │\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────┴────────────────────────────╯\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+----------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+----------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------+---------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------------+---------+----------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------------+---------+----------------------------+\n| MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | Packagist | author1/mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------------+---------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+----------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+----------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| Apache-2.0 | npm | mine2 | 3.2.5 | path/to/my/second/lockfile |\n| MIT | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------+---------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT, Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+----------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | 7.8 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+----------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n| MIT | npm | mine1 | 1.3.5 | path/to/my/third/lockfile |\n| Apache-2.0 | npm | mine1 | 1.2.3 | path/to/my/third/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\n+---------------------------------------------------------+\n| Deprecated packages |\n+-----------+----------------+---------+------------------+\n| ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-----------+----------------+---------+------------------+\n| npm | deprecated-pkg | 1.0.0 | path/to/lockfile |\n+-----------+----------------+---------+------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n+-------------------+-----------+---------+---------+---------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+---------------------------+\n| MIT | npm | mine1 | 1.2.3 | path/to/my/first/lockfile |\n+-------------------+-----------+---------+---------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n+-------------------+-----------+---------+---------+----------------------------+\n| LICENSE VIOLATION | ECOSYSTEM | PACKAGE | VERSION | SOURCE |\n+-------------------+-----------+---------+---------+----------------------------+\n| MIT | npm | mine2 | 5.9.0 | path/to/my/second/lockfile |\n+-------------------+-----------+---------+---------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 (dev) | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-3 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | npm | mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/third/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | 4.3 | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n\nTotal 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.2 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-2 | | NuGet | mine2 | 3.2.5 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author1/mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-3 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-5 | | Packagist | author3/mine3 | 0.4.1 | -- | path/to/my/second/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/GHSA-123 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | 9 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+-------------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+-------------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+-------------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| Uncalled vulnerabilities | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/GHSA-123 | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | 8.3 | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/GHSA-123 | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/GHSA-123 | | | | | | |\n+--------------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+-----------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+-----------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-2 | | npm | mine3 | 0.10.2-rc | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+-----------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n+-----------------------+------+-----------+---------+---------+---------------+---------------------------+\n\n---\n\n[TestPrintTableResults_NoTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | FIXED VERSION | SOURCE |\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n| https://osv.dev/OSV-1 | | npm | mine1 | 1.2.3 | -- | path/to/my/first/lockfile |\n| https://osv.dev/OSV-1 | | npm | mine1 (dev) | 1.2.3 | -- | path/to/my/second/lockfile |\n+-----------------------+------+-----------+-------------+---------+---------------+----------------------------+\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfi ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ─────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ─────────────────── ≈\n│ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/first/l ≈\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/ ≈\n│ MIT │ Packagist │ author1/mine1 │ 1.2.3 │ path/to/my/third/l ≈\n╰───────────────────┴───────────┴───────────────┴─────────┴─────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n│ Apache-2.0 │ npm │ mine2 │ 3.2.5 │ path/to/my/second/lockfi ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT, Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ 7.8 │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n│ MIT │ npm │ mine1 │ 1.3.5 │ path/to/my/third/lockfil ≈\n│ Apache-2.0 │ npm │ mine1 │ 1.2.3 │ path/to/my/third/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\n╭─────────────────────────────────────────────────────────╮\n│ Deprecated packages │\n├───────────â”Ŧ────────────────â”Ŧ─────────â”Ŧ──────────────────┤\n│ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE │\n├───────────â”ŧ────────────────â”ŧ─────────â”ŧ──────────────────┤\n│ npm │ deprecated-pkg │ 1.0.0 │ path/to/lockfile │\n╰───────────┴────────────────┴─────────┴──────────────────╯\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine1 │ 1.2.3 │ path/to/my/first/lockfil ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n╭───────────────────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ───────────────────────── ≈\n│ LICENSE VIOLATION │ ECOSYSTEM │ PACKAGE │ VERSION │ SOURCE ≈\n├───────────────────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ───────────────────────── ≈\n│ MIT │ npm │ mine2 │ 5.9.0 │ path/to/my/second/lockfi ≈\n╰───────────────────┴───────────┴─────────┴─────────┴───────────────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 (dev) │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-3 │ │ npm │ mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ npm │ mine3 │ 0.4.1 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ──────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED V ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ──────── ≈\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-3 │ 4.3 │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈\n╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴──────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n\nTotal 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ───── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXE ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───── ≈\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.2 │ -- ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ───── ≈\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n╰──────────────────────────┴──────┴───────────┴───────────────┴─────────┴───── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ───────────────â”Ŧ─────────â”Ŧ──────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED V ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ───────────────â”ŧ─────────â”ŧ──────── ≈\n│ https://osv.dev/OSV-2 │ │ NuGet │ mine2 │ 3.2.5 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author1/mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-3 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-5 │ │ Packagist │ author3/mine3 │ 0.4.1 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- ≈\n╰───────────────────────┴──────┴───────────┴───────────────┴─────────┴──────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/GHSA-123 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ 9 │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ Uncalled vulnerabilities │ │ │ │ │ ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/GHSA-123 │ │ │ │ │ ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ 8.3 │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/GHSA-123 │ │ │ │ │ ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭──────────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ─────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERS ≈\n├──────────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ─────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/GHSA-123 │ │ │ │ │ ≈\n╰──────────────────────────┴──────┴───────────┴─────────┴─────────┴─────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ───────────â”Ŧ──────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSI ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ───────────â”ŧ──────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-2 │ │ npm │ mine3 │ 0.10.2-rc │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴───────────┴──────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────â”Ŧ─────────â”Ŧ────────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VERSION ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────â”ŧ─────────â”ŧ────────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────┴─────────┴────────────── ≈\n\n---\n\n[TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n╭───────────────────────â”Ŧ──────â”Ŧ───────────â”Ŧ─────────────â”Ŧ─────────â”Ŧ────────── ≈\n│ OSV URL │ CVSS │ ECOSYSTEM │ PACKAGE │ VERSION │ FIXED VER ≈\n├───────────────────────â”ŧ──────â”ŧ───────────â”ŧ─────────────â”ŧ─────────â”ŧ────────── ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 │ 1.2.3 │ -- ≈\n│ https://osv.dev/OSV-1 │ │ npm │ mine1 (dev) │ 1.2.3 │ -- ≈\n╰───────────────────────┴──────┴───────────┴─────────────┴─────────┴────────── ≈\n\n---\n" }, { "path": "internal/output/__snapshots__/vertical_test.snap", "content": "\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine2@3.2.5 (Apache-2.0)\n\n 1 license violation found in sbom:/path/to/my/second/lockfile\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages,_some_license_violations#01 - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\nNuGet\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\nPackagist\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n author1/mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n author1/mine1@1.2.3 (MIT)\n\n 1 license violation found in unknown:/path/to/my/third/lockfile\n\nnpm\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine2@3.2.5 (Apache-2.0)\n\n 1 license violation found in sbom:/path/to/my/second/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine2@3.2.5 (Apache-2.0)\n\n 1 license violation found in sbom:/path/to/my/second/lockfile\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package,_no_licenses - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_an_unknown_license - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_multiple_license_violations - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT, Apache-2.0)\n\n 2 license violations found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_and_one_license_violation_(dev) - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/one_source_with_one_package_with_just_a_commit_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@ (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithLicenseViolations/two_sources_with_packages,_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n no license violations found\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\nHiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n no license violations found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\nHiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\n\n license violations found:\n mine1@1.2.3 (Apache-2.0)\n mine1@1.3.5 (MIT)\n\n 2 license violations found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n no license violations found\n\nunknown:/path/to/my/third/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in unknown:/path/to/my/third/lockfile\n\n license violations found:\n mine1@1.2.3 (Apache-2.0)\n mine1@1.3.5 (MIT)\n\n 2 license violations found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@ has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n no license violations found\n\nunknown:/path/to/my/third/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in unknown:/path/to/my/third/lockfile\n\n license violations found:\n mine1@1.2.3 (Apache-2.0)\n mine1@1.3.5 (MIT)\n\n 2 license violations found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_deprecated_package - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nTotal 1 package deprecated.\n\nnpm\n\nlockfile:/path/to/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n 1 deprecated packages found:\n deprecated-pkg@1.0.0\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\nHiding 1 number of vulnerabilities deemed unimportant, use --all-vulns to show them.\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/one_source_with_one_package,_one_vulnerability,_and_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n license violations found:\n mine1@1.2.3 (MIT)\n\n 1 license violation found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithMixedIssues/two_sources_with_packages,_one_vulnerability,_one_license_violation - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n no license violations found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n license violations found:\n mine2@5.9.0 (MIT)\n\n 1 license violation found in sbom:/path/to/my/second/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 2 packages with issues\n\n mine1@1.2.2 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 2 packages with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n mine3@0.4.1 has the following known vulnerabilities:\n OSV-3: Something mildly scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 2 packages with issues\n\n mine1@1.2.2 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 3 known vulnerabilities found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 2 packages with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n mine3@0.4.1 has the following known vulnerabilities:\n OSV-3: Something mildly scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 3 known vulnerabilities found in sbom:/path/to/my/second/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities - 1]\n\nTotal 3 packages affected by 3 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 3 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n\nunknown:/path/to/my/third/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in unknown:/path/to/my/third/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 1 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\nNuGet\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n\nPackagist\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n author1/mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n author3/mine3@0.4.1 has the following known vulnerabilities:\n OSV-3: Something mildly scary!\n Severity: '4.3'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.2 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled - 1]\n\nTotal 4 packages affected by 5 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 5 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\nNuGet\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n\nPackagist\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n author1/mine1@1.2.3 has the following known vulnerabilities:\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n author1/mine1@1.2.3 has the following uncalled vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n author3/mine3@0.4.1 has the following known vulnerabilities:\n OSV-3: Something mildly scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.2 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities - 1]\n\nTotal 4 packages affected by 6 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 6 Unknown) from 3 ecosystems.\n0 vulnerabilities can be fixed.\n\nNuGet\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine2@3.2.5 has the following known vulnerabilities:\n OSV-2: Something less scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n\nPackagist\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n author1/mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n author3/mine3@0.4.1 has the following known vulnerabilities:\n OSV-3: Something mildly scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n OSV-5: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in sbom:/path/to/my/second/lockfile\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@ has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/multiple_sources_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\nunknown:/path/to/my/third/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/no_sources - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 0 ecosystems.\n0 vulnerabilities can be fixed.\n\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_no_packages - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\n\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_no_vulnerabilities - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n mine1@1.2.3 has the following uncalled vulnerabilities:\n GHSA-123: Something scarier!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package,_one_vulnerability,_and_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (1 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: '9'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_called_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n\n mine1@1.2.3 has the following uncalled vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_one_vulnerability_(dev) - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability - 1]\n\nTotal 0 packages affected by 0 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 0 packages with issues\n\n mine1@1.2.3 has the following uncalled vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 uncalled/unimportant vulnerability found in lockfile:/path/to/my/first/lockfile (filtered out)\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium, 0 Low, 0 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: '8.3'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_one_package_with_just_a_commit_and_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@ has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/one_source_with_vulnerabilities,_some_missing_content - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 2 packages with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: This vulnerability allows for some very scary stuff to happen - seriously,...\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n mine3@0.10.2-rc has the following known vulnerabilities:\n OSV-2: (no details available)\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 2 known vulnerabilities found in lockfile:/path/to/my/first/lockfile\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/two_sources_with_packages,_one_vulnerability - 1]\n\nTotal 1 package affected by 1 known vulnerability (0 Critical, 0 High, 0 Medium, 0 Low, 1 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 0 packages with issues\n no known vulnerabilities found\n\n\n---\n\n[TestPrintVerticalResults_WithVulnerabilities/two_sources_with_the_same_vulnerable_package - 1]\n\nTotal 2 packages affected by 2 known vulnerabilities (0 Critical, 0 High, 0 Medium, 0 Low, 2 Unknown) from 1 ecosystem.\n0 vulnerabilities can be fixed.\n\nnpm\n\nlockfile:/path/to/my/first/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in lockfile:/path/to/my/first/lockfile\n\nsbom:/path/to/my/second/lockfile: found 1 package with issues\n\n mine1@1.2.3 has the following known vulnerabilities:\n OSV-1: Something scary!\n Severity: 'N/A'; Minimal Fix Version: 'No fix available';\n\n 1 known vulnerability found in sbom:/path/to/my/second/lockfile\n\n\n---\n" }, { "path": "internal/output/cyclonedx.go", "content": "// Package output provides functionality for printing scan results in various formats.\npackage output\n\nimport (\n\t\"errors\"\n\t\"io\"\n\n\t\"github.com/CycloneDX/cyclonedx-go\"\n\t\"github.com/google/osv-scanner/v2/internal/output/sbom\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// PrintCycloneDXResults writes results to the provided writer in CycloneDX format\nfunc PrintCycloneDXResults(vulnResult *models.VulnerabilityResults, cycloneDXVersion models.CycloneDXVersion, outputWriter io.Writer) error {\n\tbomCreator := sbom.SpecVersionToBomCreator[cycloneDXVersion]\n\tresultsByPurl, errs := purl.Group(vulnResult.Results)\n\n\tbom := bomCreator(resultsByPurl)\n\tencoder := cyclonedx.NewBOMEncoder(outputWriter, cyclonedx.BOMFileFormatJSON)\n\tencoder.SetPretty(true)\n\n\terr := encoder.Encode(bom)\n\n\treturn errors.Join(err, errors.Join(errs...))\n}\n" }, { "path": "internal/output/cyclonedx_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc testCycloneDXResults(t *testing.T, version models.CycloneDXVersion, testFunc func(*testing.T, func(*testing.T, outputTestCaseArgs))) {\n\tt.Helper()\n\ttestFunc(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintCycloneDXResults(args.vulnResult, version, outputWriter)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%v\", err)\n\t\t}\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintCycloneDXResults(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tname string\n\t\tversion models.CycloneDXVersion\n\t\ttestFn func(*testing.T, func(*testing.T, outputTestCaseArgs))\n\t}{\n\t\t{\"CycloneDX14_WithVulnerabilities\", models.CycloneDXVersion14, testOutputWithVulnerabilities},\n\t\t{\"CycloneDX14_WithLicenseViolations\", models.CycloneDXVersion14, testOutputWithLicenseViolations},\n\t\t{\"CycloneDX14_WithMixedIssues\", models.CycloneDXVersion14, testOutputWithMixedIssues},\n\t\t{\"CycloneDX15_WithVulnerabilities\", models.CycloneDXVersion15, testOutputWithVulnerabilities},\n\t\t{\"CycloneDX15_WithLicenseViolations\", models.CycloneDXVersion15, testOutputWithLicenseViolations},\n\t\t{\"CycloneDX15_WithMixedIssues\", models.CycloneDXVersion15, testOutputWithMixedIssues},\n\t\t{\"CycloneDX16_WithVulnerabilities\", models.CycloneDXVersion16, testOutputWithVulnerabilities},\n\t\t{\"CycloneDX16_WithLicenseViolations\", models.CycloneDXVersion16, testOutputWithLicenseViolations},\n\t\t{\"CycloneDX16_WithMixedIssues\", models.CycloneDXVersion16, testOutputWithMixedIssues},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttestCycloneDXResults(t, tt.version, tt.testFn)\n\t\t})\n\t}\n}\n" }, { "path": "internal/output/form.go", "content": "package output\n\n// Form returns the singular or plural form that should be used based on the given count\nfunc Form(count int, singular, plural string) string {\n\tif count == 1 {\n\t\treturn singular\n\t}\n\n\treturn plural\n}\n" }, { "path": "internal/output/form_test.go", "content": "package output_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n)\n\nfunc TestForm(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tcount int\n\t\tsingular string\n\t\tplural string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: args{\n\t\t\t\tcount: 0,\n\t\t\t\tsingular: \"package\",\n\t\t\t\tplural: \"packages\",\n\t\t\t},\n\t\t\twant: \"packages\",\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: args{\n\t\t\t\tcount: 1,\n\t\t\t\tsingular: \"package\",\n\t\t\t\tplural: \"packages\",\n\t\t\t},\n\t\t\twant: \"package\",\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: args{\n\t\t\t\tcount: 2,\n\t\t\t\tsingular: \"package\",\n\t\t\t\tplural: \"packages\",\n\t\t\t},\n\t\t\twant: \"packages\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif got := output.Form(tt.args.count, tt.args.singular, tt.args.plural); got != tt.want {\n\t\t\t\tt.Errorf(\"Form() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/output/githubannotation.go", "content": "package output\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/jedib0t/go-pretty/v6/table\"\n)\n\n// createSourceRemediationTable creates a vulnerability table which includes the fixed versions for a specific source file\nfunc createSourceRemediationTable(source models.PackageSource, groupedFixedVersions map[string][]string) (table.Writer, bool) {\n\thasRow := false\n\tremediationTable := table.NewWriter()\n\tremediationTable.AppendHeader(table.Row{\"Package\", \"Vulnerability ID\", \"CVSS\", \"Current Version\", \"Fixed Version\"})\n\n\tfor _, pv := range source.Packages {\n\t\tfor _, group := range pv.Groups {\n\t\t\tfixedVersions := groupedFixedVersions[source.Source.String()+\":\"+group.IndexString()]\n\n\t\t\tvulnIDs := make([]string, 0, len(group.IDs))\n\t\t\tfor _, id := range group.IDs {\n\t\t\t\tvulnIDs = append(vulnIDs, \"https://osv.dev/\"+id)\n\t\t\t}\n\t\t\tremediationTable.AppendRow(table.Row{\n\t\t\t\tpv.Package.Name,\n\t\t\t\tstrings.Join(vulnIDs, \"\\n\"),\n\t\t\t\tgroup.MaxSeverity,\n\t\t\t\tpv.Package.Version,\n\t\t\t\tstrings.Join(fixedVersions, \"\\n\")})\n\t\t\thasRow = true\n\t\t}\n\t}\n\n\treturn remediationTable, hasRow\n}\n\nfunc createDeprecationTable(source models.PackageSource) (table.Writer, bool) {\n\thasRow := false\n\tdeprecationTable := table.NewWriter()\n\tdeprecationTable.AppendHeader(table.Row{\"Package\", \"Current Version\", \"Deprecated\"})\n\n\tfor _, pv := range source.Packages {\n\t\tif pv.Package.Deprecated {\n\t\t\tdeprecationTable.AppendRow(table.Row{\n\t\t\t\tpv.Package.Name,\n\t\t\t\tpv.Package.Version,\n\t\t\t\tpv.Package.Deprecated,\n\t\t\t})\n\t\t\thasRow = true\n\t\t}\n\t}\n\n\treturn deprecationTable, hasRow\n}\n\n// PrintGHAnnotationReport prints Github specific annotations to outputWriter\nfunc PrintGHAnnotationReport(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\tflattened := vulnResult.Flatten()\n\n\t// TODO: Also support last affected\n\tgroupedFixedVersions := groupFixedVersions(flattened)\n\tworkingDir := mustGetWorkingDirectory()\n\n\tfor _, source := range vulnResult.Results {\n\t\tif len(source.Packages) == 0 {\n\t\t\tcontinue\n\t\t}\n\t\t// TODO: Support docker images\n\n\t\tvar artifactPath string\n\t\tvar err error\n\t\tartifactPath, err = filepath.Rel(workingDir, source.Source.Path)\n\t\tif err != nil {\n\t\t\tartifactPath = source.Source.Path\n\t\t}\n\n\t\tartifactPath = filepath.ToSlash(artifactPath)\n\n\t\tremediationTable, hasVulnTable := createSourceRemediationTable(source, groupedFixedVersions)\n\t\tif hasVulnTable {\n\t\t\trenderedTable := remediationTable.Render()\n\t\t\t// This is required as github action annotations must be on the same terminal line\n\t\t\t// so we URL encode the new line character\n\t\t\trenderedTable = strings.ReplaceAll(renderedTable, \"\\n\", \"%0A\")\n\n\t\t\t// Prepend the table with a new line to look nicer in the output\n\t\t\tfmt.Fprintf(outputWriter, \"::error file=%s::%s%s\", artifactPath, artifactPath, \"%0A\"+renderedTable)\n\t\t}\n\n\t\t// Create and render package deprecation table\n\t\tdeprecationTable, hasDeprecationTable := createDeprecationTable(source)\n\t\tif hasDeprecationTable {\n\t\t\trenderedDeprecationTable := deprecationTable.Render()\n\t\t\trenderedDeprecationTable = strings.ReplaceAll(renderedDeprecationTable, \"\\n\", \"%0A\")\n\t\t\tfmt.Fprintf(outputWriter, \"::error file=%s::%s%s\", artifactPath, artifactPath, \"%0A\"+renderedDeprecationTable)\n\t\t}\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/output/githubannotation_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestPrintGHAnnotationReport_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintGHAnnotationReport(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing GH annotation output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintGHAnnotationReport_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintGHAnnotationReport(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing GH annotation output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintGHAnnotationReport_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintGHAnnotationReport(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing GH annotation output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n" }, { "path": "internal/output/helpers_test.go", "content": "package output_test\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/dotnetpe\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype outputTestCaseArgs struct {\n\tvulnResult *models.VulnerabilityResults\n}\n\ntype outputTestCase struct {\n\tname string\n\targs outputTestCaseArgs\n}\n\ntype outputTestRunner = func(t *testing.T, args outputTestCaseArgs)\n\ntype pkginfo struct {\n\tName string\n\tOSPackageName string\n\tVersion string\n\tEcosystem string\n\tDeprecated bool\n\tCommit string\n\tImageOrigin *models.ImageOriginDetails\n\tExtractor extractor.Extractor\n}\n\nfunc resolvePURLType(eco string) string {\n\tswitch eco {\n\tcase \"npm\":\n\t\treturn purl.TypeNPM\n\tcase \"NuGet\":\n\t\treturn purl.TypeNuget\n\tcase \"Packagist\":\n\t\treturn purl.TypeComposer\n\t}\n\n\tpanic(\"unknown PURL type for ecosystem \" + eco)\n}\n\nfunc newPackageInfo(source string, pi pkginfo) models.PackageInfo {\n\tinfo := models.PackageInfo{\n\t\tName: pi.Name,\n\t\tOSPackageName: pi.OSPackageName,\n\t\tVersion: pi.Version,\n\t\tEcosystem: pi.Ecosystem,\n\t\tCommit: pi.Commit,\n\t\tImageOrigin: pi.ImageOrigin,\n\t\tDeprecated: pi.Deprecated,\n\t\tInventory: &extractor.Package{\n\t\t\tName: pi.Name,\n\t\t\tVersion: pi.Version,\n\t\t\tPlugins: []string{pi.Extractor.Name()},\n\t\t\tLocation: extractor.LocationFromPath(source),\n\t\t\tPURLType: resolvePURLType(pi.Ecosystem),\n\t\t},\n\t}\n\n\treturn info\n}\n\nfunc testOutputWithVulnerabilities(t *testing.T, run outputTestRunner) {\n\tt.Helper()\n\n\tcwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t))\n\n\ttests := []outputTestCase{\n\t\t{\n\t\t\tname: \"no_sources\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_no_packages\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_no_packages\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_no_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_no_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_one_vulnerability,_and_a_max_severity\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}, MaxSeverity: \"9\"}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_with_both_a_version_and_commit_and_one_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abc123\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_with_just_a_commit_and_one_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abc123\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_called_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_uncalled_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_one_uncalled_vulnerability,_and_one_called_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tIDs: []string{\"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\t\"GHSA-123\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"GHSA-123\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_vulnerability_(dev)\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"two_sources_with_the_same_vulnerable_package\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_without_a_max_severity\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"GHSA-123\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_two_aliases_of_a_single_vulnerability_with_a_max_severity\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\tMaxSeverity: \"8.3\",\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"GHSA-123\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_two_aliases_of_a_single_uncalled_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\", \"GHSA-123\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"GHSA-123\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tAliases: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"two_sources_with_packages,_one_vulnerability\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"5.9.0\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_and_multiple_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-1\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.2\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-3\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-3\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something mildly scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_grouped_packages,_and_multiple_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\", \"optional\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-1\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.2\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-3\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-3\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something mildly scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author1/mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-1\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.2\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"NuGet\",\n\t\t\t\t\t\t\t\t\t\tExtractor: dotnetpe.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author3/mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-3\"}, MaxSeverity: \"4.3\"},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-3\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something mildly scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_across_ecosystems_using_commits_and_version,_and_multiple_vulnerabilities\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author1/mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"123abc\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-1\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abcxyz\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"NuGet\",\n\t\t\t\t\t\t\t\t\t\tExtractor: dotnetpe.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author3/mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-3\"}},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-3\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something mildly scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_and_multiple_vulnerabilities,_but_some_uncalled\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author1/mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-5\"},\n\t\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\t\"OSV-5\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.2\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"NuGet\",\n\t\t\t\t\t\t\t\t\t\tExtractor: dotnetpe.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author3/mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-3\"},\n\t\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\t\"OSV-3\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{IDs: []string{\"OSV-5\"}},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-3\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something mildly scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-5\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scarier!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_vulnerabilities,_some_missing_content\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{Id: \"OSV-1\", Details: \"This vulnerability allows for some very scary stuff to happen - seriously, you'd not believe it!\"},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.10.2-rc\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{Id: \"OSV-2\"},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\trun(t, tt.args)\n\t\t})\n\t}\n}\n\nfunc testOutputWithLicenseViolations(t *testing.T, run outputTestRunner) {\n\tt.Helper()\n\n\tcwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t))\n\n\texperimentalAnalysisConfig := models.ExperimentalAnalysisConfig{\n\t\tLicenses: models.ExperimentalLicenseConfig{Summary: false, Allowlist: []models.License{\"ISC\"}},\n\t}\n\n\ttests := []outputTestCase{\n\t\t{\n\t\t\tname: \"no_sources\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_no_packages\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_no_packages\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_no_licenses\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_an_unknown_license\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"UNKNOWN\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_no_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_no_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_with_both_a_version_and_a_commit_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abc123\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_with_just_a_commit_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abc123\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_one_license_violation_(dev)\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"two_sources_with_packages,_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"5.9.0\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_some_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_and_groups,_some_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\", \"optional\"},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\", \"optional\"},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_across_ecosystems,_some_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author1/mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"NuGet\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packageslockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"author1/mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"Packagist\",\n\t\t\t\t\t\t\t\t\t\tExtractor: composerlock.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tDepGroups: []string{\"dev\"},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package_and_multiple_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\", \"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\", \"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_some_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\", \"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"UNKNOWN\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"UNKNOWN\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\trun(t, tt.args)\n\t\t})\n\t}\n}\n\nfunc testOutputWithMixedIssues(t *testing.T, run outputTestRunner) {\n\tt.Helper()\n\n\tcwd := filepath.ToSlash(testutility.GetCurrentWorkingDirectory(t))\n\n\texperimentalAnalysisConfig := models.ExperimentalAnalysisConfig{\n\t\tLicenses: models.ExperimentalLicenseConfig{Summary: false, Allowlist: []models.License{\"ISC\"}},\n\t}\n\n\ttests := []outputTestCase{\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_one_vulnerability,_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_in_working_directory_with_one_package,_one_vulnerability,_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_one_called_vulnerability,_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_package,_one_uncalled_vulnerability,_and_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"two_sources_with_packages,_one_vulnerability,_one_license_violation\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"5.9.0\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_some_vulnerabilities_and_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages_with_versions_and_commits,_some_vulnerabilities_and_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abcxzy\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tCommit: \"abc123\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-2\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{IDs: []string{\"OSV-1\"}}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_sources_with_a_mixed_count_of_packages,_some_called_vulnerabilities_and_license_violations\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tExperimentalAnalysisConfig: experimentalAnalysisConfig,\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/first/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/first/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tMaxSeverity: \"7.8\",\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/second/lockfile\", Type: models.SourceTypeSBOM},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine2\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"3.2.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-2\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-2\": {Called: true},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-2\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something less scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/second/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine3\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"0.4.1\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"ISC\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/my/third/lockfile\", Type: models.SourceTypeUnknown},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.3.5\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/my/third/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"mine1\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tGroups: []models.GroupInfo{{\n\t\t\t\t\t\t\t\t\t\tIDs: []string{\"OSV-1\"},\n\t\t\t\t\t\t\t\t\t\tExperimentalAnalysis: map[string]models.AnalysisInfo{\n\t\t\t\t\t\t\t\t\t\t\t\"OSV-1\": {Called: false},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t}},\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\t\tId: \"OSV-1\",\n\t\t\t\t\t\t\t\t\t\t\tSummary: \"Something scary!\",\n\t\t\t\t\t\t\t\t\t\t\tSeverity: []*osvschema.Severity{{Score: \"1\"}},\n\t\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tLicenses: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t\tLicenseViolations: []models.License{\"Apache-2.0\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_source_with_one_deprecated_package\",\n\t\t\targs: outputTestCaseArgs{\n\t\t\t\tvulnResult: &models.VulnerabilityResults{\n\t\t\t\t\tResults: []models.PackageSource{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tSource: models.SourceInfo{Path: cwd + \"/path/to/lockfile\", Type: models.SourceTypeProjectPackage},\n\t\t\t\t\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\tPackage: newPackageInfo(cwd+\"/path/to/lockfile\", pkginfo{\n\t\t\t\t\t\t\t\t\t\tName: \"deprecated-pkg\",\n\t\t\t\t\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\t\t\tDeprecated: true,\n\t\t\t\t\t\t\t\t\t\tExtractor: packagelockjson.Extractor{},\n\t\t\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\trun(t, tt.args)\n\t\t})\n\t}\n}\n" }, { "path": "internal/output/html/base_image_template.gohtml", "content": "\n
\n \n \n \n \n \n \n {{ $totalVuln := .VulnTypeSummary.All }}\n {{ range .ImageInfo.AllBaseImages}}\n\n \n \n \n \n \n\n \n \n \n \n\n {{ end }}\n\n
OS version:{{ .ImageInfo.OS }}
\n {{ if gt (len .AllLayers) 0}}\n
\n play_arrow\n
\n {{ end }}\n 		\n {{ if eq .Index 0}}\n Your image:\n {{ else }}\n Base image {{ .Index }}:\n {{ end }}\n \n {{ getBaseImageName . }} ({{ .Count.AnalysisCount.Regular }}/{{ $totalVuln }} vulnerabilities)\n
\n
\n {{ range .AllLayers }}\n {{ $index := .Index }}\n {{ $originalCommand := .LayerMetadata.Command }}\n {{ $commandSet := formatLayerCommand $originalCommand }}\n {{ $command := index $commandSet 0 }}\n {{ $commandDetail := index $commandSet 1 }}\n {{ $diffID := .LayerMetadata.DiffID }}\n {{ $longCommand := false }}\n \n {{ if gt (len $command) 109 }}\n {{ $longCommand = true }}\n {{ end }}\n {{ $hasVuln := false }}\n {{ if gt .Count.AnalysisCount.Regular 0 }}\n {{ $hasVuln = true }}\n {{ end }}\n
\n
\n

{{ .Index }} {{ $command }}

\n {{ if $longCommand }}\n {{ $originalCommand }}\n {{ end }}\n
\n {{ if $hasVuln }}\n {{ template \"severity_summary_template.gohtml\".Count.SeverityCount }}\n {{ end }}\n
\n {{ end }}\n
\n
\n\n
\n" }, { "path": "internal/output/html/deprecated_package_template.gohtml", "content": "
\n \n \n \n \n \n
\n play_arrow\n View deprecated packages
\n \n \n \n \n \n \n {{ range $ecosystem := .Ecosystems }}\n {{ range $source := $ecosystem.Sources }}\n {{ range $package := $source.Packages }}\n {{ if $package.Deprecated }}\n \n \n \n \n \n {{ end }}\n {{ end }}\n {{ end }}\n {{ end }}\n
EcosystemPackage NameVersion
{{ $ecosystem.Name }}{{ $package.Name }}{{ $package.InstalledVersion }}
\n
\n" }, { "path": "internal/output/html/filter_template.gohtml", "content": "
\n
\n {{ if .IsContainerScanning }}\n
\n Layer
\n
\n

\n
\n keyboard_arrow_down\n
\n
\n
\n
\n

All layers ({{ .VulnCount.AnalysisCount.Regular }})

\n {{ template \"severity_summary_template.gohtml\" .VulnCount.SeverityCount }}\n
\n {{ range .ImageInfo.AllLayers }}\n {{ $index := .Index }}\n {{ $originalCommand := .LayerMetadata.Command }}\n {{ $commandSet := formatLayerCommand $originalCommand }}\n {{ $command := index $commandSet 0 }}\n {{ $commandDetail := index $commandSet 1 }}\n {{ $diffID := .LayerMetadata.DiffID }}\n {{ $longCommand := false }}\n {{ if gt (len $command) 109 }}\n {{ $longCommand = true }}\n {{ end }}\n\n {{ if gt .Count.AnalysisCount.Regular 0 }}\n
\n
\n

{{ $index }} {{ $command }}

\n {{ if $longCommand }}\n {{ $originalCommand }}\n {{ end }}\n
\n {{ template \"severity_summary_template.gohtml\".Count.SeverityCount }}\n
\n {{ end }}\n {{ end }}\n
\n
\n {{ end }}\n\n
\n Filters
\n
\n

\n \n (/{{ add .VulnTypeSummary.All .VulnTypeSummary.Hidden }})\n

\n
\n keyboard_arrow_down\n
\n
\n
\n {{ if hasOSResult .Ecosystems }}\n \n {{ end }}\n \n {{ if hasOSResult .Ecosystems }}\n \n {{ end }}\n \n
\n
\n
\n\n\n
\n Overall Severity\n
\n
\n

{{ .VulnCount.SeverityCount.Critical }} Critical

\n
\n
\n

{{ .VulnCount.SeverityCount.High }} High

\n
\n
\n

{{ .VulnCount.SeverityCount.Medium }} Medium

\n
\n
\n

{{ .VulnCount.SeverityCount.Low }} Low

\n
\n
\n

{{ .VulnCount.SeverityCount.Unknown }} Unknown

\n
\n
\n
\n\n\n
\n" }, { "path": "internal/output/html/license_summary_template.gohtml", "content": "
\n \n \n \n \n \n
\n play_arrow\n View license summary
\n \n {{ range . }}\n \n {{ end }}\n
{{ .Name }}:{{ .Count }}
\n
\n" }, { "path": "internal/output/html/package_table_template.gohtml", "content": "\n \n \n {{ if isOSResult .Type }}\n \n {{ else }}\n \n {{ end }}\n \n \n \n {{ $showLicense := false }}\n {{ if gt .LicenseViolationsCount 0 }}\n {{ $showLicense = true }}\n \n {{ end }}\n \n {{ range $rowIndex, $element := .Packages }}\n {{ $index := uniqueID }}\n {{ $isUncalled := false }}\n {{ if eq $element.VulnCount.AnalysisCount.Regular 0 }}\n {{ $isUncalled = true }}\n {{ end }}\n {{ $hasLicenseViolations := false }}\n {{ if gt (len .LicenseViolations) 0 }}\n {{ $hasLicenseViolations = true }}\n {{ end }}\n \n \n \n \n {{ if not $isUncalled }}\n \n \n {{ else }}\n \n \n {{ end }}\n\n {{ if $showLicense }}\n {{ if $hasLicenseViolations}}\n \n {{ else }}\n \n {{ end }}\n {{ end }}\n\n \n \n \n \n {{ end }}\n
Source PackagePackageInstalled version\n
\n

Fix available

\n Fix available indicates whether a patch or update exists to address the\n vulnerabilities found in the corresponding package.\n
\n 		\n
\n

Vulnerability count

\n Vulnerability count shows the number of vulnerabilities found in the package, counted\n by each severity level.\n
\n 		License violations
\n
\n play_arrow\n
\n 		{{ $element.Name }}\n {{ if ne $element.InstalledVersion \"\" }}\n {{ $element.InstalledVersion }}\n {{ else if ne $element.Commit \"\" }}\n
\n
@{{ GetShortCommit $element.Commit }}
\n Commit: {{ $element.Commit }}\n
\n {{ end }}\n 		\n
\n {{ if ne $element.VulnCount.FixableCount.UnFixed 0 }}\n {{ if eq $element.VulnCount.FixableCount.Fixed 0}}\n

No fix available

\n All {{ $element.VulnCount.AnalysisCount.Regular }} vulnerabilities have no fixed version available.\n {{ else }}\n

Partial fixes available

\n Upgrading the package can fix {{ $element.VulnCount.FixableCount.Fixed }} out of {{\n $element.VulnCount.AnalysisCount.Regular }} vulnerabilities.\n {{ end }}\n {{ else }}\n

Fix available

\n Upgrading the package can fix all {{ $element.VulnCount.FixableCount.Fixed }} vulnerabilities.\n {{ end }}\n
\n 		\n {{ template \"severity_summary_template.gohtml\" $element.VulnCount.SeverityCount }}\n \n

Filtered out

\n 		\n

{{ getFilteredVulnReasons $element.HiddenVulns }}

\n 		{{ formatLicense .LicenseViolations }} --
\n
\n {{ $binaries := formatSlice $element.OSPackageNames }}\n {{ if not (eq $binaries \"\") }}\n

Installed binaries: {{ $binaries }}

\n {{ end }}\n\n {{ if and $element.LayerDetail.LayerInfo.LayerMetadata (not (eq $element.LayerDetail.LayerInfo.LayerMetadata.Command \"\")) }}\n {{ $index := $element.LayerDetail.LayerIndex }}\n {{ $diffID := $element.LayerDetail.LayerInfo.LayerMetadata.DiffID }}\n {{ $baseImageIndex := $element.LayerDetail.LayerInfo.LayerMetadata.BaseImageIndex }}\n {{ $originalCommand := $element.LayerDetail.LayerInfo.LayerMetadata.Command }}\n {{ $commandSet := formatLayerCommand $originalCommand }}\n {{ $command := index $commandSet 0 }}\n {{ $commandDetail := index $commandSet 1 }}\n {{ $longCommand := false }}\n {{ if gt (len $command) 109 }}\n {{ $longCommand = true }}\n {{ end }}\n
\n {{ if $longCommand }}\n

Introduced in layer # {{ $index }}: 

\n
\n

{{ $command }}

\n {{ $originalCommand }}\n
\n {{ else if ne $commandDetail \"\" }}\n

Introduced in layer # {{ $index }}: 

\n
\n

{{ $command }}

\n {{ $commandDetail }}\n
\n {{ else }}\n

Introduced in layer # {{ $index }}: 

\n

{{ $command }}

\n {{ end }}\n
\n

In base image: {{ if eq $baseImageIndex 0 }} False {{ else }} {{ getBaseImageName $element.LayerDetail.BaseImageInfo }}{{ end }}

\n {{ end }}\n {{ template \"vuln_table_template.gohtml\" $element }}\n
\n\n
\n" }, { "path": "internal/output/html/package_view_template.gohtml", "content": "{{ range . }}\n
\n

{{ .Name }}

\n
\n {{ range .Sources }}\n
\n

Source: {{ .Name }}

\n {{ template \"package_table_template.gohtml\" . }}\n
\n {{ end }}\n
\n
\n{{ end }}\n" }, { "path": "internal/output/html/report_template.gohtml", "content": "\n\n\n\n Vulnerability Scan Report\n \n \n \n \n \n\n\n\n
\n
\n
\n \"OSV-Scanner\n
\n

Open Source Vulnerabilities

\n
\n
\n Feedback\n
\n
\n\n
\n
\n
\n

Scanning summary

\n
\n
\n
\n
\n\n\n
\n
\n {{ template \"filter_template.gohtml\" .}}\n\n {{ if .IsContainerScanning }}\n {{ template \"base_image_template.gohtml\" .}}\n {{ end }}\n\n {{ if .LicenseSummary.Summary }}\n {{ template \"license_summary_template.gohtml\" .LicenseSummary.LicenseCount }}\n {{ end }}\n\n {{ if gt .PkgDeprecatedCount 0 }}\n {{ template \"deprecated_package_template.gohtml\" . }}\n {{ end }}\n\n
\n
\n search\n
\n \n
\n\n
\n {{template \"package_view_template.gohtml\" .Ecosystems}}\n
\n
\n
\n\n
\n \n\n\n\n" }, { "path": "internal/output/html/script.js", "content": "const selectedTypeFilterValue = new Set([\"all\"]);\nlet selectedLayer = \"all\";\n\nfunction toggleDetails(summaryID) {\n const detailsElementID = `${summaryID}-details`;\n const iconElementID = `${summaryID}-icon`;\n const detailsElement = document.getElementById(detailsElementID);\n const iconElement = document.getElementById(iconElementID);\n\n detailsElement.classList.toggle(\"hide-block\");\n iconElement.classList.toggle(\"expanded\");\n}\n\nfunction quickFilterByLayer(DiffID, layerCommand) {\n selectedLayer = DiffID;\n applyFilters(selectedTypeFilterValue, selectedLayer);\n const selectedDisplay = document.getElementById(\"layer-filter-selected\");\n selectedDisplay.textContent = layerCommand;\n}\n\nfunction showBaseImageLayer(imageID) {\n const detailElementID = `base-image-details-${imageID}`;\n const detailsElement = document.getElementById(detailElementID);\n\n const icon = document.querySelector(\n `#base-image-summary-${imageID} .material-icons`\n ); // Select the icon within the row\n\n const hidBlock = detailsElement.classList.toggle(\"hide-block\");\n icon.classList.toggle(\"expanded\", !hidBlock);\n}\n\nfunction showPackageDetails(detailsId) {\n const detailsElement = document.getElementById(\n `table-tr-${detailsId}-details`\n );\n const icon = document.querySelector(`#table-tr-${detailsId} .material-icons`); // Select the icon within the row\n\n const hidBlock = detailsElement.classList.toggle(\"hide-block\");\n icon.classList.toggle(\"expanded\", !hidBlock);\n}\n\nfunction openVulnInNewTab(inputString) {\n const osvURL = `https://osv.dev/${inputString}`;\n const tabs = document.getElementById(\"tabs\");\n const tabSwitches = document.getElementById(\"tab-switch\");\n\n const existingTab = document.getElementById(inputString);\n if (existingTab) {\n openTab(inputString);\n return;\n }\n\n // Create the new tab div.\n const newTab = document.createElement(\"div\");\n newTab.id = inputString; // Set the ID to the input string\n newTab.className = \"tab osv-tab\"; // Set the class name\n\n // Create a spinner indicating loading status\n const spinner = document.createElement(\"div\");\n spinner.className = \"iframe-spinner\";\n\n // Create the iframe element.\n const iframe = document.createElement(\"iframe\");\n iframe.src = osvURL;\n iframe.onload = () => {\n newTab.removeChild(spinner);\n };\n\n // Create a new tab button\n const newTabButton = document.createElement(\"div\");\n newTabButton.id = `${inputString}-button`;\n newTabButton.className = \"tab-switch-button\";\n newTabButton.onclick = () => {\n openTab(inputString);\n };\n\n // Add

and elements to the button\n const newTabTextContainer = document.createElement(\"div\");\n newTabTextContainer.className = \"tab-button-text-container\";\n const newTabText = document.createElement(\"p\");\n newTabText.textContent = inputString;\n newTabTextContainer.appendChild(newTabText);\n\n const newTabButtonBorder = document.createElement(\"div\");\n newTabButtonBorder.className = \"tab-switch-button-border\";\n newTabTextContainer.appendChild(newTabButtonBorder);\n\n newTabButton.appendChild(newTabTextContainer);\n\n const closeIcon = document.createElement(\"span\");\n closeIcon.className = \"material-icons\";\n closeIcon.textContent = \"close\";\n // Add the onclick function to the close icon\n closeIcon.onclick = event => {\n event.stopPropagation(); // Prevent the click from opening the tab\n closeVulnTab(inputString);\n };\n\n newTabButton.appendChild(closeIcon);\n\n // Add the iframe to the new tab div.\n newTab.appendChild(spinner);\n newTab.appendChild(iframe);\n // Add the iframe to the container.\n tabs.appendChild(newTab);\n tabSwitches.appendChild(newTabButton);\n\n openTab(newTab.id);\n}\n\nfunction closeVulnTab(inputString) {\n const tabToRemove = document.getElementById(inputString);\n const buttonToRemove = document.getElementById(`${inputString}-button`);\n const tabs = document.getElementById(\"tabs\");\n const tabSwitches = document.getElementById(\"tab-switch\");\n\n if (tabToRemove && buttonToRemove) {\n const nextTabButton =\n buttonToRemove.nextElementSibling ||\n buttonToRemove.previousElementSibling;\n\n tabs.removeChild(tabToRemove);\n tabSwitches.removeChild(buttonToRemove);\n\n if (nextTabButton) {\n const nextTabId = nextTabButton.id.replace(\"-button\", \"\");\n openTab(nextTabId);\n }\n }\n}\n\nfunction openTab(activeTabId) {\n const tabs = document.getElementsByClassName(\"tab\");\n const tabButtons = document.getElementsByClassName(\"tab-switch-button\");\n for (let i = 0; i < tabs.length; i += 1) {\n tabs[i].classList.toggle(\"hide-block\", tabs[i].id !== activeTabId);\n tabButtons[i].classList.toggle(\n \"tab-switch-button-selected\",\n tabs[i].id === activeTabId\n );\n }\n}\n\nfunction hideAllFilterOptions() {\n const containers = document.getElementsByClassName(\"filter-option-container\");\n\n for (const container of containers) {\n container.classList.add(\"hide-block\");\n }\n}\n\nfunction toggleFilter(input) {\n const targetID = `${input}-filter-option-container`;\n const optionContainer = document.getElementById(targetID);\n const containers = document.getElementsByClassName(\"filter-option-container\");\n for (const loopContainer of containers) {\n if (loopContainer.id === targetID) {\n optionContainer.classList.toggle(\"hide-block\");\n } else {\n loopContainer.classList.add(\"hide-block\");\n }\n }\n}\n\nfunction showAndHideParentSections() {\n const ecosystemContainers = document.querySelectorAll(\".ecosystem-container\");\n\n ecosystemContainers.forEach(ecosystemContainer => {\n const sourceContainers =\n ecosystemContainer.querySelectorAll(\".source-container\");\n let ecosystemHasVisibleSources = false;\n\n sourceContainers.forEach(sourceContainer => {\n const packageRows = sourceContainer.querySelectorAll(\".package-tr\");\n let sourceHasVisibleRows = false;\n\n packageRows.forEach(packageRow => {\n const packageDetails = document.getElementById(\n `${packageRow.id}-details`\n );\n const vulnRows = packageDetails.querySelectorAll(\".vuln-tr\");\n if (\n Array.from(vulnRows).some(\n row => !row.classList.contains(\"hide-block\")\n )\n ) {\n sourceHasVisibleRows = true;\n packageRow.classList.remove(\"hide-block\");\n return;\n }\n\n packageRow.classList.add(\"hide-block\");\n packageDetails.classList.add(\"hide-block\");\n const icon = document.querySelector(\n `#${packageRow.id} .material-icons`\n );\n icon.classList.remove(\"expanded\"); // Rotate back to 0 degrees\n });\n\n sourceContainer.classList.toggle(\"hide-block\", !sourceHasVisibleRows);\n\n if (sourceHasVisibleRows) {\n ecosystemHasVisibleSources = true;\n }\n });\n\n ecosystemContainer.classList.toggle(\n \"hide-block\",\n !ecosystemHasVisibleSources\n );\n });\n}\n\nfunction showAllVulns() {\n const vulnRows = document.getElementsByClassName(\"vuln-tr\");\n for (const row of vulnRows) {\n const isUncalled = row.classList.contains(\"uncalled-tr\");\n row.classList.toggle(\"hide-block\", isUncalled);\n }\n\n showAndHideParentSections();\n}\n\nfunction applyFilters(selectedTypeFilterValue, selectedLayerFilterValue) {\n // Show all vulnerabilities and then hide those that do not match the filter requirements.\n showAllVulns();\n applyTypeFilter(selectedTypeFilterValue);\n applyLayerFilter(selectedLayerFilterValue);\n showAndHideParentSections();\n}\n\nfunction applyTypeFilter(selectedValue) {\n updateTypeFilterText();\n const selectedAll = selectedValue.has(\"all\");\n const selectedProject = selectedAll || selectedValue.has(\"project\");\n const selectedOS = selectedAll || selectedValue.has(\"os\");\n const selectedUncalled = selectedValue.has(\"uncalled\");\n\n const ecosystemElements = document.querySelectorAll(\".ecosystem-container\");\n\n ecosystemElements.forEach(ecosystemElement => {\n const vulnElements = ecosystemElement.querySelectorAll(\".vuln-tr\");\n vulnElements.forEach(vuln => {\n if (vuln.classList.contains(\"uncalled-tr\")) {\n vuln.classList.toggle(\"hide-block\", !selectedUncalled);\n }\n if (\n (ecosystemElement.classList.contains(\"os-type\") && !selectedOS) ||\n (ecosystemElement.classList.contains(\"project-type\") &&\n !selectedProject)\n ) {\n vuln.classList.add(\"hide-block\");\n }\n });\n });\n}\n\nfunction applyLayerFilter(selectedLayerID) {\n const tableRows = document.querySelectorAll(\"tr.has-layer-info\");\n tableRows.forEach(row => {\n const rowLayerID = row.getAttribute(\"data-layer\");\n if (selectedLayerID !== \"all\" && rowLayerID !== selectedLayerID) {\n const packageDetails = document.getElementById(`${row.id}-details`);\n const vulnElements = packageDetails.querySelectorAll(\".vuln-tr\");\n vulnElements.forEach(vuln => {\n vuln.classList.add(\"hide-block\");\n });\n }\n });\n}\n\nfunction updateTypeFilterText() {\n const typeSelected = document.getElementById(\"type-filter-selected\");\n const selectedVulnCount = document.getElementById(\"selected-count\");\n\n const allTypeCheckbox = document.getElementById(\"all-type-checkbox\");\n const osTypeCheckbox = document.getElementById(\"os-type-checkbox\");\n const projectTypeCheckbox = document.getElementById(\"project-type-checkbox\");\n const uncalledTypeCheckbox = document.getElementById(\n \"uncalled-type-checkbox\"\n );\n\n let selectedText = \"\";\n let selectedCount = 0;\n\n if (projectTypeCheckbox && projectTypeCheckbox.checked) {\n selectedText += `${selectedText ? \", \" : \"\"}Project`;\n const projectTypeVulnCount = projectTypeCheckbox.getAttribute(\n \"data-type-project-count\"\n );\n selectedCount += parseInt(projectTypeVulnCount, 10);\n }\n if (osTypeCheckbox && osTypeCheckbox.checked) {\n selectedText += `${selectedText ? \", \" : \"\"}OS`;\n const osTypeVulnCount = osTypeCheckbox.getAttribute(\"data-type-os-count\");\n selectedCount += parseInt(osTypeVulnCount, 10);\n }\n if (uncalledTypeCheckbox && uncalledTypeCheckbox.checked) {\n selectedText += `${selectedText ? \", \" : \"\"}Unimportant`;\n const uncalledTypeVulnCount = uncalledTypeCheckbox.getAttribute(\n \"data-type-uncalled-count\"\n );\n selectedCount += parseInt(uncalledTypeVulnCount, 10);\n }\n\n if (\n allTypeCheckbox &&\n allTypeCheckbox.checked &&\n uncalledTypeCheckbox &&\n !uncalledTypeCheckbox.checked\n ) {\n selectedText = \"Default\";\n }\n\n typeSelected.textContent = selectedText;\n selectedVulnCount.textContent = selectedCount;\n}\n\nfunction resetFilterText() {\n const layerSelected = document.getElementById(\"layer-filter-selected\");\n const allLayerCheckedBox = document.getElementById(\"all-layer-checkbox\");\n if (layerSelected) {\n layerSelected.textContent = `All layers (${allLayerCheckedBox.getAttribute(\"data-layer-all-count\")})`;\n }\n\n const typeSelected = document.getElementById(\"type-filter-selected\");\n const selectedVulnCount = document.getElementById(\"selected-count\");\n const allTypeCheckedBox = document.getElementById(\"all-type-checkbox\");\n const uncalledTypeCheckBox = document.getElementById(\n \"uncalled-type-checkbox\"\n );\n if (allTypeCheckedBox) {\n typeSelected.textContent = \"Default\";\n selectedVulnCount.textContent = allTypeCheckedBox.getAttribute(\n \"data-type-all-count\"\n );\n if (allLayerCheckedBox) {\n allLayerCheckedBox.checked = true;\n }\n uncalledTypeCheckBox.checked = false;\n } else {\n const projectTypeCheckedBox = document.getElementById(\n \"project-type-checkbox\"\n );\n projectTypeCheckedBox.checked = true;\n typeSelected.textContent = \"Default\";\n selectedVulnCount.textContent = projectTypeCheckedBox.getAttribute(\n \"data-type-project-count\"\n );\n uncalledTypeCheckBox.checked = false;\n }\n}\n\nfunction resetSearchText() {\n const vulnSearchInput = document.getElementById(\"vuln-search\");\n if (vulnSearchInput.value !== \"\") {\n vulnSearchInput.value = \"\";\n showAllVulns();\n }\n}\n\nfunction resetTypeCheckbox() {\n const allTypeCheckbox = document.getElementById(\"all-type-checkbox\");\n const osTypeCheckbox = document.getElementById(\"os-type-checkbox\");\n const projectTypeCheckbox = document.getElementById(\"project-type-checkbox\");\n const uncalledTypeCheckbox = document.getElementById(\n \"uncalled-type-checkbox\"\n );\n\n if (allTypeCheckbox) {\n allTypeCheckbox.checked = true;\n projectTypeCheckbox.checked = true;\n if (osTypeCheckbox) {\n osTypeCheckbox.checked = true;\n }\n uncalledTypeCheckbox.checked = false;\n }\n}\n\ndocument.addEventListener(\"DOMContentLoaded\", () => {\n resetFilterText();\n showAndHideParentSections();\n\n // Implement filter for vulnerability types\n const typeFilterOptions = document.getElementById(\n \"type-filter-option-container\"\n );\n\n typeFilterOptions.addEventListener(\"change\", event => {\n resetSearchText();\n const changedElement = event.target;\n const allTypesCheckbox = document.getElementById(\"all-type-checkbox\");\n const projectCheckbox = document.getElementById(\"project-type-checkbox\"); // Project vulnerabilities\n const osCheckbox = document.getElementById(\"os-type-checkbox\"); // OS vulnerabilities\n const uncalledCheckbox = document.getElementById(\"uncalled-type-checkbox\"); // OS vulnerabilities\n selectedTypeFilterValue.clear();\n\n if (allTypesCheckbox !== null) {\n if (changedElement === allTypesCheckbox) {\n osCheckbox.checked = allTypesCheckbox.checked;\n projectCheckbox.checked = allTypesCheckbox.checked;\n if (allTypesCheckbox.checked === true) {\n selectedTypeFilterValue.add(\"all\");\n }\n }\n if (osCheckbox.checked === false || projectCheckbox.checked === false) {\n allTypesCheckbox.checked = false;\n }\n\n if (osCheckbox.checked) {\n selectedTypeFilterValue.add(\"os\");\n }\n }\n\n if (projectCheckbox.checked) {\n selectedTypeFilterValue.add(\"project\");\n }\n\n if (uncalledCheckbox.checked) {\n selectedTypeFilterValue.add(\"uncalled\");\n }\n\n applyFilters(selectedTypeFilterValue, selectedLayer);\n });\n\n // Implement layer filter\n const layerFilterOptionsContainer = document.getElementById(\n \"layer-filter-option-container\"\n );\n\n if (layerFilterOptionsContainer) {\n layerFilterOptionsContainer.addEventListener(\"click\", event => {\n const clickedOption = event.target.closest(\".layer-filter-option\");\n if (clickedOption) {\n resetSearchText();\n selectedLayer = clickedOption.getAttribute(\"data-layer-hash\");\n const selectedDisplay = document.getElementById(\n \"layer-filter-selected\"\n );\n const layerCommand = clickedOption.querySelector(\"p:first-child\");\n selectedDisplay.textContent = layerCommand.textContent;\n\n hideAllFilterOptions();\n applyFilters(selectedTypeFilterValue, selectedLayer);\n }\n });\n }\n\n // Hide filter options when clicking other parts\n const filterSections = document.querySelectorAll(\"div.filter\");\n\n document.addEventListener(\"click\", event => {\n if (![...filterSections].some(c => c.contains(event.target))) {\n hideAllFilterOptions();\n }\n });\n\n // Search bar\n const vulnSearchInput = document.getElementById(\"vuln-search\");\n vulnSearchInput.addEventListener(\"keyup\", () => {\n resetFilterText();\n selectedTypeFilterValue.clear();\n selectedTypeFilterValue.add(\"all\");\n selectedLayer = \"all\";\n resetTypeCheckbox();\n\n const searchTerm = vulnSearchInput.value.trim().toLowerCase();\n\n const vulnRows = document.querySelectorAll(\"[data-vuln-id]\");\n\n if (searchTerm === \"\") {\n showAllVulns();\n return;\n }\n\n vulnRows.forEach(row => {\n const vulnID = row.getAttribute(\"data-vuln-id\").toLowerCase();\n row.classList.toggle(\"hide-block\", !vulnID.includes(searchTerm));\n });\n showAndHideParentSections();\n });\n\n // Implement tooltips\n document.querySelectorAll(\".tooltip\").forEach(elem => {\n elem.addEventListener(\"mouseover\", () => {\n const rect = elem.getBoundingClientRect();\n const tooltipElem = elem.querySelector(\".tooltiptext\");\n\n tooltipElem.style.left = `${rect.left}px`;\n tooltipElem.style.top = `${rect.top}px`;\n });\n });\n\n showAllVulns();\n});\n" }, { "path": "internal/output/html/severity_summary_template.gohtml", "content": "

\n
\n

{{ .Critical }}

\n Critical\n
\n
\n

{{ .High }}

\n High\n
\n
\n

{{ .Medium }}

\n Medium\n
\n
\n

{{ .Low }}

\n Low\n
\n
\n

{{ .Unknown }}

\n Unknown\n
\n
\n" }, { "path": "internal/output/html/style.css", "content": "body {\n margin: 0;\n padding: 0;\n background: #292929;\n color: #fff;\n overflow-y: scroll;\n font-family: \"Overpass Mono\", monospace;\n font-size: 12pt;\n font-weight: 100;\n min-width: fit-content;\n}\n\na {\n color: inherit;\n}\n\n.container {\n max-width: 1400px;\n margin: 50px auto;\n padding: 20px;\n border-radius: 4px;\n box-shadow: 0 0 5px rgba(255, 255, 255, 0.15);\n min-height: 90vh;\n}\n\nh2 {\n margin-top: 50px;\n font-size: 15pt;\n}\n\nh3 {\n font-size: 12pt;\n margin-top: 30px;\n}\n\nh1,\nh2,\nh3 {\n font-family: \"Overpass Mono\", monospace;\n font-weight: normal;\n}\n\n.ecosystem {\n margin-top: 20px;\n}\n\nheader {\n display: flex;\n margin-bottom: 50px;\n justify-content: space-between;\n}\n\n#header-left {\n display: flex;\n align-items: center;\n}\n\n.logo {\n height: 20px;\n}\n\n#header-left .vl {\n border-left: 2px solid #fff;\n height: 25px;\n margin-left: 20px;\n margin-right: 20px;\n}\n\n#header-left h1 {\n font-size: 23px;\n}\n\n#header-right {\n display: flex;\n align-items: center;\n}\n\n#header-right ::after {\n display: inline-block;\n content: \" \";\n background-image: url(https://osv.dev/static/img/external-link.svg);\n width: 16px;\n height: 16px;\n margin-left: 3px;\n vertical-align: middle;\n}\n\n.material-icons {\n vertical-align: middle;\n transform: rotate(0deg);\n transition: transform 0.2s ease;\n user-select: none;\n}\n\n.material-icons.expanded {\n transform: rotate(90deg);\n}\n\n.vuln-table {\n width: 100%;\n text-align: left;\n margin-bottom: 40px;\n margin-top: 10px;\n color: rgba(255, 255, 255, 0.87);\n border-spacing: 0;\n}\n\n.vuln-table th {\n border-bottom: 1px solid rgba(255, 255, 255, 0.33);\n padding: 16px;\n}\n\n.table-tr {\n line-height: 30px;\n}\n\n.table-tr td {\n word-break: break-word;\n width: 200px;\n padding: 16px;\n}\n\n.table-tr:hover {\n background-color: rgba(255, 255, 255, 0.04);\n}\n\n.table-tr-details > td {\n border-bottom: 1px solid rgba(255, 255, 255, 0.2);\n}\n\n.vuln-tr {\n display: table-row;\n}\n\n.vuln-id {\n color: #d9534f;\n}\n\n.package-details {\n text-align: left;\n padding: 20px 50px 30px 50px;\n display: block;\n max-height: 800px;\n overflow: auto;\n\n background:\n /* Cover TOP */\n linear-gradient(rgb(41, 41, 41) 30%, rgba(41, 41, 41, 0)) center top,\n /* Cover BOTTOM */ linear-gradient(rgba(41, 41, 41, 0), rgb(41, 41, 41) 70%)\n center bottom,\n /* Shadow TOP */ linear-gradient(rgba(0, 0, 0, 0.2), rgba(0, 0, 0, 0))\n center top,\n /* Shadow BOTTOM */ linear-gradient(rgba(0, 0, 0, 0), rgba(0, 0, 0, 0.2))\n center bottom;\n\n background-repeat: no-repeat;\n background-size:\n 100% 40px,\n 100% 40px,\n 100% 20px,\n 100% 20px;\n\n background-attachment: local, local, scroll, scroll;\n}\n\n.package-details p {\n margin-bottom: 10px;\n margin-top: 10px;\n}\n\n.table-tr:hover .open-in-tab-tag {\n display: inline;\n}\n\n.open-in-tab-tag {\n display: none;\n border: 1px solid rgba(255, 255, 255, 0.12);\n padding: 5px;\n border-radius: 4px;\n width: fit-content;\n}\n\n.open-in-tab-cell {\n width: 90px !important;\n cursor: pointer;\n}\n\n.severity-cell {\n width: 60px !important;\n user-select: none;\n}\n\n.fixable-tag {\n border-radius: 4px;\n max-width: 250px;\n width: fit-content;\n padding: 0 5px;\n white-space: nowrap;\n overflow: hidden;\n text-align: center;\n user-select: none;\n}\n\n.has-fix {\n white-space: break-spaces;\n background-color: #6a6a6a;\n}\n\n.no-fix {\n background-color: #252525;\n border: 1px solid #3c4043;\n}\n\n.hide-block + .table-tr-details {\n /* If details is after a hidden block, also hide details */\n\n display: none;\n}\n\n.uncalled-text {\n color: #808080;\n}\n\n#vuln-tab {\n display: block;\n margin-top: 30px;\n}\n\n#tab-switch {\n text-align: left;\n border-bottom: 1px solid #6c6c6c;\n padding-left: 20px;\n display: flex;\n margin-bottom: 50px;\n}\n\n.tab-switch-button {\n width: 180px;\n outline: 0;\n cursor: pointer;\n background-color: transparent;\n text-align: center;\n display: flex;\n}\n\n.tab-button-text-container {\n flex-direction: column;\n align-items: center;\n}\n\n.tab-button-text-container p {\n width: 160px;\n white-space: nowrap;\n overflow: hidden;\n text-overflow: ellipsis;\n border-bottom: 2px solid transparent;\n color: #5f6368;\n}\n\n.tab-switch-button span {\n cursor: pointer;\n font-size: 16px;\n display: none;\n}\n\n.tab-switch-button-border {\n width: 85%;\n height: 3px;\n background-color: transparent;\n margin: auto;\n}\n\n.tab-button-text-container:hover p {\n color: #fff;\n}\n\n.tab-switch-button-selected:hover span {\n display: block;\n}\n\n.tab-switch-button-selected .tab-switch-button-border {\n background-color: #eee;\n border-top-left-radius: 5px;\n border-top-right-radius: 5px;\n}\n\n.tab-switch-button-selected p {\n color: #fff;\n}\n\n.osv-tab {\n position: relative;\n}\n\n.osv-tab iframe {\n width: 100%;\n min-height: 1000px;\n border: none;\n}\n\n.iframe-spinner {\n position: absolute;\n inset: 0;\n margin: auto;\n width: 48px;\n height: 48px;\n border: 5px solid #fff;\n border-bottom-color: transparent;\n border-radius: 50%;\n display: inline-block;\n box-sizing: border-box;\n animation: rotation 1s linear infinite;\n}\n\n.package-tr {\n cursor: pointer;\n}\n\n.icon-td {\n width: 10px !important;\n}\n\n#filter-section {\n display: flex;\n width: 60%;\n}\n\n.filter-container {\n margin-right: 20px;\n max-width: 600px;\n}\n\n.filter {\n margin-top: 10px;\n max-width: 600px;\n min-width: 250px;\n background-color: transparent;\n border-radius: 8px;\n overflow: hidden;\n color: #fff;\n border: 1px solid #ddd;\n display: flex;\n justify-content: space-between;\n padding: 0 20px;\n}\n\n#layer-filter {\n width: 400px !important;\n}\n\n.filter-selected {\n white-space: nowrap;\n overflow: hidden;\n}\n\n.filter-option-container {\n border: 1px solid #ddd;\n border-radius: 8px;\n position: absolute;\n background-color: #292929;\n min-width: 200px;\n max-width: 1400px;\n box-shadow: 0px 8px 16px 0px rgba(0, 0, 0, 0.2);\n z-index: 1;\n display: block;\n}\n\n.filter-option {\n border-bottom: 1px dotted #ddd;\n padding: 15px 20px;\n white-space: nowrap;\n cursor: pointer;\n display: block;\n}\n\n.filter-option input,\n.filter-option label {\n cursor: pointer;\n}\n\n#layer-filter-option-container {\n width: 1400px;\n}\n\n.layer-filter-option {\n display: flex;\n justify-content: space-between;\n}\n\n.filter-option:hover {\n background-color: rgba(255, 255, 255, 0.04);\n}\n\n.filter-icon i {\n position: relative;\n top: 25%;\n}\n\n#summary-section {\n display: flex;\n justify-content: space-between;\n width: 100%;\n}\n\n#severity-section {\n overflow: hidden;\n}\n\n.severity-long {\n text-align: center;\n min-width: 100px;\n overflow: hidden;\n white-space: nowrap;\n user-select: none;\n}\n\n.severity-long p {\n font-size: 10pt;\n padding: 5px 5px;\n border-radius: 4px;\n margin-right: 3px;\n}\n\n.critical {\n background-color: #ad0300;\n}\n\n.high {\n background-color: #ffa500;\n}\n\n.medium {\n background-color: #ffd700;\n color: #292929;\n}\n\n.low {\n background-color: #53aa33;\n color: #292929;\n}\n\n.unknown {\n background-color: #80868b;\n}\n\n.severity-count-summary {\n display: flex;\n}\n\n.severity-short {\n width: 40px;\n user-select: none;\n}\n\n.severity-short p {\n text-align: center;\n}\n\n.severity-short-first p {\n border-top-left-radius: 4px;\n border-bottom-left-radius: 4px;\n}\n\n.severity-short-last p {\n border-top-right-radius: 4px;\n border-bottom-right-radius: 4px;\n}\n\n.severity-cell .severity-short p {\n border-radius: 4px;\n}\n\n/* CSS for the search box */\n.search-box {\n display: flex;\n align-items: center;\n width: 100%;\n border: 1px solid #fff;\n background-color: transparent;\n border-radius: 8px;\n margin-top: 30px;\n}\n\n.search-box input[type=\"text\"] {\n flex: 1 0 auto;\n padding: 15px 10px;\n\n border: none;\n background-color: transparent;\n color: #fff;\n font-size: 12pt;\n}\n\n.search-box input[type=\"text\"]:focus {\n outline: none;\n}\n\n.search-icon {\n height: fit-content;\n padding: 13px;\n}\n\n.package-detail-title {\n color: #9aa0a6;\n}\n\n.layer-command-container {\n display: flex;\n}\n\n.inner-table {\n width: 100%;\n border: 0.5px solid rgba(255, 255, 255, 0.12);\n border-spacing: 0px;\n border-radius: 4px;\n}\n\n.inner-table th {\n border-bottom: 0.5px solid rgba(255, 255, 255, 0.12);\n}\n\n.inner-table td {\n border-bottom: 0.5px solid rgba(255, 255, 255, 0.12);\n}\n\n.expand-icon i.rotated {\n transform: rotate(90deg);\n}\n\n.tooltip {\n position: relative;\n display: inline-block;\n text-decoration: underline;\n text-decoration-style: dotted;\n text-underline-offset: 3px;\n}\n\n.tooltip.no-underline {\n text-decoration: none;\n}\n\n.tooltip .tooltiptext {\n visibility: hidden;\n\n background-color: black;\n color: #fff;\n\n white-space: normal;\n text-align: left;\n line-height: 1.5;\n\n max-width: 300px;\n width: max-content;\n padding: 10px;\n\n border-radius: 4px;\n /* Position the tooltip */\n position: fixed;\n transform: translateY(-100%);\n z-index: 999;\n}\n\n.tooltip .tooltiptext.layer-tooltiptext {\n white-space: normal;\n margin-left: 0;\n width: 1000px;\n max-width: 1000px;\n max-height: 200px;\n overflow-x: hidden;\n overflow-y: auto;\n}\n\n.tooltip:hover .tooltiptext {\n visibility: visible;\n}\n\n.severity-count-summary .tooltip {\n text-decoration: none;\n}\n\n.flex-box {\n display: flex;\n}\n\n/* new added */\n.base-icon .tooltiptext {\n margin-left: 0px;\n background-color: #292929;\n}\n\ndiv.title {\n visibility: hidden;\n}\n\n.summary-section {\n margin-top: 30px;\n border: 1px solid #fff;\n border-radius: 8px;\n padding: 10px 20px;\n max-height: 400px;\n overflow-y: visible;\n overflow-x: hidden;\n}\n\n#base-image-table {\n width: 100%;\n}\n\n#base-image-table th {\n text-align: left;\n height: 30px;\n}\n\n.layer-entry {\n display: flex;\n justify-content: space-between;\n padding: 0 10px;\n border-bottom: 1px dotted #666666;\n}\n\n.base-image-summary {\n cursor: pointer;\n}\n\n.base-image-details {\n display: block;\n margin-bottom: 20px;\n}\n\n.base-image-title {\n width: 150px;\n color: #9aa0a6;\n height: 20px;\n}\n\n.layer-command {\n max-width: 1000px;\n white-space: nowrap;\n overflow: hidden;\n text-overflow: ellipsis;\n}\n\n.clickable {\n cursor: pointer;\n}\n\n.clickable-layer:hover {\n background-color: rgba(255, 255, 255, 0.04);\n}\n\n.source-path {\n border: 1px #888 solid;\n border-radius: 4px;\n padding: 5px;\n background-color: rgba(0, 0, 0, 0.2);\n line-height: 2;\n}\n\n.hide-block {\n display: none !important;\n}\n\n#license-summary-details {\n margin-left: 30px;\n}\n\n#deprecated-packages-details {\n margin-left: 30px;\n}\n\n@keyframes rotation {\n 0% {\n transform: rotate(0deg);\n }\n\n 100% {\n transform: rotate(360deg);\n }\n}\n" }, { "path": "internal/output/html/vuln_table_entry_template.gohtml", "content": "{{ $index := uniqueID }}\n{{ $element := .Element }}\n\n \n {{ if eq (len $element.GroupIDs) 1 }}\n
{{ $element.ID }}
\n {{ else }}\n
\n
{{ $element.ID }}
\n Group IDs:
\n {{ range $rowIndex, $alias := $element.GroupIDs }}\n {{ $alias }}
\n {{ end }}\n \n
\n {{ end }}\n \n \n {{ if eq (len $element.Aliases) 1 }}\n {{ index $element.Aliases 0 }}\n {{ else if gt (len $element.Aliases) 1}}\n
\n {{ index $element.Aliases 0}}, ...\n \n {{ range $rowIndex, $alias := $element.Aliases }}\n {{ $alias }}
\n {{ end }}\n \n
\n {{ else }}\n No Aliases\n {{ end }}\n \n\n \n

\n {{$element.FixedVersion }}

\n \n \n
\n

{{ $element.SeverityScore }}

\n
\n \n \n

Open in tab

\n \n\n" }, { "path": "internal/output/html/vuln_table_template.gohtml", "content": "\n \n \n \n \n \n \n \n {{ range $rowIndex, $element := .RegularVulns }}\n {{$args := buildVulnTableEntryArgument $element false}}\n {{template \"vuln_table_entry_template.gohtml\" $args}}\n {{ end }}\n\n {{ range $rowIndex, $element := .HiddenVulns }}\n {{ $index := uniqueID }}\n {{$args := buildVulnTableEntryArgument $element true}}\n {{template \"vuln_table_entry_template.gohtml\" $args}}\n {{ end }}\n
Vulnerability IDAliases / UpstreamFixed versionSeverity
\n" }, { "path": "internal/output/html.go", "content": "package output\n\nimport (\n\t\"embed\"\n\t\"html/template\"\n\t\"io\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/results\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// TemplateDir is the directory containing the HTML templates\nconst TemplateDir = \"html/*\"\n\n//go:embed html/*\nvar templates embed.FS\n\n// uniqueIndex creates a function that generates unique indices for HTML elements.\n// It takes an integer pointer as input and increments the integer's value each time the\n// returned function is called. This ensures that each call to the returned function\n// produces a different index, even when called concurrently from multiple goroutines.\nfunc uniqueIndex(index *int) func() int {\n\treturn func() int {\n\t\t*index += 1\n\t\treturn *index\n\t}\n}\n\nfunc formatSlice(slice []string) string {\n\treturn strings.Join(slice, \", \")\n}\n\nfunc formatLicense(slice []models.License) string {\n\tstringSlice := make([]string, len(slice))\n\tfor i, license := range slice {\n\t\tstringSlice[i] = string(license)\n\t}\n\n\treturn formatSlice(stringSlice)\n}\n\nfunc formatRating(rating severity.Rating) string {\n\treturn strings.ToLower(string(rating))\n}\n\ntype VulnTableEntryArgument struct {\n\tElement VulnResult\n\tIsHidden bool\n}\n\nfunc buildVulnTableEntryArgument(element VulnResult, isHidden bool) VulnTableEntryArgument {\n\treturn VulnTableEntryArgument{\n\t\tIsHidden: isHidden,\n\t\tElement: element,\n\t}\n}\n\nfunc hasOSResult(ecosystems []EcosystemResult) bool {\n\tfor _, ecosystem := range ecosystems {\n\t\tif ecosystem.IsOS {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc PrintHTMLResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\t// htmlResult := BuildHTMLResults(vulnResult)\n\tresult := BuildResults(vulnResult)\n\tvulnIndex := 0\n\n\t// Parse embedded templates\n\tfuncMap := template.FuncMap{\n\t\t\"uniqueID\": uniqueIndex(&vulnIndex),\n\t\t\"join\": strings.Join,\n\t\t\"formatRating\": formatRating,\n\t\t\"add\": func(a, b int) int {\n\t\t\treturn a + b\n\t\t},\n\t\t\"getFilteredVulnReasons\": getFilteredVulnReasons,\n\t\t\"getBaseImageName\": getBaseImageName,\n\t\t\"formatSlice\": formatSlice,\n\t\t\"formatLayerCommand\": formatLayerCommand,\n\t\t\"buildVulnTableEntryArgument\": buildVulnTableEntryArgument,\n\t\t\"formatLicense\": formatLicense,\n\t\t\"hasOSResult\": hasOSResult,\n\t\t\"GetShortCommit\": results.GetShortCommit,\n\t\t\"isOSResult\": isOSResult,\n\t}\n\n\ttmpl := template.Must(template.New(\"\").Funcs(funcMap).ParseFS(templates, TemplateDir))\n\n\t// Execute template\n\treturn tmpl.ExecuteTemplate(outputWriter, \"report_template.gohtml\", result)\n}\n" }, { "path": "internal/output/html_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n)\n\nfunc TestPrintHTMLResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintHTMLResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing HTML output: %s\", err)\n\t\t}\n\t})\n}\n\nfunc TestPrintHTMLResults_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintHTMLResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing HTML output: %s\", err)\n\t\t}\n\t})\n}\n\nfunc TestPrintHTMLResults_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintHTMLResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing HTML output: %s\", err)\n\t\t}\n\t})\n}\n" }, { "path": "internal/output/machinejson.go", "content": "package output\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// PrintJSONResults writes results to the provided writer in JSON format\nfunc PrintJSONResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\tencoder := json.NewEncoder(outputWriter)\n\tencoder.SetIndent(\"\", \" \")\n\n\treturn encoder.Encode(vulnResult)\n}\n" }, { "path": "internal/output/machinejson_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestPrintJSONResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintJSONResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing JSON output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintJSONResults_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintJSONResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing JSON output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintJSONResults_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintJSONResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing JSON output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n" }, { "path": "internal/output/markdowntable.go", "content": "package output\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/jedib0t/go-pretty/v6/table\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\n// PrintMarkdownTableResults prints the osv scan results into a human friendly Markdown table.\n// The Markdown table uses the same format and columns as the standard table output.\nfunc PrintMarkdownTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, showAllVulns bool) {\n\ttext.DisableColors()\n\n\toutputResult := BuildResults(vulnResult)\n\n\t// Add a newline to separate results from logs.\n\tfmt.Fprintln(outputWriter)\n\tif outputResult.IsContainerScanning {\n\t\tfmt.Fprintf(outputWriter, \"%s:\\n\", GetContainerScanningHeader(outputResult))\n\t}\n\tprintSummary(outputResult, outputWriter)\n\n\toutputTable := table.NewWriter()\n\toutputTable.SetOutputMirror(outputWriter)\n\toutputTable = tableBuilder(outputTable, outputResult, showAllVulns)\n\n\tif outputTable.Length() != 0 {\n\t\toutputTable.RenderMarkdown()\n\t}\n\n\tlicenseConfig := vulnResult.ExperimentalAnalysisConfig.Licenses\n\tif licenseConfig.Summary {\n\t\toutputLicenseSummaryTable := table.NewWriter()\n\t\toutputLicenseSummaryTable.SetOutputMirror(outputWriter)\n\t\toutputLicenseSummaryTable = licenseSummaryTableBuilder(outputLicenseSummaryTable, vulnResult)\n\n\t\tif outputLicenseSummaryTable.Length() != 0 {\n\t\t\toutputLicenseSummaryTable.RenderMarkdown()\n\t\t}\n\t}\n\n\tif len(licenseConfig.Allowlist) > 0 {\n\t\toutputLicenseViolationsTable := table.NewWriter()\n\t\toutputLicenseViolationsTable.SetOutputMirror(outputWriter)\n\t\toutputLicenseViolationsTable = licenseViolationsTableBuilder(outputLicenseViolationsTable, vulnResult)\n\n\t\tif outputLicenseViolationsTable.Length() > 0 {\n\t\t\toutputLicenseViolationsTable.RenderMarkdown()\n\t\t}\n\t}\n\n\tif outputResult.PkgDeprecatedCount > 0 {\n\t\toutputDeprecatedPackagesTable := table.NewWriter()\n\t\toutputDeprecatedPackagesTable.SetOutputMirror(outputWriter)\n\t\toutputDeprecatedPackagesTable = deprecatedPackagesTableBuilder(outputDeprecatedPackagesTable, vulnResult)\n\n\t\tprintPkgDeprecatedSummary(outputResult, outputWriter)\n\t\toutputDeprecatedPackagesTable.RenderMarkdown()\n\t}\n}\n" }, { "path": "internal/output/markdowntable_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestPrintMarkdownTableResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintMarkdownTableResults(args.vulnResult, outputWriter, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintMarkdownTableResults_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintMarkdownTableResults(args.vulnResult, outputWriter, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintMarkdownTableResults_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintMarkdownTableResults(args.vulnResult, outputWriter, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n" }, { "path": "internal/output/output_result.go", "content": "package output\n\nimport (\n\t\"cmp\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"slices\"\n\t\"sort\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/inventory/vex\"\n\t\"github.com/google/osv-scalibr/semantic\"\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/results\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// Result represents the vulnerability scanning results for output report.\ntype Result struct {\n\tEcosystems []EcosystemResult\n\t// Container scanning related\n\tIsContainerScanning bool\n\tImageInfo ImageInfo\n\tLicenseSummary LicenseSummary\n\tVulnTypeSummary VulnTypeSummary\n\tPackageTypeCount AnalysisCount\n\tVulnCount VulnCount\n\tPkgDeprecatedCount int `json:\",omitempty\"`\n}\n\n// EcosystemResult represents the vulnerability scanning results for an ecosystem.\ntype EcosystemResult struct {\n\tName string\n\tSources []SourceResult\n\tIsOS bool\n}\n\n// SourceResult represents the vulnerability scanning results for a source file.\ntype SourceResult struct {\n\tName string\n\tType models.SourceType\n\tPackageTypeCount AnalysisCount\n\tPackages []PackageResult\n\tVulnCount VulnCount\n\tLicenseViolationsCount int\n\tPkgDeprecatedCount int `json:\",omitempty\"`\n}\n\n// PackageResult represents the vulnerability scanning results for a package.\ntype PackageResult struct {\n\tName string\n\t// OSPackageNames represents the actual installed binary names. This is primarily used for container scanning.\n\tOSPackageNames []string\n\tInstalledVersion string\n\tCommit string\n\tFixedVersion string\n\t// RegularVulns holds all the vulnerabilities that should be displayed to users\n\tRegularVulns []VulnResult\n\t// HiddenVulns holds all the vulnerabilities that should not be displayed to users, such as those deemed unimportant or uncalled.\n\tHiddenVulns []VulnResult\n\tLayerDetail PackageContainerInfo\n\tVulnCount VulnCount\n\tLicenses []models.License\n\tLicenseViolations []models.License\n\tDepGroups []string `json:\"-\"`\n\tDeprecated bool `json:\",omitempty\"`\n}\n\n// VulnResult represents a single vulnerability.\ntype VulnResult struct {\n\tID string\n\tGroupIDs []string\n\tAliases []string\n\t// Description is either the Vulnerability.Summary (default) or the Vulnerability.Details.\n\tDescription string\n\tIsFixable bool\n\tFixedVersion string\n\tVulnAnalysisType VulnAnalysisType\n\tSeverityRating severity.Rating\n\tSeverityScore string\n}\n\ntype ImageInfo struct {\n\tOS string\n\tAllLayers []LayerInfo\n\tAllBaseImages []BaseImageGroupInfo\n}\n\ntype LicenseSummary struct {\n\tSummary bool\n\tShowViolations bool\n\tLicenseCount []models.LicenseCount\n}\n\n// PackageContainerInfo represents detailed layer tracing information about a package.\ntype PackageContainerInfo struct {\n\tLayerIndex int\n\tLayerInfo LayerInfo\n\tBaseImageInfo BaseImageGroupInfo\n}\n\ntype BaseImageGroupInfo struct {\n\tIndex int\n\tBaseImageInfo []models.BaseImageDetails\n\tAllLayers []LayerInfo\n\tCount VulnCount\n}\n\ntype LayerInfo struct {\n\tIndex int\n\tLayerMetadata models.LayerMetadata\n\tCount VulnCount\n}\n\n// VulnTypeSummary represents the count of each vulnerability type at the top level\n// of the scanning results.\ntype VulnTypeSummary struct {\n\tAll int\n\tOS int\n\tProject int\n\tHidden int\n}\n\n// VulnCount represents the counts of vulnerabilities by call analysis, severity and fixed/unfixed status\ntype VulnCount struct {\n\tAnalysisCount AnalysisCount\n\t// Only regular vulnerabilities are included in the severity and fixable counts.\n\tSeverityCount SeverityCount\n\tFixableCount FixableCount\n}\n\n// SeverityCount represents the counts of vulnerabilities by severity level.\ntype SeverityCount struct {\n\tCritical int\n\tHigh int\n\tMedium int\n\tLow int\n\tUnknown int\n}\n\n// AnalysisCount represents the counts of vulnerabilities by analysis type (e.g. call analysis)\ntype AnalysisCount struct {\n\tRegular int\n\tHidden int\n}\n\n// FixableCount represents the counts of vulnerabilities by fixable status.\ntype FixableCount struct {\n\tFixed int\n\tUnFixed int\n}\n\ntype VulnAnalysisType int\n\nconst (\n\tVulnTypeRegular VulnAnalysisType = iota // 0\n\tVulnTypeUncalled // 1\n\tVulnTypeUnimportant // 2\n)\n\nconst UnfixedDescription = \"No fix available\"\nconst VersionUnsupported = \"N/A\"\n\n// osEcosystems is a list of OS images.\nvar osEcosystems = []string{\"Debian\", \"Alpine\", \"Ubuntu\"}\n\n// PrintResults prints the output to the outputWriter.\n// This function is for testing purposes only, to visualize the result format.\nfunc PrintResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\tencoder := json.NewEncoder(outputWriter)\n\tencoder.SetIndent(\"\", \" \")\n\tresult := BuildResults(vulnResult)\n\t//nolint:musttag\n\treturn encoder.Encode(result)\n}\n\n// BuildResults constructs the output result structure from the vulnerability results.\n//\n// This function creates a hierarchical representation of the results, starting from the overall\n// summary and drilling down to ecosystems, sources, packages, and vulnerability details.\n// This structured format facilitates generating various output formats (e.g., table, HTML, etc.).\nfunc BuildResults(vulnResult *models.VulnerabilityResults) Result {\n\tvar ecosystemMap = make(map[string][]SourceResult)\n\tvar resultCount VulnCount\n\tpkgDeprecatedCount := 0\n\nRowLoop:\n\tfor _, packageSource := range vulnResult.Results {\n\t\tfor _, pes := range packageSource.ExperimentalPES {\n\t\t\tif pes.MatchesAllVulns && pes.Justification == vex.ComponentNotPresent {\n\t\t\t\tcontinue RowLoop\n\t\t\t}\n\t\t}\n\n\t\t// Process vulnerabilities for each source\n\t\tsourceResults := processSource(packageSource)\n\t\tfor ecosystem, source := range sourceResults {\n\t\t\tecosystemMap[ecosystem] = append(ecosystemMap[ecosystem], source)\n\t\t\tresultCount.Add(source.VulnCount)\n\t\t\tpkgDeprecatedCount += source.PkgDeprecatedCount\n\t\t}\n\t}\n\n\treturn buildResult(ecosystemMap, resultCount, vulnResult.ImageMetadata, vulnResult.ExperimentalAnalysisConfig.Licenses, vulnResult.LicenseSummary, pkgDeprecatedCount)\n}\n\n// buildResult builds the final Result object from the ecosystem map and total vulnerability count.\nfunc buildResult(ecosystemMap map[string][]SourceResult, resultCount VulnCount, imageMetadata *models.ImageMetadata, licenseConfig models.ExperimentalLicenseConfig, licenseCount []models.LicenseCount, pkgDeprecatedCount int) Result {\n\tresult := Result{}\n\tvar ecosystemResults []EcosystemResult\n\tvar osResults []EcosystemResult\n\n\tfor ecosystem, sources := range ecosystemMap {\n\t\tecosystemResult := EcosystemResult{\n\t\t\tName: ecosystem,\n\t\t\tSources: sources,\n\t\t}\n\n\t\tif isOSEcosystem(ecosystem) {\n\t\t\tecosystemResult.IsOS = true\n\t\t\tosResults = append(osResults, ecosystemResult)\n\t\t} else {\n\t\t\tecosystemResults = append(ecosystemResults, ecosystemResult)\n\t\t}\n\t}\n\n\t// Sort ecosystemResults to ensure consistent output\n\tslices.SortFunc(ecosystemResults, func(a, b EcosystemResult) int {\n\t\treturn cmp.Compare(a.Name, b.Name)\n\t})\n\n\t// Sort osResults to ensure consistent output\n\tslices.SortFunc(osResults, func(a, b EcosystemResult) int {\n\t\treturn cmp.Compare(a.Name, b.Name)\n\t})\n\n\t// Add project results before OS results\n\tecosystemResults = append(ecosystemResults, osResults...)\n\n\tvulnTypeSummary := getVulnTypeSummary(ecosystemResults)\n\tpackageTypeCount := getPackageTypeCount(ecosystemResults)\n\n\tresult.Ecosystems = ecosystemResults\n\tresult.VulnTypeSummary = vulnTypeSummary\n\tresult.PackageTypeCount = packageTypeCount\n\tresult.VulnCount = resultCount\n\tresult.PkgDeprecatedCount = pkgDeprecatedCount\n\n\tif imageMetadata != nil {\n\t\tpopulateResultWithImageMetadata(&result, *imageMetadata)\n\t}\n\n\tif licenseConfig.Summary {\n\t\tresult.LicenseSummary = LicenseSummary{\n\t\t\tSummary: true,\n\t\t\tLicenseCount: licenseCount,\n\t\t}\n\t}\n\n\tif len(licenseConfig.Allowlist) != 0 {\n\t\tresult.LicenseSummary.ShowViolations = true\n\t}\n\n\treturn result\n}\n\n// populateResultWithImageMetadata modifies the result by adding image metadata to it.\n// It uses a pointer receiver (*Result) to modify the original result in place.\nfunc populateResultWithImageMetadata(result *Result, imageMetadata models.ImageMetadata) {\n\tallLayers := buildLayers(imageMetadata.LayerMetadata)\n\tallBaseImages := buildBaseImages(imageMetadata.BaseImages)\n\n\tlayerCount := make([]VulnCount, len(allLayers))\n\tbaseImageCount := make([]VulnCount, len(allBaseImages))\n\n\t// Calculate total vulns for each layer and base image.\n\tfor _, ecosystem := range result.Ecosystems {\n\t\tfor _, source := range ecosystem.Sources {\n\t\t\tfor _, pkg := range source.Packages {\n\t\t\t\tlayerIndex := pkg.LayerDetail.LayerIndex\n\t\t\t\tlayerCount[layerIndex].Add(pkg.VulnCount)\n\n\t\t\t\tbaseImageIndex := allLayers[layerIndex].LayerMetadata.BaseImageIndex\n\t\t\t\tbaseImageCount[baseImageIndex].Add(pkg.VulnCount)\n\t\t\t}\n\t\t}\n\t}\n\n\tbaseImageMap := make(map[int][]LayerInfo)\n\n\t// Update vuln count for layers and base images\n\tfor i := range allLayers {\n\t\tallLayers[i].Count = layerCount[i]\n\t\tbaseImageIndex := allLayers[i].LayerMetadata.BaseImageIndex\n\t\tbaseImageMap[baseImageIndex] = append(baseImageMap[baseImageIndex], allLayers[i])\n\t}\n\n\tfor i := range allBaseImages {\n\t\tallBaseImages[i].Count = baseImageCount[i]\n\t\tslices.SortFunc(baseImageMap[i], func(a, b LayerInfo) int {\n\t\t\treturn cmp.Compare(a.Index, b.Index)\n\t\t})\n\t\tallBaseImages[i].AllLayers = baseImageMap[i]\n\t}\n\n\t// Fill up Layer info for each package\n\tfor i := range result.Ecosystems {\n\t\tfor j := range result.Ecosystems[i].Sources {\n\t\t\tfor k := range result.Ecosystems[i].Sources[j].Packages {\n\t\t\t\t// Pointer to packageInfo to modify directly.\n\t\t\t\tpackageInfo := &result.Ecosystems[i].Sources[j].Packages[k]\n\n\t\t\t\tlayerIndex := packageInfo.LayerDetail.LayerIndex\n\t\t\t\tpackageInfo.LayerDetail.LayerInfo = allLayers[layerIndex]\n\n\t\t\t\tbaseImageIndex := allLayers[layerIndex].LayerMetadata.BaseImageIndex\n\t\t\t\tpackageInfo.LayerDetail.BaseImageInfo = allBaseImages[baseImageIndex]\n\t\t\t}\n\t\t}\n\t}\n\n\t// Display base images in a reverse order\n\tslices.SortFunc(allBaseImages, func(a, b BaseImageGroupInfo) int {\n\t\treturn cmp.Compare(b.Index, a.Index)\n\t})\n\n\tresult.ImageInfo = ImageInfo{\n\t\tOS: imageMetadata.OS,\n\t\tAllLayers: allLayers,\n\t\tAllBaseImages: allBaseImages,\n\t}\n\n\tif len(allLayers) != 0 {\n\t\tresult.IsContainerScanning = true\n\t}\n}\n\nfunc buildBaseImages(baseImages [][]models.BaseImageDetails) []BaseImageGroupInfo {\n\tallBaseImages := make([]BaseImageGroupInfo, len(baseImages))\n\tfor i, baseImage := range baseImages {\n\t\tallBaseImages[i] = BaseImageGroupInfo{\n\t\t\tIndex: i,\n\t\t\tBaseImageInfo: baseImage,\n\t\t}\n\t}\n\n\treturn allBaseImages\n}\n\nfunc buildLayers(layerMetadata []models.LayerMetadata) []LayerInfo {\n\tallLayers := make([]LayerInfo, len(layerMetadata))\n\tfor i, layer := range layerMetadata {\n\t\tallLayers[i] = LayerInfo{\n\t\t\tIndex: i,\n\t\t\tLayerMetadata: layer,\n\t\t}\n\t}\n\n\treturn allLayers\n}\n\n// processSource processes a single source (lockfile or artifact) and returns a map of ecosystems to their corresponding SourceResults.\nfunc processSource(packageSource models.PackageSource) map[string]SourceResult {\n\t// Handle potential duplicate source packages with different OS package names.\n\t// This map ensures each package is processed only once,\n\t// with subsequent occurrences only adding their OSPackageName to the list.\n\tpackageMap := make(map[string]PackageResult)\n\t// Use a map to handle one source contains packages form multiple ecosystems\n\tsourceResults := make(map[string]SourceResult)\n\n\t// If no packages with issues are found, mark the ecosystem as empty.\n\tif len(packageSource.Packages) == 0 {\n\t\tsourceResults[\"\"] = SourceResult{\n\t\t\tName: packageSource.Source.String(),\n\t\t\tType: packageSource.Source.Type,\n\t\t\tPackages: []PackageResult{},\n\t\t}\n\n\t\treturn sourceResults\n\t}\n\n\tfor _, vulnPkg := range packageSource.Packages {\n\t\tif _, exists := sourceResults[vulnPkg.Package.Ecosystem]; !exists {\n\t\t\tsourceResults[vulnPkg.Package.Ecosystem] = SourceResult{\n\t\t\t\tName: packageSource.Source.String(),\n\t\t\t\tType: packageSource.Source.Type,\n\t\t\t}\n\t\t}\n\n\t\t// Use a unique identifier (package name + version) to deduplicate packages (same version),\n\t\t// ensuring each is processed only once.\n\t\tkey := vulnPkg.Package.Ecosystem + \":\" + vulnPkg.Package.Name + \":\" + vulnPkg.Package.Version\n\t\tif _, exist := packageMap[key]; exist {\n\t\t\tpkgTemp := packageMap[key]\n\t\t\tpkgTemp.OSPackageNames = append(pkgTemp.OSPackageNames, vulnPkg.Package.OSPackageName)\n\t\t\tpackageMap[key] = pkgTemp\n\n\t\t\tcontinue // Skip processing this vulnPkg as it was already added\n\t\t}\n\n\t\tpackageResult := processPackage(vulnPkg)\n\t\tif vulnPkg.Package.ImageOrigin != nil {\n\t\t\tpackageResult.LayerDetail = PackageContainerInfo{\n\t\t\t\tLayerIndex: vulnPkg.Package.ImageOrigin.Index,\n\t\t\t}\n\t\t}\n\t\tpackageMap[key] = packageResult\n\t}\n\n\tfor ecosystem, sourceResult := range sourceResults {\n\t\tvar packages []PackageResult\n\t\tfor key, pkg := range packageMap {\n\t\t\tif !strings.HasPrefix(key, ecosystem) {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tpackages = append(packages, pkg)\n\n\t\t\tsourceResult.VulnCount.Add(pkg.VulnCount)\n\t\t\tsourceResult.LicenseViolationsCount += len(pkg.LicenseViolations)\n\t\t\tif len(pkg.RegularVulns) != 0 {\n\t\t\t\tsourceResult.PackageTypeCount.Regular += 1\n\t\t\t}\n\t\t\t// A package can be counted as both regular and hidden if it has both called and uncalled vulnerabilities.\n\t\t\tif len(pkg.HiddenVulns) != 0 {\n\t\t\t\tsourceResult.PackageTypeCount.Hidden += 1\n\t\t\t}\n\t\t\tif pkg.Deprecated {\n\t\t\t\tsourceResult.PkgDeprecatedCount += 1\n\t\t\t}\n\t\t}\n\n\t\t// Sort packageResults to ensure consistent output\n\t\tslices.SortFunc(packages, func(a, b PackageResult) int {\n\t\t\treturn cmp.Or(\n\t\t\t\tcmp.Compare(a.Name, b.Name),\n\t\t\t\tcmp.Compare(a.InstalledVersion, b.InstalledVersion),\n\t\t\t\tcmp.Compare(a.Commit, b.Commit),\n\t\t\t)\n\t\t})\n\t\tsourceResult.Packages = packages\n\t\tsourceResults[ecosystem] = sourceResult\n\t}\n\n\treturn sourceResults\n}\n\n// processPackage processes vulnerability information for a given package\n// and generates a structured output result.\n//\n// This function processes the vulnerability groups, updates vulnerability details,\n// and constructs the final output result for the package, including details about\n// called and uncalled vulnerabilities, fixable counts, and layer information (if available).\nfunc processPackage(vulnPkg models.PackageVulns) PackageResult {\n\tregularVulnMap, hiddenVulnMap := processVulnGroups(vulnPkg)\n\tupdateVuln(regularVulnMap, vulnPkg)\n\tupdateVuln(hiddenVulnMap, vulnPkg)\n\n\tregularVulnList := getVulnList(regularVulnMap)\n\thiddenVulnList := getVulnList(hiddenVulnMap)\n\n\tcount := calculateCount(regularVulnList, hiddenVulnList)\n\n\tpackageFixedVersion := calculatePackageFixedVersion(vulnPkg.Package.Ecosystem, regularVulnList)\n\n\tpackageResult := PackageResult{\n\t\tName: vulnPkg.Package.Name,\n\t\tOSPackageNames: []string{vulnPkg.Package.OSPackageName},\n\t\tInstalledVersion: vulnPkg.Package.Version,\n\t\tCommit: vulnPkg.Package.Commit,\n\t\tFixedVersion: packageFixedVersion,\n\t\tRegularVulns: regularVulnList,\n\t\tHiddenVulns: hiddenVulnList,\n\t\tVulnCount: count,\n\t\tLicenses: vulnPkg.Licenses,\n\t\tLicenseViolations: vulnPkg.LicenseViolations,\n\t\tDepGroups: vulnPkg.DepGroups,\n\t\tDeprecated: vulnPkg.Package.Deprecated,\n\t}\n\n\treturn packageResult\n}\n\n// processVulnGroups processes vulnerability groups within a package.\n//\n// Returns:\n//\n//\tregularVulnMap: A map of regular vulnerabilities, keyed by their representative ID.\n//\thiddenVulnMap: A map of unimportant vulnerabilities, keyed by their representative ID.\nfunc processVulnGroups(vulnPkg models.PackageVulns) (map[string]VulnResult, map[string]VulnResult) {\n\tregularVulnMap := make(map[string]VulnResult)\n\thiddenVulnMap := make(map[string]VulnResult)\n\n\tfor _, group := range vulnPkg.Groups {\n\t\trepresentID := group.IDs[0]\n\t\tvar aliases []string\n\t\tif len(group.Aliases) > 0 && slices.Contains(group.Aliases, representID) {\n\t\t\tfor _, val := range group.Aliases {\n\t\t\t\tif val != representID {\n\t\t\t\t\taliases = append(aliases, val)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tvuln := VulnResult{\n\t\t\tID: representID,\n\t\t\tGroupIDs: group.IDs,\n\t\t\tAliases: aliases,\n\t\t}\n\n\t\tvuln.SeverityScore = group.MaxSeverity\n\t\tvuln.SeverityRating, _ = severity.CalculateRating(vuln.SeverityScore)\n\t\tif vuln.SeverityRating == severity.UnknownRating {\n\t\t\tvuln.SeverityScore = \"N/A\"\n\t\t}\n\n\t\tif group.IsCalled() && !group.IsGroupUnimportant() {\n\t\t\tvuln.VulnAnalysisType = VulnTypeRegular\n\t\t\tregularVulnMap[representID] = vuln\n\t\t} else if group.IsGroupUnimportant() {\n\t\t\tvuln.VulnAnalysisType = VulnTypeUnimportant\n\t\t\thiddenVulnMap[representID] = vuln\n\t\t} else if !group.IsCalled() {\n\t\t\tvuln.VulnAnalysisType = VulnTypeUncalled\n\t\t\thiddenVulnMap[representID] = vuln\n\t\t}\n\t}\n\n\treturn regularVulnMap, hiddenVulnMap\n}\n\n// updateVuln updates each vulnerability info in vulnMap from the details of vulnPkg.Vulnerabilities.\nfunc updateVuln(vulnMap map[string]VulnResult, vulnPkg models.PackageVulns) {\n\tfor _, vuln := range vulnPkg.Vulnerabilities {\n\t\tfixable, fixedVersion := getNextFixVersion(vuln.GetAffected(), vulnPkg.Package.Version, vulnPkg.Package.Name, vulnPkg.Package.Ecosystem)\n\t\tif outputVuln, exist := vulnMap[vuln.GetId()]; exist {\n\t\t\toutputVuln.FixedVersion = fixedVersion\n\t\t\toutputVuln.IsFixable = fixable\n\t\t\toutputVuln.Description = vuln.GetSummary()\n\t\t\tif outputVuln.Description == \"\" {\n\t\t\t\toutputVuln.Description = vuln.GetDetails()\n\t\t\t}\n\t\t\tvulnMap[vuln.GetId()] = outputVuln\n\t\t}\n\t}\n}\n\nfunc getVulnList(vulnMap map[string]VulnResult) []VulnResult {\n\tvulnList := make([]VulnResult, 0, len(vulnMap))\n\tfor _, vuln := range vulnMap {\n\t\tvulnList = append(vulnList, vuln)\n\t}\n\n\t// Sort projectResults to ensure consistent output\n\tslices.SortFunc(vulnList, func(a, b VulnResult) int {\n\t\treturn identifiers.IDSortFunc(a.ID, b.ID)\n\t})\n\n\treturn vulnList\n}\n\n// getNextFixVersion finds the next fixed version for a given vulnerability.\n// returns a boolean value indicating whether a fixed version is available.\nfunc getNextFixVersion(allAffected []*osvschema.Affected, installedVersion string, installedPackage string, ecosystem string) (bool, string) {\n\tecosystemPrefix := strings.Split(ecosystem, \":\")[0]\n\tvp, err := semantic.Parse(installedVersion, ecosystemPrefix)\n\tif err != nil {\n\t\treturn false, VersionUnsupported\n\t}\n\n\tminFixVersion := UnfixedDescription\n\tfor _, affected := range allAffected {\n\t\tif affected.GetPackage().GetName() != installedPackage || removeVariants(affected.GetPackage().GetEcosystem()) != ecosystem {\n\t\t\tcontinue\n\t\t}\n\t\tfor _, affectedRange := range affected.GetRanges() {\n\t\t\tfor _, affectedEvent := range affectedRange.GetEvents() {\n\t\t\t\torder, _ := vp.CompareStr(affectedEvent.GetFixed())\n\t\t\t\t// Skip if it's not a fix version event or the installed version is greater than the fix version.\n\t\t\t\tif affectedEvent.GetFixed() == \"\" || order > 0 {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\torder, _ = semantic.MustParse(affectedEvent.GetFixed(), ecosystemPrefix).CompareStr(minFixVersion)\n\t\t\t\t// Find the minimum fix version\n\t\t\t\tif minFixVersion == UnfixedDescription || order < 0 {\n\t\t\t\t\tminFixVersion = affectedEvent.GetFixed()\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\thasFixedVersion := minFixVersion != UnfixedDescription // Check if a fix is found\n\n\treturn hasFixedVersion, minFixVersion\n}\n\n// calculatePackageFixedVersion determines the highest version that resolves the most known vulnerabilities for a package.\nfunc calculatePackageFixedVersion(ecosystem string, allVulns []VulnResult) string {\n\tecosystemPrefix := strings.Split(ecosystem, \":\")[0]\n\tmaxFixVersion := \"\"\n\tvar vp semantic.Version\n\tfor _, vuln := range allVulns {\n\t\t// Skip vulnerabilities without a fixed version.\n\t\tif !vuln.IsFixable {\n\t\t\tcontinue\n\t\t}\n\n\t\tif maxFixVersion == \"\" {\n\t\t\tmaxFixVersion = vuln.FixedVersion\n\t\t\t// maxFixVersion will always be valid as it comes from a parsable vulnerability fixed version.\n\t\t\t// If the fixed version was invalid, 'IsFixable' will be marked as false and will be skipped.\n\t\t\tvp = semantic.MustParse(maxFixVersion, ecosystemPrefix)\n\n\t\t\tcontinue\n\t\t}\n\n\t\torder, _ := vp.CompareStr(vuln.FixedVersion)\n\t\t// Update if the current vulnerability's fixed version is higher\n\t\tif order < 0 {\n\t\t\tmaxFixVersion = vuln.FixedVersion\n\t\t\tvp = semantic.MustParse(maxFixVersion, ecosystemPrefix)\n\t\t}\n\t}\n\n\t// Default to UnfixedDescription if no fix version is found.\n\tif maxFixVersion == \"\" {\n\t\tmaxFixVersion = UnfixedDescription\n\t}\n\n\treturn maxFixVersion\n}\n\n// Add adds the counts from another VulnCount to the receiver.\nfunc (v *VulnCount) Add(other VulnCount) {\n\tv.SeverityCount.Add(other.SeverityCount)\n\tv.AnalysisCount.Add(other.AnalysisCount)\n\tv.FixableCount.Add(other.FixableCount)\n}\n\n// Add adds the counts from another SeverityCount to the receiver.\nfunc (c *SeverityCount) Add(other SeverityCount) {\n\tc.Critical += other.Critical\n\tc.High += other.High\n\tc.Medium += other.Medium\n\tc.Low += other.Low\n\tc.Unknown += other.Unknown\n}\n\n// Add adds the counts from another CallAnalysisCount to the receiver.\nfunc (c *AnalysisCount) Add(other AnalysisCount) {\n\tc.Regular += other.Regular\n\tc.Hidden += other.Hidden\n}\n\n// Add adds the counts from another FixableCount to the receiver.\nfunc (c *FixableCount) Add(other FixableCount) {\n\tc.Fixed += other.Fixed\n\tc.UnFixed += other.UnFixed\n}\n\nfunc (vt VulnAnalysisType) String() string {\n\tswitch vt {\n\tcase VulnTypeRegular:\n\t\treturn \"Regular\"\n\tcase VulnTypeUncalled:\n\t\treturn \"Uncalled\"\n\tcase VulnTypeUnimportant:\n\t\treturn \"Unimportant\"\n\tdefault:\n\t\treturn \"Unknown\"\n\t}\n}\n\nfunc getFilteredVulnReasons(vulns []VulnResult) string {\n\treasonMap := make(map[string]bool)\n\tfor _, vuln := range vulns {\n\t\tif vuln.VulnAnalysisType != VulnTypeRegular {\n\t\t\treasonMap[vuln.VulnAnalysisType.String()] = true\n\t\t}\n\t}\n\n\treasons := make([]string, 0, len(reasonMap))\n\tfor reason := range reasonMap {\n\t\treasons = append(reasons, reason)\n\t}\n\n\tsort.Strings(reasons)\n\n\treturn strings.Join(reasons, \", \")\n}\n\nfunc getBaseImageName(baseImageInfo BaseImageGroupInfo) string {\n\tif len(baseImageInfo.BaseImageInfo) > 0 {\n\t\treturn baseImageInfo.BaseImageInfo[0].Name\n\t}\n\n\treturn \"\"\n}\n\nfunc increaseSeverityCount(severityCount SeverityCount, severityType severity.Rating) SeverityCount {\n\tswitch severityType {\n\tcase severity.CriticalRating:\n\t\tseverityCount.Critical += 1\n\tcase severity.HighRating:\n\t\tseverityCount.High += 1\n\tcase severity.MediumRating:\n\t\tseverityCount.Medium += 1\n\tcase severity.LowRating:\n\t\tseverityCount.Low += 1\n\tcase severity.UnknownRating:\n\t\tseverityCount.Unknown += 1\n\t}\n\n\treturn severityCount\n}\n\nfunc isOSEcosystem(ecosystem string) bool {\n\tfor _, image := range osEcosystems {\n\t\tif strings.HasPrefix(ecosystem, image) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc getVulnTypeSummary(result []EcosystemResult) VulnTypeSummary {\n\tvar vulnTypeSummary VulnTypeSummary\n\n\tfor _, ecosystem := range result {\n\t\tfor _, source := range ecosystem.Sources {\n\t\t\tif ecosystem.IsOS {\n\t\t\t\tvulnTypeSummary.OS += source.VulnCount.AnalysisCount.Regular\n\t\t\t} else {\n\t\t\t\tvulnTypeSummary.Project += source.VulnCount.AnalysisCount.Regular\n\t\t\t}\n\t\t\tvulnTypeSummary.Hidden += source.VulnCount.AnalysisCount.Hidden\n\t\t}\n\t}\n\n\tvulnTypeSummary.All = vulnTypeSummary.OS + vulnTypeSummary.Project\n\n\treturn vulnTypeSummary\n}\n\nfunc getPackageTypeCount(result []EcosystemResult) AnalysisCount {\n\tvar packageCount AnalysisCount\n\n\tfor _, ecosystem := range result {\n\t\tfor _, source := range ecosystem.Sources {\n\t\t\tpackageCount.Regular += source.PackageTypeCount.Regular\n\t\t\tpackageCount.Hidden += source.PackageTypeCount.Hidden\n\t\t}\n\t}\n\n\treturn packageCount\n}\n\n// calculateCount calculates the vulnerability counts based on the provided\n// lists of regular and hidden vulnerabilities.\nfunc calculateCount(regularVulnList, hiddenVulnList []VulnResult) VulnCount {\n\tvar count VulnCount\n\n\tfor _, vuln := range regularVulnList {\n\t\tif vuln.IsFixable {\n\t\t\tcount.FixableCount.Fixed += 1\n\t\t} else {\n\t\t\tcount.FixableCount.UnFixed += 1\n\t\t}\n\n\t\tcount.SeverityCount = increaseSeverityCount(count.SeverityCount, vuln.SeverityRating)\n\t}\n\tcount.AnalysisCount.Regular = len(regularVulnList)\n\tcount.AnalysisCount.Hidden = len(hiddenVulnList)\n\n\treturn count\n}\n\n// formatLayerCommand formats the layer command output for better readability.\n// It replaces the unreadable file ID with \"UNKNOWN\" and extracting the ID separately.\nfunc formatLayerCommand(command string) []string {\n\tcommand = cleanupSpaces(command)\n\tre := cachedregexp.MustCompile(`(dir|file):([a-f0-9]+)`)\n\tmatch := re.FindStringSubmatch(command)\n\n\tif len(match) > 2 {\n\t\tprefix := match[1] // Capture \"dir\" or \"file\"\n\t\thash := match[2] // Capture the hash ID\n\t\tnewCommand := re.ReplaceAllString(command, prefix+\":UNKNOWN\")\n\n\t\treturn []string{newCommand, \"File ID: \" + hash}\n\t}\n\n\treturn []string{command, \"\"}\n}\n\n// cleanupSpaces uses a regular expression to replace multiple spaces with a single space.\nfunc cleanupSpaces(s string) string {\n\tre := cachedregexp.MustCompile(`\\s+`)\n\ts = re.ReplaceAllString(s, \" \")\n\ts = strings.TrimSpace(s)\n\n\treturn s\n}\n\nfunc printSummary(result Result, out io.Writer) {\n\tpackageForm := Form(result.PackageTypeCount.Regular, \"package\", \"packages\")\n\tvulnerabilityForm := Form(result.VulnTypeSummary.All, \"vulnerability\", \"vulnerabilities\")\n\tfixedVulnForm := Form(result.VulnCount.FixableCount.Fixed, \"vulnerability\", \"vulnerabilities\")\n\tecosystemForm := Form(len(result.Ecosystems), \"ecosystem\", \"ecosystems\")\n\n\tsummary := fmt.Sprintf(\n\t\t\"Total %[1]d %[10]s affected by %[2]d known %[11]s (%[3]s, %[4]s, %[5]s, %[6]s, %[7]s) from %[8]s.\\n\"+\n\t\t\t\"%[9]d %[12]s can be fixed.\\n\",\n\t\tresult.PackageTypeCount.Regular,\n\t\tresult.VulnTypeSummary.All,\n\t\ttext.FgRed.Sprintf(\"%d Critical\", result.VulnCount.SeverityCount.Critical),\n\t\ttext.FgHiYellow.Sprintf(\"%d High\", result.VulnCount.SeverityCount.High),\n\t\ttext.FgYellow.Sprintf(\"%d Medium\", result.VulnCount.SeverityCount.Medium),\n\t\ttext.FgHiCyan.Sprintf(\"%d Low\", result.VulnCount.SeverityCount.Low),\n\t\ttext.FgCyan.Sprintf(\"%d Unknown\", result.VulnCount.SeverityCount.Unknown),\n\t\ttext.FgGreen.Sprintf(\"%d %s\", len(result.Ecosystems), ecosystemForm),\n\t\tresult.VulnCount.FixableCount.Fixed,\n\n\t\tpackageForm,\n\t\tvulnerabilityForm,\n\t\tfixedVulnForm,\n\t)\n\tfmt.Fprintln(out, summary)\n}\n\nfunc printPkgDeprecatedSummary(result Result, out io.Writer) {\n\tpackageForm := Form(result.PkgDeprecatedCount, \"package\", \"packages\")\n\tsummary := fmt.Sprintf(\"Total %d %s deprecated.\\n\", result.PkgDeprecatedCount, packageForm)\n\tfmt.Fprintln(out, summary)\n}\n\nfunc getInstalledVersionOrCommit(pkg PackageResult) string {\n\tresult := pkg.InstalledVersion\n\tif result == \"\" && pkg.Commit != \"\" {\n\t\tresult = results.GetShortCommit(pkg.Commit)\n\t}\n\n\treturn result\n}\n\nfunc isOSResult(sourceType models.SourceType) bool {\n\treturn sourceType == models.SourceTypeOSPackage\n}\n\nfunc containsOSResult(result Result) bool {\n\tfor _, ecosystem := range result.Ecosystems {\n\t\tfor _, source := range ecosystem.Sources {\n\t\t\tif isOSResult(source.Type) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc ecosystemHasRegVuln(ecosystem EcosystemResult) bool {\n\tfor _, source := range ecosystem.Sources {\n\t\tif source.PackageTypeCount.Regular > 0 {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc removeVariants(ecosystem string) string {\n\tif strings.Contains(ecosystem, \"Ubuntu\") {\n\t\tecosystem := strings.ReplaceAll(strings.ReplaceAll(ecosystem, \":Pro\", \"\"), \":LTS\", \"\")\n\t\treturn ecosystem\n\t}\n\n\treturn ecosystem\n}\n\nfunc formatHiddenVulnsPrompt(hiddenVulns int) string {\n\treturn fmt.Sprintf(\"Hiding %d number of vulnerabilities deemed unimportant, use --all-vulns to show them.\", hiddenVulns)\n}\n\nfunc GetContainerScanningHeader(result Result) string {\n\tif !result.IsContainerScanning {\n\t\treturn \"\"\n\t}\n\n\theader := fmt.Sprintf(\"Container Scanning Result (%s)\", result.ImageInfo.OS)\n\n\tvar baseImageName string\n\tfor _, baseImage := range result.ImageInfo.AllBaseImages {\n\t\tif baseImage.Index == 1 {\n\t\t\tbaseImageName = getBaseImageName(baseImage)\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif baseImageName != \"\" {\n\t\theader += fmt.Sprintf(\" (Based on \\\"%s\\\" image)\", baseImageName)\n\t}\n\n\treturn header\n}\n" }, { "path": "internal/output/output_result_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestPrintOutputResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Error writing output: %s\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n" }, { "path": "internal/output/result.go", "content": "package output\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"log\"\n\t\"maps\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\ntype pkgWithSource struct {\n\tPackage models.PackageInfo `json:\"Package\"`\n\tSource models.SourceInfo `json:\"Source\"`\n}\n\n// Custom implementation of this unique set map to allow it to serialize to JSON\ntype pkgSourceSet map[pkgWithSource]struct{}\n\n// StableKeys returns the pkgWithSource keys in a deterministic order\nfunc (pss *pkgSourceSet) StableKeys() []pkgWithSource {\n\tpkgWithSrcKeys := slices.AppendSeq(make([]pkgWithSource, 0, len(*pss)), maps.Keys(*pss))\n\n\tslices.SortFunc(pkgWithSrcKeys, func(a, b pkgWithSource) int {\n\t\t// compare based on each field in descending priority\n\t\tfor _, fn := range []func() int{\n\t\t\tfunc() int { return strings.Compare(a.Source.Path, b.Source.Path) },\n\t\t\tfunc() int { return strings.Compare(a.Package.Name, b.Package.Name) },\n\t\t\tfunc() int { return strings.Compare(a.Package.Version, b.Package.Version) },\n\t\t} {\n\t\t\tif r := fn(); r != 0 {\n\t\t\t\treturn r\n\t\t\t}\n\t\t}\n\n\t\treturn 0\n\t})\n\n\treturn pkgWithSrcKeys\n}\n\nfunc (pss *pkgSourceSet) MarshalJSON() ([]byte, error) {\n\tres := make([]pkgWithSource, 0, len(*pss))\n\n\tfor v := range *pss {\n\t\tres = append(res, v)\n\t}\n\n\treturn json.Marshal(res)\n}\n\nfunc (pss *pkgSourceSet) UnmarshalJSON(data []byte) error {\n\taux := []pkgWithSource{}\n\tif err := json.Unmarshal(data, &aux); err != nil {\n\t\treturn err\n\t}\n\n\t*pss = make(pkgSourceSet)\n\tfor _, pws := range aux {\n\t\t(*pss)[pws] = struct{}{}\n\t}\n\n\treturn nil\n}\n\n// mustGetWorkingDirectory panics if it can't get the working directory\nfunc mustGetWorkingDirectory() string {\n\tdir, err := os.Getwd()\n\tif err != nil {\n\t\tlog.Panicf(\"can't get working dir: %v\", err)\n\t}\n\n\treturn dir\n}\n\n// groupFixedVersions builds the fixed versions for each ID Group, with keys formatted like so:\n// `Source:ID`\nfunc groupFixedVersions(flattened []models.VulnerabilityFlattened) map[string][]string {\n\tgroupedFixedVersions := map[string][]string{}\n\n\t// Get the fixed versions indexed by each group of vulnerabilities\n\t// Prepend source path as same vulnerability in two projects should be counted twice\n\t// Remember to sort and compact before displaying later\n\tfor _, vf := range flattened {\n\t\tif vf.Vulnerability == nil {\n\t\t\tcontinue\n\t\t}\n\t\tgroupIdx := vf.Source.String() + \":\" + vf.GroupInfo.IndexString()\n\t\tpkg := vulns.PackageKey{\n\t\t\tEcosystem: vf.Package.Ecosystem,\n\t\t\tName: vf.Package.Name,\n\t\t}\n\t\tgroupedFixedVersions[groupIdx] =\n\t\t\tappend(groupedFixedVersions[groupIdx], vulns.GetFixedVersions(vf.Vulnerability)[pkg]...)\n\t}\n\n\t// Remove duplicates\n\tfor k := range groupedFixedVersions {\n\t\tfixedVersions := groupedFixedVersions[k]\n\t\tslices.Sort(fixedVersions)\n\t\tgroupedFixedVersions[k] = slices.Compact(fixedVersions)\n\t}\n\n\treturn groupedFixedVersions\n}\n\n// groupedSARIFFinding groups vulnerabilities by aliases\ntype groupedSARIFFinding struct {\n\tDisplayID string\n\tPkgSource pkgSourceSet\n\t// AliasedVulns contains vulns that are OSV vulnerabilities\n\tAliasedVulns map[string]*osvschema.Vulnerability\n\t// AliasedIDList contains all aliased IDs, including ones that are not OSV (e.g. CVE IDs)\n\t// Sorted by idSortFunc, therefore the first element will be the display ID\n\tAliasedIDList []string\n}\n\n// UnmarshalJSON implements the json.unmarshaler interface.\n// It is required because the AliasedVulns field is a proto message,\n// which requires protojson to unmarshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (g *groupedSARIFFinding) UnmarshalJSON(data []byte) error {\n\t// Use alias to avoid recursion.\n\ttype alias groupedSARIFFinding\n\n\t// Use temporary struct to combine standard fields (via alias)\n\t// and the manually processed field (via shadowing).\n\ttmp := &struct {\n\t\t*alias\n\n\t\tAliasedVulns map[string]json.RawMessage `json:\"AliasedVulns\"`\n\t}{\n\t\talias: (*alias)(g),\n\t}\n\n\tif err := json.Unmarshal(data, &tmp); err != nil {\n\t\treturn err\n\t}\n\n\t// Manually process the custom field from RawMessage format.\n\tif tmp.AliasedVulns != nil {\n\t\tg.AliasedVulns = make(map[string]*osvschema.Vulnerability, len(tmp.AliasedVulns))\n\t\tfor id, rawVuln := range tmp.AliasedVulns {\n\t\t\tvar vuln osvschema.Vulnerability\n\t\t\tif err := protojson.Unmarshal(rawVuln, &vuln); err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to protojson unmarshal vuln %q: %w\", id, err)\n\t\t\t}\n\t\t\tg.AliasedVulns[id] = &vuln\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// MarshalJSON implements the json.Marshaler interface.\n// It is required because the AliasedVulns field is a proto message,\n// which requires protojson to marshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (g *groupedSARIFFinding) MarshalJSON() ([]byte, error) {\n\t// Use alias to avoid recursion.\n\ttype alias groupedSARIFFinding\n\n\t// Pre-process the custom field into standardized RawMessage format.\n\tvar rawVulns map[string]json.RawMessage\n\tif g.AliasedVulns != nil {\n\t\trawVulns = make(map[string]json.RawMessage, len(g.AliasedVulns))\n\t\tfor id, vuln := range g.AliasedVulns {\n\t\t\tunstableJSON, err := protojson.Marshal(vuln)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to marshal vuln %q: %w\", id, err)\n\t\t\t}\n\t\t\tvar vuln any\n\t\t\tif err := json.Unmarshal(unstableJSON, &vuln); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tb, err := json.MarshalIndent(vuln, \"\", \" \")\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\trawVulns[id] = b\n\t\t}\n\t}\n\n\t// Use temporary struct to combine standard fields (via alias)\n\t// and the manually processed field (via shadowing).\n\treturn json.Marshal(&struct {\n\t\t*alias\n\n\t\tAliasedVulns map[string]json.RawMessage `json:\"AliasedVulns\"`\n\t}{\n\t\talias: (*alias)(g),\n\t\tAliasedVulns: rawVulns,\n\t})\n}\n\n// mapIDsToGroupedSARIFFinding creates a map over all vulnerability IDs, with aliased vuln IDs\n// pointing to the same groupedSARIFFinding object\nfunc mapIDsToGroupedSARIFFinding(vulnResults *models.VulnerabilityResults) map[string]*groupedSARIFFinding {\n\t// Map of vuln IDs to their respective groupedSARIFFinding\n\tresults := map[string]*groupedSARIFFinding{}\n\n\tfor _, res := range vulnResults.Results {\n\t\tfor _, pkg := range res.Packages {\n\t\t\tfor _, gi := range pkg.Groups {\n\t\t\t\tvar data *groupedSARIFFinding\n\t\t\t\t// See if this vulnerability group already exists (from another package or source)\n\t\t\t\tfor _, id := range gi.IDs {\n\t\t\t\t\texistingData, ok := results[id]\n\t\t\t\t\tif ok {\n\t\t\t\t\t\tdata = existingData\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// If not create this group\n\t\t\t\tif data == nil {\n\t\t\t\t\tdata = &groupedSARIFFinding{\n\t\t\t\t\t\tPkgSource: make(pkgSourceSet),\n\t\t\t\t\t\tAliasedVulns: make(map[string]*osvschema.Vulnerability),\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// Point all the IDs of the same group to the same data, either newly created or existing\n\t\t\t\tfor _, id := range gi.IDs {\n\t\t\t\t\tresults[id] = data\n\t\t\t\t}\n\t\t\t}\n\t\t\tfor _, v := range pkg.Vulnerabilities {\n\t\t\t\tnewPkgSource := pkgWithSource{\n\t\t\t\t\tPackage: pkg.Package,\n\t\t\t\t\tSource: res.Source,\n\t\t\t\t}\n\t\t\t\tentry := results[v.GetId()]\n\t\t\t\tentry.PkgSource[newPkgSource] = struct{}{}\n\t\t\t\tentry.AliasedVulns[v.GetId()] = v\n\t\t\t\tentry.AliasedIDList = append(entry.AliasedIDList, v.GetId())\n\t\t\t\tentry.AliasedIDList = append(entry.AliasedIDList, v.GetAliases()...)\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, gs := range results {\n\t\tslices.SortFunc(gs.AliasedIDList, identifiers.IDSortFunc)\n\t\tgs.AliasedIDList = slices.Compact(gs.AliasedIDList)\n\t\tgs.DisplayID = gs.AliasedIDList[0]\n\t}\n\n\treturn results\n}\n" }, { "path": "internal/output/result_test.go", "content": "package output\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc Test_groupFixedVersions(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs []models.VulnerabilityFlattened\n\t\twant testutility.Snapshot\n\t}{\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: testutility.LoadJSONFixture[[]models.VulnerabilityFlattened](t, \"testdata/flattened_vulns.json\"),\n\t\t\twant: testutility.NewSnapshot(),\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: testutility.LoadJSONFixtureWithWindowsReplacements[[]models.VulnerabilityFlattened](t,\n\t\t\t\t\"testdata/flattened_vulns.json\",\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\scorecard-check-osv-e2e\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\",\n\t\t\t\t\t\"/path/to/scorecard-check-osv-e2e/go.mod\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\scorecard-check-osv-e2e\\\\\\\\go.mod\",\n\t\t\t\t},\n\t\t\t),\n\t\t\twant: testutility.NewSnapshot().WithWindowsReplacements(\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\scorecard-check-osv-e2e\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\scorecard-check-osv-e2e\\\\\\\\go.mod\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot := groupFixedVersions(tt.args)\n\t\t\ttt.want.MatchJSON(t, got)\n\t\t})\n\t}\n}\n\nfunc Test_mapIDsToGroupedSARIFFinding(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs models.VulnerabilityResults\n\t\twant testutility.Snapshot\n\t}{\n\t\t{\n\t\t\targs: testutility.LoadJSONFixtureWithWindowsReplacements[models.VulnerabilityResults](t,\n\t\t\t\t\"testdata/test-vuln-results-a.json\",\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"/path/to/sub-rust-project/Cargo.lock\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\",\n\t\t\t\t\t\"/path/to/go.mod\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\go.mod\",\n\t\t\t\t},\n\t\t\t),\n\t\t\twant: testutility.NewSnapshot().WithWindowsReplacements(\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\": \"/path/to/sub-rust-project/Cargo.lock\",\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\go.mod\": \"/path/to/go.mod\",\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := mapIDsToGroupedSARIFFinding(&tt.args)\n\t\t\ttt.want.MatchJSON(t, got)\n\t\t})\n\t}\n}\n" }, { "path": "internal/output/sarif.go", "content": "package output\n\nimport (\n\t\"crypto/sha256\"\n\t\"encoding/hex\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strconv\"\n\t\"strings\"\n\t\"text/template\"\n\n\t\"github.com/google/osv-scanner/v2/internal/identifiers\"\n\t\"github.com/google/osv-scanner/v2/internal/url\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/results\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/jedib0t/go-pretty/v6/table\"\n\t\"github.com/owenrumney/go-sarif/v3/pkg/report/v210/sarif\"\n)\n\ntype HelpTemplateData struct {\n\tID string\n\tAffectedPackagesTable string\n\tAffectedPackagePaths []string\n\tAliasedVulns []VulnDescription\n\tHasFixedVersion bool\n\tFixedVersionTable string\n\tPathSeparator string\n}\n\ntype FixedPkgTableData struct {\n\tVulnID string\n\tPackageName string\n\tFixedVersion string\n}\ntype VulnDescription struct {\n\tID string\n\tDetails string\n}\n\n// SARIFTemplate is used as the help text for findings.\n//\n// Note that double double-quotes are (\"\") are used to represent a single backtick (`)`,\n// since backticks cannot be escaped in raw strings\nconst SARIFTemplate = `\n**Your dependency is vulnerable to [{{.ID}}](https://osv.dev/{{.ID}})**\n{{- if gt (len .AliasedVulns) 1 }}\n(Also published as: {{range .AliasedVulns -}} {{if ne .ID $.ID -}} [{{.ID}}](https://osv.dev/{{.ID}}), {{end}}{{end}})\n{{- end}}.\n\n{{range .AliasedVulns -}}\n## [{{.ID}}](https://osv.dev/{{.ID}})\n\n
\nDetails\n\n> {{.Details}}\n\n
\n\n{{end -}}\n---\n\n### Affected Packages\n\n{{.AffectedPackagesTable}}\n\n## Remediation\n\n{{- if .HasFixedVersion }}\n\nTo fix these vulnerabilities, update the vulnerabilities past the listed fixed versions below.\n\n### Fixed Versions\n\n{{.FixedVersionTable}}\n\n{{- end}}\n\nIf you believe these vulnerabilities do not affect your code and wish to ignore them, add them to the ignore list in an\n\"\"osv-scanner.toml\"\" file located in the same directory as the lockfile containing the vulnerable dependency.\n\nSee the format and more options in our documentation here: https://google.github.io/osv-scanner/configuration/\n\nAdd or append these values to the following config files to ignore this vulnerability:\n\n{{range .AffectedPackagePaths -}}\n\"\"{{.}}{{$.PathSeparator}}osv-scanner.toml\"\"\n\n\"\"\"\"\"\"\n[[IgnoredVulns]]\nid = \"{{$.ID}}\"\nreason = \"Your reason for ignoring this vulnerability\"\n\"\"\"\"\"\"\n{{end}}\n`\n\n// createSARIFAffectedPkgTable creates a vulnerability table which includes the affected versions for a specific source file\nfunc createSARIFAffectedPkgTable(pkgWithSrc []pkgWithSource) table.Writer {\n\thelpTable := table.NewWriter()\n\theaderRow := table.Row{\"Source\", \"Package Name\", \"Package Version\"}\n\n\thasDeprecated := false\n\tfor _, ps := range pkgWithSrc {\n\t\tif ps.Package.Deprecated {\n\t\t\thasDeprecated = true\n\t\t\tbreak\n\t\t}\n\t}\n\n\tif hasDeprecated {\n\t\theaderRow = append(headerRow, \"Deprecated\")\n\t}\n\thelpTable.AppendHeader(headerRow)\n\n\tfor _, ps := range pkgWithSrc {\n\t\tver := ps.Package.Version\n\t\tif ps.Package.Commit != \"\" {\n\t\t\tver = ps.Package.Commit\n\t\t}\n\t\trow := table.Row{\n\t\t\tps.Source.String(),\n\t\t\tps.Package.Name,\n\t\t\tver,\n\t\t}\n\t\tif hasDeprecated {\n\t\t\trow = append(row, ps.Package.Deprecated)\n\t\t}\n\t\thelpTable.AppendRow(row)\n\t}\n\n\treturn helpTable\n}\n\n// createSARIFFixedPkgTable creates a vulnerability table which includes the fixed versions for a specific source file\nfunc createSARIFFixedPkgTable(fixedPkgTableData []FixedPkgTableData) table.Writer {\n\thelpTable := table.NewWriter()\n\thelpTable.AppendHeader(table.Row{\"Vulnerability ID\", \"Package Name\", \"Fixed Version\"})\n\n\tslices.SortFunc(fixedPkgTableData, func(a, b FixedPkgTableData) int {\n\t\treturn strings.Compare(a.VulnID, b.VulnID)\n\t})\n\n\tfor _, data := range fixedPkgTableData {\n\t\thelpTable.AppendRow(table.Row{\n\t\t\tdata.VulnID,\n\t\t\tdata.PackageName,\n\t\t\tdata.FixedVersion,\n\t\t})\n\t}\n\n\treturn helpTable\n}\n\n// stripGitHubWorkspace strips /github/workspace/ from the given path.\nfunc stripGitHubWorkspace(path string) string {\n\treturn strings.TrimPrefix(path, \"/github/workspace/\")\n}\n\n// createSARIFFingerprint generates a stable fingerprint for a SARIF result\n// to help GitHub deduplicate findings across scans.\n//\n// The fingerprint is computed from three components to ensure uniqueness while maintaining stability:\n// 1. vulnID: The vulnerability identifier (e.g., \"CVE-2022-24713\") - ensures different vulnerabilities\n// produce different fingerprints even for the same package\n// 2. artifactPath: The path to the lockfile (e.g., \"/path/to/package.json\") - distinguishes the same\n// vulnerability in different parts of a monorepo or different projects\n// 3. pkg: The package information (name, version, or commit) - differentiates the same vulnerability\n// across different versions or instances of a package\n//\n// These three components are combined because they uniquely identify a specific vulnerability finding:\n// the same vulnerability (vulnID) in the same package (pkg) detected in the same location (artifactPath)\n// should always be considered the same finding and produce the same fingerprint across scans.\nfunc createSARIFFingerprint(vulnID string, artifactPath string, pkg models.PackageInfo) string {\n\t// Create a stable string representation\n\tpkgStr := results.PkgToString(pkg)\n\tfingerprintData := fmt.Sprintf(\"%s:%s:%s\", vulnID, artifactPath, pkgStr)\n\n\t// Hash the data to create a stable fingerprint\n\thash := sha256.Sum256([]byte(fingerprintData))\n\n\treturn hex.EncodeToString(hash[:])\n}\n\n// createSARIFHelpText returns the text for SARIF rule's help field\nfunc createSARIFHelpText(gv *groupedSARIFFinding) string {\n\tbacktickSARIFTemplate := strings.ReplaceAll(strings.TrimSpace(SARIFTemplate), `\"\"`, \"`\")\n\thelpTextTemplate, err := template.New(\"helpText\").Parse(backtickSARIFTemplate)\n\tif err != nil {\n\t\tlog.Panicf(\"failed to parse sarif help text template: %v\", err)\n\t}\n\n\tvulnDescriptions := []VulnDescription{}\n\tfixedPkgTableData := []FixedPkgTableData{}\n\n\thasFixedVersion := false\n\tfor _, v := range gv.AliasedVulns {\n\t\tif v == nil {\n\t\t\tcontinue\n\t\t}\n\t\tfor p, v2 := range vulns.GetFixedVersions(v) {\n\t\t\tslices.Sort(v2)\n\t\t\tfixedPkgTableData = append(fixedPkgTableData, FixedPkgTableData{\n\t\t\t\tPackageName: p.Name,\n\t\t\t\tFixedVersion: strings.Join(slices.Compact(v2), \", \"),\n\t\t\t\tVulnID: v.GetId(),\n\t\t\t})\n\t\t\thasFixedVersion = true\n\t\t}\n\n\t\tvulnDescriptions = append(vulnDescriptions, VulnDescription{\n\t\t\tID: v.GetId(),\n\t\t\tDetails: strings.ReplaceAll(v.GetDetails(), \"\\n\", \"\\n> \"),\n\t\t})\n\t}\n\tslices.SortFunc(vulnDescriptions, func(a, b VulnDescription) int { return identifiers.IDSortFunc(a.ID, b.ID) })\n\n\thelpText := strings.Builder{}\n\n\tpkgWithSrcKeys := gv.PkgSource.StableKeys()\n\n\taffectedPackagePaths := []string{}\n\tfor _, pws := range pkgWithSrcKeys {\n\t\taffectedPackagePaths = append(affectedPackagePaths, stripGitHubWorkspace(filepath.Dir(pws.Source.Path)))\n\t}\n\t// Compact to remove duplicates\n\t// (which should already be next to each other since it's sorted in the previous step)\n\taffectedPackagePaths = slices.Compact(affectedPackagePaths)\n\n\terr = helpTextTemplate.Execute(&helpText, HelpTemplateData{\n\t\tID: gv.DisplayID,\n\t\tAffectedPackagesTable: createSARIFAffectedPkgTable(pkgWithSrcKeys).RenderMarkdown(),\n\t\tAliasedVulns: vulnDescriptions,\n\t\tHasFixedVersion: hasFixedVersion,\n\t\tFixedVersionTable: createSARIFFixedPkgTable(fixedPkgTableData).RenderMarkdown(),\n\t\tAffectedPackagePaths: affectedPackagePaths,\n\t\tPathSeparator: string(filepath.Separator),\n\t})\n\n\tif err != nil {\n\t\tlog.Panicf(\"failed to execute sarif help text template\")\n\t}\n\n\treturn helpText.String()\n}\n\n// PrintSARIFReport prints SARIF output to outputWriter\nfunc PrintSARIFReport(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\treport := sarif.NewReport()\n\n\trun := sarif.NewRunWithInformationURI(\"osv-scanner\", \"https://github.com/google/osv-scanner\")\n\trun.Tool.Driver.WithVersion(version.OSVVersion)\n\n\tvulnIDMap := mapIDsToGroupedSARIFFinding(vulnResult)\n\t// Sort the IDs to have deterministic loop of vulnIDMap\n\tvulnIDs := make([]string, 0, len(vulnIDMap))\n\tfor vulnID := range vulnIDMap {\n\t\tvulnIDs = append(vulnIDs, vulnID)\n\t}\n\tslices.Sort(vulnIDs)\n\n\tfor _, vulnID := range vulnIDs {\n\t\tgv := vulnIDMap[vulnID]\n\t\tif gv == nil {\n\t\t\tcontinue\n\t\t}\n\n\t\thelpText := createSARIFHelpText(gv)\n\n\t\t// Pick the \"best\" description from the alias group based on the source.\n\t\t// Set short description to the first entry with a non-empty summary\n\t\t// Set long description to the same entry as short description\n\t\t// or use a random long description.\n\t\tvar shortDescription, longDescription string\n\t\tids := slices.Clone(gv.AliasedIDList)\n\t\tslices.SortFunc(ids, identifiers.IDSortFuncForDescription)\n\n\t\tfor _, id := range ids {\n\t\t\tv := gv.AliasedVulns[id]\n\t\t\tif v == nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tlongDescription = v.GetDetails()\n\t\t\tif v.GetSummary() != \"\" {\n\t\t\t\tshortDescription = fmt.Sprintf(\"%s: %s\", gv.DisplayID, v.GetSummary())\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\t// If no advisory for this vulnerability has a summary field,\n\t\t// just show the ID in the shortDescription\n\t\tif shortDescription == \"\" {\n\t\t\tshortDescription = gv.DisplayID\n\t\t}\n\n\t\trule := run.AddRule(gv.DisplayID)\n\t\tif rule == nil {\n\t\t\t// Skipping SARIF rule for empty ID\n\t\t\tcontinue\n\t\t}\n\t\trule.WithName(gv.DisplayID).\n\t\t\tWithShortDescription(sarif.NewMultiformatMessageString().WithText(shortDescription).WithMarkdown(shortDescription)).\n\t\t\tWithFullDescription(sarif.NewMultiformatMessageString().WithText(longDescription).WithMarkdown(longDescription)).\n\t\t\tWithMarkdownHelp(helpText)\n\n\t\t// Find the worst severity score\n\t\tvar worstScore float64 = -1\n\t\tfor _, v := range gv.AliasedVulns {\n\t\t\tif v == nil || v.GetSeverity() == nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tscore, _, _ := severity.CalculateOverallScore(v.GetSeverity())\n\t\t\tif score > worstScore {\n\t\t\t\tworstScore = score\n\t\t\t}\n\t\t}\n\n\t\tif worstScore >= 0 {\n\t\t\tvar bag = sarif.NewPropertyBag()\n\t\t\tbag.Add(\"security-severity\", strconv.FormatFloat(worstScore, 'f', -1, 64))\n\t\t\trule.WithProperties(bag)\n\t\t}\n\n\t\tif gv.AliasedIDList == nil {\n\t\t\tgv.AliasedIDList = []string{}\n\t\t}\n\t\trule.DeprecatedIds = gv.AliasedIDList\n\n\t\tfor _, pws := range gv.PkgSource.StableKeys() {\n\t\t\tartifactPath := stripGitHubWorkspace(pws.Source.Path)\n\t\t\tif filepath.IsAbs(artifactPath) {\n\t\t\t\t// this only errors if the file path is not absolute,\n\t\t\t\t// which we've already confirmed is not the case\n\t\t\t\tp, err := url.FromFilePath(artifactPath)\n\t\t\t\tif err == nil && p != nil {\n\t\t\t\t\tartifactPath = p.String()\n\t\t\t\t}\n\t\t\t}\n\n\t\t\trun.AddDistinctArtifact(artifactPath)\n\n\t\t\talsoKnownAsStr := \"\"\n\t\t\tif len(gv.AliasedIDList) > 1 {\n\t\t\t\talsoKnownAsStr = fmt.Sprintf(\" (also known as '%s')\", strings.Join(gv.AliasedIDList[1:], \"', '\"))\n\t\t\t}\n\n\t\t\t// Generate a stable fingerprint for deduplication\n\t\t\tfingerprint := createSARIFFingerprint(gv.DisplayID, artifactPath, pws.Package)\n\n\t\t\trun.CreateResultForRule(gv.DisplayID).\n\t\t\t\tWithLevel(\"warning\").\n\t\t\t\tWithMessage(\n\t\t\t\t\tsarif.NewTextMessage(\n\t\t\t\t\t\tfmt.Sprintf(\n\t\t\t\t\t\t\t\"Package '%s' is vulnerable to '%s'%s.\",\n\t\t\t\t\t\t\tresults.PkgToString(pws.Package),\n\t\t\t\t\t\t\tgv.DisplayID,\n\t\t\t\t\t\t\talsoKnownAsStr,\n\t\t\t\t\t\t))).\n\t\t\t\tAddLocation(\n\t\t\t\t\tsarif.NewLocationWithPhysicalLocation(\n\t\t\t\t\t\tsarif.NewPhysicalLocation().\n\t\t\t\t\t\t\tWithArtifactLocation(sarif.NewSimpleArtifactLocation(artifactPath)),\n\t\t\t\t\t)).\n\t\t\t\tWithPartialFingerprints(map[string]string{\n\t\t\t\t\t// Use \"primaryLocationLineHash\" as the key for the fingerprint.\n\t\t\t\t\t// This is the standard key that GitHub Advanced Security uses to deduplicate\n\t\t\t\t\t// code scanning alerts across multiple runs.\n\t\t\t\t\t//\n\t\t\t\t\t// Reference: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#preventing-duplicate-alerts-using-fingerprints\n\t\t\t\t\t//\n\t\t\t\t\t// GitHub's documentation states: \"GitHub uses the primaryLocationLineHash property\n\t\t\t\t\t// to detect results that are logically the same, so they can be shown only once,\n\t\t\t\t\t// in the correct branch and pull request.\"\n\t\t\t\t\t//\n\t\t\t\t\t// For dependency scanning (as opposed to source code analysis), we don't have\n\t\t\t\t\t// line numbers in the traditional sense, so our fingerprint is based on the\n\t\t\t\t\t// combination of vulnerability ID, package, and location rather than source code lines.\n\t\t\t\t\t\"primaryLocationLineHash\": fingerprint,\n\t\t\t\t})\n\t\t}\n\t}\n\n\treport.AddRun(run)\n\n\terr := report.PrettyWrite(outputWriter)\n\tif err != nil {\n\t\treturn err\n\t}\n\tfmt.Fprintln(outputWriter)\n\n\treturn nil\n}\n" }, { "path": "internal/output/sarif_fingerprint_test.go", "content": "package output\n\nimport (\n\t\"fmt\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// Common test parameter values used by both test functions\nvar (\n\ttestVulnIDs = []string{\"CVE-2021-1234\", \"CVE-2022-5678\"}\n\ttestArtifactPaths = []string{\"/path/to/package.json\", \"/different/path/go.mod\"}\n\ttestPackages = []models.PackageInfo{\n\t\t{Name: \"pkg1\", Version: \"1.0.0\"},\n\t\t{Name: \"pkg2\", Version: \"1.0.0\"},\n\t\t{Name: \"pkg1\", Version: \"2.0.0\"},\n\t\t{Name: \"pkg1\", Commit: \"abc123\"},\n\t}\n)\n\nfunc Test_createSARIFFingerprint(t *testing.T) {\n\tt.Parallel()\n\n\t// Generate all combinations from common test parameters\n\tfor i, vulnID := range testVulnIDs {\n\t\tfor j, artifactPath := range testArtifactPaths {\n\t\t\tfor k, pkg := range testPackages {\n\t\t\t\ttestName := fmt.Sprintf(\"vuln_%d_path_%d_pkg_%d\", i, j, k)\n\n\t\t\t\tt.Run(testName, func(t *testing.T) {\n\t\t\t\t\tt.Parallel()\n\n\t\t\t\t\tgot := createSARIFFingerprint(vulnID, artifactPath, pkg)\n\n\t\t\t\t\t// Verify it returns a 64-character hex string (SHA-256 produces 32 bytes = 64 hex chars)\n\t\t\t\t\tif len(got) != 64 {\n\t\t\t\t\t\tt.Errorf(\"createSARIFFingerprint() returned fingerprint of length %d, want 64\", len(got))\n\t\t\t\t\t}\n\n\t\t\t\t\t// Verify determinism by calling it again with the same inputs\n\t\t\t\t\tgot2 := createSARIFFingerprint(vulnID, artifactPath, pkg)\n\t\t\t\t\tif got != got2 {\n\t\t\t\t\t\tt.Errorf(\"createSARIFFingerprint() is not deterministic: first call = %v, second call = %v\", got, got2)\n\t\t\t\t\t}\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc Test_createSARIFFingerprint_DifferentInputs(t *testing.T) {\n\tt.Parallel()\n\n\t// Generate all combinations from common test parameters and their fingerprints\n\ttype testCase struct {\n\t\tvulnID string\n\t\tartifactPath string\n\t\tpkg models.PackageInfo\n\t\tfingerprint string\n\t}\n\n\ttestCases := make([]testCase, 0, len(testPackages)*len(testArtifactPaths)*len(testVulnIDs))\n\tfor _, vulnID := range testVulnIDs {\n\t\tfor _, artifactPath := range testArtifactPaths {\n\t\t\tfor _, pkg := range testPackages {\n\t\t\t\tfp := createSARIFFingerprint(vulnID, artifactPath, pkg)\n\t\t\t\ttestCases = append(testCases, testCase{\n\t\t\t\t\tvulnID: vulnID,\n\t\t\t\t\tartifactPath: artifactPath,\n\t\t\t\t\tpkg: pkg,\n\t\t\t\t\tfingerprint: fp,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\t// Verify that all fingerprints are unique\n\tfor i := range testCases {\n\t\tfor j := i + 1; j < len(testCases); j++ {\n\t\t\tif testCases[i].fingerprint == testCases[j].fingerprint {\n\t\t\t\tt.Errorf(\"Expected different fingerprints but got same:\\n\"+\n\t\t\t\t\t\" Input 1: vulnID=%q, path=%q, pkg=%+v\\n\"+\n\t\t\t\t\t\" Input 2: vulnID=%q, path=%q, pkg=%+v\\n\"+\n\t\t\t\t\t\" Fingerprint: %s\",\n\t\t\t\t\ttestCases[i].vulnID, testCases[i].artifactPath, testCases[i].pkg,\n\t\t\t\t\ttestCases[j].vulnID, testCases[j].artifactPath, testCases[j].pkg,\n\t\t\t\t\ttestCases[i].fingerprint)\n\t\t\t}\n\t\t}\n\t}\n}\n" }, { "path": "internal/output/sarif_internal_test.go", "content": "package output\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc Test_createSARIFHelpText(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs groupedSARIFFinding\n\t\twant testutility.Snapshot\n\t}{\n\t\t{\n\t\t\targs: testutility.LoadJSONFixture[groupedSARIFFinding](t, \"testdata/vuln-grouped.json\"),\n\t\t\twant: testutility.NewSnapshot().WithWindowsReplacements(map[string]string{\n\t\t\t\t\"\\\\path\\\\to\\\\sub-rust-project\\\\osv-scanner.toml\": \"/path/to/sub-rust-project/osv-scanner.toml\",\n\t\t\t}),\n\t\t},\n\t\t{\n\t\t\targs: testutility.LoadJSONFixture[groupedSARIFFinding](t, \"testdata/commit-grouped.json\"),\n\t\t\twant: testutility.NewSnapshot().WithWindowsReplacements(map[string]string{\n\t\t\t\t\"\\\\Documents\\\\Project\\\\engine\\\\osv-scanner.toml\": \"/Documents/Project/engine/osv-scanner.toml\",\n\t\t\t}),\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot := createSARIFHelpText(&tt.args)\n\t\t\ttt.want.MatchText(t, got)\n\t\t})\n\t}\n}\n" }, { "path": "internal/output/sarif_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc TestPrintSARIFReport(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targs models.VulnerabilityResults\n\t\twant testutility.Snapshot\n\t}{\n\t\t{\n\t\t\tname: \"\",\n\t\t\targs: testutility.LoadJSONFixtureWithWindowsReplacements[models.VulnerabilityResults](t,\n\t\t\t\t\"testdata/test-vuln-results-a.json\",\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"/path/to/sub-rust-project/Cargo.lock\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\",\n\t\t\t\t\t\"/path/to/go.mod\": \"D:\\\\\\\\path\\\\\\\\to\\\\\\\\go.mod\",\n\t\t\t\t},\n\t\t\t),\n\t\t\twant: testutility.NewSnapshot().WithWindowsReplacements(\n\t\t\t\tmap[string]string{\n\t\t\t\t\t\"lockfile:D:\\\\\\\\path\\\\\\\\to\\\\\\\\sub-rust-project\\\\\\\\Cargo.lock\": \"lockfile:/path/to/sub-rust-project/Cargo.lock\",\n\t\t\t\t\t\"lockfile:D:\\\\\\\\path\\\\\\\\to\\\\\\\\go.mod\": \"lockfile:/path/to/go.mod\",\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\sub-rust-project\\\\\\\\osv-scanner.toml\": \"/path/to/sub-rust-project/osv-scanner.toml\",\n\t\t\t\t\t\"D:\\\\\\\\path\\\\\\\\to\\\\\\\\osv-scanner.toml\": \"/path/to/osv-scanner.toml\",\n\t\t\t\t\t\"file:///D:/path/to\": \"file:///path/to\",\n\t\t\t\t},\n\t\t\t),\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tjsonStructure := buildJSONSarifReport(t, &tt.args)\n\n\t\t\ttt.want.MatchJSON(t, jsonStructure)\n\t\t})\n\t}\n}\n\nfunc TestPrintSARIFReport_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\tjsonStructure := buildJSONSarifReport(t, args.vulnResult)\n\n\t\ttestutility.NewSnapshot().WithWindowsReplacements(\n\t\t\tmap[string]string{\n\t\t\t\tstrings.ReplaceAll(cwd, \"\\\\\", \"\\\\\\\\\"): strings.ReplaceAll(cwd, \"\\\\\", \"/\"),\n\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\first\\\\\\\\osv-scanner.toml\": \"/path/to/my/first/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\second\\\\\\\\osv-scanner.toml\": \"/path/to/my/second/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\third\\\\\\\\osv-scanner.toml\": \"/path/to/my/third/osv-scanner.toml\",\n\t\t\t}).MatchJSON(t, jsonStructure)\n\t})\n}\n\nfunc TestPrintSARIFReport_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\tjsonStructure := buildJSONSarifReport(t, args.vulnResult)\n\n\t\ttestutility.NewSnapshot().WithWindowsReplacements(\n\t\t\tmap[string]string{\n\t\t\t\tstrings.ReplaceAll(cwd, \"\\\\\", \"\\\\\\\\\"): strings.ReplaceAll(cwd, \"\\\\\", \"/\"),\n\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\first\\\\\\\\osv-scanner.toml\": \"/path/to/my/first/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\second\\\\\\\\osv-scanner.toml\": \"/path/to/my/second/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\third\\\\\\\\osv-scanner.toml\": \"/path/to/my/third/osv-scanner.toml\",\n\t\t\t}).MatchJSON(t, jsonStructure)\n\t})\n}\n\nfunc TestPrintSARIFReport_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\tjsonStructure := buildJSONSarifReport(t, args.vulnResult)\n\n\t\ttestutility.NewSnapshot().WithWindowsReplacements(\n\t\t\tmap[string]string{\n\t\t\t\tstrings.ReplaceAll(cwd, \"\\\\\", \"\\\\\\\\\"): strings.ReplaceAll(cwd, \"\\\\\", \"/\"),\n\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\first\\\\\\\\osv-scanner.toml\": \"/path/to/my/first/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\second\\\\\\\\osv-scanner.toml\": \"/path/to/my/second/osv-scanner.toml\",\n\t\t\t\t\"\\\\\\\\path\\\\\\\\to\\\\\\\\my\\\\\\\\third\\\\\\\\osv-scanner.toml\": \"/path/to/my/third/osv-scanner.toml\",\n\t\t\t}).MatchJSON(t, jsonStructure)\n\t})\n}\n\nfunc buildJSONSarifReport(t *testing.T, res *models.VulnerabilityResults) map[string]any {\n\tt.Helper()\n\n\toutputWriter := &bytes.Buffer{}\n\terr := output.PrintSARIFReport(res, outputWriter)\n\n\tif err != nil {\n\t\tt.Errorf(\"Error writing SARIF output: %s\", err)\n\t}\n\n\treplacedJSON := testutility.ReplaceJSONInput(\n\t\tt,\n\t\toutputWriter.String(),\n\t\ttestutility.ReplacePartialFingerprintHash.Path,\n\t\ttestutility.ReplacePartialFingerprintHash.ReplaceFunc,\n\t)\n\n\tjsonStructure := map[string]any{}\n\terr = json.NewDecoder(bytes.NewBufferString(replacedJSON)).Decode(&jsonStructure)\n\tif err != nil {\n\t\tt.Errorf(\"Error decoding SARIF output: %s\", err)\n\t}\n\n\treturn jsonStructure\n}\n" }, { "path": "internal/output/sbom/cyclonedx_1_4.go", "content": "// Package sbom provides functionality to generate SBOMs from scan results.\npackage sbom\n\nimport (\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\n\t\"github.com/CycloneDX/cyclonedx-go\"\n)\n\nfunc ToCycloneDX14Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {\n\tbom := buildCycloneDXBom(uniquePackages)\n\tbom.JSONSchema = cycloneDx14Schema\n\tbom.SpecVersion = cyclonedx.SpecVersion1_4\n\n\treturn bom\n}\n" }, { "path": "internal/output/sbom/cyclonedx_1_5.go", "content": "package sbom\n\nimport (\n\t\"github.com/CycloneDX/cyclonedx-go\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc ToCycloneDX15Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {\n\tbom := buildCycloneDXBom(uniquePackages)\n\tbom.JSONSchema = cycloneDx15Schema\n\tbom.SpecVersion = cyclonedx.SpecVersion1_5\n\n\treturn bom\n}\n" }, { "path": "internal/output/sbom/cyclonedx_1_6.go", "content": "package sbom\n\nimport (\n\t\"github.com/CycloneDX/cyclonedx-go\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc ToCycloneDX16Bom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {\n\tbom := buildCycloneDXBom(uniquePackages)\n\tbom.JSONSchema = cycloneDx16Schema\n\tbom.SpecVersion = cyclonedx.SpecVersion1_6\n\n\treturn bom\n}\n" }, { "path": "internal/output/sbom/cyclonedx_common.go", "content": "package sbom\n\nimport (\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\t\"github.com/CycloneDX/cyclonedx-go\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/types/known/timestamppb\"\n)\n\nfunc buildCycloneDXBom(uniquePackages map[string]models.PackageVulns) *cyclonedx.BOM {\n\tbom := cyclonedx.NewBOM()\n\tcomponents := make([]cyclonedx.Component, 0, len(uniquePackages))\n\tvulnerabilities := make(map[string]cyclonedx.Vulnerability)\n\n\tfor packageURL, packageDetail := range uniquePackages {\n\t\tcomponent := cyclonedx.Component{}\n\n\t\tcomponent.Type = libraryComponentType\n\t\tcomponent.BOMRef = packageURL\n\t\tcomponent.PackageURL = packageURL\n\t\tcomponent.Name = packageDetail.Package.Name\n\t\tcomponent.Version = packageDetail.Package.Version\n\n\t\taddDeprecatedProperty(&component, packageDetail)\n\t\tfillLicenses(&component, packageDetail)\n\t\taddVulnerabilities(vulnerabilities, packageDetail)\n\n\t\tcomponents = append(components, component)\n\t}\n\n\tslices.SortFunc(components, func(a, b cyclonedx.Component) int {\n\t\treturn strings.Compare(a.PackageURL, b.PackageURL)\n\t})\n\n\tbomVulnerabilities := make([]cyclonedx.Vulnerability, 0, len(vulnerabilities))\n\n\tfor _, vulnerability := range vulnerabilities {\n\t\tbomVulnerabilities = append(bomVulnerabilities, vulnerability)\n\t}\n\n\tslices.SortFunc(bomVulnerabilities, func(a, b cyclonedx.Vulnerability) int {\n\t\treturn strings.Compare(a.ID, b.ID)\n\t})\n\n\tbom.Components = &components\n\tbom.Vulnerabilities = &bomVulnerabilities\n\n\treturn bom\n}\n\nfunc fillLicenses(component *cyclonedx.Component, packageDetail models.PackageVulns) {\n\tlicenses := make(cyclonedx.Licenses, len(packageDetail.Licenses))\n\n\tfor index, license := range packageDetail.Licenses {\n\t\tlicenses[index] = cyclonedx.LicenseChoice{\n\t\t\tLicense: &cyclonedx.License{\n\t\t\t\tID: string(license),\n\t\t\t},\n\t\t}\n\t}\n\tcomponent.Licenses = &licenses\n}\n\nfunc addVulnerabilities(vulnerabilities map[string]cyclonedx.Vulnerability, packageDetail models.PackageVulns) {\n\tfor i := range packageDetail.Vulnerabilities {\n\t\tvulnerability := packageDetail.Vulnerabilities[i]\n\t\tif _, exists := vulnerabilities[vulnerability.GetId()]; exists {\n\t\t\tcontinue\n\t\t}\n\n\t\t// It doesn't exist yet, lets add it\n\t\tvulnerabilities[vulnerability.GetId()] = cyclonedx.Vulnerability{\n\t\t\tID: vulnerability.GetId(),\n\t\t\tUpdated: formatDateIfExists(vulnerability.GetModified()),\n\t\t\tPublished: formatDateIfExists(vulnerability.GetPublished()),\n\t\t\tRejected: formatDateIfExists(vulnerability.GetWithdrawn()),\n\t\t\tReferences: buildReferences(vulnerability),\n\t\t\tDescription: vulnerability.GetSummary(),\n\t\t\tDetail: vulnerability.GetDetails(),\n\t\t\tAffects: buildAffectedPackages(vulnerability),\n\t\t\tRatings: buildRatings(vulnerability),\n\t\t\tAdvisories: buildAdvisories(vulnerability),\n\t\t\tCredits: buildCredits(vulnerability),\n\t\t}\n\t}\n}\n\nfunc addDeprecatedProperty(component *cyclonedx.Component, packageDetail models.PackageVulns) {\n\tif !packageDetail.Package.Deprecated {\n\t\treturn\n\t}\n\n\tcomponent.Properties = &[]cyclonedx.Property{\n\t\t{\n\t\t\tName: \"deprecated\",\n\t\t\tValue: \"true\",\n\t\t},\n\t}\n}\n\nfunc formatDateIfExists(ts *timestamppb.Timestamp) string {\n\tif ts == nil {\n\t\treturn \"\"\n\t}\n\tt := ts.AsTime()\n\tif t.IsZero() {\n\t\treturn \"\"\n\t}\n\n\treturn t.Format(time.RFC3339)\n}\n\nfunc buildCredits(vulnerability *osvschema.Vulnerability) *cyclonedx.Credits {\n\torganizations := make([]cyclonedx.OrganizationalEntity, len(vulnerability.GetCredits()))\n\n\tfor index, credit := range vulnerability.GetCredits() {\n\t\torganizations[index] = cyclonedx.OrganizationalEntity{\n\t\t\tName: credit.GetName(),\n\t\t\tURL: &vulnerability.GetCredits()[index].Contact,\n\t\t}\n\t}\n\n\treturn &cyclonedx.Credits{\n\t\tOrganizations: &organizations,\n\t}\n}\n\nfunc buildAffectedPackages(vulnerability *osvschema.Vulnerability) *[]cyclonedx.Affects {\n\tuniqueRefs := make(map[string]bool)\n\taffectedPackages := make([]cyclonedx.Affects, 0)\n\n\tfor _, affected := range vulnerability.GetAffected() {\n\t\tif _, exists := uniqueRefs[affected.GetPackage().GetPurl()]; exists {\n\t\t\tcontinue\n\t\t}\n\t\tuniqueRefs[affected.GetPackage().GetPurl()] = true\n\t\taffectedPackages = append(affectedPackages, cyclonedx.Affects{\n\t\t\tRef: affected.GetPackage().GetPurl(),\n\t\t})\n\t}\n\n\treturn &affectedPackages\n}\n\nfunc buildRatings(vulnerability *osvschema.Vulnerability) *[]cyclonedx.VulnerabilityRating {\n\tratings := make([]cyclonedx.VulnerabilityRating, len(vulnerability.GetSeverity()))\n\tfor index, severity := range vulnerability.GetSeverity() {\n\t\tratings[index] = cyclonedx.VulnerabilityRating{\n\t\t\tMethod: SeverityMapper[severity.GetType()],\n\t\t\tVector: severity.GetScore(),\n\t\t}\n\t}\n\n\treturn &ratings\n}\n\nfunc buildReferences(vulnerability *osvschema.Vulnerability) *[]cyclonedx.VulnerabilityReference {\n\treferences := make([]cyclonedx.VulnerabilityReference, len(vulnerability.GetAliases()))\n\n\tfor index, alias := range vulnerability.GetAliases() {\n\t\treferences[index] = cyclonedx.VulnerabilityReference{\n\t\t\tID: alias,\n\t\t\tSource: &cyclonedx.Source{},\n\t\t}\n\t}\n\n\treturn &references\n}\n\nfunc buildAdvisories(vulnerability *osvschema.Vulnerability) *[]cyclonedx.Advisory {\n\tadvisories := make([]cyclonedx.Advisory, 0)\n\tfor _, reference := range vulnerability.GetReferences() {\n\t\tif reference.GetType() != osvschema.Reference_ADVISORY {\n\t\t\tcontinue\n\t\t}\n\t\tadvisories = append(advisories, cyclonedx.Advisory{\n\t\t\tURL: reference.GetUrl(),\n\t\t})\n\t}\n\n\treturn &advisories\n}\n" }, { "path": "internal/output/sbom/models.go", "content": "package sbom\n\nimport (\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\n\t\"github.com/CycloneDX/cyclonedx-go\"\n)\n\nvar SpecVersionToBomCreator = map[models.CycloneDXVersion]CycloneDXBomCreator{\n\tmodels.CycloneDXVersion14: ToCycloneDX14Bom,\n\tmodels.CycloneDXVersion15: ToCycloneDX15Bom,\n\tmodels.CycloneDXVersion16: ToCycloneDX16Bom,\n}\n\ntype CycloneDXBomCreator func(packageSources map[string]models.PackageVulns) *cyclonedx.BOM\n\nconst (\n\tcycloneDx14Schema = \"http://cyclonedx.org/schema/bom-1.4.schema.json\"\n\tcycloneDx15Schema = \"http://cyclonedx.org/schema/bom-1.5.schema.json\"\n\tcycloneDx16Schema = \"http://cyclonedx.org/schema/bom-1.6.schema.json\"\n)\n\nconst libraryComponentType = \"library\"\n\nvar SeverityMapper = map[osvschema.Severity_Type]cyclonedx.ScoringMethod{\n\tosvschema.Severity_CVSS_V2: cyclonedx.ScoringMethodCVSSv2,\n\tosvschema.Severity_CVSS_V3: cyclonedx.ScoringMethodCVSSv3,\n\tosvschema.Severity_CVSS_V4: cyclonedx.ScoringMethodCVSSv4,\n}\n" }, { "path": "internal/output/spdx.go", "content": "package output\n\nimport (\n\t\"encoding/json\"\n\t\"io\"\n\n\tscalibr \"github.com/google/osv-scalibr\"\n\t\"github.com/google/osv-scalibr/converter/spdx\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// PrintSPDXResults writes results to the provided writer in SPDX format\nfunc PrintSPDXResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer) error {\n\tscanResult := &scalibr.ScanResult{}\n\n\tfor _, source := range vulnResult.Results {\n\t\tfor _, pkg := range source.Packages {\n\t\t\tscanResult.Inventory.Packages = append(scanResult.Inventory.Packages, pkg.Package.Inventory)\n\t\t}\n\t}\n\n\t// TODO(#1783): Allow user configuration\n\tdoc := spdx.ToSPDX23(scanResult.Inventory, spdx.Config{})\n\n\tencoder := json.NewEncoder(outputWriter)\n\tencoder.SetIndent(\"\", \" \")\n\n\treturn encoder.Encode(doc)\n}\n" }, { "path": "internal/output/spdx_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\nfunc normalizeSPDXOutput(t *testing.T, str string) string {\n\tt.Helper()\n\n\tstr = text.StripEscape(str)\n\tstr = cachedregexp.MustCompile(`[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`).ReplaceAllString(str, ``)\n\tstr = cachedregexp.MustCompile(`\"created\": \".+T.+Z\"`).ReplaceAllString(str, `\"created\": \"\"`)\n\n\treturn str\n}\n\nfunc TestPrintSPDXResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintSPDXResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%v\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, normalizeSPDXOutput(t, outputWriter.String()))\n\t})\n}\n\nfunc TestPrintSPDXResults_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintSPDXResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%v\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, normalizeSPDXOutput(t, outputWriter.String()))\n\t})\n}\n\nfunc TestPrintSPDXResults_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\terr := output.PrintSPDXResults(args.vulnResult, outputWriter)\n\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%v\", err)\n\t\t}\n\n\t\ttestutility.NewSnapshot().MatchText(t, normalizeSPDXOutput(t, outputWriter.String()))\n\t})\n}\n" }, { "path": "internal/output/table.go", "content": "package output\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\tdepgroups \"github.com/google/osv-scanner/v2/internal/utility/depgroup\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/results\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\n\t\"github.com/jedib0t/go-pretty/v6/table\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\n// OSVBaseVulnerabilityURL is the base URL for detailed vulnerability views.\n// Copied in from osv package to avoid referencing the osv package unnecessarily\nconst OSVBaseVulnerabilityURL = \"https://osv.dev/\"\n\n// PrintTableResults prints the osv scan results into a human friendly table.\nfunc PrintTableResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, terminalWidth int, showAllVulns bool) {\n\tif terminalWidth <= 0 {\n\t\ttext.DisableColors()\n\t}\n\n\toutputResult := BuildResults(vulnResult)\n\n\t// Add a newline to separate results from logs.\n\tfmt.Fprintln(outputWriter)\n\n\t// Render the vulnerabilities.\n\tif containsOSResult(outputResult) {\n\t\tprintSummaryResult(outputResult, outputWriter, terminalWidth, showAllVulns)\n\t} else {\n\t\t// Print summary at the top\n\t\tprintSummary(outputResult, outputWriter)\n\n\t\toutputTable := newTable(outputWriter, terminalWidth)\n\t\toutputTable = tableBuilder(outputTable, outputResult, showAllVulns)\n\t\tif outputTable.Length() != 0 {\n\t\t\toutputTable.Render()\n\t\t}\n\n\t\t// Render the licenses if any.\n\t\tlicenseConfig := vulnResult.ExperimentalAnalysisConfig.Licenses\n\t\tif licenseConfig.Summary {\n\t\t\tbuildLicenseSummaryTable(outputWriter, terminalWidth, vulnResult)\n\t\t}\n\t\tif len(licenseConfig.Allowlist) > 0 {\n\t\t\tbuildLicenseViolationsTable(outputWriter, terminalWidth, vulnResult)\n\t\t}\n\n\t\t// Render deprecated packages if any.\n\t\tif outputResult.PkgDeprecatedCount > 0 {\n\t\t\tprintPkgDeprecatedSummary(outputResult, outputWriter)\n\t\t\tbuildDeprecatedPackagesTable(outputWriter, terminalWidth, vulnResult)\n\t\t}\n\t}\n}\n\nfunc newTable(outputWriter io.Writer, terminalWidth int) table.Writer {\n\toutputTable := table.NewWriter()\n\toutputTable.SetOutputMirror(outputWriter)\n\n\t// use fancy characters if we're outputting to a terminal\n\tif terminalWidth > 0 {\n\t\toutputTable.SetStyle(table.StyleRounded)\n\t\toutputTable.SetAllowedRowLength(terminalWidth)\n\t}\n\n\toutputTable.Style().Options.DoNotColorBordersAndSeparators = true\n\toutputTable.Style().Color.Row = text.Colors{text.Reset, text.BgHiBlack}\n\toutputTable.Style().Color.RowAlternate = text.Colors{text.Reset, text.BgBlack}\n\n\treturn outputTable\n}\n\nfunc tableBuilder(outputTable table.Writer, result Result, showAllVulns bool) table.Writer {\n\toutputTable.AppendHeader(table.Row{\"OSV URL\", \"CVSS\", \"Ecosystem\", \"Package\", \"Version\", \"Fixed Version\", \"Source\"})\n\trows := tableBuilderInner(result, VulnTypeRegular)\n\tfor _, elem := range rows {\n\t\toutputTable.AppendRow(elem.row, table.RowConfig{AutoMerge: elem.shouldMerge})\n\t}\n\n\tuncalledRows := tableBuilderInner(result, VulnTypeUncalled)\n\tif showAllVulns && len(uncalledRows) != 0 {\n\t\toutputTable.AppendSeparator()\n\t\toutputTable.AppendRow(table.Row{\"Uncalled vulnerabilities\"})\n\t\toutputTable.AppendSeparator()\n\n\t\tfor _, elem := range uncalledRows {\n\t\t\toutputTable.AppendRow(elem.row, table.RowConfig{AutoMerge: elem.shouldMerge})\n\t\t}\n\t}\n\n\tunimportantRows := tableBuilderInner(result, VulnTypeUnimportant)\n\tif showAllVulns && len(unimportantRows) != 0 {\n\t\toutputTable.AppendSeparator()\n\t\toutputTable.AppendRow(table.Row{\"Unimportant vulnerabilities\"})\n\t\toutputTable.AppendSeparator()\n\n\t\tfor _, elem := range unimportantRows {\n\t\t\toutputTable.AppendRow(elem.row, table.RowConfig{AutoMerge: elem.shouldMerge})\n\t\t}\n\t}\n\n\treturn outputTable\n}\n\nfunc printSummaryResult(result Result, outputWriter io.Writer, terminalWidth int, showAllVulns bool) {\n\t// Add a newline to separate results from logs.\n\tfmt.Fprintln(outputWriter)\n\tif result.IsContainerScanning {\n\t\tfmt.Fprintf(outputWriter, \"%s:\\n\", GetContainerScanningHeader(result))\n\t} else {\n\t\tfmt.Fprint(outputWriter, \"Scanning Result (package view):\\n\")\n\t}\n\tprintSummary(result, outputWriter)\n\tif result.PkgDeprecatedCount > 0 {\n\t\tprintPkgDeprecatedSummary(result, outputWriter)\n\t}\n\t// Add a newline\n\tfmt.Fprintln(outputWriter)\n\n\tif result.LicenseSummary.Summary {\n\t\tprintLicenseSummary(result.LicenseSummary, outputWriter, terminalWidth)\n\t}\n\n\tfor _, eco := range result.Ecosystems {\n\t\tif ecosystemHasRegVuln(eco) {\n\t\t\tfmt.Fprintln(outputWriter, eco.Name)\n\t\t}\n\n\t\tfor _, source := range eco.Sources {\n\t\t\tif source.PackageTypeCount.Regular == 0 && source.PkgDeprecatedCount == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\toutputTable := newTable(outputWriter, terminalWidth)\n\t\t\toutputTable.SetTitle(\"Source:\" + source.Name)\n\t\t\tsourcePackageHeader := \"Package\"\n\t\t\tif isOSResult(source.Type) {\n\t\t\t\tsourcePackageHeader = \"Source Package\"\n\t\t\t}\n\n\t\t\ttableHeader := table.Row{sourcePackageHeader, \"Installed Version\", \"Fix Available\", \"Vuln Count\"}\n\n\t\t\tif isOSResult(source.Type) {\n\t\t\t\ttableHeader = append(tableHeader, \"Binary Packages (Count)\")\n\t\t\t}\n\n\t\t\tif result.IsContainerScanning {\n\t\t\t\ttableHeader = append(tableHeader, \"Introduced Layer\", \"In Base Image\")\n\t\t\t}\n\n\t\t\tif result.LicenseSummary.ShowViolations {\n\t\t\t\ttableHeader = append(tableHeader, \"License Violations\")\n\t\t\t}\n\n\t\t\tif source.PkgDeprecatedCount > 0 {\n\t\t\t\ttableHeader = append(tableHeader, \"Deprecated\")\n\t\t\t}\n\n\t\t\toutputTable.AppendHeader(tableHeader)\n\t\t\tfor _, pkg := range source.Packages {\n\t\t\t\tif pkg.VulnCount.AnalysisCount.Regular == 0 && len(pkg.LicenseViolations) == 0 && !pkg.Deprecated {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\toutputRow := table.Row{}\n\t\t\t\ttotalCount := pkg.VulnCount.AnalysisCount.Regular\n\t\t\t\tvar fixAvailable string\n\t\t\t\tif pkg.FixedVersion == UnfixedDescription {\n\t\t\t\t\tfixAvailable = UnfixedDescription\n\t\t\t\t} else {\n\t\t\t\t\tif pkg.VulnCount.FixableCount.UnFixed > 0 {\n\t\t\t\t\t\tfixAvailable = \"Partial fixes Available\"\n\t\t\t\t\t} else {\n\t\t\t\t\t\tfixAvailable = \"Fix Available\"\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\toutputRow = append(outputRow, pkg.Name, getInstalledVersionOrCommit(pkg), fixAvailable, totalCount)\n\n\t\t\t\tif isOSResult(source.Type) {\n\t\t\t\t\toutputRow = append(outputRow, formatBinaryPackages(pkg.OSPackageNames))\n\t\t\t\t}\n\n\t\t\t\tif result.IsContainerScanning {\n\t\t\t\t\tlayer := fmt.Sprintf(\"# %d Layer\", pkg.LayerDetail.LayerIndex)\n\n\t\t\t\t\tinBaseImage := \"--\"\n\t\t\t\t\tif pkg.LayerDetail.BaseImageInfo.Index != 0 {\n\t\t\t\t\t\tinBaseImage = getBaseImageName(pkg.LayerDetail.BaseImageInfo)\n\t\t\t\t\t}\n\n\t\t\t\t\toutputRow = append(outputRow, layer, inBaseImage)\n\t\t\t\t}\n\n\t\t\t\tif result.LicenseSummary.ShowViolations {\n\t\t\t\t\tif len(pkg.LicenseViolations) == 0 {\n\t\t\t\t\t\toutputRow = append(outputRow, \"--\")\n\t\t\t\t\t} else {\n\t\t\t\t\t\toutputRow = append(outputRow, pkg.LicenseViolations)\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif source.PkgDeprecatedCount > 0 {\n\t\t\t\t\tif pkg.Deprecated {\n\t\t\t\t\t\toutputRow = append(outputRow, \"True\")\n\t\t\t\t\t} else {\n\t\t\t\t\t\toutputRow = append(outputRow, \"--\")\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\toutputTable.AppendRow(outputRow)\n\t\t\t}\n\t\t\toutputTable.Render()\n\t\t}\n\t}\n\n\tif showAllVulns && result.VulnTypeSummary.Hidden != 0 {\n\t\t// Add a newline\n\t\tfmt.Fprintln(outputWriter)\n\t\tfmt.Fprintln(outputWriter, \"Filtered Vulnerabilities:\")\n\t\toutputTable := newTable(outputWriter, terminalWidth)\n\t\toutputTable.AppendHeader(table.Row{\"Package\", \"Ecosystem\", \"Installed Version\", \"Filtered Vuln Count\", \"Filter Reasons\"})\n\t\tfor _, eco := range result.Ecosystems {\n\t\t\tfor _, source := range eco.Sources {\n\t\t\t\tfor _, pkg := range source.Packages {\n\t\t\t\t\tif pkg.VulnCount.AnalysisCount.Hidden == 0 {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\toutputRow := table.Row{}\n\t\t\t\t\ttotalCount := pkg.VulnCount.AnalysisCount.Hidden\n\t\t\t\t\tfilteredReasons := getFilteredVulnReasons(pkg.HiddenVulns)\n\t\t\t\t\toutputRow = append(outputRow, pkg.Name, eco.Name, getInstalledVersionOrCommit(pkg), totalCount, filteredReasons)\n\t\t\t\t\toutputTable.AppendRow(outputRow)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\toutputTable.Render()\n\t}\n\n\t// Add a newline\n\tfmt.Fprintln(outputWriter)\n\n\tif !showAllVulns && result.VulnCount.AnalysisCount.Hidden != 0 {\n\t\tpromptUnimportant := formatHiddenVulnsPrompt(result.VulnCount.AnalysisCount.Hidden)\n\t\tfmt.Fprintln(outputWriter, promptUnimportant)\n\t}\n\n\tconst promptMessage = \"For the most comprehensive scan results, we recommend using the HTML output: \" +\n\t\t\"`osv-scanner scan image --serve `.\\n\" +\n\t\t\"You can also view the full vulnerability list in your terminal with: \" +\n\t\t\"`osv-scanner scan image --format vertical `.\"\n\tfmt.Fprintln(outputWriter, promptMessage)\n}\n\nfunc printLicenseSummary(licenseSummary LicenseSummary, outputWriter io.Writer, terminalWidth int) {\n\toutputTable := newTable(outputWriter, terminalWidth)\n\toutputTable.AppendHeader(table.Row{\"License\", \"No. of package versions\"})\n\tfor _, license := range licenseSummary.LicenseCount {\n\t\toutputTable.AppendRow(table.Row{license.Name, license.Count})\n\t}\n\n\toutputTable.Render()\n\n\tfmt.Fprintln(outputWriter)\n}\n\ntype tbInnerResponse struct {\n\trow table.Row\n\tshouldMerge bool\n}\n\nfunc tableBuilderInner(result Result, vulnAnalysisType VulnAnalysisType) []tbInnerResponse {\n\tallOutputRows := []tbInnerResponse{}\n\tworkingDir := mustGetWorkingDirectory()\n\n\tfor _, eco := range result.Ecosystems {\n\t\tfor _, source := range eco.Sources {\n\t\t\tfor _, pkg := range source.Packages {\n\t\t\t\teverything := make([]VulnResult, 0, len(pkg.RegularVulns)+len(pkg.HiddenVulns))\n\n\t\t\t\teverything = append(everything, pkg.RegularVulns...)\n\t\t\t\teverything = append(everything, pkg.HiddenVulns...)\n\n\t\t\t\tfor _, vuln := range everything {\n\t\t\t\t\toutputRow := table.Row{}\n\t\t\t\t\tshouldMerge := false\n\n\t\t\t\t\tvar links []string\n\n\t\t\t\t\tif vuln.VulnAnalysisType != vulnAnalysisType {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\n\t\t\t\t\tfor _, id := range vuln.GroupIDs {\n\t\t\t\t\t\tlinks = append(links, OSVBaseVulnerabilityURL+text.Bold.Sprintf(\"%s\", id))\n\t\t\t\t\t\t// For container scanning results, if there is a DSA, then skip printing its sub-CVEs.\n\t\t\t\t\t\tif strings.Split(id, \"-\")[0] == \"DSA\" {\n\t\t\t\t\t\t\tbreak\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\toutputRow = append(outputRow, strings.Join(links, \"\\n\"))\n\n\t\t\t\t\t// todo: this is just to make the snapshots pass without change\n\t\t\t\t\tif vuln.SeverityScore == \"N/A\" {\n\t\t\t\t\t\toutputRow = append(outputRow, \"\")\n\t\t\t\t\t} else {\n\t\t\t\t\t\toutputRow = append(outputRow, vuln.SeverityScore)\n\t\t\t\t\t}\n\n\t\t\t\t\tif eco.Name == \"\" && pkg.Commit != \"\" {\n\t\t\t\t\t\tpkgCommitStr := results.PkgToString(models.PackageInfo{\n\t\t\t\t\t\t\tName: pkg.Name,\n\t\t\t\t\t\t\tCommit: pkg.Commit,\n\t\t\t\t\t\t\tVersion: pkg.InstalledVersion,\n\t\t\t\t\t\t})\n\t\t\t\t\t\toutputRow = append(outputRow, \"GIT\", pkgCommitStr, pkgCommitStr)\n\t\t\t\t\t\tshouldMerge = true\n\t\t\t\t\t} else {\n\t\t\t\t\t\toutputRow = append(outputRow, eco.Name)\n\n\t\t\t\t\t\tname := pkg.Name\n\n\t\t\t\t\t\t// TODO(#1646): Migrate this earlier to the result struct directly\n\t\t\t\t\t\tif depgroups.IsDevGroup(osvecosystem.MustParse(eco.Name).Ecosystem, pkg.DepGroups) {\n\t\t\t\t\t\t\tname += \" (dev)\"\n\t\t\t\t\t\t}\n\t\t\t\t\t\toutputRow = append(outputRow, name)\n\t\t\t\t\t\toutputRow = append(outputRow, pkg.InstalledVersion)\n\t\t\t\t\t}\n\n\t\t\t\t\tif vuln.IsFixable {\n\t\t\t\t\t\toutputRow = append(outputRow, vuln.FixedVersion)\n\t\t\t\t\t} else {\n\t\t\t\t\t\toutputRow = append(outputRow, \"--\")\n\t\t\t\t\t}\n\n\t\t\t\t\t// todo: see if we want to start including any of this information\n\t\t\t\t\tp := strings.TrimPrefix(source.Name, \":\")\n\t\t\t\t\tp = strings.TrimPrefix(p, string(source.Type))\n\t\t\t\t\tp = strings.TrimPrefix(p, \":\")\n\t\t\t\t\tp = strings.TrimPrefix(p, filepath.ToSlash(workingDir))\n\t\t\t\t\tp = strings.TrimPrefix(p, \"/\")\n\n\t\t\t\t\toutputRow = append(outputRow, p)\n\n\t\t\t\t\tallOutputRows = append(allOutputRows, tbInnerResponse{\n\t\t\t\t\t\trow: outputRow,\n\t\t\t\t\t\tshouldMerge: shouldMerge,\n\t\t\t\t\t})\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn allOutputRows\n}\n\nfunc MaxSeverity(group models.GroupInfo, pkg models.PackageVulns) string {\n\tvar maxSeverity float64 = -1\n\tfor _, vulnID := range group.IDs {\n\t\tvar severities []*osvschema.Severity\n\t\tfor _, vuln := range pkg.Vulnerabilities {\n\t\t\tif vuln.GetId() == vulnID {\n\t\t\t\tseverities = vuln.GetSeverity()\n\t\t\t}\n\t\t}\n\t\tscore, _, _ := severity.CalculateOverallScore(severities)\n\t\tmaxSeverity = max(maxSeverity, score)\n\t}\n\n\tif maxSeverity < 0 {\n\t\treturn \"\"\n\t}\n\n\treturn fmt.Sprintf(\"%.1f\", maxSeverity)\n}\n\nfunc buildLicenseSummaryTable(outputWriter io.Writer, terminalWidth int, vulnResult *models.VulnerabilityResults) {\n\toutputTable := newTable(outputWriter, terminalWidth)\n\tlicenseSummaryTableBuilder(outputTable, vulnResult)\n\tif outputTable.Length() == 0 {\n\t\treturn\n\t}\n\toutputTable.Render()\n}\n\nfunc licenseSummaryTableBuilder(outputTable table.Writer, vulnResult *models.VulnerabilityResults) table.Writer {\n\toutputTable.AppendHeader(table.Row{\"License\", \"No. of package versions\"})\n\tfor _, license := range vulnResult.LicenseSummary {\n\t\toutputTable.AppendRow(table.Row{license.Name, license.Count})\n\t}\n\n\treturn outputTable\n}\n\nfunc buildLicenseViolationsTable(outputWriter io.Writer, terminalWidth int, vulnResult *models.VulnerabilityResults) {\n\toutputTable := newTable(outputWriter, terminalWidth)\n\n\toutputTable = licenseViolationsTableBuilder(outputTable, vulnResult)\n\tif outputTable.Length() == 0 {\n\t\treturn\n\t}\n\toutputTable.Render()\n}\n\nfunc licenseViolationsTableBuilder(outputTable table.Writer, vulnResult *models.VulnerabilityResults) table.Writer {\n\toutputTable.AppendHeader(table.Row{\"License Violation\", \"Ecosystem\", \"Package\", \"Version\", \"Source\"})\n\tworkingDir := mustGetWorkingDirectory()\n\tfor _, pkgSource := range vulnResult.Results {\n\t\tfor _, pkg := range pkgSource.Packages {\n\t\t\tif len(pkg.LicenseViolations) == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tviolations := make([]string, len(pkg.LicenseViolations))\n\t\t\tfor i, l := range pkg.LicenseViolations {\n\t\t\t\tviolations[i] = string(l)\n\t\t\t}\n\t\t\tpath := pkgSource.Source.Path\n\t\t\tif simplifiedPath, err := filepath.Rel(workingDir, pkgSource.Source.Path); err == nil {\n\t\t\t\tpath = simplifiedPath\n\t\t\t}\n\t\t\toutputTable.AppendRow(table.Row{\n\t\t\t\tstrings.Join(violations, \", \"),\n\t\t\t\tpkg.Package.Ecosystem,\n\t\t\t\tpkg.Package.Name,\n\t\t\t\tpkg.Package.Version,\n\t\t\t\tpath,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn outputTable\n}\n\nfunc buildDeprecatedPackagesTable(outputWriter io.Writer, terminalWidth int, vulnResult *models.VulnerabilityResults) {\n\toutputTable := newTable(outputWriter, terminalWidth)\n\toutputTable = deprecatedPackagesTableBuilder(outputTable, vulnResult)\n\n\tif outputTable.Length() == 0 {\n\t\treturn\n\t}\n\toutputTable.Render()\n}\n\nfunc deprecatedPackagesTableBuilder(outputTable table.Writer, vulnResult *models.VulnerabilityResults) table.Writer {\n\toutputTable.SetTitle(\"Deprecated packages\")\n\toutputTable.AppendHeader(table.Row{\"Ecosystem\", \"Package\", \"Version\", \"Source\"})\n\tworkingDir := mustGetWorkingDirectory()\n\tfor _, pkgSource := range vulnResult.Results {\n\t\tfor _, pkg := range pkgSource.Packages {\n\t\t\tif !pkg.Package.Deprecated {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tpath := pkgSource.Source.Path\n\t\t\tif simplifiedPath, err := filepath.Rel(workingDir, pkgSource.Source.Path); err == nil {\n\t\t\t\tpath = simplifiedPath\n\t\t\t}\n\t\t\toutputTable.AppendRow(table.Row{\n\t\t\t\tpkg.Package.Ecosystem,\n\t\t\t\tpkg.Package.Name,\n\t\t\t\tpkg.Package.Version,\n\t\t\t\tpath,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn outputTable\n}\n\nfunc formatBinaryPackages(slice []string) string {\n\tmaxChars := 20\n\tresult := strings.Join(slice, \", \")\n\n\tif len(result) <= maxChars {\n\t\treturn result\n\t}\n\n\ttruncatedResult := result[:maxChars]\n\t// Find the last comma before truncation to avoid cutting words\n\tlastComma := strings.LastIndex(truncatedResult, \",\")\n\tif lastComma != -1 {\n\t\ttruncatedResult = truncatedResult[:lastComma]\n\t}\n\n\treturn fmt.Sprintf(\"%s... (%d)\", truncatedResult, len(slice))\n}\n" }, { "path": "internal/output/table_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\nfunc TestPrintTableResults_StandardTerminalWidth_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 80, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_StandardTerminalWidth_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 80, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_StandardTerminalWidth_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 80, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_LongTerminalWidth_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 800, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_LongTerminalWidth_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 800, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_LongTerminalWidth_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, 800, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintTableResults_NoTerminalWidth_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, -1, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintTableResults_NoTerminalWidth_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, -1, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n\nfunc TestPrintTableResults_NoTerminalWidth_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintTableResults(args.vulnResult, outputWriter, -1, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, outputWriter.String())\n\t})\n}\n" }, { "path": "internal/output/testdata/commit-grouped.json", "content": "{\n \"DisplayID\": \"OSV-2023-72\",\n \"PkgSource\": [\n {\n \"Package\": {\n \"name\": \"https://fuchsia.googlesource.com/third_party/android.googlesource.com/platform/external/perfetto\",\n \"version\": \"\",\n \"ecosystem\": \"\",\n \"commit\": \"b8da07095979310818f0efde2ef3c69ea70d62c5\"\n },\n \"Source\": {\n \"path\": \"/Documents/Project/engine/deps_flatten.txt\",\n \"type\": \"lockfile\"\n }\n }\n ],\n \"AliasedVulns\": {\n \"OSV-2023-72\": {\n \"modified\": \"2023-04-20T22:43:30Z\",\n \"published\": \"2023-02-18T13:00:15Z\",\n \"schema_version\": \"1.6.0\",\n \"id\": \"OSV-2023-72\",\n \"summary\": \"Heap-buffer-overflow in perfetto::trace_processor::TrackEventParser::ParseTrackDescriptor\",\n \"details\": \"OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057\\n\\n```\\nCrash type: Heap-buffer-overflow WRITE 4\\nCrash state:\\nperfetto::trace_processor::TrackEventParser::ParseTrackDescriptor\\nperfetto::trace_processor::TrackEventModule::ParseTracePacketData\\nperfetto::trace_processor::ProtoTraceParser::ParseTracePacket\\n```\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"OSS-Fuzz\",\n \"name\": \"perfetto\",\n \"purl\": \"pkg:generic/perfetto\"\n },\n \"ranges\": [\n {\n \"type\": \"GIT\",\n \"events\": [\n {\n \"introduced\": \"8209fb9b9a4156232aa87ad4621e541bfb777ec1\"\n },\n {\n \"fixed\": \"9a7f09383dd39f19e662d428321ca708a2a600a3\"\n }\n ],\n \"repo\": \"https://android.googlesource.com/platform/external/perfetto/\"\n }\n ],\n \"versions\": [\n \"android-13.0.0_r1\",\n \"android-13.0.0_r12\",\n \"android-13.0.0_r2\",\n \"android-13.0.0_r3\",\n \"android-13.0.0_r31\",\n \"android-13.0.0_r4\",\n \"android-13.0.0_r5\",\n \"android-13.0.0_r6\",\n \"android-13.0.0_r7\",\n \"android-13.0.0_r8\",\n \"android-cts-13.0_r1\",\n \"android-cts-13.0_r2\",\n \"android-cts-13.0_r3\",\n \"android-mainline-12.0.0_r100\",\n \"android-mainline-12.0.0_r122\",\n \"android-mainline-12.0.0_r49\",\n \"android-mainline-12.0.0_r59\",\n \"android-mainline-12.0.0_r63\",\n \"android-mainline-12.0.0_r70\",\n \"android-mainline-12.0.0_r77\",\n \"android-mainline-12.0.0_r99\",\n \"android-platform-13.0.0_r1\",\n \"android-platform-13.0.0_r2\",\n \"android-security-13.0.0_r1\",\n \"android-security-13.0.0_r2\",\n \"android-vts-13.0_r1\",\n \"android-vts-13.0_r2\",\n \"android-vts-13.0_r3\",\n \"platform-tools-29.0.1\",\n \"platform-tools-29.0.2\",\n \"platform-tools-29.0.3\",\n \"platform-tools-29.0.4\",\n \"platform-tools-29.0.5\",\n \"platform-tools-29.0.6\",\n \"platform-tools-30.0.0\",\n \"platform-tools-30.0.1\",\n \"platform-tools-30.0.2\",\n \"platform-tools-30.0.3\",\n \"platform-tools-30.0.4\",\n \"platform-tools-30.0.5\",\n \"platform-tools-31.0.0\",\n \"platform-tools-31.0.1\",\n \"platform-tools-31.0.2\",\n \"platform-tools-31.0.3\",\n \"platform-tools-32.0.0\",\n \"platform-tools-33.0.0\",\n \"platform-tools-33.0.1\",\n \"platform-tools-33.0.2\",\n \"platform-tools-33.0.3\",\n \"platform-tools-33.0.4\",\n \"platform-tools-34.0.0\",\n \"v27.0\",\n \"v27.1\",\n \"v28.0\",\n \"v29.0\",\n \"v30.0\",\n \"v31.0\",\n \"v32.0\",\n \"v32.1\",\n \"v32.2\",\n \"android-security-13.0.0_r3\",\n \"android-security-13.0.0_r4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/google/oss-fuzz-vulns/blob/main/vulns/perfetto/OSV-2023-72.yaml\"\n },\n \"ecosystem_specific\": {\n \"severity\": \"HIGH\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56057\"\n }\n ]\n }\n },\n \"AliasedIDList\": [\n \"OSV-2023-72\"\n ]\n}" }, { "path": "internal/output/testdata/flattened_vulns.json", "content": "[\n {\n \"Source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"Package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"Vulnerability\": {\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n \"GroupInfo\": {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n },\n {\n \"Source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/go.mod\",\n \"type\": \"lockfile\"\n },\n \"Package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"Vulnerability\": {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n },\n \"GroupInfo\": {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n },\n {\n \"Source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"Package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"Vulnerability\": {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n \"GroupInfo\": {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n },\n {\n \"Source\": {\n \"path\": \"/path/to/scorecard-check-osv-e2e/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"Package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"Vulnerability\": {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n },\n \"GroupInfo\": {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n }\n]" }, { "path": "internal/output/testdata/test-vuln-results-a.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/go.mod\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-12T18:45:41Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2021-0053\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"Panic due to improper input validation in github.com/gogo/protobuf\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GO-2021-0053\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"/path/to/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-m5pq-gvj9-9vr8\",\n \"RUSTSEC-2022-0013\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/output/testdata/vuln-grouped.json", "content": "{\n \"DisplayID\": \"CVE-2022-24713\",\n \"PkgSource\": [\n {\n \"Package\": {\n \"name\": \"regex\",\n \"version\": \"1.5.1\",\n \"ecosystem\": \"crates.io\",\n \"commit\": \"\"\n },\n \"Source\": {\n \"path\": \"/path/to/sub-rust-project/Cargo.lock\",\n \"type\": \"lockfile\"\n }\n }\n ],\n \"AliasedVulns\": {\n \"GHSA-m5pq-gvj9-9vr8\": {\n \"modified\": \"2022-08-11T20:38:52Z\",\n \"published\": \"2022-03-08T20:00:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-m5pq-gvj9-9vr8\",\n \"aliases\": [\n \"CVE-2022-24713\"\n ],\n \"summary\": \"Rust's regex crate vulnerable to regular expression denial of service\",\n \"details\": \"\\u003e This is a cross-post of [the official security advisory][advisory]. The official advisory contains a signed version with our PGP key, as well.\\n\\n[advisory]: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\\n\\nThe Rust Security Response WG was notified that the `regex` crate did not properly limit the complexity of the regular expressions (regex) it parses. An attacker could use this security issue to perform a denial of service, by sending a specially crafted regex to a service accepting untrusted regexes. No known vulnerability is present when parsing untrusted input with trusted regexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability is \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses of the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service attacks caused by untrusted regexes, or untrusted input matched by trusted regexes. Those (tunable) mitigations already provide sane defaults to prevent attacks. This guarantee is documented and it's considered part of the crate's API.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent untrusted regexes to take an arbitrary amount of time during parsing, and it's possible to craft regexes that bypass such mitigations. This makes it possible to perform denial of service attacks by sending specially crafted regexes to services accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this issue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately to the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are practically infinite regexes that could be crafted to exploit this vulnerability. Because of this, we do not recommend denying known problematic regexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according to the [Rust security policy](https://www.rust-lang.org/policies/security), and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini for coordinating the disclosure and writing this advisory.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-m5pq-gvj9-9vr8/GHSA-m5pq-gvj9-9vr8.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24713\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rust-lang/regex/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/04/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JANLZ3JXWJR7FSHE57K66UIZUIJZI67T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/O3YB7CURSG64CIPCDPNMGPE4UU24AB6H/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDOWTHNVGBOP2HN27PUFIGRYNSNDTYRJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-08T20:00:36Z\",\n \"nvd_published_at\": \"2022-03-08T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n \"RUSTSEC-2022-0013\": {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2022-03-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0013\",\n \"aliases\": [\n \"CVE-2022-24713\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ],\n \"summary\": \"Regexes with large repetitions on empty sub-expressions take a very long time to parse\",\n \"details\": \"The Rust Security Response WG was notified that the `regex` crate did not\\nproperly limit the complexity of the regular expressions (regex) it parses. An\\nattacker could use this security issue to perform a denial of service, by\\nsending a specially crafted regex to a service accepting untrusted regexes. No\\nknown vulnerability is present when parsing untrusted input with trusted\\nregexes.\\n\\nThis issue has been assigned CVE-2022-24713. The severity of this vulnerability\\nis \\\"high\\\" when the `regex` crate is used to parse untrusted regexes. Other uses\\nof the `regex` crate are not affected by this vulnerability.\\n\\n## Overview\\n\\nThe `regex` crate features built-in mitigations to prevent denial of service\\nattacks caused by untrusted regexes, or untrusted input matched by trusted\\nregexes. Those (tunable) mitigations already provide sane defaults to prevent\\nattacks. This guarantee is documented and it's considered part of the crate's\\nAPI.\\n\\nUnfortunately a bug was discovered in the mitigations designed to prevent\\nuntrusted regexes to take an arbitrary amount of time during parsing, and it's\\npossible to craft regexes that bypass such mitigations. This makes it possible\\nto perform denial of service attacks by sending specially crafted regexes to\\nservices accepting user-controlled, untrusted regexes.\\n\\n## Affected versions\\n\\nAll versions of the `regex` crate before or equal to 1.5.4 are affected by this\\nissue. The fix is include starting from `regex` 1.5.5.\\n\\n## Mitigations\\n\\nWe recommend everyone accepting user-controlled regexes to upgrade immediately\\nto the latest version of the `regex` crate.\\n\\nUnfortunately there is no fixed set of problematic regexes, as there are\\npractically infinite regexes that could be crafted to exploit this\\nvulnerability. Because of this, we do not recommend denying known problematic\\nregexes.\\n\\n## Acknowledgements\\n\\nWe want to thank Addison Crump for responsibly disclosing this to us according\\nto the [Rust security policy][1], and for helping review the fix.\\n\\nWe also want to thank Andrew Gallant for developing the fix, and Pietro Albini\\nfor coordinating the disclosure and writing this advisory.\\n\\n[1]: https://www.rust-lang.org/policies/security\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"regex\",\n \"purl\": \"pkg:cargo/regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"1.5.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"denial-of-service\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0013.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/regex\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw\"\n }\n ]\n }\n },\n \"AliasedIDList\": [\n \"CVE-2022-24713\",\n \"RUSTSEC-2022-0013\",\n \"GHSA-m5pq-gvj9-9vr8\"\n ]\n}\n" }, { "path": "internal/output/testmain_test.go", "content": "package output_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/output/vertical.go", "content": "package output\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\t\"strconv\"\n\t\"strings\"\n\t\"unicode\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\nfunc PrintVerticalResults(vulnResult *models.VulnerabilityResults, outputWriter io.Writer, showAllVulns bool) {\n\t// Add a newline to separate results from logs.\n\tfmt.Fprintln(outputWriter)\n\toutputResult := BuildResults(vulnResult)\n\tif outputResult.IsContainerScanning {\n\t\tfmt.Fprintf(outputWriter, \"%s:\\n\", GetContainerScanningHeader(outputResult))\n\t}\n\tprintSummary(outputResult, outputWriter)\n\tif outputResult.PkgDeprecatedCount > 0 {\n\t\tprintPkgDeprecatedSummary(outputResult, outputWriter)\n\t}\n\tif outputResult.IsContainerScanning {\n\t\tprintBaseImages(outputResult.ImageInfo, outputWriter)\n\t}\n\n\tif outputResult.LicenseSummary.Summary {\n\t\tprintVerticalLicenseSummary(outputResult.LicenseSummary, outputWriter)\n\t}\n\n\tfor i, ecosystem := range outputResult.Ecosystems {\n\t\tfmt.Fprintf(outputWriter, \"%s\", text.FgGreen.Sprintf(\"%s\\n\\n\", ecosystem.Name))\n\t\tfor j, source := range ecosystem.Sources {\n\t\t\tprintVerticalHeader(source, outputWriter)\n\t\t\tprintVerticalVulnerabilities(source, outputResult.IsContainerScanning, outputWriter, showAllVulns)\n\t\t\tif outputResult.LicenseSummary.ShowViolations {\n\t\t\t\tprintVerticalLicenseViolations(source, outputWriter)\n\t\t\t}\n\t\t\tif source.PkgDeprecatedCount > 0 {\n\t\t\t\tprintVerticalPkgDeprecatedSummary(source, outputWriter)\n\t\t\t}\n\t\t\tif j < len(ecosystem.Sources)-1 {\n\t\t\t\tfmt.Fprintln(outputWriter)\n\t\t\t}\n\t\t}\n\n\t\tif i < len(outputResult.Ecosystems)-1 {\n\t\t\tfmt.Fprintln(outputWriter)\n\t\t}\n\t}\n\n\tfmt.Fprintln(outputWriter)\n}\n\nfunc printVerticalLicenseSummary(licenseSummary LicenseSummary, out io.Writer) {\n\tfmt.Fprintf(out, \"License summary:\\n\")\n\tfor _, license := range licenseSummary.LicenseCount {\n\t\tfmt.Fprintf(out, \" %s: %d\\n\", text.FgCyan.Sprintf(\"%s\", license.Name), license.Count)\n\t}\n\n\tfmt.Fprintln(out)\n}\n\nfunc printVerticalLicenseViolations(source SourceResult, out io.Writer) {\n\tcount := source.LicenseViolationsCount\n\n\tif count == 0 {\n\t\tfmt.Fprintf(\n\t\t\tout,\n\t\t\t\" %s\\n\",\n\t\t\ttext.FgGreen.Sprintf(\"no license violations found\"),\n\t\t)\n\n\t\treturn\n\t}\n\n\tfmt.Fprintf(out, \"\\n %s\\n\", text.FgRed.Sprintf(\"license violations found:\"))\n\n\tfor _, pkg := range source.Packages {\n\t\tif len(pkg.LicenseViolations) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\tviolations := make([]string, len(pkg.LicenseViolations))\n\t\tfor i, l := range pkg.LicenseViolations {\n\t\t\tviolations[i] = string(l)\n\t\t}\n\n\t\tfmt.Fprintf(out,\n\t\t\t\" %s (%s)\\n\",\n\t\t\ttext.FgYellow.Sprintf(\"%s@%s\", pkg.Name, pkg.InstalledVersion),\n\t\t\ttext.FgCyan.Sprintf(\"%s\", strings.Join(violations, \", \")),\n\t\t)\n\t}\n\n\tfmt.Fprintf(out, \"\\n %s\\n\",\n\t\ttext.FgRed.Sprintf(\n\t\t\t\"%d license %s found in %s\",\n\t\t\tcount,\n\t\t\tForm(count, \"violation\", \"violations\"),\n\t\t\tsource.Name,\n\t\t),\n\t)\n}\n\nfunc printVerticalPkgDeprecatedSummary(source SourceResult, out io.Writer) {\n\tfmt.Fprintf(out, \"\\n %d %s\\n\", source.PkgDeprecatedCount, text.FgRed.Sprintf(\"deprecated packages found:\"))\n\n\tfor _, pkg := range source.Packages {\n\t\tif !pkg.Deprecated {\n\t\t\tcontinue\n\t\t}\n\n\t\tfmt.Fprintf(out,\n\t\t\t\" %s\\n\",\n\t\t\ttext.FgYellow.Sprintf(\"%s@%s\", pkg.Name, pkg.InstalledVersion),\n\t\t)\n\t}\n}\n\nfunc printBaseImages(imageResult ImageInfo, out io.Writer) {\n\tfmt.Fprintf(out, \"Container image information:\\n\")\n\tfmt.Fprintf(out, \" OS version: %s\\n\", text.FgGreen.Sprintf(\"%s\", imageResult.OS))\n\t// Calculate the number of digits in the largest layer index\n\tmaxDigits := len(strconv.Itoa(len(imageResult.AllLayers) - 1))\n\tfor _, baseImage := range imageResult.AllBaseImages {\n\t\tbaseImageString := text.FgYellow.Sprintf(\"Base Image %d (%s)\", baseImage.Index, getBaseImageName(baseImage))\n\t\tif baseImage.Index == 0 {\n\t\t\tbaseImageString = text.FgYellow.Sprintf(\"Your Image\")\n\t\t}\n\t\tfmt.Fprintf(out, \" %s:\\n\", baseImageString)\n\t\tfor _, layer := range baseImage.AllLayers {\n\t\t\tlayerCommand := formatLayerCommand(layer.LayerMetadata.Command)[0]\n\t\t\tlayerCommand = truncate(layerCommand, 100)\n\t\t\tfmt.Fprintf(out, \" %s\", text.FgCyan.Sprintf(\"Layer %d\", layer.Index))\n\n\t\t\t// Add spaces for alignment\n\t\t\tpadding := strings.Repeat(\" \", maxDigits-len(strconv.Itoa(layer.Index)))\n\t\t\tfmt.Fprintf(out, \"%s\", padding)\n\n\t\t\tfmt.Fprintf(out, \"%s\", text.Italic.Sprintf(\" %s\", layerCommand))\n\t\t\tif layer.Count.AnalysisCount.Regular > 0 {\n\t\t\t\tfmt.Fprintf(out, \" %s\\n\", text.FgRed.Sprintf(\"(%d vulns)\", layer.Count.AnalysisCount.Regular))\n\t\t\t} else {\n\t\t\t\tfmt.Fprintln(out)\n\t\t\t}\n\t\t}\n\t}\n\tfmt.Fprintln(out)\n}\n\nfunc printVerticalHeader(result SourceResult, out io.Writer) {\n\tfmt.Fprintf(\n\t\tout,\n\t\t\"%s: found %s %s with issues\\n\",\n\t\ttext.FgMagenta.Sprintf(\"%s\", result.Name),\n\t\ttext.FgYellow.Sprintf(\"%d\", result.PackageTypeCount.Regular),\n\t\tForm(result.PackageTypeCount.Regular, \"package\", \"packages\"),\n\t)\n}\n\nfunc printVerticalPackageContainerInfo(pkg PackageResult, out io.Writer) {\n\tbaseImageName := getBaseImageName(pkg.LayerDetail.BaseImageInfo)\n\tfmt.Fprintf(out, \" introduced in %s\", text.FgCyan.Sprintf(\"# %d Layer\", pkg.LayerDetail.LayerIndex))\n\tif baseImageName != \"\" {\n\t\tfmt.Fprintf(out, \"%s\", text.FgCyan.Sprintf(\" (%s)\", baseImageName))\n\t}\n\tfmt.Fprintln(out)\n}\n\nfunc printVerticalVulnerabilitiesCountSummary(count int, printingCalled bool, sourcePath string, out io.Writer) {\n\tstate := \"known\"\n\tif !printingCalled {\n\t\tstate = \"uncalled/unimportant\"\n\t}\n\n\tfmt.Fprintf(out, \"\\n %s\",\n\t\ttext.FgRed.Sprintf(\n\t\t\t\"%d %s %s found in %s\",\n\t\t\tcount,\n\t\t\tstate,\n\t\t\tForm(count, \"vulnerability\", \"vulnerabilities\"),\n\t\t\tsourcePath,\n\t\t),\n\t)\n\n\tif !printingCalled {\n\t\tfmt.Fprintf(out, \"%s\",\n\t\t\ttext.FgRed.Sprint(\" (filtered out)\"))\n\t}\n\n\tfmt.Fprintln(out)\n}\n\nfunc printVerticalVulnerabilitiesForPackages(packages []PackageResult, out io.Writer, printingCalled bool, isContainerScanning bool, isOSResult bool) {\n\tfor _, pkg := range packages {\n\t\tvulns := pkg.RegularVulns\n\t\tif !printingCalled {\n\t\t\tvulns = pkg.HiddenVulns\n\t\t}\n\n\t\tif len(vulns) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\tstate := \"known\"\n\n\t\tif !printingCalled {\n\t\t\tstate = strings.ToLower(getFilteredVulnReasons(vulns))\n\t\t}\n\n\t\tpkgSourceName := pkg.Name\n\n\t\tpkgName := strings.Join(pkg.OSPackageNames, \", \")\n\n\t\tpkgNameInfo := \"\"\n\t\tif isOSResult && pkgName != \"\" && pkgName != pkgSourceName {\n\t\t\tpkgNameInfo = fmt.Sprintf(\" (binary %s: %s)\", Form(len(pkg.OSPackageNames), \"package\", \"packages\"), pkgName)\n\t\t}\n\n\t\tfmt.Fprintf(out,\n\t\t\t\" %s%s %s\\n\",\n\t\t\ttext.FgYellow.Sprintf(\"%s@%s\", pkgSourceName, pkg.InstalledVersion),\n\t\t\ttext.FgYellow.Sprintf(\"%s\", pkgNameInfo),\n\t\t\ttext.FgRed.Sprintf(\"has the following %s vulnerabilities:\", state),\n\t\t)\n\n\t\tif isContainerScanning {\n\t\t\tprintVerticalPackageContainerInfo(pkg, out)\n\t\t}\n\n\t\tfor _, vulnerability := range vulns {\n\t\t\tfmt.Fprintf(out,\n\t\t\t\t\" %s %s\\n\",\n\t\t\t\ttext.FgCyan.Sprintf(\"%s:\", vulnerability.ID),\n\t\t\t\tdescribe(vulnerability),\n\t\t\t)\n\n\t\t\tfmt.Fprintf(out,\n\t\t\t\t\" Severity: '%s'; Minimal Fix Version: '%s';\\n\",\n\t\t\t\tvulnerability.SeverityScore,\n\t\t\t\tvulnerability.FixedVersion,\n\t\t\t)\n\t\t}\n\t}\n}\n\nfunc printVerticalVulnerabilities(sourceResult SourceResult, isContainerScanning bool, out io.Writer, showAllVulns bool) {\n\tcountCalled := sourceResult.VulnCount.AnalysisCount.Regular\n\tcountUncalled := sourceResult.VulnCount.AnalysisCount.Hidden\n\n\tif countCalled == 0 && countUncalled == 0 {\n\t\tfmt.Fprintf(\n\t\t\tout,\n\t\t\t\" %s\\n\",\n\t\t\ttext.FgGreen.Sprintf(\"no known vulnerabilities found\"),\n\t\t)\n\n\t\treturn\n\t}\n\n\tif countCalled > 0 {\n\t\tfmt.Fprintln(out)\n\n\t\tprintVerticalVulnerabilitiesForPackages(sourceResult.Packages, out, true, isContainerScanning, isOSResult(sourceResult.Type))\n\t\tprintVerticalVulnerabilitiesCountSummary(countCalled, true, sourceResult.Name, out)\n\t}\n\n\tif showAllVulns && countUncalled > 0 {\n\t\tfmt.Fprintln(out)\n\n\t\tprintVerticalVulnerabilitiesForPackages(sourceResult.Packages, out, false, isContainerScanning, isOSResult(sourceResult.Type))\n\t\tprintVerticalVulnerabilitiesCountSummary(countUncalled, false, sourceResult.Name, out)\n\t}\n\n\tif !showAllVulns && countUncalled > 0 {\n\t\tfmt.Fprintln(out, formatHiddenVulnsPrompt(countUncalled))\n\t}\n}\n\n// truncate ensures that the given string is shorter than the provided limit.\n//\n// If the string is longer than the limit, it's trimmed and suffixed with an ellipsis.\n// Ideally the string will be trimmed at the space that's closest to the limit to\n// preserve whole words; if a string has no spaces before the limit, it'll be forcefully truncated.\nfunc truncate(str string, limit int) string {\n\tcount := 0\n\ttruncateAt := -1\n\n\tfor i, c := range str {\n\t\tif unicode.IsSpace(c) {\n\t\t\ttruncateAt = i\n\t\t}\n\n\t\tcount++\n\n\t\tif count >= limit {\n\t\t\t// ideally we want to keep words whole when truncating,\n\t\t\t// but if we can't find a space just truncate at the limit\n\t\t\tif truncateAt == -1 {\n\t\t\t\ttruncateAt = limit\n\t\t\t}\n\n\t\t\treturn str[:truncateAt] + \"...\"\n\t\t}\n\t}\n\n\treturn str\n}\n\nfunc describe(vulnerability VulnResult) string {\n\tbuilder := strings.Builder{}\n\tif vulnerability.Description == \"\" {\n\t\tbuilder.WriteString(\"(no details available)\")\n\t} else {\n\t\tbuilder.WriteString(truncate(vulnerability.Description, 80))\n\t}\n\n\treturn builder.String()\n}\n" }, { "path": "internal/output/vertical_test.go", "content": "package output_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\nfunc TestPrintVerticalResults_WithVulnerabilities(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithVulnerabilities(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintVerticalResults(args.vulnResult, outputWriter, true)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintVerticalResults_WithLicenseViolations(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithLicenseViolations(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintVerticalResults(args.vulnResult, outputWriter, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n\nfunc TestPrintVerticalResults_WithMixedIssues(t *testing.T) {\n\tt.Parallel()\n\n\ttestOutputWithMixedIssues(t, func(t *testing.T, args outputTestCaseArgs) {\n\t\tt.Helper()\n\n\t\toutputWriter := &bytes.Buffer{}\n\t\toutput.PrintVerticalResults(args.vulnResult, outputWriter, false)\n\n\t\ttestutility.NewSnapshot().MatchText(t, text.StripEscape(outputWriter.String()))\n\t})\n}\n" }, { "path": "internal/remediation/__snapshots__/in_place_test.snap", "content": "\n[TestComputeInPlacePatches/npm-santatracker - 1]\n{\n \"Patches\": [\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"lodash\"\n },\n \"OrigVersion\": \"4.17.20\",\n \"NewVersion\": \"4.17.21\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-29mw-wpgm-hmr9\",\n \"AffectedNodes\": [\n 338\n ]\n },\n {\n \"ID\": \"GHSA-35jh-r3h4-6jhm\",\n \"AffectedNodes\": [\n 338\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"minimist\"\n },\n \"OrigVersion\": \"1.2.0\",\n \"NewVersion\": \"1.2.8\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 357\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 357\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"ws\"\n },\n \"OrigVersion\": \"6.2.1\",\n \"NewVersion\": \"6.2.3\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-3h5v-q93c-6h6q\",\n \"AffectedNodes\": [\n 513\n ]\n },\n {\n \"ID\": \"GHSA-6fc8-4gx4-v693\",\n \"AffectedNodes\": [\n 513\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"ws\"\n },\n \"OrigVersion\": \"7.1.2\",\n \"NewVersion\": \"7.5.10\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-3h5v-q93c-6h6q\",\n \"AffectedNodes\": [\n 609\n ]\n },\n {\n \"ID\": \"GHSA-6fc8-4gx4-v693\",\n \"AffectedNodes\": [\n 609\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"acorn\"\n },\n \"OrigVersion\": \"5.7.3\",\n \"NewVersion\": \"5.4.1\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-6chw-6frg-f759\",\n \"AffectedNodes\": [\n 620\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"acorn\"\n },\n \"OrigVersion\": \"6.0.2\",\n \"NewVersion\": \"6.4.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-6chw-6frg-f759\",\n \"AffectedNodes\": [\n 133,\n 649\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"acorn\"\n },\n \"OrigVersion\": \"7.1.0\",\n \"NewVersion\": \"7.4.1\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-6chw-6frg-f759\",\n \"AffectedNodes\": [\n 595\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"ansi-regex\"\n },\n \"OrigVersion\": \"3.0.0\",\n \"NewVersion\": \"3.0.1\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-93q8-gq69-wqmw\",\n \"AffectedNodes\": [\n 564,\n 644\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"brace-expansion\"\n },\n \"OrigVersion\": \"1.1.11\",\n \"NewVersion\": \"1.1.12\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-v6h2-p8h4-qcjw\",\n \"AffectedNodes\": [\n 162\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"cross-spawn\"\n },\n \"OrigVersion\": \"6.0.5\",\n \"NewVersion\": \"6.0.6\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-3xgq-45jj-v275\",\n \"AffectedNodes\": [\n 203\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"dat.gui\"\n },\n \"OrigVersion\": \"0.7.3\",\n \"NewVersion\": \"0.7.9\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-chwr-hf3w-c984\",\n \"AffectedNodes\": [\n 208\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"get-func-name\"\n },\n \"OrigVersion\": \"2.0.0\",\n \"NewVersion\": \"2.0.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-4q6p-r6v2-jvc5\",\n \"AffectedNodes\": [\n 264\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"glob-parent\"\n },\n \"OrigVersion\": \"5.0.0\",\n \"NewVersion\": \"5.1.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-ww39-953v-wcq6\",\n \"AffectedNodes\": [\n 269\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"json5\"\n },\n \"OrigVersion\": \"2.1.0\",\n \"NewVersion\": \"2.2.3\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-9c47-m6qq-7p4h\",\n \"AffectedNodes\": [\n 329\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"minimist\"\n },\n \"OrigVersion\": \"1.2.5\",\n \"NewVersion\": \"1.2.8\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 580\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"node-fetch\"\n },\n \"OrigVersion\": \"2.6.6\",\n \"NewVersion\": \"2.7.0\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-r683-j2x4-v87g\",\n \"AffectedNodes\": [\n 586,\n 591,\n 634\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"path-parse\"\n },\n \"OrigVersion\": \"1.0.6\",\n \"NewVersion\": \"1.0.7\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-hj48-42vr-x3v9\",\n \"AffectedNodes\": [\n 398\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"pathval\"\n },\n \"OrigVersion\": \"1.1.0\",\n \"NewVersion\": \"1.1.1\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-g6ww-v8xp-vmwg\",\n \"AffectedNodes\": [\n 400\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"qs\"\n },\n \"OrigVersion\": \"6.5.2\",\n \"NewVersion\": \"6.5.3\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-hrpp-h998-j3pp\",\n \"AffectedNodes\": [\n 422\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"rollup\"\n },\n \"OrigVersion\": \"2.59.0\",\n \"NewVersion\": \"2.79.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-gcx4-mw62-g8wm\",\n \"AffectedNodes\": [\n 444\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"semver\"\n },\n \"OrigVersion\": \"5.5.1\",\n \"NewVersion\": \"5.7.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-c2qf-rxjj-qqgw\",\n \"AffectedNodes\": [\n 449\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"semver\"\n },\n \"OrigVersion\": \"5.6.0\",\n \"NewVersion\": \"5.7.2\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-c2qf-rxjj-qqgw\",\n \"AffectedNodes\": [\n 539,\n 572\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"semver\"\n },\n \"OrigVersion\": \"6.3.0\",\n \"NewVersion\": \"6.3.1\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-c2qf-rxjj-qqgw\",\n \"AffectedNodes\": [\n 571\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"y18n\"\n },\n \"OrigVersion\": \"4.0.0\",\n \"NewVersion\": \"4.0.3\"\n },\n \"Resolved\": [\n {\n \"ID\": \"GHSA-c4w7-xm78-47vh\",\n \"AffectedNodes\": [\n 518\n ]\n }\n ]\n }\n ],\n \"Unfixable\": [\n {\n \"ID\": \"GHSA-2r2c-g63r-vccr\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-3wf4-68gx-mph8\",\n \"AffectedNodes\": [\n 255\n ]\n },\n {\n \"ID\": \"GHSA-3xgq-45jj-v275\",\n \"AffectedNodes\": [\n 575\n ]\n },\n {\n \"ID\": \"GHSA-4wf5-vphf-c2xc\",\n \"AffectedNodes\": [\n 470\n ]\n },\n {\n \"ID\": \"GHSA-52f5-9888-hmc6\",\n \"AffectedNodes\": [\n 472\n ]\n },\n {\n \"ID\": \"GHSA-566m-qj78-rww5\",\n \"AffectedNodes\": [\n 406\n ]\n },\n {\n \"ID\": \"GHSA-5rrq-pxf6-6jx5\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-67hx-6x53-jw92\",\n \"AffectedNodes\": [\n 71\n ]\n },\n {\n \"ID\": \"GHSA-72xf-g2v4-qvf3\",\n \"AffectedNodes\": [\n 475\n ]\n },\n {\n \"ID\": \"GHSA-72xf-g2v4-qvf3\",\n \"AffectedNodes\": [\n 607\n ]\n },\n {\n \"ID\": \"GHSA-72xf-g2v4-qvf3\",\n \"AffectedNodes\": [\n 652\n ]\n },\n {\n \"ID\": \"GHSA-7fh5-64p2-3v2j\",\n \"AffectedNodes\": [\n 406\n ]\n },\n {\n \"ID\": \"GHSA-7v5v-9h63-cj86\",\n \"AffectedNodes\": [\n 109\n ]\n },\n {\n \"ID\": \"GHSA-896r-f27r-55mw\",\n \"AffectedNodes\": [\n 326\n ]\n },\n {\n \"ID\": \"GHSA-8fr3-hfg3-gpgp\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-968p-4wvh-cqc8\",\n \"AffectedNodes\": [\n 24\n ]\n },\n {\n \"ID\": \"GHSA-9wv6-86v2-598j\",\n \"AffectedNodes\": [\n 399\n ]\n },\n {\n \"ID\": \"GHSA-cfm4-qjh2-4765\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-f8q6-p94x-37v3\",\n \"AffectedNodes\": [\n 356\n ]\n },\n {\n \"ID\": \"GHSA-fjxv-7rqg-78g4\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-g954-5hwp-pp24\",\n \"AffectedNodes\": [\n 415\n ]\n },\n {\n \"ID\": \"GHSA-gcx4-mw62-g8wm\",\n \"AffectedNodes\": [\n 605\n ]\n },\n {\n \"ID\": \"GHSA-gf8q-jrpm-jvxq\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-grv7-fg5c-xmjg\",\n \"AffectedNodes\": [\n 163\n ]\n },\n {\n \"ID\": \"GHSA-h755-8qp9-cq85\",\n \"AffectedNodes\": [\n 415\n ]\n },\n {\n \"ID\": \"GHSA-hwj9-h5mp-3pm3\",\n \"AffectedNodes\": [\n 406\n ]\n },\n {\n \"ID\": \"GHSA-p8p7-x288-28g6\",\n \"AffectedNodes\": [\n 436\n ]\n },\n {\n \"ID\": \"GHSA-p9pc-299p-vxgp\",\n \"AffectedNodes\": [\n 521\n ]\n },\n {\n \"ID\": \"GHSA-pfq8-rq6v-vf5m\",\n \"AffectedNodes\": [\n 291\n ]\n },\n {\n \"ID\": \"GHSA-r683-j2x4-v87g\",\n \"AffectedNodes\": [\n 365\n ]\n },\n {\n \"ID\": \"GHSA-v88g-cgmw-v5xw\",\n \"AffectedNodes\": [\n 138\n ]\n },\n {\n \"ID\": \"GHSA-vh5w-fg69-rc8m\",\n \"AffectedNodes\": [\n 278\n ]\n },\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 615\n ]\n },\n {\n \"ID\": \"GHSA-w8qv-6jwh-64r5\",\n \"AffectedNodes\": [\n 166\n ]\n },\n {\n \"ID\": \"GHSA-w8qv-6jwh-64r5\",\n \"AffectedNodes\": [\n 560\n ]\n },\n {\n \"ID\": \"GHSA-x4jg-mjrx-434g\",\n \"AffectedNodes\": [\n 366\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 615\n ]\n }\n ]\n}\n---\n" }, { "path": "internal/remediation/__snapshots__/testhelpers_test.snap", "content": "\n[TestComputeOverridePatches/maven-classifier - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-lang3\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.18.0\",\n \"OrigResolved\": \"3.5\",\n \"NewResolved\": \"3.18.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-j288-q9x7-2f5v\",\n \"AffectedNodes\": [\n 2\n ]\n }\n ],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeOverridePatches/maven-management-only - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-configuration2\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.10.1\",\n \"OrigResolved\": \"2.8.0\",\n \"NewResolved\": \"2.10.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-9w38-p64v-xpmv\",\n \"AffectedNodes\": [\n 16\n ]\n },\n {\n \"ID\": \"GHSA-xjp4-hw94-mvp5\",\n \"AffectedNodes\": [\n 16\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-web\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.13.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.13.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-hhw5-c326-822h\",\n \"AffectedNodes\": [\n 23\n ]\n },\n {\n \"ID\": \"GHSA-pmhc-2g4f-85cg\",\n \"AffectedNodes\": [\n 23\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"commons-io:commons-io\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.14.0\",\n \"OrigResolved\": \"2.7\",\n \"NewResolved\": \"2.14.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-78wr-2p64-hpwj\",\n \"AffectedNodes\": [\n 19\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.13.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.13.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-jc7h-c423-mpjc\",\n \"AffectedNodes\": [\n 22\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-web\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.12.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.12.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-pmhc-2g4f-85cg\",\n \"AffectedNodes\": [\n 23\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.thrift:libthrift\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.14.0\",\n \"OrigResolved\": \"0.13.0\",\n \"NewResolved\": \"0.14.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g2fg-mr77-6vrm\",\n \"AffectedNodes\": [\n 6\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-lang3\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.18.0\",\n \"OrigResolved\": \"3.12.0\",\n \"NewResolved\": \"3.18.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeOverridePatches/maven-zeppelin-server - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.zeppelin:zeppelin-interpreter\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.12.0\",\n \"OrigResolved\": \"0.11.1\",\n \"NewResolved\": \"0.12.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-2fqw-684c-pvp7\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-389x-839f-4rhx\",\n \"AffectedNodes\": [\n 278\n ]\n },\n {\n \"ID\": \"GHSA-3p8m-j85q-pgmj\",\n \"AffectedNodes\": [\n 256\n ]\n },\n {\n \"ID\": \"GHSA-4jhc-wjr3-pwh2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-5mg8-w23w-74h3\",\n \"AffectedNodes\": [\n 260\n ]\n },\n {\n \"ID\": \"GHSA-6mjq-h674-j845\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-6vvh-5794-vpmj\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-7fr2-94h7-ccg2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-7g45-4rm6-3mm3\",\n \"AffectedNodes\": [\n 260\n ]\n },\n {\n \"ID\": \"GHSA-7pgf-ppxw-8624\",\n \"AffectedNodes\": [\n 39\n ]\n },\n {\n \"ID\": \"GHSA-g7p8-r2ch-4rmf\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-m4h3-7mc2-v295\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-mf27-wg66-m8f5\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-mm9x-g8pc-w292\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-mvr2-9pj6-7w5j\",\n \"AffectedNodes\": [\n 260\n ]\n },\n {\n \"ID\": \"GHSA-xq3w-v528-46rv\",\n \"AffectedNodes\": [\n 278\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.atomix:atomix\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.1.6\",\n \"OrigResolved\": \"3.0.0-rc5\",\n \"NewResolved\": \"3.1.6\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-2fqw-684c-pvp7\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-4jhc-wjr3-pwh2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-6vvh-5794-vpmj\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-7fr2-94h7-ccg2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-g7p8-r2ch-4rmf\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-m4h3-7mc2-v295\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-mf27-wg66-m8f5\",\n \"AffectedNodes\": [\n 123\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-v2xm-76pq-phcf\",\n \"AffectedNodes\": [\n 264\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-handler\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.118.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.118.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-389x-839f-4rhx\",\n \"AffectedNodes\": [\n 278\n ]\n },\n {\n \"ID\": \"GHSA-6mjq-h674-j845\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-mm9x-g8pc-w292\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-xq3w-v528-46rv\",\n \"AffectedNodes\": [\n 278\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.pdfbox:pdfbox\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.0.24\",\n \"OrigResolved\": \"2.0.16\",\n \"NewResolved\": \"2.0.24\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-2h3j-m7gr-25xj\",\n \"AffectedNodes\": [\n 287\n ]\n },\n {\n \"ID\": \"GHSA-6vqp-h455-42mr\",\n \"AffectedNodes\": [\n 287\n ]\n },\n {\n \"ID\": \"GHSA-7grw-6pjh-jpc9\",\n \"AffectedNodes\": [\n 287\n ]\n },\n {\n \"ID\": \"GHSA-fg3j-q579-v8x4\",\n \"AffectedNodes\": [\n 287\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"xerces:xercesImpl\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.12.2\",\n \"OrigResolved\": \"2.11.0\",\n \"NewResolved\": \"2.12.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7j4h-8wpf-rqfh\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-h65f-jvqw-m9fj\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-vmqm-g3vh-847m\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-w4jq-qh47-hvjq\",\n \"AffectedNodes\": [\n 252\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.atomix:atomix\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.1.6\",\n \"OrigResolved\": \"3.0.0-rc5\",\n \"NewResolved\": \"3.1.6\"\n },\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.github.classgraph:classgraph\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.8.112\",\n \"OrigResolved\": \"4.2.3\",\n \"NewResolved\": \"4.8.112\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-2fqw-684c-pvp7\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-4jhc-wjr3-pwh2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-6vvh-5794-vpmj\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-7fr2-94h7-ccg2\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-g7p8-r2ch-4rmf\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-m4h3-7mc2-v295\",\n \"AffectedNodes\": [\n 123\n ]\n },\n {\n \"ID\": \"GHSA-mf27-wg66-m8f5\",\n \"AffectedNodes\": [\n 123\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.google.guava:guava\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"32.0.0-jre\",\n \"OrigResolved\": \"22.0\",\n \"NewResolved\": \"32.0.0-jre\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5mg8-w23w-74h3\",\n \"AffectedNodes\": [\n 260\n ]\n },\n {\n \"ID\": \"GHSA-7g45-4rm6-3mm3\",\n \"AffectedNodes\": [\n 260\n ]\n },\n {\n \"ID\": \"GHSA-mvr2-9pj6-7w5j\",\n \"AffectedNodes\": [\n 260\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-codec\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.125.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.125.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-389x-839f-4rhx\",\n \"AffectedNodes\": [\n 278\n ]\n },\n {\n \"ID\": \"GHSA-3p8m-j85q-pgmj\",\n \"AffectedNodes\": [\n 256\n ]\n },\n {\n \"ID\": \"GHSA-xq3w-v528-46rv\",\n \"AffectedNodes\": [\n 278\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.mina:mina-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.0.27\",\n \"OrigResolved\": \"2.0.7\",\n \"NewResolved\": \"2.0.27\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5h29-qq92-wj7f\",\n \"AffectedNodes\": [\n 167\n ]\n },\n {\n \"ID\": \"GHSA-6mcm-j9cj-3vc3\",\n \"AffectedNodes\": [\n 167\n ]\n },\n {\n \"ID\": \"GHSA-76h9-2vwh-w278\",\n \"AffectedNodes\": [\n 167\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.eclipse.jgit:org.eclipse.jgit\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"6.10.1.202505221210-r\",\n \"OrigResolved\": \"4.5.4.201711221230-r\",\n \"NewResolved\": \"6.10.1.202505221210-r\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3p86-9955-h393\",\n \"AffectedNodes\": [\n 56\n ]\n },\n {\n \"ID\": \"GHSA-q446-82vq-w674\",\n \"AffectedNodes\": [\n 151\n ]\n },\n {\n \"ID\": \"GHSA-vrpq-qp53-qv56\",\n \"AffectedNodes\": [\n 56\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"xerces:xercesImpl\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.12.1\",\n \"OrigResolved\": \"2.11.0\",\n \"NewResolved\": \"2.12.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7j4h-8wpf-rqfh\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-vmqm-g3vh-847m\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-w4jq-qh47-hvjq\",\n \"AffectedNodes\": [\n 252\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.15.0\",\n \"OrigResolved\": \"2.12.6\",\n \"NewResolved\": \"2.15.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-h46c-h94j-95f3\",\n \"AffectedNodes\": [\n 78\n ]\n },\n {\n \"ID\": \"GHSA-wf8f-6423-gfxg\",\n \"AffectedNodes\": [\n 78\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.fasterxml.jackson.core:jackson-databind\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.12.7.1\",\n \"OrigResolved\": \"2.12.6.1\",\n \"NewResolved\": \"2.12.7.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-jjjh-jjxp-wpff\",\n \"AffectedNodes\": [\n 15\n ]\n },\n {\n \"ID\": \"GHSA-rgv9-q543-rqg4\",\n \"AffectedNodes\": [\n 15\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.nimbusds:nimbus-jose-jwt\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.37.4\",\n \"OrigResolved\": \"9.13\",\n \"NewResolved\": \"9.37.4\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-gvpg-vgmx-xg6w\",\n \"AffectedNodes\": [\n 28\n ]\n },\n {\n \"ID\": \"GHSA-xwmg-2g98-w7v9\",\n \"AffectedNodes\": [\n 28\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-common\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.118.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.118.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-389x-839f-4rhx\",\n \"AffectedNodes\": [\n 278\n ]\n },\n {\n \"ID\": \"GHSA-xq3w-v528-46rv\",\n \"AffectedNodes\": [\n 278\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-compress\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.26.0\",\n \"OrigResolved\": \"1.21\",\n \"NewResolved\": \"1.26.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-4265-ccf5-phj5\",\n \"AffectedNodes\": [\n 59\n ]\n },\n {\n \"ID\": \"GHSA-4g9r-vxhx-9pgx\",\n \"AffectedNodes\": [\n 59\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-configuration2\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.10.1\",\n \"OrigResolved\": \"2.8.0\",\n \"NewResolved\": \"2.10.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-9w38-p64v-xpmv\",\n \"AffectedNodes\": [\n 127\n ]\n },\n {\n \"ID\": \"GHSA-xjp4-hw94-mvp5\",\n \"AffectedNodes\": [\n 127\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-vfs2\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.10.0\",\n \"OrigResolved\": \"2.6.0\",\n \"NewResolved\": \"2.10.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3936-3gx6-49c4\",\n \"AffectedNodes\": [\n 55\n ]\n },\n {\n \"ID\": \"GHSA-9q4x-fr4m-jp86\",\n \"AffectedNodes\": [\n 55\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.mina:mina-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.0.22\",\n \"OrigResolved\": \"2.0.7\",\n \"NewResolved\": \"2.0.22\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5h29-qq92-wj7f\",\n \"AffectedNodes\": [\n 167\n ]\n },\n {\n \"ID\": \"GHSA-6mcm-j9cj-3vc3\",\n \"AffectedNodes\": [\n 167\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.pdfbox:pdfbox\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.0.23\",\n \"OrigResolved\": \"2.0.16\",\n \"NewResolved\": \"2.0.23\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-2h3j-m7gr-25xj\",\n \"AffectedNodes\": [\n 287\n ]\n },\n {\n \"ID\": \"GHSA-6vqp-h455-42mr\",\n \"AffectedNodes\": [\n 287\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-web\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.13.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.13.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-hhw5-c326-822h\",\n \"AffectedNodes\": [\n 21\n ]\n },\n {\n \"ID\": \"GHSA-pmhc-2g4f-85cg\",\n \"AffectedNodes\": [\n 21\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.eclipse.jetty:jetty-server\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.4.57.v20241219\",\n \"OrigResolved\": \"9.4.52.v20230823\",\n \"NewResolved\": \"9.4.57.v20241219\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g8m5-722r-8whq\",\n \"AffectedNodes\": [\n 243\n ]\n },\n {\n \"ID\": \"GHSA-q4rv-gq96-w7c5\",\n \"AffectedNodes\": [\n 243\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.eclipse.jgit:org.eclipse.jgit\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"5.13.3.202401111512-r\",\n \"OrigResolved\": \"4.5.4.201711221230-r\",\n \"NewResolved\": \"5.13.3.202401111512-r\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3p86-9955-h393\",\n \"AffectedNodes\": [\n 56\n ]\n },\n {\n \"ID\": \"GHSA-q446-82vq-w674\",\n \"AffectedNodes\": [\n 151\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"xerces:xercesImpl\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.12.0\",\n \"OrigResolved\": \"2.11.0\",\n \"NewResolved\": \"2.12.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7j4h-8wpf-rqfh\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-vmqm-g3vh-847m\",\n \"AffectedNodes\": [\n 252\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"commons-net:commons-net\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.9.0\",\n \"OrigResolved\": \"3.6\",\n \"NewResolved\": \"3.9.0\"\n },\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"net.sourceforge.htmlunit:htmlunit\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.37.0\",\n \"OrigResolved\": \"2.18\",\n \"NewResolved\": \"2.37.0\"\n },\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"net.sourceforge.htmlunit:neko-htmlunit\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.61.0\",\n \"OrigResolved\": \"2.37.0\",\n \"NewResolved\": \"2.61.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5mh9-r3rr-9597\",\n \"AffectedNodes\": [\n 173\n ]\n },\n {\n \"ID\": \"GHSA-7j4h-8wpf-rqfh\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-h65f-jvqw-m9fj\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-vmqm-g3vh-847m\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-w4jq-qh47-hvjq\",\n \"AffectedNodes\": [\n 252\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"net.sourceforge.htmlunit:htmlunit\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.37.0\",\n \"OrigResolved\": \"2.18\",\n \"NewResolved\": \"2.37.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5mh9-r3rr-9597\",\n \"AffectedNodes\": [\n 173\n ]\n },\n {\n \"ID\": \"GHSA-7j4h-8wpf-rqfh\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-vmqm-g3vh-847m\",\n \"AffectedNodes\": [\n 252\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-6jmm-mp6w-4rrg\",\n \"AffectedNodes\": [\n 252\n ]\n },\n {\n \"ID\": \"GHSA-cgp8-4m63-fhh5\",\n \"AffectedNodes\": [\n 254\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-handler\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.94.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.94.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-6mjq-h674-j845\",\n \"AffectedNodes\": [\n 257\n ]\n },\n {\n \"ID\": \"GHSA-mm9x-g8pc-w292\",\n \"AffectedNodes\": [\n 257\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-4g8c-wm8x-jfhw\",\n \"AffectedNodes\": [\n 257\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.fasterxml.jackson.core:jackson-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.13.0\",\n \"OrigResolved\": \"2.12.6\",\n \"NewResolved\": \"2.13.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-wf8f-6423-gfxg\",\n \"AffectedNodes\": [\n 78\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.google.guava:guava\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"24.1.1-jre\",\n \"OrigResolved\": \"22.0\",\n \"NewResolved\": \"24.1.1-jre\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-mvr2-9pj6-7w5j\",\n \"AffectedNodes\": [\n 260\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.jcraft:jsch\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.1.54\",\n \"OrigResolved\": \"0.1.53\",\n \"NewResolved\": \"0.1.54\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-q446-82vq-w674\",\n \"AffectedNodes\": [\n 151\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.nimbusds:nimbus-jose-jwt\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.37.2\",\n \"OrigResolved\": \"9.13\",\n \"NewResolved\": \"9.37.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-gvpg-vgmx-xg6w\",\n \"AffectedNodes\": [\n 28\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"commons-beanutils:commons-beanutils\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.11.0\",\n \"OrigResolved\": \"1.9.4\",\n \"NewResolved\": \"1.11.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-wxr5-93ph-8wr9\",\n \"AffectedNodes\": [\n 20\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"commons-io:commons-io\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.14.0\",\n \"OrigResolved\": \"2.7\",\n \"NewResolved\": \"2.14.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-78wr-2p64-hpwj\",\n \"AffectedNodes\": [\n 42\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.9.8.Final\",\n \"OrigResolved\": \"3.5.2.Final\",\n \"NewResolved\": \"3.9.8.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-xfv3-rrfm-f2rv\",\n \"AffectedNodes\": [\n 175\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-common\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.115.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.115.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-xq3w-v528-46rv\",\n \"AffectedNodes\": [\n 278\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-handler\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.46.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.46.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-mm9x-g8pc-w292\",\n \"AffectedNodes\": [\n 257\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.directory.api:api-ldap-model\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.0.0-M31\",\n \"OrigResolved\": \"1.0.0-M20\",\n \"NewResolved\": \"1.0.0-M31\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-cx3q-cv6w-mx4h\",\n \"AffectedNodes\": [\n 104\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.jackrabbit:jackrabbit-jcr-commons\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.22.2\",\n \"OrigResolved\": \"1.6.5\",\n \"NewResolved\": \"2.22.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-cxvc-g8f2-4gmm\",\n \"AffectedNodes\": [\n 241\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.mina:mina-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.0.21\",\n \"OrigResolved\": \"2.0.7\",\n \"NewResolved\": \"2.0.21\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-5h29-qq92-wj7f\",\n \"AffectedNodes\": [\n 167\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.13.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.13.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-jc7h-c423-mpjc\",\n \"AffectedNodes\": [\n 19\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.shiro:shiro-web\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.12.0\",\n \"OrigResolved\": \"1.10.0\",\n \"NewResolved\": \"1.12.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-pmhc-2g4f-85cg\",\n \"AffectedNodes\": [\n 21\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.eclipse.jetty:jetty-http\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"12.0.12\",\n \"OrigResolved\": \"9.4.52.v20230823\",\n \"NewResolved\": \"12.0.12\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-qh8g-58pp-2wxh\",\n \"AffectedNodes\": [\n 141\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.eclipse.jetty:jetty-server\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.4.56.v20240826\",\n \"OrigResolved\": \"9.4.52.v20230823\",\n \"NewResolved\": \"9.4.56.v20240826\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g8m5-722r-8whq\",\n \"AffectedNodes\": [\n 243\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.glassfish.jersey.core:jersey-common\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.34\",\n \"OrigResolved\": \"2.30\",\n \"NewResolved\": \"2.34\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-c43q-5hpj-4crv\",\n \"AffectedNodes\": [\n 68\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"xalan:xalan\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"2.7.3\",\n \"OrigResolved\": \"2.7.2\",\n \"NewResolved\": \"2.7.3\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-9339-86wc-4qgf\",\n \"AffectedNodes\": [\n 249\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.thrift:libthrift\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.14.0\",\n \"OrigResolved\": \"0.13.0\",\n \"NewResolved\": \"0.14.0\"\n },\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.tomcat.embed:tomcat-embed-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.0.110\",\n \"OrigResolved\": \"8.5.46\",\n \"NewResolved\": \"9.0.110\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g2fg-mr77-6vrm\",\n \"AffectedNodes\": [\n 126\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-codec\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.68.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.68.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"io.netty:netty-handler\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"4.1.45.Final\",\n \"OrigResolved\": \"4.1.27.Final\",\n \"NewResolved\": \"4.1.45.Final\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.commons:commons-lang3\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"3.18.0\",\n \"OrigResolved\": \"3.12.0\",\n \"NewResolved\": \"3.18.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.thrift:libthrift\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.14.0\",\n \"OrigResolved\": \"0.13.0\",\n \"NewResolved\": \"0.14.0\"\n },\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.tomcat.embed:tomcat-embed-core\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"9.0.106\",\n \"OrigResolved\": \"8.5.46\",\n \"NewResolved\": \"9.0.106\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g2fg-mr77-6vrm\",\n \"AffectedNodes\": [\n 126\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-gqp3-2cvr-x8m3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-hgrr-935x-pq79\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-vfww-5hm6-hx2j\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-wmwf-9ccg-fff5\",\n \"AffectedNodes\": [\n 179\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"org.apache.thrift:libthrift\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"0.14.0\",\n \"OrigResolved\": \"0.13.0\",\n \"NewResolved\": \"0.14.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-g2fg-mr77-6vrm\",\n \"AffectedNodes\": [\n 126\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-2rvv-w9r2-rg7m\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-3p2h-wqq4-wf4h\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-5j33-cvvr-w245\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-7w75-32cg-r6g2\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-83qj-6fr2-vhqg\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-9xcj-c8cr-8c3c\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-c9hw-wf7x-jp9j\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-f4qf-m5gf-8jm8\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-fccv-jmmp-qg76\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-ff77-26x5-69cr\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-g8pj-r55q-5c2v\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-h2fw-rfh5-95r3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-h3gc-qfqq-6h8f\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-hh3j-x4mc-g48r\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-j39c-c8hj-x4j3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-jgwr-3qm3-26f3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-p22x-g9px-3945\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-q3mw-pvr8-9ggc\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-qppj-fm5r-hxr3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-qxf4-chvg-4r8r\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-r6j3-px5g-cq3x\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-wc4r-xq3c-5cf3\",\n \"AffectedNodes\": [\n 179\n ]\n },\n {\n \"ID\": \"GHSA-wm9w-rjj3-j356\",\n \"AffectedNodes\": [\n 179\n ]\n }\n ]\n }\n]\n---\n\n[TestComputeOverridePatches/workaround-commons - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"commons-beanutils:commons-beanutils\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"1.9.4\",\n \"OrigResolved\": \"20020520\",\n \"NewResolved\": \"1.9.4\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-6phf-73q6-gh87\",\n \"AffectedNodes\": [\n 1\n ]\n }\n ],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeOverridePatches/workaround-maven-guava-android-to-android - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.google.guava:guava\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"24.0-android\",\n \"OrigResolved\": \"22.0-android\",\n \"NewResolved\": \"24.0-android\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"OSV-000-000\",\n \"AffectedNodes\": [\n 1\n ]\n }\n ],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeOverridePatches/workaround-maven-guava-jre-to-jre - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.google.guava:guava\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"24.0-jre\",\n \"OrigResolved\": \"23.1-jre\",\n \"NewResolved\": \"24.0-jre\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"OSV-000-000\",\n \"AffectedNodes\": [\n 1\n ]\n }\n ],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeOverridePatches/workaround-maven-guava-none-to-jre - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 6,\n \"Name\": \"com.google.guava:guava\"\n },\n \"Type\": {},\n \"OrigRequire\": \"\",\n \"NewRequire\": \"24.0-jre\",\n \"OrigResolved\": \"20.0\",\n \"NewResolved\": \"24.0-jre\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"OSV-000-000\",\n \"AffectedNodes\": [\n 1\n ]\n }\n ],\n \"AddedVulns\": []\n }\n]\n---\n\n[TestComputeRelaxPatches/npm-santatracker - 1]\n[\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"mocha\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^5.2.0\",\n \"NewRequire\": \"^10.8.2\",\n \"OrigResolved\": \"5.2.0\",\n \"NewResolved\": \"10.8.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-f8q6-p94x-37v3\",\n \"AffectedNodes\": [\n 573\n ]\n },\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 577\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 577\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"@google-cloud/cloudbuild\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^2.6.0\",\n \"NewRequire\": \"^4.8.1\",\n \"OrigResolved\": \"2.6.0\",\n \"NewResolved\": \"4.8.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7v5v-9h63-cj86\",\n \"AffectedNodes\": [\n 181\n ]\n },\n {\n \"ID\": \"GHSA-h755-8qp9-cq85\",\n \"AffectedNodes\": [\n 192\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"mocha\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^5.2.0\",\n \"NewRequire\": \"^9.2.2\",\n \"OrigResolved\": \"5.2.0\",\n \"NewResolved\": \"9.2.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-f8q6-p94x-37v3\",\n \"AffectedNodes\": [\n 573\n ]\n },\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 577\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 577\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-76p7-773f-r4q5\",\n \"AffectedNodes\": [\n 580\n ]\n },\n {\n \"ID\": \"GHSA-mwcw-c2x4-8c55\",\n \"AffectedNodes\": [\n 579\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"@google-cloud/cloudbuild\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^2.6.0\",\n \"NewRequire\": \"^3.10.0\",\n \"OrigResolved\": \"2.6.0\",\n \"NewResolved\": \"3.10.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7v5v-9h63-cj86\",\n \"AffectedNodes\": [\n 181\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"autoprefixer\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^9.3.0\",\n \"NewRequire\": \"^10.4.21\",\n \"OrigResolved\": \"9.8.8\",\n \"NewResolved\": \"10.4.21\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-7fh5-64p2-3v2j\",\n \"AffectedNodes\": [\n 316\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"dhost\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^0.1.9\",\n \"NewRequire\": \"^0.3.5\",\n \"OrigResolved\": \"0.1.9\",\n \"NewResolved\": \"0.3.5\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3xgq-45jj-v275\",\n \"AffectedNodes\": [\n 358\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"firebase\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^8.10.0\",\n \"NewRequire\": \"^11.10.0\",\n \"OrigResolved\": \"8.10.1\",\n \"NewResolved\": \"11.10.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3wf4-68gx-mph8\",\n \"AffectedNodes\": [\n 21\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"google-closure-library\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^20190909.0.0\",\n \"NewRequire\": \"^20200315.0.0\",\n \"OrigResolved\": \"20190909.0.0\",\n \"NewResolved\": \"20200315.0.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-vh5w-fg69-rc8m\",\n \"AffectedNodes\": [\n 24\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"terser\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^3.10.11\",\n \"NewRequire\": \"^4.8.1\",\n \"OrigResolved\": \"3.17.0\",\n \"NewResolved\": \"4.8.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-4wf5-vphf-c2xc\",\n \"AffectedNodes\": [\n 44\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"tmp\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^0.0.33\",\n \"NewRequire\": \"^0.2.5\",\n \"OrigResolved\": \"0.0.33\",\n \"NewResolved\": \"0.2.5\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-52f5-9888-hmc6\",\n \"AffectedNodes\": [\n 45\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"yargs\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^12.0.2\",\n \"NewRequire\": \"^13.3.2\",\n \"OrigResolved\": \"12.0.5\",\n \"NewResolved\": \"13.3.2\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-p9pc-299p-vxgp\",\n \"AffectedNodes\": [\n 601\n ]\n }\n ],\n \"AddedVulns\": []\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"mocha\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^5.2.0\",\n \"NewRequire\": \"^6.2.3\",\n \"OrigResolved\": \"5.2.0\",\n \"NewResolved\": \"6.2.3\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 577\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 577\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-2j2x-2gpw-g8fm\",\n \"AffectedNodes\": [\n 690\n ]\n },\n {\n \"ID\": \"GHSA-gxpj-cx7g-858c\",\n \"AffectedNodes\": [\n 568\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"mocha\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^5.2.0\",\n \"NewRequire\": \"^8.4.0\",\n \"OrigResolved\": \"5.2.0\",\n \"NewResolved\": \"8.4.0\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-vh95-rmgr-6w4m\",\n \"AffectedNodes\": [\n 577\n ]\n },\n {\n \"ID\": \"GHSA-xvch-5gv4-984h\",\n \"AffectedNodes\": [\n 577\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-mwcw-c2x4-8c55\",\n \"AffectedNodes\": [\n 579\n ]\n },\n {\n \"ID\": \"GHSA-qrpm-p2h7-hrv2\",\n \"AffectedNodes\": [\n 579\n ]\n }\n ]\n },\n {\n \"Patch\": {\n \"Deps\": [\n {\n \"Pkg\": {\n \"System\": 3,\n \"Name\": \"firebase\"\n },\n \"Type\": {},\n \"OrigRequire\": \"^8.10.0\",\n \"NewRequire\": \"^10.14.1\",\n \"OrigResolved\": \"8.10.1\",\n \"NewResolved\": \"10.14.1\"\n }\n ],\n \"EcosystemSpecific\": null\n },\n \"RemovedVulns\": [\n {\n \"ID\": \"GHSA-3wf4-68gx-mph8\",\n \"AffectedNodes\": [\n 21\n ]\n }\n ],\n \"AddedVulns\": [\n {\n \"ID\": \"GHSA-c76h-2ccp-4975\",\n \"AffectedNodes\": [\n 409\n ]\n },\n {\n \"ID\": \"GHSA-cxrh-j4jr-qwg3\",\n \"AffectedNodes\": [\n 409\n ]\n }\n ]\n }\n]\n---\n" }, { "path": "internal/remediation/in_place.go", "content": "// Package remediation provides logic for Guided Remediation.\npackage remediation\n\nimport (\n\t\"cmp\"\n\t\"context\"\n\t\"errors\"\n\t\"maps\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientinterfaces\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\tlf \"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype InPlacePatch struct {\n\tlf.DependencyPatch\n\n\tResolvedVulns []resolution.Vulnerability\n}\n\ntype InPlaceResult struct {\n\tPatches []InPlacePatch\n\tUnfixable []resolution.Vulnerability\n}\n\ntype VulnCount struct {\n\tDirect int\n\tTransitive int\n\n\t// Note: These are metrics that overlap with Direct/Transitive, and with each other.\n\tUnfixable int\n\tDev int\n}\n\nfunc (vc VulnCount) Total() int {\n\treturn vc.Direct + vc.Transitive\n}\n\nfunc (r InPlaceResult) VulnCount() VulnCount {\n\tdevCount := 0\n\tdirectCount := 0\n\ttransitiveCount := 0\n\n\tfor _, rv := range r.Unfixable {\n\t\tif rv.DevOnly {\n\t\t\tdevCount++\n\t\t}\n\n\t\tif rv.IsDirect() {\n\t\t\tdirectCount++\n\t\t} else {\n\t\t\ttransitiveCount++\n\t\t}\n\t}\n\n\t// Key vulnerabilities by (ID, package name, package version) to be consistent with scan action's counting\n\ttype vulnKey struct {\n\t\tid string\n\t\tvk resolve.VersionKey\n\t}\n\tuniqueVulns := make(map[vulnKey]struct {\n\t\tdev bool\n\t\tdirect bool\n\t})\n\tfor _, p := range r.Patches {\n\t\tvk := resolve.VersionKey{PackageKey: p.Pkg, Version: p.OrigVersion}\n\t\tfor _, rv := range p.ResolvedVulns {\n\t\t\tkey := vulnKey{id: rv.OSV.GetId(), vk: vk}\n\t\t\td, ok := uniqueVulns[key]\n\t\t\tif !ok {\n\t\t\t\td.dev = rv.DevOnly\n\t\t\t\td.direct = rv.IsDirect()\n\t\t\t} else {\n\t\t\t\td.dev = d.dev && rv.DevOnly\n\t\t\t\td.direct = d.direct || rv.IsDirect()\n\t\t\t}\n\t\t\tuniqueVulns[key] = d\n\t\t}\n\t}\n\n\tfor _, d := range uniqueVulns {\n\t\tif d.dev {\n\t\t\tdevCount++\n\t\t}\n\t\tif d.direct {\n\t\t\tdirectCount++\n\t\t} else {\n\t\t\ttransitiveCount++\n\t\t}\n\t}\n\n\treturn VulnCount{\n\t\tUnfixable: len(r.Unfixable),\n\t\tDev: devCount,\n\t\tDirect: directCount,\n\t\tTransitive: transitiveCount,\n\t}\n}\n\n// ComputeInPlacePatches finds all possible targeting version changes that would fix vulnerabilities in a resolved graph.\n// TODO: Check for introduced vulnerabilities\nfunc ComputeInPlacePatches(ctx context.Context, cl client.ResolutionClient, graph *resolve.Graph, opts Options) (InPlaceResult, error) {\n\tres, err := inPlaceVulnsNodes(ctx, cl, graph)\n\tif err != nil {\n\t\treturn InPlaceResult{}, err\n\t}\n\n\t// Compute the overall constraints imposed by the dependent packages on the vulnerable nodes\n\tvkDependentConstraint := make(map[resolve.VersionKey]semver.Set)\n\tfor vk, vkVulns := range res.vkVulns {\n\t\treqVers := make(map[string]struct{})\n\t\tfor _, vuln := range vkVulns {\n\t\t\tfor _, sg := range vuln.Subgraphs {\n\t\t\t\tfor _, e := range sg.Nodes[sg.Dependency].Parents {\n\t\t\t\t\treqVers[e.Requirement] = struct{}{}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tset, err := buildConstraintSet(vk.Semver(), slices.AppendSeq(make([]string, 0, len(reqVers)), maps.Keys(reqVers)))\n\t\tif err != nil {\n\t\t\t// TODO: log error?\n\t\t\tcontinue\n\t\t}\n\t\tvkDependentConstraint[vk] = set\n\t}\n\n\tvar result InPlaceResult\n\t// TODO: This could be parallelized\n\tfor vk, vulnList := range res.vkVulns {\n\t\tfor _, vuln := range vulnList {\n\t\t\tif !opts.MatchVuln(vuln) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// Consider vulns affecting packages we don't want to change unfixable\n\t\t\tif opts.UpgradeConfig.Get(vk.Name) == upgrade.None {\n\t\t\t\tresult.Unfixable = append(result.Unfixable, vuln)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tnewVK, err := findFixedVersion(ctx, cl, vk.PackageKey, func(newVK resolve.VersionKey) bool {\n\t\t\t\t// Check if this is a disallowed version bump\n\t\t\t\t_, diff, err := vk.Semver().Difference(vk.Version, newVK.Version)\n\t\t\t\tif err != nil || !opts.UpgradeConfig.Get(vk.Name).Allows(diff) {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\t\t\t\t// Check if dependent packages are still satisfied by new version\n\t\t\t\tok, err := vkDependentConstraint[vk].Match(newVK.Version)\n\t\t\t\tif err != nil || !ok {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\n\t\t\t\t// Check if new version's dependencies are satisfied by existing packages\n\t\t\t\tfor _, nID := range res.vkNodes[vk] {\n\t\t\t\t\tok, err := dependenciesSatisfied(ctx, cl, newVK, res.nodeDependencies[nID])\n\t\t\t\t\tif err != nil || !ok {\n\t\t\t\t\t\treturn false\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// Check if this version is vulnerable\n\t\t\t\treturn !vulns.IsAffected(vuln.OSV, util.VKToPackageInfo(newVK))\n\t\t\t})\n\n\t\t\tif errors.Is(err, errInPlaceImpossible) {\n\t\t\t\tresult.Unfixable = append(result.Unfixable, vuln)\n\t\t\t\tcontinue\n\t\t\t} else if err != nil {\n\t\t\t\treturn InPlaceResult{}, err\n\t\t\t}\n\n\t\t\tdp := lf.DependencyPatch{\n\t\t\t\tPkg: vk.PackageKey,\n\t\t\t\tOrigVersion: vk.Version,\n\t\t\t\tNewVersion: newVK.Version,\n\t\t\t}\n\t\t\tidx := slices.IndexFunc(result.Patches, func(ipp InPlacePatch) bool { return ipp.DependencyPatch == dp })\n\t\t\tif idx >= 0 {\n\t\t\t\tresult.Patches[idx].ResolvedVulns = append(result.Patches[idx].ResolvedVulns, vuln)\n\t\t\t} else {\n\t\t\t\tresult.Patches = append(result.Patches, InPlacePatch{\n\t\t\t\t\tDependencyPatch: dp,\n\t\t\t\t\tResolvedVulns: []resolution.Vulnerability{vuln},\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\t// Sort patches for priority/consistency\n\tslices.SortFunc(result.Patches, func(a, b InPlacePatch) int {\n\t\t// Number of vulns fixed descending\n\t\tif c := cmp.Compare(len(a.ResolvedVulns), len(b.ResolvedVulns)); c != 0 {\n\t\t\treturn -c\n\t\t}\n\t\t// Package name ascending\n\t\tif c := cmp.Compare(a.Pkg.Name, b.Pkg.Name); c != 0 {\n\t\t\treturn c\n\t\t}\n\t\t// Original version ascending\n\t\tif c := cmp.Compare(a.OrigVersion, b.OrigVersion); c != 0 {\n\t\t\treturn c\n\t\t}\n\t\t// New version descending\n\t\treturn -cmp.Compare(a.NewVersion, b.NewVersion)\n\t})\n\n\treturn result, nil\n}\n\nvar errInPlaceImpossible = errors.New(\"cannot find a version satisfying in-place constraints\")\n\nfunc findFixedVersion(ctx context.Context, cl client.DependencyClient, pk resolve.PackageKey, satifyFn func(resolve.VersionKey) bool) (resolve.VersionKey, error) {\n\tvers, err := cl.Versions(ctx, pk)\n\tif err != nil {\n\t\treturn resolve.VersionKey{}, err\n\t}\n\n\t// Make sure versions are sorted, then iterate over versions from latest to earliest looking for a satisfying version\n\tslices.SortFunc(vers, func(a, b resolve.Version) int { return a.Semver().Compare(a.Version, b.Version) })\n\tfor i := len(vers) - 1; i >= 0; i-- {\n\t\tvk := vers[i].VersionKey\n\t\tif vk.VersionType == resolve.Concrete && satifyFn(vk) {\n\t\t\treturn vk, nil\n\t\t}\n\t}\n\n\treturn resolve.VersionKey{}, errInPlaceImpossible\n}\n\ntype inPlaceVulnsNodesResult struct {\n\tnodeDependencies map[resolve.NodeID][]resolve.VersionKey\n\tvkVulns map[resolve.VersionKey][]resolution.Vulnerability\n\tvkNodes map[resolve.VersionKey][]resolve.NodeID\n}\n\nfunc inPlaceVulnsNodes(ctx context.Context, m clientinterfaces.VulnerabilityMatcher, graph *resolve.Graph) (inPlaceVulnsNodesResult, error) {\n\tnodeVulns, err := m.MatchVulnerabilities(ctx, client.GraphToInventory(graph))\n\tif err != nil {\n\t\treturn inPlaceVulnsNodesResult{}, err\n\t}\n\n\t// GraphToInventory/MatchVulnerabilities excludes the root node of the graph.\n\t// Prepend an element to nodeVulns so that the indices line up with graph.Nodes[i] <=> nodeVulns[i]\n\tnodeVulns = append([][]*osvschema.Vulnerability{nil}, nodeVulns...)\n\n\tresult := inPlaceVulnsNodesResult{\n\t\tnodeDependencies: make(map[resolve.NodeID][]resolve.VersionKey),\n\t\tvkVulns: make(map[resolve.VersionKey][]resolution.Vulnerability),\n\t\tvkNodes: make(map[resolve.VersionKey][]resolve.NodeID),\n\t}\n\n\t// Find all direct dependencies of vulnerable nodes.\n\tfor _, e := range graph.Edges {\n\t\tif len(nodeVulns[e.From]) > 0 {\n\t\t\tresult.nodeDependencies[e.From] = append(result.nodeDependencies[e.From], graph.Nodes[e.To].Version)\n\t\t}\n\t}\n\n\t// Construct resolution.Vulnerability for all vulnerable packages\n\t// combining nodes with the same package & versions number\n\tvar nodeIDs []resolve.NodeID\n\tfor nID, nVulns := range nodeVulns {\n\t\tif len(nVulns) > 0 {\n\t\t\tnodeIDs = append(nodeIDs, resolve.NodeID(nID))\n\t\t}\n\t}\n\tnodeSubgraphs := resolution.ComputeSubgraphs(graph, nodeIDs)\n\n\tfor i, nID := range nodeIDs {\n\t\tvk := graph.Nodes[nID].Version\n\t\tresult.vkNodes[vk] = append(result.vkNodes[vk], nID)\n\t\tfor _, vuln := range nodeVulns[nID] {\n\t\t\tresVuln := resolution.Vulnerability{\n\t\t\t\tOSV: vuln,\n\t\t\t\tSubgraphs: []*resolution.DependencySubgraph{nodeSubgraphs[i]},\n\t\t\t\tDevOnly: nodeSubgraphs[i].IsDevOnly(nil),\n\t\t\t}\n\t\t\tidx := slices.IndexFunc(result.vkVulns[vk], func(rv resolution.Vulnerability) bool { return rv.OSV.GetId() == resVuln.OSV.GetId() })\n\t\t\tif idx >= 0 {\n\t\t\t\tresult.vkVulns[vk][idx].DevOnly = result.vkVulns[vk][idx].DevOnly && resVuln.DevOnly\n\n\t\t\t\tresult.vkVulns[vk][idx].Subgraphs = append(result.vkVulns[vk][idx].Subgraphs, resVuln.Subgraphs...)\n\t\t\t} else {\n\t\t\t\tresult.vkVulns[vk] = append(result.vkVulns[vk], resVuln)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\nfunc buildConstraintSet(sys semver.System, requiredVers []string) (semver.Set, error) {\n\t// combine a list of requirement strings into one semver.Set to allow version matching\n\tv := requiredVers[0]\n\t// 'latest' is effectively meaningless in a lockfile, since what 'latest' is could have changed between locking\n\t// TODO: other tags e.g. \"next\", \"old\" (?)\n\t// TODO: non-npm ecosystems\n\tif v == \"latest\" {\n\t\tv = \"*\"\n\t}\n\tc, err := sys.ParseConstraint(v)\n\tif err != nil {\n\t\treturn semver.Set{}, err\n\t}\n\tcSet := c.Set()\n\tfor _, req := range requiredVers[1:] {\n\t\tif req == \"latest\" {\n\t\t\treq = \"*\"\n\t\t}\n\t\tc, err := sys.ParseConstraint(req)\n\t\tif err != nil {\n\t\t\treturn semver.Set{}, err\n\t\t}\n\t\tif err := cSet.Intersect(c.Set()); err != nil {\n\t\t\treturn semver.Set{}, err\n\t\t}\n\t}\n\n\treturn cSet, nil\n}\n\nfunc dependenciesSatisfied(ctx context.Context, cl client.DependencyClient, vk resolve.VersionKey, children []resolve.VersionKey) (bool, error) {\n\tvar deps []resolve.VersionKey\n\tvar optDeps []resolve.VersionKey\n\treqs, err := cl.Requirements(ctx, vk)\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\tfor _, v := range reqs {\n\t\tif v.Type.IsRegular() {\n\t\t\tdeps = append(deps, v.VersionKey)\n\t\t} else if v.Type.HasAttr(dep.Opt) {\n\t\t\toptDeps = append(optDeps, v.VersionKey)\n\t\t}\n\t}\n\t// TODO: correctly handle other attrs e.g. npm peerDependencies\n\n\t// remove the optional deps from the regular deps (because they can show up in both) if they're not already installed\n\tfor _, optVk := range optDeps {\n\t\tif !slices.ContainsFunc(children, func(vk resolve.VersionKey) bool { return vk.Name == optVk.Name }) {\n\t\t\tidx := slices.IndexFunc(deps, func(vk resolve.VersionKey) bool { return vk.Name == optVk.Name })\n\t\t\tif idx >= 0 {\n\t\t\t\tdeps = slices.Delete(deps, idx, idx+1)\n\t\t\t}\n\t\t}\n\t}\n\n\tfor _, depVK := range deps {\n\t\tver := depVK.Version\n\t\t// 'latest' is effectively meaningless in a lockfile, since what 'latest' is could have changed between locking\n\t\t// TODO: Support other tags e.g. \"next\", \"old\" & non-npm ecosystems\n\t\tif ver == \"latest\" {\n\t\t\tver = \"*\"\n\t\t}\n\t\tconstr, err := vk.Semver().ParseConstraint(ver)\n\t\tif err != nil {\n\t\t\treturn false, err\n\t\t}\n\n\t\t// check if any of the current children satisfy this import\n\t\tok := false\n\t\tfor _, child := range children {\n\t\t\tif child.Name == depVK.Name && constr.Match(child.Version) {\n\t\t\t\tok = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !ok {\n\t\t\treturn false, nil\n\t\t}\n\t}\n\n\treturn true, nil\n}\n" }, { "path": "internal/remediation/in_place_test.go", "content": "package remediation_test\n\nimport (\n\t\"cmp\"\n\t\"maps\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/clienttest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc parseInPlaceFixture(t *testing.T, universePath, vulnPath, lockfilePath string) (*resolve.Graph, client.ResolutionClient) {\n\tt.Helper()\n\n\trw, err := lockfile.GetReadWriter(lockfilePath)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get ReadWriter: %v\", err)\n\t}\n\n\tf, err := depfile.OpenLocalDepFile(lockfilePath)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to open lockfile: %v\", err)\n\t}\n\tdefer f.Close()\n\n\tg, err := rw.Read(f)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse lockfile: %v\", err)\n\t}\n\n\treturn g, clienttest.NewMockResolutionClient(t, universePath, vulnPath)\n}\n\nfunc checkInPlaceResults(t *testing.T, res remediation.InPlaceResult) {\n\t// InPlaceResult is too large when dumped as JSON.\n\t// Extract & compare a subset of fields that are relevant for the tests.\n\tt.Helper()\n\n\ttype minimalVuln struct {\n\t\tID string\n\t\tAffectedNodes []resolve.NodeID\n\t}\n\n\ttoMinimalVuln := func(v resolution.Vulnerability) minimalVuln {\n\t\tt.Helper()\n\t\tnodes := make(map[resolve.NodeID]struct{})\n\t\tfor _, sg := range v.Subgraphs {\n\t\t\tnodes[sg.Dependency] = struct{}{}\n\t\t}\n\t\tsortedNodes := slices.AppendSeq(make([]resolve.NodeID, 0, len(nodes)), maps.Keys(nodes))\n\t\tslices.Sort(sortedNodes)\n\n\t\treturn minimalVuln{\n\t\t\tID: v.OSV.GetId(),\n\t\t\tAffectedNodes: sortedNodes,\n\t\t}\n\t}\n\n\ttype minimalPatch struct {\n\t\tPatch lockfile.DependencyPatch\n\t\tResolved []minimalVuln\n\t}\n\n\ttype minimalResult struct {\n\t\tPatches []minimalPatch\n\t\tUnfixable []minimalVuln\n\t}\n\n\tminimalRes := minimalResult{\n\t\tPatches: make([]minimalPatch, len(res.Patches)),\n\t\tUnfixable: make([]minimalVuln, len(res.Unfixable)),\n\t}\n\n\tfor i, p := range res.Patches {\n\t\tminimalRes.Patches[i].Patch = p.DependencyPatch\n\t\tresolved := make([]minimalVuln, len(p.ResolvedVulns))\n\t\tfor j, v := range p.ResolvedVulns {\n\t\t\tresolved[j] = toMinimalVuln(v)\n\t\t}\n\t\tminimalRes.Patches[i].Resolved = resolved\n\t}\n\n\tfor i, v := range res.Unfixable {\n\t\tminimalRes.Unfixable[i] = toMinimalVuln(v)\n\t}\n\n\t// make sure the unfixable vulns are in a stable order\n\tslices.SortFunc(minimalRes.Unfixable, func(a, b minimalVuln) int {\n\t\tif c := cmp.Compare(a.ID, b.ID); c != 0 {\n\t\t\treturn c\n\t\t}\n\n\t\treturn slices.Compare(a.AffectedNodes, b.AffectedNodes)\n\t})\n\n\ttestutility.NewSnapshot().MatchJSON(t, minimalRes)\n}\n\nfunc TestComputeInPlacePatches(t *testing.T) {\n\tt.Parallel()\n\n\tbasicOpts := remediation.Options{\n\t\tDevDeps: true,\n\t\tMaxDepth: -1,\n\t\tUpgradeConfig: upgrade.NewConfig(),\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tuniversePath string\n\t\tvulnPath string\n\t\tlockfilePath string\n\t\topts remediation.Options\n\t}{\n\t\t{\n\t\t\tname: \"npm-santatracker\",\n\t\t\tuniversePath: \"./testdata/santatracker/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/santatracker/vulns.json\",\n\t\t\tlockfilePath: \"./testdata/santatracker/package-lock.json\",\n\t\t\topts: basicOpts,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tg, cl := parseInPlaceFixture(t, tt.universePath, tt.vulnPath, tt.lockfilePath)\n\t\t\tres, err := remediation.ComputeInPlacePatches(t.Context(), cl, g, tt.opts)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Failed to compute in-place patches: %v\", err)\n\t\t\t}\n\t\t\tcheckInPlaceResults(t, res)\n\t\t})\n\t}\n}\n" }, { "path": "internal/remediation/override.go", "content": "package remediation\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/maven\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n)\n\ntype overridePatch struct {\n\tresolve.PackageKey\n\n\tOrigVersion string\n\tNewVersion string\n}\n\n// ComputeOverridePatches attempts to resolve each vulnerability found in result independently, returning the list of unique possible patches.\n// Vulnerabilities are resolved by directly overriding versions of vulnerable packages to non-vulnerable versions.\n// If a patch introduces new vulnerabilities, additional overrides are attempted for the new vulnerabilities.\nfunc ComputeOverridePatches(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, opts Options) ([]resolution.Difference, error) {\n\t// TODO: this is very similar to ComputeRelaxPatches - can the common parts be factored out?\n\t// Filter the original result just in case it hasn't been already\n\tresult.FilterVulns(opts.MatchVuln)\n\n\t// Do the resolutions concurrently\n\ttype overrideResult struct {\n\t\tvulnIDs []string\n\t\tresult *resolution.Result\n\t\tpatches []overridePatch\n\t\terr error\n\t}\n\tch := make(chan overrideResult)\n\tdoOverride := func(vulnIDs []string) {\n\t\tres, patches, err := overridePatchVulns(ctx, cl, result, vulnIDs, opts)\n\t\tif err == nil {\n\t\t\tres.FilterVulns(opts.MatchVuln)\n\t\t}\n\t\tch <- overrideResult{\n\t\t\tvulnIDs: vulnIDs,\n\t\t\tresult: res,\n\t\t\tpatches: patches,\n\t\t\terr: err,\n\t\t}\n\t}\n\n\ttoProcess := 0\n\tfor _, v := range result.Vulns {\n\t\t// TODO: limit the number of goroutines\n\t\tgo doOverride([]string{v.OSV.GetId()})\n\t\ttoProcess++\n\t}\n\n\tvar allResults []resolution.Difference\n\tfor toProcess > 0 {\n\t\tres := <-ch\n\t\ttoProcess--\n\t\tif errors.Is(res.err, errOverrideImpossible) {\n\t\t\tcontinue\n\t\t}\n\n\t\tif res.err != nil {\n\t\t\t// Resolution errors seem to happen when a package/version cannot be found, which isn't uncommon.\n\t\t\t// Just silently skip for now, treating it the same as unfixable.\n\t\t\t// TODO: Log the error somehow.\n\t\t\tcontinue\n\t\t}\n\n\t\tdiff := result.CalculateDiff(res.result)\n\n\t\t// CalculateDiff does not compute override manifest patches correctly, manually fill it out.\n\t\t// TODO: CalculateDiff maybe should not be reconstructing patches.\n\t\t// Refactor CalculateDiff, Relaxer, Override to make patches in a more sane way.\n\t\tdiff.Deps = make([]manifest.DependencyPatch, len(res.patches))\n\t\tfor i, p := range res.patches {\n\t\t\tdiff.Deps[i] = manifest.DependencyPatch{\n\t\t\t\tPkg: p.PackageKey,\n\t\t\t\tType: dep.Type{},\n\t\t\t\tOrigRequire: \"\", // Using empty original to signal this is an override patch\n\t\t\t\tOrigResolved: p.OrigVersion,\n\t\t\t\tNewRequire: p.NewVersion,\n\t\t\t\tNewResolved: p.NewVersion,\n\t\t\t}\n\t\t}\n\n\t\tallResults = append(allResults, diff)\n\n\t\t// If there are any new vulns, try override them as well\n\t\tvar newlyAdded []string\n\t\tfor _, v := range diff.AddedVulns {\n\t\t\tif !slices.Contains(res.vulnIDs, v.OSV.GetId()) {\n\t\t\t\tnewlyAdded = append(newlyAdded, v.OSV.GetId())\n\t\t\t}\n\t\t}\n\n\t\tif len(newlyAdded) > 0 {\n\t\t\tgo doOverride(append(res.vulnIDs, newlyAdded...)) // No need to clone res.vulnIDs here\n\t\t\ttoProcess++\n\t\t}\n\t}\n\n\t// Sort and remove duplicate patches\n\tslices.SortFunc(allResults, func(a, b resolution.Difference) int { return a.Compare(b) })\n\tallResults = slices.CompactFunc(allResults, func(a, b resolution.Difference) bool { return a.Compare(b) == 0 })\n\n\treturn allResults, nil\n}\n\nvar errOverrideImpossible = errors.New(\"cannot fix vulns by overrides\")\n\n// overridePatchVulns tries to fix as many vulns in vulnIDs as possible by overriding dependency versions.\n// returns errOverrideImpossible if 0 vulns are patchable, otherwise returns the most possible patches.\nfunc overridePatchVulns(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, vulnIDs []string, opts Options) (*resolution.Result, []overridePatch, error) {\n\tvar effectivePatches []overridePatch\n\tfor {\n\t\t// Find the relevant vulns affecting each version key.\n\t\tvkVulns := make(map[resolve.VersionKey][]*resolution.Vulnerability)\n\t\tfor i, v := range result.Vulns {\n\t\t\tif !slices.Contains(vulnIDs, v.OSV.GetId()) {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// Keep track of VersionKeys we've seen for this vuln to avoid duplicates.\n\t\t\t// Usually, there will only be one VersionKey per vuln, but some vulns affect multiple packages.\n\t\t\tseenVKs := make(map[resolve.VersionKey]struct{})\n\t\t\t// Use the Subgraphs to find all the affected nodes.\n\t\t\tfor _, sg := range v.Subgraphs {\n\t\t\t\tfor _, e := range sg.Nodes[sg.Dependency].Parents {\n\t\t\t\t\t// Currently, there is no way to know if a specific classifier or type exists for a given version with deps.dev.\n\t\t\t\t\t// Blindly updating versions can lead to compilation failures if the artifact+version+classifier+type doesn't exist.\n\t\t\t\t\t// We can't reliably attempt remediation in these cases, so don't try.\n\t\t\t\t\tif e.Type.HasAttr(dep.MavenClassifier) || e.Type.HasAttr(dep.MavenArtifactType) {\n\t\t\t\t\t\treturn nil, nil, fmt.Errorf(\"%w: cannot fix vulns in artifacts with classifier or type\", errOverrideImpossible)\n\t\t\t\t\t}\n\t\t\t\t\tvk := sg.Nodes[sg.Dependency].Version\n\t\t\t\t\tif _, seen := seenVKs[vk]; !seen {\n\t\t\t\t\t\tvkVulns[vk] = append(vkVulns[vk], &result.Vulns[i])\n\t\t\t\t\t\tseenVKs[vk] = struct{}{}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif len(vkVulns) == 0 {\n\t\t\t// All vulns have been fixed.\n\t\t\tbreak\n\t\t}\n\n\t\tnewPatches := make([]overridePatch, 0, len(vkVulns))\n\n\t\t// For each VersionKey, try fix as many of the vulns affecting it as possible.\n\t\tfor vk, vulnerabilities := range vkVulns {\n\t\t\t// Consider vulns affecting packages we don't want to change unfixable\n\t\t\tif opts.UpgradeConfig.Get(vk.Name) == upgrade.None {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tbestVK := vk\n\t\t\tbestCount := len(vulnerabilities) // remaining vulns\n\t\t\tversions, err := getVersionsGreater(ctx, cl, vk)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, nil, err\n\t\t\t}\n\n\t\t\t// Find the minimal greater version that fixes as many vulnerabilities as possible.\n\t\t\tfor _, ver := range versions {\n\t\t\t\t// Break if we've encountered a disallowed version update.\n\t\t\t\tif _, diff, _ := vk.System.Semver().Difference(vk.Version, ver.Version); !opts.UpgradeConfig.Get(vk.Name).Allows(diff) {\n\t\t\t\t\tbreak\n\t\t\t\t}\n\n\t\t\t\t// Count the remaining known vulns that affect this version.\n\t\t\t\tcount := 0 // remaining vulns\n\t\t\t\tfor _, rv := range vulnerabilities {\n\t\t\t\t\tif vulns.IsAffected(rv.OSV, util.VKToPackageInfo(ver.VersionKey)) {\n\t\t\t\t\t\tcount++\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif count < bestCount {\n\t\t\t\t\t// Found a new candidate.\n\t\t\t\t\tbestCount = count\n\t\t\t\t\tbestVK = ver.VersionKey\n\t\t\t\t\tif bestCount == 0 { // stop if there are 0 vulns remaining\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif bestCount < len(vulnerabilities) {\n\t\t\t\t// Found a version that fixes some vulns.\n\t\t\t\tnewPatches = append(newPatches, overridePatch{\n\t\t\t\t\tPackageKey: vk.PackageKey,\n\t\t\t\t\tOrigVersion: vk.Version,\n\t\t\t\t\tNewVersion: bestVK.Version,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\n\t\tif len(newPatches) == 0 {\n\t\t\tbreak\n\t\t}\n\n\t\t// Patch and re-resolve manifest\n\t\tnewManif, err := patchManifest(newPatches, result.Manifest)\n\t\tif err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\n\t\tresult, err = resolution.Resolve(ctx, cl, newManif, opts.ResolveOpts)\n\t\tif err != nil {\n\t\t\treturn nil, nil, err\n\t\t}\n\n\t\tresult.FilterVulns(opts.MatchVuln)\n\n\t\t// If the patch applies to a package that was already patched before, update the effective patch.\n\t\tfor _, p := range newPatches {\n\t\t\tidx := slices.IndexFunc(effectivePatches, func(op overridePatch) bool { return op.PackageKey == p.PackageKey && op.NewVersion == p.OrigVersion })\n\t\t\tif idx == -1 {\n\t\t\t\teffectivePatches = append(effectivePatches, p)\n\t\t\t} else {\n\t\t\t\teffectivePatches[idx].NewVersion = p.NewVersion\n\t\t\t}\n\t\t}\n\t}\n\n\tif len(effectivePatches) == 0 {\n\t\treturn nil, nil, errOverrideImpossible\n\t}\n\n\t// Sort the patches for deterministic output.\n\tslices.SortFunc(effectivePatches, func(a, b overridePatch) int {\n\t\tif c := a.Compare(b.PackageKey); c != 0 {\n\t\t\treturn c\n\t\t}\n\n\t\treturn a.Semver().Compare(a.OrigVersion, b.OrigVersion)\n\t})\n\n\treturn result, effectivePatches, nil\n}\n\n// getVersionsGreater gets the known versions of a package that are greater than the given version, sorted in ascending order.\nfunc getVersionsGreater(ctx context.Context, cl client.DependencyClient, vk resolve.VersionKey) ([]resolve.Version, error) {\n\t// Get & sort all the valid versions of this package\n\t// TODO: (Maven) skip unlisted versions and versions on other registries\n\tversions, err := cl.Versions(ctx, vk.PackageKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tsemvers := make(map[resolve.VersionKey]*semver.Version)\n\tfor _, ver := range versions {\n\t\tparsed, err := semver.Maven.Parse(ver.Version)\n\t\tif err != nil {\n\t\t\tcmdlogger.Warnf(\"parsing Maven version %s: %v\", parsed, err)\n\t\t\tcontinue\n\t\t}\n\t\tsemvers[ver.VersionKey] = parsed\n\t}\n\n\tcmpFunc := func(a, b resolve.Version) int {\n\t\tif vk.System == resolve.Maven {\n\t\t\treturn maven.CompareVersions(vk, semvers[a.VersionKey], semvers[b.VersionKey])\n\t\t}\n\n\t\treturn vk.Semver().Compare(a.Version, b.Version)\n\t}\n\tslices.SortFunc(versions, cmpFunc)\n\t// Find the index of the next higher version\n\toffset, vkFound := slices.BinarySearchFunc(versions, resolve.Version{VersionKey: vk}, cmpFunc)\n\tif vkFound { // if the given version somehow doesn't exist, offset will already be at the next higher version\n\t\toffset++\n\t}\n\n\treturn versions[offset:], nil\n}\n\n// patchManifest applies the overridePatches to the manifest in-memory. Returns a copy of the manifest that has been patched.\nfunc patchManifest(patches []overridePatch, m manifest.Manifest) (manifest.Manifest, error) {\n\tif m.System() != resolve.Maven {\n\t\treturn manifest.Manifest{}, errors.New(\"unsupported ecosystem\")\n\t}\n\n\t// TODO: The overridePatch does not have an artifact's type or classifier, which is part of what uniquely identifies them.\n\t// This needs to be part of the comparison & added to dependency management for it to override packages that specify them.\n\n\tpatched := m.Clone()\n\n\tfor _, p := range patches {\n\t\tfound := false\n\t\ti := 0\n\t\tfor _, r := range patched.Requirements {\n\t\t\tif r.PackageKey != p.PackageKey {\n\t\t\t\tpatched.Requirements[i] = r\n\t\t\t\ti++\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\torigin, hasOrigin := r.Type.GetAttr(dep.MavenDependencyOrigin)\n\t\t\tif !hasOrigin || origin == maven.OriginManagement {\n\t\t\t\tfound = true\n\t\t\t\tr.Version = p.NewVersion\n\t\t\t\tpatched.Requirements[i] = r\n\t\t\t\ti++\n\t\t\t}\n\t\t}\n\t\tpatched.Requirements = patched.Requirements[:i]\n\t\tif !found {\n\t\t\tnewReq := resolve.RequirementVersion{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: p.PackageKey,\n\t\t\t\t\tVersion: p.NewVersion,\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t},\n\t\t\t}\n\t\t\tnewReq.Type.AddAttr(dep.MavenDependencyOrigin, maven.OriginManagement)\n\t\t\tpatched.Requirements = append(patched.Requirements, newReq)\n\t\t}\n\t}\n\n\treturn patched, nil\n}\n" }, { "path": "internal/remediation/override_test.go", "content": "package remediation_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n)\n\nfunc TestComputeOverridePatches(t *testing.T) {\n\tt.Parallel()\n\n\tbasicOpts := remediation.Options{\n\t\tDevDeps: true,\n\t\tMaxDepth: -1,\n\t\tUpgradeConfig: upgrade.NewConfig(),\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tuniversePath string\n\t\tvulnPath string\n\t\tmanifestPath string\n\t\topts remediation.Options\n\t}{\n\t\t{\n\t\t\tname: \"maven-zeppelin-server\",\n\t\t\tuniversePath: \"./testdata/zeppelin-server/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/zeppelin-server/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/zeppelin-server/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t\t{\n\t\t\tname: \"maven-classifier\",\n\t\t\tuniversePath: \"./testdata/maven-classifier/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/maven-classifier/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/maven-classifier/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t\t{\n\t\t\tname: \"maven-management-only\",\n\t\t\tuniversePath: \"./testdata/zeppelin-server/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/zeppelin-server/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/zeppelin-server/parent/pom.xml\",\n\t\t\topts: remediation.Options{\n\t\t\t\tResolveOpts: resolution.ResolveOpts{\n\t\t\t\t\tMavenManagement: true,\n\t\t\t\t},\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tUpgradeConfig: upgrade.NewConfig(),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"workaround-maven-guava-none-to-jre\",\n\t\t\tuniversePath: \"./testdata/override-workaround/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/override-workaround/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/override-workaround/guava/none-to-jre/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t\t{\n\t\t\tname: \"workaround-maven-guava-jre-to-jre\",\n\t\t\tuniversePath: \"./testdata/override-workaround/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/override-workaround/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/override-workaround/guava/jre-to-jre/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t\t{\n\t\t\tname: \"workaround-maven-guava-android-to-android\",\n\t\t\tuniversePath: \"./testdata/override-workaround/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/override-workaround/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/override-workaround/guava/android-to-android/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t\t{\n\t\t\tname: \"workaround-commons\",\n\t\t\tuniversePath: \"./testdata/override-workaround/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/override-workaround/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/override-workaround/commons/pom.xml\",\n\t\t\topts: basicOpts,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tres, cl := parseRemediationFixture(t, tt.universePath, tt.vulnPath, tt.manifestPath, tt.opts.ResolveOpts)\n\t\t\tres.FilterVulns(tt.opts.MatchVuln)\n\t\t\tp, err := remediation.ComputeOverridePatches(t.Context(), cl, res, tt.opts)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Failed to compute override patches: %v\", err)\n\t\t\t}\n\t\t\tcheckRemediationResults(t, p)\n\t\t})\n\t}\n}\n" }, { "path": "internal/remediation/relax/npm.go", "content": "package relax\n\nimport (\n\t\"context\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\ntype NpmRelaxer struct{}\n\nfunc (r NpmRelaxer) Relax(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, config upgrade.Config) (resolve.RequirementVersion, bool) {\n\tconfigLevel := config.Get(req.Name)\n\tif configLevel == upgrade.None {\n\t\treturn req, false\n\t}\n\n\tc, err := semver.NPM.ParseConstraint(req.Version)\n\tif err != nil {\n\t\t// The specified version is not a valid semver constraint\n\t\t// Check if it's a version tag (usually 'latest') by seeing if there are matching versions\n\t\tvks, err := cl.MatchingVersions(ctx, req.VersionKey)\n\t\tif err != nil || len(vks) == 0 { // no matches, cannot relax\n\t\t\treturn req, false\n\t\t}\n\t\t// Use the first matching version (there should only be one) as a pinned version\n\t\tc, err = semver.NPM.ParseConstraint(vks[0].Version)\n\t\tif err != nil {\n\t\t\treturn req, false\n\t\t}\n\t}\n\n\t// Get all the concrete versions of the package\n\tallVKs, err := cl.Versions(ctx, req.PackageKey)\n\tif err != nil {\n\t\treturn req, false\n\t}\n\tvar vers []string\n\tfor _, vk := range allVKs {\n\t\tif vk.VersionType == resolve.Concrete {\n\t\t\tvers = append(vers, vk.Version)\n\t\t}\n\t}\n\tslices.SortFunc(vers, semver.NPM.Compare)\n\n\t// Find the versions on either side of the upper boundary of the requirement\n\tvar lastIdx int // highest version matching constraint\n\tnextIdx := -1 // next version outside of range, preferring non-prerelease\n\tnextIsPre := true // if the next version is a prerelease version\n\tfor lastIdx = len(vers) - 1; lastIdx >= 0; lastIdx-- {\n\t\tv, err := semver.NPM.Parse(vers[lastIdx])\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tif c.MatchVersion(v) { // found the upper bound, stop iterating\n\t\t\tbreak\n\t\t}\n\n\t\t// Want to prefer non-prerelease versions, so only select one if we haven't seen any non-prerelease versions\n\t\tif !v.IsPrerelease() || nextIsPre {\n\t\t\tnextIdx = lastIdx\n\t\t\tnextIsPre = v.IsPrerelease()\n\t\t}\n\t}\n\n\t// Didn't find any higher versions of the package\n\tif nextIdx == -1 {\n\t\treturn req, false\n\t}\n\n\t// No versions match the existing constraint, something is wrong\n\tif lastIdx == -1 {\n\t\treturn req, false\n\t}\n\n\t// Our desired relaxation ordering is\n\t// 1.2.3 -> 1.2.* -> 1.*.* -> 2.*.* -> 3.*.* -> ...\n\t// But we want to use npm-like version specifiers e.g.\n\t// 1.2.3 -> ~1.2.4 -> ^1.4.5 -> ^2.6.7 -> ^3.8.9 -> ...\n\t// using the latest versions of the ranges\n\n\tcmpVer := vers[lastIdx]\n\t_, diff, _ := semver.NPM.Difference(cmpVer, vers[nextIdx])\n\tif !configLevel.Allows(diff) {\n\t\treturn req, false\n\t}\n\tif diff == semver.DiffMajor {\n\t\t// Want to step only one major version at a time\n\t\t// Instead of looking for a difference larger than major,\n\t\t// we want to look for a major version bump from the first next version\n\t\tcmpVer = vers[nextIdx]\n\t\tdiff = semver.DiffMinor\n\t}\n\n\t// Find the highest version with the same difference\n\tbest := vers[nextIdx]\n\tfor i := nextIdx + 1; i < len(vers); i++ {\n\t\t_, d, err := semver.NPM.Difference(cmpVer, vers[i])\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// If we've exceeded our allowed upgrade level, stop looking.\n\t\tif !configLevel.Allows(d) {\n\t\t\tbreak\n\t\t}\n\n\t\t// DiffMajor < DiffMinor < DiffPatch < DiffPrerelease\n\t\t// So if d is less than the original diff, it represents a larger change\n\t\tif d < diff {\n\t\t\tbreak\n\t\t}\n\t\tver, err := semver.NPM.Parse(vers[i])\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tif !ver.IsPrerelease() || nextIsPre {\n\t\t\tbest = vers[i]\n\t\t}\n\t}\n\n\tif diff == semver.DiffPatch {\n\t\treq.Version = \"~\" + best\n\t} else {\n\t\treq.Version = \"^\" + best\n\t}\n\n\treturn req, true\n}\n" }, { "path": "internal/remediation/relax/npm_test.go", "content": "package relax_test\n\nimport (\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/relax\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\nfunc TestRelaxNpm(t *testing.T) {\n\tt.Parallel()\n\n\ttype result struct {\n\t\tversion string\n\t\tok bool\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tversions []string\n\t\tfrom string\n\t\tupgradeConfig upgrade.Config\n\t\twant result\n\t}{\n\t\t{\n\t\t\tname: \"pinned-to-patch\",\n\t\t\tversions: []string{\"1.2.3\", \"1.2.4\", \"1.2.5\", \"1.3.0\", \"2.0.0\"},\n\t\t\tfrom: \"1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Minor},\n\t\t\twant: result{\n\t\t\t\tversion: \"~1.2.5\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"patch-to-minor\",\n\t\t\tversions: []string{\"1.2.3\", \"1.2.4\", \"1.3.0\", \"1.3.1\", \"2.0.0\"},\n\t\t\tfrom: \"~1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Minor},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.3.1\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"minor-to-next-major\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"2.3.4\", \"2.4.5\", \"3.0.0\"},\n\t\t\tfrom: \"^1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^2.4.5\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"skip-missing-major\",\n\t\t\tversions: []string{\"1.0.0\", \"3.0.0\", \"4.0.0\"},\n\t\t\tfrom: \"^1.0.0\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^3.0.0\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"no-more-versions\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"1.4.5\"},\n\t\t\tfrom: \"^1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.2.3\",\n\t\t\t\tok: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"avoid-prerelease-patch\",\n\t\t\tversions: []string{\"1.2.3\", \"1.2.4\", \"1.2.5-alpha\"},\n\t\t\tfrom: \"1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Minor},\n\t\t\twant: result{\n\t\t\t\tversion: \"~1.2.4\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"avoid-prerelease-minor\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"1.4.5-alpha\"},\n\t\t\tfrom: \"~1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.3.4\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"skip-prerelease\",\n\t\t\tversions: []string{\"1.2.3\", \"2.0.0-alpha\", \"2.0.0\", \"3.0.0\"},\n\t\t\tfrom: \"^1.0.0\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^2.0.0\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"choose-final-prerelease\",\n\t\t\tversions: []string{\"1.2.3\", \"2.0.0-alpha.0\", \"2.0.0-alpha.1\", \"2.0.0-beta\"},\n\t\t\tfrom: \"^1.0.0\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^2.0.0-beta\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"from-prerelease\",\n\t\t\tversions: []string{\"1.0.0-pre\", \"1.2.3\", \"2.0.0-pre\", \"2.3.4\"},\n\t\t\tfrom: \"^1.0.0-pre\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Major},\n\t\t\twant: result{\n\t\t\t\tversion: \"^2.3.4\",\n\t\t\t\tok: true,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"disallow-major\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"2.3.4\", \"2.4.5\", \"3.0.0\"},\n\t\t\tfrom: \"^1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"\": upgrade.Minor},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.2.3\",\n\t\t\t\tok: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"disallow-major-pkg-only\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"2.3.4\", \"2.4.5\", \"3.0.0\"},\n\t\t\tfrom: \"^1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"disallow-major-pkg-only\": upgrade.Minor, \"\": upgrade.None},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.2.3\",\n\t\t\t\tok: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"disallow-pkg\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"2.3.4\", \"2.4.5\", \"3.0.0\"},\n\t\t\tfrom: \"^1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"disallow-pkg\": upgrade.None},\n\t\t\twant: result{\n\t\t\t\tversion: \"^1.2.3\",\n\t\t\t\tok: false,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"disallow-minor\",\n\t\t\tversions: []string{\"1.2.3\", \"1.3.4\", \"2.3.4\", \"2.4.5\", \"3.0.0\"},\n\t\t\tfrom: \"~1.2.3\",\n\t\t\tupgradeConfig: upgrade.Config{\"disallow-minor\": upgrade.Patch},\n\t\t\twant: result{\n\t\t\t\tversion: \"~1.2.3\",\n\t\t\t\tok: false,\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tcl := resolve.NewLocalClient()\n\t\t\tpk := resolve.PackageKey{\n\t\t\t\tName: tt.name,\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t}\n\t\t\tfor _, v := range tt.versions {\n\t\t\t\tcl.AddVersion(resolve.Version{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: pk,\n\t\t\t\t\t\tVersion: v,\n\t\t\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\t\t},\n\t\t\t\t}, nil)\n\t\t\t}\n\n\t\t\trelaxer := relax.NpmRelaxer{}\n\t\t\tgot, ok := relaxer.Relax(t.Context(), cl, resolve.RequirementVersion{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: pk,\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: tt.from,\n\t\t\t\t}}, tt.upgradeConfig)\n\n\t\t\tif got.Version != tt.want.version || ok != tt.want.ok {\n\t\t\t\tt.Errorf(\"Relax() = (%s, %v), want (%s, %v)\", got.Version, ok, tt.want.version, tt.want.ok)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/remediation/relax/relax.go", "content": "// Package relax provides functionality for relaxing version constraints for guided remediation.\npackage relax\n\nimport (\n\t\"context\"\n\t\"errors\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\n// A RequirementRelaxer provides an ecosystem-specific method for 'relaxing' the\n// specified versions of dependencies for vulnerability remediation.\n// Relaxing involves incrementally widening and bumping the version specifiers\n// of the requirement to allow more recent versions to be selected during\n// dependency resolution.\n// It has access to the available versions of a package via a resolve client.\n//\n// e.g. in a semver-like ecosystem, relaxation could follow the sequence:\n// 1.2.3 -> 1.2.* -> 1.*.* -> 2.*.* -> 3.*.* -> ...\ntype RequirementRelaxer interface {\n\t// Relax attempts to relax import requirement.\n\t// Returns the newly relaxed import and true it was successful.\n\t// If unsuccessful, it returns the original import and false.\n\tRelax(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, config upgrade.Config) (resolve.RequirementVersion, bool)\n}\n\nfunc GetRelaxer(ecosystem resolve.System) (RequirementRelaxer, error) {\n\t// TODO: is using ecosystem fine, or should this be per manifest?\n\tswitch ecosystem {\n\tcase resolve.NPM:\n\t\treturn NpmRelaxer{}, nil\n\tdefault:\n\t\treturn nil, errors.New(\"unsupported ecosystem\")\n\t}\n}\n" }, { "path": "internal/remediation/relax.go", "content": "package remediation\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/relax\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n)\n\n// ComputeRelaxPatches attempts to resolve each vulnerability found in result independently, returning the list of unique possible patches\nfunc ComputeRelaxPatches(ctx context.Context, cl client.ResolutionClient, result *resolution.Result, opts Options) ([]resolution.Difference, error) {\n\t// Filter the original result just in case it hasn't been already\n\tresult.FilterVulns(opts.MatchVuln)\n\n\t// Do the resolutions concurrently\n\ttype relaxResult struct {\n\t\tvulnIDs []string\n\t\tresult *resolution.Result\n\t\terr error\n\t}\n\tch := make(chan relaxResult)\n\tdoRelax := func(vulnIDs []string) {\n\t\tres, err := tryRelaxRemediate(ctx, cl, result, vulnIDs, opts)\n\t\tif err == nil {\n\t\t\tres.FilterVulns(opts.MatchVuln)\n\t\t}\n\t\tch <- relaxResult{\n\t\t\tvulnIDs: vulnIDs,\n\t\t\tresult: res,\n\t\t\terr: err,\n\t\t}\n\t}\n\n\ttoProcess := 0\n\tfor _, vuln := range result.Vulns {\n\t\t// TODO: limit the number of goroutines\n\t\tgo doRelax([]string{vuln.OSV.GetId()})\n\t\ttoProcess++\n\t}\n\n\tvar allResults []resolution.Difference\n\tfor toProcess > 0 {\n\t\tres := <-ch\n\t\ttoProcess--\n\t\tif errors.Is(res.err, errRelaxRemediateImpossible) { // failed because it cannot be resolved - do not add it to list\n\t\t\tcontinue\n\t\t}\n\t\tif res.err != nil { // failed for some other reason - abort\n\t\t\t// TODO: stop goroutines\n\t\t\treturn nil, res.err\n\t\t}\n\t\tdiff := result.CalculateDiff(res.result)\n\t\tallResults = append(allResults, diff)\n\n\t\t// If this patch adds a new vuln, see if we can fix it also\n\t\t// TODO: If there's more than 1 added vuln, this can possibly cause every permutation of those vulns to be computed\n\t\tfor _, added := range diff.AddedVulns {\n\t\t\tgo doRelax(append(slices.Clone(res.vulnIDs), added.OSV.GetId()))\n\t\t\ttoProcess++\n\t\t}\n\t}\n\n\t// Sort and remove duplicate patches\n\tslices.SortFunc(allResults, func(a, b resolution.Difference) int { return a.Compare(b) })\n\tallResults = slices.CompactFunc(allResults, func(a, b resolution.Difference) bool { return a.Compare(b) == 0 })\n\n\treturn allResults, nil\n}\n\nvar errRelaxRemediateImpossible = errors.New(\"cannot fix vulns by relaxing\")\n\nfunc tryRelaxRemediate(\n\tctx context.Context,\n\tcl client.ResolutionClient,\n\torig *resolution.Result,\n\tvulnIDs []string,\n\topts Options,\n) (*resolution.Result, error) {\n\trelaxer, err := relax.GetRelaxer(orig.Manifest.System())\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tnewRes := orig\n\ttoRelax := reqsToRelax(ctx, cl, newRes, vulnIDs, opts)\n\tfor len(toRelax) > 0 {\n\t\t// Try relaxing all necessary requirements\n\t\tmanif := newRes.Manifest.Clone()\n\t\tfor _, idx := range toRelax {\n\t\t\trv := manif.Requirements[idx]\n\t\t\t// If we'd need to relax a package we want to avoid changing, we cannot fix the vuln\n\t\t\tif opts.UpgradeConfig.Get(rv.Name) == upgrade.None {\n\t\t\t\treturn nil, errRelaxRemediateImpossible\n\t\t\t}\n\t\t\tnewVer, ok := relaxer.Relax(ctx, cl, rv, opts.UpgradeConfig)\n\t\t\tif !ok {\n\t\t\t\treturn nil, errRelaxRemediateImpossible\n\t\t\t}\n\t\t\tmanif.Requirements[idx] = newVer\n\t\t}\n\n\t\t// re-resolve relaxed manifest\n\t\tnewRes, err = resolution.Resolve(ctx, cl, manif, opts.ResolveOpts)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\ttoRelax = reqsToRelax(ctx, cl, newRes, vulnIDs, opts)\n\t}\n\n\treturn newRes, nil\n}\n\nfunc reqsToRelax(ctx context.Context, cl resolve.Client, res *resolution.Result, vulnIDs []string, opts Options) []int {\n\ttoRelax := make(map[resolve.VersionKey]string)\n\tfor _, v := range res.Vulns {\n\t\t// Don't do a full opts.MatchVuln() since we know we don't need to check every condition\n\t\tif !slices.Contains(vulnIDs, v.OSV.GetId()) || (!opts.DevDeps && v.DevOnly) {\n\t\t\tcontinue\n\t\t}\n\t\t// Only relax dependencies if their distance is less than MaxDepth\n\t\tfor _, sg := range v.Subgraphs {\n\t\t\tconstr := sg.ConstrainingSubgraph(ctx, cl, v.OSV)\n\t\t\tfor _, edge := range constr.Nodes[0].Children {\n\t\t\t\tgNode := constr.Nodes[edge.To]\n\t\t\t\tif opts.MaxDepth <= 0 || gNode.Distance+1 <= opts.MaxDepth {\n\t\t\t\t\ttoRelax[gNode.Version] = edge.Requirement\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Find the index into the Manifest.Requirements of each that needs to be relaxed\n\treqIdxs := make([]int, 0, len(toRelax))\n\tfor vk, req := range toRelax {\n\t\tidx := slices.IndexFunc(res.Manifest.Requirements, func(rv resolve.RequirementVersion) bool {\n\t\t\treturn rv.PackageKey == vk.PackageKey && rv.Version == req\n\t\t})\n\t\treqIdxs = append(reqIdxs, idx)\n\t}\n\n\treturn reqIdxs\n}\n" }, { "path": "internal/remediation/relax_test.go", "content": "package remediation_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\nfunc TestComputeRelaxPatches(t *testing.T) {\n\tt.Parallel()\n\n\tbasicOpts := remediation.Options{\n\t\tDevDeps: true,\n\t\tMaxDepth: -1,\n\t\tUpgradeConfig: upgrade.NewConfig(),\n\t}\n\n\ttests := []struct {\n\t\tname string\n\t\tuniversePath string\n\t\tvulnPath string\n\t\tmanifestPath string\n\t\topts remediation.Options\n\t}{\n\t\t{\n\t\t\tname: \"npm-santatracker\",\n\t\t\tuniversePath: \"./testdata/santatracker/universe.yaml\",\n\t\t\tvulnPath: \"./testdata/santatracker/vulns.json\",\n\t\t\tmanifestPath: \"./testdata/santatracker/package.json\",\n\t\t\topts: basicOpts,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tres, cl := parseRemediationFixture(t, tt.universePath, tt.vulnPath, tt.manifestPath, tt.opts.ResolveOpts)\n\t\t\tres.FilterVulns(tt.opts.MatchVuln)\n\t\t\tp, err := remediation.ComputeRelaxPatches(t.Context(), cl, res, tt.opts)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"Failed to compute relaxation patches: %v\", err)\n\t\t\t}\n\t\t\tcheckRemediationResults(t, p)\n\t\t})\n\t}\n}\n" }, { "path": "internal/remediation/remediation.go", "content": "package remediation\n\nimport (\n\t\"math\"\n\t\"slices\"\n\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n)\n\n// TODO: Supported strategies should be part of the manifest/lockfile ReadWriter directly\n\nfunc SupportsRelax(m manifest.ReadWriter) bool {\n\tswitch m.(type) {\n\tcase manifest.NpmReadWriter:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc SupportsOverride(m manifest.ReadWriter) bool {\n\tswitch m.(type) {\n\tcase manifest.MavenReadWriter:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc SupportsInPlace(l lockfile.ReadWriter) bool {\n\tswitch l.(type) {\n\tcase lockfile.NpmReadWriter:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\ntype Options struct {\n\tresolution.ResolveOpts\n\n\tIgnoreVulns []string // Vulnerability IDs to ignore\n\tExplicitVulns []string // If set, only consider these vulnerability IDs & ignore all others\n\n\tDevDeps bool // Whether to consider vulnerabilities in dev dependencies\n\tMinSeverity float64 // Minimum vulnerability CVSS score to consider\n\tMaxDepth int // Maximum depth of dependency to consider vulnerabilities for (e.g. 1 for direct only)\n\n\tUpgradeConfig upgrade.Config // Allowed upgrade levels per package.\n}\n\nfunc (opts Options) MatchVuln(v resolution.Vulnerability) bool {\n\tif opts.matchID(v, opts.IgnoreVulns) {\n\t\treturn false\n\t}\n\n\tif len(opts.ExplicitVulns) > 0 && !opts.matchID(v, opts.ExplicitVulns) {\n\t\treturn false\n\t}\n\n\tif !opts.DevDeps && v.DevOnly {\n\t\treturn false\n\t}\n\n\treturn opts.matchSeverity(v) && opts.matchDepth(v)\n}\n\nfunc (opts Options) matchID(v resolution.Vulnerability, ids []string) bool {\n\tif slices.Contains(ids, v.OSV.GetId()) {\n\t\treturn true\n\t}\n\n\tfor _, id := range v.OSV.GetAliases() {\n\t\tif slices.Contains(ids, id) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (opts Options) matchSeverity(v resolution.Vulnerability) bool {\n\tmaxScore := -1.0\n\t// TODO: also check OSV.Affected[].Severity\n\tfor _, sev := range v.OSV.GetSeverity() {\n\t\tif score, _, _ := severity.CalculateScore(sev); score > maxScore {\n\t\t\tmaxScore = score\n\t\t}\n\t}\n\n\t// CVSS scores are meant to only be to 1 decimal place\n\t// and we want to avoid something being falsely rejected/included due to floating point precision.\n\t// Multiply and round to only consider relevant parts of the score.\n\treturn math.Round(10*maxScore) >= math.Round(10*opts.MinSeverity) ||\n\t\tmaxScore < 0 // Always include vulns with unknown severities\n}\n\nfunc (opts Options) matchDepth(v resolution.Vulnerability) bool {\n\tif opts.MaxDepth <= 0 {\n\t\treturn true\n\t}\n\n\tfor _, sg := range v.Subgraphs {\n\t\tif sg.Nodes[0].Distance <= opts.MaxDepth {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "internal/remediation/remediation_test.go", "content": "package remediation_test\n\nimport (\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc TestMatchVuln(t *testing.T) {\n\tt.Parallel()\n\tvar (\n\t\t// ID: VULN-001, Dev: false, Severity: 6.6, Depth: 3, Aliases: CVE-111, OSV-2\n\t\tvuln1 = resolution.Vulnerability{\n\t\t\tOSV: &osvschema.Vulnerability{\n\t\t\t\tId: \"VULN-001\",\n\t\t\t\tSeverity: []*osvschema.Severity{\n\t\t\t\t\t{Type: osvschema.Severity_CVSS_V3, Score: \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H\"}, // 6.6\n\t\t\t\t\t{Type: osvschema.Severity_CVSS_V2, Score: \"AV:L/AC:L/Au:S/C:P/I:P/A:C\"}, // 5.7\n\t\t\t\t},\n\t\t\t\tAliases: []string{\"CVE-111\", \"OSV-2\"},\n\t\t\t},\n\t\t\tDevOnly: false,\n\t\t\tSubgraphs: []*resolution.DependencySubgraph{{\n\t\t\t\tDependency: 3,\n\t\t\t\tNodes: map[resolve.NodeID]resolution.GraphNode{\n\t\t\t\t\t3: {\n\t\t\t\t\t\tDistance: 0,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 2, To: 3}},\n\t\t\t\t\t\tChildren: []resolve.Edge{},\n\t\t\t\t\t},\n\t\t\t\t\t2: {\n\t\t\t\t\t\tDistance: 1,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 1, To: 2}},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 2, To: 3}},\n\t\t\t\t\t},\n\t\t\t\t\t1: {\n\t\t\t\t\t\tDistance: 2,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 0, To: 1}},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 1, To: 2}},\n\t\t\t\t\t},\n\t\t\t\t\t0: {\n\t\t\t\t\t\tDistance: 3,\n\t\t\t\t\t\tParents: []resolve.Edge{},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 0, To: 1}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}},\n\t\t}\n\t\t// ID: VULN-002, Dev: true, Severity: N/A, Depth: 2\n\t\tvuln2 = resolution.Vulnerability{\n\t\t\tOSV: &osvschema.Vulnerability{\n\t\t\t\tId: \"VULN-002\",\n\t\t\t\t// No severity\n\t\t\t},\n\t\t\tDevOnly: true,\n\t\t\tSubgraphs: []*resolution.DependencySubgraph{{\n\t\t\t\tDependency: 3,\n\t\t\t\tNodes: map[resolve.NodeID]resolution.GraphNode{\n\t\t\t\t\t3: {\n\t\t\t\t\t\tDistance: 0,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 2, To: 3}, {From: 1, To: 3}},\n\t\t\t\t\t\tChildren: []resolve.Edge{},\n\t\t\t\t\t},\n\t\t\t\t\t2: {\n\t\t\t\t\t\tDistance: 1,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 1, To: 2}},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 2, To: 3}},\n\t\t\t\t\t},\n\t\t\t\t\t1: {\n\t\t\t\t\t\tDistance: 1,\n\t\t\t\t\t\tParents: []resolve.Edge{{From: 0, To: 1}},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 1, To: 2}, {From: 1, To: 3}},\n\t\t\t\t\t},\n\t\t\t\t\t0: {\n\t\t\t\t\t\tDistance: 2,\n\t\t\t\t\t\tParents: []resolve.Edge{},\n\t\t\t\t\t\tChildren: []resolve.Edge{{From: 0, To: 1}},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t}},\n\t\t}\n\t)\n\ttests := []struct {\n\t\tname string\n\t\tvuln resolution.Vulnerability\n\t\topt remediation.Options\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"basic_match\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_depth\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: 2,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_depth\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: 1,\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_severity\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tMinSeverity: 6.6,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_severity\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tMinSeverity: 6.7,\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_unknown_severity\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tMinSeverity: 10.0,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_non-dev\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: false,\n\t\t\t\tMaxDepth: -1,\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_dev\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: false,\n\t\t\t\tMaxDepth: -1,\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_ID_excluded\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tIgnoreVulns: []string{\"VULN-001\"},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_ID_not_in_explicit\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tExplicitVulns: []string{\"VULN-999\"},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_ID_in_explicit,_but_not_matching_other_fields\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: false,\n\t\t\t\tMaxDepth: 1,\n\t\t\t\tExplicitVulns: []string{\"VULN-002\"},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_matching_multiple_1\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: false,\n\t\t\t\tMaxDepth: 3,\n\t\t\t\tMinSeverity: 5.0,\n\t\t\t\tIgnoreVulns: []string{\"VULN-999\"},\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_matching_multiple_2\",\n\t\t\tvuln: vuln2,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: 2,\n\t\t\t\tMinSeverity: 8.8,\n\t\t\t\tExplicitVulns: []string{\"VULN-002\"},\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"accept_explicit_ID_in_alias\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tExplicitVulns: []string{\"CVE-111\"},\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"reject_excluded_ID_in_alias\",\n\t\t\tvuln: vuln1,\n\t\t\topt: remediation.Options{\n\t\t\t\tDevDeps: true,\n\t\t\t\tMaxDepth: -1,\n\t\t\t\tIgnoreVulns: []string{\"OSV-2\"},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif got := tt.opt.MatchVuln(tt.vuln); got != tt.want {\n\t\t\t\tt.Errorf(\"MatchVuln() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/remediation/suggest/maven.go", "content": "package suggest\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/maven\"\n)\n\ntype MavenSuggester struct{}\n\n// Suggest returns the ManifestPatch to update Maven dependencies to a newer\n// version based on the options.\n// ManifestPatch also includes the property patches to update.\nfunc (ms *MavenSuggester) Suggest(ctx context.Context, cl resolve.Client, mf manifest.Manifest, opts Options) (manifest.Patch, error) {\n\tspecific, ok := mf.EcosystemSpecific.(manifest.MavenManifestSpecific)\n\tif !ok {\n\t\treturn manifest.Patch{}, errors.New(\"invalid MavenManifestSpecific data\")\n\t}\n\n\tvar changedDeps []manifest.DependencyPatch\n\tfor _, req := range append(mf.Requirements, specific.RequirementsForUpdates...) {\n\t\tif opts.UpgradeConfig.Get(req.Name) == upgrade.None {\n\t\t\tcontinue\n\t\t}\n\n\t\tif opts.IgnoreDev && slices.Contains(mf.Groups[manifest.MakeRequirementKey(req)], \"test\") {\n\t\t\t// Skip the update if the dependency is of development group\n\t\t\t// and updates on development dependencies are not desired\n\t\t\tcontinue\n\t\t}\n\t\tif strings.Contains(req.Name, \"${\") && strings.Contains(req.Version, \"${\") {\n\t\t\t// If there are unresolved properties, we should skip this version.\n\t\t\tcontinue\n\t\t}\n\n\t\tlatest, err := suggestMavenVersion(ctx, cl, req, opts.UpgradeConfig.Get(req.Name))\n\t\tif err != nil {\n\t\t\treturn manifest.Patch{}, fmt.Errorf(\"suggesting latest version of %s: %w\", req.Version, err)\n\t\t}\n\t\tif latest.Version == req.Version {\n\t\t\t// No need to update\n\t\t\tcontinue\n\t\t}\n\n\t\tchangedDeps = append(changedDeps, manifest.DependencyPatch{\n\t\t\tPkg: req.PackageKey,\n\t\t\tType: req.Type,\n\t\t\tOrigRequire: req.Version,\n\t\t\tNewRequire: latest.Version,\n\t\t})\n\t}\n\n\treturn manifest.Patch{\n\t\tDeps: changedDeps,\n\t\tManifest: &mf,\n\t}, nil\n}\n\n// suggestMavenVersion returns the latest version based on the given Maven requirement version.\n// If there is no newer version available, req will be returned.\n// For a version range requirement,\n// - the greatest version matching the constraint is assumed when deciding whether the\n// update is a major update or not.\n// - if the latest version does not satisfy the constraint, this version is returned;\n// otherwise, the original version range requirement is returned.\nfunc suggestMavenVersion(ctx context.Context, cl resolve.Client, req resolve.RequirementVersion, level upgrade.Level) (resolve.RequirementVersion, error) {\n\tversions, err := cl.Versions(ctx, req.PackageKey)\n\tif err != nil {\n\t\treturn resolve.RequirementVersion{}, fmt.Errorf(\"requesting versions of Maven package %s: %w\", req.Name, err)\n\t}\n\tsemvers := make([]*semver.Version, 0, len(versions))\n\tfor _, ver := range versions {\n\t\tparsed, err := semver.Maven.Parse(ver.Version)\n\t\tif err != nil {\n\t\t\tcmdlogger.Warnf(\"parsing Maven version %s: %v\", parsed, err)\n\t\t\tcontinue\n\t\t}\n\t\tsemvers = append(semvers, parsed)\n\t}\n\n\tconstraint, err := semver.Maven.ParseConstraint(req.Version)\n\tif err != nil {\n\t\treturn resolve.RequirementVersion{}, fmt.Errorf(\"parsing Maven constraint %s: %w\", req.Version, err)\n\t}\n\n\tvar current *semver.Version\n\tif constraint.IsSimple() {\n\t\t// Constraint is a simple version string, so can be parsed to a single version.\n\t\tcurrent, err = semver.Maven.Parse(req.Version)\n\t\tif err != nil {\n\t\t\treturn resolve.RequirementVersion{}, fmt.Errorf(\"parsing Maven version %s: %w\", req.Version, err)\n\t\t}\n\t} else {\n\t\t// Guess the latest version satisfying the constraint is being used\n\t\tfor _, v := range semvers {\n\t\t\tif constraint.MatchVersion(v) && current.Compare(v) < 0 {\n\t\t\t\tcurrent = v\n\t\t\t}\n\t\t}\n\t}\n\n\tvar newReq *semver.Version\n\tfor _, v := range semvers {\n\t\tif maven.CompareVersions(req.VersionKey, v, newReq) < 0 {\n\t\t\t// Skip versions smaller than the current requirement\n\t\t\tcontinue\n\t\t}\n\t\tif _, diff := v.Difference(current); !level.Allows(diff) {\n\t\t\tcontinue\n\t\t}\n\t\tnewReq = v\n\t}\n\tif constraint.IsSimple() || !constraint.MatchVersion(newReq) {\n\t\t// For version range requirement, update the requirement if the\n\t\t// new requirement does not satisfy the constraint.\n\t\treq.Version = newReq.String()\n\t}\n\n\treturn req, nil\n}\n" }, { "path": "internal/remediation/suggest/maven_test.go", "content": "package suggest\n\nimport (\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"sort\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n)\n\nvar (\n\tdepMgmt = depTypeWithOrigin(\"management\")\n\tdepParent = depTypeWithOrigin(\"parent\")\n\tdepPlugin = depTypeWithOrigin(\"plugin@org.plugin:plugin\")\n\tdepProfileOne = depTypeWithOrigin(\"profile@profile-one\")\n\tdepProfileTwoMgmt = depTypeWithOrigin(\"profile@profile-two@management\")\n)\n\nfunc depTypeWithOrigin(origin string) dep.Type {\n\tvar result dep.Type\n\tresult.AddAttr(dep.MavenDependencyOrigin, origin)\n\n\treturn result\n}\n\nfunc mavenReqKey(t *testing.T, name, artifactType, classifier string) manifest.RequirementKey {\n\tt.Helper()\n\tvar typ dep.Type\n\tif artifactType != \"\" {\n\t\ttyp.AddAttr(dep.MavenArtifactType, artifactType)\n\t}\n\tif classifier != \"\" {\n\t\ttyp.AddAttr(dep.MavenClassifier, classifier)\n\t}\n\n\treturn manifest.MakeRequirementKey(resolve.RequirementVersion{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tName: name,\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t},\n\t\t},\n\t\tType: typ,\n\t})\n}\n\nfunc TestMavenSuggester_Suggest(t *testing.T) {\n\tt.Parallel()\n\tctx := t.Context()\n\tclient := resolve.NewLocalClient()\n\taddVersions := func(sys resolve.System, name string, versions []string) {\n\t\tfor _, version := range versions {\n\t\t\tclient.AddVersion(resolve.Version{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: sys,\n\t\t\t\t\t\tName: name,\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\t\tVersion: version,\n\t\t\t\t}}, nil)\n\t\t}\n\t}\n\taddVersions(resolve.Maven, \"com.mycompany.app:parent-pom\", []string{\"1.0.0\"})\n\taddVersions(resolve.Maven, \"junit:junit\", []string{\"4.11\", \"4.12\", \"4.13\", \"4.13.2\"})\n\taddVersions(resolve.Maven, \"org.example:abc\", []string{\"1.0.0\", \"1.0.1\", \"1.0.2\"})\n\taddVersions(resolve.Maven, \"org.example:no-updates\", []string{\"9.9.9\", \"10.0.0\"})\n\taddVersions(resolve.Maven, \"org.example:property\", []string{\"1.0.0\", \"1.0.1\"})\n\taddVersions(resolve.Maven, \"org.example:same-property\", []string{\"1.0.0\", \"1.0.1\"})\n\taddVersions(resolve.Maven, \"org.example:another-property\", []string{\"1.0.0\", \"1.1.0\"})\n\taddVersions(resolve.Maven, \"org.example:property-no-update\", []string{\"1.9.0\", \"2.0.0\"})\n\taddVersions(resolve.Maven, \"org.example:xyz\", []string{\"2.0.0\", \"2.0.1\"})\n\taddVersions(resolve.Maven, \"org.profile:abc\", []string{\"1.2.3\", \"1.2.4\"})\n\taddVersions(resolve.Maven, \"org.profile:def\", []string{\"2.3.4\", \"2.3.5\"})\n\taddVersions(resolve.Maven, \"org.import:xyz\", []string{\"6.6.6\", \"6.7.0\", \"7.0.0\"})\n\taddVersions(resolve.Maven, \"org.dep:plugin-dep\", []string{\"2.3.1\", \"2.3.2\", \"2.3.3\", \"2.3.4\"})\n\n\tsuggester, err := GetSuggester(resolve.Maven)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get Maven suggester: %v\", err)\n\t}\n\n\tdepProfileTwoMgmt.AddAttr(dep.MavenArtifactType, \"pom\")\n\tdepProfileTwoMgmt.AddAttr(dep.Scope, \"import\")\n\n\tmf := manifest.Manifest{\n\t\tFilePath: filepath.Join(\"testdata\", \"pom.xml\"),\n\t\tRoot: resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"com.mycompany.app:my-app\",\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t},\n\t\t},\n\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t{\n\t\t\t\t// Test dependencies are not updated.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"junit:junit\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"4.12\",\n\t\t\t\t},\n\t\t\t\tType: dep.NewType(dep.Test),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:abc\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\t// A package is specified to disallow updates.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:no-updates\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"9.9.9\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\t// The universal property should be updated.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:property\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\t// Property cannot be updated, so update the dependency directly.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:property-no-update\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.9\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\t// The property is updated to the same value.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:same-property\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\t// Property needs to be updated to a different value,\n\t\t\t\t// so update dependency directly.\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:another-property\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:xyz\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t},\n\t\tGroups: map[manifest.RequirementKey][]string{\n\t\t\tmavenReqKey(t, \"junit:junit\", \"\", \"\"): {\"test\"},\n\t\t\tmavenReqKey(t, \"org.import:xyz\", \"\", \"\"): {\"import\"},\n\t\t},\n\t\tEcosystemSpecific: manifest.MavenManifestSpecific{\n\t\t\tRequirementsForUpdates: []resolve.RequirementVersion{\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"com.mycompany.app:parent-pom\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depParent,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.profile:abc\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depProfileOne,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.profile:def\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"2.3.4\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depProfileOne,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\t// A package is specified to ignore major updates.\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.import:xyz\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"6.6.6\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depProfileTwoMgmt,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.dep:plugin-dep\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"2.3.3\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depPlugin,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tgot, err := suggester.Suggest(ctx, client, mf, Options{\n\t\tIgnoreDev: true, // Do no update test dependencies.\n\t\tUpgradeConfig: upgrade.Config{\n\t\t\t\"org.example:no-updates\": upgrade.None,\n\t\t\t\"org.import:xyz\": upgrade.Minor,\n\t\t},\n\t})\n\tif err != nil {\n\t\tt.Fatalf(\"failed to suggest ManifestPatch: %v\", err)\n\t}\n\n\twant := manifest.Patch{\n\t\tDeps: []manifest.DependencyPatch{\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.dep:plugin-dep\",\n\t\t\t\t},\n\t\t\t\tType: depPlugin,\n\t\t\t\tOrigRequire: \"2.3.3\",\n\t\t\t\tNewRequire: \"2.3.4\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:abc\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"1.0.1\",\n\t\t\t\tNewRequire: \"1.0.2\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:another-property\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"1.0.0\",\n\t\t\t\tNewRequire: \"1.1.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:property\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"1.0.0\",\n\t\t\t\tNewRequire: \"1.0.1\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:property-no-update\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"1.9\",\n\t\t\t\tNewRequire: \"2.0.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:same-property\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"1.0.0\",\n\t\t\t\tNewRequire: \"1.0.1\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.example:xyz\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t\tOrigRequire: \"2.0.0\",\n\t\t\t\tNewRequire: \"2.0.1\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.import:xyz\",\n\t\t\t\t},\n\t\t\t\tType: depProfileTwoMgmt,\n\t\t\t\tOrigRequire: \"6.6.6\",\n\t\t\t\tNewRequire: \"6.7.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.profile:abc\",\n\t\t\t\t},\n\t\t\t\tType: depProfileOne,\n\t\t\t\tOrigRequire: \"1.2.3\",\n\t\t\t\tNewRequire: \"1.2.4\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"org.profile:def\",\n\t\t\t\t},\n\t\t\t\tType: depProfileOne,\n\t\t\t\tOrigRequire: \"2.3.4\",\n\t\t\t\tNewRequire: \"2.3.5\",\n\t\t\t},\n\t\t},\n\t\tManifest: &mf,\n\t}\n\tsort.Slice(got.Deps, func(i, j int) bool {\n\t\treturn got.Deps[i].Pkg.Name < got.Deps[j].Pkg.Name\n\t})\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Fatalf(\"ManifestPatch suggested does not match expected: got %v\\n want %v\", got, want)\n\t}\n}\n\nfunc Test_suggestMavenVersion(t *testing.T) {\n\tt.Parallel()\n\tctx := t.Context()\n\tlc := resolve.NewLocalClient()\n\n\tpk := resolve.PackageKey{\n\t\tSystem: resolve.Maven,\n\t\tName: \"abc:xyz\",\n\t}\n\tfor _, version := range []string{\"1.0.0\", \"1.0.1\", \"1.1.0\", \"1.2.3\", \"2.0.0\", \"2.2.2\", \"2.3.4\"} {\n\t\tlc.AddVersion(resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: version,\n\t\t\t}}, nil)\n\t}\n\n\ttests := []struct {\n\t\trequirement string\n\t\tlevel upgrade.Level\n\t\twant string\n\t}{\n\t\t{\"1.0.0\", upgrade.Major, \"2.3.4\"},\n\t\t// No major updates allowed\n\t\t{\"1.0.0\", upgrade.Minor, \"1.2.3\"},\n\t\t// Only allow patch updates\n\t\t{\"1.0.0\", upgrade.Patch, \"1.0.1\"},\n\t\t// Version range requirement is not outdated\n\t\t{\"[1.0.0,)\", upgrade.Major, \"[1.0.0,)\"},\n\t\t{\"[2.0.0,2.3.4]\", upgrade.Major, \"[2.0.0,2.3.4]\"},\n\t\t// Version range requirement is outdated\n\t\t{\"[2.0.0,2.3.4)\", upgrade.Major, \"2.3.4\"},\n\t\t{\"[2.0.0,2.2.2]\", upgrade.Major, \"2.3.4\"},\n\t\t// Version range requirement is outdated but latest version is a major update\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Major, \"2.3.4\"},\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Minor, \"[1.0.0,2.0.0)\"},\n\t}\n\tfor _, tt := range tests {\n\t\tvk := resolve.VersionKey{\n\t\t\tPackageKey: pk,\n\t\t\tVersionType: resolve.Requirement,\n\t\t\tVersion: tt.requirement,\n\t\t}\n\t\twant := resolve.RequirementVersion{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: tt.want,\n\t\t\t},\n\t\t}\n\t\tgot, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"fail to suggest a new version for %v: %v\", vk, err)\n\t\t}\n\t\tif !reflect.DeepEqual(got, want) {\n\t\t\tt.Errorf(\"suggestMavenVersion(%v, %v): got %s want %s\", vk, tt.level, got, want)\n\t\t}\n\t}\n}\n\nfunc TestSuggestVersion_Guava(t *testing.T) {\n\tt.Parallel()\n\tctx := t.Context()\n\tlc := resolve.NewLocalClient()\n\n\tpk := resolve.PackageKey{\n\t\tSystem: resolve.Maven,\n\t\tName: \"com.google.guava:guava\",\n\t}\n\tfor _, version := range []string{\"1.0.0\", \"1.0.1-android\", \"1.0.1-jre\", \"1.1.0-android\", \"1.1.0-jre\", \"2.0.0-android\", \"2.0.0-jre\"} {\n\t\tlc.AddVersion(resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: version,\n\t\t\t}}, nil)\n\t}\n\n\ttests := []struct {\n\t\trequirement string\n\t\tlevel upgrade.Level\n\t\twant string\n\t}{\n\t\t{\"1.0.0\", upgrade.Major, \"2.0.0-jre\"},\n\t\t// Update to the version with the same flavour\n\t\t{\"1.0.1-jre\", upgrade.Major, \"2.0.0-jre\"},\n\t\t{\"1.0.1-android\", upgrade.Major, \"2.0.0-android\"},\n\t\t{\"1.0.1-jre\", upgrade.Minor, \"1.1.0-jre\"},\n\t\t{\"1.0.1-android\", upgrade.Minor, \"1.1.0-android\"},\n\t\t// Version range requirement is not outdated\n\t\t{\"[1.0.0,)\", upgrade.Major, \"[1.0.0,)\"},\n\t\t// Version range requirement is outdated and the latest version is a major update\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Major, \"2.0.0-jre\"},\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Minor, \"[1.0.0,2.0.0)\"},\n\t}\n\tfor _, tt := range tests {\n\t\tvk := resolve.VersionKey{\n\t\t\tPackageKey: pk,\n\t\t\tVersionType: resolve.Requirement,\n\t\t\tVersion: tt.requirement,\n\t\t}\n\t\twant := resolve.RequirementVersion{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: tt.want,\n\t\t\t},\n\t\t}\n\t\tgot, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"fail to suggest a new version for %v: %v\", vk, err)\n\t\t}\n\t\tif !reflect.DeepEqual(got, want) {\n\t\t\tt.Errorf(\"suggestMavenVersion(%v, %v): got %s want %s\", vk, tt.level, got, want)\n\t\t}\n\t}\n}\n\nfunc TestSuggestVersion_Commons(t *testing.T) {\n\tt.Parallel()\n\tctx := t.Context()\n\tlc := resolve.NewLocalClient()\n\n\tpk := resolve.PackageKey{\n\t\tSystem: resolve.Maven,\n\t\tName: \"commons-io:commons-io\",\n\t}\n\tfor _, version := range []string{\"1.0.0\", \"1.0.1\", \"1.1.0\", \"2.0.0\", \"20010101.000000\"} {\n\t\tlc.AddVersion(resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: version,\n\t\t\t}}, nil)\n\t}\n\n\ttests := []struct {\n\t\trequirement string\n\t\tlevel upgrade.Level\n\t\twant string\n\t}{\n\t\t{\"1.0.0\", upgrade.Major, \"2.0.0\"},\n\t\t// No major updates allowed\n\t\t{\"1.0.0\", upgrade.Minor, \"1.1.0\"},\n\t\t// Only allow patch updates\n\t\t{\"1.0.0\", upgrade.Patch, \"1.0.1\"},\n\t\t// Version range requirement is not outdated\n\t\t{\"[1.0.0,)\", upgrade.Major, \"[1.0.0,)\"},\n\t\t// Version range requirement is outdated and the latest version is a major update\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Major, \"2.0.0\"},\n\t\t{\"[1.0.0,2.0.0)\", upgrade.Minor, \"[1.0.0,2.0.0)\"},\n\t}\n\tfor _, tt := range tests {\n\t\tvk := resolve.VersionKey{\n\t\t\tPackageKey: pk,\n\t\t\tVersionType: resolve.Requirement,\n\t\t\tVersion: tt.requirement,\n\t\t}\n\t\twant := resolve.RequirementVersion{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: tt.want,\n\t\t\t},\n\t\t}\n\t\tgot, err := suggestMavenVersion(ctx, lc, resolve.RequirementVersion{VersionKey: vk}, tt.level)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"fail to suggest a new version for %v: %v\", vk, err)\n\t\t}\n\t\tif !reflect.DeepEqual(got, want) {\n\t\t\tt.Errorf(\"suggestMavenVersion(%v, %v): got %s want %s\", vk, tt.level, got, want)\n\t\t}\n\t}\n}\n" }, { "path": "internal/remediation/suggest/suggest.go", "content": "// Package suggest provides functionality for suggesting version updates.\npackage suggest\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n)\n\ntype Options struct {\n\tIgnoreDev bool // Whether we should ignore development dependencies for updates\n\tUpgradeConfig upgrade.Config // Allowed upgrade levels per package.\n}\n\n// A PatchSuggester provides an ecosystem-specific method for 'suggesting'\n// ManifestPatch for dependency updates.\ntype PatchSuggester interface {\n\t// Suggest returns the ManifestPatch required to update the dependencies to\n\t// a newer version based on the given options.\n\t// ManifestPatch includes ecosystem-specific information.\n\tSuggest(ctx context.Context, client resolve.Client, mf manifest.Manifest, opts Options) (manifest.Patch, error)\n}\n\nfunc GetSuggester(system resolve.System) (PatchSuggester, error) {\n\tswitch system {\n\tcase resolve.Maven:\n\t\treturn &MavenSuggester{}, nil\n\tcase resolve.NPM:\n\t\treturn nil, errors.New(\"npm not yet supported\")\n\tcase resolve.UnknownSystem:\n\t\treturn nil, errors.New(\"unknown system\")\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unsupported ecosystem: %v\", system)\n\t}\n}\n" }, { "path": "internal/remediation/testdata/maven-classifier/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/maven-classifier/pom.xml", "content": "\n 4.0.0\n dev.osv\n maven-classifier\n 1\n \n \n com.github.javafaker\n javafaker\n 1.0.2\n \n \n \n\n" }, { "path": "internal/remediation/testdata/maven-classifier/universe.yaml", "content": "# Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:05 AEDT. DO NOT EDIT.\nsystem: Maven\nschema: |\n com.github.javafaker:javafaker\n \t1.0.2\n \t\torg.apache.commons:commons-lang3@3.5\n \t\tMavenClassifier android|org.yaml:snakeyaml@1.23\n \t\tcom.github.mifmif:generex@1.0.2\n com.github.mifmif:generex\n \t1.0.2\n \t\tdk.brics.automaton:automaton@1.11-8\n dk.brics.automaton:automaton\n \t1.11-8\n org.apache.commons:commons-lang3\n \t3.5\n \t3.18.0\n org.apache.commons:commons-parent\n \t41\n \t85\n org.apache:apache\n \t18\n \t35\n org.junit:junit-bom\n \t5.13.1\n org.sonatype.oss:oss-parent\n \t7\n org.yaml:snakeyaml\n \t1.23\n" }, { "path": "internal/remediation/testdata/maven-classifier/vulns.json", "content": "{\n \"vulns\": [\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"published\": \"2025-07-11T15:31:37Z\",\n \"modified\": \"2025-11-05T20:34:04.566048Z\",\n \"aliases\": [\n \"CVE-2025-48924\"\n ],\n \"related\": [\n \"CGA-22cr-f3cr-c7cm\",\n \"CGA-29x5-f7v5-rrg6\",\n \"CGA-2fmr-p6rq-h6gj\",\n \"CGA-48h5-566h-rvpp\",\n \"CGA-4fcv-jq36-r7hx\",\n \"CGA-523g-m72h-8798\",\n \"CGA-6pxc-gq99-gpx4\",\n \"CGA-6v52-24xf-x875\",\n \"CGA-78fw-62xf-9rm8\",\n \"CGA-7r2r-4fw7-h3qv\",\n \"CGA-8c99-22mx-hg38\",\n \"CGA-8w2x-v747-c9c7\",\n \"CGA-8x43-fp55-w32w\",\n \"CGA-9j28-2jv5-qv67\",\n \"CGA-9rcm-4h29-rv8h\",\n \"CGA-ff3x-mc4g-82q2\",\n \"CGA-g3gg-7c6f-x6qx\",\n \"CGA-hj53-w7gr-6f9r\",\n \"CGA-j6cx-9v8j-x9cc\",\n \"CGA-j84p-prch-g8wm\",\n \"CGA-j8w2-rj92-x353\",\n \"CGA-j93m-mcxv-7hxr\",\n \"CGA-jvxv-2xch-6xjm\",\n \"CGA-m7pc-jwx3-vm7v\",\n \"CGA-mhg4-342v-w7xq\",\n \"CGA-mp4q-mrjj-8862\",\n \"CGA-p7fm-p736-2fmc\",\n \"CGA-p87f-qfxg-x45v\",\n \"CGA-pxx2-65vr-8cc4\",\n \"CGA-rc28-932p-89cv\",\n \"CGA-v52f-47gw-2xcm\",\n \"CGA-vxhq-8vpg-mr2p\"\n ],\n \"summary\": \"Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs\",\n \"details\": \"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-lang3\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-lang3\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0\"\n },\n {\n \"fixed\": \"3.18.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.10\",\n \"3.11\",\n \"3.12.0\",\n \"3.13.0\",\n \"3.14.0\",\n \"3.15.0\",\n \"3.16.0\",\n \"3.17.0\",\n \"3.2\",\n \"3.2.1\",\n \"3.3\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"commons-lang:commons-lang\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-lang/commons-lang\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"last_affected\": \"2.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48924\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-lang\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/07/11/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-12T00:48:03Z\",\n \"nvd_published_at\": \"2025-07-11T15:15:24Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3mc7-4q67-w48m\",\n \"published\": \"2022-08-31T00:00:24Z\",\n \"modified\": \"2024-03-15T19:20:56.900754Z\",\n \"aliases\": [\n \"CVE-2022-25857\"\n ],\n \"related\": [\n \"CGA-8mhp-9r8c-whw4\",\n \"CGA-v8c3-wc4q-hfmx\",\n \"CGA-w753-xwwq-8ch4\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in snakeyaml\",\n \"details\": \"The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-3mc7-4q67-w48m/GHSA-3mc7-4q67-w48m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/snakeyaml/snakeyaml/commit/fc300780da21f4bb92c148bc90257201220cf174\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/commits/fc300780da21f4bb92c148bc90257201220cf174\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/525\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-776\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-09T17:53:43Z\",\n \"nvd_published_at\": \"2022-08-30T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-98wm-3w3q-mw94\",\n \"published\": \"2022-09-06T00:00:27Z\",\n \"modified\": \"2024-03-15T12:49:11.748743Z\",\n \"aliases\": [\n \"CVE-2022-38751\"\n ],\n \"related\": [\n \"CGA-765h-9f88-48rm\",\n \"CGA-hrp6-hg6x-533q\",\n \"CGA-vf63-mx7x-xrxr\"\n ],\n \"summary\": \"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write\",\n \"details\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-98wm-3w3q-mw94/GHSA-98wm-3w3q-mw94.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38751\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/src/master/src/test/java/org/yaml/snakeyaml/issues/issue530/Fuzzy47039Test.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0010\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-16T17:45:10Z\",\n \"nvd_published_at\": \"2022-09-05T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9w3m-gqgf-c4p9\",\n \"published\": \"2022-09-06T00:00:27Z\",\n \"modified\": \"2024-03-15T12:59:23.253312Z\",\n \"aliases\": [\n \"CVE-2022-38752\"\n ],\n \"related\": [\n \"CGA-7jxj-mv7q-86xp\",\n \"CGA-85g9-6hwh-32gx\",\n \"CGA-jqmf-qxq4-phw6\",\n \"CGA-ph82-mcm9-7236\"\n ],\n \"summary\": \"snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write\",\n \"details\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.32\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.31\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-9w3m-gqgf-c4p9/GHSA-9w3m-gqgf-c4p9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38752\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0009\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-13T21:29:45Z\",\n \"nvd_published_at\": \"2022-09-05T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c4r9-r8fh-9vj2\",\n \"published\": \"2022-09-06T00:00:27Z\",\n \"modified\": \"2024-03-15T12:49:34.373482Z\",\n \"aliases\": [\n \"CVE-2022-38749\"\n ],\n \"related\": [\n \"CGA-8qv6-x47g-j5ch\",\n \"CGA-pc67-qgg2-hpmq\",\n \"CGA-prmx-f7v5-87x2\"\n ],\n \"summary\": \"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write\",\n \"details\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"be.cylab:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/be.cylab/snakeyaml\"\n },\n \"versions\": [\n \"1.25.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.alipay.sofa.acts:acts-common-util\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.alipay.sofa.acts/acts-common-util\"\n },\n \"versions\": [\n \"1.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.prometheus.jmx:jmx_prometheus_httpserver\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.prometheus.jmx/jmx_prometheus_httpserver\"\n },\n \"versions\": [\n \"0.17.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.prometheus.jmx:jmx_prometheus_httpserver_java6\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.prometheus.jmx/jmx_prometheus_httpserver_java6\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"0.18.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.17.0\",\n \"0.17.1\",\n \"0.17.2\",\n \"0.18.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.testifyproject.external:external-snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.testifyproject.external/external-snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9.5\",\n \"0.9.6\",\n \"0.9.7\",\n \"0.9.8\",\n \"0.9.9\",\n \"1.0.0\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"pl.droidsonroids.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/pl.droidsonroids.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.18.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.18-android\",\n \"1.18.1\",\n \"1.18.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-c4r9-r8fh-9vj2/GHSA-c4r9-r8fh-9vj2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38749\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534.pdf\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0010\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-15T03:27:43Z\",\n \"nvd_published_at\": \"2022-09-05T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hhhw-99gj-p3c3\",\n \"published\": \"2022-09-06T00:00:27Z\",\n \"modified\": \"2024-03-15T12:49:06.729862Z\",\n \"aliases\": [\n \"CVE-2022-38750\"\n ],\n \"related\": [\n \"CGA-5jp4-3j6v-xcj7\",\n \"CGA-67vf-v8g4-c73c\",\n \"CGA-xgv4-vx4w-mxg9\"\n ],\n \"summary\": \"snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write\",\n \"details\": \"Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-hhhw-99gj-p3c3/GHSA-hhhw-99gj-p3c3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-38750\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0010\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-16T21:17:07Z\",\n \"nvd_published_at\": \"2022-09-05T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mjmj-j48q-9wg2\",\n \"published\": \"2022-12-12T21:19:47Z\",\n \"modified\": \"2025-06-18T18:37:13.356609Z\",\n \"aliases\": [\n \"CVE-2022-1471\"\n ],\n \"related\": [\n \"CGA-23vr-f599-cmcv\",\n \"CGA-4j46-m77j-2622\",\n \"CGA-7w78-ggr5-pfxv\",\n \"CGA-7xrx-m75c-pc58\",\n \"CGA-g9mf-8vr4-m7x9\",\n \"CGA-gmmv-497r-8r6h\",\n \"CGA-mhgw-xcxh-mprj\",\n \"CGA-p6jg-fjvm-fx3w\",\n \"CGA-r36x-jx84-2cgp\",\n \"CVE-2022-1471\"\n ],\n \"summary\": \"SnakeYaml Constructor Deserialization Remote Code Execution\",\n \"details\": \"### Summary\\nSnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows\\nany type be deserialized given the following line:\\n\\nnew Yaml(new Constructor(TestDataClass.class)).load(yamlContent);\\n\\nTypes do not have to match the types of properties in the\\ntarget class. A `ConstructorException` is thrown, but only after a malicious\\npayload is deserialized.\\n\\n### Severity\\nHigh, lack of type checks during deserialization allows remote code execution.\\n\\n### Proof of Concept\\nExecute `bash run.sh`. The PoC uses Constructor to deserialize a payload\\nfor RCE. RCE is demonstrated by using a payload which performs a http request to\\nhttp://127.0.0.1:8000.\\n\\nExample output of successful run of proof of concept:\\n\\n```\\n$ bash run.sh\\n\\n[+] Downloading snakeyaml if needed\\n[+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE\\nnc: no process found\\n[+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server.\\n[+] An exception is expected.\\nException:\\nCannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0\\n in 'string', line 1, column 1:\\n payload: !!javax.script.ScriptEn ... \\n ^\\nCan not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\\n in 'string', line 1, column 10:\\n payload: !!javax.script.ScriptEngineManag ... \\n ^\\n\\n\\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291)\\n\\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172)\\n\\tat org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332)\\n\\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230)\\n\\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220)\\n\\tat org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174)\\n\\tat org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158)\\n\\tat org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491)\\n\\tat org.yaml.snakeyaml.Yaml.load(Yaml.java:416)\\n\\tat Main.main(Main.java:37)\\nCaused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager\\n\\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167)\\n\\tat java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171)\\n\\tat java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81)\\n\\tat java.base/java.lang.reflect.Field.set(Field.java:780)\\n\\tat org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44)\\n\\tat org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286)\\n\\t... 9 more\\n[+] Dumping Received HTTP Request. Will not be empty if PoC worked\\nGET /proof-of-concept HTTP/1.1\\nUser-Agent: Java/11.0.14\\nHost: localhost:8000\\nAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\\nConnection: keep-alive\\n```\\n\\n### Further Analysis\\nPotential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content.\\n\\nSee https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject.\\n\\n### Timeline\\n**Date reported**: 4/11/2022\\n**Date fixed**: [30/12/2022](https://bitbucket.org/snakeyaml/snakeyaml/pull-requests/44)\\n**Date disclosed**: 10/13/2022\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.31\",\n \"1.32\",\n \"1.33\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.33\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-mjmj-j48q-9wg2/GHSA-mjmj-j48q-9wg2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-1471\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230818-0015\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://infosecwriteups.com/%EF%B8%8F-inside-the-160-comment-fight-to-fix-snakeyamls-rce-default-1a20c5ca4d4c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/mbechler/marshalsec\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://confluence.atlassian.com/security/cve-2022-1471-snakeyaml-library-rce-vulnerability-in-multiple-products-1296171009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/11/19/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-12T21:19:47Z\",\n \"nvd_published_at\": \"2022-12-01T11:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rvwf-54qp-4r6v\",\n \"published\": \"2021-06-04T21:37:45Z\",\n \"modified\": \"2024-03-15T05:36:20.539640Z\",\n \"aliases\": [\n \"CVE-2017-18640\"\n ],\n \"summary\": \"SnakeYAML Entity Expansion during load operation\",\n \"details\": \"The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.26\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rvwf-54qp-4r6v/GHSA-rvwf-54qp-4r6v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-18640\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2@%3Cpr.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b@%3Cdev.phoenix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/asomov/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a@%3Ccommits.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/asomov/snakeyaml/wiki/Changes\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/377\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457@%3Ccommits.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e@%3Cdev.phoenix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea@%3Ccommits.pulsar.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-776\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-04T21:34:16Z\",\n \"nvd_published_at\": \"2019-12-12T03:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w37g-rhq8-7m4j\",\n \"published\": \"2022-11-11T19:00:31Z\",\n \"modified\": \"2024-06-25T02:34:20.451152Z\",\n \"aliases\": [\n \"CVE-2022-41854\"\n ],\n \"related\": [\n \"CGA-7rjv-f2q6-55mp\",\n \"CGA-vgmg-hv2p-g7h8\",\n \"CGA-vgwv-c777-jqwv\",\n \"CGA-w2jj-p5v7-324x\"\n ],\n \"summary\": \"Snakeyaml vulnerable to Stack overflow leading to denial of service\",\n \"details\": \"Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.yaml:snakeyaml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.yaml/snakeyaml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.32\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23\",\n \"1.24\",\n \"1.25\",\n \"1.26\",\n \"1.27\",\n \"1.28\",\n \"1.29\",\n \"1.30\",\n \"1.31\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-w37g-rhq8-7m4j/GHSA-w37g-rhq8-7m4j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41854\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/commits/e230a1758842beec93d28eddfde568c21774780a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/snakeyaml/snakeyaml/issues/531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DDXEXXWAZGF5AVHIPGFPXIWL6TSMKJE\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7MKE4XWRXTH32757H7QJU4ACS67DYDCR\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSPAJ5Y45A4ZDION2KN5RDWLHK4XKY2J\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240315-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-21T22:27:27Z\",\n \"nvd_published_at\": \"2022-11-11T13:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/remediation/testdata/override-workaround/commons/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/override-workaround/commons/pom.xml", "content": "\n 4.0.0\n \n dev.osv\n osv-fix\n 1\n\n \n \n commons-beanutils\n commons-beanutils\n 20020520\n \n \n commons-httpclient\n commons-httpclient\n 3.0\n \n \n\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/android-to-android/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/android-to-android/pom.xml", "content": "\n 4.0.0\n \n dev.osv\n osv-fix\n 1\n\n \n \n com.google.guava\n guava\n 22.0-android\n \n \n\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/jre-to-jre/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/jre-to-jre/pom.xml", "content": "\n 4.0.0\n \n dev.osv\n osv-fix\n 1\n\n \n \n com.google.guava\n guava\n 23.1-jre\n \n \n\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/none-to-jre/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/override-workaround/guava/none-to-jre/pom.xml", "content": "\n 4.0.0\n \n dev.osv\n osv-fix\n 1\n\n \n \n com.google.guava\n guava\n 20.0\n \n \n\n" }, { "path": "internal/remediation/testdata/override-workaround/universe.yaml", "content": "system: Maven\nschema: |\n com.google.guava:guava\n 20.0\n 21.0\n 22.0\n 22.0-android\n 23.0\n 23.0-android\n 23.1-android\n 23.1-jre\n 24.0-android\n 24.0-jre\n commons-beanutils:commons-beanutils\n 1.0\n 1.2\n 1.9.0\n 1.9.3\n 1.9.4\n 20020520\n 20021128.082114\n 20030211.134440\n commons-httpclient:commons-httpclient\n 2.0.2\n 3.0\n 3.1\n 20020423\n" }, { "path": "internal/remediation/testdata/override-workaround/vulns.json", "content": "{\n \"vulns\": [\n {\n \"id\": \"OSV-000-000\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"com.google.guava:guava\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"24.0-android\"\n }\n ]\n }\n ],\n \"versions\": [\n \"20.0\",\n \"21.0\",\n \"22.0\",\n \"22.0-android\",\n \"23.0\",\n \"23.0-android\",\n \"23.1-android\",\n \"23.1-jre\"\n ]\n }\n ]\n },\n {\n \"id\": \"GHSA-6phf-73q6-gh87\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-beanutils:commons-beanutils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.4\"\n },\n {\n \"introduced\": \"20020520\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.2\",\n \"1.9.0\",\n \"1.9.3\",\n \"20020520\",\n \"20021128.082114\",\n \"20030211.134440\"\n ]\n }\n ]\n },\n {\n \"id\": \"GHSA-3832-9276-x7gf\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Maven\",\n \"name\": \"commons-httpclient:commons-httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0\"\n },\n {\n \"fixed\": \"4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0\",\n \"3.1\"\n ]\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/remediation/testdata/santatracker/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/santatracker/package.json", "content": "{\n \"name\": \"santatracker\",\n \"version\": \"2021.1.0\",\n \"license\": \"Apache-2.0\",\n \"scripts\": {\n \"dev\": \"npm run start\",\n \"start\": \"./serve.js\",\n \"release\": \"./release.js\",\n \"test\": \"mocha-headless-server src/api/test.html\",\n \"staging-check\": \"node .cloudbuild/staging-check.js\",\n \"postinstall\": \"ln -s ../node_modules static/node_modules || true\"\n },\n \"dependencies\": {\n \"@babel/core\": \"^7.6.0\",\n \"@babel/preset-env\": \"^7.6.0\",\n \"@rollup/plugin-commonjs\": \"^21.0.1\",\n \"@rollup/plugin-node-resolve\": \"^13.0.6\",\n \"@webcomponents/webcomponentsjs\": \"^2.4.0\",\n \"autoprefixer\": \"^9.3.0\",\n \"babel-plugin-func-wrap\": \"^1.1.0\",\n \"chai\": \"^4.2.0\",\n \"chalk\": \"^2.4.2\",\n \"clipboardy\": \"^2.1.0\",\n \"core-js\": \"^3.3.2\",\n \"custom-event-polyfill\": \"^1.0.7\",\n \"dat.gui\": \"^0.7.3\",\n \"dhost\": \"^0.1.9\",\n \"esm-resolve\": \"^1.0.6\",\n \"event-target\": \"^1.2.3\",\n \"fancy-log\": \"^1.3.2\",\n \"fast-async\": \"^6.3.8\",\n \"firebase\": \"^8.10.0\",\n \"git-last-commit\": \"^1.0.1\",\n \"google-closure-compiler\": \"^20190909.0.0\",\n \"google-closure-library\": \"^20190909.0.0\",\n \"html-entities\": \"^1.2.1\",\n \"html-minifier\": \"^4.0.0\",\n \"html-modules-polyfill\": \"^0.1.0\",\n \"iframe-load\": \"^0.1.4\",\n \"jquery\": \"^3.5.0\",\n \"jsdom\": \"^12.2.0\",\n \"json5\": \"^2.1.0\",\n \"lit-element\": \"^2.2.1\",\n \"lottie-web\": \"^5.5.10\",\n \"mime-types\": \"^2.1.21\",\n \"mocha\": \"^5.2.0\",\n \"mocha-headless-server\": \"^0.1.2\",\n \"parse5\": \"^5.1.0\",\n \"polka\": \"^0.5.2\",\n \"pretty-ms\": \"^4.0.0\",\n \"regenerator-runtime\": \"^0.13.3\",\n \"rimraf\": \"^3.0.2\",\n \"rollup\": \"^2.59.0\",\n \"sass\": \"^1.22.9\",\n \"terser\": \"^3.10.11\",\n \"tmp\": \"^0.0.33\",\n \"unistore\": \"^3.4.1\",\n \"web-animations-js\": \"^2.3.1\",\n \"whatwg-fetch\": \"^3.0.0\",\n \"yargs\": \"^12.0.2\"\n },\n \"devDependencies\": {\n \"@google-cloud/cloudbuild\": \"^2.6.0\",\n \"@google-cloud/error-reporting\": \"^2.0.4\"\n }\n}\n" }, { "path": "internal/remediation/testdata/santatracker/universe.yaml", "content": "# Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:04 AEDT. DO NOT EDIT.\nsystem: NPM\nschema: |\n @arr/every\n \t1.0.0\n \t1.0.1\n @babel/code-frame\n \t7.0.0\n \t\t@babel/highlight@^7.0.0\n \t7.5.5\n \t\t@babel/highlight@^7.0.0\n \t7.27.1\n \t\t@babel/helper-validator-identifier@^7.27.1\n \t\tjs-tokens@^4.0.0\n \t\tpicocolors@^1.1.1\n @babel/compat-data\n \t7.28.5\n @babel/core\n \t7.6.0\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.6.0\n \t\t@babel/helpers@^7.6.0\n \t\t@babel/parser@^7.6.0\n \t\t@babel/template@^7.6.0\n \t\t@babel/traverse@^7.6.0\n \t\t@babel/types@^7.6.0\n \t\tconvert-source-map@^1.1.0\n \t\tdebug@^4.1.0\n \t\tjson5@^2.1.0\n \t\tlodash@^4.17.13\n \t\tresolve@^1.3.2\n \t\tsemver@^5.4.1\n \t\tsource-map@^0.5.0\n \t7.28.4\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.28.3\n \t\t@babel/helper-compilation-targets@^7.27.2\n \t\t@babel/helper-module-transforms@^7.28.3\n \t\t@babel/helpers@^7.28.4\n \t\t@babel/parser@^7.28.4\n \t\t@babel/template@^7.27.2\n \t\t@babel/traverse@^7.28.4\n \t\t@babel/types@^7.28.4\n \t\t@jridgewell/remapping@^2.3.5\n \t\tconvert-source-map@^2.0.0\n \t\tdebug@^4.1.0\n \t\tgensync@^1.0.0-beta.2\n \t\tjson5@^2.2.3\n \t\tsemver@^6.3.1\n @babel/generator\n \t7.6.0\n \t\t@babel/types@^7.6.0\n \t\tjsesc@^2.5.1\n \t\tlodash@^4.17.13\n \t\tsource-map@^0.5.0\n \t\ttrim-right@^1.0.1\n \t7.28.5\n \t\t@babel/parser@^7.28.5\n \t\t@babel/types@^7.28.5\n \t\t@jridgewell/gen-mapping@^0.3.12\n \t\t@jridgewell/trace-mapping@^0.3.28\n \t\tjsesc@^3.0.2\n @babel/helper-annotate-as-pure\n \t7.0.0\n \t\t@babel/types@^7.0.0\n \t7.27.3\n \t\t@babel/types@^7.27.3\n @babel/helper-builder-binary-assignment-operator-visitor\n \t7.1.0\n \t\t@babel/helper-explode-assignable-expression@^7.1.0\n \t\t@babel/types@^7.0.0\n @babel/helper-call-delegate\n \t7.4.4\n \t\t@babel/helper-hoist-variables@^7.4.4\n \t\t@babel/traverse@^7.4.4\n \t\t@babel/types@^7.4.4\n @babel/helper-compilation-targets\n \t7.27.2\n \t\t@babel/compat-data@^7.27.2\n \t\t@babel/helper-validator-option@^7.27.1\n \t\tbrowserslist@^4.24.0\n \t\tlru-cache@^5.1.1\n \t\tsemver@^6.3.1\n @babel/helper-create-class-features-plugin\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-annotate-as-pure@^7.27.3\n \t\t@babel/helper-member-expression-to-functions@^7.28.5\n \t\t@babel/helper-optimise-call-expression@^7.27.1\n \t\t@babel/helper-replace-supers@^7.27.1\n \t\t@babel/helper-skip-transparent-expression-wrappers@^7.27.1\n \t\t@babel/traverse@^7.28.5\n \t\tsemver@^6.3.1\n @babel/helper-create-regexp-features-plugin\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-annotate-as-pure@^7.27.3\n \t\tregexpu-core@^6.3.1\n \t\tsemver@^6.3.1\n @babel/helper-define-map\n \t7.5.5\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/types@^7.5.5\n \t\tlodash@^4.17.13\n @babel/helper-define-polyfill-provider\n \t0.6.5\n \t\tScope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0\n \t\t@babel/helper-compilation-targets@^7.27.2\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\tdebug@^4.4.1\n \t\tlodash.debounce@^4.0.8\n \t\tresolve@^1.22.10\n @babel/helper-explode-assignable-expression\n \t7.1.0\n \t\t@babel/traverse@^7.1.0\n \t\t@babel/types@^7.0.0\n @babel/helper-function-name\n \t7.1.0\n \t\t@babel/helper-get-function-arity@^7.0.0\n \t\t@babel/template@^7.1.0\n \t\t@babel/types@^7.0.0\n @babel/helper-get-function-arity\n \t7.0.0\n \t\t@babel/types@^7.0.0\n @babel/helper-globals\n \t7.28.0\n @babel/helper-hoist-variables\n \t7.4.4\n \t\t@babel/types@^7.4.4\n @babel/helper-member-expression-to-functions\n \t7.5.5\n \t\t@babel/types@^7.5.5\n \t7.28.5\n \t\t@babel/traverse@^7.28.5\n \t\t@babel/types@^7.28.5\n @babel/helper-module-imports\n \t7.0.0\n \t\t@babel/types@^7.0.0\n \t7.27.1\n \t\t@babel/traverse@^7.27.1\n \t\t@babel/types@^7.27.1\n @babel/helper-module-transforms\n \t7.5.5\n \t\t@babel/helper-module-imports@^7.0.0\n \t\t@babel/helper-simple-access@^7.1.0\n \t\t@babel/helper-split-export-declaration@^7.4.4\n \t\t@babel/template@^7.4.4\n \t\t@babel/types@^7.5.5\n \t\tlodash@^4.17.13\n \t7.28.3\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-module-imports@^7.27.1\n \t\t@babel/helper-validator-identifier@^7.27.1\n \t\t@babel/traverse@^7.28.3\n @babel/helper-optimise-call-expression\n \t7.0.0\n \t\t@babel/types@^7.0.0\n \t7.27.1\n \t\t@babel/types@^7.27.1\n @babel/helper-plugin-utils\n \t7.0.0\n \t7.27.1\n @babel/helper-regex\n \t7.5.5\n \t\tlodash@^4.17.13\n @babel/helper-remap-async-to-generator\n \t7.1.0\n \t\t@babel/helper-annotate-as-pure@^7.0.0\n \t\t@babel/helper-wrap-function@^7.1.0\n \t\t@babel/template@^7.1.0\n \t\t@babel/traverse@^7.1.0\n \t\t@babel/types@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-annotate-as-pure@^7.27.1\n \t\t@babel/helper-wrap-function@^7.27.1\n \t\t@babel/traverse@^7.27.1\n @babel/helper-replace-supers\n \t7.5.5\n \t\t@babel/helper-member-expression-to-functions@^7.5.5\n \t\t@babel/helper-optimise-call-expression@^7.0.0\n \t\t@babel/traverse@^7.5.5\n \t\t@babel/types@^7.5.5\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-member-expression-to-functions@^7.27.1\n \t\t@babel/helper-optimise-call-expression@^7.27.1\n \t\t@babel/traverse@^7.27.1\n @babel/helper-simple-access\n \t7.1.0\n \t\t@babel/template@^7.1.0\n \t\t@babel/types@^7.0.0\n @babel/helper-skip-transparent-expression-wrappers\n \t7.27.1\n \t\t@babel/traverse@^7.27.1\n \t\t@babel/types@^7.27.1\n @babel/helper-split-export-declaration\n \t7.4.4\n \t\t@babel/types@^7.4.4\n @babel/helper-string-parser\n \t7.27.1\n @babel/helper-validator-identifier\n \t7.28.5\n @babel/helper-validator-option\n \t7.27.1\n @babel/helper-wrap-function\n \t7.2.0\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/template@^7.1.0\n \t\t@babel/traverse@^7.1.0\n \t\t@babel/types@^7.2.0\n \t7.28.3\n \t\t@babel/template@^7.27.2\n \t\t@babel/traverse@^7.28.3\n \t\t@babel/types@^7.28.2\n @babel/helpers\n \t7.6.0\n \t\t@babel/template@^7.6.0\n \t\t@babel/traverse@^7.6.0\n \t\t@babel/types@^7.6.0\n \t7.6.2\n \t\t@babel/template@^7.6.0\n \t\t@babel/traverse@^7.6.2\n \t\t@babel/types@^7.6.0\n \t7.7.0\n \t\t@babel/template@^7.7.0\n \t\t@babel/traverse@^7.7.0\n \t\t@babel/types@^7.7.0\n \t7.7.4\n \t\t@babel/template@^7.7.4\n \t\t@babel/traverse@^7.7.4\n \t\t@babel/types@^7.7.4\n \t7.8.0\n \t\t@babel/template@^7.8.0\n \t\t@babel/traverse@^7.8.0\n \t\t@babel/types@^7.8.0\n \t7.8.3\n \t\t@babel/template@^7.8.3\n \t\t@babel/traverse@^7.8.3\n \t\t@babel/types@^7.8.3\n \t7.8.4\n \t\t@babel/template@^7.8.3\n \t\t@babel/traverse@^7.8.4\n \t\t@babel/types@^7.8.3\n \t7.9.0\n \t\t@babel/template@^7.8.3\n \t\t@babel/traverse@^7.9.0\n \t\t@babel/types@^7.9.0\n \t7.9.2\n \t\t@babel/template@^7.8.3\n \t\t@babel/traverse@^7.9.0\n \t\t@babel/types@^7.9.0\n \t7.9.6\n \t\t@babel/template@^7.8.3\n \t\t@babel/traverse@^7.9.6\n \t\t@babel/types@^7.9.6\n \t7.10.0\n \t\t@babel/template@^7.10.0\n \t\t@babel/traverse@^7.10.0\n \t\t@babel/types@^7.10.0\n \t7.10.1\n \t\t@babel/template@^7.10.1\n \t\t@babel/traverse@^7.10.1\n \t\t@babel/types@^7.10.1\n \t7.10.4\n \t\t@babel/template@^7.10.4\n \t\t@babel/traverse@^7.10.4\n \t\t@babel/types@^7.10.4\n \t7.12.1\n \t\t@babel/template@^7.10.4\n \t\t@babel/traverse@^7.12.1\n \t\t@babel/types@^7.12.1\n \t7.12.5\n \t\t@babel/template@^7.10.4\n \t\t@babel/traverse@^7.12.5\n \t\t@babel/types@^7.12.5\n \t7.12.13\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.12.13\n \t\t@babel/types@^7.12.13\n \t7.12.17\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.12.17\n \t\t@babel/types@^7.12.17\n \t7.13.0\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.13.0\n \t\t@babel/types@^7.13.0\n \t7.13.10\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.13.0\n \t\t@babel/types@^7.13.0\n \t7.13.16\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.13.15\n \t\t@babel/types@^7.13.16\n \t7.13.17\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.13.17\n \t\t@babel/types@^7.13.17\n \t7.14.0\n \t\t@babel/template@^7.12.13\n \t\t@babel/traverse@^7.14.0\n \t\t@babel/types@^7.14.0\n \t7.14.5\n \t\t@babel/template@^7.14.5\n \t\t@babel/traverse@^7.14.5\n \t\t@babel/types@^7.14.5\n \t7.14.6\n \t\t@babel/template@^7.14.5\n \t\t@babel/traverse@^7.14.5\n \t\t@babel/types@^7.14.5\n \t7.14.8\n \t\t@babel/template@^7.14.5\n \t\t@babel/traverse@^7.14.8\n \t\t@babel/types@^7.14.8\n \t7.15.3\n \t\t@babel/template@^7.14.5\n \t\t@babel/traverse@^7.15.0\n \t\t@babel/types@^7.15.0\n \t7.15.4\n \t\t@babel/template@^7.15.4\n \t\t@babel/traverse@^7.15.4\n \t\t@babel/types@^7.15.4\n \t7.16.0\n \t\t@babel/template@^7.16.0\n \t\t@babel/traverse@^7.16.0\n \t\t@babel/types@^7.16.0\n \t7.16.3\n \t\t@babel/template@^7.16.0\n \t\t@babel/traverse@^7.16.3\n \t\t@babel/types@^7.16.0\n \t7.16.5\n \t\t@babel/template@^7.16.0\n \t\t@babel/traverse@^7.16.5\n \t\t@babel/types@^7.16.0\n \t7.16.7\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.16.7\n \t\t@babel/types@^7.16.7\n \t7.17.0\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.17.0\n \t\t@babel/types@^7.17.0\n \t7.17.2\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.17.0\n \t\t@babel/types@^7.17.0\n \t7.17.7\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.17.3\n \t\t@babel/types@^7.17.0\n \t7.17.8\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.17.3\n \t\t@babel/types@^7.17.0\n \t7.17.9\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.17.9\n \t\t@babel/types@^7.17.0\n \t7.18.0\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.18.0\n \t\t@babel/types@^7.18.0\n \t7.18.2\n \t\t@babel/template@^7.16.7\n \t\t@babel/traverse@^7.18.2\n \t\t@babel/types@^7.18.2\n \t7.18.6\n \t\t@babel/template@^7.18.6\n \t\t@babel/traverse@^7.18.6\n \t\t@babel/types@^7.18.6\n \t7.18.9\n \t\t@babel/template@^7.18.6\n \t\t@babel/traverse@^7.18.9\n \t\t@babel/types@^7.18.9\n \t7.19.0\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.19.0\n \t\t@babel/types@^7.19.0\n \t7.19.4\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.19.4\n \t\t@babel/types@^7.19.4\n \t7.20.0\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.20.0\n \t\t@babel/types@^7.20.0\n \t7.20.1\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.20.1\n \t\t@babel/types@^7.20.0\n \t7.20.5\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.20.5\n \t\t@babel/types@^7.20.5\n \t7.20.6\n \t\t@babel/template@^7.18.10\n \t\t@babel/traverse@^7.20.5\n \t\t@babel/types@^7.20.5\n \t7.20.7\n \t\t@babel/template@^7.20.7\n \t\t@babel/traverse@^7.20.7\n \t\t@babel/types@^7.20.7\n \t7.20.13\n \t\t@babel/template@^7.20.7\n \t\t@babel/traverse@^7.20.13\n \t\t@babel/types@^7.20.7\n \t7.21.0\n \t\t@babel/template@^7.20.7\n \t\t@babel/traverse@^7.21.0\n \t\t@babel/types@^7.21.0\n \t7.21.5\n \t\t@babel/template@^7.20.7\n \t\t@babel/traverse@^7.21.5\n \t\t@babel/types@^7.21.5\n \t7.22.0\n \t\t@babel/template@^7.21.9\n \t\t@babel/traverse@^7.22.0\n \t\t@babel/types@^7.22.0\n \t7.22.3\n \t\t@babel/template@^7.21.9\n \t\t@babel/traverse@^7.22.1\n \t\t@babel/types@^7.22.3\n \t7.22.5\n \t\t@babel/template@^7.22.5\n \t\t@babel/traverse@^7.22.5\n \t\t@babel/types@^7.22.5\n \t7.22.6\n \t\t@babel/template@^7.22.5\n \t\t@babel/traverse@^7.22.6\n \t\t@babel/types@^7.22.5\n \t7.22.10\n \t\t@babel/template@^7.22.5\n \t\t@babel/traverse@^7.22.10\n \t\t@babel/types@^7.22.10\n \t7.22.11\n \t\t@babel/template@^7.22.5\n \t\t@babel/traverse@^7.22.11\n \t\t@babel/types@^7.22.11\n \t7.22.15\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.22.15\n \t\t@babel/types@^7.22.15\n \t7.23.0\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.0\n \t\t@babel/types@^7.23.0\n \t7.23.1\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.0\n \t\t@babel/types@^7.23.0\n \t7.23.2\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.2\n \t\t@babel/types@^7.23.0\n \t7.23.4\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.4\n \t\t@babel/types@^7.23.4\n \t7.23.5\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.5\n \t\t@babel/types@^7.23.5\n \t7.23.6\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.6\n \t\t@babel/types@^7.23.6\n \t7.23.7\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.7\n \t\t@babel/types@^7.23.6\n \t7.23.8\n \t\t@babel/template@^7.22.15\n \t\t@babel/traverse@^7.23.7\n \t\t@babel/types@^7.23.6\n \t7.23.9\n \t\t@babel/template@^7.23.9\n \t\t@babel/traverse@^7.23.9\n \t\t@babel/types@^7.23.9\n \t7.24.0\n \t\t@babel/template@^7.24.0\n \t\t@babel/traverse@^7.24.0\n \t\t@babel/types@^7.24.0\n \t7.24.1\n \t\t@babel/template@^7.24.0\n \t\t@babel/traverse@^7.24.1\n \t\t@babel/types@^7.24.0\n \t7.24.4\n \t\t@babel/template@^7.24.0\n \t\t@babel/traverse@^7.24.1\n \t\t@babel/types@^7.24.0\n \t7.24.5\n \t\t@babel/template@^7.24.0\n \t\t@babel/traverse@^7.24.5\n \t\t@babel/types@^7.24.5\n \t7.24.6\n \t\t@babel/template@^7.24.6\n \t\t@babel/types@^7.24.6\n \t7.24.7\n \t\t@babel/template@^7.24.7\n \t\t@babel/types@^7.24.7\n \t7.24.8\n \t\t@babel/template@^7.24.7\n \t\t@babel/types@^7.24.8\n \t7.25.0\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.0\n \t7.25.6\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.6\n \t7.25.7\n \t\t@babel/template@^7.25.7\n \t\t@babel/types@^7.25.7\n \t7.25.9\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.25.9\n \t7.26.0\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.0\n \t7.26.7\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.7\n \t7.26.9\n \t\t@babel/template@^7.26.9\n \t\t@babel/types@^7.26.9\n \t7.26.10\n \t\t@babel/template@^7.26.9\n \t\t@babel/types@^7.26.10\n \t7.27.0\n \t\t@babel/template@^7.27.0\n \t\t@babel/types@^7.27.0\n \t7.27.1\n \t\t@babel/template@^7.27.1\n \t\t@babel/types@^7.27.1\n \t7.27.3\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.3\n \t7.27.4\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.3\n \t7.27.6\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.6\n \t7.28.2\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.2\n \t7.28.3\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.2\n \t7.28.4\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.4\n @babel/highlight\n \t7.0.0\n \t\tchalk@^2.0.0\n \t\tesutils@^2.0.2\n \t\tjs-tokens@^4.0.0\n @babel/parser\n \t7.1.2\n \t7.6.0\n \t7.28.5\n \t\t@babel/types@^7.28.5\n @babel/plugin-bugfix-firefox-class-in-computed-class-key\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/traverse@^7.28.5\n @babel/plugin-bugfix-safari-class-field-initializer-scope\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining\n \t7.27.1\n \t\tScope peer|@babel/core@^7.13.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-skip-transparent-expression-wrappers@^7.27.1\n \t\t@babel/plugin-transform-optional-chaining@^7.27.1\n @babel/plugin-bugfix-v8-static-class-fields-redefine-readonly\n \t7.28.3\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/traverse@^7.28.3\n @babel/plugin-proposal-async-generator-functions\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-remap-async-to-generator@^7.1.0\n \t\t@babel/plugin-syntax-async-generators@^7.2.0\n @babel/plugin-proposal-dynamic-import\n \t7.5.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/plugin-syntax-dynamic-import@^7.2.0\n @babel/plugin-proposal-json-strings\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/plugin-syntax-json-strings@^7.2.0\n @babel/plugin-proposal-object-rest-spread\n \t7.5.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/plugin-syntax-object-rest-spread@^7.2.0\n @babel/plugin-proposal-optional-catch-binding\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/plugin-syntax-optional-catch-binding@^7.2.0\n @babel/plugin-proposal-private-property-in-object\n \t7.21.0-placeholder-for-preset-env.2\n \t\tScope peer|@babel/core@^7.0.0-0\n @babel/plugin-proposal-unicode-property-regex\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-regex@^7.4.4\n \t\tregexpu-core@^4.5.4\n @babel/plugin-syntax-async-generators\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n @babel/plugin-syntax-dynamic-import\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n @babel/plugin-syntax-import-assertions\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-syntax-import-attributes\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-syntax-json-strings\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n @babel/plugin-syntax-object-rest-spread\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n @babel/plugin-syntax-optional-catch-binding\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n @babel/plugin-syntax-unicode-sets-regex\n \t7.18.6\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-create-regexp-features-plugin@^7.18.6\n \t\t@babel/helper-plugin-utils@^7.18.6\n @babel/plugin-transform-arrow-functions\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-async-generator-functions\n \t7.28.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-remap-async-to-generator@^7.27.1\n \t\t@babel/traverse@^7.28.0\n @babel/plugin-transform-async-to-generator\n \t7.5.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-imports@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-remap-async-to-generator@^7.1.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-imports@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-remap-async-to-generator@^7.27.1\n @babel/plugin-transform-block-scoped-functions\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-block-scoping\n \t7.6.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\tlodash@^4.17.13\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-class-properties\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-create-class-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-class-static-block\n \t7.28.3\n \t\tScope peer|@babel/core@^7.12.0\n \t\t@babel/helper-create-class-features-plugin@^7.28.3\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-classes\n \t7.5.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-annotate-as-pure@^7.0.0\n \t\t@babel/helper-define-map@^7.5.5\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/helper-optimise-call-expression@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-replace-supers@^7.5.5\n \t\t@babel/helper-split-export-declaration@^7.4.4\n \t\tglobals@^11.1.0\n \t7.28.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-annotate-as-pure@^7.27.3\n \t\t@babel/helper-compilation-targets@^7.27.2\n \t\t@babel/helper-globals@^7.28.0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-replace-supers@^7.27.1\n \t\t@babel/traverse@^7.28.4\n @babel/plugin-transform-computed-properties\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/template@^7.27.1\n @babel/plugin-transform-destructuring\n \t7.6.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/traverse@^7.28.5\n @babel/plugin-transform-dotall-regex\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-regex@^7.4.4\n \t\tregexpu-core@^4.5.4\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-duplicate-keys\n \t7.5.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-duplicate-named-capturing-groups-regex\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-dynamic-import\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-explicit-resource-management\n \t7.28.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/plugin-transform-destructuring@^7.28.0\n @babel/plugin-transform-exponentiation-operator\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-builder-binary-assignment-operator-visitor@^7.1.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-export-namespace-from\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-for-of\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-skip-transparent-expression-wrappers@^7.27.1\n @babel/plugin-transform-function-name\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-compilation-targets@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/traverse@^7.27.1\n @babel/plugin-transform-json-strings\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-literals\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-logical-assignment-operators\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-member-expression-literals\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-modules-amd\n \t7.5.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.1.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\tbabel-plugin-dynamic-import-node@^2.3.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-modules-commonjs\n \t7.6.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.4.4\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-simple-access@^7.1.0\n \t\tbabel-plugin-dynamic-import-node@^2.3.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-modules-systemjs\n \t7.5.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-hoist-variables@^7.4.4\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\tbabel-plugin-dynamic-import-node@^2.3.0\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.28.3\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-validator-identifier@^7.28.5\n \t\t@babel/traverse@^7.28.5\n @babel/plugin-transform-modules-umd\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.1.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-transforms@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-named-capturing-groups-regex\n \t7.6.0\n \t\tScope peer|@babel/core@^7.0.0\n \t\tregexp-tree@^0.1.13\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-new-target\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-nullish-coalescing-operator\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-numeric-separator\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-object-rest-spread\n \t7.28.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-compilation-targets@^7.27.2\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/plugin-transform-destructuring@^7.28.0\n \t\t@babel/plugin-transform-parameters@^7.27.7\n \t\t@babel/traverse@^7.28.4\n @babel/plugin-transform-object-super\n \t7.5.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-replace-supers@^7.5.5\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-replace-supers@^7.27.1\n @babel/plugin-transform-optional-catch-binding\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-optional-chaining\n \t7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-skip-transparent-expression-wrappers@^7.27.1\n @babel/plugin-transform-parameters\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-call-delegate@^7.4.4\n \t\t@babel/helper-get-function-arity@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.7\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-private-methods\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-create-class-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-private-property-in-object\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-annotate-as-pure@^7.27.1\n \t\t@babel/helper-create-class-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-property-literals\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-regenerator\n \t7.4.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\tregenerator-transform@^0.14.0\n \t7.28.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-regexp-modifiers\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-reserved-words\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-shorthand-properties\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-spread\n \t7.2.2\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-skip-transparent-expression-wrappers@^7.27.1\n @babel/plugin-transform-sticky-regex\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-regex@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-template-literals\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-annotate-as-pure@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-typeof-symbol\n \t7.2.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-unicode-escapes\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-unicode-property-regex\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-unicode-regex\n \t7.4.4\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/helper-regex@^7.4.4\n \t\tregexpu-core@^4.5.4\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/plugin-transform-unicode-sets-regex\n \t7.27.1\n \t\tScope peer|@babel/core@^7.0.0\n \t\t@babel/helper-create-regexp-features-plugin@^7.27.1\n \t\t@babel/helper-plugin-utils@^7.27.1\n @babel/preset-env\n \t7.6.0\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-module-imports@^7.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/plugin-proposal-async-generator-functions@^7.2.0\n \t\t@babel/plugin-proposal-dynamic-import@^7.5.0\n \t\t@babel/plugin-proposal-json-strings@^7.2.0\n \t\t@babel/plugin-proposal-object-rest-spread@^7.5.5\n \t\t@babel/plugin-proposal-optional-catch-binding@^7.2.0\n \t\t@babel/plugin-proposal-unicode-property-regex@^7.4.4\n \t\t@babel/plugin-syntax-async-generators@^7.2.0\n \t\t@babel/plugin-syntax-dynamic-import@^7.2.0\n \t\t@babel/plugin-syntax-json-strings@^7.2.0\n \t\t@babel/plugin-syntax-object-rest-spread@^7.2.0\n \t\t@babel/plugin-syntax-optional-catch-binding@^7.2.0\n \t\t@babel/plugin-transform-arrow-functions@^7.2.0\n \t\t@babel/plugin-transform-async-to-generator@^7.5.0\n \t\t@babel/plugin-transform-block-scoped-functions@^7.2.0\n \t\t@babel/plugin-transform-block-scoping@^7.6.0\n \t\t@babel/plugin-transform-classes@^7.5.5\n \t\t@babel/plugin-transform-computed-properties@^7.2.0\n \t\t@babel/plugin-transform-destructuring@^7.6.0\n \t\t@babel/plugin-transform-dotall-regex@^7.4.4\n \t\t@babel/plugin-transform-duplicate-keys@^7.5.0\n \t\t@babel/plugin-transform-exponentiation-operator@^7.2.0\n \t\t@babel/plugin-transform-for-of@^7.4.4\n \t\t@babel/plugin-transform-function-name@^7.4.4\n \t\t@babel/plugin-transform-literals@^7.2.0\n \t\t@babel/plugin-transform-member-expression-literals@^7.2.0\n \t\t@babel/plugin-transform-modules-amd@^7.5.0\n \t\t@babel/plugin-transform-modules-commonjs@^7.6.0\n \t\t@babel/plugin-transform-modules-systemjs@^7.5.0\n \t\t@babel/plugin-transform-modules-umd@^7.2.0\n \t\t@babel/plugin-transform-named-capturing-groups-regex@^7.6.0\n \t\t@babel/plugin-transform-new-target@^7.4.4\n \t\t@babel/plugin-transform-object-super@^7.5.5\n \t\t@babel/plugin-transform-parameters@^7.4.4\n \t\t@babel/plugin-transform-property-literals@^7.2.0\n \t\t@babel/plugin-transform-regenerator@^7.4.5\n \t\t@babel/plugin-transform-reserved-words@^7.2.0\n \t\t@babel/plugin-transform-shorthand-properties@^7.2.0\n \t\t@babel/plugin-transform-spread@^7.2.0\n \t\t@babel/plugin-transform-sticky-regex@^7.2.0\n \t\t@babel/plugin-transform-template-literals@^7.4.4\n \t\t@babel/plugin-transform-typeof-symbol@^7.2.0\n \t\t@babel/plugin-transform-unicode-regex@^7.4.4\n \t\t@babel/types@^7.6.0\n \t\tbrowserslist@^4.6.0\n \t\tcore-js-compat@^3.1.1\n \t\tinvariant@^2.2.2\n \t\tjs-levenshtein@^1.1.3\n \t\tsemver@^5.5.0\n \t7.28.5\n \t\t@babel/compat-data@^7.28.5\n \t\tScope peer|@babel/core@^7.0.0-0\n \t\t@babel/helper-compilation-targets@^7.27.2\n \t\t@babel/helper-plugin-utils@^7.27.1\n \t\t@babel/helper-validator-option@^7.27.1\n \t\t@babel/plugin-bugfix-firefox-class-in-computed-class-key@^7.28.5\n \t\t@babel/plugin-bugfix-safari-class-field-initializer-scope@^7.27.1\n \t\t@babel/plugin-bugfix-safari-id-destructuring-collision-in-function-expression@^7.27.1\n \t\t@babel/plugin-bugfix-v8-spread-parameters-in-optional-chaining@^7.27.1\n \t\t@babel/plugin-bugfix-v8-static-class-fields-redefine-readonly@^7.28.3\n \t\t@babel/plugin-proposal-private-property-in-object@7.21.0-placeholder-for-preset-env.2\n \t\t@babel/plugin-syntax-import-assertions@^7.27.1\n \t\t@babel/plugin-syntax-import-attributes@^7.27.1\n \t\t@babel/plugin-syntax-unicode-sets-regex@^7.18.6\n \t\t@babel/plugin-transform-arrow-functions@^7.27.1\n \t\t@babel/plugin-transform-async-generator-functions@^7.28.0\n \t\t@babel/plugin-transform-async-to-generator@^7.27.1\n \t\t@babel/plugin-transform-block-scoped-functions@^7.27.1\n \t\t@babel/plugin-transform-block-scoping@^7.28.5\n \t\t@babel/plugin-transform-class-properties@^7.27.1\n \t\t@babel/plugin-transform-class-static-block@^7.28.3\n \t\t@babel/plugin-transform-classes@^7.28.4\n \t\t@babel/plugin-transform-computed-properties@^7.27.1\n \t\t@babel/plugin-transform-destructuring@^7.28.5\n \t\t@babel/plugin-transform-dotall-regex@^7.27.1\n \t\t@babel/plugin-transform-duplicate-keys@^7.27.1\n \t\t@babel/plugin-transform-duplicate-named-capturing-groups-regex@^7.27.1\n \t\t@babel/plugin-transform-dynamic-import@^7.27.1\n \t\t@babel/plugin-transform-explicit-resource-management@^7.28.0\n \t\t@babel/plugin-transform-exponentiation-operator@^7.28.5\n \t\t@babel/plugin-transform-export-namespace-from@^7.27.1\n \t\t@babel/plugin-transform-for-of@^7.27.1\n \t\t@babel/plugin-transform-function-name@^7.27.1\n \t\t@babel/plugin-transform-json-strings@^7.27.1\n \t\t@babel/plugin-transform-literals@^7.27.1\n \t\t@babel/plugin-transform-logical-assignment-operators@^7.28.5\n \t\t@babel/plugin-transform-member-expression-literals@^7.27.1\n \t\t@babel/plugin-transform-modules-amd@^7.27.1\n \t\t@babel/plugin-transform-modules-commonjs@^7.27.1\n \t\t@babel/plugin-transform-modules-systemjs@^7.28.5\n \t\t@babel/plugin-transform-modules-umd@^7.27.1\n \t\t@babel/plugin-transform-named-capturing-groups-regex@^7.27.1\n \t\t@babel/plugin-transform-new-target@^7.27.1\n \t\t@babel/plugin-transform-nullish-coalescing-operator@^7.27.1\n \t\t@babel/plugin-transform-numeric-separator@^7.27.1\n \t\t@babel/plugin-transform-object-rest-spread@^7.28.4\n \t\t@babel/plugin-transform-object-super@^7.27.1\n \t\t@babel/plugin-transform-optional-catch-binding@^7.27.1\n \t\t@babel/plugin-transform-optional-chaining@^7.28.5\n \t\t@babel/plugin-transform-parameters@^7.27.7\n \t\t@babel/plugin-transform-private-methods@^7.27.1\n \t\t@babel/plugin-transform-private-property-in-object@^7.27.1\n \t\t@babel/plugin-transform-property-literals@^7.27.1\n \t\t@babel/plugin-transform-regenerator@^7.28.4\n \t\t@babel/plugin-transform-regexp-modifiers@^7.27.1\n \t\t@babel/plugin-transform-reserved-words@^7.27.1\n \t\t@babel/plugin-transform-shorthand-properties@^7.27.1\n \t\t@babel/plugin-transform-spread@^7.27.1\n \t\t@babel/plugin-transform-sticky-regex@^7.27.1\n \t\t@babel/plugin-transform-template-literals@^7.27.1\n \t\t@babel/plugin-transform-typeof-symbol@^7.27.1\n \t\t@babel/plugin-transform-unicode-escapes@^7.27.1\n \t\t@babel/plugin-transform-unicode-property-regex@^7.27.1\n \t\t@babel/plugin-transform-unicode-regex@^7.27.1\n \t\t@babel/plugin-transform-unicode-sets-regex@^7.27.1\n \t\t@babel/preset-modules@0.1.6-no-external-plugins\n \t\tbabel-plugin-polyfill-corejs2@^0.4.14\n \t\tbabel-plugin-polyfill-corejs3@^0.13.0\n \t\tbabel-plugin-polyfill-regenerator@^0.6.5\n \t\tcore-js-compat@^3.43.0\n \t\tsemver@^6.3.1\n @babel/preset-modules\n \t0.1.6-no-external-plugins\n \t\tScope peer|@babel/core@^7.0.0-0 || ^8.0.0-0 <8.0.0\n \t\t@babel/helper-plugin-utils@^7.0.0\n \t\t@babel/types@^7.4.4\n \t\tesutils@^2.0.2\n @babel/template\n \t7.1.2\n \t\t@babel/code-frame@^7.0.0\n \t\t@babel/parser@^7.1.2\n \t\t@babel/types@^7.1.2\n \t7.6.0\n \t\t@babel/code-frame@^7.0.0\n \t\t@babel/parser@^7.6.0\n \t\t@babel/types@^7.6.0\n \t7.27.2\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/parser@^7.27.2\n \t\t@babel/types@^7.27.1\n @babel/traverse\n \t7.6.0\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.6.0\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/helper-split-export-declaration@^7.4.4\n \t\t@babel/parser@^7.6.0\n \t\t@babel/types@^7.6.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.6.2\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.6.2\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/helper-split-export-declaration@^7.4.4\n \t\t@babel/parser@^7.6.2\n \t\t@babel/types@^7.6.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.6.3\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.6.3\n \t\t@babel/helper-function-name@^7.1.0\n \t\t@babel/helper-split-export-declaration@^7.4.4\n \t\t@babel/parser@^7.6.3\n \t\t@babel/types@^7.6.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.7.0\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.7.0\n \t\t@babel/helper-function-name@^7.7.0\n \t\t@babel/helper-split-export-declaration@^7.7.0\n \t\t@babel/parser@^7.7.0\n \t\t@babel/types@^7.7.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.7.2\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.7.2\n \t\t@babel/helper-function-name@^7.7.0\n \t\t@babel/helper-split-export-declaration@^7.7.0\n \t\t@babel/parser@^7.7.2\n \t\t@babel/types@^7.7.2\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.7.4\n \t\t@babel/code-frame@^7.5.5\n \t\t@babel/generator@^7.7.4\n \t\t@babel/helper-function-name@^7.7.4\n \t\t@babel/helper-split-export-declaration@^7.7.4\n \t\t@babel/parser@^7.7.4\n \t\t@babel/types@^7.7.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.8.0\n \t\t@babel/code-frame@^7.8.0\n \t\t@babel/generator@^7.8.0\n \t\t@babel/helper-function-name@^7.8.0\n \t\t@babel/helper-split-export-declaration@^7.8.0\n \t\t@babel/parser@^7.8.0\n \t\t@babel/types@^7.8.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.8.3\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.8.3\n \t\t@babel/helper-function-name@^7.8.3\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.8.3\n \t\t@babel/types@^7.8.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.8.4\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.8.4\n \t\t@babel/helper-function-name@^7.8.3\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.8.4\n \t\t@babel/types@^7.8.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.8.6\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.8.6\n \t\t@babel/helper-function-name@^7.8.3\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.8.6\n \t\t@babel/types@^7.8.6\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.9.0\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.9.0\n \t\t@babel/helper-function-name@^7.8.3\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.9.0\n \t\t@babel/types@^7.9.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.9.5\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.9.5\n \t\t@babel/helper-function-name@^7.9.5\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.9.0\n \t\t@babel/types@^7.9.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.9.6\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.9.6\n \t\t@babel/helper-function-name@^7.9.5\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.9.6\n \t\t@babel/types@^7.9.6\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.10.0\n \t\t@babel/code-frame@^7.8.3\n \t\t@babel/generator@^7.10.0\n \t\t@babel/helper-function-name@^7.9.5\n \t\t@babel/helper-split-export-declaration@^7.8.3\n \t\t@babel/parser@^7.10.0\n \t\t@babel/types@^7.10.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.10.1\n \t\t@babel/code-frame@^7.10.1\n \t\t@babel/generator@^7.10.1\n \t\t@babel/helper-function-name@^7.10.1\n \t\t@babel/helper-split-export-declaration@^7.10.1\n \t\t@babel/parser@^7.10.1\n \t\t@babel/types@^7.10.1\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.10.3\n \t\t@babel/code-frame@^7.10.3\n \t\t@babel/generator@^7.10.3\n \t\t@babel/helper-function-name@^7.10.3\n \t\t@babel/helper-split-export-declaration@^7.10.1\n \t\t@babel/parser@^7.10.3\n \t\t@babel/types@^7.10.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.10.4\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.10.4\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.10.4\n \t\t@babel/parser@^7.10.4\n \t\t@babel/types@^7.10.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.13\n \t7.10.5\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.10.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.10.4\n \t\t@babel/parser@^7.10.5\n \t\t@babel/types@^7.10.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.11.0\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.11.0\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.11.0\n \t\t@babel/types@^7.11.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.11.5\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.11.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.11.5\n \t\t@babel/types@^7.11.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.0\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.0\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.0\n \t\t@babel/types@^7.12.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.1\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.1\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.1\n \t\t@babel/types@^7.12.1\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.5\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.5\n \t\t@babel/types@^7.12.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.7\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.7\n \t\t@babel/types@^7.12.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.8\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.7\n \t\t@babel/types@^7.12.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.9\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.5\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.7\n \t\t@babel/types@^7.12.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.10\n \t\t@babel/code-frame@^7.10.4\n \t\t@babel/generator@^7.12.10\n \t\t@babel/helper-function-name@^7.10.4\n \t\t@babel/helper-split-export-declaration@^7.11.0\n \t\t@babel/parser@^7.12.10\n \t\t@babel/types@^7.12.10\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.12\n \t\t@babel/code-frame@^7.12.11\n \t\t@babel/generator@^7.12.11\n \t\t@babel/helper-function-name@^7.12.11\n \t\t@babel/helper-split-export-declaration@^7.12.11\n \t\t@babel/parser@^7.12.11\n \t\t@babel/types@^7.12.12\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.13\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.12.13\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.12.13\n \t\t@babel/types@^7.12.13\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.12.17\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.12.17\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.12.17\n \t\t@babel/types@^7.12.17\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.13.0\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.13.0\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.13.0\n \t\t@babel/types@^7.13.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t\tlodash@^4.17.19\n \t7.13.13\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.13.9\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.13.13\n \t\t@babel/types@^7.13.13\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.13.15\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.13.9\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.13.15\n \t\t@babel/types@^7.13.14\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.13.17\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.13.16\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.13.16\n \t\t@babel/types@^7.13.17\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.0\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.14.0\n \t\t@babel/helper-function-name@^7.12.13\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.14.0\n \t\t@babel/types@^7.14.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.2\n \t\t@babel/code-frame@^7.12.13\n \t\t@babel/generator@^7.14.2\n \t\t@babel/helper-function-name@^7.14.2\n \t\t@babel/helper-split-export-declaration@^7.12.13\n \t\t@babel/parser@^7.14.2\n \t\t@babel/types@^7.14.2\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.5\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.14.5\n \t\t@babel/helper-function-name@^7.14.5\n \t\t@babel/helper-hoist-variables@^7.14.5\n \t\t@babel/helper-split-export-declaration@^7.14.5\n \t\t@babel/parser@^7.14.5\n \t\t@babel/types@^7.14.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.7\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.14.5\n \t\t@babel/helper-function-name@^7.14.5\n \t\t@babel/helper-hoist-variables@^7.14.5\n \t\t@babel/helper-split-export-declaration@^7.14.5\n \t\t@babel/parser@^7.14.7\n \t\t@babel/types@^7.14.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.8\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.14.8\n \t\t@babel/helper-function-name@^7.14.5\n \t\t@babel/helper-hoist-variables@^7.14.5\n \t\t@babel/helper-split-export-declaration@^7.14.5\n \t\t@babel/parser@^7.14.8\n \t\t@babel/types@^7.14.8\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.14.9\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.14.9\n \t\t@babel/helper-function-name@^7.14.5\n \t\t@babel/helper-hoist-variables@^7.14.5\n \t\t@babel/helper-split-export-declaration@^7.14.5\n \t\t@babel/parser@^7.14.9\n \t\t@babel/types@^7.14.9\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.15.0\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.15.0\n \t\t@babel/helper-function-name@^7.14.5\n \t\t@babel/helper-hoist-variables@^7.14.5\n \t\t@babel/helper-split-export-declaration@^7.14.5\n \t\t@babel/parser@^7.15.0\n \t\t@babel/types@^7.15.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.15.4\n \t\t@babel/code-frame@^7.14.5\n \t\t@babel/generator@^7.15.4\n \t\t@babel/helper-function-name@^7.15.4\n \t\t@babel/helper-hoist-variables@^7.15.4\n \t\t@babel/helper-split-export-declaration@^7.15.4\n \t\t@babel/parser@^7.15.4\n \t\t@babel/types@^7.15.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.0\n \t\t@babel/code-frame@^7.16.0\n \t\t@babel/generator@^7.16.0\n \t\t@babel/helper-function-name@^7.16.0\n \t\t@babel/helper-hoist-variables@^7.16.0\n \t\t@babel/helper-split-export-declaration@^7.16.0\n \t\t@babel/parser@^7.16.0\n \t\t@babel/types@^7.16.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.3\n \t\t@babel/code-frame@^7.16.0\n \t\t@babel/generator@^7.16.0\n \t\t@babel/helper-function-name@^7.16.0\n \t\t@babel/helper-hoist-variables@^7.16.0\n \t\t@babel/helper-split-export-declaration@^7.16.0\n \t\t@babel/parser@^7.16.3\n \t\t@babel/types@^7.16.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.5\n \t\t@babel/code-frame@^7.16.0\n \t\t@babel/generator@^7.16.5\n \t\t@babel/helper-environment-visitor@^7.16.5\n \t\t@babel/helper-function-name@^7.16.0\n \t\t@babel/helper-hoist-variables@^7.16.0\n \t\t@babel/helper-split-export-declaration@^7.16.0\n \t\t@babel/parser@^7.16.5\n \t\t@babel/types@^7.16.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.7\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.16.7\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.16.7\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.16.7\n \t\t@babel/types@^7.16.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.8\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.16.8\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.16.7\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.16.8\n \t\t@babel/types@^7.16.8\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.16.10\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.16.8\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.16.7\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.16.10\n \t\t@babel/types@^7.16.8\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.17.0\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.17.0\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.16.7\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.17.0\n \t\t@babel/types@^7.17.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.17.3\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.17.3\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.16.7\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.17.3\n \t\t@babel/types@^7.17.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.17.9\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.17.9\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.17.9\n \t\t@babel/types@^7.17.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.17.10\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.17.10\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.17.10\n \t\t@babel/types@^7.17.10\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.17.12\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.17.12\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.17.12\n \t\t@babel/types@^7.17.12\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.0\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.18.0\n \t\t@babel/helper-environment-visitor@^7.16.7\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.18.0\n \t\t@babel/types@^7.18.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.2\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.18.2\n \t\t@babel/helper-environment-visitor@^7.18.2\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.18.0\n \t\t@babel/types@^7.18.2\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.5\n \t\t@babel/code-frame@^7.16.7\n \t\t@babel/generator@^7.18.2\n \t\t@babel/helper-environment-visitor@^7.18.2\n \t\t@babel/helper-function-name@^7.17.9\n \t\t@babel/helper-hoist-variables@^7.16.7\n \t\t@babel/helper-split-export-declaration@^7.16.7\n \t\t@babel/parser@^7.18.5\n \t\t@babel/types@^7.18.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.6\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.6\n \t\t@babel/helper-environment-visitor@^7.18.6\n \t\t@babel/helper-function-name@^7.18.6\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.6\n \t\t@babel/types@^7.18.6\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.8\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.7\n \t\t@babel/helper-environment-visitor@^7.18.6\n \t\t@babel/helper-function-name@^7.18.6\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.8\n \t\t@babel/types@^7.18.8\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.9\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.9\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.18.9\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.9\n \t\t@babel/types@^7.18.9\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.10\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.10\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.18.9\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.10\n \t\t@babel/types@^7.18.10\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.11\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.10\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.18.9\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.11\n \t\t@babel/types@^7.18.10\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.18.13\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.18.13\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.18.9\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.18.13\n \t\t@babel/types@^7.18.13\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.19.0\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.19.0\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.19.0\n \t\t@babel/types@^7.19.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.19.1\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.19.0\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.19.1\n \t\t@babel/types@^7.19.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.19.3\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.19.3\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.19.3\n \t\t@babel/types@^7.19.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.19.4\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.19.4\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.19.4\n \t\t@babel/types@^7.19.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.19.6\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.19.6\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.19.6\n \t\t@babel/types@^7.19.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.0\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.0\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.0\n \t\t@babel/types@^7.20.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.1\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.1\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.1\n \t\t@babel/types@^7.20.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.5\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.5\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.5\n \t\t@babel/types@^7.20.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.7\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.7\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.7\n \t\t@babel/types@^7.20.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.8\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.7\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.7\n \t\t@babel/types@^7.20.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.10\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.7\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.7\n \t\t@babel/types@^7.20.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.12\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.7\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.7\n \t\t@babel/types@^7.20.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.20.13\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.20.7\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.19.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.20.13\n \t\t@babel/types@^7.20.7\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.21.0\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.21.0\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.21.0\n \t\t@babel/types@^7.21.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.21.2\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.21.1\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.21.2\n \t\t@babel/types@^7.21.2\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.21.3\n \t\t@babel/code-frame@^7.18.6\n \t\t@babel/generator@^7.21.3\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.21.3\n \t\t@babel/types@^7.21.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.21.4\n \t\t@babel/code-frame@^7.21.4\n \t\t@babel/generator@^7.21.4\n \t\t@babel/helper-environment-visitor@^7.18.9\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.21.4\n \t\t@babel/types@^7.21.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.21.5\n \t\t@babel/code-frame@^7.21.4\n \t\t@babel/generator@^7.21.5\n \t\t@babel/helper-environment-visitor@^7.21.5\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.21.5\n \t\t@babel/types@^7.21.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.0\n \t\t@babel/code-frame@^7.21.4\n \t\t@babel/generator@^7.22.0\n \t\t@babel/helper-environment-visitor@^7.21.5\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.22.0\n \t\t@babel/types@^7.22.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.1\n \t\t@babel/code-frame@^7.21.4\n \t\t@babel/generator@^7.22.0\n \t\t@babel/helper-environment-visitor@^7.22.1\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.22.0\n \t\t@babel/types@^7.22.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.4\n \t\t@babel/code-frame@^7.21.4\n \t\t@babel/generator@^7.22.3\n \t\t@babel/helper-environment-visitor@^7.22.1\n \t\t@babel/helper-function-name@^7.21.0\n \t\t@babel/helper-hoist-variables@^7.18.6\n \t\t@babel/helper-split-export-declaration@^7.18.6\n \t\t@babel/parser@^7.22.4\n \t\t@babel/types@^7.22.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.5\n \t\t@babel/code-frame@^7.22.5\n \t\t@babel/generator@^7.22.5\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.5\n \t\t@babel/parser@^7.22.5\n \t\t@babel/types@^7.22.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.6\n \t\t@babel/code-frame@^7.22.5\n \t\t@babel/generator@^7.22.5\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.6\n \t\t@babel/types@^7.22.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.7\n \t\t@babel/code-frame@^7.22.5\n \t\t@babel/generator@^7.22.7\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.7\n \t\t@babel/types@^7.22.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.8\n \t\t@babel/code-frame@^7.22.5\n \t\t@babel/generator@^7.22.7\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.7\n \t\t@babel/types@^7.22.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.10\n \t\t@babel/code-frame@^7.22.10\n \t\t@babel/generator@^7.22.10\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.10\n \t\t@babel/types@^7.22.10\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.11\n \t\t@babel/code-frame@^7.22.10\n \t\t@babel/generator@^7.22.10\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.11\n \t\t@babel/types@^7.22.11\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.15\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.22.15\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.15\n \t\t@babel/types@^7.22.15\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.17\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.22.15\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.16\n \t\t@babel/types@^7.22.17\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.18\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.22.15\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.16\n \t\t@babel/types@^7.22.18\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.19\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.22.15\n \t\t@babel/helper-environment-visitor@^7.22.5\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.16\n \t\t@babel/types@^7.22.19\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.22.20\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.22.15\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.22.5\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.22.16\n \t\t@babel/types@^7.22.19\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.0\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.23.0\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.0\n \t\t@babel/types@^7.23.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.2\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.23.0\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.0\n \t\t@babel/types@^7.23.0\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.3\n \t\t@babel/code-frame@^7.22.13\n \t\t@babel/generator@^7.23.3\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.3\n \t\t@babel/types@^7.23.3\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.4\n \t\t@babel/code-frame@^7.23.4\n \t\t@babel/generator@^7.23.4\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.4\n \t\t@babel/types@^7.23.4\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.5\n \t\t@babel/code-frame@^7.23.5\n \t\t@babel/generator@^7.23.5\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.5\n \t\t@babel/types@^7.23.5\n \t\tdebug@^4.1.0\n \t\tglobals@^11.1.0\n \t7.23.6\n \t\t@babel/code-frame@^7.23.5\n \t\t@babel/generator@^7.23.6\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.6\n \t\t@babel/types@^7.23.6\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.23.7\n \t\t@babel/code-frame@^7.23.5\n \t\t@babel/generator@^7.23.6\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.6\n \t\t@babel/types@^7.23.6\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.23.9\n \t\t@babel/code-frame@^7.23.5\n \t\t@babel/generator@^7.23.6\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.23.9\n \t\t@babel/types@^7.23.9\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.0\n \t\t@babel/code-frame@^7.23.5\n \t\t@babel/generator@^7.23.6\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.24.0\n \t\t@babel/types@^7.24.0\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.1\n \t\t@babel/code-frame@^7.24.1\n \t\t@babel/generator@^7.24.1\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.22.6\n \t\t@babel/parser@^7.24.1\n \t\t@babel/types@^7.24.0\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.5\n \t\t@babel/code-frame@^7.24.2\n \t\t@babel/generator@^7.24.5\n \t\t@babel/helper-environment-visitor@^7.22.20\n \t\t@babel/helper-function-name@^7.23.0\n \t\t@babel/helper-hoist-variables@^7.22.5\n \t\t@babel/helper-split-export-declaration@^7.24.5\n \t\t@babel/parser@^7.24.5\n \t\t@babel/types@^7.24.5\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.6\n \t\t@babel/code-frame@^7.24.6\n \t\t@babel/generator@^7.24.6\n \t\t@babel/helper-environment-visitor@^7.24.6\n \t\t@babel/helper-function-name@^7.24.6\n \t\t@babel/helper-hoist-variables@^7.24.6\n \t\t@babel/helper-split-export-declaration@^7.24.6\n \t\t@babel/parser@^7.24.6\n \t\t@babel/types@^7.24.6\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.7\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.24.7\n \t\t@babel/helper-environment-visitor@^7.24.7\n \t\t@babel/helper-function-name@^7.24.7\n \t\t@babel/helper-hoist-variables@^7.24.7\n \t\t@babel/helper-split-export-declaration@^7.24.7\n \t\t@babel/parser@^7.24.7\n \t\t@babel/types@^7.24.7\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.24.8\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.24.8\n \t\t@babel/helper-environment-visitor@^7.24.7\n \t\t@babel/helper-function-name@^7.24.7\n \t\t@babel/helper-hoist-variables@^7.24.7\n \t\t@babel/helper-split-export-declaration@^7.24.7\n \t\t@babel/parser@^7.24.8\n \t\t@babel/types@^7.24.8\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.0\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.0\n \t\t@babel/parser@^7.25.0\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.0\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.1\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.0\n \t\t@babel/parser@^7.25.0\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.0\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.2\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.0\n \t\t@babel/parser@^7.25.0\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.2\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.3\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.0\n \t\t@babel/parser@^7.25.3\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.2\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.4\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.4\n \t\t@babel/parser@^7.25.4\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.4\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.6\n \t\t@babel/code-frame@^7.24.7\n \t\t@babel/generator@^7.25.6\n \t\t@babel/parser@^7.25.6\n \t\t@babel/template@^7.25.0\n \t\t@babel/types@^7.25.6\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.7\n \t\t@babel/code-frame@^7.25.7\n \t\t@babel/generator@^7.25.7\n \t\t@babel/parser@^7.25.7\n \t\t@babel/template@^7.25.7\n \t\t@babel/types@^7.25.7\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.25.9\n \t\t@babel/code-frame@^7.25.9\n \t\t@babel/generator@^7.25.9\n \t\t@babel/parser@^7.25.9\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.25.9\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.3\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.3\n \t\t@babel/parser@^7.26.3\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.3\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.4\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.3\n \t\t@babel/parser@^7.26.3\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.3\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.5\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.5\n \t\t@babel/parser@^7.26.5\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.5\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.7\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.5\n \t\t@babel/parser@^7.26.7\n \t\t@babel/template@^7.25.9\n \t\t@babel/types@^7.26.7\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.8\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.8\n \t\t@babel/parser@^7.26.8\n \t\t@babel/template@^7.26.8\n \t\t@babel/types@^7.26.8\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.9\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.9\n \t\t@babel/parser@^7.26.9\n \t\t@babel/template@^7.26.9\n \t\t@babel/types@^7.26.9\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.26.10\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.26.10\n \t\t@babel/parser@^7.26.10\n \t\t@babel/template@^7.26.9\n \t\t@babel/types@^7.26.10\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.27.0\n \t\t@babel/code-frame@^7.26.2\n \t\t@babel/generator@^7.27.0\n \t\t@babel/parser@^7.27.0\n \t\t@babel/template@^7.27.0\n \t\t@babel/types@^7.27.0\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.27.1\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.27.1\n \t\t@babel/parser@^7.27.1\n \t\t@babel/template@^7.27.1\n \t\t@babel/types@^7.27.1\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.27.3\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.27.3\n \t\t@babel/parser@^7.27.3\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.3\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.27.4\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.27.3\n \t\t@babel/parser@^7.27.4\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.3\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.27.7\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.27.5\n \t\t@babel/parser@^7.27.7\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.27.7\n \t\tdebug@^4.3.1\n \t\tglobals@^11.1.0\n \t7.28.0\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.28.0\n \t\t@babel/helper-globals@^7.28.0\n \t\t@babel/parser@^7.28.0\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.0\n \t\tdebug@^4.3.1\n \t7.28.3\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.28.3\n \t\t@babel/helper-globals@^7.28.0\n \t\t@babel/parser@^7.28.3\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.2\n \t\tdebug@^4.3.1\n \t7.28.4\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.28.3\n \t\t@babel/helper-globals@^7.28.0\n \t\t@babel/parser@^7.28.4\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.4\n \t\tdebug@^4.3.1\n \t7.28.5\n \t\t@babel/code-frame@^7.27.1\n \t\t@babel/generator@^7.28.5\n \t\t@babel/helper-globals@^7.28.0\n \t\t@babel/parser@^7.28.5\n \t\t@babel/template@^7.27.2\n \t\t@babel/types@^7.28.5\n \t\tdebug@^4.3.1\n @babel/types\n \t7.1.2\n \t\tesutils@^2.0.2\n \t\tlodash@^4.17.10\n \t\tto-fast-properties@^2.0.0\n \t7.6.1\n \t\tesutils@^2.0.2\n \t\tlodash@^4.17.13\n \t\tto-fast-properties@^2.0.0\n \t7.28.5\n \t\t@babel/helper-string-parser@^7.27.1\n \t\t@babel/helper-validator-identifier@^7.28.5\n @firebase/ai\n \t1.4.1\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.3.3\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/analytics\n \t0.6.18\n \t\t@firebase/analytics-types@0.6.0\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\ttslib@^2.1.0\n \t0.10.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.10.8\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.10.17\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/analytics-compat\n \t0.2.6\n \t\t@firebase/analytics@0.10.0\n \t\t@firebase/analytics-types@0.8.0\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.14\n \t\t@firebase/analytics@0.10.8\n \t\t@firebase/analytics-types@0.8.2\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.2.23\n \t\t@firebase/analytics@0.10.17\n \t\t@firebase/analytics-types@0.8.3\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/analytics-types\n \t0.6.0\n \t0.8.0\n \t0.8.2\n \t0.8.3\n @firebase/app\n \t0.6.30\n \t\t@firebase/app-types@0.6.3\n \t\t@firebase/component@0.5.6\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\tdom-storage@2.1.0\n \t\ttslib@^2.1.0\n \t\txmlhttprequest@1.8.0\n \t0.9.13\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n \t0.10.13\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n \t0.13.2\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n @firebase/app-check\n \t0.3.2\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.1.0\n \t\t@firebase/app-check-types@0.3.1\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\ttslib@^2.1.0\n \t0.8.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.8.8\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.10.1\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/app-check-compat\n \t0.3.7\n \t\t@firebase/app-check@0.8.0\n \t\t@firebase/app-check-types@0.5.0\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.3.15\n \t\t@firebase/app-check@0.8.8\n \t\t@firebase/app-check-types@0.5.2\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.3.26\n \t\t@firebase/app-check@0.10.1\n \t\t@firebase/app-check-types@0.5.3\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/app-check-interop-types\n \t0.1.0\n \t0.3.0\n \t0.3.2\n \t0.3.3\n @firebase/app-check-types\n \t0.3.1\n \t0.5.0\n \t0.5.2\n \t0.5.3\n @firebase/app-compat\n \t0.2.13\n \t\t@firebase/app@0.9.13\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.43\n \t\t@firebase/app@0.10.13\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.4.2\n \t\t@firebase/app@0.13.2\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/app-types\n \t0.6.3\n \t0.9.0\n \t0.9.2\n \t0.9.3\n @firebase/auth\n \t0.16.8\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/auth-types@0.10.3\n \t0.23.2\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t1.7.9\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\tScope peer|@react-native-async-storage/async-storage@^1.18.1\n \t\ttslib@^2.1.0\n \t\tundici@6.19.7\n \t1.10.8\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\tScope peer|@react-native-async-storage/async-storage@^1.18.1\n \t\ttslib@^2.1.0\n @firebase/auth-compat\n \t0.4.2\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/auth@0.23.2\n \t\t@firebase/auth-types@0.12.0\n \t\t@firebase/component@0.6.4\n \t\t@firebase/util@1.9.3\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t0.5.14\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/auth@1.7.9\n \t\t@firebase/auth-types@0.12.2\n \t\t@firebase/component@0.6.9\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t\tundici@6.19.7\n \t0.5.28\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/auth@1.10.8\n \t\t@firebase/auth-types@0.13.0\n \t\t@firebase/component@0.6.18\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/auth-interop-types\n \t0.1.6\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.2.1\n \t0.2.3\n \t0.2.4\n @firebase/auth-types\n \t0.10.3\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.12.0\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.12.2\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.13.0\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n @firebase/component\n \t0.5.6\n \t\t@firebase/util@1.3.0\n \t\ttslib@^2.1.0\n \t0.6.4\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.6.9\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.6.18\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/data-connect\n \t0.1.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/auth-interop-types@0.2.3\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.3.10\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/auth-interop-types@0.2.4\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/database\n \t0.11.0\n \t\t@firebase/auth-interop-types@0.1.6\n \t\t@firebase/component@0.5.6\n \t\t@firebase/database-types@0.8.0\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\tfaye-websocket@0.11.3\n \t\ttslib@^2.1.0\n \t0.14.4\n \t\t@firebase/auth-interop-types@0.2.1\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\tfaye-websocket@0.11.4\n \t\ttslib@^2.1.0\n \t1.0.8\n \t\t@firebase/app-check-interop-types@0.3.2\n \t\t@firebase/auth-interop-types@0.2.3\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\tfaye-websocket@0.11.4\n \t\ttslib@^2.1.0\n \t1.0.20\n \t\t@firebase/app-check-interop-types@0.3.3\n \t\t@firebase/auth-interop-types@0.2.4\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\tfaye-websocket@0.11.4\n \t\ttslib@^2.1.0\n @firebase/database-compat\n \t0.3.4\n \t\t@firebase/component@0.6.4\n \t\t@firebase/database@0.14.4\n \t\t@firebase/database-types@0.10.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t1.0.8\n \t\t@firebase/component@0.6.9\n \t\t@firebase/database@1.0.8\n \t\t@firebase/database-types@1.0.5\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t2.0.11\n \t\t@firebase/component@0.6.18\n \t\t@firebase/database@1.0.20\n \t\t@firebase/database-types@1.0.15\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/database-types\n \t0.8.0\n \t\t@firebase/app-types@0.6.3\n \t\t@firebase/util@1.3.0\n \t0.10.4\n \t\t@firebase/app-types@0.9.0\n \t\t@firebase/util@1.9.3\n \t1.0.5\n \t\t@firebase/app-types@0.9.2\n \t\t@firebase/util@1.10.0\n \t1.0.15\n \t\t@firebase/app-types@0.9.3\n \t\t@firebase/util@1.12.1\n @firebase/firestore\n \t2.4.0\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/firestore-types@2.4.0\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\t@firebase/webchannel-wrapper@0.5.1\n \t\t@grpc/grpc-js@^1.3.2\n \t\t@grpc/proto-loader@^0.6.0\n \t\tnode-fetch@2.6.1\n \t\ttslib@^2.1.0\n \t2.4.1\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/firestore-types@2.4.0\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/util@1.3.0\n \t\t@firebase/webchannel-wrapper@0.5.1\n \t\t@grpc/grpc-js@^1.3.2\n \t\t@grpc/proto-loader@^0.6.0\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t3.13.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\t@firebase/webchannel-wrapper@0.10.1\n \t\t@grpc/grpc-js@~1.7.0\n \t\t@grpc/proto-loader@^0.6.13\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t4.7.3\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\t@firebase/webchannel-wrapper@1.0.1\n \t\t@grpc/grpc-js@~1.9.0\n \t\t@grpc/proto-loader@^0.7.8\n \t\ttslib@^2.1.0\n \t\tundici@6.19.7\n \t4.8.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\t@firebase/webchannel-wrapper@1.0.3\n \t\t@grpc/grpc-js@~1.9.0\n \t\t@grpc/proto-loader@^0.7.8\n \t\ttslib@^2.1.0\n @firebase/firestore-compat\n \t0.3.12\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/firestore@3.13.0\n \t\t@firebase/firestore-types@2.5.1\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.3.38\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/firestore@4.7.3\n \t\t@firebase/firestore-types@3.0.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.3.53\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/firestore@4.8.0\n \t\t@firebase/firestore-types@3.0.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/firestore-types\n \t2.4.0\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t2.5.1\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t3.0.2\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t3.0.3\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n @firebase/functions\n \t0.6.15\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/functions-types@0.4.0\n \t\t@firebase/messaging-types@0.5.0\n \t\tnode-fetch@2.6.1\n \t\ttslib@^2.1.0\n \t0.6.16\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/functions-types@0.4.0\n \t\t@firebase/messaging-types@0.5.0\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t0.10.0\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.3.0\n \t\t@firebase/auth-interop-types@0.2.1\n \t\t@firebase/component@0.6.4\n \t\t@firebase/messaging-interop-types@0.2.0\n \t\t@firebase/util@1.9.3\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t0.11.8\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.3.2\n \t\t@firebase/auth-interop-types@0.2.3\n \t\t@firebase/component@0.6.9\n \t\t@firebase/messaging-interop-types@0.2.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t\tundici@6.19.7\n \t0.12.9\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.3.3\n \t\t@firebase/auth-interop-types@0.2.4\n \t\t@firebase/component@0.6.18\n \t\t@firebase/messaging-interop-types@0.2.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/functions-compat\n \t0.3.5\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/functions@0.10.0\n \t\t@firebase/functions-types@0.6.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.3.14\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/functions@0.11.8\n \t\t@firebase/functions-types@0.6.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.3.26\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/functions@0.12.9\n \t\t@firebase/functions-types@0.6.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/functions-types\n \t0.4.0\n \t0.6.0\n \t0.6.2\n \t0.6.3\n @firebase/installations\n \t0.4.32\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/installations-types@0.3.4\n \t\t@firebase/util@1.3.0\n \t\tidb@3.0.2\n \t\ttslib@^2.1.0\n \t0.6.4\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/util@1.9.3\n \t\tidb@7.0.1\n \t\ttslib@^2.1.0\n \t0.6.9\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/util@1.10.0\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n \t0.6.18\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/util@1.12.1\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n @firebase/installations-compat\n \t0.2.4\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/installations-types@0.5.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.9\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/installations-types@0.5.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.2.18\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/installations-types@0.5.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/installations-types\n \t0.3.4\n \t\tScope peer|@firebase/app-types@0.x\n \t0.5.0\n \t\tScope peer|@firebase/app-types@0.x\n \t0.5.2\n \t\tScope peer|@firebase/app-types@0.x\n \t0.5.3\n \t\tScope peer|@firebase/app-types@0.x\n @firebase/logger\n \t0.2.6\n \t0.4.0\n \t\ttslib@^2.1.0\n \t0.4.2\n \t\ttslib@^2.1.0\n \t0.4.4\n \t\ttslib@^2.1.0\n @firebase/messaging\n \t0.8.0\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/messaging-types@0.5.0\n \t\t@firebase/util@1.3.0\n \t\tidb@3.0.2\n \t\ttslib@^2.1.0\n \t0.12.4\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/messaging-interop-types@0.2.0\n \t\t@firebase/util@1.9.3\n \t\tidb@7.0.1\n \t\ttslib@^2.1.0\n \t0.12.12\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/messaging-interop-types@0.2.2\n \t\t@firebase/util@1.10.0\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n \t0.12.22\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/messaging-interop-types@0.2.3\n \t\t@firebase/util@1.12.1\n \t\tidb@7.1.1\n \t\ttslib@^2.1.0\n @firebase/messaging-compat\n \t0.2.4\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/messaging@0.12.4\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.12\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/messaging@0.12.12\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.2.22\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/messaging@0.12.22\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/messaging-interop-types\n \t0.2.0\n \t0.2.2\n \t0.2.3\n @firebase/messaging-types\n \t0.5.0\n \t\tScope peer|@firebase/app-types@0.x\n @firebase/performance\n \t0.4.18\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/performance-types@0.0.13\n \t\t@firebase/util@1.3.0\n \t\ttslib@^2.1.0\n \t0.6.4\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.6.9\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.7.7\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n \t\tweb-vitals@^4.2.4\n @firebase/performance-compat\n \t0.2.4\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/performance@0.6.4\n \t\t@firebase/performance-types@0.2.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.9\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/performance@0.6.9\n \t\t@firebase/performance-types@0.2.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.2.20\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/performance@0.7.7\n \t\t@firebase/performance-types@0.2.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/performance-types\n \t0.0.13\n \t0.2.0\n \t0.2.2\n \t0.2.3\n @firebase/polyfill\n \t0.3.36\n \t\tcore-js@3.6.5\n \t\tpromise-polyfill@8.1.3\n \t\twhatwg-fetch@2.0.4\n @firebase/remote-config\n \t0.1.43\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/logger@0.2.6\n \t\t@firebase/remote-config-types@0.1.9\n \t\t@firebase/util@1.3.0\n \t\ttslib@^2.1.0\n \t0.4.4\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.4.9\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.6.5\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/remote-config-compat\n \t0.2.4\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/logger@0.4.0\n \t\t@firebase/remote-config@0.4.4\n \t\t@firebase/remote-config-types@0.3.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.2.9\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/remote-config@0.4.9\n \t\t@firebase/remote-config-types@0.3.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.2.18\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/logger@0.4.4\n \t\t@firebase/remote-config@0.6.5\n \t\t@firebase/remote-config-types@0.4.0\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/remote-config-types\n \t0.1.9\n \t0.3.0\n \t0.3.2\n \t0.4.0\n @firebase/storage\n \t0.7.0\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/storage-types@0.5.0\n \t\t@firebase/util@1.3.0\n \t\tnode-fetch@2.6.1\n \t\ttslib@^2.1.0\n \t0.7.1\n \t\tScope peer|@firebase/app@0.x\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.5.6\n \t\t@firebase/storage-types@0.5.0\n \t\t@firebase/util@1.3.0\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t0.11.2\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/util@1.9.3\n \t\tnode-fetch@2.6.7\n \t\ttslib@^2.1.0\n \t0.13.2\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t\tundici@6.19.7\n \t0.13.14\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/storage-compat\n \t0.3.2\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.4\n \t\t@firebase/storage@0.11.2\n \t\t@firebase/storage-types@0.8.0\n \t\t@firebase/util@1.9.3\n \t\ttslib@^2.1.0\n \t0.3.12\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/storage@0.13.2\n \t\t@firebase/storage-types@0.8.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n \t0.3.24\n \t\tScope peer|@firebase/app-compat@0.x\n \t\t@firebase/component@0.6.18\n \t\t@firebase/storage@0.13.14\n \t\t@firebase/storage-types@0.8.3\n \t\t@firebase/util@1.12.1\n \t\ttslib@^2.1.0\n @firebase/storage-types\n \t0.5.0\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.8.0\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.8.2\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n \t0.8.3\n \t\tScope peer|@firebase/app-types@0.x\n \t\tScope peer|@firebase/util@1.x\n @firebase/util\n \t1.3.0\n \t\ttslib@^2.1.0\n \t1.9.3\n \t\ttslib@^2.1.0\n \t1.10.0\n \t\ttslib@^2.1.0\n \t1.12.1\n \t\ttslib@^2.1.0\n @firebase/vertexai-preview\n \t0.0.4\n \t\tScope peer|@firebase/app@0.x\n \t\t@firebase/app-check-interop-types@0.3.2\n \t\tScope peer|@firebase/app-types@0.x\n \t\t@firebase/component@0.6.9\n \t\t@firebase/logger@0.4.2\n \t\t@firebase/util@1.10.0\n \t\ttslib@^2.1.0\n @firebase/webchannel-wrapper\n \t0.5.1\n \t0.10.1\n \t1.0.1\n \t1.0.3\n @google-cloud/cloudbuild\n \t2.6.0\n \t\tgoogle-gax@^2.24.1\n \t3.10.0\n \t\tgoogle-gax@^3.5.8\n \t4.8.1\n \t\tgoogle-gax@^4.0.3\n @google-cloud/common\n \t3.8.0\n \t\t@google-cloud/projectify@^2.0.0\n \t\t@google-cloud/promisify@^2.0.0\n \t\tarrify@^2.0.1\n \t\tduplexify@^4.1.1\n \t\tent@^2.2.0\n \t\textend@^3.0.2\n \t\tgoogle-auth-library@^7.9.2\n \t\tretry-request@^4.2.2\n \t\tteeny-request@^7.0.0\n \t3.10.0\n \t\t@google-cloud/projectify@^2.0.0\n \t\t@google-cloud/promisify@^2.0.0\n \t\tarrify@^2.0.1\n \t\tduplexify@^4.1.1\n \t\tent@^2.2.0\n \t\textend@^3.0.2\n \t\tgoogle-auth-library@^7.14.0\n \t\tretry-request@^4.2.2\n \t\tteeny-request@^7.0.0\n @google-cloud/error-reporting\n \t2.0.4\n \t\t@google-cloud/common@^3.0.0\n \t\tconsole-log-level@^1.4.1\n \t2.0.5\n \t\t@google-cloud/common@^3.0.0\n \t\tconsole-log-level@^1.4.1\n @google-cloud/projectify\n \t2.1.1\n @google-cloud/promisify\n \t2.0.4\n @grpc/grpc-js\n \t1.4.0\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.1\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.2\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.3\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.4\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.5\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.4.6\n \t\t@grpc/proto-loader@^0.6.4\n \t\t@types/node@>=12.12.47\n \t1.6.12\n \t\t@grpc/proto-loader@^0.7.0\n \t\t@types/node@>=12.12.47\n \t1.7.3\n \t\t@grpc/proto-loader@^0.7.0\n \t\t@types/node@>=12.12.47\n \t1.8.22\n \t\t@grpc/proto-loader@^0.7.0\n \t\t@types/node@>=12.12.47\n \t1.9.15\n \t\t@grpc/proto-loader@^0.7.8\n \t\t@types/node@>=12.12.47\n \t1.14.0\n \t\t@grpc/proto-loader@^0.8.0\n \t\t@js-sdsl/ordered-map@^4.4.2\n @grpc/proto-loader\n \t0.6.6\n \t\t@types/long@^4.0.1\n \t\tlodash.camelcase@^4.3.0\n \t\tlong@^4.0.0\n \t\tprotobufjs@^6.10.0\n \t\tyargs@^16.1.1\n \t0.6.13\n \t\t@types/long@^4.0.1\n \t\tlodash.camelcase@^4.3.0\n \t\tlong@^4.0.0\n \t\tprotobufjs@^6.11.3\n \t\tyargs@^16.2.0\n \t0.7.15\n \t\tlodash.camelcase@^4.3.0\n \t\tlong@^5.0.0\n \t\tprotobufjs@^7.2.5\n \t\tyargs@^17.7.2\n \t0.8.0\n \t\tlodash.camelcase@^4.3.0\n \t\tlong@^5.0.0\n \t\tprotobufjs@^7.5.3\n \t\tyargs@^17.7.2\n @isaacs/balanced-match\n \t4.0.1\n @isaacs/brace-expansion\n \t5.0.0\n \t\t@isaacs/balanced-match@^4.0.1\n @isaacs/cliui\n \t8.0.2\n \t\tstring-width@^5.1.2\n \t\tKnownAs string-width-cjs|string-width@^4.2.0\n \t\tstrip-ansi@^7.0.1\n \t\tKnownAs strip-ansi-cjs|strip-ansi@^6.0.1\n \t\twrap-ansi@^8.1.0\n \t\tKnownAs wrap-ansi-cjs|wrap-ansi@^7.0.0\n @jridgewell/gen-mapping\n \t0.3.13\n \t\t@jridgewell/sourcemap-codec@^1.5.0\n \t\t@jridgewell/trace-mapping@^0.3.24\n @jridgewell/remapping\n \t2.3.5\n \t\t@jridgewell/gen-mapping@^0.3.5\n \t\t@jridgewell/trace-mapping@^0.3.24\n @jridgewell/resolve-uri\n \t3.1.2\n @jridgewell/sourcemap-codec\n \t1.5.5\n @jridgewell/trace-mapping\n \t0.3.31\n \t\t@jridgewell/resolve-uri@^3.1.0\n \t\t@jridgewell/sourcemap-codec@^1.4.14\n @js-sdsl/ordered-map\n \t4.4.2\n @jsdoc/salty\n \t0.2.9\n \t\tlodash@^4.17.21\n @parcel/watcher\n \t2.5.1\n \t\tOpt|@parcel/watcher-android-arm64@2.5.1\n \t\tOpt|@parcel/watcher-darwin-arm64@2.5.1\n \t\tOpt|@parcel/watcher-darwin-x64@2.5.1\n \t\tOpt|@parcel/watcher-freebsd-x64@2.5.1\n \t\tOpt|@parcel/watcher-linux-arm-glibc@2.5.1\n \t\tOpt|@parcel/watcher-linux-arm-musl@2.5.1\n \t\tOpt|@parcel/watcher-linux-arm64-glibc@2.5.1\n \t\tOpt|@parcel/watcher-linux-arm64-musl@2.5.1\n \t\tOpt|@parcel/watcher-linux-x64-glibc@2.5.1\n \t\tOpt|@parcel/watcher-linux-x64-musl@2.5.1\n \t\tOpt|@parcel/watcher-win32-arm64@2.5.1\n \t\tOpt|@parcel/watcher-win32-ia32@2.5.1\n \t\tOpt|@parcel/watcher-win32-x64@2.5.1\n \t\tdetect-libc@^1.0.3\n \t\tis-glob@^4.0.3\n \t\tmicromatch@^4.0.5\n \t\tnode-addon-api@^7.0.0\n @parcel/watcher-android-arm64\n \t2.5.1\n @parcel/watcher-darwin-arm64\n \t2.5.1\n @parcel/watcher-darwin-x64\n \t2.5.1\n @parcel/watcher-freebsd-x64\n \t2.5.1\n @parcel/watcher-linux-arm-glibc\n \t2.5.1\n @parcel/watcher-linux-arm-musl\n \t2.5.1\n @parcel/watcher-linux-arm64-glibc\n \t2.5.1\n @parcel/watcher-linux-arm64-musl\n \t2.5.1\n @parcel/watcher-linux-x64-glibc\n \t2.5.1\n @parcel/watcher-linux-x64-musl\n \t2.5.1\n @parcel/watcher-win32-arm64\n \t2.5.1\n @parcel/watcher-win32-ia32\n \t2.5.1\n @parcel/watcher-win32-x64\n \t2.5.1\n @polka/url\n \t0.5.0\n @protobufjs/aspromise\n \t1.1.2\n @protobufjs/base64\n \t1.1.2\n @protobufjs/codegen\n \t2.0.4\n @protobufjs/eventemitter\n \t1.1.0\n @protobufjs/fetch\n \t1.1.0\n \t\t@protobufjs/aspromise@^1.1.1\n \t\t@protobufjs/inquire@^1.1.0\n @protobufjs/float\n \t1.0.2\n @protobufjs/inquire\n \t1.1.0\n @protobufjs/path\n \t1.1.2\n @protobufjs/pool\n \t1.1.0\n @protobufjs/utf8\n \t1.1.0\n @rollup/plugin-commonjs\n \t21.0.1\n \t\t@rollup/pluginutils@^3.1.0\n \t\tcommondir@^1.0.1\n \t\testree-walker@^2.0.1\n \t\tglob@^7.1.6\n \t\tis-reference@^1.2.1\n \t\tmagic-string@^0.25.7\n \t\tresolve@^1.17.0\n \t\tScope peer|rollup@^2.38.3\n \t21.1.0\n \t\t@rollup/pluginutils@^3.1.0\n \t\tcommondir@^1.0.1\n \t\testree-walker@^2.0.1\n \t\tglob@^7.1.6\n \t\tis-reference@^1.2.1\n \t\tmagic-string@^0.25.7\n \t\tresolve@^1.17.0\n \t\tScope peer|rollup@^2.38.3\n @rollup/plugin-node-resolve\n \t13.0.6\n \t\t@rollup/pluginutils@^3.1.0\n \t\t@types/resolve@1.17.1\n \t\tbuiltin-modules@^3.1.0\n \t\tdeepmerge@^4.2.2\n \t\tis-module@^1.0.0\n \t\tresolve@^1.19.0\n \t\tScope peer|rollup@^2.42.0\n \t13.3.0\n \t\t@rollup/pluginutils@^3.1.0\n \t\t@types/resolve@1.17.1\n \t\tdeepmerge@^4.2.2\n \t\tis-builtin-module@^3.1.0\n \t\tis-module@^1.0.0\n \t\tresolve@^1.19.0\n \t\tScope peer|rollup@^2.42.0\n @rollup/pluginutils\n \t3.1.0\n \t\t@types/estree@0.0.39\n \t\testree-walker@^1.0.1\n \t\tpicomatch@^2.2.2\n \t\tScope peer|rollup@^1.20.0||^2.0.0\n @tootallnate/once\n \t2.0.0\n @types/caseless\n \t0.12.5\n @types/estree\n \t0.0.39\n \t1.0.8\n @types/glob\n \t9.0.0\n \t\tglob@*\n @types/linkify-it\n \t5.0.0\n @types/long\n \t4.0.1\n \t4.0.2\n @types/markdown-it\n \t14.1.2\n \t\t@types/linkify-it@^5\n \t\t@types/mdurl@^2\n @types/mdurl\n \t2.0.0\n @types/node\n \t12.6.9\n \t16.11.6\n \t24.10.0\n \t\tundici-types@~7.16.0\n @types/request\n \t2.48.13\n \t\t@types/caseless@*\n \t\t@types/node@*\n \t\t@types/tough-cookie@*\n \t\tform-data@^2.5.5\n @types/resolve\n \t1.17.1\n \t\t@types/node@*\n @types/rimraf\n \t3.0.2\n \t\t@types/glob@*\n \t\t@types/node@*\n @types/tough-cookie\n \t4.0.5\n @ungap/promise-all-settled\n \t1.1.2\n @webcomponents/webcomponentsjs\n \t2.4.0\n \t2.8.0\n abab\n \t2.0.0\n \t2.0.6\n abort-controller\n \t3.0.0\n \t\tevent-target-shim@^5.0.0\n acorn\n \t5.4.1\n \t5.5.0\n \t5.5.1\n \t5.5.2\n \t5.5.3\n \t5.6.0\n \t5.6.1\n \t5.6.2\n \t5.7.0\n \t5.7.1\n \t5.7.2\n \t5.7.3\n \t5.7.4\n \t6.0.2\n \t6.4.2\n \t7.1.0\n \t7.4.1\n \t8.15.0\n acorn-es7-plugin\n \t1.1.7\n acorn-globals\n \t4.3.0\n \t\tacorn@^6.0.1\n \t\tacorn-walk@^6.0.1\n \t4.3.4\n \t\tacorn@^6.0.1\n \t\tacorn-walk@^6.0.1\n acorn-jsx\n \t5.3.2\n \t\tScope peer|acorn@^6.0.0 || ^7.0.0 || ^8.0.0\n acorn-walk\n \t6.1.0\n \t6.2.0\n agent-base\n \t4.3.0\n \t\tes6-promisify@^5.0.0\n \t6.0.2\n \t\tdebug@4\n \t7.1.4\n ajv\n \t5.3.0\n \t\tco@^4.6.0\n \t\tfast-deep-equal@^1.0.0\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.3.0\n \t5.4.0\n \t\tco@^4.6.0\n \t\tfast-deep-equal@^1.0.0\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.3.0\n \t5.5.0\n \t\tco@^4.6.0\n \t\tfast-deep-equal@^1.0.0\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.3.0\n \t5.5.1\n \t\tco@^4.6.0\n \t\tfast-deep-equal@^1.0.0\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.3.0\n \t5.5.2\n \t\tco@^4.6.0\n \t\tfast-deep-equal@^1.0.0\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.3.0\n \t6.12.6\n \t\tfast-deep-equal@^3.1.1\n \t\tfast-json-stable-stringify@^2.0.0\n \t\tjson-schema-traverse@^0.4.1\n \t\turi-js@^4.2.2\n ansi-colors\n \t3.2.3\n \t4.1.1\n \t4.1.3\n ansi-gray\n \t0.1.1\n \t\tansi-wrap@0.1.0\n ansi-regex\n \t2.1.1\n \t3.0.0\n \t3.0.1\n \t4.1.1\n \t5.0.1\n \t6.2.2\n ansi-styles\n \t3.2.1\n \t\tcolor-convert@^1.9.0\n \t4.3.0\n \t\tcolor-convert@^2.0.1\n \t6.2.3\n ansi-wrap\n \t0.1.0\n anymatch\n \t3.0.3\n \t\tnormalize-path@^3.0.0\n \t\tpicomatch@^2.0.4\n \t3.1.3\n \t\tnormalize-path@^3.0.0\n \t\tpicomatch@^2.0.4\n arch\n \t2.1.1\n \t2.2.0\n argparse\n \t1.0.10\n \t\tsprintf-js@~1.0.2\n \t2.0.1\n array-buffer-byte-length\n \t1.0.2\n \t\tcall-bound@^1.0.3\n \t\tis-array-buffer@^3.0.5\n array-equal\n \t1.0.0\n \t1.0.2\n array.prototype.reduce\n \t1.0.8\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.4\n \t\tdefine-properties@^1.2.1\n \t\tes-abstract@^1.23.9\n \t\tes-array-method-boxes-properly@^1.0.0\n \t\tes-errors@^1.3.0\n \t\tes-object-atoms@^1.1.1\n \t\tis-string@^1.1.1\n arraybuffer.prototype.slice\n \t1.0.4\n \t\tarray-buffer-byte-length@^1.0.1\n \t\tcall-bind@^1.0.8\n \t\tdefine-properties@^1.2.1\n \t\tes-abstract@^1.23.5\n \t\tes-errors@^1.3.0\n \t\tget-intrinsic@^1.2.6\n \t\tis-array-buffer@^3.0.4\n arrify\n \t2.0.1\n asn1\n \t0.2.4\n \t\tsafer-buffer@~2.1.0\n \t0.2.6\n \t\tsafer-buffer@~2.1.0\n assert-plus\n \t1.0.0\n assertion-error\n \t1.1.0\n async-function\n \t1.0.0\n async-generator-function\n \t1.0.0\n async-limiter\n \t1.0.1\n async-transforms\n \t1.0.9\n asynckit\n \t0.4.0\n autoprefixer\n \t9.3.0\n \t\tbrowserslist@^4.3.2\n \t\tcaniuse-lite@^1.0.30000898\n \t\tnormalize-range@^0.1.2\n \t\tnum2fraction@^1.2.2\n \t\tpostcss@^7.0.5\n \t\tpostcss-value-parser@^3.3.1\n \t9.8.8\n \t\tbrowserslist@^4.12.0\n \t\tcaniuse-lite@^1.0.30001109\n \t\tnormalize-range@^0.1.2\n \t\tnum2fraction@^1.2.2\n \t\tpicocolors@^0.2.1\n \t\tpostcss@^7.0.32\n \t\tpostcss-value-parser@^4.1.0\n \t10.4.21\n \t\tbrowserslist@^4.24.4\n \t\tcaniuse-lite@^1.0.30001702\n \t\tfraction.js@^4.3.7\n \t\tnormalize-range@^0.1.2\n \t\tpicocolors@^1.1.1\n \t\tScope peer|postcss@^8.1.0\n \t\tpostcss-value-parser@^4.2.0\n available-typed-arrays\n \t1.0.7\n \t\tpossible-typed-array-names@^1.0.0\n aws-sign2\n \t0.7.0\n aws4\n \t1.8.0\n \t1.13.2\n babel-plugin-dynamic-import-node\n \t2.3.0\n \t\tobject.assign@^4.1.0\n babel-plugin-func-wrap\n \t1.1.0\n babel-plugin-polyfill-corejs2\n \t0.4.14\n \t\t@babel/compat-data@^7.27.7\n \t\tScope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0\n \t\t@babel/helper-define-polyfill-provider@^0.6.5\n \t\tsemver@^6.3.1\n babel-plugin-polyfill-corejs3\n \t0.13.0\n \t\tScope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0\n \t\t@babel/helper-define-polyfill-provider@^0.6.5\n \t\tcore-js-compat@^3.43.0\n babel-plugin-polyfill-regenerator\n \t0.6.5\n \t\tScope peer|@babel/core@^7.4.0 || ^8.0.0-0 <8.0.0\n \t\t@babel/helper-define-polyfill-provider@^0.6.5\n balanced-match\n \t1.0.0\n \t1.0.2\n base64-js\n \t1.5.1\n baseline-browser-mapping\n \t2.8.24\n \t2.8.25\n bcrypt-pbkdf\n \t1.0.2\n \t\ttweetnacl@^0.14.3\n bignumber.js\n \t9.0.1\n \t9.3.1\n binary-extensions\n \t2.0.0\n \t2.3.0\n bluebird\n \t3.7.2\n brace-expansion\n \t1.1.11\n \t\tbalanced-match@^1.0.0\n \t\tconcat-map@0.0.1\n \t1.1.12\n \t\tbalanced-match@^1.0.0\n \t\tconcat-map@0.0.1\n \t2.0.2\n \t\tbalanced-match@^1.0.0\n braces\n \t3.0.2\n \t\tfill-range@^7.0.1\n \t3.0.3\n \t\tfill-range@^7.1.1\n browser-process-hrtime\n \t0.1.3\n \t1.0.0\n browser-stdout\n \t1.3.1\n browserslist\n \t4.3.2\n \t\tcaniuse-lite@^1.0.30000898\n \t\telectron-to-chromium@^1.3.80\n \t\tnode-releases@^1.0.0-alpha.14\n \t4.3.3\n \t\tcaniuse-lite@^1.0.30000898\n \t\telectron-to-chromium@^1.3.81\n \t\tnode-releases@^1.0.0-alpha.15\n \t4.3.4\n \t\tcaniuse-lite@^1.0.30000899\n \t\telectron-to-chromium@^1.3.82\n \t\tnode-releases@^1.0.1\n \t4.3.5\n \t\tcaniuse-lite@^1.0.30000912\n \t\telectron-to-chromium@^1.3.86\n \t\tnode-releases@^1.0.5\n \t4.3.6\n \t\tcaniuse-lite@^1.0.30000921\n \t\telectron-to-chromium@^1.3.92\n \t\tnode-releases@^1.1.1\n \t4.3.7\n \t\tcaniuse-lite@^1.0.30000925\n \t\telectron-to-chromium@^1.3.96\n \t\tnode-releases@^1.1.3\n \t4.4.0\n \t\tcaniuse-lite@^1.0.30000928\n \t\telectron-to-chromium@^1.3.100\n \t\tnode-releases@^1.1.3\n \t4.4.1\n \t\tcaniuse-lite@^1.0.30000929\n \t\telectron-to-chromium@^1.3.103\n \t\tnode-releases@^1.1.3\n \t4.4.2\n \t\tcaniuse-lite@^1.0.30000939\n \t\telectron-to-chromium@^1.3.113\n \t\tnode-releases@^1.1.8\n \t4.5.0\n \t\tcaniuse-lite@^1.0.30000948\n \t\telectron-to-chromium@^1.3.116\n \t\tnode-releases@^1.1.10\n \t4.5.1\n \t\tcaniuse-lite@^1.0.30000949\n \t\telectron-to-chromium@^1.3.116\n \t\tnode-releases@^1.1.11\n \t4.5.2\n \t\tcaniuse-lite@^1.0.30000951\n \t\telectron-to-chromium@^1.3.116\n \t\tnode-releases@^1.1.11\n \t4.5.3\n \t\tcaniuse-lite@^1.0.30000955\n \t\telectron-to-chromium@^1.3.122\n \t\tnode-releases@^1.1.12\n \t4.5.4\n \t\tcaniuse-lite@^1.0.30000955\n \t\telectron-to-chromium@^1.3.122\n \t\tnode-releases@^1.1.13\n \t4.5.5\n \t\tcaniuse-lite@^1.0.30000960\n \t\telectron-to-chromium@^1.3.124\n \t\tnode-releases@^1.1.14\n \t4.5.6\n \t\tcaniuse-lite@^1.0.30000963\n \t\telectron-to-chromium@^1.3.127\n \t\tnode-releases@^1.1.17\n \t4.6.0\n \t\tcaniuse-lite@^1.0.30000967\n \t\telectron-to-chromium@^1.3.133\n \t\tnode-releases@^1.1.19\n \t4.6.1\n \t\tcaniuse-lite@^1.0.30000971\n \t\telectron-to-chromium@^1.3.137\n \t\tnode-releases@^1.1.21\n \t4.6.2\n \t\tcaniuse-lite@^1.0.30000974\n \t\telectron-to-chromium@^1.3.150\n \t\tnode-releases@^1.1.23\n \t4.6.3\n \t\tcaniuse-lite@^1.0.30000975\n \t\telectron-to-chromium@^1.3.164\n \t\tnode-releases@^1.1.23\n \t4.6.4\n \t\tcaniuse-lite@^1.0.30000981\n \t\telectron-to-chromium@^1.3.188\n \t\tnode-releases@^1.1.25\n \t4.6.5\n \t\tcaniuse-lite@^1.0.30000984\n \t\telectron-to-chromium@^1.3.191\n \t\tnode-releases@^1.1.25\n \t4.6.6\n \t\tcaniuse-lite@^1.0.30000984\n \t\telectron-to-chromium@^1.3.191\n \t\tnode-releases@^1.1.25\n \t4.7.0\n \t\tcaniuse-lite@^1.0.30000989\n \t\telectron-to-chromium@^1.3.247\n \t\tnode-releases@^1.1.29\n \t4.7.1\n \t\tcaniuse-lite@^1.0.30000999\n \t\telectron-to-chromium@^1.3.284\n \t\tnode-releases@^1.1.36\n \t4.7.2\n \t\tcaniuse-lite@^1.0.30001004\n \t\telectron-to-chromium@^1.3.295\n \t\tnode-releases@^1.1.38\n \t4.7.3\n \t\tcaniuse-lite@^1.0.30001010\n \t\telectron-to-chromium@^1.3.306\n \t\tnode-releases@^1.1.40\n \t4.8.0\n \t\tcaniuse-lite@^1.0.30001012\n \t\telectron-to-chromium@^1.3.317\n \t\tnode-releases@^1.1.41\n \t4.8.1\n \t\tcaniuse-lite@^1.0.30001015\n \t\telectron-to-chromium@^1.3.322\n \t\tnode-releases@^1.1.42\n \t4.8.2\n \t\tcaniuse-lite@^1.0.30001015\n \t\telectron-to-chromium@^1.3.322\n \t\tnode-releases@^1.1.42\n \t4.8.3\n \t\tcaniuse-lite@^1.0.30001017\n \t\telectron-to-chromium@^1.3.322\n \t\tnode-releases@^1.1.44\n \t4.8.4\n \t\tcaniuse-lite@^1.0.30001021\n \t\telectron-to-chromium@^1.3.338\n \t\tnode-releases@^1.1.46\n \t4.8.5\n \t\tcaniuse-lite@^1.0.30001022\n \t\telectron-to-chromium@^1.3.338\n \t\tnode-releases@^1.1.46\n \t4.8.6\n \t\tcaniuse-lite@^1.0.30001023\n \t\telectron-to-chromium@^1.3.341\n \t\tnode-releases@^1.1.47\n \t4.8.7\n \t\tcaniuse-lite@^1.0.30001027\n \t\telectron-to-chromium@^1.3.349\n \t\tnode-releases@^1.1.49\n \t4.9.0\n \t\tcaniuse-lite@^1.0.30001030\n \t\telectron-to-chromium@^1.3.361\n \t\tnode-releases@^1.1.50\n \t4.9.1\n \t\tcaniuse-lite@^1.0.30001030\n \t\telectron-to-chromium@^1.3.363\n \t\tnode-releases@^1.1.50\n \t4.10.0\n \t\tcaniuse-lite@^1.0.30001035\n \t\telectron-to-chromium@^1.3.378\n \t\tnode-releases@^1.1.52\n \t\tpkg-up@^3.1.0\n \t4.11.0\n \t\tcaniuse-lite@^1.0.30001035\n \t\telectron-to-chromium@^1.3.380\n \t\tnode-releases@^1.1.52\n \t\tpkg-up@^3.1.0\n \t4.11.1\n \t\tcaniuse-lite@^1.0.30001038\n \t\telectron-to-chromium@^1.3.390\n \t\tnode-releases@^1.1.53\n \t\tpkg-up@^2.0.0\n \t4.12.0\n \t\tcaniuse-lite@^1.0.30001043\n \t\telectron-to-chromium@^1.3.413\n \t\tnode-releases@^1.1.53\n \t\tpkg-up@^2.0.0\n \t4.12.1\n \t\tcaniuse-lite@^1.0.30001088\n \t\telectron-to-chromium@^1.3.481\n \t\tescalade@^3.0.1\n \t\tnode-releases@^1.1.58\n \t4.12.2\n \t\tcaniuse-lite@^1.0.30001088\n \t\telectron-to-chromium@^1.3.483\n \t\tescalade@^3.0.1\n \t\tnode-releases@^1.1.58\n \t4.13.0\n \t\tcaniuse-lite@^1.0.30001093\n \t\telectron-to-chromium@^1.3.488\n \t\tescalade@^3.0.1\n \t\tnode-releases@^1.1.58\n \t4.14.0\n \t\tcaniuse-lite@^1.0.30001111\n \t\telectron-to-chromium@^1.3.523\n \t\tescalade@^3.0.2\n \t\tnode-releases@^1.1.60\n \t4.14.1\n \t\tcaniuse-lite@^1.0.30001124\n \t\telectron-to-chromium@^1.3.562\n \t\tescalade@^3.0.2\n \t\tnode-releases@^1.1.60\n \t4.14.2\n \t\tcaniuse-lite@^1.0.30001125\n \t\telectron-to-chromium@^1.3.564\n \t\tescalade@^3.0.2\n \t\tnode-releases@^1.1.61\n \t4.14.3\n \t\tcaniuse-lite@^1.0.30001131\n \t\telectron-to-chromium@^1.3.570\n \t\tescalade@^3.1.0\n \t\tnode-releases@^1.1.61\n \t4.14.4\n \t\tcaniuse-lite@^1.0.30001135\n \t\telectron-to-chromium@^1.3.570\n \t\tescalade@^3.1.0\n \t\tnode-releases@^1.1.61\n \t4.14.5\n \t\tcaniuse-lite@^1.0.30001135\n \t\telectron-to-chromium@^1.3.571\n \t\tescalade@^3.1.0\n \t\tnode-releases@^1.1.61\n \t4.14.6\n \t\tcaniuse-lite@^1.0.30001154\n \t\telectron-to-chromium@^1.3.585\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.65\n \t4.14.7\n \t\tcaniuse-lite@^1.0.30001157\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.591\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.66\n \t4.15.0\n \t\tcaniuse-lite@^1.0.30001164\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.612\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.67\n \t4.16.0\n \t\tcaniuse-lite@^1.0.30001165\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.621\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.67\n \t4.16.1\n \t\tcaniuse-lite@^1.0.30001173\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.634\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.69\n \t4.16.2\n \t\tcaniuse-lite@^1.0.30001181\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.649\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.70\n \t4.16.3\n \t\tcaniuse-lite@^1.0.30001181\n \t\tcolorette@^1.2.1\n \t\telectron-to-chromium@^1.3.649\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.70\n \t4.16.4\n \t\tcaniuse-lite@^1.0.30001208\n \t\tcolorette@^1.2.2\n \t\telectron-to-chromium@^1.3.712\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.71\n \t4.16.5\n \t\tcaniuse-lite@^1.0.30001214\n \t\tcolorette@^1.2.2\n \t\telectron-to-chromium@^1.3.719\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.71\n \t4.16.6\n \t\tcaniuse-lite@^1.0.30001219\n \t\tcolorette@^1.2.2\n \t\telectron-to-chromium@^1.3.723\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.71\n \t4.16.7\n \t\tcaniuse-lite@^1.0.30001248\n \t\tcolorette@^1.2.2\n \t\telectron-to-chromium@^1.3.793\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.73\n \t4.16.8\n \t\tcaniuse-lite@^1.0.30001251\n \t\tcolorette@^1.3.0\n \t\telectron-to-chromium@^1.3.811\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.75\n \t4.17.0\n \t\tcaniuse-lite@^1.0.30001254\n \t\tcolorette@^1.3.0\n \t\telectron-to-chromium@^1.3.830\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.75\n \t4.17.1\n \t\tcaniuse-lite@^1.0.30001259\n \t\telectron-to-chromium@^1.3.846\n \t\tescalade@^3.1.1\n \t\tnanocolors@^0.1.5\n \t\tnode-releases@^1.1.76\n \t4.17.2\n \t\tcaniuse-lite@^1.0.30001261\n \t\telectron-to-chromium@^1.3.854\n \t\tescalade@^3.1.1\n \t\tnanocolors@^0.2.12\n \t\tnode-releases@^1.1.76\n \t4.17.3\n \t\tcaniuse-lite@^1.0.30001264\n \t\telectron-to-chromium@^1.3.857\n \t\tescalade@^3.1.1\n \t\tnode-releases@^1.1.77\n \t\tpicocolors@^0.2.1\n \t4.17.4\n \t\tcaniuse-lite@^1.0.30001265\n \t\telectron-to-chromium@^1.3.867\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.0\n \t\tpicocolors@^1.0.0\n \t4.17.5\n \t\tcaniuse-lite@^1.0.30001271\n \t\telectron-to-chromium@^1.3.878\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.17.6\n \t\tcaniuse-lite@^1.0.30001274\n \t\telectron-to-chromium@^1.3.886\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.18.0\n \t\tcaniuse-lite@^1.0.30001280\n \t\telectron-to-chromium@^1.3.896\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.18.1\n \t\tcaniuse-lite@^1.0.30001280\n \t\telectron-to-chromium@^1.3.896\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.19.0\n \t\tcaniuse-lite@^1.0.30001286\n \t\telectron-to-chromium@^1.4.17\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.19.1\n \t\tcaniuse-lite@^1.0.30001286\n \t\telectron-to-chromium@^1.4.17\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.1\n \t\tpicocolors@^1.0.0\n \t4.19.2\n \t\tcaniuse-lite@^1.0.30001312\n \t\telectron-to-chromium@^1.4.71\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.2\n \t\tpicocolors@^1.0.0\n \t4.19.3\n \t\tcaniuse-lite@^1.0.30001312\n \t\telectron-to-chromium@^1.4.71\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.2\n \t\tpicocolors@^1.0.0\n \t4.20.0\n \t\tcaniuse-lite@^1.0.30001313\n \t\telectron-to-chromium@^1.4.76\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.2\n \t\tpicocolors@^1.0.0\n \t4.20.1\n \t\tcaniuse-lite@^1.0.30001317\n \t\telectron-to-chromium@^1.4.84\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.2\n \t\tpicocolors@^1.0.0\n \t4.20.2\n \t\tcaniuse-lite@^1.0.30001317\n \t\telectron-to-chromium@^1.4.84\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.2\n \t\tpicocolors@^1.0.0\n \t4.20.3\n \t\tcaniuse-lite@^1.0.30001332\n \t\telectron-to-chromium@^1.4.118\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.3\n \t\tpicocolors@^1.0.0\n \t4.20.4\n \t\tcaniuse-lite@^1.0.30001349\n \t\telectron-to-chromium@^1.4.147\n \t\tescalade@^3.1.1\n \t\tnode-releases@^2.0.5\n \t\tpicocolors@^1.0.0\n \t4.21.0\n \t\tcaniuse-lite@^1.0.30001358\n \t\telectron-to-chromium@^1.4.164\n \t\tnode-releases@^2.0.5\n \t\tupdate-browserslist-db@^1.0.0\n \t4.21.1\n \t\tcaniuse-lite@^1.0.30001359\n \t\telectron-to-chromium@^1.4.172\n \t\tnode-releases@^2.0.5\n \t\tupdate-browserslist-db@^1.0.4\n \t4.21.2\n \t\tcaniuse-lite@^1.0.30001366\n \t\telectron-to-chromium@^1.4.188\n \t\tnode-releases@^2.0.6\n \t\tupdate-browserslist-db@^1.0.4\n \t4.21.3\n \t\tcaniuse-lite@^1.0.30001370\n \t\telectron-to-chromium@^1.4.202\n \t\tnode-releases@^2.0.6\n \t\tupdate-browserslist-db@^1.0.5\n \t4.21.4\n \t\tcaniuse-lite@^1.0.30001400\n \t\telectron-to-chromium@^1.4.251\n \t\tnode-releases@^2.0.6\n \t\tupdate-browserslist-db@^1.0.9\n \t4.21.5\n \t\tcaniuse-lite@^1.0.30001449\n \t\telectron-to-chromium@^1.4.284\n \t\tnode-releases@^2.0.8\n \t\tupdate-browserslist-db@^1.0.10\n \t4.21.6\n \t\tcaniuse-lite@^1.0.30001489\n \t\telectron-to-chromium@^1.4.411\n \t\tnode-releases@^2.0.12\n \t\tupdate-browserslist-db@^1.0.11\n \t4.21.7\n \t\tcaniuse-lite@^1.0.30001489\n \t\telectron-to-chromium@^1.4.411\n \t\tnode-releases@^2.0.12\n \t\tupdate-browserslist-db@^1.0.11\n \t4.21.8\n \t\tcaniuse-lite@^1.0.30001502\n \t\telectron-to-chromium@^1.4.428\n \t\tnode-releases@^2.0.12\n \t\tupdate-browserslist-db@^1.0.11\n \t4.21.9\n \t\tcaniuse-lite@^1.0.30001503\n \t\telectron-to-chromium@^1.4.431\n \t\tnode-releases@^2.0.12\n \t\tupdate-browserslist-db@^1.0.11\n \t4.21.10\n \t\tcaniuse-lite@^1.0.30001517\n \t\telectron-to-chromium@^1.4.477\n \t\tnode-releases@^2.0.13\n \t\tupdate-browserslist-db@^1.0.11\n \t4.21.11\n \t\tcaniuse-lite@^1.0.30001538\n \t\telectron-to-chromium@^1.4.526\n \t\tnode-releases@^2.0.13\n \t\tupdate-browserslist-db@^1.0.13\n \t4.22.0\n \t\tcaniuse-lite@^1.0.30001539\n \t\telectron-to-chromium@^1.4.530\n \t\tnode-releases@^2.0.13\n \t\tupdate-browserslist-db@^1.0.13\n \t4.22.1\n \t\tcaniuse-lite@^1.0.30001541\n \t\telectron-to-chromium@^1.4.535\n \t\tnode-releases@^2.0.13\n \t\tupdate-browserslist-db@^1.0.13\n \t4.22.2\n \t\tcaniuse-lite@^1.0.30001565\n \t\telectron-to-chromium@^1.4.601\n \t\tnode-releases@^2.0.14\n \t\tupdate-browserslist-db@^1.0.13\n \t4.22.3\n \t\tcaniuse-lite@^1.0.30001580\n \t\telectron-to-chromium@^1.4.648\n \t\tnode-releases@^2.0.14\n \t\tupdate-browserslist-db@^1.0.13\n \t4.23.0\n \t\tcaniuse-lite@^1.0.30001587\n \t\telectron-to-chromium@^1.4.668\n \t\tnode-releases@^2.0.14\n \t\tupdate-browserslist-db@^1.0.13\n \t4.23.1\n \t\tcaniuse-lite@^1.0.30001629\n \t\telectron-to-chromium@^1.4.796\n \t\tnode-releases@^2.0.14\n \t\tupdate-browserslist-db@^1.0.16\n \t4.23.2\n \t\tcaniuse-lite@^1.0.30001640\n \t\telectron-to-chromium@^1.4.820\n \t\tnode-releases@^2.0.14\n \t\tupdate-browserslist-db@^1.1.0\n \t4.23.3\n \t\tcaniuse-lite@^1.0.30001646\n \t\telectron-to-chromium@^1.5.4\n \t\tnode-releases@^2.0.18\n \t\tupdate-browserslist-db@^1.1.0\n \t4.24.0\n \t\tcaniuse-lite@^1.0.30001663\n \t\telectron-to-chromium@^1.5.28\n \t\tnode-releases@^2.0.18\n \t\tupdate-browserslist-db@^1.1.0\n \t4.24.1\n \t\tcaniuse-lite@^1.0.30001669\n \t\telectron-to-chromium@^1.5.41\n \t\tnode-releases@^2.0.18\n \t\tupdate-browserslist-db@^1.1.1\n \t4.24.2\n \t\tcaniuse-lite@^1.0.30001669\n \t\telectron-to-chromium@^1.5.41\n \t\tnode-releases@^2.0.18\n \t\tupdate-browserslist-db@^1.1.1\n \t4.24.3\n \t\tcaniuse-lite@^1.0.30001688\n \t\telectron-to-chromium@^1.5.73\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.1\n \t4.24.4\n \t\tcaniuse-lite@^1.0.30001688\n \t\telectron-to-chromium@^1.5.73\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.1\n \t4.24.5\n \t\tcaniuse-lite@^1.0.30001716\n \t\telectron-to-chromium@^1.5.149\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.25.0\n \t\tcaniuse-lite@^1.0.30001718\n \t\telectron-to-chromium@^1.5.160\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.25.1\n \t\tcaniuse-lite@^1.0.30001726\n \t\telectron-to-chromium@^1.5.173\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.25.2\n \t\tcaniuse-lite@^1.0.30001733\n \t\telectron-to-chromium@^1.5.199\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.25.3\n \t\tcaniuse-lite@^1.0.30001735\n \t\telectron-to-chromium@^1.5.204\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.25.4\n \t\tcaniuse-lite@^1.0.30001737\n \t\telectron-to-chromium@^1.5.211\n \t\tnode-releases@^2.0.19\n \t\tupdate-browserslist-db@^1.1.3\n \t4.26.0\n \t\tbaseline-browser-mapping@^2.8.2\n \t\tcaniuse-lite@^1.0.30001741\n \t\telectron-to-chromium@^1.5.218\n \t\tnode-releases@^2.0.21\n \t\tupdate-browserslist-db@^1.1.3\n \t4.26.1\n \t\tbaseline-browser-mapping@2.8.4-beta3\n \t\tcaniuse-lite@^1.0.30001741\n \t\telectron-to-chromium@^1.5.218\n \t\tnode-releases@^2.0.21\n \t\tupdate-browserslist-db@^1.1.3\n \t4.26.2\n \t\tbaseline-browser-mapping@^2.8.3\n \t\tcaniuse-lite@^1.0.30001741\n \t\telectron-to-chromium@^1.5.218\n \t\tnode-releases@^2.0.21\n \t\tupdate-browserslist-db@^1.1.3\n \t4.26.3\n \t\tbaseline-browser-mapping@^2.8.9\n \t\tcaniuse-lite@^1.0.30001746\n \t\telectron-to-chromium@^1.5.227\n \t\tnode-releases@^2.0.21\n \t\tupdate-browserslist-db@^1.1.3\n \t4.27.0\n \t\tbaseline-browser-mapping@^2.8.19\n \t\tcaniuse-lite@^1.0.30001751\n \t\telectron-to-chromium@^1.5.238\n \t\tnode-releases@^2.0.26\n \t\tupdate-browserslist-db@^1.1.4\n buffer-crc32\n \t0.2.13\n buffer-equal-constant-time\n \t1.0.1\n buffer-from\n \t1.1.1\n \t1.1.2\n builtin-modules\n \t3.2.0\n \t3.3.0\n bytes\n \t3.0.0\n \t3.1.0\n \t3.1.2\n call-bind\n \t1.0.8\n \t\tcall-bind-apply-helpers@^1.0.0\n \t\tes-define-property@^1.0.0\n \t\tget-intrinsic@^1.2.4\n \t\tset-function-length@^1.2.2\n call-bind-apply-helpers\n \t1.0.2\n \t\tes-errors@^1.3.0\n \t\tfunction-bind@^1.1.2\n call-bound\n \t1.0.4\n \t\tcall-bind-apply-helpers@^1.0.2\n \t\tget-intrinsic@^1.3.0\n camel-case\n \t3.0.0\n \t\tno-case@^2.2.0\n \t\tupper-case@^1.1.1\n camelcase\n \t4.1.0\n \t5.3.1\n \t6.3.0\n caniuse-lite\n \t1.0.30000898\n \t1.0.30000989\n \t1.0.30001753\n caseless\n \t0.12.0\n catharsis\n \t0.9.0\n \t\tlodash@^4.17.15\n chai\n \t4.2.0\n \t\tassertion-error@^1.1.0\n \t\tcheck-error@^1.0.2\n \t\tdeep-eql@^3.0.1\n \t\tget-func-name@^2.0.0\n \t\tpathval@^1.1.0\n \t\ttype-detect@^4.0.5\n \t4.5.0\n \t\tassertion-error@^1.1.0\n \t\tcheck-error@^1.0.3\n \t\tdeep-eql@^4.1.3\n \t\tget-func-name@^2.0.2\n \t\tloupe@^2.3.6\n \t\tpathval@^1.1.1\n \t\ttype-detect@^4.1.0\n chalk\n \t2.4.1\n \t\tansi-styles@^3.2.1\n \t\tescape-string-regexp@^1.0.5\n \t\tsupports-color@^5.3.0\n \t2.4.2\n \t\tansi-styles@^3.2.1\n \t\tescape-string-regexp@^1.0.5\n \t\tsupports-color@^5.3.0\n \t4.1.2\n \t\tansi-styles@^4.1.0\n \t\tsupports-color@^7.1.0\n check-error\n \t1.0.2\n \t1.0.3\n \t\tget-func-name@^2.0.2\n chokidar\n \t3.0.2\n \t\tanymatch@^3.0.1\n \t\tbraces@^3.0.2\n \t\tOpt|fsevents@^2.0.6\n \t\tfsevents@^2.0.6\n \t\tglob-parent@^5.0.0\n \t\tis-binary-path@^2.1.0\n \t\tis-glob@^4.0.1\n \t\tnormalize-path@^3.0.0\n \t\treaddirp@^3.1.1\n \t3.3.0\n \t\tanymatch@~3.1.1\n \t\tbraces@~3.0.2\n \t\tOpt|fsevents@~2.1.1\n \t\tfsevents@~2.1.1\n \t\tglob-parent@~5.1.0\n \t\tis-binary-path@~2.1.0\n \t\tis-glob@~4.0.1\n \t\tnormalize-path@~3.0.0\n \t\treaddirp@~3.2.0\n \t3.5.1\n \t\tanymatch@~3.1.1\n \t\tbraces@~3.0.2\n \t\tOpt|fsevents@~2.3.1\n \t\tfsevents@~2.3.1\n \t\tglob-parent@~5.1.0\n \t\tis-binary-path@~2.1.0\n \t\tis-glob@~4.0.1\n \t\tnormalize-path@~3.0.0\n \t\treaddirp@~3.5.0\n \t3.5.3\n \t\tanymatch@~3.1.2\n \t\tbraces@~3.0.2\n \t\tOpt|fsevents@~2.3.2\n \t\tfsevents@~2.3.2\n \t\tglob-parent@~5.1.2\n \t\tis-binary-path@~2.1.0\n \t\tis-glob@~4.0.1\n \t\tnormalize-path@~3.0.0\n \t\treaddirp@~3.6.0\n \t3.6.0\n \t\tanymatch@~3.1.2\n \t\tbraces@~3.0.2\n \t\tOpt|fsevents@~2.3.2\n \t\tglob-parent@~5.1.2\n \t\tis-binary-path@~2.1.0\n \t\tis-glob@~4.0.1\n \t\tnormalize-path@~3.0.0\n \t\treaddirp@~3.6.0\n \t4.0.3\n \t\treaddirp@^4.0.1\n clean-css\n \t4.2.1\n \t\tsource-map@~0.6.0\n \t4.2.4\n \t\tsource-map@~0.6.0\n clipboardy\n \t1.2.3\n \t\tarch@^2.1.0\n \t\texeca@^0.8.0\n \t2.1.0\n \t\tarch@^2.1.1\n \t\texeca@^1.0.0\n \t2.3.0\n \t\tarch@^2.1.1\n \t\texeca@^1.0.0\n \t\tis-wsl@^2.1.1\n cliui\n \t4.1.0\n \t\tstring-width@^2.1.1\n \t\tstrip-ansi@^4.0.0\n \t\twrap-ansi@^2.0.0\n \t5.0.0\n \t\tstring-width@^3.1.0\n \t\tstrip-ansi@^5.2.0\n \t\twrap-ansi@^5.1.0\n \t7.0.4\n \t\tstring-width@^4.2.0\n \t\tstrip-ansi@^6.0.0\n \t\twrap-ansi@^7.0.0\n \t8.0.1\n \t\tstring-width@^4.2.0\n \t\tstrip-ansi@^6.0.1\n \t\twrap-ansi@^7.0.0\n clone\n \t2.1.2\n clone-buffer\n \t1.0.0\n clone-stats\n \t1.0.0\n cloneable-readable\n \t1.1.2\n \t\tinherits@^2.0.1\n \t\tprocess-nextick-args@^2.0.0\n \t\treadable-stream@^2.3.5\n \t1.1.3\n \t\tinherits@^2.0.1\n \t\tprocess-nextick-args@^2.0.0\n \t\treadable-stream@^2.3.5\n co\n \t4.6.0\n code-point-at\n \t1.1.0\n color-convert\n \t1.9.3\n \t\tcolor-name@1.1.3\n \t2.0.1\n \t\tcolor-name@~1.1.4\n color-name\n \t1.1.3\n \t1.1.4\n color-support\n \t1.1.3\n colorette\n \t1.4.0\n combined-stream\n \t1.0.7\n \t\tdelayed-stream@~1.0.0\n \t1.0.8\n \t\tdelayed-stream@~1.0.0\n commander\n \t0.6.1\n \t2.3.0\n \t2.15.1\n \t2.17.1\n \t2.20.0\n \t2.20.3\n commondir\n \t1.0.1\n concat-map\n \t0.0.1\n concat-stream\n \t1.6.2\n \t\tbuffer-from@^1.0.0\n \t\tinherits@^2.0.3\n \t\treadable-stream@^2.2.2\n \t\ttypedarray@^0.0.6\n console-log-level\n \t1.4.1\n content-disposition\n \t0.5.2\n convert-source-map\n \t1.6.0\n \t\tsafe-buffer@~5.1.1\n \t2.0.0\n core-js\n \t3.6.5\n \t3.46.0\n core-js-compat\n \t3.2.1\n \t\tbrowserslist@^4.6.6\n \t\tsemver@^6.3.0\n \t3.46.0\n \t\tbrowserslist@^4.26.3\n core-util-is\n \t1.0.2\n \t1.0.3\n cross-spawn\n \t5.0.1\n \t\tlru-cache@^4.0.1\n \t\tshebang-command@^1.2.0\n \t\twhich@^1.2.9\n \t5.1.0\n \t\tlru-cache@^4.0.1\n \t\tshebang-command@^1.2.0\n \t\twhich@^1.2.9\n \t6.0.5\n \t\tnice-try@^1.0.4\n \t\tpath-key@^2.0.1\n \t\tsemver@^5.5.0\n \t\tshebang-command@^1.2.0\n \t\twhich@^1.2.9\n \t6.0.6\n \t\tnice-try@^1.0.4\n \t\tpath-key@^2.0.1\n \t\tsemver@^5.5.0\n \t\tshebang-command@^1.2.0\n \t\twhich@^1.2.9\n \t7.0.6\n \t\tpath-key@^3.1.0\n \t\tshebang-command@^2.0.0\n \t\twhich@^2.0.1\n cssom\n \t0.3.4\n \t0.3.8\n \t0.4.1\n \t0.4.4\n cssstyle\n \t1.1.1\n \t\tcssom@0.3.x\n \t1.4.0\n \t\tcssom@0.3.x\n \t2.0.0\n \t\tcssom@~0.3.6\n \t2.3.0\n \t\tcssom@~0.3.6\n custom-event-polyfill\n \t1.0.7\n dashdash\n \t1.14.1\n \t\tassert-plus@^1.0.0\n dat.gui\n \t0.7.3\n \t0.7.9\n data-urls\n \t1.0.1\n \t\tabab@^2.0.0\n \t\twhatwg-mimetype@^2.1.0\n \t\twhatwg-url@^7.0.0\n \t1.1.0\n \t\tabab@^2.0.0\n \t\twhatwg-mimetype@^2.2.0\n \t\twhatwg-url@^7.0.0\n data-view-buffer\n \t1.0.2\n \t\tcall-bound@^1.0.3\n \t\tes-errors@^1.3.0\n \t\tis-data-view@^1.0.2\n data-view-byte-length\n \t1.0.2\n \t\tcall-bound@^1.0.3\n \t\tes-errors@^1.3.0\n \t\tis-data-view@^1.0.2\n data-view-byte-offset\n \t1.0.1\n \t\tcall-bound@^1.0.2\n \t\tes-errors@^1.3.0\n \t\tis-data-view@^1.0.1\n debug\n \t2.2.0\n \t\tms@0.7.1\n \t2.6.9\n \t\tms@2.0.0\n \t3.1.0\n \t\tms@2.0.0\n \t3.2.6\n \t\tms@^2.1.1\n \t3.2.7\n \t\tms@^2.1.1\n \t4.3.1\n \t\tms@2.1.2\n \t4.3.3\n \t\tms@2.1.2\n \t4.4.3\n \t\tms@^2.1.3\n decamelize\n \t1.2.0\n \t2.0.0\n \t\txregexp@4.0.0\n \t4.0.0\n deep-eql\n \t3.0.1\n \t\ttype-detect@^4.0.0\n \t4.1.4\n \t\ttype-detect@^4.0.0\n deep-is\n \t0.1.3\n \t0.1.4\n deepmerge\n \t4.2.2\n \t4.3.1\n define-data-property\n \t1.1.4\n \t\tes-define-property@^1.0.0\n \t\tes-errors@^1.3.0\n \t\tgopd@^1.0.1\n define-properties\n \t1.1.3\n \t\tobject-keys@^1.0.12\n \t1.2.1\n \t\tdefine-data-property@^1.0.1\n \t\thas-property-descriptors@^1.0.0\n \t\tobject-keys@^1.1.1\n delayed-stream\n \t1.0.0\n detect-libc\n \t1.0.3\n dhost\n \t0.1.9\n \t\tbytes@^3.1.0\n \t\tchalk@^2.4.2\n \t\tclipboardy@^1.2.3\n \t\the@^1.2.0\n \t\tmime@^2.4.0\n \t\tmri@^1.1.4\n \t0.3.5\n \t\tasync-transforms@^1.0.7\n \t\tbytes@^3.1.0\n \t\tcolorette@^1.2.1\n \t\tesm-resolve@^1.0.4\n \t\tgumnut@^0.3.8\n \t\the@^1.2.0\n \t\tmime@^2.5.2\n \t\tmri@^1.1.6\n diff\n \t1.4.0\n \t3.5.0\n \t5.0.0\n \t5.2.0\n dom-storage\n \t2.1.0\n domexception\n \t1.0.1\n \t\twebidl-conversions@^4.0.2\n dunder-proto\n \t1.0.1\n \t\tcall-bind-apply-helpers@^1.0.1\n \t\tes-errors@^1.3.0\n \t\tgopd@^1.2.0\n duplexify\n \t4.1.2\n \t\tend-of-stream@^1.4.1\n \t\tinherits@^2.0.3\n \t\treadable-stream@^3.1.1\n \t\tstream-shift@^1.0.0\n \t4.1.3\n \t\tend-of-stream@^1.4.1\n \t\tinherits@^2.0.3\n \t\treadable-stream@^3.1.1\n \t\tstream-shift@^1.0.2\n eastasianwidth\n \t0.2.0\n ecc-jsbn\n \t0.1.2\n \t\tjsbn@~0.1.0\n \t\tsafer-buffer@^2.1.0\n ecdsa-sig-formatter\n \t1.0.11\n \t\tsafe-buffer@^5.0.1\n electron-to-chromium\n \t1.3.81\n \t1.3.264\n \t1.5.244\n \t1.5.245\n emoji-regex\n \t7.0.3\n \t8.0.0\n \t9.2.2\n end-of-stream\n \t1.4.1\n \t\tonce@^1.4.0\n \t1.4.5\n \t\tonce@^1.4.0\n ent\n \t2.2.0\n \t2.2.2\n \t\tcall-bound@^1.0.3\n \t\tes-errors@^1.3.0\n \t\tpunycode@^1.4.1\n \t\tsafe-regex-test@^1.1.0\n entities\n \t4.5.0\n es-abstract\n \t1.24.0\n \t\tarray-buffer-byte-length@^1.0.2\n \t\tarraybuffer.prototype.slice@^1.0.4\n \t\tavailable-typed-arrays@^1.0.7\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.4\n \t\tdata-view-buffer@^1.0.2\n \t\tdata-view-byte-length@^1.0.2\n \t\tdata-view-byte-offset@^1.0.1\n \t\tes-define-property@^1.0.1\n \t\tes-errors@^1.3.0\n \t\tes-object-atoms@^1.1.1\n \t\tes-set-tostringtag@^2.1.0\n \t\tes-to-primitive@^1.3.0\n \t\tfunction.prototype.name@^1.1.8\n \t\tget-intrinsic@^1.3.0\n \t\tget-proto@^1.0.1\n \t\tget-symbol-description@^1.1.0\n \t\tglobalthis@^1.0.4\n \t\tgopd@^1.2.0\n \t\thas-property-descriptors@^1.0.2\n \t\thas-proto@^1.2.0\n \t\thas-symbols@^1.1.0\n \t\thasown@^2.0.2\n \t\tinternal-slot@^1.1.0\n \t\tis-array-buffer@^3.0.5\n \t\tis-callable@^1.2.7\n \t\tis-data-view@^1.0.2\n \t\tis-negative-zero@^2.0.3\n \t\tis-regex@^1.2.1\n \t\tis-set@^2.0.3\n \t\tis-shared-array-buffer@^1.0.4\n \t\tis-string@^1.1.1\n \t\tis-typed-array@^1.1.15\n \t\tis-weakref@^1.1.1\n \t\tmath-intrinsics@^1.1.0\n \t\tobject-inspect@^1.13.4\n \t\tobject-keys@^1.1.1\n \t\tobject.assign@^4.1.7\n \t\town-keys@^1.0.1\n \t\tregexp.prototype.flags@^1.5.4\n \t\tsafe-array-concat@^1.1.3\n \t\tsafe-push-apply@^1.0.0\n \t\tsafe-regex-test@^1.1.0\n \t\tset-proto@^1.0.0\n \t\tstop-iteration-iterator@^1.1.0\n \t\tstring.prototype.trim@^1.2.10\n \t\tstring.prototype.trimend@^1.0.9\n \t\tstring.prototype.trimstart@^1.0.8\n \t\ttyped-array-buffer@^1.0.3\n \t\ttyped-array-byte-length@^1.0.3\n \t\ttyped-array-byte-offset@^1.0.4\n \t\ttyped-array-length@^1.0.7\n \t\tunbox-primitive@^1.1.0\n \t\twhich-typed-array@^1.1.19\n es-array-method-boxes-properly\n \t1.0.0\n es-define-property\n \t1.0.1\n es-errors\n \t1.3.0\n es-object-atoms\n \t1.1.1\n \t\tes-errors@^1.3.0\n es-set-tostringtag\n \t2.1.0\n \t\tes-errors@^1.3.0\n \t\tget-intrinsic@^1.2.6\n \t\thas-tostringtag@^1.0.2\n \t\thasown@^2.0.2\n es-to-primitive\n \t1.3.0\n \t\tis-callable@^1.2.7\n \t\tis-date-object@^1.0.5\n \t\tis-symbol@^1.0.4\n es6-promise\n \t4.2.8\n es6-promisify\n \t5.0.0\n \t\tes6-promise@^4.0.3\n escalade\n \t3.1.1\n \t3.2.0\n escape-string-regexp\n \t1.0.2\n \t1.0.5\n \t2.0.0\n \t4.0.0\n escodegen\n \t1.11.0\n \t\tesprima@^3.1.3\n \t\testraverse@^4.2.0\n \t\tesutils@^2.0.2\n \t\toptionator@^0.8.1\n \t\tOpt|source-map@~0.6.1\n \t\tsource-map@~0.6.1\n \t1.12.0\n \t\tesprima@^3.1.3\n \t\testraverse@^4.2.0\n \t\tesutils@^2.0.2\n \t\toptionator@^0.8.1\n \t\tOpt|source-map@~0.6.1\n \t\tsource-map@~0.6.1\n \t1.14.3\n \t\tesprima@^4.0.1\n \t\testraverse@^4.2.0\n \t\tesutils@^2.0.2\n \t\toptionator@^0.8.1\n \t\tOpt|source-map@~0.6.1\n \t\tsource-map@~0.6.1\n eslint-visitor-keys\n \t3.4.3\n esm-resolve\n \t1.0.6\n \t1.0.11\n espree\n \t9.6.1\n \t\tacorn@^8.9.0\n \t\tacorn-jsx@^5.3.2\n \t\teslint-visitor-keys@^3.4.1\n esprima\n \t3.1.3\n \t4.0.1\n estraverse\n \t4.2.0\n \t4.3.0\n \t5.3.0\n estree-walker\n \t1.0.1\n \t2.0.2\n esutils\n \t2.0.2\n \t2.0.3\n event-target\n \t1.2.3\n event-target-shim\n \t5.0.1\n execa\n \t0.8.0\n \t\tcross-spawn@^5.0.1\n \t\tget-stream@^3.0.0\n \t\tis-stream@^1.1.0\n \t\tnpm-run-path@^2.0.0\n \t\tp-finally@^1.0.0\n \t\tsignal-exit@^3.0.0\n \t\tstrip-eof@^1.0.0\n \t0.10.0\n \t\tcross-spawn@^6.0.0\n \t\tget-stream@^3.0.0\n \t\tis-stream@^1.1.0\n \t\tnpm-run-path@^2.0.0\n \t\tp-finally@^1.0.0\n \t\tsignal-exit@^3.0.0\n \t\tstrip-eof@^1.0.0\n \t1.0.0\n \t\tcross-spawn@^6.0.0\n \t\tget-stream@^4.0.0\n \t\tis-stream@^1.1.0\n \t\tnpm-run-path@^2.0.0\n \t\tp-finally@^1.0.0\n \t\tsignal-exit@^3.0.0\n \t\tstrip-eof@^1.0.0\n extend\n \t3.0.2\n extract-zip\n \t1.7.0\n \t\tconcat-stream@^1.6.2\n \t\tdebug@^2.6.9\n \t\tmkdirp@^0.5.4\n \t\tyauzl@^2.10.0\n extsprintf\n \t1.3.0\n \t1.4.0\n fancy-log\n \t1.3.2\n \t\tansi-gray@^0.1.1\n \t\tcolor-support@^1.1.3\n \t\ttime-stamp@^1.0.0\n \t1.3.3\n \t\tansi-gray@^0.1.1\n \t\tcolor-support@^1.1.3\n \t\tparse-node-version@^1.0.0\n \t\ttime-stamp@^1.0.0\n fast-async\n \t6.3.8\n \t\tnodent-compiler@^3.2.10\n \t\tnodent-runtime@>=3.2.1\n fast-deep-equal\n \t1.1.0\n \t3.1.3\n fast-json-stable-stringify\n \t2.0.0\n \t2.1.0\n fast-levenshtein\n \t2.0.6\n fast-text-encoding\n \t1.0.3\n \t1.0.6\n fast-url-parser\n \t1.1.3\n \t\tpunycode@^1.3.2\n faye-websocket\n \t0.11.3\n \t\twebsocket-driver@>=0.5.1\n \t0.11.4\n \t\twebsocket-driver@>=0.5.1\n fd-slicer\n \t1.1.0\n \t\tpend@~1.2.0\n fill-range\n \t7.0.1\n \t\tto-regex-range@^5.0.1\n \t7.1.1\n \t\tto-regex-range@^5.0.1\n find-up\n \t3.0.0\n \t\tlocate-path@^3.0.0\n \t5.0.0\n \t\tlocate-path@^6.0.0\n \t\tpath-exists@^4.0.0\n firebase\n \t8.10.0\n \t\t@firebase/analytics@0.6.18\n \t\t@firebase/app@0.6.30\n \t\t@firebase/app-check@0.3.2\n \t\t@firebase/app-types@0.6.3\n \t\t@firebase/auth@0.16.8\n \t\t@firebase/database@0.11.0\n \t\t@firebase/firestore@2.4.0\n \t\t@firebase/functions@0.6.15\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/messaging@0.8.0\n \t\t@firebase/performance@0.4.18\n \t\t@firebase/polyfill@0.3.36\n \t\t@firebase/remote-config@0.1.43\n \t\t@firebase/storage@0.7.0\n \t\t@firebase/util@1.3.0\n \t8.10.1\n \t\t@firebase/analytics@0.6.18\n \t\t@firebase/app@0.6.30\n \t\t@firebase/app-check@0.3.2\n \t\t@firebase/app-types@0.6.3\n \t\t@firebase/auth@0.16.8\n \t\t@firebase/database@0.11.0\n \t\t@firebase/firestore@2.4.1\n \t\t@firebase/functions@0.6.16\n \t\t@firebase/installations@0.4.32\n \t\t@firebase/messaging@0.8.0\n \t\t@firebase/performance@0.4.18\n \t\t@firebase/polyfill@0.3.36\n \t\t@firebase/remote-config@0.1.43\n \t\t@firebase/storage@0.7.1\n \t\t@firebase/util@1.3.0\n \t9.23.0\n \t\t@firebase/analytics@0.10.0\n \t\t@firebase/analytics-compat@0.2.6\n \t\t@firebase/app@0.9.13\n \t\t@firebase/app-check@0.8.0\n \t\t@firebase/app-check-compat@0.3.7\n \t\t@firebase/app-compat@0.2.13\n \t\t@firebase/app-types@0.9.0\n \t\t@firebase/auth@0.23.2\n \t\t@firebase/auth-compat@0.4.2\n \t\t@firebase/database@0.14.4\n \t\t@firebase/database-compat@0.3.4\n \t\t@firebase/firestore@3.13.0\n \t\t@firebase/firestore-compat@0.3.12\n \t\t@firebase/functions@0.10.0\n \t\t@firebase/functions-compat@0.3.5\n \t\t@firebase/installations@0.6.4\n \t\t@firebase/installations-compat@0.2.4\n \t\t@firebase/messaging@0.12.4\n \t\t@firebase/messaging-compat@0.2.4\n \t\t@firebase/performance@0.6.4\n \t\t@firebase/performance-compat@0.2.4\n \t\t@firebase/remote-config@0.4.4\n \t\t@firebase/remote-config-compat@0.2.4\n \t\t@firebase/storage@0.11.2\n \t\t@firebase/storage-compat@0.3.2\n \t\t@firebase/util@1.9.3\n \t10.14.1\n \t\t@firebase/analytics@0.10.8\n \t\t@firebase/analytics-compat@0.2.14\n \t\t@firebase/app@0.10.13\n \t\t@firebase/app-check@0.8.8\n \t\t@firebase/app-check-compat@0.3.15\n \t\t@firebase/app-compat@0.2.43\n \t\t@firebase/app-types@0.9.2\n \t\t@firebase/auth@1.7.9\n \t\t@firebase/auth-compat@0.5.14\n \t\t@firebase/data-connect@0.1.0\n \t\t@firebase/database@1.0.8\n \t\t@firebase/database-compat@1.0.8\n \t\t@firebase/firestore@4.7.3\n \t\t@firebase/firestore-compat@0.3.38\n \t\t@firebase/functions@0.11.8\n \t\t@firebase/functions-compat@0.3.14\n \t\t@firebase/installations@0.6.9\n \t\t@firebase/installations-compat@0.2.9\n \t\t@firebase/messaging@0.12.12\n \t\t@firebase/messaging-compat@0.2.12\n \t\t@firebase/performance@0.6.9\n \t\t@firebase/performance-compat@0.2.9\n \t\t@firebase/remote-config@0.4.9\n \t\t@firebase/remote-config-compat@0.2.9\n \t\t@firebase/storage@0.13.2\n \t\t@firebase/storage-compat@0.3.12\n \t\t@firebase/util@1.10.0\n \t\t@firebase/vertexai-preview@0.0.4\n \t11.10.0\n \t\t@firebase/ai@1.4.1\n \t\t@firebase/analytics@0.10.17\n \t\t@firebase/analytics-compat@0.2.23\n \t\t@firebase/app@0.13.2\n \t\t@firebase/app-check@0.10.1\n \t\t@firebase/app-check-compat@0.3.26\n \t\t@firebase/app-compat@0.4.2\n \t\t@firebase/app-types@0.9.3\n \t\t@firebase/auth@1.10.8\n \t\t@firebase/auth-compat@0.5.28\n \t\t@firebase/data-connect@0.3.10\n \t\t@firebase/database@1.0.20\n \t\t@firebase/database-compat@2.0.11\n \t\t@firebase/firestore@4.8.0\n \t\t@firebase/firestore-compat@0.3.53\n \t\t@firebase/functions@0.12.9\n \t\t@firebase/functions-compat@0.3.26\n \t\t@firebase/installations@0.6.18\n \t\t@firebase/installations-compat@0.2.18\n \t\t@firebase/messaging@0.12.22\n \t\t@firebase/messaging-compat@0.2.22\n \t\t@firebase/performance@0.7.7\n \t\t@firebase/performance-compat@0.2.20\n \t\t@firebase/remote-config@0.6.5\n \t\t@firebase/remote-config-compat@0.2.18\n \t\t@firebase/storage@0.13.14\n \t\t@firebase/storage-compat@0.3.24\n \t\t@firebase/util@1.12.1\n flat\n \t4.1.1\n \t\tis-buffer@~2.0.3\n \t5.0.2\n for-each\n \t0.3.5\n \t\tis-callable@^1.2.7\n foreground-child\n \t3.3.1\n \t\tcross-spawn@^7.0.6\n \t\tsignal-exit@^4.0.1\n forever-agent\n \t0.6.1\n form-data\n \t2.3.2\n \t\tasynckit@^0.4.0\n \t\tcombined-stream@1.0.6\n \t\tmime-types@^2.1.12\n \t2.3.3\n \t\tasynckit@^0.4.0\n \t\tcombined-stream@^1.0.6\n \t\tmime-types@^2.1.12\n \t2.5.5\n \t\tasynckit@^0.4.0\n \t\tcombined-stream@^1.0.8\n \t\tes-set-tostringtag@^2.1.0\n \t\thasown@^2.0.2\n \t\tmime-types@^2.1.35\n \t\tsafe-buffer@^5.2.1\n formatio\n \t1.1.1\n \t\tsamsam@~1.1\n fraction.js\n \t4.3.7\n fs.realpath\n \t1.0.0\n fsevents\n \t2.1.3\n \t2.3.2\n \t2.3.3\n function-bind\n \t1.1.1\n \t1.1.2\n function.prototype.name\n \t1.1.8\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.3\n \t\tdefine-properties@^1.2.1\n \t\tfunctions-have-names@^1.2.3\n \t\thasown@^2.0.2\n \t\tis-callable@^1.2.7\n functions-have-names\n \t1.2.3\n gaxios\n \t4.3.2\n \t\tabort-controller@^3.0.0\n \t\textend@^3.0.2\n \t\thttps-proxy-agent@^5.0.0\n \t\tis-stream@^2.0.0\n \t\tnode-fetch@^2.6.1\n \t4.3.3\n \t\tabort-controller@^3.0.0\n \t\textend@^3.0.2\n \t\thttps-proxy-agent@^5.0.0\n \t\tis-stream@^2.0.0\n \t\tnode-fetch@^2.6.7\n \t5.1.3\n \t\textend@^3.0.2\n \t\thttps-proxy-agent@^5.0.0\n \t\tis-stream@^2.0.0\n \t\tnode-fetch@^2.6.9\n \t6.7.1\n \t\textend@^3.0.2\n \t\thttps-proxy-agent@^7.0.1\n \t\tis-stream@^2.0.0\n \t\tnode-fetch@^2.6.9\n \t\tuuid@^9.0.1\n gcp-metadata\n \t4.3.1\n \t\tgaxios@^4.0.0\n \t\tjson-bigint@^1.0.0\n \t5.3.0\n \t\tgaxios@^5.0.0\n \t\tjson-bigint@^1.0.0\n \t6.1.1\n \t\tgaxios@^6.1.1\n \t\tgoogle-logging-utils@^0.0.2\n \t\tjson-bigint@^1.0.0\n generator-function\n \t2.0.1\n gensync\n \t1.0.0-beta.2\n get-caller-file\n \t1.0.3\n \t2.0.5\n get-func-name\n \t2.0.0\n \t2.0.2\n get-intrinsic\n \t1.3.1\n \t\tasync-function@^1.0.0\n \t\tasync-generator-function@^1.0.0\n \t\tcall-bind-apply-helpers@^1.0.2\n \t\tes-define-property@^1.0.1\n \t\tes-errors@^1.3.0\n \t\tes-object-atoms@^1.1.1\n \t\tfunction-bind@^1.1.2\n \t\tgenerator-function@^2.0.0\n \t\tget-proto@^1.0.1\n \t\tgopd@^1.2.0\n \t\thas-symbols@^1.1.0\n \t\thasown@^2.0.2\n \t\tmath-intrinsics@^1.1.0\n get-proto\n \t1.0.1\n \t\tdunder-proto@^1.0.1\n \t\tes-object-atoms@^1.0.0\n get-stream\n \t3.0.0\n \t4.1.0\n \t\tpump@^3.0.0\n get-symbol-description\n \t1.1.0\n \t\tcall-bound@^1.0.3\n \t\tes-errors@^1.3.0\n \t\tget-intrinsic@^1.2.6\n getpass\n \t0.1.7\n \t\tassert-plus@^1.0.0\n git-last-commit\n \t1.0.1\n glob\n \t3.2.11\n \t\tinherits@2\n \t\tminimatch@0.3\n \t7.1.2\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^3.0.4\n \t\tonce@^1.3.0\n \t\tpath-is-absolute@^1.0.0\n \t7.1.3\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^3.0.4\n \t\tonce@^1.3.0\n \t\tpath-is-absolute@^1.0.0\n \t7.1.6\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^3.0.4\n \t\tonce@^1.3.0\n \t\tpath-is-absolute@^1.0.0\n \t7.2.0\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^3.0.4\n \t\tonce@^1.3.0\n \t\tpath-is-absolute@^1.0.0\n \t7.2.3\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^3.1.1\n \t\tonce@^1.3.0\n \t\tpath-is-absolute@^1.0.0\n \t8.1.0\n \t\tfs.realpath@^1.0.0\n \t\tinflight@^1.0.4\n \t\tinherits@2\n \t\tminimatch@^5.0.1\n \t\tonce@^1.3.0\n \t11.0.3\n \t\tforeground-child@^3.3.1\n \t\tjackspeak@^4.1.1\n \t\tminimatch@^10.0.3\n \t\tminipass@^7.1.2\n \t\tpackage-json-from-dist@^1.0.0\n \t\tpath-scurry@^2.0.0\n glob-parent\n \t5.0.0\n \t\tis-glob@^4.0.1\n \t5.1.2\n \t\tis-glob@^4.0.1\n glob-slash\n \t1.0.0\n glob-slasher\n \t1.0.1\n \t\tglob-slash@^1.0.0\n \t\tlodash.isobject@^2.4.1\n \t\ttoxic@^1.0.0\n globals\n \t11.8.0\n globalthis\n \t1.0.4\n \t\tdefine-properties@^1.2.1\n \t\tgopd@^1.0.1\n google-auth-library\n \t7.10.1\n \t\tarrify@^2.0.0\n \t\tbase64-js@^1.3.0\n \t\tecdsa-sig-formatter@^1.0.11\n \t\tfast-text-encoding@^1.0.0\n \t\tgaxios@^4.0.0\n \t\tgcp-metadata@^4.2.0\n \t\tgtoken@^5.0.4\n \t\tjws@^4.0.0\n \t\tlru-cache@^6.0.0\n \t7.14.1\n \t\tarrify@^2.0.0\n \t\tbase64-js@^1.3.0\n \t\tecdsa-sig-formatter@^1.0.11\n \t\tfast-text-encoding@^1.0.0\n \t\tgaxios@^4.0.0\n \t\tgcp-metadata@^4.2.0\n \t\tgtoken@^5.0.4\n \t\tjws@^4.0.0\n \t\tlru-cache@^6.0.0\n \t8.9.0\n \t\tarrify@^2.0.0\n \t\tbase64-js@^1.3.0\n \t\tecdsa-sig-formatter@^1.0.11\n \t\tfast-text-encoding@^1.0.0\n \t\tgaxios@^5.0.0\n \t\tgcp-metadata@^5.3.0\n \t\tgtoken@^6.1.0\n \t\tjws@^4.0.0\n \t\tlru-cache@^6.0.0\n \t9.15.1\n \t\tbase64-js@^1.3.0\n \t\tecdsa-sig-formatter@^1.0.11\n \t\tgaxios@^6.1.1\n \t\tgcp-metadata@^6.1.0\n \t\tgtoken@^7.0.0\n \t\tjws@^4.0.0\n google-closure-compiler\n \t20190909.0.0\n \t\tchalk@2.x\n \t\tgoogle-closure-compiler-java@^20190909.0.0\n \t\tgoogle-closure-compiler-js@^20190909.0.0\n \t\tgoogle-closure-compiler-linux@^20190909.0.0\n \t\tOpt|google-closure-compiler-linux@^20190909.0.0\n \t\tgoogle-closure-compiler-osx@^20190909.0.0\n \t\tOpt|google-closure-compiler-osx@^20190909.0.0\n \t\tgoogle-closure-compiler-windows@^20190909.0.0\n \t\tOpt|google-closure-compiler-windows@^20190909.0.0\n \t\tminimist@1.x\n \t\tvinyl@2.x\n \t\tvinyl-sourcemaps-apply@^0.2.0\n google-closure-compiler-java\n \t20190909.0.0\n google-closure-compiler-js\n \t20190909.0.0\n google-closure-compiler-linux\n \t20190909.0.0\n google-closure-compiler-osx\n \t20190909.0.0\n google-closure-compiler-windows\n \t20190909.0.0\n google-closure-library\n \t20190909.0.0\n \t20190929.0.0\n \t20191027.0.1\n \t\tpromises-aplus-tests@^2.1.2\n \t20191111.0.0\n \t\tpromises-aplus-tests@^2.1.2\n \t20200101.0.0\n \t\tpromises-aplus-tests@^2.1.2\n \t20200112.0.0\n \t\tpromises-aplus-tests@^2.1.2\n \t20200204.0.0\n \t20200224.0.0\n \t20200315.0.0\n google-gax\n \t2.28.0\n \t\t@grpc/grpc-js@~1.4.0\n \t\t@grpc/proto-loader@^0.6.1\n \t\t@types/long@^4.0.0\n \t\tabort-controller@^3.0.0\n \t\tduplexify@^4.0.0\n \t\tfast-text-encoding@^1.0.3\n \t\tgoogle-auth-library@^7.6.1\n \t\tis-stream-ended@^0.1.4\n \t\tnode-fetch@^2.6.1\n \t\tobject-hash@^2.1.1\n \t\tproto3-json-serializer@^0.1.1\n \t\tprotobufjs@6.11.2\n \t\tretry-request@^4.0.0\n \t2.30.5\n \t\t@grpc/grpc-js@~1.6.0\n \t\t@grpc/proto-loader@^0.6.12\n \t\t@types/long@^4.0.0\n \t\tabort-controller@^3.0.0\n \t\tduplexify@^4.0.0\n \t\tfast-text-encoding@^1.0.3\n \t\tgoogle-auth-library@^7.14.0\n \t\tis-stream-ended@^0.1.4\n \t\tnode-fetch@^2.6.1\n \t\tobject-hash@^3.0.0\n \t\tproto3-json-serializer@^0.1.8\n \t\tprotobufjs@6.11.3\n \t\tretry-request@^4.0.0\n \t3.6.1\n \t\t@grpc/grpc-js@~1.8.0\n \t\t@grpc/proto-loader@^0.7.0\n \t\t@types/long@^4.0.0\n \t\t@types/rimraf@^3.0.2\n \t\tabort-controller@^3.0.0\n \t\tduplexify@^4.0.0\n \t\tfast-text-encoding@^1.0.3\n \t\tgoogle-auth-library@^8.0.2\n \t\tis-stream-ended@^0.1.4\n \t\tnode-fetch@^2.6.1\n \t\tobject-hash@^3.0.0\n \t\tproto3-json-serializer@^1.0.0\n \t\tprotobufjs@7.2.4\n \t\tprotobufjs-cli@1.1.1\n \t\tretry-request@^5.0.0\n \t4.6.1\n \t\t@grpc/grpc-js@^1.10.9\n \t\t@grpc/proto-loader@^0.7.13\n \t\t@types/long@^4.0.0\n \t\tabort-controller@^3.0.0\n \t\tduplexify@^4.0.0\n \t\tgoogle-auth-library@^9.3.0\n \t\tnode-fetch@^2.7.0\n \t\tobject-hash@^3.0.0\n \t\tproto3-json-serializer@^2.0.2\n \t\tprotobufjs@^7.3.2\n \t\tretry-request@^7.0.0\n \t\tuuid@^9.0.1\n google-logging-utils\n \t0.0.2\n google-p12-pem\n \t3.1.2\n \t\tnode-forge@^0.10.0\n \t3.1.4\n \t\tnode-forge@^1.3.1\n \t4.0.1\n \t\tnode-forge@^1.3.1\n gopd\n \t1.2.0\n graceful-fs\n \t4.2.11\n growl\n \t1.9.2\n \t1.10.5\n gtoken\n \t5.3.1\n \t\tgaxios@^4.0.0\n \t\tgoogle-p12-pem@^3.0.3\n \t\tjws@^4.0.0\n \t5.3.2\n \t\tgaxios@^4.0.0\n \t\tgoogle-p12-pem@^3.1.3\n \t\tjws@^4.0.0\n \t6.1.2\n \t\tgaxios@^5.0.1\n \t\tgoogle-p12-pem@^4.0.0\n \t\tjws@^4.0.0\n \t7.1.0\n \t\tgaxios@^6.0.0\n \t\tjws@^4.0.0\n gumnut\n \t0.3.9\n har-schema\n \t2.0.0\n har-validator\n \t5.1.0\n \t\tajv@^5.3.0\n \t\thar-schema@^2.0.0\n \t5.1.5\n \t\tajv@^6.12.3\n \t\thar-schema@^2.0.0\n has\n \t1.0.3\n \t\tfunction-bind@^1.1.1\n has-bigints\n \t1.1.0\n has-flag\n \t3.0.0\n \t4.0.0\n has-property-descriptors\n \t1.0.2\n \t\tes-define-property@^1.0.0\n has-proto\n \t1.2.0\n \t\tdunder-proto@^1.0.0\n has-symbols\n \t1.0.0\n \t1.1.0\n has-tostringtag\n \t1.0.2\n \t\thas-symbols@^1.0.3\n hasown\n \t2.0.2\n \t\tfunction-bind@^1.1.2\n he\n \t1.1.1\n \t1.2.0\n html-encoding-sniffer\n \t1.0.2\n \t\twhatwg-encoding@^1.0.1\n html-entities\n \t1.2.1\n \t1.4.0\n html-minifier\n \t4.0.0\n \t\tcamel-case@^3.0.0\n \t\tclean-css@^4.2.1\n \t\tcommander@^2.19.0\n \t\the@^1.2.0\n \t\tparam-case@^2.1.1\n \t\trelateurl@^0.2.7\n \t\tuglify-js@^3.5.1\n html-modules-polyfill\n \t0.1.0\n \t\tjsdom@^15.1.1\n \t\trollup@^1.19.4\n http-parser-js\n \t0.5.3\n \t0.5.10\n http-proxy-agent\n \t5.0.0\n \t\t@tootallnate/once@2\n \t\tagent-base@6\n \t\tdebug@4\n http-signature\n \t1.2.0\n \t\tassert-plus@^1.0.0\n \t\tjsprim@^1.2.2\n \t\tsshpk@^1.7.0\n https-proxy-agent\n \t2.2.4\n \t\tagent-base@^4.3.0\n \t\tdebug@^3.1.0\n \t5.0.0\n \t\tagent-base@6\n \t\tdebug@4\n \t5.0.1\n \t\tagent-base@6\n \t\tdebug@4\n \t7.0.6\n \t\tagent-base@^7.1.2\n \t\tdebug@4\n iconv-lite\n \t0.4.24\n \t\tsafer-buffer@>= 2.1.2 < 3\n idb\n \t3.0.2\n \t7.0.1\n \t7.1.1\n iframe-load\n \t0.1.4\n immutable\n \t5.1.4\n inflight\n \t1.0.6\n \t\tonce@^1.3.0\n \t\twrappy@1\n inherits\n \t2.0.3\n \t2.0.4\n internal-slot\n \t1.1.0\n \t\tes-errors@^1.3.0\n \t\thasown@^2.0.2\n \t\tside-channel@^1.1.0\n invariant\n \t2.2.4\n \t\tloose-envify@^1.0.0\n invert-kv\n \t2.0.0\n ip-regex\n \t2.1.0\n is-arguments\n \t1.2.0\n \t\tcall-bound@^1.0.2\n \t\thas-tostringtag@^1.0.2\n is-array-buffer\n \t3.0.5\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.3\n \t\tget-intrinsic@^1.2.6\n is-async-function\n \t2.1.1\n \t\tasync-function@^1.0.0\n \t\tcall-bound@^1.0.3\n \t\tget-proto@^1.0.1\n \t\thas-tostringtag@^1.0.2\n \t\tsafe-regex-test@^1.1.0\n is-bigint\n \t1.1.0\n \t\thas-bigints@^1.0.2\n is-binary-path\n \t2.1.0\n \t\tbinary-extensions@^2.0.0\n is-boolean-object\n \t1.2.2\n \t\tcall-bound@^1.0.3\n \t\thas-tostringtag@^1.0.2\n is-buffer\n \t2.0.5\n is-builtin-module\n \t3.2.1\n \t\tbuiltin-modules@^3.3.0\n is-callable\n \t1.2.7\n is-core-module\n \t2.8.0\n \t\thas@^1.0.3\n \t2.16.1\n \t\thasown@^2.0.2\n is-data-view\n \t1.0.2\n \t\tcall-bound@^1.0.2\n \t\tget-intrinsic@^1.2.6\n \t\tis-typed-array@^1.1.13\n is-date-object\n \t1.1.0\n \t\tcall-bound@^1.0.2\n \t\thas-tostringtag@^1.0.2\n is-docker\n \t2.2.1\n is-extglob\n \t2.1.1\n is-finalizationregistry\n \t1.1.1\n \t\tcall-bound@^1.0.3\n is-fullwidth-code-point\n \t1.0.0\n \t\tnumber-is-nan@^1.0.0\n \t2.0.0\n \t3.0.0\n is-generator-function\n \t1.1.2\n \t\tcall-bound@^1.0.4\n \t\tgenerator-function@^2.0.0\n \t\tget-proto@^1.0.1\n \t\thas-tostringtag@^1.0.2\n \t\tsafe-regex-test@^1.1.0\n is-glob\n \t4.0.1\n \t\tis-extglob@^2.1.1\n \t4.0.3\n \t\tis-extglob@^2.1.1\n is-map\n \t2.0.3\n is-module\n \t1.0.0\n is-negative-zero\n \t2.0.3\n is-number\n \t7.0.0\n is-number-object\n \t1.1.1\n \t\tcall-bound@^1.0.3\n \t\thas-tostringtag@^1.0.2\n is-plain-obj\n \t2.1.0\n is-reference\n \t1.2.1\n \t\t@types/estree@*\n is-regex\n \t1.2.1\n \t\tcall-bound@^1.0.2\n \t\tgopd@^1.2.0\n \t\thas-tostringtag@^1.0.2\n \t\thasown@^2.0.2\n is-set\n \t2.0.3\n is-shared-array-buffer\n \t1.0.4\n \t\tcall-bound@^1.0.3\n is-stream\n \t1.1.0\n \t2.0.1\n is-stream-ended\n \t0.1.4\n is-string\n \t1.1.1\n \t\tcall-bound@^1.0.3\n \t\thas-tostringtag@^1.0.2\n is-symbol\n \t1.1.1\n \t\tcall-bound@^1.0.2\n \t\thas-symbols@^1.1.0\n \t\tsafe-regex-test@^1.1.0\n is-typed-array\n \t1.1.15\n \t\twhich-typed-array@^1.1.16\n is-typedarray\n \t1.0.0\n is-unicode-supported\n \t0.1.0\n is-weakmap\n \t2.0.2\n is-weakref\n \t1.1.1\n \t\tcall-bound@^1.0.3\n is-weakset\n \t2.0.4\n \t\tcall-bound@^1.0.3\n \t\tget-intrinsic@^1.2.6\n is-wsl\n \t2.2.0\n \t\tis-docker@^2.0.0\n isarray\n \t1.0.0\n \t2.0.5\n isexe\n \t2.0.0\n isstream\n \t0.1.2\n jackspeak\n \t4.1.1\n \t\t@isaacs/cliui@^8.0.2\n jade\n \t0.26.3\n \t\tcommander@0.6.1\n \t\tmkdirp@0.3.0\n jquery\n \t3.5.0\n \t3.7.1\n js-levenshtein\n \t1.1.6\n js-tokens\n \t4.0.0\n js-yaml\n \t3.13.1\n \t\targparse@^1.0.7\n \t\tesprima@^4.0.0\n \t4.0.0\n \t\targparse@^2.0.1\n \t4.1.0\n \t\targparse@^2.0.1\n js2xmlparser\n \t4.0.2\n \t\txmlcreate@^2.0.4\n jsbn\n \t0.1.1\n jsdoc\n \t4.0.5\n \t\t@babel/parser@^7.20.15\n \t\t@jsdoc/salty@^0.2.1\n \t\t@types/markdown-it@^14.1.1\n \t\tbluebird@^3.7.2\n \t\tcatharsis@^0.9.0\n \t\tescape-string-regexp@^2.0.0\n \t\tjs2xmlparser@^4.0.2\n \t\tklaw@^3.0.0\n \t\tmarkdown-it@^14.1.0\n \t\tmarkdown-it-anchor@^8.6.7\n \t\tmarked@^4.0.10\n \t\tmkdirp@^1.0.4\n \t\trequizzle@^0.2.3\n \t\tstrip-json-comments@^3.1.0\n \t\tunderscore@~1.13.2\n jsdom\n \t12.2.0\n \t\tabab@^2.0.0\n \t\tacorn@^6.0.2\n \t\tacorn-globals@^4.3.0\n \t\tarray-equal@^1.0.0\n \t\tcssom@^0.3.4\n \t\tcssstyle@^1.1.1\n \t\tdata-urls@^1.0.1\n \t\tdomexception@^1.0.1\n \t\tescodegen@^1.11.0\n \t\thtml-encoding-sniffer@^1.0.2\n \t\tnwsapi@^2.0.9\n \t\tparse5@5.1.0\n \t\tpn@^1.1.0\n \t\trequest@^2.88.0\n \t\trequest-promise-native@^1.0.5\n \t\tsaxes@^3.1.3\n \t\tsymbol-tree@^3.2.2\n \t\ttough-cookie@^2.4.3\n \t\tw3c-hr-time@^1.0.1\n \t\twebidl-conversions@^4.0.2\n \t\twhatwg-encoding@^1.0.5\n \t\twhatwg-mimetype@^2.2.0\n \t\twhatwg-url@^7.0.0\n \t\tws@^6.1.0\n \t\txml-name-validator@^3.0.0\n \t15.2.0\n \t\tabab@^2.0.0\n \t\tacorn@^7.1.0\n \t\tacorn-globals@^4.3.2\n \t\tarray-equal@^1.0.0\n \t\tScope peer|canvas@^2.5.0\n \t\tcssom@^0.4.1\n \t\tcssstyle@^2.0.0\n \t\tdata-urls@^1.1.0\n \t\tdomexception@^1.0.1\n \t\tescodegen@^1.11.1\n \t\thtml-encoding-sniffer@^1.0.2\n \t\tnwsapi@^2.1.4\n \t\tparse5@5.1.0\n \t\tpn@^1.1.0\n \t\trequest@^2.88.0\n \t\trequest-promise-native@^1.0.7\n \t\tsaxes@^3.1.9\n \t\tsymbol-tree@^3.2.2\n \t\ttough-cookie@^3.0.1\n \t\tw3c-hr-time@^1.0.1\n \t\tw3c-xmlserializer@^1.1.2\n \t\twebidl-conversions@^4.0.2\n \t\twhatwg-encoding@^1.0.5\n \t\twhatwg-mimetype@^2.3.0\n \t\twhatwg-url@^7.0.0\n \t\tws@^7.0.0\n \t\txml-name-validator@^3.0.0\n \t15.2.1\n \t\tabab@^2.0.0\n \t\tacorn@^7.1.0\n \t\tacorn-globals@^4.3.2\n \t\tarray-equal@^1.0.0\n \t\tScope peer|canvas@^2.5.0\n \t\tcssom@^0.4.1\n \t\tcssstyle@^2.0.0\n \t\tdata-urls@^1.1.0\n \t\tdomexception@^1.0.1\n \t\tescodegen@^1.11.1\n \t\thtml-encoding-sniffer@^1.0.2\n \t\tnwsapi@^2.2.0\n \t\tparse5@5.1.0\n \t\tpn@^1.1.0\n \t\trequest@^2.88.0\n \t\trequest-promise-native@^1.0.7\n \t\tsaxes@^3.1.9\n \t\tsymbol-tree@^3.2.2\n \t\ttough-cookie@^3.0.1\n \t\tw3c-hr-time@^1.0.1\n \t\tw3c-xmlserializer@^1.1.2\n \t\twebidl-conversions@^4.0.2\n \t\twhatwg-encoding@^1.0.5\n \t\twhatwg-mimetype@^2.3.0\n \t\twhatwg-url@^7.0.0\n \t\tws@^7.0.0\n \t\txml-name-validator@^3.0.0\n jsesc\n \t0.5.0\n \t2.5.1\n \t3.1.0\n json-bigint\n \t1.0.0\n \t\tbignumber.js@^9.0.0\n json-schema\n \t0.2.3\n \t0.4.0\n json-schema-traverse\n \t0.3.1\n \t0.4.1\n json-stringify-safe\n \t5.0.1\n json5\n \t2.1.0\n \t\tminimist@^1.2.0\n \t2.2.3\n jsprim\n \t1.4.1\n \t\tassert-plus@1.0.0\n \t\textsprintf@1.3.0\n \t\tjson-schema@0.2.3\n \t\tverror@1.10.0\n \t1.4.2\n \t\tassert-plus@1.0.0\n \t\textsprintf@1.3.0\n \t\tjson-schema@0.4.0\n \t\tverror@1.10.0\n jwa\n \t2.0.0\n \t\tbuffer-equal-constant-time@1.0.1\n \t\tecdsa-sig-formatter@1.0.11\n \t\tsafe-buffer@^5.0.1\n \t2.0.1\n \t\tbuffer-equal-constant-time@^1.0.1\n \t\tecdsa-sig-formatter@1.0.11\n \t\tsafe-buffer@^5.0.1\n jws\n \t4.0.0\n \t\tjwa@^2.0.0\n \t\tsafe-buffer@^5.0.1\n klaw\n \t3.0.0\n \t\tgraceful-fs@^4.1.9\n lcid\n \t2.0.0\n \t\tinvert-kv@^2.0.0\n levn\n \t0.3.0\n \t\tprelude-ls@~1.1.2\n \t\ttype-check@~0.3.2\n linkify-it\n \t5.0.0\n \t\tuc.micro@^2.0.0\n lit-element\n \t2.2.1\n \t\tlit-html@^1.0.0\n \t2.5.1\n \t\tlit-html@^1.1.1\n lit-html\n \t1.1.1\n \t1.4.1\n locate-path\n \t3.0.0\n \t\tp-locate@^3.0.0\n \t\tpath-exists@^3.0.0\n \t6.0.0\n \t\tp-locate@^5.0.0\n lodash\n \t4.17.20\n \t4.17.21\n lodash._objecttypes\n \t2.4.1\n lodash.camelcase\n \t4.3.0\n lodash.debounce\n \t4.0.8\n lodash.isobject\n \t2.4.1\n \t\tlodash._objecttypes@~2.4.1\n lodash.sortby\n \t4.7.0\n log-symbols\n \t2.2.0\n \t\tchalk@^2.0.1\n \t3.0.0\n \t\tchalk@^2.4.2\n \t4.0.0\n \t\tchalk@^4.0.0\n \t4.1.0\n \t\tchalk@^4.1.0\n \t\tis-unicode-supported@^0.1.0\n lolex\n \t1.3.2\n long\n \t4.0.0\n \t5.3.2\n loose-envify\n \t1.4.0\n \t\tjs-tokens@^3.0.0 || ^4.0.0\n lottie-web\n \t5.5.10\n \t5.13.0\n loupe\n \t2.3.7\n \t\tget-func-name@^2.0.1\n lower-case\n \t1.1.4\n lru-cache\n \t2.7.3\n \t4.1.5\n \t\tpseudomap@^1.0.2\n \t\tyallist@^2.1.2\n \t5.1.1\n \t\tyallist@^3.0.2\n \t6.0.0\n \t\tyallist@^4.0.0\n \t11.2.2\n magic-string\n \t0.25.7\n \t\tsourcemap-codec@^1.4.4\n \t0.25.9\n \t\tsourcemap-codec@^1.4.8\n map-age-cleaner\n \t0.1.2\n \t\tp-defer@^1.0.0\n \t0.1.3\n \t\tp-defer@^1.0.0\n markdown-it\n \t14.1.0\n \t\targparse@^2.0.1\n \t\tentities@^4.4.0\n \t\tlinkify-it@^5.0.0\n \t\tmdurl@^2.0.0\n \t\tpunycode.js@^2.3.1\n \t\tuc.micro@^2.1.0\n markdown-it-anchor\n \t8.6.7\n \t\tScope peer|@types/markdown-it@*\n \t\tScope peer|markdown-it@*\n marked\n \t4.3.0\n matchit\n \t1.0.8\n \t\t@arr/every@^1.0.0\n \t1.1.0\n \t\t@arr/every@^1.0.0\n math-intrinsics\n \t1.1.0\n mdurl\n \t2.0.0\n mem\n \t4.0.0\n \t\tmap-age-cleaner@^0.1.1\n \t\tmimic-fn@^1.0.0\n \t\tp-is-promise@^1.1.0\n \t4.3.0\n \t\tmap-age-cleaner@^0.1.1\n \t\tmimic-fn@^2.0.0\n \t\tp-is-promise@^2.0.0\n micromatch\n \t4.0.8\n \t\tbraces@^3.0.3\n \t\tpicomatch@^2.3.1\n mime\n \t2.6.0\n mime-db\n \t1.33.0\n \t1.37.0\n \t1.52.0\n mime-types\n \t2.1.18\n \t\tmime-db@~1.33.0\n \t2.1.21\n \t\tmime-db@~1.37.0\n \t2.1.35\n \t\tmime-db@1.52.0\n mimic-fn\n \t1.2.0\n \t2.1.0\n minimatch\n \t0.3.0\n \t\tlru-cache@2\n \t\tsigmund@~1.0.0\n \t3.0.4\n \t\tbrace-expansion@^1.1.7\n \t3.1.2\n \t\tbrace-expansion@^1.1.7\n \t4.2.1\n \t\tbrace-expansion@^1.1.7\n \t5.1.6\n \t\tbrace-expansion@^2.0.1\n \t10.1.1\n \t\t@isaacs/brace-expansion@^5.0.0\n minimist\n \t0.0.8\n \t1.2.0\n \t1.2.5\n \t1.2.8\n minipass\n \t7.1.2\n mkdirp\n \t0.3.0\n \t0.5.1\n \t\tminimist@0.0.8\n \t0.5.4\n \t\tminimist@^1.2.5\n \t0.5.5\n \t\tminimist@^1.2.5\n \t1.0.4\n mocha\n \t2.5.3\n \t\tcommander@2.3.0\n \t\tdebug@2.2.0\n \t\tdiff@1.4.0\n \t\tescape-string-regexp@1.0.2\n \t\tglob@3.2.11\n \t\tgrowl@1.9.2\n \t\tjade@0.26.3\n \t\tmkdirp@0.5.1\n \t\tsupports-color@1.2.0\n \t\tto-iso-string@0.0.2\n \t5.2.0\n \t\tbrowser-stdout@1.3.1\n \t\tcommander@2.15.1\n \t\tdebug@3.1.0\n \t\tdiff@3.5.0\n \t\tescape-string-regexp@1.0.5\n \t\tglob@7.1.2\n \t\tgrowl@1.10.5\n \t\the@1.1.1\n \t\tminimatch@3.0.4\n \t\tmkdirp@0.5.1\n \t\tsupports-color@5.4.0\n \t6.2.3\n \t\tansi-colors@3.2.3\n \t\tbrowser-stdout@1.3.1\n \t\tdebug@3.2.6\n \t\tdiff@3.5.0\n \t\tescape-string-regexp@1.0.5\n \t\tfind-up@3.0.0\n \t\tglob@7.1.3\n \t\tgrowl@1.10.5\n \t\the@1.2.0\n \t\tjs-yaml@3.13.1\n \t\tlog-symbols@2.2.0\n \t\tminimatch@3.0.4\n \t\tmkdirp@0.5.4\n \t\tms@2.1.1\n \t\tnode-environment-flags@1.0.5\n \t\tobject.assign@4.1.0\n \t\tstrip-json-comments@2.0.1\n \t\tsupports-color@6.0.0\n \t\twhich@1.3.1\n \t\twide-align@1.1.3\n \t\tyargs@13.3.2\n \t\tyargs-parser@13.1.2\n \t\tyargs-unparser@1.6.0\n \t7.2.0\n \t\tansi-colors@3.2.3\n \t\tbrowser-stdout@1.3.1\n \t\tchokidar@3.3.0\n \t\tdebug@3.2.6\n \t\tdiff@3.5.0\n \t\tescape-string-regexp@1.0.5\n \t\tfind-up@3.0.0\n \t\tglob@7.1.3\n \t\tgrowl@1.10.5\n \t\the@1.2.0\n \t\tjs-yaml@3.13.1\n \t\tlog-symbols@3.0.0\n \t\tminimatch@3.0.4\n \t\tmkdirp@0.5.5\n \t\tms@2.1.1\n \t\tnode-environment-flags@1.0.6\n \t\tobject.assign@4.1.0\n \t\tstrip-json-comments@2.0.1\n \t\tsupports-color@6.0.0\n \t\twhich@1.3.1\n \t\twide-align@1.1.3\n \t\tyargs@13.3.2\n \t\tyargs-parser@13.1.2\n \t\tyargs-unparser@1.6.0\n \t8.4.0\n \t\t@ungap/promise-all-settled@1.1.2\n \t\tansi-colors@4.1.1\n \t\tbrowser-stdout@1.3.1\n \t\tchokidar@3.5.1\n \t\tdebug@4.3.1\n \t\tdiff@5.0.0\n \t\tescape-string-regexp@4.0.0\n \t\tfind-up@5.0.0\n \t\tglob@7.1.6\n \t\tgrowl@1.10.5\n \t\the@1.2.0\n \t\tjs-yaml@4.0.0\n \t\tlog-symbols@4.0.0\n \t\tminimatch@3.0.4\n \t\tms@2.1.3\n \t\tnanoid@3.1.20\n \t\tserialize-javascript@5.0.1\n \t\tstrip-json-comments@3.1.1\n \t\tsupports-color@8.1.1\n \t\twhich@2.0.2\n \t\twide-align@1.1.3\n \t\tworkerpool@6.1.0\n \t\tyargs@16.2.0\n \t\tyargs-parser@20.2.4\n \t\tyargs-unparser@2.0.0\n \t9.2.2\n \t\t@ungap/promise-all-settled@1.1.2\n \t\tansi-colors@4.1.1\n \t\tbrowser-stdout@1.3.1\n \t\tchokidar@3.5.3\n \t\tdebug@4.3.3\n \t\tdiff@5.0.0\n \t\tescape-string-regexp@4.0.0\n \t\tfind-up@5.0.0\n \t\tglob@7.2.0\n \t\tgrowl@1.10.5\n \t\the@1.2.0\n \t\tjs-yaml@4.1.0\n \t\tlog-symbols@4.1.0\n \t\tminimatch@4.2.1\n \t\tms@2.1.3\n \t\tnanoid@3.3.1\n \t\tserialize-javascript@6.0.0\n \t\tstrip-json-comments@3.1.1\n \t\tsupports-color@8.1.1\n \t\twhich@2.0.2\n \t\tworkerpool@6.2.0\n \t\tyargs@16.2.0\n \t\tyargs-parser@20.2.4\n \t\tyargs-unparser@2.0.0\n \t10.8.2\n \t\tansi-colors@^4.1.3\n \t\tbrowser-stdout@^1.3.1\n \t\tchokidar@^3.5.3\n \t\tdebug@^4.3.5\n \t\tdiff@^5.2.0\n \t\tescape-string-regexp@^4.0.0\n \t\tfind-up@^5.0.0\n \t\tglob@^8.1.0\n \t\the@^1.2.0\n \t\tjs-yaml@^4.1.0\n \t\tlog-symbols@^4.1.0\n \t\tminimatch@^5.1.6\n \t\tms@^2.1.3\n \t\tserialize-javascript@^6.0.2\n \t\tstrip-json-comments@^3.1.1\n \t\tsupports-color@^8.1.1\n \t\tworkerpool@^6.5.1\n \t\tyargs@^16.2.0\n \t\tyargs-parser@^20.2.9\n \t\tyargs-unparser@^2.0.0\n mocha-headless-server\n \t0.1.2\n \t\tScope peer|mocha@5.x\n \t\tpuppeteer@^1.6.0\n \t\tserve-handler@^3.3.0\n \t0.1.4\n \t\tScope peer|dhost@0.1.x\n \t\tScope peer|mocha@5.x\n \t\tScope peer|puppeteer@2.x\n mri\n \t1.2.0\n ms\n \t0.7.1\n \t2.0.0\n \t2.1.1\n \t2.1.2\n \t2.1.3\n nanoid\n \t3.1.20\n \t3.3.1\n nice-try\n \t1.0.5\n no-case\n \t2.3.2\n \t\tlower-case@^1.1.1\n node-addon-api\n \t7.1.1\n node-environment-flags\n \t1.0.5\n \t\tobject.getownpropertydescriptors@^2.0.3\n \t\tsemver@^5.7.0\n \t1.0.6\n \t\tobject.getownpropertydescriptors@^2.0.3\n \t\tsemver@^5.7.0\n node-fetch\n \t2.6.1\n \t2.6.6\n \t\twhatwg-url@^5.0.0\n \t2.6.7\n \t\tScope peer|encoding@^0.1.0\n \t\twhatwg-url@^5.0.0\n \t2.7.0\n \t\tScope peer|encoding@^0.1.0\n \t\twhatwg-url@^5.0.0\n node-forge\n \t0.10.0\n \t1.3.1\n node-releases\n \t1.0.0-alpha.14\n \t\tsemver@^5.3.0\n \t1.1.32\n \t\tsemver@^5.3.0\n \t2.0.27\n nodent-compiler\n \t3.2.11\n \t\tacorn@>= 2.5.2 <= 5.7.3\n \t\tacorn-es7-plugin@^1.1.7\n \t\tnodent-transform@^3.2.9\n \t\tsource-map@^0.5.7\n \t3.2.13\n \t\tacorn@>= 2.5.2 <= 5.7.5\n \t\tacorn-es7-plugin@^1.1.7\n \t\tnodent-transform@^3.2.9\n \t\tsource-map@^0.5.7\n nodent-runtime\n \t3.2.1\n nodent-transform\n \t3.2.9\n normalize-path\n \t3.0.0\n normalize-range\n \t0.1.2\n npm-run-path\n \t2.0.2\n \t\tpath-key@^2.0.0\n num2fraction\n \t1.2.2\n number-is-nan\n \t1.0.1\n nwsapi\n \t2.0.9\n \t2.1.4\n \t2.2.22\n oauth-sign\n \t0.9.0\n object-hash\n \t2.2.0\n \t3.0.0\n object-inspect\n \t1.13.4\n object-keys\n \t1.1.1\n object.assign\n \t4.1.0\n \t\tdefine-properties@^1.1.2\n \t\tfunction-bind@^1.1.1\n \t\thas-symbols@^1.0.0\n \t\tobject-keys@^1.0.11\n \t4.1.7\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.3\n \t\tdefine-properties@^1.2.1\n \t\tes-object-atoms@^1.0.0\n \t\thas-symbols@^1.1.0\n \t\tobject-keys@^1.1.1\n object.getownpropertydescriptors\n \t2.1.8\n \t\tarray.prototype.reduce@^1.0.6\n \t\tcall-bind@^1.0.7\n \t\tdefine-properties@^1.2.1\n \t\tes-abstract@^1.23.2\n \t\tes-object-atoms@^1.0.0\n \t\tgopd@^1.0.1\n \t\tsafe-array-concat@^1.1.2\n once\n \t1.4.0\n \t\twrappy@1\n optionator\n \t0.8.2\n \t\tdeep-is@~0.1.3\n \t\tfast-levenshtein@~2.0.4\n \t\tlevn@~0.3.0\n \t\tprelude-ls@~1.1.2\n \t\ttype-check@~0.3.2\n \t\twordwrap@~1.0.0\n \t0.8.3\n \t\tdeep-is@~0.1.3\n \t\tfast-levenshtein@~2.0.6\n \t\tlevn@~0.3.0\n \t\tprelude-ls@~1.1.2\n \t\ttype-check@~0.3.2\n \t\tword-wrap@~1.2.3\n os-locale\n \t3.0.1\n \t\texeca@^0.10.0\n \t\tlcid@^2.0.0\n \t\tmem@^4.0.0\n \t3.1.0\n \t\texeca@^1.0.0\n \t\tlcid@^2.0.0\n \t\tmem@^4.0.0\n os-tmpdir\n \t1.0.2\n own-keys\n \t1.0.1\n \t\tget-intrinsic@^1.2.6\n \t\tobject-keys@^1.1.1\n \t\tsafe-push-apply@^1.0.0\n p-defer\n \t1.0.0\n p-finally\n \t1.0.0\n p-is-promise\n \t1.1.0\n \t2.1.0\n p-limit\n \t2.0.0\n \t\tp-try@^2.0.0\n \t2.3.0\n \t\tp-try@^2.0.0\n \t3.1.0\n \t\tyocto-queue@^0.1.0\n p-locate\n \t3.0.0\n \t\tp-limit@^2.0.0\n \t5.0.0\n \t\tp-limit@^3.0.2\n p-try\n \t2.0.0\n \t2.2.0\n package-json-from-dist\n \t1.0.1\n param-case\n \t2.1.1\n \t\tno-case@^2.2.0\n parse-ms\n \t2.0.0\n \t2.1.0\n parse-node-version\n \t1.0.1\n parse5\n \t5.1.0\n \t5.1.1\n path-exists\n \t3.0.0\n \t4.0.0\n path-is-absolute\n \t1.0.1\n path-is-inside\n \t1.0.2\n path-key\n \t2.0.1\n \t3.1.1\n path-parse\n \t1.0.6\n \t1.0.7\n path-scurry\n \t2.0.0\n \t\tlru-cache@^11.0.0\n \t\tminipass@^7.1.2\n path-to-regexp\n \t2.2.1\n pathval\n \t1.1.0\n \t1.1.1\n pend\n \t1.2.0\n performance-now\n \t2.1.0\n picocolors\n \t0.2.1\n \t1.1.1\n picomatch\n \t2.3.0\n \t2.3.1\n pn\n \t1.1.0\n polka\n \t0.5.2\n \t\t@polka/url@^0.5.0\n \t\ttrouter@^2.0.1\n possible-typed-array-names\n \t1.1.0\n postcss\n \t7.0.5\n \t\tchalk@^2.4.1\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^5.5.0\n \t7.0.6\n \t\tchalk@^2.4.1\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^5.5.0\n \t7.0.7\n \t\tchalk@^2.4.1\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^5.5.0\n \t7.0.8\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.0.0\n \t7.0.9\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.10\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.11\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.12\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.13\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.14\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.15\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.16\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.17\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.18\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.19\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.20\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.21\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.22\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.23\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.24\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.25\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.26\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.27\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.28\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.29\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.30\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.31\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.32\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.33\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.34\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.35\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.36\n \t\tchalk@^2.4.2\n \t\tsource-map@^0.6.1\n \t\tsupports-color@^6.1.0\n \t7.0.37\n \t\tnanocolors@^0.2.2\n \t\tsource-map@^0.6.1\n \t7.0.38\n \t\tnanocolors@^0.2.2\n \t\tsource-map@^0.6.1\n \t7.0.39\n \t\tpicocolors@^0.2.1\n \t\tsource-map@^0.6.1\n postcss-value-parser\n \t3.3.1\n \t4.2.0\n prelude-ls\n \t1.1.2\n pretty-ms\n \t4.0.0\n \t\tparse-ms@^2.0.0\n private\n \t0.1.8\n process-nextick-args\n \t2.0.0\n \t2.0.1\n progress\n \t2.0.3\n promise-polyfill\n \t8.1.3\n promises-aplus-tests\n \t2.1.2\n \t\tmocha@^2.5.3\n \t\tsinon@^1.10.3\n \t\tunderscore@~1.8.3\n proto3-json-serializer\n \t0.1.5\n \t0.1.9\n \t\tprotobufjs@^6.11.2\n \t1.1.1\n \t\tprotobufjs@^7.0.0\n \t2.0.2\n \t\tprotobufjs@^7.2.5\n protobufjs\n \t6.11.2\n \t\t@protobufjs/aspromise@^1.1.2\n \t\t@protobufjs/base64@^1.1.2\n \t\t@protobufjs/codegen@^2.0.4\n \t\t@protobufjs/eventemitter@^1.1.0\n \t\t@protobufjs/fetch@^1.1.0\n \t\t@protobufjs/float@^1.0.2\n \t\t@protobufjs/inquire@^1.1.0\n \t\t@protobufjs/path@^1.1.2\n \t\t@protobufjs/pool@^1.1.0\n \t\t@protobufjs/utf8@^1.1.0\n \t\t@types/long@^4.0.1\n \t\t@types/node@>=13.7.0\n \t\tlong@^4.0.0\n \t6.11.3\n \t\t@protobufjs/aspromise@^1.1.2\n \t\t@protobufjs/base64@^1.1.2\n \t\t@protobufjs/codegen@^2.0.4\n \t\t@protobufjs/eventemitter@^1.1.0\n \t\t@protobufjs/fetch@^1.1.0\n \t\t@protobufjs/float@^1.0.2\n \t\t@protobufjs/inquire@^1.1.0\n \t\t@protobufjs/path@^1.1.2\n \t\t@protobufjs/pool@^1.1.0\n \t\t@protobufjs/utf8@^1.1.0\n \t\t@types/long@^4.0.1\n \t\t@types/node@>=13.7.0\n \t\tlong@^4.0.0\n \t6.11.4\n \t\t@protobufjs/aspromise@^1.1.2\n \t\t@protobufjs/base64@^1.1.2\n \t\t@protobufjs/codegen@^2.0.4\n \t\t@protobufjs/eventemitter@^1.1.0\n \t\t@protobufjs/fetch@^1.1.0\n \t\t@protobufjs/float@^1.0.2\n \t\t@protobufjs/inquire@^1.1.0\n \t\t@protobufjs/path@^1.1.2\n \t\t@protobufjs/pool@^1.1.0\n \t\t@protobufjs/utf8@^1.1.0\n \t\t@types/long@^4.0.1\n \t\t@types/node@>=13.7.0\n \t\tlong@^4.0.0\n \t7.2.4\n \t\t@protobufjs/aspromise@^1.1.2\n \t\t@protobufjs/base64@^1.1.2\n \t\t@protobufjs/codegen@^2.0.4\n \t\t@protobufjs/eventemitter@^1.1.0\n \t\t@protobufjs/fetch@^1.1.0\n \t\t@protobufjs/float@^1.0.2\n \t\t@protobufjs/inquire@^1.1.0\n \t\t@protobufjs/path@^1.1.2\n \t\t@protobufjs/pool@^1.1.0\n \t\t@protobufjs/utf8@^1.1.0\n \t\t@types/node@>=13.7.0\n \t\tlong@^5.0.0\n \t7.5.4\n \t\t@protobufjs/aspromise@^1.1.2\n \t\t@protobufjs/base64@^1.1.2\n \t\t@protobufjs/codegen@^2.0.4\n \t\t@protobufjs/eventemitter@^1.1.0\n \t\t@protobufjs/fetch@^1.1.0\n \t\t@protobufjs/float@^1.0.2\n \t\t@protobufjs/inquire@^1.1.0\n \t\t@protobufjs/path@^1.1.2\n \t\t@protobufjs/pool@^1.1.0\n \t\t@protobufjs/utf8@^1.1.0\n \t\t@types/node@>=13.7.0\n \t\tlong@^5.0.0\n protobufjs-cli\n \t1.1.1\n \t\tchalk@^4.0.0\n \t\tescodegen@^1.13.0\n \t\tespree@^9.0.0\n \t\testraverse@^5.1.0\n \t\tglob@^8.0.0\n \t\tjsdoc@^4.0.0\n \t\tminimist@^1.2.0\n \t\tScope peer|protobufjs@^7.0.0\n \t\tsemver@^7.1.2\n \t\ttmp@^0.2.1\n \t\tuglify-js@^3.7.7\n proxy-from-env\n \t1.1.0\n pseudomap\n \t1.0.2\n psl\n \t1.1.29\n \t1.4.0\n \t1.15.0\n \t\tpunycode@^2.3.1\n pump\n \t3.0.0\n \t\tend-of-stream@^1.1.0\n \t\tonce@^1.3.1\n \t3.0.3\n \t\tend-of-stream@^1.1.0\n \t\tonce@^1.3.1\n punycode\n \t1.4.1\n \t2.1.1\n \t2.3.1\n punycode.js\n \t2.3.1\n puppeteer\n \t1.20.0\n \t\tdebug@^4.1.0\n \t\textract-zip@^1.6.6\n \t\thttps-proxy-agent@^2.2.1\n \t\tmime@^2.0.3\n \t\tprogress@^2.0.1\n \t\tproxy-from-env@^1.0.0\n \t\trimraf@^2.6.1\n \t\tws@^6.1.0\n qs\n \t6.5.2\n \t6.5.3\n randombytes\n \t2.1.0\n \t\tsafe-buffer@^5.1.0\n readable-stream\n \t2.3.6\n \t\tcore-util-is@~1.0.0\n \t\tinherits@~2.0.3\n \t\tisarray@~1.0.0\n \t\tprocess-nextick-args@~2.0.0\n \t\tsafe-buffer@~5.1.1\n \t\tstring_decoder@~1.1.1\n \t\tutil-deprecate@~1.0.1\n \t2.3.7\n \t\tcore-util-is@~1.0.0\n \t\tinherits@~2.0.3\n \t\tisarray@~1.0.0\n \t\tprocess-nextick-args@~2.0.0\n \t\tsafe-buffer@~5.1.1\n \t\tstring_decoder@~1.1.1\n \t\tutil-deprecate@~1.0.1\n \t2.3.8\n \t\tcore-util-is@~1.0.0\n \t\tinherits@~2.0.3\n \t\tisarray@~1.0.0\n \t\tprocess-nextick-args@~2.0.0\n \t\tsafe-buffer@~5.1.1\n \t\tstring_decoder@~1.1.1\n \t\tutil-deprecate@~1.0.1\n \t3.6.0\n \t\tinherits@^2.0.3\n \t\tstring_decoder@^1.1.1\n \t\tutil-deprecate@^1.0.1\n \t3.6.2\n \t\tinherits@^2.0.3\n \t\tstring_decoder@^1.1.1\n \t\tutil-deprecate@^1.0.1\n readdirp\n \t3.1.1\n \t\tpicomatch@^2.0.4\n \t3.2.0\n \t\tpicomatch@^2.0.4\n \t3.5.0\n \t\tpicomatch@^2.2.1\n \t3.6.0\n \t\tpicomatch@^2.2.1\n \t4.1.2\n reflect.getprototypeof\n \t1.0.10\n \t\tcall-bind@^1.0.8\n \t\tdefine-properties@^1.2.1\n \t\tes-abstract@^1.23.9\n \t\tes-errors@^1.3.0\n \t\tes-object-atoms@^1.0.0\n \t\tget-intrinsic@^1.2.7\n \t\tget-proto@^1.0.1\n \t\twhich-builtin-type@^1.2.1\n regenerate\n \t1.4.0\n \t1.4.2\n regenerate-unicode-properties\n \t8.1.0\n \t\tregenerate@^1.4.0\n \t10.2.2\n \t\tregenerate@^1.4.2\n regenerator-runtime\n \t0.13.3\n \t0.13.11\n regenerator-transform\n \t0.14.1\n \t\tprivate@^0.1.6\n regexp-tree\n \t0.1.13\n regexp.prototype.flags\n \t1.5.4\n \t\tcall-bind@^1.0.8\n \t\tdefine-properties@^1.2.1\n \t\tes-errors@^1.3.0\n \t\tget-proto@^1.0.1\n \t\tgopd@^1.2.0\n \t\tset-function-name@^2.0.2\n regexpu-core\n \t4.6.0\n \t\tregenerate@^1.4.0\n \t\tregenerate-unicode-properties@^8.1.0\n \t\tregjsgen@^0.5.0\n \t\tregjsparser@^0.6.0\n \t\tunicode-match-property-ecmascript@^1.0.4\n \t\tunicode-match-property-value-ecmascript@^1.1.0\n \t6.4.0\n \t\tregenerate@^1.4.2\n \t\tregenerate-unicode-properties@^10.2.2\n \t\tregjsgen@^0.8.0\n \t\tregjsparser@^0.13.0\n \t\tunicode-match-property-ecmascript@^2.0.0\n \t\tunicode-match-property-value-ecmascript@^2.2.1\n regjsgen\n \t0.5.0\n \t0.8.0\n regjsparser\n \t0.6.0\n \t\tjsesc@~0.5.0\n \t0.13.0\n \t\tjsesc@~3.1.0\n relateurl\n \t0.2.7\n remove-trailing-separator\n \t1.1.0\n replace-ext\n \t1.0.0\n \t1.0.1\n request\n \t2.88.0\n \t\taws-sign2@~0.7.0\n \t\taws4@^1.8.0\n \t\tcaseless@~0.12.0\n \t\tcombined-stream@~1.0.6\n \t\textend@~3.0.2\n \t\tforever-agent@~0.6.1\n \t\tform-data@~2.3.2\n \t\thar-validator@~5.1.0\n \t\thttp-signature@~1.2.0\n \t\tis-typedarray@~1.0.0\n \t\tisstream@~0.1.2\n \t\tjson-stringify-safe@~5.0.1\n \t\tmime-types@~2.1.19\n \t\toauth-sign@~0.9.0\n \t\tperformance-now@^2.1.0\n \t\tqs@~6.5.2\n \t\tsafe-buffer@^5.1.2\n \t\ttough-cookie@~2.4.3\n \t\ttunnel-agent@^0.6.0\n \t\tuuid@^3.3.2\n \t2.88.2\n \t\taws-sign2@~0.7.0\n \t\taws4@^1.8.0\n \t\tcaseless@~0.12.0\n \t\tcombined-stream@~1.0.6\n \t\textend@~3.0.2\n \t\tforever-agent@~0.6.1\n \t\tform-data@~2.3.2\n \t\thar-validator@~5.1.3\n \t\thttp-signature@~1.2.0\n \t\tis-typedarray@~1.0.0\n \t\tisstream@~0.1.2\n \t\tjson-stringify-safe@~5.0.1\n \t\tmime-types@~2.1.19\n \t\toauth-sign@~0.9.0\n \t\tperformance-now@^2.1.0\n \t\tqs@~6.5.2\n \t\tsafe-buffer@^5.1.2\n \t\ttough-cookie@~2.5.0\n \t\ttunnel-agent@^0.6.0\n \t\tuuid@^3.3.2\n request-promise-core\n \t1.1.1\n \t\tlodash@^4.13.1\n \t\tScope peer|request@^2.34\n \t1.1.2\n \t\tlodash@^4.17.11\n \t\tScope peer|request@^2.34\n \t1.1.4\n \t\tlodash@^4.17.19\n \t\tScope peer|request@^2.34\n request-promise-native\n \t1.0.5\n \t\tScope peer|request@^2.34\n \t\trequest-promise-core@1.1.1\n \t\tstealthy-require@^1.1.0\n \t\ttough-cookie@>=2.3.3\n \t1.0.7\n \t\tScope peer|request@^2.34\n \t\trequest-promise-core@1.1.2\n \t\tstealthy-require@^1.1.1\n \t\ttough-cookie@^2.3.3\n \t1.0.9\n \t\tScope peer|request@^2.34\n \t\trequest-promise-core@1.1.4\n \t\tstealthy-require@^1.1.1\n \t\ttough-cookie@^2.3.3\n require-directory\n \t2.1.1\n require-main-filename\n \t1.0.1\n \t2.0.0\n requizzle\n \t0.2.4\n \t\tlodash@^4.17.21\n resolve\n \t1.20.0\n \t\tis-core-module@^2.2.0\n \t\tpath-parse@^1.0.6\n \t1.22.11\n \t\tis-core-module@^2.16.1\n \t\tpath-parse@^1.0.7\n \t\tsupports-preserve-symlinks-flag@^1.0.0\n retry-request\n \t4.2.2\n \t\tdebug@^4.1.1\n \t\textend@^3.0.2\n \t5.0.2\n \t\tdebug@^4.1.1\n \t\textend@^3.0.2\n \t7.0.2\n \t\t@types/request@^2.48.8\n \t\textend@^3.0.2\n \t\tteeny-request@^9.0.0\n rimraf\n \t2.7.1\n \t\tglob@^7.1.3\n \t3.0.2\n \t\tglob@^7.1.3\n rollup\n \t1.19.4\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.6.9\n \t\tacorn@^6.2.1\n \t1.20.0\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.2\n \t\tacorn@^7.0.0\n \t1.20.1\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.2\n \t\tacorn@^7.0.0\n \t1.20.2\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.2\n \t\tacorn@^7.0.0\n \t1.20.3\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.2\n \t\tacorn@^7.0.0\n \t1.21.0\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.4\n \t\tacorn@^7.0.0\n \t1.21.1\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.4\n \t\tacorn@^7.0.0\n \t1.21.2\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.4\n \t\tacorn@^7.0.0\n \t1.21.3\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.5\n \t\tacorn@^7.0.0\n \t1.21.4\n \t\t@types/estree@0.0.39\n \t\t@types/node@^12.7.5\n \t\tacorn@^7.0.0\n \t1.22.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.23.0\n \t\t@types/estree@*\n \t\t@types/node@^12.7.10\n \t\tacorn@^7.1.0\n \t1.23.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.24.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.25.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.25.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.25.2\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.2\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.3\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.4\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.26.5\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.2\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.3\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.4\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.5\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.6\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.7\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.8\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.9\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.10\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.11\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.12\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.13\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.27.14\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.28.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.29.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.29.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.30.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.30.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.31.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.31.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.32.0\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t1.32.1\n \t\t@types/estree@*\n \t\t@types/node@*\n \t\tacorn@^7.1.0\n \t2.59.0\n \t\tfsevents@~2.3.2\n \t\tOpt|fsevents@~2.3.2\n \t2.79.2\n \t\tOpt|fsevents@~2.3.2\n safe-array-concat\n \t1.1.3\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.2\n \t\tget-intrinsic@^1.2.6\n \t\thas-symbols@^1.1.0\n \t\tisarray@^2.0.5\n safe-buffer\n \t5.1.2\n \t5.2.1\n safe-push-apply\n \t1.0.0\n \t\tes-errors@^1.3.0\n \t\tisarray@^2.0.5\n safe-regex-test\n \t1.1.0\n \t\tcall-bound@^1.0.2\n \t\tes-errors@^1.3.0\n \t\tis-regex@^1.2.1\n safer-buffer\n \t2.1.2\n samsam\n \t1.1.2\n sass\n \t1.22.9\n \t\tchokidar@>=2.0.0 <4.0.0\n \t1.93.3\n \t\tOpt|@parcel/watcher@^2.4.1\n \t\tchokidar@^4.0.0\n \t\timmutable@^5.0.2\n \t\tsource-map-js@>=0.6.2 <2.0.0\n saxes\n \t3.1.3\n \t\txmlchars@^1.3.1\n \t3.1.11\n \t\txmlchars@^2.1.1\n semver\n \t5.5.1\n \t5.6.0\n \t5.7.2\n \t6.3.0\n \t6.3.1\n \t7.7.3\n serialize-javascript\n \t5.0.1\n \t\trandombytes@^2.1.0\n \t6.0.0\n \t\trandombytes@^2.1.0\n \t6.0.2\n \t\trandombytes@^2.1.0\n serve-handler\n \t3.6.2\n \t\tbytes@3.0.0\n \t\tcontent-disposition@0.5.2\n \t\tfast-url-parser@1.1.3\n \t\tglob-slasher@1.0.1\n \t\tmime-types@2.1.18\n \t\tminimatch@3.0.4\n \t\tpath-is-inside@1.0.2\n \t\tpath-to-regexp@2.2.1\n set-blocking\n \t2.0.0\n set-function-length\n \t1.2.2\n \t\tdefine-data-property@^1.1.4\n \t\tes-errors@^1.3.0\n \t\tfunction-bind@^1.1.2\n \t\tget-intrinsic@^1.2.4\n \t\tgopd@^1.0.1\n \t\thas-property-descriptors@^1.0.2\n set-function-name\n \t2.0.2\n \t\tdefine-data-property@^1.1.4\n \t\tes-errors@^1.3.0\n \t\tfunctions-have-names@^1.2.3\n \t\thas-property-descriptors@^1.0.2\n set-proto\n \t1.0.0\n \t\tdunder-proto@^1.0.1\n \t\tes-errors@^1.3.0\n \t\tes-object-atoms@^1.0.0\n shebang-command\n \t1.2.0\n \t\tshebang-regex@^1.0.0\n \t2.0.0\n \t\tshebang-regex@^3.0.0\n shebang-regex\n \t1.0.0\n \t3.0.0\n side-channel\n \t1.1.0\n \t\tes-errors@^1.3.0\n \t\tobject-inspect@^1.13.3\n \t\tside-channel-list@^1.0.0\n \t\tside-channel-map@^1.0.1\n \t\tside-channel-weakmap@^1.0.2\n side-channel-list\n \t1.0.0\n \t\tes-errors@^1.3.0\n \t\tobject-inspect@^1.13.3\n side-channel-map\n \t1.0.1\n \t\tcall-bound@^1.0.2\n \t\tes-errors@^1.3.0\n \t\tget-intrinsic@^1.2.5\n \t\tobject-inspect@^1.13.3\n side-channel-weakmap\n \t1.0.2\n \t\tcall-bound@^1.0.2\n \t\tes-errors@^1.3.0\n \t\tget-intrinsic@^1.2.5\n \t\tobject-inspect@^1.13.3\n \t\tside-channel-map@^1.0.1\n sigmund\n \t1.0.1\n signal-exit\n \t3.0.2\n \t3.0.7\n \t4.1.0\n sinon\n \t1.17.7\n \t\tformatio@1.1.1\n \t\tlolex@1.3.2\n \t\tsamsam@1.1.2\n \t\tutil@>=0.10.3 <1\n source-map\n \t0.5.7\n \t0.6.1\n source-map-js\n \t1.2.1\n source-map-support\n \t0.5.9\n \t\tbuffer-from@^1.0.0\n \t\tsource-map@^0.6.0\n \t0.5.21\n \t\tbuffer-from@^1.0.0\n \t\tsource-map@^0.6.0\n sourcemap-codec\n \t1.4.8\n sprintf-js\n \t1.0.3\n sshpk\n \t1.15.1\n \t\tasn1@~0.2.3\n \t\tassert-plus@^1.0.0\n \t\tbcrypt-pbkdf@^1.0.0\n \t\tdashdash@^1.12.0\n \t\tecc-jsbn@~0.1.1\n \t\tgetpass@^0.1.1\n \t\tjsbn@~0.1.0\n \t\tsafer-buffer@^2.0.2\n \t\ttweetnacl@~0.14.0\n \t1.18.0\n \t\tasn1@~0.2.3\n \t\tassert-plus@^1.0.0\n \t\tbcrypt-pbkdf@^1.0.0\n \t\tdashdash@^1.12.0\n \t\tecc-jsbn@~0.1.1\n \t\tgetpass@^0.1.1\n \t\tjsbn@~0.1.0\n \t\tsafer-buffer@^2.0.2\n \t\ttweetnacl@~0.14.0\n stealthy-require\n \t1.1.1\n stop-iteration-iterator\n \t1.1.0\n \t\tes-errors@^1.3.0\n \t\tinternal-slot@^1.1.0\n stream-events\n \t1.0.5\n \t\tstubs@^3.0.0\n stream-shift\n \t1.0.1\n \t1.0.3\n string-width\n \t1.0.2\n \t\tcode-point-at@^1.0.0\n \t\tis-fullwidth-code-point@^1.0.0\n \t\tstrip-ansi@^3.0.0\n \t2.1.1\n \t\tis-fullwidth-code-point@^2.0.0\n \t\tstrip-ansi@^4.0.0\n \t3.1.0\n \t\temoji-regex@^7.0.1\n \t\tis-fullwidth-code-point@^2.0.0\n \t\tstrip-ansi@^5.1.0\n \t4.2.3\n \t\temoji-regex@^8.0.0\n \t\tis-fullwidth-code-point@^3.0.0\n \t\tstrip-ansi@^6.0.1\n \t5.1.2\n \t\teastasianwidth@^0.2.0\n \t\temoji-regex@^9.2.2\n \t\tstrip-ansi@^7.0.1\n string.prototype.trim\n \t1.2.10\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.2\n \t\tdefine-data-property@^1.1.4\n \t\tdefine-properties@^1.2.1\n \t\tes-abstract@^1.23.5\n \t\tes-object-atoms@^1.0.0\n \t\thas-property-descriptors@^1.0.2\n string.prototype.trimend\n \t1.0.9\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.2\n \t\tdefine-properties@^1.2.1\n \t\tes-object-atoms@^1.0.0\n string.prototype.trimstart\n \t1.0.8\n \t\tcall-bind@^1.0.7\n \t\tdefine-properties@^1.2.1\n \t\tes-object-atoms@^1.0.0\n string_decoder\n \t1.1.1\n \t\tsafe-buffer@~5.1.0\n \t1.3.0\n \t\tsafe-buffer@~5.2.0\n strip-ansi\n \t3.0.1\n \t\tansi-regex@^2.0.0\n \t4.0.0\n \t\tansi-regex@^3.0.0\n \t5.2.0\n \t\tansi-regex@^4.1.0\n \t6.0.1\n \t\tansi-regex@^5.0.1\n \t7.1.2\n \t\tansi-regex@^6.0.1\n strip-eof\n \t1.0.0\n strip-json-comments\n \t2.0.1\n \t3.1.1\n stubs\n \t3.0.0\n supports-color\n \t1.2.0\n \t5.4.0\n \t\thas-flag@^3.0.0\n \t5.5.0\n \t\thas-flag@^3.0.0\n \t6.0.0\n \t\thas-flag@^3.0.0\n \t7.2.0\n \t\thas-flag@^4.0.0\n \t8.1.1\n \t\thas-flag@^4.0.0\n supports-preserve-symlinks-flag\n \t1.0.0\n symbol-tree\n \t3.2.2\n \t3.2.4\n teeny-request\n \t7.1.3\n \t\thttp-proxy-agent@^5.0.0\n \t\thttps-proxy-agent@^5.0.0\n \t\tnode-fetch@^2.6.1\n \t\tstream-events@^1.0.5\n \t\tuuid@^8.0.0\n \t7.2.0\n \t\thttp-proxy-agent@^5.0.0\n \t\thttps-proxy-agent@^5.0.0\n \t\tnode-fetch@^2.6.1\n \t\tstream-events@^1.0.5\n \t\tuuid@^8.0.0\n \t9.0.0\n \t\thttp-proxy-agent@^5.0.0\n \t\thttps-proxy-agent@^5.0.0\n \t\tnode-fetch@^2.6.9\n \t\tstream-events@^1.0.5\n \t\tuuid@^9.0.0\n terser\n \t3.10.11\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.10.12\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.10.13\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.11.0\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.12.0\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.13.0\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.13.1\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.14.0\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.14.1\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.6\n \t3.16.0\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.9\n \t3.16.1\n \t\tcommander@~2.17.1\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.9\n \t3.17.0\n \t\tcommander@^2.19.0\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.10\n \t4.8.1\n \t\tcommander@^2.20.0\n \t\tsource-map@~0.6.1\n \t\tsource-map-support@~0.5.12\n time-stamp\n \t1.1.0\n tmp\n \t0.0.33\n \t\tos-tmpdir@~1.0.2\n \t0.2.5\n to-fast-properties\n \t2.0.0\n to-iso-string\n \t0.0.2\n to-regex-range\n \t5.0.1\n \t\tis-number@^7.0.0\n tough-cookie\n \t2.3.3\n \t\tpunycode@^1.4.1\n \t2.3.4\n \t\tpunycode@^1.4.1\n \t2.4.2\n \t\tpsl@^1.1.24\n \t\tpunycode@^1.4.1\n \t2.4.3\n \t\tpsl@^1.1.24\n \t\tpunycode@^1.4.1\n \t2.5.0\n \t\tpsl@^1.1.28\n \t\tpunycode@^2.1.1\n \t3.0.1\n \t\tip-regex@^2.1.0\n \t\tpsl@^1.1.28\n \t\tpunycode@^2.1.1\n toxic\n \t1.0.1\n \t\tlodash@^4.17.10\n tr46\n \t0.0.3\n \t1.0.1\n \t\tpunycode@^2.1.0\n trim-right\n \t1.0.1\n trouter\n \t2.0.1\n \t\tmatchit@^1.0.0\n tslib\n \t2.3.1\n \t2.8.1\n tunnel-agent\n \t0.6.0\n \t\tsafe-buffer@^5.0.1\n tweetnacl\n \t0.14.5\n type-check\n \t0.3.2\n \t\tprelude-ls@~1.1.2\n type-detect\n \t4.0.8\n \t4.1.0\n typed-array-buffer\n \t1.0.3\n \t\tcall-bound@^1.0.3\n \t\tes-errors@^1.3.0\n \t\tis-typed-array@^1.1.14\n typed-array-byte-length\n \t1.0.3\n \t\tcall-bind@^1.0.8\n \t\tfor-each@^0.3.3\n \t\tgopd@^1.2.0\n \t\thas-proto@^1.2.0\n \t\tis-typed-array@^1.1.14\n typed-array-byte-offset\n \t1.0.4\n \t\tavailable-typed-arrays@^1.0.7\n \t\tcall-bind@^1.0.8\n \t\tfor-each@^0.3.3\n \t\tgopd@^1.2.0\n \t\thas-proto@^1.2.0\n \t\tis-typed-array@^1.1.15\n \t\treflect.getprototypeof@^1.0.9\n typed-array-length\n \t1.0.7\n \t\tcall-bind@^1.0.7\n \t\tfor-each@^0.3.3\n \t\tgopd@^1.0.1\n \t\tis-typed-array@^1.1.13\n \t\tpossible-typed-array-names@^1.0.0\n \t\treflect.getprototypeof@^1.0.6\n typedarray\n \t0.0.6\n uc.micro\n \t2.1.0\n uglify-js\n \t3.6.0\n \t\tcommander@~2.20.0\n \t\tsource-map@~0.6.1\n \t3.19.3\n unbox-primitive\n \t1.1.0\n \t\tcall-bound@^1.0.3\n \t\thas-bigints@^1.0.2\n \t\thas-symbols@^1.1.0\n \t\twhich-boxed-primitive@^1.1.1\n underscore\n \t1.8.3\n \t1.13.7\n undici\n \t6.19.7\n undici-types\n \t7.16.0\n unicode-canonical-property-names-ecmascript\n \t1.0.4\n \t2.0.1\n unicode-match-property-ecmascript\n \t1.0.4\n \t\tunicode-canonical-property-names-ecmascript@^1.0.4\n \t\tunicode-property-aliases-ecmascript@^1.0.4\n \t2.0.0\n \t\tunicode-canonical-property-names-ecmascript@^2.0.0\n \t\tunicode-property-aliases-ecmascript@^2.0.0\n unicode-match-property-value-ecmascript\n \t1.1.0\n \t2.2.1\n unicode-property-aliases-ecmascript\n \t1.0.5\n \t2.2.0\n unistore\n \t3.4.1\n \t3.5.2\n update-browserslist-db\n \t1.1.4\n \t\tScope peer|browserslist@>= 4.21.0\n \t\tescalade@^3.2.0\n \t\tpicocolors@^1.1.1\n upper-case\n \t1.1.3\n uri-js\n \t4.4.1\n \t\tpunycode@^2.1.0\n util\n \t0.12.5\n \t\tinherits@^2.0.3\n \t\tis-arguments@^1.0.4\n \t\tis-generator-function@^1.0.7\n \t\tis-typed-array@^1.1.3\n \t\twhich-typed-array@^1.1.2\n util-deprecate\n \t1.0.2\n uuid\n \t3.3.2\n \t3.4.0\n \t8.3.2\n \t9.0.1\n verror\n \t1.10.0\n \t\tassert-plus@^1.0.0\n \t\tcore-util-is@1.0.2\n \t\textsprintf@^1.2.0\n vinyl\n \t2.2.0\n \t\tclone@^2.1.1\n \t\tclone-buffer@^1.0.0\n \t\tclone-stats@^1.0.0\n \t\tcloneable-readable@^1.0.0\n \t\tremove-trailing-separator@^1.0.1\n \t\treplace-ext@^1.0.0\n \t2.2.1\n \t\tclone@^2.1.1\n \t\tclone-buffer@^1.0.0\n \t\tclone-stats@^1.0.0\n \t\tcloneable-readable@^1.0.0\n \t\tremove-trailing-separator@^1.0.1\n \t\treplace-ext@^1.0.0\n vinyl-sourcemaps-apply\n \t0.2.1\n \t\tsource-map@^0.5.1\n w3c-hr-time\n \t1.0.1\n \t\tbrowser-process-hrtime@^0.1.2\n \t1.0.2\n \t\tbrowser-process-hrtime@^1.0.0\n w3c-xmlserializer\n \t1.1.2\n \t\tdomexception@^1.0.1\n \t\twebidl-conversions@^4.0.2\n \t\txml-name-validator@^3.0.0\n web-animations-js\n \t2.3.1\n \t2.3.2\n web-vitals\n \t4.2.4\n webidl-conversions\n \t3.0.1\n \t4.0.2\n websocket-driver\n \t0.7.4\n \t\thttp-parser-js@>=0.5.1\n \t\tsafe-buffer@>=5.1.0\n \t\twebsocket-extensions@>=0.1.1\n websocket-extensions\n \t0.1.4\n whatwg-encoding\n \t1.0.5\n \t\ticonv-lite@0.4.24\n whatwg-fetch\n \t2.0.4\n \t3.0.0\n \t3.6.20\n whatwg-mimetype\n \t2.2.0\n \t2.3.0\n whatwg-url\n \t5.0.0\n \t\ttr46@~0.0.3\n \t\twebidl-conversions@^3.0.0\n \t7.0.0\n \t\tlodash.sortby@^4.7.0\n \t\ttr46@^1.0.1\n \t\twebidl-conversions@^4.0.2\n \t7.1.0\n \t\tlodash.sortby@^4.7.0\n \t\ttr46@^1.0.1\n \t\twebidl-conversions@^4.0.2\n which\n \t1.3.1\n \t\tisexe@^2.0.0\n \t2.0.2\n \t\tisexe@^2.0.0\n which-boxed-primitive\n \t1.1.1\n \t\tis-bigint@^1.1.0\n \t\tis-boolean-object@^1.2.1\n \t\tis-number-object@^1.1.1\n \t\tis-string@^1.1.1\n \t\tis-symbol@^1.1.1\n which-builtin-type\n \t1.2.1\n \t\tcall-bound@^1.0.2\n \t\tfunction.prototype.name@^1.1.6\n \t\thas-tostringtag@^1.0.2\n \t\tis-async-function@^2.0.0\n \t\tis-date-object@^1.1.0\n \t\tis-finalizationregistry@^1.1.0\n \t\tis-generator-function@^1.0.10\n \t\tis-regex@^1.2.1\n \t\tis-weakref@^1.0.2\n \t\tisarray@^2.0.5\n \t\twhich-boxed-primitive@^1.1.0\n \t\twhich-collection@^1.0.2\n \t\twhich-typed-array@^1.1.16\n which-collection\n \t1.0.2\n \t\tis-map@^2.0.3\n \t\tis-set@^2.0.3\n \t\tis-weakmap@^2.0.2\n \t\tis-weakset@^2.0.3\n which-module\n \t2.0.0\n \t2.0.1\n which-typed-array\n \t1.1.19\n \t\tavailable-typed-arrays@^1.0.7\n \t\tcall-bind@^1.0.8\n \t\tcall-bound@^1.0.4\n \t\tfor-each@^0.3.5\n \t\tget-proto@^1.0.1\n \t\tgopd@^1.2.0\n \t\thas-tostringtag@^1.0.2\n wide-align\n \t1.1.3\n \t\tstring-width@^1.0.2 || 2\n word-wrap\n \t1.2.5\n wordwrap\n \t1.0.0\n workerpool\n \t6.1.0\n \t6.2.0\n \t6.5.1\n wrap-ansi\n \t2.1.0\n \t\tstring-width@^1.0.1\n \t\tstrip-ansi@^3.0.1\n \t5.1.0\n \t\tansi-styles@^3.2.0\n \t\tstring-width@^3.0.0\n \t\tstrip-ansi@^5.0.0\n \t7.0.0\n \t\tansi-styles@^4.0.0\n \t\tstring-width@^4.1.0\n \t\tstrip-ansi@^6.0.0\n \t8.1.0\n \t\tansi-styles@^6.1.0\n \t\tstring-width@^5.0.1\n \t\tstrip-ansi@^7.0.1\n wrappy\n \t1.0.2\n ws\n \t6.2.1\n \t\tasync-limiter@~1.0.0\n \t6.2.3\n \t\tasync-limiter@~1.0.0\n \t7.1.2\n \t\tasync-limiter@^1.0.0\n \t7.5.10\n \t\tScope peer|bufferutil@^4.0.1\n \t\tScope peer|utf-8-validate@^5.0.2\n xml-name-validator\n \t3.0.0\n xmlchars\n \t1.3.1\n \t2.2.0\n xmlcreate\n \t2.0.4\n xmlhttprequest\n \t1.8.0\n xregexp\n \t4.0.0\n y18n\n \t4.0.0\n \t4.0.3\n \t5.0.8\n yallist\n \t2.1.2\n \t3.1.1\n \t4.0.0\n yargs\n \t12.0.2\n \t\tcliui@^4.0.0\n \t\tdecamelize@^2.0.0\n \t\tfind-up@^3.0.0\n \t\tget-caller-file@^1.0.1\n \t\tos-locale@^3.0.0\n \t\trequire-directory@^2.1.1\n \t\trequire-main-filename@^1.0.1\n \t\tset-blocking@^2.0.0\n \t\tstring-width@^2.0.0\n \t\twhich-module@^2.0.0\n \t\ty18n@^3.2.1 || ^4.0.0\n \t\tyargs-parser@^10.1.0\n \t12.0.5\n \t\tcliui@^4.0.0\n \t\tdecamelize@^1.2.0\n \t\tfind-up@^3.0.0\n \t\tget-caller-file@^1.0.1\n \t\tos-locale@^3.0.0\n \t\trequire-directory@^2.1.1\n \t\trequire-main-filename@^1.0.1\n \t\tset-blocking@^2.0.0\n \t\tstring-width@^2.0.0\n \t\twhich-module@^2.0.0\n \t\ty18n@^3.2.1 || ^4.0.0\n \t\tyargs-parser@^11.1.1\n \t13.3.2\n \t\tcliui@^5.0.0\n \t\tfind-up@^3.0.0\n \t\tget-caller-file@^2.0.1\n \t\trequire-directory@^2.1.1\n \t\trequire-main-filename@^2.0.0\n \t\tset-blocking@^2.0.0\n \t\tstring-width@^3.0.0\n \t\twhich-module@^2.0.0\n \t\ty18n@^4.0.0\n \t\tyargs-parser@^13.1.2\n \t16.2.0\n \t\tcliui@^7.0.2\n \t\tescalade@^3.1.1\n \t\tget-caller-file@^2.0.5\n \t\trequire-directory@^2.1.1\n \t\tstring-width@^4.2.0\n \t\ty18n@^5.0.5\n \t\tyargs-parser@^20.2.2\n \t17.7.2\n \t\tcliui@^8.0.1\n \t\tescalade@^3.1.1\n \t\tget-caller-file@^2.0.5\n \t\trequire-directory@^2.1.1\n \t\tstring-width@^4.2.3\n \t\ty18n@^5.0.5\n \t\tyargs-parser@^21.1.1\n yargs-parser\n \t10.1.0\n \t\tcamelcase@^4.1.0\n \t11.1.1\n \t\tcamelcase@^5.0.0\n \t\tdecamelize@^1.2.0\n \t13.1.2\n \t\tcamelcase@^5.0.0\n \t\tdecamelize@^1.2.0\n \t20.2.4\n \t20.2.9\n \t21.1.1\n yargs-unparser\n \t1.6.0\n \t\tflat@^4.1.0\n \t\tlodash@^4.17.15\n \t\tyargs@^13.3.0\n \t2.0.0\n \t\tcamelcase@^6.0.0\n \t\tdecamelize@^4.0.0\n \t\tflat@^5.0.2\n \t\tis-plain-obj@^2.1.0\n yauzl\n \t2.10.0\n \t\tbuffer-crc32@~0.2.3\n \t\tfd-slicer@~1.1.0\n yocto-queue\n \t0.1.0\n" }, { "path": "internal/remediation/testdata/santatracker/vulns.json", "content": "{\n \"vulns\": [\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-968p-4wvh-cqc8\",\n \"published\": \"2025-03-11T20:30:18Z\",\n \"modified\": \"2025-04-16T15:39:50Z\",\n \"aliases\": [\n \"CVE-2025-27789\"\n ],\n \"related\": [\n \"CGA-3phx-qxx7-8vqw\",\n \"CGA-46ch-ch69-qmcw\",\n \"CGA-g6rv-q8mg-pp3f\",\n \"CGA-g7xj-r4gh-6jhr\",\n \"CGA-j8cm-jvwv-37vw\",\n \"CGA-m6wq-wmrx-cp34\",\n \"CGA-mwpg-44pj-qpj8\",\n \"CGA-qgr4-9ff9-9j58\",\n \"CGA-rh34-93h2-vxqh\",\n \"CGA-v5pv-jcc5-rq8m\"\n ],\n \"summary\": \"Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups\",\n \"details\": \"### Impact\\n\\nWhen using Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), Babel will generate a polyfill for the `.replace` method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to `.replace`).\\n\\nYour generated code is vulnerable if _all_ the following conditions are true:\\n- You use Babel to compile [regular expression named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group)\\n- You use the `.replace` method on a regular expression that contains named capturing groups\\n- **Your code uses untrusted strings as the second argument of `.replace`**\\n\\nIf you are using `@babel/preset-env` with the [`targets`](https://babeljs.io/docs/options#targets) option, the transform that injects the vulnerable code is automatically enabled if:\\n- you use [_duplicated_ named capturing groups](https://github.com/tc39/proposal-duplicate-named-capturing-groups), and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23\\n- you use any [named capturing groups](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Named_capturing_group), and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10\\n\\nYou can verify what transforms `@babel/preset-env` is using by enabling the [`debug` option](https://babeljs.io/docs/babel-preset-env#debug).\\n\\n\\n### Patches\\n\\nThis problem has been fixed in `@babel/helpers` and `@babel/runtime` 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on `@babel/helpers`, and instead you depend on `@babel/core` (which itself depends on `@babel/helpers`). Upgrading to `@babel/core` 7.26.10 is not required, but it guarantees that you are on a new enough `@babel/helpers` version.\\n\\nPlease note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.\\n\\n### Workarounds\\n\\nIf you are passing user-provided strings as the second argument of `.replace` on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring `$\\u003c` if it's then not followed by `\\u003e` (possibly with other characters in between).\\n\\n### References\\n\\nThis vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"@babel/helpers\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/helpers\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.26.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.26.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime-corejs2\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime-corejs2\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.26.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime-corejs3\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime-corejs3\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.26.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/helpers\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/helpers\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-alpha.0\"\n },\n {\n \"fixed\": \"8.0.0-alpha.17\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 8.0.0-alpha.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-alpha.0\"\n },\n {\n \"fixed\": \"8.0.0-alpha.17\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 8.0.0-alpha.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime-corejs2\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime-corejs2\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-alpha.0\"\n },\n {\n \"fixed\": \"8.0.0-alpha.17\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 8.0.0-alpha.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/runtime-corejs3\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/runtime-corejs3\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-alpha.0\"\n },\n {\n \"fixed\": \"8.0.0-alpha.17\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 8.0.0-alpha.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-968p-4wvh-cqc8/GHSA-968p-4wvh-cqc8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-27789\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/pull/17173\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/babel/babel\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-03-11T20:30:18Z\",\n \"nvd_published_at\": \"2025-03-11T20:15:18Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-67hx-6x53-jw92\",\n \"published\": \"2023-10-16T13:55:36Z\",\n \"modified\": \"2024-04-04T14:26:10Z\",\n \"aliases\": [\n \"CVE-2023-45133\"\n ],\n \"related\": [\n \"CVE-2023-45133\"\n ],\n \"summary\": \"Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code\",\n \"details\": \"### Impact\\n\\nUsing Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods.\\n\\nKnown affected plugins are:\\n- `@babel/plugin-transform-runtime`\\n- `@babel/preset-env` when using its [`useBuiltIns`](https://babeljs.io/docs/babel-preset-env#usebuiltins) option\\n- Any \\\"polyfill provider\\\" plugin that depends on `@babel/helper-define-polyfill-provider`, such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-regenerator`\\n\\nNo other plugins under the `@babel/` namespace are impacted, but third-party plugins might be.\\n\\n**Users that only compile trusted code are not impacted.**\\n\\n### Patches\\n\\nThe vulnerability has been fixed in `@babel/traverse@7.23.2`.\\n\\nBabel 6 does not receive security fixes anymore (see [Babel's security policy](https://github.com/babel/babel/security/policy)), hence there is no patch planned for `babel-traverse@6`.\\n\\n### Workarounds\\n\\n- Upgrade `@babel/traverse` to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. `@babel/core` \\u003e=7.23.2 will automatically pull in a non-vulnerable version.\\n- If you cannot upgrade `@babel/traverse` and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected `@babel/traverse` versions:\\n - `@babel/plugin-transform-runtime` v7.23.2\\n - `@babel/preset-env` v7.23.2\\n - `@babel/helper-define-polyfill-provider` v0.4.3\\n - `babel-plugin-polyfill-corejs2` v0.4.6\\n - `babel-plugin-polyfill-corejs3` v0.8.5\\n - `babel-plugin-polyfill-es-shims` v0.10.0\\n - `babel-plugin-polyfill-regenerator` v0.5.3\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"@babel/traverse\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/traverse\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.23.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@babel/traverse\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40babel/traverse\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-alpha.0\"\n },\n {\n \"fixed\": \"8.0.0-alpha.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"babel-traverse\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/babel-traverse\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 7.23.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-67hx-6x53-jw92/GHSA-67hx-6x53-jw92.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45133\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/pull/16033\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://babeljs.io/blog/2023/10/16/cve-2023-45133\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/babel/babel\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/releases/tag/v7.23.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5528\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-184\",\n \"CWE-697\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-16T13:55:36Z\",\n \"nvd_published_at\": \"2023-10-12T17:15:09Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fpm5-vv97-jfwg\",\n \"published\": \"2021-05-18T01:57:24Z\",\n \"modified\": \"2025-01-14T08:56:55.449807Z\",\n \"aliases\": [\n \"CVE-2020-7765\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in firebase\",\n \"details\": \"This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"@firebase/util\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40firebase/util\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-fpm5-vv97-jfwg/GHSA-fpm5-vv97-jfwg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7765\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/firebase/firebase-js-sdk/pull/4001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/firebase/firebase-js-sdk/commit/9cf727fcc3d049551b16ae0698ac33dc2fe45ada\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-FIREBASEUTIL-1038324\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-15T21:39:07Z\",\n \"nvd_published_at\": \"2020-11-16T12:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7v5v-9h63-cj86\",\n \"published\": \"2024-06-10T21:38:05Z\",\n \"modified\": \"2024-07-15T22:12:28.175716Z\",\n \"aliases\": [\n \"CVE-2024-37168\"\n ],\n \"related\": [\n \"CGA-3vxq-pj3w-xvh2\",\n \"CGA-w377-c6cx-3vgh\",\n \"CVE-2024-37168\"\n ],\n \"summary\": \"@grpc/grpc-js can allocate memory for incoming messages well above configured limits\",\n \"details\": \"### Impact\\nThere are two separate code paths in which memory can be allocated per message in excess of the `grpc.max_receive_message_length` channel option:\\n\\n 1. If an incoming message has a size on the wire greater than the configured limit, the entire message is buffered before it is discarded.\\n 2. If an incoming message has a size within the limit on the wire but decompresses to a size greater than the limit, the entire message is decompressed into memory, and on the server is not discarded.\\n\\n### Patches\\n\\nThis has been patched in versions 1.10.9, 1.9.15, and 1.8.22\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"@grpc/grpc-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40grpc/grpc-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.10.0\"\n },\n {\n \"fixed\": \"1.10.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@grpc/grpc-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40grpc/grpc-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.9.0\"\n },\n {\n \"fixed\": \"1.9.15\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@grpc/grpc-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40grpc/grpc-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.8.22\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-7v5v-9h63-cj86/GHSA-7v5v-9h63-cj86.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/security/advisories/GHSA-7v5v-9h63-cj86\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-37168\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/commit/08b0422dae56467ecae1007e899efe66a8c4a650\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/commit/674f4e351a619fd4532f84ae6dff96b8ee4e1ed3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/commit/a8a020339c7eab1347a343a512ad17a4aea4bfdb\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/grpc/grpc-node\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-789\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-06-10T21:38:05Z\",\n \"nvd_published_at\": \"2024-06-10T22:15:12Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pp75-xfpw-37g9\",\n \"published\": \"2021-05-10T19:16:14Z\",\n \"modified\": \"2025-01-14T08:57:34.513174Z\",\n \"aliases\": [\n \"CVE-2020-7768\"\n ],\n \"summary\": \"Prototype pollution in grpc and @grpc/grpc-js\",\n \"details\": \"\\\"The package grpc before 1.24.4 and the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.\\\"\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"grpc\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/grpc\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.24.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pp75-xfpw-37g9/GHSA-pp75-xfpw-37g9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@grpc/grpc-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40grpc/grpc-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.8\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-pp75-xfpw-37g9/GHSA-pp75-xfpw-37g9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7768\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/pull/1605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/pull/1606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-node/releases/tag/grpc%401.24.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038819\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-GRPC-598671\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-GRPCGRPCJS-1038818\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/@grpc/grpc-js\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/grpc\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-19T22:57:05Z\",\n \"nvd_published_at\": \"2020-11-11T11:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6chw-6frg-f759\",\n \"published\": \"2020-04-03T21:48:38Z\",\n \"modified\": \"2021-08-23T15:10:32Z\",\n \"summary\": \"Regular Expression Denial of Service in Acorn\",\n \"details\": \"Affected versions of acorn are vulnerable to Regular Expression Denial of Service.\\nA regex in the form of /[x-\\\\ud800]/u causes the parser to enter an infinite loop.\\nThe string is not valid UTF16 which usually results in it being sanitized before reaching the parser.\\nIf an application processes untrusted input and passes it directly to acorn,\\nattackers may leverage the vulnerability leading to Denial of Service.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"acorn\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/acorn\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"5.5.0\"\n },\n {\n \"fixed\": \"5.7.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"acorn\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/acorn\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.4.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"acorn\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/acorn\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/acornjs/acorn/issues/929\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-ACORN-559469\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1488\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-03T21:42:14Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v88g-cgmw-v5xw\",\n \"published\": \"2022-02-10T23:30:59Z\",\n \"modified\": \"2024-06-21T21:33:48Z\",\n \"aliases\": [\n \"CVE-2020-15366\"\n ],\n \"summary\": \"Prototype Pollution in Ajv\",\n \"details\": \"An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ajv\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ajv\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.12.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v88g-cgmw-v5xw/GHSA-v88g-cgmw-v5xw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-15366\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ajv-validator/ajv\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ajv-validator/ajv/tags\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/bugs?subject=user\\u0026report_id=894259\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0007\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-10T21:23:41Z\",\n \"nvd_published_at\": \"2020-07-15T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-93q8-gq69-wqmw\",\n \"published\": \"2021-09-20T20:20:09Z\",\n \"modified\": \"2023-11-08T04:06:25.310142Z\",\n \"aliases\": [\n \"CVE-2021-3807\"\n ],\n \"related\": [\n \"CGA-pgv4-jr4j-qh5w\"\n ],\n \"summary\": \"Inefficient Regular Expression Complexity in chalk/ansi-regex\",\n \"details\": \"ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.\\n\\n**Proof of Concept**\\n```js\\nimport ansiRegex from 'ansi-regex';\\nfor(var i = 1; i \\u003c= 50000; i++) {\\n var time = Date.now();\\n var attack_str = \\\"\\\\u001B[\\\"+\\\";\\\".repeat(i*10000);\\n ansiRegex().test(attack_str)\\n var time_cost = Date.now() - time;\\n console.log(\\\"attack_str.length: \\\" + attack_str.length + \\\": \\\" + time_cost+\\\" ms\\\")\\n}\\n```\\nThe ReDOS is mainly due to the sub-patterns `[[\\\\\\\\]()#;?]*` and `(?:;[-a-zA-Z\\\\\\\\d\\\\\\\\/#\\u0026.:=?%@~_]*)*`\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ansi-regex\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ansi-regex\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"5.0.0\"\n },\n {\n \"fixed\": \"5.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ansi-regex\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ansi-regex\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-regex\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-93q8-gq69-wqmw/GHSA-93q8-gq69-wqmw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3807\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/chalk/ansi-regex\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chalk/ansi-regex/releases/tag/v6.0.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221014-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-697\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-20T18:56:22Z\",\n \"nvd_published_at\": \"2021-09-17T07:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46966\",\n \"published\": \"2025-09-08T17:18:30Z\",\n \"modified\": \"2025-09-12T01:13:34Z\",\n \"aliases\": [\n \"GHSA-jvhh-2m83-6w29\"\n ],\n \"summary\": \"Malicious code in ansi-regex (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ansi-regex\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-regex\"\n },\n \"versions\": [\n \"6.2.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ansi-regex/MAL-2025-46966.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-jvhh-2m83-6w29\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-jvhh-2m83-6w29\",\n \"import_time\": \"2025-09-09T00:35:48.413747424Z\",\n \"modified_time\": \"2025-09-08T18:22:01Z\",\n \"sha256\": \"2777701ac1bf8726f2ea353b404c7d765ea3eb7bf0506207db828590ade1bf6e\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-jvhh-2m83-6w29\",\n \"import_time\": \"2025-09-10T00:34:05.227213566Z\",\n \"modified_time\": \"2025-09-08T18:22:01Z\",\n \"sha256\": \"fd7ef224c32477d1ab8ba30a6d1a52e86d5c304753cdc3ae4bb69328e529bf8c\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-jvhh-2m83-6w29\",\n \"import_time\": \"2025-09-11T00:34:35.47387599Z\",\n \"modified_time\": \"2025-09-10T17:56:02Z\",\n \"sha256\": \"0b61367c5dd8ed0ce2f849066960f18ee8861dc062dd4b8ee645a8a25fb7b8a7\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-jvhh-2m83-6w29\",\n \"import_time\": \"2025-09-12T00:33:58.084580721Z\",\n \"modified_time\": \"2025-09-10T17:56:02Z\",\n \"sha256\": \"30d6b7a25ab660d87db43cd6b59c0a62eb3bdd66f3bba12a3374676105921d2d\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46967\",\n \"published\": \"2025-09-08T17:07:44Z\",\n \"modified\": \"2025-09-12T01:13:34Z\",\n \"aliases\": [\n \"GHSA-p5rr-crjh-x7gr\"\n ],\n \"summary\": \"Malicious code in ansi-styles (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (f82dc187071d265457effc48cb50c7ac209143e5da1a502a633a1c35b88aac67)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ansi-styles\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ansi-styles\"\n },\n \"versions\": [\n \"6.2.2\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ansi-styles/MAL-2025-46967.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-p5rr-crjh-x7gr\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-p5rr-crjh-x7gr\",\n \"import_time\": \"2025-09-09T00:35:48.416514611Z\",\n \"modified_time\": \"2025-09-08T18:23:38Z\",\n \"sha256\": \"f82dc187071d265457effc48cb50c7ac209143e5da1a502a633a1c35b88aac67\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.2\"\n ]\n },\n {\n \"id\": \"GHSA-p5rr-crjh-x7gr\",\n \"import_time\": \"2025-09-10T00:34:05.231930273Z\",\n \"modified_time\": \"2025-09-08T18:23:38Z\",\n \"sha256\": \"3fa94453bd8bd98849aa59804994125d406c772d6f2e5653e8fe1325bed56aa8\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.2\"\n ]\n },\n {\n \"id\": \"GHSA-p5rr-crjh-x7gr\",\n \"import_time\": \"2025-09-11T00:34:35.480419354Z\",\n \"modified_time\": \"2025-09-10T17:52:23Z\",\n \"sha256\": \"c19c5617faf7e2a6e818e2f53e125cf5ce6f045a959ac86cd9343d267503c16a\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.2\"\n ]\n },\n {\n \"id\": \"GHSA-p5rr-crjh-x7gr\",\n \"import_time\": \"2025-09-12T00:33:58.092782064Z\",\n \"modified_time\": \"2025-09-10T17:52:23Z\",\n \"sha256\": \"a11059eb0365e0623522503424e1528b796670bf5013d28f4450b8082e5f1d8c\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"6.2.2\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-832h-xg76-4gv6\",\n \"published\": \"2018-01-29T15:50:46Z\",\n \"modified\": \"2023-11-08T03:59:15.193726Z\",\n \"aliases\": [\n \"CVE-2017-18077\"\n ],\n \"summary\": \"ReDoS in brace-expansion\",\n \"details\": \"Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.\\n\\n## Proof of Concept\\n\\n```\\nvar expand = require('brace-expansion');\\nexpand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\\\\n}');\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.1.7 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"brace-expansion\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/brace-expansion\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-832h-xg76-4gv6/GHSA-832h-xg76-4gv6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-18077\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/issues/33\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/pull/35\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.debian.org/862712\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-832h-xg76-4gv6\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/juliangruber/brace-expansion\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/338\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:24:01Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v6h2-p8h4-qcjw\",\n \"published\": \"2025-06-09T21:30:51Z\",\n \"modified\": \"2025-06-11T20:54:10Z\",\n \"aliases\": [\n \"CVE-2025-5889\"\n ],\n \"related\": [\n \"CGA-48f6-2xrx-cxvw\",\n \"CGA-53f7-rx58-5rx6\",\n \"CGA-5489-g42r-jj95\",\n \"CGA-6q97-x38p-2v36\",\n \"CGA-8v3m-9726-pcqj\",\n \"CGA-9w98-92pm-h3wg\",\n \"CGA-gwp3-55v6-p25f\",\n \"CGA-hvx5-j33w-wf72\",\n \"CGA-jq8h-hpf9-qxxv\",\n \"CGA-jv3c-567r-7fr7\",\n \"CGA-mvmv-c4pf-vgpr\",\n \"CGA-p2f9-h939-jv5f\",\n \"CGA-vr9h-m8qm-5mj9\",\n \"CGA-x49c-f2g9-2gqg\",\n \"CGA-x9mj-gpvv-mx29\",\n \"CGA-xc8g-m7h6-2rp6\",\n \"CGA-xqvv-5w52-gqqq\"\n ],\n \"summary\": \"brace-expansion Regular Expression Denial of Service vulnerability\",\n \"details\": \"A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is `a5b98a4f30d7813266b221435e1eaaf25a1b0ac5`. It is recommended to upgrade the affected component.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"brace-expansion\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/brace-expansion\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.0.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"brace-expansion\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/brace-expansion\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.12\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.11\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"brace-expansion\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/brace-expansion\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"brace-expansion\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/brace-expansion\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-5889\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/juliangruber/brace-expansion\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.311660\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.311660\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?submit.585717\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-10T22:51:59Z\",\n \"nvd_published_at\": \"2025-06-09T19:15:25Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cwfw-4gq5-mrqx\",\n \"published\": \"2022-01-06T20:42:03Z\",\n \"modified\": \"2023-11-08T03:59:45.345388Z\",\n \"aliases\": [\n \"CVE-2018-1109\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS) in braces\",\n \"details\": \"A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"braces\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/braces\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-cwfw-4gq5-mrqx/GHSA-cwfw-4gq5-mrqx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1109\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1547272\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:braces:20180219\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-31T21:35:00Z\",\n \"nvd_published_at\": \"2021-03-30T02:15:00Z\",\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g95f-p29q-9xw4\",\n \"published\": \"2019-06-06T15:30:30Z\",\n \"modified\": \"2021-08-04T21:35:07Z\",\n \"summary\": \"Regular Expression Denial of Service in braces\",\n \"details\": \"Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 2.3.1 or higher.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"braces\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/braces\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g95f-p29q-9xw4/GHSA-g95f-p29q-9xw4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:braces:20180219\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/786\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-185\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-06T09:40:51Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-grv7-fg5c-xmjg\",\n \"published\": \"2024-05-14T18:30:54Z\",\n \"modified\": \"2024-07-15T22:12:28.795792Z\",\n \"aliases\": [\n \"CVE-2024-4068\"\n ],\n \"related\": [\n \"CGA-g3x5-7mr7-wr8m\",\n \"CGA-hq78-8245-675v\",\n \"CGA-jrqh-c82g-rxvm\",\n \"CGA-p4gw-wx75-2mg4\",\n \"CGA-w95g-rrw2-66h4\",\n \"CGA-wr9w-hw24-rqg5\"\n ],\n \"summary\": \"Uncontrolled resource consumption in braces\",\n \"details\": \"The NPM package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends \\\"imbalanced braces\\\" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"braces\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/braces\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-grv7-fg5c-xmjg/GHSA-grv7-fg5c-xmjg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4068\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/issues/35\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/pull/37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/pull/40\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://devhub.checkmarx.com/cve-details/CVE-2024-4068\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/micromatch/braces\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1050\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-06-10T20:17:26Z\",\n \"nvd_published_at\": \"2024-05-14T15:42:48Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w8qv-6jwh-64r5\",\n \"published\": \"2021-05-24T19:52:40Z\",\n \"modified\": \"2025-01-14T08:57:17.283480Z\",\n \"aliases\": [\n \"CVE-2021-23364\"\n ],\n \"summary\": \"Regular Expression Denial of Service in browserslist\",\n \"details\": \"The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"browserslist\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/browserslist\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.16.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w8qv-6jwh-64r5/GHSA-w8qv-6jwh-64r5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23364\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/browserslist/browserslist/pull/593\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-20T22:03:36Z\",\n \"nvd_published_at\": \"2021-04-28T16:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46969\",\n \"published\": \"2025-09-08T17:11:19Z\",\n \"modified\": \"2025-09-12T01:13:34Z\",\n \"aliases\": [\n \"GHSA-2v46-p5h4-248w\"\n ],\n \"summary\": \"Malicious code in chalk (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (985b6546ed08c8482326a4819faec318c27c1f6d7518acdf384d5f5a8c1453aa)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"chalk\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/chalk\"\n },\n \"versions\": [\n \"5.6.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/chalk/MAL-2025-46969.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2v46-p5h4-248w\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-2v46-p5h4-248w\",\n \"import_time\": \"2025-09-09T00:35:48.404674353Z\",\n \"modified_time\": \"2025-09-08T18:23:16Z\",\n \"sha256\": \"985b6546ed08c8482326a4819faec318c27c1f6d7518acdf384d5f5a8c1453aa\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"5.6.1\"\n ]\n },\n {\n \"id\": \"GHSA-2v46-p5h4-248w\",\n \"import_time\": \"2025-09-10T00:34:05.214580215Z\",\n \"modified_time\": \"2025-09-08T18:23:16Z\",\n \"sha256\": \"9e4e6ffb9078f031d148a99152d1a63bffe9c267f969ac88d6d9b355cd8d211c\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"5.6.1\"\n ]\n },\n {\n \"id\": \"GHSA-2v46-p5h4-248w\",\n \"import_time\": \"2025-09-11T00:34:35.448176777Z\",\n \"modified_time\": \"2025-09-10T17:52:52Z\",\n \"sha256\": \"64c35cc6f93b797f929d31b27a664a0a23481218c1ed47a374c7d38ccf30a663\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"5.6.1\"\n ]\n },\n {\n \"id\": \"GHSA-2v46-p5h4-248w\",\n \"import_time\": \"2025-09-12T00:33:58.009713106Z\",\n \"modified_time\": \"2025-09-10T17:52:52Z\",\n \"sha256\": \"51098385745159b51bf05a6f6a1082961f4598d6f9ae81f34430ecbb9c9faffb\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"5.6.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wxhq-pm8v-cw75\",\n \"published\": \"2019-06-05T20:50:16Z\",\n \"modified\": \"2020-08-31T18:35:40Z\",\n \"summary\": \"Regular Expression Denial of Service in clean-css\",\n \"details\": \"Version of `clean-css` prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 4.1.11 or higher.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"clean-css\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/clean-css\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-wxhq-pm8v-cw75/GHSA-wxhq-pm8v-cw75.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jakubpawlowicz/clean-css/commit/2929bafbf8cdf7dccb24e0949c70833764fa87e3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/785\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-05T20:49:47Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pxx3-g568-hxr4\",\n \"published\": \"2025-09-15T23:32:36Z\",\n \"modified\": \"2025-09-16T06:44:36.975424Z\",\n \"aliases\": [\n \"CVE-2025-59162\",\n \"GHSA-ch7m-m9rf-8gvv\",\n \"MAL-2025-46971\"\n ],\n \"summary\": \"color-convert@3.1.1 contains malware after npm account takeover\",\n \"details\": \"### Impact\\nOn 8 September 2025, the npm publishing account for `color-convert` was taken over after a phishing attack. Version `3.1.1` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\\n\\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `\\u003cscript\\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\\n\\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\\n\\n### Patches\\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\\n\\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\\n\\nUsers should update to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\\n\\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\\n\\n### References\\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\\n- https://www.ox.security/blog/npm-packages-compromised/\\n\\n### Point of Contact\\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\\n\\n- Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social\\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"color-convert\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/color-convert\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.1.1\"\n },\n {\n \"fixed\": \"3.1.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.1.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-pxx3-g568-hxr4/GHSA-pxx3-g568-hxr4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-59162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/issues/1005\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/Qix-/color-convert\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.ox.security/blog/npm-packages-compromised\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-506\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-15T23:32:36Z\",\n \"nvd_published_at\": \"2025-09-15T20:15:39Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46971\",\n \"published\": \"2025-09-08T15:20:15Z\",\n \"modified\": \"2025-09-16T06:44:36.975424Z\",\n \"aliases\": [\n \"CVE-2025-59162\",\n \"GHSA-ch7m-m9rf-8gvv\",\n \"GHSA-pxx3-g568-hxr4\"\n ],\n \"summary\": \"Malicious code in color-convert (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (71ee3370ed9cf22bf89fbf40c954408a6ddcd17fbd38750027a2b7fab6034bce)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"color-convert\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/color-convert\"\n },\n \"versions\": [\n \"3.1.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-convert/MAL-2025-46971.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/issues/6099\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-ch7m-m9rf-8gvv\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Qix-/color-convert/security/advisories/GHSA-pxx3-g568-hxr4\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-09T00:35:48.409407322Z\",\n \"modified_time\": \"2025-09-08T17:56:12Z\",\n \"sha256\": \"71ee3370ed9cf22bf89fbf40c954408a6ddcd17fbd38750027a2b7fab6034bce\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-10T00:34:05.222333023Z\",\n \"modified_time\": \"2025-09-08T17:56:12Z\",\n \"sha256\": \"ee95040e7382c445c5a1de4f66c3aed2bd1c73e1c57e6c1f771a7533ede4f69f\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-11T00:34:35.466556711Z\",\n \"modified_time\": \"2025-09-10T17:52:03Z\",\n \"sha256\": \"1e49d335bbdf3413c7efa2126f2e06bb7533e83ab6f365d579dbe20b0ae30be9\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-12T00:33:58.055781098Z\",\n \"modified_time\": \"2025-09-10T17:52:03Z\",\n \"sha256\": \"36c2dcaa1b9cf1e9b5ec230c48ee34687bbd9bea0c1f91efbfbf650557267927\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-16T00:34:25.618299208Z\",\n \"modified_time\": \"2025-09-15T23:53:52Z\",\n \"sha256\": \"b4461cfdaf22dc82a9f42a461cfb5010106609d3e678ca21a5ec688a726ccabd\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-17T00:07:09.294375031Z\",\n \"modified_time\": \"2025-09-15T23:53:52Z\",\n \"sha256\": \"38db2d19b1ffae2a528090f28216d7c84e2ab97ed2867873e8e2bce73367dd1d\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-ch7m-m9rf-8gvv\",\n \"import_time\": \"2025-09-17T00:34:59.136200926Z\",\n \"modified_time\": \"2025-09-15T23:53:52Z\",\n \"sha256\": \"801c40de46a1c5af84767ee6b828fad2b331674b3430948a4f75bda351040f8f\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"3.1.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5fvm-p68v-5wmh\",\n \"published\": \"2025-09-15T22:03:28Z\",\n \"modified\": \"2025-09-16T06:44:30.196915Z\",\n \"aliases\": [\n \"CVE-2025-59145\",\n \"GHSA-m99c-cfww-cxqx\",\n \"MAL-2025-46972\"\n ],\n \"summary\": \"color-name@2.0.1 contains malware after npm account takeover\",\n \"details\": \"### Impact\\nOn 8 September 2025, an npm publishing account for `color-name` was taken over after a phishing attack. Version `2.0.1` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\\n\\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `\\u003cscript\\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\\n\\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\\n\\n### Patches\\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\\n\\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\\n\\nUsers should update to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\\n\\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\\n\\n### Resources\\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\\n- https://www.ox.security/blog/npm-packages-compromised/\\n\\n### Point of Contact\\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\\n\\n- Bluesky, compromised publishing account owner: https://bsky.app/profile/bad-at-computer.bsky.social\\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"color-name\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/color-name\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.1\"\n },\n {\n \"fixed\": \"2.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-5fvm-p68v-5wmh/GHSA-5fvm-p68v-5wmh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-59145\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/issues/1005\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/colorjs/color-name\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.ox.security/blog/npm-packages-compromised\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-506\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-15T22:03:28Z\",\n \"nvd_published_at\": \"2025-09-15T21:15:36Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46972\",\n \"published\": \"2025-09-08T15:05:16Z\",\n \"modified\": \"2025-09-16T06:44:30.196915Z\",\n \"aliases\": [\n \"CVE-2025-59145\",\n \"GHSA-5fvm-p68v-5wmh\",\n \"GHSA-m99c-cfww-cxqx\"\n ],\n \"summary\": \"Malicious code in color-name (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (ec95d0b2e67387181db7dbe2f93160248e40a3f6323ef1ee75b116f621ac5af1)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"color-name\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/color-name\"\n },\n \"versions\": [\n \"2.0.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/color-name/MAL-2025-46972.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/issues/6099\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-m99c-cfww-cxqx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/colorjs/color-name/security/advisories/GHSA-5fvm-p68v-5wmh\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-09T00:35:48.415723474Z\",\n \"modified_time\": \"2025-09-08T18:02:51Z\",\n \"sha256\": \"ec95d0b2e67387181db7dbe2f93160248e40a3f6323ef1ee75b116f621ac5af1\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-10T00:34:05.231153986Z\",\n \"modified_time\": \"2025-09-08T18:02:51Z\",\n \"sha256\": \"928233225e28998e4fe7121fe96ac87179542253c82b34e02a3bc10e5e49c922\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-11T00:34:35.476356878Z\",\n \"modified_time\": \"2025-09-10T17:48:44Z\",\n \"sha256\": \"9c1bfc8bf637d2f2fe25386bba4164441b0432ed54331595e9e305d9e95e132a\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-12T00:33:58.086126601Z\",\n \"modified_time\": \"2025-09-10T17:48:44Z\",\n \"sha256\": \"f2cc960d02e1a3cc2e1b07650f63addf01114600f7e7615bddb85a3bbd89cf4b\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-16T00:34:25.640454724Z\",\n \"modified_time\": \"2025-09-15T23:56:12Z\",\n \"sha256\": \"b3b6aa6b1f5d027c077a05ae6b1071b92f602f0e2261ef295c2e64f73d437596\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-17T00:07:09.351618297Z\",\n \"modified_time\": \"2025-09-15T23:56:12Z\",\n \"sha256\": \"67cc1bbf808d890c505325e050d1996eb83ff0ae161bfe6aab545da645e58aaf\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-m99c-cfww-cxqx\",\n \"import_time\": \"2025-09-17T00:34:59.207984541Z\",\n \"modified_time\": \"2025-09-15T23:56:12Z\",\n \"sha256\": \"d4d3f83b21a80fbd745a6085a0ca1a103b9648524da94ebe8d8c21d30e86e607\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"2.0.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g74r-ffvr-5q9f\",\n \"published\": \"2019-06-03T17:26:44Z\",\n \"modified\": \"2020-08-31T18:29:17Z\",\n \"summary\": \"Memory Exposure in concat-stream\",\n \"details\": \"Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if userp provided input is passed into `write()`\\n\\nVersions \\u003c1.3.0 are not affected due to not using unguarded Buffer constructor.\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.5.2, 1.4.11, 1.3.2 or later.\\n\\nIf you are unable to update make sure user provided input into the `write()` function is not a number.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"concat-stream\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/concat-stream\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.5.0\"\n },\n {\n \"fixed\": \"1.5.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"concat-stream\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/concat-stream\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.4.0\"\n },\n {\n \"fixed\": \"1.4.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"concat-stream\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/concat-stream\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.3.0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-g74r-ffvr-5q9f/GHSA-g74r-ffvr-5q9f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maxogden/concat-stream/pull/47\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/ChALkeR/c2d2fd3f1d72d51ad883df195be03a85\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/597\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-03T17:26:24Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3xgq-45jj-v275\",\n \"published\": \"2024-11-08T06:30:47Z\",\n \"modified\": \"2025-05-19T19:56:26Z\",\n \"aliases\": [\n \"CVE-2024-21538\"\n ],\n \"related\": [\n \"CGA-3wmj-q542-x56g\",\n \"CGA-49x5-fp72-pvgg\",\n \"CGA-56f7-wq2j-gqhc\",\n \"CGA-58mw-hm95-x9xv\",\n \"CGA-7c7p-r8cv-2pj4\",\n \"CGA-8hpc-g49m-34cc\",\n \"CGA-8j64-28x2-ggxv\",\n \"CGA-8rv2-6965-grc6\",\n \"CGA-m347-mh8c-rhf4\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS) in cross-spawn\",\n \"details\": \"Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"cross-spawn\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/cross-spawn\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3xgq-45jj-v275/GHSA-3xgq-45jj-v275.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"cross-spawn\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/cross-spawn\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.0.6\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3xgq-45jj-v275/GHSA-3xgq-45jj-v275.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21538\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn/issues/165\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn/pull/160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/moxystudio/node-cross-spawn\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-11-15T22:25:53Z\",\n \"nvd_published_at\": \"2024-11-08T05:15:06Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-chwr-hf3w-c984\",\n \"published\": \"2021-05-10T18:44:38Z\",\n \"modified\": \"2023-11-08T04:04:08.690471Z\",\n \"aliases\": [\n \"CVE-2020-7755\"\n ],\n \"summary\": \"Regular Expression Denial of Service in dat.gui\",\n \"details\": \"All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"dat.gui\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/dat.gui\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"0.7.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-chwr-hf3w-c984/GHSA-chwr-hf3w-c984.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7755\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dataarts/dat.gui/issues/278\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dataarts/dat.gui/pull/279\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-DATGUI-1016275\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/dat.gui\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-21T17:36:43Z\",\n \"nvd_published_at\": \"2020-10-27T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4x49-vf9v-38px\",\n \"published\": \"2025-09-15T21:30:55Z\",\n \"modified\": \"2025-09-16T06:44:36.384185Z\",\n \"aliases\": [\n \"CVE-2025-59144\",\n \"GHSA-8mgj-vmr8-frr6\",\n \"MAL-2025-46974\"\n ],\n \"summary\": \"debug@4.4.2 contains malware after npm account takeover\",\n \"details\": \"### Impact\\nOn 8 September 2025, the npm publishing account for `debug` was taken over after a phishing attack. Version `4.4.2` was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.\\n\\nLocal environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct `\\u003cscript\\u003e` inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.\\n\\nThe malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.\\n\\n### Patches\\nnpm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.\\n\\nOn 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.\\n\\nUsers should upgrade to the latest patch version, completely remove their `node_modules` directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.\\n\\nThose operating private registries or registry mirrors should purge the offending versions from any caches.\\n\\n### References\\n- https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\\n- https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\\n- https://www.ox.security/blog/npm-packages-compromised/\\n\\n### Point of Contact\\nIn the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see _Patches_ above), please reach out via one of the following channels of communication:\\n\\n- Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social\\n- `debug` repository, tracking issue (applies to all packages affected in the breach): https://github.com/debug-js/debug/issues/1005\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.4.2\"\n },\n {\n \"fixed\": \"4.4.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.4.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-4x49-vf9v-38px/GHSA-4x49-vf9v-38px.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-59144\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/issues/1005\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/debug-js/debug\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.ox.security/blog/npm-packages-compromised\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-506\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-15T21:30:55Z\",\n \"nvd_published_at\": \"2025-09-15T20:15:39Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Red\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9vvw-cc9w-f27h\",\n \"published\": \"2023-01-09T12:30:19Z\",\n \"modified\": \"2023-11-08T03:59:17.780578Z\",\n \"aliases\": [\n \"CVE-2017-20165\"\n ],\n \"summary\": \"debug Inefficient Regular Expression Complexity vulnerability\",\n \"details\": \"A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The name of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability. The patch has been backported to the 2.6.x branch in version 2.6.9.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9vvw-cc9w-f27h/GHSA-9vvw-cc9w-f27h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-9vvw-cc9w-f27h/GHSA-9vvw-cc9w-f27h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-20165\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/pull/504\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/debug-js/debug\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/releases/tag/2.6.9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/releases/tag/3.1.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.217665\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.217665\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-10T21:49:01Z\",\n \"nvd_published_at\": \"2023-01-09T10:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gxpj-cx7g-858c\",\n \"published\": \"2018-08-09T20:18:07Z\",\n \"modified\": \"2024-03-25T19:01:23Z\",\n \"aliases\": [\n \"CVE-2017-16137\"\n ],\n \"related\": [\n \"CGA-j9cp-p46h-5p44\"\n ],\n \"summary\": \"Regular Expression Denial of Service in debug\",\n \"details\": \"Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \\n\\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.\\n\\nThis was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.\\n\\n## Recommendation\\n\\nVersion 2.x.x: Update to version 2.6.9 or later.\\nVersion 3.1.x: Update to version 3.1.0 or later.\\nVersion 3.2.x: Update to version 3.2.7 or later.\\nVersion 4.x.x: Update to version 4.3.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.2.0\"\n },\n {\n \"fixed\": \"3.2.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-gxpj-cx7g-858c/GHSA-gxpj-cx7g-858c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16137\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/issues/797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/visionmedia/debug/issues/501\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/visionmedia/debug/pull/504\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/visionmedia/debug\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:38:18Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46974\",\n \"published\": \"2025-09-08T14:26:51Z\",\n \"modified\": \"2025-09-16T06:44:36.384185Z\",\n \"aliases\": [\n \"CVE-2025-59144\",\n \"GHSA-4x49-vf9v-38px\",\n \"GHSA-8mgj-vmr8-frr6\"\n ],\n \"summary\": \"Malicious code in debug (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (558d1dda312e85212121f4ed15340349f780f5e40d6685c3687648bbb2924381)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"debug\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/debug\"\n },\n \"versions\": [\n \"4.4.2\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/debug/MAL-2025-46974.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/issues/6099\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-8mgj-vmr8-frr6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/debug-js/debug/security/advisories/GHSA-4x49-vf9v-38px\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-09T00:35:48.408037926Z\",\n \"modified_time\": \"2025-09-08T17:54:47Z\",\n \"sha256\": \"558d1dda312e85212121f4ed15340349f780f5e40d6685c3687648bbb2924381\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-10T00:34:05.220545432Z\",\n \"modified_time\": \"2025-09-08T17:54:47Z\",\n \"sha256\": \"8107bf621a06423d1aae59bd505317ddf2bb8b03ebd71b4a35ce7a0059cad82a\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-11T00:34:35.461493997Z\",\n \"modified_time\": \"2025-09-10T17:47:46Z\",\n \"sha256\": \"d2b85998dbc6f082e6c96883e10d26afc54fa634507ab7c04adc926f6fc21de5\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-12T00:33:58.045928418Z\",\n \"modified_time\": \"2025-09-10T17:47:46Z\",\n \"sha256\": \"a55920f514ec4e15d3d2bdf89455777f247a624a1a1acf4f909726b3b6514c46\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-16T00:34:25.612039797Z\",\n \"modified_time\": \"2025-09-15T23:53:26Z\",\n \"sha256\": \"3bb0e19fac14a7d83fd61d2fc633bedf670deade726ba1a414db1a20f2f85ff3\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-17T00:07:09.274173202Z\",\n \"modified_time\": \"2025-09-15T23:53:26Z\",\n \"sha256\": \"55de988936dbe50449ae4dddd6b0bb821bde8f055aaea6e92f61f7d19958b212\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n },\n {\n \"id\": \"GHSA-8mgj-vmr8-frr6\",\n \"import_time\": \"2025-09-17T00:34:59.109596052Z\",\n \"modified_time\": \"2025-09-15T23:53:26Z\",\n \"sha256\": \"e905a7ba17420439ee063d451043a50b951d28a69bfe4bc90c4f8350c2a26c37\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"4.4.2\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q5c4-39f5-m68j\",\n \"published\": \"2018-07-24T20:00:17Z\",\n \"modified\": \"2023-11-08T03:59:00.254876Z\",\n \"aliases\": [\n \"CVE-2017-16023\"\n ],\n \"summary\": \"Regular Expression Denial of Service in decamelize\",\n \"details\": \"Affected versions of `decamelize` are susceptible to a denial of service vulnerability when user input is passed directly into `decamelize`.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.1.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"decamelize\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/decamelize\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.1.0\"\n },\n {\n \"fixed\": \"1.1.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-q5c4-39f5-m68j/GHSA-q5c4-39f5-m68j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/sindresorhus/decamelize/issues/5\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-q5c4-39f5-m68j\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/308\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:51:05Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h6ch-v84p-w6p9\",\n \"published\": \"2019-06-13T18:58:54Z\",\n \"modified\": \"2021-02-24T19:27:02Z\",\n \"related\": [\n \"CGA-5cqv-mm6m-mf38\",\n \"CGA-5mc2-7mmg-hm4f\",\n \"CGA-6292-xfg3-c39h\",\n \"CGA-c4qh-jfrh-49m7\",\n \"CGA-f5r7-qrx9-rxrx\",\n \"CGA-v24c-cq4m-759w\",\n \"CGA-v9cq-gwgg-6x89\",\n \"CGA-vrj4-44qq-4856\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS)\",\n \"details\": \"A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"diff\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/diff\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-h6ch-v84p-w6p9/GHSA-h6ch-v84p-w6p9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1552148\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:diff:20180305\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1631\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-13T18:54:38Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qrmc-fj45-qfc2\",\n \"published\": \"2019-02-07T18:03:28Z\",\n \"modified\": \"2023-11-08T04:00:01.054529Z\",\n \"aliases\": [\n \"CVE-2018-16492\"\n ],\n \"summary\": \"Prototype Pollution in extend\",\n \"details\": \"Versions of `extend` prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The `extend()` function allows attackers to modify the prototype of Object causing the addition or modification of an existing property that will exist on all objects.\\n\\n\\n\\n\\n## Recommendation\\n\\nIf you're using `extend` 3.x upgrade to 3.0.2 or later.\\nIf you're using `extend` 2.x upgrade to 2.0.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"extend\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/extend\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qrmc-fj45-qfc2/GHSA-qrmc-fj45-qfc2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"extend\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/extend\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-qrmc-fj45-qfc2/GHSA-qrmc-fj45-qfc2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-16492\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/381185\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-qrmc-fj45-qfc2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/996\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:52:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3wf4-68gx-mph8\",\n \"published\": \"2024-11-18T12:30:42Z\",\n \"modified\": \"2025-07-23T22:12:58Z\",\n \"aliases\": [\n \"CVE-2024-11023\"\n ],\n \"summary\": \"Firebase JavaScript SDK allows attackers to manipulate the \\\"_authTokenSyncURL\\\" to point to their own server\",\n \"details\": \"Firebase JavaScript SDK utilizes a \\\"FIREBASE_DEFAULTS\\\" cookie to store configuration data, including an \\\"_authTokenSyncURL\\\" field used for session synchronization. If this cookie field is preset via an attacker by any other method, the attacker can manipulate the \\\"_authTokenSyncURL\\\" to point to their own server and it would allow am actor to capture user session data transmitted by the SDK. We recommend upgrading Firebase JS SDK at least to 10.9.0.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"firebase\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/firebase\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"10.9.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-3wf4-68gx-mph8/GHSA-3wf4-68gx-mph8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-11023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/firebase/firebase-js-sdk/pull/8056\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/firebase/firebase-js-sdk/commit/245dd26e19b6c16aca7e1b7e597ed5784c2984ba\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://firebase.google.com/support/release-notes/js#version_1090_-_march_14_2024\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/firebase/firebase-js-sdk\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-11-18T20:04:30Z\",\n \"nvd_published_at\": \"2024-11-18T11:15:05Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2j2x-2gpw-g8fm\",\n \"published\": \"2022-12-25T21:30:22Z\",\n \"modified\": \"2023-11-08T04:03:48.649741Z\",\n \"aliases\": [\n \"CVE-2020-36632\"\n ],\n \"summary\": \"flat vulnerable to Prototype Pollution\",\n \"details\": \"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. The identifier VDB-216777 was assigned to this vulnerability.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"flat\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/flat\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-2j2x-2gpw-g8fm/GHSA-2j2x-2gpw-g8fm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36632\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/hughsk/flat/issues/105\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/hughsk/flat/pull/106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/hughsk/flat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/hughsk/flat/releases/tag/5.0.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.216777\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.216777\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-30T16:27:14Z\",\n \"nvd_published_at\": \"2022-12-25T20:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fjxv-7rqg-78g4\",\n \"published\": \"2025-07-21T19:04:54Z\",\n \"modified\": \"2025-11-03T21:34:08Z\",\n \"aliases\": [\n \"CVE-2025-7783\"\n ],\n \"related\": [\n \"CGA-35hh-78jw-8mmq\",\n \"CGA-9m6x-qcrx-9xfj\",\n \"CGA-cvhq-qgx3-vfx9\",\n \"CGA-g2fp-rgfq-2hjj\",\n \"CGA-h6v7-23w8-2vw8\",\n \"CGA-mp9r-pq3p-q3qc\",\n \"CGA-pgwm-362h-3mjh\",\n \"CGA-qvfw-fcfj-g5xq\",\n \"CGA-rvcj-gcgm-25q3\",\n \"CGA-xvgg-cqm9-vxh5\",\n \"CVE-2025-7783\"\n ],\n \"summary\": \"form-data uses unsafe random function in form-data for choosing boundary\",\n \"details\": \"### Summary\\n\\nform-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker:\\n1. can observe other values produced by Math.random in the target application, and\\n2. can control one field of a request made using form-data\\n\\nBecause the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request.\\n\\nThis is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work.\\n\\n### Details\\n\\nThe culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347\\n\\nAn attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a `x-request-id` header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. `Math.random()` is a fine place to get these sorts of IDs (in fact, [opentelemetry uses Math.random for this purpose](https://github.com/open-telemetry/opentelemetry-js/blob/2053f0d3a44631ade77ea04f656056a2c8a2ae76/packages/opentelemetry-sdk-trace-base/src/platform/node/RandomIdGenerator.ts#L22))\\n\\n### PoC\\n\\nPoC here: https://github.com/benweissmann/CVE-2025-7783-poc\\n\\nInstructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). \\n\\n### Impact\\n\\nFor an application to be vulnerable, it must:\\n- Use `form-data` to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array)\\n- Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. \\n\\nIf an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"form-data\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/form-data\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.5.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"form-data\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/form-data\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"form-data\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/form-data\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.0.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-fjxv-7rqg-78g4/GHSA-fjxv-7rqg-78g4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-7783\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/benweissmann/CVE-2025-7783-poc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/form-data/form-data\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-330\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-21T19:04:54Z\",\n \"nvd_published_at\": \"2025-07-18T17:15:44Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8r6j-v8pm-fqw3\",\n \"published\": \"2023-10-06T21:30:49Z\",\n \"modified\": \"2023-11-08T04:13:38.062107Z\",\n \"aliases\": [\n \"CVE-2023-45311\"\n ],\n \"summary\": \"Code injection in fsevents\",\n \"details\": \"fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"fsevents\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/fsevents\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.2.10\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-8r6j-v8pm-fqw3/GHSA-8r6j-v8pm-fqw3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45311\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/atlassian/moo/blob/56ccbdd41b493332bc2cd7a4097a5802594cdb9c/package-lock.json#L1901-L1902\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/atlassian/react-immutable-proptypes/blob/ddb9fa5194b931bf7528eb4f2c0a8c3434f70edd/package-lock.json#L153\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cloudflare/authr/blob/3f6129d97d06e61033a7f237d84e35e678db490f/ts/package-lock.json#L1512\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cloudflare/hugo-cloudflare-docs/blob/e0f7cfa195af8ef1bfa51a487be7d34ba298ed06/package-lock.json#L494\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cloudflare/redux-grim/blob/b652f99f95fb16812336073951adc5c5a93e2c23/package-lock.json#L266-L267\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cloudflare/serverless-cloudflare-workers/blob/e95e1e9c9770ed9a3d9480c1fa73e64391268354/package-lock.json#L737\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/fsevents/fsevents\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/fsevents/fsevents/compare/v1.2.10...v1.2.11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-FSEVENTS-5487987\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-09T21:35:16Z\",\n \"nvd_published_at\": \"2023-10-06T21:15:10Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2023-462\",\n \"published\": \"2023-04-27T19:20:00Z\",\n \"modified\": \"2023-11-08T04:24:32.787594Z\",\n \"aliases\": [\n \"GHSA-xv2f-5jw4-v95m\"\n ],\n \"summary\": \"Malicious code in fsevents (npm)\",\n \"details\": \"\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (acdc3ae57250fab51aeff6e3938ed40197a1b74eb688a72cd5d7eee0c77a7167)\\nThis advisory is intended to inform the npm ecosystem with details to resolve a third-party malware incident that may have impacted your infrastructure if you are directly or transitively dependent on the [fsevents](https://www.npmjs.com/package/fsevents) npm package.\\n\\n## Overview\\n\\n[fsevents](https://www.npmjs.com/package/fsevents) v1.0.0 \\u003c= v1.2.10 downloaded binary executables that contained unintended code due to an expired cloud storage resource being reclaimed by a third party.\\n\\n## Details\\n\\nThe [fsevents npm package](https://www.npmjs.com/package/fsevents) v1.0.0 through v1.2.10 attempts to fetch a pre-built binary executable artifact (fse.node) from cloud storage. If this fetch fails, fsevents v1.x will attempt to build this artifact directly from source.\\n\\nVersion 1.x of fsevents has been deprecated for several years and as a result the aforementioned cloud storage resource namespace was available for registration. A third party, unrelated to the fsevents maintainers, subsequently claimed this namespace and in April 2023 this third party started serving modified versions of the “fse.node” binary executable artifact to new fsevents v1.x users. \\n\\nAs of April 27, 2023 the cloud storage resource in question has been indefinitely suspended and is no longer serving binaries.\\n\\nThe affected cloud storage pre-fetch was [removed](https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058) in fsevents version 1.2.11.\\n\\n## Impact\\n\\nThe impact of the modified versions of fse.node appears to be limited to information gathering. \\n\\nNote that initial analysis was performed for the modified artifact associated with fsevents v1.2.9, which was distributed as fse-v1.2.9-node-v72-darwin-x64.tar.gz prior to the cloud storage resource being suspended. \\n\\nFor more detailed analysis you may compare a decompilation of the v1.x fse.node artifacts on your systems with the intended fsevents v1.x source as it exists at https://github.com/fsevents/fsevents/tree/v1.x \\n\\n## How to fix it\\n\\nIf you are dependent on the deprecated version of fsevents v1.x, the recommended course of action is to upgrade to fsevents v2.x or remove the dependency altogether as currently maintained versions of Node.js no longer require fsevents for file system watching on macOS.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"fsevents\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/fsevents\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.2.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/fsevents/MAL-2023-462.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/fsevents\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/fsevents/fsevents/commit/909af26846834642c81d19f4148afa3b7557b058\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-xv2f-5jw4-v95m\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-xv2f-5jw4-v95m\",\n \"import_time\": \"2023-07-30T21:58:32.873496549Z\",\n \"modified_time\": \"2023-05-01T15:47:26Z\",\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.2.11\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ],\n \"sha256\": \"acdc3ae57250fab51aeff6e3938ed40197a1b74eb688a72cd5d7eee0c77a7167\",\n \"source\": \"ghsa-malware\"\n }\n ]\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4q6p-r6v2-jvc5\",\n \"published\": \"2023-09-27T20:16:00Z\",\n \"modified\": \"2023-11-08T04:13:31.847974Z\",\n \"aliases\": [\n \"CVE-2023-43646\"\n ],\n \"related\": [\n \"CGA-6527-pf2q-fc57\",\n \"CVE-2023-43646\"\n ],\n \"summary\": \"Chaijs/get-func-name vulnerable to ReDoS\",\n \"details\": \"The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks. The regex implementation in question is as follows:\\n\\n```js\\nconst functionNameMatch = /\\\\s*function(?:\\\\s|\\\\s*\\\\/\\\\*[^(?:*/)]+\\\\*\\\\/\\\\s*)*([^\\\\s(/]+)/;\\n```\\n\\nThis vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input:\\n\\n```js\\n'\\\\t'.repeat(54773) + '\\\\t/function/i'\\n```\\n\\nHere is a simple PoC code to demonstrate the issue:\\n\\n```js\\nconst protocolre = /\\\\sfunction(?:\\\\s|\\\\s/*[^(?:*\\\\/)]+*/\\\\s*)*([^\\\\(\\\\/]+)/;\\n\\nconst startTime = Date.now();\\nconst maliciousInput = '\\\\t'.repeat(54773) + '\\\\t/function/i'\\n\\nprotocolre.test(maliciousInput);\\n\\nconst endTime = Date.now();\\n\\nconsole.log(\\\"process time: \\\", endTime - startTime, \\\"ms\\\");\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"get-func-name\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/get-func-name\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-4q6p-r6v2-jvc5/GHSA-4q6p-r6v2-jvc5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-43646\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/chaijs/get-func-name\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/get-func-name/blob/78ad756441a83f3dc203e50f76c113ae3ac017dc/index.js#L15\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-27T20:16:00Z\",\n \"nvd_published_at\": \"2023-09-27T15:19:34Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cj88-88mr-972w\",\n \"published\": \"2022-07-18T17:03:23Z\",\n \"modified\": \"2025-04-14T22:13:25Z\",\n \"aliases\": [\n \"BIT-gulp-2021-35065\",\n \"CVE-2021-35065\"\n ],\n \"summary\": \"glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service\",\n \"details\": \"glob-parent 6.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS). This issue is fixed in version 6.0.1.\\n\\nThis vulnerability is separate from [GHSA-ww39-953v-wcq6](https://github.com/advisories/GHSA-ww39-953v-wcq6).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"glob-parent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/glob-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"6.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj88-88mr-972w/GHSA-cj88-88mr-972w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-35065\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1103\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/pull/49\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/commit/32f6d52663b7addac38d0dff570d8127edf03f47\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gulpjs/glob-parent\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/releases/tag/v6.0.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230214-0010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-GLOBPARENT-1314294\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.mend.io/vulnerability-database/CVE-2021-35065\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-18T17:03:23Z\",\n \"nvd_published_at\": \"2022-12-26T07:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ww39-953v-wcq6\",\n \"published\": \"2021-06-07T21:56:34Z\",\n \"modified\": \"2025-01-14T08:57:10.357296Z\",\n \"aliases\": [\n \"BIT-gulp-2020-28469\",\n \"CVE-2020-28469\"\n ],\n \"summary\": \"glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex\",\n \"details\": \"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"glob-parent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/glob-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"5.1.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-ww39-953v-wcq6/GHSA-ww39-953v-wcq6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28469\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/pull/36\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gulpjs/glob-parent\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-04T18:30:45Z\",\n \"nvd_published_at\": \"2021-06-03T16:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r9q4-w3fm-wrm2\",\n \"published\": \"2020-09-02T21:21:43Z\",\n \"modified\": \"2021-09-27T21:01:47Z\",\n \"summary\": \"Cross-Site Scripting in google-closure-library\",\n \"details\": \"Versions of `google-closure-library` prior to 20190301.0.0 are vulnerable to Cross-Site Scripting. The `safedomtreeprocessor.processToString()` function improperly processed empty elements, which could allow attackers to execute arbitrary JavaScript through Mutation Cross-Site Scripting.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 20190301.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"google-closure-library\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/google-closure-library\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"20190301.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-r9q4-w3fm-wrm2/GHSA-r9q4-w3fm-wrm2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/closure-library/commit/c79ab48e8e962fee57e68739c00e16b9934c0ffa#commitcomment-33294853\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/google/closure-library\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-GOOGLECLOSURELIBRARY-174519\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/878\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:39:08Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vh5w-fg69-rc8m\",\n \"published\": \"2021-05-07T16:06:34Z\",\n \"modified\": \"2023-11-08T04:04:19.217106Z\",\n \"aliases\": [\n \"CVE-2020-8910\"\n ],\n \"summary\": \"Improper Input Validation in Google Closure Library\",\n \"details\": \"A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation -- update your library to version v20200315.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"google-closure-library\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/google-closure-library\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"20200315.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 20200224.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-vh5w-fg69-rc8m/GHSA-vh5w-fg69-rc8m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-8910\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/closure-library/commit/294fc00b01d248419d8f8de37580adf2a0024fc9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/closure-library/releases/tag/v20200315\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-06T20:57:55Z\",\n \"nvd_published_at\": \"2020-03-26T12:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qh2h-chj9-jffq\",\n \"published\": \"2018-06-08T12:43:43Z\",\n \"modified\": \"2023-11-08T03:59:01.241655Z\",\n \"aliases\": [\n \"CVE-2017-16042\"\n ],\n \"summary\": \"Growl before 1.10.0 vulnerable to Command Injection\",\n \"details\": \"Affected versions of `growl` do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.10.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"growl\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/growl\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.10.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-qh2h-chj9-jffq/GHSA-qh2h-chj9-jffq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16042\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tj/node-growl/issues/60\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tj/node-growl/pull/61\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tj/node-growl/pull/62\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tj/node-growl/commit/d71177d5331c9de4658aca62e0ac921f178b0669\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tj/node-growl\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/146\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-78\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:51:54Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pfq8-rq6v-vf5m\",\n \"published\": \"2022-10-31T19:00:36Z\",\n \"modified\": \"2025-06-11T17:34:37Z\",\n \"aliases\": [\n \"CVE-2022-37620\"\n ],\n \"related\": [\n \"CGA-mvv3-xjv4-w9gc\"\n ],\n \"summary\": \"kangax html-minifier REDoS vulnerability\",\n \"details\": \"A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 because of the reCustomIgnore regular expression.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"html-minifier\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/html-minifier\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-pfq8-rq6v-vf5m/GHSA-pfq8-rq6v-vf5m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-37620\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kangax/html-minifier/issues/1135\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/kangax/html-minifier\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L1338\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kangax/html-minifier/blob/51ce10f4daedb1de483ffbcccecc41be1c873da2/src/htmlminifier.js#L294\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-HTMLMINIFIER-3091181\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-04-22T23:06:37Z\",\n \"nvd_published_at\": \"2022-10-31T12:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-86wf-436m-h424\",\n \"published\": \"2022-01-06T20:30:13Z\",\n \"modified\": \"2023-11-08T04:00:42.433382Z\",\n \"aliases\": [\n \"CVE-2019-10196\"\n ],\n \"summary\": \"Resource Exhaustion Denial of Service in http-proxy-agent \",\n \"details\": \"A flaw was found in http-proxy-agent, prior to version 2.1.0. It was discovered http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"http-proxy-agent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/http-proxy-agent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-86wf-436m-h424/GHSA-86wf-436m-h424.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10196\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/TooTallNate/node-http-proxy-agent/commit/b7b7cc793c3226aa83f820ce5c277e81862d32eb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1567245\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/607\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-665\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-22T22:28:09Z\",\n \"nvd_published_at\": \"2021-03-19T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8w57-jfpm-945m\",\n \"published\": \"2019-06-11T16:16:07Z\",\n \"modified\": \"2023-04-11T00:26:58Z\",\n \"summary\": \"Denial of Service in http-proxy-agent\",\n \"details\": \"Versions of `http-proxy-agent` before 2.1.0 are vulnerable to denial of service and uninitialized memory leak when unsanitized options are passed to `Buffer`. An attacker may leverage these unsanitized options to consume system resources.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.1.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"http-proxy-agent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/http-proxy-agent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-8w57-jfpm-945m/GHSA-8w57-jfpm-945m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/321631\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/TooTallNate/node-http-proxy-agent/blob/2.0.0/index.js#L80\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/607\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-11T16:11:38Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q257-vv4p-fg92\",\n \"published\": \"2018-11-09T17:49:34Z\",\n \"modified\": \"2023-11-08T03:58:59.280300Z\",\n \"aliases\": [\n \"CVE-2017-16005\"\n ],\n \"summary\": \"Header Forgery in http-signature\",\n \"details\": \"Affected versions of `http-signature` contain a vulnerability which can allow an attacker in a privileged network position to modify header names and change the meaning of the request, without requiring an updated signature. \\n\\nThis problem occurs because vulnerable versions of `http-signature` sign the contents of headers, but not the header names.\\n\\n## Proof of Concept\\n\\nConsider this to be the initial, untampered request:\\n```http\\nPOST /pay HTTP/1.1\\nHost: example.com\\nDate: Thu, 05 Jan 2012 21:31:40 GMT\\nX-Payment-Source: src@money.com\\nX-Payment-Destination: dst@money.com\\nAuthorization: Signature keyId=\\\"Test\\\",algorithm=\\\"rsa-sha256\\\",headers=\\\"x-payment-source x-payment-destination\\\" MDyO5tSvin5...\\n```\\n\\nAnd the request is intercepted and tampered as follows:\\n```http\\nX-Payment-Source: dst@money.com // Emails switched\\nX-Payment-Destination: src@money.com\\nAuthorization: Signature keyId=\\\"Test\\\",algorithm=\\\"rsa-sha256\\\",headers=\\\"x-payment-destination x-payment-source\\\" MDyO5tSvin5...\\n```\\n\\nIn the resulting responses, both requests would pass signature verification without issue.\\n```\\nsrc@money.com\\\\n\\ndst@money.com\\\\n\\n```\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.10.0 or higher.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"http-signature\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/http-signature\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-q257-vv4p-fg92/GHSA-q257-vv4p-fg92.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/joyent/node-http-signature/issues/10\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-q257-vv4p-fg92\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/318\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:50:21Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8g7p-74h8-hg48\",\n \"published\": \"2018-07-27T17:04:52Z\",\n \"modified\": \"2023-11-08T04:00:18.222205Z\",\n \"aliases\": [\n \"CVE-2018-3739\"\n ],\n \"summary\": \"Denial of Service in https-proxy-agent\",\n \"details\": \"Versions of `https-proxy-agent` before 2.2.0 are vulnerable to denial of service. This is due to unsanitized options (proxy.auth) being passed to `Buffer()`.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.2.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"https-proxy-agent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/https-proxy-agent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.2.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-8g7p-74h8-hg48/GHSA-8g7p-74h8-hg48.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-3736\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/TooTallNate/node-https-proxy-agent/commit/1c24219df87524e6ed973127e81f30801d658f07\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/319532\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/TooTallNate/node-https-proxy-agent\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-8g7p-74h8-hg48\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/593\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-125\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:25:32Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pc5p-h8pf-mvwp\",\n \"published\": \"2020-04-16T03:14:56Z\",\n \"modified\": \"2023-11-01T20:54:11Z\",\n \"summary\": \"Machine-In-The-Middle in https-proxy-agent\",\n \"details\": \"Versions of `https-proxy-agent` prior to 2.2.3 are vulnerable to Machine-In-The-Middle. The package fails to enforce TLS on the socket if the proxy server responds the to the request with a HTTP status different than 200. This allows an attacker with access to the proxy server to intercept unencrypted communications, which may include sensitive information such as credentials.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 3.0.0 or 2.2.3.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"https-proxy-agent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/https-proxy-agent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-pc5p-h8pf-mvwp/GHSA-pc5p-h8pf-mvwp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/TooTallNate/node-https-proxy-agent/commit/36d8cf509f877fa44f4404fce57ebaf9410fe51b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/541502\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-HTTPSPROXYAGENT-469131\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1184\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-300\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-16T03:03:19Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2pqj-h3vj-pqgw\",\n \"published\": \"2020-09-01T16:41:46Z\",\n \"modified\": \"2024-03-08T05:20:14.907785Z\",\n \"aliases\": [\n \"CVE-2012-6708\"\n ],\n \"summary\": \"Cross-Site Scripting in jquery\",\n \"details\": \"Affected versions of `jquery` are vulnerable to cross-site scripting. This occurs because the main `jquery` function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that `jquery` may interpret HTML as selectors when given certain inputs, allowing for client side code execution.\\n\\n## Proof of Concept\\n```\\n$(\\\"#log\\\").html(\\n $(\\\"element[attribute='\\u003cimg src=\\\\\\\"x\\\\\\\" onerror=\\\\\\\"alert(1)\\\\\\\" /\\u003e']\\\").html()\\n);\\n```\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.9.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.8.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.8.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.8.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.2.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2pqj-h3vj-pqgw/GHSA-2pqj-h3vj-pqgw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16011\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-6708\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227132049/http://www.securityfocus.com/bid/102792\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:jquery:20120206\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450223\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://research.insecurelabs.org/jquery/test\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2012-6708.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v2.2.0/vendor/assets/javascripts/jquery.js#L67\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L59\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.jquery.com/ticket/9521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.jquery.com/ticket/6429\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.jquery.com/ticket/12531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.jquery.com/ticket/11290\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/161972/Linksys-EA7500-2.0.8.194281-Cross-Site-Scripting.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-64\",\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:19:31Z\",\n \"nvd_published_at\": \"2018-01-18T23:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-579v-mp3v-rrw5\",\n \"published\": \"2022-05-14T01:09:51Z\",\n \"modified\": \"2024-12-08T05:33:53.323376Z\",\n \"aliases\": [\n \"CVE-2011-4969\"\n ],\n \"summary\": \"jQuery vulnerable to Cross-Site Scripting (XSS)\",\n \"details\": \"Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.6.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.6.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.6.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-579v-mp3v-rrw5/GHSA-579v-mp3v-rrw5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2011-4969\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190416-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450224\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://blog.jquery.com/2011/09/01/jquery-1-6-3-released\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://bugs.jquery.com/ticket/9521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2013/01/31/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-1722-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-12T14:46:34Z\",\n \"nvd_published_at\": \"2013-03-08T22:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6c3j-c64m-qhgq\",\n \"published\": \"2019-04-26T16:29:11Z\",\n \"modified\": \"2025-01-15T01:41:55.110833Z\",\n \"aliases\": [\n \"CVE-2019-11358\"\n ],\n \"summary\": \"XSS in jQuery as used in Drupal, Backdrop CMS, and other products\",\n \"details\": \"jQuery from 1.1.4 until 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles `jQuery.extend(true, {}, ...)` because of `Object.prototype` pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.1.4\"\n },\n {\n \"fixed\": \"3.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.3.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.3.0\",\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\",\n \"4.0.0\",\n \"4.0.0.beta1\",\n \"4.0.0.beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.1.0\",\n \"4.1.1\",\n \"4.2.0\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.3.0\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.1.4\"\n },\n {\n \"fixed\": \"3.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.0.1\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.1.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0.1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.1\",\n \"3.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"django\",\n \"ecosystem\": \"PyPI\",\n \"purl\": \"pkg:pypi/django\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0a1\"\n },\n {\n \"fixed\": \"2.1.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.0a1\",\n \"2.0b1\",\n \"2.0rc1\",\n \"2.1\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.1.7\",\n \"2.1.8\",\n \"2.1a1\",\n \"2.1b1\",\n \"2.1rc1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"django\",\n \"ecosystem\": \"PyPI\",\n \"purl\": \"pkg:pypi/django\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.2a1\"\n },\n {\n \"fixed\": \"2.2.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.2\",\n \"2.2.1\",\n \"2.2a1\",\n \"2.2b1\",\n \"2.2rc1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.1.4\"\n },\n {\n \"fixed\": \"3.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.3\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.1\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.1-rc1\",\n \"2.1.1-rc2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0-alpha1\",\n \"3.0.0-beta1\",\n \"3.0.0-rc1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.3.0\",\n \"3.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"maximebf/debugbar\",\n \"ecosystem\": \"Packagist\",\n \"purl\": \"pkg:composer/maximebf/debugbar\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.1\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.13.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.5\",\n \"1.5.1\",\n \"1.6\",\n \"1.6.1\",\n \"1.7\",\n \"1.7.1\",\n \"1.8\",\n \"1.9\",\n \"1.9.1\",\n \"1.9.10\",\n \"1.9.11\",\n \"1.9.12\",\n \"1.9.13\",\n \"1.9.14\",\n \"1.9.15\",\n \"1.9.2\",\n \"1.9.3\",\n \"1.9.4\",\n \"1.9.5\",\n \"1.9.6\",\n \"1.9.7\",\n \"1.9.8\",\n \"1.9.9\",\n \"v1.10.2\",\n \"v1.10.3\",\n \"v1.10.4\",\n \"v1.10.5\",\n \"v1.11.0\",\n \"v1.11.1\",\n \"v1.12.0\",\n \"v1.13.0\",\n \"v1.14.0\",\n \"v1.14.1\",\n \"v1.15.0\",\n \"v1.15.1\",\n \"v1.16.0\",\n \"v1.16.1\",\n \"v1.16.2\",\n \"v1.16.3\",\n \"v1.16.4\",\n \"v1.16.5\",\n \"v1.17.0\",\n \"v1.17.1\",\n \"v1.17.2\",\n \"v1.17.3\",\n \"v1.18.0\",\n \"v1.18.1\",\n \"v1.18.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-6c3j-c64m-qhgq/GHSA-6c3j-c64m-qhgq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-11358\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maximebf/php-debugbar/issues/447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/pull/4333\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Apr/32\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Jun/12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/18\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2020-02\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2019-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.synology.com/security/advisory/Synology_SA_19_19\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.drupal.org/sa-core-2019-006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.djangoproject.com/weblog/2019/jun/03/security-releases\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4460\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4434\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-JQUERY-174006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190919-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.jquery.com/2019/04/10/jquery-3-4-0-released\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://backdropcms.org/security/backdrop-sa-core-2019-009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3024\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2587\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1456\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:1570\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/13\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2019/06/03/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/108023\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-26T16:28:41Z\",\n \"nvd_published_at\": \"2019-04-20T00:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gxr4-xjj5-5px2\",\n \"published\": \"2020-04-29T22:18:55Z\",\n \"modified\": \"2025-01-31T20:51:56.658421Z\",\n \"aliases\": [\n \"BIT-drupal-2020-11022\",\n \"CVE-2020-11022\"\n ],\n \"related\": [\n \"CVE-2020-11022\"\n ],\n \"summary\": \"Potential XSS vulnerability in jQuery\",\n \"details\": \"### Impact\\nPassing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code.\\n\\n### Patches\\nThis problem is patched in jQuery 3.5.0.\\n\\n### Workarounds\\nTo workaround the issue without upgrading, adding the following to your code:\\n\\n```js\\njQuery.htmlPrefilter = function( html ) {\\n\\treturn html;\\n};\\n```\\n\\nYou need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround.\\n\\n### References\\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\\nhttps://jquery.com/upgrade-guide/3.5/\\n\\n### For more information\\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.2.0\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.2.0\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.0.1\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.1.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0.1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.1\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.3.0\",\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\",\n \"4.0.0\",\n \"4.0.0.beta1\",\n \"4.0.0.beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.1.0\",\n \"4.1.1\",\n \"4.2.0\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.3.0\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\",\n \"4.3.4\",\n \"4.3.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.2.0\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.3\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.1\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.1-rc1\",\n \"2.1.1-rc2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0-alpha1\",\n \"3.0.0-beta1\",\n \"3.0.0-rc1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"maximebf/debugbar\",\n \"ecosystem\": \"Packagist\",\n \"purl\": \"pkg:composer/maximebf/debugbar\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.1\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.13.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.5\",\n \"1.5.1\",\n \"1.6\",\n \"1.6.1\",\n \"1.7\",\n \"1.7.1\",\n \"1.8\",\n \"1.9\",\n \"1.9.1\",\n \"1.9.10\",\n \"1.9.11\",\n \"1.9.12\",\n \"1.9.13\",\n \"1.9.14\",\n \"1.9.15\",\n \"1.9.2\",\n \"1.9.3\",\n \"1.9.4\",\n \"1.9.5\",\n \"1.9.6\",\n \"1.9.7\",\n \"1.9.8\",\n \"1.9.9\",\n \"v1.10.2\",\n \"v1.10.3\",\n \"v1.10.4\",\n \"v1.10.5\",\n \"v1.11.0\",\n \"v1.11.1\",\n \"v1.12.0\",\n \"v1.13.0\",\n \"v1.14.0\",\n \"v1.14.1\",\n \"v1.15.0\",\n \"v1.15.1\",\n \"v1.16.0\",\n \"v1.16.1\",\n \"v1.16.2\",\n \"v1.16.3\",\n \"v1.16.4\",\n \"v1.16.5\",\n \"v1.17.0\",\n \"v1.17.1\",\n \"v1.17.2\",\n \"v1.17.3\",\n \"v1.18.0\",\n \"v1.18.1\",\n \"v1.18.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"athlon1600/youtube-downloader\",\n \"ecosystem\": \"Packagist\",\n \"purl\": \"pkg:composer/athlon1600/youtube-downloader\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"v1.0.0\",\n \"v1.0.1\",\n \"v2.0.0\",\n \"v2.0.1\",\n \"v2.0.2\",\n \"v2.0.3\",\n \"v2.0.4\",\n \"v2.0.5\",\n \"v2.0.6\",\n \"v2.0.7\",\n \"v2.0.8\",\n \"v2.0.9\",\n \"v2.1.0\",\n \"v2.1.1\",\n \"v2.1.2\",\n \"v3.0.0\",\n \"v3.0.1\",\n \"v3.0.2\",\n \"v3.1.0\",\n \"v3.1.1\",\n \"v3.1.2\",\n \"v4.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"components/jquery\",\n \"ecosystem\": \"Packagist\",\n \"purl\": \"pkg:composer/components/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.2.0\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.12.4\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.3.1\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gxr4-xjj5-5px2/GHSA-gxr4-xjj5-5px2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11022\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maximebf/php-debugbar/issues/447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.jquery.com/2020/04/10/jquery-3-5-0-released\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202007-03\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200511-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4693\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.drupal.org/sa-core-2020-002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1518\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2020-10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2020-11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2021-02\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2021-10\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-gxr4-xjj5-5px2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/releases/tag/3.5.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://jquery.com/upgrade-guide/3.5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-29T22:18:37Z\",\n \"nvd_published_at\": \"2020-04-29T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jpcq-cgw6-v4j6\",\n \"published\": \"2020-04-29T22:19:14Z\",\n \"modified\": \"2025-10-22T19:26:30.488832Z\",\n \"aliases\": [\n \"BIT-drupal-2020-11023\",\n \"CVE-2020-11023\"\n ],\n \"related\": [\n \"CVE-2020-11023\"\n ],\n \"summary\": \"Potential XSS vulnerability in jQuery\",\n \"details\": \"### Impact\\nPassing HTML containing `\\u003coption\\u003e` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code.\\n\\n### Patches\\nThis problem is patched in jQuery 3.5.0.\\n\\n### Workarounds\\nTo workaround this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method.\\n\\n### References\\nhttps://blog.jquery.com/2020/04/10/jquery-3-5-0-released/\\n\\n### For more information\\nIf you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.3\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.3.0\",\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\",\n \"4.0.0\",\n \"4.0.0.beta1\",\n \"4.0.0.beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.1.0\",\n \"4.1.1\",\n \"4.2.0\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.3.0\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\",\n \"4.3.4\",\n \"4.3.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.3\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.0.1\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.1.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0.1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.1\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.3\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.3\",\n \"1.12.1\",\n \"1.12.2\",\n \"1.12.3\",\n \"1.12.4\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.1\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.1-rc1\",\n \"2.1.1-rc2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.0.0-alpha1\",\n \"3.0.0-beta1\",\n \"3.0.0-rc1\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"components/jquery\",\n \"ecosystem\": \"Packagist\",\n \"purl\": \"pkg:composer/components/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.3\"\n },\n {\n \"fixed\": \"3.5.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.12.4\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.4\",\n \"3.0.0\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.3.1\",\n \"3.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2021-10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@%3Ccommits.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2021-02\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.drupal.org/sa-core-2020-002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4693\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-JQUERY-565129\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230725-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200511-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202007-03\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://jquery.com/upgrade-guide/3.5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11023.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/releases/tag/3.5.0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.jquery.com/2020/04/10/jquery-3-5-0-released\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@%3Ccommits.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-29T21:04:50Z\",\n \"nvd_published_at\": \"2020-04-29T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N/E:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mhpp-875w-9cpv\",\n \"published\": \"2018-01-22T13:32:42Z\",\n \"modified\": \"2025-09-02T22:35:01Z\",\n \"aliases\": [\n \"CVE-2016-10707\"\n ],\n \"summary\": \"Denial of Service in jquery\",\n \"details\": \"Affected versions of `jquery` use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.\\n\\n\\n## Recommendation\\n\\nUpdate to version 3.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-rc.1\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-rc.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-rc.1\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-rc.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-rc1\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-rc1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-rc.1\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-rc.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-mhpp-875w-9cpv/GHSA-mhpp-875w-9cpv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-10707\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/issues/3133\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/issues/3133#issuecomment-358978489\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/pull/3134\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mhpp-875w-9cpv\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:jquery:20160529\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/330\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:46:22Z\",\n \"nvd_published_at\": \"2018-01-18T23:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q4m3-2j7h-f7xw\",\n \"published\": \"2020-05-20T16:18:01Z\",\n \"modified\": \"2025-01-14T08:57:21.902958Z\",\n \"aliases\": [\n \"CVE-2020-7656\"\n ],\n \"summary\": \"Cross-Site Scripting in jquery\",\n \"details\": \"Versions of `jquery` prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove `\\u003cscript\\u003e` HTML tags that contain a whitespace character, i.e: `\\u003c/script \\u003e`, which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a victim's browser.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 1.9.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.2.1\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.2.1\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.2.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.2.1\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q4m3-2j7h-f7xw/GHSA-q4m3-2j7h-f7xw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7656\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/05531fc4080ae24070930d15ae0cea7ae056457d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/606b863edaff29035960e4d813b45d63b8d92876\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/blob/9e6393b0bcb52b15313f88141d0bd7dd54227426/src/ajax.js#L203\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#220-19-january-2013\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v2.1.4/vendor/assets/javascripts/jquery.js#L7481\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-7656.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200528-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-JQUERY-569619\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1?language=en_US\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-05-20T16:17:45Z\",\n \"nvd_published_at\": \"2020-05-19T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rmxg-73gg-4p98\",\n \"published\": \"2018-01-22T13:32:06Z\",\n \"modified\": \"2024-03-10T05:18:22.438189Z\",\n \"aliases\": [\n \"CVE-2015-9251\"\n ],\n \"summary\": \"Cross-Site Scripting (XSS) in jquery\",\n \"details\": \"Affected versions of `jquery` interpret `text/javascript` responses from cross-origin ajax requests, and automatically execute the contents in `jQuery.globalEval`, even when the ajax request doesn't contain the `dataType` option.\\n\\n\\n## Recommendation\\n\\nUpdate to version 3.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.12.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.12.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.0.1\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.12.0\",\n \"1.12.1\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.1.1\",\n \"1.7.2\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jQuery\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/jQuery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.12.3\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.12.3\",\n \"1.12.4\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.1.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.12.3\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"jquery-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/jquery-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.2.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.1\",\n \"0.1.2\",\n \"0.1.3\",\n \"0.2\",\n \"0.2.1\",\n \"0.2.2\",\n \"0.2.3\",\n \"0.2.4\",\n \"0.2.5\",\n \"0.2.6\",\n \"0.2.7\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.11\",\n \"1.0.12\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.15\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.19\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.0.rc\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.3.0\",\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\",\n \"4.0.0\",\n \"4.0.0.beta1\",\n \"4.0.0.beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.1.0\",\n \"4.1.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.12.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.3\",\n \"1.12.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.webjars.npm:jquery\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.webjars.npm/jquery\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.12.3\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.12.3\",\n \"1.12.4\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.1-rc1\",\n \"2.1.1-rc2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"3.0.0-alpha1\",\n \"3.0.0-beta1\",\n \"3.0.0-rc1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-rmxg-73gg-4p98/GHSA-rmxg-73gg-4p98.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-9251\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/issues/2432\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/issues/2432#issuecomment-403761229\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/pull/2588\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0481\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/18\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210108-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450227\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:jquery:20150627\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030101/http://www.securityfocus.com/bid/105658\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2019-08\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0729\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jquery/jquery\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rails/jquery-rails/releases/tag/v4.2.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-9251.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/13\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:55:10Z\",\n \"nvd_published_at\": \"2018-01-18T23:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2pr6-76vf-7546\",\n \"published\": \"2019-06-05T14:35:29Z\",\n \"modified\": \"2021-08-04T21:32:56Z\",\n \"summary\": \"Denial of Service in js-yaml\",\n \"details\": \"Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 3.13.0.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"js-yaml\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/js-yaml\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.13.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-2pr6-76vf-7546/GHSA-2pr6-76vf-7546.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodeca/js-yaml/issues/475\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-JSYAML-173999\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/788\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/788/versions\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-05T13:52:07Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8j8c-7jfh-h6hx\",\n \"published\": \"2019-06-04T20:14:07Z\",\n \"modified\": \"2020-08-31T18:36:43Z\",\n \"summary\": \"Code Injection in js-yaml\",\n \"details\": \"Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.\\n\\nAn example payload is \\n`{ toString: !\\u003ctag:yaml.org,2002:js/function\\u003e 'function (){return Date.now()}' } : 1` \\nwhich returns the object \\n{\\n \\\"1553107949161\\\": 1\\n}\\n\\n\\n## Recommendation\\n\\nUpgrade to version 3.13.1.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"js-yaml\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/js-yaml\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.13.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-8j8c-7jfh-h6hx/GHSA-8j8c-7jfh-h6hx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodeca/js-yaml/pull/480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/813\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-04T20:13:53Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xxvw-45rp-3mj2\",\n \"published\": \"2017-10-24T18:33:37Z\",\n \"modified\": \"2023-11-08T03:57:24.142876Z\",\n \"aliases\": [\n \"CVE-2013-4660\"\n ],\n \"summary\": \"Deserialization Code Execution in js-yaml\",\n \"details\": \"Versions 2.0.4 and earlier of `js-yaml` are affected by a code execution vulnerability in the YAML deserializer.\\n\\n## Proof of Concept\\n```\\nconst yaml = require('js-yaml');\\n\\nconst x = `test: !!js/function \\u003e\\nfunction f() { \\nconsole.log(1); \\n}();`\\n\\nyaml.load(x);\\n```\\n\\n\\n## Recommendation\\n\\nUpdate js-yaml to version 2.0.5 or later, and ensure that all instances where the `.load()` method is called are updated to use `.safeLoad()` instead.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"js-yaml\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/js-yaml\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-xxvw-45rp-3mj2/GHSA-xxvw-45rp-3mj2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-4660\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-xxvw-45rp-3mj2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://nealpoole.com/blog/2013/06/code-execution-via-yaml-in-js-yaml-nodejs-module\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/16\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:05:02Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wgfq-7857-4jcc\",\n \"published\": \"2021-05-07T16:47:19Z\",\n \"modified\": \"2023-11-08T04:04:15.903445Z\",\n \"aliases\": [\n \"CVE-2020-8237\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in json-bigint\",\n \"details\": \"Prototype pollution in json-bigint npm package \\u003c 1.0.0 may lead to a denial-of-service (DoS) attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"json-bigint\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/json-bigint\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-wgfq-7857-4jcc/GHSA-wgfq-7857-4jcc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-8237\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/916430\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-28T16:57:11Z\",\n \"nvd_published_at\": \"2020-09-18T21:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-896r-f27r-55mw\",\n \"published\": \"2021-11-19T20:16:17Z\",\n \"modified\": \"2025-01-17T21:31:38Z\",\n \"aliases\": [\n \"CVE-2021-3918\"\n ],\n \"summary\": \"json-schema is vulnerable to Prototype Pollution\",\n \"details\": \"json-schema before version 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"json-schema\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/json-schema\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-896r-f27r-55mw/GHSA-896r-f27r-55mw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3918\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/kriszyp/json-schema\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250117-0004\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-11-15T22:44:27Z\",\n \"nvd_published_at\": \"2021-11-13T09:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9c47-m6qq-7p4h\",\n \"published\": \"2022-12-29T01:51:03Z\",\n \"modified\": \"2024-02-13T21:31:39Z\",\n \"aliases\": [\n \"CVE-2022-46175\"\n ],\n \"summary\": \"Prototype Pollution in JSON5 via Parse Method\",\n \"details\": \"The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\\n\\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\\n\\n## Impact\\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\\n\\n## Mitigation\\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\\n\\n## Details\\n \\nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\\n \\n```js\\nconst JSON5 = require('json5');\\n\\nconst doSomethingDangerous = (props) =\\u003e {\\n if (props.isAdmin) {\\n console.log('Doing dangerous thing as admin.');\\n } else {\\n console.log('Doing dangerous thing as user.');\\n }\\n};\\n\\nconst secCheckKeysSet = (obj, searchKeys) =\\u003e {\\n let searchKeyFound = false;\\n Object.keys(obj).forEach((key) =\\u003e {\\n if (searchKeys.indexOf(key) \\u003e -1) {\\n searchKeyFound = true;\\n }\\n });\\n return searchKeyFound;\\n};\\n\\nconst props = JSON5.parse('{\\\"foo\\\": \\\"bar\\\"}');\\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\\n doSomethingDangerous(props); // \\\"Doing dangerous thing as user.\\\"\\n} else {\\n throw new Error('Forbidden...');\\n}\\n```\\n \\nIf the user attempts to set the `isAdmin` key, their request will be rejected:\\n \\n```js\\nconst props = JSON5.parse('{\\\"foo\\\": \\\"bar\\\", \\\"isAdmin\\\": true}');\\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\\n doSomethingDangerous(props);\\n} else {\\n throw new Error('Forbidden...'); // Error: Forbidden...\\n}\\n```\\n \\nHowever, users can instead set the `__proto__` key to `{\\\"isAdmin\\\": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\\n \\n```js\\nconst props = JSON5.parse('{\\\"foo\\\": \\\"bar\\\", \\\"__proto__\\\": {\\\"isAdmin\\\": true}}');\\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\\n doSomethingDangerous(props); // \\\"Doing dangerous thing as admin.\\\"\\n} else {\\n throw new Error('Forbidden...');\\n}\\n ```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"json5\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/json5\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.2.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9c47-m6qq-7p4h/GHSA-9c47-m6qq-7p4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"json5\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/json5\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9c47-m6qq-7p4h/GHSA-9c47-m6qq-7p4h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-46175\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/issues/199\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/issues/295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/pull/298\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/json5/json5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/11/msg00021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-29T01:51:03Z\",\n \"nvd_published_at\": \"2022-12-24T04:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gjcw-v447-2w7q\",\n \"published\": \"2020-09-01T15:23:18Z\",\n \"modified\": \"2023-11-08T03:58:07.352660Z\",\n \"aliases\": [\n \"CVE-2016-1000223\"\n ],\n \"summary\": \"Forgeable Public/Private Tokens in jws\",\n \"details\": \"Affected versions of the `jws` package allow users to select what algorithm the server will use to verify a provided JWT. A malicious actor can use this behaviour to arbitrarily modify the contents of a JWT while still passing verification. For the common use case of the JWT as a bearer token, the end result is a complete authentication bypass with minimal effort.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 3.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"jws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/jws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-gjcw-v447-2w7q/GHSA-gjcw-v447-2w7q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000223\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/brianloveswords/node-jws/commit/585d0e1e97b6747c10cf5b7689ccc5618a89b299#diff-4ac32a78649ca5bdd8e0ba38b7006a1e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/brianloveswords/node-jws\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:jws:20160726\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/88\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:10:22Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-29mw-wpgm-hmr9\",\n \"published\": \"2022-01-06T20:30:46Z\",\n \"modified\": \"2025-09-29T21:12:31.102523Z\",\n \"aliases\": [\n \"CVE-2020-28500\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS) in lodash\",\n \"details\": \"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `toNumber`, `trim` and `trimEnd` functions. \\n\\nSteps to reproduce (provided by reporter Liyuan Chen):\\n```js\\nvar lo = require('lodash');\\n\\nfunction build_blank(n) {\\n var ret = \\\"1\\\"\\n for (var i = 0; i \\u003c n; i++) {\\n ret += \\\" \\\"\\n }\\n return ret + \\\"1\\\";\\n}\\nvar s = build_blank(50000) var time0 = Date.now();\\nlo.trim(s) \\nvar time_cost0 = Date.now() - time0;\\nconsole.log(\\\"time_cost0: \\\" + time_cost0);\\nvar time1 = Date.now();\\nlo.toNumber(s) var time_cost1 = Date.now() - time1;\\nconsole.log(\\\"time_cost1: \\\" + time_cost1);\\nvar time2 = Date.now();\\nlo.trimEnd(s);\\nvar time_cost2 = Date.now() - time2;\\nconsole.log(\\\"time_cost2: \\\" + time_cost2);\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-es\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-es\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.trimend\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.trimend\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"last_affected\": \"4.5.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.trim\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.trim\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"last_affected\": \"4.5.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.11\",\n \"4.17.14\",\n \"4.17.15\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-29mw-wpgm-hmr9/GHSA-29mw-wpgm-hmr9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28500\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/pull/6139\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/pull/5065\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-LODASH-1018905\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210312-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/lodash/lodash\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-19T22:45:28Z\",\n \"nvd_published_at\": \"2021-02-15T11:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-35jh-r3h4-6jhm\",\n \"published\": \"2021-05-06T16:05:51Z\",\n \"modified\": \"2025-08-12T21:55:57.719943Z\",\n \"aliases\": [\n \"CVE-2021-23337\"\n ],\n \"summary\": \"Command Injection in lodash\",\n \"details\": \"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-es\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-es\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.template\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.template\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-template\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-template\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.7.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"1.0.0.rc.1\",\n \"1.0.0.rc.2\",\n \"1.0.0.rc.3\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.1\",\n \"2.0.0\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.1\",\n \"3.2.0\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.1.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.6.0\",\n \"3.7.0\",\n \"3.9.3\",\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.11\",\n \"4.17.14\",\n \"4.17.15\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-35jh-r3h4-6jhm/GHSA-35jh-r3h4-6jhm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23337\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-LODASH-1040724\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210312-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/lodash/lodash\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-77\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-31T23:59:26Z\",\n \"nvd_published_at\": \"2021-02-15T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4xc9-xhrj-v574\",\n \"published\": \"2019-02-07T18:16:48Z\",\n \"modified\": \"2025-08-12T21:55:35.778975Z\",\n \"aliases\": [\n \"CVE-2018-16487\"\n ],\n \"summary\": \"Prototype Pollution in lodash\",\n \"details\": \"Versions of `lodash` before 4.17.11 are vulnerable to prototype pollution. \\n\\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.17.11 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4xc9-xhrj-v574/GHSA-4xc9-xhrj-v574.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.7.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"1.0.0.rc.1\",\n \"1.0.0.rc.2\",\n \"1.0.0.rc.3\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.1\",\n \"2.0.0\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.1\",\n \"3.2.0\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.1.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.6.0\",\n \"3.7.0\",\n \"3.9.3\",\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-4xc9-xhrj-v574/GHSA-4xc9-xhrj-v574.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-16487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/380873\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190919-0004\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:59:41Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fvqr-27wr-82fm\",\n \"published\": \"2018-07-26T15:14:52Z\",\n \"modified\": \"2025-08-12T21:55:16.003066Z\",\n \"aliases\": [\n \"CVE-2018-3721\"\n ],\n \"summary\": \"Prototype Pollution in lodash\",\n \"details\": \"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \\n\\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.17.5 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-fvqr-27wr-82fm/GHSA-fvqr-27wr-82fm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.7.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"1.0.0.rc.1\",\n \"1.0.0.rc.2\",\n \"1.0.0.rc.3\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.1\",\n \"2.0.0\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.1\",\n \"3.2.0\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.1.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.6.0\",\n \"3.7.0\",\n \"3.9.3\",\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-fvqr-27wr-82fm/GHSA-fvqr-27wr-82fm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-3721\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/310443\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190919-0004\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-471\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:35:26Z\",\n \"nvd_published_at\": \"2018-06-07T02:29:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jf85-cpcp-j695\",\n \"published\": \"2019-07-10T19:45:23Z\",\n \"modified\": \"2025-08-12T21:56:37.293794Z\",\n \"aliases\": [\n \"CVE-2019-10744\"\n ],\n \"summary\": \"Prototype Pollution in lodash\",\n \"details\": \"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\\n\\n## Recommendation\\n\\nUpdate to version 4.17.12 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.12\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-es\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-es\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.14\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-amd\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-amd\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.13\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.defaultsdeep\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.defaultsdeep\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.17.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.7.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"1.0.0.rc.1\",\n \"1.0.0.rc.2\",\n \"1.0.0.rc.3\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.1\",\n \"2.0.0\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.1\",\n \"3.2.0\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.1.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.6.0\",\n \"3.7.0\",\n \"3.9.3\",\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.11\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-jf85-cpcp-j695/GHSA-jf85-cpcp-j695.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10744\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/pull/4336\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3024\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191004-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-LODASH-450202\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K47105354?utm_source=f5support\\u0026amp%3Butm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K47105354?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-07-10T19:41:11Z\",\n \"nvd_published_at\": \"2019-07-26T00:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p6mc-m468-83gw\",\n \"published\": \"2020-07-15T19:15:48Z\",\n \"modified\": \"2025-08-12T21:56:17.174859Z\",\n \"aliases\": [\n \"CVE-2020-8203\"\n ],\n \"summary\": \"Prototype Pollution in lodash\",\n \"details\": \"Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions `pick`, `set`, `setWith`, `update`, `updateWith`, and `zipObjectDeep` allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.\\n\\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.7.0\"\n },\n {\n \"fixed\": \"4.17.19\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-es\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-es\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.7.0\"\n },\n {\n \"fixed\": \"4.17.20\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.pick\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.pick\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"last_affected\": \"4.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.set\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.set\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.7.0\"\n },\n {\n \"last_affected\": \"4.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.setwith\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.setwith\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.update\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.update\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.10.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash.updatewith\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash.updatewith\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.10.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.7.0\"\n },\n {\n \"fixed\": \"4.17.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0\",\n \"3.10.1\",\n \"3.7.0\",\n \"3.9.3\",\n \"4.0.0\",\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.11\",\n \"4.17.14\",\n \"4.17.15\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\",\n \"4.3.0\",\n \"4.5.1\",\n \"4.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-p6mc-m468-83gw/GHSA-p6mc-m468-83gw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-8203\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/issues/4744\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/issues/4874\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/pull/2884\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/712065\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/864701\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/lodash/lodash\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/wiki/Changelog#v41719\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200724-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-07-15T19:14:58Z\",\n \"nvd_published_at\": \"2020-07-15T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x5rq-j2xg-h7qm\",\n \"published\": \"2019-07-19T16:13:07Z\",\n \"modified\": \"2025-09-29T21:05:48.105698Z\",\n \"aliases\": [\n \"CVE-2019-1010266\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS) in lodash\",\n \"details\": \"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.7.11.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"lodash\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.7.0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-es\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-es\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.7.0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-amd\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/lodash-amd\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.7.0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"lodash-rails\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/lodash-rails\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.7.0\"\n },\n {\n \"fixed\": \"4.17.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.11.2\",\n \"4.12.0\",\n \"4.13.1\",\n \"4.14.1\",\n \"4.15.0\",\n \"4.16.1\",\n \"4.16.3\",\n \"4.16.4\",\n \"4.16.6\",\n \"4.17.10\",\n \"4.17.2\",\n \"4.17.4\",\n \"4.17.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-x5rq-j2xg-h7qm/GHSA-x5rq-j2xg-h7qm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/issues/3359\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/pull/6138\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/lodash/lodash\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lodash/lodash/wiki/Changelog\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190919-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-LODASH-73639\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-07-19T16:11:26Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6vfc-qv3f-vr6c\",\n \"published\": \"2022-01-12T22:20:22Z\",\n \"modified\": \"2023-11-08T04:08:07.059316Z\",\n \"aliases\": [\n \"CVE-2022-21670\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in markdown-it\",\n \"details\": \"### Impact\\n\\nSpecial patterns with length \\u003e 50K chars can slow down parser significantly.\\n\\n```js\\nconst md = require('markdown-it')();\\n\\nmd.render(`x ${' '.repeat(150000)} x \\\\nx`);\\n```\\n\\n\\n### Patches\\n\\nUpgrade to v12.3.2+\\n\\n### Workarounds\\n\\nNo.\\n\\n### References\\n\\nFix + test sample: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"markdown-it\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/markdown-it\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"12.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-6vfc-qv3f-vr6c/GHSA-6vfc-qv3f-vr6c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-21670\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markdown-it/markdown-it\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-10T21:50:05Z\",\n \"nvd_published_at\": \"2022-01-10T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j5p7-jf4q-742q\",\n \"published\": \"2022-12-27T09:30:41Z\",\n \"modified\": \"2023-11-08T03:57:48.904226Z\",\n \"aliases\": [\n \"CVE-2015-10005\"\n ],\n \"summary\": \"markdown-it vulnerable to Inefficient Regular Expression Complexity\",\n \"details\": \"A vulnerability was found in markdown-it up to 2.x. It has been classified as problematic. Affected is an unknown function of the file `lib/common/html_re.js`. The manipulation leads to inefficient regular expression complexity. Upgrading to version 3.0.0 is able to address this issue. The name of the patch is 89c8620157d6e38f9872811620d25138fc9d1b0d. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216852.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"markdown-it\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/markdown-it\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-j5p7-jf4q-742q/GHSA-j5p7-jf4q-742q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-10005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markdown-it/markdown-it/commit/89c8620157d6e38f9872811620d25138fc9d1b0d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markdown-it/markdown-it\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markdown-it/markdown-it/releases/tag/3.0.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.216852\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.216852\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-30T16:27:08Z\",\n \"nvd_published_at\": \"2022-12-27T09:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4r62-v4vq-hr96\",\n \"published\": \"2021-02-08T21:17:58Z\",\n \"modified\": \"2023-11-08T04:04:40.912168Z\",\n \"aliases\": [\n \"CVE-2021-21306\"\n ],\n \"related\": [\n \"CVE-2021-21306\"\n ],\n \"summary\": \"Regular Expression Denial of Service (REDoS) in Marked\",\n \"details\": \"### Impact\\n_What kind of vulnerability is it? Who is impacted?_\\n\\n[Regular expression Denial of Service](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n\\nA Denial of Service attack can affect anyone who runs user generated code through `marked`.\\n\\n### Patches\\n_Has the problem been patched? What versions should users upgrade to?_\\n\\npatched in v2.0.0\\n\\n### Workarounds\\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\\n\\nNone.\\n\\n### References\\n_Are there any links users can visit to find out more?_\\n\\nhttps://github.com/markedjs/marked/issues/1927\\nhttps://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [marked](https://github.com/markedjs/marked/issues)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.1.1\"\n },\n {\n \"fixed\": \"2.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-4r62-v4vq-hr96/GHSA-4r62-v4vq-hr96.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21306\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/issues/1927\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/pull/1864\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/marked\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-02-08T21:17:26Z\",\n \"nvd_published_at\": \"2021-02-08T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5v2h-r2cx-5xgj\",\n \"published\": \"2022-01-14T21:04:46Z\",\n \"modified\": \"2023-11-08T04:08:07.532717Z\",\n \"aliases\": [\n \"CVE-2022-21681\"\n ],\n \"summary\": \"Inefficient Regular Expression Complexity in marked\",\n \"details\": \"### Impact\\n\\n_What kind of vulnerability is it?_\\n\\nDenial of service.\\n\\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\\nPoC is the following.\\n\\n```javascript\\nimport * as marked from 'marked';\\n\\nconsole.log(marked.parse(`[x]: x\\n\\n\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](\\\\\\\\[\\\\\\\\](`));\\n```\\n\\n_Who is impacted?_\\n\\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\\n\\n### Patches\\n\\n_Has the problem been patched?_\\n\\nYes\\n\\n_What versions should users upgrade to?_\\n\\n4.0.10\\n\\n### Workarounds\\n\\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\\n\\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\\n\\n### References\\n\\n_Are there any links users can visit to find out more?_\\n\\n- https://marked.js.org/using_advanced#workers\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n\\n* Open an issue in [marked](https://github.com/markedjs/marked)\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.0.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-5v2h-r2cx-5xgj/GHSA-5v2h-r2cx-5xgj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-21681\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-14T19:57:17Z\",\n \"nvd_published_at\": \"2022-01-14T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7px7-7xjx-hxm8\",\n \"published\": \"2018-01-04T21:04:19Z\",\n \"modified\": \"2023-11-08T03:58:46.365782Z\",\n \"aliases\": [\n \"CVE-2017-1000427\"\n ],\n \"summary\": \"Marked vulnerable to XSS from data URIs\",\n \"details\": \"marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/01/GHSA-7px7-7xjx-hxm8/GHSA-7px7-7xjx-hxm8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-1000427\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-7px7-7xjx-hxm8\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:marked:20170112\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:23:14Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9cw2-jqp5-7x39\",\n \"published\": \"2020-08-31T22:52:52Z\",\n \"modified\": \"2023-11-08T03:57:41.045132Z\",\n \"aliases\": [\n \"CVE-2014-3743\"\n ],\n \"summary\": \"Multiple Content Injection Vulnerabilities in marked\",\n \"details\": \"Versions 0.3.0 and earlier of `marked` are affected by two cross-site scripting vulnerabilities, even when `sanitize: true` is set.\\n\\nThe attack vectors for this vulnerability are GFM Codeblocks and JavaScript URLs.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 0.3.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.3.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9cw2-jqp5-7x39/GHSA-9cw2-jqp5-7x39.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-1850\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/22\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:08:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cfjh-p3g4-3q2f\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2023-11-08T03:57:49.831117Z\",\n \"aliases\": [\n \"CVE-2015-1370\"\n ],\n \"summary\": \"VBScript Content Injection in marked\",\n \"details\": \"Versions 0.3.2 and earlier of `marked` are affected by a cross-site scripting vulnerability even when `sanitize:true` is set. \\n\\n## Proof of Concept ( IE10 Compatibility Mode Only )\\n\\n`[xss link](vbscript:alert(1\\u0026#41;)`\\n\\nwill get a link\\n\\n`\\u003ca href=\\\"vbscript:alert(1)\\\"\\u003exss link\\u003c/a\\u003e`\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.3.3 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-cfjh-p3g4-3q2f/GHSA-cfjh-p3g4-3q2f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-1370\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chjj/marked/issues/492\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/issues/492\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/evilpacket/marked/commit/3c191144939107c45a7fa11ab6cb88be6694a1ba\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/fc372d1c6293267722e33f2719d57cebd67b3da1\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/24\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/24/versions\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/01/23/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:31:22Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ch52-vgq2-943f\",\n \"published\": \"2020-09-03T18:15:53Z\",\n \"modified\": \"2020-08-31T18:46:28Z\",\n \"summary\": \"Regular Expression Denial of Service in marked\",\n \"details\": \"Affected versions of `marked` are vulnerable to Regular Expression Denial of Service (ReDoS). The `_label` subrule may significantly degrade parsing performance of malformed input.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 0.7.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.4.0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-ch52-vgq2-943f/GHSA-ch52-vgq2-943f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1076\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:46:28Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hjcp-j389-59ff\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2024-02-09T17:50:43Z\",\n \"aliases\": [\n \"CVE-2015-8854\"\n ],\n \"summary\": \"Regular Expression Denial of Service in marked\",\n \"details\": \"Versions 0.3.3 and earlier of `marked` are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the `em` inline rule.\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.3.4 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hjcp-j389-59ff/GHSA-hjcp-j389-59ff.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8854\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chjj/marked/issues/497\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-hjcp-j389-59ff\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/chjj/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K05052081?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/23\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/04/20/11\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:40:28Z\",\n \"nvd_published_at\": \"2017-01-23T21:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p9wx-2529-fp83\",\n \"published\": \"2025-05-23T15:31:16Z\",\n \"modified\": \"2025-05-27T15:27:40.131270Z\",\n \"aliases\": [\n \"CVE-2018-25110\"\n ],\n \"summary\": \"Marked allows Regular Expression Denial of Service (ReDoS) attacks\",\n \"details\": \"Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.17\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-p9wx-2529-fp83/GHSA-p9wx-2529-fp83.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-25110\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/issues/1070\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/pull/1083\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-27T15:03:47Z\",\n \"nvd_published_at\": \"2025-05-23T15:15:20Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rrrm-qjm4-v8hf\",\n \"published\": \"2022-01-14T21:04:41Z\",\n \"modified\": \"2023-11-08T04:08:07.472715Z\",\n \"aliases\": [\n \"CVE-2022-21680\"\n ],\n \"summary\": \"Inefficient Regular Expression Complexity in marked\",\n \"details\": \"### Impact\\n\\n_What kind of vulnerability is it?_\\n\\nDenial of service.\\n\\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\\nPoC is the following.\\n\\n```javascript\\nimport * as marked from \\\"marked\\\";\\n\\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\\n```\\n\\n_Who is impacted?_\\n\\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\\n\\n### Patches\\n\\n_Has the problem been patched?_\\n\\nYes\\n\\n_What versions should users upgrade to?_\\n\\n4.0.10\\n\\n### Workarounds\\n\\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\\n\\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\\n\\n### References\\n\\n_Are there any links users can visit to find out more?_\\n\\n- https://marked.js.org/using_advanced#workers\\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n\\n* Open an issue in [marked](https://github.com/markedjs/marked)\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.0.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-rrrm-qjm4-v8hf/GHSA-rrrm-qjm4-v8hf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-21680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/releases/tag/v4.0.10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-14T19:56:20Z\",\n \"nvd_published_at\": \"2022-01-14T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vfvf-mqq8-rwqc\",\n \"published\": \"2019-02-18T23:58:20Z\",\n \"modified\": \"2023-11-08T03:58:10.903030Z\",\n \"aliases\": [\n \"CVE-2016-10531\"\n ],\n \"summary\": \"Sanitization bypass using HTML Entities in marked\",\n \"details\": \"Affected versions of `marked` are susceptible to a cross-site scripting vulnerability in link components when `sanitize:true` is configured. \\n\\n## Proof of Concept\\n\\nThis flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.\\n\\nFor example:\\n\\nA link URI such as\\n```\\njavascript\\u0026#x58document;alert\\u0026#40;1\\u0026#41;\\n```\\nRenders a valid link that when clicked will execute `alert(1)`.\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.3.6 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.6\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-vfvf-mqq8-rwqc/GHSA-vfvf-mqq8-rwqc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-10531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chjj/marked/pull/592\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-vfvf-mqq8-rwqc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/101\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:57:38Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x5pg-88wf-qq4p\",\n \"published\": \"2018-07-24T20:10:52Z\",\n \"modified\": \"2023-11-08T03:59:05.647192Z\",\n \"aliases\": [\n \"CVE-2017-16114\"\n ],\n \"summary\": \"Regular Expression Denial of Service in marked\",\n \"details\": \"Affected versions of `marked` are vulnerable to a regular expression denial of service. \\n\\nThe amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.3.9 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.3.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-x5pg-88wf-qq4p/GHSA-x5pg-88wf-qq4p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chjj/marked/issues/937\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-x5pg-88wf-qq4p\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/531\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:02:12Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xf5p-87ch-gxw2\",\n \"published\": \"2019-06-05T14:10:03Z\",\n \"modified\": \"2022-08-02T17:43:57Z\",\n \"summary\": \"Marked ReDoS due to email addresses being evaluated in quadratic time\",\n \"details\": \"Versions of `marked` from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 0.6.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"marked\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/marked\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.3.14\"\n },\n {\n \"fixed\": \"0.6.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xf5p-87ch-gxw2/GHSA-xf5p-87ch-gxw2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/pull/1460\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/markedjs/marked\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/markedjs/marked/releases/tag/v0.6.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-MARKED-174116\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/812\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-05T13:50:35Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4xcv-9jjx-gfj3\",\n \"published\": \"2019-07-05T21:07:58Z\",\n \"modified\": \"2021-08-17T15:44:45Z\",\n \"summary\": \"Denial of Service in mem\",\n \"details\": \"Versions of `mem` prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its `maxAge` property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 4.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"mem\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/mem\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-4xcv-9jjx-gfj3/GHSA-4xcv-9jjx-gfj3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1623744\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:mem:20180117\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1084\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-07-03T20:52:42Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-952p-6rrq-rcjv\",\n \"published\": \"2024-05-14T18:30:54Z\",\n \"modified\": \"2024-08-28T13:12:26Z\",\n \"aliases\": [\n \"CVE-2024-4067\"\n ],\n \"related\": [\n \"CGA-6q83-777j-gp5r\",\n \"CGA-7j2f-jxvw-gx52\",\n \"CGA-9hv5-rmvp-37vw\",\n \"CGA-9qj8-ph43-6pq5\"\n ],\n \"summary\": \"Regular Expression Denial of Service (ReDoS) in micromatch\",\n \"details\": \"The NPM package `micromatch` prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in `micromatch.braces()` in `index.js` because the pattern `.*` will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"micromatch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/micromatch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.0.8\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-952p-6rrq-rcjv/GHSA-952p-6rrq-rcjv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-4067\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/issues/243\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/pull/247\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/pull/266\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://advisory.checkmarx.net/advisory/CVE-2024-4067\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://devhub.checkmarx.com/cve-details/CVE-2024-4067\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/micromatch/micromatch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micromatch/micromatch/releases/tag/4.0.8\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-08-21T22:58:52Z\",\n \"nvd_published_at\": \"2024-05-14T15:42:47Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wrvr-8mpx-r7pp\",\n \"published\": \"2018-07-20T16:20:52Z\",\n \"modified\": \"2023-11-08T03:59:07.102650Z\",\n \"aliases\": [\n \"CVE-2017-16138\"\n ],\n \"summary\": \"mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input\",\n \"details\": \"Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.0.3 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"mime\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/mime\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-wrvr-8mpx-r7pp/GHSA-wrvr-8mpx-r7pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"mime\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/mime\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.4.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-wrvr-8mpx-r7pp/GHSA-wrvr-8mpx-r7pp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16138\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/broofa/node-mime/issues/167\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/broofa/mime\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:01:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f8q6-p94x-37v3\",\n \"published\": \"2022-10-18T12:00:32Z\",\n \"modified\": \"2024-02-14T18:15:16Z\",\n \"aliases\": [\n \"CVE-2022-3517\"\n ],\n \"summary\": \"minimatch ReDoS vulnerability\",\n \"details\": \"A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"minimatch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimatch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-f8q6-p94x-37v3/GHSA-f8q6-p94x-37v3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3517\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grafana/grafana-image-renderer/issues/329\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/node/issues/42510\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/isaacs/minimatch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-20T18:21:03Z\",\n \"nvd_published_at\": \"2022-10-17T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hxm2-r34f-qmc5\",\n \"published\": \"2018-10-09T00:40:41Z\",\n \"modified\": \"2023-11-08T03:58:11.455886Z\",\n \"aliases\": [\n \"CVE-2016-10540\"\n ],\n \"summary\": \"Regular Expression Denial of Service in minimatch\",\n \"details\": \"Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\\n\\n\\n## Proof of Concept\\n```js\\nvar minimatch = require(“minimatch”);\\n\\n// utility function for generating long strings\\nvar genstr = function (len, chr) {\\n var result = “”;\\n for (i=0; i\\u003c=len; i++) {\\n result = result + chr;\\n }\\n return result;\\n}\\n\\nvar exploit = “[!” + genstr(1000000, “\\\\\\\\”) + “A”;\\n\\n// minimatch exploit.\\nconsole.log(“starting minimatch”);\\nminimatch(“foo”, exploit);\\nconsole.log(“finishing minimatch”);\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 3.0.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"minimatch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimatch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hxm2-r34f-qmc5/GHSA-hxm2-r34f-qmc5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-10540\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-hxm2-r34f-qmc5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/118\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:41:28Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vh95-rmgr-6w4m\",\n \"published\": \"2020-04-03T21:48:32Z\",\n \"modified\": \"2025-01-14T08:57:16.325412Z\",\n \"aliases\": [\n \"CVE-2020-7598\"\n ],\n \"summary\": \"Prototype Pollution in minimist\",\n \"details\": \"Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \\nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. \\nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\\n\\n\\n## Recommendation\\n\\nUpgrade to versions 0.2.1, 1.2.3 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"minimist\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimist\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.2.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-vh95-rmgr-6w4m/GHSA-vh95-rmgr-6w4m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"minimist\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimist\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-vh95-rmgr-6w4m/GHSA-vh95-rmgr-6w4m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7598\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/substack/minimist\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1179\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-03T21:42:08Z\",\n \"nvd_published_at\": \"2020-03-11T23:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xvch-5gv4-984h\",\n \"published\": \"2022-03-18T00:01:09Z\",\n \"modified\": \"2025-01-14T10:12:15.693708Z\",\n \"aliases\": [\n \"CVE-2021-44906\"\n ],\n \"summary\": \"Prototype Pollution in minimist\",\n \"details\": \"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"minimist\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimist\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.2.6\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xvch-5gv4-984h/GHSA-xvch-5gv4-984h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"minimist\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/minimist\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.2.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-xvch-5gv4-984h/GHSA-xvch-5gv4-984h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-44906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/issues/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/substack/minimist/issues/164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/pull/24\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/minimistjs/minimist/commits/v0.2.4\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/substack/minimist\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/substack/minimist/blob/master/index.js#L69\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-18T23:13:40Z\",\n \"nvd_published_at\": \"2022-03-17T16:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3fx5-fwvr-xrjg\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2024-08-01T16:44:35Z\",\n \"aliases\": [\n \"CVE-2015-8315\"\n ],\n \"summary\": \"Regular Expression Denial of Service in ms\",\n \"details\": \"Versions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\\n\\n## Proof of Concept\\n```javascript\\nvar ms = require('ms');\\nvar genstr = function (len, chr) {\\n var result = \\\"\\\";\\n for (i=0; i\\u003c=len; i++) {\\n result = result + chr;\\n }\\n\\n return result;\\n}\\n\\nms(genstr(process.argv[2], \\\"5\\\") + \\\" minutea\\\");\\n\\n```\\n\\n### Results\\nShowing increase in execution time based on the input string.\\n```\\n$ time node ms.js 10000\\n\\nreal\\t0m0.758s\\nuser\\t0m0.724s\\nsys\\t0m0.031s\\n\\n$ time node ms.js 20000\\n\\nreal\\t0m2.580s\\nuser\\t0m2.494s\\nsys\\t0m0.047s\\n\\n$ time node ms.js 30000\\n\\nreal\\t0m5.747s\\nuser\\t0m5.483s\\nsys\\t0m0.080s\\n\\n$ time node ms.js 80000\\n\\nreal\\t0m41.022s\\nuser\\t0m38.894s\\nsys\\t0m0.529s\\n```\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ms\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ms\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-3fx5-fwvr-xrjg/GHSA-3fx5-fwvr-xrjg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8315\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/unshiftio/millisecond\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://nodesecurity.io/advisories/46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K46337613?utm_source=f5support\\u0026amp%3Butm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K46337613?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/04/20/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/96389\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:55:05Z\",\n \"nvd_published_at\": \"2017-01-23T21:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w9mr-4mfr-499f\",\n \"published\": \"2023-01-05T12:30:27Z\",\n \"modified\": \"2025-11-04T16:42:14Z\",\n \"aliases\": [\n \"CVE-2017-20162\"\n ],\n \"summary\": \"Vercel ms Inefficient Regular Expression Complexity vulnerability\",\n \"details\": \"A vulnerability, which was classified as problematic, has been found in vercel ms up to 1.x. This issue affects the function parse of the file index.js. The manipulation of the argument str leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.0.0 is able to address this issue. The name of the patch is caae2988ba2a37765d055c4eee63d383320ee662. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217451.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ms\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ms\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-w9mr-4mfr-499f/GHSA-w9mr-4mfr-499f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-20162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/vercel/ms/pull/89\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/vercel/ms\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/vercel/ms/releases/tag/2.0.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.217451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.217451\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-10T21:45:33Z\",\n \"nvd_published_at\": \"2023-01-05T12:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mwcw-c2x4-8c55\",\n \"published\": \"2024-12-09T03:30:59Z\",\n \"modified\": \"2025-11-04T16:54:54Z\",\n \"aliases\": [\n \"CVE-2024-55565\"\n ],\n \"related\": [\n \"CGA-7vvh-vj96-x4xv\",\n \"CGA-8vh7-wwpf-5f4g\",\n \"CGA-cr3m-qfmj-rhf8\",\n \"CGA-q99g-63m8-c4r8\"\n ],\n \"summary\": \"Predictable results in nanoid generation when given non-integer values\",\n \"details\": \"When nanoid is called with a fractional value, there were a number of undesirable effects:\\n\\n1. in browser and non-secure, the code infinite loops on while (size--)\\n2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled\\n3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error\\n\\nVersion 3.3.8 and 5.0.9 are fixed.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"nanoid\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/nanoid\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"5.0.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-mwcw-c2x4-8c55/GHSA-mwcw-c2x4-8c55.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"nanoid\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/nanoid\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.3.8\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-mwcw-c2x4-8c55/GHSA-mwcw-c2x4-8c55.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-55565\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ai/nanoid/pull/510\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ai/nanoid\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ai/nanoid/compare/3.3.7...3.3.8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ai/nanoid/releases/tag/5.0.9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-12-09T22:42:43Z\",\n \"nvd_published_at\": \"2024-12-09T02:15:19Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qrpm-p2h7-hrv2\",\n \"published\": \"2022-01-21T23:57:06Z\",\n \"modified\": \"2025-11-04T16:35:00Z\",\n \"aliases\": [\n \"CVE-2021-23566\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in nanoid\",\n \"details\": \"The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"nanoid\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/nanoid\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.31\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-qrpm-p2h7-hrv2/GHSA-qrpm-p2h7-hrv2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23566\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ai/nanoid/pull/328\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ai/nanoid\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-NANOID-2332193\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-704\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-18T21:54:04Z\",\n \"nvd_published_at\": \"2022-01-14T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ff6r-5jwm-8292\",\n \"published\": \"2018-07-24T19:51:16Z\",\n \"modified\": \"2023-11-08T03:59:04.794346Z\",\n \"aliases\": [\n \"CVE-2017-16099\"\n ],\n \"summary\": \"Regular Expression Denial of Service in no-case\",\n \"details\": \"Affected versions of `no-case` are vulnerable to a regular expression denial of service when parsing untrusted user input.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.3.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"no-case\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/no-case\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-ff6r-5jwm-8292/GHSA-ff6r-5jwm-8292.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16099\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/blakeembrey/no-case/issues/17\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-ff6r-5jwm-8292\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/529\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:34:26Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r683-j2x4-v87g\",\n \"published\": \"2022-01-21T23:55:52Z\",\n \"modified\": \"2023-11-08T04:07:30.211593Z\",\n \"aliases\": [\n \"CVE-2022-0235\"\n ],\n \"summary\": \"node-fetch forwards secure headers to untrusted sites\",\n \"details\": \"node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, \\u0026 `cookie2` when redirecting to a untrusted site.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-fetch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-fetch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-r683-j2x4-v87g/GHSA-r683-j2x4-v87g.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"node-fetch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-fetch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-r683-j2x4-v87g/GHSA-r683-j2x4-v87g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/pull/1453\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/node-fetch/node-fetch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-173\",\n \"CWE-200\",\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-18T22:51:22Z\",\n \"nvd_published_at\": \"2022-01-16T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vp56-6g26-6827\",\n \"published\": \"2022-08-02T00:00:25Z\",\n \"modified\": \"2023-11-08T04:08:52.815695Z\",\n \"aliases\": [\n \"CVE-2022-2596\"\n ],\n \"summary\": \"node-fetch Inefficient Regular Expression Complexity \",\n \"details\": \"[node-fetch](https://www.npmjs.com/package/node-fetch) is a light-weight module that brings window.fetch to node.js.\\n\\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the `isOriginPotentiallyTrustworthy()` function in `referrer.js`, when processing a URL string with alternating letters and periods, such as `'http://' + 'a.a.'.repeat(i) + 'a'`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-fetch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-fetch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.2.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vp56-6g26-6827/GHSA-vp56-6g26-6827.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/pull/1611\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/28802387292baee467e042e168d92597b5bbbe3d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/node-fetch/node-fetch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/releases/tag/v3.2.10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://huntr.dev/bounties/a7e6a136-0a4b-46c4-ad20-802f1dd60bf7\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-08-04T17:37:24Z\",\n \"nvd_published_at\": \"2022-08-01T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w7rc-rwvf-8q5r\",\n \"published\": \"2020-09-10T17:46:21Z\",\n \"modified\": \"2024-07-15T19:46:22Z\",\n \"aliases\": [\n \"CVE-2020-15168\"\n ],\n \"related\": [\n \"CVE-2020-15168\"\n ],\n \"summary\": \"The `size` option isn't honored after following a redirect in node-fetch\",\n \"details\": \"### Impact\\nNode Fetch did not honor the `size` option after following a redirect, which means that when a content size was over the limit, a `FetchError` would never get thrown and the process would end without failure.\\n\\nFor most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after `fetch()` has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.\\n\\n### Patches\\nWe released patched versions for both stable and beta channels:\\n\\n- For `v2`: 2.6.1\\n- For `v3`: 3.0.0-beta.9\\n\\n### Workarounds\\nNone, it is strongly recommended to update as soon as possible.\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [node-fetch](https://github.com/node-fetch/node-fetch/issues/new?assignees=\\u0026labels=question\\u0026template=support-or-usage.md\\u0026title=Question%3A+)\\n* Contact one of the core maintainers.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-fetch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-fetch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w7rc-rwvf-8q5r/GHSA-w7rc-rwvf-8q5r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"node-fetch\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-fetch\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-beta.1\"\n },\n {\n \"fixed\": \"3.0.0-beta.9\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.0.0-beta.8\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-w7rc-rwvf-8q5r/GHSA-w7rc-rwvf-8q5r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-15168\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a334\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/node-fetch/node-fetch/commit/eaff0094c4dfdd5b78711a8c4f1b61e33d282072\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/node-fetch/node-fetch\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-09-10T17:44:09Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2r2c-g63r-vccr\",\n \"published\": \"2022-03-18T23:10:48Z\",\n \"modified\": \"2023-11-08T04:08:35.918577Z\",\n \"aliases\": [\n \"CVE-2022-24773\"\n ],\n \"summary\": \"Improper Verification of Cryptographic Signature in `node-forge`\",\n \"details\": \"### Impact\\n\\nRSA PKCS#1 v1.5 signature verification code is not properly checking `DigestInfo` for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.\\n\\n### Patches\\n\\nThe issue has been addressed in `node-forge` `1.3.0`.\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\\n* Email us at [example email address](mailto:security@digitalbazaar.com)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-2r2c-g63r-vccr/GHSA-2r2c-g63r-vccr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24773\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-18T23:10:48Z\",\n \"nvd_published_at\": \"2022-03-18T14:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5rrq-pxf6-6jx5\",\n \"published\": \"2022-01-08T00:22:42Z\",\n \"modified\": \"2022-01-07T22:20:53Z\",\n \"summary\": \"Prototype Pollution in node-forge debug API.\",\n \"details\": \"### Impact\\nThe `forge.debug` API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.\\n\\n### Patches\\nThe `forge.debug` API and related functions were removed in 1.0.0.\\n\\n### Workarounds\\nDon't use the `forge.debug` API directly or indirectly with untrusted input.\\n\\n### References\\n- https://www.huntr.dev/bounties/1-npm-node-forge/\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\\n* Email us at support@digitalbazaar.com.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-5rrq-pxf6-6jx5/GHSA-5rrq-pxf6-6jx5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-5rrq-pxf6-6jx5\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-07T22:20:53Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8fr3-hfg3-gpgp\",\n \"published\": \"2022-01-21T23:36:19Z\",\n \"modified\": \"2023-11-08T04:07:28.545607Z\",\n \"aliases\": [\n \"CVE-2022-0122\"\n ],\n \"summary\": \"Open Redirect in node-forge\",\n \"details\": \"parseUrl functionality in node-forge mishandles certain uses of backslash such as `https:/\\\\/\\\\/\\\\` and interprets the URI as a relative path. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-8fr3-hfg3-gpgp/GHSA-8fr3-hfg3-gpgp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0122\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/db8016c805371e72b06d8e2edfe0ace0df934a5e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-13T18:49:59Z\",\n \"nvd_published_at\": \"2022-01-06T05:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-92xj-mqp7-vmcj\",\n \"published\": \"2020-09-14T21:42:09Z\",\n \"modified\": \"2025-01-14T08:57:27.810691Z\",\n \"aliases\": [\n \"CVE-2020-7720\"\n ],\n \"summary\": \"Prototype Pollution in node-forge\",\n \"details\": \"The package node-forge before 0.10.0 is vulnerable to Prototype Pollution via the util.setPath function. Note: version 0.10.0 is a breaking change removing the vulnerable functions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-92xj-mqp7-vmcj/GHSA-92xj-mqp7-vmcj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7720\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/blob/master/CHANGELOG.md#removed\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-609293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-09-14T21:41:51Z\",\n \"nvd_published_at\": \"2020-09-01T10:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cfm4-qjh2-4765\",\n \"published\": \"2022-03-18T23:09:54Z\",\n \"modified\": \"2023-11-08T04:08:35.796827Z\",\n \"aliases\": [\n \"CVE-2022-24771\"\n ],\n \"summary\": \"Improper Verification of Cryptographic Signature in node-forge\",\n \"details\": \"### Impact\\n\\nRSA PKCS#1 v1.5 signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used.\\n\\n### Patches\\n\\nThe issue has been addressed in `node-forge` `1.3.0`.\\n\\n### References\\n\\nFor more information, please see\\n[\\\"Bleichenbacher's RSA signature forgery based on implementation error\\\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\\nby Hal Finney.\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\\n* Email us at [example email address](mailto:security@digitalbazaar.com)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-cfm4-qjh2-4765/GHSA-cfm4-qjh2-4765.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24771\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-18T23:09:54Z\",\n \"nvd_published_at\": \"2022-03-18T14:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gf8q-jrpm-jvxq\",\n \"published\": \"2022-01-08T00:22:02Z\",\n \"modified\": \"2022-01-07T22:20:43Z\",\n \"summary\": \"URL parsing in node-forge could lead to undesired behavior.\",\n \"details\": \"### Impact\\nThe regex used for the `forge.util.parseUrl` API would not properly parse certain inputs resulting in a parsed data structure that could lead to undesired behavior.\\n\\n### Patches\\n`forge.util.parseUrl` and other very old related URL APIs were removed in 1.0.0 in favor of letting applications use the more modern WHATWG URL Standard API.\\n\\n### Workarounds\\nEnsure code does not directly or indirectly call `forge.util.parseUrl` with untrusted input.\\n\\n### References\\n- https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae/\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\\n* Email us at support@digitalbazaar.com\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-gf8q-jrpm-jvxq/GHSA-gf8q-jrpm-jvxq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-gf8q-jrpm-jvxq\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-0122\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.huntr.dev/bounties/41852c50-3c6d-4703-8c55-4db27164a4ae\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-07T22:20:43Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wxgw-qj99-44c2\",\n \"published\": \"2022-01-08T00:22:40Z\",\n \"modified\": \"2022-01-07T22:20:50Z\",\n \"summary\": \"Prototype Pollution in node-forge util.setPath API\",\n \"details\": \"### Impact\\n`forge.util.setPath` had a potential prototype pollution issue if called with untrusted keys. This API was not used by forge itself.\\n\\n### Patches\\nThe `forge.util.setPath` API and related functions were removed in 0.10.0.\\n\\n### Workarounds\\nDon't call `forge.util.setPath` directly or indirectly with untrusted keys.\\n\\n### References\\n- https://security.snyk.io/vuln/SNYK-JS-NODEFORGE-598677\\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge).\\n* Email us at support@digitalbazaar.com.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wxgw-qj99-44c2/GHSA-wxgw-qj99-44c2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-wxgw-qj99-44c2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-07T22:20:50Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x4jg-mjrx-434g\",\n \"published\": \"2022-03-18T23:10:28Z\",\n \"modified\": \"2023-11-08T04:08:35.855910Z\",\n \"aliases\": [\n \"CVE-2022-24772\"\n ],\n \"summary\": \"Improper Verification of Cryptographic Signature in node-forge\",\n \"details\": \"### Impact\\n\\nRSA PKCS#1 v1.5 signature verification code does not check for tailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used.\\n\\n### Patches\\n\\nThe issue has been addressed in `node-forge` `1.3.0`.\\n\\n### References\\n\\nFor more information, please see\\n[\\\"Bleichenbacher's RSA signature forgery based on implementation error\\\"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)\\nby Hal Finney.\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [forge](https://github.com/digitalbazaar/forge)\\n* Email us at [example email address](mailto:security@digitalbazaar.com)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"node-forge\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/node-forge\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-x4jg-mjrx-434g/GHSA-x4jg-mjrx-434g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24772\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/digitalbazaar/forge/commit/bb822c02df0b61211836472e29b9790cc541cdb2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/digitalbazaar/forge\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-18T23:10:28Z\",\n \"nvd_published_at\": \"2022-03-18T14:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hj48-42vr-x3v9\",\n \"published\": \"2021-08-10T15:33:47Z\",\n \"modified\": \"2025-01-14T08:57:22.791123Z\",\n \"aliases\": [\n \"CVE-2021-23343\"\n ],\n \"summary\": \"Regular Expression Denial of Service in path-parse\",\n \"details\": \"Affected versions of npm package `path-parse` are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"path-parse\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-parse\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-hj48-42vr-x3v9/GHSA-hj48-42vr-x3v9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23343\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jbgutierrez/path-parse/issues/8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jbgutierrez/path-parse/pull/10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jbgutierrez/path-parse\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-19T21:02:21Z\",\n \"nvd_published_at\": \"2021-05-04T09:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9wv6-86v2-598j\",\n \"published\": \"2024-09-09T20:19:15Z\",\n \"modified\": \"2025-01-24T21:31:27Z\",\n \"aliases\": [\n \"CVE-2024-45296\"\n ],\n \"related\": [\n \"CGA-5gf3-hjcj-6qq8\",\n \"CGA-6792-m89f-pxqr\",\n \"CGA-9whg-c95h-926g\",\n \"CGA-fr32-9wwp-hj4r\",\n \"CGA-hvqq-cfqx-vpqj\",\n \"CGA-m4g6-hwg9-252j\",\n \"CGA-p73v-8rhw-pm6p\",\n \"CGA-wxf4-3vvq-3j2r\",\n \"CGA-x8g8-9rwj-j985\"\n ],\n \"summary\": \"path-to-regexp outputs backtracking regular expressions\",\n \"details\": \"### Impact\\n\\nA bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (`.`). For example, `/:a-:b`.\\n\\n### Patches\\n\\nFor users of 0.1, upgrade to `0.1.10`. All other users should upgrade to `8.0.0`.\\n\\nThese versions add backtrack protection when a custom regex pattern is not provided:\\n\\n- [0.1.10](https://github.com/pillarjs/path-to-regexp/releases/tag/v0.1.10)\\n- [1.9.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v1.9.0)\\n- [3.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v3.3.0)\\n- [6.3.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0)\\n\\nThey do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.\\n\\nVersion [7.1.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v7.1.0) can enable `strict: true` and get an error when the regular expression might be bad.\\n\\nVersion [8.0.0](https://github.com/pillarjs/path-to-regexp/releases/tag/v8.0.0) removes the features that can cause a ReDoS.\\n\\n### Workarounds\\n\\nAll versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change `/:a-:b` to `/:a-:b([^-/]+)`.\\n\\nIf paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the attack string improves performance by 4x faster.\\n\\n### Details\\n\\nUsing `/:a-:b` will produce the regular expression `/^\\\\/([^\\\\/]+?)-([^\\\\/]+?)\\\\/?$/`. This can be exploited by a path such as `/a${'-a'.repeat(8_000)}/a`. [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) has a good example of why this occurs, but the TL;DR is the `/a` at the end ensures this route would never match but due to naive backtracking it will still attempt every combination of the `:a-:b` on the repeated 8,000 `-a`.\\n\\nBecause JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.\\n\\n### References\\n\\n* [OWASP](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\\n* [Detailed blog post](https://blakeembrey.com/posts/2024-09-web-redos/)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.0\"\n },\n {\n \"fixed\": \"1.9.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.1.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"8.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"3.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"6.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-9wv6-86v2-598j/GHSA-9wv6-86v2-598j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-45296\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250124-0001\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-09-09T20:19:15Z\",\n \"nvd_published_at\": \"2024-09-09T19:15:13Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rhx6-c78j-4q9w\",\n \"published\": \"2024-12-05T22:40:47Z\",\n \"modified\": \"2025-06-03T14:30:56Z\",\n \"aliases\": [\n \"CVE-2024-52798\"\n ],\n \"related\": [\n \"CGA-3q69-c424-w54c\",\n \"CGA-46v3-9cq9-rx8v\",\n \"CGA-677r-6f8m-hg48\",\n \"CGA-6j8p-6x42-wj9m\",\n \"CGA-h864-qfx6-rqww\",\n \"CGA-wwx6-ggqg-hrxj\"\n ],\n \"summary\": \"path-to-regexp contains a ReDoS\",\n \"details\": \"### Impact\\n\\nThe regular expression that is vulnerable to backtracking can be generated in versions before 0.1.12 of `path-to-regexp`, originally reported in CVE-2024-45296\\n\\n### Patches\\n\\nUpgrade to 0.1.12.\\n\\n### Workarounds\\n\\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\\n\\n### References\\n\\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\\n- https://blakeembrey.com/posts/2024-09-web-redos/\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"path-to-regexp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/path-to-regexp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.1.12\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-rhx6-c78j-4q9w/GHSA-rhx6-c78j-4q9w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-52798\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blakeembrey.com/posts/2024-09-web-redos\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/pillarjs/path-to-regexp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250124-0002\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-12-05T22:40:47Z\",\n \"nvd_published_at\": \"2024-12-05T23:15:06Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g6ww-v8xp-vmwg\",\n \"published\": \"2022-02-10T20:21:24Z\",\n \"modified\": \"2025-01-14T08:57:34.966922Z\",\n \"aliases\": [\n \"CVE-2020-7751\"\n ],\n \"summary\": \"Prototype pollution in pathval\",\n \"details\": \"A prototype pollution vulnerability affects all versions of package pathval under 1.1.1.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"pathval\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/pathval\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-g6ww-v8xp-vmwg/GHSA-g6ww-v8xp-vmwg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7751\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/pathval/pull/58/commits/21a9046cfa0c2697cb41990f3b4316db410e6c8a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/pathval/pull/58/files\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/chaijs/pathval\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/chaijs/pathval/releases/tag/v1.1.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-PATHVAL-596926\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-20T17:32:20Z\",\n \"nvd_published_at\": \"2020-10-26T12:17:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-566m-qj78-rww5\",\n \"published\": \"2022-01-07T00:21:36Z\",\n \"modified\": \"2025-01-14T08:57:01.148991Z\",\n \"aliases\": [\n \"CVE-2021-23382\"\n ],\n \"summary\": \"Regular Expression Denial of Service in postcss\",\n \"details\": \"The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \\n```regex\\n\\\\/\\\\*\\\\s* sourceMappingURL=(.*)\\n```\\n\\n### PoC\\n```js\\nvar postcss = require(\\\"postcss\\\")\\nfunction build_attack(n) {\\n var ret = \\\"a{}\\\"\\n for (var i = 0; i \\u003c n; i++) {\\n ret += \\\"/*# sourceMappingURL=\\\"\\n }\\n return ret + \\\"!\\\";\\n}\\n```\\n```js\\npostcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i \\u003c= 500000; i++) {\\n if (i % 1000 == 0) {\\n var time = Date.now();\\n var attack_str = build_attack(i) try {\\n postcss.parse(attack_str) var time_cost = Date.now() - time;\\n console.log(\\\"attack_str.length: \\\" + attack_str.length + \\\": \\\" + time_cost + \\\" ms\\\");\\n } catch (e) {\\n var time_cost = Date.now() - time;\\n console.log(\\\"attack_str.length: \\\" + attack_str.length + \\\": \\\" + time_cost + \\\" ms\\\");\\n }\\n }\\n}\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"postcss\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/postcss\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.2.13\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-566m-qj78-rww5/GHSA-566m-qj78-rww5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"postcss\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/postcss\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.0.36\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-566m-qj78-rww5/GHSA-566m-qj78-rww5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23382\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/releases/tag/7.0.36\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-20T21:23:19Z\",\n \"nvd_published_at\": \"2021-04-26T16:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7fh5-64p2-3v2j\",\n \"published\": \"2023-09-30T00:31:10Z\",\n \"modified\": \"2025-11-04T16:45:01Z\",\n \"aliases\": [\n \"CVE-2023-44270\"\n ],\n \"summary\": \"PostCSS line return parsing error\",\n \"details\": \"An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\\\\r` discrepancies, as demonstrated by `@font-face{ font:(\\\\r/*);}` in a rule.\\n\\nThis vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains parts parsed by PostCSS as a CSS comment. After processing by PostCSS, it will be included in the PostCSS output in CSS nodes (rules, properties) despite being originally included in a comment.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"postcss\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/postcss\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"8.4.31\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-7fh5-64p2-3v2j/GHSA-7fh5-64p2-3v2j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-44270\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/issues/2820\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/postcss/postcss\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/blob/main/lib/tokenize.js#L25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/releases/tag/8.4.31\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-144\",\n \"CWE-74\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-03T15:04:58Z\",\n \"nvd_published_at\": \"2023-09-29T22:15:11Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hwj9-h5mp-3pm3\",\n \"published\": \"2021-05-10T15:29:24Z\",\n \"modified\": \"2025-01-14T08:57:30.487716Z\",\n \"aliases\": [\n \"CVE-2021-23368\"\n ],\n \"summary\": \"Regular Expression Denial of Service in postcss\",\n \"details\": \"The npm package `postcss` from 7.0.0 and before versions 7.0.36 and 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"postcss\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/postcss\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.36\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hwj9-h5mp-3pm3/GHSA-hwj9-h5mp-3pm3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"postcss\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/postcss\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.2.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-hwj9-h5mp-3pm3/GHSA-hwj9-h5mp-3pm3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23368\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/commit/54cbf3c4847eb0fb1501b9d2337465439e849734\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/commit/8682b1e4e328432ba692bed52326e84439cec9e4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/postcss/postcss/commit/b6f3e4d5a8d7504d553267f80384373af3a3dec5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r00158f5d770d75d0655c5eef1bdbc6150531606c8f8bcb778f0627be@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r16e295b4f02d81b79981237d602cb0b9e59709bafaa73ac98be7cef1@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49afb49b38748897211b1f89c3a64dc27f9049474322b05715695aab@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5acd89f3827ad9a9cad6d24ed93e377f7114867cd98cfba616c6e013@%3Ccommits.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8def971a66cf3e375178fbee752e1b04a812a047cc478ad292007e33@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad5af2044afb51668b1008b389ac815a28ecea9eb75ae2cab5a00ebb@%3Ccommits.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1244795\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-07T17:26:38Z\",\n \"nvd_published_at\": \"2021-04-12T14:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-762f-c2wg-m8c8\",\n \"published\": \"2018-10-09T00:27:15Z\",\n \"modified\": \"2023-11-08T04:00:18.161439Z\",\n \"aliases\": [\n \"CVE-2018-3738\"\n ],\n \"summary\": \"Denial of Service in protobufjs\",\n \"details\": \"Versions of `protobufjs` before 5.0.3 and 6.8.6 are vulnerable to a regular expression denial of service when parsing crafted invalid *.proto files.\\n\\n\\n## Recommendation\\n\\nUpdate to version 5.0.3, 6.8.6 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.8.6\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-762f-c2wg-m8c8/GHSA-762f-c2wg-m8c8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.0.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-762f-c2wg-m8c8/GHSA-762f-c2wg-m8c8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-3738\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/319576\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-762f-c2wg-m8c8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dcodeIO/protobuf.js/blob/6.8.5/src/parse.js#L27\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/605\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:21:32Z\",\n \"nvd_published_at\": \"2018-06-07T02:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g954-5hwp-pp24\",\n \"published\": \"2022-05-28T00:00:20Z\",\n \"modified\": \"2025-01-14T10:57:13.409784Z\",\n \"aliases\": [\n \"CVE-2022-25878\"\n ],\n \"summary\": \"Prototype Pollution in protobufjs\",\n \"details\": \"The package protobufjs is vulnerable to Prototype Pollution, which can allow an attacker to add/modify properties of the Object.prototype. Versions after and including 6.10.0 until 6.10.3 and after and including 6.11.0 until 6.11.3 are vulnerable.\\n\\nThis vulnerability can occur in multiple ways:\\n1. by providing untrusted user input to util.setProperty or to ReflectionObject.setParsedOption functions\\n2. by parsing/loading .proto files\\n\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.11.0\"\n },\n {\n \"fixed\": \"6.11.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g954-5hwp-pp24/GHSA-g954-5hwp-pp24.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.10.0\"\n },\n {\n \"fixed\": \"6.10.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g954-5hwp-pp24/GHSA-g954-5hwp-pp24.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25878\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/pull/1731\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/pull/1735\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/commit/b5f1391dff5515894830a6570e6d73f5511b2e8f\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protobufjs/protobuf.js\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/blob/d13d5d5688052e366aa2e9169f50dfca376b32cf/src/util.js%23L176-L197\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2841507\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-02T20:36:05Z\",\n \"nvd_published_at\": \"2022-05-27T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h755-8qp9-cq85\",\n \"published\": \"2023-07-05T15:30:24Z\",\n \"modified\": \"2024-06-28T18:31:41Z\",\n \"aliases\": [\n \"CVE-2023-36665\"\n ],\n \"related\": [\n \"CGA-9c79-2q9x-78w6\"\n ],\n \"summary\": \"protobufjs Prototype Pollution vulnerability\",\n \"details\": \"protobuf.js (aka protobufjs) 6.10.0 until 6.11.4 and 7.0.0 until 7.2.4 allows Prototype Pollution, a different vulnerability than CVE-2022-25878. A user-controlled protobuf message can be used by an attacker to pollute the prototype of Object.prototype by adding and overwriting its data and functions. Exploitation can involve: (1) using the function parse to parse protobuf messages on the fly, (2) loading .proto files by using load/loadSync functions, or (3) providing untrusted input to the functions ReflectionObject.setParsedOption and util.setProperty. NOTE: this CVE Record is about `Object.constructor.prototype.\\u003cnew-property\\u003e = ...;` whereas CVE-2022-25878 was about `Object.__proto__.\\u003cnew-property\\u003e = ...;` instead.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.2.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h755-8qp9-cq85/GHSA-h755-8qp9-cq85.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"protobufjs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/protobufjs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.10.0\"\n },\n {\n \"fixed\": \"6.11.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-h755-8qp9-cq85/GHSA-h755-8qp9-cq85.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-36665\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/issues/1918#issuecomment-1723500294\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/pull/1899\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/commit/e66379f451b0393c27d87b37fa7d271619e16b0d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protobufjs/protobuf.js\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/commits/release-6.11.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/compare/protobufjs-v7.2.3...protobufjs-v7.2.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protobufjs/protobuf.js/releases/tag/protobufjs-v7.2.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240628-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.code-intelligence.com/blog/cve-protobufjs-prototype-pollution-cve-2023-36665\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-07T20:19:02Z\",\n \"nvd_published_at\": \"2023-07-05T14:15:09Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c2gp-86p4-5935\",\n \"published\": \"2020-09-02T18:25:43Z\",\n \"modified\": \"2023-11-08T04:01:37.201603Z\",\n \"aliases\": [\n \"CVE-2019-5786\"\n ],\n \"summary\": \"Use-After-Free in puppeteer\",\n \"details\": \"Versions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 1.13.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"puppeteer\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/puppeteer\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.13.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-c2gp-86p4-5935/GHSA-c2gp-86p4-5935.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-5786\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/GoogleChrome/puppeteer/issues/4141\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crbug.com/936448\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/GoogleChrome/puppeteer\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/824\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-416\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T18:37:09Z\",\n \"nvd_published_at\": \"2019-06-27T17:15:13Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f9cm-p3w6-xvr3\",\n \"published\": \"2018-10-09T00:38:48Z\",\n \"modified\": \"2023-11-08T03:57:33.533771Z\",\n \"aliases\": [\n \"CVE-2014-10064\"\n ],\n \"summary\": \"Denial-of-Service Extended Event Loop Blocking in qs\",\n \"details\": \"Versions prior to 1.0.0 of `qs` are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.\\n\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.0.0 or later\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-f9cm-p3w6-xvr3/GHSA-f9cm-p3w6-xvr3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-10064\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-f9cm-p3w6-xvr3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/28\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:34:11Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gqgv-6jq5-jjj9\",\n \"published\": \"2020-04-30T17:16:47Z\",\n \"modified\": \"2023-11-08T03:58:42.086259Z\",\n \"aliases\": [\n \"CVE-2017-1000048\"\n ],\n \"summary\": \"Prototype Pollution Protection Bypass in qs\",\n \"details\": \"Affected version of `qs` are vulnerable to Prototype Pollution because it is possible to bypass the protection. The `qs.parse` function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing `[` or `]` may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.\\n\\n\\n## Recommendation\\n\\nUpgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.0.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.1.0\"\n },\n {\n \"fixed\": \"6.1.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.2.0\"\n },\n {\n \"fixed\": \"6.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.3.0\"\n },\n {\n \"fixed\": \"6.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-gqgv-6jq5-jjj9/GHSA-gqgv-6jq5-jjj9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-1000048\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/issues/200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2672\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ljharb/qs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:qs:20170213\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1469\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-30T17:16:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hrpp-h998-j3pp\",\n \"published\": \"2022-11-27T00:30:50Z\",\n \"modified\": \"2025-04-29T15:41:43Z\",\n \"aliases\": [\n \"CVE-2022-24999\"\n ],\n \"summary\": \"qs vulnerable to Prototype Pollution\",\n \"details\": \"qs before 6.10.3 allows attackers to cause a Node process hang because an `__ proto__` key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as `a[__proto__]=b\\u0026a[__proto__]\\u0026a[length]=100000000`. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.10.0\"\n },\n {\n \"fixed\": \"6.10.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.9.0\"\n },\n {\n \"fixed\": \"6.9.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.8.0\"\n },\n {\n \"fixed\": \"6.8.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.7.0\"\n },\n {\n \"fixed\": \"6.7.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.6.0\"\n },\n {\n \"fixed\": \"6.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.5.0\"\n },\n {\n \"fixed\": \"6.5.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.4.0\"\n },\n {\n \"fixed\": \"6.4.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.3.0\"\n },\n {\n \"fixed\": \"6.3.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.2.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-hrpp-h998-j3pp/GHSA-hrpp-h998-j3pp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-24999\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/pull/428\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/expressjs/express/releases/tag/4.17.3\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ljharb/qs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/n8tz/CVE-2022-24999\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230908-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-06T14:32:46Z\",\n \"nvd_published_at\": \"2022-11-26T22:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jjv7-qpx3-h62q\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2023-11-08T03:57:44.492821Z\",\n \"aliases\": [\n \"CVE-2014-7191\"\n ],\n \"summary\": \"Denial-of-Service Memory Exhaustion in qs\",\n \"details\": \"Versions prior to 1.0 of `qs` are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"qs\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/qs\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-jjv7-qpx3-h62q/GHSA-jjv7-qpx3-h62q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-7191\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/visionmedia/node-querystring/issues/104\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/raymondfeng/node-querystring/commit/43a604b7847e56bba49d0ce3e222fe89569354d8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2016:1380\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/96729\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-jjv7-qpx3-h62q\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/visionmedia/node-querystring\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/29\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/60026\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/62170\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21685987\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21687263\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21687928\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:43:41Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7xfp-9c55-5vqj\",\n \"published\": \"2018-11-09T17:44:01Z\",\n \"modified\": \"2023-11-08T03:59:00.437371Z\",\n \"aliases\": [\n \"CVE-2017-16026\"\n ],\n \"summary\": \"Remote Memory Exposure in request\",\n \"details\": \"Affected versions of `request` will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of `body` is `number`, then a buffer of that size will be allocated and sent to the remote server as the body.\\n\\n## Proof of Concept\\n\\n```js\\nvar request = require('request');\\nvar http = require('http');\\n\\nvar serveFunction = function (req, res){\\n\\treq.on('data', function (data) {\\n console.log(data)\\n });\\n\\tres.end();\\n};\\nvar server = http.createServer(serveFunction);\\nserver.listen(8000);\\n\\nrequest({\\n\\tmethod: \\\"POST\\\",\\n\\turi: 'http://localhost:8000',\\n\\tmultipart: [{body:500}]\\n},function(err,res,body){});\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.68.0 or later\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"request\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/request\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.49.0\"\n },\n {\n \"fixed\": \"2.68.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-7xfp-9c55-5vqj/GHSA-7xfp-9c55-5vqj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"request\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/request\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.2.6\"\n },\n {\n \"fixed\": \"2.68.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 2.47.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-7xfp-9c55-5vqj/GHSA-7xfp-9c55-5vqj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16026\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/issues/1904\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/pull/2018\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/pull/2022\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/commit/29d81814bc16bc79cb112b4face8be6fc00061dd\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/request/request\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-201\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:23:42Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p8p7-x288-28g6\",\n \"published\": \"2023-03-16T15:30:19Z\",\n \"modified\": \"2024-03-21T17:47:20Z\",\n \"aliases\": [\n \"CVE-2023-28155\"\n ],\n \"related\": [\n \"CGA-qqwm-8ppm-96fx\",\n \"CGA-rw88-hxpr-jw8v\"\n ],\n \"summary\": \"Server-Side Request Forgery in Request\",\n \"details\": \"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\\n\\nNOTE: The `request` package is no longer supported by the maintainer.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"request\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/request\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"2.88.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-p8p7-x288-28g6/GHSA-p8p7-x288-28g6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"@cypress/request\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/%40cypress/request\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.88.12\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-p8p7-x288-28g6/GHSA-p8p7-x288-28g6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-28155\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/issues/3442\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cypress-io/request/pull/28\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/advisory-database/pull/2500\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/pull/3444\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/cypress-io/request/releases/tag/v3.0.0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/request/request\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/request/blob/master/lib/redirect.js#L111\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230413-0007\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-918\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-03-16T18:33:48Z\",\n \"nvd_published_at\": \"2023-03-16T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gcx4-mw62-g8wm\",\n \"published\": \"2024-09-23T22:11:02Z\",\n \"modified\": \"2024-09-26T21:11:53Z\",\n \"aliases\": [\n \"CVE-2024-47068\"\n ],\n \"related\": [\n \"CGA-h8jq-gmpr-v5fp\",\n \"CGA-w3cq-r6w2-f8xg\"\n ],\n \"summary\": \"DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS\",\n \"details\": \"### Summary\\n\\nWe discovered a DOM Clobbering vulnerability in rollup when bundling scripts that use `import.meta.url` or with plugins that emit and reference asset files from code in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present.\\n\\nIt's worth noting that we’ve identifed similar issues in other popular bundlers like Webpack ([CVE-2024-43788](https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986)), which might serve as a good reference.\\n\\n### Details\\n\\n#### Backgrounds\\n\\nDOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:\\n\\n[1] https://scnps.co/papers/sp23_domclob.pdf\\n[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/\\n\\n#### Gadget found in `rollup`\\n\\nWe have identified a DOM Clobbering vulnerability in `rollup` bundled scripts, particularly when the scripts uses `import.meta` and set output in format of `cjs`/`umd`/`iife`. In such cases, `rollup` replaces meta property with the URL retrieved from `document.currentScript`.\\n\\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162\\n\\nhttps://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185\\n\\nHowever, this implementation is vulnerable to a DOM Clobbering attack. The `document.currentScript` lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the `src` attribute of the attacker-controlled element (e.g., an `img` tag ) is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.\\n\\n### PoC\\n\\nConsidering a website that contains the following `main.js` script, the devloper decides to use the `rollup` to bundle up the program: `rollup main.js --format cjs --file bundle.js`.\\n\\n```\\nvar s = document.createElement('script')\\ns.src = import.meta.url + 'extra.js'\\ndocument.head.append(s)\\n```\\n\\nThe output `bundle.js` is shown in the following code snippet.\\n\\n```\\n'use strict';\\n\\nvar _documentCurrentScript = typeof document !== 'undefined' ? document.currentScript : null;\\nvar s = document.createElement('script');\\ns.src = (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript \\u0026\\u0026 False \\u0026\\u0026 _documentCurrentScript.src || new URL('bundle.js', document.baseURI).href)) + 'extra.js';\\ndocument.head.append(s);\\n```\\n\\nAdding the `rollup` bundled script, `bundle.js`, as part of the web page source code, the page could load the `extra.js` file from the attacker's domain, `attacker.controlled.server` due to the introduced gadget during bundling. The attacker only needs to insert an `img` tag with the name attribute set to `currentScript`. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.\\n\\n```\\n\\u003c!DOCTYPE html\\u003e\\n\\u003chtml\\u003e\\n\\u003chead\\u003e\\n \\u003ctitle\\u003erollup Example\\u003c/title\\u003e\\n \\u003c!-- Attacker-controlled Script-less HTML Element starts--!\\u003e\\n \\u003cimg name=\\\"currentScript\\\" src=\\\"https://attacker.controlled.server/\\\"\\u003e\\u003c/img\\u003e\\n \\u003c!-- Attacker-controlled Script-less HTML Element ends--!\\u003e\\n\\u003c/head\\u003e\\n\\u003cscript type=\\\"module\\\" crossorigin src=\\\"bundle.js\\\"\\u003e\\u003c/script\\u003e\\n\\u003cbody\\u003e\\n\\u003c/body\\u003e\\n\\u003c/html\\u003e\\n```\\n\\n### Impact\\n\\nThis vulnerability can result in cross-site scripting (XSS) attacks on websites that include rollup-bundled files (configured with an output format of `cjs`, `iife`, or `umd` and use `import.meta`) and allow users to inject certain scriptless HTML tags without properly sanitizing the `name` or `id` attributes.\\n\\n### Patch\\n\\nPatching the following two functions with type checking would be effective mitigations against DOM Clobbering attack.\\n\\n```\\nconst getRelativeUrlFromDocument = (relativePath: string, umd = false) =\\u003e\\n\\tgetResolveUrl(\\n\\t\\t`'${escapeId(relativePath)}', ${\\n\\t\\t\\tumd ? `typeof document === 'undefined' ? location.href : ` : ''\\n\\t\\t}document.currentScript \\u0026\\u0026 document.currentScript.tagName.toUpperCase() === 'SCRIPT' \\u0026\\u0026 document.currentScript.src || document.baseURI`\\n\\t);\\n```\\n\\n```\\nconst getUrlFromDocument = (chunkId: string, umd = false) =\\u003e\\n\\t`${\\n\\t\\tumd ? `typeof document === 'undefined' ? location.href : ` : ''\\n\\t}(${DOCUMENT_CURRENT_SCRIPT} \\u0026\\u0026 ${DOCUMENT_CURRENT_SCRIPT}.tagName.toUpperCase() === 'SCRIPT' \\u0026\\u0026${DOCUMENT_CURRENT_SCRIPT}.src || new URL('${escapeId(\\n\\t\\tchunkId\\n\\t)}', document.baseURI).href)`;\\n```\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"rollup\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/rollup\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.29.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"rollup\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/rollup\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.22.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"rollup\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/rollup\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.79.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-gcx4-mw62-g8wm/GHSA-gcx4-mw62-g8wm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-47068\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/rollup/rollup\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L157-L162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rollup/rollup/blob/b86ffd776cfa906573d36c3f019316d02445d9ef/src/ast/nodes/MetaProperty.ts#L180-L185\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-09-23T22:11:02Z\",\n \"nvd_published_at\": \"2024-09-23T16:15:06Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c2qf-rxjj-qqgw\",\n \"published\": \"2023-06-21T06:30:28Z\",\n \"modified\": \"2024-12-06T20:34:31Z\",\n \"aliases\": [\n \"CVE-2022-25883\"\n ],\n \"related\": [\n \"CGA-xmx9-rvv8-j9xq\"\n ],\n \"summary\": \"semver vulnerable to Regular Expression Denial of Service\",\n \"details\": \"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"semver\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/semver\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.5.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"semver\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/semver\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"semver\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/semver\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.7.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-c2qf-rxjj-qqgw/GHSA-c2qf-rxjj-qqgw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25883\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/pull/564\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/pull/585\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/pull/593\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/npm/node-semver\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/internal/re.js#L138\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/internal/re.js#L160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/npm/node-semver/blob/main/internal/re.js%23L160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241025-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-22T16:52:56Z\",\n \"nvd_published_at\": \"2023-06-21T05:15:09Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x6fg-f45m-jf5q\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2023-11-08T03:58:03.440077Z\",\n \"aliases\": [\n \"CVE-2015-8855\"\n ],\n \"summary\": \"Regular Expression Denial of Service in semver\",\n \"details\": \"Versions 4.3.1 and earlier of `semver` are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 4.3.2 or later\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"semver\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/semver\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-x6fg-f45m-jf5q/GHSA-x6fg-f45m-jf5q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8855\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-x6fg-f45m-jf5q\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/31\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/04/20/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/86957\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:02:25Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-76p7-773f-r4q5\",\n \"published\": \"2025-02-10T18:30:47Z\",\n \"modified\": \"2025-06-05T00:31:18Z\",\n \"aliases\": [\n \"CVE-2024-11831\"\n ],\n \"related\": [\n \"CGA-72hf-gjp2-m4hx\"\n ],\n \"summary\": \"Cross-site Scripting (XSS) in serialize-javascript\",\n \"details\": \"A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"serialize-javascript\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/serialize-javascript\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-76p7-773f-r4q5/GHSA-76p7-773f-r4q5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-11831\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yahoo/serialize-javascript/pull/173\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yahoo/serialize-javascript/commit/7f3ac252d86b802454cb43782820aea2e0f6dc25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2025:0304\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:1334\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:1468\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:4511\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:8059\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:8479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:8544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2025:8551\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2024-11831\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2312579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/yahoo/serialize-javascript\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-02-10T21:19:59Z\",\n \"nvd_published_at\": \"2025-02-10T16:15:37Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h9rv-jmmf-4pgx\",\n \"published\": \"2019-12-05T18:44:37Z\",\n \"modified\": \"2023-11-08T04:01:20.904735Z\",\n \"aliases\": [\n \"CVE-2019-16769\"\n ],\n \"related\": [\n \"CVE-2019-16769\"\n ],\n \"summary\": \"Cross-Site Scripting in serialize-javascript\",\n \"details\": \"Versions of `serialize-javascript` prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.\\n\\n\\n## Recommendation\\n\\nUpgrade to version 2.1.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"serialize-javascript\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/serialize-javascript\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-h9rv-jmmf-4pgx/GHSA-h9rv-jmmf-4pgx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-h9rv-jmmf-4pgx\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-16769\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-h9rv-jmmf-4pgx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1426\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:39:51Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hxcc-f52p-wc94\",\n \"published\": \"2020-08-11T17:21:13Z\",\n \"modified\": \"2023-11-08T04:04:03.301649Z\",\n \"aliases\": [\n \"CVE-2020-7660\"\n ],\n \"summary\": \"Insecure serialization leading to RCE in serialize-javascript\",\n \"details\": \"serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function \\\"deleteFunctions\\\" within \\\"index.js\\\". \\n\\nAn object such as `{\\\"foo\\\": /1\\\"/, \\\"bar\\\": \\\"a\\\\\\\"@__R-\\u003cUID\\u003e-0__@\\\"}` was serialized as `{\\\"foo\\\": /1\\\"/, \\\"bar\\\": \\\"a\\\\/1\\\"/}`, which allows an attacker to escape the `bar` key. This requires the attacker to control the values of both `foo` and `bar` and guess the value of `\\u003cUID\\u003e`. The UID has a keyspace of approximately 4 billion making it a realistic network attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"serialize-javascript\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/serialize-javascript\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-hxcc-f52p-wc94/GHSA-hxcc-f52p-wc94.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7660\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yahoo/serialize-javascript/commit/f21a6fb3ace2353413761e79717b2d210ba6ccbd\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/yahoo/serialize-javascript\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-11T14:14:51Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2m39-62fm-q8r3\",\n \"published\": \"2018-08-15T13:22:23Z\",\n \"modified\": \"2023-11-08T04:00:18.101194Z\",\n \"aliases\": [\n \"CVE-2018-3737\"\n ],\n \"summary\": \"Regular Expression Denial of Service in sshpk\",\n \"details\": \"Versions of `sshpk` before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.13.2, 1.14.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"sshpk\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/sshpk\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.13.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-2m39-62fm-q8r3/GHSA-2m39-62fm-q8r3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-3737\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/319593\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2m39-62fm-q8r3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/joyent/node-sshpk/blob/v1.13.1/lib/formats/ssh.js#L17\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/606\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-185\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:52:29Z\",\n \"nvd_published_at\": \"2018-06-07T02:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46980\",\n \"published\": \"2025-09-08T17:14:19Z\",\n \"modified\": \"2025-09-12T01:13:35Z\",\n \"aliases\": [\n \"GHSA-vfjc-p7x3-q864\"\n ],\n \"summary\": \"Malicious code in strip-ansi (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (3736bb5cc515b07f47ad6b5bb06c367271994c4b6606f1ddeb91a056788c34c2)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"strip-ansi\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/strip-ansi\"\n },\n \"versions\": [\n \"7.1.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/strip-ansi/MAL-2025-46980.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-vfjc-p7x3-q864\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-vfjc-p7x3-q864\",\n \"import_time\": \"2025-09-09T00:35:48.417988007Z\",\n \"modified_time\": \"2025-09-08T18:22:51Z\",\n \"sha256\": \"3736bb5cc515b07f47ad6b5bb06c367271994c4b6606f1ddeb91a056788c34c2\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"7.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-vfjc-p7x3-q864\",\n \"import_time\": \"2025-09-10T00:34:05.234284619Z\",\n \"modified_time\": \"2025-09-08T18:22:51Z\",\n \"sha256\": \"b9f36a9a8b8c75ed8926b3ceb034acefa7453d1217cef20a4f5d61388ab51f12\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"7.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-vfjc-p7x3-q864\",\n \"import_time\": \"2025-09-11T00:34:35.487371486Z\",\n \"modified_time\": \"2025-09-10T17:53:32Z\",\n \"sha256\": \"d1a76aaa14b97e80e6fda1c933066728d98ae6717da55eb385cb356dcad097be\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"7.1.1\"\n ]\n },\n {\n \"id\": \"GHSA-vfjc-p7x3-q864\",\n \"import_time\": \"2025-09-12T00:33:58.10631928Z\",\n \"modified_time\": \"2025-09-10T17:53:32Z\",\n \"sha256\": \"e63c6c35fc417d7362b55829617faa7c8e8f920a33c2acda915ae3ab42337209\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"7.1.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46981\",\n \"published\": \"2025-09-08T17:16:42Z\",\n \"modified\": \"2025-09-12T01:13:35Z\",\n \"aliases\": [\n \"GHSA-pj3j-3w3f-j752\"\n ],\n \"summary\": \"Malicious code in supports-color (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (52d7b5f7535b1ec1964ec7f0a7019898a143639f62bf70f6a5e6b9e2ca580c12)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"supports-color\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/supports-color\"\n },\n \"versions\": [\n \"10.2.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/supports-color/MAL-2025-46981.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-pj3j-3w3f-j752\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-pj3j-3w3f-j752\",\n \"import_time\": \"2025-09-09T00:35:48.417272496Z\",\n \"modified_time\": \"2025-09-08T18:22:23Z\",\n \"sha256\": \"52d7b5f7535b1ec1964ec7f0a7019898a143639f62bf70f6a5e6b9e2ca580c12\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"10.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-pj3j-3w3f-j752\",\n \"import_time\": \"2025-09-10T00:34:05.232662764Z\",\n \"modified_time\": \"2025-09-08T18:22:23Z\",\n \"sha256\": \"6edf0d38ed37ebe4b548be0aeea65438e663532c91f0e021f1981d03f254e638\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"10.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-pj3j-3w3f-j752\",\n \"import_time\": \"2025-09-11T00:34:35.482064314Z\",\n \"modified_time\": \"2025-09-10T17:54:37Z\",\n \"sha256\": \"c6c42dee5c9fab44968a5492f6069d39f9c0dd31e15ea9661b07c4b7a32a92d9\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"10.2.1\"\n ]\n },\n {\n \"id\": \"GHSA-pj3j-3w3f-j752\",\n \"import_time\": \"2025-09-12T00:33:58.094285504Z\",\n \"modified_time\": \"2025-09-10T17:54:37Z\",\n \"sha256\": \"7915f9ca7a3b89c142b1610243be907ffe0c90ae4c03b664c003183d2a14cd36\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"10.2.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4wf5-vphf-c2xc\",\n \"published\": \"2022-07-16T00:00:20Z\",\n \"modified\": \"2025-01-14T10:57:13.174999Z\",\n \"aliases\": [\n \"CVE-2022-25858\"\n ],\n \"summary\": \"Terser insecure use of regular expressions leads to ReDoS\",\n \"details\": \"The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"terser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/terser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.8.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4wf5-vphf-c2xc/GHSA-4wf5-vphf-c2xc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"terser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/terser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"5.0.0\"\n },\n {\n \"fixed\": \"5.14.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-4wf5-vphf-c2xc/GHSA-4wf5-vphf-c2xc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/terser/terser\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2949722\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-TERSER-2806366\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-20T01:21:59Z\",\n \"nvd_published_at\": \"2022-07-15T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-52f5-9888-hmc6\",\n \"published\": \"2025-08-06T17:06:04Z\",\n \"modified\": \"2025-11-03T21:34:20Z\",\n \"aliases\": [\n \"CVE-2025-54798\"\n ],\n \"related\": [\n \"CGA-24xq-h2j3-3x86\",\n \"CGA-6p3x-59vm-9fq8\"\n ],\n \"summary\": \"tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter\",\n \"details\": \"### Summary\\n\\n`tmp@0.2.3` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter.\\n\\n\\n### Details\\n\\nAccording to the documentation there are some conditions that must be held:\\n\\n```\\n// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50\\n\\nOther breaking changes, i.e.\\n\\n- template must be relative to tmpdir\\n- name must be relative to tmpdir\\n- dir option must be relative to tmpdir //\\u003c-- this assumption can be bypassed using symlinks\\n\\nare still in place.\\n\\nIn order to override the system's tmpdir, you will have to use the newly\\nintroduced tmpdir option.\\n\\n\\n// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375\\n* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.\\n absolute paths are fine as long as they point to a location under the system's default temporary directory.\\n Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, \\n as tmp will not check the availability of the path, nor will it establish the requested path for you.\\n```\\n\\nRelated issue: https://github.com/raszi/node-tmp/issues/207.\\n\\n\\nThe issue occurs because `_resolvePath` does not properly handle symbolic link when resolving paths:\\n```js\\n// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579\\nfunction _resolvePath(name, tmpDir) {\\n if (name.startsWith(tmpDir)) {\\n return path.resolve(name);\\n } else {\\n return path.resolve(path.join(tmpDir, name));\\n }\\n}\\n```\\n\\nIf the `dir` parameter points to a symlink that resolves to a folder outside the `tmpDir`, it's possible to bypass the `_assertIsRelative` check used in `_assertAndSanitizeOptions`:\\n```js\\n// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609\\nfunction _assertIsRelative(name, option, tmpDir) {\\n if (option === 'name') {\\n // assert that name is not absolute and does not contain a path\\n if (path.isAbsolute(name))\\n throw new Error(`${option} option must not contain an absolute path, found \\\"${name}\\\".`);\\n // must not fail on valid .\\u003cname\\u003e or ..\\u003cname\\u003e or similar such constructs\\n let basename = path.basename(name);\\n if (basename === '..' || basename === '.' || basename !== name)\\n throw new Error(`${option} option must not contain a path, found \\\"${name}\\\".`);\\n }\\n else { // if (option === 'dir' || option === 'template') {\\n // assert that dir or template are relative to tmpDir\\n if (path.isAbsolute(name) \\u0026\\u0026 !name.startsWith(tmpDir)) {\\n throw new Error(`${option} option must be relative to \\\"${tmpDir}\\\", found \\\"${name}\\\".`);\\n }\\n let resolvedPath = _resolvePath(name, tmpDir); //\\u003c--- \\n if (!resolvedPath.startsWith(tmpDir))\\n throw new Error(`${option} option must be relative to \\\"${tmpDir}\\\", found \\\"${resolvedPath}\\\".`);\\n }\\n}\\n```\\n\\n\\n### PoC\\n\\nThe following PoC demonstrates how writing a tmp file on a folder outside the `tmpDir` is possible.\\nTested on a Linux machine.\\n\\n- Setup: create a symbolic link inside the `tmpDir` that points to a directory outside of it\\n```bash\\nmkdir $HOME/mydir1\\n\\nln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir\\n```\\n\\n- check the folder is empty:\\n```bash\\nls -lha $HOME/mydir1 | grep \\\"tmp-\\\"\\n```\\n\\n- run the poc\\n```bash\\nnode main.js\\nFile: /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf\\ntest 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'\\ntest 2: dir option must be relative to \\\"/tmp\\\", found \\\"/foo\\\".\\ntest 3: dir option must be relative to \\\"/tmp\\\", found \\\"/home/user/mydir1\\\".\\n```\\n\\n- the temporary file is created under `$HOME/mydir1` (outside the `tmpDir`):\\n```bash\\nls -lha $HOME/mydir1 | grep \\\"tmp-\\\"\\n-rw------- 1 user user 0 Apr X XX:XX tmp-[random-id]\\n```\\n\\n\\n- `main.js`\\n```js\\n// npm i tmp@0.2.3\\n\\nconst tmp = require('tmp');\\n\\nconst tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});\\nconsole.log('File: ', tmpobj.name);\\n\\ntry {\\n tmp.fileSync({ 'dir': 'mydir1'});\\n} catch (err) {\\n console.log('test 1:', err.message)\\n}\\n\\ntry {\\n tmp.fileSync({ 'dir': '/foo'});\\n} catch (err) {\\n console.log('test 2:', err.message)\\n}\\n\\ntry {\\n const fs = require('node:fs');\\n const resolved = fs.realpathSync('/tmp/evil-dir');\\n tmp.fileSync({ 'dir': resolved});\\n} catch (err) {\\n console.log('test 3:', err.message)\\n}\\n```\\n\\n\\nA Potential fix could be to call `fs.realpathSync` (or similar) that resolves also symbolic links.\\n```js\\nfunction _resolvePath(name, tmpDir) {\\n let resolvedPath;\\n if (name.startsWith(tmpDir)) {\\n resolvedPath = path.resolve(name);\\n } else {\\n resolvedPath = path.resolve(path.join(tmpDir, name));\\n }\\n return fs.realpathSync(resolvedPath);\\n}\\n```\\n\\n\\n### Impact\\n\\nArbitrary temporary file / directory write via symlink\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"tmp\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/tmp\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.2.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.2.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-52f5-9888-hmc6/GHSA-52f5-9888-hmc6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-54798\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/raszi/node-tmp/issues/207\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/raszi/node-tmp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-59\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-08-06T17:06:04Z\",\n \"nvd_published_at\": \"2025-08-07T01:15:26Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-72xf-g2v4-qvf3\",\n \"published\": \"2023-07-01T06:30:16Z\",\n \"modified\": \"2024-06-21T21:33:53Z\",\n \"aliases\": [\n \"CVE-2023-26136\"\n ],\n \"related\": [\n \"CGA-hf6q-478m-mm8p\"\n ],\n \"summary\": \"tough-cookie Prototype Pollution vulnerability\",\n \"details\": \"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"tough-cookie\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/tough-cookie\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-72xf-g2v4-qvf3/GHSA-72xf-g2v4-qvf3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26136\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/issues/282\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/salesforce/tough-cookie\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-07T21:39:57Z\",\n \"nvd_published_at\": \"2023-07-01T05:15:16Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g7q5-pjjr-gqvp\",\n \"published\": \"2018-07-24T20:14:39Z\",\n \"modified\": \"2023-11-08T03:58:56.101045Z\",\n \"aliases\": [\n \"CVE-2017-15010\"\n ],\n \"summary\": \"Regular Expression Denial of Service in tough-cookie\",\n \"details\": \"Affected versions of `tough-cookie` are susceptible to a regular expression denial of service.\\n\\nThe amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.\\n\\nIf node was compiled using the `-DHTTP_MAX_HEADER_SIZE` however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.3.3 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"tough-cookie\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/tough-cookie\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-g7q5-pjjr-gqvp/GHSA-g7q5-pjjr-gqvp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-15010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/issues/92\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/commit/f1ed420a6a92ea7a5418df6e39e676556bc0c71d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2912\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2913\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1263\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1264\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-g7q5-pjjr-gqvp\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/salesforce/tough-cookie\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6VEBDTGNHVM677SLZDEHMWOP3ISMZSFT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:tough-cookie:20170905\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/525\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/101185\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:36:20Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qhv9-728r-6jqg\",\n \"published\": \"2018-10-10T18:57:02Z\",\n \"modified\": \"2023-11-08T03:58:07.908980Z\",\n \"aliases\": [\n \"CVE-2016-1000232\"\n ],\n \"summary\": \"ReDoS via long string of semicolons in tough-cookie\",\n \"details\": \"Affected versions of `tough-cookie` may be vulnerable to regular expression denial of service when long strings of semicolons exist in the `Set-Cookie` header.\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.3.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"tough-cookie\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/tough-cookie\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qhv9-728r-6jqg/GHSA-qhv9-728r-6jqg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000232\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/commit/615627206357d997d5e6ff9da158997de05235ae\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/salesforce/tough-cookie/commit/e4fc2e0f9ee1b7a818d68f0ac7ea696f377b1534\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2016:2101\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2912\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/cve-2016-1000232\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-qhv9-728r-6jqg\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/salesforce/tough-cookie\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-affected-by-node-js-tough-cookie-module-vulnerability-to-a-denial-of-service-cve-2016-1000232\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/130\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:52:05Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xc7v-wxcw-j472\",\n \"published\": \"2019-06-03T17:08:26Z\",\n \"modified\": \"2020-08-31T18:29:19Z\",\n \"summary\": \"Memory Exposure in tunnel-agent\",\n \"details\": \"Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\\n\\nThis is exploitable if user supplied input is provided to the auth value and is a number.\\n\\nProof-of-concept:\\n```js\\nrequire('request')({\\n method: 'GET',\\n uri: 'http://www.example.com',\\n tunnel: true,\\n proxy:{\\n protocol: 'http:',\\n host:'127.0.0.1',\\n port:8080,\\n auth:USERSUPPLIEDINPUT // number\\n }\\n});\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 0.6.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"tunnel-agent\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/tunnel-agent\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.6.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xc7v-wxcw-j472/GHSA-xc7v-wxcw-j472.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/598\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-03T17:08:06Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-34r7-q49f-h37c\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2024-02-16T08:16:42.823655Z\",\n \"aliases\": [\n \"CVE-2015-8857\"\n ],\n \"summary\": \"Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js\",\n \"details\": \"Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\\n\\n## Recommendation\\n\\nUpgrade UglifyJS to version \\u003e= 2.4.24.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"uglify-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/uglify-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.4.24\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-34r7-q49f-h37c/GHSA-34r7-q49f-h37c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"uglifier\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/uglifier\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0\",\n \"0.1.1\",\n \"0.2.0\",\n \"0.3.0\",\n \"0.4.0\",\n \"0.5.0\",\n \"0.5.1\",\n \"0.5.2\",\n \"0.5.3\",\n \"0.5.4\",\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.2.7\",\n \"1.3.0\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.3\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.7.0\",\n \"2.7.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-34r7-q49f-h37c/GHSA-34r7-q49f-h37c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/mishoo/UglifyJS2/issues/751\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lautis/uglifier/commit/4677bfe38142937ff952f95605bcec4618892c3e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/mishoo/UglifyJS2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uglifier/CVE-2015-8857.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227190830/http://www.securityfocus.com/bid/96410\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zyan.scripts.mit.edu/blog/backdooring-js\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/04/20/11\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1254\",\n \"CWE-670\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:54:00Z\",\n \"nvd_published_at\": \"2017-01-23T21:59:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c9f4-xj24-8jqx\",\n \"published\": \"2017-10-24T18:33:36Z\",\n \"modified\": \"2023-11-08T03:58:03.623951Z\",\n \"aliases\": [\n \"CVE-2015-8858\"\n ],\n \"summary\": \"Regular Expression Denial of Service in uglify-js\",\n \"details\": \"Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\\n\\n\\n### Proof of Concept\\n\\n```\\nvar u = require('uglify-js');\\nvar genstr = function (len, chr) {\\n var result = \\\"\\\";\\n for (i=0; i\\u003c=len; i++) {\\n result = result + chr;\\n }\\n\\n return result;\\n}\\n\\nu.parse(\\\"var a = \\\" + genstr(process.argv[2], \\\"1\\\") + \\\".1ee7;\\\");\\n```\\n\\n### Results\\n```\\n$ time node test.js 10000\\nreal\\t0m1.091s\\nuser\\t0m1.047s\\nsys\\t0m0.039s\\n\\n$ time node test.js 80000\\nreal\\t0m6.486s\\nuser\\t0m6.229s\\nsys\\t0m0.094s\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.6.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"uglify-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/uglify-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-c9f4-xj24-8jqx/GHSA-c9f4-xj24-8jqx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-8858\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-c9f4-xj24-8jqx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/48\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/04/20/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/96409\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:30:50Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cf4h-3jhx-xvhq\",\n \"published\": \"2021-05-06T16:09:43Z\",\n \"modified\": \"2025-11-04T16:33:59Z\",\n \"aliases\": [\n \"CVE-2021-23358\"\n ],\n \"summary\": \"Arbitrary Code Execution in underscore\",\n \"details\": \"The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"underscore\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/underscore\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.3.2\"\n },\n {\n \"fixed\": \"1.12.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-cf4h-3jhx-xvhq/GHSA-cf4h-3jhx-xvhq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-23358\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jashkenas/underscore/pull/2917\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2021-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/package/underscore\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4883\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240808-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jashkenas/underscore/releases/tag/1.12.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jashkenas/underscore\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2025/Apr/14\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-31T21:59:00Z\",\n \"nvd_published_at\": \"2021-03-29T14:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3787-6prv-h9w3\",\n \"published\": \"2024-02-16T16:02:52Z\",\n \"modified\": \"2024-05-02T13:15:07Z\",\n \"aliases\": [\n \"CVE-2024-24758\"\n ],\n \"related\": [\n \"CVE-2024-24758\"\n ],\n \"summary\": \"Undici proxy-authorization header not cleared on cross-origin redirect in fetch\",\n \"details\": \"### Impact\\n\\nUndici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. \\n\\n### Patches\\n\\nThis is patched in v5.28.3 and v6.6.1\\n\\n### Workarounds\\n\\nThere are no known workarounds.\\n\\n### References\\n\\n- https://fetch.spec.whatwg.org/#authentication-entries\\n- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.28.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.28.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3787-6prv-h9w3/GHSA-3787-6prv-h9w3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.6.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-3787-6prv-h9w3/GHSA-3787-6prv-h9w3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24758\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/b9da3e40f1f096a06b4caedbb27c2568730434ef\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.28.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v6.6.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240419-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/03/11/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-16T16:02:52Z\",\n \"nvd_published_at\": \"2024-02-16T22:15:08Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3cvr-822r-rqcc\",\n \"published\": \"2022-07-21T20:30:10Z\",\n \"modified\": \"2023-11-08T04:09:27.728154Z\",\n \"aliases\": [\n \"CVE-2022-31150\"\n ],\n \"summary\": \"undici before v5.8.0 vulnerable to CRLF injection in request headers\",\n \"details\": \"### Impact\\n\\nIt is possible to inject CRLF sequences into request headers in Undici.\\n\\n```js\\nconst undici = require('undici')\\n\\nconst response = undici.request(\\\"http://127.0.0.1:1000\\\", {\\n headers: {'a': \\\"\\\\r\\\\nb\\\"}\\n})\\n```\\n\\nThe same applies to `path` and `method`\\n\\n### Patches\\n\\nUpdate to v5.8.0\\n\\n### Workarounds\\n\\nSanitize all HTTP headers from untrusted sources to eliminate `\\\\r\\\\n`.\\n\\n### References\\n\\nhttps://hackerone.com/reports/409943\\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116\\n\\n### For more information\\n\\nIf you have any questions or comments about this advisory:\\n\\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-3cvr-822r-rqcc/GHSA-3cvr-822r-rqcc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-3cvr-822r-rqcc\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-31150\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/a29a151d0140d095742d21a004023d024fe93259\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/409943\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.8.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220915-0002\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-93\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-21T20:30:10Z\",\n \"nvd_published_at\": \"2022-07-19T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3g92-w8c5-73pq\",\n \"published\": \"2024-07-09T13:32:30Z\",\n \"modified\": \"2024-07-09T13:57:47.271493Z\",\n \"aliases\": [\n \"CVE-2024-38372\"\n ],\n \"related\": [\n \"CVE-2024-38372\"\n ],\n \"summary\": \"Undici vulnerable to data leak when using response.arrayBuffer()\",\n \"details\": \"### Impact\\n\\nDepending on network and process conditions of a `fetch()` request, `response.arrayBuffer()` might include portion of memory from the Node.js process.\\n\\n### Patches\\n\\nThis has been patched in v6.19.2.\\n\\n### Workarounds\\n\\nThere are no known workaround.\\n\\n### References\\n\\nhttps://github.com/nodejs/undici/issues/3337\\nhttps://github.com/nodejs/undici/issues/3328\\nhttps://github.com/nodejs/undici/pull/3338\\nhttps://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.14.0\"\n },\n {\n \"fixed\": \"6.19.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-3g92-w8c5-73pq/GHSA-3g92-w8c5-73pq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-38372\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/issues/3328\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/issues/3337\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/pull/3338\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-201\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-07-09T13:32:30Z\",\n \"nvd_published_at\": \"2024-07-08T21:15:12Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5r9g-qh6m-jxff\",\n \"published\": \"2023-02-16T20:46:30Z\",\n \"modified\": \"2024-12-16T15:26:50.318903Z\",\n \"aliases\": [\n \"BIT-node-2023-23936\",\n \"BIT-node-min-2023-23936\",\n \"CVE-2023-23936\"\n ],\n \"related\": [\n \"CVE-2023-23936\"\n ],\n \"summary\": \"CRLF Injection in Nodejs ‘undici’ via host\",\n \"details\": \"### Impact\\n\\nundici library does not protect `host` HTTP header from CRLF injection vulnerabilities.\\n\\n### Patches\\n\\nThis issue was patched in Undici v5.19.1.\\n\\n### Workarounds\\n\\nSanitize the `headers.host` string before passing to undici.\\n\\n### References\\n\\nReported at https://hackerone.com/reports/1820955.\\n\\n### Credits\\n\\nThank you to Zhipeng Zhang ([@timon8](https://hackerone.com/timon8)) for reporting this vulnerability. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"5.19.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-5r9g-qh6m-jxff/GHSA-5r9g-qh6m-jxff.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/1820955\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.19.1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-74\",\n \"CWE-93\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-16T20:46:30Z\",\n \"nvd_published_at\": \"2023-02-16T18:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8qr4-xgw6-wmr3\",\n \"published\": \"2022-08-18T18:59:46Z\",\n \"modified\": \"2023-11-08T04:09:53.898548Z\",\n \"aliases\": [\n \"CVE-2022-35949\"\n ],\n \"summary\": \"`undici.request` vulnerable to SSRF using absolute URL on `pathname`\",\n \"details\": \"### Impact\\n\\n`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`.\\n\\nIf a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1`\\n\\n```js\\nconst undici = require(\\\"undici\\\")\\nundici.request({origin: \\\"http://example.com\\\", pathname: \\\"//127.0.0.1\\\"})\\n```\\n\\nInstead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`.\\n\\nIf a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.\\n\\n### Patches\\n\\nThis issue was fixed in `undici@5.8.1`.\\n\\n### Workarounds\\n\\nThe best workaround is to validate user input before passing it to the `undici.request` call.\\n\\n## For more information\\nIf you have any questions or comments about this advisory:\\n\\n- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\\n- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.8.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.8.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8qr4-xgw6-wmr3/GHSA-8qr4-xgw6-wmr3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-8qr4-xgw6-wmr3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-35949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/124f7ebf705366b2e1844dff721928d270f87895\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.8.2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-918\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-08-18T18:59:46Z\",\n \"nvd_published_at\": \"2022-08-12T23:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9f24-jqhm-jfcw\",\n \"published\": \"2024-02-16T15:59:38Z\",\n \"modified\": \"2024-04-19T09:30:47Z\",\n \"aliases\": [\n \"CVE-2024-24750\"\n ],\n \"related\": [\n \"CVE-2024-24750\"\n ],\n \"summary\": \"fetch(url) leads to a memory leak in undici\",\n \"details\": \"### Impact\\n\\nCalling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. \\n\\n### Patches\\n\\nPatched in v6.6.1\\n\\n### Workarounds\\n\\nMake sure to always consume the incoming body.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.6.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-9f24-jqhm-jfcw/GHSA-9f24-jqhm-jfcw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24750\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/87a48113f1f68f60aa09abb07276d7c35467c663\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v6.6.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240419-0006\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-401\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-16T15:59:38Z\",\n \"nvd_published_at\": \"2024-02-16T22:15:07Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9qxr-qj54-h672\",\n \"published\": \"2024-04-04T14:20:54Z\",\n \"modified\": \"2025-11-04T19:44:42Z\",\n \"aliases\": [\n \"CVE-2024-30261\"\n ],\n \"summary\": \"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect\",\n \"details\": \"### Impact\\n\\nIf an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered.\\n\\n### Patches\\n\\nFixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3.\\nFixes has been released in v5.28.4 and v6.11.1.\\n\\n\\n### Workarounds\\n\\nEnsure that `integrity` cannot be tampered with.\\n\\n### References\\n\\nhttps://hackerone.com/reports/2377760\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.28.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.11.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9qxr-qj54-h672/GHSA-9qxr-qj54-h672.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-30261\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/2377760\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240905-0008\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-04-04T14:20:54Z\",\n \"nvd_published_at\": \"2024-04-04T15:15:39Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c76h-2ccp-4975\",\n \"published\": \"2025-01-21T21:10:47Z\",\n \"modified\": \"2025-01-21T21:27:05.225594Z\",\n \"aliases\": [\n \"CVE-2025-22150\"\n ],\n \"summary\": \"Use of Insufficiently Random Values in undici\",\n \"details\": \"### Impact\\n\\n[Undici `fetch()` uses Math.random()](https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113) to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.\\n\\nIf there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.\\n\\n### Patches\\n\\nThis is fixed in 5.28.5; 6.21.1; 7.2.3.\\n\\n### Workarounds\\n\\nDo not issue multipart requests to attacker controlled servers.\\n\\n### References\\n\\n* https://hackerone.com/reports/2913312\\n* https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.5.0\"\n },\n {\n \"fixed\": \"5.28.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.21.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-c76h-2ccp-4975/GHSA-c76h-2ccp-4975.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-22150\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/2913312\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-330\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-01-21T21:10:47Z\",\n \"nvd_published_at\": \"2025-01-21T18:15:14Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cxrh-j4jr-qwg3\",\n \"published\": \"2025-05-15T14:15:06Z\",\n \"modified\": \"2025-05-16T02:07:00Z\",\n \"aliases\": [\n \"CVE-2025-47279\"\n ],\n \"related\": [\n \"CGA-gf48-w429-582m\"\n ],\n \"summary\": \"undici Denial of Service attack via bad certificate data\",\n \"details\": \"### Impact\\n\\nApplications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. \\n\\n### Patches\\n\\nThis has been patched in https://github.com/nodejs/undici/pull/4088.\\n\\n### Workarounds\\n\\nIf a webhook fails, avoid keep calling it repeatedly.\\n\\n### References\\n\\nReported as: https://github.com/nodejs/undici/issues/3895\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.29.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.21.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-cxrh-j4jr-qwg3/GHSA-cxrh-j4jr-qwg3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-47279\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/issues/3895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/pull/4088\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-401\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-15T14:15:06Z\",\n \"nvd_published_at\": \"2025-05-15T18:15:38Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f772-66g8-q5h3\",\n \"published\": \"2022-08-18T19:02:56Z\",\n \"modified\": \"2023-11-08T04:09:53.836338Z\",\n \"aliases\": [\n \"CVE-2022-35948\"\n ],\n \"summary\": \"Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type\",\n \"details\": \"### Impact\\n\\n`=\\u003c undici@5.8.0` users are vulnerable to _CRLF Injection_ on headers when using unsanitized input as request headers, more specifically, inside the `content-type` header.\\n\\nExample:\\n\\n```\\nimport { request } from 'undici'\\n\\nconst unsanitizedContentTypeInput = 'application/json\\\\r\\\\n\\\\r\\\\nGET /foo2 HTTP/1.1'\\n\\nawait request('http://localhost:3000, {\\n method: 'GET',\\n headers: {\\n 'content-type': unsanitizedContentTypeInput\\n },\\n})\\n```\\n\\nThe above snippet will perform two requests in a single `request` API call:\\n\\n1) `http://localhost:3000/`\\n2) `http://localhost:3000/foo2`\\n\\n### Patches\\n\\nThis issue was patched in Undici v5.8.1\\n\\n### Workarounds\\n\\nSanitize input when sending content-type headers using user input.\\n\\n## For more information\\nIf you have any questions or comments about this advisory:\\n\\n- Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\\n- To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.8.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.8.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-f772-66g8-q5h3/GHSA-f772-66g8-q5h3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-35948\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.8.2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-74\",\n \"CWE-93\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-08-18T19:02:56Z\",\n \"nvd_published_at\": \"2022-08-15T11:21:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m4v8-wqvr-p9f7\",\n \"published\": \"2024-04-04T14:20:39Z\",\n \"modified\": \"2025-11-04T19:44:28Z\",\n \"aliases\": [\n \"CVE-2024-30260\"\n ],\n \"summary\": \"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline\",\n \"details\": \"### Impact\\n\\nUndici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`.\\n\\n### Patches\\n\\nThis has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75.\\nFixes has been released in v5.28.4 and v6.11.1.\\n\\n### Workarounds\\n\\nuse `fetch()` or disable `maxRedirections`.\\n\\n### References\\n\\nLinzi Shang reported this.\\n\\n* https://hackerone.com/reports/2408074\\n* https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.28.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.11.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-m4v8-wqvr-p9f7/GHSA-m4v8-wqvr-p9f7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-30260\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/2408074\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240905-0008\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-285\",\n \"CWE-863\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-04-04T14:20:39Z\",\n \"nvd_published_at\": \"2024-04-04T16:15:08Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pgw7-wx7w-2w33\",\n \"published\": \"2022-06-17T01:02:29Z\",\n \"modified\": \"2023-11-08T04:09:35.326222Z\",\n \"aliases\": [\n \"CVE-2022-32210\"\n ],\n \"related\": [\n \"CVE-2022-32210\"\n ],\n \"summary\": \"ProxyAgent vulnerable to MITM\",\n \"details\": \"### Description\\n\\n`Undici.ProxyAgent` never verifies the remote server's certificate, and always exposes all request \\u0026 response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.\\n\\n### Impact\\n\\nThis affects all use of HTTPS via HTTP proxy using **`Undici.ProxyAgent`** with Undici or Node's global `fetch`. In this case, it removes all HTTPS security from all requests sent using Undici's `ProxyAgent`, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).\\nThis less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy). \\n\\n### Patches\\n\\nThis issue was patched in Undici v5.5.1.\\n\\n### Workarounds\\n\\nAt the time of writing, the only workaround is to not use `ProxyAgent` as a dispatcher for TLS Connections.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.8.2\"\n },\n {\n \"fixed\": \"5.5.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.5.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-pgw7-wx7w-2w33/GHSA-pgw7-wx7w-2w33.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-32210\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/1583680\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-295\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-17T01:02:29Z\",\n \"nvd_published_at\": \"2022-07-14T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q768-x9m6-m9qp\",\n \"published\": \"2022-07-21T20:31:05Z\",\n \"modified\": \"2024-12-05T15:41:55.533076Z\",\n \"aliases\": [\n \"CVE-2022-31151\"\n ],\n \"related\": [\n \"CVE-2023-45143\"\n ],\n \"summary\": \"undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect\",\n \"details\": \"### Impact\\n\\nAuthorization headers are already cleared on cross-origin redirect in\\nhttps://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.\\n\\nHowever, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.\\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\\n\\n### Patches\\n\\nThis was patched in v5.8.0.\\n\\n### Workarounds\\n\\nBy default, this vulnerability is not exploitable.\\nDo not enable redirections, i.e. `maxRedirections: 0` (the default). \\n\\n### References\\n\\nhttps://hackerone.com/reports/1635514\\nhttps://curl.se/docs/CVE-2018-1000007.html\\nhttps://curl.se/docs/CVE-2022-27776.html\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [undici repository](https://github.com/nodejs/undici/issues)\\n* To make a report, follow the [SECURITY](https://github.com/nodejs/node/blob/HEAD/SECURITY.md) document\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-q768-x9m6-m9qp/GHSA-q768-x9m6-m9qp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-31151\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/issues/872\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/pull/1441\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/1635514\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.8.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220909-0006\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-346\",\n \"CWE-601\",\n \"CWE-93\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-21T20:31:05Z\",\n \"nvd_published_at\": \"2022-07-21T04:15:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r6ch-mqf9-qc9w\",\n \"published\": \"2023-02-16T20:46:10Z\",\n \"modified\": \"2023-11-08T04:11:48.635999Z\",\n \"aliases\": [\n \"CVE-2023-24807\"\n ],\n \"related\": [\n \"CVE-2023-24807\"\n ],\n \"summary\": \"Regular Expression Denial of Service in Headers\",\n \"details\": \"### Impact\\nThe `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the `headerValueNormalize()` utility function.\\n\\n### Patches\\n\\nThis vulnerability was patched in v5.19.1.\\n\\n### Workarounds\\nThere is no workaround. Please update to an unaffected version.\\n\\n### References\\n\\n* https://hackerone.com/bugs?report_id=1784449\\n\\n### Credits\\n\\nCarter Snook reported this vulnerability.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.19.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-r6ch-mqf9-qc9w/GHSA-r6ch-mqf9-qc9w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-24807\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.19.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/bugs?report_id=1784449\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-16T20:46:10Z\",\n \"nvd_published_at\": \"2023-02-16T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wqq4-5wpv-mx2g\",\n \"published\": \"2023-10-16T14:05:37Z\",\n \"modified\": \"2024-12-05T15:42:14.323907Z\",\n \"aliases\": [\n \"CVE-2023-45143\"\n ],\n \"related\": [\n \"CVE-2023-45143\"\n ],\n \"summary\": \"Undici's cookie header not cleared on cross-origin redirect in fetch\",\n \"details\": \"### Impact\\n\\nUndici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.\\n\\nAs such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.\\n\\n### Patches\\n\\nThis was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"undici\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/undici\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.26.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-wqq4-5wpv-mx2g/GHSA-wqq4-5wpv-mx2g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45143\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/2166948\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/nodejs/undici\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/undici/releases/tag/v5.26.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-16T14:05:37Z\",\n \"nvd_published_at\": \"2023-10-12T17:15:10Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-333w-rxj3-f55r\",\n \"published\": \"2018-07-24T20:00:30Z\",\n \"modified\": \"2024-04-22T19:37:18Z\",\n \"aliases\": [\n \"CVE-2017-16021\"\n ],\n \"summary\": \"Regular Expression Denial Of Service in uri-js\",\n \"details\": \"Affected versions of `uri-js` is susceptible to a regular expression denial of service vulnerability when user input is sent to the `.parse()` method.\\n\\n\\n\\n## Recommendation\\n\\nUpdate to v3.0.0 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"uri-js\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/uri-js\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-333w-rxj3-f55r/GHSA-333w-rxj3-f55r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-16021\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/garycourt/uri-js/issues/12\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-333w-rxj3-f55r\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://nodesecurity.io/advisories/100\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/100\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:53:45Z\",\n \"nvd_published_at\": \"2018-06-04T19:29:01Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g78m-2chm-r7qv\",\n \"published\": \"2020-06-05T16:16:12Z\",\n \"modified\": \"2025-01-14T08:57:32.136279Z\",\n \"aliases\": [\n \"CVE-2020-7662\"\n ],\n \"related\": [\n \"CVE-2020-7662\"\n ],\n \"summary\": \"Regular Expression Denial of Service in websocket-extensions (NPM package)\",\n \"details\": \"### Impact\\n\\nThe ReDoS flaw allows an attacker to exhaust the server's capacity to process\\nincoming requests by sending a WebSocket handshake request containing a header\\nof the following form:\\n\\n Sec-WebSocket-Extensions: a; b=\\\"\\\\c\\\\c\\\\c\\\\c\\\\c\\\\c\\\\c\\\\c\\\\c\\\\c ...\\n\\nThat is, a header containing an unclosed string parameter value whose content is\\na repeating two-byte sequence of a backslash and some other character. The\\nparser takes exponential time to reject this header as invalid, and this will\\nblock the processing of any other work on the same thread. Thus if you are\\nrunning a single-threaded server, such a request can render your service\\ncompletely unavailable.\\n\\n### Patches\\n\\nUsers should upgrade to version 0.1.4.\\n\\n### Workarounds\\n\\nThere are no known work-arounds other than disabling any public-facing\\nWebSocket functionality you are operating.\\n\\n### References\\n\\n- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"websocket-extensions\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/websocket-extensions\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.1.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-g78m-2chm-r7qv/GHSA-g78m-2chm-r7qv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/faye/websocket-extensions-node/security/advisories/GHSA-g78m-2chm-r7qv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7662\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/faye/websocket-extensions-node/commit/29496f6838bfadfe5a2f85dff33ed0ba33873237\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/faye/websocket-extensions-node\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-WEBSOCKETEXTENSIONS-570623\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-03T23:10:26Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j8xg-fqg3-53r7\",\n \"published\": \"2023-06-22T06:30:18Z\",\n \"modified\": \"2025-02-13T19:00:43Z\",\n \"aliases\": [\n \"CVE-2023-26115\"\n ],\n \"summary\": \"word-wrap vulnerable to Regular Expression Denial of Service\",\n \"details\": \"All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"word-wrap\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/word-wrap\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-j8xg-fqg3-53r7/GHSA-j8xg-fqg3-53r7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26115\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jonschlinkert/word-wrap\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1333\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-23T21:36:40Z\",\n \"nvd_published_at\": \"2023-06-22T05:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"MAL-2025-46983\",\n \"published\": \"2025-09-08T17:19:41Z\",\n \"modified\": \"2025-09-12T01:13:35Z\",\n \"aliases\": [\n \"GHSA-2rv4-jp6r-xgq7\"\n ],\n \"summary\": \"Malicious code in wrap-ansi (npm)\",\n \"details\": \"The package was compromised and malicious code added.\\n\\n---\\n_-= Per source details. Do not edit below this line.=-_\\n\\n## Source: ghsa-malware (9e58bb76dd73218635e5f6badd1c9693b827a8eb1be48d0bac75d6f8f85d4b53)\\nAny computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"wrap-ansi\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/wrap-ansi\"\n },\n \"versions\": [\n \"9.0.1\"\n ],\n \"database_specific\": {\n \"cwes\": [\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n },\n {\n \"cweId\": \"CWE-506\",\n \"description\": \"The product contains code that appears to be malicious in nature.\",\n \"name\": \"Embedded Malicious Code\"\n }\n ],\n \"source\": \"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/wrap-ansi/MAL-2025-46983.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised\"\n },\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/hackers-hijack-npm-packages-with-2-billion-weekly-downloads-in-supply-chain-attack/\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2rv4-jp6r-xgq7\"\n }\n ],\n \"database_specific\": {\n \"malicious-packages-origins\": [\n {\n \"id\": \"GHSA-2rv4-jp6r-xgq7\",\n \"import_time\": \"2025-09-09T00:35:48.401637602Z\",\n \"modified_time\": \"2025-09-08T18:21:37Z\",\n \"sha256\": \"9e58bb76dd73218635e5f6badd1c9693b827a8eb1be48d0bac75d6f8f85d4b53\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"9.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-2rv4-jp6r-xgq7\",\n \"import_time\": \"2025-09-10T00:34:05.195235017Z\",\n \"modified_time\": \"2025-09-08T18:21:37Z\",\n \"sha256\": \"4c4bf3872e7828d6ef2152082e1c866e9eacc2f48bbbc739900e1606bed129bb\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"9.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-2rv4-jp6r-xgq7\",\n \"import_time\": \"2025-09-11T00:34:35.442370858Z\",\n \"modified_time\": \"2025-09-10T17:56:24Z\",\n \"sha256\": \"4f48e2f6fc3cfff774a2698e39d7f9079bec18cdd5e1e8221e767925e889497b\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"9.0.1\"\n ]\n },\n {\n \"id\": \"GHSA-2rv4-jp6r-xgq7\",\n \"import_time\": \"2025-09-12T00:33:58.008935793Z\",\n \"modified_time\": \"2025-09-10T17:56:24Z\",\n \"sha256\": \"c05f3bc963e30ddf435d8a80250a8ace01d29fbfbf87ec2fe7d1d50e41d25f2b\",\n \"source\": \"ghsa-malware\",\n \"versions\": [\n \"9.0.1\"\n ]\n }\n ]\n },\n \"credits\": [\n {\n \"name\": \"Amazon Inspector\",\n \"contact\": [\n \"actran@amazon.com\"\n ],\n \"type\": \"FINDER\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2mhh-w6q8-5hxw\",\n \"published\": \"2019-02-18T23:56:42Z\",\n \"modified\": \"2023-11-08T03:58:10.113790Z\",\n \"aliases\": [\n \"CVE-2016-10518\"\n ],\n \"summary\": \"Remote Memory Disclosure in ws\",\n \"details\": \"Versions of `ws` prior to 1.0.1 are affected by a remote memory disclosure vulnerability.\\n\\nIn certain rare circumstances, applications which allow users to control the arguments of a `client.ping()` call will cause `ws` to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.\\n\\n\\n\\n## Proof of Concept\\n```\\nvar ws = require('ws')\\n\\nvar server = new ws.Server({ port: 9000 })\\nvar client = new ws('ws://localhost:9000')\\n\\nclient.on('open', function () {\\n console.log('open')\\n client.ping(50) // this sends a non-zeroed buffer of 50 bytes\\n\\n client.on('pong', function (data) {\\n console.log('got pong')\\n console.log(data) // Data from the client. \\n })\\n})\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.0.1 or greater.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-2mhh-w6q8-5hxw/GHSA-2mhh-w6q8-5hxw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-10518\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/29293ed11b679e0366fa0f6bb9310b330dafd795\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/c0nrad/e92005446c480707a74a\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2mhh-w6q8-5hxw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/releases/tag/1.0.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/67\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-201\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:52:34Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3h5v-q93c-6h6q\",\n \"published\": \"2024-06-17T19:09:10Z\",\n \"modified\": \"2024-07-15T22:12:28.401556Z\",\n \"aliases\": [\n \"CVE-2024-37890\"\n ],\n \"related\": [\n \"CGA-4mjj-vhp5-59v2\",\n \"CGA-5jj7-2gq6-8p9g\",\n \"CGA-6rmc-53qg-r2v4\",\n \"CGA-cm39-xg6p-r3wr\",\n \"CGA-h8rj-78mh-45v7\",\n \"CGA-hf88-h9xp-mq5f\",\n \"CGA-qv4g-5p29-rxvx\",\n \"CGA-r6qh-9mxv-rrj2\",\n \"CVE-2024-37890\"\n ],\n \"summary\": \"ws affected by a DoS when handling a request with many HTTP headers\",\n \"details\": \"### Impact\\n\\nA request with a number of headers exceeding the[`server.maxHeadersCount`][] threshold could be used to crash a ws server.\\n\\n### Proof of concept\\n\\n```js\\nconst http = require('http');\\nconst WebSocket = require('ws');\\n\\nconst wss = new WebSocket.Server({ port: 0 }, function () {\\n const chars = \\\"!#$%\\u0026'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~\\\".split('');\\n const headers = {};\\n let count = 0;\\n\\n for (let i = 0; i \\u003c chars.length; i++) {\\n if (count === 2000) break;\\n\\n for (let j = 0; j \\u003c chars.length; j++) {\\n const key = chars[i] + chars[j];\\n headers[key] = 'x';\\n\\n if (++count === 2000) break;\\n }\\n }\\n\\n headers.Connection = 'Upgrade';\\n headers.Upgrade = 'websocket';\\n headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';\\n headers['Sec-WebSocket-Version'] = '13';\\n\\n const request = http.request({\\n headers: headers,\\n host: '127.0.0.1',\\n port: wss.address().port\\n });\\n\\n request.end();\\n});\\n```\\n\\n### Patches\\n\\nThe vulnerability was fixed in ws@8.17.1 (https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c) and backported to ws@7.5.10 (https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f), ws@6.2.3 (https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63), and ws@5.2.4 (https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e)\\n\\n### Workarounds\\n\\nIn vulnerable versions of ws, the issue can be mitigated in the following ways:\\n\\n1. Reduce the maximum allowed length of the request headers using the [`--max-http-header-size=size`][] and/or the [`maxHeaderSize`][] options so that no more headers than the `server.maxHeadersCount` limit can be sent.\\n2. Set `server.maxHeadersCount` to `0` so that no limit is applied.\\n\\n### Credits\\n\\nThe vulnerability was reported by [Ryan LaPointe](https://github.com/rrlapointe) in https://github.com/websockets/ws/issues/2230.\\n\\n### References\\n\\n- https://github.com/websockets/ws/issues/2230\\n- https://github.com/websockets/ws/pull/2231\\n\\n[`--max-http-header-size=size`]: https://nodejs.org/api/cli.html#--max-http-header-sizesize\\n[`maxHeaderSize`]: https://nodejs.org/api/http.html#httpcreateserveroptions-requestlistener\\n[`server.maxHeadersCount`]: https://nodejs.org/api/http.html#servermaxheaderscount\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.1.0\"\n },\n {\n \"fixed\": \"5.2.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.5.10\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.17.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-3h5v-q93c-6h6q/GHSA-3h5v-q93c-6h6q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/issues/2230\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/pull/2231\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/websockets/ws\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-06-17T19:09:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5v72-xg48-5rpm\",\n \"published\": \"2019-06-04T19:37:52Z\",\n \"modified\": \"2021-08-04T21:29:05Z\",\n \"summary\": \"Denial of Service in ws\",\n \"details\": \"Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.\\n\\n## Proof of concept\\n\\n```\\nconst WebSocket = require('ws');\\nconst net = require('net');\\n\\nconst wss = new WebSocket.Server({ port: 3000 }, function () {\\n const payload = 'constructor'; // or ',;constructor'\\n\\n const request = [\\n 'GET / HTTP/1.1',\\n 'Connection: Upgrade',\\n 'Sec-WebSocket-Key: test',\\n 'Sec-WebSocket-Version: 8',\\n `Sec-WebSocket-Extensions: ${payload}`,\\n 'Upgrade: websocket',\\n '\\\\r\\\\n'\\n ].join('\\\\r\\\\n');\\n\\n const socket = net.connect(3000, function () {\\n socket.resume();\\n socket.write(request);\\n });\\n});\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 3.3.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.6\"\n },\n {\n \"fixed\": \"1.1.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-5v72-xg48-5rpm/GHSA-5v72-xg48-5rpm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"3.3.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-5v72-xg48-5rpm/GHSA-5v72-xg48-5rpm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/c4fe46608acd61fbf7397eadc47378903f95b78a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/f8fdcd40ac8be7318a6ee41f5ceb7e77c995b407\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/npm:ws:20171108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/550\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/550/versions\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-04T19:37:42Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6663-c963-2gqg\",\n \"published\": \"2019-02-18T23:58:35Z\",\n \"modified\": \"2023-11-08T03:58:11.580073Z\",\n \"aliases\": [\n \"CVE-2016-10542\"\n ],\n \"summary\": \"DoS due to excessively large websocket message in ws\",\n \"details\": \"Affected versions of `ws` do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.\\n\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.1.1 or later. \\nAlternatively, set the `maxpayload` option for the `ws` server to a value smaller than 256MB.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-6663-c963-2gqg/GHSA-6663-c963-2gqg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-10542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/node/issues/7388\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-6663-c963-2gqg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/120\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:18:11Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6fc8-4gx4-v693\",\n \"published\": \"2021-05-28T19:19:03Z\",\n \"modified\": \"2023-11-08T04:05:55.363871Z\",\n \"aliases\": [\n \"CVE-2021-32640\"\n ],\n \"related\": [\n \"CVE-2021-32640\"\n ],\n \"summary\": \"ReDoS in Sec-Websocket-Protocol header\",\n \"details\": \"### Impact\\n\\nA specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server.\\n\\n### Proof of concept\\n\\n```js\\nfor (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {\\n const value = 'b' + ' '.repeat(length) + 'x';\\n const start = process.hrtime.bigint();\\n\\n value.trim().split(/ *, */);\\n\\n const end = process.hrtime.bigint();\\n\\n console.log('length = %d, time = %f ns', length, end - start);\\n}\\n```\\n\\n### Patches\\n\\nThe vulnerability was fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff) and backported to ws@6.2.2 (https://github.com/websockets/ws/commit/78c676d2a1acefbc05292e9f7ea0a9457704bf1b) and ws@5.2.3 (https://github.com/websockets/ws/commit/76d47c1479002022a3e4357b3c9f0e23a68d4cd2).\\n\\n### Workarounds\\n\\nIn vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.\\n\\n### Credits\\n\\nThe vulnerability was responsibly disclosed along with a fix in private by [Robert McLaughlin](https://github.com/robmcl4) from University of California, Santa Barbara.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.4.6\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.2.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"ws\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/ws\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"5.0.0\"\n },\n {\n \"fixed\": \"5.2.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6fc8-4gx4-v693/GHSA-6fc8-4gx4-v693.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-32640\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/issues/1895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/websockets/ws\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdfa7b6253c4d6271e31566ecd5f30b7ce1b8fb2c89d52b8c4e0f4e30@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210706-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-345\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-28T18:18:04Z\",\n \"nvd_published_at\": \"2021-05-25T19:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h4j5-c7cj-74xg\",\n \"published\": \"2021-05-04T18:02:34Z\",\n \"modified\": \"2025-01-14T08:57:22.719908Z\",\n \"aliases\": [\n \"CVE-2020-28502\"\n ],\n \"summary\": \"xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection\",\n \"details\": \"This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (`async=False` on `xhr.open`), malicious user input flowing into `xhr.send` could result in arbitrary code being injected and run.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xmlhttprequest\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/xmlhttprequest\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-h4j5-c7cj-74xg/GHSA-h4j5-c7cj-74xg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"xmlhttprequest-ssl\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/xmlhttprequest-ssl\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.6.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-h4j5-c7cj-74xg/GHSA-h4j5-c7cj-74xg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28502\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T20:34:02Z\",\n \"nvd_published_at\": \"2021-03-05T18:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c4w7-xm78-47vh\",\n \"published\": \"2021-03-29T16:05:12Z\",\n \"modified\": \"2024-12-05T15:28:53.812442Z\",\n \"aliases\": [\n \"CVE-2020-7774\"\n ],\n \"summary\": \"Prototype Pollution in y18n\",\n \"details\": \"### Overview\\n\\nThe npm package `y18n` before versions 3.2.2, 4.0.1, and 5.0.5 is vulnerable to Prototype Pollution. \\n\\n### POC\\n\\n```js\\nconst y18n = require('y18n')();\\n\\ny18n.setLocale('__proto__');\\ny18n.updateLocale({polluted: true});\\n\\nconsole.log(polluted); // true\\n```\\n\\n### Recommendation\\n\\nUpgrade to version 3.2.2, 4.0.1, 5.0.5 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"y18n\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/y18n\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.2.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"y18n\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/y18n\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"y18n\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/y18n\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"5.0.0\"\n },\n {\n \"fixed\": \"5.0.5\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-c4w7-xm78-47vh/GHSA-c4w7-xm78-47vh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7774\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/y18n/issues/96\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/y18n/pull/108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/yargs/y18n\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-Y18N-1021887\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-20\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-12T21:23:11Z\",\n \"nvd_published_at\": \"2020-11-17T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p9pc-299p-vxgp\",\n \"published\": \"2020-09-04T18:00:54Z\",\n \"modified\": \"2025-01-14T08:57:10.212240Z\",\n \"aliases\": [\n \"CVE-2020-7608\"\n ],\n \"summary\": \"yargs-parser Vulnerable to Prototype Pollution\",\n \"details\": \"Affected versions of `yargs-parser` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \\nParsing the argument `--foo.__proto__.bar baz'` adds a `bar` property with value `baz` to all objects. This is only exploitable if attackers have control over the arguments being passed to `yargs-parser`.\\n\\n\\n\\n## Recommendation\\n\\nUpgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"yargs-parser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/yargs-parser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"13.1.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"yargs-parser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/yargs-parser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"14.0.0\"\n },\n {\n \"fixed\": \"15.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"yargs-parser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/yargs-parser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"16.0.0\"\n },\n {\n \"fixed\": \"18.1.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"yargs-parser\",\n \"ecosystem\": \"npm\",\n \"purl\": \"pkg:npm/yargs-parser\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-p9pc-299p-vxgp/GHSA-p9pc-299p-vxgp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7608\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/yargs/yargs-parser\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.npmjs.com/advisories/1500\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-31T19:01:32Z\",\n \"nvd_published_at\": \"2020-03-16T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/remediation/testdata/zeppelin-server/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/zeppelin-server/parent/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/remediation/testdata/zeppelin-server/parent/parent/pom.xml", "content": "\n\n\n\n\n 4.0.0\n\n \n org.apache\n apache\n 28\n pom\n\n The Apache Software Foundation\n \n The Apache Software Foundation provides support for the Apache community of open-source software projects.\n The Apache projects are characterized by a collaborative, consensus based development process, an open and\n pragmatic software license, and a desire to create high quality software that leads the way in its field.\n We consider ourselves not simply a group of projects sharing a server, but rather a community of developers\n and users.\n \n https://www.apache.org/\n \n The Apache Software Foundation\n https://www.apache.org/\n \n \n \n Apache License, Version 2.0\n https://www.apache.org/licenses/LICENSE-2.0.txt\n repo\n \n \n\n \n \n Apache Announce List\n announce-subscribe@apache.org\n announce-unsubscribe@apache.org\n announce@apache.org\n https://mail-archives.apache.org/mod_mbox/www-announce/\n \n \n\n \n scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git\n scm:git:https://gitbox.apache.org/repos/asf/maven-apache-parent.git\n https://github.com/apache/maven-apache-parent/tree/${project.scm.tag}\n apache-28\n \n\n \n \n apache.releases.https\n ${distMgmtReleasesName}\n ${distMgmtReleasesUrl}\n \n \n apache.snapshots.https\n ${distMgmtSnapshotsName}\n ${distMgmtSnapshotsUrl}\n \n \n\n \n Apache Release Distribution Repository\n https://repository.apache.org/service/local/staging/deploy/maven2\n Apache Development Snapshot Repository\n https://repository.apache.org/content/repositories/snapshots\n https://www.apache.org/images/asf_logo_wide_2016.png\n UTF-8\n UTF-8\n source-release\n true\n 3.2.5\n 1.8\n ${maven.compiler.target}\n 1.7\n 2.22.2\n 3.7.0\n posix\n 2022-11-14T22:50:41Z\n \n\n \n \n \n org.apache.maven.plugin-tools\n maven-plugin-annotations\n ${maven.plugin.tools.version}\n \n \n \n\n \n \n apache.snapshots\n Apache Snapshot Repository\n https://repository.apache.org/snapshots\n \n false\n \n \n \n \n \n apache.snapshots\n Apache Snapshot Repository\n https://repository.apache.org/snapshots\n \n false\n \n \n \n\n \n \n \n \n \n org.apache.maven.plugins\n maven-antrun-plugin\n 3.1.0\n \n \n org.apache.maven.plugins\n maven-assembly-plugin\n 3.4.2\n \n \n org.apache.maven.plugins\n maven-clean-plugin\n 3.2.0\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n 3.10.1\n \n \n org.apache.maven.plugins\n maven-dependency-plugin\n 3.3.0\n \n \n org.apache.maven.plugins\n maven-deploy-plugin\n 2.8.2\n \n \n org.apache.maven.plugins\n maven-ear-plugin\n 3.2.0\n \n \n org.apache.maven.plugins\n maven-enforcer-plugin\n 3.1.0\n \n \n org.apache.maven.plugins\n maven-failsafe-plugin\n ${surefire.version}\n \n \n org.apache.maven.plugins\n maven-gpg-plugin\n 3.0.1\n \n \n --digest-algo=SHA512\n \n \n \n \n org.apache.maven.plugins\n maven-help-plugin\n 3.3.0\n \n \n org.apache.maven.plugins\n maven-install-plugin\n 3.0.1\n \n \n org.apache.maven.plugins\n maven-invoker-plugin\n 3.3.0\n \n \n org.apache.maven.plugins\n maven-jar-plugin\n 3.3.0\n \n \n \n true\n true\n \n \n \n \n \n org.apache.maven.plugins\n maven-javadoc-plugin\n 3.4.1\n \n true\n \n \n \n org.apache.maven.plugins\n maven-plugin-plugin\n ${maven.plugin.tools.version}\n \n \n org.apache.maven.plugins\n maven-plugin-report-plugin\n ${maven.plugin.tools.version}\n \n \n org.apache.maven.plugins\n maven-project-info-reports-plugin\n 3.4.1\n \n \n org.eclipse.m2e:lifecycle-mapping\n \n \n \n \n \n org.apache.maven.plugins\n maven-release-plugin\n 3.0.0-M6\n \n false\n deploy\n apache-release\n \n \n \n \n org.apache.maven.plugins\n maven-remote-resources-plugin\n 1.7.0\n \n \n org.apache.maven.plugins\n maven-resources-plugin\n 3.3.0\n \n \n org.apache.maven.plugins\n maven-scm-plugin\n 1.13.0\n \n \n org.apache.maven.plugins\n maven-scm-publish-plugin\n 3.1.0\n \n \n org.apache.maven.plugins\n maven-site-plugin\n 3.12.1\n \n \n org.apache.maven.plugins\n maven-source-plugin\n 3.2.1\n \n \n org.apache.maven.plugins\n maven-surefire-plugin\n ${surefire.version}\n \n \n org.apache.maven.plugins\n maven-surefire-report-plugin\n ${surefire.version}\n \n \n org.apache.maven.plugins\n maven-war-plugin\n 3.3.2\n \n \n org.apache.maven.plugins\n maven-shade-plugin\n 3.4.1\n \n \n org.apache.rat\n apache-rat-plugin\n 0.15\n \n \n \n \n \n \n org.apache.maven.plugins\n maven-remote-resources-plugin\n \n \n process-resource-bundles\n \n process\n \n \n \n org.apache:apache-jar-resource-bundle:1.4\n \n \n \n \n \n \n org.apache.maven.plugins\n maven-enforcer-plugin\n \n \n enforce-maven-version\n \n enforce\n \n \n \n \n ${minimalMavenBuildVersion}\n \n \n \n \n \n enforce-java-version\n \n enforce\n \n \n \n \n ${minimalJavaBuildVersion}\n \n \n \n \n \n \n \n org.apache.maven.plugins\n maven-site-plugin\n \n \n attach-descriptor\n \n attach-descriptor\n \n \n \n \n \n \n\n \n \n \n apache-release\n \n \n \n \n org.apache.maven.plugins\n maven-assembly-plugin\n \n \n org.apache.apache.resources\n apache-source-release-assembly-descriptor\n 1.0.6\n \n \n \n \n source-release-assembly\n package\n \n single\n \n \n true\n \n ${sourceReleaseAssemblyDescriptor}\n \n ${assembly.tarLongFileMode}\n \n \n \n \n \n \n true\n org.apache.maven.plugins\n maven-deploy-plugin\n \n true\n \n \n \n org.apache.maven.plugins\n maven-source-plugin\n \n \n attach-sources\n \n jar-no-fork\n \n \n \n \n \n org.apache.maven.plugins\n maven-javadoc-plugin\n \n \n attach-javadocs\n \n jar\n \n \n \n \n \n \n net.nicoulaj.maven.plugins\n checksum-maven-plugin\n 1.11\n \n \n source-release-checksum\n \n artifacts\n \n \n post-integration-test\n \n \n SHA-512\n \n \n source-release\n true\n false\n \n true\n \n \n \n \n \n \n org.apache.maven.plugins\n maven-gpg-plugin\n \n \n sign-release-artifacts\n \n sign\n \n \n \n \n \n \n \n \n \n only-eclipse\n \n \n m2e.version\n \n \n \n \n \n \n \n org.eclipse.m2e\n lifecycle-mapping\n 1.0.0\n \n \n \n \n \n \n org.apache.maven.plugins\n maven-remote-resources-plugin\n [0,1.8.0)\n \n process\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n" }, { "path": "internal/remediation/testdata/zeppelin-server/parent/pom.xml", "content": "\n\n\n\n\n 4.0.0\n\n org.apache.zeppelin\n zeppelin\n pom\n 0.11.1\n Zeppelin\n Zeppelin project\n https://zeppelin.apache.org\n\n \n org.apache\n apache\n 28\n ./parent\n \n\n \n \n The Apache Software License, Version 2.0\n https://www.apache.org/licenses/LICENSE-2.0.txt\n repo\n \n \n\n \n https://git-wip-us.apache.org/repos/asf/zeppelin.git\n scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git\n scm:git:https://git-wip-us.apache.org/repos/asf/zeppelin.git\n \n\n 2013\n\n \n build-tools\n zeppelin-interpreter-parent\n zeppelin-interpreter\n zeppelin-interpreter-shaded\n zeppelin-zengine\n rlang\n zeppelin-jupyter-interpreter\n zeppelin-jupyter-interpreter-shaded\n groovy\n spark\n spark-submit\n submarine\n markdown\n mongodb\n angular\n shell\n livy\n hbase\n jdbc\n file\n flink\n flink-cmd\n influxdb\n python\n cassandra\n elasticsearch\n bigquery\n alluxio\n neo4j\n java\n sparql\n zeppelin-common\n zeppelin-client\n zeppelin-client-examples\n zeppelin-web\n zeppelin-server\n zeppelin-jupyter\n zeppelin-plugins\n zeppelin-distribution\n \n\n \n UTF-8\n\n \n 1.8\n \n ${java.version}\n ${java.version}\n ${scala.2.11.version}\n 2.11\n 2.11.12\n 2.12.17\n 3.2.15\n 1.17.0\n\n \n v16.20.2\n 8.19.4\n 1.12.1\n\n \n 1.7.35\n 1.2.25\n 0.13.0\n 0.62.2\n 2.8.9\n 0.2.2\n 20240205\n 9.4.52.v20230823\n 4.4.1\n 4.5.13\n 4.0.2\n 1.21\n 3.12.0\n 1.10.0\n 2.8.0\n 1.3\n 1.14\n 2.7\n 3.2.2\n 1.4\n 1.10.0\n 1.70\n 3.6.3\n 4.1.14\n 1.6.0\n\n 2.7.7\n 3.0.3\n 3.1.3\n 3.2.4\n 3.3.6\n ${hadoop2.7.version}\n provided\n hadoop-client\n hadoop-yarn-api\n hadoop-client\n\n 2.3.2\n 1.5.4\n 1.16.1\n 3.21.7\n 1.51.0\n 2.14.0\n\n \n 5.7.1\n 3.12.4\n 1.7.0\n 4.2.0\n\n \n 1.8\n 3.2.0\n 1.7.7\n 1.7\n 1.4\n 2.17\n 3.1.0\n 2.7\n 3.8.1\n 3.1.2\n 2.8.2\n 1.6.0\n 3.0.0-M3\n 1.6.0\n 2.17\n 4.0.0\n 1.6\n 3.2.0\n 3.2.0\n 1.0.0\n 3.11.4\n 0.13\n 3.1.0\n 1.4\n 4.6.3\n 2.15.2\n 1.7.1\n 2.0.0\n 1.11.2\n 3.2.1\n 2.22.2\n 1.4.1.Final\n\n 1.19.0\n\n 512m\n\n \n \n \n\n \n \n \n \n com.vladsch.flexmark\n flexmark-all\n ${flexmark.all.version}\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n \n \n org.slf4j\n slf4j-api\n ${slf4j.version}\n \n\n \n org.slf4j\n slf4j-reload4j\n ${slf4j.version}\n \n \n ch.qos.reload4j\n reload4j\n \n \n \n\n \n ch.qos.reload4j\n reload4j\n ${reload4j.version}\n \n\n \n \n org.slf4j\n jcl-over-slf4j\n ${slf4j.version}\n \n\n \n org.apache.thrift\n libthrift\n ${libthrift.version}\n \n \n javax.annotation\n javax.annotation-api\n \n \n \n\n \n org.apache.httpcomponents\n httpcore\n ${httpcomponents.core.version}\n \n\n \n org.apache.httpcomponents\n httpclient\n ${httpcomponents.client.version}\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n \n org.apache.httpcomponents\n httpasyncclient\n ${httpcomponents.asyncclient.version}\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n \n org.apache.commons\n commons-lang3\n ${commons.lang3.version}\n \n\n \n org.apache.commons\n commons-text\n ${commons.text.version}\n \n\n \n org.apache.commons\n commons-exec\n ${commons.exec.version}\n \n\n \n com.google.code.gson\n gson\n ${gson.version}\n \n\n \n org.json\n json\n ${org-json.version}\n \n\n \n org.danilopianini\n gson-extras\n ${gson-extras.version}\n \n\n \n org.apache.commons\n commons-configuration2\n ${commons.configuration2.version}\n \n\n \n \n commons-lang\n commons-lang\n 2.6\n \n\n \n commons-codec\n commons-codec\n ${commons.codec.version}\n \n\n \n commons-io\n commons-io\n ${commons.io.version}\n \n\n \n commons-collections\n commons-collections\n ${commons.collections.version}\n \n\n \n commons-cli\n commons-cli\n ${commons.cli.version}\n \n\n \n \n org.apache.shiro\n shiro-core\n ${shiro.version}\n \n \n org.apache.shiro\n shiro-web\n ${shiro.version}\n \n \n org.apache.shiro\n shiro-config-core\n ${shiro.version}\n \n\n \n org.bouncycastle\n bcpkix-jdk15on\n ${bouncycastle.version}\n \n\n \n org.codehaus.jettison\n jettison\n ${jettison.version}\n \n\n \n org.apache.hadoop\n ${hadoop-client-api.artifact}\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n org.apache.zookeeper\n zookeeper\n \n \n org.apache.hadoop\n hadoop-common\n \n \n com.sun.jersey\n jersey-core\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-client\n \n \n com.sun.jersey\n jersey-server\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n io.netty\n netty-all\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n com.google.guava\n guava\n \n \n com.google.code.findbugs\n jsr305\n \n \n org.apache.commons\n commons-math3\n \n \n com.fasterxml.jackson.core\n jackson-annotations\n \n \n com.nimbusds\n nimbus-jose-jwt\n \n \n org.eclipse.jetty\n jetty-xml\n \n \n org.eclipse.jetty\n jetty-servlet\n \n \n org.eclipse.jetty\n jetty-util\n \n \n commons-beanutils\n commons-beanutils\n \n \n org.apache.commons\n commons-configuration2\n \n \n commons-beanutils\n commons-beanutils-core\n \n \n org.eclipse.jetty\n jetty-webapp\n \n \n com.fasterxml.jackson.module\n jackson-module-jaxb-annotations\n \n \n com.fasterxml.jackson.core\n jackson-core\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n \n org.apache.hadoop\n hadoop-yarn-common\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n asm\n asm\n \n \n org.ow2.asm\n asm\n \n \n org.jboss.netty\n netty\n \n \n javax.servlet\n servlet-api\n \n \n commons-logging\n commons-logging\n \n \n com.sun.jersey\n *\n \n \n com.sun.jersey.jersey-test-framework\n *\n \n \n com.sun.jersey.contribs\n *\n \n \n com.google.guava\n guava\n \n \n org.apache.commons\n commons-compress\n \n \n \n\n \n org.apache.hadoop\n hadoop-yarn-client\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n org.codehaus.jackson\n jackson-mapper-asl\n \n \n org.codehaus.jackson\n jackson-core-asl\n \n \n com.google.guava\n guava\n \n \n com.google.code.findbugs\n jsr305\n \n \n org.apache.commons\n commons-math3\n \n \n \n commons-logging\n commons-logging\n \n \n log4j\n log4j\n \n \n \n\n \n org.apache.hadoop\n hadoop-yarn-api\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n org.codehaus.jackson\n jackson-mapper-asl\n \n \n org.codehaus.jackson\n jackson-core-asl\n \n \n com.google.guava\n guava\n \n \n com.google.code.findbugs\n jsr305\n \n \n org.apache.commons\n commons-math3\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n\n\n \n org.apache.hadoop\n hadoop-yarn-server-tests\n ${hadoop.version}\n tests\n test\n \n \n org.apache.hadoop\n hadoop-yarn-common\n \n \n com.sun.jersey\n jersey-core\n \n \n com.sun.jersey\n jersey-client\n \n \n com.sun.jersey\n jersey-server\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n org.codehaus.jackson\n jackson-core-asl\n \n \n org.codehaus.jackson\n jackson-jaxrs\n \n \n org.codehaus.jackson\n jackson-xc\n \n \n org.codehaus.jackson\n jackson-mapper-asl\n \n \n com.google.guava\n guava\n \n \n javax.xml.bind\n jaxb-api\n \n \n com.fasterxml.jackson.core\n jackson-core\n \n \n org.eclipse.jetty\n jetty-util\n \n \n com.zaxxer\n HikariCP-java7\n \n \n com.fasterxml.jackson.core\n jackson-annotations\n \n \n com.fasterxml.jackson.module\n jackson-module-jaxb-annotations\n \n \n \n commons-logging\n commons-logging\n \n \n io.dropwizard.metrics\n metrics-core\n \n \n com.google.guava\n guava\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n\n \n org.apache.hadoop\n hadoop-common\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n com.sun.jersey\n jersey-core\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-client\n \n \n com.sun.jersey\n jersey-server\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n org.codehaus.jackson\n jackson-mapper-asl\n \n \n org.codehaus.jackson\n jackson-core-asl\n \n \n com.google.guava\n guava\n \n \n com.google.code.findbugs\n jsr305\n \n \n org.apache.commons\n commons-math3\n \n \n commons-beanutils\n commons-beanutils\n \n \n commons-beanutils\n commons-beanutils-core\n \n \n org.apache.commons\n commons-configuration2\n \n \n org.apache.zookeeper\n zookeeper\n \n \n org.eclipse.jetty\n jetty-servlet\n \n \n org.eclipse.jetty\n jetty-util\n \n \n org.eclipse.jetty\n jetty-webapp\n \n \n org.eclipse.jetty\n jetty-server\n \n \n com.nimbusds\n nimbus-jose-jwt\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n commons-logging\n commons-logging\n \n \n org.ow2.asm\n asm\n \n \n com.jamesmurty.utils\n java-xmlbuilder\n \n \n \n\n \n org.apache.hadoop\n hadoop-common\n ${hadoop.version}\n tests\n test\n \n \n com.sun.jersey\n jersey-core\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-client\n \n \n com.sun.jersey\n jersey-server\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n org.codehaus.jackson\n jackson-mapper-asl\n \n \n org.codehaus.jackson\n jackson-core-asl\n \n \n com.google.guava\n guava\n \n \n com.google.code.findbugs\n jsr305\n \n \n org.apache.commons\n commons-math3\n \n \n commons-beanutils\n commons-beanutils\n \n \n org.apache.commons\n commons-configuration2\n \n \n org.apache.zookeeper\n zookeeper\n \n \n org.eclipse.jetty\n jetty-servlet\n \n \n org.eclipse.jetty\n jetty-util\n \n \n org.eclipse.jetty\n jetty-webapp\n \n \n org.eclipse.jetty\n jetty-server\n \n \n com.nimbusds\n nimbus-jose-jwt\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n commons-logging\n commons-logging\n \n \n log4j\n log4j\n \n \n org.slf4j\n slf4j-log4j12\n \n \n org.ow2.asm\n asm\n \n \n \n\n \n \n org.junit.jupiter\n junit-jupiter-engine\n ${junit.jupiter.version}\n test\n \n\n \n org.junit.jupiter\n junit-jupiter-params\n ${junit.jupiter.version}\n test\n \n\n \n org.assertj\n assertj-core\n ${assertj.version}\n test\n \n\n \n org.mockito\n mockito-core\n ${mockito.version}\n test\n \n\n \n org.testcontainers\n testcontainers\n ${testcontainers.version}\n test\n \n\n \n org.awaitility\n awaitility\n ${awaitility.version}\n test\n \n\n \n org.testcontainers\n neo4j\n ${testcontainers.version}\n test\n \n\n \n org.testcontainers\n junit-jupiter\n ${testcontainers.version}\n test\n \n\n \n org.apache.hadoop\n hadoop-hdfs\n ${hadoop.version}\n test\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-client\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n com.google.guava\n guava\n \n \n io.netty\n netty-all\n \n \n org.eclipse.jetty\n jetty-util\n \n \n com.fasterxml.jackson.core\n jackson-annotations\n \n \n \n commons-logging\n commons-logging\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n\n \n org.apache.hadoop\n hadoop-hdfs\n ${hadoop.version}\n tests\n test\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-client\n \n \n javax.servlet\n servlet-api\n \n \n org.apache.avro\n avro\n \n \n org.apache.jackrabbit\n jackrabbit-webdav\n \n \n io.netty\n netty\n \n \n commons-httpclient\n commons-httpclient\n \n \n org.eclipse.jgit\n org.eclipse.jgit\n \n \n com.jcraft\n jsch\n \n \n org.apache.commons\n commons-compress\n \n \n xml-apis\n xml-apis\n \n \n xerces\n xercesImpl\n \n \n com.google.guava\n guava\n \n \n io.netty\n netty-all\n \n \n org.eclipse.jetty\n jetty-util\n \n \n com.fasterxml.jackson.core\n jackson-annotations\n \n \n \n commons-logging\n commons-logging\n \n \n log4j\n log4j\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n\n \n org.apache.hadoop\n ${hadoop-client-runtime.artifact}\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n commons-logging\n commons-logging\n \n \n com.google.code.findbugs\n jsr305\n \n \n \n \n org.apache.hadoop\n ${hadoop-client-minicluster.artifact}\n ${hadoop.version}\n test\n \n\n \n \n\n \n\n \n \n org.apache.maven.plugins\n maven-compiler-plugin\n \n ${java.version}\n ${java.version}\n \n \n\n \n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n \n org.apache.maven.plugins\n maven-jar-plugin\n \n \n \n true\n lib/\n theMainClass\n \n \n \n \n\n \n org.apache.maven.plugins\n maven-scm-plugin\n \n developerConnection\n branch-0.1\n branch\n \n \n\n \n org.apache.maven.plugins\n maven-enforcer-plugin\n \n \n enforce-dependency-convergence\n \n \n \n \n true\n \n \n enforce\n \n \n \n \n\n \n org.apache.maven.plugins\n maven-deploy-plugin\n \n\n \n \n\n \n \n \n org.apache.maven.plugins\n maven-jar-plugin\n ${plugin.jar.version}\n \n\n \n org.apache.maven.plugins\n maven-scm-plugin\n ${plugin.scm.version}\n \n\n \n pl.project13.maven\n git-commit-id-plugin\n ${plugin.git.commit.id.version}\n \n\n \n org.apache.maven.plugins\n maven-enforcer-plugin\n ${plugin.enforcer.version}\n \n\n \n org.apache.maven.plugins\n maven-deploy-plugin\n ${plugin.deploy.version}\n \n\n \n org.apache.maven.plugins\n maven-checkstyle-plugin\n ${plugin.checkstyle.version}\n \n true\n ${basedir}/src/main/java,${basedir}/src/main/scala\n ${basedir}/src/test/java\n \n zeppelin/checkstyle.xml\n \n \n \n checkstyle-fail-build\n \n check\n \n \n true\n org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/*\n \n \n \n \n \n org.apache.zeppelin\n build-tools\n ${project.version}\n \n \n \n\n \n org.apache.maven.plugins\n maven-clean-plugin\n ${plugin.clean.version}\n \n\n \n net.alchim31.maven\n scala-maven-plugin\n ${plugin.scala.alchim31.version}\n \n all\n \n -unchecked\n -deprecation\n -feature\n \n \n \n\n \n org.apache.maven.plugins\n maven-surefire-plugin\n ${plugin.surefire.version}\n \n -Xmx2g -Xms1g -Dfile.encoding=UTF-8\n \n true\n \n \n ${tests.to.exclude}\n \n \n \n \n\n \n org.apache.maven.plugins\n maven-assembly-plugin\n ${plugin.assembly.version}\n \n\n \n org.codehaus.mojo\n exec-maven-plugin\n ${plugin.exec.version}\n \n\n \n org.codehaus.mojo\n cobertura-maven-plugin\n ${plugin.cobertura.version}\n \n\n \n com.googlecode.maven-download-plugin\n download-maven-plugin\n ${plugin.download.version}\n \n\n \n org.apache.maven.plugins\n maven-antrun-plugin\n ${plugin.antrun.version}\n \n\n \n org.apache.maven.plugins\n maven-dependency-plugin\n ${plugin.dependency.version}\n \n \n copy-dependencies\n process-test-resources\n \n copy-dependencies\n \n \n ${project.build.directory}/lib\n false\n false\n true\n runtime\n \n \n \n \n\n \n org.scalatest\n scalatest-maven-plugin\n ${plugin.scalatest.version}\n \n\n\n \n org.codehaus.mojo\n build-helper-maven-plugin\n ${plugin.buildhelper.version}\n \n\n \n com.github.eirslett\n frontend-maven-plugin\n ${plugin.frontend.version}\n \n\n \n org.apache.maven.plugins\n maven-failsafe-plugin\n ${plugin.failsafe.version}\n \n\n \n com.github.os72\n protoc-jar-maven-plugin\n ${plugin.protobuf.version}\n \n\n \n com.bazaarvoice.maven.plugins\n s3-upload-maven-plugin\n ${plugin.s3.upload.version}\n \n\n \n org.codehaus.mojo\n buildnumber-maven-plugin\n ${plugin.buildnumber.version}\n \n\n \n org.apache.avro\n avro-maven-plugin\n ${plugin.avro.version}\n \n\n \n org.scalatra.scalate\n maven-scalate-plugin_${scala.binary.version}\n ${plugin.scalate.version}\n \n\n \n org.apache.maven.plugins\n maven-source-plugin\n ${plugin.source.version}\n \n\n \n org.apache.maven.plugins\n maven-javadoc-plugin\n ${plugin.javadoc.version}\n \n\n \n org.apache.maven.plugins\n maven-gpg-plugin\n ${plugin.gpg.version}\n \n\n \n org.apache.rat\n apache-rat-plugin\n ${plugin.rat.version}\n \n \n \n \n\n \n \n web-angular\n \n zeppelin-web-angular\n \n \n\n \n vendor-repo\n \n \n cloudera\n https://repository.cloudera.com/artifactory/cloudera-repos/\n \n \n hortonworks\n https://repo.hortonworks.com/content/groups/public/\n \n \n \n\n \n integration\n \n zeppelin-integration\n zeppelin-interpreter-integration\n \n \n\n \n examples\n \n zeppelin-examples\n \n \n\n \n helium-dev\n \n helium-dev\n \n \n\n \n include-hadoop\n \n compile\n \n \n\n \n build-distr\n \n false\n \n \n \n \n \n org.apache.maven.plugins\n maven-surefire-plugin\n \n true\n \n \n\n \n org.apache.maven.plugins\n maven-assembly-plugin\n \n \n make-assembly\n package\n \n single\n \n \n \n \n\n \n \n \n \n\n \n publish-distr\n \n \n \n org.apache.maven.plugins\n maven-surefire-plugin\n \n true\n \n \n\n \n org.apache.maven.plugins\n maven-source-plugin\n \n \n attach-sources\n \n jar\n \n \n \n \n\n \n org.apache.maven.plugins\n maven-javadoc-plugin\n \n \n attach-javadocs\n \n jar\n \n \n \n \n \n \n \n\n \n release-sign-artifacts\n \n \n performRelease\n true\n \n \n \n \n \n org.apache.maven.plugins\n maven-gpg-plugin\n \n \n sign-artifacts\n verify\n \n sign\n \n \n \n \n \n \n \n\n \n rat\n \n \n \n org.apache.rat\n apache-rat-plugin\n \n \n **/*.keywords\n reports/**\n **/.idea/\n **/*.iml\n .git/\n .github/\n .gitignore\n git.properties\n .repository/\n .rat-excludes/\n .Rhistory\n **/*.diff\n **/*.patch\n **/*.avsc\n **/*.avro\n **/*.log\n **/*.ipynb\n **/test/resources/**\n **/.settings/*\n **/.factorypath\n **/.classpath\n **/.project\n **/target/**\n **/derby.log\n **/metastore_db/\n **/logs/**\n **/run/**\n interpreter/**\n **/local-repo/**\n **/null/**\n **/notebook/**\n **/README.md\n DEPENDENCIES\n DEPLOY.md\n STYLE.md\n Roadmap.md\n **/licenses/**\n **/zeppelin-distribution/src/bin_license/**\n conf/interpreter.json\n conf/notebook-authorization.json\n conf/credentials.json\n conf/zeppelin-env.sh\n conf/helium.json\n spark-*-bin*/**\n .spark-dist/**\n **/interpreter-setting.json\n **/constants.json\n scripts/**\n **/**/*.log\n **/**/logs/**\n\n \n **/test/karma.conf.js\n **/test/spec/**\n **/.babelrc\n **/.bowerrc\n .editorconfig\n .eslintrc\n protractor.conf.js\n **/.tmp/**\n **/target/**\n **/node/**\n **/node_modules/**\n **/bower_components/**\n **/dist/**\n **/.buildignore\n **/.npmignore\n **/.jshintrc\n **/yarn.lock\n **/bower.json\n **/src/fonts/Patua-One*\n **/src/fonts/patua-one*\n **/src/fonts/Roboto*\n **/src/fonts/roboto*\n **/src/fonts/fontawesome*\n **/src/fonts/font-awesome*\n **/src/styles/font-awesome*\n **/src/fonts/Simple-Line*\n **/src/fonts/simple-line*\n **/src/fonts/Source-Code-Pro*\n **/src/fonts/source-code-pro*\n **/src/**/**.test.js\n **/e2e/**/**.spec.js\n package-lock.json\n\n \n **/*.json\n **/browserslist\n **/.prettierrc\n **/.prettierignore\n **/.editorconfig\n **/src/**/*.svg\n **/.gitkeep\n\n\n \n **/src/main/java/org/apache/zeppelin/jdbc/SqlCompleter.java\n\n \n docs/assets/themes/zeppelin/bootstrap/**\n docs/assets/themes/zeppelin/css/style.css\n docs/assets/themes/zeppelin/js/docs.js\n docs/assets/themes/zeppelin/js/search.js\n docs/_includes/themes/zeppelin/_jumbotron.html\n docs/_includes/themes/zeppelin/_navigation.html\n\n \n docs/404.html\n docs/_config.yml\n docs/_includes/JB/**\n docs/_layouts/**\n docs/_plugins/**\n docs/atom.xml\n docs/_includes/themes/zeppelin/default.html\n docs/_includes/themes/zeppelin/page.html\n docs/_includes/themes/zeppelin/post.html\n docs/_includes/themes/zeppelin/settings.yml\n docs/Rakefile\n docs/rss.xml\n docs/sitemap.txt\n docs/search_data.json\n **/dependency-reduced-pom.xml\n\n \n docs/assets/themes/zeppelin/js/anchor.min.js\n\n \n docs/assets/themes/zeppelin/js/toc.js\n\n \n docs/assets/themes/zeppelin/js/lunr.min.js\n\n \n docs/assets/themes/zeppelin/css/syntax.css\n\n \n docs/_site/**\n docs/Gemfile.lock\n\n \n **/package.json\n\n zeppelin-jupyter-interpreter/src/main/resources/grpc/jupyter/*.py\n \n \n\n \n \n verify.rat\n verify\n \n check\n \n \n \n \n \n \n \n\n \n\n \n \n \n org.apache.maven.plugins\n maven-checkstyle-plugin\n \n \n aggregate\n false\n \n checkstyle-aggregate\n \n \n \n zeppelin/checkstyle.xml\n org/apache/zeppelin/interpreter/thrift/*,org/apache/zeppelin/python/proto/*\n \n \n \n \n \n \n\n" }, { "path": "internal/remediation/testdata/zeppelin-server/pom.xml", "content": "\n\n\n\n 4.0.0\n\n \n zeppelin\n org.apache.zeppelin\n 0.11.1\n ./parent\n \n\n zeppelin-server\n jar\n Zeppelin: Server\n\n \n\n \n 2.30\n 1.13\n 2.1\n 1.11\n 4.1.0\n 2.12.6.1\n 9.13\n 2.0.0-M15\n\n \n 2.48.2\n 1.4.01\n 2.2\n \n\n \n\n \n ${project.groupId}\n zeppelin-zengine\n ${project.version}\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n com.sun.jersey\n jersey-core\n \n \n com.sun.jersey\n jersey-json\n \n \n com.sun.jersey\n jersey-server\n \n \n com.fasterxml.jackson.core\n jackson-core\n \n \n org.ow2.asm\n asm\n \n \n \n commons-logging\n commons-logging\n \n \n org.slf4j\n slf4j-log4j12\n \n \n org.slf4j\n slf4j-reload4j\n \n \n org.slf4j\n jcl-over-slf4j\n \n \n \n\n \n org.apache.httpcomponents\n httpclient\n \n\n \n org.slf4j\n slf4j-reload4j\n \n \n ch.qos.reload4j\n reload4j\n \n \n org.slf4j\n jcl-over-slf4j\n \n\n \n io.dropwizard.metrics\n metrics-servlets\n ${dropwizard.version}\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n \n\n \n io.micrometer\n micrometer-registry-prometheus\n ${micrometer.version}\n \n \n io.micrometer\n micrometer-registry-jmx\n ${micrometer.version}\n \n \n \n io.dropwizard.metrics\n metrics-jmx\n \n \n \n \n \n io.dropwizard.metrics\n metrics-jmx\n ${dropwizard.version}\n \n\n \n org.glassfish.jersey.core\n jersey-client\n ${jersey.version}\n \n \n javax.annotation\n javax.annotation-api\n \n \n \n \n org.glassfish.jersey.containers\n jersey-container-servlet-core\n ${jersey.version}\n \n \n org.glassfish.jersey.media\n jersey-media-json-jackson\n ${jersey.version}\n \n \n com.fasterxml.jackson.core\n jackson-annotations\n \n \n com.fasterxml.jackson.core\n jackson-databind\n \n \n com.fasterxml.jackson.core\n jackson-core\n \n \n \n \n org.glassfish.jersey.inject\n jersey-hk2\n ${jersey.version}\n \n \n org.glassfish.jersey.core\n jersey-server\n ${jersey.version}\n \n\n \n com.fasterxml.jackson.core\n jackson-databind\n ${jackson.version}\n \n\n \n javax.ws.rs\n javax.ws.rs-api\n ${javax.ws.rsapi.version}\n \n\n \n org.bouncycastle\n bcpkix-jdk15on\n \n\n \n commons-collections\n commons-collections\n \n\n \n org.apache.shiro\n shiro-core\n \n \n commons-beanutils\n commons-beanutils\n \n \n \n \n commons-beanutils\n commons-beanutils\n 1.9.4\n \n \n \n commons-logging\n commons-logging\n \n \n \n\n \n org.apache.shiro\n shiro-web\n \n\n \n org.kohsuke\n libpam4j\n ${libpam4j.version}\n \n \n net.java.dev.jna\n jna\n \n \n \n\n \n net.java.dev.jna\n jna\n ${jna.version}\n \n\n \n org.eclipse.jetty\n jetty-webapp\n ${jetty.version}\n \n\n \n org.eclipse.jetty\n jetty-jmx\n ${jetty.version}\n \n\n \n org.eclipse.jetty.websocket\n javax-websocket-server-impl\n ${jetty.version}\n \n\n \n com.google.code.gson\n gson\n \n\n \n com.nimbusds\n nimbus-jose-jwt\n ${nimbus.version}\n \n\n \n org.quartz-scheduler\n quartz\n ${quartz.scheduler.version}\n \n\n \n org.apache.directory.server\n apacheds-kerberos-codec\n ${kerberos.version}\n \n\n \n org.apache.zeppelin\n zeppelin-zengine\n ${project.version}\n tests\n test\n \n \n com.google.guava\n guava\n \n \n \n\n \n org.junit.jupiter\n junit-jupiter-engine\n test\n \n\n \n org.hamcrest\n hamcrest\n ${hamcrest.version}\n test\n \n\n \n org.mockito\n mockito-core\n test\n \n \n \n org.objenesis\n objenesis\n \n \n \n\n \n org.seleniumhq.selenium\n selenium-java\n ${selenium.java.version}\n test\n \n \n org.seleniumhq.selenium\n selenium-android-driver\n \n \n commons-logging\n commons-logging\n \n \n xml-apis\n xml-apis\n \n \n org.eclipse.jetty.websocket\n websocket-client\n \n \n net.java.dev.jna\n jna\n \n \n org.apache.commons\n commons-lang3\n \n \n com.google.guava\n guava\n \n \n \n\n \n xml-apis\n xml-apis\n ${xml.apis.version}\n test\n \n\n \n org.bitbucket.cowwoc\n diff-match-patch\n 1.1\n \n \n \n \n \n maven-failsafe-plugin\n \n \n \n integration-test\n verify\n \n \n \n \n -Xmx2048m\n \n \n\n \n maven-surefire-plugin\n \n 1\n false\n -Xmx3g -Xms1g -Dfile.encoding=UTF-8\n \n ${tests.to.exclude}\n \n \n 1\n \n \n \n\n \n \n org.apache.maven.plugins\n maven-jar-plugin\n \n \n \n test-jar\n \n \n \n \n\n \n org.apache.maven.plugins\n maven-dependency-plugin\n \n \n \n\n \n \n using-source-tree\n \n true\n \n \n \n\t ../bin\n \n \n \n\n \n using-packaged-distr\n \n false\n \n \n \n\t ../zeppelin-distribution/target/zeppelin-${project.version}/zeppelin-${project.version}/bin\n \n \n \n\n \n hadoop2\n\n \n ${hadoop2.7.version}\n \n \n \n org.apache.hadoop\n hadoop-common\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n\n \n \n hadoop3\n \n true\n \n \n ${hadoop3.2.version}\n hadoop-client-api\n hadoop-client-runtime\n \n\n \n \n org.apache.hadoop\n ${hadoop-client-runtime.artifact}\n ${hadoop.version}\n ${hadoop.deps.scope}\n \n \n\n \n\n \n\n\n" }, { "path": "internal/remediation/testdata/zeppelin-server/universe.yaml", "content": "# Automatically generated by generate_mock_resolution_universe on 06 Nov 25 09:05 AEDT. DO NOT EDIT.\nsystem: Maven\nschema: |\n antlr:antlr\n \t2.7.7\n aopalliance:aopalliance\n \t1.0\n asm:asm\n \t3.1\n asm:asm-parent\n \t3.1\n cglib:cglib-nodep\n \t2.1_3\n ch.qos.reload4j:reload4j\n \t1.2.18.3\n \t\tOpt|javax.mail:mail@1.4.7\n \t\tOpt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0\n \t1.2.25\n \t\tOpt|javax.mail:mail@1.4.7\n \t\tOpt|org.apache.geronimo.specs:geronimo-jms_1.1_spec@1.0\n com.esotericsoftware:kryo\n \t4.0.2\n \t\tcom.esotericsoftware:reflectasm@1.11.3\n \t\tcom.esotericsoftware:minlog@1.3.0\n \t\torg.objenesis:objenesis@2.5.1\n com.esotericsoftware:kryo-parent\n \t4.0.2\n \t\tcom.esotericsoftware:minlog@1.3.0\n \t\torg.objenesis:objenesis@2.5.1\n com.esotericsoftware:minlog\n \t1.3.0\n com.esotericsoftware:reflectasm\n \t1.11.3\n \t\torg.ow2.asm:asm@5.0.4\n com.fasterxml.jackson.core:jackson-annotations\n \t2.9.9\n \t2.9.10\n \t2.12.6\n \t2.12.7\n com.fasterxml.jackson.core:jackson-core\n \t2.9.9\n \t2.9.10\n \t2.12.6\n \t2.12.7\n \t2.13.0\n \t2.15.0\n com.fasterxml.jackson.core:jackson-databind\n \t2.9.9\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.9.0\n \t\tcom.fasterxml.jackson.core:jackson-core@2.9.9\n \t2.9.10.5\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.9.10\n \t\tcom.fasterxml.jackson.core:jackson-core@2.9.10\n \t2.12.6.1\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.12.6\n \t\tcom.fasterxml.jackson.core:jackson-core@2.12.6\n \t2.12.7.1\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.12.7\n \t\tcom.fasterxml.jackson.core:jackson-core@2.12.7\n com.fasterxml.jackson.module:jackson-module-jaxb-annotations\n \t2.9.9\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.9.0\n \t\tcom.fasterxml.jackson.core:jackson-core@2.9.9\n \t\tcom.fasterxml.jackson.core:jackson-databind@2.9.9\n \t\tScope provided|javax.xml.bind:jaxb-api@2.2\n com.fasterxml.jackson.module:jackson-modules-base\n \t2.9.9\n com.fasterxml.jackson:jackson-base\n \t2.9.9\n \t2.9.10\n \t2.9.10.20200621\n \t2.12.6\n \t2.12.7\n \t2.13.0\n \t2.15.0\n com.fasterxml.jackson:jackson-bom\n \t2.9.6\n \t2.9.9\n \t2.9.10\n \t2.9.10.20200621\n \t2.12.6\n \t2.12.7\n \t2.12.7.20240502\n \t2.13.0\n \t2.15.0\n \t2.17.1\n com.fasterxml.jackson:jackson-parent\n \t2.9.1.1\n \t2.9.1.2\n \t2.12\n \t2.13\n \t2.15\n \t2.17\n com.fasterxml:oss-parent\n \t33\n \t34\n \t41\n \t43\n \t50\n \t58\n com.github.eirslett:frontend-plugin-core\n \t1.6\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.9.13\n \t\torg.codehaus.jackson:jackson-core-asl@1.9.13\n \t\torg.apache.commons:commons-compress@1.5\n \t\tcommons-io:commons-io@1.3.2\n \t\torg.apache.commons:commons-exec@1.3\n \t\torg.apache.httpcomponents:httpclient@4.5.1\n \t\torg.codehaus.plexus:plexus-utils@3.0.22\n \t\torg.slf4j:slf4j-api@1.7.5\n com.github.eirslett:frontend-plugins\n \t1.6\n com.github.stephenc.jcip:jcip-annotations\n \t1.0-1\n com.google.code.findbugs:jsr305\n \t1.3.9\n \t3.0.0\n \t3.0.2\n com.google.code.gson:gson\n \t2.3.1\n \t2.8.9\n com.google.code.gson:gson-parent\n \t2.8.9\n com.google.errorprone:error_prone_annotations\n \t2.0.18\n \t2.1.3\n \t2.18.0\n com.google.errorprone:error_prone_parent\n \t2.0.18\n \t2.1.3\n \t2.18.0\n com.google.guava:failureaccess\n \t1.0.1\n com.google.guava:guava\n \t11.0.2\n \t\tcom.google.code.findbugs:jsr305@1.3.9\n \t\tScope provided|com.google.guava:guava-bootstrap@11.0.2\n \t18.0\n \t\tOpt|com.google.code.findbugs:jsr305@1.3.9\n \t22.0\n \t\tcom.google.code.findbugs:jsr305@1.3.9\n \t\tcom.google.errorprone:error_prone_annotations@2.0.18\n \t\tcom.google.j2objc:j2objc-annotations@1.1\n \t\torg.codehaus.mojo:animal-sniffer-annotations@1.14\n \t24.1.1-jre\n \t\tcom.google.code.findbugs:jsr305@1.3.9\n \t\torg.checkerframework:checker-compat-qual@2.0.0\n \t\tcom.google.errorprone:error_prone_annotations@2.1.3\n \t\tcom.google.j2objc:j2objc-annotations@1.1\n \t\torg.codehaus.mojo:animal-sniffer-annotations@1.14\n \t32.0.0-jre\n \t\tcom.google.guava:failureaccess@1.0.1\n \t\tcom.google.guava:listenablefuture@9999.0-empty-to-avoid-conflict-with-guava\n \t\tcom.google.code.findbugs:jsr305@3.0.2\n \t\torg.checkerframework:checker-qual@3.33.0\n \t\tcom.google.errorprone:error_prone_annotations@2.18.0\n \t\tcom.google.j2objc:j2objc-annotations@2.8\n com.google.guava:guava-parent\n \t11.0.2\n \t18.0\n \t22.0\n \t24.1.1-jre\n \t26.0-android\n \t32.0.0-jre\n com.google.guava:listenablefuture\n \t9999.0-empty-to-avoid-conflict-with-guava\n com.google.inject.extensions:extensions-parent\n \t3.0\n \t\tcom.google.inject:guice@3.0\n com.google.inject.extensions:guice-servlet\n \t3.0\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tcom.google.inject:guice@3.0\n com.google.inject:guice\n \t3.0\n \t\tjavax.inject:javax.inject@1\n \t\taopalliance:aopalliance@1.0\n \t\torg.sonatype.sisu.inject:cglib@2.2.1-v20090111\n com.google.inject:guice-parent\n \t3.0\n com.google.j2objc:j2objc-annotations\n \t1.1\n \t2.8\n com.google.protobuf:protobuf-java\n \t2.5.0\n com.google:google\n \t1\n \t5\n com.googlecode.javaewah:JavaEWAH\n \t0.7.9\n \t1.1.13\n \t1.2.3\n com.helger:parent-pom\n \t1.10.8\n com.helger:profiler\n \t1.1.1\n \t\tScope provided|javax.ws.rs:javax.ws.rs-api@2.1.1\n com.ibm.icu:icu4j\n \t59.1\n com.jamesmurty.utils:java-xmlbuilder\n \t0.4\n com.jcraft:jsch\n \t0.1.53\n \t\tOpt|com.jcraft:jzlib@1.0.7\n \t0.1.54\n \t\tOpt|com.jcraft:jzlib@1.0.7\n com.mchange:c3p0\n \t0.9.5.4\n \t\tcom.mchange:mchange-commons-java@0.2.15\n com.mchange:mchange-commons-java\n \t0.2.15\n \t\tOpt|com.typesafe:config@1.3.0\n \t\tOpt|log4j:log4j@[1.2.14,1.2.15),[1.2.140,1.2.150),[1.2.1400,1.2.1500),[1.2.14000,1.2.15000),[1.2.140000,1.2.150000)\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.7\n \t\tOpt|org.apache.logging.log4j:log4j-core@2.7\n \t\tOpt|org.slf4j:slf4j-api@[1.7.5,1.7.6),[1.7.50,1.7.60),[1.7.500,1.7.600),[1.7.5000,1.7.6000),[1.7.50000,1.7.60000)\n com.nimbusds:nimbus-jose-jwt\n \t9.13\n \t\tcom.github.stephenc.jcip:jcip-annotations@1.0-1\n \t\tOpt|org.bouncycastle:bcprov-jdk15on@1.68\n \t\tOpt|org.bouncycastle:bc-fips@[1.0.2,2.0.0)\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.68\n \t\tOpt|com.google.crypto.tink:tink@1.5.0\n \t9.37.2\n \t\tcom.github.stephenc.jcip:jcip-annotations@1.0-1\n \t\tOpt|org.bouncycastle:bcprov-jdk15on@1.70\n \t\tOpt|org.bouncycastle:bcutil-jdk15on@1.70\n \t\tOpt|org.bouncycastle:bc-fips@[1.0.2,2.0.0)\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.70\n \t\tOpt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.10.0\n \t9.37.4\n \t\tcom.github.stephenc.jcip:jcip-annotations@1.0-1\n \t\tOpt|org.bouncycastle:bcprov-jdk18on@1.81\n \t\tOpt|org.bouncycastle:bcutil-jdk18on@1.81\n \t\tOpt|org.bouncycastle:bc-fips@[1.0.2,2.0.0)\n \t\tOpt|org.bouncycastle:bcpkix-jdk18on@1.81\n \t\tOpt MavenExclusions com.google.protobuf:protobuf-java,com.google.code.gson:gson|com.google.crypto.tink:tink@1.16.0\n com.openhtmltopdf:openhtmltopdf-core\n \t1.0.0\n com.openhtmltopdf:openhtmltopdf-jsoup-dom-converter\n \t1.0.0\n \t\torg.jsoup:jsoup@1.11.3\n com.openhtmltopdf:openhtmltopdf-parent\n \t1.0.0\n com.openhtmltopdf:openhtmltopdf-pdfbox\n \t1.0.0\n \t\torg.apache.pdfbox:pdfbox@2.0.16\n \t\torg.apache.pdfbox:xmpbox@2.0.16\n \t\tcom.openhtmltopdf:openhtmltopdf-core@1.0.0\n \t\tde.rototor.pdfbox:graphics2d@0.24\n com.openhtmltopdf:openhtmltopdf-rtl-support\n \t1.0.0\n \t\tcom.ibm.icu:icu4j@59.1\n \t\tcom.openhtmltopdf:openhtmltopdf-core@1.0.0\n com.sun.activation:all\n \t1.2.1\n com.sun.activation:jakarta.activation\n \t1.2.1\n com.sun.jersey.contribs:jersey-contribs\n \t1.9\n com.sun.jersey.contribs:jersey-guice\n \t1.9\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tjavax.inject:javax.inject@1\n \t\tcom.google.inject:guice@3.0\n \t\tcom.google.inject.extensions:guice-servlet@3.0\n \t\tcom.sun.jersey:jersey-server@1.9\n com.sun.jersey:jersey-client\n \t1.9\n \t\tScope provided|org.osgi:osgi_R4_core@1.0\n \t\tcom.sun.jersey:jersey-core@1.9\n com.sun.jersey:jersey-core\n \t1.9\n \t\tScope provided|javax.ws.rs:jsr311-api@1.1.1\n \t\tScope provided|javax.mail:mail@1.4\n \t\tScope provided|javax.xml.bind:jaxb-api@2.1\n \t\tScope provided|org.osgi:osgi_R4_core@1.0\n com.sun.jersey:jersey-json\n \t1.9\n \t\torg.codehaus.jettison:jettison@1.1\n \t\tcom.sun.xml.bind:jaxb-impl@2.2.3-1\n \t\torg.codehaus.jackson:jackson-core-asl@1.8.3\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.8.3\n \t\torg.codehaus.jackson:jackson-jaxrs@1.8.3\n \t\torg.codehaus.jackson:jackson-xc@1.8.3\n \t\tcom.sun.jersey:jersey-core@1.9\n com.sun.jersey:jersey-project\n \t1.9\n com.sun.jersey:jersey-server\n \t1.9\n \t\tasm:asm@3.1\n \t\tScope provided|javax.persistence:persistence-api@1.0\n \t\tScope provided|javax.mail:mail@1.4\n \t\tScope provided|javax.xml.bind:jaxb-api@2.1\n \t\tScope provided|javax.servlet:javax.servlet-api@3.0.1\n \t\tScope provided|javax.servlet:jsp-api@2.0\n \t\tScope provided|org.glassfish:javax.ejb@3.1\n \t\tScope provided|org.jboss.weld:weld-osgi-bundle@1.1.0.Final\n \t\tScope provided|ant:ant@1.6.5\n \t\tScope provided|org.osgi:osgi_R4_core@1.0\n \t\tcom.sun.jersey:jersey-core@1.9\n com.sun.xml.bind:jaxb-impl\n \t2.2.3-1\n \t\tjavax.xml.bind:jaxb-api@2.2.2\n com.thoughtworks.paranamer:paranamer\n \t2.3\n \t\tOpt|javax.inject:javax.inject@1\n com.thoughtworks.paranamer:paranamer-parent\n \t2.3\n com.typesafe:config\n \t1.3.2\n com.vladsch.flexmark:flexmark\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-ast@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-builder@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-dependency@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-format@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-html@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-visitor@0.62.2\n com.vladsch.flexmark:flexmark-all\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-admonition@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-aside@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-attributes@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-autolink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-definition@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-emoji@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-enumerated-reference@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-footnotes@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-issues@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-users@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gitlab@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-jekyll-tag@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-media-tags@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-macros@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-ins@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-xwiki-macros@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-superscript@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-tables@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-toc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-typographic@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-wikilink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-youtube-embedded@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-html2md-converter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-jira-converter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-pdf-converter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-profile-pegdown@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-ast@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-builder@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-dependency@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-format@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-html@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-options@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-visitor@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-youtrack-converter@0.62.2\n com.vladsch.flexmark:flexmark-ext-abbreviation\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-autolink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-admonition\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-anchorlink\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-aside\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-jira-converter@0.62.2\n com.vladsch.flexmark:flexmark-ext-attributes\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-autolink\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\torg.nibor.autolink:autolink@0.6.0\n com.vladsch.flexmark:flexmark-ext-definition\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-emoji\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-jira-converter@0.62.2\n com.vladsch.flexmark:flexmark-ext-enumerated-reference\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-attributes@0.62.2\n com.vladsch.flexmark:flexmark-ext-escaped-character\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-footnotes\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-gfm-issues\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-gfm-strikethrough\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-gfm-tasklist\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-gfm-users\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-gitlab\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-ins\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-jekyll-front-matter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-yaml-front-matter@0.62.2\n com.vladsch.flexmark:flexmark-ext-jekyll-tag\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-macros\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gitlab@0.62.2\n com.vladsch.flexmark:flexmark-ext-media-tags\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-superscript\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-tables\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-toc\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-typographic\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-wikilink\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-xwiki-macros\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-yaml-front-matter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-ext-youtube-embedded\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-html2md-converter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-emoji@0.62.2\n \t\torg.jsoup:jsoup@1.11.3\n com.vladsch.flexmark:flexmark-java\n \t0.62.2\n com.vladsch.flexmark:flexmark-jira-converter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-tables@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-wikilink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-ins@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-superscript@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n com.vladsch.flexmark:flexmark-pdf-converter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\torg.jsoup:jsoup@1.11.3\n \t\tcom.openhtmltopdf:openhtmltopdf-core@1.0.0\n \t\tcom.openhtmltopdf:openhtmltopdf-pdfbox@1.0.0\n \t\tcom.openhtmltopdf:openhtmltopdf-rtl-support@1.0.0\n \t\tcom.openhtmltopdf:openhtmltopdf-jsoup-dom-converter@1.0.0\n com.vladsch.flexmark:flexmark-profile-pegdown\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-abbreviation@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-anchorlink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-aside@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-autolink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-definition@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-emoji@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-escaped-character@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-footnotes@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-tasklist@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-ins@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-jekyll-front-matter@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-superscript@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-tables@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-toc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-typographic@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-wikilink@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-ast@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n com.vladsch.flexmark:flexmark-util\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-ast@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-builder@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-dependency@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-format@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-html@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-options@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-visitor@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-ast\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-visitor@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-builder\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-collection\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-data\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-dependency\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-format\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-ast@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-html@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-html\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-misc\n \t0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-options\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-sequence@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-sequence\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-collection@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-data@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util-misc@0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-util-visitor\n \t0.62.2\n \t\torg.jetbrains:annotations@15.0\n com.vladsch.flexmark:flexmark-youtrack-converter\n \t0.62.2\n \t\tcom.vladsch.flexmark:flexmark-util@0.62.2\n \t\tcom.vladsch.flexmark:flexmark@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-gfm-strikethrough@0.62.2\n \t\tcom.vladsch.flexmark:flexmark-ext-tables@0.62.2\n com.zaxxer:HikariCP-java7\n \t2.4.13\n \t\torg.slf4j:slf4j-api@1.7.21\n \t\tOpt|org.javassist:javassist@3.20.0-GA\n \t\tOpt Scope provided MavenExclusions org.jboss.logging:jboss-logging,org.jboss.logging:jboss-logging-annotations|org.hibernate:hibernate-core@5.0.9.Final\n \t\tOpt Scope provided|io.dropwizard.metrics:metrics-core@3.1.2\n \t\tOpt Scope provided|io.dropwizard.metrics:metrics-healthchecks@3.1.2\n \t\tOpt Scope provided|io.prometheus:simpleclient@0.0.16\n commons-beanutils:commons-beanutils\n \t1.9.4\n \t\tcommons-logging:commons-logging@1.2\n \t\tcommons-collections:commons-collections@3.2.2\n \t1.11.0\n \t\tcommons-logging:commons-logging@1.3.5\n \t\tcommons-collections:commons-collections@3.2.2\n commons-beanutils:commons-beanutils-core\n \t1.8.0\n \t\tcommons-logging:commons-logging@1.1.1\n commons-cli:commons-cli\n \t1.4\n commons-codec:commons-codec\n \t1.10\n \t1.11\n \t1.14\n commons-collections:commons-collections\n \t3.2.1\n \t3.2.2\n commons-configuration:commons-configuration\n \t1.6\n \t\tcommons-collections:commons-collections@3.2.1\n \t\tcommons-lang:commons-lang@2.4\n \t\tcommons-logging:commons-logging@1.1.1\n \t\tcommons-digester:commons-digester@1.8\n \t\tcommons-beanutils:commons-beanutils-core@1.8.0\n \t\tOpt|commons-codec:commons-codec@1.3\n \t\tOpt|commons-jxpath:commons-jxpath@1.3\n \t\tScope provided|xerces:xercesImpl@2.3.0\n \t\tScope provided|xalan:xalan@2.7.0\n \t\tScope provided|xml-apis:xml-apis@1.0.b2\n \t\tOpt|javax.servlet:servlet-api@2.4\n \t\tOpt|javax.mail:mail@1.4\n \t\tOpt|ant:ant@1.6.5\n commons-digester:commons-digester\n \t1.8\n \t\tcommons-beanutils:commons-beanutils@1.7.0\n \t\tcommons-logging:commons-logging@1.1\n \t\tScope provided|xml-apis:xml-apis@1.0.b2\n commons-httpclient:commons-httpclient\n \t3.1\n \t\tcommons-logging:commons-logging@1.0.4\n \t\tcommons-codec:commons-codec@1.2\n commons-io:commons-io\n \t2.4\n \t2.7\n \t2.14.0\n commons-lang:commons-lang\n \t2.6\n commons-logging:commons-logging\n \t1.1.3\n \t\tOpt|log4j:log4j@1.2.17\n \t\tOpt|logkit:logkit@1.0.1\n \t\tOpt|avalon-framework:avalon-framework@4.1.5\n \t\tOpt Scope provided|javax.servlet:servlet-api@2.3\n \t1.2\n \t\tOpt|log4j:log4j@1.2.17\n \t\tOpt|logkit:logkit@1.0.1\n \t\tOpt|avalon-framework:avalon-framework@4.1.5\n \t\tOpt Scope provided|javax.servlet:servlet-api@2.3\n commons-net:commons-net\n \t3.1\n \t3.6\n \t3.9.0\n de.rototor.pdfbox:graphics2d\n \t0.24\n \t\torg.apache.pdfbox:pdfbox@2.0.16\n findbugs:annotations\n \t1.0.0\n io.atomix:atomix\n \t3.0.0-rc5\n \t\tio.atomix:atomix-cluster@3.0.0-rc5\n \t\tio.atomix:atomix-primitive@3.0.0-rc5\n \t\tOpt|io.atomix:atomix-gossip@3.0.0-rc5\n \t\tOpt|io.atomix:atomix-raft@3.0.0-rc5\n \t\tOpt|io.atomix:atomix-primary-backup@3.0.0-rc5\n \t\tio.atomix:atomix-utils@3.0.0-rc5\n \t\tOpt|javax.ws.rs:javax.ws.rs-api@2.0\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\tio.atomix:atomix-cluster@3.1.6\n \t\tio.atomix:atomix-primitive@3.1.6\n \t\tOpt|io.atomix:atomix-gossip@3.1.6\n \t\tOpt|io.atomix:atomix-raft@3.1.6\n \t\tOpt|io.atomix:atomix-primary-backup@3.1.6\n \t\tOpt|io.atomix:atomix-log@3.1.6\n \t\tio.atomix:atomix-utils@3.1.6\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-cluster\n \t3.0.0-rc5\n \t\tio.atomix:atomix-utils@3.0.0-rc5\n \t\tio.netty:netty-transport@4.1.27.Final\n \t\tio.netty:netty-codec@4.1.27.Final\n \t\tio.netty:netty-handler@4.1.27.Final\n \t\tMavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\tio.atomix:atomix-utils@3.1.6\n \t\tio.netty:netty-transport@4.1.27.Final\n \t\tio.netty:netty-codec@4.1.27.Final\n \t\tio.netty:netty-handler@4.1.27.Final\n \t\tMavenClassifier linux-x86_64|io.netty:netty-transport-native-epoll@4.1.27.Final\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-parent\n \t3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-primary-backup\n \t3.0.0-rc5\n \t\tio.atomix:atomix-primitive@3.0.0-rc5\n \t\tio.atomix:atomix-utils@3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-primitive\n \t3.0.0-rc5\n \t\tio.atomix:atomix-cluster@3.0.0-rc5\n \t\tio.atomix:atomix-storage@3.0.0-rc5\n \t\tio.atomix:atomix-utils@3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\tio.atomix:atomix-cluster@3.1.6\n \t\tio.atomix:atomix-storage@3.1.6\n \t\tio.atomix:atomix-utils@3.1.6\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-protocols-parent\n \t3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-raft\n \t3.0.0-rc5\n \t\tio.atomix:atomix-primitive@3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-storage\n \t3.0.0-rc5\n \t\tio.atomix:atomix-utils@3.0.0-rc5\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\tio.atomix:atomix-utils@3.1.6\n \t\torg.slf4j:slf4j-api@1.7.7\n io.atomix:atomix-utils\n \t3.0.0-rc5\n \t\tcom.google.guava:guava@22.0\n \t\torg.apache.commons:commons-lang3@3.7\n \t\torg.apache.commons:commons-math3@3.6.1\n \t\tcom.esotericsoftware:kryo@4.0.2\n \t\tcom.typesafe:config@1.3.2\n \t\tio.github.lukehutch:fast-classpath-scanner@2.21\n \t\torg.slf4j:slf4j-api@1.7.7\n \t3.1.6\n \t\tcom.google.guava:guava@22.0\n \t\torg.apache.commons:commons-lang3@3.7\n \t\torg.apache.commons:commons-math3@3.6.1\n \t\tcom.esotericsoftware:kryo@4.0.2\n \t\tcom.typesafe:config@1.3.2\n \t\tio.github.classgraph:classgraph@4.2.3\n \t\torg.slf4j:slf4j-api@1.7.7\n io.dropwizard.metrics:metrics-bom\n \t4.0.7\n \t\torg.slf4j:slf4j-api@1.7.26\n \t4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-core\n \t4.0.7\n \t\torg.slf4j:slf4j-api@1.7.26\n \t4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-healthchecks\n \t4.1.14\n \t\tOpt|io.dropwizard.metrics:metrics-jvm@4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-jmx\n \t4.0.7\n \t\tio.dropwizard.metrics:metrics-core@4.0.7\n \t\torg.slf4j:slf4j-api@1.7.26\n \t4.1.14\n \t\tio.dropwizard.metrics:metrics-core@4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-json\n \t4.1.14\n \t\tio.dropwizard.metrics:metrics-core@4.1.14\n \t\tOpt|io.dropwizard.metrics:metrics-healthchecks@4.1.14\n \t\tcom.fasterxml.jackson.core:jackson-databind@2.9.10.5\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-jvm\n \t4.1.14\n \t\tio.dropwizard.metrics:metrics-core@4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-parent\n \t4.0.7\n \t\torg.slf4j:slf4j-api@1.7.26\n \t4.1.14\n \t\torg.slf4j:slf4j-api@1.7.30\n io.dropwizard.metrics:metrics-servlets\n \t4.1.14\n \t\tio.dropwizard.metrics:metrics-core@4.1.14\n \t\tio.dropwizard.metrics:metrics-healthchecks@4.1.14\n \t\tio.dropwizard.metrics:metrics-json@4.1.14\n \t\tio.dropwizard.metrics:metrics-jvm@4.1.14\n \t\tcom.helger:profiler@1.1.1\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\tcom.fasterxml.jackson.core:jackson-databind@2.9.10.5\n \t\torg.slf4j:slf4j-api@1.7.30\n io.github.classgraph:classgraph\n \t4.2.3\n \t4.8.112\n \t\tScope provided|org.eclipse.jdt:org.eclipse.jdt.annotation@2.2.600\n io.github.lukehutch:fast-classpath-scanner\n \t2.21\n io.micrometer:micrometer-core\n \t1.6.0\n \t\torg.hdrhistogram:HdrHistogram@2.1.12\n \t\tScope runtime MavenExclusions org.hdrhistogram:HdrHistogram|org.latencyutils:LatencyUtils@2.0.3\n \t\tOpt|com.google.code.findbugs:jsr305@3.0.2\n \t\tOpt|io.dropwizard.metrics:metrics-core@4.0.7\n \t\tOpt|com.google.guava:guava@30.0-jre\n \t\tOpt|com.github.ben-manes.caffeine:caffeine@2.8.6\n \t\tOpt|net.sf.ehcache:ehcache@2.10.6\n \t\tOpt|javax.cache:cache-api@1.1.1\n \t\tOpt|com.hazelcast:hazelcast@4.1-BETA-1\n \t\tOpt|org.hibernate:hibernate-entitymanager@5.4.22.Final\n \t\tOpt|org.eclipse.jetty:jetty-server@9.4.33.v20201020\n \t\tOpt|org.eclipse.jetty:jetty-client@9.4.33.v20201020\n \t\tOpt|org.apache.tomcat.embed:tomcat-embed-core@8.5.59\n \t\tOpt|org.apache.httpcomponents:httpclient@4.5.13\n \t\tOpt|org.apache.httpcomponents:httpasyncclient@4.1.4\n \t\tOpt|com.netflix.hystrix:hystrix-core@1.5.12\n \t\tOpt|ch.qos.logback:logback-classic@1.2.3\n \t\tOpt|org.apache.logging.log4j:log4j-core@2.13.3\n \t\tOpt|io.projectreactor:reactor-core@3.3.11.RELEASE\n \t\tOpt|io.projectreactor.netty:reactor-netty@0.9.13.RELEASE\n \t\tOpt|org.aspectj:aspectjweaver@1.8.14\n \t\tOpt|com.squareup.okhttp3:okhttp@4.10.0-RC1\n \t\tOpt|org.mongodb:mongo-java-driver@3.12.7\n \t\tOpt|org.jooq:jooq@3.13.6\n \t\tOpt|org.apache.kafka:kafka-clients@2.6.0\n \t\tOpt|org.apache.kafka:kafka-streams@2.6.0\n io.micrometer:micrometer-registry-jmx\n \t1.6.0\n \t\tio.micrometer:micrometer-core@1.6.0\n \t\tio.dropwizard.metrics:metrics-jmx@4.0.7\n \t\tOpt|com.google.code.findbugs:jsr305@3.0.2\n io.micrometer:micrometer-registry-prometheus\n \t1.6.0\n \t\tio.micrometer:micrometer-core@1.6.0\n \t\tio.prometheus:simpleclient_common@0.9.0\n \t\tOpt|com.google.code.findbugs:jsr305@3.0.2\n io.netty:netty\n \t3.5.2.Final\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA\n \t\tOpt|com.google.protobuf:protobuf-java@2.4.1\n \t\tOpt|javax.servlet:servlet-api@2.5\n \t\tOpt|javax.activation:activation@1.1.1\n \t\tOpt|org.apache.felix:org.osgi.core@1.4.0\n \t\tOpt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0\n \t\tOpt|org.slf4j:slf4j-api@1.6.4\n \t\tOpt|commons-logging:commons-logging@1.1.1\n \t\tOpt|org.jboss.logging:jboss-logging-spi@2.1.2.GA\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16\n \t3.7.0.Final\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA\n \t\tOpt|com.google.protobuf:protobuf-java@2.5.0\n \t\tOpt|javax.servlet:servlet-api@2.5\n \t\tOpt|javax.activation:activation@1.1.1\n \t\tOpt|org.apache.felix:org.osgi.core@1.4.0\n \t\tOpt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0\n \t\tOpt|org.slf4j:slf4j-api@1.6.4\n \t\tOpt|commons-logging:commons-logging@1.1.1\n \t\tOpt|org.jboss.logging:jboss-logging-spi@2.1.2.GA\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16\n \t3.9.8.Final\n \t\tOpt MavenClassifier windows-x86_64|io.netty:netty-tcnative@1.1.30.Fork2\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.3.14.GA\n \t\tOpt|com.google.protobuf:protobuf-java@2.5.0\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.50\n \t\tOpt|org.eclipse.jetty.npn:npn-api@1.1.0.v20120525\n \t\tOpt|javax.servlet:servlet-api@2.5\n \t\tOpt|javax.activation:activation@1.1.1\n \t\tOpt|org.apache.felix:org.osgi.core@1.4.0\n \t\tOpt MavenExclusions org.apache.felix:javax.servlet,org.apache.felix:org.osgi.foundation|org.apache.felix:org.osgi.compendium@1.4.0\n \t\tOpt|org.slf4j:slf4j-api@1.6.4\n \t\tOpt|commons-logging:commons-logging@1.1.1\n \t\tOpt|org.jboss.logging:jboss-logging@3.1.4.GA\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.16\n io.netty:netty-bom\n \t4.1.27.Final\n \t4.1.109.Final\n io.netty:netty-buffer\n \t4.1.27.Final\n \t\tio.netty:netty-common@4.1.27.Final\n io.netty:netty-codec\n \t4.1.27.Final\n \t\tio.netty:netty-transport@4.1.27.Final\n \t\tOpt|com.google.protobuf:protobuf-java@2.6.1\n \t\tOpt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final\n \t\tOpt|com.jcraft:jzlib@1.1.3\n \t\tOpt|com.ning:compress-lzf@1.0.3\n \t\tOpt|net.jpountz.lz4:lz4@1.3.0\n \t\tOpt|com.github.jponge:lzma-java@1.3\n \t4.1.68.Final\n \t\tio.netty:netty-common@4.1.68.Final\n \t\tio.netty:netty-buffer@4.1.68.Final\n \t\tio.netty:netty-transport@4.1.68.Final\n \t\tOpt|com.google.protobuf:protobuf-java@2.6.1\n \t\tOpt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final\n \t\tOpt|com.jcraft:jzlib@1.1.3\n \t\tOpt|com.ning:compress-lzf@1.0.3\n \t\tOpt|net.jpountz.lz4:lz4@1.3.0\n \t\tOpt|com.github.jponge:lzma-java@1.3\n \t\tOpt|com.github.luben:zstd-jni@1.5.0-2\n \t\tOpt|com.aayushatharva.brotli4j:brotli4j@1.5.0\n \t\tOpt|com.aayushatharva.brotli4j:native-linux-x86_64@1.5.0\n \t\tOpt|com.aayushatharva.brotli4j:native-osx-x86_64@1.5.0\n \t\tOpt|com.aayushatharva.brotli4j:native-windows-x86_64@1.5.0\n \t4.1.125.Final\n \t\tio.netty:netty-common@4.1.125.Final\n \t\tio.netty:netty-buffer@4.1.125.Final\n \t\tio.netty:netty-transport@4.1.125.Final\n \t\tOpt|com.google.protobuf:protobuf-java@2.6.1\n \t\tOpt|com.google.protobuf.nano:protobuf-javanano@3.0.0-alpha-5\n \t\tOpt|org.jboss.marshalling:jboss-marshalling@1.4.11.Final\n \t\tOpt|com.jcraft:jzlib@1.1.3\n \t\tOpt|com.ning:compress-lzf@1.0.3\n \t\tOpt|org.lz4:lz4-java@1.8.0\n \t\tOpt|com.github.jponge:lzma-java@1.3\n \t\tOpt|com.github.luben:zstd-jni@1.5.5-11\n \t\tOpt|com.aayushatharva.brotli4j:brotli4j@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-linux-x86_64@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-linux-aarch64@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-linux-riscv64@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-osx-x86_64@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-osx-aarch64@1.16.0\n \t\tOpt|com.aayushatharva.brotli4j:native-windows-x86_64@1.16.0\n io.netty:netty-common\n \t4.1.27.Final\n \t\tOpt|org.slf4j:slf4j-api@1.7.21\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.6.2\n \t4.1.45.Final\n \t\tScope provided MavenExclusions com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.21\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.6.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.1.RELEASE\n \t4.1.46.Final\n \t\tScope provided MavenExclusions com.oracle.substratevm:svm-hosted-native-linux-amd64,com.oracle.substratevm:svm-hosted-native-darwin-amd64,com.oracle.substratevm:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,com.oracle.substratevm:objectfile,com.oracle.substratevm:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|com.oracle.substratevm:svm@19.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.21\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|log4j:log4j@1.2.17\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.6.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.2.RELEASE\n \t4.1.68.Final\n \t\tScope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6\n \t\tOpt|org.slf4j:slf4j-api@1.7.30\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.14.1\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.6.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.6.RELEASE\n \t4.1.94.Final\n \t\tScope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6\n \t\tScope provided|org.jetbrains:annotations-java5@23.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.30\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.17.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.6.RELEASE\n \t4.1.115.Final\n \t\tScope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6\n \t\tScope provided|org.jetbrains:annotations-java5@23.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.30\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.17.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.6.RELEASE\n \t4.1.118.Final\n \t\tScope provided MavenExclusions org.graalvm.nativeimage:svm-hosted-native-linux-amd64,org.graalvm.nativeimage:svm-hosted-native-darwin-amd64,org.graalvm.nativeimage:svm-hosted-native-windows-amd64,org.graalvm.sdk:graal-sdk,org.graalvm.nativeimage:objectfile,org.graalvm.nativeimage:pointsto,org.graalvm.truffle:truffle-nfi,org.graalvm.compiler:compiler|org.graalvm.nativeimage:svm@19.3.6\n \t\tScope provided|org.jetbrains:annotations-java5@23.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.30\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.17.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.10.RELEASE\n \t4.1.125.Final\n \t\tOpt|org.graalvm.nativeimage:svm@19.3.6\n \t\tScope provided|org.jboss:jdk-misc@3.Final\n \t\tScope provided|org.jetbrains:annotations-java5@23.0.0\n \t\tOpt|org.slf4j:slf4j-api@1.7.30\n \t\tOpt|commons-logging:commons-logging@1.2\n \t\tOpt MavenExclusions javax.mail:mail,javax.jms:jms,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.logging.log4j:log4j-1.2-api@2.17.2\n \t\tOpt|org.apache.logging.log4j:log4j-api@2.17.2\n \t\tOpt|io.projectreactor.tools:blockhound@1.0.13.RELEASE\n io.netty:netty-handler\n \t4.1.27.Final\n \t\tio.netty:netty-buffer@4.1.27.Final\n \t\tio.netty:netty-transport@4.1.27.Final\n \t\tio.netty:netty-codec@4.1.27.Final\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.54\n \t\tOpt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010\n \t\tOpt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522\n \t\tOpt|org.conscrypt:conscrypt-openjdk-uber@1.1.3\n \t4.1.45.Final\n \t\tio.netty:netty-common@4.1.45.Final\n \t\tio.netty:netty-buffer@4.1.45.Final\n \t\tio.netty:netty-transport@4.1.45.Final\n \t\tio.netty:netty-codec@4.1.45.Final\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.54\n \t\tOpt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010\n \t\tOpt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522\n \t\tOpt|org.conscrypt:conscrypt-openjdk-uber@1.3.0\n \t4.1.46.Final\n \t\tio.netty:netty-common@4.1.46.Final\n \t\tio.netty:netty-resolver@4.1.46.Final\n \t\tio.netty:netty-buffer@4.1.46.Final\n \t\tio.netty:netty-transport@4.1.46.Final\n \t\tio.netty:netty-codec@4.1.46.Final\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.54\n \t\tOpt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010\n \t\tOpt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522\n \t\tOpt|org.conscrypt:conscrypt-openjdk-uber@1.3.0\n \t4.1.94.Final\n \t\tio.netty:netty-common@4.1.94.Final\n \t\tio.netty:netty-resolver@4.1.94.Final\n \t\tio.netty:netty-buffer@4.1.94.Final\n \t\tio.netty:netty-transport@4.1.94.Final\n \t\tio.netty:netty-transport-native-unix-common@4.1.94.Final\n \t\tio.netty:netty-codec@4.1.94.Final\n \t\tOpt|io.netty:netty-tcnative-classes@2.0.61.Final\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.69\n \t\tOpt|org.bouncycastle:bctls-jdk15on@1.69\n \t\tOpt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010\n \t\tOpt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522\n \t\tOpt|org.conscrypt:conscrypt-openjdk-uber@2.5.2\n \t4.1.118.Final\n \t\tio.netty:netty-common@4.1.118.Final\n \t\tio.netty:netty-resolver@4.1.118.Final\n \t\tio.netty:netty-buffer@4.1.118.Final\n \t\tio.netty:netty-transport@4.1.118.Final\n \t\tio.netty:netty-transport-native-unix-common@4.1.118.Final\n \t\tio.netty:netty-codec@4.1.118.Final\n \t\tOpt|io.netty:netty-tcnative-classes@2.0.70.Final\n \t\tOpt|org.bouncycastle:bcpkix-jdk15on@1.69\n \t\tOpt|org.bouncycastle:bctls-jdk15on@1.69\n \t\tOpt Scope provided|org.eclipse.jetty.npn:npn-api@1.1.1.v20141010\n \t\tOpt Scope provided|org.eclipse.jetty.alpn:alpn-api@1.1.2.v20150522\n \t\tOpt|org.conscrypt:conscrypt-openjdk-uber@2.5.2\n io.netty:netty-parent\n \t4.1.27.Final\n \t4.1.45.Final\n \t4.1.46.Final\n \t4.1.68.Final\n \t4.1.94.Final\n \t4.1.115.Final\n \t4.1.118.Final\n \t4.1.125.Final\n io.netty:netty-resolver\n \t4.1.27.Final\n \t\tio.netty:netty-common@4.1.27.Final\n io.netty:netty-transport\n \t4.1.27.Final\n \t\tio.netty:netty-buffer@4.1.27.Final\n \t\tio.netty:netty-resolver@4.1.27.Final\n io.netty:netty-transport-native-epoll\n \t4.1.27.Final\n \t\tio.netty:netty-common@4.1.27.Final\n \t\tio.netty:netty-buffer@4.1.27.Final\n \t\tio.netty:netty-transport-native-unix-common@4.1.27.Final\n \t\tio.netty:netty-transport@4.1.27.Final\n io.netty:netty-transport-native-unix-common\n \t4.1.27.Final\n \t\tio.netty:netty-common@4.1.27.Final\n \t\tio.netty:netty-transport@4.1.27.Final\n \t4.1.94.Final\n \t\tOpt MavenClassifier sources|io.netty:netty-jni-util@0.0.6.Final\n \t\tio.netty:netty-common@4.1.94.Final\n \t\tio.netty:netty-buffer@4.1.94.Final\n \t\tio.netty:netty-transport@4.1.94.Final\n \t4.1.118.Final\n \t\tOpt MavenClassifier sources|io.netty:netty-jni-util@0.0.9.Final\n \t\tio.netty:netty-common@4.1.118.Final\n \t\tio.netty:netty-buffer@4.1.118.Final\n \t\tio.netty:netty-transport@4.1.118.Final\n io.prometheus:parent\n \t0.9.0\n io.prometheus:simpleclient\n \t0.9.0\n io.prometheus:simpleclient_common\n \t0.9.0\n \t\tio.prometheus:simpleclient@0.9.0\n jakarta.activation:jakarta.activation-api\n \t1.2.1\n jakarta.annotation:ca-parent\n \t1.3.5\n jakarta.annotation:jakarta.annotation-api\n \t1.3.5\n jakarta.persistence:jakarta.persistence-api\n \t2.2.3\n jakarta.servlet:jakarta.servlet-api\n \t4.0.3\n jakarta.validation:jakarta.validation-api\n \t2.0.2\n jakarta.ws.rs:jakarta.ws.rs-api\n \t2.1.6\n jakarta.xml.bind:jakarta.xml.bind-api\n \t2.3.2\n \t\tjakarta.activation:jakarta.activation-api@1.2.1\n jakarta.xml.bind:jakarta.xml.bind-api-parent\n \t2.3.2\n javax.activation:activation\n \t1.1\n javax.annotation:javax.annotation-api\n \t1.3.2\n javax.annotation:jsr250-api\n \t1.0\n javax.enterprise:cdi-api\n \t1.0\n \t\tOpt|javax.el:el-api@2.1.2-b04\n \t\tOpt MavenExclusions jbossws:jboss-jaxrpc,org.jboss.javaee:jboss-transaction-api,jboss.jbossws:jboss-jaxrpc|org.jboss.ejb3:jboss-ejb3-api@3.1.0\n \t\torg.jboss.interceptor:jboss-interceptor-api@1.1\n \t\tjavax.annotation:jsr250-api@1.0\n \t\tjavax.inject:javax.inject@1\n javax.inject:javax.inject\n \t1\n javax.servlet.jsp:jsp-api\n \t2.1\n \t2.2\n \t\tScope provided|org.glassfish:javax.servlet@3.0-b72\n \t\tScope provided|javax.el:el-api@2.2\n javax.servlet:javax.servlet-api\n \t3.1.0\n javax.servlet:servlet-api\n \t2.5\n javax.websocket:javax.websocket-all\n \t1.0\n javax.websocket:javax.websocket-api\n \t1.0\n \t\tOpt|javax.websocket:javax.websocket-client-api@1.0\n javax.websocket:javax.websocket-client-api\n \t1.0\n javax.ws.rs:javax.ws.rs-api\n \t2.1\n javax.xml.bind:jaxb-api\n \t2.2.2\n \t\tjavax.xml.stream:stax-api@1.0-2\n \t\tjavax.activation:activation@1.1\n javax.xml.stream:stax-api\n \t1.0-2\n jline:jline\n \t2.14.3\n net.bytebuddy:byte-buddy\n \t1.11.13\n \t\tScope provided|net.java.dev.jna:jna@5.8.0\n \t\tScope provided|net.java.dev.jna:jna-platform@5.8.0\n \t\tScope provided|com.google.code.findbugs:findbugs-annotations@3.0.1\n net.bytebuddy:byte-buddy-agent\n \t1.11.13\n \t\tScope provided|net.java.dev.jna:jna@5.8.0\n \t\tScope provided|net.java.dev.jna:jna-platform@5.8.0\n \t\tScope provided|com.google.code.findbugs:findbugs-annotations@3.0.1\n net.bytebuddy:byte-buddy-parent\n \t1.11.13\n \t\tScope provided|com.google.code.findbugs:findbugs-annotations@3.0.1\n net.java.dev.jets3t:jets3t\n \t0.9.0\n \t\tcommons-codec:commons-codec@1.4\n \t\tcommons-logging:commons-logging@1.1.1\n \t\tMavenExclusions commons-codec:commons-codec,commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.1.2\n \t\tMavenExclusions commons-codec:commons-codec,commons-logging:commons-logging|org.apache.httpcomponents:httpcore@4.1.2\n \t\tcom.jamesmurty.utils:java-xmlbuilder@0.4\n net.java.dev.jna:jna\n \t4.1.0\n \t4.5.2\n net.java.dev.jna:jna-platform\n \t4.1.0\n \t\tnet.java.dev.jna:jna@4.1.0\n net.java:jvnet-parent\n \t1\n \t3\n \t4\n \t5\n net.sf.ehcache:ehcache-core\n \t2.4.4\n \t\torg.slf4j:slf4j-api@1.6.1\n \t\tScope provided|org.slf4j:slf4j-jdk14@1.6.1\n \t\tScope provided|javax.servlet:servlet-api@2.4\n \t\tScope provided MavenExclusions javax.transaction:jta,javax.security:jacc,net.sf.ehcache:ehcache|org.hibernate:hibernate-core@3.5.1-Final\n \t\tScope provided|javax.transaction:jta@1.1\n net.sf.ehcache:ehcache-parent\n \t2.2\n net.sourceforge.cssparser:cssparser\n \t0.9.16\n \t\torg.w3c.css:sac@1.3\n net.sourceforge.htmlunit:htmlunit\n \t2.18\n \t\tMavenExclusions xerces:xercesImpl|xalan:xalan@2.7.2\n \t\tcommons-collections:commons-collections@3.2.1\n \t\torg.apache.commons:commons-lang3@3.4\n \t\torg.apache.httpcomponents:httpclient@4.5\n \t\torg.apache.httpcomponents:httpmime@4.5\n \t\tcommons-codec:commons-codec@1.10\n \t\tnet.sourceforge.htmlunit:htmlunit-core-js@2.17\n \t\txerces:xercesImpl@2.11.0\n \t\tMavenExclusions xerces:xercesImpl|net.sourceforge.nekohtml:nekohtml@1.9.22\n \t\tnet.sourceforge.cssparser:cssparser@0.9.16\n \t\tcommons-io:commons-io@2.4\n \t\tcommons-logging:commons-logging@1.2\n \t\torg.eclipse.jetty.websocket:websocket-client@9.2.12.v20150709\n \t2.37.0\n \t\tMavenExclusions xerces:xercesImpl,xml-apis:xml-apis|xalan:xalan@2.7.2\n \t\torg.apache.commons:commons-lang3@3.9\n \t\tMavenExclusions org.apache.commons:commons-lang3|org.apache.commons:commons-text@1.8\n \t\torg.apache.httpcomponents:httpmime@4.5.11\n \t\tnet.sourceforge.htmlunit:htmlunit-core-js@2.37.0\n \t\tnet.sourceforge.htmlunit:neko-htmlunit@2.37.0\n \t\tnet.sourceforge.htmlunit:htmlunit-cssparser@1.5.0\n \t\tcommons-io:commons-io@2.6\n \t\tcommons-logging:commons-logging@1.2\n \t\tcommons-net:commons-net@3.6\n \t\torg.brotli:dec@0.1.2\n \t\torg.eclipse.jetty.websocket:websocket-client@9.4.26.v20200117\n net.sourceforge.htmlunit:htmlunit-core-js\n \t2.17\n \t2.37.0\n net.sourceforge.htmlunit:htmlunit-cssparser\n \t1.5.0\n net.sourceforge.htmlunit:neko-htmlunit\n \t2.37.0\n \t\txerces:xercesImpl@2.12.0\n \t2.61.0\n \t\txerces:xercesImpl@2.12.2\n net.sourceforge.nekohtml:nekohtml\n \t1.9.22\n \t\txerces:xercesImpl@2.11.0\n org.apache.avro:avro\n \t1.7.4\n \t\torg.codehaus.jackson:jackson-core-asl@1.8.8\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.8.8\n \t\tcom.thoughtworks.paranamer:paranamer@2.3\n \t\torg.xerial.snappy:snappy-java@1.0.4.1\n \t\torg.apache.commons:commons-compress@1.4.1\n \t\torg.slf4j:slf4j-api@1.6.4\n \t\tOpt Scope runtime|org.slf4j:slf4j-simple@1.6.4\n org.apache.avro:avro-parent\n \t1.7.4\n \t\torg.slf4j:slf4j-api@1.6.4\n \t\tOpt Scope runtime|org.slf4j:slf4j-simple@1.6.4\n org.apache.avro:avro-toplevel\n \t1.7.4\n org.apache.commons:commons-compress\n \t1.21\n \t\tOpt|com.github.luben:zstd-jni@1.5.0-2\n \t\tOpt|org.brotli:dec@0.1.2\n \t\tOpt|org.tukaani:xz@1.9\n \t\tOpt|asm:asm@3.2\n \t\tScope provided|org.osgi:org.osgi.core@6.0.0\n \t1.26.0\n \t\tOpt|com.github.luben:zstd-jni@1.5.5-11\n \t\tOpt|org.brotli:dec@0.1.2\n \t\tOpt|org.tukaani:xz@1.9\n \t\tOpt|commons-codec:commons-codec@1.16.1\n \t\tOpt|org.ow2.asm:asm@9.6\n \t\tcommons-io:commons-io@2.15.1\n \t\torg.apache.commons:commons-lang3@3.14.0\n \t\tScope provided|org.osgi:org.osgi.core@6.0.0\n org.apache.commons:commons-configuration2\n \t2.8.0\n \t\torg.apache.commons:commons-lang3@3.12.0\n \t\torg.apache.commons:commons-text@1.9\n \t\tMavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.2\n \t\tOpt|commons-beanutils:commons-beanutils@1.9.4\n \t\tOpt|commons-codec:commons-codec@1.15\n \t\tOpt|org.apache.commons:commons-jexl@2.1.1\n \t\tOpt|org.apache.commons:commons-vfs2@2.9.0\n \t\tOpt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3\n \t\tOpt|xml-resolver:xml-resolver@1.2\n \t\tOpt|org.springframework:spring-core@5.3.21\n \t\tOpt|org.springframework:spring-beans@5.3.21\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tOpt|org.yaml:snakeyaml@1.30\n \t\tOpt|com.fasterxml.jackson.core:jackson-databind@2.13.3\n \t\tOpt|log4j:log4j@1.2.17\n \t2.10.1\n \t\torg.apache.commons:commons-lang3@3.14.0\n \t\torg.apache.commons:commons-text@1.11.0\n \t\tMavenExclusions logkit:logkit,avalon-framework:avalon-framework|commons-logging:commons-logging@1.3.0\n \t\tOpt|commons-beanutils:commons-beanutils@1.9.4\n \t\tOpt|commons-codec:commons-codec@1.16.1\n \t\tOpt|org.apache.commons:commons-jexl@2.1.1\n \t\tOpt|org.apache.commons:commons-vfs2@2.9.0\n \t\tOpt MavenExclusions xerces:xerces,ant:ant-optional|commons-jxpath:commons-jxpath@1.3\n \t\tOpt|xml-resolver:xml-resolver@1.2\n \t\tOpt MavenExclusions org.springframework:spring-jcl|org.springframework:spring-core@5.3.33\n \t\tOpt|org.springframework:spring-beans@5.3.33\n \t\tOpt Scope provided|javax.servlet:servlet-api@2.5\n \t\tOpt|org.yaml:snakeyaml@2.2\n \t\tOpt|com.fasterxml.jackson.core:jackson-databind@2.17.0\n \t\tOpt|org.apache.logging.log4j:log4j-1.2-api@2.23.1\n \t\tOpt|org.apache.logging.log4j:log4j-core@2.23.1\n org.apache.commons:commons-exec\n \t1.3\n org.apache.commons:commons-lang3\n \t3.4\n \t3.12.0\n \t3.18.0\n org.apache.commons:commons-math3\n \t3.1.1\n \t3.6.1\n org.apache.commons:commons-parent\n \t9\n \t17\n \t23\n \t24\n \t25\n \t28\n \t34\n \t35\n \t37\n \t39\n \t42\n \t47\n \t50\n \t52\n \t53\n \t54\n \t62\n \t66\n \t67\n \t81\n \t84\n \t85\n org.apache.commons:commons-pool2\n \t2.3\n \t\tOpt|cglib:cglib@3.1\n \t\tOpt|org.ow2.asm:asm-util@5.0.3\n org.apache.commons:commons-text\n \t1.10.0\n \t\torg.apache.commons:commons-lang3@3.12.0\n org.apache.commons:commons-vfs2\n \t2.6.0\n \t\tcommons-logging:commons-logging@1.2\n \t\tOpt|ant:ant@1.6.5\n \t\tOpt|commons-net:commons-net@3.6\n \t\tOpt|org.apache.commons:commons-compress@1.19\n \t\tOpt|org.apache.commons:commons-collections4@4.4\n \t\torg.apache.hadoop:hadoop-hdfs-client@3.2.1\n \t\tOpt MavenExclusions *:*|org.apache.hadoop:hadoop-common@3.2.1\n \t\tOpt MavenExclusions *:*|org.apache.hadoop:hadoop-hdfs@3.2.1\n \t\tOpt|commons-httpclient:commons-httpclient@3.1\n \t\tOpt|org.apache.httpcomponents:httpclient@4.5.10\n \t\tOpt|org.apache.httpcomponents.client5:httpclient5@5.0-beta6\n \t\tOpt|com.jcraft:jsch@0.1.55\n \t2.10.0\n \t\tcommons-logging:commons-logging@1.3.4\n \t\tOpt|commons-net:commons-net@3.11.1\n \t\tOpt|org.apache.commons:commons-compress@1.27.1\n \t\tOpt|org.apache.commons:commons-collections4@4.5.0-M3\n \t\tOpt|commons-httpclient:commons-httpclient@3.1\n \t\tOpt|org.apache.httpcomponents:httpclient@4.5.14\n \t\tOpt|org.apache.httpcomponents.core5:httpcore5@5.3.3\n \t\tOpt|org.apache.httpcomponents.client5:httpclient5@5.4.1\n \t\tOpt|com.jcraft:jsch@0.1.55\n \t\torg.apache.commons:commons-lang3@3.17.0\n \t\tcommons-io:commons-io@2.18.0\n org.apache.commons:commons-vfs2-jackrabbit1\n \t2.6.0\n \t\torg.apache.commons:commons-vfs2@2.6.0\n \t\tcommons-logging:commons-logging@1.2\n \t\tcommons-httpclient:commons-httpclient@3.1\n \t\torg.apache.httpcomponents:httpclient@4.5.10\n \t\torg.apache.jackrabbit:jackrabbit-webdav@1.6.5\n org.apache.commons:commons-vfs2-project\n \t2.6.0\n \t2.10.0\n org.apache.curator:apache-curator\n \t2.7.1\n \t\tMavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6\n \t\tcom.google.guava:guava@16.0.1\n org.apache.curator:curator-client\n \t2.7.1\n \t\torg.slf4j:slf4j-api@1.7.6\n \t\tMavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6\n \t\tcom.google.guava:guava@16.0.1\n org.apache.curator:curator-framework\n \t2.7.1\n \t\torg.apache.curator:curator-client@2.7.1\n \t\tMavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6\n \t\tcom.google.guava:guava@16.0.1\n org.apache.curator:curator-recipes\n \t2.7.1\n \t\torg.apache.curator:curator-framework@2.7.1\n \t\tMavenExclusions com.sun.jmx:jmxri,com.sun.jdmk:jmxtools,javax.jms:jms,junit:junit,org.slf4j:slf4j-log4j12|org.apache.zookeeper:zookeeper@3.4.6\n \t\tcom.google.guava:guava@16.0.1\n org.apache.directory.api:api-asn1-api\n \t1.0.0-M20\n \t\torg.apache.directory.api:api-i18n@1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.api:api-asn1-ber\n \t1.0.0-M20\n \t\torg.apache.directory.api:api-i18n@1.0.0-M20\n \t\torg.apache.directory.api:api-asn1-api@1.0.0-M20\n \t\torg.apache.directory.api:api-util@1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.api:api-asn1-parent\n \t1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.api:api-i18n\n \t1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.api:api-ldap-model\n \t1.0.0-M20\n \t\torg.apache.directory.api:api-util@1.0.0-M20\n \t\torg.apache.directory.api:api-asn1-api@1.0.0-M20\n \t\torg.apache.directory.api:api-asn1-ber@1.0.0-M20\n \t\torg.apache.directory.api:api-i18n@1.0.0-M20\n \t\torg.apache.mina:mina-core@2.0.7\n \t\tantlr:antlr@2.7.7\n \t\tcommons-lang:commons-lang@2.6\n \t\tcommons-collections:commons-collections@3.2.1\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n \t1.0.0-M31\n \t\torg.apache.directory.api:api-util@1.0.0-M31\n \t\torg.apache.directory.api:api-asn1-api@1.0.0-M31\n \t\torg.apache.directory.api:api-asn1-ber@1.0.0-M31\n \t\torg.apache.directory.api:api-i18n@1.0.0-M31\n \t\torg.apache.mina:mina-core@2.0.9\n \t\tScope provided|antlr:antlr@2.7.7\n \t\torg.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr@2.7.7_5\n \t\tcommons-lang:commons-lang@2.6\n \t\tcommons-collections:commons-collections@3.2.1\n \t\tScope provided|findbugs:annotations@1.0.0\n org.apache.directory.api:api-ldap-parent\n \t1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n \t1.0.0-M31\n org.apache.directory.api:api-parent\n \t1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n \t1.0.0-M31\n org.apache.directory.api:api-util\n \t1.0.0-M20\n \t\torg.apache.directory.api:api-i18n@1.0.0-M20\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.project:project\n \t31\n \t34\n org.apache.directory.server:apacheds-i18n\n \t2.0.0-M15\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.server:apacheds-kerberos-codec\n \t2.0.0-M15\n \t\torg.apache.directory.server:apacheds-i18n@2.0.0-M15\n \t\torg.apache.directory.api:api-asn1-api@1.0.0-M20\n \t\torg.apache.directory.api:api-asn1-ber@1.0.0-M20\n \t\torg.apache.directory.api:api-i18n@1.0.0-M20\n \t\torg.apache.directory.api:api-ldap-model@1.0.0-M20\n \t\torg.apache.directory.api:api-util@1.0.0-M20\n \t\tnet.sf.ehcache:ehcache-core@2.4.4\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.directory.server:apacheds-parent\n \t2.0.0-M15\n \t\tScope provided|findbugs:annotations@1.0.0\n \t\torg.slf4j:slf4j-api@1.7.5\n org.apache.hadoop:hadoop-annotations\n \t2.7.7\n \t\tScope provided|jdiff:jdiff@1.0.9\n org.apache.hadoop:hadoop-auth\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-annotations@2.7.7\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\torg.slf4j:slf4j-api@1.7.10\n \t\tcommons-codec:commons-codec@1.4\n \t\tScope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17\n \t\tScope runtime|org.slf4j:slf4j-log4j12@1.7.10\n \t\torg.apache.httpcomponents:httpclient@4.2.5\n \t\tMavenExclusions org.apache.directory.api:api-asn1-ber,org.apache.directory.api:api-i18n,org.apache.directory.api:api-ldap-model,net.sf.ehcache:ehcache-core|org.apache.directory.server:apacheds-kerberos-codec@2.0.0-M15\n \t\tMavenExclusions junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,org.jboss.netty:netty|org.apache.zookeeper:zookeeper@3.4.6\n \t\torg.apache.curator:curator-framework@2.7.1\n org.apache.hadoop:hadoop-client-api\n \t3.2.4\n org.apache.hadoop:hadoop-client-runtime\n \t3.2.4\n \t\tScope runtime|org.apache.hadoop:hadoop-client-api@3.2.4\n \t\tScope runtime|org.apache.htrace:htrace-core4@4.1.0-incubating\n \t\tScope runtime|org.slf4j:slf4j-api@1.7.35\n \t\tScope runtime MavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:javax.servlet-api|commons-logging:commons-logging@1.1.3\n \t\tScope runtime|com.google.code.findbugs:jsr305@3.0.2\n \t\tOpt Scope runtime MavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|ch.qos.reload4j:reload4j@1.2.18.3\n org.apache.hadoop:hadoop-common\n \t2.7.7\n \t\torg.apache.hadoop:hadoop-annotations@2.7.7\n \t\tcom.google.guava:guava@11.0.2\n \t\tcommons-cli:commons-cli@1.2\n \t\torg.apache.commons:commons-math3@3.1.1\n \t\txmlenc:xmlenc@0.52\n \t\tcommons-httpclient:commons-httpclient@3.1\n \t\tcommons-codec:commons-codec@1.4\n \t\tcommons-io:commons-io@2.4\n \t\tcommons-net:commons-net@3.1\n \t\tcommons-collections:commons-collections@3.2.2\n \t\tjavax.servlet:servlet-api@2.5\n \t\tMavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26\n \t\torg.mortbay.jetty:jetty-util@6.1.26\n \t\torg.mortbay.jetty:jetty-sslengine@6.1.26\n \t\tScope runtime|javax.servlet.jsp:jsp-api@2.1\n \t\tcom.sun.jersey:jersey-core@1.9\n \t\tMavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9\n \t\tcom.sun.jersey:jersey-server@1.9\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n \t\tMavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17\n \t\tnet.java.dev.jets3t:jets3t@0.9.0\n \t\tcommons-lang:commons-lang@2.6\n \t\tcommons-configuration:commons-configuration@1.6\n \t\torg.slf4j:slf4j-api@1.7.10\n \t\tScope runtime|org.slf4j:slf4j-log4j12@1.7.10\n \t\torg.codehaus.jackson:jackson-core-asl@1.9.13\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.9.13\n \t\torg.apache.avro:avro@1.7.4\n \t\tScope provided|org.apache.ant:ant@1.8.1\n \t\tcom.google.protobuf:protobuf-java@2.5.0\n \t\tcom.google.code.gson:gson@2.2.4\n \t\torg.apache.hadoop:hadoop-auth@2.7.7\n \t\tcom.jcraft:jsch@0.1.54\n \t\torg.apache.curator:curator-client@2.7.1\n \t\torg.apache.curator:curator-recipes@2.7.1\n \t\tcom.google.code.findbugs:jsr305@3.0.0\n \t\torg.apache.htrace:htrace-core@3.1.0-incubating\n \t\tMavenExclusions jline:jline,org.jboss.netty:netty,junit:junit,com.sun.jdmk:jmxtools,com.sun.jmx:jmxri|org.apache.zookeeper:zookeeper@3.4.6\n \t\torg.apache.commons:commons-compress@1.4.1\n org.apache.hadoop:hadoop-hdfs\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-annotations@2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-auth@2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-common@2.7.7\n \t\tcom.google.guava:guava@11.0.2\n \t\tMavenExclusions org.mortbay.jetty:servlet-api|org.mortbay.jetty:jetty@6.1.26\n \t\torg.mortbay.jetty:jetty-util@6.1.26\n \t\tcom.sun.jersey:jersey-core@1.9\n \t\tcom.sun.jersey:jersey-server@1.9\n \t\tcommons-cli:commons-cli@1.2\n \t\tcommons-codec:commons-codec@1.4\n \t\tcommons-io:commons-io@2.4\n \t\tcommons-lang:commons-lang@2.6\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n \t\tcommons-daemon:commons-daemon@1.0.13\n \t\tMavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17\n \t\tcom.google.protobuf:protobuf-java@2.5.0\n \t\tjavax.servlet:servlet-api@2.5\n \t\tScope provided|org.slf4j:slf4j-log4j12@1.7.10\n \t\torg.codehaus.jackson:jackson-core-asl@1.9.13\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.9.13\n \t\txmlenc:xmlenc@0.52\n \t\tio.netty:netty@3.6.2.Final\n \t\tio.netty:netty-all@4.0.23.Final\n \t\txerces:xercesImpl@2.9.1\n \t\torg.apache.htrace:htrace-core@3.1.0-incubating\n \t\torg.fusesource.leveldbjni:leveldbjni-all@1.8\n org.apache.hadoop:hadoop-main\n \t2.7.7\n \t3.2.4\n org.apache.hadoop:hadoop-project\n \t2.7.7\n \t3.2.4\n org.apache.hadoop:hadoop-project-dist\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-annotations@2.7.7\n org.apache.hadoop:hadoop-yarn\n \t2.7.7\n org.apache.hadoop:hadoop-yarn-api\n \t2.7.7\n \t\tcommons-lang:commons-lang@2.6\n \t\tcom.google.guava:guava@11.0.2\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n \t\tScope provided|org.apache.hadoop:hadoop-common@2.7.7\n \t\torg.apache.hadoop:hadoop-annotations@2.7.7\n \t\tcom.google.protobuf:protobuf-java@2.5.0\n org.apache.hadoop:hadoop-yarn-client\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-common@2.7.7\n \t\tcom.google.guava:guava@11.0.2\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n \t\tcommons-lang:commons-lang@2.6\n \t\tcommons-cli:commons-cli@1.2\n \t\tMavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17\n \t\torg.apache.hadoop:hadoop-annotations@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-api@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-common@2.7.7\n org.apache.hadoop:hadoop-yarn-common\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-common@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-api@2.7.7\n \t\tjavax.xml.bind:jaxb-api@2.2.2\n \t\torg.apache.commons:commons-compress@1.4.1\n \t\tcommons-lang:commons-lang@2.6\n \t\tjavax.servlet:servlet-api@2.5\n \t\tcommons-codec:commons-codec@1.4\n \t\torg.mortbay.jetty:jetty-util@6.1.26\n \t\tcom.sun.jersey:jersey-core@1.9\n \t\tcom.sun.jersey:jersey-client@1.9\n \t\torg.codehaus.jackson:jackson-core-asl@1.9.13\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.9.13\n \t\torg.codehaus.jackson:jackson-jaxrs@1.9.13\n \t\torg.codehaus.jackson:jackson-xc@1.9.13\n \t\tcom.google.guava:guava@11.0.2\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n \t\tcommons-cli:commons-cli@1.2\n \t\torg.slf4j:slf4j-api@1.7.10\n \t\torg.apache.hadoop:hadoop-annotations@2.7.7\n \t\tcom.google.inject.extensions:guice-servlet@3.0\n \t\tcom.google.protobuf:protobuf-java@2.5.0\n \t\tcommons-io:commons-io@2.4\n \t\tcom.google.inject:guice@3.0\n \t\tcom.sun.jersey:jersey-server@1.9\n \t\tMavenExclusions stax:stax-api|com.sun.jersey:jersey-json@1.9\n \t\tcom.sun.jersey.contribs:jersey-guice@1.9\n \t\tMavenExclusions com.sun.jdmk:jmxtools,com.sun.jmx:jmxri,javax.mail:mail,javax.jms:jmx,javax.jms:jms|log4j:log4j@1.2.17\n org.apache.hadoop:hadoop-yarn-server-tests\n \t2.7.7\n \t\tScope provided|org.apache.hadoop:hadoop-common@2.7.7\n \t\torg.apache.hadoop:hadoop-annotations@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-server-common@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-server-nodemanager@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-server-resourcemanager@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-common@2.7.7\n \t\torg.apache.hadoop:hadoop-yarn-api@2.7.7\n \t\tcom.google.guava:guava@11.0.2\n \t\tMavenExclusions avalon-framework:avalon-framework,logkit:logkit,javax.servlet:servlet-api|commons-logging:commons-logging@1.1.3\n org.apache.htrace:htrace\n \t3.1.0-incubating\n \t4.1.0-incubating\n org.apache.htrace:htrace-core\n \t3.1.0-incubating\n org.apache.htrace:htrace-core4\n \t4.1.0-incubating\n org.apache.httpcomponents:httpasyncclient\n \t4.0.2\n \t\torg.apache.httpcomponents:httpcore@4.3.2\n \t\torg.apache.httpcomponents:httpcore-nio@4.3.2\n \t\torg.apache.httpcomponents:httpclient@4.3.5\n \t\tcommons-logging:commons-logging@1.1.3\n org.apache.httpcomponents:httpclient\n \t4.5.1\n \t\torg.apache.httpcomponents:httpcore@4.4.3\n \t\tcommons-logging:commons-logging@1.2\n \t\tcommons-codec:commons-codec@1.9\n \t4.5.13\n \t\torg.apache.httpcomponents:httpcore@4.4.13\n \t\tcommons-logging:commons-logging@1.2\n \t\tcommons-codec:commons-codec@1.11\n org.apache.httpcomponents:httpcomponents-asyncclient\n \t4.0.2\n org.apache.httpcomponents:httpcomponents-client\n \t4.5\n \t4.5.1\n \t4.5.11\n \t4.5.13\n org.apache.httpcomponents:httpcomponents-core\n \t4.3.2\n \t4.4.1\n \t4.4.3\n \t4.4.13\n org.apache.httpcomponents:httpcomponents-parent\n \t11\n org.apache.httpcomponents:httpcore\n \t4.4.1\n \t4.4.3\n \t4.4.13\n org.apache.httpcomponents:httpcore-nio\n \t4.3.2\n \t\torg.apache.httpcomponents:httpcore@4.3.2\n org.apache.httpcomponents:httpmime\n \t4.5\n \t\torg.apache.httpcomponents:httpclient@4.5\n \t4.5.11\n \t\torg.apache.httpcomponents:httpclient@4.5.11\n org.apache.httpcomponents:project\n \t7\n org.apache.jackrabbit:jackrabbit-jcr-commons\n \t1.6.5\n \t\tScope provided|javax.jcr:jcr@1.0\n \t2.22.2\n \t\tScope provided|javax.jcr:jcr@2.0\n \t\tOpt|org.apache.jackrabbit:oak-jackrabbit-api@1.22.22\n \t\tScope provided|org.osgi:org.osgi.annotation@6.0.0\n org.apache.jackrabbit:jackrabbit-parent\n \t1.6.5\n \t2.22.2\n org.apache.jackrabbit:jackrabbit-webdav\n \t1.6.5\n \t\torg.apache.jackrabbit:jackrabbit-jcr-commons@1.6.5\n \t\torg.slf4j:slf4j-api@1.5.3\n \t\tScope provided|javax.servlet:servlet-api@2.3\n \t\tMavenExclusions junit:junit|commons-httpclient:commons-httpclient@3.0\n org.apache.jackrabbit:parent\n \t5\n org.apache.logging.log4j:log4j-bom\n \t2.24.3\n org.apache.logging:logging-parent\n \t11.3.0\n org.apache.lucene:lucene-analyzers-common\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n org.apache.lucene:lucene-core\n \t8.7.0\n org.apache.lucene:lucene-highlighter\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n \t\tMavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-memory@8.7.0\n \t\tMavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0\n org.apache.lucene:lucene-memory\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n org.apache.lucene:lucene-parent\n \t8.7.0\n org.apache.lucene:lucene-queries\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n org.apache.lucene:lucene-queryparser\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n \t\tMavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-queries@8.7.0\n \t\tMavenExclusions org.apache.lucene:lucene-core|org.apache.lucene:lucene-sandbox@8.7.0\n org.apache.lucene:lucene-sandbox\n \t8.7.0\n \t\torg.apache.lucene:lucene-core@8.7.0\n org.apache.lucene:lucene-solr-grandparent\n \t8.7.0\n org.apache.maven.plugin-tools:maven-plugin-annotations\n \t3.7.0\n org.apache.maven.resolver:maven-resolver\n \t1.4.1\n org.apache.maven.resolver:maven-resolver-api\n \t1.4.1\n org.apache.maven.resolver:maven-resolver-connector-basic\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-spi@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-util@1.4.1\n \t\tOpt Scope provided|javax.inject:javax.inject@1\n \t\torg.slf4j:slf4j-api@1.7.25\n org.apache.maven.resolver:maven-resolver-impl\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-spi@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-util@1.4.1\n \t\tOpt Scope provided|javax.inject:javax.inject@1\n \t\tOpt Scope provided|org.eclipse.sisu:org.eclipse.sisu.inject@0.3.3\n \t\tOpt Scope provided MavenClassifier no_aop MavenExclusions aopalliance:aopalliance,com.google.code.findbugs:jsr305|org.sonatype.sisu:sisu-guice@3.2.6\n \t\torg.slf4j:slf4j-api@1.7.25\n org.apache.maven.resolver:maven-resolver-spi\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n org.apache.maven.resolver:maven-resolver-transport-file\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-spi@1.4.1\n \t\tOpt Scope provided|javax.inject:javax.inject@1\n \t\torg.slf4j:slf4j-api@1.7.25\n org.apache.maven.resolver:maven-resolver-transport-http\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-spi@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-util@1.4.1\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.6\n \t\torg.apache.httpcomponents:httpcore@4.4.10\n \t\tScope runtime|org.slf4j:jcl-over-slf4j@1.7.25\n \t\tOpt Scope provided|javax.inject:javax.inject@1\n \t\torg.slf4j:slf4j-api@1.7.25\n org.apache.maven.resolver:maven-resolver-util\n \t1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n org.apache.maven:maven\n \t3.6.3\n org.apache.maven:maven-artifact\n \t3.6.3\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n \t\torg.apache.commons:commons-lang3@3.8.1\n org.apache.maven:maven-builder-support\n \t3.6.3\n org.apache.maven:maven-model\n \t3.6.3\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n org.apache.maven:maven-model-builder\n \t3.6.3\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n \t\torg.codehaus.plexus:plexus-interpolation@1.25\n \t\tjavax.inject:javax.inject@1\n \t\torg.apache.maven:maven-model@3.6.3\n \t\torg.apache.maven:maven-artifact@3.6.3\n \t\torg.apache.maven:maven-builder-support@3.6.3\n \t\torg.eclipse.sisu:org.eclipse.sisu.inject@0.3.4\n org.apache.maven:maven-parent\n \t33\n org.apache.maven:maven-plugin-api\n \t3.6.3\n \t\torg.apache.maven:maven-model@3.6.3\n \t\tMavenExclusions org.apache.maven.wagon:wagon-provider-api|org.apache.maven:maven-artifact@3.6.3\n \t\torg.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n \t\torg.codehaus.plexus:plexus-classworlds@2.6.0\n org.apache.maven:maven-repository-metadata\n \t3.6.3\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n org.apache.maven:maven-resolver-provider\n \t3.6.3\n \t\torg.apache.maven:maven-model@3.6.3\n \t\torg.apache.maven:maven-model-builder@3.6.3\n \t\torg.apache.maven:maven-repository-metadata@3.6.3\n \t\torg.apache.maven.resolver:maven-resolver-api@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-spi@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-util@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-impl@1.4.1\n \t\torg.codehaus.plexus:plexus-utils@3.2.1\n \t\tjavax.inject:javax.inject@1\n \t\tOpt MavenClassifier no_aop MavenExclusions aopalliance:aopalliance|com.google.inject:guice@4.2.1\n \t\torg.slf4j:slf4j-api@1.7.29\n org.apache.mina:mina-core\n \t2.0.7\n \t\torg.slf4j:slf4j-api@1.6.6\n \t2.0.9\n \t\torg.slf4j:slf4j-api@1.7.7\n \t2.0.21\n \t\torg.slf4j:slf4j-api@1.7.26\n \t2.0.22\n \t\torg.slf4j:slf4j-api@1.7.26\n \t2.0.27\n \t\torg.slf4j:slf4j-api@1.7.36\n org.apache.mina:mina-parent\n \t2.0.7\n \t\torg.slf4j:slf4j-api@1.6.6\n \t2.0.9\n \t\torg.slf4j:slf4j-api@1.7.7\n \t2.0.21\n \t\torg.slf4j:slf4j-api@1.7.26\n \t2.0.22\n \t\torg.slf4j:slf4j-api@1.7.26\n \t2.0.27\n \t\torg.slf4j:slf4j-api@1.7.36\n org.apache.pdfbox:fontbox\n \t2.0.16\n \t\tcommons-logging:commons-logging@1.2\n \t2.0.23\n \t\tcommons-logging:commons-logging@1.2\n \t2.0.24\n \t\tcommons-logging:commons-logging@1.2\n org.apache.pdfbox:pdfbox\n \t2.0.16\n \t\torg.apache.pdfbox:fontbox@2.0.16\n \t\tcommons-logging:commons-logging@1.2\n \t\tOpt|org.bouncycastle:bcmail-jdk15on@1.60\n \t\tOpt|org.bouncycastle:bcprov-jdk15on@1.60\n \t2.0.23\n \t\torg.apache.pdfbox:fontbox@2.0.23\n \t\tcommons-logging:commons-logging@1.2\n \t\tOpt|org.bouncycastle:bcmail-jdk15on@1.64\n \t\tOpt|org.bouncycastle:bcprov-jdk15on@1.64\n \t2.0.24\n \t\torg.apache.pdfbox:fontbox@2.0.24\n \t\tcommons-logging:commons-logging@1.2\n \t\tOpt|org.bouncycastle:bcmail-jdk15on@1.64\n \t\tOpt|org.bouncycastle:bcprov-jdk15on@1.64\n org.apache.pdfbox:pdfbox-parent\n \t2.0.16\n \t2.0.23\n \t2.0.24\n org.apache.pdfbox:xmpbox\n \t2.0.16\n \t\tcommons-logging:commons-logging@1.2\n org.apache.servicemix.bundles:bundles-pom\n \t6\n org.apache.servicemix.bundles:org.apache.servicemix.bundles.antlr\n \t2.7.7_5\n org.apache.servicemix:servicemix-pom\n \t5\n org.apache.shiro:shiro-cache\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n org.apache.shiro:shiro-config\n \t1.10.0\n \t1.13.0\n org.apache.shiro:shiro-config-core\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n org.apache.shiro:shiro-config-ogdl\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t\torg.apache.shiro:shiro-config-core@1.10.0\n \t\torg.apache.shiro:shiro-event@1.10.0\n \t\tMavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4\n \t\tOpt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0\n \t\torg.slf4j:slf4j-api@1.7.36\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n \t\torg.apache.shiro:shiro-config-core@1.13.0\n \t\torg.apache.shiro:shiro-event@1.13.0\n \t\tMavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4\n \t\tOpt MavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.9.0\n \t\torg.slf4j:slf4j-api@1.7.36\n org.apache.shiro:shiro-core\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t\torg.apache.shiro:shiro-cache@1.10.0\n \t\torg.apache.shiro:shiro-crypto-hash@1.10.0\n \t\torg.apache.shiro:shiro-crypto-cipher@1.10.0\n \t\torg.apache.shiro:shiro-config-core@1.10.0\n \t\torg.apache.shiro:shiro-config-ogdl@1.10.0\n \t\torg.apache.shiro:shiro-event@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n \t\torg.apache.shiro:shiro-cache@1.13.0\n \t\torg.apache.shiro:shiro-crypto-hash@1.13.0\n \t\torg.apache.shiro:shiro-crypto-cipher@1.13.0\n \t\torg.apache.shiro:shiro-config-core@1.13.0\n \t\torg.apache.shiro:shiro-config-ogdl@1.13.0\n \t\torg.apache.shiro:shiro-event@1.13.0\n org.apache.shiro:shiro-crypto\n \t1.10.0\n \t1.13.0\n org.apache.shiro:shiro-crypto-cipher\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t\torg.apache.shiro:shiro-crypto-core@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n \t\torg.apache.shiro:shiro-crypto-core@1.13.0\n org.apache.shiro:shiro-crypto-core\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n org.apache.shiro:shiro-crypto-hash\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t\torg.apache.shiro:shiro-crypto-core@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n \t\torg.apache.shiro:shiro-crypto-core@1.13.0\n org.apache.shiro:shiro-event\n \t1.10.0\n \t\torg.apache.shiro:shiro-lang@1.10.0\n \t1.13.0\n \t\torg.apache.shiro:shiro-lang@1.13.0\n org.apache.shiro:shiro-lang\n \t1.10.0\n \t\torg.slf4j:slf4j-api@1.7.36\n \t1.13.0\n \t\torg.slf4j:slf4j-api@1.7.36\n org.apache.shiro:shiro-root\n \t1.10.0\n \t1.12.0\n \t1.13.0\n org.apache.shiro:shiro-web\n \t1.10.0\n \t\torg.apache.shiro:shiro-core@1.10.0\n \t\tScope provided|javax.servlet.jsp:jsp-api@2.2\n \t\tScope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5\n \t\tScope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\torg.owasp.encoder:encoder@1.2.3\n \t1.12.0\n \t\torg.apache.shiro:shiro-core@1.12.0\n \t\tScope provided|javax.servlet.jsp:jsp-api@2.2\n \t\tScope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5\n \t\tScope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\torg.owasp.encoder:encoder@1.2.3\n \t1.13.0\n \t\torg.apache.shiro:shiro-core@1.13.0\n \t\tScope provided|javax.servlet.jsp:jsp-api@2.2\n \t\tScope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5\n \t\tScope provided|org.apache.taglibs:taglibs-standard-impl@1.2.5\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\torg.owasp.encoder:encoder@1.2.3\n org.apache.taglibs:taglibs-parent\n \t3\n org.apache.taglibs:taglibs-standard\n \t1.2.5\n org.apache.taglibs:taglibs-standard-impl\n \t1.2.5\n \t\tScope provided|org.apache.taglibs:taglibs-standard-spec@1.2.5\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tScope provided|javax.servlet.jsp:jsp-api@2.1\n \t\tScope provided|javax.el:el-api@1.0\n \t\tOpt Scope provided|xalan:xalan@2.7.1\n org.apache.taglibs:taglibs-standard-spec\n \t1.2.5\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tScope provided|javax.servlet.jsp:jsp-api@2.1\n \t\tScope provided|javax.el:el-api@1.0\n org.apache.thrift:libthrift\n \t0.13.0\n \t\torg.slf4j:slf4j-api@1.7.25\n \t\torg.apache.httpcomponents:httpclient@4.5.6\n \t\torg.apache.httpcomponents:httpcore@4.4.1\n \t\tScope provided|javax.servlet:servlet-api@2.5\n \t\tjavax.annotation:javax.annotation-api@1.3.2\n \t0.14.0\n \t\torg.slf4j:slf4j-api@1.7.28\n \t\torg.apache.httpcomponents:httpclient@4.5.10\n \t\torg.apache.httpcomponents:httpcore@4.4.12\n \t\torg.apache.tomcat.embed:tomcat-embed-core@8.5.46\n \t\tjavax.annotation:javax.annotation-api@1.3.2\n org.apache.tomcat.embed:tomcat-embed-core\n \t8.5.46\n \t\torg.apache.tomcat:tomcat-annotations-api@8.5.46\n \t9.0.106\n \t\torg.apache.tomcat:tomcat-annotations-api@9.0.106\n \t9.0.110\n \t\torg.apache.tomcat:tomcat-annotations-api@9.0.110\n org.apache.tomcat:tomcat-annotations-api\n \t8.5.46\n \t9.0.106\n \t9.0.110\n org.apache.zeppelin:zeppelin\n \t0.11.1\n \t0.12.0\n org.apache.zeppelin:zeppelin-common\n \t0.11.1\n \t\tcom.google.code.gson:gson@2.8.9\n \t\torg.slf4j:slf4j-api@1.7.35\n org.apache.zeppelin:zeppelin-interpreter\n \t0.11.1\n \t\torg.apache.zeppelin:zeppelin-common@0.11.1\n \t\tMavenExclusions org.apache.commons:commons-lang3|io.atomix:atomix@3.0.0-rc5\n \t\tio.atomix:atomix-raft@3.0.0-rc5\n \t\tio.atomix:atomix-primary-backup@3.0.0-rc5\n \t\torg.apache.commons:commons-lang3@3.12.0\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.thrift:libthrift@0.13.0\n \t\tcom.google.code.gson:gson@2.8.9\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.8.0\n \t\tMavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4\n \t\torg.apache.commons:commons-exec@1.3\n \t\torg.apache.commons:commons-pool2@2.3\n \t\tcommons-io:commons-io@2.7\n \t\tMavenExclusions ch.qos.reload4j:reload4j|org.slf4j:slf4j-reload4j@1.7.35\n \t\tch.qos.reload4j:reload4j@1.2.25\n \t\torg.slf4j:jcl-over-slf4j@1.7.35\n \t\torg.apache.maven:maven-plugin-api@3.6.3\n \t\tMavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils|org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4\n \t\torg.apache.maven:maven-resolver-provider@3.6.3\n \t\torg.apache.maven.resolver:maven-resolver-connector-basic@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-transport-file@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-transport-http@1.4.1\n \t\tjline:jline@2.14.3\n \t\tScope provided MavenExclusions log4j:log4j,org.slf4j:slf4j-log4j12|org.apache.hadoop:hadoop-common@2.7.7\n \t\tScope provided MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7\n \t0.12.0\n \t\torg.apache.zeppelin:zeppelin-common@0.12.0\n \t\torg.apache.commons:commons-lang3@3.14.0\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.thrift:libthrift@0.13.0\n \t\tcom.google.code.gson:gson@2.8.9\n \t\tcom.google.code.findbugs:jsr305@3.0.2\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.commons:commons-configuration2@2.10.1\n \t\tMavenExclusions commons-logging:commons-logging|commons-beanutils:commons-beanutils@1.9.4\n \t\torg.apache.commons:commons-exec@1.3\n \t\torg.apache.commons:commons-pool2@2.3\n \t\tcommons-io:commons-io@2.15.1\n \t\tMavenExclusions ch.qos.reload4j:reload4j|org.slf4j:slf4j-reload4j@1.7.35\n \t\tch.qos.reload4j:reload4j@1.2.25\n \t\torg.slf4j:jcl-over-slf4j@1.7.35\n \t\torg.apache.maven:maven-plugin-api@3.6.3\n \t\tMavenExclusions org.codehaus.plexus:plexus-classworlds,org.codehaus.plexus:plexus-utils|org.eclipse.sisu:org.eclipse.sisu.plexus@0.3.4\n \t\torg.apache.maven:maven-resolver-provider@3.6.3\n \t\torg.apache.maven.resolver:maven-resolver-connector-basic@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-transport-file@1.4.1\n \t\torg.apache.maven.resolver:maven-resolver-transport-http@1.4.1\n \t\tjline:jline@2.14.3\n \t\tScope provided MavenExclusions commons-logging:commons-logging|org.apache.hadoop:hadoop-client-runtime@3.3.6\n org.apache.zeppelin:zeppelin-jupyter\n \t0.11.1\n \t\tcom.google.code.gson:gson@2.8.9\n \t\torg.danilopianini:gson-extras@0.2.2\n \t\tcommons-cli:commons-cli@1.4\n \t\tMavenExclusions commons-logging:commons-logging|com.vladsch.flexmark:flexmark-all@0.62.2\n \t\torg.apache.commons:commons-lang3@3.12.0\n org.apache.zeppelin:zeppelin-zengine\n \t0.11.1\n \t\torg.apache.zeppelin:zeppelin-common@0.11.1\n \t\torg.apache.zeppelin:zeppelin-interpreter@0.11.1\n \t\tMavenExclusions org.ow2.asm:asm,org.jsoup:jsoup|org.apache.zeppelin:zeppelin-jupyter@0.11.1\n \t\torg.slf4j:slf4j-api@1.7.35\n \t\tcommons-io:commons-io@2.7\n \t\tcommons-cli:commons-cli@1.4\n \t\torg.bouncycastle:bcpkix-jdk15on@1.70\n \t\tMavenExclusions commons-httpclient:commons-httpclient|org.apache.commons:commons-vfs2-jackrabbit1@2.6.0\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpclient@4.5.13\n \t\tMavenExclusions commons-logging:commons-logging|org.apache.httpcomponents:httpasyncclient@4.0.2\n \t\torg.eclipse.jetty:jetty-client@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823\n \t\torg.quartz-scheduler:quartz@2.3.2\n \t\tio.micrometer:micrometer-core@1.6.0\n \t\tio.dropwizard.metrics:metrics-healthchecks@4.1.14\n \t\tcom.google.code.gson:gson@2.8.9\n \t\torg.apache.lucene:lucene-core@8.7.0\n \t\torg.apache.lucene:lucene-analyzers-common@8.7.0\n \t\torg.apache.lucene:lucene-queryparser@8.7.0\n \t\torg.apache.lucene:lucene-highlighter@8.7.0\n \t\tMavenExclusions org.codehaus.plexus:plexus-utils,org.apache.commons:commons-compress,com.fasterxml.jackson.core:jackson-databind|com.github.eirslett:frontend-plugin-core@1.6\n \t\tMavenExclusions org.codehaus.plexus:plexus-utils,org.apache.hadoop:hadoop-hdfs-client|org.apache.commons:commons-vfs2@2.6.0\n \t\torg.eclipse.jgit:org.eclipse.jgit@4.5.4.201711221230-r\n \t\torg.codehaus.jettison:jettison@1.5.4\n \t\torg.apache.commons:commons-lang3@3.12.0\n \t\torg.apache.commons:commons-compress@1.21\n \t\tScope provided MavenExclusions log4j:log4j|org.apache.hadoop:hadoop-common@2.7.7\n \t\tScope provided MavenExclusions javax.servlet:servlet-api,org.apache.avro:avro,org.apache.jackrabbit:jackrabbit-webdav,io.netty:netty,commons-httpclient:commons-httpclient,org.eclipse.jgit:org.eclipse.jgit,com.jcraft:jsch,org.apache.commons:commons-compress,xml-apis:xml-apis,xerces:xercesImpl,org.codehaus.jackson:jackson-mapper-asl,org.codehaus.jackson:jackson-core-asl,com.google.guava:guava,com.google.code.findbugs:jsr305,org.apache.commons:commons-math3,commons-logging:commons-logging,log4j:log4j|org.apache.hadoop:hadoop-yarn-client@2.7.7\n org.apache.zookeeper:zookeeper\n \t3.4.6\n \t\torg.slf4j:slf4j-api@1.6.1\n \t\torg.slf4j:slf4j-log4j12@1.6.1\n \t\tOpt|org.apache.maven.wagon:wagon-http@2.4\n \t\tOpt|org.apache.maven:maven-ant-tasks@2.1.3\n \t\tlog4j:log4j@1.2.16\n \t\tjline:jline@0.9.94\n \t\tio.netty:netty@3.7.0.Final\n \t\tOpt|org.vafer:jdeb@0.8\n \t\tOpt|jdiff:jdiff@1.0.9\n \t\tOpt|xerces:xerces@1.4.4\n \t\tOpt|org.apache.rat:apache-rat-tasks@0.6\n \t\tOpt|commons-lang:commons-lang@2.4\n \t\tOpt|commons-collections:commons-collections@3.1\n org.apache:apache\n \t4\n \t6\n \t7\n \t9\n \t10\n \t11\n \t12\n \t13\n \t14\n \t15\n \t16\n \t17\n \t18\n \t19\n \t21\n \t23\n \t24\n \t27\n \t28\n \t29\n \t30\n \t31\n \t33\n \t34\n \t35\n org.apiguardian:apiguardian-api\n \t1.1.0\n org.assertj:assertj-core\n \t1.7.0\n \t\tScope provided|junit:junit@4.10\n \t\tOpt|cglib:cglib-nodep@2.2.2\n org.awaitility:awaitility\n \t4.2.0\n \t\torg.hamcrest:hamcrest@2.1\n org.bitbucket.cowwoc:diff-match-patch\n \t1.1\n org.bouncycastle:bcpkix-jdk15on\n \t1.70\n \t\torg.bouncycastle:bcprov-jdk15on@1.70\n \t\torg.bouncycastle:bcutil-jdk15on@1.70\n org.bouncycastle:bcprov-jdk15on\n \t1.70\n org.bouncycastle:bcutil-jdk15on\n \t1.70\n \t\torg.bouncycastle:bcprov-jdk15on@1.70\n org.brotli:dec\n \t0.1.2\n org.brotli:parent\n \t0.1.2\n org.checkerframework:checker-compat-qual\n \t2.0.0\n org.checkerframework:checker-qual\n \t3.33.0\n org.codehaus.jackson:jackson-core-asl\n \t1.9.13\n org.codehaus.jackson:jackson-jaxrs\n \t1.8.3\n \t\torg.codehaus.jackson:jackson-core-asl@1.8.3\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.8.3\n org.codehaus.jackson:jackson-mapper-asl\n \t1.9.13\n \t\torg.codehaus.jackson:jackson-core-asl@1.9.13\n org.codehaus.jackson:jackson-xc\n \t1.8.3\n \t\torg.codehaus.jackson:jackson-core-asl@1.8.3\n \t\torg.codehaus.jackson:jackson-mapper-asl@1.8.3\n org.codehaus.jettison:jettison\n \t1.5.4\n org.codehaus.mojo:animal-sniffer-annotations\n \t1.14\n org.codehaus.mojo:animal-sniffer-parent\n \t1.14\n org.codehaus.mojo:mojo-parent\n \t34\n org.codehaus.plexus:plexus\n \t2.0.7\n \t5.1\n org.codehaus.plexus:plexus-classworlds\n \t2.6.0\n org.codehaus.plexus:plexus-component-annotations\n \t1.5.5\n org.codehaus.plexus:plexus-containers\n \t1.5.5\n org.codehaus.plexus:plexus-interpolation\n \t1.25\n org.codehaus.plexus:plexus-utils\n \t3.2.1\n org.codehaus:codehaus-parent\n \t1\n \t4\n org.danilopianini:gson-extras\n \t0.2.2\n \t\tcom.google.code.gson:gson@2.8.6\n \t\tScope runtime|javax.annotation:jsr250-api@1.0\n org.eclipse.ee4j:project\n \t1.0.2\n \t1.0.5\n \t1.0.6\n org.eclipse.jetty.websocket:javax-websocket-client-impl\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823\n \t\tjavax.websocket:javax.websocket-client-api@1.0\n org.eclipse.jetty.websocket:javax-websocket-server-impl\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-annotations@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:javax-websocket-client-impl@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-server@9.4.52.v20230823\n \t\tjavax.websocket:javax.websocket-api@1.0\n org.eclipse.jetty.websocket:websocket-api\n \t9.2.12.v20150709\n \t9.4.52.v20230823\n org.eclipse.jetty.websocket:websocket-client\n \t9.2.12.v20150709\n \t\torg.eclipse.jetty:jetty-util@9.2.12.v20150709\n \t\torg.eclipse.jetty:jetty-io@9.2.12.v20150709\n \t\torg.eclipse.jetty.websocket:websocket-common@9.2.12.v20150709\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-client@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-xml@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-io@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823\n org.eclipse.jetty.websocket:websocket-common\n \t9.2.12.v20150709\n \t\torg.eclipse.jetty.websocket:websocket-api@9.2.12.v20150709\n \t\torg.eclipse.jetty:jetty-util@9.2.12.v20150709\n \t\torg.eclipse.jetty:jetty-io@9.2.12.v20150709\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-io@9.4.52.v20230823\n org.eclipse.jetty.websocket:websocket-parent\n \t9.2.12.v20150709\n \t9.4.52.v20230823\n org.eclipse.jetty.websocket:websocket-server\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-common@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-client@9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-servlet@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-servlet@9.4.52.v20230823\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\torg.eclipse.jetty:jetty-http@9.4.52.v20230823\n \t\tScope provided|org.eclipse.jetty:jetty-server@9.4.52.v20230823\n org.eclipse.jetty.websocket:websocket-servlet\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty.websocket:websocket-api@9.4.52.v20230823\n \t\tjavax.servlet:javax.servlet-api@3.1.0\n org.eclipse.jetty:jetty-annotations\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-plus@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-webapp@9.4.52.v20230823\n \t\tjavax.annotation:javax.annotation-api@1.3.2\n \t\torg.ow2.asm:asm@9.5\n \t\torg.ow2.asm:asm-commons@9.5\n org.eclipse.jetty:jetty-client\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-http@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-io@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823\n org.eclipse.jetty:jetty-core\n \t12.0.12\n org.eclipse.jetty:jetty-http\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-io@9.4.52.v20230823\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t12.0.12\n \t\torg.eclipse.jetty:jetty-io@12.0.12\n \t\torg.eclipse.jetty:jetty-util@12.0.12\n \t\torg.slf4j:slf4j-api@2.0.13\n org.eclipse.jetty:jetty-io\n \t9.2.12.v20150709\n \t\torg.eclipse.jetty:jetty-util@9.2.12.v20150709\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823\n org.eclipse.jetty:jetty-jmx\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n org.eclipse.jetty:jetty-jndi\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\tScope provided|org.eclipse.jetty:jetty-webapp@9.4.52.v20230823\n \t\tScope provided MavenExclusions org.eclipse.jetty.orbit:javax.activation|org.eclipse.jetty.orbit:javax.mail.glassfish@1.4.1.v201005082020\n org.eclipse.jetty:jetty-parent\n \t14\n \t23\n org.eclipse.jetty:jetty-plus\n \t9.4.52.v20230823\n \t\tScope provided|javax.transaction:javax.transaction-api@1.3\n \t\torg.eclipse.jetty:jetty-webapp@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-jndi@9.4.52.v20230823\n org.eclipse.jetty:jetty-project\n \t9.2.12.v20150709\n \t9.4.52.v20230823\n \t9.4.56.v20240826\n \t9.4.57.v20241219\n \t12.0.12\n org.eclipse.jetty:jetty-security\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-server@9.4.52.v20230823\n org.eclipse.jetty:jetty-server\n \t9.4.52.v20230823\n \t\tjavax.servlet:javax.servlet-api@3.1.0\n \t\torg.eclipse.jetty:jetty-http@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-io@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823\n \t9.4.56.v20240826\n \t\tjavax.servlet:javax.servlet-api@3.1.0\n \t\torg.eclipse.jetty:jetty-http@9.4.56.v20240826\n \t\torg.eclipse.jetty:jetty-io@9.4.56.v20240826\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.56.v20240826\n \t9.4.57.v20241219\n \t\tjavax.servlet:javax.servlet-api@3.1.0\n \t\torg.eclipse.jetty:jetty-http@9.4.57.v20241219\n \t\torg.eclipse.jetty:jetty-io@9.4.57.v20241219\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.57.v20241219\n org.eclipse.jetty:jetty-servlet\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-security@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util-ajax@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823\n org.eclipse.jetty:jetty-util\n \t9.2.12.v20150709\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t\tOpt Scope provided|org.slf4j:slf4j-api@1.6.6\n \t9.4.52.v20230823\n org.eclipse.jetty:jetty-util-ajax\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n org.eclipse.jetty:jetty-webapp\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-xml@9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-servlet@9.4.52.v20230823\n \t\tOpt|org.eclipse.jetty:jetty-jmx@9.4.52.v20230823\n org.eclipse.jetty:jetty-xml\n \t9.4.52.v20230823\n \t\torg.eclipse.jetty:jetty-util@9.4.52.v20230823\n org.eclipse.jgit:org.eclipse.jgit\n \t4.5.4.201711221230-r\n \t\tcom.jcraft:jsch@0.1.53\n \t\tcom.googlecode.javaewah:JavaEWAH@0.7.9\n \t\torg.apache.httpcomponents:httpclient@4.3.6\n \t\torg.slf4j:slf4j-api@1.7.2\n \t\tScope provided|javax.servlet:javax.servlet-api@3.1.0\n \t5.13.3.202401111512-r\n \t\tcom.googlecode.javaewah:JavaEWAH@1.1.13\n \t\torg.slf4j:slf4j-api@1.7.30\n \t6.10.1.202505221210-r\n \t\tcom.googlecode.javaewah:JavaEWAH@1.2.3\n \t\torg.slf4j:slf4j-api@1.7.36\n \t\tcommons-codec:commons-codec@1.17.0\n org.eclipse.jgit:org.eclipse.jgit-parent\n \t4.5.4.201711221230-r\n \t5.13.3.202401111512-r\n \t6.10.1.202505221210-r\n org.eclipse.sisu:org.eclipse.sisu.inject\n \t0.3.4\n \t\tScope provided|com.google.inject:guice@3.0\n org.eclipse.sisu:org.eclipse.sisu.plexus\n \t0.3.4\n \t\tScope provided|com.google.inject:guice@3.0\n \t\tMavenExclusions javax.el:el-api,org.jboss.ejb3:jboss-ejb3-api,org.jboss.interceptor:jboss-interceptor-api|javax.enterprise:cdi-api@1.0\n \t\torg.eclipse.sisu:org.eclipse.sisu.inject@0.3.4\n \t\torg.codehaus.plexus:plexus-component-annotations@1.5.5\n \t\torg.codehaus.plexus:plexus-classworlds@2.5.2\n \t\torg.codehaus.plexus:plexus-utils@3.0.17\n \t\tOpt|junit:junit@4.11\n org.eclipse.sisu:sisu-inject\n \t0.3.4\n org.eclipse.sisu:sisu-plexus\n \t0.3.4\n org.glassfish.hk2.external:aopalliance-repackaged\n \t2.6.1\n \t\tOpt|aopalliance:aopalliance@1.0\n org.glassfish.hk2.external:jakarta.inject\n \t2.6.1\n \t\tOpt|javax.inject:javax.inject@1\n org.glassfish.hk2:external\n \t2.6.1\n org.glassfish.hk2:hk2-api\n \t2.6.1\n \t\tOpt|org.glassfish.hk2:osgi-resource-locator@1.0.3\n \t\torg.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.hk2:hk2-utils@2.6.1\n \t\torg.glassfish.hk2.external:aopalliance-repackaged@2.6.1\n org.glassfish.hk2:hk2-locator\n \t2.6.1\n \t\torg.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.hk2.external:aopalliance-repackaged@2.6.1\n \t\torg.glassfish.hk2:hk2-api@2.6.1\n \t\torg.glassfish.hk2:hk2-utils@2.6.1\n \t\tjakarta.annotation:jakarta.annotation-api@1.3.4\n \t\torg.javassist:javassist@3.22.0-CR2\n org.glassfish.hk2:hk2-parent\n \t2.6.1\n org.glassfish.hk2:hk2-utils\n \t2.6.1\n \t\tjakarta.annotation:jakarta.annotation-api@1.3.4\n \t\torg.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\tOpt|javax.validation:validation-api@2.0.1.Final\n \t\tOpt|org.hibernate.validator:hibernate-validator@6.0.10.Final\n \t\tOpt|org.jboss.logging:jboss-logging@3.3.1.Final\n \t\tOpt|com.fasterxml:classmate@1.3.3\n org.glassfish.hk2:osgi-resource-locator\n \t1.0.3\n \t\tScope provided|org.osgi:osgi.core@6.0.0\n \t\tScope provided|org.osgi:osgi.cmpn@6.0.0\n org.glassfish.jersey.containers:jersey-container-servlet-core\n \t2.30\n \t\tScope provided|jakarta.servlet:jakarta.servlet-api@4.0.3\n \t\tScope provided|jakarta.persistence:jakarta.persistence-api@2.2.3\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\torg.glassfish.jersey.core:jersey-server@2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n org.glassfish.jersey.containers:project\n \t2.30\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\torg.glassfish.jersey.core:jersey-server@2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n org.glassfish.jersey.core:jersey-client\n \t2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n org.glassfish.jersey.core:jersey-common\n \t2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n \t\tjakarta.annotation:jakarta.annotation-api@1.3.5\n \t\tScope provided|org.osgi:org.osgi.core@6.0.0\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.hk2:osgi-resource-locator@1.0.3\n \t2.34\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n \t\tjakarta.annotation:jakarta.annotation-api@1.3.5\n \t\tScope provided|org.osgi:org.osgi.core@6.0.0\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.hk2:osgi-resource-locator@1.0.3\n org.glassfish.jersey.core:jersey-server\n \t2.30\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\torg.glassfish.jersey.core:jersey-client@2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n \t\torg.glassfish.jersey.media:jersey-media-jaxb@2.30\n \t\tjakarta.annotation:jakarta.annotation-api@1.3.5\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\tjakarta.validation:jakarta.validation-api@2.0.2\n \t\tScope provided|org.osgi:org.osgi.core@6.0.0\n org.glassfish.jersey.ext:jersey-entity-filtering\n \t2.30\n \t\tScope provided|org.glassfish.jersey.core:jersey-client@2.30\n \t\tScope provided|org.glassfish.jersey.core:jersey-server@2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n org.glassfish.jersey.ext:project\n \t2.30\n \t\tjakarta.ws.rs:jakarta.ws.rs-api@2.1.6\n org.glassfish.jersey.inject:jersey-hk2\n \t2.30\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\tMavenExclusions jakarta.annotation:jakarta.annotation-api,org.javassist:javassist|org.glassfish.hk2:hk2-locator@2.6.1\n \t\torg.javassist:javassist@3.25.0-GA\n org.glassfish.jersey.inject:project\n \t2.30\n org.glassfish.jersey.media:jersey-media-jaxb\n \t2.30\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\tScope provided|jakarta.xml.bind:jakarta.xml.bind-api@2.3.2\n \t\tMavenExclusions javax.inject:javax.inject|org.glassfish.hk2.external:jakarta.inject@2.6.1\n \t\torg.glassfish.hk2:osgi-resource-locator@1.0.3\n org.glassfish.jersey.media:jersey-media-json-jackson\n \t2.30\n \t\torg.glassfish.jersey.core:jersey-common@2.30\n \t\torg.glassfish.jersey.ext:jersey-entity-filtering@2.30\n \t\tcom.fasterxml.jackson.core:jackson-annotations@2.9.9\n \t\tcom.fasterxml.jackson.core:jackson-databind@2.9.9\n \t\tcom.fasterxml.jackson.module:jackson-module-jaxb-annotations@2.9.9\n org.glassfish.jersey.media:project\n \t2.30\n org.glassfish.jersey:project\n \t2.30\n \t2.34\n org.glassfish.web:jsp\n \t2.2\n org.hamcrest:hamcrest\n \t2.2\n org.hdrhistogram:HdrHistogram\n \t2.1.12\n org.hibernate.search:hibernate-search-bom\n \t7.1.1.Final\n org.infinispan:infinispan-bom\n \t11.0.17.Final\n \t11.0.19.Final\n \t15.0.5.Final\n org.infinispan:infinispan-build-configuration-parent\n \t11.0.17.Final\n \t11.0.19.Final\n \t15.0.5.Final\n org.javassist:javassist\n \t3.25.0-GA\n org.jboss.weld:weld-api-bom\n \t1.0\n org.jboss.weld:weld-api-parent\n \t1.0\n org.jboss.weld:weld-parent\n \t6\n org.jboss:jboss-parent\n \t36\n \t43\n org.jetbrains:annotations\n \t15.0\n org.json:json\n \t20240205\n org.junit.jupiter:junit-jupiter-api\n \t5.7.1\n \t\torg.apiguardian:apiguardian-api@1.1.0\n \t\torg.opentest4j:opentest4j@1.2.0\n \t\torg.junit.platform:junit-platform-commons@1.7.1\n org.junit.jupiter:junit-jupiter-engine\n \t5.7.1\n \t\torg.apiguardian:apiguardian-api@1.1.0\n \t\torg.junit.platform:junit-platform-engine@1.7.1\n \t\torg.junit.jupiter:junit-jupiter-api@5.7.1\n org.junit.jupiter:junit-jupiter-params\n \t5.7.1\n \t\torg.apiguardian:apiguardian-api@1.1.0\n \t\torg.junit.jupiter:junit-jupiter-api@5.7.1\n org.junit.platform:junit-platform-commons\n \t1.7.1\n \t\torg.apiguardian:apiguardian-api@1.1.0\n org.junit.platform:junit-platform-engine\n \t1.7.1\n \t\torg.apiguardian:apiguardian-api@1.1.0\n \t\torg.opentest4j:opentest4j@1.2.0\n \t\torg.junit.platform:junit-platform-commons@1.7.1\n org.junit:junit-bom\n \t5.7.1\n \t5.9.1\n \t5.9.2\n \t5.10.0\n \t5.10.1\n \t5.10.2\n \t5.10.3\n \t5.10.5\n \t5.11.4\n \t5.12.2\n \t5.13.1\n org.kohsuke:libpam4j\n \t1.11\n \t\tnet.java.dev.jna:jna@4.5.2\n org.kohsuke:pom\n \t17\n org.latencyutils:LatencyUtils\n \t2.0.3\n \t\torg.hdrhistogram:HdrHistogram@2.1.8\n org.mockito:mockito-core\n \t3.12.4\n \t\tnet.bytebuddy:byte-buddy@1.11.13\n \t\tnet.bytebuddy:byte-buddy-agent@1.11.13\n \t\torg.objenesis:objenesis@3.2\n org.mortbay.jetty:jetty\n \t6.1.26\n \t\torg.mortbay.jetty:jetty-util@6.1.26\n \t\torg.mortbay.jetty:servlet-api@2.5-20081211\n org.mortbay.jetty:jetty-parent\n \t10\n org.mortbay.jetty:jetty-sslengine\n \t6.1.26\n \t\torg.mortbay.jetty:jetty@6.1.26\n org.mortbay.jetty:jetty-util\n \t6.1.26\n \t\tScope provided|org.mortbay.jetty:servlet-api@2.5-20081211\n \t\tOpt|org.slf4j:slf4j-api@1.3.1\n org.mortbay.jetty:project\n \t6.1.26\n org.nibor.autolink:autolink\n \t0.6.0\n org.objenesis:objenesis\n \t2.5.1\n \t3.2\n org.objenesis:objenesis-parent\n \t2.5.1\n \t3.2\n org.opentest4j:opentest4j\n \t1.2.0\n org.osgi:org.osgi.core\n \t6.0.0\n org.ow2.asm:asm\n \t5.0.4\n \t9.5\n org.ow2.asm:asm-bom\n \t9.7\n org.ow2.asm:asm-commons\n \t9.5\n \t\torg.ow2.asm:asm@9.5\n \t\torg.ow2.asm:asm-tree@9.5\n org.ow2.asm:asm-parent\n \t5.0.4\n org.ow2.asm:asm-tree\n \t9.5\n \t\torg.ow2.asm:asm@9.5\n org.ow2:ow2\n \t1.3\n \t1.5.1\n org.owasp.encoder:encoder\n \t1.2.3\n org.owasp.encoder:encoder-parent\n \t1.2.3\n org.quartz-scheduler:quartz\n \t2.3.2\n \t\tcom.mchange:c3p0@0.9.5.4\n \t\tcom.mchange:mchange-commons-java@0.2.15\n \t\tcom.zaxxer:HikariCP-java7@2.4.13\n \t\torg.slf4j:slf4j-api@1.7.7\n org.quartz-scheduler:quartz-parent\n \t2.3.2\n org.seleniumhq.selenium:selenium-api\n \t2.48.2\n \t\tcom.google.guava:guava@18.0\n \t\tcom.google.code.gson:gson@2.3.1\n \t\torg.apache.httpcomponents:httpclient@4.5.1\n org.seleniumhq.selenium:selenium-chrome-driver\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n org.seleniumhq.selenium:selenium-edge-driver\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n \t\tcommons-io:commons-io@2.4\n \t\torg.apache.commons:commons-exec@1.3\n org.seleniumhq.selenium:selenium-firefox-driver\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n \t\tcommons-io:commons-io@2.4\n \t\torg.apache.commons:commons-exec@1.3\n org.seleniumhq.selenium:selenium-htmlunit-driver\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-support@2.48.2\n \t\tnet.sourceforge.htmlunit:htmlunit@2.18\n \t\torg.apache.httpcomponents:httpclient@4.5.1\n org.seleniumhq.selenium:selenium-ie-driver\n \t2.48.2\n \t\tnet.java.dev.jna:jna@4.1.0\n \t\tnet.java.dev.jna:jna-platform@4.1.0\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n org.seleniumhq.selenium:selenium-java\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-chrome-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-edge-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-htmlunit-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-firefox-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-ie-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-safari-driver@2.48.2\n \t\torg.seleniumhq.selenium:selenium-support@2.48.2\n \t\torg.webbitserver:webbit@0.4.14\n \t\torg.seleniumhq.selenium:selenium-leg-rc@2.48.2\n org.seleniumhq.selenium:selenium-leg-rc\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n \t\tOpt|junit:junit@4.12\n \t\tOpt|org.testng:testng@6.8\n org.seleniumhq.selenium:selenium-parent\n \t2.48.2\n org.seleniumhq.selenium:selenium-remote-driver\n \t2.48.2\n \t\tcglib:cglib-nodep@2.1_3\n \t\tcom.google.code.gson:gson@2.3.1\n \t\torg.seleniumhq.selenium:selenium-api@2.48.2\n \t\torg.apache.httpcomponents:httpclient@4.5.1\n \t\tcom.google.guava:guava@18.0\n \t\torg.apache.commons:commons-exec@1.3\n \t\tnet.java.dev.jna:jna@4.1.0\n \t\tnet.java.dev.jna:jna-platform@4.1.0\n org.seleniumhq.selenium:selenium-safari-driver\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n \t\torg.webbitserver:webbit@0.4.14\n org.seleniumhq.selenium:selenium-support\n \t2.48.2\n \t\torg.seleniumhq.selenium:selenium-remote-driver@2.48.2\n \t\tOpt|org.hamcrest:hamcrest-all@1.3\n \t\tOpt|junit:junit@4.12\n org.slf4j:jcl-over-slf4j\n \t1.7.35\n \t\torg.slf4j:slf4j-api@1.7.35\n org.slf4j:slf4j-api\n \t1.7.5\n \t1.7.7\n \t1.7.26\n \t1.7.30\n \t1.7.35\n \t1.7.36\n org.slf4j:slf4j-log4j12\n \t1.7.10\n \t\torg.slf4j:slf4j-api@1.7.10\n \t\tlog4j:log4j@1.2.17\n org.slf4j:slf4j-parent\n \t1.7.5\n \t1.7.7\n \t1.7.10\n \t1.7.26\n \t1.7.30\n \t1.7.35\n \t1.7.36\n org.slf4j:slf4j-reload4j\n \t1.7.35\n \t\torg.slf4j:slf4j-api@1.7.35\n \t\tch.qos.reload4j:reload4j@1.2.18.3\n org.sonatype.forge:forge-parent\n \t6\n org.sonatype.oss:oss-parent\n \t3\n \t5\n \t6\n \t7\n \t9\n org.sonatype.sisu.inject:cglib\n \t2.2.1-v20090111\n \t\tasm:asm@3.1\n \t\tOpt|asm:asm-util@3.1\n \t\tOpt|org.apache.ant:ant@1.8.1\n org.testcontainers:junit-jupiter\n \t1.19.0\n \t\torg.testcontainers:testcontainers@1.19.0\n org.testcontainers:neo4j\n \t1.19.0\n \t\torg.testcontainers:testcontainers@1.19.0\n org.testcontainers:testcontainers\n \t1.19.0\n \t\tjunit:junit@4.13.2\n \t\torg.slf4j:slf4j-api@1.7.36\n \t\torg.apache.commons:commons-compress@1.23.0\n \t\torg.rnorth.duct-tape:duct-tape@1.0.8\n \t\tcom.github.docker-java:docker-java-api@3.3.3\n \t\tcom.github.docker-java:docker-java-transport-zerodep@3.3.3\n \t\tScope provided|com.google.cloud.tools:jib-core@0.23.0\n org.testcontainers:testcontainers-bom\n \t1.16.1\n \t1.19.8\n \t1.20.1\n \t1.20.4\n org.w3c.css:sac\n \t1.3\n org.webbitserver:webbit\n \t0.4.14\n \t\tio.netty:netty@3.5.2.Final\n org.xerial.snappy:snappy-java\n \t1.0.4.1\n \t\tScope provided|org.osgi:core@4.3.0\n xalan:serializer\n \t2.7.2\n \t\txml-apis:xml-apis@1.3.04\n \t\tOpt|xerces:xercesImpl@2.9.1\n xalan:xalan\n \t2.7.2\n \t\txalan:serializer@2.7.2\n \t\tOpt|xerces:xercesImpl@2.9.1\n \t2.7.3\n xerces:xercesImpl\n \t2.11.0\n \t\txml-apis:xml-apis@1.4.01\n \t\tOpt|xml-resolver:xml-resolver@1.2\n \t2.12.0\n \t\txml-apis:xml-apis@1.4.01\n \t\tOpt|xml-resolver:xml-resolver@1.2\n \t2.12.1\n \t\txml-apis:xml-apis@1.4.01\n \t\tOpt|xml-resolver:xml-resolver@1.2\n \t2.12.2\n \t\txml-apis:xml-apis@1.4.01\n \t\tOpt|xml-resolver:xml-resolver@1.2\n xml-apis:xml-apis\n \t1.4.01\n xmlenc:xmlenc\n \t0.52\n" }, { "path": "internal/remediation/testdata/zeppelin-server/vulns.json", "content": "{\n \"vulns\": [\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h46c-h94j-95f3\",\n \"published\": \"2025-06-27T15:22:22Z\",\n \"modified\": \"2025-06-27T16:03:13.670847Z\",\n \"aliases\": [\n \"CVE-2025-52999\"\n ],\n \"related\": [\n \"CGA-88hr-3c27-vpx8\",\n \"CGA-m7mg-3mjw-9pmv\"\n ],\n \"summary\": \"jackson-core can throw a StackoverflowError when processing deeply nested data\",\n \"details\": \"### Impact\\nWith older versions of jackson-core, if you parse an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large.\\n\\n### Patches\\njackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. Change is in https://github.com/FasterXML/jackson-core/pull/943. jackson-core will throw a StreamConstraintsException if the limit is reached.\\njackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs.\\n\\n### Workarounds\\nUsers should avoid parsing input files from untrusted sources.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.15.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.7\",\n \"2.13.0\",\n \"2.13.0-rc1\",\n \"2.13.0-rc2\",\n \"2.13.1\",\n \"2.13.2\",\n \"2.13.3\",\n \"2.13.4\",\n \"2.13.5\",\n \"2.14.0\",\n \"2.14.0-rc1\",\n \"2.14.0-rc2\",\n \"2.14.0-rc3\",\n \"2.14.1\",\n \"2.14.2\",\n \"2.14.3\",\n \"2.15.0-rc1\",\n \"2.15.0-rc2\",\n \"2.15.0-rc3\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.6\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h46c-h94j-95f3/GHSA-h46c-h94j-95f3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-52999\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-core/pull/943\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-core\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-27T15:22:22Z\",\n \"nvd_published_at\": \"2025-06-25T17:15:39Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wf8f-6423-gfxg\",\n \"published\": \"2025-06-07T00:10:42Z\",\n \"modified\": \"2025-06-07T00:54:46.814569Z\",\n \"aliases\": [\n \"CVE-2025-49128\"\n ],\n \"related\": [\n \"CGA-679q-pc95-xgm4\",\n \"CGA-w99f-h8p7-76rg\",\n \"CVE-2025-49128\"\n ],\n \"summary\": \"Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation\",\n \"details\": \"### Overview\\n\\nA flaw in Jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible **information disclosure** in systems using **pooled or reused buffers**, like Netty or Vert.x.\\n\\n### Details\\n\\nThe vulnerability affects the creation of exception messages like:\\n\\n```\\nJsonParseException: Unexpected character ... at [Source: (byte[])...]\\n```\\n\\nWhen `JsonFactory.createParser(byte[] data, int offset, int len)` is used, and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method `_appendSourceDesc` ignores the `offset`, and always starts reading from index `0`.\\n\\nIf the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.\\n\\nThe issue particularly impacts server applications using:\\n\\n* Pooled byte buffers (e.g., Netty)\\n* Frameworks that surface parse errors in HTTP responses\\n* Default Jackson settings (i.e., `INCLUDE_SOURCE_IN_LOCATION` is enabled)\\n\\nA documented real-world example is [CVE-2021-22145](https://nvd.nist.gov/vuln/detail/CVE-2021-22145) in Elasticsearch, which stemmed from the same root cause.\\n\\n### Attack Scenario\\n\\nAn attacker sends malformed JSON to a service using Jackson and pooled byte buffers (e.g., Netty-based HTTP servers). If the server reuses a buffer and includes the parser’s exception in its HTTP 400 response, the attacker may receive residual data from previous requests.\\n\\n### Proof of Concept\\n\\n```java\\nbyte[] buffer = new byte[1000];\\nSystem.arraycopy(\\\"SECRET\\\".getBytes(), 0, buffer, 0, 6);\\nSystem.arraycopy(\\\"{ \\\\\\\"bad\\\\\\\": }\\\".getBytes(), 0, buffer, 700, 10);\\n\\nJsonFactory factory = new JsonFactory();\\nJsonParser parser = factory.createParser(buffer, 700, 20);\\nparser.nextToken(); // throws exception\\n\\n// Exception message will include \\\"SECRET\\\"\\n```\\n\\n### Patches\\nThis issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via [PR #652](https://github.com/FasterXML/jackson-core/pull/652).\\n\\nAll users should upgrade to version 2.13.0 or later.\\n\\n### Workarounds\\nIf upgrading is not immediately possible, applications can mitigate the issue by:\\n\\n1. **Disabling exception message exposure to clients** — avoid returning parsing exception messages in HTTP responses.\\n2. **Disabling source inclusion in exceptions** by setting:\\n\\n ```java\\n jsonFactory.disable(JsonFactory.Feature.INCLUDE_SOURCE_IN_LOCATION);\\n ```\\n\\n This prevents Jackson from embedding any source content in exception messages, avoiding leakage.\\n\\n\\n### References\\n* [Pull Request #652 (Fix implementation)](https://github.com/FasterXML/jackson-core/pull/652)\\n* [CVE-2021-22145 (Elasticsearch exposure of this flaw)](https://nvd.nist.gov/vuln/detail/CVE-2021-22145)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.13.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.7\",\n \"2.13.0-rc1\",\n \"2.13.0-rc2\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.6\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wf8f-6423-gfxg/GHSA-wf8f-6423-gfxg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-core/security/advisories/GHSA-wf8f-6423-gfxg\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-22145\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-49128\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-core/pull/652\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-core/commit/a6c297682737dde13337cb7c3020f299518609a8\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-core\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-209\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-07T00:10:42Z\",\n \"nvd_published_at\": \"2025-06-06T22:15:23Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-27xj-rqx5-2255\",\n \"published\": \"2020-05-15T18:58:44Z\",\n \"modified\": \"2024-02-16T08:06:12.878312Z\",\n \"aliases\": [\n \"CVE-2020-11619\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-27xj-rqx5-2255/GHSA-27xj-rqx5-2255.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11619\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2680\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200511-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:32:22Z\",\n \"nvd_published_at\": \"2020-04-07T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-288c-cq4h-88gq\",\n \"published\": \"2021-02-18T20:51:54Z\",\n \"modified\": \"2024-10-22T05:28:57.400652Z\",\n \"aliases\": [\n \"CGA-jp8x-p2pf-pcp2\",\n \"CVE-2020-25649\"\n ],\n \"summary\": \"XML External Entity (XXE) Injection in Jackson Databind\",\n \"details\": \"A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.6.0\"\n },\n {\n \"fixed\": \"2.6.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0.0\"\n },\n {\n \"fixed\": \"2.9.10.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.6\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.10.0.0\"\n },\n {\n \"fixed\": \"2.10.5.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.10.5.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-288c-cq4h-88gq/GHSA-288c-cq4h-88gq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-25649\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2589\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3d932709abd0b5390efe67451653fc9efa9db677\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc82ff47853289e9cd17f5cfbb053c04cafc75ee32e3d7223963f83bb@%3Cdev.knox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc15e90bbef196a5c6c01659e015249d6c9a73581ca9afb8aeecf00d2@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb674520b9f6c808c1bf263b1369e14048ec3243615f35cfd24e33604@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raf13235de6df1d47a717199e1ecd700dff3236632f5c9a1488d9845b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra95faf968f3463acb3f31a6fbec31453fc5045325f99f396961886d3@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra409f798a1e5a6652b7097429b388650ccd65fd958cee0b6f69bba00@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1157e57a01d25e36b0dc17959ace758fc21ba36746de29ba1d8b130@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r98bfe3b90ea9408f12c4b447edcb5638703d80bc782430aa0c210a54@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r95a297eb5fd1f2d3a2281f15340e2413f952e9d5503296c3adc7201a@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r94c7e86e546120f157264ba5ba61fd29b3a8d530ed325a9b4fa334d7@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r91722ecfba688b0c565675f8bf380269fde8ec62b54d6161db544c22@%3Ccommits.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90d1e97b0a743cf697d89a792a9b669909cc5a1692d1e0083a22e66c@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r900d4408c4189b376d1ec580ea7740ea6f8710dc2f0b7e9c9eeb5ae0@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8ae961c80930e2717c75025414ce48a432cea1137c02f648b1fb9524@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210108-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6X2UT4X6M7DLQYBOOHMXBWGYJ65RL2CT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1809a1374041a969d77afab21fc38925de066bc97e86157d3ac3402@%3Ccommits.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re96dc7a13e13e56190a5d80f9e5440a0d0c83aeec6467b562fbf2dca@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re16f81d3ad49a93dd2f0cba9f8fc88e5fb89f30bf9a2ad7b6f3e69c1@%3Ccommits.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf9a34726482222c90d50ae1b9847881de67dde8cfde4999633d2cdc@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdca8711bb7aa5d47a44682606cd0ea3497e2e922f22b7ee83e81e6c1@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd6f6bf848c2d47fa4a85c27d011d948778b8f7e58ba495968435a0b3@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd57c7582adc90e233f23f3727db3df9115b27a823b92374f11453f34@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd317f15a675d114dbf5b488d27eeb2467b4424356b16116eb18a652d@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc959cdb57c4fe198316130ff4a5ecbf9d680e356032ff2e9f4f05d54@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc88f2fa2b7bd6443921727aeee7704a1fb02433e722e2abf677e0d3d@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f8a1608d758936bd6bbc5eed980777437b611537bf6fff40663fc71@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b130fe668503c4b7e2caf1b16f86b7f2070fd1b7ef8f26195a2ffbd@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r45e7350dfc92bb192f3f88e9971c11ab2be0953cc375be3dda5170bd@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r407538adec3185dd35a05c9a26ae2f74425b15132470cf540f41d85b@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3e6ae311842de4e64c5d560a475b7f9cc7e0a9a8649363c6cf7537eb@%3Ccommits.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31f4ee7d561d56a0c2c2c6eb1d6ce3e05917ff9654fdbfec05dc2b83@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f5c5479f99398ef344b7ebd4d90bc3316236c45d0f3bc42090efcd7@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2eb66c182853c69ecfb52f63d3dec09495e9b65be829fd889a081ae1@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2b6ddb3a4f4cd11d8f6305011e1b7438ba813511f2e3ab3180c7ffda@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2882fc1f3032cd7be66e28787f04ec6f1874ac68d47e310e30ff7eb1@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b7ed0c4b6c4301d4dfd6fdbc5581b0a789d3240cab55d766f33c6c6@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0b8dc3acd4503e4ecb6fbd6ea7d95f59941168d8452ac0ab1d1d96bb@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0881e23bd9034c8f51fdccdc8f4d085ba985dcd738f8520569ca5c3d@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r04529cedaca40c2ff90af4880493f9c88a8ebf4d1d6c861d23108a5a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r024b7bda9c43c5560d81238748775c5ecfe01b57280f90df1f773949@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r011d1430e8f40dff9550c3bc5d0f48b14c01ba8aecabd91d5e495386@%3Ccommits.turbine.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1887664\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8937a7160717fe8b2221767163c4de4f65bc5466405cb1c5310f9080@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8764bb835bcb8e311c882ff91dd3949c9824e905e880930be56f6ba3@%3Cuser.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r86c78bf7656fdb2dab69cbf17f3d7492300f771025f1a3a65d5e5ce5@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7cb5b4b3e4bd41a8042e5725b7285877a17bcbf07f4eb3f7b316af60@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r78d53a0a269c18394daf5940105dc8c7f9a2399503c2e78be20abe7e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r765283e145049df9b8998f14dcd444345555aae02b1610cfb3188bf8@%3Cnotifications.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r73bef1bb601a9f093f915f8075eb49fcca51efade57b817afd5def07@%3Ccommits.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e3d4f7991542119a4ca6330271d7fbf7b9fb3abab24ada82ddf1ee4@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6cbd599b80e787f02ff7a1391d9278a03f37d6a6f4f943f0f01a62fb@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6b11eca1d646f45eb0d35d174e6b1e47cfae5295b92000856bfb6304@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a6df5647583541e3cb71c75141008802f7025cee1c430d4ed78f4cc@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a4f3ef6edfed2e0884269d84798f766779bbbc1005f7884e0800d61@%3Cdev.knox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68d029ee74ab0f3b0569d0c05f5688cb45dd3abe96a6534735252805@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r63c87aab97155f3f3cbe11d030c4a184ea0de440ee714977db02e956@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r605764e05e201db33b3e9c2e66ff620658f07ad74f296abe483f7042@%3Creviews.iotdb.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-02-18T20:41:26Z\",\n \"nvd_published_at\": \"2020-12-03T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3x8x-79m2-3w2w\",\n \"published\": \"2023-03-19T00:30:25Z\",\n \"modified\": \"2025-02-26T22:33:28.884683Z\",\n \"aliases\": [\n \"CGA-fgh7-phh7-cj6x\",\n \"CVE-2021-46877\"\n ],\n \"related\": [\n \"CGA-rxrj-cf2v-c7cp\",\n \"CGA-v95v-8w2m-8jvx\",\n \"CGA-xhwm-c67m-hhvv\"\n ],\n \"summary\": \"jackson-databind possible Denial of Service if using JDK serialization to serialize JsonNode\",\n \"details\": \"jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.10.0\"\n },\n {\n \"fixed\": \"2.12.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.5.1\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.13.0\"\n },\n {\n \"fixed\": \"2.13.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.13.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3x8x-79m2-3w2w/GHSA-3x8x-79m2-3w2w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-46877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3328\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12.6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-03-20T21:14:14Z\",\n \"nvd_published_at\": \"2023-03-18T22:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4gq5-ch57-c2mg\",\n \"published\": \"2019-01-04T19:09:49Z\",\n \"modified\": \"2024-03-15T05:20:21.411726Z\",\n \"aliases\": [\n \"CVE-2018-14719\"\n ],\n \"summary\": \"Arbitrary Code Execution in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, and 2.7.9.5 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-4gq5-ch57-c2mg/GHSA-4gq5-ch57-c2mg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-14719\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:58:21Z\",\n \"nvd_published_at\": \"2019-01-02T18:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4w82-r329-3q67\",\n \"published\": \"2020-03-04T20:52:14Z\",\n \"modified\": \"2024-03-16T05:18:54.922179Z\",\n \"aliases\": [\n \"CVE-2020-8840\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.6\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-4w82-r329-3q67/GHSA-4w82-r329-3q67.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-8840\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2620\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/74aba4042fce35ee0b91bd2847e788c10040d78b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/9bb52c7122271df75435ec7e66ecf6b02b1ee14f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra275f29615f35d5b40106d1582a41e5388b2a5131564e9e01a572987@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rac5ee5d686818be7e7c430d35108ee01a88aae54f832d32f62431fd1@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb43f9a65150948a6bebd3cb77ee3e105d40db2820fd547528f4e7f89@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5eedf90ba3633e171a2ffdfe484651c9490dc5df74c8a29244cbc0e@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb73708bf714ed6dbc1212da082e7703e586077f0c92f3940b2e82caf@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb99c7321eba5d4c907beec46675d52827528b738cfafd48eb4d862f1@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc717fd6c65190f4e592345713f9ef0723fb7d71f624caa2a17caa26a@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcc72b497e3dff2dc62ec9b89ceb90bc4e1b14fc56c3c252a6fcbb013@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdea588d4a0ebf9cb7ce8c3a8f18d0d306507c4f8ba178dd3d20207b8@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf311f13e6356297e0ffe74397fdd25a3687b0a16e687c3ff5b834d8@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf8d389271a291dde3b2f99c36918d6cb1e796958af626cc140fee23@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re7326b8655eab931f2a9ce074fd9a1a51b5db11456bee9b48e1e170c@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re8ae2670ec456ef1c5a2a661a2838ab2cd00e9efa1e88c069f546f21@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf28ab6f224b48452afd567dfffb705fbda0fdbbf6535f6bc69d47e91@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc1ccfe89332155b72ce17f13a2701d3e7b9ec213324ceb90e79a28a@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200327-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r078e68a926ea6be12e8404e47f45aabf04bb4668e8265c0de41db6db@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1c09b9551f6953dbeca190a4c4b78198cdbb9825fce36f96fe3d8218@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1efc776fc6ce3387593deaa94bbdd296733b1b01408a39c8d1ab9e0e@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fa8046bd47fb407ca09b5107a80fa6147ba4ebe879caae5c98b7657@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r319f19c74e06c201b9d4e8b282a4e4b2da6dcda022fb46f007dd00d3@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3539bd3a377991217d724879d239e16e86001c54160076408574e1da@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3d20a2660b36551fd8257d479941782af4a7169582449fac1704bde2@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r428d068b2a4923f1a5a4f5fc6381b95205cfe7620169d16db78e9c71@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r446646c5588b10f5e02409ad580b12f314869009cdfbf844ca395cec@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46bebdeb59b8b7212d63a010ca445a9f5c4e9d64dcf693cab6f399d3@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5d8bea8e9d17b6efcf4a0e4e194e91ef46a99f505777a31a60da2b38@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r65ee95fa09c831843bac81eaa582fdddc2b6119912a72d1c83a9b882@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6fdd4c61a09a0c89f581b4ddb3dc6f154ab0c705fcfd0a7358b2e4e5@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7762d69e85c58d6948823424017ef4c08f47de077644277fa18cc116@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7e5c10534ed06bf805473ac85e8412fe3908a8fa4cabf5027bf11220@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8170007fd9b263d65b37d92a7b5d7bc357aedbb113a32838bc4a9485@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8e96c340004b7898cad3204ea51280ef6e4b553a684e1452bf1b18b1@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r94930e39b60fff236160c1c4110fe884dc093044b067aa5fc98d7ee1@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9e59ebaf76fd00b2fa3ff5ebf18fe075ca9f4376216612c696f76718@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ecf211c22760b00967ebe158c6ed7dba9142078e2a630ab8904a5b7@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-01-fastjason-en\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-25T20:56:51Z\",\n \"nvd_published_at\": \"2020-02-10T21:56:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-57j2-w4cx-62h2\",\n \"published\": \"2022-03-12T00:00:36Z\",\n \"modified\": \"2024-10-22T05:29:08.356656Z\",\n \"aliases\": [\n \"CGA-mh4f-39hj-cv5p\",\n \"CVE-2020-36518\"\n ],\n \"related\": [\n \"CGA-449j-52qq-cgj7\",\n \"CGA-f5fm-pjmq-gwc9\",\n \"CGA-hm6h-h5gf-mh6h\"\n ],\n \"summary\": \"Deeply nested json in jackson-databind\",\n \"details\": \"jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.13.0\"\n },\n {\n \"fixed\": \"2.13.2.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.13.2.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.6.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.5.1\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.10.8\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.12.6.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-57j2-w4cx-62h2/GHSA-57j2-w4cx-62h2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36518\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2816\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/0a8157c6ca478b1bc7be4ba7dccdb3863275f0de\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3cc52f82ecf943e06c1d7c3b078e405fb3923d2b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/8238ab41d0350fb915797c89d46777b4496b74fd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/b3587924ee5d8695942f364d0d404d48d0ea6126\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220506-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5283\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-22T14:36:44Z\",\n \"nvd_published_at\": \"2022-03-11T07:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-58pp-9c76-5625\",\n \"published\": \"2020-06-10T21:12:41Z\",\n \"modified\": \"2024-02-16T07:55:08.550842Z\",\n \"aliases\": [\n \"CVE-2020-11112\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-58pp-9c76-5625/GHSA-58pp-9c76-5625.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11112\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2666\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-10T21:11:14Z\",\n \"nvd_published_at\": \"2020-03-31T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5949-rw7g-wx7w\",\n \"published\": \"2021-01-20T21:20:15Z\",\n \"modified\": \"2025-09-15T07:42:14.888352Z\",\n \"aliases\": [\n \"BIT-nifi-2021-20190\",\n \"CVE-2021-20190\"\n ],\n \"summary\": \"Deserialization of untrusted data in jackson-databind\",\n \"details\": \"A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-5949-rw7g-wx7w/GHSA-5949-rw7g-wx7w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-20190\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2854\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/7dbf51bf78d157098074a20bd9da39bd48c18e4a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1916633\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-01-20T04:44:51Z\",\n \"nvd_published_at\": \"2021-01-19T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5p34-5m6p-p58g\",\n \"published\": \"2020-04-23T21:08:40Z\",\n \"modified\": \"2024-03-14T05:17:58.624150Z\",\n \"aliases\": [\n \"CVE-2020-9546\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-5p34-5m6p-p58g/GHSA-5p34-5m6p-p58g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-9546\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2631\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200904-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:26:40Z\",\n \"nvd_published_at\": \"2020-03-02T04:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5r5r-6hpj-8gg9\",\n \"published\": \"2021-12-09T19:15:24Z\",\n \"modified\": \"2024-02-18T05:42:28.539166Z\",\n \"aliases\": [\n \"CVE-2020-35728\"\n ],\n \"summary\": \"Serialization gadget exploit in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-5r5r-6hpj-8gg9/GHSA-5r5r-6hpj-8gg9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35728\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2999\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210129-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-07T22:24:20Z\",\n \"nvd_published_at\": \"2020-12-27T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5ww9-j83m-q7qx\",\n \"published\": \"2019-05-23T09:32:24Z\",\n \"modified\": \"2024-03-15T01:17:50.016820Z\",\n \"aliases\": [\n \"CVE-2019-12086\"\n ],\n \"summary\": \"Information exposure in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-5ww9-j83m-q7qx/GHSA-5ww9-j83m-q7qx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12086\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2326\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/efc3c0d02f4743dbaa6d1b9c466772a2f13d966b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/d30f036208ab1c60bd5ce429cb4f7f1a3e5682e8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030031/http://www.securityfocus.com/bid/109227\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200808181049/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3044\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3045\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3046\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3050\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-05-22T04:34:56Z\",\n \"nvd_published_at\": \"2019-05-17T17:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-645p-88qh-w398\",\n \"published\": \"2019-01-04T19:06:55Z\",\n \"modified\": \"2024-03-16T05:19:17.936174Z\",\n \"aliases\": [\n \"CVE-2018-14718\"\n ],\n \"summary\": \"Arbitrary Code Execution in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.7, 2.8.11.3, 2.7.9.5, and 2.6.7.3 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-645p-88qh-w398/GHSA-645p-88qh-w398.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-14718\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-645p-88qh-w398\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106601\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:17:52Z\",\n \"nvd_published_at\": \"2019-01-02T18:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6fpp-rgj9-8rwc\",\n \"published\": \"2019-08-01T19:18:00Z\",\n \"modified\": \"2024-03-15T05:18:54.134884Z\",\n \"aliases\": [\n \"CVE-2019-14379\"\n ],\n \"summary\": \"Deserialization of untrusted data in FasterXML jackson-databind\",\n \"details\": \"SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2, 2.8.11.4, and 2.7.9.6 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-6fpp-rgj9-8rwc/GHSA-6fpp-rgj9-8rwc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14379\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2387\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:2824\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190814-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.apple.com/kb/HT213189\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2743\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3044\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3045\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3046\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3050\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3292\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3297\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3901\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0727\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2022/Mar/23\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1321\",\n \"CWE-915\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-08-01T15:38:02Z\",\n \"nvd_published_at\": \"2019-07-29T12:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6wqp-v4v6-c87c\",\n \"published\": \"2020-06-15T18:44:51Z\",\n \"modified\": \"2024-03-11T05:21:31.707912Z\",\n \"aliases\": [\n \"CVE-2018-12023\"\n ],\n \"summary\": \"Deserialization of Untrusted Data\",\n \"details\": \"An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6wqp-v4v6-c87c/GHSA-6wqp-v4v6-c87c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2058\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/105659\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T21:43:23Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-758m-v56v-grj4\",\n \"published\": \"2020-04-23T21:36:03Z\",\n \"modified\": \"2024-06-25T14:20:03.301633Z\",\n \"aliases\": [\n \"CVE-2020-10969\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-758m-v56v-grj4/GHSA-758m-v56v-grj4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-10969\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2642\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/6ba48457984943df0de92c54144f7dcae01b1221\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:28:10Z\",\n \"nvd_published_at\": \"2020-03-26T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-85cw-hj65-qqv9\",\n \"published\": \"2019-09-23T18:33:45Z\",\n \"modified\": \"2024-03-15T05:20:15.574552Z\",\n \"aliases\": [\n \"CVE-2019-16335\"\n ],\n \"summary\": \"Polymorphic Typing issue in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-85cw-hj65-qqv9/GHSA-85cw-hj65-qqv9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-16335\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191004-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0729\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-09-19T09:22:56Z\",\n \"nvd_published_at\": \"2019-09-15T22:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-89qr-369f-5m5x\",\n \"published\": \"2021-12-09T19:15:46Z\",\n \"modified\": \"2024-02-18T05:37:27.581808Z\",\n \"aliases\": [\n \"CVE-2020-36182\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-89qr-369f-5m5x/GHSA-89qr-369f-5m5x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36182\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:37:58Z\",\n \"nvd_published_at\": \"2021-01-07T00:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8c4j-34r4-xr8g\",\n \"published\": \"2021-12-09T19:16:18Z\",\n \"modified\": \"2024-02-18T05:31:52.762759Z\",\n \"aliases\": [\n \"CVE-2020-36180\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8c4j-34r4-xr8g/GHSA-8c4j-34r4-xr8g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36180\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:36:46Z\",\n \"nvd_published_at\": \"2021-01-07T00:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8w26-6f25-cm9x\",\n \"published\": \"2021-12-09T19:16:02Z\",\n \"modified\": \"2024-02-18T05:30:48.085017Z\",\n \"aliases\": [\n \"CVE-2020-36185\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-8w26-6f25-cm9x/GHSA-8w26-6f25-cm9x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36185\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:37:42Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-95cm-88f5-f2c7\",\n \"published\": \"2020-04-23T16:32:59Z\",\n \"modified\": \"2024-07-03T21:23:01.986952Z\",\n \"aliases\": [\n \"CVE-2020-10672\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-95cm-88f5-f2c7/GHSA-95cm-88f5-f2c7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-10672\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2659\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/592872f4235c7f2a3280725278da55544032f72d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-22T21:12:55Z\",\n \"nvd_published_at\": \"2020-03-18T22:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9gph-22xh-8x98\",\n \"published\": \"2021-12-09T19:15:54Z\",\n \"modified\": \"2024-02-18T05:33:27.617261Z\",\n \"aliases\": [\n \"CVE-2020-36179\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9gph-22xh-8x98/GHSA-9gph-22xh-8x98.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36179\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc255f41d9a61d3dc79a51fb5c713de4ae10e71e3673feeb0b180b436@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:37:47Z\",\n \"nvd_published_at\": \"2021-01-07T00:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9m6f-7xcq-8vf8\",\n \"published\": \"2021-12-09T19:16:34Z\",\n \"modified\": \"2024-02-18T05:32:25.400029Z\",\n \"aliases\": [\n \"CVE-2020-36183\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.00\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-9m6f-7xcq-8vf8/GHSA-9m6f-7xcq-8vf8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36183\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/12e23c962ffb4cf1857c5461d72ae54cc8008f29\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:27:59Z\",\n \"nvd_published_at\": \"2021-01-07T00:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9mxf-g3x6-wv74\",\n \"published\": \"2019-01-04T19:07:06Z\",\n \"modified\": \"2024-03-14T05:33:39.459890Z\",\n \"aliases\": [\n \"CVE-2018-14721\"\n ],\n \"summary\": \"Server-Side Request Forgery (SSRF) in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-9mxf-g3x6-wv74/GHSA-9mxf-g3x6-wv74.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-14721\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-9mxf-g3x6-wv74\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-918\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:29:04Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9vvp-fxw6-jcxr\",\n \"published\": \"2020-05-15T18:58:47Z\",\n \"modified\": \"2024-03-15T01:01:13.767060Z\",\n \"aliases\": [\n \"CVE-2020-11113\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-9vvp-fxw6-jcxr/GHSA-9vvp-fxw6-jcxr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2670\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/e2ba12d5d60715d95105e3e790fc234cfb59893d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:31:52Z\",\n \"nvd_published_at\": \"2020-03-31T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c265-37vj-cwcc\",\n \"published\": \"2020-06-18T14:44:48Z\",\n \"modified\": \"2024-06-25T14:18:28.499070Z\",\n \"aliases\": [\n \"CVE-2020-14062\"\n ],\n \"summary\": \"Deserialization of untrusted data in Jackson Databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c265-37vj-cwcc/GHSA-c265-37vj-cwcc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2704\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/840eae2ca81c597a0010b2126f32dce17d384b70\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/99001cdb6807b5c7b170ec6a9092ecbb618ae79c\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200702-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-18T13:06:04Z\",\n \"nvd_published_at\": \"2020-06-14T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c2q3-4qrh-fm48\",\n \"published\": \"2020-06-18T14:44:50Z\",\n \"modified\": \"2024-02-17T05:36:21.468281Z\",\n \"aliases\": [\n \"CVE-2020-14061\"\n ],\n \"summary\": \"Deserialization of untrusted data in Jackson Databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c2q3-4qrh-fm48/GHSA-c2q3-4qrh-fm48.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14061\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2698\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/5c8642aeae9c756b438ab7637c90ef3c77966e6e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200702-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-18T13:06:14Z\",\n \"nvd_published_at\": \"2020-06-14T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c8hm-7hpq-7jhg\",\n \"published\": \"2019-01-04T19:07:03Z\",\n \"modified\": \"2024-03-15T01:17:19.251183Z\",\n \"aliases\": [\n \"CVE-2018-19362\"\n ],\n \"summary\": \"com.fasterxml.jackson.core:jackson-databind vulnerable to Deserialization of Untrusted Data\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-c8hm-7hpq-7jhg/GHSA-c8hm-7hpq-7jhg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-19362\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2186\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/72cd4025a229fb28ec133235003dd4616f70afaa\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-c8hm-7hpq-7jhg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/TINKERPOP-2121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/107985\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:30:35Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cf6r-3wgc-h863\",\n \"published\": \"2020-05-15T18:58:58Z\",\n \"modified\": \"2024-02-18T05:32:56.325249Z\",\n \"aliases\": [\n \"CVE-2019-14892\"\n ],\n \"summary\": \"Polymorphic deserialization of malicious object in jackson-databind\",\n \"details\": \"A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5, and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-cf6r-3wgc-h863/GHSA-cf6r-3wgc-h863.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2462\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/41b7f9b90149e9d44a65a8261a8deedc7186f6af\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/819cdbcab51c6da9fb896380f2d46e9b7d4fdc3b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0729\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14892\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200904-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:29:41Z\",\n \"nvd_published_at\": \"2020-03-02T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cggj-fvv3-cqwv\",\n \"published\": \"2018-10-16T17:45:18Z\",\n \"modified\": \"2024-03-15T01:18:46.938616Z\",\n \"aliases\": [\n \"CVE-2018-7489\"\n ],\n \"summary\": \"FasterXML jackson-databind allows unauthenticated remote code execution \",\n \"details\": \"FasterXML jackson-databind before before 2.6.7.5, 2.7.x before 2.7.9.3, 2.8.x before 2.8.11.1, and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cggj-fvv3-cqwv/GHSA-cggj-fvv3-cqwv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-7489\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1931\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/e66c0a9d3c926ff1b63bf586c824ead1d02f2a3d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ca2bfc86af82a1479112004b663ba74c760752e6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/c921f0935d5e41bf206e702d8077a275ba1a6efc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bc22f90eb7f896ace9567598a99cb1ff6e0f9d9d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4190\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbhf03902en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180328-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-cggj-fvv3-cqwv\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2090\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2089\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2088\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1786\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-184\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:31:30Z\",\n \"nvd_published_at\": \"2018-02-26T15:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cjjf-94ff-43w7\",\n \"published\": \"2019-03-25T18:03:09Z\",\n \"modified\": \"2024-03-11T05:19:23.395848Z\",\n \"aliases\": [\n \"CVE-2018-12022\"\n ],\n \"summary\": \"jackson-databind Deserialization of Untrusted Data vulnerability\",\n \"details\": \"An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-cjjf-94ff-43w7/GHSA-cjjf-94ff-43w7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12022\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2052\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/28badf7ef60ac3e7ef151cd8e8ec010b8479226a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/7487cf7eb14be2f65a1eb108e8629c07ef45e0a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bf261d404c2f79fd3406237710d40ebb03c99d84\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-cjjf-94ff-43w7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZEDLDUYBSTDY4GWDBUXGJNS2RFYTFVRC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1671098\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/107585\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:42:00Z\",\n \"nvd_published_at\": \"2019-03-21T16:00:12Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cmfg-87vq-g5g4\",\n \"published\": \"2019-07-17T15:26:12Z\",\n \"modified\": \"2024-03-15T01:18:17.903231Z\",\n \"aliases\": [\n \"CVE-2019-12814\"\n ],\n \"summary\": \"Deserialization of untrusted data in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-cmfg-87vq-g5g4/GHSA-cmfg-87vq-g5g4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12814\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2341\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190625-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3044\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3045\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3046\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3050\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3292\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3297\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-07-17T14:51:50Z\",\n \"nvd_published_at\": \"2019-06-19T14:15:10Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cvm9-fjm9-3572\",\n \"published\": \"2021-12-09T19:16:10Z\",\n \"modified\": \"2024-02-18T05:25:36.165759Z\",\n \"aliases\": [\n \"CVE-2020-36181\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-cvm9-fjm9-3572/GHSA-cvm9-fjm9-3572.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36181\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:37:23Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f3j5-rmmp-3fc5\",\n \"published\": \"2020-06-15T18:44:48Z\",\n \"modified\": \"2024-03-15T05:20:35.120151Z\",\n \"aliases\": [\n \"CVE-2019-17267\"\n ],\n \"summary\": \"Improper Input Validation in jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10 and 2.8.11.5. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-f3j5-rmmp-3fc5/GHSA-f3j5-rmmp-3fc5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17267\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2460\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191017-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d727fc681fb3828794acbefcaee31393742b4d73a29461ccd9597a8@%3Cdev.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T21:47:17Z\",\n \"nvd_published_at\": \"2019-10-07T00:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f9hv-mg5h-xcw9\",\n \"published\": \"2019-01-04T19:06:57Z\",\n \"modified\": \"2024-03-12T05:18:23.439473Z\",\n \"aliases\": [\n \"CVE-2018-19360\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind due to polymorphic deserialization\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-f9hv-mg5h-xcw9/GHSA-f9hv-mg5h-xcw9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-19360\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2186\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-f9hv-mg5h-xcw9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/TINKERPOP-2121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/107985\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:34:16Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f9xh-2qgp-cq57\",\n \"published\": \"2021-12-09T19:16:42Z\",\n \"modified\": \"2024-02-18T05:32:05.421673Z\",\n \"aliases\": [\n \"CVE-2020-36188\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 and 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to `com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-f9xh-2qgp-cq57/GHSA-f9xh-2qgp-cq57.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36188\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2996\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:25:02Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fmmc-742q-jg75\",\n \"published\": \"2019-11-13T00:32:27Z\",\n \"modified\": \"2024-03-16T05:19:55.172981Z\",\n \"aliases\": [\n \"CVE-2019-16943\"\n ],\n \"summary\": \"jackson-databind polymorphic typing issue\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-fmmc-742q-jg75/GHSA-fmmc-742q-jg75.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-16943\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191017-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-11-13T00:30:39Z\",\n \"nvd_published_at\": \"2019-10-01T17:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fqwf-pjwf-7vqv\",\n \"published\": \"2020-05-15T18:59:04Z\",\n \"modified\": \"2024-07-03T21:22:37.578162Z\",\n \"aliases\": [\n \"CVE-2020-10673\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 and 2.6.7.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-fqwf-pjwf-7vqv/GHSA-fqwf-pjwf-7vqv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-10673\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2660\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/1645efbd392989cf015f459a91c999e59c921b15\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-22T20:59:03Z\",\n \"nvd_published_at\": \"2020-03-18T22:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gjmw-vf9h-g25v\",\n \"published\": \"2019-11-13T00:32:38Z\",\n \"modified\": \"2024-03-16T05:19:37.211801Z\",\n \"aliases\": [\n \"CVE-2019-17531\"\n ],\n \"summary\": \"jackson-databind polymorphic typing issue\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-gjmw-vf9h-g25v/GHSA-gjmw-vf9h-g25v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2498\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191024-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b3c90d38f99db546de60fea65f99a924d540fae2285f014b79606ca5@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4192\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-11-13T00:30:58Z\",\n \"nvd_published_at\": \"2019-10-12T21:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gwp4-hfv6-p7hw\",\n \"published\": \"2019-08-01T19:18:06Z\",\n \"modified\": \"2024-03-13T05:27:58.436849Z\",\n \"aliases\": [\n \"CVE-2019-14439\"\n ],\n \"summary\": \"Deserialization of untrusted data in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2, 2.8.11.4, 2.7.9.6, and 2.6.7.3. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/08/GHSA-gwp4-hfv6-p7hw/GHSA-gwp4-hfv6-p7hw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14439\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2389\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190814-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-08-01T15:37:50Z\",\n \"nvd_published_at\": \"2019-07-30T11:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gww7-p5w4-wrfv\",\n \"published\": \"2020-03-04T20:52:11Z\",\n \"modified\": \"2024-03-15T01:05:18.790961Z\",\n \"aliases\": [\n \"CVE-2019-20330\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5, and 2.9.x before 2.9.10.2 lacks certain `net.sf.ehcache` blocking.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.6\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-gww7-p5w4-wrfv/GHSA-gww7-p5w4-wrfv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20330\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2526\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/eb254813cc822d0af015ce8fe05febf50721dc53\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r909c822409a276ba04dc2ae31179b16f6864ba02c4f9911bdffebf95@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2e572f568de8df5ba151e6aebb225a0629faaf0476bf7c7ed877af8@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra5ce96faec37c26b0aa15b4b6a8b1cbb145a748653e56ae83e9685d0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra8a80dbc7319916946397823aec0d893d24713cbf7b5aee0e957298c@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb532fed78d031fff477fd840b81946f6d1200f93a63698dae65aa528@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd1f346227e11fc515914f3a7b20d81543e51e5822ba71baa0452634a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd49cfa41bbb71ef33b53736a6af2aa8ba88c2106e30f2a34902a87d2@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd6c6fef14944f3dcfb58d35f9317eb1c32a700e86c1b5231e45d3d0b@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa57d9c2a27d3af14c69607fb1a3da00e758b2092aa88eb6a51b6e99@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.10.1...jackson-databind-2.9.10.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c77dd6ab8344285bd8e481b57cf3029965a4b0036eefccef74cdd44@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r392099ed2757ff2e383b10440594e914d080511d7da1c8fed0612c1f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3f8180d0d25a7c6473ebb9714b0c1d19a73f455ae70d0c5fefc17e6c@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r428735963bee7cb99877b88d3228e28ec28af64646455c4f3e7a3c94@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r50f513772f12e1babf65c7c2b9c16425bac2d945351879e2e267517f@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c14fdcabdeaba258857bcb67198652e4dce1d33ddc590cd81d82393@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c3644c97f0434d1ceb48ff48897a67bdbf3baf7efbe7d04625425b3@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5d3d10fdf28110da3f9ac1b7d08d7e252f98d7d37ce0a6bd139a2e4f@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67f4d4c48197454b83d62afbed8bebbda3764e6e3a6e26a848961764@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r707d23bb9ee245f50aa909add0da6e8d8f24719b1278ddd99d2428b2@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7a0821b44247a1e6c6fe5f2943b90ebc4f80a8d1fb0aa9a8b29a59a2@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7fb123e7dad49af5886cfec7135c0fd5b74e4c67af029e1dc91ba744@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8831b7fa5ca87a1cf23ee08d6dedb7877a964c1d2bd869af24056a63@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-25T02:46:33Z\",\n \"nvd_published_at\": \"2020-01-03T04:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h3cw-g4mq-c5x2\",\n \"published\": \"2021-12-09T19:14:51Z\",\n \"modified\": \"2024-02-18T05:30:45.329621Z\",\n \"aliases\": [\n \"CVE-2020-24616\"\n ],\n \"summary\": \"Code Injection in jackson-databind\",\n \"details\": \"This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.5\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-h3cw-g4mq-c5x2/GHSA-h3cw-g4mq-c5x2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-24616\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2814\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200904-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-27T17:38:11Z\",\n \"nvd_published_at\": \"2020-08-25T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h4rc-386g-6m85\",\n \"published\": \"2020-04-23T20:19:02Z\",\n \"modified\": \"2024-03-15T00:46:40.266775Z\",\n \"aliases\": [\n \"CVE-2020-11620\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-h4rc-386g-6m85/GHSA-h4rc-386g-6m85.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11620\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2682\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200511-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-22T21:17:03Z\",\n \"nvd_published_at\": \"2020-04-07T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h592-38cm-4ggp\",\n \"published\": \"2018-10-18T17:42:34Z\",\n \"modified\": \"2024-03-15T01:16:50.905794Z\",\n \"aliases\": [\n \"CVE-2017-15095\"\n ],\n \"summary\": \"jackson-databind vulnerable to deserialization flaw leading to unauthenticated remote code execution\",\n \"details\": \"jackson-databind in versions prior to 2.8.11 and 2.9.4 contain a deserialization flaw which allows an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525, blacklisting additonal vulnerable classes.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-h592-38cm-4ggp/GHSA-h592-38cm-4ggp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-15095\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1737\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/a054585e2175ad0882f07bcafedecfac86230f1b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ddfddfba6414adbecaff99684ef66eebd3a92e92\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/e865a7a4464da63ded9f4b1a2328ad85c9ded78b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tolbertam/jackson-databind/commit/80566a0f96b2003863f9d8f9ccc3b562001e147b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3189\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20171214-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200401000000*/http://www.securityfocus.com/bid/103880\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20201221192044/http://www.securitytracker.com/id/1039769\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2017/dsa-4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3190\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0342\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0481\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0576\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0577\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-184\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:38:56Z\",\n \"nvd_published_at\": \"2018-02-06T15:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h822-r4r5-v8jg\",\n \"published\": \"2019-09-23T18:33:25Z\",\n \"modified\": \"2024-07-15T22:00:19.609618Z\",\n \"aliases\": [\n \"CVE-2019-14540\"\n ],\n \"related\": [\n \"CGA-2vh6-9p6m-f98h\"\n ],\n \"summary\": \"Polymorphic Typing issue in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10, 2.8.11.5, and 2.6.7.3. It is related to `com.zaxxer.hikari.HikariConfig`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/09/GHSA-h822-r4r5-v8jg/GHSA-h822-r4r5-v8jg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14540\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2410\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8aaf4ee16bbaf6204731d4770d96ebb34b258cd79b491f9cdd7f2540@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191004-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-09-19T09:23:48Z\",\n \"nvd_published_at\": \"2019-09-15T22:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j823-4qch-3rgm\",\n \"published\": \"2020-06-18T14:44:46Z\",\n \"modified\": \"2024-03-15T00:46:13.294633Z\",\n \"aliases\": [\n \"CVE-2020-14060\"\n ],\n \"summary\": \"Deserialization of untrusted data in Jackson Databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-j823-4qch-3rgm/GHSA-j823-4qch-3rgm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14060\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2688\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ac7232e3f9004bdb4f11dcb5bc6c1fadf074f5f7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/d1c67a0396e84c08d0558fbb843b5bd1f26e1921\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200702-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-18T13:05:54Z\",\n \"nvd_published_at\": \"2020-06-14T21:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jjjh-jjxp-wpff\",\n \"published\": \"2022-10-03T00:00:31Z\",\n \"modified\": \"2024-10-22T05:28:54.705123Z\",\n \"aliases\": [\n \"CGA-cr64-vww2-xpq8\",\n \"CVE-2022-42003\"\n ],\n \"related\": [\n \"CGA-9gmq-c996-778j\",\n \"CGA-fqmv-h753-pwr7\",\n \"CGA-jv4g-m8ph-wxx4\",\n \"CGA-qh53-92m3-qxq2\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in Jackson-databind\",\n \"details\": \"In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.\\n\\nCommits that introduced vulnerable code are \\nhttps://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc.\\n\\nFix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.\\n\\nThe `2.13.4.1` release does fix this issue, however it also references a non-existent jackson-bom which causes build failures for gradle users. See https://github.com/FasterXML/jackson-databind/issues/3627#issuecomment-1277957548 for details. This is fixed in `2.13.4.2` which is listed in the advisory metadata so that users are not subjected to unnecessary build failures\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.4.0-rc1\"\n },\n {\n \"fixed\": \"2.12.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.5.1\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.6.1\",\n \"2.12.7\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.10.8\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.13.0\"\n },\n {\n \"fixed\": \"2.13.4.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\",\n \"2.13.2.1\",\n \"2.13.2.2\",\n \"2.13.3\",\n \"2.13.4\",\n \"2.13.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-jjjh-jjxp-wpff/GHSA-jjjh-jjxp-wpff.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3590\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3627\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/2c4a601c626f7790cad9d3c322d244e182838288\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5283\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221124-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202210-21\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.13.4.1...jackson-databind-2.13.4.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commits/jackson-databind-2.4.0-rc1?after=75b97b8519f0d50c62523ad85170d80a197a2c86+174\\u0026branch=jackson-databind-2.4.0-rc1\\u0026qualified_name=refs%2Ftags%2Fjackson-databind-2.4.0-rc1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/blob/2.13/release-notes/VERSION-2.x\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51020\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-04T21:55:46Z\",\n \"nvd_published_at\": \"2022-10-02T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m6x4-97wx-4q27\",\n \"published\": \"2021-12-09T19:16:26Z\",\n \"modified\": \"2024-02-18T05:21:54.725837Z\",\n \"aliases\": [\n \"CVE-2020-36184\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m6x4-97wx-4q27/GHSA-m6x4-97wx-4q27.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36184\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:30:19Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mc6h-4qgp-37qh\",\n \"published\": \"2020-06-18T14:44:43Z\",\n \"modified\": \"2024-03-15T00:47:36.920636Z\",\n \"aliases\": [\n \"CVE-2020-14195\"\n ],\n \"summary\": \"Deserialization of untrusted data in Jackson Databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mc6h-4qgp-37qh/GHSA-mc6h-4qgp-37qh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2765\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200702-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-18T13:05:45Z\",\n \"nvd_published_at\": \"2020-06-16T16:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mph4-vhrx-mv67\",\n \"published\": \"2019-07-05T21:07:27Z\",\n \"modified\": \"2024-03-15T01:16:21.467932Z\",\n \"aliases\": [\n \"CVE-2019-12384\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in FasterXML jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-mph4-vhrx-mv67/GHSA-mph4-vhrx-mv67.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12384\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2334\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1820\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190703-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2720\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3200\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3292\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3297\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3901\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.doyensec.com/2019/07/22/jackson-gadgets.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://doyensec.com/research.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aad\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-27T11:07:42Z\",\n \"nvd_published_at\": \"2019-06-24T16:15:15Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mx7p-6679-8g3q\",\n \"published\": \"2019-10-28T20:51:15Z\",\n \"modified\": \"2024-03-15T01:01:46.432481Z\",\n \"aliases\": [\n \"CVE-2019-16942\"\n ],\n \"summary\": \"Polymorphic Typing in FasterXML jackson-databind\",\n \"details\": \"A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.8.11.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.6.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-mx7p-6679-8g3q/GHSA-mx7p-6679-8g3q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-16942\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443ac3b37c818a0204714b0b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23e64922e9536c82c1b9c8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f861ff16f879f1fceb5779f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Oct/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20191017-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4542\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a430dbc9be874c41314cc69e697384567a9a24025e819d9485547954@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/GEODE-7255\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3901\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-10-28T19:19:01Z\",\n \"nvd_published_at\": \"2019-10-01T17:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mx9v-gmh4-mgqw\",\n \"published\": \"2019-01-04T19:07:01Z\",\n \"modified\": \"2024-03-14T05:32:02.133724Z\",\n \"aliases\": [\n \"CVE-2018-19361\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-mx9v-gmh4-mgqw/GHSA-mx9v-gmh4-mgqw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-19361\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2186\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mx9v-gmh4-mgqw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/TINKERPOP-2121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/107985\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:47:38Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p43x-xfjf-5jhr\",\n \"published\": \"2020-05-15T18:59:01Z\",\n \"modified\": \"2024-03-15T00:33:14.700288Z\",\n \"aliases\": [\n \"CVE-2020-9548\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.7.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-p43x-xfjf-5jhr/GHSA-p43x-xfjf-5jhr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-9548\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2634\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/1e64db6a2fad331f96c7363fda3bc5f3dffa25bb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200904-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:24:13Z\",\n \"nvd_published_at\": \"2020-03-02T04:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q93h-jc49-78gg\",\n \"published\": \"2020-05-15T18:59:10Z\",\n \"modified\": \"2024-03-16T05:19:47.711015Z\",\n \"aliases\": [\n \"CVE-2020-9547\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.7.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-q93h-jc49-78gg/GHSA-q93h-jc49-78gg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-9547\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2634\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/9f4e97019fb0dd836533d0b6198c88787e235ae2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200904-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/redbe4f1e21bf080f637cf9fbec47729750a2f443a919765360337428@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd4df698d5d8e635144d2994922bf0842e933809eae259521f3b5097@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd49ab9565bec436a896bc00c4b9fc9dce1598e106c318524fbdfec6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5a4457be4623038c3989294429bc063eec433a2e55995d81591e2ca@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e958d6d5c5ee16efed73314cd0e445c8dbb4bdcc80fc9d1d6c11fc@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0d5d0f72da1ed6fc5e438b1ddb3fa090c73006b55f873cf845375ab@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6fecb5e96a6d61e175ff49f33f2713798dd05cf03067c169d195596@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3e90712f2d59f8cef03fa796f5adf163d32b81fe7b95385f21790e6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r98c9b6e4c9e17792e2cd1ec3e4aa20b61a791939046d3f10888176bb@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9464a40d25c3ba1a55622db72f113eb494a889656962d098c70c5bb1@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r893a0104e50c1c2559eb9a5812add28ae8c3e5f43712947a9847ec18@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r742ef70d126548dcf7de5be5779355c9d76a9aec71d7a9ef02c6398a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4accb2e0de9679174efd3d113a059bab71ff3ec53e882790d21c1cc1@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r35d30db00440ef63b791c4b7f7acb036e14d4a23afa2a249cb66c0fd@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-22T20:58:56Z\",\n \"nvd_published_at\": \"2020-03-02T04:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qjw2-hr98-qgfh\",\n \"published\": \"2021-12-09T19:15:36Z\",\n \"modified\": \"2024-02-18T05:20:56.894470Z\",\n \"aliases\": [\n \"CVE-2020-24750\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.5\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-qjw2-hr98-qgfh/GHSA-qjw2-hr98-qgfh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-24750\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2798\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/2118e71325486c68f089a9761c9d8a11b4ddd1cb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/ad5a630174f08d279504bc51ebba8772fd71b86b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201009-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:41:09Z\",\n \"nvd_published_at\": \"2020-09-17T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qmqc-x3r4-6v39\",\n \"published\": \"2020-05-15T18:59:07Z\",\n \"modified\": \"2024-12-02T05:41:11.671530Z\",\n \"aliases\": [\n \"CVE-2019-14893\"\n ],\n \"summary\": \"Polymorphic deserialization of malicious object in jackson-databind\",\n \"details\": \"A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-qmqc-x3r4-6v39/GHSA-qmqc-x3r4-6v39.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-14893\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2469\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d83d7962a9bd935c228317\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0729\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14893\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200327-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-22T20:58:45Z\",\n \"nvd_published_at\": \"2020-03-02T21:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qr7j-h6gg-jmgc\",\n \"published\": \"2019-07-16T17:42:21Z\",\n \"modified\": \"2024-03-11T05:21:14.313980Z\",\n \"aliases\": [\n \"CVE-2018-11307\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind\",\n \"details\": \"An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.7.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-qr7j-h6gg-jmgc/GHSA-qr7j-h6gg-jmgc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11307\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7525\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2032\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/051bd5e447fbc9539e12a4fe90eb989dba0c656\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/27b4defc270454dea6842bd9279f17387eceb73\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/78e78738d69adcb59fdac9fc12d9053ce8809f3d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7fcf88aff0d1deaa5c3c7be8d58c05ad7ad5da94b59065d8e7c50c5d@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-07-16T00:41:07Z\",\n \"nvd_published_at\": \"2019-07-09T16:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qxxx-2pp7-5hmx\",\n \"published\": \"2018-10-16T17:21:35Z\",\n \"modified\": \"2024-03-11T05:19:49.080060Z\",\n \"aliases\": [\n \"CVE-2017-7525\"\n ],\n \"summary\": \"jackson-databind is vulnerable to a deserialization flaw\",\n \"details\": \"A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.7.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qxxx-2pp7-5hmx/GHSA-qxxx-2pp7-5hmx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7525\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1599\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/fd8dec2c7fab8b4b4bd60502a0f1d63ec23c24da\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/fa87c1ddbe803ebb7295f5c2ebfe38e12f6e6162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/680d75b011edd67a2d2a2e9980998a968194c2ef\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/6ce32ffd18facac6abdbbf559c817b47fcb622c1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/90042692085deeb05ae75c569c9909f7dba24415\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-qxxx-2pp7-5hmx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3c87dc8bca99a2b3b4743713b33d1de05b1d6b761fdf316224e9c81f@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4641ed8616ccc2c1fbddac2c3dc9900c96387bc226eaf0232d61909b@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5008bcbd45ee65ce39e4220b6ac53d28a24d6bc67d5804e9773a7399@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b1f33fe5ade396bb903fdcabe9f243f7692c7dfce5418d3743c2d346@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2017/dsa-4004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbhf03902en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20171214-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf7f87810c38dc9abf9f93989f76008f504cbf7c1a355214640b2d04c@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r42ac3e39e6265db12d9fc6ae1cd4b5fea7aed9830dc6f6d58228fed7@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f60afd3c7e9ebaaf70fad4a4beb75cf8740ac959017a31e7006c7486@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f095a791bda6c0595f691eddd0febb2d396987eec5cbd29120d8c629@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c9d5ff20929e8a3c8794facf4c4b326a9c10618812eec356caa20b87@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c2ed4c0126b43e324cf740012a0edd371fd36096fd777be7bfe7a2a6@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c10a2bf0fdc3d25faf17bd191d6ec46b29a353fa9c97bebd7c4e5913@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1834\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1835\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1836\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1837\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1839\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1840\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2477\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2546\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2547\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2633\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2636\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2637\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2638\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3141\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3454\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3455\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3456\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3458\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0294\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0342\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0910\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1462702\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cwiki.apache.org/confluence/display/WW/S2-055\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-184\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:53:14Z\",\n \"nvd_published_at\": \"2018-02-06T15:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r3gr-cxrf-hg25\",\n \"published\": \"2021-12-09T19:15:11Z\",\n \"modified\": \"2024-06-25T14:20:21.323050Z\",\n \"aliases\": [\n \"CVE-2020-35491\"\n ],\n \"summary\": \"Serialization gadgets exploit in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r3gr-cxrf-hg25/GHSA-r3gr-cxrf-hg25.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35491\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2986\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210122-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\",\n \"CWE-913\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-08T21:05:38Z\",\n \"nvd_published_at\": \"2020-12-17T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r695-7vr9-jgc2\",\n \"published\": \"2021-12-09T19:16:51Z\",\n \"modified\": \"2024-02-18T05:30:45.856594Z\",\n \"aliases\": [\n \"CVE-2020-36187\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-r695-7vr9-jgc2/GHSA-r695-7vr9-jgc2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36187\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2997\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:23:27Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rf6r-2c4q-2vwg\",\n \"published\": \"2020-05-15T18:58:54Z\",\n \"modified\": \"2024-03-15T01:05:13.129194Z\",\n \"aliases\": [\n \"CVE-2020-10968\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-rf6r-2c4q-2vwg/GHSA-rf6r-2c4q-2vwg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-10968\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2662\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/05d7e0e13f43e12db6a51726df12c8b4d8040676\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/08fbfacf89a4a4c026a6227a1b470ab7a13e2e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:30:49Z\",\n \"nvd_published_at\": \"2020-03-26T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rfx6-vp9g-rh7v\",\n \"published\": \"2018-10-18T17:42:48Z\",\n \"modified\": \"2024-03-11T05:17:47.425595Z\",\n \"aliases\": [\n \"CVE-2017-17485\"\n ],\n \"summary\": \"jackson-databind vulnerable to remote code execution due to incorrect deserialization and blocklist bypass\",\n \"details\": \"FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rfx6-vp9g-rh7v/GHSA-rfx6-vp9g-rh7v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-17485\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/10fe7f17ea7c8da2a71e7a0c774b420a1d5c1b50\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/459107dccc9b3ea991af3e6ad0953e54b01ef7c1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/4f16f67ebd22c7522fdbb8a7eb87e3026a807d61\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/eb217dd0f87c5fb471e0668575644aa7eba9a3d3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/irsl/jackson-rce-via-spel\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180201-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbhf03902en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200927162225/http://www.securityfocus.com/archive/1/541652/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0116\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0342\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0481\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2930\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:54:38Z\",\n \"nvd_published_at\": \"2018-01-10T18:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rgv9-q543-rqg4\",\n \"published\": \"2022-10-03T00:00:31Z\",\n \"modified\": \"2024-12-02T16:25:52.858445Z\",\n \"aliases\": [\n \"CGA-9vjr-qmvr-wg48\",\n \"CVE-2022-42004\"\n ],\n \"related\": [\n \"CGA-3895-m462-85v8\",\n \"CGA-53rj-39m2-53xg\",\n \"CGA-c8q6-4qp3-vqhh\",\n \"CGA-cw73-ccxx-93pc\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in FasterXML jackson-databind\",\n \"details\": \"In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. This issue can only happen when the `UNWRAP_SINGLE_VALUE_ARRAYS` feature is explicitly enabled.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.10.0\",\n \"2.10.0.pr1\",\n \"2.10.0.pr2\",\n \"2.10.0.pr3\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.5.1\",\n \"2.11.0\",\n \"2.11.0.rc1\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.11.4\",\n \"2.12.0\",\n \"2.12.0-rc1\",\n \"2.12.0-rc2\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.6.1\",\n \"2.12.7\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.10.8\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.13.0\"\n },\n {\n \"fixed\": \"2.13.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\",\n \"2.13.2.1\",\n \"2.13.2.2\",\n \"2.13.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rgv9-q543-rqg4/GHSA-rgv9-q543-rqg4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/3582\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/35de19e7144c4df8ab178b800ba86e80c3d84252\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/11/msg00035.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202210-21\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221118-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5283\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-04T21:56:21Z\",\n \"nvd_published_at\": \"2022-10-02T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rpr3-cw39-3pxh\",\n \"published\": \"2022-07-15T19:41:47Z\",\n \"modified\": \"2025-04-14T22:28:33.735201Z\",\n \"aliases\": [\n \"CVE-2020-10650\"\n ],\n \"related\": [\n \"CVE-2020-10650\"\n ],\n \"summary\": \"jackson-databind vulnerable to unsafe deserialization\",\n \"details\": \"The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-rpr3-cw39-3pxh/GHSA-rpr3-cw39-3pxh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-10650\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2658\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/luisgarciacheckmarx/LGV_onefile/issues/19\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/pull/2864\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/a424c038ba0c0d65e579e22001dec925902ac0ef\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/04/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230818-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-15T19:41:47Z\",\n \"nvd_published_at\": \"2022-12-26T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v3xw-c963-f5hc\",\n \"published\": \"2020-05-15T18:58:50Z\",\n \"modified\": \"2024-02-16T08:09:27.960507Z\",\n \"aliases\": [\n \"CVE-2020-11111\"\n ],\n \"summary\": \"jackson-databind mishandles the interaction between serialization gadgets and typing\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-v3xw-c963-f5hc/GHSA-v3xw-c963-f5hc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11111\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2664\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200403-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-04-23T19:31:18Z\",\n \"nvd_published_at\": \"2020-03-31T05:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v585-23hc-c647\",\n \"published\": \"2021-11-19T20:13:06Z\",\n \"modified\": \"2024-02-18T05:22:38.024460Z\",\n \"aliases\": [\n \"CVE-2020-36186\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to `org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-v585-23hc-c647/GHSA-v585-23hc-c647.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36186\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2997\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:16:26Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vfqx-33qm-g869\",\n \"published\": \"2021-12-09T19:16:59Z\",\n \"modified\": \"2024-02-18T05:24:26.785781Z\",\n \"aliases\": [\n \"CVE-2020-36189\"\n ],\n \"summary\": \"Unsafe Deserialization in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 an 2.6.7.5 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-vfqx-33qm-g869/GHSA-vfqx-33qm-g869.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-36189\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2996\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/33d96c13fe18a2dad01b19ce195548c9acea9da4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210205-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-18T23:14:22Z\",\n \"nvd_published_at\": \"2021-01-06T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w3f4-3q6j-rh82\",\n \"published\": \"2020-06-30T20:40:50Z\",\n \"modified\": \"2024-03-11T05:18:22.727055Z\",\n \"aliases\": [\n \"CVE-2018-5968\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in jackson-databind\",\n \"details\": \"FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 2.8.11\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-w3f4-3q6j-rh82/GHSA-w3f4-3q6j-rh82.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-5968\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/1899\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/GulajavaMinistudio/jackson-databind/pull/92/commits/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/454be8bb8c913be18298327a84ca45a280b61605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/03ea0bec6293d4330b5ad19d1d62aca0e3cb6381\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbhf03902en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180423-0002\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1525\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0481\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0478\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-184\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-30T20:40:31Z\",\n \"nvd_published_at\": \"2018-01-22T04:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wh8g-3j2c-rqj5\",\n \"published\": \"2021-12-09T19:15:00Z\",\n \"modified\": \"2024-03-15T00:31:15.123603Z\",\n \"aliases\": [\n \"CVE-2020-35490\"\n ],\n \"summary\": \"Serialization gadgets exploit in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.9.10.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.2.0\",\n \"2.2.0-rc1\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3.0\",\n \"2.3.0-rc1\",\n \"2.3.1\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.4.0\",\n \"2.4.0-rc1\",\n \"2.4.0-rc2\",\n \"2.4.0-rc3\",\n \"2.4.1\",\n \"2.4.1.1\",\n \"2.4.1.2\",\n \"2.4.1.3\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.5.1\",\n \"2.4.6\",\n \"2.4.6.1\",\n \"2.5.0\",\n \"2.5.0-rc1\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.5.4\",\n \"2.5.5\",\n \"2.6.0\",\n \"2.6.0-rc1\",\n \"2.6.0-rc2\",\n \"2.6.0-rc3\",\n \"2.6.0-rc4\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.7.1\",\n \"2.6.7.2\",\n \"2.6.7.3\",\n \"2.6.7.4\",\n \"2.6.7.5\",\n \"2.7.0\",\n \"2.7.0-rc1\",\n \"2.7.0-rc2\",\n \"2.7.0-rc3\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\",\n \"2.7.9.5\",\n \"2.7.9.6\",\n \"2.7.9.7\",\n \"2.8.0\",\n \"2.8.0.rc1\",\n \"2.8.0.rc2\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.11.3\",\n \"2.8.11.4\",\n \"2.8.11.5\",\n \"2.8.11.6\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.10\",\n \"2.9.10.1\",\n \"2.9.10.2\",\n \"2.9.10.3\",\n \"2.9.10.4\",\n \"2.9.10.5\",\n \"2.9.10.6\",\n \"2.9.10.7\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\",\n \"2.9.7\",\n \"2.9.8\",\n \"2.9.9\",\n \"2.9.9.1\",\n \"2.9.9.2\",\n \"2.9.9.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.10.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wh8g-3j2c-rqj5/GHSA-wh8g-3j2c-rqj5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35490\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2986\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/FasterXML/jackson-databind\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/04/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210122-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-08T21:06:39Z\",\n \"nvd_published_at\": \"2020-12-17T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x2w5-5m2g-7h5m\",\n \"published\": \"2019-01-04T19:09:46Z\",\n \"modified\": \"2024-03-12T05:18:06.737632Z\",\n \"aliases\": [\n \"CVE-2018-14720\"\n ],\n \"summary\": \"XML External Entity Reference (XXE) in jackson-databind\",\n \"details\": \"FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.0.pr1\",\n \"2.9.0.pr2\",\n \"2.9.0.pr3\",\n \"2.9.0.pr4\",\n \"2.9.1\",\n \"2.9.2\",\n \"2.9.3\",\n \"2.9.4\",\n \"2.9.5\",\n \"2.9.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.11\",\n \"2.8.11.1\",\n \"2.8.11.2\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.8.1\",\n \"2.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.11.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.fasterxml.jackson.core:jackson-databind\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.fasterxml.jackson.core/jackson-databind\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.9.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.1-1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.7.8\",\n \"2.7.9\",\n \"2.7.9.1\",\n \"2.7.9.2\",\n \"2.7.9.3\",\n \"2.7.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.9.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-x2w5-5m2g-7h5m/GHSA-x2w5-5m2g-7h5m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-14720\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/issues/2097\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/82b01bfb6787097427ce97cec6a7127e93718bc05d1efd5eaffc228f@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ba973114605d936be276ee6ce09dfbdbf78aa56f6cdc6e79bfa7b8df@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/May/68\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190530-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4452\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6a78f88716c3c57aa74ec05764a37ab3874769a347805903b393b286@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-x2w5-5m2g-7h5m\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1822\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHBA-2019:0959\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\",\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:01:50Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4jrv-ppp4-jm57\",\n \"published\": \"2022-05-03T00:00:44Z\",\n \"modified\": \"2025-01-14T10:57:11.550318Z\",\n \"aliases\": [\n \"CVE-2022-25647\"\n ],\n \"related\": [\n \"CGA-828p-4xp8-m457\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in Gson\",\n \"details\": \"The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.code.gson:gson\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.code.gson/gson\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.8.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.1\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.7.1\",\n \"1.7.2\",\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.2.4\",\n \"2.3\",\n \"2.3.1\",\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jrv-ppp4-jm57/GHSA-4jrv-ppp4-jm57.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25647\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/gson/pull/1991\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/gson/pull/1991/commits\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/google/gson\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220901-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5227\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-05-20T20:31:08Z\",\n \"nvd_published_at\": \"2022-05-01T16:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5mg8-w23w-74h3\",\n \"published\": \"2021-03-25T17:04:19Z\",\n \"modified\": \"2025-02-20T05:28:20.657499Z\",\n \"aliases\": [\n \"CGA-7rjh-334q-pq8g\",\n \"CVE-2020-8908\"\n ],\n \"related\": [\n \"CGA-3f7x-7jf4-vmjh\",\n \"CGA-4jpf-w26h-cg9j\",\n \"CGA-9wv6-wh8w-g624\",\n \"CGA-c59f-3389-82hg\",\n \"CGA-c5f6-f2ff-f6g9\",\n \"CGA-cffm-4mv2-8x2h\",\n \"CGA-f85c-8jfc-2g85\",\n \"CGA-gpmg-5xqr-j8wx\",\n \"CGA-m9rw-cj52-34gw\",\n \"CGA-mh7m-jqq7-vcwx\",\n \"CGA-v8xq-jj26-jf85\",\n \"CGA-vm4c-5phc-7w2r\"\n ],\n \"summary\": \"Information Disclosure in Guava\",\n \"details\": \"A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.guava:guava\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.guava/guava\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"32.0.0-android\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0\",\n \"10.0-rc1\",\n \"10.0-rc2\",\n \"10.0-rc3\",\n \"10.0.1\",\n \"11.0\",\n \"11.0-rc1\",\n \"11.0.1\",\n \"11.0.2\",\n \"12.0\",\n \"12.0-rc1\",\n \"12.0-rc2\",\n \"12.0.1\",\n \"13.0\",\n \"13.0-rc1\",\n \"13.0-rc2\",\n \"13.0.1\",\n \"14.0\",\n \"14.0-rc1\",\n \"14.0-rc2\",\n \"14.0-rc3\",\n \"14.0.1\",\n \"15.0\",\n \"15.0-rc1\",\n \"16.0\",\n \"16.0-rc1\",\n \"16.0.1\",\n \"17.0\",\n \"17.0-rc1\",\n \"17.0-rc2\",\n \"18.0\",\n \"18.0-rc1\",\n \"18.0-rc2\",\n \"19.0\",\n \"19.0-rc1\",\n \"19.0-rc2\",\n \"19.0-rc3\",\n \"20.0\",\n \"20.0-rc1\",\n \"21.0\",\n \"21.0-rc1\",\n \"21.0-rc2\",\n \"22.0\",\n \"22.0-android\",\n \"22.0-rc1\",\n \"22.0-rc1-android\",\n \"23.0\",\n \"23.0-android\",\n \"23.0-rc1\",\n \"23.0-rc1-android\",\n \"23.1-android\",\n \"23.1-jre\",\n \"23.2-android\",\n \"23.2-jre\",\n \"23.3-android\",\n \"23.3-jre\",\n \"23.4-android\",\n \"23.4-jre\",\n \"23.5-android\",\n \"23.5-jre\",\n \"23.6-android\",\n \"23.6-jre\",\n \"23.6.1-android\",\n \"23.6.1-jre\",\n \"24.0-android\",\n \"24.0-jre\",\n \"24.1-android\",\n \"24.1-jre\",\n \"24.1.1-android\",\n \"24.1.1-jre\",\n \"25.0-android\",\n \"25.0-jre\",\n \"25.1-android\",\n \"25.1-jre\",\n \"26.0-android\",\n \"26.0-jre\",\n \"27.0-android\",\n \"27.0-jre\",\n \"27.0.1-android\",\n \"27.0.1-jre\",\n \"27.1-android\",\n \"27.1-jre\",\n \"28.0-android\",\n \"28.0-jre\",\n \"28.1-android\",\n \"28.1-jre\",\n \"28.2-android\",\n \"28.2-jre\",\n \"29.0-android\",\n \"29.0-jre\",\n \"30.0-android\",\n \"30.0-jre\",\n \"30.1-android\",\n \"30.1-jre\",\n \"30.1.1-android\",\n \"30.1.1-jre\",\n \"31.0-android\",\n \"31.0-jre\",\n \"31.0.1-android\",\n \"31.0.1-jre\",\n \"31.1-android\",\n \"31.1-jre\",\n \"r03\",\n \"r05\",\n \"r06\",\n \"r07\",\n \"r08\",\n \"r09\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-8908\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/issues/4011\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/issues/4011#issuecomment-1578991974\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604@%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5d58088812cf8e677d99b07f73c654014c524c94e7fedbdee047604%40%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd2704306ec729ccac726e50339b8a8f079515cc29ccb77713b16e7c5%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95%40%3Cgithub.arrow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcafc3a637d82bdc9a24036b2ddcad1e519dd0e6f848fcc3d606fd78f%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc607bc52f3507b8b9c28c6a747c3122f51ac24afe80af2a670785b97%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a@%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2dbc4633a6eea1fcbce6831876cfa17b73759a98c65326d1896cb1a%40%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3@%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc7642b9800249553f13457e46b813bea1aec99d2bc9106510e00ff3%40%3Ctorque-dev.db.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8c0f1b7589864396690fe42a91a71dea9412e86eec66dc85bbacaaf%40%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb2364f4cf4d274eab5a7ecfaf64bf575cedf8b0173551997c749d322%40%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3@%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc27e2727a20a574f39273e0432aa97486a332f9b3068f6ac1346594%40%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf9f0fa84b8ae1a285f0210bafec6de2a9eba083007d04640b82aa625%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e@%3Cyarn-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf00b688ffa620c990597f829ff85fdbba8bf73ee7bfb34783e1f0d4e%40%3Cyarn-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reebbd63c25bc1a946caa419cec2be78079f8449d1af48e52d47c9e85%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27@%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re120f6b3d2f8222121080342c5801fdafca2f5188ceeb3b49c8a1d27%40%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf@%3Cdev.pig.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd7e12d56d49d73e2b8549694974b07561b79b05455f7f781954231bf%40%3Cdev.pig.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra7ab308481ee729f998691e8e3e02e93b1dedfc98f6b1cd3d86923b3%40%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6%40%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3dd8881de891598d622227e9840dd7c2ef1d08abbb49e9690c7ae1bc%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fe45d96eea8434b91592ca08109118f6308d60f6d0e21d52438cfb4%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6@%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r294be9d31c0312d2c0837087204b5d4bf49d0552890e6eec716fa6a6%40%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e@%3Ccommits.ws.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r215b3d50f56faeb2f9383505f3e62faa9f549bb23e8a9848b78a968e%40%3Ccommits.ws.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r161b87f8037bbaff400194a63cd2016c9a69f5949f06dcc79beeab54%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07ed3e4417ad043a27bee7bb33322e9bfc7d7e6d1719b8e3dfd95c14%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r037fed1d0ebde50c9caf8d99815db3093c344c3f651c5a49a09824ce@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r007add131977f4f576c232b25e024249a3d16f66aad14a4b52819d21%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/google/guava\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba%40%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09@%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b0e81d8367264d6cad98766a469d64d11248eb654417809bfdacf09%40%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r79e47ed555bdb1180e528420a7a2bb898541367a29a3bc6bbf0baf2c%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222@%3Ccommits.ws.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68d86f4b06c808204f62bcb254fcb5b0432528ee8d37a07ef4bc8222%40%3Ccommits.ws.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6874dfe26eefc41b7c9a5e4a0487846fc4accf8c78ff948b24a1104a%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199@%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5d61b98ceb7bba939a651de5900dbd67be3817db6bfcc41c6e04e199%40%3Cyarn-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b3d93dfdfb7708e796e8762ab40edbde8ff8add48aba53e5ea26f44%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r58a8775205ab1839dba43054b09a9ab3b25b423a4170b2413c4067ac%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27@%3Cyarn-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49549a8322f62cd3acfa4490d25bfba0be04f3f9ff4d14fe36199d27%40%3Cyarn-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4776f62dfae4a0006658542f43034a7fc199350e35a66d4e18164ee6@%3Ccommits.cxf.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-173\",\n \"CWE-200\",\n \"CWE-378\",\n \"CWE-732\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-25T17:01:09Z\",\n \"nvd_published_at\": \"2020-12-10T23:15:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7g45-4rm6-3mm3\",\n \"published\": \"2023-06-14T18:30:38Z\",\n \"modified\": \"2025-11-04T17:01:34.109082Z\",\n \"aliases\": [\n \"CGA-g8pm-vcpp-9jxq\",\n \"CVE-2023-2976\"\n ],\n \"related\": [\n \"CGA-3qxr-rw2h-5f86\",\n \"CGA-5wxh-2846-4r2x\",\n \"CGA-6p73-mwqp-2hp8\",\n \"CGA-7xcf-rqw8-qr59\",\n \"CGA-955j-7j6c-gqwh\",\n \"CGA-cwxg-jg7f-p246\",\n \"CGA-gghr-qw4h-4xq9\",\n \"CGA-jf73-gm5w-p8jg\",\n \"CGA-jwxg-cjjq-4858\",\n \"CGA-pp53-gp7c-m793\",\n \"CGA-pq38-jvh7-23gx\",\n \"CGA-px7h-7xf8-q54x\",\n \"CGA-q6xm-fh5w-65wh\",\n \"CGA-x223-m8f5-c9vm\"\n ],\n \"summary\": \"Guava vulnerable to insecure use of temporary directory\",\n \"details\": \"Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.\\n\\nEven though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.guava:guava\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.guava/guava\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0\"\n },\n {\n \"fixed\": \"32.0.0-android\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0\",\n \"10.0-rc1\",\n \"10.0-rc2\",\n \"10.0-rc3\",\n \"10.0.1\",\n \"11.0\",\n \"11.0-rc1\",\n \"11.0.1\",\n \"11.0.2\",\n \"12.0\",\n \"12.0-rc1\",\n \"12.0-rc2\",\n \"12.0.1\",\n \"13.0\",\n \"13.0-rc1\",\n \"13.0-rc2\",\n \"13.0.1\",\n \"14.0\",\n \"14.0-rc1\",\n \"14.0-rc2\",\n \"14.0-rc3\",\n \"14.0.1\",\n \"15.0\",\n \"15.0-rc1\",\n \"16.0\",\n \"16.0-rc1\",\n \"16.0.1\",\n \"17.0\",\n \"17.0-rc1\",\n \"17.0-rc2\",\n \"18.0\",\n \"18.0-rc1\",\n \"18.0-rc2\",\n \"19.0\",\n \"19.0-rc1\",\n \"19.0-rc2\",\n \"19.0-rc3\",\n \"20.0\",\n \"20.0-rc1\",\n \"21.0\",\n \"21.0-rc1\",\n \"21.0-rc2\",\n \"22.0\",\n \"22.0-android\",\n \"22.0-rc1\",\n \"22.0-rc1-android\",\n \"23.0\",\n \"23.0-android\",\n \"23.0-rc1\",\n \"23.0-rc1-android\",\n \"23.1-android\",\n \"23.1-jre\",\n \"23.2-android\",\n \"23.2-jre\",\n \"23.3-android\",\n \"23.3-jre\",\n \"23.4-android\",\n \"23.4-jre\",\n \"23.5-android\",\n \"23.5-jre\",\n \"23.6-android\",\n \"23.6-jre\",\n \"23.6.1-android\",\n \"23.6.1-jre\",\n \"24.0-android\",\n \"24.0-jre\",\n \"24.1-android\",\n \"24.1-jre\",\n \"24.1.1-android\",\n \"24.1.1-jre\",\n \"25.0-android\",\n \"25.0-jre\",\n \"25.1-android\",\n \"25.1-jre\",\n \"26.0-android\",\n \"26.0-jre\",\n \"27.0-android\",\n \"27.0-jre\",\n \"27.0.1-android\",\n \"27.0.1-jre\",\n \"27.1-android\",\n \"27.1-jre\",\n \"28.0-android\",\n \"28.0-jre\",\n \"28.1-android\",\n \"28.1-jre\",\n \"28.2-android\",\n \"28.2-jre\",\n \"29.0-android\",\n \"29.0-jre\",\n \"30.0-android\",\n \"30.0-jre\",\n \"30.1-android\",\n \"30.1-jre\",\n \"30.1.1-android\",\n \"30.1.1-jre\",\n \"31.0-android\",\n \"31.0-jre\",\n \"31.0.1-android\",\n \"31.0.1-jre\",\n \"31.1-android\",\n \"31.1-jre\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-7g45-4rm6-3mm3/GHSA-7g45-4rm6-3mm3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-2976\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/issues/2575\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/issues/6532\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/commit/feb83a1c8fd2e7670b244d5afd23cba5aca43284\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/google/guava\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/releases/tag/v32.0.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230818-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01006.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-379\",\n \"CWE-552\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-14T21:01:07Z\",\n \"nvd_published_at\": \"2023-06-14T18:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mvr2-9pj6-7w5j\",\n \"published\": \"2020-06-15T20:35:11Z\",\n \"modified\": \"2024-10-22T05:29:03.107335Z\",\n \"aliases\": [\n \"CGA-8223-gxg7-8cjf\",\n \"CVE-2018-10237\"\n ],\n \"related\": [\n \"CGA-4jxw-mwcp-83m9\"\n ],\n \"summary\": \"Denial of Service in Google Guava\",\n \"details\": \"Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.guava:guava\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.guava/guava\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0\"\n },\n {\n \"fixed\": \"24.1.1-android\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0\",\n \"11.0.1\",\n \"11.0.2\",\n \"12.0\",\n \"12.0-rc1\",\n \"12.0-rc2\",\n \"12.0.1\",\n \"13.0\",\n \"13.0-rc1\",\n \"13.0-rc2\",\n \"13.0.1\",\n \"14.0\",\n \"14.0-rc1\",\n \"14.0-rc2\",\n \"14.0-rc3\",\n \"14.0.1\",\n \"15.0\",\n \"15.0-rc1\",\n \"16.0\",\n \"16.0-rc1\",\n \"16.0.1\",\n \"17.0\",\n \"17.0-rc1\",\n \"17.0-rc2\",\n \"18.0\",\n \"18.0-rc1\",\n \"18.0-rc2\",\n \"19.0\",\n \"19.0-rc1\",\n \"19.0-rc2\",\n \"19.0-rc3\",\n \"20.0\",\n \"20.0-rc1\",\n \"21.0\",\n \"21.0-rc1\",\n \"21.0-rc2\",\n \"22.0\",\n \"22.0-android\",\n \"22.0-rc1\",\n \"22.0-rc1-android\",\n \"23.0\",\n \"23.0-android\",\n \"23.0-rc1\",\n \"23.0-rc1-android\",\n \"23.1-android\",\n \"23.1-jre\",\n \"23.2-android\",\n \"23.2-jre\",\n \"23.3-android\",\n \"23.3-jre\",\n \"23.4-android\",\n \"23.4-jre\",\n \"23.5-android\",\n \"23.5-jre\",\n \"23.6-android\",\n \"23.6-jre\",\n \"23.6.1-android\",\n \"23.6.1-jre\",\n \"24.0-android\",\n \"24.0-jre\",\n \"24.1-android\",\n \"24.1-jre\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.guava:guava-jdk5\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.guava/guava-jdk5\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"17.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"13.0\",\n \"14.0.1\",\n \"14.0.1-rc1\",\n \"16.0\",\n \"16.0-rc1\",\n \"17.0\",\n \"17.0-rc1\",\n \"17.0-rc2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.googlecode.guava-osgi:guava-osgi\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.googlecode.guava-osgi/guava-osgi\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"11.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"11.0.0\",\n \"11.0.1\",\n \"3.0.0\",\n \"4.0.0\",\n \"5.0.0\",\n \"6.0.0\",\n \"7.0.0\",\n \"8.0.0\",\n \"9.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"de.mhus.ports:vaadin-shared-deps\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/de.mhus.ports/vaadin-shared-deps\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"7.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.3.1\",\n \"1.3.4\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.6.0\",\n \"1.6.1\",\n \"6.2.0\",\n \"7.0.0\",\n \"7.1.0\",\n \"7.2.0\",\n \"7.4.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.hudsonci.lib.guava:guava\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.hudsonci.lib.guava/guava\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"14.0.1-h-3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"14.0.1-h-1\",\n \"14.0.1-h-2\",\n \"14.0.1-h-3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.sonatype.sisu:sisu-guava\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.sonatype.sisu/sisu-guava\"\n },\n \"versions\": [\n \"0.11.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mvr2-9pj6-7w5j/GHSA-mvr2-9pj6-7w5j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-10237\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2423\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r223bc776a077d0795786c38cbc6e7dd808fce1a9161b00ba9c0a5d55@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22c8173b804cd4a420c43064ba4e363d0022aa421008b1989f7354d4@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r27eb79a87a760335226dbfa6a7b7bffea539a535f8e80c41e482106d@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ea4e5e5aa8ad73b001a466c582899620961f47d77a40af712c1fdf9@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r30e7d7b6bfa630dacc41649a0e96dad75165d50474c1241068aa0f94@%3Cissues.storm.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r38e2ab87528d3c904e7fac496e8fd766b9277656ff95b97d6b6b6dcd@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c3b33ee5bef0c67391d27a97cbfd89d44f328cf072b601b58d4e748@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r50fc0bcc734dd82e691d36d209258683141bfc0083739a77e56ad92d@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r841c5e14e1b55281523ebcde661ece00b38a0569e00ef5e12bd5f6ba@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r95799427b335807a4c54776908125c3e66597b65845ae50096d9278a@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra0adb9653c7de9539b93cc8434143b655f753b9f60580ff260becb2b@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra4f44016926dcb034b3b230280a18102062f94ae55b8a31bb92fed84@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra8906723927aef2a599398c238eacfc845b74d812e0093ec2fc70a7d@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb3da574c34bc6bd37972d2266af3093b90d7e437460423c24f477919@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc78f6e84f82cc662860e96526d8ab969f34dbe12dc560e22d9d147a3@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc8467f357b943ceaa86f289f8bc1a5d1c7955b75d3bac1426f2d4ac1@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd01f5ff0164c468ec7abc96ff7646cea3cce6378da2e4aa29c6bcb95@%3Cgithub.arrow.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0c8ec6e044aa2958dd0549ebf8ecead7f5968c9474ba73a504161b2@%3Cdev.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdc56c15693c236e31e1e95f847b8e5e74fc0a05741d47488e7fc8c45@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220629-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2424\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2425\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2428\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2598\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2643\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2740\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2741\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2742\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2743\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2858\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3149\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/google/guava\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/guava/wiki/CVE-2018-10237\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/d/topic/guava-announce/xqWALw4W1vs/discussion\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/19fa48533bc7ea1accf6b12746a74ed888ae6e49a5cf81ae4f807495@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/33c6bccfeb7adf644d4d79894ca8f09370be6ed4b20632c2e228d085@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d5dbdd92ac9ceaef90e40f78599f9109f2f345252e0ac9d98e7e084@%3Cgitbox.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3ddd79c801edd99c0978e83dbe2168ebd36fd42acfa5dac38fb03dd6@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/cc48fe770c45a74dc3b37ed0817393e0c96701fc49bc431ed922f3cc@%3Chdfs-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041707\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T18:34:57Z\",\n \"nvd_published_at\": \"2018-04-26T21:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4gg5-vx3j-xwc7\",\n \"published\": \"2022-12-12T15:30:33Z\",\n \"modified\": \"2025-09-02T19:53:43.821640Z\",\n \"aliases\": [\n \"CGA-24m5-8f5h-34wq\",\n \"CVE-2022-3510\"\n ],\n \"related\": [\n \"CGA-fgmv-5mj3-v9vh\",\n \"CGA-g664-j68v-pmw2\",\n \"CGA-rh7m-9hc4-75h6\"\n ],\n \"summary\": \"Protobuf Java vulnerable to Uncontrolled Resource Consumption\",\n \"details\": \"A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.2.0\",\n \"3.2.0-rc.1\",\n \"3.2.0rc2\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0-rc1\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-4gg5-vx3j-xwc7/GHSA-4gg5-vx3j-xwc7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3510\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/tree/main/java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-12T22:34:26Z\",\n \"nvd_published_at\": \"2022-12-12T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-735f-pc8j-v9w8\",\n \"published\": \"2024-09-19T16:06:03Z\",\n \"modified\": \"2025-09-10T21:15:49.364660Z\",\n \"aliases\": [\n \"CVE-2024-7254\"\n ],\n \"related\": [\n \"CGA-2232-8fcm-46m9\",\n \"CGA-26vm-c4xx-fw99\",\n \"CGA-3jqr-m622-9v65\",\n \"CGA-3rgp-cw6g-rj22\",\n \"CGA-5j9v-w79r-r73h\",\n \"CGA-6xwj-3x88-p9hm\",\n \"CGA-8cc7-m97x-rcw7\",\n \"CGA-9p42-9pfp-83g9\",\n \"CGA-c87c-r7j2-6c2f\",\n \"CGA-f6ww-g9c8-j27r\",\n \"CGA-gf8j-3f7c-2f6p\",\n \"CGA-grm4-x73v-9xcw\",\n \"CGA-h5p9-89pr-8jw6\",\n \"CGA-h63q-9rr4-x7xq\",\n \"CGA-m76c-26vf-3vhr\",\n \"CGA-pj84-6mcw-q95g\",\n \"CGA-r5c2-7p3p-gp53\",\n \"CGA-rjwj-h86r-xhrh\",\n \"CGA-v28j-qmhq-qrxf\",\n \"CGA-v5fx-59qm-4247\",\n \"CGA-xrwq-83cw-2mjc\",\n \"RUSTSEC-2024-0437\"\n ],\n \"summary\": \"protobuf-java has potential Denial of Service issue\",\n \"details\": \"### Summary\\nWhen parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash.\\n\\nReporter: Alexis Challande, Trail of Bits Ecosystem Security Team \\u003cecosystem@trailofbits.com\\u003e\\n\\nAffected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\\n\\n### Severity\\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254) **High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\\nThis is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.\\n\\n### Proof of Concept\\nFor reproduction details, please refer to the unit tests (Protobuf Java [LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java) and [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java)) that identify the specific inputs that exercise this parsing weakness.\\n\\n### Remediation and Mitigation\\nWe have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages:\\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.25.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0a\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"3.0.0\",\n \"3.0.0-alpha-2\",\n \"3.0.0-alpha-3\",\n \"3.0.0-alpha-3.1\",\n \"3.0.0-beta-1\",\n \"3.0.0-beta-2\",\n \"3.0.0-beta-3\",\n \"3.0.0-beta-4\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.16.3\",\n \"3.17.0\",\n \"3.17.0-rc-1\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\",\n \"3.19.6\",\n \"3.2.0\",\n \"3.2.0-rc.1\",\n \"3.2.0rc2\",\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\",\n \"3.20.3\",\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.10\",\n \"3.21.11\",\n \"3.21.12\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\",\n \"3.21.7\",\n \"3.21.8\",\n \"3.21.9\",\n \"3.22.0\",\n \"3.22.0-RC1\",\n \"3.22.0-RC3\",\n \"3.22.1\",\n \"3.22.2\",\n \"3.22.3\",\n \"3.22.4\",\n \"3.22.5\",\n \"3.23.0\",\n \"3.23.0-RC2\",\n \"3.23.0-RC3\",\n \"3.23.1\",\n \"3.23.2\",\n \"3.23.3\",\n \"3.23.4\",\n \"3.24.0\",\n \"3.24.0-RC1\",\n \"3.24.0-RC2\",\n \"3.24.0-RC3\",\n \"3.24.1\",\n \"3.24.2\",\n \"3.24.3\",\n \"3.24.4\",\n \"3.25.0\",\n \"3.25.0-RC1\",\n \"3.25.0-RC2\",\n \"3.25.1\",\n \"3.25.2\",\n \"3.25.3\",\n \"3.25.4\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0-rc1\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.25.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.16.3\",\n \"3.17.0\",\n \"3.17.0-rc-1\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\",\n \"3.19.6\",\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\",\n \"3.20.3\",\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.10\",\n \"3.21.11\",\n \"3.21.12\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\",\n \"3.21.7\",\n \"3.21.8\",\n \"3.21.9\",\n \"3.22.0\",\n \"3.22.0-RC1\",\n \"3.22.0-RC3\",\n \"3.22.1\",\n \"3.22.2\",\n \"3.22.3\",\n \"3.22.4\",\n \"3.22.5\",\n \"3.23.0\",\n \"3.23.0-RC2\",\n \"3.23.0-RC3\",\n \"3.23.1\",\n \"3.23.2\",\n \"3.23.3\",\n \"3.23.4\",\n \"3.24.0\",\n \"3.24.0-RC1\",\n \"3.24.0-RC2\",\n \"3.24.0-RC3\",\n \"3.24.1\",\n \"3.24.2\",\n \"3.24.3\",\n \"3.24.4\",\n \"3.25.0\",\n \"3.25.0-RC1\",\n \"3.25.0-RC2\",\n \"3.25.1\",\n \"3.25.2\",\n \"3.25.3\",\n \"3.25.4\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.25.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\",\n \"3.19.6\",\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\",\n \"3.20.3\",\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.10\",\n \"3.21.11\",\n \"3.21.12\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\",\n \"3.21.7\",\n \"3.21.8\",\n \"3.21.9\",\n \"3.22.0\",\n \"3.22.0-RC1\",\n \"3.22.0-RC3\",\n \"3.22.1\",\n \"3.22.2\",\n \"3.22.3\",\n \"3.22.4\",\n \"3.22.5\",\n \"3.23.0\",\n \"3.23.0-RC2\",\n \"3.23.0-RC3\",\n \"3.23.1\",\n \"3.23.2\",\n \"3.23.3\",\n \"3.23.4\",\n \"3.24.0\",\n \"3.24.0-RC1\",\n \"3.24.0-RC2\",\n \"3.24.0-RC3\",\n \"3.24.1\",\n \"3.24.2\",\n \"3.24.3\",\n \"3.24.4\",\n \"3.25.0\",\n \"3.25.0-RC1\",\n \"3.25.0-RC2\",\n \"3.25.1\",\n \"3.25.2\",\n \"3.25.3\",\n \"3.25.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.25.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\",\n \"3.19.6\",\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\",\n \"3.20.3\",\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.10\",\n \"3.21.11\",\n \"3.21.12\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\",\n \"3.21.7\",\n \"3.21.8\",\n \"3.21.9\",\n \"3.22.0\",\n \"3.22.0-RC1\",\n \"3.22.0-RC3\",\n \"3.22.1\",\n \"3.22.2\",\n \"3.22.3\",\n \"3.22.4\",\n \"3.22.5\",\n \"3.23.0\",\n \"3.23.0-RC2\",\n \"3.23.0-RC3\",\n \"3.23.1\",\n \"3.23.2\",\n \"3.23.3\",\n \"3.23.4\",\n \"3.24.0\",\n \"3.24.0-RC1\",\n \"3.24.0-RC2\",\n \"3.24.0-RC3\",\n \"3.24.1\",\n \"3.24.2\",\n \"3.24.3\",\n \"3.24.4\",\n \"3.25.0\",\n \"3.25.0-RC1\",\n \"3.25.0-RC2\",\n \"3.25.1\",\n \"3.25.2\",\n \"3.25.3\",\n \"3.25.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.25.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.0.alpha.1.0\",\n \"3.0.0.alpha.1.1\",\n \"3.0.0.alpha.2.0\",\n \"3.0.0.alpha.3\",\n \"3.0.0.alpha.3.1.pre\",\n \"3.0.0.alpha.4.0\",\n \"3.0.0.alpha.5.0.3\",\n \"3.0.0.alpha.5.0.4\",\n \"3.0.0.alpha.5.0.5\",\n \"3.0.0.alpha.5.0.5.1\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.1.0.0.pre\",\n \"3.10.0.rc.1\",\n \"3.10.1\",\n \"3.11.0\",\n \"3.11.0.rc.1\",\n \"3.11.0.rc.2\",\n \"3.11.1\",\n \"3.11.2\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0.rc.1\",\n \"3.12.0.rc.2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0.rc.3\",\n \"3.14.0\",\n \"3.14.0.rc.1\",\n \"3.14.0.rc.2\",\n \"3.14.0.rc.3\",\n \"3.15.0\",\n \"3.15.0.rc.1\",\n \"3.15.0.rc.2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0.rc.1\",\n \"3.16.0.rc.2\",\n \"3.17.0\",\n \"3.17.0.rc.1\",\n \"3.17.0.rc.2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0.rc.1\",\n \"3.18.0.rc.2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0.rc.1\",\n \"3.19.0.rc.2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\",\n \"3.19.6\",\n \"3.2.0\",\n \"3.2.0.1\",\n \"3.2.0.2\",\n \"3.2.1.pre\",\n \"3.20.0\",\n \"3.20.0.rc.1\",\n \"3.20.0.rc.2\",\n \"3.20.1\",\n \"3.20.1.rc.1\",\n \"3.20.2\",\n \"3.20.3\",\n \"3.21.0\",\n \"3.21.0.rc.1\",\n \"3.21.0.rc.2\",\n \"3.21.1\",\n \"3.21.10\",\n \"3.21.11\",\n \"3.21.12\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\",\n \"3.21.7\",\n \"3.21.8\",\n \"3.21.9\",\n \"3.22.0\",\n \"3.22.0.rc.2\",\n \"3.22.0.rc.3\",\n \"3.22.1\",\n \"3.22.2\",\n \"3.22.3\",\n \"3.22.5\",\n \"3.23.0\",\n \"3.23.0.rc.1\",\n \"3.23.0.rc.2\",\n \"3.23.0.rc.3\",\n \"3.23.1\",\n \"3.23.2\",\n \"3.23.3\",\n \"3.23.4\",\n \"3.24.0\",\n \"3.24.0.rc.2\",\n \"3.24.0.rc.3\",\n \"3.24.1\",\n \"3.24.2\",\n \"3.24.3\",\n \"3.24.4\",\n \"3.25.0\",\n \"3.25.0.rc.1\",\n \"3.25.0.rc.2\",\n \"3.25.1\",\n \"3.25.2\",\n \"3.25.3\",\n \"3.25.4\",\n \"3.3.0\",\n \"3.4.0.1\",\n \"3.4.0.2\",\n \"3.4.1.1\",\n \"3.5.0\",\n \"3.5.0.pre\",\n \"3.5.1\",\n \"3.5.1.1\",\n \"3.5.1.2\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0.rc.2\",\n \"3.7.0.rc.3\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0.rc.1\",\n \"3.9.0\",\n \"3.9.0.rc.1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0.rc.1\"\n },\n {\n \"fixed\": \"4.27.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.26.0\",\n \"4.26.0.rc.1\",\n \"4.26.0.rc.2\",\n \"4.26.0.rc.3\",\n \"4.26.1\",\n \"4.27.0\",\n \"4.27.0.rc.1\",\n \"4.27.0.rc.2\",\n \"4.27.0.rc.3\",\n \"4.27.1\",\n \"4.27.2\",\n \"4.27.3\",\n \"4.27.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.28.0.rc.1\"\n },\n {\n \"fixed\": \"4.28.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.28.0\",\n \"4.28.0.rc.1\",\n \"4.28.0.rc.2\",\n \"4.28.0.rc.3\",\n \"4.28.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0-RC1\"\n },\n {\n \"fixed\": \"4.27.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.26.0\",\n \"4.26.0-RC1\",\n \"4.26.0-RC2\",\n \"4.26.0-RC3\",\n \"4.26.1\",\n \"4.27.0\",\n \"4.27.0-RC1\",\n \"4.27.0-RC2\",\n \"4.27.0-RC3\",\n \"4.27.1\",\n \"4.27.2\",\n \"4.27.3\",\n \"4.27.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.28.0-RC1\"\n },\n {\n \"fixed\": \"4.28.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.28.0\",\n \"4.28.0-RC1\",\n \"4.28.0-RC2\",\n \"4.28.0-RC3\",\n \"4.28.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0-RC1\"\n },\n {\n \"fixed\": \"4.27.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.26.0\",\n \"4.26.0-RC1\",\n \"4.26.0-RC2\",\n \"4.26.0-RC3\",\n \"4.26.1\",\n \"4.27.0\",\n \"4.27.0-RC1\",\n \"4.27.0-RC2\",\n \"4.27.0-RC3\",\n \"4.27.1\",\n \"4.27.2\",\n \"4.27.3\",\n \"4.27.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.28.0-RC1\"\n },\n {\n \"fixed\": \"4.28.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.28.0\",\n \"4.28.0-RC1\",\n \"4.28.0-RC2\",\n \"4.28.0-RC3\",\n \"4.28.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0-RC1\"\n },\n {\n \"fixed\": \"4.27.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0-rc-1\",\n \"4.0.0-rc-2\",\n \"4.26.0\",\n \"4.26.0-RC1\",\n \"4.26.0-RC2\",\n \"4.26.0-RC3\",\n \"4.26.1\",\n \"4.27.0\",\n \"4.27.0-RC1\",\n \"4.27.0-RC2\",\n \"4.27.0-RC3\",\n \"4.27.1\",\n \"4.27.2\",\n \"4.27.3\",\n \"4.27.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.28.0-RC1\"\n },\n {\n \"fixed\": \"4.28.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.28.0\",\n \"4.28.0-RC1\",\n \"4.28.0-RC2\",\n \"4.28.0-RC3\",\n \"4.28.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0-RC1\"\n },\n {\n \"fixed\": \"4.27.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0-rc-1\",\n \"4.0.0-rc-2\",\n \"4.26.0\",\n \"4.26.0-RC1\",\n \"4.26.0-RC2\",\n \"4.26.0-RC3\",\n \"4.26.1\",\n \"4.27.0\",\n \"4.27.0-RC1\",\n \"4.27.0-RC2\",\n \"4.27.0-RC3\",\n \"4.27.1\",\n \"4.27.2\",\n \"4.27.3\",\n \"4.27.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.28.0-RC1\"\n },\n {\n \"fixed\": \"4.28.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.28.0\",\n \"4.28.0-RC1\",\n \"4.28.0-RC2\",\n \"4.28.0-RC3\",\n \"4.28.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-735f-pc8j-v9w8/GHSA-735f-pc8j-v9w8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-7254\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/4728531c162f2f9e8c2ca1add713cfee2db6be3b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/850fcce9176e2c9070614dab53537760498c926b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/9a5f5fe752a20cbac2e722b06949ac985abdd534\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/ac9fb5b4c71b0dd80985b27684e265d1f03abf46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/d6c82fc55a76481c676f541a255571e8950bb8c3\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protocolbuffers/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2024-7254.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241213-0010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250418-0006\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-400\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-09-19T16:06:03Z\",\n \"nvd_published_at\": \"2024-09-19T01:15:10Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g5ww-5jh7-63cx\",\n \"published\": \"2022-12-12T15:30:33Z\",\n \"modified\": \"2025-09-02T20:13:15.173427Z\",\n \"aliases\": [\n \"CGA-m9x3-8pwv-rjh3\",\n \"CVE-2022-3509\"\n ],\n \"related\": [\n \"CGA-43ph-pj7p-v2hh\",\n \"CGA-77gj-vphq-h4fj\",\n \"CGA-mr3q-c88f-3c44\"\n ],\n \"summary\": \"Protobuf Java vulnerable to Uncontrolled Resource Consumption\",\n \"details\": \"A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.2.0\",\n \"3.2.0-rc.1\",\n \"3.2.0rc2\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0-rc1\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-g5ww-5jh7-63cx/GHSA-g5ww-5jh7-63cx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3509\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/blob/v2.6.1/java/core/src/main/java/com/google/protobuf/MessageReflection.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/blob/v3.0.0/java/core/src/main/java/com/google/protobuf/MessageReflection.java\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/tree/main/java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-12T22:33:53Z\",\n \"nvd_published_at\": \"2022-12-12T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h4h5-3hr4-j3g2\",\n \"published\": \"2022-10-04T22:17:15Z\",\n \"modified\": \"2024-10-22T05:28:55.628053Z\",\n \"aliases\": [\n \"CGA-xp6q-2w42-9mfm\",\n \"CVE-2022-3171\"\n ],\n \"related\": [\n \"CGA-4823-v8jx-rx3q\",\n \"CGA-j4r7-qxxx-756w\",\n \"CGA-jwcm-r7hw-56j9\",\n \"CVE-2022-3171\"\n ],\n \"summary\": \"protobuf-java has a potential Denial of Service issue\",\n \"details\": \"## Summary\\nA potential Denial of Service issue in `protobuf-java` core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated [embedded messages](http://developers.google.com/protocol-buffers/docs/encoding#embedded) with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. \\n\\nReporter: [OSS Fuzz](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771)\\n\\nAffected versions: This issue affects both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime.\\n\\n## Severity\\n\\n[CVE-2022-3171](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3171) Medium - CVSS Score: 5.7 (NOTE: there may be a delay in publication)\\n\\n## Remediation and Mitigation\\n\\nPlease update to the latest available versions of the following packages:\\n\\nprotobuf-java (3.21.7, 3.20.3, 3.19.6, 3.16.3)\\nprotobuf-javalite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\\nprotobuf-kotlin (3.21.7, 3.20.3, 3.19.6, 3.16.3)\\nprotobuf-kotlin-lite (3.21.7, 3.20.3, 3.19.6, 3.16.3)\\ngoogle-protobuf [JRuby gem only] (3.21.7, 3.20.3, 3.19.6)\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0-rc-1\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0-rc-1\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0.rc.1\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.0.rc.1\",\n \"3.21.0.rc.2\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0-rc-1\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.21.0-rc-1\"\n },\n {\n \"fixed\": \"3.21.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.21.0\",\n \"3.21.0-rc-1\",\n \"3.21.0-rc-2\",\n \"3.21.1\",\n \"3.21.2\",\n \"3.21.3\",\n \"3.21.4\",\n \"3.21.5\",\n \"3.21.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0-rc-1\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0-rc-1\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-1\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0a\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"3.0.0\",\n \"3.0.0-alpha-2\",\n \"3.0.0-alpha-3\",\n \"3.0.0-alpha-3.1\",\n \"3.0.0-beta-1\",\n \"3.0.0-beta-2\",\n \"3.0.0-beta-3\",\n \"3.0.0-beta-4\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.2.0\",\n \"3.2.0-rc.1\",\n \"3.2.0rc2\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0-rc1\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0-rc-1\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0-rc-1\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0.rc.1\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.0.rc.1\",\n \"3.20.0.rc.2\",\n \"3.20.1\",\n \"3.20.1.rc.1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0.rc.1\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0.rc.1\",\n \"3.17.0.rc.2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0.rc.1\",\n \"3.18.0.rc.2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0.rc.1\",\n \"3.19.0.rc.2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.0.alpha.1.0\",\n \"3.0.0.alpha.1.1\",\n \"3.0.0.alpha.2.0\",\n \"3.0.0.alpha.3\",\n \"3.0.0.alpha.3.1.pre\",\n \"3.0.0.alpha.4.0\",\n \"3.0.0.alpha.5.0.3\",\n \"3.0.0.alpha.5.0.4\",\n \"3.0.0.alpha.5.0.5\",\n \"3.0.0.alpha.5.0.5.1\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.1.0.0.pre\",\n \"3.10.0.rc.1\",\n \"3.10.1\",\n \"3.11.0\",\n \"3.11.0.rc.1\",\n \"3.11.0.rc.2\",\n \"3.11.1\",\n \"3.11.2\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0.rc.1\",\n \"3.12.0.rc.2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0.rc.3\",\n \"3.14.0\",\n \"3.14.0.rc.1\",\n \"3.14.0.rc.2\",\n \"3.14.0.rc.3\",\n \"3.15.0\",\n \"3.15.0.rc.1\",\n \"3.15.0.rc.2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0.rc.1\",\n \"3.16.0.rc.2\",\n \"3.2.0\",\n \"3.2.0.1\",\n \"3.2.0.2\",\n \"3.2.1.pre\",\n \"3.3.0\",\n \"3.4.0.1\",\n \"3.4.0.2\",\n \"3.4.1.1\",\n \"3.5.0\",\n \"3.5.0.pre\",\n \"3.5.1\",\n \"3.5.1.1\",\n \"3.5.1.2\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0.rc.2\",\n \"3.7.0.rc.3\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0.rc.1\",\n \"3.9.0\",\n \"3.9.0.rc.1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0-rc-1\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0-rc-1\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-1\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-javalite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-javalite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.16.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.20.0-rc-1\"\n },\n {\n \"fixed\": \"3.20.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.20.0\",\n \"3.20.0-rc-1\",\n \"3.20.1\",\n \"3.20.1-rc-1\",\n \"3.20.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.17.0-rc-1\"\n },\n {\n \"fixed\": \"3.19.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.17.0\",\n \"3.17.0-rc-2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0-rc-1\",\n \"3.18.0-rc-2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0-rc-1\",\n \"3.19.0-rc-2\",\n \"3.19.1\",\n \"3.19.2\",\n \"3.19.3\",\n \"3.19.4\",\n \"3.19.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin-lite\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin-lite\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-h4h5-3hr4-j3g2/GHSA-h4h5-3hr4-j3g2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-3171\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48771\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protocolbuffers/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/releases/tag/v21.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/releases/tag/v3.16.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/releases/tag/v3.19.6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/releases/tag/v3.20.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/google-protobuf/CVE-2022-3171.yml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBAUKJQL6O4TIWYBENORSY5P43TVB4M3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPCGUT3T5L6C3IDWUPSUO22QDCGQKTOP\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202301-09\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-04T22:17:15Z\",\n \"nvd_published_at\": \"2022-10-12T23:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wrvw-hg22-4m67\",\n \"published\": \"2022-01-07T22:31:44Z\",\n \"modified\": \"2024-10-22T05:28:48.749408Z\",\n \"aliases\": [\n \"CGA-h8j8-9v3w-chjj\",\n \"CVE-2021-22569\"\n ],\n \"related\": [\n \"CGA-7g86-w24x-hwm7\",\n \"CGA-8j74-3gff-6wq3\",\n \"CGA-gp73-784m-3935\"\n ],\n \"summary\": \"A potential Denial of Service issue in protobuf-java\",\n \"details\": \"## Summary\\n\\nA potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data.\\n\\nReporter: [OSS-Fuzz](https://github.com/google/oss-fuzz)\\n\\nAffected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf \\\"javalite\\\" users (typically Android) are not affected.\\n\\n## Severity\\n\\n[CVE-2021-22569](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22569) **High** - CVSS Score: 7.5, An implementation weakness in how unknown fields are parsed in Java. A small (~800 KB) malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated GC pauses.\\n\\n## Proof of Concept\\n\\nFor reproduction details, please refer to the oss-fuzz issue that identifies the specific inputs that exercise this parsing weakness.\\n\\n## Remediation and Mitigation\\n\\nPlease update to the latest available versions of the following packages:\\n\\n- protobuf-java (3.16.1, 3.18.2, 3.19.2) \\n- protobuf-kotlin (3.18.2, 3.19.2)\\n- google-protobuf [JRuby gem only] (3.19.2) \\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.16.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1\",\n \"2.0.3\",\n \"2.1.0\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0a\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"3.0.0\",\n \"3.0.0-alpha-2\",\n \"3.0.0-alpha-3\",\n \"3.0.0-alpha-3.1\",\n \"3.0.0-beta-1\",\n \"3.0.0-beta-2\",\n \"3.0.0-beta-3\",\n \"3.0.0-beta-4\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.10.0\",\n \"3.10.0-rc-1\",\n \"3.11.0\",\n \"3.11.0-rc-1\",\n \"3.11.0-rc-2\",\n \"3.11.1\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0-rc-1\",\n \"3.12.0-rc-2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0-rc-3\",\n \"3.14.0\",\n \"3.14.0-rc-1\",\n \"3.14.0-rc-2\",\n \"3.14.0-rc-3\",\n \"3.15.0\",\n \"3.15.0-rc-1\",\n \"3.15.0-rc-2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0-rc-1\",\n \"3.16.0-rc-2\",\n \"3.2.0\",\n \"3.2.0-rc.1\",\n \"3.2.0rc2\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.4.0\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0-rc1\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0-rc-1\",\n \"3.9.0\",\n \"3.9.0-rc-1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"google-protobuf\",\n \"ecosystem\": \"RubyGems\",\n \"purl\": \"pkg:gem/google-protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.19.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.0.alpha.1.0\",\n \"3.0.0.alpha.1.1\",\n \"3.0.0.alpha.2.0\",\n \"3.0.0.alpha.3\",\n \"3.0.0.alpha.3.1.pre\",\n \"3.0.0.alpha.4.0\",\n \"3.0.0.alpha.5.0.3\",\n \"3.0.0.alpha.5.0.4\",\n \"3.0.0.alpha.5.0.5\",\n \"3.0.0.alpha.5.0.5.1\",\n \"3.0.2\",\n \"3.1.0\",\n \"3.1.0.0.pre\",\n \"3.10.0.rc.1\",\n \"3.10.1\",\n \"3.11.0\",\n \"3.11.0.rc.1\",\n \"3.11.0.rc.2\",\n \"3.11.1\",\n \"3.11.2\",\n \"3.11.3\",\n \"3.11.4\",\n \"3.12.0\",\n \"3.12.0.rc.1\",\n \"3.12.0.rc.2\",\n \"3.12.1\",\n \"3.12.2\",\n \"3.12.4\",\n \"3.13.0\",\n \"3.13.0.rc.3\",\n \"3.14.0\",\n \"3.14.0.rc.1\",\n \"3.14.0.rc.2\",\n \"3.14.0.rc.3\",\n \"3.15.0\",\n \"3.15.0.rc.1\",\n \"3.15.0.rc.2\",\n \"3.15.1\",\n \"3.15.2\",\n \"3.15.3\",\n \"3.15.4\",\n \"3.15.5\",\n \"3.15.6\",\n \"3.15.7\",\n \"3.15.8\",\n \"3.16.0\",\n \"3.16.0.rc.1\",\n \"3.16.0.rc.2\",\n \"3.17.0\",\n \"3.17.0.rc.1\",\n \"3.17.0.rc.2\",\n \"3.17.1\",\n \"3.17.2\",\n \"3.17.3\",\n \"3.18.0\",\n \"3.18.0.rc.1\",\n \"3.18.0.rc.2\",\n \"3.18.1\",\n \"3.18.2\",\n \"3.18.3\",\n \"3.19.0\",\n \"3.19.0.rc.1\",\n \"3.19.0.rc.2\",\n \"3.19.1\",\n \"3.2.0\",\n \"3.2.0.1\",\n \"3.2.0.2\",\n \"3.2.1.pre\",\n \"3.3.0\",\n \"3.4.0.1\",\n \"3.4.0.2\",\n \"3.4.1.1\",\n \"3.5.0\",\n \"3.5.0.pre\",\n \"3.5.1\",\n \"3.5.1.1\",\n \"3.5.1.2\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.0.rc.2\",\n \"3.7.0.rc.3\",\n \"3.7.1\",\n \"3.8.0\",\n \"3.8.0.rc.1\",\n \"3.9.0\",\n \"3.9.0.rc.1\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.18.0\"\n },\n {\n \"fixed\": \"3.18.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.18.0\",\n \"3.18.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.19.0\"\n },\n {\n \"fixed\": \"3.19.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.19.0\",\n \"3.19.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.18.0\"\n },\n {\n \"fixed\": \"3.18.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.18.0\",\n \"3.18.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.google.protobuf:protobuf-kotlin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.google.protobuf/protobuf-kotlin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.19.0\"\n },\n {\n \"fixed\": \"3.19.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.19.0\",\n \"3.19.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-wrvw-hg22-4m67/GHSA-wrvw-hg22-4m67.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-wrvw-hg22-4m67\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-22569\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39330\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cloud.google.com/support/bulletins#gcp-2022-001\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/protocolbuffers/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/01/12/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/01/12/7\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-696\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-07T22:23:14Z\",\n \"nvd_published_at\": \"2022-01-10T14:10:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3vrc-rrpw-r5pw\",\n \"published\": \"2023-02-19T18:30:21Z\",\n \"modified\": \"2024-03-01T14:52:28.150101Z\",\n \"aliases\": [\n \"CVE-2014-125087\"\n ],\n \"summary\": \"java-xmlbuilder vulnerable to XML External Entity Reference\",\n \"details\": \"A vulnerability was found in java-xmlbuilder up to 1.1. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation leads to xml external entity reference. Upgrading to version 1.2 is able to address this issue. The name of the patch is e6fddca201790abab4f2c274341c0bb8835c3e73. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-221480.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.jamesmurty.utils:java-xmlbuilder\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.jamesmurty.utils/java-xmlbuilder\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.3\",\n \"0.4\",\n \"0.6\",\n \"1.0\",\n \"1.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-3vrc-rrpw-r5pw/GHSA-3vrc-rrpw-r5pw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-125087\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jmurty/java-xmlbuilder/issues/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jmurty/java-xmlbuilder/commit/e6fddca201790abab4f2c274341c0bb8835c3e73\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jmurty/java-xmlbuilder\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jmurty/java-xmlbuilder/releases/tag/v1.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240208-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?ctiid.221480\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuldb.com/?id.221480\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-03-01T20:46:06Z\",\n \"nvd_published_at\": \"2023-02-19T17:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q446-82vq-w674\",\n \"published\": \"2022-05-13T01:09:33Z\",\n \"modified\": \"2024-02-20T05:33:38.873866Z\",\n \"aliases\": [\n \"CVE-2016-5725\"\n ],\n \"summary\": \"Improper Limitation of a Pathname to a Restricted Directory in JCraft JSch\",\n \"details\": \"Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\\\\ (dot dot backslash) in a response to a recursive GET command.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.jcraft:jsch\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.jcraft/jsch\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.1.54\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.23\",\n \"0.1.24\",\n \"0.1.25\",\n \"0.1.27\",\n \"0.1.29\",\n \"0.1.31\",\n \"0.1.38\",\n \"0.1.41\",\n \"0.1.42\",\n \"0.1.43\",\n \"0.1.43-1\",\n \"0.1.44\",\n \"0.1.44-1\",\n \"0.1.45\",\n \"0.1.46\",\n \"0.1.47\",\n \"0.1.48\",\n \"0.1.49\",\n \"0.1.50\",\n \"0.1.51\",\n \"0.1.52\",\n \"0.1.53\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.1.53\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q446-82vq-w674/GHSA-q446-82vq-w674.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-5725\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3115\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00017.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.exploit-db.com/exploits/40411\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/138809/jsch-0.1.53-Path-Traversal.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2016/Sep/53\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.jcraft.com/jsch/ChangeLog\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:44:21Z\",\n \"nvd_published_at\": \"2017-01-19T22:59:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-84p2-vf58-xhxv\",\n \"published\": \"2019-04-23T16:03:18Z\",\n \"modified\": \"2024-02-16T08:07:45.873484Z\",\n \"aliases\": [\n \"CVE-2019-5427\"\n ],\n \"summary\": \"Billion laughs attack in c3p0\",\n \"details\": \"c3p0 version \\u003c 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.mchange:c3p0\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.mchange/c3p0\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.9.5.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9.2\",\n \"0.9.2-pre2-RELEASE\",\n \"0.9.2-pre3\",\n \"0.9.2-pre4\",\n \"0.9.2-pre5\",\n \"0.9.2-pre6\",\n \"0.9.2-pre7\",\n \"0.9.2-pre8\",\n \"0.9.2.1\",\n \"0.9.5\",\n \"0.9.5-pre1\",\n \"0.9.5-pre10\",\n \"0.9.5-pre2\",\n \"0.9.5-pre3\",\n \"0.9.5-pre4\",\n \"0.9.5-pre5\",\n \"0.9.5-pre6\",\n \"0.9.5-pre7\",\n \"0.9.5-pre8\",\n \"0.9.5-pre9\",\n \"0.9.5.1\",\n \"0.9.5.2\",\n \"0.9.5.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.9.5.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-84p2-vf58-xhxv/GHSA-84p2-vf58-xhxv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-5427\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hackerone.com/reports/509315\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-776\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-23T16:01:51Z\",\n \"nvd_published_at\": \"2019-04-22T21:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q485-j897-qc27\",\n \"published\": \"2019-01-07T19:14:34Z\",\n \"modified\": \"2024-02-17T05:36:17.856971Z\",\n \"aliases\": [\n \"CVE-2018-20433\"\n ],\n \"summary\": \"XML External Entity Reference in mchange:c3p0\",\n \"details\": \"c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.mchange:c3p0\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.mchange/c3p0\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.9.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9.2\",\n \"0.9.2-pre2-RELEASE\",\n \"0.9.2-pre3\",\n \"0.9.2-pre4\",\n \"0.9.2-pre5\",\n \"0.9.2-pre6\",\n \"0.9.2-pre7\",\n \"0.9.2-pre8\",\n \"0.9.2.1\",\n \"0.9.5\",\n \"0.9.5-pre1\",\n \"0.9.5-pre10\",\n \"0.9.5-pre2\",\n \"0.9.5-pre3\",\n \"0.9.5-pre4\",\n \"0.9.5-pre5\",\n \"0.9.5-pre6\",\n \"0.9.5-pre7\",\n \"0.9.5-pre8\",\n \"0.9.5-pre9\",\n \"0.9.5.1\",\n \"0.9.5.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.9.5.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-q485-j897-qc27/GHSA-q485-j897-qc27.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-20433\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-q485-j897-qc27\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/zhutougg/c3p0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/12/msg00021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFIVX6HOVNLAM7W3SUAMHYRNLCVQSAWR\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQ47OFV57Y2DAHMGA5H3JOL4WHRWRFN4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:50:54Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2qp9-wg27-9pcv\",\n \"published\": \"2022-05-13T01:30:32Z\",\n \"modified\": \"2023-11-08T03:58:54.698483Z\",\n \"aliases\": [\n \"CVE-2017-12972\"\n ],\n \"summary\": \"Nimbus JOSE+JWT missing overflow check\",\n \"details\": \"In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.39\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.36\",\n \"4.36.1\",\n \"4.37\",\n \"4.37.1\",\n \"4.38\",\n \"4.4\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2qp9-wg27-9pcv/GHSA-2qp9-wg27-9pcv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12972\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-345\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-08T22:28:09Z\",\n \"nvd_published_at\": \"2017-08-20T16:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f6vf-pq8c-69m4\",\n \"published\": \"2019-10-16T18:31:17Z\",\n \"modified\": \"2024-03-14T05:19:45.441054Z\",\n \"aliases\": [\n \"CVE-2019-17195\"\n ],\n \"summary\": \"Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT\",\n \"details\": \"Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.36\",\n \"4.36.1\",\n \"4.37\",\n \"4.37.1\",\n \"4.38\",\n \"4.39\",\n \"4.39.1\",\n \"4.39.2\",\n \"4.4\",\n \"4.40\",\n \"4.41\",\n \"4.41.1\",\n \"4.41.2\",\n \"4.41.3\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\",\n \"5.0\",\n \"5.1\",\n \"5.10\",\n \"5.11\",\n \"5.12\",\n \"5.13\",\n \"5.14\",\n \"5.2\",\n \"5.3\",\n \"5.4\",\n \"5.5\",\n \"5.6\",\n \"5.7\",\n \"5.8\",\n \"5.9\",\n \"6.0\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1\",\n \"6.1.1\",\n \"6.2\",\n \"6.3\",\n \"6.3.1\",\n \"6.4\",\n \"6.4.1\",\n \"6.4.2\",\n \"6.5\",\n \"6.5.1\",\n \"6.6\",\n \"6.7\",\n \"6.8\",\n \"7.0\",\n \"7.0.1\",\n \"7.1\",\n \"7.2.1\",\n \"7.3\",\n \"7.4\",\n \"7.5\",\n \"7.5.1\",\n \"7.6\",\n \"7.7\",\n \"7.8\",\n \"7.8.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-f6vf-pq8c-69m4/GHSA-f6vf-pq8c-69m4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://connect2id.com/blog/nimbus-jose-jwt-7-9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-754\",\n \"CWE-755\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-10-16T15:26:53Z\",\n \"nvd_published_at\": \"2019-10-15T14:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gvpg-vgmx-xg6w\",\n \"published\": \"2024-02-11T06:30:27Z\",\n \"modified\": \"2024-10-30T21:46:42.418884Z\",\n \"aliases\": [\n \"CGA-hvjw-cqfw-cqf3\",\n \"CVE-2023-52428\"\n ],\n \"related\": [\n \"CGA-63mv-w982-8q6x\",\n \"CGA-7847-h394-6rg8\",\n \"CGA-7v5w-r37c-32w7\",\n \"CGA-7x8r-hc4w-927c\",\n \"CGA-88mj-xqrj-5rg4\",\n \"CGA-xqhq-97gr-pfg7\"\n ],\n \"summary\": \"Denial of Service in Connect2id Nimbus JOSE+JWT\",\n \"details\": \"In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.37.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.36\",\n \"4.36.1\",\n \"4.37\",\n \"4.37.1\",\n \"4.38\",\n \"4.39\",\n \"4.39.1\",\n \"4.39.2\",\n \"4.4\",\n \"4.40\",\n \"4.41\",\n \"4.41.1\",\n \"4.41.2\",\n \"4.41.3\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\",\n \"5.0\",\n \"5.1\",\n \"5.10\",\n \"5.11\",\n \"5.12\",\n \"5.13\",\n \"5.14\",\n \"5.2\",\n \"5.3\",\n \"5.4\",\n \"5.5\",\n \"5.6\",\n \"5.7\",\n \"5.8\",\n \"5.9\",\n \"6.0\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1\",\n \"6.1.1\",\n \"6.2\",\n \"6.3\",\n \"6.3.1\",\n \"6.4\",\n \"6.4.1\",\n \"6.4.2\",\n \"6.5\",\n \"6.5.1\",\n \"6.6\",\n \"6.7\",\n \"6.8\",\n \"7.0\",\n \"7.0.1\",\n \"7.1\",\n \"7.2.1\",\n \"7.3\",\n \"7.4\",\n \"7.5\",\n \"7.5.1\",\n \"7.6\",\n \"7.7\",\n \"7.8\",\n \"7.8.1\",\n \"7.9\",\n \"8.0\",\n \"8.1\",\n \"8.10\",\n \"8.11\",\n \"8.12\",\n \"8.13\",\n \"8.14\",\n \"8.14.1\",\n \"8.15\",\n \"8.16\",\n \"8.17\",\n \"8.17.1\",\n \"8.18\",\n \"8.18.1\",\n \"8.19\",\n \"8.2\",\n \"8.2.1\",\n \"8.20\",\n \"8.20.1\",\n \"8.20.2\",\n \"8.21\",\n \"8.21.1\",\n \"8.22\",\n \"8.22.1\",\n \"8.23\",\n \"8.3\",\n \"8.4\",\n \"8.4.1\",\n \"8.5\",\n \"8.5.1\",\n \"8.6\",\n \"8.7\",\n \"8.8\",\n \"8.9\",\n \"9.0\",\n \"9.0.1\",\n \"9.1\",\n \"9.1.1\",\n \"9.1.2\",\n \"9.1.3\",\n \"9.1.4\",\n \"9.1.5\",\n \"9.10\",\n \"9.10.1\",\n \"9.11\",\n \"9.11.1\",\n \"9.11.2\",\n \"9.11.3\",\n \"9.12\",\n \"9.12.1\",\n \"9.13\",\n \"9.14\",\n \"9.15\",\n \"9.15.1\",\n \"9.15.2\",\n \"9.16\",\n \"9.16-preview.1\",\n \"9.16.1\",\n \"9.17\",\n \"9.18\",\n \"9.19\",\n \"9.2\",\n \"9.20\",\n \"9.21\",\n \"9.21.1\",\n \"9.22\",\n \"9.23\",\n \"9.24\",\n \"9.24.1\",\n \"9.24.2\",\n \"9.24.3\",\n \"9.24.4\",\n \"9.25\",\n \"9.25.1\",\n \"9.25.2\",\n \"9.25.3\",\n \"9.25.4\",\n \"9.25.5\",\n \"9.25.6\",\n \"9.26\",\n \"9.27\",\n \"9.28\",\n \"9.29\",\n \"9.3\",\n \"9.30\",\n \"9.30.1\",\n \"9.30.2\",\n \"9.31\",\n \"9.32\",\n \"9.33\",\n \"9.34\",\n \"9.35\",\n \"9.36\",\n \"9.37\",\n \"9.37.1\",\n \"9.4\",\n \"9.4.1\",\n \"9.4.2\",\n \"9.5\",\n \"9.6\",\n \"9.6.1\",\n \"9.7\",\n \"9.8\",\n \"9.8.1\",\n \"9.9\",\n \"9.9.1\",\n \"9.9.2\",\n \"9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-gvpg-vgmx-xg6w/GHSA-gvpg-vgmx-xg6w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-52428\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://connect2id.com/products/nimbus-jose-jwt\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-03-15T14:23:03Z\",\n \"nvd_published_at\": \"2024-02-11T05:15:08Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jfmq-4g4m-99rh\",\n \"published\": \"2022-05-13T01:42:51Z\",\n \"modified\": \"2023-11-08T03:58:54.759362Z\",\n \"aliases\": [\n \"CVE-2017-12973\"\n ],\n \"summary\": \"Nimbus JOSE+JWT vulnerable to padding oracle attack\",\n \"details\": \"Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.39\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.36\",\n \"4.36.1\",\n \"4.37\",\n \"4.37.1\",\n \"4.38\",\n \"4.4\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12973\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-354\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-08T23:03:33Z\",\n \"nvd_published_at\": \"2017-08-20T16:29:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pfv2-37f7-9m6w\",\n \"published\": \"2022-05-13T01:30:32Z\",\n \"modified\": \"2023-11-08T03:58:54.822926Z\",\n \"aliases\": [\n \"CVE-2017-12974\"\n ],\n \"summary\": \"Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT\",\n \"details\": \"Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.36\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.4\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfv2-37f7-9m6w/GHSA-pfv2-37f7-9m6w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12974\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/felx/nimbus-jose-jwt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T20:20:30Z\",\n \"nvd_published_at\": \"2017-08-20T16:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xwmg-2g98-w7v9\",\n \"published\": \"2025-07-11T03:30:34Z\",\n \"modified\": \"2025-09-19T21:45:11.861171Z\",\n \"aliases\": [\n \"CVE-2025-53864\"\n ],\n \"related\": [\n \"CGA-3852-7xcx-96qx\",\n \"CGA-8gr5-54h9-6g76\",\n \"CGA-c923-6h8p-37xc\",\n \"CGA-cxqr-5r5g-9rgj\",\n \"CGA-mpwh-pghw-hw5x\"\n ],\n \"summary\": \"Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON\",\n \"details\": \"Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.38-rc1\"\n },\n {\n \"fixed\": \"10.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0\",\n \"10.0.1\",\n \"9.38\",\n \"9.38-rc1\",\n \"9.38-rc3\",\n \"9.38-rc4\",\n \"9.38-rc5\",\n \"9.39\",\n \"9.39.1\",\n \"9.39.2\",\n \"9.39.3\",\n \"9.40\",\n \"9.41\",\n \"9.41.1\",\n \"9.41.2\",\n \"9.42\",\n \"9.43\",\n \"9.44\",\n \"9.45\",\n \"9.46\",\n \"9.47\",\n \"9.48\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xwmg-2g98-w7v9/GHSA-xwmg-2g98-w7v9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.nimbusds:nimbus-jose-jwt\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.nimbusds/nimbus-jose-jwt\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.37.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10\",\n \"2.10.1\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.14.0\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.16\",\n \"2.17\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.18\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.19\",\n \"2.19.1\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.22.1\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.26.1\",\n \"2.9\",\n \"3.0\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.10\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.9\",\n \"3.9.1\",\n \"3.9.2\",\n \"4.0\",\n \"4.0-rc1\",\n \"4.0-rc2\",\n \"4.0-rc3\",\n \"4.0-rc4\",\n \"4.0.1\",\n \"4.1\",\n \"4.1.1\",\n \"4.10\",\n \"4.11\",\n \"4.11.1\",\n \"4.11.2\",\n \"4.12\",\n \"4.13\",\n \"4.13.1\",\n \"4.14\",\n \"4.15\",\n \"4.15.1\",\n \"4.16\",\n \"4.16.1\",\n \"4.16.2\",\n \"4.17\",\n \"4.18\",\n \"4.19\",\n \"4.2\",\n \"4.20\",\n \"4.21\",\n \"4.22\",\n \"4.23\",\n \"4.24\",\n \"4.25\",\n \"4.26\",\n \"4.26.1\",\n \"4.27\",\n \"4.27.1\",\n \"4.28\",\n \"4.29\",\n \"4.3\",\n \"4.3.1\",\n \"4.30\",\n \"4.31.1\",\n \"4.32\",\n \"4.33\",\n \"4.34\",\n \"4.34.1\",\n \"4.34.2\",\n \"4.35\",\n \"4.36\",\n \"4.36.1\",\n \"4.37\",\n \"4.37.1\",\n \"4.38\",\n \"4.39\",\n \"4.39.1\",\n \"4.39.2\",\n \"4.4\",\n \"4.40\",\n \"4.41\",\n \"4.41.1\",\n \"4.41.2\",\n \"4.41.3\",\n \"4.5\",\n \"4.6\",\n \"4.7\",\n \"4.8\",\n \"4.9\",\n \"5.0\",\n \"5.1\",\n \"5.10\",\n \"5.11\",\n \"5.12\",\n \"5.13\",\n \"5.14\",\n \"5.2\",\n \"5.3\",\n \"5.4\",\n \"5.5\",\n \"5.6\",\n \"5.7\",\n \"5.8\",\n \"5.9\",\n \"6.0\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1\",\n \"6.1.1\",\n \"6.2\",\n \"6.3\",\n \"6.3.1\",\n \"6.4\",\n \"6.4.1\",\n \"6.4.2\",\n \"6.5\",\n \"6.5.1\",\n \"6.6\",\n \"6.7\",\n \"6.8\",\n \"7.0\",\n \"7.0.1\",\n \"7.1\",\n \"7.2.1\",\n \"7.3\",\n \"7.4\",\n \"7.5\",\n \"7.5.1\",\n \"7.6\",\n \"7.7\",\n \"7.8\",\n \"7.8.1\",\n \"7.9\",\n \"8.0\",\n \"8.1\",\n \"8.10\",\n \"8.11\",\n \"8.12\",\n \"8.13\",\n \"8.14\",\n \"8.14.1\",\n \"8.15\",\n \"8.16\",\n \"8.17\",\n \"8.17.1\",\n \"8.18\",\n \"8.18.1\",\n \"8.19\",\n \"8.2\",\n \"8.2.1\",\n \"8.20\",\n \"8.20.1\",\n \"8.20.2\",\n \"8.21\",\n \"8.21.1\",\n \"8.22\",\n \"8.22.1\",\n \"8.23\",\n \"8.3\",\n \"8.4\",\n \"8.4.1\",\n \"8.5\",\n \"8.5.1\",\n \"8.6\",\n \"8.7\",\n \"8.8\",\n \"8.9\",\n \"9.0\",\n \"9.0.1\",\n \"9.1\",\n \"9.1.1\",\n \"9.1.2\",\n \"9.1.3\",\n \"9.1.4\",\n \"9.1.5\",\n \"9.10\",\n \"9.10.1\",\n \"9.11\",\n \"9.11.1\",\n \"9.11.2\",\n \"9.11.3\",\n \"9.12\",\n \"9.12.1\",\n \"9.13\",\n \"9.14\",\n \"9.15\",\n \"9.15.1\",\n \"9.15.2\",\n \"9.16\",\n \"9.16-preview.1\",\n \"9.16.1\",\n \"9.17\",\n \"9.18\",\n \"9.19\",\n \"9.2\",\n \"9.20\",\n \"9.21\",\n \"9.21.1\",\n \"9.22\",\n \"9.23\",\n \"9.24\",\n \"9.24.1\",\n \"9.24.2\",\n \"9.24.3\",\n \"9.24.4\",\n \"9.25\",\n \"9.25.1\",\n \"9.25.2\",\n \"9.25.3\",\n \"9.25.4\",\n \"9.25.5\",\n \"9.25.6\",\n \"9.26\",\n \"9.27\",\n \"9.28\",\n \"9.29\",\n \"9.3\",\n \"9.30\",\n \"9.30.1\",\n \"9.30.2\",\n \"9.31\",\n \"9.32\",\n \"9.33\",\n \"9.34\",\n \"9.35\",\n \"9.36\",\n \"9.37\",\n \"9.37.1\",\n \"9.37.2\",\n \"9.37.3\",\n \"9.4\",\n \"9.4.1\",\n \"9.4.2\",\n \"9.5\",\n \"9.6\",\n \"9.6.1\",\n \"9.7\",\n \"9.8\",\n \"9.8.1\",\n \"9.9\",\n \"9.9.1\",\n \"9.9.2\",\n \"9.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xwmg-2g98-w7v9/GHSA-xwmg-2g98-w7v9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-53864\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/gson/commit/1039427ff0100293dd3cf967a53a55282c0fef6b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f7fb882cc08f027c9ceb874acec3b51c6222861c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/583/stackoverflowerror-due-to-deeply-nested\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/593/back-port-cve-2025-53864-fix-to-9x-branch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/gson/compare/gson-parent-2.11.0...gson-parent-2.12.0\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-11T16:43:40Z\",\n \"nvd_published_at\": \"2025-07-11T03:16:03Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5m48-vr54-vmh3\",\n \"published\": \"2022-05-17T19:57:08Z\",\n \"modified\": \"2025-06-19T18:13:37.881595Z\",\n \"aliases\": [\n \"CVE-2014-3643\"\n ],\n \"summary\": \"jersey: XXE via parameter entities\",\n \"details\": \"jersey: XXE via parameter entities not disabled by the jersey SAX parser\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"com.sun.jersey:jersey-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.sun.jersey/jersey-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9-ea\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.3.1\",\n \"1.1.0-ea\",\n \"1.1.1-ea\",\n \"1.1.2-ea\",\n \"1.1.3-ea\",\n \"1.1.4\",\n \"1.1.4.1\",\n \"1.1.5\",\n \"1.1.5-ea-20100104\",\n \"1.1.5-ea-v20091019\",\n \"1.1.5.1\",\n \"1.1.5.2\",\n \"1.10\",\n \"1.10-b01\",\n \"1.10-b02\",\n \"1.10-b03\",\n \"1.10-b04\",\n \"1.10-b05\",\n \"1.11\",\n \"1.11-b01\",\n \"1.11-b02\",\n \"1.11-b03\",\n \"1.11-b04\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.12\",\n \"1.12-b01\",\n \"1.13-b01\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4-ea01\",\n \"1.4-ea02\",\n \"1.4-ea03\",\n \"1.4-ea04\",\n \"1.4-ea05\",\n \"1.4-ea06\",\n \"1.5\",\n \"1.5-ea01\",\n \"1.5-ea02\",\n \"1.5-ea03\",\n \"1.5-ea04\",\n \"1.5-ea05\",\n \"1.5-ea06\",\n \"1.5-ea07\",\n \"1.5-ea08\",\n \"1.5-ea09\",\n \"1.6\",\n \"1.6-ea01\",\n \"1.6-ea02\",\n \"1.6-ea03\",\n \"1.6-ea04\",\n \"1.6-ea05\",\n \"1.6-ea06\",\n \"1.7\",\n \"1.7-ea01\",\n \"1.7-ea02\",\n \"1.7-ea03\",\n \"1.7-ea04\",\n \"1.7-ea05\",\n \"1.7-ea06\",\n \"1.7-ea07\",\n \"1.8\",\n \"1.8-ea01\",\n \"1.8-ea02\",\n \"1.8-ea03\",\n \"1.8-ea04\",\n \"1.9\",\n \"1.9-ea01\",\n \"1.9-ea02\",\n \"1.9-ea03\",\n \"1.9-ea04\",\n \"1.9-ea06\",\n \"1.9-ea07\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5m48-vr54-vmh3/GHSA-5m48-vr54-vmh3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-3643\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/javaee/jersey-1.x/commit/49f1e5a6ac608ccb51939205e4739f328f2223e6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/cve-2014-3643\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3643\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/javaee/jersey-1.x\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.sourceclear.com/vulnerability-database/security/xml-external-entity-xxe/java/sid-22175\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-19T17:08:27Z\",\n \"nvd_published_at\": \"2019-12-15T22:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6phf-73q6-gh87\",\n \"published\": \"2020-06-15T20:36:17Z\",\n \"modified\": \"2024-03-08T05:28:43.649817Z\",\n \"aliases\": [\n \"CVE-2019-10086\"\n ],\n \"related\": [\n \"CGA-3x75-f9j7-7hm9\"\n ],\n \"summary\": \"Insecure Deserialization in Apache Commons Beanutils\",\n \"details\": \"In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-beanutils/commons-beanutils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.6.1\",\n \"1.7.0\",\n \"1.8.0\",\n \"1.8.0-BETA\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.2\",\n \"1.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6phf-73q6-gh87/GHSA-6phf-73q6-gh87.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10086\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4317\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0057\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0194\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-beanutils\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T15:08:49Z\",\n \"nvd_published_at\": \"2019-08-20T21:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p66x-2cv9-qq3v\",\n \"published\": \"2020-06-10T23:38:01Z\",\n \"modified\": \"2024-12-01T05:31:59.449737Z\",\n \"aliases\": [\n \"CVE-2014-0114\"\n ],\n \"summary\": \"Arbitrary code execution in Apache Commons BeanUtils\",\n \"details\": \"Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \\\"manipulate\\\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-beanutils/commons-beanutils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.8.0\"\n },\n {\n \"fixed\": \"1.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.2\",\n \"1.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-p66x-2cv9-qq3v/GHSA-p66x-2cv9-qq3v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-0114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-beanutils/pull/7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-beanutils/commit/62e82ad92cf4818709d6044aaf257b73d42659a4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639@%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40@%3Cgitbox.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20150710065242/http://www.securityfocus.com/archive/1/534161/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140618110851/http://www.securityfocus.com/bid/67121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-COMMONSBEANUTILS-30077\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180629-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20140911-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/201607-09\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3@%3Cnotifications.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f@%3Cnotifications.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5@%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f@%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/BEANUTILS-463\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-beanutils\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1116665\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1091938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/solutions/869353\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2995\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd@%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0@%3Cissues.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://advisories.mageia.org/MGASA-2014-0219.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=140119284401582\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=140801096002766\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=141451023707502\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://openwall.com/lists/oss-security/2014/06/15/10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://openwall.com/lists/oss-security/2014/07/08/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2014/Dec/23\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674128\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674812\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675266\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675387\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675689\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675898\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21675972\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676091\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676110\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676303\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676375\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676931\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21677110\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg27042296\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2014/dsa-2940\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ibm.com/support/docview.wss?uid=swg21675496\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2014:095\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vmware.com/security/advisories/VMSA-2014-0012.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-10T23:37:42Z\",\n \"nvd_published_at\": \"2014-04-30T10:49:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wxr5-93ph-8wr9\",\n \"published\": \"2025-05-28T15:34:34Z\",\n \"modified\": \"2025-11-03T22:02:52.251771Z\",\n \"aliases\": [\n \"CVE-2025-48734\"\n ],\n \"related\": [\n \"CGA-4m3v-9fm7-3827\",\n \"CGA-4vxj-ffhj-xx7v\",\n \"CGA-6294-j3wv-p997\",\n \"CGA-65c9-4g2c-373p\",\n \"CGA-833r-vwc8-62f8\",\n \"CGA-h6g7-pxcx-m22q\",\n \"CGA-h73m-gfrj-3j4v\",\n \"CGA-hg4r-wggg-wv2r\",\n \"CGA-jqx3-wwgp-2r3g\",\n \"CGA-mh8p-6rr9-xrhf\",\n \"CGA-q9p5-pgm4-hw27\",\n \"CGA-wrw4-qfp6-7h6x\",\n \"CGA-xrg4-fgj3-f9vq\"\n ],\n \"summary\": \"Apache Commons Improper Access Control vulnerability\",\n \"details\": \"Improper Access Control vulnerability in Apache Commons.\\n\\n\\n\\nA special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.\\n\\n\\n\\n\\n\\nReleases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().\\nStarting in versions 1.11.0 and 2.0.0-M2 a special BeanIntrospector suppresses the “declaredClass” property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.\\n\\nThis issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2.Users of the artifact commons-beanutils:commons-beanutils\\n\\n 1.x are recommended to upgrade to version 1.11.0, which fixes the issue.\\n\\n\\nUsers of the artifact org.apache.commons:commons-beanutils2\\n\\n 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-beanutils:commons-beanutils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-beanutils/commons-beanutils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0\"\n },\n {\n \"fixed\": \"1.11.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.6.1\",\n \"1.7.0\",\n \"1.8.0\",\n \"1.8.0-BETA\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.2\",\n \"1.9.3\",\n \"1.9.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.10.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wxr5-93ph-8wr9/GHSA-wxr5-93ph-8wr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-beanutils2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-beanutils2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0-M1\"\n },\n {\n \"fixed\": \"2.0.0-M2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0-M1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-wxr5-93ph-8wr9/GHSA-wxr5-93ph-8wr9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48734\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-beanutils/commit/bd20740da25b69552ddef8523beec0837297eaf9\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-beanutils\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/s0hb3jkfj5f3ryx6c57zqtfohb0of1g9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/06/msg00027.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/05/28/6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-28T17:37:18Z\",\n \"nvd_published_at\": \"2025-05-28T14:15:34Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6hgm-866r-3cjv\",\n \"published\": \"2020-06-15T20:36:20Z\",\n \"modified\": \"2024-11-28T05:40:45.267146Z\",\n \"aliases\": [\n \"CVE-2015-6420\"\n ],\n \"summary\": \"Insecure Deserialization in Apache Commons Collection\",\n \"details\": \"Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-collections4\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-collections4\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"commons-collections:commons-collections\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-collections/commons-collections\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.2.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"2.0\",\n \"2.0.20020914.015953\",\n \"2.0.20020914.020746\",\n \"2.0.20020914.020858\",\n \"2.1\",\n \"2.1.1\",\n \"3.0\",\n \"3.0-dev2\",\n \"3.1\",\n \"3.2\",\n \"3.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"net.sourceforge.collections:collections-generic\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.collections/collections-generic\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.0.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"4.01\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.2.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-6hgm-866r-3cjv/GHSA-6hgm-866r-3cjv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-6420\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-collections\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.kb.cert.org/vuls/id/581311\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/research/tra-2017-14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/research/tra-2017-23\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/78872\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T15:58:44Z\",\n \"nvd_published_at\": \"2015-12-15T05:59:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fjq5-5j5f-mvxh\",\n \"published\": \"2022-05-13T01:25:20Z\",\n \"modified\": \"2024-02-17T05:22:18.562352Z\",\n \"aliases\": [\n \"CVE-2015-7501\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in Apache commons collections\",\n \"details\": \"It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-collections:commons-collections\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-collections/commons-collections\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.2.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"2.0\",\n \"2.0.20020914.015953\",\n \"2.0.20020914.020746\",\n \"2.0.20020914.020858\",\n \"2.1\",\n \"2.1.1\",\n \"3.0\",\n \"3.0-dev2\",\n \"3.1\",\n \"3.2\",\n \"3.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-collections4\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-collections4\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-collections\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.2.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.2.1_1\",\n \"3.2.1_2\",\n \"3.2.1_3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 3.2.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"net.sourceforge.collections:collections-generic\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.collections/collections-generic\"\n },\n \"versions\": [\n \"4.01\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.collections-generic\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.01\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.01_1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.02\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fjq5-5j5f-mvxh/GHSA-fjq5-5j5f-mvxh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-7501\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/vulnerabilities/2059393\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/solutions/2045023\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1279330\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-collections/release_4_1.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-collections\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/COLLECTIONS-580.\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://sourceforge.net/p/collections/code/HEAD/tree\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1773.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-03T22:57:31Z\",\n \"nvd_published_at\": \"2017-11-09T17:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pvp8-3xj6-8c6x\",\n \"published\": \"2025-05-09T12:31:33Z\",\n \"modified\": \"2025-05-09T16:27:09.142756Z\",\n \"aliases\": [\n \"CVE-2025-46392\"\n ],\n \"summary\": \"Apache Commons Configuration Uncontrolled Resource Consumption\",\n \"details\": \"Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.\\n\\nThere are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations. \\n\\nUsers that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace they can be loaded side-by-side, making it possible to do a gradual migration.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-configuration:commons-configuration\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-configuration/commons-configuration\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-dev-2.20021231.045254\",\n \"1.0-dev-3.20030603.101200\",\n \"1.0-dev-3.20030607.194155\",\n \"1.0-rc1\",\n \"1.0-rc2\",\n \"1.1\",\n \"1.10\",\n \"1.2\",\n \"1.2RC1\",\n \"1.2RC2\",\n \"1.3\",\n \"1.4\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-pvp8-3xj6-8c6x/GHSA-pvp8-3xj6-8c6x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-46392\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-configuration\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-29131\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-29133\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-09T15:54:59Z\",\n \"nvd_published_at\": \"2025-05-09T10:15:17Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3832-9276-x7gf\",\n \"published\": \"2022-05-13T01:10:34Z\",\n \"modified\": \"2024-12-06T05:35:03.860614Z\",\n \"aliases\": [\n \"CVE-2012-5783\"\n ],\n \"related\": [\n \"CGA-36v2-2382-h797\",\n \"CGA-7hvw-h9c4-h6h5\",\n \"CGA-x2pj-p6gm-xpqp\"\n ],\n \"summary\": \"Improper Certificate Validation in Apache Commons HttpClient\",\n \"details\": \"Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\\n\\nNote that the Commons HttpClient project is [end of life](https://hc.apache.org/httpclient-legacy/). It has been replaced by the Apache HttpComponents project in its [HttpClient](https://hc.apache.org/httpcomponents-client-5.4.x/) and [HttpCore](https://hc.apache.org/httpcomponents-core-5.3.x/) modules. CVE-2012-5783 has been patched in [v4.0](https://repo1.maven.org/maven2/org/apache/httpcomponents/httpclient/4.0/) of the Apache HttpComponents HttpClient module.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-httpclient:commons-httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-httpclient/commons-httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"20020423\",\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.1-alpha1\",\n \"3.1-beta1\",\n \"3.1-jenkins-1\",\n \"3.1-jenkins-2\",\n \"3.1-jenkins-3\",\n \"3.1-rc1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3832-9276-x7gf/GHSA-3832-9276-x7gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-5783\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:0868\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/79984\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/httpcomponents-client\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/HTTPCLIENT-1265\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0270.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0679.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0680.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0682.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1853.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0224.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2769-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-295\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-13T13:58:59Z\",\n \"nvd_published_at\": \"2012-11-04T22:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-78wr-2p64-hpwj\",\n \"published\": \"2024-10-03T12:30:48Z\",\n \"modified\": \"2025-01-31T15:38:02.141931Z\",\n \"aliases\": [\n \"CVE-2024-47554\"\n ],\n \"related\": [\n \"CGA-252j-5hcw-3x22\",\n \"CGA-32hx-qx96-46q6\",\n \"CGA-7c3h-fr9p-6vxc\",\n \"CGA-937h-9qvw-8r89\",\n \"CGA-9rwq-q6m2-g373\",\n \"CGA-9w8c-c5fw-q342\",\n \"CGA-g37r-p8hp-mp2c\",\n \"CGA-hr85-ppfv-vg2r\",\n \"CGA-j9w9-457f-3v67\",\n \"CGA-pwg2-7493-q9wm\",\n \"CGA-r6pw-p73w-rq5f\",\n \"CGA-v9q6-cg5v-8pf7\",\n \"CGA-vppp-hq87-2m8x\",\n \"CGA-w8v5-m4jv-f5hj\",\n \"CGA-wcj9-xx49-cqh2\"\n ],\n \"summary\": \"Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader\",\n \"details\": \"Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\\n\\nThe `org.apache.commons.io.input.XmlStreamReader` class may excessively consume CPU resources when processing maliciously crafted input.\\n\\n\\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\\n\\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-io:commons-io\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-io/commons-io\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"fixed\": \"2.14.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.0.1\",\n \"2.1\",\n \"2.10.0\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.13.0\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.7\",\n \"2.8.0\",\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-78wr-2p64-hpwj/GHSA-78wr-2p64-hpwj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-47554\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-io\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250131-0010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/10/03/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-10-03T16:52:23Z\",\n \"nvd_published_at\": \"2024-10-03T12:15:02Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gwrp-pvrq-jmwv\",\n \"published\": \"2021-04-26T16:04:00Z\",\n \"modified\": \"2024-03-12T05:31:30.961796Z\",\n \"aliases\": [\n \"CVE-2021-29425\"\n ],\n \"summary\": \"Path Traversal and Improper Input Validation in Apache Commons IO\",\n \"details\": \"In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \\\"//../foo\\\", or \\\"\\\\\\\\..\\\\foo\\\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \\\"limited\\\" path traversal), if the calling code would use the result to construct a path value.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-io:commons-io\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-io/commons-io\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1\",\n \"1.0\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4\",\n \"2.0\",\n \"2.0.1\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.cosium.vet:vet\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.cosium.vet/vet\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0\"\n },\n {\n \"last_affected\": \"3.22\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.5\",\n \"2.2\",\n \"2.3\",\n \"2.6\",\n \"2.7\",\n \"2.8\",\n \"2.9\",\n \"3.0\",\n \"3.10\",\n \"3.11\",\n \"3.12\",\n \"3.13\",\n \"3.14\",\n \"3.15\",\n \"3.16\",\n \"3.17\",\n \"3.18\",\n \"3.19\",\n \"3.22\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.diamondq.common:common-thirdparty.jcasbin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.diamondq.common/common-thirdparty.jcasbin\"\n },\n \"versions\": [\n \"1.4.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.liferay:com.liferay.sass.compiler.jsass\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.liferay/com.liferay.sass.compiler.jsass\"\n },\n \"versions\": [\n \"1.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.virjar:ratel-api\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.virjar/ratel-api\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"last_affected\": \"1.3.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"net.hasor:cobble-lang\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.hasor/cobble-lang\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.4.1\"\n },\n {\n \"last_affected\": \"4.6.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.4.1\",\n \"4.4.2\",\n \"4.5.0\",\n \"4.5.1\",\n \"4.5.2\",\n \"4.5.3\",\n \"4.5.4\",\n \"4.6.0\",\n \"4.6.1\",\n \"4.6.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-io\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-io\"\n },\n \"versions\": [\n \"1.3.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-io\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.servicemix.bundles/org.apache.servicemix.bundles.commons-io\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.4\"\n },\n {\n \"last_affected\": \"1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.4_1\",\n \"1.4_2\",\n \"1.4_3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.checkerframework.annotatedlib:commons-io\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.checkerframework.annotatedlib/commons-io\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.6\"\n },\n {\n \"fixed\": \"2.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.6\",\n \"2.6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.smartboot.servlet:servlet-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.smartboot.servlet/servlet-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.1.9\"\n },\n {\n \"last_affected\": \"0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.9\",\n \"0.2\",\n \"0.2.1\",\n \"0.3\",\n \"0.3.1\",\n \"0.4\",\n \"0.5\",\n \"0.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gwrp-pvrq-jmwv/GHSA-gwrp-pvrq-jmwv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-29425\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534.pdf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/IO-556\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-26T15:21:31Z\",\n \"nvd_published_at\": \"2021-04-13T07:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"published\": \"2025-07-11T15:31:37Z\",\n \"modified\": \"2025-11-05T20:34:04.566048Z\",\n \"aliases\": [\n \"CVE-2025-48924\"\n ],\n \"related\": [\n \"CGA-22cr-f3cr-c7cm\",\n \"CGA-29x5-f7v5-rrg6\",\n \"CGA-2fmr-p6rq-h6gj\",\n \"CGA-48h5-566h-rvpp\",\n \"CGA-4fcv-jq36-r7hx\",\n \"CGA-523g-m72h-8798\",\n \"CGA-6pxc-gq99-gpx4\",\n \"CGA-6v52-24xf-x875\",\n \"CGA-78fw-62xf-9rm8\",\n \"CGA-7r2r-4fw7-h3qv\",\n \"CGA-8c99-22mx-hg38\",\n \"CGA-8w2x-v747-c9c7\",\n \"CGA-8x43-fp55-w32w\",\n \"CGA-9j28-2jv5-qv67\",\n \"CGA-9rcm-4h29-rv8h\",\n \"CGA-ff3x-mc4g-82q2\",\n \"CGA-g3gg-7c6f-x6qx\",\n \"CGA-hj53-w7gr-6f9r\",\n \"CGA-j6cx-9v8j-x9cc\",\n \"CGA-j84p-prch-g8wm\",\n \"CGA-j8w2-rj92-x353\",\n \"CGA-j93m-mcxv-7hxr\",\n \"CGA-jvxv-2xch-6xjm\",\n \"CGA-m7pc-jwx3-vm7v\",\n \"CGA-mhg4-342v-w7xq\",\n \"CGA-mp4q-mrjj-8862\",\n \"CGA-p7fm-p736-2fmc\",\n \"CGA-p87f-qfxg-x45v\",\n \"CGA-pxx2-65vr-8cc4\",\n \"CGA-rc28-932p-89cv\",\n \"CGA-v52f-47gw-2xcm\",\n \"CGA-vxhq-8vpg-mr2p\"\n ],\n \"summary\": \"Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs\",\n \"details\": \"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-lang3\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-lang3\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0\"\n },\n {\n \"fixed\": \"3.18.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.10\",\n \"3.11\",\n \"3.12.0\",\n \"3.13.0\",\n \"3.14.0\",\n \"3.15.0\",\n \"3.16.0\",\n \"3.17.0\",\n \"3.2\",\n \"3.2.1\",\n \"3.3\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"commons-lang:commons-lang\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-lang/commons-lang\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"last_affected\": \"2.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48924\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-lang\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/07/11/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-12T00:48:03Z\",\n \"nvd_published_at\": \"2025-07-11T15:15:24Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cgp8-4m63-fhh5\",\n \"published\": \"2022-12-03T15:30:26Z\",\n \"modified\": \"2023-11-08T04:06:18.513983Z\",\n \"aliases\": [\n \"CVE-2021-37533\"\n ],\n \"summary\": \"Apache Commons Net vulnerable to information leakage via malicious server\",\n \"details\": \"Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.\\nThe default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-net:commons-net\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-net/commons-net\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.3.0\",\n \"1.4.0\",\n \"1.4.1\",\n \"2.0\",\n \"2.2\",\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.2\",\n \"3.3\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.7.1\",\n \"3.7.2\",\n \"3.8.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-cgp8-4m63-fhh5/GHSA-cgp8-4m63-fhh5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37533\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-net/commit/4fe1bae56e53f32756b1ca3296f3dd2c45e3e060\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/NET-711\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5307\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/12/03/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-05T23:21:08Z\",\n \"nvd_published_at\": \"2022-12-03T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2fqw-684c-pvp7\",\n \"published\": \"2021-12-17T20:40:50Z\",\n \"modified\": \"2023-11-08T04:03:32.892349Z\",\n \"aliases\": [\n \"CVE-2020-35213\"\n ],\n \"summary\": \"An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.\",\n \"details\": \"An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false link event messages sent to a master ONOS node.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-2fqw-684c-pvp7/GHSA-2fqw-684c-pvp7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35213\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1i8tVVGE8z9Rtl9UTwktOJpkZwT4kBVLgIk307qMiw_8/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-74\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T18:42:16Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4jhc-wjr3-pwh2\",\n \"published\": \"2021-12-17T20:40:38Z\",\n \"modified\": \"2024-12-03T06:05:23.847552Z\",\n \"aliases\": [\n \"CVE-2020-35211\"\n ],\n \"summary\": \"An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node.\",\n \"details\": \"An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-4jhc-wjr3-pwh2/GHSA-4jhc-wjr3-pwh2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35211\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1C_IpRfSU-9FMezcHCFZ-qg-15JO-W36yvqcnzI8sQs8/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T18:48:40Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6vvh-5794-vpmj\",\n \"published\": \"2021-12-17T20:40:58Z\",\n \"modified\": \"2023-11-08T04:03:33.073526Z\",\n \"aliases\": [\n \"CVE-2020-35216\"\n ],\n \"summary\": \"An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.\",\n \"details\": \"An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-6vvh-5794-vpmj/GHSA-6vvh-5794-vpmj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35216\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1woXwR3vciv7ltFan6LyK5vsWXmaUi8ArZonhk80Gr5U/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-362\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T15:12:52Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7fr2-94h7-ccg2\",\n \"published\": \"2021-12-17T20:41:33Z\",\n \"modified\": \"2024-12-03T06:08:49.974429Z\",\n \"aliases\": [\n \"CVE-2020-35209\"\n ],\n \"summary\": \"An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.\",\n \"details\": \"An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to join a target cluster via providing configuration information.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-7fr2-94h7-ccg2/GHSA-7fr2-94h7-ccg2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35209\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1W5KU7ffh4dheR8iD54ulABImi6byAhSI-OhEKw2adRo/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T18:40:51Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g7p8-r2ch-4rmf\",\n \"published\": \"2021-12-17T20:41:45Z\",\n \"modified\": \"2023-11-08T04:03:33.012848Z\",\n \"aliases\": [\n \"CVE-2020-35215\"\n ],\n \"summary\": \"Malicious Atomix node queries expose sensitive information\",\n \"details\": \"An issue in Atomix v3.1.5 allows attackers to access sensitive information when a malicious Atomix node queries distributed variable primitives which contain the entire primitive lists that ONOS nodes use to share important states.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-g7p8-r2ch-4rmf/GHSA-g7p8-r2ch-4rmf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35215\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1pRRLfdSUqUZ688CZ9e9AyceuXPGp9oyGj7j4bdSsBcw/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-668\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T19:00:58Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m4h3-7mc2-v295\",\n \"published\": \"2021-12-17T20:41:21Z\",\n \"modified\": \"2024-12-03T05:58:28.108466Z\",\n \"aliases\": [\n \"CVE-2020-35214\"\n ],\n \"summary\": \"An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.\",\n \"details\": \"An issue in Atomix v3.1.5 allows a malicious Atomix node to remove states of ONOS storage via abuse of primitive operations.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-m4h3-7mc2-v295/GHSA-m4h3-7mc2-v295.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35214\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1wJi4QJko5ZCdADuzmAG9ed-nQLyJVkLBJf6cylAL71A/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T19:11:26Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mf27-wg66-m8f5\",\n \"published\": \"2021-12-17T20:41:09Z\",\n \"modified\": \"2023-11-08T04:03:32.770438Z\",\n \"aliases\": [\n \"CVE-2020-35210\"\n ],\n \"summary\": \"A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.\",\n \"details\": \"A vulnerability in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via a Raft session flooding attack using Raft OpenSessionRequest messages.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.atomix:atomix\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.atomix/atomix\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"3.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.1.0-beta1\",\n \"0.1.0-beta2\",\n \"0.1.0-beta3\",\n \"0.1.0-beta4\",\n \"0.1.0-beta5\",\n \"1.0.0\",\n \"1.0.0-rc1\",\n \"1.0.0-rc2\",\n \"1.0.0-rc3\",\n \"1.0.0-rc4\",\n \"1.0.0-rc5\",\n \"1.0.0-rc6\",\n \"1.0.0-rc7\",\n \"1.0.0-rc8\",\n \"1.0.0-rc9\",\n \"1.0.1\",\n \"1.0.1-rc1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"2.0.0\",\n \"2.0.0-alpha1\",\n \"2.0.0-raft-beta1\",\n \"2.0.0-raft-final\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.27\",\n \"2.0.28\",\n \"2.0.29\",\n \"2.0.3\",\n \"2.0.30\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\",\n \"2.1.0-beta1\",\n \"2.1.0-beta2\",\n \"2.1.0-beta3\",\n \"3.0.0\",\n \"3.0.0-rc1\",\n \"3.0.0-rc10\",\n \"3.0.0-rc11\",\n \"3.0.0-rc12\",\n \"3.0.0-rc3\",\n \"3.0.0-rc4\",\n \"3.0.0-rc5\",\n \"3.0.0-rc6\",\n \"3.0.0-rc7\",\n \"3.0.0-rc8\",\n \"3.0.0-rc9\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\",\n \"3.1.0\",\n \"3.1.0-beta1\",\n \"3.1.0-beta2\",\n \"3.1.0-beta3\",\n \"3.1.0-beta4\",\n \"3.1.0-rc1\",\n \"3.1.0-rc2\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.1.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-mf27-wg66-m8f5/GHSA-mf27-wg66-m8f5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-35210\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.google.com/presentation/d/1eZznIciFI06_5UJrXvlLugH2-nmjfYpQO5NyNMc9RxU/edit?usp=sharing\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/atomix/atomix\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-17T17:20:09Z\",\n \"nvd_published_at\": \"2021-12-16T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v2xm-76pq-phcf\",\n \"published\": \"2024-06-21T06:31:12Z\",\n \"modified\": \"2024-06-25T02:34:01.955562Z\",\n \"aliases\": [\n \"CVE-2021-47621\"\n ],\n \"related\": [\n \"CGA-654j-wjm3-qmg4\",\n \"CGA-g2q2-9vqg-g6xm\",\n \"CGA-pq95-x78h-qx9r\"\n ],\n \"summary\": \"ClassGraph XML External Entity Reference\",\n \"details\": \"ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.github.classgraph:classgraph\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.github.classgraph/classgraph\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.8.112\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0\",\n \"4.0.0-beta-11\",\n \"4.0.0-beta-12\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.0.6\",\n \"4.0.7\",\n \"4.1.0\",\n \"4.1.1\",\n \"4.1.2\",\n \"4.1.3\",\n \"4.1.4\",\n \"4.1.5\",\n \"4.1.6\",\n \"4.1.7\",\n \"4.2.0\",\n \"4.2.1\",\n \"4.2.10\",\n \"4.2.11\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.4\",\n \"4.2.5\",\n \"4.2.6\",\n \"4.2.7\",\n \"4.2.8\",\n \"4.2.9\",\n \"4.3.0\",\n \"4.3.1\",\n \"4.4.0\",\n \"4.4.1\",\n \"4.4.10\",\n \"4.4.11\",\n \"4.4.12\",\n \"4.4.2\",\n \"4.4.3\",\n \"4.4.4\",\n \"4.4.5\",\n \"4.4.6\",\n \"4.4.7\",\n \"4.4.8\",\n \"4.4.9\",\n \"4.6.0\",\n \"4.6.1\",\n \"4.6.10\",\n \"4.6.11\",\n \"4.6.12\",\n \"4.6.13\",\n \"4.6.14\",\n \"4.6.15\",\n \"4.6.16\",\n \"4.6.17\",\n \"4.6.18\",\n \"4.6.19\",\n \"4.6.2\",\n \"4.6.20\",\n \"4.6.21\",\n \"4.6.22\",\n \"4.6.23\",\n \"4.6.24\",\n \"4.6.25\",\n \"4.6.26\",\n \"4.6.27\",\n \"4.6.28\",\n \"4.6.29\",\n \"4.6.3\",\n \"4.6.30\",\n \"4.6.31\",\n \"4.6.32\",\n \"4.6.4\",\n \"4.6.5\",\n \"4.6.6\",\n \"4.6.7\",\n \"4.6.8\",\n \"4.6.9\",\n \"4.8.0\",\n \"4.8.1\",\n \"4.8.10\",\n \"4.8.100\",\n \"4.8.101\",\n \"4.8.102\",\n \"4.8.103\",\n \"4.8.104\",\n \"4.8.105\",\n \"4.8.106\",\n \"4.8.107\",\n \"4.8.108\",\n \"4.8.109\",\n \"4.8.11\",\n \"4.8.110\",\n \"4.8.111\",\n \"4.8.12\",\n \"4.8.13\",\n \"4.8.14\",\n \"4.8.15\",\n \"4.8.16\",\n \"4.8.17\",\n \"4.8.19\",\n \"4.8.2\",\n \"4.8.20\",\n \"4.8.21\",\n \"4.8.22\",\n \"4.8.23\",\n \"4.8.24\",\n \"4.8.25\",\n \"4.8.26\",\n \"4.8.27\",\n \"4.8.28\",\n \"4.8.29\",\n \"4.8.3\",\n \"4.8.30\",\n \"4.8.31\",\n \"4.8.32\",\n \"4.8.33\",\n \"4.8.34\",\n \"4.8.35\",\n \"4.8.36\",\n \"4.8.37\",\n \"4.8.38\",\n \"4.8.39\",\n \"4.8.4\",\n \"4.8.40\",\n \"4.8.41\",\n \"4.8.42\",\n \"4.8.43\",\n \"4.8.44\",\n \"4.8.45\",\n \"4.8.46\",\n \"4.8.47\",\n \"4.8.48\",\n \"4.8.49\",\n \"4.8.5\",\n \"4.8.50\",\n \"4.8.51\",\n \"4.8.52\",\n \"4.8.53\",\n \"4.8.54\",\n \"4.8.55\",\n \"4.8.56\",\n \"4.8.57\",\n \"4.8.58\",\n \"4.8.59\",\n \"4.8.6\",\n \"4.8.60\",\n \"4.8.61\",\n \"4.8.62\",\n \"4.8.63\",\n \"4.8.64\",\n \"4.8.65\",\n \"4.8.66\",\n \"4.8.67\",\n \"4.8.68\",\n \"4.8.69\",\n \"4.8.7\",\n \"4.8.70\",\n \"4.8.71\",\n \"4.8.72\",\n \"4.8.73\",\n \"4.8.74\",\n \"4.8.75\",\n \"4.8.76\",\n \"4.8.77\",\n \"4.8.78\",\n \"4.8.79\",\n \"4.8.8\",\n \"4.8.80\",\n \"4.8.81\",\n \"4.8.82\",\n \"4.8.83\",\n \"4.8.84\",\n \"4.8.85\",\n \"4.8.86\",\n \"4.8.87\",\n \"4.8.88\",\n \"4.8.89\",\n \"4.8.9\",\n \"4.8.90\",\n \"4.8.91\",\n \"4.8.92\",\n \"4.8.93\",\n \"4.8.94\",\n \"4.8.95\",\n \"4.8.96\",\n \"4.8.97\",\n \"4.8.98\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-v2xm-76pq-phcf/GHSA-v2xm-76pq-phcf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-47621\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/classgraph/classgraph/pull/539\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/classgraph/classgraph/commit/681362ad6b0b9d9abaffb2e07099ce54d7a41fa3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://docs.r3.com/en/platform/corda/4.8/enterprise/release-notes-enterprise.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/classgraph/classgraph\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/classgraph/classgraph/releases/tag/classgraph-4.8.112\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-06-21T15:06:26Z\",\n \"nvd_published_at\": \"2024-06-21T06:15:10Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5mcr-gq6c-3hq2\",\n \"published\": \"2021-02-08T21:17:48Z\",\n \"modified\": \"2025-01-14T10:57:08.719345Z\",\n \"aliases\": [\n \"CVE-2021-21290\"\n ],\n \"related\": [\n \"CGA-5mv3-2mc9-76x5\",\n \"CGA-qrw9-p79v-r8f7\",\n \"CVE-2021-21290\",\n \"CVE-2022-24823\"\n ],\n \"summary\": \"Local Information Disclosure Vulnerability in Netty on Unix-Like systems\",\n \"details\": \"### Impact\\n\\nWhen netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled.\\n\\nThe CVSSv3.1 score of this vulnerability is calculated to be a [6.2/10](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\\u0026version=3.1)\\n\\n### Vulnerability Details\\n\\nOn unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems.\\n\\nThe method `File.createTempFile` on unix-like systems creates a random file, but, by default will create this file with the permissions `-rw-r--r--`. Thus, if sensitive information is written to this file, other local users can read this information.\\n\\nThis is the case in netty's `AbstractDiskHttpData` is vulnerable.\\n\\nhttps://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L80-L101\\n\\n`AbstractDiskHttpData` is used as a part of the `DefaultHttpDataFactory` class which is used by `HttpPostRequestDecoder` / `HttpPostMultiPartRequestDecoder`.\\n\\nYou may be affected by this vulnerability your project contains the following code patterns:\\n\\n```java\\nchannelPipeline.addLast(new HttpPostRequestDecoder(...));\\n```\\n\\n```java\\nchannelPipeline.addLast(new HttpPostMultiPartRequestDecoder(...));\\n```\\n\\n### Patches\\n\\nThis has been patched in version `4.1.59.Final`.\\n\\n### Workarounds\\n\\nSpecify your own `java.io.tmpdir` when you start the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.\\n\\n### References\\n\\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\\n\\n### Similar Vulnerabilities\\n\\nSimilar, but not the same.\\n\\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\\n - Google Guava - https://github.com/google/guava/issues/4011\\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [netty](https://github.com/netty/netty)\\n* Email us [here](mailto:netty-security@googlegroups.com)\\n\\n### Original Report\\n\\n\\u003e Hi Netty Security Team,\\n\\u003e \\n\\u003e I've been working on some security research leveraging custom CodeQL queries to detect local information disclosure vulnerabilities in java applications. This was the result from running this query against the netty project:\\n\\u003e https://lgtm.com/query/7723301787255288599/\\n\\u003e \\n\\u003e Netty contains three local information disclosure vulnerabilities, so far as I can tell.\\n\\u003e \\n\\u003e One is here, where the private key for the certificate is written to a temporary file.\\n\\u003e \\n\\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L316-L346\\n\\u003e \\n\\u003e One is here, where the certificate is written to a temporary file.\\n\\u003e \\n\\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/handler/src/main/java/io/netty/handler/ssl/util/SelfSignedCertificate.java#L348-L371\\n\\u003e \\n\\u003e The final one is here, where the 'AbstractDiskHttpData' creates a temporary file if the getBaseDirectory() method returns null. I believe that 'AbstractDiskHttpData' is used as a part of the file upload support? If this is the case, any files uploaded would be similarly vulnerable.\\n\\u003e \\n\\u003e https://github.com/netty/netty/blob/e5951d46fc89db507ba7d2968d2ede26378f0b04/codec-http/src/main/java/io/netty/handler/codec/http/multipart/AbstractDiskHttpData.java#L91\\n\\u003e \\n\\u003e All of these vulnerabilities exist because `File.createTempFile(String, String)` will create a temporary file in the system temporary directory if the 'java.io.tmpdir' system property is not explicitly set. It is my understanding that when java creates a file, by default, and using this method, the permissions on that file utilize the umask. In a majority of cases, this means that the file that java creates has the permissions: `-rw-r--r--`, thus, any other local user on that system can read the contents of that file.\\n\\u003e \\n\\u003e Impacted OS:\\n\\u003e - Any OS where the system temporary directory is shared between multiple users. This is not the case for MacOS or Windows.\\n\\u003e \\n\\u003e Mitigation.\\n\\u003e \\n\\u003e Moving to the `Files` API instead will fix this vulnerability. \\n\\u003e https://docs.oracle.com/javase/8/docs/api/java/nio/file/Files.html#createTempFile-java.nio.file.Path-java.lang.String-java.lang.String-java.nio.file.attribute.FileAttribute...-\\n\\u003e \\n\\u003e This API will explicitly set the posix file permissions to something safe, by default.\\n\\u003e \\n\\u003e I recently disclosed a similar vulnerability in JUnit 4:\\n\\u003e https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\\n\\u003e \\n\\u003e If you're also curious, this vulnerability in Jetty was also mine, also involving temporary directories, but is not the same vulnerability as in this case.\\n\\u003e https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\\n\\u003e \\n\\u003e I would appreciate it if we could perform disclosure of this vulnerability leveraging the GitHub security advisories feature here. GitHub has a nice credit system that I appreciate, plus the disclosures, as you can see from the sampling above, end up looking very nice.\\n\\u003e https://github.com/netty/netty/security/advisories\\n\\u003e \\n\\u003e This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.\\n\\u003e \\n\\u003e Cheers,\\n\\u003e Jonathan Leitschuh\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.59.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-5mcr-gq6c-3hq2/GHSA-5mcr-gq6c-3hq2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21290\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0011\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-378\",\n \"CWE-379\",\n \"CWE-668\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-02-08T20:07:45Z\",\n \"nvd_published_at\": \"2021-02-08T20:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7vpq-g998-qpv7\",\n \"published\": \"2022-05-13T01:54:02Z\",\n \"modified\": \"2024-12-08T05:28:34.511125Z\",\n \"aliases\": [\n \"CVE-2014-0193\"\n ],\n \"summary\": \"Netty denial of service vulnerability\",\n \"details\": \"`WebSocket08FrameDecoder` in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a `TextWebSocketFrame` followed by a long stream of `ContinuationWebSocketFrames`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.6.0.Beta1\"\n },\n {\n \"fixed\": \"3.6.9.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.7.0.Final\"\n },\n {\n \"fixed\": \"3.7.1.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.7.0.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.8.0.Final\"\n },\n {\n \"fixed\": \"3.8.2.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.8.0.Final\",\n \"3.8.1.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.9.0.Final\"\n },\n {\n \"fixed\": \"3.9.1.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.9.0.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0.Alpha1\"\n },\n {\n \"fixed\": \"4.0.19.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty-all\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-all\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0.Alpha1\"\n },\n {\n \"fixed\": \"4.0.19.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.2.Final\",\n \"4.0.3.Final\",\n \"4.0.4.Final\",\n \"4.0.5.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7vpq-g998-qpv7/GHSA-7vpq-g998-qpv7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-0193\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/2441\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2014/04/30/release-day.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1019.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1351.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0675.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0720.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0765.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-07T20:25:36Z\",\n \"nvd_published_at\": \"2014-05-06T14:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9vjp-v76f-g363\",\n \"published\": \"2021-09-09T17:11:31Z\",\n \"modified\": \"2024-03-11T05:32:25.452063Z\",\n \"aliases\": [\n \"CVE-2021-37137\"\n ],\n \"related\": [\n \"CGA-rmxq-xv79-3xfc\",\n \"CVE-2021-37137\"\n ],\n \"summary\": \" SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way\",\n \"details\": \"### Impact\\nThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well.\\n\\nThis vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.\\n\\n### Impact\\n\\nAll users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage.\\n\\n### References\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.68.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37137\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0012\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-09T14:44:10Z\",\n \"nvd_published_at\": \"2021-10-19T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cqqj-4p63-rrmm\",\n \"published\": \"2020-02-21T18:55:24Z\",\n \"modified\": \"2025-07-02T16:20:12.563640Z\",\n \"aliases\": [\n \"CVE-2019-20444\"\n ],\n \"related\": [\n \"CGA-gg6m-vh7x-6jr4\"\n ],\n \"summary\": \"HTTP Request Smuggling in Netty\",\n \"details\": \"HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an \\\"invalid fold.\\\"\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.44\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.5.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-cqqj-4p63-rrmm/GHSA-cqqj-4p63-rrmm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20444\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/9866\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9871\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4532-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7%40%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0567\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0497\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5%40%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b%40%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-20T20:54:33Z\",\n \"nvd_published_at\": \"2020-01-29T21:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f256-j965-7f32\",\n \"published\": \"2021-03-30T15:10:38Z\",\n \"modified\": \"2025-01-14T08:57:35.768526Z\",\n \"aliases\": [\n \"CVE-2021-21409\"\n ],\n \"related\": [\n \"CGA-494w-f4g6-835m\",\n \"CGA-c2w9-39fx-cvc6\",\n \"CVE-2021-21409\"\n ],\n \"summary\": \"Possible request smuggling in HTTP/2 due missing validation of content-length\",\n \"details\": \"### Impact\\nThe content-length header is not correctly validated if the request only use a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1\\n\\nThis is a followup of https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj which did miss to fix this one case. \\n\\n### Patches\\nThis was fixed as part of 4.1.61.Final\\n\\n### Workarounds\\nValidation can be done by the user before proxy the request by validating the header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-http2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-http2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.61.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-f256-j965-7f32/GHSA-f256-j965-7f32.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21409\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210604-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-30T15:03:26Z\",\n \"nvd_published_at\": \"2021-03-30T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-grg4-wf29-r9vv\",\n \"published\": \"2021-09-09T17:11:21Z\",\n \"modified\": \"2024-03-11T05:19:43.929590Z\",\n \"aliases\": [\n \"CVE-2021-37136\"\n ],\n \"related\": [\n \"CGA-xpcq-6m7h-f8qc\",\n \"CVE-2021-37136\"\n ],\n \"summary\": \"Bzip2Decoder doesn't allow setting size restrictions for decompressed data\",\n \"details\": \"### Impact\\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).\\n\\n\\nAll users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack\\n\\n### Workarounds\\nNo workarounds other than not using the `Bzip2Decoder`\\n\\n### References\\n\\nRelevant code areas:\\n\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.68.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37136\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0012\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-09T14:36:56Z\",\n \"nvd_published_at\": \"2021-10-19T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p2v9-g2qv-p635\",\n \"published\": \"2020-02-21T18:55:04Z\",\n \"modified\": \"2024-12-08T05:34:35.794525Z\",\n \"aliases\": [\n \"CVE-2019-20445\"\n ],\n \"related\": [\n \"CGA-3hw4-v37p-xv4c\",\n \"CGA-f836-4mqx-vr2w\"\n ],\n \"summary\": \"HTTP Request Smuggling in Netty\",\n \"details\": \"HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.5.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/9861\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9865\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0497\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4532-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0567\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-20T20:54:25Z\",\n \"nvd_published_at\": \"2020-01-29T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wm47-8v5p-wjpj\",\n \"published\": \"2021-03-09T18:49:49Z\",\n \"modified\": \"2025-01-14T08:57:03.544654Z\",\n \"aliases\": [\n \"BIT-zookeeper-2021-21295\",\n \"CVE-2021-21295\"\n ],\n \"related\": [\n \"CGA-3q34-9hpp-p3gf\",\n \"CGA-xh32-h668-455p\",\n \"CVE-2021-21295\",\n \"CVE-2021-21409\"\n ],\n \"summary\": \"Possible request smuggling in HTTP/2 due missing validation\",\n \"details\": \"### Impact\\nIf a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1.\\nIf the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. \\n\\nIn a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked.\\n\\nAn attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. A sample attack request looks like:\\n\\n```\\nPOST / HTTP/2\\n:authority:: externaldomain.com\\nContent-Length: 4\\n\\nasdfGET /evilRedirect HTTP/1.1\\nHost: internaldomain.com\\n```\\n\\nUsers are only affected if all of this is `true`:\\n * `HTTP2MultiplexCodec` or `Http2FrameCodec` is used\\n * `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects\\n * These HTTP/1.1 objects are forwarded to another remote peer.\\n \\n\\n### Patches\\nThis has been patched in 4.1.60.Final\\n\\n### Workarounds\\nThe user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.\\n\\n### References\\nRelated change to workaround the problem: https://github.com/Netflix/zuul/pull/980 \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-http2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-http2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.60.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-wm47-8v5p-wjpj/GHSA-wm47-8v5p-wjpj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-21295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Netflix/zuul/pull/980\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210604-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-09T18:47:09Z\",\n \"nvd_published_at\": \"2021-03-09T19:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wx5j-54mm-rqqq\",\n \"published\": \"2021-12-09T19:09:17Z\",\n \"modified\": \"2024-02-22T05:37:31.471154Z\",\n \"aliases\": [\n \"CVE-2021-43797\"\n ],\n \"related\": [\n \"CGA-2vx5-qv6g-67jq\",\n \"CGA-qxv3-xxff-qffv\",\n \"CVE-2021-43797\"\n ],\n \"summary\": \"HTTP request smuggling in netty\",\n \"details\": \"### Impact\\n\\nNetty currently just skips control chars when these are present at the beginning / end of the header name. We should better fail fast as these are not allowed by the spec and could lead to HTTP request smuggling.\\n\\nFailing to do the validation might cause netty to \\\"sanitize\\\" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore and so not do the validation itself.\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.71.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.68.Final\",\n \"4.1.69.Final\",\n \"4.1.7.Final\",\n \"4.1.70.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/12/GHSA-wx5j-54mm-rqqq/GHSA-wx5j-54mm-rqqq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-43797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/11891\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220107-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-12-09T18:17:28Z\",\n \"nvd_published_at\": \"2021-12-09T19:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xfv3-rrfm-f2rv\",\n \"published\": \"2020-06-30T21:01:21Z\",\n \"modified\": \"2024-02-16T08:04:08.954640Z\",\n \"aliases\": [\n \"CVE-2015-2156\"\n ],\n \"summary\": \"Information Exposure in Netty\",\n \"details\": \"Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.0.28.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.3.Final\",\n \"4.0.4.Final\",\n \"4.0.5.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.8.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.10.0\"\n },\n {\n \"fixed\": \"3.10.3.Final\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.10.0\"\n },\n {\n \"fixed\": \"3.10.3.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.8.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-2156\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/3754\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1222923\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/05/17/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/74704\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-30T20:59:55Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3p8m-j85q-pgmj\",\n \"published\": \"2025-09-03T18:00:55Z\",\n \"modified\": \"2025-09-04T14:30:07.795314Z\",\n \"aliases\": [\n \"CVE-2025-58057\"\n ],\n \"related\": [\n \"CGA-2q6x-j784-7h79\",\n \"CGA-2v4w-pr95-p9mq\",\n \"CGA-2xm9-r734-f5jh\",\n \"CGA-37rw-3rg8-5p2r\",\n \"CGA-48jf-6j23-46j3\",\n \"CGA-4f95-7j4w-9wc7\",\n \"CGA-553w-99qm-q83c\",\n \"CGA-5hhq-wjmg-gcjp\",\n \"CGA-6hmq-qr85-3xh8\",\n \"CGA-7546-ph65-xxxw\",\n \"CGA-7j2f-rgqc-qr3w\",\n \"CGA-7v5c-p2r6-p462\",\n \"CGA-829h-3xf3-j2qf\",\n \"CGA-83vx-rwv3-3fvr\",\n \"CGA-85wm-6c4p-5865\",\n \"CGA-8635-mm2p-7mfj\",\n \"CGA-875r-5r79-249x\",\n \"CGA-8gfq-pqwq-pv7h\",\n \"CGA-8jcq-2484-6w9x\",\n \"CGA-8x49-65rf-mc5q\",\n \"CGA-929v-xcpg-57wc\",\n \"CGA-948x-68h4-f2cj\",\n \"CGA-94cj-4rxx-5cfm\",\n \"CGA-9jgq-4qx7-v856\",\n \"CGA-9vh6-4325-2mgm\",\n \"CGA-c3rv-cp45-mhjr\",\n \"CGA-c885-5849-wwc2\",\n \"CGA-cfw2-ff39-v6rm\",\n \"CGA-cgr7-w7ff-wqcq\",\n \"CGA-g8vf-gjcg-2fgc\",\n \"CGA-gmwh-588r-7f2g\",\n \"CGA-gxhv-xr39-w63r\",\n \"CGA-h5j9-46vj-f522\",\n \"CGA-j3fg-43p4-p7h8\",\n \"CGA-j9xh-qf5r-6hr3\",\n \"CGA-jm8f-rrgp-45fp\",\n \"CGA-jpqm-5jrf-pxjm\",\n \"CGA-mq82-fgj6-fhmc\",\n \"CGA-p9pq-pmp9-8835\",\n \"CGA-pg9f-mw8h-mhvp\",\n \"CGA-ppc8-78x8-3698\",\n \"CGA-pprc-vhvh-79j3\",\n \"CGA-qw7c-p95f-xfgp\",\n \"CGA-r324-x764-h722\",\n \"CGA-r6gh-cvx2-8mqg\",\n \"CGA-rq57-8qrx-9frv\",\n \"CGA-v923-59cp-2r6q\",\n \"CGA-w9vw-4jr4-m4qp\",\n \"CGA-wfq9-4352-93hp\",\n \"CGA-xghx-54mj-627g\"\n ],\n \"summary\": \"Netty's decoders vulnerable to DoS via zip bomb style attack\",\n \"details\": \"### Summary\\n\\nWith specially crafted input, `BrotliDecoder` and some other decompressing decoders will allocate a large number of reachable byte buffers, which can lead to denial of service.\\n\\n### Details\\n\\n`BrotliDecoder.decompress` has no limit in how often it calls `pull`, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is basically a zip bomb.\\n\\nTested on 4.1.118, but there were no changes to the decoder since.\\n\\n### PoC\\n\\nRun this test case with `-Xmx1G`:\\n\\n```java\\nimport io.netty.buffer.Unpooled;\\nimport io.netty.channel.embedded.EmbeddedChannel;\\n\\nimport java.util.Base64;\\n\\npublic class T {\\n public static void main(String[] args) {\\n EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());\\n channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode(\\\"aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=\\\")));\\n }\\n}\\n```\\n\\nError:\\n\\n```\\nException in thread \\\"main\\\" java.lang.OutOfMemoryError: Cannot reserve 4194304 bytes of direct buffer memory (allocated: 1069580289, limit: 1073741824)\\n\\tat java.base/java.nio.Bits.reserveMemory(Bits.java:178)\\n\\tat java.base/java.nio.DirectByteBuffer.\\u003cinit\\u003e(DirectByteBuffer.java:121)\\n\\tat java.base/java.nio.ByteBuffer.allocateDirect(ByteBuffer.java:332)\\n\\tat io.netty.buffer.PoolArena$DirectArena.allocateDirect(PoolArena.java:718)\\n\\tat io.netty.buffer.PoolArena$DirectArena.newChunk(PoolArena.java:693)\\n\\tat io.netty.buffer.PoolArena.allocateNormal(PoolArena.java:213)\\n\\tat io.netty.buffer.PoolArena.tcacheAllocateNormal(PoolArena.java:195)\\n\\tat io.netty.buffer.PoolArena.allocate(PoolArena.java:137)\\n\\tat io.netty.buffer.PoolArena.allocate(PoolArena.java:127)\\n\\tat io.netty.buffer.PooledByteBufAllocator.newDirectBuffer(PooledByteBufAllocator.java:403)\\n\\tat io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:188)\\n\\tat io.netty.buffer.AbstractByteBufAllocator.directBuffer(AbstractByteBufAllocator.java:179)\\n\\tat io.netty.buffer.AbstractByteBufAllocator.buffer(AbstractByteBufAllocator.java:116)\\n\\tat io.netty.handler.codec.compression.BrotliDecoder.pull(BrotliDecoder.java:70)\\n\\tat io.netty.handler.codec.compression.BrotliDecoder.decompress(BrotliDecoder.java:101)\\n\\tat io.netty.handler.codec.compression.BrotliDecoder.decode(BrotliDecoder.java:137)\\n\\tat io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)\\n\\tat io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)\\n\\tat io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)\\n\\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)\\n\\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)\\n\\tat io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)\\n\\tat io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)\\n\\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)\\n\\tat io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)\\n\\tat io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)\\n\\tat io.netty.channel.embedded.EmbeddedChannel.writeInbound(EmbeddedChannel.java:348)\\n\\tat io.netty.handler.codec.compression.T.main(T.java:11)\\n```\\n\\n### Impact\\n\\nDoS for anyone using `BrotliDecoder` on untrusted input.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec-compression\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec-compression\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.2.0.Alpha1\"\n },\n {\n \"fixed\": \"4.2.5.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.2.0.Alpha3\",\n \"4.2.0.Alpha4\",\n \"4.2.0.Alpha5\",\n \"4.2.0.Beta1\",\n \"4.2.0.Final\",\n \"4.2.0.RC1\",\n \"4.2.0.RC2\",\n \"4.2.0.RC3\",\n \"4.2.0.RC4\",\n \"4.2.1.Final\",\n \"4.2.2.Final\",\n \"4.2.3.Final\",\n \"4.2.4.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3p8m-j85q-pgmj/GHSA-3p8m-j85q-pgmj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.125.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.100.Final\",\n \"4.1.101.Final\",\n \"4.1.102.Final\",\n \"4.1.103.Final\",\n \"4.1.104.Final\",\n \"4.1.105.Final\",\n \"4.1.106.Final\",\n \"4.1.107.Final\",\n \"4.1.108.Final\",\n \"4.1.109.Final\",\n \"4.1.11.Final\",\n \"4.1.110.Final\",\n \"4.1.111.Final\",\n \"4.1.112.Final\",\n \"4.1.113.Final\",\n \"4.1.114.Final\",\n \"4.1.115.Final\",\n \"4.1.116.Final\",\n \"4.1.117.Final\",\n \"4.1.118.Final\",\n \"4.1.119.Final\",\n \"4.1.12.Final\",\n \"4.1.120.Final\",\n \"4.1.121.Final\",\n \"4.1.122.Final\",\n \"4.1.123.Final\",\n \"4.1.124.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.68.Final\",\n \"4.1.69.Final\",\n \"4.1.7.Final\",\n \"4.1.70.Final\",\n \"4.1.71.Final\",\n \"4.1.72.Final\",\n \"4.1.73.Final\",\n \"4.1.74.Final\",\n \"4.1.75.Final\",\n \"4.1.76.Final\",\n \"4.1.77.Final\",\n \"4.1.78.Final\",\n \"4.1.79.Final\",\n \"4.1.8.Final\",\n \"4.1.80.Final\",\n \"4.1.81.Final\",\n \"4.1.82.Final\",\n \"4.1.83.Final\",\n \"4.1.84.Final\",\n \"4.1.85.Final\",\n \"4.1.86.Final\",\n \"4.1.87.Final\",\n \"4.1.88.Final\",\n \"4.1.89.Final\",\n \"4.1.9.Final\",\n \"4.1.90.Final\",\n \"4.1.91.Final\",\n \"4.1.92.Final\",\n \"4.1.93.Final\",\n \"4.1.94.Final\",\n \"4.1.95.Final\",\n \"4.1.96.Final\",\n \"4.1.97.Final\",\n \"4.1.98.Final\",\n \"4.1.99.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-3p8m-j85q-pgmj/GHSA-3p8m-j85q-pgmj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-3p8m-j85q-pgmj\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-58057\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/9d804c54ce962408ae6418255a83a13924f7145d\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-409\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-03T18:00:55Z\",\n \"nvd_published_at\": \"2025-09-04T10:42:32Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9vjp-v76f-g363\",\n \"published\": \"2021-09-09T17:11:31Z\",\n \"modified\": \"2024-03-11T05:32:25.452063Z\",\n \"aliases\": [\n \"CVE-2021-37137\"\n ],\n \"related\": [\n \"CGA-rmxq-xv79-3xfc\",\n \"CVE-2021-37137\"\n ],\n \"summary\": \" SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way\",\n \"details\": \"### Impact\\nThe Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well.\\n\\nThis vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.\\n\\n### Impact\\n\\nAll users of SnappyFrameDecoder are affected and so the application may be in risk for a DoS attach due excessive memory usage.\\n\\n### References\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.68.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-9vjp-v76f-g363/GHSA-9vjp-v76f-g363.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37137\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0012\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-09T14:44:10Z\",\n \"nvd_published_at\": \"2021-10-19T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-grg4-wf29-r9vv\",\n \"published\": \"2021-09-09T17:11:21Z\",\n \"modified\": \"2024-03-11T05:19:43.929590Z\",\n \"aliases\": [\n \"CVE-2021-37136\"\n ],\n \"related\": [\n \"CGA-xpcq-6m7h-f8qc\",\n \"CVE-2021-37136\"\n ],\n \"summary\": \"Bzip2Decoder doesn't allow setting size restrictions for decompressed data\",\n \"details\": \"### Impact\\nThe Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression).\\n\\n\\nAll users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack\\n\\n### Workarounds\\nNo workarounds other than not using the `Bzip2Decoder`\\n\\n### References\\n\\nRelevant code areas:\\n\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\\nhttps://github.com/netty/netty/blob/netty-4.1.67.Final/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-codec\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-codec\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.68.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-grg4-wf29-r9vv/GHSA-grg4-wf29-r9vv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37136\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0012\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-09T14:36:56Z\",\n \"nvd_published_at\": \"2021-10-19T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-389x-839f-4rhx\",\n \"published\": \"2025-02-10T18:14:47Z\",\n \"modified\": \"2025-03-19T15:06:40.575662Z\",\n \"aliases\": [\n \"CVE-2025-25193\"\n ],\n \"related\": [\n \"CGA-3vm3-626v-4449\",\n \"CGA-ffqr-c78c-j6h2\",\n \"CGA-rp29-pprx-g77p\",\n \"CGA-xw98-j5vj-f79x\",\n \"CVE-2025-25193\"\n ],\n \"summary\": \"Denial of Service attack on windows app using Netty\",\n \"details\": \"### Summary\\nAn unsafe reading of environment file could potentially cause a denial of service in Netty.\\nWhen loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.\\n\\n### Details\\nA similar issue was previously reported in https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\\nThis issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit.\\n\\n\\n### PoC\\nThe PoC is the same as for https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv with the detail that the file should only contain null-bytes; 0x00.\\nWhen the null-bytes are encountered by the `InputStreamReader`, it will issue replacement characters in its charset decoding, which will fill up the line-buffer in the `BufferedReader.readLine()`, because the replacement character is not a line-break character.\\n\\n### Impact\\nImpact is the same as https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.118.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.100.Final\",\n \"4.1.101.Final\",\n \"4.1.102.Final\",\n \"4.1.103.Final\",\n \"4.1.104.Final\",\n \"4.1.105.Final\",\n \"4.1.106.Final\",\n \"4.1.107.Final\",\n \"4.1.108.Final\",\n \"4.1.109.Final\",\n \"4.1.11.Final\",\n \"4.1.110.Final\",\n \"4.1.111.Final\",\n \"4.1.112.Final\",\n \"4.1.113.Final\",\n \"4.1.114.Final\",\n \"4.1.115.Final\",\n \"4.1.116.Final\",\n \"4.1.117.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.68.Final\",\n \"4.1.69.Final\",\n \"4.1.7.Final\",\n \"4.1.70.Final\",\n \"4.1.71.Final\",\n \"4.1.72.Final\",\n \"4.1.73.Final\",\n \"4.1.74.Final\",\n \"4.1.75.Final\",\n \"4.1.76.Final\",\n \"4.1.77.Final\",\n \"4.1.78.Final\",\n \"4.1.79.Final\",\n \"4.1.8.Final\",\n \"4.1.80.Final\",\n \"4.1.81.Final\",\n \"4.1.82.Final\",\n \"4.1.83.Final\",\n \"4.1.84.Final\",\n \"4.1.85.Final\",\n \"4.1.86.Final\",\n \"4.1.87.Final\",\n \"4.1.88.Final\",\n \"4.1.89.Final\",\n \"4.1.9.Final\",\n \"4.1.90.Final\",\n \"4.1.91.Final\",\n \"4.1.92.Final\",\n \"4.1.93.Final\",\n \"4.1.94.Final\",\n \"4.1.95.Final\",\n \"4.1.96.Final\",\n \"4.1.97.Final\",\n \"4.1.98.Final\",\n \"4.1.99.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-389x-839f-4rhx/GHSA-389x-839f-4rhx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-389x-839f-4rhx\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-25193\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/d1fbda62d3a47835d3fb35db8bd42ecc205a5386\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250221-0006\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-02-10T18:14:47Z\",\n \"nvd_published_at\": \"2025-02-10T22:15:38Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xq3w-v528-46rv\",\n \"published\": \"2024-11-12T19:53:17Z\",\n \"modified\": \"2025-02-18T16:16:53.215963Z\",\n \"aliases\": [\n \"CVE-2024-47535\"\n ],\n \"related\": [\n \"CGA-662r-hr8g-368h\",\n \"CGA-6hrh-hv46-9997\",\n \"CGA-6j48-cf22-44cr\",\n \"CGA-896j-whgv-hvrh\",\n \"CGA-954h-x5w4-9mp8\",\n \"CGA-973v-pfgw-gfcx\",\n \"CGA-9g9w-93jp-5j27\",\n \"CGA-cm4q-39fx-m36q\",\n \"CGA-crgc-hmgg-8m6p\",\n \"CGA-fp8m-fwcf-c57x\",\n \"CGA-j7w7-m586-rmf6\",\n \"CGA-m937-hhxp-2gm9\",\n \"CGA-pj55-r8cf-957f\",\n \"CGA-q7qp-mqc2-cqff\",\n \"CGA-qpr4-x3v9-rvj7\",\n \"CGA-vv7m-rc5q-gr82\",\n \"CGA-x6pw-hh9f-9g3j\",\n \"CGA-xpg8-pwc5-69x9\"\n ],\n \"summary\": \"Denial of Service attack on windows app using netty\",\n \"details\": \"### Summary\\n\\nAn unsafe reading of environment file could potentially cause a denial of service in Netty.\\nWhen loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash.\\n\\n\\n### Details\\n\\nWhen the library netty is loaded in a java windows application, the library tries to identify the system environnement in which it is executed.\\n\\nAt this stage, Netty tries to load both `/etc/os-release` and `/usr/lib/os-release` even though it is in a Windows environment. \\n\\n\\u003cimg width=\\\"364\\\" alt=\\\"1\\\" src=\\\"https://github.com/user-attachments/assets/9466b181-9394-45a3-b0e3-1dcf105def59\\\"\\u003e\\n\\nIf netty finds this files, it reads them and loads them into memory.\\n\\nBy default :\\n\\n- The JVM maximum memory size is set to 1 GB,\\n- A non-privileged user can create a directory at `C:\\\\` and create files within it.\\n\\n\\u003cimg width=\\\"340\\\" alt=\\\"2\\\" src=\\\"https://github.com/user-attachments/assets/43b359a2-5871-4592-ae2b-ffc40ac76831\\\"\\u003e\\n\\n\\u003cimg width=\\\"523\\\" alt=\\\"3\\\" src=\\\"https://github.com/user-attachments/assets/ad5c6eed-451c-4513-92d5-ba0eee7715c1\\\"\\u003e\\n\\nthe source code identified :\\nhttps://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/internal/PlatformDependent.java\\n\\nDespite the implementation of the function `normalizeOs()` the source code not verify the OS before reading `C:\\\\etc\\\\os-release` and `C:\\\\usr\\\\lib\\\\os-release`.\\n\\n### PoC\\n\\nCreate a file larger than 1 GB of data in `C:\\\\etc\\\\os-release` or `C:\\\\usr\\\\lib\\\\os-release` on a Windows environnement and start your Netty application.\\n\\nTo observe what the application does with the file, the security analyst used \\\"Process Monitor\\\" from the \\\"Windows SysInternals\\\" suite. (https://learn.microsoft.com/en-us/sysinternals/)\\n\\n```\\ncd C:\\\\etc\\nfsutil file createnew os-release 3000000000\\n```\\n\\n\\u003cimg width=\\\"519\\\" alt=\\\"4\\\" src=\\\"https://github.com/user-attachments/assets/39df22a3-462b-4fd0-af9a-aa30077ec08f\\\"\\u003e\\n\\n\\u003cimg width=\\\"517\\\" alt=\\\"5\\\" src=\\\"https://github.com/user-attachments/assets/129dbd50-fc36-4da5-8eb1-582123fb528f\\\"\\u003e\\n\\nThe source code used is the Netty website code example : [Echo ‐ the very basic client and server](https://netty.io/4.1/xref/io/netty/example/echo/package-summary.html).\\n\\nThe vulnerability was tested on the 4.1.112.Final version.\\n\\nThe security analyst tried the same technique for `C:\\\\proc\\\\sys\\\\net\\\\core\\\\somaxconn` with a lot of values to impact Netty but the only things that works is the \\\"larger than 1 GB file\\\" technique. https://github.com/netty/netty/blob/c0fdb8e9f8f256990e902fcfffbbe10754d0f3dd/common/src/main/java/io/netty/util/NetUtil.java#L186\\n\\n### Impact\\n\\nBy loading the \\\"file larger than 1 GB\\\" into the memory, the Netty library exceeds the JVM memory limit and causes a crash in the java Windows application.\\n\\nThis behaviour occurs 100% of the time in both Server mode and Client mode if the large file exists.\\n\\nClient mode :\\n\\n\\u003cimg width=\\\"449\\\" alt=\\\"6\\\" src=\\\"https://github.com/user-attachments/assets/f8fe1ed0-1a42-4490-b9ed-dbc9af7804be\\\"\\u003e\\n\\nServer mode :\\n\\n\\u003cimg width=\\\"464\\\" alt=\\\"7\\\" src=\\\"https://github.com/user-attachments/assets/b34b42bd-4fbd-4170-b93a-d29ba87b88eb\\\"\\u003e\\n\\nsomaxconn :\\n\\n\\u003cimg width=\\\"532\\\" alt=\\\"8\\\" src=\\\"https://github.com/user-attachments/assets/0656b3bb-32c6-4ae2-bff7-d93babba08a3\\\"\\u003e\\n\\n### Severity\\n\\n- Attack vector : \\\"Local\\\" because the attacker needs to be on the system where the Netty application is running.\\n- Attack complexity : \\\"Low\\\" because the attacker only need to create a massive file (regardless of its contents).\\n- Privileges required : \\\"Low\\\" because the attacker requires a user account to exploit the vulnerability.\\n- User intercation : \\\"None\\\" because the administrator don't need to accidentally click anywhere to trigger the vulnerability. Furthermore, the exploitation works with defaults windows/AD settings.\\n- Scope : \\\"Unchanged\\\" because only Netty is affected by the vulnerability.\\n- Confidentiality : \\\"None\\\" because no data is exposed through exploiting the vulnerability.\\n- Integrity : \\\"None\\\" because the explotation of the vulnerability does not allow editing, deleting or adding data elsewhere.\\n- Availability : \\\"High\\\" because the exploitation of this vulnerability crashes the entire java application.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.115.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.100.Final\",\n \"4.1.101.Final\",\n \"4.1.102.Final\",\n \"4.1.103.Final\",\n \"4.1.104.Final\",\n \"4.1.105.Final\",\n \"4.1.106.Final\",\n \"4.1.107.Final\",\n \"4.1.108.Final\",\n \"4.1.109.Final\",\n \"4.1.11.Final\",\n \"4.1.110.Final\",\n \"4.1.111.Final\",\n \"4.1.112.Final\",\n \"4.1.113.Final\",\n \"4.1.114.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.68.Final\",\n \"4.1.69.Final\",\n \"4.1.7.Final\",\n \"4.1.70.Final\",\n \"4.1.71.Final\",\n \"4.1.72.Final\",\n \"4.1.73.Final\",\n \"4.1.74.Final\",\n \"4.1.75.Final\",\n \"4.1.76.Final\",\n \"4.1.77.Final\",\n \"4.1.78.Final\",\n \"4.1.79.Final\",\n \"4.1.8.Final\",\n \"4.1.80.Final\",\n \"4.1.81.Final\",\n \"4.1.82.Final\",\n \"4.1.83.Final\",\n \"4.1.84.Final\",\n \"4.1.85.Final\",\n \"4.1.86.Final\",\n \"4.1.87.Final\",\n \"4.1.88.Final\",\n \"4.1.89.Final\",\n \"4.1.9.Final\",\n \"4.1.90.Final\",\n \"4.1.91.Final\",\n \"4.1.92.Final\",\n \"4.1.93.Final\",\n \"4.1.94.Final\",\n \"4.1.95.Final\",\n \"4.1.96.Final\",\n \"4.1.97.Final\",\n \"4.1.98.Final\",\n \"4.1.99.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 4.1.114.Final\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-xq3w-v528-46rv/GHSA-xq3w-v528-46rv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-xq3w-v528-46rv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-47535\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/fbf7a704a82e7449b48bd0bbb679f5661c6d61a3\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-11-12T19:53:17Z\",\n \"nvd_published_at\": \"2024-11-12T16:15:22Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4g8c-wm8x-jfhw\",\n \"published\": \"2025-02-10T17:38:10Z\",\n \"modified\": \"2025-04-16T19:36:10.233999Z\",\n \"aliases\": [\n \"CVE-2025-24970\"\n ],\n \"related\": [\n \"CGA-2rmr-wmhc-2w99\",\n \"CGA-3ff3-j2gh-ch6w\",\n \"CGA-4c9r-4w8v-hrg9\",\n \"CGA-4fc4-gx3h-pr85\",\n \"CGA-4vhm-8vvc-xp32\",\n \"CGA-5j2r-r3qg-5f8j\",\n \"CGA-5w34-p6wm-7m57\",\n \"CGA-75hc-h3fm-76g3\",\n \"CGA-77xw-mv88-q2mp\",\n \"CGA-8qcx-xrm8-v435\",\n \"CGA-92vf-fmhh-m858\",\n \"CGA-9cfj-2vcq-2qmg\",\n \"CGA-f8r8-7qpm-75vh\",\n \"CGA-g9f5-gvgx-jg3v\",\n \"CGA-gj2p-246v-gxg2\",\n \"CGA-hvvp-w5fp-mfj3\",\n \"CGA-pxx2-j5vx-hpc7\",\n \"CGA-q4fc-47cm-pg7p\",\n \"CGA-q847-pq59-hvfv\",\n \"CGA-v2hv-cwjf-vh29\",\n \"CGA-v56f-9x62-8x8w\",\n \"CGA-vpqx-mv83-m9q3\",\n \"CGA-vxw2-mqpj-vp92\",\n \"CGA-w7hc-8fp9-mm8j\",\n \"CGA-xvj3-hqwc-49qg\",\n \"CVE-2025-24970\"\n ],\n \"summary\": \"SslHandler doesn't correctly validate packets which can lead to native crash when using native SSLEngine\",\n \"details\": \"### Impact\\nWhen a special crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead to a native crash.\\n\\n### Workarounds\\nAs workaround its possible to either disable the usage of the native SSLEngine or changing the code from:\\n\\n```\\nSslContext context = ...;\\nSslHandler handler = context.newHandler(....);\\n```\\n\\nto:\\n\\n```\\nSslContext context = ...;\\nSSLEngine engine = context.newEngine(....);\\nSslHandler handler = new SslHandler(engine, ....);\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.1.91.Final\"\n },\n {\n \"fixed\": \"4.1.118.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.100.Final\",\n \"4.1.101.Final\",\n \"4.1.102.Final\",\n \"4.1.103.Final\",\n \"4.1.104.Final\",\n \"4.1.105.Final\",\n \"4.1.106.Final\",\n \"4.1.107.Final\",\n \"4.1.108.Final\",\n \"4.1.109.Final\",\n \"4.1.110.Final\",\n \"4.1.111.Final\",\n \"4.1.112.Final\",\n \"4.1.113.Final\",\n \"4.1.114.Final\",\n \"4.1.115.Final\",\n \"4.1.116.Final\",\n \"4.1.117.Final\",\n \"4.1.91.Final\",\n \"4.1.92.Final\",\n \"4.1.93.Final\",\n \"4.1.94.Final\",\n \"4.1.95.Final\",\n \"4.1.96.Final\",\n \"4.1.97.Final\",\n \"4.1.98.Final\",\n \"4.1.99.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 4.1.117.Final\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-4g8c-wm8x-jfhw/GHSA-4g8c-wm8x-jfhw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-4g8c-wm8x-jfhw\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-24970\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/87f40725155b2f89adfde68c7732f97c153676c4\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250221-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-detection\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24970-netty-vulnerability-mitigation\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-02-10T17:38:10Z\",\n \"nvd_published_at\": \"2025-02-10T22:15:38Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6mjq-h674-j845\",\n \"published\": \"2023-06-20T16:33:22Z\",\n \"modified\": \"2024-10-22T05:29:07.697767Z\",\n \"aliases\": [\n \"CGA-4p9j-8g99-x3wm\",\n \"CVE-2023-34462\"\n ],\n \"related\": [\n \"CGA-cp7x-r3q6-pfcj\",\n \"CGA-h5cv-9cc6-j4jf\",\n \"CGA-r5mp-477x-xh5j\",\n \"CGA-rq5c-v396-7c72\",\n \"CGA-xcw6-rv74-mwgj\",\n \"CVE-2023-34462\"\n ],\n \"summary\": \"netty-handler SniHandler 16MB allocation\",\n \"details\": \"### Summary\\nThe `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` to allocate 16MB of heap.\\n\\n### Details\\nThe `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the indicated server name by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. \\n\\nNormally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`\\n\\n1/ allocate a 16MB `ByteBuf`\\n2/ not fail `decode` method `in` buffer\\n3/ get out of the loop without an exception\\n\\nThe combination of this without the use of a timeout makes easy to connect to a TCP server and allocate 16MB of heap memory per connection.\\n\\n### Impact\\nIf the user has no idle timeout handler configured it might be possible for a remote peer to send a client hello packet which lead the server to buffer up to 16MB of data per connection. This could lead to a OutOfMemoryError and so result in a DDOS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.94.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.46.Final\",\n \"4.1.47.Final\",\n \"4.1.48.Final\",\n \"4.1.49.Final\",\n \"4.1.5.Final\",\n \"4.1.50.Final\",\n \"4.1.51.Final\",\n \"4.1.52.Final\",\n \"4.1.53.Final\",\n \"4.1.54.Final\",\n \"4.1.55.Final\",\n \"4.1.56.Final\",\n \"4.1.57.Final\",\n \"4.1.58.Final\",\n \"4.1.59.Final\",\n \"4.1.6.Final\",\n \"4.1.60.Final\",\n \"4.1.61.Final\",\n \"4.1.62.Final\",\n \"4.1.63.Final\",\n \"4.1.64.Final\",\n \"4.1.65.Final\",\n \"4.1.66.Final\",\n \"4.1.67.Final\",\n \"4.1.68.Final\",\n \"4.1.69.Final\",\n \"4.1.7.Final\",\n \"4.1.70.Final\",\n \"4.1.71.Final\",\n \"4.1.72.Final\",\n \"4.1.73.Final\",\n \"4.1.74.Final\",\n \"4.1.75.Final\",\n \"4.1.76.Final\",\n \"4.1.77.Final\",\n \"4.1.78.Final\",\n \"4.1.79.Final\",\n \"4.1.8.Final\",\n \"4.1.80.Final\",\n \"4.1.81.Final\",\n \"4.1.82.Final\",\n \"4.1.83.Final\",\n \"4.1.84.Final\",\n \"4.1.85.Final\",\n \"4.1.86.Final\",\n \"4.1.87.Final\",\n \"4.1.88.Final\",\n \"4.1.89.Final\",\n \"4.1.9.Final\",\n \"4.1.90.Final\",\n \"4.1.91.Final\",\n \"4.1.92.Final\",\n \"4.1.93.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-6mjq-h674-j845/GHSA-6mjq-h674-j845.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34462\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230803-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5558\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-20T16:33:22Z\",\n \"nvd_published_at\": \"2023-06-22T23:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9959-6p3m-wxpc\",\n \"published\": \"2020-06-30T21:01:31Z\",\n \"modified\": \"2023-11-08T03:57:37.697735Z\",\n \"aliases\": [\n \"CVE-2014-3488\"\n ],\n \"summary\": \"Denial of service in Netty\",\n \"details\": \"The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-9959-6p3m-wxpc/GHSA-9959-6p3m-wxpc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-3488\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/2562\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSNETTY-31630\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2014/06/11/3-9-2-Final.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/59196\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-119\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-30T20:50:42Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ff2w-cq2g-wv5f\",\n \"published\": \"2020-02-21T18:55:50Z\",\n \"modified\": \"2024-03-14T05:20:05.937087Z\",\n \"aliases\": [\n \"CVE-2020-7238\"\n ],\n \"summary\": \"HTTP Request Smuggling in Netty\",\n \"details\": \"Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.1.43\"\n },\n {\n \"fixed\": \"4.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.43.Final\",\n \"4.1.44.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 4.1.44\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-ff2w-cq2g-wv5f/GHSA-ff2w-cq2g-wv5f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-7238\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jdordonezn/CVE-2020-72381/issues/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/9861\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9865\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://netty.io/news\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc8d554aad889d12b140d9fd7d2d6fc2e8716e9792f6f4e4b2cdc2d05@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r131e572d003914843552fa45c4398b9903fb74144986e8b107c0a3a7@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0567\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0497\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-20T20:54:49Z\",\n \"nvd_published_at\": \"2020-01-27T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mm9x-g8pc-w292\",\n \"published\": \"2020-06-15T19:36:16Z\",\n \"modified\": \"2024-03-14T05:18:47.685399Z\",\n \"aliases\": [\n \"CVE-2020-11612\"\n ],\n \"summary\": \"Denial of Service in Netty\",\n \"details\": \"The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.1.0\"\n },\n {\n \"fixed\": \"4.1.46\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.45.Final\",\n \"4.1.5.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-mm9x-g8pc-w292/GHSA-mm9x-g8pc-w292.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11612\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/6168\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9924\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9c30b7fca4baedebcb46d6e0f90071b30cc4a0e074164d50122ec5ec@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra98e3a8541a09271f96478d5e22c7e3bd1afdf48641c8be25d62d9f9@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd302ddb501fa02c5119120e5fc21df9a1c00e221c490edbe2d7ad365@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re1ea144e91f03175d661b2d3e97c7d74b912e019613fa90419cf63f4@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ref2c8a0cbb3b8271e5b9a06457ba78ad2028128627186531730f50ef@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ref3943adbc3a8813aee0e3a9dd919bacbb27f626be030a3c6d6c7f83@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf803b65b4a57589d79cf2e83d8ece0539018d32864f932f63c972844@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf9f8bcc4ca8d2788f77455ff594468404732a4497baebe319043f4d5@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfd173eac20d5e5f581c8984b685c836dafea8eb2f7ff85f617704cf1@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff8859c0d06b1688344b39097f9685c43b461cf2bc41f60f001704e9@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201223-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/compare/netty-4.1.45.Final...netty-4.1.46.Final\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r14446ed58208cb6d97b6faa6ebf145f1cf2c70c0886c0c133f4d3b6f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r255ed239e65d0596812362adc474bee96caf7ba042c7ad2f3c62cec7@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r281882fdf9ea89aac02fd2f92786693a956aac2ce9840cce87c7df6b@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2958e4d49ee046e1e561e44fdc114a0d2285927501880f15852a9b53@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31424427cc6d7db46beac481bdeed9a823fc20bb1b9deede38557f71@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3195127e46c87a680b5d1d3733470f83b886bfd3b890c50df718bed1@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3ea4918d20d0c1fa26cac74cc7cda001d8990bc43473d062867ef70d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a7e4e23bd84ac24abf30ab5d5edf989c02b555e1eca6a2f28636692@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4f4a14d6a608db447b725ec2e96c26ac9664d83cd879aa21e2cfeb24@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5030cd8ea5df1e64cf6a7b633eff145992fbca03e8bfc687cd2427ab@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5a0b1f0b1c3bcd66f5177fbd6f6de2d0f8cae24a13ab2669f274251a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b1ad61552591b747cd31b3a908d5ff2e8f2a8a6847583dd6b7b1ee7@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r69b23a94d4ae45394cabae012dd1f4a963996869c44c478eb1c61082@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7641ee788e1eb1be4bb206a7d15f8a64ec6ef23e5ec6132d5a567695@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7836bbdbe95c99d4d725199f0c169927d4e87ba57e4beeeb699c097a@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r866288c2ada00ce148b7307cdf869f15f24302b3eb2128af33830997@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88e2b91560c065ed67e62adf8f401c417e4d70256d11ea447215a70c@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8a654f11e1172b0effbfd6f8d5b6ca651ae4ac724a976923c268a42f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9addb580456807cd11d6f0c6b6373b7d7161d06d2278866c30c7febb@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-119\",\n \"CWE-400\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-11T19:58:52Z\",\n \"nvd_published_at\": \"2020-04-07T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p2v9-g2qv-p635\",\n \"published\": \"2020-02-21T18:55:04Z\",\n \"modified\": \"2024-12-08T05:34:35.794525Z\",\n \"aliases\": [\n \"CVE-2019-20445\"\n ],\n \"related\": [\n \"CGA-3hw4-v37p-xv4c\",\n \"CGA-f836-4mqx-vr2w\"\n ],\n \"summary\": \"HTTP Request Smuggling in Netty\",\n \"details\": \"HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.37.Final\",\n \"4.0.38.Final\",\n \"4.0.39.Final\",\n \"4.0.4.Final\",\n \"4.0.40.Final\",\n \"4.0.41.Final\",\n \"4.0.42.Final\",\n \"4.0.43.Final\",\n \"4.0.44.Final\",\n \"4.0.45.Final\",\n \"4.0.46.Final\",\n \"4.0.47.Final\",\n \"4.0.48.Final\",\n \"4.0.49.Final\",\n \"4.0.5.Final\",\n \"4.0.50.Final\",\n \"4.0.51.Final\",\n \"4.0.52.Final\",\n \"4.0.53.Final\",\n \"4.0.54.Final\",\n \"4.0.55.Final\",\n \"4.0.56.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\",\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\",\n \"4.1.1.Final\",\n \"4.1.10.Final\",\n \"4.1.11.Final\",\n \"4.1.12.Final\",\n \"4.1.13.Final\",\n \"4.1.14.Final\",\n \"4.1.15.Final\",\n \"4.1.16.Final\",\n \"4.1.17.Final\",\n \"4.1.18.Final\",\n \"4.1.19.Final\",\n \"4.1.2.Final\",\n \"4.1.20.Final\",\n \"4.1.21.Final\",\n \"4.1.22.Final\",\n \"4.1.23.Final\",\n \"4.1.24.Final\",\n \"4.1.25.Final\",\n \"4.1.26.Final\",\n \"4.1.27.Final\",\n \"4.1.28.Final\",\n \"4.1.29.Final\",\n \"4.1.3.Final\",\n \"4.1.30.Final\",\n \"4.1.31.Final\",\n \"4.1.32.Final\",\n \"4.1.33.Final\",\n \"4.1.34.Final\",\n \"4.1.35.Final\",\n \"4.1.36.Final\",\n \"4.1.37.Final\",\n \"4.1.38.Final\",\n \"4.1.39.Final\",\n \"4.1.4.Final\",\n \"4.1.40.Final\",\n \"4.1.41.Final\",\n \"4.1.42.Final\",\n \"4.1.43.Final\",\n \"4.1.44.Final\",\n \"4.1.5.Final\",\n \"4.1.6.Final\",\n \"4.1.7.Final\",\n \"4.1.8.Final\",\n \"4.1.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\",\n \"3.10.3.Final\",\n \"3.10.4.Final\",\n \"3.10.5.Final\",\n \"3.10.6.Final\",\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\",\n \"3.9.8.Final\",\n \"3.9.9.Final\",\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 4.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-p2v9-g2qv-p635/GHSA-p2v9-g2qv-p635.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-20445\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/issues/9861\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/9865\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0497\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4532-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4885\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0567\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0601\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-20T20:54:25Z\",\n \"nvd_published_at\": \"2020-01-29T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rv63-gqm8-9w8q\",\n \"published\": \"2022-05-13T01:11:43Z\",\n \"modified\": \"2024-02-16T08:13:46.004283Z\",\n \"aliases\": [\n \"CVE-2016-4970\"\n ],\n \"summary\": \"Loop with Unreachable Exit Condition in Netty\",\n \"details\": \"handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0.Alpha1\"\n },\n {\n \"fixed\": \"4.0.37.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Alpha1\",\n \"4.0.0.Alpha2\",\n \"4.0.0.Alpha3\",\n \"4.0.0.Alpha4\",\n \"4.0.0.Alpha5\",\n \"4.0.0.Alpha6\",\n \"4.0.0.Alpha7\",\n \"4.0.0.Alpha8\",\n \"4.0.0.Beta1\",\n \"4.0.0.Beta2\",\n \"4.0.0.Beta3\",\n \"4.0.0.CR1\",\n \"4.0.0.CR2\",\n \"4.0.0.CR3\",\n \"4.0.0.CR4\",\n \"4.0.0.CR5\",\n \"4.0.0.CR6\",\n \"4.0.0.CR7\",\n \"4.0.0.CR8\",\n \"4.0.0.CR9\",\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.28.Final\",\n \"4.0.29.Final\",\n \"4.0.3.Final\",\n \"4.0.30.Final\",\n \"4.0.31.Final\",\n \"4.0.32.Final\",\n \"4.0.33.Final\",\n \"4.0.34.Final\",\n \"4.0.35.Final\",\n \"4.0.36.Final\",\n \"4.0.4.Final\",\n \"4.0.5.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty-handler\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-handler\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.1.0.Beta1\"\n },\n {\n \"fixed\": \"4.1.1.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1.0.Beta1\",\n \"4.1.0.Beta2\",\n \"4.1.0.Beta3\",\n \"4.1.0.Beta4\",\n \"4.1.0.Beta5\",\n \"4.1.0.Beta6\",\n \"4.1.0.Beta7\",\n \"4.1.0.Beta8\",\n \"4.1.0.CR1\",\n \"4.1.0.CR2\",\n \"4.1.0.CR3\",\n \"4.1.0.CR4\",\n \"4.1.0.CR5\",\n \"4.1.0.CR6\",\n \"4.1.0.CR7\",\n \"4.1.0.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rv63-gqm8-9w8q/GHSA-rv63-gqm8-9w8q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-4970\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/5364\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1343616\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/afaa5860e3a6d327eb96c3d82cbd2f5996de815a16854ed1ad310144@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://wiki.opendaylight.org/view/Security_Advisories\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2016/06/07/4-0-37-Final.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2016/06/07/4-1-1-Final.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0179.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-1097.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:54:08Z\",\n \"nvd_published_at\": \"2017-04-13T14:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xfv3-rrfm-f2rv\",\n \"published\": \"2020-06-30T21:01:21Z\",\n \"modified\": \"2024-02-16T08:04:08.954640Z\",\n \"aliases\": [\n \"CVE-2015-2156\"\n ],\n \"summary\": \"Information Exposure in Netty\",\n \"details\": \"Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"io.netty:netty-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.0.28.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0.Final\",\n \"4.0.1.Final\",\n \"4.0.10.Final\",\n \"4.0.11.Final\",\n \"4.0.12.Final\",\n \"4.0.13.Final\",\n \"4.0.14.Beta1\",\n \"4.0.14.Final\",\n \"4.0.15.Final\",\n \"4.0.16.Final\",\n \"4.0.17.Final\",\n \"4.0.18.Final\",\n \"4.0.19.Final\",\n \"4.0.2.Final\",\n \"4.0.20.Final\",\n \"4.0.21.Final\",\n \"4.0.22.Final\",\n \"4.0.23.Final\",\n \"4.0.24.Final\",\n \"4.0.25.Final\",\n \"4.0.26.Final\",\n \"4.0.27.Final\",\n \"4.0.3.Final\",\n \"4.0.4.Final\",\n \"4.0.5.Final\",\n \"4.0.6.Final\",\n \"4.0.7.Final\",\n \"4.0.8.Final\",\n \"4.0.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.8.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0.CR1\",\n \"3.0.0.CR2\",\n \"3.0.0.CR3\",\n \"3.0.0.CR4\",\n \"3.0.0.CR5\",\n \"3.0.0.GA\",\n \"3.0.1.GA\",\n \"3.0.2.GA\",\n \"3.1.0.ALPHA1\",\n \"3.1.0.ALPHA2\",\n \"3.1.0.ALPHA3\",\n \"3.1.0.ALPHA4\",\n \"3.1.0.BETA1\",\n \"3.1.0.BETA2\",\n \"3.1.0.BETA3\",\n \"3.1.0.CR1\",\n \"3.1.0.GA\",\n \"3.1.1.GA\",\n \"3.1.2.GA\",\n \"3.1.3.GA\",\n \"3.1.4.GA\",\n \"3.1.5.GA\",\n \"3.2.0.ALPHA1\",\n \"3.2.0.ALPHA2\",\n \"3.2.0.ALPHA3\",\n \"3.2.0.ALPHA4\",\n \"3.2.0.BETA1\",\n \"3.2.0.CR1\",\n \"3.2.0.Final\",\n \"3.2.1.Final\",\n \"3.2.10.Final\",\n \"3.2.2.Final\",\n \"3.2.3.Final\",\n \"3.2.4.Final\",\n \"3.2.5.Final\",\n \"3.2.6.Final\",\n \"3.2.7.Final\",\n \"3.2.8.Final\",\n \"3.2.9.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.jboss.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.jboss.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.10.0\"\n },\n {\n \"fixed\": \"3.10.3.Final\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.10.0\"\n },\n {\n \"fixed\": \"3.10.3.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.10.0.Final\",\n \"3.10.1.Final\",\n \"3.10.2.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.netty:netty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.netty/netty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.9.8.Final\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0.Final\",\n \"3.3.1.Final\",\n \"3.4.0.Alpha1\",\n \"3.4.0.Alpha2\",\n \"3.4.0.Beta1\",\n \"3.4.0.Final\",\n \"3.4.1.Final\",\n \"3.4.2.Final\",\n \"3.4.3.Final\",\n \"3.4.4.Final\",\n \"3.4.5.Final\",\n \"3.4.6.Final\",\n \"3.5.0.Beta1\",\n \"3.5.0.Final\",\n \"3.5.1.Final\",\n \"3.5.10.Final\",\n \"3.5.11.Final\",\n \"3.5.12.Final\",\n \"3.5.13.Final\",\n \"3.5.2.Final\",\n \"3.5.3.Final\",\n \"3.5.4.Final\",\n \"3.5.5.Final\",\n \"3.5.6.Final\",\n \"3.5.7.Final\",\n \"3.5.8.Final\",\n \"3.5.9.Final\",\n \"3.6.0.Beta1\",\n \"3.6.0.Final\",\n \"3.6.1.Final\",\n \"3.6.10.Final\",\n \"3.6.2.Final\",\n \"3.6.3.Final\",\n \"3.6.4.Final\",\n \"3.6.5.Final\",\n \"3.6.6.Final\",\n \"3.6.7.Final\",\n \"3.6.8.Final\",\n \"3.6.9.Final\",\n \"3.7.0.Final\",\n \"3.7.1.Final\",\n \"3.8.0.Final\",\n \"3.8.1.Final\",\n \"3.8.2.Final\",\n \"3.8.3.Final\",\n \"3.9.0.Final\",\n \"3.9.1.1.Final\",\n \"3.9.1.Final\",\n \"3.9.2.Final\",\n \"3.9.3.Final\",\n \"3.9.4.Final\",\n \"3.9.5.Final\",\n \"3.9.6.Final\",\n \"3.9.7.Final\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-xfv3-rrfm-f2rv/GHSA-xfv3-rrfm-f2rv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-2156\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/pull/3754\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1222923\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/netty/netty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/05/17/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/74704\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-30T20:59:55Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3xrr-7m6p-p7xh\",\n \"published\": \"2023-07-06T19:24:13Z\",\n \"modified\": \"2024-02-17T05:32:04.097962Z\",\n \"aliases\": [\n \"CVE-2023-26119\"\n ],\n \"summary\": \"HtmlUnit Code Injection vulnerability\",\n \"details\": \"Versions of the package `net.sourceforge.htmlunit:htmlunit` from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"net.sourceforge.htmlunit:htmlunit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.htmlunit/htmlunit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.14\",\n \"2.0\",\n \"2.1\",\n \"2.1.5\",\n \"2.10\",\n \"2.11\",\n \"2.12\",\n \"2.13\",\n \"2.14\",\n \"2.15\",\n \"2.16\",\n \"2.17\",\n \"2.18\",\n \"2.19\",\n \"2.2\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.27\",\n \"2.28\",\n \"2.29\",\n \"2.3\",\n \"2.30\",\n \"2.31\",\n \"2.32\",\n \"2.33\",\n \"2.34.0\",\n \"2.34.1\",\n \"2.35.0\",\n \"2.36.0\",\n \"2.37.0\",\n \"2.38.0\",\n \"2.39.0\",\n \"2.39.1\",\n \"2.4\",\n \"2.40.0\",\n \"2.41.0\",\n \"2.42.0\",\n \"2.43.0\",\n \"2.44.0\",\n \"2.45.0\",\n \"2.46.0\",\n \"2.47.0\",\n \"2.47.1\",\n \"2.48.0\",\n \"2.49.0\",\n \"2.49.1\",\n \"2.5\",\n \"2.50.0\",\n \"2.51.0\",\n \"2.52.0\",\n \"2.53.0\",\n \"2.54.0\",\n \"2.55.0\",\n \"2.56.0\",\n \"2.57.0\",\n \"2.58.0\",\n \"2.59.0\",\n \"2.6\",\n \"2.60.0\",\n \"2.61.0\",\n \"2.62.0\",\n \"2.63.0\",\n \"2.64.0\",\n \"2.65.0\",\n \"2.65.1\",\n \"2.66.0\",\n \"2.67.0\",\n \"2.68.0\",\n \"2.69.0\",\n \"2.7\",\n \"2.70.0\",\n \"2.8\",\n \"2.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-3xrr-7m6p-p7xh/GHSA-3xrr-7m6p-p7xh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26119\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit/commit/641325bbc84702dc9800ec7037aec061ce21956b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-NETSOURCEFORGEHTMLUNIT-3252500\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://siebene.github.io/2022/12/30/HtmlUnit-RCE\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-74\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-06T22:00:23Z\",\n \"nvd_published_at\": \"2023-04-03T05:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5mh9-r3rr-9597\",\n \"published\": \"2020-05-21T21:08:33Z\",\n \"modified\": \"2024-10-15T23:41:37.767130Z\",\n \"aliases\": [\n \"CVE-2020-5529\"\n ],\n \"summary\": \"Code execution vulnerability in HtmlUnit\",\n \"details\": \"HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes Rhino engine improperly, hence a malicious JavScript code can execute arbitrary Java code on the application. Moreover, when embedded in Android application, Android-specific initialization of Rhino engine is done in an improper way, hence a malicious JavaScript code can execute arbitrary Java code on the application. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"net.sourceforge.htmlunit:htmlunit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.htmlunit/htmlunit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.37.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.14\",\n \"2.0\",\n \"2.1\",\n \"2.1.5\",\n \"2.10\",\n \"2.11\",\n \"2.12\",\n \"2.13\",\n \"2.14\",\n \"2.15\",\n \"2.16\",\n \"2.17\",\n \"2.18\",\n \"2.19\",\n \"2.2\",\n \"2.20\",\n \"2.21\",\n \"2.22\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.26\",\n \"2.27\",\n \"2.28\",\n \"2.29\",\n \"2.3\",\n \"2.30\",\n \"2.31\",\n \"2.32\",\n \"2.33\",\n \"2.34.0\",\n \"2.34.1\",\n \"2.35.0\",\n \"2.36.0\",\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.7\",\n \"2.8\",\n \"2.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-5mh9-r3rr-9597/GHSA-5mh9-r3rr-9597.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-5529\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit/commit/bc1f58d483cc8854a9c4c1739abd5e04a2eb0367\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit/releases/tag/2.37.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://jvn.jp/en/jp/JVN34535327\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563%40%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2cd7f8e61dc6b8a2d9065094cd1f46aa63ad10f237ee363e26e8563@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/08/msg00023.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4584-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-665\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-05-21T17:25:38Z\",\n \"nvd_published_at\": \"2020-02-11T12:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6jmm-mp6w-4rrg\",\n \"published\": \"2022-04-26T21:14:57Z\",\n \"modified\": \"2023-11-08T04:09:13.642010Z\",\n \"aliases\": [\n \"CVE-2022-29546\"\n ],\n \"related\": [\n \"CVE-2022-29546\"\n ],\n \"summary\": \"OutOfMemory Exception by specifically crafted processing instruction in NekoHtml Parser\",\n \"details\": \"### Impact\\nNekoHtml Parser suffers from a denial of service vulnerability on versions 2.60.0 and below. A specifically crafted input regarding the parsing of processing instructions leads to heap memory consumption. Please update to version 2.61.0.\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Open an issue in [https://github.com/HtmlUnit/htmlunit-neko](https://github.com/HtmlUnit/htmlunit-neko)\\n* Email us at [rbri at rbri.de]\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"net.sourceforge.htmlunit:neko-htmlunit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.htmlunit/neko-htmlunit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.61.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.21\",\n \"2.23\",\n \"2.24\",\n \"2.25\",\n \"2.27\",\n \"2.28\",\n \"2.30\",\n \"2.31\",\n \"2.32\",\n \"2.33\",\n \"2.34.0\",\n \"2.35.0\",\n \"2.36.0\",\n \"2.37.0\",\n \"2.38.0\",\n \"2.39.0\",\n \"2.40.0\",\n \"2.41.0\",\n \"2.42.0\",\n \"2.43.0\",\n \"2.44.0\",\n \"2.45.0\",\n \"2.46.0\",\n \"2.47.0\",\n \"2.47.1\",\n \"2.48.0\",\n \"2.49.0\",\n \"2.50.0\",\n \"2.51.0\",\n \"2.52.0\",\n \"2.53.0\",\n \"2.54.0\",\n \"2.55.0\",\n \"2.56.0\",\n \"2.57.0\",\n \"2.58.0\",\n \"2.59.0\",\n \"2.60.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-6jmm-mp6w-4rrg/GHSA-6jmm-mp6w-4rrg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit-neko/security/advisories/GHSA-6jmm-mp6w-4rrg\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-29546\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit-neko\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-04-26T21:14:57Z\",\n \"nvd_published_at\": \"2022-04-25T03:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g9hh-vvx3-v37v\",\n \"published\": \"2022-04-23T00:03:04Z\",\n \"modified\": \"2024-12-05T05:41:29.184965Z\",\n \"aliases\": [\n \"CVE-2022-28366\"\n ],\n \"summary\": \"Denial of service in HtmlUnit-Neko\",\n \"details\": \"Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24939.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"net.sourceforge.htmlunit:neko-htmlunit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/net.sourceforge.htmlunit/neko-htmlunit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.27\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.21\",\n \"2.23\",\n \"2.24\",\n \"2.25\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-g9hh-vvx3-v37v/GHSA-g9hh-vvx3-v37v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-28366\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/HtmlUnit/htmlunit-neko\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nahsra/antisamy/releases/tag/v1.6.6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-04-26T20:12:38Z\",\n \"nvd_published_at\": \"2022-04-21T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r7pg-v2c8-mfg3\",\n \"published\": \"2024-10-03T12:30:48Z\",\n \"modified\": \"2025-07-10T23:44:42.719245Z\",\n \"aliases\": [\n \"CVE-2024-47561\"\n ],\n \"related\": [\n \"CGA-24wg-f7c9-6234\",\n \"CGA-6hqm-x64f-4f58\",\n \"CGA-6pm2-j37h-3fvw\",\n \"CGA-6pm4-w9vr-cj5w\",\n \"CGA-j4wj-mh37-jf86\",\n \"CGA-r5wx-5789-jqwq\"\n ],\n \"summary\": \"Apache Avro Java SDK: Arbitrary Code Execution when reading Avro Data (Java SDK)\",\n \"details\": \"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.\\nUsers are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.avro:avro\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.avro/avro\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.11.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.11.3\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.7.4\",\n \"1.7.5\",\n \"1.7.6\",\n \"1.7.7\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-r7pg-v2c8-mfg3/GHSA-r7pg-v2c8-mfg3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-47561\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/avro/pull/2934\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/avro/pull/2980\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/avro/commit/8f89868d29272e3afea2ff8de8c85cb81a57d900\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/avro/commit/f6b3bd7e50e6e09fedddb98c61558c022ba31285\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/avro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/AVRO-3985\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241011-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.openwall.com/lists/oss-security/2024/10/03/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/10/03/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-10-03T16:52:52Z\",\n \"nvd_published_at\": \"2024-10-03T11:15:13Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rhrv-645h-fjfh\",\n \"published\": \"2023-09-29T18:30:22Z\",\n \"modified\": \"2025-07-31T14:37:21.698951Z\",\n \"aliases\": [\n \"CVE-2023-39410\",\n \"PYSEC-2023-188\"\n ],\n \"related\": [\n \"CGA-8q34-h6rx-rrwj\",\n \"CGA-x2r8-2m8h-66gj\"\n ],\n \"summary\": \"Apache Avro Java SDK vulnerable to Improper Input Validation\",\n \"details\": \"When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system.\\n\\nThis issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.avro:avro\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.avro/avro\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.11.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10.0\",\n \"1.10.1\",\n \"1.10.2\",\n \"1.11.0\",\n \"1.11.1\",\n \"1.11.2\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.7.4\",\n \"1.7.5\",\n \"1.7.6\",\n \"1.7.7\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-rhrv-645h-fjfh/GHSA-rhrv-645h-fjfh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-39410\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/avro/commit/a12a7e44ddbe060c3dc731863cad5c15f9267828\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/avro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pypa/advisory-database/tree/main/vulns/avro/PYSEC-2023-188.yaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/AVRO-3819\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/q142wj99cwdd0jo5lvdoxzoymlqyjdds\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.openwall.com/lists/oss-security/2023/09/29/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/09/29/6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-29T22:06:14Z\",\n \"nvd_published_at\": \"2023-09-29T17:15:46Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4265-ccf5-phj5\",\n \"published\": \"2024-02-19T09:30:52Z\",\n \"modified\": \"2025-02-13T19:35:45.384593Z\",\n \"aliases\": [\n \"CGA-9f5h-57xr-g74j\",\n \"CVE-2024-26308\"\n ],\n \"related\": [\n \"CGA-4qfq-4jjg-v7x8\",\n \"CGA-5jhg-gjx7-pq4m\",\n \"CGA-96mq-j5w6-4gc5\",\n \"CGA-cm9w-hfx3-j2p6\",\n \"CGA-ggv5-qcv7-p79c\",\n \"CGA-gjfq-fj8p-3fpm\",\n \"CGA-gp4f-pvwr-2rc6\",\n \"CGA-j2pm-vhxf-h6gg\",\n \"CGA-ppj7-32h7-rr4m\",\n \"CGA-rq5c-r89h-7gmf\",\n \"CGA-x85q-h487-67fx\"\n ],\n \"summary\": \"Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file\",\n \"details\": \"Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26.\\n\\nUsers are recommended to upgrade to version 1.26, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.21\"\n },\n {\n \"fixed\": \"1.26.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.21\",\n \"1.22\",\n \"1.23.0\",\n \"1.24.0\",\n \"1.25.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4265-ccf5-phj5/GHSA-4265-ccf5-phj5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-26308\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240307-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/02/19/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-20T23:59:29Z\",\n \"nvd_published_at\": \"2024-02-19T09:15:38Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4g9r-vxhx-9pgx\",\n \"published\": \"2024-02-19T09:30:50Z\",\n \"modified\": \"2025-11-04T21:07:59.755805Z\",\n \"aliases\": [\n \"CGA-6rmf-ffqm-f8vv\",\n \"CVE-2024-25710\"\n ],\n \"related\": [\n \"CGA-2xg7-8qm4-vx87\",\n \"CGA-3wh2-6f5w-rxm4\",\n \"CGA-679f-cjh5-5f6q\",\n \"CGA-86rr-9236-xpq3\",\n \"CGA-f3gh-9fhg-9hjp\",\n \"CGA-gr35-gp4q-q78f\",\n \"CGA-gxfq-hm2x-69x4\",\n \"CGA-hw3c-xmgp-wcw7\",\n \"CGA-jx86-68h8-6jqw\",\n \"CGA-qm27-j3j5-mwr9\",\n \"CGA-w8q8-p4r5-xxg9\"\n ],\n \"summary\": \"Apache Commons Compress: Denial of service caused by an infinite loop for a corrupted DUMP file\",\n \"details\": \"Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0.\\n\\nUsers are recommended to upgrade to version 1.26.0 which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.3\"\n },\n {\n \"fixed\": \"1.26.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.20\",\n \"1.21\",\n \"1.22\",\n \"1.23.0\",\n \"1.24.0\",\n \"1.25.0\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-4g9r-vxhx-9pgx/GHSA-4g9r-vxhx-9pgx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-25710\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240307-0010\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2024/Aug/37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/02/19/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-20T23:58:47Z\",\n \"nvd_published_at\": \"2024-02-19T09:15:37Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-53x6-4x5p-rrvv\",\n \"published\": \"2019-10-11T18:41:08Z\",\n \"modified\": \"2024-03-16T05:19:51.255480Z\",\n \"aliases\": [\n \"CVE-2019-12402\"\n ],\n \"summary\": \"Denial of Service in Apache Commons Compress\",\n \"details\": \"The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.15\"\n },\n {\n \"fixed\": \"1.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.github.1tchy.java9modular.org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.github.1tchy.java9modular.org.apache.commons/commons-compress\"\n },\n \"versions\": [\n \"1.18.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-53x6-4x5p-rrvv/GHSA-53x6-4x5p-rrvv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12402\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230818-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZB3GB7YXIOUKIOQ27VTIP6KKGJJ3CKL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLJIK2AUOZOWXR3S5XXBUNMOF3RTHTI7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re13bd219dd4b651134f6357f12bd07a0344eea7518c577bbdd185265@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdebc1830d6c09c11d5a4804ca26769dbd292d17d361c61dea50915f0@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd3f99d732baed459b425fb0a9e9e14f7843c9459b12037e4a9d753b5@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcc35ab6be300365de5ff9587e0479d10d7d7c79070921837e3693162@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r972f82d821b805d04602976a9736c01b6bf218cfe0c3f48b472db488@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7af60fbd8b2350d49d14e53a3ab2801998b9d1af2d6fcac60b060a53@%3Cdev.brooklyn.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5caf4fcb69d2749225391e61db7216282955204849ba94f83afe011f@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r590c15cebee9b8e757e2f738127a9a71e48ede647a3044c504e050a4@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5103b1c9242c0f812ac96e524344144402cbff9b6e078d1557bc7b1e@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4363c994c8bca033569a98da9218cc0c62bb695c1e47a98e5084e5a0@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25422df9ad22fec56d9eeca3ab8bd6d66365e9f6bfe311b64730edf5@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r233267e24519bacd0f9fb9f61a1287cb9f4bcb6e75d83f34f405c521@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r21d64797914001119d2fc766b88c6da181dc2308d20f14e7a7f46117@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r05cf37c1e1e662e968cfece1102fcd50fe207181fdbf2c30aadfafd3@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/54cc4e9fa6b24520135f6fa4724dfb3465bc14703c7dc7e52353a0ea@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/308cc15f1f1dc53e97046fddbac240e6cd16de89a2746cf257be7f5b@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jensdietrich/xshady-release/tree/main/CVE-2019-12402\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-09-30T09:39:36Z\",\n \"nvd_published_at\": \"2019-08-30T09:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6fxm-66hq-fc96\",\n \"published\": \"2022-05-13T01:07:05Z\",\n \"modified\": \"2024-11-28T05:48:23.160032Z\",\n \"aliases\": [\n \"CVE-2012-2098\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in Apache Commons Compress\",\n \"details\": \"Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.4.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fxm-66hq-fc96/GHSA-6fxm-66hq-fc96.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-2098\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/020c03d8ef579e80511023fb46ece30e9c3dd27d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/0600296ab8f8a0bbdfedd483f51b38005eb8e34e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/1ce57d976c4f25fe99edcadf079840c278f3cb84\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/2ab2fcb356753927afaa731b9d2dcc47d3083408\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/654222e628097763ee6ca561ae77be5c06666173\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/6ced422bf5eca3aac05396367bafb33ec21bf74e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/6e95697e783767f3549f00d7d2e1b002eac4a3d4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/8f702469cbf4c451b6dea349290bc4af0f6f76c7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/b06f7b41c936ef1a79589d16ea5c1d8b93f71f66\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/cca0e6e5341aacddefd4c4d36cef7cbdbc2a8777\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/ea31005111f0abede7e43e4ba0012e62e0808b22\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/fdd7459bc5470e90024dbe762249166481cce769\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140724002926/http://secunia.com/advisories/49286\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140724023114/http://secunia.com/advisories/49255\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200517014414/http://www.securitytracker.com/id?1027096\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20130525085523/http://www.securityfocus.com/bid/53676\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@\\u003csolr-user.lucene.apache.org\\u003e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/75857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://ant.apache.org/security.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://archives.neohapsis.com/archives/bugtraq/2012-05/0130.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://commons.apache.org/compress/security.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081697.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081746.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105049.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105060.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.org/files/113014/Apache-Commons-Compress-Apache-Ant-Denial-Of-Service.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21644047\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/09/13/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-13T21:10:51Z\",\n \"nvd_published_at\": \"2012-06-29T19:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7hfm-57qf-j43q\",\n \"published\": \"2021-08-02T16:55:07Z\",\n \"modified\": \"2024-03-08T05:18:24.619639Z\",\n \"aliases\": [\n \"CVE-2021-35515\"\n ],\n \"summary\": \"Excessive Iteration in Compress\",\n \"details\": \"When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.2\",\n \"1.20\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-7hfm-57qf-j43q/GHSA-7hfm-57qf-j43q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-35515\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20211022-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-compress/security-reports.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-834\",\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-07-14T17:35:41Z\",\n \"nvd_published_at\": \"2021-07-13T08:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cgwf-w82q-5jrr\",\n \"published\": \"2023-09-14T09:30:28Z\",\n \"modified\": \"2025-02-13T19:34:19.488773Z\",\n \"aliases\": [\n \"CVE-2023-42503\"\n ],\n \"related\": [\n \"CGA-6gcx-2g6m-pvm8\",\n \"CGA-793c-mm63-qv25\"\n ],\n \"summary\": \"Apache Commons Compress denial of service vulnerability\",\n \"details\": \"Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.\\n\\nUsers are recommended to upgrade to version 1.24.0, which fixes the issue.\\n\\nA third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.\\n\\nIn version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.\\n\\nParsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5].\\n\\n[1]: https://issues.apache.org/jira/browse/COMPRESS-612 \\n[2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 \\n[3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html \\n[4]: https://bugs.openjdk.org/browse/JDK-6560193 \\n[5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 \\n\\nOnly applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.22\"\n },\n {\n \"fixed\": \"1.24.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.22\",\n \"1.23.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cgwf-w82q-5jrr/GHSA-cgwf-w82q-5jrr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-42503\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/aae38bfb820159ae7a0b792e779571f6a46b3889\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231020-0003\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-14T19:35:27Z\",\n \"nvd_published_at\": \"2023-09-14T08:15:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-crv7-7245-f45f\",\n \"published\": \"2021-08-02T16:55:15Z\",\n \"modified\": \"2024-03-08T05:19:35.252507Z\",\n \"aliases\": [\n \"CVE-2021-35516\"\n ],\n \"summary\": \"Improper Handling of Length Parameter Inconsistency in Compress\",\n \"details\": \"When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.2\",\n \"1.20\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-crv7-7245-f45f/GHSA-crv7-7245-f45f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-35516\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20211022-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-compress/security-reports.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-130\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-07-14T18:11:52Z\",\n \"nvd_published_at\": \"2021-07-13T08:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h436-432x-8fvx\",\n \"published\": \"2019-03-14T15:41:12Z\",\n \"modified\": \"2024-02-27T18:34:05.707371Z\",\n \"aliases\": [\n \"CVE-2018-1324\"\n ],\n \"summary\": \"Apache Commons Compress vulnerable to denial of service due to infinite loop\",\n \"details\": \"A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.11\"\n },\n {\n \"fixed\": \"1.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.liferay:com.liferay.portal.tools.bundle.support\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.liferay/com.liferay.portal.tools.bundle.support\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.2.7\"\n },\n {\n \"fixed\": \"3.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.2.7\",\n \"3.3.0\",\n \"3.4.0\",\n \"3.4.1\",\n \"3.4.2\",\n \"3.4.3\",\n \"3.5.0\",\n \"3.5.1\",\n \"3.5.2\",\n \"3.5.3\",\n \"3.5.4\",\n \"3.5.5\",\n \"3.5.6\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.7.0\",\n \"3.7.1\",\n \"3.7.2\",\n \"3.7.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"io.takari:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/io.takari/commons-compress\"\n },\n \"versions\": [\n \"1.12\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h436-432x-8fvx/GHSA-h436-432x-8fvx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1324\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-compress/commit/2a2f1dc48e22a34ddb72321a4db211da91aa933b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534.pdf\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-h436-432x-8fvx\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jensdietrich/xshady-release/tree/main/CVE-2018-1324\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1c7b6df6d1c5c8583518a0afa017782924918e4d6acfaf23ed5b2089@%3Cdev.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5532dc8d5456b5151e8c286801e2e5769f5c04118b29c3b5d13ea387@%3Cissues.beam.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:38:39Z\",\n \"nvd_published_at\": \"2018-03-16T13:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hrmr-f5m6-m9pq\",\n \"published\": \"2018-10-19T16:41:27Z\",\n \"modified\": \"2024-06-05T17:33:15.862538Z\",\n \"aliases\": [\n \"CVE-2018-11771\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.apache.commons:commons-compress\",\n \"details\": \"When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.7\"\n },\n {\n \"fixed\": \"1.18\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-hrmr-f5m6-m9pq/GHSA-hrmr-f5m6-m9pq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11771\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9cdd32af7d73e943452167d15801db39e8130409ebb9efb243b3f41@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f28052d04cb8dbaae39bfd3dc8438e58c2a8be306a3f381f4728d7c1@%3Ccommits.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eeecc1669242b28a3777ae13c68b376b0148d589d3d8170340d61120@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e3eae9e6fc021c4c22dda59a335d21c12eecab480b48115a2f098ef6@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c7954dc1e8fafd7ca1449f078953b419ebf8936e087f235f3bd024be@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b907e70bc422905d7962fd18f863f746bf7b4e7ed9da25c148580c61@%3Cnotifications.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b8ef29df0f1d55aa741170748352ae8e425c7b1d286b2f257711a2dd@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b8da751fc0ca949534cdf2744111da6bb0349d2798fac94b0a50f330@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/714c6ac1b1b50f8557e7342903ef45f1538a7bc60a0b47d6e48c273d@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6c79965066c30d4e330e04d911d3761db41b82c89ae38d9a6b37a6f1@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/35f60d6d0407c13c39411038ba1aca71d92595ed7041beff4d07f2ee@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3565494c263dfeb4dcb2a71cb24d09a1ca285cd6ac74edc025a3af8a@%3Ccommits.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0adb631517766e793e18a59723e2df08ced41eb9a57478f14781c9f7@%3Cdev.tinkerpop.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-compress\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/105139\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041503\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:40:55Z\",\n \"nvd_published_at\": \"2018-08-16T15:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mc84-pj99-q6hh\",\n \"published\": \"2021-08-02T16:55:53Z\",\n \"modified\": \"2024-03-08T05:19:48.954731Z\",\n \"aliases\": [\n \"CVE-2021-36090\"\n ],\n \"summary\": \"Improper Handling of Length Parameter Inconsistency in Compress\",\n \"details\": \"When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.2\",\n \"1.20\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-mc84-pj99-q6hh/GHSA-mc84-pj99-q6hh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-36090\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-compress/security-reports.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20211022-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-130\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-07-14T19:37:10Z\",\n \"nvd_published_at\": \"2021-07-13T08:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xqfj-vm6h-2x34\",\n \"published\": \"2021-08-02T16:55:39Z\",\n \"modified\": \"2024-03-08T05:19:25.295269Z\",\n \"aliases\": [\n \"CVE-2021-35517\"\n ],\n \"summary\": \"Improper Handling of Length Parameter Inconsistency in Compress\",\n \"details\": \"When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-compress\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-compress\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.1\",\n \"1.10\",\n \"1.11\",\n \"1.12\",\n \"1.13\",\n \"1.14\",\n \"1.15\",\n \"1.16\",\n \"1.16.1\",\n \"1.17\",\n \"1.18\",\n \"1.19\",\n \"1.2\",\n \"1.20\",\n \"1.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.8.1\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-xqfj-vm6h-2x34/GHSA-xqfj-vm6h-2x34.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-35517\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20211022-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-compress/security-reports.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/07/13/5\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-130\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-07-14T18:12:57Z\",\n \"nvd_published_at\": \"2021-07-13T08:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7qx4-pp76-vrqh\",\n \"published\": \"2020-05-21T19:08:08Z\",\n \"modified\": \"2023-11-08T04:02:46.926629Z\",\n \"aliases\": [\n \"CVE-2020-1953\"\n ],\n \"summary\": \"Remote code execution in Apache Commons Configuration\",\n \"details\": \"Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-configuration2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-configuration2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.2\"\n },\n {\n \"fixed\": \"2.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/05/GHSA-7qx4-pp76-vrqh/GHSA-7qx4-pp76-vrqh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1953\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r16a2e949e35780c8974cf66104e812410f3904f752df6b66bf292269@%3Ccommits.servicecomb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-05-21T17:12:19Z\",\n \"nvd_published_at\": \"2020-03-13T15:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9w38-p64v-xpmv\",\n \"published\": \"2024-03-21T09:31:14Z\",\n \"modified\": \"2025-02-13T19:13:50.673769Z\",\n \"aliases\": [\n \"CGA-4phw-5934-cp4w\",\n \"CVE-2024-29133\"\n ],\n \"related\": [\n \"CGA-9pcx-658r-q6cc\",\n \"CGA-f8w3-v8cw-rc4q\",\n \"CGA-gxrv-2q36-c76g\",\n \"CGA-p5h5-jmpp-wgq6\"\n ],\n \"summary\": \"Apache Commons Configuration: StackOverflowError calling ListDelimiterHandler.flatten(Object, int) with a cyclical object tree\",\n \"details\": \"This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' calling 'ListDelimiterHandler.flatten(Object, int)' with a cyclical object tree.\\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-configuration2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-configuration2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"fixed\": \"2.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.1.1\",\n \"2.10.0\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.7\",\n \"2.8.0\",\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-9w38-p64v-xpmv/GHSA-9w38-p64v-xpmv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-29133\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-configuration/commit/43f4dab021e9acb8db390db2ae80aa0cee4f9ee4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/CONFIGURATION-841\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"apache/commons-configuration\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/03/20/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-03-21T18:59:08Z\",\n \"nvd_published_at\": \"2024-03-21T09:15:07Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xj57-8qj4-c4m6\",\n \"published\": \"2022-07-07T00:00:26Z\",\n \"modified\": \"2024-02-17T05:33:18.672687Z\",\n \"aliases\": [\n \"CVE-2022-33980\"\n ],\n \"summary\": \"Code injection in Apache Commons Configuration\",\n \"details\": \"Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \\\"${prefix:name}\\\", where \\\"prefix\\\" is used to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \\\"script\\\" - execute expressions using the JVM script execution engine (javax.script) - \\\"dns\\\" - resolve dns records - \\\"url\\\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators by default.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-configuration2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-configuration2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.4\"\n },\n {\n \"fixed\": \"2.8.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-xj57-8qj4-c4m6/GHSA-xj57-8qj4-c4m6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-33980\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-configuration/changes-report.html#a2.8.0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-configuration\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/CONFIGURATION-753\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/CONFIGURATION-764\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221028-0015\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5290\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/07/06/5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/11/15/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-74\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-07T16:56:07Z\",\n \"nvd_published_at\": \"2022-07-06T13:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xjp4-hw94-mvp5\",\n \"published\": \"2024-03-21T09:31:14Z\",\n \"modified\": \"2025-02-13T19:12:42.244592Z\",\n \"aliases\": [\n \"CGA-6jvc-fmj8-g22f\",\n \"CVE-2024-29131\"\n ],\n \"related\": [\n \"CGA-2v4p-jwqh-9wqp\",\n \"CGA-grw7-f4vj-7jvv\",\n \"CGA-pg3h-88pr-x67h\",\n \"CGA-qh6m-p54c-m273\"\n ],\n \"summary\": \"Apache Commons Configuration: StackOverflowError adding property in AbstractListDelimiterHandler.flattenIterator()\",\n \"details\": \"This Out-of-bounds Write vulnerability in Apache Commons Configuration affects Apache Commons Configuration: from 2.0 before 2.10.1. User can see this as a 'StackOverflowError' when adding a property in 'AbstractListDelimiterHandler.flattenIterator()'.\\nUsers are recommended to upgrade to version 2.10.1, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-configuration2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-configuration2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"fixed\": \"2.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.1.1\",\n \"2.10.0\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\",\n \"2.7\",\n \"2.8.0\",\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-xjp4-hw94-mvp5/GHSA-xjp4-hw94-mvp5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-29131\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-configuration/commit/56b5c4dcdffbde27870df5a3105d6a5f9b22f554\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-configuration\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/CONFIGURATION-840\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SNKDKEEKZNL5FGCTZKJ6CFXFVWFL5FJ7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YD4AFTIIQW662LUAQRMWS6BBKYSZG3YS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241213-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/03/20/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-03-21T18:58:52Z\",\n \"nvd_published_at\": \"2024-03-21T09:15:07Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j288-q9x7-2f5v\",\n \"published\": \"2025-07-11T15:31:37Z\",\n \"modified\": \"2025-11-05T20:34:04.566048Z\",\n \"aliases\": [\n \"CVE-2025-48924\"\n ],\n \"related\": [\n \"CGA-22cr-f3cr-c7cm\",\n \"CGA-29x5-f7v5-rrg6\",\n \"CGA-2fmr-p6rq-h6gj\",\n \"CGA-48h5-566h-rvpp\",\n \"CGA-4fcv-jq36-r7hx\",\n \"CGA-523g-m72h-8798\",\n \"CGA-6pxc-gq99-gpx4\",\n \"CGA-6v52-24xf-x875\",\n \"CGA-78fw-62xf-9rm8\",\n \"CGA-7r2r-4fw7-h3qv\",\n \"CGA-8c99-22mx-hg38\",\n \"CGA-8w2x-v747-c9c7\",\n \"CGA-8x43-fp55-w32w\",\n \"CGA-9j28-2jv5-qv67\",\n \"CGA-9rcm-4h29-rv8h\",\n \"CGA-ff3x-mc4g-82q2\",\n \"CGA-g3gg-7c6f-x6qx\",\n \"CGA-hj53-w7gr-6f9r\",\n \"CGA-j6cx-9v8j-x9cc\",\n \"CGA-j84p-prch-g8wm\",\n \"CGA-j8w2-rj92-x353\",\n \"CGA-j93m-mcxv-7hxr\",\n \"CGA-jvxv-2xch-6xjm\",\n \"CGA-m7pc-jwx3-vm7v\",\n \"CGA-mhg4-342v-w7xq\",\n \"CGA-mp4q-mrjj-8862\",\n \"CGA-p7fm-p736-2fmc\",\n \"CGA-p87f-qfxg-x45v\",\n \"CGA-pxx2-65vr-8cc4\",\n \"CGA-rc28-932p-89cv\",\n \"CGA-v52f-47gw-2xcm\",\n \"CGA-vxhq-8vpg-mr2p\"\n ],\n \"summary\": \"Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs\",\n \"details\": \"Uncontrolled Recursion vulnerability in Apache Commons Lang.\\n\\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\\n\\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.\\n\\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-lang3\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-lang3\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0\"\n },\n {\n \"fixed\": \"3.18.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.10\",\n \"3.11\",\n \"3.12.0\",\n \"3.13.0\",\n \"3.14.0\",\n \"3.15.0\",\n \"3.16.0\",\n \"3.17.0\",\n \"3.2\",\n \"3.2.1\",\n \"3.3\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.4\",\n \"3.5\",\n \"3.6\",\n \"3.7\",\n \"3.8\",\n \"3.8.1\",\n \"3.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"commons-lang:commons-lang\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-lang/commons-lang\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0\"\n },\n {\n \"last_affected\": \"2.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.5\",\n \"2.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-j288-q9x7-2f5v/GHSA-j288-q9x7-2f5v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48924\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-lang\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/07/11/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-12T00:48:03Z\",\n \"nvd_published_at\": \"2025-07-11T15:15:24Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-599f-7c49-w659\",\n \"published\": \"2022-10-13T19:00:17Z\",\n \"modified\": \"2024-02-16T08:09:06.872889Z\",\n \"aliases\": [\n \"CVE-2022-42889\"\n ],\n \"summary\": \"Arbitrary code execution in Apache Commons Text\",\n \"details\": \"Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is \\\"${prefix:name}\\\", where \\\"prefix\\\" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - \\\"script\\\" - execute expressions using the JVM script execution engine (javax.script) - \\\"dns\\\" - resolve dns records - \\\"url\\\" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-text\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-text\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.5\"\n },\n {\n \"fixed\": \"1.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.guicedee.services:commons-text\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.guicedee.services/commons-text\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.2.2.1-jre17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.70.0.1\",\n \"0.70.0.1-rc1\",\n \"0.70.0.1-rc13\",\n \"0.70.0.1-rc14\",\n \"0.70.0.1-rc15\",\n \"0.70.0.1-rc2\",\n \"0.70.0.1-rc3\",\n \"0.70.0.1-rc4\",\n \"0.70.0.1-rc5\",\n \"0.70.0.2\",\n \"0.70.0.3\",\n \"0.70.0.4\",\n \"0.70.0.5\",\n \"0.70.0.6\",\n \"0.70.0.7\",\n \"1.0.0.0\",\n \"1.0.1.0\",\n \"1.0.1.0-jre12\",\n \"1.0.1.0-jre13\",\n \"1.0.1.0-jre8\",\n \"1.0.1.1\",\n \"1.0.1.1-jre12\",\n \"1.0.1.1-jre13\",\n \"1.0.1.1-jre8\",\n \"1.0.1.2\",\n \"1.0.1.3\",\n \"1.0.1.3-jre12\",\n \"1.0.1.3-jre13\",\n \"1.0.1.3-jre8\",\n \"1.0.1.4\",\n \"1.0.1.4-jre12\",\n \"1.0.1.4-jre13\",\n \"1.0.1.4-jre8\",\n \"1.0.1.5\",\n \"1.0.1.5-jre12\",\n \"1.0.1.5-jre13\",\n \"1.0.1.5-jre8\",\n \"1.0.1.6\",\n \"1.0.1.6-jre12\",\n \"1.0.1.6-jre13\",\n \"1.0.1.7\",\n \"1.0.1.7-jre12\",\n \"1.0.1.7-jre13\",\n \"1.0.1.7-jre8\",\n \"1.0.10.0\",\n \"1.0.10.0-jre13\",\n \"1.0.10.0-jre14\",\n \"1.0.10.1\",\n \"1.0.10.1-jre14\",\n \"1.0.10.3\",\n \"1.0.10.3-jre14\",\n \"1.0.10.4\",\n \"1.0.10.4-jre12\",\n \"1.0.10.4-jre13\",\n \"1.0.10.4-jre14\",\n \"1.0.11.0-jre14\",\n \"1.0.11.2-jre14\",\n \"1.0.11.5\",\n \"1.0.11.5-jre12\",\n \"1.0.11.5-jre14\",\n \"1.0.11.6-jre14\",\n \"1.0.11.7\",\n \"1.0.11.7-jre12\",\n \"1.0.11.7-jre14\",\n \"1.0.12.0\",\n \"1.0.12.0-jre12\",\n \"1.0.12.0-jre13\",\n \"1.0.12.0-jre14\",\n \"1.0.12.0-jre8\",\n \"1.0.12.1\",\n \"1.0.12.1-jre12\",\n \"1.0.12.1-jre14\",\n \"1.0.12.2\",\n \"1.0.12.2-jre12\",\n \"1.0.12.2-jre14\",\n \"1.0.12.3\",\n \"1.0.12.3-jre12\",\n \"1.0.12.3-jre13\",\n \"1.0.12.3-jre14\",\n \"1.0.12.4\",\n \"1.0.12.4-jre12\",\n \"1.0.12.4-jre13\",\n \"1.0.12.4-jre14\",\n \"1.0.12.4-jre8\",\n \"1.0.12.5\",\n \"1.0.12.5-jre14\",\n \"1.0.13.0\",\n \"1.0.13.0-jre12\",\n \"1.0.13.0-jre13\",\n \"1.0.13.0-jre14\",\n \"1.0.13.0-jre8\",\n \"1.0.13.1\",\n \"1.0.13.1-jre13\",\n \"1.0.13.1-jre14\",\n \"1.0.13.1-jre8\",\n \"1.0.13.2\",\n \"1.0.13.2-jre12\",\n \"1.0.13.2-jre13\",\n \"1.0.13.2-jre14\",\n \"1.0.13.2-jre8\",\n \"1.0.13.3\",\n \"1.0.13.3-jre14\",\n \"1.0.13.4\",\n \"1.0.13.4-jre12\",\n \"1.0.13.4-jre13\",\n \"1.0.13.4-jre14\",\n \"1.0.13.5\",\n \"1.0.13.5-jre12\",\n \"1.0.13.5-jre14\",\n \"1.0.13.5-jre8\",\n \"1.0.14.0-RC1-jre14\",\n \"1.0.14.0-RC1-jre8\",\n \"1.0.14.1\",\n \"1.0.14.1-jre12\",\n \"1.0.14.1-jre13\",\n \"1.0.14.1-jre14\",\n \"1.0.14.1-jre8\",\n \"1.0.14.3-jre8\",\n \"1.0.14.4-jre14\",\n \"1.0.14.4-jre8\",\n \"1.0.15.1\",\n \"1.0.15.1-jre12\",\n \"1.0.15.1-jre13\",\n \"1.0.15.1-jre14\",\n \"1.0.15.1-jre8\",\n \"1.0.15.2\",\n \"1.0.15.2-jre12\",\n \"1.0.15.2-jre14\",\n \"1.0.15.2-jre8\",\n \"1.0.15.3-jre14\",\n \"1.0.15.3-jre8\",\n \"1.0.15.4\",\n \"1.0.15.4-jre14\",\n \"1.0.15.4-jre8\",\n \"1.0.15.5\",\n \"1.0.15.5-jre14\",\n \"1.0.15.5-jre8\",\n \"1.0.16.0\",\n \"1.0.16.0-jre14\",\n \"1.0.16.0-jre8\",\n \"1.0.17.0\",\n \"1.0.17.0-jre14\",\n \"1.0.17.1\",\n \"1.0.17.1-jre14\",\n \"1.0.17.1-jre8\",\n \"1.0.18.0\",\n \"1.0.18.0-jre14\",\n \"1.0.18.0-jre15\",\n \"1.0.18.0-jre8\",\n \"1.0.18.1\",\n \"1.0.18.1-jre14\",\n \"1.0.18.1-jre15\",\n \"1.0.18.1-jre8\",\n \"1.0.19.0\",\n \"1.0.19.0-jre14\",\n \"1.0.19.0-jre15\",\n \"1.0.19.1\",\n \"1.0.19.1-jre12\",\n \"1.0.19.1-jre13\",\n \"1.0.19.1-jre14\",\n \"1.0.19.1-jre15\",\n \"1.0.19.1-jre8\",\n \"1.0.19.10\",\n \"1.0.19.10-jre12\",\n \"1.0.19.10-jre14\",\n \"1.0.19.10-jre15\",\n \"1.0.19.10-jre8\",\n \"1.0.19.11\",\n \"1.0.19.11-jre14\",\n \"1.0.19.11-jre8\",\n \"1.0.19.12-jre14\",\n \"1.0.19.12-jre8\",\n \"1.0.19.13\",\n \"1.0.19.13-jre14\",\n \"1.0.19.13-jre15\",\n \"1.0.19.13-jre8\",\n \"1.0.19.2\",\n \"1.0.19.2-jre13\",\n \"1.0.19.2-jre14\",\n \"1.0.19.2-jre15\",\n \"1.0.19.2-jre8\",\n \"1.0.19.3\",\n \"1.0.19.3-jre13\",\n \"1.0.19.3-jre14\",\n \"1.0.19.3-jre15\",\n \"1.0.19.3-jre8\",\n \"1.0.19.4\",\n \"1.0.19.4-jre14\",\n \"1.0.19.4-jre15\",\n \"1.0.19.4-jre8\",\n \"1.0.19.5\",\n \"1.0.19.5-jre14\",\n \"1.0.19.5-jre15\",\n \"1.0.19.5-jre8\",\n \"1.0.19.6\",\n \"1.0.19.6-jre14\",\n \"1.0.19.6-jre8\",\n \"1.0.19.7-jre14\",\n \"1.0.19.7-jre8\",\n \"1.0.19.8-jre8\",\n \"1.0.19.9\",\n \"1.0.19.9-jre13\",\n \"1.0.19.9-jre14\",\n \"1.0.19.9-jre15\",\n \"1.0.19.9-jre8\",\n \"1.0.2.0\",\n \"1.0.2.0-jre12\",\n \"1.0.2.0-jre13\",\n \"1.0.2.0-jre8\",\n \"1.0.2.1\",\n \"1.0.2.1-jre12\",\n \"1.0.2.1-jre13\",\n \"1.0.2.10\",\n \"1.0.2.10-jre12\",\n \"1.0.2.10-jre13\",\n \"1.0.2.11\",\n \"1.0.2.11-jre13\",\n \"1.0.2.12\",\n \"1.0.2.12-jre13\",\n \"1.0.2.13\",\n \"1.0.2.13-jre13\",\n \"1.0.2.14\",\n \"1.0.2.14-jre13\",\n \"1.0.2.15\",\n \"1.0.2.15-jre13\",\n \"1.0.2.16-jre13\",\n \"1.0.2.17-jre13\",\n \"1.0.2.18\",\n \"1.0.2.18-jre12\",\n \"1.0.2.18-jre13\",\n \"1.0.2.2\",\n \"1.0.2.2-jre12\",\n \"1.0.2.2-jre13\",\n \"1.0.2.2-jre8\",\n \"1.0.2.3\",\n \"1.0.2.3-jre12\",\n \"1.0.2.3-jre13\",\n \"1.0.2.3-jre8\",\n \"1.0.2.4\",\n \"1.0.2.4-jre12\",\n \"1.0.2.4-jre13\",\n \"1.0.2.6-jre13\",\n \"1.0.2.7-jre12\",\n \"1.0.2.7-jre13\",\n \"1.0.2.8\",\n \"1.0.2.8-jre12\",\n \"1.0.2.8-jre13\",\n \"1.0.2.9-jre12\",\n \"1.0.2.9-jre13\",\n \"1.0.20.0\",\n \"1.0.20.0-jre14\",\n \"1.0.20.0-jre15\",\n \"1.0.20.0-jre8\",\n \"1.0.20.1\",\n \"1.0.20.1-jre14\",\n \"1.0.20.1-jre15\",\n \"1.0.20.1-jre8\",\n \"1.0.20.2\",\n \"1.0.20.2-jre14\",\n \"1.0.20.2-jre15\",\n \"1.0.20.2-jre8\",\n \"1.0.3.1-jre13\",\n \"1.0.3.2\",\n \"1.0.3.2-jre13\",\n \"1.0.3.3\",\n \"1.0.3.3-jre12\",\n \"1.0.3.3-jre13\",\n \"1.0.4.1-jre13\",\n \"1.0.4.2\",\n \"1.0.4.2-jre13\",\n \"1.0.4.3-jre13\",\n \"1.0.4.4\",\n \"1.0.4.4-jre13\",\n \"1.0.5.0\",\n \"1.0.5.0-jre13\",\n \"1.0.5.1\",\n \"1.0.5.1-jre12\",\n \"1.0.5.1-jre13\",\n \"1.0.5.2\",\n \"1.0.5.2-jre12\",\n \"1.0.5.2-jre13\",\n \"1.0.5.3\",\n \"1.0.5.3-jre12\",\n \"1.0.5.3-jre13\",\n \"1.0.5.4-jre13\",\n \"1.0.5.4-jre14\",\n \"1.0.5.5\",\n \"1.0.5.5-jre12\",\n \"1.0.5.5-jre13\",\n \"1.0.5.5-jre14\",\n \"1.0.6.1\",\n \"1.0.6.1-jre12\",\n \"1.0.6.1-jre13\",\n \"1.0.6.1-jre14\",\n \"1.0.6.2\",\n \"1.0.6.2-jre12\",\n \"1.0.6.2-jre13\",\n \"1.0.6.2-jre14\",\n \"1.0.6.3\",\n \"1.0.6.3-jre12\",\n \"1.0.6.3-jre13\",\n \"1.0.6.3-jre14\",\n \"1.0.6.4-jre14\",\n \"1.0.6.5\",\n \"1.0.6.5-jre12\",\n \"1.0.6.5-jre13\",\n \"1.0.6.5-jre14\",\n \"1.0.6.7\",\n \"1.0.6.7-jre14\",\n \"1.0.7.0\",\n \"1.0.7.0-jre12\",\n \"1.0.7.0-jre13\",\n \"1.0.7.0-jre14\",\n \"1.0.7.1\",\n \"1.0.7.1-jre13\",\n \"1.0.7.1-jre14\",\n \"1.0.7.10\",\n \"1.0.7.10-jre13\",\n \"1.0.7.10-jre14\",\n \"1.0.7.11\",\n \"1.0.7.11-jre14\",\n \"1.0.7.12\",\n \"1.0.7.12-jre12\",\n \"1.0.7.12-jre13\",\n \"1.0.7.12-jre14\",\n \"1.0.7.2-jre14\",\n \"1.0.7.3\",\n \"1.0.7.3-jre13\",\n \"1.0.7.3-jre14\",\n \"1.0.7.4\",\n \"1.0.7.4-jre14\",\n \"1.0.7.5\",\n \"1.0.7.5-jre14\",\n \"1.0.7.6\",\n \"1.0.7.6-jre14\",\n \"1.0.7.9\",\n \"1.0.7.9-jre14\",\n \"1.0.8.1\",\n \"1.0.8.1-jre14\",\n \"1.0.8.12\",\n \"1.0.8.12-jre12\",\n \"1.0.8.12-jre14\",\n \"1.0.8.16\",\n \"1.0.8.16-jre14\",\n \"1.0.8.18\",\n \"1.0.8.18-jre14\",\n \"1.0.8.2\",\n \"1.0.8.2-jre13\",\n \"1.0.8.2-jre14\",\n \"1.0.8.3\",\n \"1.0.8.3-jre13\",\n \"1.0.8.3-jre14\",\n \"1.0.8.4\",\n \"1.0.8.4-jre12\",\n \"1.0.8.4-jre13\",\n \"1.0.8.4-jre14\",\n \"1.0.8.5\",\n \"1.0.8.5-jre12\",\n \"1.0.8.5-jre13\",\n \"1.0.8.5-jre14\",\n \"1.0.8.6-jre14\",\n \"1.0.9.0\",\n \"1.0.9.0-jre14\",\n \"1.0.9.1\",\n \"1.0.9.1-jre14\",\n \"1.0.9.10\",\n \"1.0.9.10-jre14\",\n \"1.0.9.11\",\n \"1.0.9.11-jre14\",\n \"1.0.9.13\",\n \"1.0.9.13-jre14\",\n \"1.0.9.14\",\n \"1.0.9.14-jre14\",\n \"1.0.9.2\",\n \"1.0.9.2-jre14\",\n \"1.0.9.3-jre14\",\n \"1.0.9.4-jre14\",\n \"1.0.9.5-jre14\",\n \"1.0.9.7-jre14\",\n \"1.1.0.0-jre15\",\n \"1.1.0.1\",\n \"1.1.0.1-jre14\",\n \"1.1.0.1-jre15\",\n \"1.1.0.2\",\n \"1.1.0.2-jre14\",\n \"1.1.0.2-jre15\",\n \"1.1.0.3\",\n \"1.1.0.3-jre14\",\n \"1.1.0.3-jre15\",\n \"1.1.0.3-jre8\",\n \"1.1.0.4-jre14\",\n \"1.1.0.4-jre15\",\n \"1.1.0.4-jre8\",\n \"1.1.0.5-jre14\",\n \"1.1.0.5-jre15\",\n \"1.1.0.6\",\n \"1.1.0.6-jre14\",\n \"1.1.0.6-jre15\",\n \"1.1.0.7\",\n \"1.1.0.7-jre14\",\n \"1.1.0.7-jre15\",\n \"1.1.0.7-jre8\",\n \"1.1.0.8-SNAPSHOT-jre14\",\n \"1.1.1.0\",\n \"1.1.1.0-SNAPSHOT-jre14\",\n \"1.1.1.0-SNAPSHOT-jre15\",\n \"1.1.1.0-SNAPSHOT-jre8\",\n \"1.1.1.0-jre14\",\n \"1.1.1.0-jre15\",\n \"1.1.1.0-jre8\",\n \"1.1.1.1-SP1\",\n \"1.1.1.1-jre14-SP1\",\n \"1.1.1.1-jre15-SP1\",\n \"1.1.1.2\",\n \"1.1.1.2-jre14\",\n \"1.1.1.2-jre15\",\n \"1.1.1.3\",\n \"1.1.1.3-jre14\",\n \"1.1.1.3-jre15\",\n \"1.1.1.3-jre16\",\n \"1.1.1.3-jre8\",\n \"1.1.1.4\",\n \"1.1.1.4-jre14\",\n \"1.1.1.4-jre15\",\n \"1.1.1.4-jre16\",\n \"1.1.1.4-jre8\",\n \"1.1.1.5-jre15\",\n \"1.1.1.7\",\n \"1.1.1.7-jre15\",\n \"1.1.1.7-jre16\",\n \"1.1.1.7-jre8\",\n \"1.1.1.8-jre15\",\n \"1.1.1.8-jre16\",\n \"1.1.1.9-jre15\",\n \"1.1.1.9-jre16\",\n \"1.2.0.0-jre16\",\n \"1.2.0.1-jre11\",\n \"1.2.0.1-jre15\",\n \"1.2.0.1-jre16\",\n \"1.2.0.2-jre16\",\n \"1.2.0.3-jre17-rc1\",\n \"1.2.1.1-jre17\",\n \"1.2.1.2-jre17\",\n \"1.2.2.1\",\n \"1.2.2.1-jre17\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-599f-7c49-w659/GHSA-599f-7c49-w659.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42889\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arxiv.org/pdf/2306.05534\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-text\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202301-05\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221020-0004\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/171003/OX-App-Suite-Cross-Site-Scripting-Server-Side-Request-Forgery.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/176650/Apache-Commons-Text-1.9-Remote-Code-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2023/Feb/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/18/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-13T20:22:17Z\",\n \"nvd_published_at\": \"2022-10-13T13:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3936-3gx6-49c4\",\n \"published\": \"2025-03-23T15:30:33Z\",\n \"modified\": \"2025-03-25T03:50:54.932958Z\",\n \"aliases\": [\n \"CVE-2025-30474\"\n ],\n \"summary\": \"Apache Commons VFS Exposure of Sensitive Information to an Unauthorized Actor\",\n \"details\": \"Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS.\\n\\nThe FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message\\nThis issue affects Apache Commons VFS: before 2.10.0.\\n\\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-vfs2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-vfs2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.7.0\",\n \"2.8.0\",\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-3936-3gx6-49c4/GHSA-3936-3gx6-49c4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-30474\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-vfs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/VFS-169\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/w6ztgnbk6ccry3470x191g3xwrpgy6f4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/03/23/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-03-25T03:23:11Z\",\n \"nvd_published_at\": \"2025-03-23T15:15:14Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9q4x-fr4m-jp86\",\n \"published\": \"2025-03-23T15:30:33Z\",\n \"modified\": \"2025-04-03T01:24:03.415749Z\",\n \"aliases\": [\n \"CVE-2025-27553\"\n ],\n \"summary\": \"Apache Commons VFS Has Relative Path Traversal Vulnerability\",\n \"details\": \"Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0.\\n\\nThe FileObject API in Commons VFS has a 'resolveFile' method that\\ntakes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that \\\"an exception is thrown if the resolved file is not a descendent of\\nthe base file\\\". However, when the path contains encoded \\\"..\\\"\\ncharacters (for example, \\\"%2E%2E/bar.txt\\\"), it might return file objects that are not\\na descendent of the base file, without throwing an exception.\\nThis issue affects Apache Commons VFS: before 2.10.0.\\n\\nUsers are recommended to upgrade to version 2.10.0, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.commons:commons-vfs2\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.commons/commons-vfs2\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0\",\n \"2.1\",\n \"2.2\",\n \"2.3\",\n \"2.4\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.7.0\",\n \"2.8.0\",\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-9q4x-fr4m-jp86/GHSA-9q4x-fr4m-jp86.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-27553\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-vfs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/cnzqowyw9r2pl263cylmxhnvh41hyjcb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/04/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/03/23/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-23\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-03-25T03:21:09Z\",\n \"nvd_published_at\": \"2025-03-23T15:15:13Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cx3q-cv6w-mx4h\",\n \"published\": \"2022-05-17T00:51:52Z\",\n \"modified\": \"2023-11-08T03:57:53.766909Z\",\n \"aliases\": [\n \"CVE-2015-3250\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Apache Directory LDAP API\",\n \"details\": \"Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.directory.api:api-ldap-model\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.directory.api/api-ldap-model\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0-M31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-M14\",\n \"1.0.0-M15\",\n \"1.0.0-M16\",\n \"1.0.0-M17\",\n \"1.0.0-M18\",\n \"1.0.0-M19\",\n \"1.0.0-M20\",\n \"1.0.0-M21\",\n \"1.0.0-M22\",\n \"1.0.0-M23\",\n \"1.0.0-M24\",\n \"1.0.0-M25\",\n \"1.0.0-M26\",\n \"1.0.0-M27\",\n \"1.0.0-M28\",\n \"1.0.0-M29\",\n \"1.0.0-M30\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.0.0-M30\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cx3q-cv6w-mx4h/GHSA-cx3q-cv6w-mx4h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-3250\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1241163\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://directory.apache.org/api/#news_1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/07/07/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/07/07/5\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T20:17:29Z\",\n \"nvd_published_at\": \"2017-09-07T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7q56-mp4c-gggg\",\n \"published\": \"2022-05-17T03:35:31Z\",\n \"modified\": \"2023-11-08T03:58:31.207186Z\",\n \"aliases\": [\n \"CVE-2016-5393\"\n ],\n \"summary\": \"Improper Access Control in Apache Hadoop\",\n \"details\": \"In Apache Hadoop 2.6.x before 2.6.5 and 2.7.x before 2.7.3, a remote user who can authenticate with the HDFS NameNode can possibly run arbitrary commands with the same privileges as the HDFS service.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.6.0\"\n },\n {\n \"fixed\": \"2.6.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7q56-mp4c-gggg/GHSA-7q56-mp4c-gggg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-5393\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/hadoop-general/201611.mbox/%3CCAA0W1bTbUmUUSF1rjRpX-2DvWutcrPt7TJSWUcSLg1F0gyHG1Q%40mail.gmail.com%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/94574\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:44:12Z\",\n \"nvd_published_at\": \"2016-11-29T06:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8r28-r8cp-g6cp\",\n \"published\": \"2022-05-13T01:08:56Z\",\n \"modified\": \"2023-11-08T03:58:30.347713Z\",\n \"aliases\": [\n \"CVE-2016-5001\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop\",\n \"details\": \"This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.6.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.22.0\",\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.0\"\n },\n {\n \"fixed\": \"2.7.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.0\",\n \"2.7.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8r28-r8cp-g6cp/GHSA-8r28-r8cp-g6cp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-5001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r66de86b9a608c1da70b2d27d765c11ec88edf6e5dd6f379ab33e072a@%3Cuser.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/oss-sec/2016/q4/698\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:43:24Z\",\n \"nvd_published_at\": \"2017-08-30T19:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8wm5-8h9c-47pc\",\n \"published\": \"2022-08-05T00:00:24Z\",\n \"modified\": \"2024-02-21T05:29:29.300541Z\",\n \"aliases\": [\n \"CVE-2022-25168\"\n ],\n \"summary\": \"Apache Hadoop argument injection vulnerability\",\n \"details\": \"Apache Hadoop's `FileUtil.unTar(File, File)` API does not escape the input file name before being passed to the shell. An attacker can inject arbitrary commands. This is only used in Hadoop 3.3 InMemoryAliasMap.completeBootstrapTransfer, which is only ever run by a local user. It has been used in Hadoop 2.x for yarn localization, which does enable remote code execution. It is used in Apache Spark, from the SQL command ADD ARCHIVE. As the ADD ARCHIVE command adds new binaries to the classpath, being able to execute shell scripts does not confer new permissions to the caller. SPARK-38305. \\\"Check existence of file before untarring/zipping\\\", which is included in 3.3.0, 3.1.4, 3.2.2, prevents shell commands being executed, regardless of which version of the hadoop libraries are in use. Users should upgrade to Apache Hadoop 2.10.2, 3.2.4, 3.3.3 or upper (including HADOOP-18136).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.10.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-alpha\"\n },\n {\n \"fixed\": \"3.2.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.0-alpha1\",\n \"3.0.0-alpha2\",\n \"3.0.0-alpha3\",\n \"3.0.0-alpha4\",\n \"3.0.0-beta1\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.2.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.3.0\"\n },\n {\n \"fixed\": \"3.3.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-8wm5-8h9c-47pc/GHSA-8wm5-8h9c-47pc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-25168\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/cae749b076f35f0be13a926ee8cfbb7ce4402746\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/mxqnb39jfrwgs3j6phwvlrfq4mlox130\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220915-0007\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-78\",\n \"CWE-88\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-08-11T21:14:19Z\",\n \"nvd_published_at\": \"2022-08-04T15:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9r7g-325h-mxrm\",\n \"published\": \"2022-05-17T02:53:20Z\",\n \"modified\": \"2023-11-08T03:57:32.986597Z\",\n \"aliases\": [\n \"CVE-2014-0229\"\n ],\n \"summary\": \"Improper Authentication in Apache Hadoop\",\n \"details\": \"Apache Hadoop 0.23.x before 0.23.11 and 2.x before 2.4.1, as used in Cloudera CDH 5.0.x before 5.0.2, do not check authorization for the (1) refreshNamenodes, (2) deleteBlockPool, and (3) shutdownDatanode HDFS admin commands, which allows remote authenticated users to cause a denial of service (DataNodes shutdown) or perform unnecessary operations by issuing a command.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.23.0\"\n },\n {\n \"fixed\": \"0.23.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.4.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9r7g-325h-mxrm/GHSA-9r7g-325h-mxrm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-0229\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#concept_i1q_xvk_2r\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-07T22:54:01Z\",\n \"nvd_published_at\": \"2017-03-23T20:59:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f5fw-25gw-5m92\",\n \"published\": \"2024-09-25T09:30:46Z\",\n \"modified\": \"2025-09-05T16:59:47.705794Z\",\n \"aliases\": [\n \"CVE-2024-23454\"\n ],\n \"summary\": \"Apache Hadoop: Temporary File Local Information Disclosure\",\n \"details\": \"Apache Hadoop’s `RunJar.run()` does not set permissions for temporary directory by default. If sensitive data will be present in this file, all the other local users may be able to view the content. This is because, on unix-like systems, the system temporary directory is shared between all local users. As such, files written in this directory, without setting the correct posix permissions explicitly, may be viewable by all other local users.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.4.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.22.0\",\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\",\n \"3.0.0\",\n \"3.0.0-alpha1\",\n \"3.0.0-alpha2\",\n \"3.0.0-alpha3\",\n \"3.0.0-alpha4\",\n \"3.0.0-beta1\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.2.2\",\n \"3.2.3\",\n \"3.2.4\",\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.3.3\",\n \"3.3.4\",\n \"3.3.5\",\n \"3.3.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-f5fw-25gw-5m92/GHSA-f5fw-25gw-5m92.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23454\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/8c2836402fbb2f619f1fef4ef625a8542e853a64\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/HADOOP-19031\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/xlo7q8kn4tsjvx059r789oz19hzgfkfs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241101-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/09/25/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-269\",\n \"CWE-378\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-09-25T14:31:09Z\",\n \"nvd_published_at\": \"2024-09-25T08:15:04Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f8vc-wfc8-hxqh\",\n \"published\": \"2022-02-09T22:17:38Z\",\n \"modified\": \"2024-03-08T05:20:12.847694Z\",\n \"aliases\": [\n \"BIT-solr-2020-9492\",\n \"CVE-2020-9492\"\n ],\n \"summary\": \"Improper Privilege Management in Apache Hadoop\",\n \"details\": \"In Apache Hadoop 3.2.0 to 3.2.1, 3.0.0-alpha1 to 3.1.3, and 2.0.0-alpha to 2.10.0, WebHDFS client might send SPNEGO authorization header to remote URL without proper verification.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.2.0\"\n },\n {\n \"fixed\": \"3.2.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.2.0\",\n \"3.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.10.0\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f8vc-wfc8-hxqh/GHSA-f8vc-wfc8-hxqh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-9492\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/ca65409836d2949e9a9408d40bec0177b414cd5d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210304-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4129c6b9e0410848bbd3761187ce9c19bc1cd491037b253007df99e@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca4516b00b55b347905df45e5d0432186248223f30497db87aba8710@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0057ebf32b646ab47f7f5744a8948332e015c39044cbb9d87ea76cd@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb12afaa421d483863c4175e42e5dbd0673917a3cff73f3fca4f8275f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r941e9be04efe0f455d20aeac88516c0848decd7e7b1d93d5687060f4@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9328eb49305e4cacc80e182bfd8a2efd8e640d940e24f5bfd7d5cb26@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r79323adac584edab99fd5e4b52a013844b784a5d4b600da0662b33d6@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r79201a209df9a4e7f761e537434131b4e39eabec4369a7d668904df4@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c2fa7949738e9d39606f1d7cd890c93a2633e3357c9aeaf886ea9a6@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6341f2a468ced8872a71997aa1786ce036242413484f0fa68dc9ca02@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r513758942356ccd0d14538ba18a09903fc72716d74be1cb727ea91ff%40%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a57de5215494c35c8304cf114be75d42df7abc6c0c54bf163c3e370@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r49c9ab444ab1107c6a8be8a0d66602dec32a16d96c2631fec8d309fb@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0a534f1cde7555f7208e9f9b791c1ab396d215eaaef283b3a9153429@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-269\",\n \"CWE-863\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-06T18:29:12Z\",\n \"nvd_published_at\": \"2021-01-26T18:16:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g48f-ff5h-5f64\",\n \"published\": \"2022-05-17T03:44:57Z\",\n \"modified\": \"2023-11-08T03:57:50.385135Z\",\n \"aliases\": [\n \"CVE-2015-1776\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop\",\n \"details\": \"Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.6.0\"\n },\n {\n \"fixed\": \"2.6.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.6.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g48f-ff5h-5f64/GHSA-g48f-ff5h-5f64.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-1776\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/hadoop-general/201602.mbox/%3CCAGCyb56CPgQMcxZ7jP87SfM5OKGx+E49DtrzCTQ6+nQf2a4nSA@mail.gmail.com%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T20:26:12Z\",\n \"nvd_published_at\": \"2016-04-19T21:59:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gx2c-fvhc-ph4j\",\n \"published\": \"2022-04-08T00:00:21Z\",\n \"modified\": \"2025-10-01T14:55:55.727257Z\",\n \"aliases\": [\n \"CVE-2022-26612\"\n ],\n \"summary\": \"Path traversal in Hadoop\",\n \"details\": \"In Apache Hadoop, The unTar function uses unTarUsingJava function on Windows and the built-in tar utility on Unix and other OSes. As a result, a TAR entry may create a symlink under the expected extraction directory which points to an external directory. A subsequent TAR entry may extract an arbitrary file into the external directory using the symlink name. This however would be caught by the same targetDirPath check on Unix because of the getCanonicalPath call. However on Windows, getCanonicalPath doesn't resolve symbolic links, which bypasses the check. unpackEntries during TAR extraction follows symbolic links which allows writing outside expected base directory on Windows. This was addressed in Apache Hadoop 2.10.2, 3.2.3, 3.3.3, and 3.4.0.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.2.0\"\n },\n {\n \"fixed\": \"3.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.2.0\",\n \"3.2.1\",\n \"3.2.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.10.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.22.0\",\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.3.0\"\n },\n {\n \"fixed\": \"3.3.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-gx2c-fvhc-ph4j/GHSA-gx2c-fvhc-ph4j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-26612\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commits/rel/release-2.10.2/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commits/rel/release-3.2.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commits/rel/release-3.3.3/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commits/rel/release-3.4.0/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/HADOOP-18317\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/hslo7wzw2449gv1jyjk8g6ttd7935fyz\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220519-0004\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-04-08T22:06:47Z\",\n \"nvd_published_at\": \"2022-04-07T19:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h24p-qwf4-84q8\",\n \"published\": \"2022-05-17T02:41:57Z\",\n \"modified\": \"2023-11-08T03:59:26.035253Z\",\n \"aliases\": [\n \"CVE-2017-7669\"\n ],\n \"summary\": \"Apache Hadoop's LinuxContainerExecutor runs docker commands as root with insufficient input validation\",\n \"details\": \"In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxContainerExecutor runs docker commands as root with insufficient input validation. When the docker feature is enabled, authenticated users can run commands as root. This issue is fixed in versions 2.8.1 and 3.0.0-alpha3.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.8.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.22.0\",\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-alpha1\"\n },\n {\n \"fixed\": \"3.0.0-alpha3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-alpha1\",\n \"3.0.0-alpha2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h24p-qwf4-84q8/GHSA-h24p-qwf4-84q8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://mail-archives.apache.org/mod_mbox/hadoop-user/201706.mbox/%3C4A2FDA56-491B-4C2A-915F-C9D4A4BDB92A%40apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/98795\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-22T18:47:34Z\",\n \"nvd_published_at\": \"2017-06-05T01:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mf7c-35mq-75pj\",\n \"published\": \"2022-05-14T03:24:59Z\",\n \"modified\": \"2023-11-08T03:58:33.830753Z\",\n \"aliases\": [\n \"CVE-2016-6811\"\n ],\n \"summary\": \"Insecure Inherited Permissions in Apache Hadoop\",\n \"details\": \"In Apache Hadoop 2.x before 2.7.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0-alpha\"\n },\n {\n \"fixed\": \"2.7.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mf7c-35mq-75pj/GHSA-mf7c-35mq-75pj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-6811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9ba3c12bbdfd5b2cae60909e48f92608e00c8d99196390b8cfeca307@%3Cgeneral.hadoop.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-277\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:45:49Z\",\n \"nvd_published_at\": \"2017-04-11T14:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pxv5-5vmp-3jj4\",\n \"published\": \"2022-05-17T02:54:07Z\",\n \"modified\": \"2024-12-06T05:49:00.331067Z\",\n \"aliases\": [\n \"CVE-2013-2192\"\n ],\n \"summary\": \"Improper Authentication in Apache Hadoop\",\n \"details\": \"The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.6-alpha\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.0.5-alpha\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.23.0\"\n },\n {\n \"fixed\": \"0.23.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pxv5-5vmp-3jj4/GHSA-pxv5-5vmp-3jj4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-2192\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0037.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0400.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2013/Aug/251\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-08T19:10:34Z\",\n \"nvd_published_at\": \"2014-01-24T18:55:00Z\",\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rmpj-7c96-mrg8\",\n \"published\": \"2022-06-14T00:00:37Z\",\n \"modified\": \"2024-02-22T05:34:28.037449Z\",\n \"aliases\": [\n \"CVE-2021-37404\"\n ],\n \"summary\": \"Apache Hadoop heap overflow before v2.10.2, v3.2.3, v3.3.2\",\n \"details\": \"There is a potential heap buffer overflow in Apache Hadoop libhdfs native code. Opening a file path provided by user without validation may result in a denial of service or arbitrary code execution. Users should upgrade to Apache Hadoop 2.10.2, 3.2.3, 3.3.2 or higher.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.3.0\"\n },\n {\n \"fixed\": \"3.3.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.1.3\",\n \"3.1.4\",\n \"3.2.0\",\n \"3.2.1\",\n \"3.2.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.10.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.22.0\",\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-rmpj-7c96-mrg8/GHSA-rmpj-7c96-mrg8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-37404\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/2h56ztcj3ojc66qzf1nno88vjw9vd4wo\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220715-0007\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-120\",\n \"CWE-131\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-17T01:09:36Z\",\n \"nvd_published_at\": \"2022-06-13T07:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-37pw-qw47-4jxm\",\n \"published\": \"2019-05-31T16:09:15Z\",\n \"modified\": \"2024-02-16T08:05:28.334834Z\",\n \"aliases\": [\n \"CVE-2018-8029\"\n ],\n \"summary\": \"Privilege escalation vulnerability in Apache Hadoop\",\n \"details\": \"In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 2.9.1, and 2.2.0 to 2.8.4, a user who can escalate to yarn user can possibly run arbitrary commands as root user.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.2.0\"\n },\n {\n \"fixed\": \"2.8.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-37pw-qw47-4jxm/GHSA-37pw-qw47-4jxm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8029\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0b8d58e02dbd0fb8bf7320c514fe58da1d6728bdc150f1ba04e0d9fc@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/17084c09e6dedf60efe08028b429c92ffd28aacc28454e4fa924578a@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a0164b87660223a2d491f83c88f905fe1a9fa8dc795148d9b0d968c8@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a97c53a81e639ca2fc7b8f61a4fcd1842c2a78544041244a7c624727@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190617-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/108518\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-285\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-05-31T16:08:38Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3v44-382q-55f4\",\n \"published\": \"2018-12-21T17:50:13Z\",\n \"modified\": \"2023-11-08T03:58:58.547397Z\",\n \"aliases\": [\n \"CVE-2017-15713\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main\",\n \"details\": \"Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before 2.8.3, and 3.0.0-alpha through 3.0.0-beta1 allows a cluster user to expose private files owned by the user running the MapReduce job history server process. The malicious user can construct a configuration file containing XML directives that reference sensitive files on the MapReduce job history server host.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-3v44-382q-55f4/GHSA-3v44-382q-55f4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-15713\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-3v44-382q-55f4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a790a251ace7213bde9f69777dedb453b1a01a6d18289c14a61d4f91@%3Cgeneral.hadoop.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:56:25Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4fh8-pm7g-pmxq\",\n \"published\": \"2022-02-10T20:28:06Z\",\n \"modified\": \"2024-02-17T05:29:43.227712Z\",\n \"aliases\": [\n \"CVE-2018-11764\"\n ],\n \"summary\": \"Authentication bypass in Apache Hadoop\",\n \"details\": \"Web endpoint authentication check is broken in Apache Hadoop 3.0.0-alpha4, 3.0.0-beta1, and 3.0.0. Authenticated users may impersonate any user even if no proxy user is configured.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-alpha4\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-alpha4\",\n \"3.0.0\",\n \"3.0.0-beta1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-beta1\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-beta1\",\n \"3.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-4fh8-pm7g-pmxq/GHSA-4fh8-pm7g-pmxq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11764\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r790ad0a049cde713b93589ecfd4dd2766fda0fc6807eedb6cf69f5c1%40%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201103-0003\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-306\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-22T21:44:53Z\",\n \"nvd_published_at\": \"2020-10-21T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5cf4-jqwp-584g\",\n \"published\": \"2019-03-25T16:17:32Z\",\n \"modified\": \"2024-02-19T05:28:21.165145Z\",\n \"aliases\": [\n \"CVE-2018-11767\"\n ],\n \"summary\": \"Improper Privilege Management in org.apache.hadoop:hadoop-main\",\n \"details\": \"In Apache Hadoop 2.9.0 to 2.9.1, 2.8.3 to 2.8.4, 2.7.5 to 2.7.6, KMS blocking users or granting access to users incorrectly, if the system uses non-default groups mapping mechanisms.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.5\"\n },\n {\n \"fixed\": \"2.7.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.5\",\n \"2.7.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.3\"\n },\n {\n \"fixed\": \"2.8.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.3\",\n \"2.8.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-5cf4-jqwp-584g/GHSA-5cf4-jqwp-584g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11767\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-5cf4-jqwp-584g\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/246cf223e7dc0c1dff90b78dccb6c3fe94e1a044dbf98e2333393302@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5a44590b4eedc5e25f5bd3081d1631b52c174b5b99157f7950ddc270@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5fb771f66946dd5c99a8a5713347c24873846f555d716f9ac17bccca@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190416-0009\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-269\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:00:30Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6x48-j4x4-cqw3\",\n \"published\": \"2018-12-21T17:50:29Z\",\n \"modified\": \"2024-03-04T23:01:37.312585Z\",\n \"aliases\": [\n \"CVE-2018-8009\"\n ],\n \"summary\": \"Path Traversal in Hadoop\",\n \"details\": \"Apache Hadoop 3.1.0, 3.0.0-alpha to 3.0.2, 2.9.0 to 2.9.1, 2.8.0 to 2.8.4, 2.0.0-alpha to 2.7.6, 0.23.0 to 0.23.11 is exploitable via the zip slip vulnerability in places that accept a zip file.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.1.0\"\n },\n {\n \"fixed\": \"3.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.1.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-6x48-j4x4-cqw3/GHSA-6x48-j4x4-cqw3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/12258c7cff8d32710fbd8b9088a930e3ce27432\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/45a1c680c276c4501402f7bc4cebcf85a6fbc7f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/65e55097da2bb3f2fbdf9ba1946da25fe58bec9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/6a4ae6f6eeed1392a4828a5721fa1499f65bdde\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hadoop/commit/fc4c20fc3469674cb584a4fb98bac7e3c2277c9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-6x48-j4x4-cqw3\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hadoop.apache.org/cve_list.html#cve-2018-8009-http-cve-mitre-org-cgi-bin-cvename-cgi-name-cve-2018-8009-zip-slip-impact-on-apache-hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a1c227745ce30acbcf388c5b0cc8423e8bf495d619cd0fa973f7f38d@%3Cuser.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/research/zip-slip-vulnerability\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/105927\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:20:31Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-99qr-9cc9-fv2x\",\n \"published\": \"2018-12-21T17:50:03Z\",\n \"modified\": \"2023-11-08T03:59:20.833209Z\",\n \"aliases\": [\n \"CVE-2017-3166\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.apache.hadoop:hadoop-main\",\n \"details\": \"In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-99qr-9cc9-fv2x/GHSA-99qr-9cc9-fv2x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-3166\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-99qr-9cc9-fv2x\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2e16689b44bdd1976b6368c143a4017fc7159d1f2d02a5d54fe9310f@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-732\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:28:07Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c6f9-4pmv-m7m6\",\n \"published\": \"2022-05-17T02:54:07Z\",\n \"modified\": \"2024-12-06T05:37:36.225387Z\",\n \"aliases\": [\n \"CVE-2012-1574\"\n ],\n \"summary\": \"Apache Hadoop allows impersonation of arbitrary cluster user accounts\",\n \"details\": \"The Kerberos/MapReduce security functionality in Apache Hadoop 0.20.203.0 through 0.20.205.0, 0.23.x before 0.23.2, and 1.0.x before 1.0.2, as used in Cloudera CDH CDH3u0 through CDH3u2, Cloudera hadoop-0.20-sbin before 0.20.2+923.197, and other products, allows remote authenticated users to impersonate arbitrary cluster user accounts via unspecified vectors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.23\"\n },\n {\n \"fixed\": \"0.23.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0\"\n },\n {\n \"fixed\": \"1.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c6f9-4pmv-m7m6/GHSA-c6f9-4pmv-m7m6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-1574\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/fulldisclosure/2012/Apr/70\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20120720041621/https://ccp.cloudera.com/display/DOC/Cloudera+Security+Bulletin#ClouderaSecurityBulletin-MapReducewithSecurity\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20151001135054/http://archives.neohapsis.com/archives/bugtraq/2012-04/0051.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20161215212154/https://www.cloudera.com/documentation/other/security-bulletins/topics/csb_topic_1.html#topic_1_0_2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200229125105/http://www.securityfocus.com/bid/52939\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-29T21:08:04Z\",\n \"nvd_published_at\": \"2012-04-12T10:45:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hx83-rpqf-m267\",\n \"published\": \"2019-11-20T01:38:00Z\",\n \"modified\": \"2023-11-08T03:59:47.193372Z\",\n \"aliases\": [\n \"CVE-2018-11768\"\n ],\n \"summary\": \"user/group information can be corrupted across storing in fsimage and reading back from fsimage\",\n \"details\": \"In Apache Hadoop 3.1.0 to 3.1.1, 3.0.0-alpha1 to 3.0.3, 2.9.0 to 2.9.1, and 2.0.0-alpha to 2.8.4, the user/group information can be corrupted across storing in fsimage and reading back from fsimage.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.2.0\"\n },\n {\n \"fixed\": \"2.8.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\",\n \"2.7.7\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.1.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-hx83-rpqf-m267/GHSA-hx83-rpqf-m267.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11768\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://hadoop.apache.org/cve_list.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2067a797b330530a6932f4b08f703b3173253d0a2b7c8c524e54adaf@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2c9cc65864be0058a5d5ed2025dfb9c700bf23d352b0c826c36ff96a@%3Chdfs-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/72ca514e01cd5f08151e74f9929799b4cbe1b6e9e6cd24faa72ffcc6@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9b609d4392d886711e694cf40d86f770022baf42a1b1aa97e8244c87@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/caacbbba2dcc1105163f76f3dfee5fbd22e0417e0783212787086378@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ceb16af9139ab0fea24aef935b6321581976887df7ad632e9a515dda@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ea6d2dfbefab8ebe46be18b05136b83ae53b7866f1bc60c680a2b600@%3Chdfs-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f20bb4e055d8394fc525cc7772fb84096f706389043e76220c8a29a4@%3Chdfs-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cdev.flink.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02e39d7beb32eebcdbb4b516e95f67d71c90d5d462b26f4078d21eeb@%3Cuser.flink.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-119\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-11-19T03:28:12Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mq8p-h798-xcrp\",\n \"published\": \"2018-12-21T17:50:20Z\",\n \"modified\": \"2023-11-08T03:58:58.669059Z\",\n \"aliases\": [\n \"CVE-2017-15718\"\n ],\n \"summary\": \"Exposure of Sensitive Information in Hadoop\",\n \"details\": \"The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the password for credential store provider used by the NodeManager to YARN Applications.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.3\"\n },\n {\n \"fixed\": \"2.7.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.3\",\n \"2.7.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-mq8p-h798-xcrp/GHSA-mq8p-h798-xcrp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-15718\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mq8p-h798-xcrp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/773c93c2d8a6a52bbe97610c2b1c2ad205b970e1b8c04fb5b2fccad6@%3Cgeneral.hadoop.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:47:00Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rhh9-cm65-3w54\",\n \"published\": \"2021-04-30T17:29:30Z\",\n \"modified\": \"2024-02-17T05:34:33.603105Z\",\n \"aliases\": [\n \"CVE-2018-11765\"\n ],\n \"summary\": \"Improper Authentication in Apache Hadoop\",\n \"details\": \"In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0-alpha2\"\n },\n {\n \"fixed\": \"3.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.0-alpha2\",\n \"3.0.0-alpha3\",\n \"3.0.0-alpha4\",\n \"3.0.0-beta1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.0.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\",\n \"2.9.1\",\n \"2.9.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.9.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.8.5\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-rhh9-cm65-3w54/GHSA-rhh9-cm65-3w54.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11765\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17d94d132b207dad221595fd8b8b18628f5f5ec7e3f5be939ecd8928@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c7f899911a04164ed1707083fcd4135f8427e04778c87d83509b0da%40%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46447f38ea8c89421614e9efd7de5e656186d35e10fc97cf88477a01@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4dddf1705dbedfa94392913b2dad1cd2d1d89040facd389eea0b3510@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74825601e93582167eb7cdc2f764c74c9c6d8006fa90018562fda60f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r79b15c5b66c6df175d01d7560adf0cd5c369129b9a161905e0339927@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb21df54a4e39732ce653d2aa5672e36a792b59eb6717f2a06bb8d02a@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb241464d83baa3749b08cd3dabc8dba70a9a9027edcef3b5d4c24ef4@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe25cac0f499374f8ae17a4a44a8404927b56de28d4c41940d82b7a4@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reea5eb8622afbfbfca46bc758f79db83d90a3263a906c4d1acba4971@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf9dfa8b77585c9227db9637552eebb2ab029255a0db4eb76c2b6c4cf@%3Cdev.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201016-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-27T21:56:41Z\",\n \"nvd_published_at\": \"2020-09-30T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rqj9-cq6j-958r\",\n \"published\": \"2018-12-21T17:50:26Z\",\n \"modified\": \"2024-12-02T05:44:05.029076Z\",\n \"aliases\": [\n \"CVE-2018-11766\"\n ],\n \"summary\": \"Arbitrary Command Execution in Hadoop\",\n \"details\": \"In Apache Hadoop 2.7.4 to 2.7.6, the security fix for CVE-2016-6811 is incomplete. A user who can escalate to yarn user can possibly run arbitrary commands as root user.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.7.4\"\n },\n {\n \"fixed\": \"2.7.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.7.4\",\n \"2.7.5\",\n \"2.7.6\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.7.6\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/12/GHSA-rqj9-cq6j-958r/GHSA-rqj9-cq6j-958r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11766\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-rqj9-cq6j-958r\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff37bbbe09d5f03090e2dd2c3dea95de16ef4249e731f19b8959ce4c@%3Cgeneral.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106035\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:55:32Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v569-g72v-q434\",\n \"published\": \"2019-02-12T17:26:12Z\",\n \"modified\": \"2023-11-08T03:59:51.778695Z\",\n \"aliases\": [\n \"CVE-2018-1296\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Hadoop\",\n \"details\": \"In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, and 2.5.0 to 2.7.5, HDFS exposes extended attribute key/value pairs during listXAttrs, verifying only path-level search access to the directory rather than path-level read permission to the referent.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\",\n \"2.0.0-alpha\",\n \"2.0.1-alpha\",\n \"2.0.2-alpha\",\n \"2.0.3-alpha\",\n \"2.0.4-alpha\",\n \"2.0.5-alpha\",\n \"2.0.6-alpha\",\n \"2.1.0-beta\",\n \"2.1.1-beta\",\n \"2.2.0\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.8.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.9.0\"\n },\n {\n \"fixed\": \"2.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-v569-g72v-q434/GHSA-v569-g72v-q434.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1296\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-v569-g72v-q434\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a5b15bc76fbdad2ee40761aacf954a13aeef67e305f86d483f267e8e@%3Cuser.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106764\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:56:41Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v5c9-98f7-2h54\",\n \"published\": \"2022-04-23T00:40:07Z\",\n \"modified\": \"2024-02-16T08:24:21.090651Z\",\n \"aliases\": [\n \"CVE-2012-2945\"\n ],\n \"summary\": \"Hadoop symlink vulnerability\",\n \"details\": \"Hadoop 1.0.3 contains a symlink vulnerability as a result of storing pid files in the shared `/tmp` directory by default.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.hadoop:hadoop-main\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.hadoop/hadoop-main\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.23.1\",\n \"0.23.10\",\n \"0.23.11\",\n \"0.23.3\",\n \"0.23.4\",\n \"0.23.5\",\n \"0.23.6\",\n \"0.23.7\",\n \"0.23.8\",\n \"0.23.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.0.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-v5c9-98f7-2h54/GHSA-v5c9-98f7-2h54.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-2945\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535861\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hadoop\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/fulldisclosure/2012/Jul/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security-tracker.debian.org/tracker/CVE-2012-2945\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-377\",\n \"CWE-59\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-29T19:54:42Z\",\n \"nvd_published_at\": \"2019-10-29T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2x83-r56g-cv47\",\n \"published\": \"2018-10-17T00:05:15Z\",\n \"modified\": \"2024-12-02T05:48:49.049751Z\",\n \"aliases\": [\n \"CVE-2012-6153\"\n ],\n \"summary\": \"Improper certificate validation in org.apache.httpcomponents:httpclient\",\n \"details\": \"http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\",\n \"4.0-alpha1\",\n \"4.0-alpha2\",\n \"4.0-alpha3\",\n \"4.0-alpha4\",\n \"4.0-beta1\",\n \"4.0-beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.1\",\n \"4.1-alpha1\",\n \"4.1-alpha2\",\n \"4.1-beta1\",\n \"4.1.1\",\n \"4.1.2\",\n \"4.1.3\",\n \"4.2\",\n \"4.2-alpha1\",\n \"4.2-beta1\",\n \"4.2.1\",\n \"4.2.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2x83-r56g-cv47/GHSA-2x83-r56g-cv47.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-6153\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpcomponents-client/commit/b930227f907af1198765fc47beabbddae344ca7b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/solutions/1165533\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1129916\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2x83-r56g-cv47\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1098.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1833.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1834.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1836.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1891.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1892.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0125.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0158.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0675.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0720.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0765.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0850.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0851.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1888.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1411705\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2769-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:53:18Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7r82-7xv7-xcpj\",\n \"published\": \"2021-06-03T23:40:23Z\",\n \"modified\": \"2024-03-15T05:19:17.323914Z\",\n \"aliases\": [\n \"CVE-2020-13956\"\n ],\n \"related\": [\n \"CGA-6936-26rm-54qh\",\n \"CGA-7v36-x4w2-722q\"\n ],\n \"summary\": \"Cross-site scripting in Apache HttpClient\",\n \"details\": \"Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.5.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\",\n \"4.0-alpha1\",\n \"4.0-alpha2\",\n \"4.0-alpha3\",\n \"4.0-alpha4\",\n \"4.0-beta1\",\n \"4.0-beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.1\",\n \"4.1-alpha1\",\n \"4.1-alpha2\",\n \"4.1-beta1\",\n \"4.1.1\",\n \"4.1.2\",\n \"4.1.3\",\n \"4.2\",\n \"4.2-alpha1\",\n \"4.2-beta1\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.4\",\n \"4.2.5\",\n \"4.2.6\",\n \"4.3\",\n \"4.3-alpha1\",\n \"4.3-beta1\",\n \"4.3-beta2\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\",\n \"4.3.4\",\n \"4.3.5\",\n \"4.3.6\",\n \"4.4\",\n \"4.4-alpha1\",\n \"4.4-beta1\",\n \"4.4.1\",\n \"4.5\",\n \"4.5.1\",\n \"4.5.10\",\n \"4.5.11\",\n \"4.5.12\",\n \"4.5.2\",\n \"4.5.3\",\n \"4.5.4\",\n \"4.5.5\",\n \"4.5.6\",\n \"4.5.7\",\n \"4.5.8\",\n \"4.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"5.0.0\"\n },\n {\n \"fixed\": \"5.0.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7r82-7xv7-xcpj/GHSA-7r82-7xv7-xcpj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13956\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220210-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/httpcomponents-client\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-12T22:25:52Z\",\n \"nvd_published_at\": \"2020-12-02T17:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cfh5-3ghh-wfjx\",\n \"published\": \"2018-10-17T00:05:06Z\",\n \"modified\": \"2024-12-03T06:09:02.246830Z\",\n \"aliases\": [\n \"CVE-2014-3577\"\n ],\n \"summary\": \"Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient\",\n \"details\": \"org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a \\\"CN=\\\" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the \\\"foo,CN=www.apache.org\\\" string in the O field.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.3.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\",\n \"4.0-alpha1\",\n \"4.0-alpha2\",\n \"4.0-alpha3\",\n \"4.0-alpha4\",\n \"4.0-beta1\",\n \"4.0-beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.1\",\n \"4.1-alpha1\",\n \"4.1-alpha2\",\n \"4.1-beta1\",\n \"4.1.1\",\n \"4.1.2\",\n \"4.1.3\",\n \"4.2\",\n \"4.2-alpha1\",\n \"4.2-beta1\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.4\",\n \"4.2.5\",\n \"4.2.6\",\n \"4.3\",\n \"4.3-alpha1\",\n \"4.3-beta1\",\n \"4.3-beta2\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\",\n \"4.3.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cfh5-3ghh-wfjx/GHSA-cfh5-3ghh-wfjx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-3577\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpcomponents-client/commit/51cc67567765d67f878f0dcef61b5ded454d3122\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://svn.apache.org/viewvc?view=revision\\u0026revision=1614064\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231027-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/httpcomponents-client\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-cfh5-3ghh-wfjx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/95327\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/solutions/1165533\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1146.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1166.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1833.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1834.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1836.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1891.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1892.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0125.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0158.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0675.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0720.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0765.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0850.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0851.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1176.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1177.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1888.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1773.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1931.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2014/Aug/48\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/10/06/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2769-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:31:17Z\",\n \"nvd_published_at\": \"2014-08-21T14:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fmj5-wv96-r2ch\",\n \"published\": \"2018-10-17T00:05:29Z\",\n \"modified\": \"2024-12-08T05:23:13.492634Z\",\n \"aliases\": [\n \"CVE-2015-5262\"\n ],\n \"summary\": \"Denial of service vulnerability in org.apache.httpcomponents:httpclient\",\n \"details\": \"http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.3.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\",\n \"4.0-alpha1\",\n \"4.0-alpha2\",\n \"4.0-alpha3\",\n \"4.0-alpha4\",\n \"4.0-beta1\",\n \"4.0-beta2\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.1\",\n \"4.1-alpha1\",\n \"4.1-alpha2\",\n \"4.1-beta1\",\n \"4.1.1\",\n \"4.1.2\",\n \"4.1.3\",\n \"4.2\",\n \"4.2-alpha1\",\n \"4.2-beta1\",\n \"4.2.1\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.4\",\n \"4.2.5\",\n \"4.2.6\",\n \"4.3\",\n \"4.3-alpha1\",\n \"4.3-beta1\",\n \"4.3-beta2\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.3.3\",\n \"4.3.4\",\n \"4.3.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fmj5-wv96-r2ch/GHSA-fmj5-wv96-r2ch.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-5262\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1261538\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-fmj5-wv96-r2ch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/HTTPCLIENT-1478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://jenkins.io/security/advisory/2018-02-26\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-October/167999.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-October/168030.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1626784\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1033743\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2769-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:34:55Z\",\n \"nvd_published_at\": \"2015-10-27T16:59:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gw85-4gmf-m7rh\",\n \"published\": \"2022-05-17T05:39:03Z\",\n \"modified\": \"2024-12-03T06:01:01.943495Z\",\n \"aliases\": [\n \"CVE-2011-1498\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Apache HttpClient\",\n \"details\": \"Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.0.0\"\n },\n {\n \"fixed\": \"4.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0\",\n \"4.0.1\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.1\",\n \"4.1-alpha1\",\n \"4.1-alpha2\",\n \"4.1-beta1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-gw85-4gmf-m7rh/GHSA-gw85-4gmf-m7rh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2011-1498\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpcomponents-client/commit/a572756592c969affd0ce87885724e74839176fb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=709531\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/httpcomponents-client\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/HTTPCLIENT-1061\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061440.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=httpclient-users\\u0026m=129853896315461\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=httpclient-users\\u0026m=129856318011586\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=httpclient-users\\u0026m=129857589129183\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=httpclient-users\\u0026m=129858274406594\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=httpclient-users\\u0026m=129858299106950\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://openwall.com/lists/oss-security/2011/04/07/7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://openwall.com/lists/oss-security/2011/04/08/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://securityreason.com/securityalert/8298\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-13T17:20:15Z\",\n \"nvd_published_at\": \"2011-07-07T21:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pqwh-44jj-p5rm\",\n \"published\": \"2022-05-13T01:25:03Z\",\n \"modified\": \"2024-03-05T17:33:19.157465Z\",\n \"aliases\": [\n \"CVE-2013-4366\"\n ],\n \"summary\": \"Hostname verification in Apache HttpClient 4.3 was disabled by default\",\n \"details\": \"http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.httpcomponents:httpclient\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.httpcomponents/httpclient\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"4.3\"\n },\n {\n \"fixed\": \"4.3.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pqwh-44jj-p5rm/GHSA-pqwh-44jj-p5rm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-4366\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpcomponents-client/commit/08140864e3e4c0994e094c4cf0507932baf6a66\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/r1528614\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.3.x.txt\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-09T22:47:59Z\",\n \"nvd_published_at\": \"2017-10-30T19:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cxvc-g8f2-4gmm\",\n \"published\": \"2025-09-08T09:31:09Z\",\n \"modified\": \"2025-11-05T21:26:56.180617Z\",\n \"aliases\": [\n \"CVE-2025-58782\"\n ],\n \"summary\": \"Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data\",\n \"details\": \"There is a serialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.\\n\\nThis issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.\\n\\nDeployments that accept JNDI URIs for JCR lookup from untrusted users allows them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data. Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are adviced to review their use of JNDI URI for JCR lookup.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"2.22.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0.1\",\n \"1.1\",\n \"1.1.1\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.3\",\n \"1.4\",\n \"1.4.1\",\n \"1.4.10\",\n \"1.4.11\",\n \"1.4.12\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.4.6\",\n \"1.4.7\",\n \"1.4.8\",\n \"1.4.9\",\n \"1.5.0\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.4\",\n \"1.6.5\",\n \"2.0-beta1\",\n \"2.0-beta3\",\n \"2.0-beta4\",\n \"2.0-beta5\",\n \"2.0-beta6\",\n \"2.0.0\",\n \"2.0.3\",\n \"2.0.5\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.5\",\n \"2.1.6\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.6\",\n \"2.10.7\",\n \"2.10.8\",\n \"2.10.9\",\n \"2.11.0\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.12.0\",\n \"2.12.1\",\n \"2.12.10\",\n \"2.12.11\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.7\",\n \"2.12.8\",\n \"2.12.9\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\",\n \"2.13.3\",\n \"2.13.4\",\n \"2.13.5\",\n \"2.13.6\",\n \"2.13.7\",\n \"2.14.0\",\n \"2.14.1\",\n \"2.14.10\",\n \"2.14.2\",\n \"2.14.3\",\n \"2.14.4\",\n \"2.14.5\",\n \"2.14.6\",\n \"2.14.7\",\n \"2.14.8\",\n \"2.14.9\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.15.3\",\n \"2.15.4\",\n \"2.15.5\",\n \"2.15.6\",\n \"2.15.7\",\n \"2.15.8\",\n \"2.16.0\",\n \"2.16.1\",\n \"2.16.10\",\n \"2.16.2\",\n \"2.16.3\",\n \"2.16.4\",\n \"2.16.5\",\n \"2.16.6\",\n \"2.16.7\",\n \"2.16.8\",\n \"2.16.9\",\n \"2.17.0\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.17.3\",\n \"2.17.4\",\n \"2.17.5\",\n \"2.17.6\",\n \"2.17.7\",\n \"2.18.0\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.18.3\",\n \"2.18.4\",\n \"2.18.5\",\n \"2.18.6\",\n \"2.19.0\",\n \"2.19.1\",\n \"2.19.2\",\n \"2.19.3\",\n \"2.19.4\",\n \"2.19.5\",\n \"2.19.6\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.10\",\n \"2.2.11\",\n \"2.2.12\",\n \"2.2.13\",\n \"2.2.2\",\n \"2.2.4\",\n \"2.2.5\",\n \"2.2.7\",\n \"2.2.8\",\n \"2.2.9\",\n \"2.20.0\",\n \"2.20.1\",\n \"2.20.10\",\n \"2.20.11\",\n \"2.20.12\",\n \"2.20.13\",\n \"2.20.14\",\n \"2.20.15\",\n \"2.20.16\",\n \"2.20.17\",\n \"2.20.2\",\n \"2.20.3\",\n \"2.20.4\",\n \"2.20.5\",\n \"2.20.6\",\n \"2.20.7\",\n \"2.20.8\",\n \"2.20.9\",\n \"2.21.0\",\n \"2.21.1\",\n \"2.21.10\",\n \"2.21.11\",\n \"2.21.12\",\n \"2.21.13\",\n \"2.21.14\",\n \"2.21.15\",\n \"2.21.16\",\n \"2.21.17\",\n \"2.21.18\",\n \"2.21.19\",\n \"2.21.2\",\n \"2.21.20\",\n \"2.21.21\",\n \"2.21.22\",\n \"2.21.23\",\n \"2.21.24\",\n \"2.21.25\",\n \"2.21.26-beta\",\n \"2.21.27-beta\",\n \"2.21.3\",\n \"2.21.4\",\n \"2.21.5\",\n \"2.21.6\",\n \"2.21.7\",\n \"2.21.8\",\n \"2.21.9\",\n \"2.22.0\",\n \"2.22.1\",\n \"2.3.0\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.3.6\",\n \"2.3.7\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.6\",\n \"2.4.7\",\n \"2.4.8\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.10\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.6\",\n \"2.6.7\",\n \"2.6.8\",\n \"2.6.9\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-cxvc-g8f2-4gmm/GHSA-cxvc-g8f2-4gmm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-jcr-commons\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"2.22.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0.1\",\n \"1.1\",\n \"1.1.1\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.3\",\n \"1.4\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.5\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.4\",\n \"1.6.5\",\n \"2.0-beta1\",\n \"2.0-beta3\",\n \"2.0-beta4\",\n \"2.0-beta5\",\n \"2.0-beta6\",\n \"2.0.0\",\n \"2.0.3\",\n \"2.0.5\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.5\",\n \"2.1.6\",\n \"2.10.0\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\",\n \"2.10.4\",\n \"2.10.5\",\n \"2.10.6\",\n \"2.10.7\",\n \"2.10.8\",\n \"2.10.9\",\n \"2.11.0\",\n \"2.11.1\",\n \"2.11.2\",\n \"2.11.3\",\n \"2.12.0\",\n \"2.12.1\",\n \"2.12.10\",\n \"2.12.11\",\n \"2.12.2\",\n \"2.12.3\",\n \"2.12.4\",\n \"2.12.5\",\n \"2.12.6\",\n \"2.12.7\",\n \"2.12.8\",\n \"2.12.9\",\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\",\n \"2.13.3\",\n \"2.13.4\",\n \"2.13.5\",\n \"2.13.6\",\n \"2.13.7\",\n \"2.14.0\",\n \"2.14.1\",\n \"2.14.10\",\n \"2.14.2\",\n \"2.14.3\",\n \"2.14.4\",\n \"2.14.5\",\n \"2.14.6\",\n \"2.14.7\",\n \"2.14.8\",\n \"2.14.9\",\n \"2.15.0\",\n \"2.15.1\",\n \"2.15.2\",\n \"2.15.3\",\n \"2.15.4\",\n \"2.15.5\",\n \"2.15.6\",\n \"2.15.7\",\n \"2.15.8\",\n \"2.16.0\",\n \"2.16.1\",\n \"2.16.10\",\n \"2.16.2\",\n \"2.16.3\",\n \"2.16.4\",\n \"2.16.5\",\n \"2.16.6\",\n \"2.16.7\",\n \"2.16.8\",\n \"2.16.9\",\n \"2.17.0\",\n \"2.17.1\",\n \"2.17.2\",\n \"2.17.3\",\n \"2.17.4\",\n \"2.17.5\",\n \"2.17.6\",\n \"2.17.7\",\n \"2.18.0\",\n \"2.18.1\",\n \"2.18.2\",\n \"2.18.3\",\n \"2.18.4\",\n \"2.18.5\",\n \"2.18.6\",\n \"2.19.0\",\n \"2.19.1\",\n \"2.19.2\",\n \"2.19.3\",\n \"2.19.4\",\n \"2.19.5\",\n \"2.19.6\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.10\",\n \"2.2.11\",\n \"2.2.12\",\n \"2.2.13\",\n \"2.2.2\",\n \"2.2.4\",\n \"2.2.5\",\n \"2.2.7\",\n \"2.2.8\",\n \"2.2.9\",\n \"2.20.0\",\n \"2.20.1\",\n \"2.20.10\",\n \"2.20.11\",\n \"2.20.12\",\n \"2.20.13\",\n \"2.20.14\",\n \"2.20.15\",\n \"2.20.16\",\n \"2.20.17\",\n \"2.20.2\",\n \"2.20.3\",\n \"2.20.4\",\n \"2.20.5\",\n \"2.20.6\",\n \"2.20.7\",\n \"2.20.8\",\n \"2.20.9\",\n \"2.21.0\",\n \"2.21.1\",\n \"2.21.10\",\n \"2.21.11\",\n \"2.21.12\",\n \"2.21.13\",\n \"2.21.14\",\n \"2.21.15\",\n \"2.21.16\",\n \"2.21.17\",\n \"2.21.18\",\n \"2.21.19\",\n \"2.21.2\",\n \"2.21.20\",\n \"2.21.21\",\n \"2.21.22\",\n \"2.21.23\",\n \"2.21.24\",\n \"2.21.25\",\n \"2.21.26-beta\",\n \"2.21.27-beta\",\n \"2.21.3\",\n \"2.21.4\",\n \"2.21.5\",\n \"2.21.6\",\n \"2.21.7\",\n \"2.21.8\",\n \"2.21.9\",\n \"2.22.0\",\n \"2.22.1\",\n \"2.3.0\",\n \"2.3.2\",\n \"2.3.3\",\n \"2.3.4\",\n \"2.3.5\",\n \"2.3.6\",\n \"2.3.7\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.6\",\n \"2.4.7\",\n \"2.4.8\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.5.3\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.10\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\",\n \"2.6.7\",\n \"2.6.8\",\n \"2.6.9\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.7.3\",\n \"2.7.4\",\n \"2.7.5\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.10\",\n \"2.8.2\",\n \"2.8.3\",\n \"2.8.4\",\n \"2.8.5\",\n \"2.8.6\",\n \"2.8.7\",\n \"2.8.8\",\n \"2.8.9\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-cxvc-g8f2-4gmm/GHSA-cxvc-g8f2-4gmm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-58782\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/jackrabbit/pull/229\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/jackrabbit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/JCR-5135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/09/06/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-09T15:14:38Z\",\n \"nvd_published_at\": \"2025-09-08T09:15:30Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9fc7-rhq3-wm7x\",\n \"published\": \"2022-05-17T03:48:02Z\",\n \"modified\": \"2024-02-16T08:06:20.906860Z\",\n \"aliases\": [\n \"CVE-2016-6801\"\n ],\n \"summary\": \"Apache Jackrabbit Authentication Hijacking Vulnerability\",\n \"details\": \"Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.4.0\"\n },\n {\n \"fixed\": \"2.4.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.4.0\",\n \"2.4.1\",\n \"2.4.2\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.6.0\"\n },\n {\n \"fixed\": \"2.6.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.6.4\",\n \"2.6.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.8.0\"\n },\n {\n \"fixed\": \"2.8.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.8.0\",\n \"2.8.1\",\n \"2.8.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.10.0\"\n },\n {\n \"fixed\": \"2.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.10.0\",\n \"2.10.1\",\n \"2.10.2\",\n \"2.10.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.12.0\"\n },\n {\n \"fixed\": \"2.12.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.12.0\",\n \"2.12.1\",\n \"2.12.2\",\n \"2.12.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.jackrabbit:jackrabbit-webdav\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.jackrabbit/jackrabbit-webdav\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.13.0\"\n },\n {\n \"fixed\": \"2.13.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.13.0\",\n \"2.13.1\",\n \"2.13.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9fc7-rhq3-wm7x/GHSA-9fc7-rhq3-wm7x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-6801\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/jackrabbit/commit/16f2f02fcaef6202a2bf24c449d4fd10eb98f08d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/jackrabbit/commit/ea75d7c2aeaafecd9ab97736bf81c5616f703244\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/jackrabbit/commit/eae001a54aae9c243ac06b5c8f711b2cb2038700\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/jackrabbit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/JCR-4009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20210123170657/http://www.securityfocus.com/bid/92966\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2016/dsa-3679\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2016/09/14/6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-352\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-31T22:54:02Z\",\n \"nvd_published_at\": \"2016-09-21T14:25:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5h29-qq92-wj7f\",\n \"published\": \"2022-05-24T16:57:28Z\",\n \"modified\": \"2023-11-08T04:00:32.405493Z\",\n \"aliases\": [\n \"CVE-2019-0231\"\n ],\n \"summary\": \"Cleartext Transmission of Sensitive Information in Apache MINA\",\n \"details\": \"Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.1.2\",\n \"1.1.3\",\n \"1.1.4\",\n \"1.1.5\",\n \"1.1.6\",\n \"1.1.7\",\n \"2.0.0\",\n \"2.0.0-M1\",\n \"2.0.0-M2\",\n \"2.0.0-M3\",\n \"2.0.0-M4\",\n \"2.0.0-M5\",\n \"2.0.0-M6\",\n \"2.0.0-RC1\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.0.20\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.1.0\"\n },\n {\n \"fixed\": \"2.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.1.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5h29-qq92-wj7f/GHSA-5h29-qq92-wj7f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0231\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-319\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-29T15:48:56Z\",\n \"nvd_published_at\": \"2019-10-01T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6mcm-j9cj-3vc3\",\n \"published\": \"2021-11-03T17:30:35Z\",\n \"modified\": \"2023-11-08T04:07:03.734341Z\",\n \"aliases\": [\n \"CVE-2021-41973\"\n ],\n \"summary\": \"Infinite loop in Apache MINA\",\n \"details\": \"In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.1.0\"\n },\n {\n \"fixed\": \"2.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.22\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.1.2\",\n \"1.1.3\",\n \"1.1.4\",\n \"1.1.5\",\n \"1.1.6\",\n \"1.1.7\",\n \"2.0.0\",\n \"2.0.0-M1\",\n \"2.0.0-M2\",\n \"2.0.0-M3\",\n \"2.0.0-M4\",\n \"2.0.0-M5\",\n \"2.0.0-M6\",\n \"2.0.0-RC1\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-6mcm-j9cj-3vc3/GHSA-6mcm-j9cj-3vc3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-41973\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0b907da9340d5ff4e6c1a4798ef4e79700a668657f27cca8a39e9250%40%3Cdev.mina.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/11/01/8\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-11-02T19:48:48Z\",\n \"nvd_published_at\": \"2021-11-01T09:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-76h9-2vwh-w278\",\n \"published\": \"2024-12-25T12:30:45Z\",\n \"modified\": \"2025-02-12T18:32:35.851404Z\",\n \"aliases\": [\n \"CVE-2024-52046\"\n ],\n \"related\": [\n \"CGA-69xr-35vw-ch6p\"\n ],\n \"summary\": \"Apache MINA Deserialization RCE Vulnerability\",\n \"details\": \"The `ObjectSerializationDecoder` in Apache MINA uses Java’s native deserialization protocol to process incoming serialized data but lacks the necessary security checks and defenses. This vulnerability allows attackers to exploit the deserialization process by sending specially crafted malicious serialized data, potentially leading to remote code execution (RCE) attacks.\\n\\t\\nThis issue affects MINA core versions 2.0.X, 2.1.X and 2.2.X, and will be fixed by the releases 2.0.27, 2.1.10 and 2.2.4.\\n\\nIt's also important to note that an application using MINA core library will only be affected if the IoBuffer#getObject() method is called, and this specific method is potentially called when adding a ProtocolCodecFilter instance using the `ObjectSerializationCodecFactory` class in the filter chain. If your application is specifically using those classes, you have to upgrade to the latest version of MINA core library.\\n\\nUpgrading will  not be enough: you also need to explicitly allow the classes the decoder will accept in the ObjectSerializationDecoder instance, using one of the three new methods:\\n\\n1. \\n     * Accept class names where the supplied ClassNameMatcher matches for deserialization, unless they are otherwise rejected.\\n * `@param classNameMatcher` the matcher to use\\n * / `public void accept(ClassNameMatcher classNameMatcher)`\\n\\n2. \\n * Accept class names that match the supplied pattern for deserialization, unless they are otherwise rejected.\\n * `@param` pattern standard Java regexp\\n * / `public void accept(Pattern pattern)`\\n\\n3.\\n * Accept the wildcard specified classes for deserialization, unless they are otherwise rejected.\\n * `@param` patterns Wildcard file name patterns as defined by `{@link org.apache.commons.io.FilenameUtils#wildcardMatch(String, String) FilenameUtils.wildcardMatch}`\\n * / `public void accept(String... patterns)`\\n\\nBy default, the decoder will reject *all* classes that will be present in the incoming data.\\n\\nNote: The FtpServer, SSHd and Vysper sub-project are not affected by this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.2.0\"\n },\n {\n \"fixed\": \"2.2.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.1.0\"\n },\n {\n \"fixed\": \"2.1.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.1.6\",\n \"2.1.7\",\n \"2.1.8\",\n \"2.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.mina:mina-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.mina/mina-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0-M1\"\n },\n {\n \"fixed\": \"2.0.27\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-M1\",\n \"2.0.0-M2\",\n \"2.0.0-M3\",\n \"2.0.0-M4\",\n \"2.0.0-M5\",\n \"2.0.0-M6\",\n \"2.0.0-RC1\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.24\",\n \"2.0.25\",\n \"2.0.26\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-76h9-2vwh-w278/GHSA-76h9-2vwh-w278.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-52046\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/mina\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250103-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/12/25/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\",\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-12-26T15:59:46Z\",\n \"nvd_published_at\": \"2024-12-25T10:15:05Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2h3j-m7gr-25xj\",\n \"published\": \"2021-06-16T17:56:46Z\",\n \"modified\": \"2024-03-15T05:17:16.776669Z\",\n \"aliases\": [\n \"CVE-2021-27807\"\n ],\n \"summary\": \"Excessive Iteration Denial of Service in Apache PDFBox\",\n \"details\": \"A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.23\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-2h3j-m7gr-25xj/GHSA-2h3j-m7gr-25xj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-27807\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/pdfbox/commit/5c5a837140fbb4ef78bb5ef9f29ad537c872c83e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://svn.apache.org/viewvc?view=revision\\u0026revision=1886911\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r818058ff1e4b9f6bef4e5a2e74faff38cb3d3885c1e2db398bc55cfb%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4717f902f8bc36d47b3fa978552a25e4ed3ddc2fffb52b94fbc4ab36@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r043edc5dcf9199f7f882ed7906b41cb816753766e88b8792dbf319a9@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/PDFBOX-4892\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/pdfbox\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/03/19/9\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-834\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-22T18:45:15Z\",\n \"nvd_published_at\": \"2021-03-19T16:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4c32-xmgj-2g98\",\n \"published\": \"2018-10-17T18:22:15Z\",\n \"modified\": \"2023-11-08T03:58:24.099687Z\",\n \"aliases\": [\n \"CVE-2016-2175\"\n ],\n \"summary\": \"High severity vulnerability that affects org.apache.pdfbox:pdfbox\",\n \"details\": \"Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.8.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.8.0-incubating\",\n \"0.8.0-incubator\",\n \"1.0.0\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.1\",\n \"1.4.0\",\n \"1.5.0\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.10\",\n \"1.8.11\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.7\",\n \"1.8.8\",\n \"1.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4c32-xmgj-2g98/GHSA-4c32-xmgj-2g98.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-2175\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-4c32-xmgj-2g98\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ad5fbc86c1d1821ae1b963e8561ab6d6a5f66b2848e84f5a31477f54@%3Ccommits.tika.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201605.mbox/%3C83a03bcf-f86b-4688-37b5-615c080291d8@apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/137214/Apache-PDFBox-1.8.11-2.0.0-XML-Injection.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0179.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0248.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0249.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0272.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1739564\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1739565\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2016/dsa-3606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/538503/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/90902\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:58:03Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6vqp-h455-42mr\",\n \"published\": \"2021-05-13T22:30:13Z\",\n \"modified\": \"2024-03-15T05:36:23.028589Z\",\n \"aliases\": [\n \"CVE-2021-27906\"\n ],\n \"summary\": \"Uncontrolled Memory Allocation in Apache PDFBox\",\n \"details\": \"A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.23\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6vqp-h455-42mr/GHSA-6vqp-h455-42mr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-27906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PT72QOFDXLJ7PLTN66EMG5EHPTE7TFZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6KDA2U4KL2N3XT3PM4ZJEBBA6JJIH2G4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2AVLKAHFMPH72TTP25INPZPGX5FODK3H\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf35026148ccc0e1af133501c0d003d052883fcc65107b3ff5d3b61cd%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re1e35881482e07dc2be6058d9b44483457f36133cac67956686ad9b9@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf78aef4793362e778e21e34328b0456e302bde4b7e74f229df0ee04@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc69140d894c6a9c67a8097a25656cce59b46a5620c354ceba10543c3@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa35746227f3f8d50fff1db9899524423a718f6f35cd39bd4769fa6c@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ffe179385637b0b5cbdabd0246118005b4b8232909d2d14cd68ccd3@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7ee634c21816c69ce829d0c41f35afa2a53a99bdd3c7cce8644fdc0e@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e067a6d83ccb6892d0ff867bd216704f21fb0b6a854dea34be04f12@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r64982b768c8a2220b07aaf813bd099a9863de0d13eb212fd4efe208f@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c8e2125d18af184c80f7a986fbe47eaf0d30457cd450133adc235ac@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4cbc3f6981cd0a1a482531df9d44e4c42a7f63342a7ba78b7bff8a1b@%3Cnotifications.james.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d268642f8b52456ee8f876b888b8ed7a9e9568c7770789f3ded7f9e@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1218e60c32829f76943ecaca79237120c2ec1ab266459d711a578b50@%3Cdev.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/PDFBOX-5112\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/pdfbox\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/03/19/10\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-789\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-22T18:36:26Z\",\n \"nvd_published_at\": \"2021-03-19T16:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7grw-6pjh-jpc9\",\n \"published\": \"2021-06-15T15:54:29Z\",\n \"modified\": \"2024-03-08T05:18:50.960251Z\",\n \"aliases\": [\n \"CVE-2021-31812\"\n ],\n \"summary\": \"Infinite Loop in Apache PDFBox\",\n \"details\": \"In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31812\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/06/12/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-834\",\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-14T19:41:33Z\",\n \"nvd_published_at\": \"2021-06-12T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c9jj-3wvg-q65h\",\n \"published\": \"2019-07-05T21:12:54Z\",\n \"modified\": \"2024-02-16T08:10:43.804701Z\",\n \"aliases\": [\n \"CVE-2019-0228\"\n ],\n \"summary\": \"Vulnerability that affects org.apache.pdfbox:pdfbox\",\n \"details\": \"Apache PDFBox 2.0.14 does not properly initialize the XML parser, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XFDF.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.14\"\n },\n {\n \"fixed\": \"2.0.15\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.14\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-c9jj-3wvg-q65h/GHSA-c9jj-3wvg-q65h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0228\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-c9jj-3wvg-q65h\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1a3756557f8cb02790b7183ccf7665ae23f608a421c4f723113bca79@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8a19bd6d43e359913341043c2a114f91f9e4ae170059539ad1f5673c@%3Ccommits.tika.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bc8db1bf459f1ad909da47350ed554ee745abe9f25f2b50cad4e06dd@%3Cserver-dev.james.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/be86fcd7cd423a3fe6b73a3cb9d7cac0b619d0deb99e6b5d172c98f4@%3Ccommits.tika.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0a2141abeddae66dd57025f1681c8425834062b7c0c7e0b1d830a95d@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r32b8102392a174b17fd19509a9e76047f74852b77b7bf46af95e45a2@%3Cserver-dev.james.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:30:58Z\",\n \"nvd_published_at\": \"2019-04-17T15:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fg3j-q579-v8x4\",\n \"published\": \"2021-06-15T15:54:32Z\",\n \"modified\": \"2024-03-08T05:34:54.801835Z\",\n \"aliases\": [\n \"CVE-2021-31811\"\n ],\n \"summary\": \"Uncontrolled memory consumption\",\n \"details\": \"In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/06/12/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\",\n \"CWE-789\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-14T19:39:19Z\",\n \"nvd_published_at\": \"2021-06-12T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gx96-vgf7-hwfg\",\n \"published\": \"2018-10-17T18:22:29Z\",\n \"modified\": \"2024-02-16T08:14:19.885368Z\",\n \"aliases\": [\n \"CVE-2018-11797\"\n ],\n \"summary\": \"In Apache PDFBox a carefully crafted PDF file can trigger an extremely long running computation\",\n \"details\": \"In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.8.0\"\n },\n {\n \"fixed\": \"1.8.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.10\",\n \"1.8.11\",\n \"1.8.12\",\n \"1.8.13\",\n \"1.8.14\",\n \"1.8.15\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.7\",\n \"1.8.8\",\n \"1.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gx96-vgf7-hwfg/GHSA-gx96-vgf7-hwfg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11797\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-gx96-vgf7-hwfg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/645574bc50b886d39c20b4065d51ccb1cd5d3a6b4750a22edbb565eb@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a9760973a873522f4d4c0a99916ceb74f361d91006b663a0a418d34a@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r54594251369e14c185da9662a5340a52afbbdf75d61c9c3a69c8f2e8@%3Cdev.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/10/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:38:16Z\",\n \"nvd_published_at\": \"2018-10-05T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j2xq-pfff-mvgg\",\n \"published\": \"2022-05-13T01:53:29Z\",\n \"modified\": \"2024-02-20T05:34:40.059516Z\",\n \"aliases\": [\n \"CVE-2018-8036\"\n ],\n \"summary\": \"Loop with Unreachable Exit Condition in Apache PDFBox\",\n \"details\": \"In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.8.0\"\n },\n {\n \"fixed\": \"1.8.15\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.10\",\n \"1.8.11\",\n \"1.8.12\",\n \"1.8.13\",\n \"1.8.14\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.7\",\n \"1.8.8\",\n \"1.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.8.14\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0RC1\"\n },\n {\n \"fixed\": \"2.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.0-RC1\",\n \"2.0.0-RC2\",\n \"2.0.0-RC3\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.0.10\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j2xq-pfff-mvgg/GHSA-j2xq-pfff-mvgg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8036\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9f62f742fd4fcd81654a9533b8a71349b064250840592bcd502dcfb6@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43491b25b2e5c368c34b106a82eff910a5cea3e90de82ad75cc16540@%3Cdev.syncope.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HKVPTJWZGUB4MH4AAOWMRJHRDBYFHGJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/POPOGHJ5CVMUVCRQU7APBAN5IVZGZFDX\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-29T18:54:14Z\",\n \"nvd_published_at\": \"2018-07-03T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7grw-6pjh-jpc9\",\n \"published\": \"2021-06-15T15:54:29Z\",\n \"modified\": \"2024-03-08T05:18:50.960251Z\",\n \"aliases\": [\n \"CVE-2021-31812\"\n ],\n \"summary\": \"Infinite Loop in Apache PDFBox\",\n \"details\": \"In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-7grw-6pjh-jpc9/GHSA-7grw-6pjh-jpc9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31812\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf251f6c358087107f8c23473468b279d59d50a75db6b4768165c78d3@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2ab0ce69ce8aaff0773b8c1036438387ce004c2afc6f066626e205e%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/06/12/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-834\",\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-14T19:41:33Z\",\n \"nvd_published_at\": \"2021-06-12T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fg3j-q579-v8x4\",\n \"published\": \"2021-06-15T15:54:32Z\",\n \"modified\": \"2024-03-08T05:34:54.801835Z\",\n \"aliases\": [\n \"CVE-2021-31811\"\n ],\n \"summary\": \"Uncontrolled memory consumption\",\n \"details\": \"In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.pdfbox:pdfbox-parent\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.pdfbox/pdfbox-parent\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.10\",\n \"2.0.11\",\n \"2.0.12\",\n \"2.0.13\",\n \"2.0.14\",\n \"2.0.15\",\n \"2.0.16\",\n \"2.0.17\",\n \"2.0.18\",\n \"2.0.19\",\n \"2.0.2\",\n \"2.0.20\",\n \"2.0.21\",\n \"2.0.22\",\n \"2.0.23\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.0.8\",\n \"2.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-fg3j-q579-v8x4/GHSA-fg3j-q579-v8x4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-31811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MDJKJQOMVFDFIDS27OQJXNOYHV2O273D\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HHWJRFXZ3PTKLJCOM7WJEYZFKFWMNSV\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe26bcaba564deb505c32711ba68df7ec589797dcd96ff3389a8aaba@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf937c2236e6c79cdb99f76a70690dd345e53dbe0707cb506a202e43e@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e@%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3bd16f0cc8f1fbda46b06a4b8241cd417f71402809baa81548fc20e%40%3Cusers.pdfbox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0cacd3fb337cdf8469853913ed2b4ddd8f8bfc52ff0ddbe61c1dfba@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4b6db6c3b8ab3c70f1c3bbd725a40920896453ffc2744ade6afd9fb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2090789e4dcc2c87aacbd87d5f18e2d64dcb9f6eb7c47f5cf7d293cb@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r179cc3b6822c167702ab35fe36093d5da4c99af44238c8a754c6860f@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r143fd8445e0e778f4a85187bd79438630b96b8040e9401751fdb8aea@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r132e9dbbe0ebdc08b39583d8be0a575fdba573d60a42d940228bceff@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/06/12/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\",\n \"CWE-789\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-14T19:39:19Z\",\n \"nvd_published_at\": \"2021-06-12T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-26gr-cvq3-qxgf\",\n \"published\": \"2021-05-07T15:53:18Z\",\n \"modified\": \"2023-11-08T04:02:47.183256Z\",\n \"aliases\": [\n \"CVE-2020-1957\"\n ],\n \"summary\": \"Improper Authentication in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-26gr-cvq3-qxgf/GHSA-26gr-cvq3-qxgf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1957\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17f371fc89d34df2d0c8131473fbc68154290e1be238895648f5a1e6%40%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb3982edf8bc8fcaa7a308e25a12d294fb4aac1f1e9d4e14fda639e77@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc64fb2336683feff3580c3c3a8b28e80525077621089641f2f386b63@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/04/msg00014.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-06T20:05:12Z\",\n \"nvd_published_at\": \"2020-03-25T16:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2vgm-wxr3-6w2j\",\n \"published\": \"2021-05-07T15:54:23Z\",\n \"modified\": \"2024-03-15T05:20:51.873553Z\",\n \"aliases\": [\n \"CVE-2020-13933\"\n ],\n \"summary\": \"Authentication bypass in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.6.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2vgm-wxr3-6w2j/GHSA-2vgm-wxr3-6w2j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13933\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/08/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5edf49cd1451475dbcf53826ba6ef1bb7872dd6493d6112eb0c2bad@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb47d88af224e396ee34ffb88ee99fb6d04510de5722cf14b7137e6bc@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ea6d8560d6354d41433ad006069904f0ed083527aa348b5999261a7@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8097b81905f2a113ebdf925bcbc6d8c9d6863c807c9ee42e1e7c9293@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70b907ccb306e9391145e2b10f56cc6914a245f91720a17a486c020a@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70098e336d02047ce4d4e69293fe8d558cd68cde06f6430398959bc4@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ea0224c1971a91dc6ade1f22508119a9c3bd56cef656f0c44bbfabb@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r575301804bfac87a064359cf4b4ae9d514f2d10db7d44120765f4129@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4c1e1249e9e1acb868db0c80728c13f448d07333da06a0f1603c0a33@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4506cedc401d6b8de83787f8436aac83956e411d66848c84785db46d@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r18b45d560d76c4260813c802771cc9678aa651fb8340e09366bfa198@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-05T21:37:50Z\",\n \"nvd_published_at\": \"2020-08-17T21:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-45x9-q6vj-cqgq\",\n \"published\": \"2022-10-12T12:00:16Z\",\n \"modified\": \"2024-02-16T07:57:10.787044Z\",\n \"aliases\": [\n \"CVE-2022-40664\"\n ],\n \"summary\": \"Apache Shiro Authentication Bypass vulnerability\",\n \"details\": \"Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-45x9-q6vj-cqgq/GHSA-45x9-q6vj-cqgq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40664\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221118-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://shiro.apache.org/blog/2022/10/10/2022/apache-shiro-1101-released.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/12/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/13/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-10-12T19:43:15Z\",\n \"nvd_published_at\": \"2022-10-12T07:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4cf5-xmhp-3xj7\",\n \"published\": \"2022-06-30T00:00:41Z\",\n \"modified\": \"2023-11-08T04:09:36.762135Z\",\n \"aliases\": [\n \"CVE-2022-32532\"\n ],\n \"summary\": \"Improper Authorization in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-4cf5-xmhp-3xj7/GHSA-4cf5-xmhp-3xj7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-32532\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-285\",\n \"CWE-863\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:52:31Z\",\n \"nvd_published_at\": \"2022-06-29T00:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-72w9-fcj5-3fcg\",\n \"published\": \"2021-05-07T15:53:10Z\",\n \"modified\": \"2023-11-08T04:02:08.916630Z\",\n \"aliases\": [\n \"CVE-2020-11989\"\n ],\n \"summary\": \"Improper Authentication in Apache Shiro\",\n \"details\": \"Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-72w9-fcj5-3fcg/GHSA-72w9-fcj5-3fcg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-11989\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r408fe60bc8fdfd7c74135249d646d7abadb807ebf90f6fd2b014df21@%3Cdev.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675%40%3Cuser.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72815a124a119c450b86189767d06848e0d380b1795c6c511d54a675@%3Cuser.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab1972d6b177f7b5c3dde9cfb0a40f03bca75f0eaf1d8311e5762cb3@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc8b39ea8b3ef71ddc1cd74ffc866546182683c8adecf19c263fe7ac0@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcf3d8041e1232201fe5d74fc612a193e435784d64002409b448b58fe@%3Cdev.geode.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-06T20:07:20Z\",\n \"nvd_published_at\": \"2020-06-22T19:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f6jp-j6w3-w9hm\",\n \"published\": \"2021-09-20T20:18:11Z\",\n \"modified\": \"2024-02-19T05:32:19.684337Z\",\n \"aliases\": [\n \"CVE-2021-41303\"\n ],\n \"summary\": \"Apache Shiro vulnerable to a specially crafted HTTP request causing an authentication bypass\",\n \"details\": \"Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.8.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-f6jp-j6w3-w9hm/GHSA-f6jp-j6w3-w9hm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-41303\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raae98bb934e4bde304465896ea02d9798e257e486d04a42221e2c41b@%3Cuser.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re470be1ffea44bca28ccb0e67a4cf5d744e2d2b981d00fdbbf5abc13%40%3Cannounce.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220609-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-20T19:17:39Z\",\n \"nvd_published_at\": \"2021-09-17T09:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jc7h-c423-mpjc\",\n \"published\": \"2024-01-15T12:30:19Z\",\n \"modified\": \"2025-11-04T17:28:02.653382Z\",\n \"aliases\": [\n \"CVE-2023-46749\"\n ],\n \"summary\": \"Apache Shiro vulnerable to path traversal\",\n \"details\": \"Apache Shiro before 1.130 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting \\n\\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.13.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.11.0\",\n \"1.12.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0alpha1\"\n },\n {\n \"fixed\": \"2.0.0-alpha4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0-alpha-1\",\n \"2.0.0-alpha-2\",\n \"2.0.0-alpha-3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 2.0.0alpha4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-jc7h-c423-mpjc/GHSA-jc7h-c423-mpjc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-46749\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/mdv7ftz7k4488rzloxo2fb0p9shnp9wm\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-01-16T20:34:50Z\",\n \"nvd_published_at\": \"2024-01-15T10:15:26Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p836-389h-j692\",\n \"published\": \"2022-05-14T02:46:17Z\",\n \"modified\": \"2025-10-22T19:25:56.524449Z\",\n \"aliases\": [\n \"CVE-2016-4437\"\n ],\n \"summary\": \"Improper Access Control in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.2.5, when a cipher key has not been configured for the \\\"remember me\\\" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.2.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p836-389h-j692/GHSA-p836-389h-j692.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-4437\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4%40%3Cannouncements.aurora.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ef3a800c7d727a00e04b78e2f06c5cd8960f09ca28c9b69d94c3c4c4@%3Cannouncements.aurora.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-4437\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2035.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2036.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/538570/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/91024\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\",\n \"CWE-321\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-06T19:56:32Z\",\n \"nvd_published_at\": \"2016-06-07T14:06:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r679-m633-g7wc\",\n \"published\": \"2020-02-04T22:36:36Z\",\n \"modified\": \"2024-12-05T05:38:38.036634Z\",\n \"aliases\": [\n \"CVE-2019-12422\"\n ],\n \"summary\": \"Improper input validation in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.4.2, when using the default \\\"remember me\\\" configuration, cookies could be susceptible to a padding attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.4.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r679-m633-g7wc/GHSA-r679-m633-g7wc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12422\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c9db14cfebfb8e74205884ed2bf2e2b30790ce24b7dde9191c82572c@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d2612c034ab21a3a19d2132d47d3e4aa70105008dd58af62b653040@%3Ccommits.shiro.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-04T21:49:59Z\",\n \"nvd_published_at\": \"2019-11-18T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3jx9-mgwx-4q83\",\n \"published\": \"2022-05-14T02:42:51Z\",\n \"modified\": \"2024-12-04T05:51:17.893997Z\",\n \"aliases\": [\n \"CVE-2010-3863\"\n ],\n \"summary\": \"Apache Shiro Path Traversal vulnerability\",\n \"details\": \"Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-root\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-root\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3jx9-mgwx-4q83/GHSA-3jx9-mgwx-4q83.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2010-3863\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/62959\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20101120091718/http://www.vupen.com/english/advisories/2010/2888\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20101129043410/http://secunia.com/advisories/41989\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20110929165859/http://www.securityfocus.com/bid/44616\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20161017000748/http://www.securityfocus.com/archive/1/514616/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-07T22:57:26Z\",\n \"nvd_published_at\": \"2010-11-05T17:00:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7cxr-h8wm-fg4c\",\n \"published\": \"2023-01-14T12:30:23Z\",\n \"modified\": \"2024-02-16T08:23:48.417435Z\",\n \"aliases\": [\n \"CVE-2023-22602\"\n ],\n \"summary\": \"Apache Shiro Interpretation Conflict vulnerability\",\n \"details\": \"When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot \\u003c 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-root\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-root\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.11.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-7cxr-h8wm-fg4c/GHSA-7cxr-h8wm-fg4c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-22602\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-436\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T21:50:25Z\",\n \"nvd_published_at\": \"2023-01-14T10:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4q2v-j639-cp7p\",\n \"published\": \"2022-05-14T02:46:12Z\",\n \"modified\": \"2023-11-08T03:58:33.527856Z\",\n \"aliases\": [\n \"CVE-2016-6802\"\n ],\n \"summary\": \"Improper Access Control in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-all\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-all\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4q2v-j639-cp7p/GHSA-4q2v-j639-cp7p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-6802\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/shiro/commit/b15ab927709ca18ea4a02538be01919a19ab65af\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/SHIRO-584\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://packetstormsecurity.com/files/138709/Apache-Shiro-Filter-Bypass.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-04T22:45:53Z\",\n \"nvd_published_at\": \"2016-09-20T19:59:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hhw5-c326-822h\",\n \"published\": \"2023-12-14T09:30:19Z\",\n \"modified\": \"2025-11-04T17:06:07.324210Z\",\n \"aliases\": [\n \"CVE-2023-46750\"\n ],\n \"summary\": \"Open redirect in Apache Shiro\",\n \"details\": \"URL Redirection to Untrusted Site ('Open Redirect') vulnerability when \\\"form\\\" authentication is used in Apache Shiro.\\nMitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.13.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.11.0\",\n \"1.12.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0-alpha-1\"\n },\n {\n \"fixed\": \"2.0.0-alpha-4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0-alpha-1\",\n \"2.0.0-alpha-2\",\n \"2.0.0-alpha-3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-hhw5-c326-822h/GHSA-hhw5-c326-822h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-46750\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/shiro/commit/3b80f5c8e5a95ba31e92e4825ecc0ba3148b555a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/shiro/commit/8400d08d5eac0bc4fae99d28c5adc82dd8a86eda\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240808-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-12-15T03:11:05Z\",\n \"nvd_published_at\": \"2023-12-14T09:15:42Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pmhc-2g4f-85cg\",\n \"published\": \"2023-07-24T21:30:39Z\",\n \"modified\": \"2025-02-13T19:12:43.466421Z\",\n \"aliases\": [\n \"CVE-2023-34478\"\n ],\n \"summary\": \"Path Traversal in Apache Shiro\",\n \"details\": \"Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.\\n\\nMitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.10.0\",\n \"1.10.1\",\n \"1.11.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.8.0\",\n \"1.9.0\",\n \"1.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0-alpha-1\"\n },\n {\n \"fixed\": \"2.0.0-alpha-3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0-alpha-1\",\n \"2.0.0-alpha-2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-pmhc-2g4f-85cg/GHSA-pmhc-2g4f-85cg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34478\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/shiro/commit/c3ede3f94efb442acb0795714a022c2c121d1da0\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/shiro\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/mbv26onkgw9o35rldh7vmq11wpv2t2qk\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230915-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/07/24/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-25T13:51:45Z\",\n \"nvd_published_at\": \"2023-07-24T19:15:10Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v98j-7crc-wvrj\",\n \"published\": \"2022-02-09T22:03:57Z\",\n \"modified\": \"2023-11-08T04:02:42.580112Z\",\n \"aliases\": [\n \"CVE-2020-17523\"\n ],\n \"summary\": \"Authentication bypass in Apache Shiro\",\n \"details\": \"Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-web\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-web\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-spring\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-spring\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0-incubating\",\n \"1.1.0\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.2.3\",\n \"1.2.4\",\n \"1.2.5\",\n \"1.2.6\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.shiro:shiro-spring-boot-starter\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.shiro/shiro-spring-boot-starter\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.7.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.4.0\",\n \"1.4.0-RC2\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.6.0\",\n \"1.7.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-v98j-7crc-wvrj/GHSA-v98j-7crc-wvrj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-17523\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/shiro/pull/263\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/SHIRO-797\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b93ddf97e2c4cda779d22fab30539bdec454cfa5baec4ad0ffae235@%3Cgitbox.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r679ca97813384bdb1a4c087810ba44d9ad9c7c11583979bb7481d196@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r852971e28f54cafa7d325bd7033115c67d613b112a2a1076817390ac@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d93dfb5df016b1a71a808486bc8f9fbafebbdbc8533625f91253f1d@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce5943430a6136d37a1f2fc201d245fe094e2727a0bc27e3b2d43a39%40%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd4b613e121438b97e3eb263cac3137caddb1dbd8f648b73a4f1898a6@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re25b8317b00a50272a7252c4552cf1a81a97984cc2111ef7728e48e0@%3Cdev.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://shiro.apache.org/download.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-05T21:20:26Z\",\n \"nvd_published_at\": \"2021-02-03T17:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6x4w-8w53-xrvv\",\n \"published\": \"2020-09-14T18:44:01Z\",\n \"modified\": \"2024-12-02T06:03:30.310261Z\",\n \"aliases\": [\n \"CVE-2015-0254\"\n ],\n \"summary\": \"XXE in Apache Standard Taglibs\",\n \"details\": \"Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) \\u003cx:parse\\u003e or (2) \\u003cx:transform\\u003e JSTL XML tag.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.taglibs:taglibs-standard\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.taglibs/taglibs-standard\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.taglibs:taglibs-standard-impl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.taglibs/taglibs-standard-impl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-0254\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2016:1376\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1695.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1838.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1839.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1840.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1841.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/534772/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/72809\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1034934\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2551-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-09-14T18:42:48Z\",\n \"nvd_published_at\": \"2015-03-09T14:59:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6x4w-8w53-xrvv\",\n \"published\": \"2020-09-14T18:44:01Z\",\n \"modified\": \"2024-12-02T06:03:30.310261Z\",\n \"aliases\": [\n \"CVE-2015-0254\"\n ],\n \"summary\": \"XXE in Apache Standard Taglibs\",\n \"details\": \"Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) \\u003cx:parse\\u003e or (2) \\u003cx:transform\\u003e JSTL XML tag.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.taglibs:taglibs-standard\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.taglibs/taglibs-standard\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.taglibs:taglibs-standard-impl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.taglibs/taglibs-standard-impl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-6x4w-8w53-xrvv/GHSA-6x4w-8w53-xrvv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-0254\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2016:1376\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38@%3Cpluto-dev.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077@%3Cpluto-scm.portals.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1695.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1838.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1839.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1840.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1841.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/534772/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/72809\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1034934\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2551-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-09-14T18:42:48Z\",\n \"nvd_published_at\": \"2015-03-09T14:59:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g2fg-mr77-6vrm\",\n \"published\": \"2021-03-12T21:33:55Z\",\n \"modified\": \"2024-03-15T05:31:48.921973Z\",\n \"aliases\": [\n \"CVE-2020-13949\"\n ],\n \"related\": [\n \"CGA-3pv7-5j5f-w8rx\",\n \"CGA-7fjw-8fvm-77hc\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in Apache Thrift\",\n \"details\": \"In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.thrift:libthrift\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.thrift/libthrift\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.9.3\"\n },\n {\n \"fixed\": \"0.14.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.11.0\",\n \"0.12.0\",\n \"0.13.0\",\n \"0.9.3\",\n \"0.9.3-1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-g2fg-mr77-6vrm/GHSA-g2fg-mr77-6vrm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/hbase/pull/2958\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb3574bc1036b577b265be510e6b208f0a5d5d84cd7198347dc8482df@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raea1bb8cf2eb39c5e10543f547bdbbdbb563c2ac6377652f161d4e37@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae95c2234b6644bfd666b2671a1b42a09f38514d0f27cca3c7d5d55a@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rada9d2244a66ede0be29afc5d5f178a209f9988db56b9b845d955741@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad635e16b300cf434280001ee6ecd2ed2c70987bf16eb862bfa86e02@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/race178e9500ab8a5a6112667d27c48559150cadb60f2814bc67c40af@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9f7c755790313e1adb95d29794043fb102029e803daf4212ae18063@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra7371efd8363c1cd0f5331aafd359a808cf7277472b8616d7b392128@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3f7f06a1759c8e2985ed24ae2f5483393c744c1956d661adc873f2c@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ec75f690dd60fec8621ba992290962705d5b7f0d8fd0a42fab0ac9f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b51e7c253cb0989b4c03ed9f4e5f0478e427473357209ccc4d08ebf@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r995b945cc8f6ec976d8c52d42ba931a688b45fb32cbdde715b6a816a@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r950ced188d62320fdb84d9e2c6ba896328194952eff7430c4f55e4b0@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r93f23f74315e009f4fb68ef7fc794dceee42cf87fe6613814dcd8c70@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90b4473950e26607ed77f3d70f120166f6a36a3f80888e4eeabcaf91@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8dfbefcd606af6737b62461a45a9af9222040b62eab474ff2287cf75@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r89fdd39965efb7c6d22bc21c286d203252cea476e1782724aca0748e@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r890b8ec5203d70a59a6b1289420d46938d9029ed706aa724978789be@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8897a41f50d4eb19b268bde99328e943ba586f77779efa6de720c39f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r886b6d9a89b6fa0aafbf0a8f8f14351548d6c6f027886a3646dbd075@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r869331422580d35b4e65bd74cf3090298c4651bf4f31bfb19ae769da@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r850522c56c05aa06391546bdb530bb8fc3437f2b77d16e571ae73309@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r812915ecfa541ad2ca65c68a97b2c014dc87141dfaefc4de85049681@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7ae909438ff5a2ffed9211e6ab0bd926396fd0b1fc33f31a406ee704@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7597683cc8b87a31ec864835225a543dad112d7841bf1f17bf7eb8db@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74eb88b422421c65514c23cb9c2b2216efb9254317ea1b6a264fe6dc@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r741364444c3b238ab4a161f67f0d3a8f68acc517a39e6a93aa85d753@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202107-32\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfbb01bb85cdc2022f3b96bdc416dbfcb49a2855b3a340aa88b2e1de9@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf75979ae0ffd526f3afa935a8f0ee13c82808ea8b2bc0325eb9dcd90@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf741d08c7e0ab1542c81ea718467422bd01159ed284796a36ad88311@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf65df763f630163a3f620887efec082080555cee1adb0b8eaf2c7ddb@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf603d25213cfff81d6727c259328846b366fd32a43107637527c9768@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf568168e7f83871969928c0379813da6d034485f8b20fa73884816d6@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdcf00186c34d69826d9c6b1f010136c98b00a586136de0061f7d267e@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdc8e0f92d06decaee5db58de4ded16d80016a7db2240a8db17225c49@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd78cdd87d84499a404202f015f55935db3658bd0983ecec81e6b18c6@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd49d53b146d94a7d3a135f6b505589655ffec24ea470e345d31351bb@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd370fdb419652c5219409b315a6349b07a7e479bd3f151e9a5671774@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0734d91f16d5b050f0bcff78b4719300042a34fadf5e52d0edf898e@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed1493977ef4c@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcae4c66f67e701db44d742156dee1f3e5e4e07ad7ce10c740a76b669@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcace846f74ea9e2af2f7c30cef0796724aa74089f109c8029b850163@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc896ce7761999b088f3adabcb99dde2102b6a66130b8eec6c8265eab@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc7a79b08822337c68705f16ee7ddcfd352313b836e78a4b86c7a7e3d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc7a241e0af086b226ff9ccabc4a243d206f0f887037994bfd8fcaaeb@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc48ab5455bdece9a4afab53ca0f1e4f742d5baacb241323454a87b4e@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbfbb81e7fb5d5009caf25798f02f42a7bd064a316097303ba2f9ed76@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc5cad06a46d23253a3c819229efedecfc05f89ef53f5fdde77a86d6@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb91c32194eb5006f0b0c8bcdbd512c13495a1b277d4d51d45687f036@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb51977d392b01434b0b5df5c19b9ad5b6178cfea59e676c14f24c053@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb44ec04e5a9b1f87fef97bb5f054010cbfaa3b8586472a3a38a16fca@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72c3d1582d50b2ca7dd1ee97e81c847a5cf3458be26d42653c39d7a6@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r298a25228868ebc0943d56c8f3641212a0962d2dbcf1507d5860038e@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r286e9a13d3ab0550042997219101cb87871834b8d5ec293b0c60f009@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r27b7d3d95ffa8498899ef1c9de553d469f8fe857640a3f6e58dba640@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r278e96edc4bc13efb2cb1620a73e48f569162b833c6bda3e6ea18b80@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r20f6f8f8cf07986dc5304baed3bf4d8a1c4cf135ff6fe3640be4d7ec@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fb2d26b81c64ce96c4fd42b9e6842ff315b02c36518213b6c057350@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1dea91f0562e0a960b45b1c5635b2a47b258b77171334276bcf260a7@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d4a247329a8478073163567bbc8c8cb6b49c6bfc2bf58153a857af1@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r196409cc4df929d540a2e66169104f2b3b258d8bd96b5f083c59ee51@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r191a9279e2863b68e5496ee4ecd8be0d4fe43b324b934f0d1f106e1d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r18732bb1343894143d68db58fe4c8f56d9cd221b37f1378ed7373372@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17cca685ad53bc8300ee7fcfe874cb784a222343f217dd076e7dc1b6@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r179119bbfb5610499286a84c316f6789c5afbfa5340edec6eb28d027@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r15eed5d21e16a5cce810c1e096ffcffc36cd08c2f78ce2f9b24b4a6a@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1456eab5f3768be69436d5b0a68b483eb316eb85eb3ef6eba156a302@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r143ca388b0c83fe659db14be76889d50b453b0ee06f423181f736933@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r13f40151513ff095a44a86556c65597a7e55c00f5e19764a05530266@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r12090c81b67d21a814de6cf54428934a5e5613fde222759bbb05e99b@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r117d5d2b08d505b69558a2a31b0a1cf8990cd0385060b147e70e76a9@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1084a911dff90b2733b442ee0f5929d19b168035d447f2d25f534fe4@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r08a7bd19470ef8950d58cc9d9e7b02bc69c43f56c601989a7729cce5@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0372f0af2dad0b76fbd7a6cfdaad29d50384ad48dda475a5026ff9a3@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02f7771863383ae993eb83cdfb70c3cb65a355c913242c850f61f1b8@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02ba8db500d15a5949e9a7742815438002ba1cf1b361bdda52ed40ca@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r01b34416677f1ba869525e1b891ac66fa6f88c024ee4d7cdea6b456b@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/hbase\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6c5b7324274fd361b038c5cc316e99344b7ae20beae7163214fac14d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ba4f0817f98bf7c1cb314301cb7a24ba11a0b3e7a5be8b0ae3190b0@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ae3c68b0bfe430fb32f24236475276b6302bed625b23f53b68748b5@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r699c031e6921b0ad0f943848e7ba1d0e88c953619d47908618998f76@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6990c849aeafe65366794bfd002febd47b7ffa8cf3c059b400bbb11d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r668aed02e287c93403e0b8df16089011ee4a96afc8f479809f1fc07f@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r635133a74fa07ef3331cae49a9a088365922266edd58099a6162a5d3@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r62aa6d07b23095d980f348d330ed766560f9a9e940fec051f534ce37@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r587b4a5bcbc290269df0906bafba074f3fe4e50d4e959212f56fa7ea@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r533a172534ae67f6f17c4d33a1b814d3d5ada9ccd4eb442249f33fa2@%3Ccommits.camel.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r515e01a30443cfa2dbb355c44c63149869afd684fb7b0344c58fa67b@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4fa53eacca2ac38904f38dc226caebb3f2f668b2da887f2fd416f4a7@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d90b6d8de9697beb38814596d3a0d4994fa9aba1f6731a2c648d3ae@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r449288f6a941a2585262e0f4454fdefe169d5faee33314f6f89fab30@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43dc2b2e928e9d845b07ac075634cb759d91bb852421dc282f87a74a%40%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r421a9a76811c1aed7637b5fe5376ab14c09ccdd7b70d5211d6e76d1e@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r409e296c890753296c544a74d4de0d4a3ce719207a5878262fa2bd71@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3f97dbbbb1b2a7324521208bb595392853714e141a37b8f68d395835@%3Cnotifications.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3f3e1d562c528b4bafef2dde51f79dd444a4b68ef24920d68068b6f9@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3e31ec7e8c39db7553be4f4fd4d27cf27c41f1ba9c985995c4ea9c5a@%3Cnotifications.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3de0e0c26d4bd00dd28cab27fb44fba11d1c1d20275f7cce71393dd1@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3a1291a7ab8ee43db87cb0253371489810877028fc6e7c68dc640926@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3550b61639688e0efbc253c6c3e6358851c1f053109f1c149330b535@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f6a547f226579f542eb08793631d1f2d47d7aed7e2f9d11a4e6af9f@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ed66a3823990306b742b281af1834b9bc85f98259c870b8ffb13d93@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d180180f37c2ab5cebd711d080d01d8452efa8ad43c5d9cd7064621@%3Cissues.hbase.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-12T19:44:27Z\",\n \"nvd_published_at\": \"2021-02-12T20:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rj7p-rfgp-852x\",\n \"published\": \"2022-05-24T17:00:01Z\",\n \"modified\": \"2024-03-10T05:16:21.459619Z\",\n \"aliases\": [\n \"CVE-2019-0205\"\n ],\n \"related\": [\n \"CGA-3p6j-9f2g-h7xg\"\n ],\n \"summary\": \"Loop with Unreachable Exit Condition in Apache Thrift\",\n \"details\": \"In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.thrift:libthrift\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.thrift/libthrift\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.13.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.11.0\",\n \"0.12.0\",\n \"0.6.1\",\n \"0.7.0\",\n \"0.8.0\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"0.9.3\",\n \"0.9.3-1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 0.12.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rj7p-rfgp-852x/GHSA-rj7p-rfgp-852x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0205\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4633082b834eebccd0d322697651d931ab10ca9c51ee7ef18e1f60f4@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r50bf84c60867574238d18cdad5da9f303b618114c35566a3a001ae08@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r53c03e1c979b9c628d0d65e0f49dd9a9f9d7572838727ad11b750575@%3Cuser.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r55609613abab203a1f2c1f3de050b63ae8f5c4a024df0d848d6915ff@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r569b2b3da41ff45bfacfca6787a4a8728edd556e185b69b140181d9d@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r573029c2f8632e3174b9eea7cd57f9c9df33f2f706450e23fc57750a@%3Ccommits.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67a704213d13326771f46c84bbd84c8281bb93946e155e0e40abcb4c@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r73a3c8b80765e3d2430ff51f22b778d0c917919f01815b69ed16cf9d@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7859e767c90c8f4971dec50f801372aa64e88f143c3e8a265a36f9b4@%3Cuser.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r92b7771afee2625209c36727fefdc77033964e9a1daa81ec3327e625@%3Cuser.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r934f312dd5add7276ac2de684d8b237554ff9f34479a812df5fd6aee@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rab740e5c70424ef79fd095a4b076e752109aeee41c4256c2e5e5e142@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb139fa1d2714822d8c6e6f3bd6f5d5c91844d313201185c409288fd9@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba61c1f3a3b1960a6a694775b1a437751eba0825f30188f69387fe90@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce0d368a78b42c545f26c2e6e91e2b8a91b27b60d0cb45fe1911d337@%3Cnotifications.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re387dc6ca11cb0b0ce4de8e800bb91ca50fee054b80105f5cd34adcb@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf359e5cc6a185494fc0cfe837fe82f7db2ef49242d35cbf3895aebce@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202107-32\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0804\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0805\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0806\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2020:0811\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/003ac686189e6ce7b99267784d04bf60059a8c323eeda5a79a0309b8@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/07bd68ad237a5d513751d6d2731a8828f902c738ea57d85c1a72bad3@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/0d058e1bfd11727c4f2e2adf4b6e403a47c38e22431ab20066a1ac79@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1193444c17f499f92cd198d464a2c1ffc92182c83487345a854914b3@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1c18ec6ebfea0a9211992be952e8b33d0fda202c077979b84a5e09a8@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3dfa054b89274c9109c26ed1843ca15a14c03786f4016d26773878ae@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/928cae83d20d8d8196c26118f7084aa37573e1d31162381fb9454fb5@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9f7150d0b02e72d1154721a412e80cf797f1b7cfa295fcefc67b1381@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a9669756befaeb0f8e08766d3f4d410a0fce85da3a570506f71f0b67@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0c606d4be9aa163d132edf8edd8eb55e7b9464063b99acbbf6e9e287@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d08f5576286f4a042aabde13ecf58979644f6dc210f25aa9a4d469b@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r137753c9df8dd9065bea27a26af49aadc406b5a57fc584fefa008afd@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b1a92c229ead94d53b3bcde9e624d002b54f1c6fdb830b9f4da20e1@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r228ac842260c2c516af7b09f3cf4cf76e5b9c002e359954a203ab5a5@%3Cdev.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2832722c31d78bef7526e2c701ba4b046736e4c851473194a247392f@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r36581cc7047f007dd6aadbdd34e18545ec2c1eb7ccdae6dd47a877a9@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3887b48b183b6fa43e59398bd170a99239c0a16264cb5175b5b689d0@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-27T16:12:09Z\",\n \"nvd_published_at\": \"2019-10-29T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vx85-mj8c-4qm6\",\n \"published\": \"2019-01-17T13:56:33Z\",\n \"modified\": \"2024-02-16T08:22:18.795904Z\",\n \"aliases\": [\n \"CVE-2018-11798\"\n ],\n \"related\": [\n \"CGA-pmq8-4h9g-36mm\"\n ],\n \"summary\": \"Apache Thrift Node.js static web server sandbox escape\",\n \"details\": \"The Apache Thrift Node.js static web server in versions 0.9.2 through 0.11.0 have been determined to contain a security vulnerability in which a remote user has the ability to access files outside the set webservers docroot path.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.thrift:libthrift\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.thrift/libthrift\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.9.2\"\n },\n {\n \"fixed\": \"0.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.11.0\",\n \"0.9.2\",\n \"0.9.3\",\n \"0.9.3-1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-vx85-mj8c-4qm6/GHSA-vx85-mj8c-4qm6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11798\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/thrift/pull/1606\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/thrift/commit/2a2b72f6c8aef200ecee4984f011e06052288ff2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1545\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-vx85-mj8c-4qm6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/THRIFT-4647\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6e9edd282684896cedf615fb67a02bebfe6007f2d5baf03ba52e34fd@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227094236/http://www.securityfocus.com/bid/106501\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-538\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:58:46Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wjxj-f8rg-99wx\",\n \"published\": \"2019-01-17T13:56:40Z\",\n \"modified\": \"2024-03-14T05:20:15.449375Z\",\n \"aliases\": [\n \"CVE-2018-1320\"\n ],\n \"related\": [\n \"CGA-w2gp-wc62-wqxq\"\n ],\n \"summary\": \"Improper Input Validation in Apache Thrift\",\n \"details\": \"Apache Thrift Java client library versions 0.5.0 prior to 0.9.3-1 and 0.10.0 prior to 0.12.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.thrift:libthrift\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.thrift/libthrift\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.5.0\"\n },\n {\n \"fixed\": \"0.9.3-1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.6.1\",\n \"0.7.0\",\n \"0.8.0\",\n \"0.9.0\",\n \"0.9.1\",\n \"0.9.2\",\n \"0.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.thrift:libthrift\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.thrift/libthrift\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.10.0\"\n },\n {\n \"fixed\": \"0.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.11.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/01/GHSA-wjxj-f8rg-99wx/GHSA-wjxj-f8rg-99wx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1320\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/thrift/commit/7489ed6ac8bad64e72fa83ec9d53e1eeddca6c23\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227094237/http://www.securityfocus.com/bid/106551\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K36361684\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/02/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3d71a6dbb063aa61ba81278fe622b20bfe7501bb3821c27695641ac3@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r261972a3b14cf6f1dcd94b1b265e9ef644a38ccdf0d0238fa0c4d459@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2278846f7ab06ec07a0aa31457235e0ded9191b216cba55f3f315f16@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1015eaadef8314daa9348aa423086a732cfeb998ceb5d42605c9b0b5@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r09c3dcdccf4b74ad13bda79b354e6b793255ccfe245cca1b8cee23f5@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e825ff2f4e129c0ecdb6a19030b53c1ccdf810a8980667628d0c6a80@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dfee89880c84874058c6a584d8128468f8d3c2ac25068ded91073adc@%3Cuser.storm.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dbe3a39b48900318ad44494e8721f786901ba4520cd412c7698f534f@%3Cdev.storm.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/da5234b5e78f1c99190407f791dfe1bf6c58de8d30d15974a9669be3@%3Cuser.thrift.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8be5b16c02567fff61b1284e5df433a4e38617bc7de4804402bf62be@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6b07f6f618155c777191b4fad8ade0f0cf4ed4c12a1a746ce903d816@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d3b6849fcf4cd1e87703b3dde0d57aabeb9ba0193dc0cf3c97f545d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/187684ac8b94d55256253f5220cb55e8bd568afdf9a8a86e9bbb66c9@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/07c3cd5a2953a4b253eee4437b1397b1603d0f886437e19b657d2c54@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/THRIFT-4506\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/thrift/releases/tag/0.9.3.1\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/thrift\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2413\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2019/07/24/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106551\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-295\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:00:45Z\",\n \"nvd_published_at\": \"2019-01-07T17:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-27hp-xhwr-wr2m\",\n \"published\": \"2024-12-20T18:31:32Z\",\n \"modified\": \"2025-11-03T23:18:11.427349Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-56337\",\n \"CVE-2024-56337\"\n ],\n \"related\": [\n \"CGA-6qvq-rhpg-rc66\",\n \"CGA-9w54-vfw9-4r27\"\n ],\n \"summary\": \"Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability\",\n \"details\": \"Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\\n\\nThe mitigation for CVE-2024-50379 was incomplete.\\n\\nUsers running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation \\nparameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:\\n- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)\\n- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)\\n- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)\\n\\nTomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.98\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.98\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-27hp-xhwr-wr2m/GHSA-27hp-xhwr-wr2m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-56337\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/b2b9qrgjrz1kvo4ym8y2wkfdvwoq6qbp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250103-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cve.org/CVERecord?id=CVE-2024-50379\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-12-20T19:50:45Z\",\n \"nvd_published_at\": \"2024-12-20T16:15:24Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2rvv-w9r2-rg7m\",\n \"published\": \"2021-05-13T22:30:02Z\",\n \"modified\": \"2024-03-11T16:46:40.808422Z\",\n \"aliases\": [\n \"BIT-tomcat-2021-24122\",\n \"CVE-2021-24122\"\n ],\n \"related\": [\n \"CGA-9cx5-82vv-8fp2\"\n ],\n \"summary\": \"Information Disclosure in Apache Tomcat\",\n \"details\": \"When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0-M1\"\n },\n {\n \"fixed\": \"10.0.0-M10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0-M1\",\n \"10.0.0-M3\",\n \"10.0.0-M4\",\n \"10.0.0-M5\",\n \"10.0.0-M6\",\n \"10.0.0-M7\",\n \"10.0.0-M8\",\n \"10.0.0-M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.0-M9\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.60\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.107\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.100\",\n \"7.0.103\",\n \"7.0.104\",\n \"7.0.105\",\n \"7.0.106\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\",\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-2rvv-w9r2-rg7m/GHSA-2rvv-w9r2-rg7m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-24122\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-7.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210212-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/01/14/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-706\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-06T21:27:31Z\",\n \"nvd_published_at\": \"2021-01-14T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3p2h-wqq4-wf4h\",\n \"published\": \"2025-04-28T21:30:43Z\",\n \"modified\": \"2025-11-03T23:18:32.629791Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-31650\",\n \"CVE-2025-31650\"\n ],\n \"related\": [\n \"CGA-757w-cc53-956r\",\n \"CGA-rwp2-7vfm-8j2c\"\n ],\n \"summary\": \"Apache Tomcat Denial of Service via invalid HTTP priority header\",\n \"details\": \"Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.\\n\\nThis issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100.\\n\\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.76\"\n },\n {\n \"fixed\": \"9.0.104\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.102\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.10\"\n },\n {\n \"fixed\": \"10.1.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.76\"\n },\n {\n \"fixed\": \"9.0.104\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.102\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.10\"\n },\n {\n \"fixed\": \"10.1.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-3p2h-wqq4-wf4h/GHSA-3p2h-wqq4-wf4h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-31650\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/04/28/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-459\",\n \"CWE-460\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-04-29T14:59:22Z\",\n \"nvd_published_at\": \"2025-04-28T20:15:20Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3vx3-xf6q-r5xp\",\n \"published\": \"2022-05-13T01:25:13Z\",\n \"modified\": \"2024-04-18T17:16:06.618052Z\",\n \"aliases\": [\n \"CVE-2017-5648\"\n ],\n \"summary\": \"Exposure of Resource to Wrong Sphere in Apache Tomcat\",\n \"details\": \"While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.0.M18\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0.M17\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.2\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.12\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.0.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.5\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.0.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.76\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.75\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.0.M18\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0.M17\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.2\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.12\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.0.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.5\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.0.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.76\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.75\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3vx3-xf6q-r5xp/GHSA-3vx3-xf6q-r5xp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-5648\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0f7b9465d594b9814e1853d1e3a6e3aa51a21610\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/6bb36dfdf6444efda074893dff493b9eb3648808\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat80/commit/6d73b079c55ee25dea1bbd0556bb568a4247dacd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/201705-09\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180614-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20170417124117/http://www.securityfocus.com/bid/97530\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20170420115120/http://www.securitytracker.com/id/1038220\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1809\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1802\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:1801\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2017/dsa-3842\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2017/dsa-3843\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2020/07/20/8\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-668\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T13:57:54Z\",\n \"nvd_published_at\": \"2017-04-17T16:59:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-42wg-hm62-jcwg\",\n \"published\": \"2025-06-16T15:32:28Z\",\n \"modified\": \"2025-10-29T16:13:33.340454Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-49124\",\n \"CVE-2025-49124\"\n ],\n \"summary\": \"Apache Tomcat installer for Windows has an untrusted search path vulnerability\",\n \"details\": \"Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.\\n\\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.23\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.23\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.23\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-49124\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/28726cc2e63bed68771f5eb0f65a78dc7080571823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/c56456cda8151c9504dfb7985700824559d769a7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/lnow7tt2j6hb9kcpkggx32ht6o90vqzv\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/06/16/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-426\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-10-29T16:05:26Z\",\n \"nvd_published_at\": \"2025-06-16T15:15:24Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-46j3-r4pj-4835\",\n \"published\": \"2018-10-17T16:32:43Z\",\n \"modified\": \"2024-10-21T19:23:25.912196Z\",\n \"aliases\": [\n \"CVE-2018-8034\"\n ],\n \"summary\": \"The host name verification missing in Apache Tomcat\",\n \"details\": \"The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.9\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.32\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.0.53\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.35\"\n },\n {\n \"fixed\": \"7.0.90\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.88\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-46j3-r4pj-4835/GHSA-46j3-r4pj-4835.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8034\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2c522795166c930741a9cecca76797bf48cb1634\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2835bb4e030c1c741ed0847bb3b9c3822e4fbc8a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00047.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180817-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3723-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200517032514/http://www.securitytracker.com/id/1041374\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0130\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0131\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1159\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1160\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1529\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2205\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/104895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041374\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-295\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:57:40Z\",\n \"nvd_published_at\": \"2018-08-01T18:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5j33-cvvr-w245\",\n \"published\": \"2024-12-17T15:31:43Z\",\n \"modified\": \"2025-11-03T22:00:31.720080Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-50379\",\n \"CVE-2024-50379\"\n ],\n \"related\": [\n \"CGA-5749-245m-24vg\"\n ],\n \"summary\": \"Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability\",\n \"details\": \"Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.98\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.98\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-50379\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250103-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/12/17/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/12/18/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-12-17T16:39:38Z\",\n \"nvd_published_at\": \"2024-12-17T13:15:18Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5q99-f34m-67gc\",\n \"published\": \"2018-10-17T16:31:02Z\",\n \"modified\": \"2024-03-11T05:31:33.810503Z\",\n \"aliases\": [\n \"CVE-2018-11784\"\n ],\n \"summary\": \"Apache Tomcat Open Redirect vulnerability\",\n \"details\": \"When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.23\"\n },\n {\n \"fixed\": \"7.0.91\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-5q99-f34m-67gc/GHSA-5q99-f34m-67gc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-11784\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b76e1dfb3dec3789cc700f8d022c872eb947a221\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/efb860b3ff8ebcf606199b8d0d432f76898040da\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f9f147359b7c95511b64cd99bbc47917c01b3879\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/10/msg00005.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0130\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/10/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3787-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030058/http://www.securityfocus.com/bid/105524\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0131\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0485\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1529\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-5q99-f34m-67gc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://kc.mcafee.com/corporate/index?page=content\\u0026id=SB10284\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/23134c9b5a23892a205dc140cdd8c9c0add233600f76b313dda6bd75@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/163456/Apache-Tomcat-9.0.0M1-Open-Redirect.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:17:07Z\",\n \"nvd_published_at\": \"2018-10-04T13:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6rxj-58jh-436r\",\n \"published\": \"2018-10-17T16:31:17Z\",\n \"modified\": \"2024-11-29T05:39:06.932138Z\",\n \"aliases\": [\n \"CVE-2018-1304\"\n ],\n \"summary\": \"Apache Tomcat unauthorized access vulnerability\",\n \"details\": \"The URL pattern of \\\"\\\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.28\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.0.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.86\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6rxj-58jh-436r/GHSA-6rxj-58jh-436r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1304\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180706-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3665-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0465\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0466\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1320\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1447\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1448\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2205\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-6rxj-58jh-436r\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:20:10Z\",\n \"nvd_published_at\": \"2018-02-28T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6v52-mj5r-7j2m\",\n \"published\": \"2018-10-17T16:33:02Z\",\n \"modified\": \"2024-03-11T05:32:05.311159Z\",\n \"aliases\": [\n \"CVE-2018-8037\"\n ],\n \"summary\": \"Apache Tomcat Race Condition vulnerability\",\n \"details\": \"If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M9\"\n },\n {\n \"fixed\": \"9.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.5\"\n },\n {\n \"fixed\": \"8.5.32\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6v52-mj5r-7j2m/GHSA-6v52-mj5r-7j2m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8037\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4c04369c287233ea2e8e5135f6c31d02e2d76293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ccf2e6bf5205561ad18c2300153e9173ec509d73\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f94eedf02b5973598ab3dbbd4504da588e9ba6cb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2867\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180817-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227102808/http://www.securityfocus.com/bid/104894\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200515223903/http://www.securitytracker.com/id/1041376\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2868\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1529\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-362\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:20:12Z\",\n \"nvd_published_at\": \"2018-08-02T14:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-767j-jfh2-jvrc\",\n \"published\": \"2020-02-28T01:10:58Z\",\n \"modified\": \"2024-02-21T05:31:17.449525Z\",\n \"aliases\": [\n \"CVE-2019-17569\"\n ],\n \"summary\": \"Potential HTTP request smuggling in Apache Tomcat\",\n \"details\": \"The refactoring present in Apache Tomcat versions 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.98\"\n },\n {\n \"fixed\": \"7.0.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.48\"\n },\n {\n \"fixed\": \"8.5.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.49\",\n \"8.5.50\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.28\"\n },\n {\n \"fixed\": \"9.0.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.29\",\n \"9.0.30\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.98\"\n },\n {\n \"fixed\": \"7.0.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.48\"\n },\n {\n \"fixed\": \"8.5.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.49\",\n \"8.5.50\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.28\"\n },\n {\n \"fixed\": \"9.0.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.29\",\n \"9.0.30\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-767j-jfh2-jvrc/GHSA-767j-jfh2-jvrc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17569\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88def002c5c78534674ca67472e035099fbe088813d50062094a1390%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200327-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4673\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-25T16:19:11Z\",\n \"nvd_published_at\": \"2020-02-24T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7w75-32cg-r6g2\",\n \"published\": \"2024-03-13T18:31:34Z\",\n \"modified\": \"2025-10-29T15:11:35.481591Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-24549\",\n \"CVE-2024-24549\"\n ],\n \"related\": [\n \"CGA-g2x6-g84w-c6fq\",\n \"CGA-g7h3-55hg-6wrj\",\n \"CGA-mr75-947f-r7wp\"\n ],\n \"summary\": \"Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests\",\n \"details\": \"Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.\\n\\nUsers are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.0-M16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.18\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.86\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.85\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.98\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.98\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.86\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.85\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.18\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.0-M16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-7w75-32cg-r6g2/GHSA-7w75-32cg-r6g2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-24549\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240402-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/03/13/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-03-15T16:27:53Z\",\n \"nvd_published_at\": \"2024-03-13T16:15:29Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-83qj-6fr2-vhqg\",\n \"published\": \"2025-03-10T18:31:56Z\",\n \"modified\": \"2025-10-22T19:55:27.684619Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-24813\",\n \"CVE-2025-24813\"\n ],\n \"related\": [\n \"CGA-3gj2-76vf-63rm\"\n ],\n \"summary\": \"Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT\",\n \"details\": \"Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\n\\nIf all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:\\n- writes enabled for the default servlet (disabled by default)\\n- support for partial PUT (enabled by default)\\n- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads\\n- attacker knowledge of the names of security sensitive files being uploaded\\n- the security sensitive files also being uploaded via partial PUT\\n\\nIf all of the following were true, a malicious user was able to perform remote code execution:\\n- writes enabled for the default servlet (disabled by default)\\n- support for partial PUT (enabled by default)\\n- application was using Tomcat's file based session persistence with the default storage location\\n- application included a library that may be leveraged in a deserialization attack\\n\\nUsers are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.35\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.35\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-83qj-6fr2-vhqg/GHSA-83qj-6fr2-vhqg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-24813\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0a668e0c27f2b7ca0cc7c6eea32253b9b5ecb29c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f6c01d6577cf9a1e06792be47e623d36acc3b5dc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/absholi7ly/POC-CVE-2025-24813/blob/main/README.md\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/04/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250321-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24813\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24813-detect-apache-tomcat-rce\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24813-mitigate-apache-tomcat-rce\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-detect-vulnerability\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/cve-2025-24813-tomcat-mitigation-vulnerability\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/03/10/5\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-44\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-03-10T22:25:00Z\",\n \"nvd_published_at\": \"2025-03-10T17:15:35Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8vmx-qmch-mpqg\",\n \"published\": \"2019-04-18T14:27:35Z\",\n \"modified\": \"2024-03-16T05:19:17.739703Z\",\n \"aliases\": [\n \"CVE-2019-0232\"\n ],\n \"summary\": \"Apache Tomcat OS Command Injection vulnerability\",\n \"details\": \"When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-8vmx-qmch-mpqg/GHSA-8vmx-qmch-mpqg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0232\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190419-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030103/http://www.securityfocus.com/bid/107906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.synology.com/security/advisory/Synology_SA_19_17\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1712\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-78\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:26:43Z\",\n \"nvd_published_at\": \"2019-04-15T15:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9hg2-395j-83rm\",\n \"published\": \"2022-05-13T01:46:13Z\",\n \"modified\": \"2024-04-18T17:16:24.017955Z\",\n \"aliases\": [\n \"CVE-2017-5651\"\n ],\n \"summary\": \"Expected Behavior Violation in Apache Tomcat\",\n \"details\": \"In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.0.M19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0.M18\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.2\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.12\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.0.M19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0.M18\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.2\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.12\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9hg2-395j-83rm/GHSA-9hg2-395j-83rm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-5651\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/494429ca210641b6b7affe89a2b0a6c0ff70109b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9233d9d6a018be4415d4d7d6cb4fe01176adf1a8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20170420113605/http://www.securitytracker.com/id/1038219\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20170417124228/http://www.securityfocus.com/bid/97544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180614-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/201705-09\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/search?q=repo%3Aapache%2Ftomcat+apache.coyote+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\\u0026type=code\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bz.apache.org/bugzilla/show_bug.cgi?id=60918\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-440\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T13:44:41Z\",\n \"nvd_published_at\": \"2017-04-17T16:59:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9xcj-c8cr-8c3c\",\n \"published\": \"2019-12-26T18:22:26Z\",\n \"modified\": \"2024-03-10T05:19:10.199468Z\",\n \"aliases\": [\n \"CVE-2019-17563\"\n ],\n \"related\": [\n \"CGA-76c4-v9xm-9m69\"\n ],\n \"summary\": \"In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack\",\n \"details\": \"When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.0.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.50\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.30\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-9xcj-c8cr-8c3c/GHSA-9xcj-c8cr-8c3c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17563\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4251-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200107-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202003-43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-384\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-12-26T18:22:01Z\",\n \"nvd_published_at\": \"2019-12-23T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c9hw-wf7x-jp9j\",\n \"published\": \"2020-06-15T18:51:21Z\",\n \"modified\": \"2025-10-22T19:30:16.570842Z\",\n \"aliases\": [\n \"BIT-tomcat-2020-1938\",\n \"CVE-2020-1938\"\n ],\n \"related\": [\n \"CGA-w63f-vc82-fh9w\"\n ],\n \"summary\": \"Improper Privilege Management in Tomcat\",\n \"details\": \"When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: returning arbitrary files from anywhere in the web application, processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\",\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-c9hw-wf7x-jp9j/GHSA-c9hw-wf7x-jp9j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4673\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1938\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200226-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202003-43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://support.blackberry.com/kb/articleDetail?articleNumber=000062739\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-269\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-15T16:10:05Z\",\n \"nvd_published_at\": \"2020-02-24T22:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cx6h-86xw-9x34\",\n \"published\": \"2023-07-06T21:14:59Z\",\n \"modified\": \"2024-04-24T19:31:03.102779Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-28709\",\n \"CVE-2023-28709\"\n ],\n \"summary\": \"Apache Tomcat - Fix for CVE-2023-24998 was incomplete\",\n \"details\": \"The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.0-M5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M3\",\n \"11.0.0-M4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.5\"\n },\n {\n \"fixed\": \"10.1.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.71\"\n },\n {\n \"fixed\": \"9.0.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.85\"\n },\n {\n \"fixed\": \"8.5.88\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-28709\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/5badf94e79e5de206fc0ef3054fd536b1bb787cd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ba848da71c523d94950d3c53c19ea155189df9dc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/fbd81421629afe8b8a3922d59020cde81caea861\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230616-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/05/22/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-193\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-06T23:34:50Z\",\n \"nvd_published_at\": \"2023-05-22T11:15:09Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f4qf-m5gf-8jm8\",\n \"published\": \"2024-01-19T12:30:18Z\",\n \"modified\": \"2025-11-03T23:02:07.816346Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-21733\",\n \"CVE-2024-21733\"\n ],\n \"summary\": \"Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information\",\n \"details\": \"Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.\\n\\nUsers are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M11\"\n },\n {\n \"fixed\": \"9.0.44\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.7\"\n },\n {\n \"fixed\": \"8.5.64\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-f4qf-m5gf-8jm8/GHSA-f4qf-m5gf-8jm8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-21733\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240216-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/176951/Apache-Tomcat-8.5.63-9.0.43-HTTP-Response-Smuggling.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/01/19/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-209\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-01-29T22:30:43Z\",\n \"nvd_published_at\": \"2024-01-19T11:15:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-f98p-9pp6-7q6c\",\n \"published\": \"2022-05-01T23:45:13Z\",\n \"modified\": \"2025-04-09T16:44:52Z\",\n \"aliases\": [\n \"CVE-2008-1947\"\n ],\n \"summary\": \"Apache Tomcat Cross-site scripting (XSS) vulnerability\",\n \"details\": \"Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to `host-manager/html/add`.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"5.5.9\"\n },\n {\n \"fixed\": \"5.5.27\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.5.26\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.18\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.0.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"5.5.9\"\n },\n {\n \"fixed\": \"5.5.27\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 5.5.26\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.18\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.0.16\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-f98p-9pp6-7q6c/GHSA-f98p-9pp6-7q6c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2008-1947\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ab6a6c41ac972c845717c9d639f0335865afab4d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/78ad0fcbe29c824f1f2e45a4e2716247b033250a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/49c71fc59c1b8f8da77aea9eb53e61db168aebab\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/5f00d434c8dc11bd49ce0b4b56fe889839056030\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11534\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200514224656/http://www.securityfocus.com/archive/1/507985/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20201208011750/http://www.securityfocus.com/archive/1/492958/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/42816\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=446393\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2008-1947\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2008:1007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2008:0864\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2008:0862\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2008:0648\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=123376588623823\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=139344343412337\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=tomcat-user\\u0026m=121244319501278\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://support.apple.com/kb/HT3216\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-5.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-6.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2008/dsa-1593\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2008:188\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0648.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0862.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0864.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vmware.com/security/advisories/VMSA-2009-0002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vmware.com/security/advisories/VMSA-2009-0016.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-01-08T22:33:18Z\",\n \"nvd_published_at\": \"2008-06-04T19:32:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fccv-jmmp-qg76\",\n \"published\": \"2023-11-28T18:30:23Z\",\n \"modified\": \"2025-08-08T19:09:25.636121Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-46589\",\n \"CVE-2023-46589\"\n ],\n \"related\": [\n \"CGA-3336-vxcr-qh26\",\n \"CGA-x5p2-8fvm-5gv3\"\n ],\n \"summary\": \"Apache Tomcat Improper Input Validation vulnerability\",\n \"details\": \"Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82, and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.83\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.96\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.83\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.96\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-fccv-jmmp-qg76/GHSA-fccv-jmmp-qg76.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-46589\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231214-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.openwall.com/lists/oss-security/2023/11/28/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/11/28/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-11-28T23:28:54Z\",\n \"nvd_published_at\": \"2023-11-28T16:15:06Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ff77-26x5-69cr\",\n \"published\": \"2025-04-28T21:30:43Z\",\n \"modified\": \"2025-11-03T23:15:57.588860Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-31651\",\n \"CVE-2025-31651\"\n ],\n \"related\": [\n \"CGA-576p-jvpw-wc6p\",\n \"CGA-mm2j-x7m9-9wg3\"\n ],\n \"summary\": \"Apache Tomcat Rewrite rule bypass\",\n \"details\": \"Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.76\"\n },\n {\n \"fixed\": \"9.0.104\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.102\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.10\"\n },\n {\n \"fixed\": \"10.1.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.76\"\n },\n {\n \"fixed\": \"9.0.104\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.102\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.10\"\n },\n {\n \"fixed\": \"10.1.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-ff77-26x5-69cr/GHSA-ff77-26x5-69cr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-31651\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/175dc75fc428930034a6c93fb52f830d955d8e64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ee3ab548e92345eca0cbd1f01649eb36c6f29454\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/fbecc915a10c5a3d634c5e2c6ced4ff479ce9953\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/list.html?announce@tomcat.apache.org\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/04/28/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-116\",\n \"CWE-150\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-04-29T15:03:25Z\",\n \"nvd_published_at\": \"2025-04-28T20:15:20Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g8pj-r55q-5c2v\",\n \"published\": \"2023-10-10T18:31:35Z\",\n \"modified\": \"2025-08-08T19:07:14.800663Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-42795\",\n \"CVE-2023-42795\"\n ],\n \"summary\": \"Apache Tomcat Incomplete Cleanup vulnerability\",\n \"details\": \"Incomplete Cleanup vulnerability in Apache Tomcat.\\n\\nWhen recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-42795\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/30f8063d7a9b4c43ae4722f5e382a76af1d7a6bf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/44d05d75d696ca10ce251e4e370511e38f20ae75\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9375d67106f8df9eb9d7b360b2bef052fe67d3d4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d6db22e411307c97ddf78315c15d5889356eca38\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyxdob56lw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231103-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/10/9\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-459\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-10T22:30:05Z\",\n \"nvd_published_at\": \"2023-10-10T18:15:18Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gqp3-2cvr-x8m3\",\n \"published\": \"2025-08-13T15:30:34Z\",\n \"modified\": \"2025-11-05T21:04:59.959358Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-48989\",\n \"CVE-2025-48989\"\n ],\n \"summary\": \"Apache Tomcat Improper Resource Shutdown or Release vulnerability\",\n \"details\": \"Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.44\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.108\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.44\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.108\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-gqp3-2cvr-x8m3/GHSA-gqp3-2cvr-x8m3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48989\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/73c04a10395774bda71a0b37802cf983662ce255\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f362c8eb3b8ec5b7f312f7f5610731c0fb299a06\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f36b8a4eea4ce8a0bc035079e1d259d29f5eb7bf\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.kb.cert.org/vuls/id/767506\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/08/13/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-404\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-08-13T23:09:12Z\",\n \"nvd_published_at\": \"2025-08-13T13:15:34Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h2fw-rfh5-95r3\",\n \"published\": \"2025-05-29T21:31:37Z\",\n \"modified\": \"2025-11-03T23:17:19.299895Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-46701\",\n \"CVE-2025-46701\"\n ],\n \"related\": [\n \"CGA-m722-vhqr-x99v\"\n ],\n \"summary\": \"Apache Tomcat - CGI security constraint bypass\",\n \"details\": \"Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.105\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.41\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.105\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.41\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-h2fw-rfh5-95r3/GHSA-h2fw-rfh5-95r3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-46701\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0f01966eb60015d975525019e12a087f05ebf01a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/238d2aa54b99f91d1111467e2237d2244c64e558\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2c6800111e7d8d8d5403c07978ea9bff3db5a5a5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8cb95ff03221067c511b3fa66d4f745bc4b0a605\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8df00018a252baa9497615d6420fb6c10466fa74\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/fab7247d2f0e3a29d5daef565f829f383e10e5e2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.41\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.105\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/05/29/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-178\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-29T22:37:21Z\",\n \"nvd_published_at\": \"2025-05-29T19:15:27Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h3gc-qfqq-6h8f\",\n \"published\": \"2025-06-16T15:32:28Z\",\n \"modified\": \"2025-11-03T21:49:36.618679Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-48988\",\n \"CVE-2025-48988\"\n ],\n \"related\": [\n \"CGA-76pw-gh2p-78vh\"\n ],\n \"summary\": \"Apache Tomcat - DoS in multipart upload\",\n \"details\": \"Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.105\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.105\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-h3gc-qfqq-6h8f/GHSA-h3gc-qfqq-6h8f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-48988\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/06/16/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-16T17:50:09Z\",\n \"nvd_published_at\": \"2025-06-16T15:15:24Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hfrx-6qgj-fp6c\",\n \"published\": \"2023-02-20T18:30:17Z\",\n \"modified\": \"2025-11-04T17:02:38.358233Z\",\n \"aliases\": [\n \"CVE-2023-24998\"\n ],\n \"related\": [\n \"CGA-vhv7-2gww-h7x4\"\n ],\n \"summary\": \"Apache Commons FileUpload denial of service vulnerability\",\n \"details\": \"Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"commons-fileupload:commons-fileupload\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/commons-fileupload/commons-fileupload\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-beta-1\",\n \"1.0-rc1\",\n \"1.1\",\n \"1.1.1\",\n \"1.2\",\n \"1.2.1\",\n \"1.2.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.1-jenkins-1\",\n \"1.3.1-jenkins-2\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.2\",\n \"10.1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.0-M5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M3\",\n \"11.0.0-M4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.85\"\n },\n {\n \"fixed\": \"8.5.88\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.71\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.2\",\n \"10.1.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M2\"\n },\n {\n \"fixed\": \"11.0.0-M5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M3\",\n \"11.0.0-M4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.85\"\n },\n {\n \"fixed\": \"8.5.88\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.71\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-24998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241108-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230302-0013\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\\u0026type=code\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/commons-fileupload\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://commons.apache.org/proper/commons-fileupload/security-reports.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/05/22/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-22T00:12:07Z\",\n \"nvd_published_at\": \"2023-02-20T16:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hgrr-935x-pq79\",\n \"published\": \"2025-10-27T18:31:13Z\",\n \"modified\": \"2025-11-05T21:08:18.888100Z\",\n \"aliases\": [\n \"CVE-2025-61795\"\n ],\n \"related\": [\n \"CGA-7mvr-5m45-qj72\",\n \"CGA-8r8c-f385-rjq7\",\n \"CGA-9jp5-3v3c-f4mc\",\n \"CGA-g5qh-ggv5-g3xv\",\n \"CGA-j452-cfc3-8ffx\",\n \"CGA-q4w6-262v-263g\",\n \"CGA-v7h9-8q55-77cv\"\n ],\n \"summary\": \"Apache Tomcat Vulnerable to Improper Resource Shutdown or Release\",\n \"details\": \"If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.\\n\\nThe following versions were EOL at the time the CVE was created but are \\nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\\nUsers are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.45\",\n \"10.1.46\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.40\"\n },\n {\n \"fixed\": \"9.0.110\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.109\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.45\",\n \"10.1.46\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.40\"\n },\n {\n \"fixed\": \"9.0.110\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.109\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.45\",\n \"10.1.46\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.40\"\n },\n {\n \"fixed\": \"9.0.110\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.109\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-hgrr-935x-pq79/GHSA-hgrr-935x-pq79.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-61795\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.47\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.110\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/10/27/6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-404\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-10-28T18:02:45Z\",\n \"nvd_published_at\": \"2025-10-27T18:15:44Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hh3j-x4mc-g48r\",\n \"published\": \"2019-12-26T18:22:36Z\",\n \"modified\": \"2024-03-14T05:19:45.437799Z\",\n \"aliases\": [\n \"CVE-2019-12418\"\n ],\n \"related\": [\n \"CGA-8w25-pmjp-vrmj\"\n ],\n \"summary\": \"Insufficiently Protected Credentials in Apache Tomcat\",\n \"details\": \"When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.0.99\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 7.0.98\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.49\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 8.5.48\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.29\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hh3j-x4mc-g48r/GHSA-hh3j-x4mc-g48r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-12418\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4251-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K10107360?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200107-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202003-43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-522\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-12-26T18:22:10Z\",\n \"nvd_published_at\": \"2019-12-23T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-j39c-c8hj-x4j3\",\n \"published\": \"2021-06-16T17:45:29Z\",\n \"modified\": \"2024-02-19T05:31:44.331997Z\",\n \"aliases\": [\n \"BIT-tomcat-2021-25122\",\n \"CVE-2021-25122\"\n ],\n \"related\": [\n \"CGA-vhqv-jhjv-679r\"\n ],\n \"summary\": \"Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat\",\n \"details\": \"When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.43\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.63\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-25122\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd90bf36b1877e1310b87ecd14ed7bbb15da52b297efd9f0e7253a3b@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0463f9a5cbc02a485404c4b990f0da452e5ac5c237808edba11c947@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-34\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210409-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4891\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/03/01/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-24T19:53:13Z\",\n \"nvd_published_at\": \"2021-03-01T12:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jgwr-3qm3-26f3\",\n \"published\": \"2021-03-19T20:11:13Z\",\n \"modified\": \"2024-03-08T05:18:06.945365Z\",\n \"aliases\": [\n \"BIT-tomcat-2021-25329\",\n \"CVE-2021-25329\"\n ],\n \"related\": [\n \"CGA-457j-5q26-g4hx\"\n ],\n \"summary\": \"Potential remote code execution in Apache Tomcat\",\n \"details\": \"The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0-M1\"\n },\n {\n \"fixed\": \"10.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-M1\",\n \"10.0.0-M10\",\n \"10.0.0-M3\",\n \"10.0.0-M4\",\n \"10.0.0-M5\",\n \"10.0.0-M6\",\n \"10.0.0-M7\",\n \"10.0.0-M8\",\n \"10.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.41\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.108\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.100\",\n \"7.0.103\",\n \"7.0.104\",\n \"7.0.105\",\n \"7.0.106\",\n \"7.0.107\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\",\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 7.0.107\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-jgwr-3qm3-26f3/GHSA-jgwr-3qm3-26f3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-25329\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4891\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210409-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202208-34\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/03/01/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-19T20:10:56Z\",\n \"nvd_published_at\": \"2021-03-01T12:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jjpq-gp5q-8q6w\",\n \"published\": \"2019-05-30T03:30:42Z\",\n \"modified\": \"2024-03-11T14:57:09.068862Z\",\n \"aliases\": [\n \"CVE-2019-0221\"\n ],\n \"summary\": \"Cross-site scripting in Apache Tomcat\",\n \"details\": \"The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.40\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0221\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202003-43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190606-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K13184144?utm_source=f5support\\u0026amp%3Butm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K13184144?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-7.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4128-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4128-2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3929\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3931\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2019/May/50\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-05-30T03:30:07Z\",\n \"nvd_published_at\": \"2019-05-28T22:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jx6h-3fjx-cgv5\",\n \"published\": \"2018-10-17T16:31:48Z\",\n \"modified\": \"2024-11-29T05:50:11.687725Z\",\n \"aliases\": [\n \"CVE-2018-1305\"\n ],\n \"summary\": \"Apache Tomcat information exposure vulnerability\",\n \"details\": \"Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0M1\"\n },\n {\n \"fixed\": \"9.0.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.28\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.27\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.85\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.84\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jx6h-3fjx-cgv5/GHSA-jx6h-3fjx-cgv5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1305\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2349801827f09fb6582a8afdeca704294106ad9a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2aac69f694d42d9219eb27018b3da0ae1bdd73ab\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/3e54b2a6314eda11617ff7a7b899c251e222b1a1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4d637bc3986e5d09b9363e2144b8ba74fa6eac3a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/c63b96d72cd39287e17b2ba698f4eee0ba508073\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/de6b4fd58b64828f374503b9ec76a12017b92895\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180706-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3665-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030042/http://www.securityfocus.com/bid/103144\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200516094320/http://www.securitytracker.com/id/1040428\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0465\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0466\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1320\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2205\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:44:18Z\",\n \"nvd_published_at\": \"2018-02-23T23:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m59c-jpc8-m2x4\",\n \"published\": \"2018-10-17T16:32:18Z\",\n \"modified\": \"2024-03-12T05:33:41.550174Z\",\n \"aliases\": [\n \"CVE-2018-1336\"\n ],\n \"summary\": \"In Apache Tomcat there is an improper handing of overflow in the UTF-8 decoder \",\n \"details\": \"An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M9\"\n },\n {\n \"fixed\": \"9.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0RC1\"\n },\n {\n \"fixed\": \"8.0.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.28\"\n },\n {\n \"fixed\": \"7.0.87\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m59c-jpc8-m2x4/GHSA-m59c-jpc8-m2x4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1336\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat80/commit/9e9b7fe1b5732277a26e437f1d32155de6208ef2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/e00812b94e5830b2be3de04f4ae4ade38a700074\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/92cd494555598e99dd691712e8ee426a2f9c2e93\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/156d76a6afeef440d14044a560d6ad1d029361c4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180817-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K73008537?utm_source=f5support\\u0026amp%3Butm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K73008537?utm_source=f5support\\u0026amp;utm_medium=RSS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3723-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20190703075545/http://www.securitytracker.com/id/1041375\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227102810/http://www.securityfocus.com/bid/104898\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHEA-2018:2188\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHEA-2018:2189\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2700\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2701\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2740\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2741\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2742\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2743\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2921\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2930\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2945\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:3768\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-835\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:44:57Z\",\n \"nvd_published_at\": \"2018-08-02T14:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mppv-79ch-vw6q\",\n \"published\": \"2023-06-21T12:30:19Z\",\n \"modified\": \"2024-04-24T19:44:03Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-34981\",\n \"CVE-2023-34981\"\n ],\n \"summary\": \"Apache Tomcat vulnerable to information leak\",\n \"details\": \"A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M5\"\n },\n {\n \"fixed\": \"11.0.0-M6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.8\"\n },\n {\n \"fixed\": \"10.1.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.74\"\n },\n {\n \"fixed\": \"9.0.75\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.74\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.88\"\n },\n {\n \"fixed\": \"8.5.89\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.88\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34981\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bz.apache.org/bugzilla/show_bug.cgi?id=66512\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bz.apache.org/bugzilla/show_bug.cgi?id=66591\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230714-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-732\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-21T22:06:39Z\",\n \"nvd_published_at\": \"2023-06-21T11:15:09Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p22x-g9px-3945\",\n \"published\": \"2022-11-01T12:00:30Z\",\n \"modified\": \"2024-04-23T20:46:15.447071Z\",\n \"aliases\": [\n \"BIT-tomcat-2022-42252\",\n \"CVE-2022-42252\"\n ],\n \"summary\": \"Apache Tomcat may reject request containing invalid Content-Length header\",\n \"details\": \"If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.83\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.68\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0-M1\"\n },\n {\n \"fixed\": \"10.0.27\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-M1\",\n \"10.0.0-M10\",\n \"10.0.0-M3\",\n \"10.0.0-M4\",\n \"10.0.0-M5\",\n \"10.0.0-M6\",\n \"10.0.0-M7\",\n \"10.0.0-M8\",\n \"10.0.0-M9\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.26\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.68\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0-M1\"\n },\n {\n \"fixed\": \"10.0.27\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-M1\",\n \"10.0.0-M10\",\n \"10.0.0-M3\",\n \"10.0.0-M4\",\n \"10.0.0-M5\",\n \"10.0.0-M6\",\n \"10.0.0-M7\",\n \"10.0.0-M8\",\n \"10.0.0-M9\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.26\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p22x-g9px-3945/GHSA-p22x-g9px-3945.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-42252\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0d089a15047faf9cb3c82f80f4d28febd4798920\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/a1c07906d8dcaf7957e5cc97f5cdbac7d18a205a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/c9fe754e5d17e262dfbd3eab2a03ca96ff372dc3\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/zzcxzvqfdqn515zfs3dxb7n8gty589sq\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-37\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\",\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-11-01T18:37:42Z\",\n \"nvd_published_at\": \"2022-11-01T09:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pjfr-qf3p-3q25\",\n \"published\": \"2018-10-17T16:30:31Z\",\n \"modified\": \"2025-10-22T19:26:58.224397Z\",\n \"aliases\": [\n \"CVE-2017-12615\"\n ],\n \"summary\": \"When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server\",\n \"details\": \"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.79\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-pjfr-qf3p-3q25/GHSA-pjfr-qf3p-3q25.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12615\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.exploit-db.com/exploits/42953\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20171018-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/breaktoprotect/CVE-2017-12615\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-pjfr-qf3p-3q25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0466\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0465\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3081\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3080\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/100901\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1039392\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-434\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:49:21Z\",\n \"nvd_published_at\": \"2017-09-19T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q3mw-pvr8-9ggc\",\n \"published\": \"2023-08-25T21:30:48Z\",\n \"modified\": \"2025-08-08T19:07:33.521950Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-41080\",\n \"CVE-2023-41080\"\n ],\n \"related\": [\n \"CGA-chc4-69mh-93g6\"\n ],\n \"summary\": \"Apache Tomcat Open Redirect vulnerability\",\n \"details\": \"URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.80\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.93\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.93\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.80\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-q3mw-pvr8-9ggc/GHSA-q3mw-pvr8-9ggc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-41080\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4998ad745b67edeadefe541c94ed029b53933d3b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/77c0ce2d169efa248b64b992e547aad549ec906b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230921-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5522\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-601\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-25T22:05:01Z\",\n \"nvd_published_at\": \"2023-08-25T21:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q4hg-rmq2-52q9\",\n \"published\": \"2019-06-26T01:09:40Z\",\n \"modified\": \"2024-03-11T15:55:43.657670Z\",\n \"aliases\": [\n \"CVE-2019-10072\"\n ],\n \"summary\": \"Improper Locking in Apache Tomcat\",\n \"details\": \"The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.20\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.41\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-q4hg-rmq2-52q9/GHSA-q4hg-rmq2-52q9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10072\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8d14c6f21d29768a39be4b6b9517060dc6606758\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/ada725a50a60867af3422c8e612aecaeea856a9a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190625-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K17321505\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4128-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4128-2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227033743/http://www.securityfocus.com/bid/108874\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.synology.com/security/advisory/Synology_SA_19_29\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3931\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3929\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-667\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-06-26T00:56:45Z\",\n \"nvd_published_at\": \"2019-06-21T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qcxh-w3j9-58qr\",\n \"published\": \"2020-06-15T18:51:09Z\",\n \"modified\": \"2024-03-16T05:16:48.960226Z\",\n \"aliases\": [\n \"CVE-2019-0199\"\n ],\n \"summary\": \"Apache Tomcat Denial of Service vulnerability\",\n \"details\": \"The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.38\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-qcxh-w3j9-58qr/GHSA-qcxh-w3j9-58qr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0199\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190419-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K17321505\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200227030041/http://www.securityfocus.com/bid/107674\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3929\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3931\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-15T16:43:54Z\",\n \"nvd_published_at\": \"2019-04-10T15:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qppj-fm5r-hxr3\",\n \"published\": \"2023-10-10T21:28:24Z\",\n \"modified\": \"2025-10-22T19:55:03.871944Z\",\n \"aliases\": [\n \"BIT-apisix-2023-44487\",\n \"BIT-aspnet-core-2023-44487\",\n \"BIT-contour-2023-44487\",\n \"BIT-dotnet-2023-44487\",\n \"BIT-dotnet-sdk-2023-44487\",\n \"BIT-envoy-2023-44487\",\n \"BIT-golang-2023-44487\",\n \"BIT-jenkins-2023-44487\",\n \"BIT-kong-2023-44487\",\n \"BIT-nginx-2023-44487\",\n \"BIT-nginx-ingress-controller-2023-44487\",\n \"BIT-node-2023-44487\",\n \"BIT-node-min-2023-44487\",\n \"BIT-solr-2023-44487\",\n \"BIT-tomcat-2023-44487\",\n \"BIT-varnish-2023-44487\",\n \"CGA-4mmr-qwxr-f88g\",\n \"CGA-5jp5-95p2-jw83\",\n \"CGA-5v4r-558c-254r\",\n \"CGA-9w4r-68hh-64j5\",\n \"CGA-m49h-wjp5-j434\",\n \"CGA-mp43-q6p3-96v2\",\n \"CVE-2023-44487\",\n \"GHSA-m425-mq94-257g\",\n \"GO-2023-2153\"\n ],\n \"related\": [\n \"CGA-2299-p283-6754\",\n \"CGA-229m-7869-rw4v\",\n \"CGA-24hx-83pv-289x\",\n \"CGA-2pcr-mcjf-2wpx\",\n \"CGA-2qwx-p2mj-2vg9\",\n \"CGA-2rv9-rcgf-5jmv\",\n \"CGA-2v87-m46r-gjch\",\n \"CGA-2v95-w62h-qj34\",\n \"CGA-2vjm-8pmg-xm38\",\n \"CGA-2wf3-5p85-5cjv\",\n \"CGA-2xxq-x97g-5x4g\",\n \"CGA-349p-pq36-fxj6\",\n \"CGA-376q-594m-cg5h\",\n \"CGA-38xr-m6w5-7mjr\",\n \"CGA-3cjr-qphr-4q8c\",\n \"CGA-3g58-8vg4-j962\",\n \"CGA-3hw4-xp7w-mf8r\",\n \"CGA-3m7w-768w-7c63\",\n \"CGA-3qc4-4rpc-fw57\",\n \"CGA-3wv3-c8pc-vfc7\",\n \"CGA-42pp-gwp5-q5p4\",\n \"CGA-45r2-9m23-x9g6\",\n \"CGA-4779-25p4-j7h2\",\n \"CGA-4c3m-883j-8695\",\n \"CGA-4cgp-vvw6-j596\",\n \"CGA-4pfq-mx97-263v\",\n \"CGA-4qr9-f5q2-prfp\",\n \"CGA-4r3q-fgcw-49c7\",\n \"CGA-4rc6-3vhf-qf99\",\n \"CGA-4wwj-8m9v-fq8x\",\n \"CGA-5454-884w-3j88\",\n \"CGA-556h-c5fj-3w99\",\n \"CGA-56q4-xqhh-mfwx\",\n \"CGA-583h-35v8-3832\",\n \"CGA-59pp-cfxf-c3rf\",\n \"CGA-5gg6-x7qp-xxv4\",\n \"CGA-5m9g-9jqg-pxgg\",\n \"CGA-5q2w-xhwc-rwxc\",\n \"CGA-5rgp-q5p7-2mf5\",\n \"CGA-6642-55rh-hw42\",\n \"CGA-6ggm-gwjp-2q55\",\n \"CGA-6v26-8q96-376f\",\n \"CGA-6w85-h2rp-4xf2\",\n \"CGA-72wg-cw63-gf9v\",\n \"CGA-75wc-3qwg-w6r6\",\n \"CGA-765w-qmch-926x\",\n \"CGA-76j5-w627-hxq8\",\n \"CGA-7942-4mrf-v638\",\n \"CGA-7h6v-hgj5-rc6j\",\n \"CGA-7qcv-pmxr-hc3p\",\n \"CGA-7xrp-cfgv-p96p\",\n \"CGA-824v-jhv4-f4mw\",\n \"CGA-828f-q9xr-h575\",\n \"CGA-85m7-vwm2-3rgx\",\n \"CGA-87mj-vfr9-8342\",\n \"CGA-8893-2h9f-wpwr\",\n \"CGA-88pw-g8rx-54fw\",\n \"CGA-8ff8-px3p-27h2\",\n \"CGA-8gmp-6559-9h7f\",\n \"CGA-8h6j-5683-hj2p\",\n \"CGA-8ph8-2ph8-9526\",\n \"CGA-8qxj-xqxm-g9rj\",\n \"CGA-8w2g-p32j-34q7\",\n \"CGA-92p6-frjm-h6wh\",\n \"CGA-9336-v7qg-9pxr\",\n \"CGA-9653-v8w4-9j5m\",\n \"CGA-97gj-c86j-gmrh\",\n \"CGA-98pg-rvgm-vq7w\",\n \"CGA-9j94-gc38-2m2j\",\n \"CGA-9q26-2wgq-q8jq\",\n \"CGA-c2wj-qvw6-v5cc\",\n \"CGA-c4c9-566q-j9f8\",\n \"CGA-c5rg-gjw6-jhf5\",\n \"CGA-cc75-jr7m-v4rg\",\n \"CGA-cfmf-v2vf-446r\",\n \"CGA-cfpj-5fv4-gmqx\",\n \"CGA-crjx-p8j7-7mfq\",\n \"CGA-cxxg-fmvh-x664\",\n \"CGA-f5x2-3vrj-9h9j\",\n \"CGA-fh68-3rxp-2rr4\",\n \"CGA-fjj9-cf2q-279r\",\n \"CGA-fqmp-xrf6-2pq9\",\n \"CGA-g76q-386m-vw9c\",\n \"CGA-g8fr-g5rp-4g53\",\n \"CGA-gg7w-54jm-jc98\",\n \"CGA-gwxw-7hx6-fhc6\",\n \"CGA-gxgw-6wgc-3c72\",\n \"CGA-h2hr-q994-g57w\",\n \"CGA-h3hf-wvxm-w8fq\",\n \"CGA-h484-fxx6-7hrh\",\n \"CGA-h4hq-pj3g-852q\",\n \"CGA-h5p7-g2cp-wxvq\",\n \"CGA-h8xj-6f7x-vgcr\",\n \"CGA-hfrv-xx9v-v78g\",\n \"CGA-hg38-7g2w-6w7q\",\n \"CGA-hp8r-x64x-9wx8\",\n \"CGA-hq25-jj7j-2jhx\",\n \"CGA-hwq5-r477-jpjj\",\n \"CGA-hwwr-q8hg-7w7m\",\n \"CGA-hxgw-r76p-5q9f\",\n \"CGA-hxx6-782j-x2rg\",\n \"CGA-j7cc-x379-65f6\",\n \"CGA-j822-fhmp-r464\",\n \"CGA-j978-jw6m-g3m2\",\n \"CGA-j9wj-m9g4-3cqr\",\n \"CGA-jchg-g7m5-gx9j\",\n \"CGA-jfxc-mh76-f83w\",\n \"CGA-jm66-m52h-37p8\",\n \"CGA-jp5v-pxgv-mwxm\",\n \"CGA-jpm5-jx7m-gj52\",\n \"CGA-jqqv-mcm2-xfhf\",\n \"CGA-jrm6-4p39-vv8f\",\n \"CGA-m2rg-gw8g-jq3g\",\n \"CGA-m2vf-6j9c-q44v\",\n \"CGA-m2xm-59pf-m2w9\",\n \"CGA-m4ph-vwfq-6p88\",\n \"CGA-m6q6-3rm7-v7r7\",\n \"CGA-m929-58m9-46x7\",\n \"CGA-m96g-hjv2-7739\",\n \"CGA-mfww-9mm5-5q9p\",\n \"CGA-mh7x-f999-qfgr\",\n \"CGA-mh9m-rvrx-x78q\",\n \"CGA-mrg3-v5p6-fcrc\",\n \"CGA-mw67-9v22-xhfj\",\n \"CGA-mxmj-hx3p-86mr\",\n \"CGA-p3wv-wqgx-5f9g\",\n \"CGA-p488-4rp7-4vcq\",\n \"CGA-pm5v-cpg9-6pjv\",\n \"CGA-ppff-fghc-fmx2\",\n \"CGA-ppp5-rgx9-7cp5\",\n \"CGA-pvf6-v7vv-5pm8\",\n \"CGA-pwwr-2v47-j82m\",\n \"CGA-q23v-55fw-7wqq\",\n \"CGA-q2g4-fr75-mfgw\",\n \"CGA-q883-c6c7-5mrg\",\n \"CGA-q8f4-cjcq-pvcw\",\n \"CGA-q9x3-54qc-w4vx\",\n \"CGA-qf93-qqgg-57pp\",\n \"CGA-qg2x-rjrq-27j7\",\n \"CGA-qg4w-crjp-pm66\",\n \"CGA-qgcq-r8vq-cj48\",\n \"CGA-qj23-2j5c-346p\",\n \"CGA-qj39-h7mv-wvvr\",\n \"CGA-qqq4-xppr-35gx\",\n \"CGA-qrj8-7hhv-5fqr\",\n \"CGA-r3jw-5855-vm4v\",\n \"CGA-r3vf-8xgf-j7xf\",\n \"CGA-r65x-gccm-c3h9\",\n \"CGA-r672-cm53-wqp9\",\n \"CGA-r67v-7r7m-7mjm\",\n \"CGA-r6pc-j2w2-hg9j\",\n \"CGA-r83c-wr9j-cf47\",\n \"CGA-r8fq-45qw-f82f\",\n \"CGA-rfpm-7c5c-2jr7\",\n \"CGA-rh6x-pqw3-m94h\",\n \"CGA-rwg6-qrw3-mq94\",\n \"CGA-rwv7-vh72-vwm9\",\n \"CGA-rx36-6r58-w9cv\",\n \"CGA-v2x5-f8g9-xwxg\",\n \"CGA-v33m-mhpg-r9vc\",\n \"CGA-v69x-6w5f-9788\",\n \"CGA-v8m6-hgvj-q9jx\",\n \"CGA-v9r4-ppcg-99fx\",\n \"CGA-vg2f-7w94-hc6j\",\n \"CGA-vhg8-353g-xgjq\",\n \"CGA-vmv2-mcvh-c322\",\n \"CGA-vrwc-ghcx-vgf2\",\n \"CGA-vxx9-w3rw-hmm8\",\n \"CGA-w32j-65w7-364f\",\n \"CGA-w6jr-m8cm-cm2q\",\n \"CGA-w8w4-2885-pj8c\",\n \"CGA-w93r-jjhq-mrfj\",\n \"CGA-wcpm-f328-p4gm\",\n \"CGA-wcvh-j92g-4jf2\",\n \"CGA-wv77-q28p-3ccr\",\n \"CGA-wx95-wrvj-5fxq\",\n \"CGA-wxpj-97pc-mhgh\",\n \"CGA-x3c3-mgmr-7hfc\",\n \"CGA-x3gh-rmf6-3wm3\",\n \"CGA-x477-6cc3-862v\",\n \"CGA-x678-9j63-wf4w\",\n \"CGA-x7vm-wxp7-c7p6\",\n \"CGA-x866-fvq6-vg5f\",\n \"CGA-x87p-5crv-79j5\",\n \"CGA-x8gx-4p34-286q\",\n \"CGA-xfch-66rw-37j9\",\n \"CGA-xffp-8jxx-qx99\",\n \"CGA-xj77-2fg4-p9xh\",\n \"CGA-xq7r-vg65-qvmc\",\n \"CGA-xqpr-wh63-xxmp\",\n \"CGA-xr5x-637v-fqgc\",\n \"CGA-xxmc-xq95-99j2\",\n \"CVE-2023-44487\"\n ],\n \"summary\": \"HTTP/2 Stream Cancellation Attack\",\n \"details\": \"## HTTP/2 Rapid reset attack\\nThe HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.\\n\\nAbuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. \\n\\nThe HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately.\\n\\nThe ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.\\n\\nIn a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.\\n\\nMultiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows.\\n\\n## swift-nio-http2 specific advisory\\nswift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress.\\n\\nswift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"github.com/apple/swift-nio-http2\",\n \"ecosystem\": \"SwiftURL\",\n \"purl\": \"pkg:swift/github.com/apple/swift-nio-http2\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.28.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"ecosystem\": \"Go\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.17.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.26\",\n \"10.0.27\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.26\",\n \"10.0.27\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.4.53\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.52.v20230823\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.16\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.16\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.4.53\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.52.v20230823\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.16\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:http2-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/http2-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.16\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:jetty-http2-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/jetty-http2-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0\"\n },\n {\n \"fixed\": \"12.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0\",\n \"12.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty.http2:jetty-http2-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty.http2/jetty-http2-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0\"\n },\n {\n \"fixed\": \"12.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0\",\n \"12.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.typesafe.akka:akka-http-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.typesafe.akka/akka-http-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"10.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0-RC1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.typesafe.akka:akka-http-core_2.13\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.typesafe.akka/akka-http-core_2.13\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"10.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.8\",\n \"10.1.9\",\n \"10.2.0\",\n \"10.2.0-M1\",\n \"10.2.0-RC1\",\n \"10.2.0-RC2\",\n \"10.2.1\",\n \"10.2.10\",\n \"10.2.2\",\n \"10.2.3\",\n \"10.2.4\",\n \"10.2.5\",\n \"10.2.5-M1\",\n \"10.2.5-M2\",\n \"10.2.6\",\n \"10.2.7\",\n \"10.2.8\",\n \"10.2.9\",\n \"10.4.0\",\n \"10.4.0-M1\",\n \"10.4.0-M2\",\n \"10.5.0\",\n \"10.5.0-M1\",\n \"10.5.1\",\n \"10.5.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.typesafe.akka:akka-http-core_2.12\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.typesafe.akka/akka-http-core_2.12\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"10.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-RC2\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.6+7-e2ba6752\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\",\n \"10.1.0\",\n \"10.1.0-RC1\",\n \"10.1.0-RC2\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.2\",\n \"10.1.3\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\",\n \"10.2.0\",\n \"10.2.0-M1\",\n \"10.2.0-RC1\",\n \"10.2.0-RC2\",\n \"10.2.1\",\n \"10.2.10\",\n \"10.2.2\",\n \"10.2.3\",\n \"10.2.4\",\n \"10.2.5\",\n \"10.2.5-M1\",\n \"10.2.5-M2\",\n \"10.2.6\",\n \"10.2.7\",\n \"10.2.8\",\n \"10.2.9\",\n \"10.4.0\",\n \"10.4.0-M1\",\n \"10.4.0-M2\",\n \"10.5.0\",\n \"10.5.0-M1\",\n \"10.5.1\",\n \"10.5.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"com.typesafe.akka:akka-http-core_2.11\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/com.typesafe.akka/akka-http-core_2.11\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"10.1.15\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-RC2\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.6+7-e2ba6752\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\",\n \"10.1.0\",\n \"10.1.0-RC1\",\n \"10.1.0-RC2\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.2\",\n \"10.1.3\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\",\n \"2.4-ARTERY-M1\",\n \"2.4-ARTERY-M2\",\n \"2.4-ARTERY-M3\",\n \"2.4-ARTERY-M4\",\n \"2.4.10\",\n \"2.4.11\",\n \"2.4.11.1\",\n \"2.4.11.2\",\n \"2.4.2\",\n \"2.4.2-RC1\",\n \"2.4.2-RC2\",\n \"2.4.2-RC3\",\n \"2.4.3\",\n \"2.4.4\",\n \"2.4.5\",\n \"2.4.6\",\n \"2.4.7\",\n \"2.4.8\",\n \"2.4.9\",\n \"2.4.9-RC1\",\n \"2.4.9-RC2\",\n \"3.0.0-RC1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apple/swift-nio-http2/security/advisories/GHSA-qppj-fm5r-hxr3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/h2o/h2o/security/advisories/GHSA-2m7v-gc89-fjqf\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/caddyserver/caddy/issues/5877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dotnet/announcements/issues/277\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/10679\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/etcd-io/etcd/issues/16740\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/apisix/issues/10320\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/alibaba/tengine/issues/1872\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/akka/akka-http/issues/4323\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/golang/go/issues/63417\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Azure/AKS/issues/3947\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/varnishcache/varnish-cache/issues/3996\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/haproxy/haproxy/issues/2312\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/hyperium/hyper/issues/3337\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tempesta-tech/tempesta/issues/1986\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/junkurihara/rust-rpxy/issues/97\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/opensearch-project/data-prepper/issues/3474\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kazu-yamamoto/http2/issues/93\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/openresty/openresty/issues/930\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ninenines/cowboy/issues/1615\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nodejs/node/pull/50121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/trafficserver/pull/10564\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/envoyproxy/envoy/pull/30055\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpd-site/pull/10\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nghttp2/nghttp2/pull/1961\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/akka/akka-http/pull/4325\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/akka/akka-http/pull/4324\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/microsoft/CBL-Mariner/pull/6381\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/facebook/proxygen/pull/466\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/projectcontour/contour/pull/5826\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-go/pull/6703\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/linkerd/website/pull/1695/commits/4b9c6836471bc8270ab48aae6fd2181bc73fd632\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/line/armeria/pull/5232\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kubernetes/kubernetes/pull/121120\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/h2o/h2o/pull/3291\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/944332bb15bd2f3bf76ec2caeb1ff0a58a3bc628\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kazu-yamamoto/http2/commit/f61d41a502bd0f60eb24e1ce14edc7b6df6722a1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://netty.io/news/2023/10/10/4-1-100-Final.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://my.f5.com/manage/s/article/K000137106\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XFOIBB4YFICHDM7IBOP7PWXW3FX4HLL2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZB43REMKRQR62NJEI7I5NQ4FSXNLBKRT\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZKQSIKIAT5TJ3WSLU3RDBQ35YX4GY4V3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZLU6U2R2IC2K64NDPNMV55AUAO65MAF4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.w3.org/Archives/Public/ietf-http-wg/2023OctDec/0025.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5540\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5549\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5558\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5570\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.eclipse.org/lists/jetty-announce/msg00181.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.haproxy.com/blog/haproxy-is-not-affected-by-the-http-2-rapid-reset-attack-cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.netlify.com/blog/netlify-successfully-mitigates-cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.openwall.com/lists/oss-security/2023/10/10/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://news.ycombinator.com/item?id=37830987\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://news.ycombinator.com/item?id=37830998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://news.ycombinator.com/item?id=37831062\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://news.ycombinator.com/item?id=37837043\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://openssf.org/blog/2023/10/10/http-2-rapid-reset-vulnerability-highlights-need-for-rapid-response\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http2-reset-d8Kf32vZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202311-09\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231016-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240426-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.paloaltonetworks.com/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.14\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.0-M12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.94\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.81\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://ubuntu.com/security/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://edg.io/lp/blog/resets-leaks-ddos-and-the-tale-of-a-hidden-cve\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://forums.swift.org/t/swift-nio-http2-security-update-cve-2023-44487-http-2-dos/67764\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Kong/kong/discussions/11741\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-qppj-fm5r-hxr3\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-vx74-f528-fxqg\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-xpw8-rcwv-8f8p\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/httpd/blob/afcdbeebbff4b0c50ea26cdd16e178c0d1f24152/modules/http2/h2_mplx.c#L1101-L1113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/tree/main/java/org/apache/coyote/http2\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apple/swift-nio-http2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/arkrwn/PoC/tree/main/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcdannyboy/CVE-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/caddyserver/caddy/releases/tag/v2.7.5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dotnet/core/blob/e4613450ea0da7fd2fc6b61dfb2c1c1dec1ce9ec/release-notes/6.0/6.0.23/6.0.23.md?plain=1#L73\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc-go/releases\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/grpc/grpc/releases/tag/v1.59.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/icing/mod_h2/blob/0a864782af0a942aa2ad4ed960a6b32cd35bcf0a/mod_http2/README.md?plain=1#L239-L244\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://akka.io/security/akka-http-cve-2023-44487.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://arstechnica.com/security/2023/10/how-ddosers-used-the-http-2-protocol-to-deliver-attacks-of-unprecedented-size\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://aws.amazon.com/security/security-bulletins/AWS-2023-011\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.qualys.com/vulnerabilities-threat-research/2023/10/10/cve-2023-44487-http-2-rapid-reset-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.vespa.ai/cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.proxmox.com/show_bug.cgi?id=4988\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2242803\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.suse.com/show_bug.cgi?id=1216123\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cgit.freebsd.org/ports/commit/?id=c64c329c2c1752f46b73e3e6ce9f4329be6629f9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://chaos.social/@icing/111210915918780532\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://community.traefik.io/t/is-traefik-vulnerable-to-cve-2023-44487/20125\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2023-32-vault-consul-and-boundary-affected-by-http-2-rapid-reset-denial-of-service-vulnerability-cve-2023-44487/59715\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/micrictor/http2-rst-stream\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MBEPPC36UBVOZZNAXFHKLFGSLCMN5LI\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFQD3KUEMFBHPAPBGLWQC34L4OWL5HAZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CLB4TW7KALB3EEQWNWCN7OUIWWVWWCG2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIZSEFC3YKCGABA2BZW6ZJRMDZJMB7PJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMEXY22BFG5Q64HQCM5CK2Q7KDKVV4TY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KSEGD2IWKNUO3DWY4KQGUQM5BISRWHQE\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNMZJCDHGLJJLXO4OXWJMTVQRNWOC7UL\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHUHTSXLXGXS7JYKBXTA3VINUPHTNGVU\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VSRDIV77HNKUSM7SJC5BKE5JSHLHU2NK\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WE2I52RHNNU42PX6NZ2RBUHSFFJ2LVZX\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WLPRQ5TWUQQXYWBJM7ECYDAIL2YVKIUH\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/nghttp2/nghttp2/releases/tag/v1.57.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/oqtane/oqtane.framework/discussions/3367\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/534215\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/534235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/63417\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo/m/UDd7VKQuAAAJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://istio.io/latest/news/security/istio-security-2023-004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://linkerd.io/2023/10/12/linkerd-cve-2023-44487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00024.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00047.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/11/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/11/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/10/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/10/7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/13/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/13/9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/18/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/18/8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/19/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/20/8\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-10T21:28:24Z\",\n \"nvd_published_at\": \"2023-10-10T14:15:10Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qvf5-hvjx-wm27\",\n \"published\": \"2024-11-18T12:30:43Z\",\n \"modified\": \"2025-01-24T22:02:57.022869Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-52317\",\n \"CVE-2024-52317\"\n ],\n \"summary\": \"Apache Tomcat Request and/or response mix-up\",\n \"details\": \"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.\\n\\nUsers are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.92\"\n },\n {\n \"fixed\": \"9.0.96\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.92\"\n },\n {\n \"fixed\": \"9.0.96\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.27\"\n },\n {\n \"fixed\": \"10.1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M23\"\n },\n {\n \"fixed\": \"11.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.27\"\n },\n {\n \"fixed\": \"10.1.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M23\"\n },\n {\n \"fixed\": \"11.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-52317\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/146f94f87ea398fb592c7a20a5ccbef95e9dd72b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/47307ee27abcdea2ee40e33897aca760083de46a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9e840ccacb40881c03a03b1e0746bfba7369b3bd\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/ty376mrxy1mmxtw3ogo53nc9l3co3dfs\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250124-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/11/18/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-326\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-11-18T21:03:05Z\",\n \"nvd_published_at\": \"2024-11-18T12:15:18Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qxf4-chvg-4r8r\",\n \"published\": \"2020-02-28T01:10:48Z\",\n \"modified\": \"2024-03-14T05:17:09.684982Z\",\n \"aliases\": [\n \"BIT-tomcat-2020-1935\",\n \"CVE-2020-1935\"\n ],\n \"related\": [\n \"CGA-m48x-5w5p-h4vm\"\n ],\n \"summary\": \"Potential HTTP request smuggling in Apache Tomcat\",\n \"details\": \"In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.0.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\",\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"7.0.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\",\n \"7.0.88\",\n \"7.0.90\",\n \"7.0.91\",\n \"7.0.92\",\n \"7.0.93\",\n \"7.0.94\",\n \"7.0.96\",\n \"7.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0\"\n },\n {\n \"fixed\": \"8.5.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.53\",\n \"8.0.8\",\n \"8.0.9\",\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.0.31\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-qxf4-chvg-4r8r/GHSA-qxf4-chvg-4r8r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-1935\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2020/dsa-4673\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/4448-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20200327-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-25T16:18:59Z\",\n \"nvd_published_at\": \"2020-02-24T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r4x2-3cq5-hqvp\",\n \"published\": \"2018-10-17T16:32:32Z\",\n \"modified\": \"2024-03-12T05:32:05.310460Z\",\n \"aliases\": [\n \"CVE-2018-8014\"\n ],\n \"summary\": \"The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins\",\n \"details\": \"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.2\",\n \"9.0.4\",\n \"9.0.5\",\n \"9.0.6\",\n \"9.0.7\",\n \"9.0.8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.8\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.32\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0RC1\"\n },\n {\n \"fixed\": \"8.0.53\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.47\",\n \"8.0.48\",\n \"8.0.49\",\n \"8.0.5\",\n \"8.0.50\",\n \"8.0.51\",\n \"8.0.52\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.41\"\n },\n {\n \"fixed\": \"7.0.88\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.81\",\n \"7.0.82\",\n \"7.0.84\",\n \"7.0.85\",\n \"7.0.86\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r4x2-3cq5-hqvp/GHSA-r4x2-3cq5-hqvp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8014\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat80/commit/2c9d8433bd3247a2856d4b2555447108758e813e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d83a76732e6804739b81d8b2056365307637b42d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/5877390a9605f56d9bd6859a54ccbfb16374a78b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/60f596a21fd6041335a3a1a4015d4512439cecb5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Dec/43\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181018-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3665-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20181017143233/http://www.securityfocus.com/bid/104203\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20201207080723/http://www.securitytracker.com/id/1041888\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20201207101131/http://www.securitytracker.com/id/1040998\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4596\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2469\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2470\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:3768\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0450\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:1529\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:2205\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-r4x2-3cq5-hqvp\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-7.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1188\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:53:40Z\",\n \"nvd_published_at\": \"2018-05-16T16:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r6j3-px5g-cq3x\",\n \"published\": \"2023-10-10T21:31:12Z\",\n \"modified\": \"2025-08-08T18:51:54.671117Z\",\n \"aliases\": [\n \"BIT-tomcat-2023-45648\",\n \"CVE-2023-45648\"\n ],\n \"summary\": \"Apache Tomcat Improper Input Validation vulnerability\",\n \"details\": \"Improper Input Validation vulnerability in Apache Tomcat.\\n\\nTomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single \\nrequest as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.2\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.81\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.94\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-45648\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/59583245639d8c42ae0009f4a4a70464d3ea70a0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8ecff306507be8e4fd3adee1ae5de1ea6661a8f4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/c83fe47725f7ae9ae213568d9039171124fb7ec6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/eb5c094e5560764cda436362254997511a3ca1f6\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/2pv8yz1pyp088tsxfb7ogltk9msk0jdp\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231103-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5521\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/10/10\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-10T22:29:58Z\",\n \"nvd_published_at\": \"2023-10-10T19:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rq2w-37h9-vg94\",\n \"published\": \"2023-01-03T21:30:21Z\",\n \"modified\": \"2024-04-23T22:00:59.346897Z\",\n \"aliases\": [\n \"BIT-tomcat-2022-45143\",\n \"CVE-2022-45143\"\n ],\n \"summary\": \"Apache Tomcat improperly escapes input from JsonErrorReportValve\",\n \"details\": \"The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.83\"\n },\n {\n \"fixed\": \"8.5.84\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.83\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.40\"\n },\n {\n \"fixed\": \"9.0.69\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.68\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0\"\n },\n {\n \"fixed\": \"10.1.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0\"\n },\n {\n \"fixed\": \"10.1.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-util\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-util\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.83\"\n },\n {\n \"fixed\": \"8.5.84\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.83\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-util\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-util\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.40\"\n },\n {\n \"fixed\": \"9.0.69\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45143\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202305-37\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-116\",\n \"CWE-74\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-05T12:02:50Z\",\n \"nvd_published_at\": \"2023-01-03T19:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vfww-5hm6-hx2j\",\n \"published\": \"2025-10-27T18:31:13Z\",\n \"modified\": \"2025-11-05T21:08:45.601566Z\",\n \"aliases\": [\n \"CVE-2025-55754\"\n ],\n \"related\": [\n \"CGA-86pw-75p3-rgc3\",\n \"CGA-8f6v-724m-6v95\",\n \"CGA-mffp-g3xg-8r68\"\n ],\n \"summary\": \"Apache Tomcat Vulnerable to Improper Neutralization of Escape, Meta, or Control Sequences\",\n \"details\": \"Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.\\n\\n\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.\\n\\nThe following versions were EOL at the time the CVE was created but are \\nknown to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected.\\nUsers are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.40\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.40\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.40\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-vfww-5hm6-hx2j/GHSA-vfww-5hm6-hx2j.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-55754\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/138d7f5cfaae683078948303333c080e6faa75d2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/5a3db092982c0c58d4855304167ee757fe5e79bb\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/10/27/5\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-150\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-10-28T17:57:42Z\",\n \"nvd_published_at\": \"2025-10-27T18:15:42Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wc4r-xq3c-5cf3\",\n \"published\": \"2025-06-16T15:32:28Z\",\n \"modified\": \"2025-11-03T23:15:58.045513Z\",\n \"aliases\": [\n \"BIT-tomcat-2025-49125\",\n \"CVE-2025-49125\"\n ],\n \"related\": [\n \"CGA-mqcq-4vj8-j6r4\"\n ],\n \"summary\": \"Apache Tomcat - Security constraint bypass for pre/post-resources\",\n \"details\": \"Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.\\n\\nUsers are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.105\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.42\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.1.41\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.106\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.105\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-49125\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/06/16/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-288\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-16T18:02:12Z\",\n \"nvd_published_at\": \"2025-06-16T15:15:24Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wf5v-jhxj-q632\",\n \"published\": \"2022-05-17T00:24:30Z\",\n \"modified\": \"2024-11-28T05:36:07.555519Z\",\n \"aliases\": [\n \"CVE-2014-0095\"\n ],\n \"summary\": \"Denial of service in Apache Tomcat\",\n \"details\": \"java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a \\\"Content-Length: 0\\\" AJP request to trigger a hang in request processing.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-RC1\"\n },\n {\n \"fixed\": \"8.0.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-RC1\"\n },\n {\n \"fixed\": \"8.0.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf5v-jhxj-q632/GHSA-wf5v-jhxj-q632.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-0095\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/8884dae60ace77a87ed9385442ce429e98c3a479\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat80/commit/77590c897f0e542fe363d70efdf3b82209510aee\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20140713043210/http://www.securitytracker.com/id/1030300\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20141126170141/http://www.securityfocus.com/bid/67673\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20151017043748/http://secunia.com/advisories/60729\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20161024215453/http://secunia.com/advisories/59873\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2014/May/134\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1578392\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://tomcat.apache.org/security-8.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21678231\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21681528\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-01-08T20:19:10Z\",\n \"nvd_published_at\": \"2014-05-31T11:17:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wm9w-rjj3-j356\",\n \"published\": \"2024-07-03T21:39:44Z\",\n \"modified\": \"2025-11-03T22:02:29.679753Z\",\n \"aliases\": [\n \"BIT-tomcat-2024-34750\",\n \"CVE-2024-34750\"\n ],\n \"related\": [\n \"CGA-xv4j-9m39-wrpw\"\n ],\n \"summary\": \"Apache Tomcat - Denial of Service\",\n \"details\": \"Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. \\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100.\\n\\nUsers are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.25\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.90\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.0-M21\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.25\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.4\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M1\"\n },\n {\n \"fixed\": \"9.0.90\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-coyote\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-coyote\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.100\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.23\",\n \"8.5.24\",\n \"8.5.27\",\n \"8.5.28\",\n \"8.5.29\",\n \"8.5.3\",\n \"8.5.30\",\n \"8.5.31\",\n \"8.5.32\",\n \"8.5.33\",\n \"8.5.34\",\n \"8.5.35\",\n \"8.5.37\",\n \"8.5.38\",\n \"8.5.39\",\n \"8.5.4\",\n \"8.5.40\",\n \"8.5.41\",\n \"8.5.42\",\n \"8.5.43\",\n \"8.5.45\",\n \"8.5.46\",\n \"8.5.47\",\n \"8.5.49\",\n \"8.5.5\",\n \"8.5.50\",\n \"8.5.51\",\n \"8.5.53\",\n \"8.5.54\",\n \"8.5.55\",\n \"8.5.56\",\n \"8.5.57\",\n \"8.5.58\",\n \"8.5.59\",\n \"8.5.6\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.8\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.9\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-wm9w-rjj3-j356/GHSA-wm9w-rjj3-j356.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-34750\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5f\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240816-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-755\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-07-05T20:39:41Z\",\n \"nvd_published_at\": \"2024-07-03T20:15:04Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wmwf-9ccg-fff5\",\n \"published\": \"2025-10-27T18:31:13Z\",\n \"modified\": \"2025-11-05T21:07:34.950738Z\",\n \"aliases\": [\n \"CVE-2025-55752\"\n ],\n \"related\": [\n \"CGA-ffp8-8jhj-qx69\",\n \"CGA-wr6g-phvx-mg75\",\n \"CGA-xrp3-jgrh-29hf\"\n ],\n \"summary\": \"Apache Tomcat Vulnerable to Relative Path Traversal\",\n \"details\": \"The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.\\n\\n\\n\\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.\\n\\nThe following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M11\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M11\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-M1\"\n },\n {\n \"fixed\": \"11.0.11\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-M1\",\n \"11.0.0-M10\",\n \"11.0.0-M11\",\n \"11.0.0-M12\",\n \"11.0.0-M13\",\n \"11.0.0-M14\",\n \"11.0.0-M15\",\n \"11.0.0-M16\",\n \"11.0.0-M17\",\n \"11.0.0-M18\",\n \"11.0.0-M19\",\n \"11.0.0-M20\",\n \"11.0.0-M21\",\n \"11.0.0-M22\",\n \"11.0.0-M24\",\n \"11.0.0-M25\",\n \"11.0.0-M26\",\n \"11.0.0-M3\",\n \"11.0.0-M4\",\n \"11.0.0-M5\",\n \"11.0.0-M6\",\n \"11.0.0-M7\",\n \"11.0.0-M9\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.1.0-M1\"\n },\n {\n \"fixed\": \"10.1.45\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.1.0\",\n \"10.1.0-M1\",\n \"10.1.0-M10\",\n \"10.1.0-M11\",\n \"10.1.0-M12\",\n \"10.1.0-M14\",\n \"10.1.0-M15\",\n \"10.1.0-M16\",\n \"10.1.0-M17\",\n \"10.1.0-M2\",\n \"10.1.0-M4\",\n \"10.1.0-M5\",\n \"10.1.0-M6\",\n \"10.1.0-M7\",\n \"10.1.0-M8\",\n \"10.1.1\",\n \"10.1.10\",\n \"10.1.11\",\n \"10.1.12\",\n \"10.1.13\",\n \"10.1.14\",\n \"10.1.15\",\n \"10.1.16\",\n \"10.1.17\",\n \"10.1.18\",\n \"10.1.19\",\n \"10.1.2\",\n \"10.1.20\",\n \"10.1.23\",\n \"10.1.24\",\n \"10.1.25\",\n \"10.1.26\",\n \"10.1.28\",\n \"10.1.29\",\n \"10.1.30\",\n \"10.1.31\",\n \"10.1.33\",\n \"10.1.34\",\n \"10.1.35\",\n \"10.1.36\",\n \"10.1.39\",\n \"10.1.4\",\n \"10.1.40\",\n \"10.1.41\",\n \"10.1.42\",\n \"10.1.43\",\n \"10.1.44\",\n \"10.1.5\",\n \"10.1.6\",\n \"10.1.7\",\n \"10.1.8\",\n \"10.1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0-M11\"\n },\n {\n \"fixed\": \"9.0.109\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\",\n \"9.0.1\",\n \"9.0.10\",\n \"9.0.100\",\n \"9.0.102\",\n \"9.0.104\",\n \"9.0.105\",\n \"9.0.106\",\n \"9.0.107\",\n \"9.0.108\",\n \"9.0.11\",\n \"9.0.12\",\n \"9.0.13\",\n \"9.0.14\",\n \"9.0.16\",\n \"9.0.17\",\n \"9.0.19\",\n \"9.0.2\",\n \"9.0.20\",\n \"9.0.21\",\n \"9.0.22\",\n \"9.0.24\",\n \"9.0.26\",\n \"9.0.27\",\n \"9.0.29\",\n \"9.0.30\",\n \"9.0.31\",\n \"9.0.33\",\n \"9.0.34\",\n \"9.0.35\",\n \"9.0.36\",\n \"9.0.37\",\n \"9.0.38\",\n \"9.0.39\",\n \"9.0.4\",\n \"9.0.40\",\n \"9.0.41\",\n \"9.0.43\",\n \"9.0.44\",\n \"9.0.45\",\n \"9.0.46\",\n \"9.0.48\",\n \"9.0.5\",\n \"9.0.50\",\n \"9.0.52\",\n \"9.0.53\",\n \"9.0.54\",\n \"9.0.55\",\n \"9.0.56\",\n \"9.0.58\",\n \"9.0.59\",\n \"9.0.6\",\n \"9.0.60\",\n \"9.0.62\",\n \"9.0.63\",\n \"9.0.64\",\n \"9.0.65\",\n \"9.0.67\",\n \"9.0.68\",\n \"9.0.69\",\n \"9.0.7\",\n \"9.0.70\",\n \"9.0.71\",\n \"9.0.72\",\n \"9.0.73\",\n \"9.0.74\",\n \"9.0.75\",\n \"9.0.76\",\n \"9.0.78\",\n \"9.0.79\",\n \"9.0.8\",\n \"9.0.80\",\n \"9.0.81\",\n \"9.0.82\",\n \"9.0.83\",\n \"9.0.84\",\n \"9.0.85\",\n \"9.0.86\",\n \"9.0.87\",\n \"9.0.88\",\n \"9.0.89\",\n \"9.0.90\",\n \"9.0.91\",\n \"9.0.93\",\n \"9.0.94\",\n \"9.0.95\",\n \"9.0.96\",\n \"9.0.97\",\n \"9.0.98\",\n \"9.0.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.60\"\n },\n {\n \"last_affected\": \"8.5.100\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.100\",\n \"8.5.60\",\n \"8.5.61\",\n \"8.5.63\",\n \"8.5.64\",\n \"8.5.65\",\n \"8.5.66\",\n \"8.5.68\",\n \"8.5.69\",\n \"8.5.70\",\n \"8.5.71\",\n \"8.5.72\",\n \"8.5.73\",\n \"8.5.75\",\n \"8.5.76\",\n \"8.5.77\",\n \"8.5.78\",\n \"8.5.79\",\n \"8.5.81\",\n \"8.5.82\",\n \"8.5.83\",\n \"8.5.84\",\n \"8.5.85\",\n \"8.5.86\",\n \"8.5.87\",\n \"8.5.88\",\n \"8.5.89\",\n \"8.5.90\",\n \"8.5.91\",\n \"8.5.92\",\n \"8.5.93\",\n \"8.5.94\",\n \"8.5.95\",\n \"8.5.96\",\n \"8.5.97\",\n \"8.5.98\",\n \"8.5.99\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-wmwf-9ccg-fff5/GHSA-wmwf-9ccg-fff5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-55752\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/10/27/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-23\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-10-28T17:55:41Z\",\n \"nvd_published_at\": \"2025-10-27T18:15:42Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xjgh-84hx-56c5\",\n \"published\": \"2022-05-14T01:07:15Z\",\n \"modified\": \"2025-10-22T19:25:42.954468Z\",\n \"aliases\": [\n \"CVE-2017-12617\"\n ],\n \"summary\": \"Unrestricted Upload of File with Dangerous Type Apache Tomcat\",\n \"details\": \"When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0M27\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.23\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.22\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-RC1\"\n },\n {\n \"fixed\": \"8.0.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.5\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.0.46\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat:tomcat-catalina\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat/tomcat-catalina\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.82\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.81\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0.M1\"\n },\n {\n \"fixed\": \"9.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.M1\",\n \"9.0.0.M10\",\n \"9.0.0.M11\",\n \"9.0.0.M13\",\n \"9.0.0.M15\",\n \"9.0.0.M17\",\n \"9.0.0.M18\",\n \"9.0.0.M19\",\n \"9.0.0.M20\",\n \"9.0.0.M21\",\n \"9.0.0.M22\",\n \"9.0.0.M25\",\n \"9.0.0.M26\",\n \"9.0.0.M27\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M6\",\n \"9.0.0.M8\",\n \"9.0.0.M9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.0.0M27\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.5.0\"\n },\n {\n \"fixed\": \"8.5.23\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.5.0\",\n \"8.5.11\",\n \"8.5.12\",\n \"8.5.13\",\n \"8.5.14\",\n \"8.5.15\",\n \"8.5.16\",\n \"8.5.19\",\n \"8.5.2\",\n \"8.5.20\",\n \"8.5.21\",\n \"8.5.3\",\n \"8.5.4\",\n \"8.5.5\",\n \"8.5.6\",\n \"8.5.8\",\n \"8.5.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.5.22\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"8.0.0-RC1\"\n },\n {\n \"fixed\": \"8.0.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"8.0.0-RC1\",\n \"8.0.0-RC10\",\n \"8.0.0-RC3\",\n \"8.0.0-RC5\",\n \"8.0.1\",\n \"8.0.11\",\n \"8.0.12\",\n \"8.0.14\",\n \"8.0.15\",\n \"8.0.17\",\n \"8.0.18\",\n \"8.0.20\",\n \"8.0.21\",\n \"8.0.22\",\n \"8.0.23\",\n \"8.0.24\",\n \"8.0.26\",\n \"8.0.27\",\n \"8.0.28\",\n \"8.0.29\",\n \"8.0.3\",\n \"8.0.30\",\n \"8.0.32\",\n \"8.0.33\",\n \"8.0.35\",\n \"8.0.36\",\n \"8.0.37\",\n \"8.0.38\",\n \"8.0.39\",\n \"8.0.41\",\n \"8.0.42\",\n \"8.0.43\",\n \"8.0.44\",\n \"8.0.45\",\n \"8.0.46\",\n \"8.0.5\",\n \"8.0.8\",\n \"8.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.0.46\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.tomcat.embed:tomcat-embed-core\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.82\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0\",\n \"7.0.11\",\n \"7.0.12\",\n \"7.0.14\",\n \"7.0.16\",\n \"7.0.19\",\n \"7.0.2\",\n \"7.0.20\",\n \"7.0.21\",\n \"7.0.22\",\n \"7.0.23\",\n \"7.0.25\",\n \"7.0.26\",\n \"7.0.27\",\n \"7.0.28\",\n \"7.0.29\",\n \"7.0.30\",\n \"7.0.32\",\n \"7.0.33\",\n \"7.0.34\",\n \"7.0.35\",\n \"7.0.37\",\n \"7.0.39\",\n \"7.0.4\",\n \"7.0.40\",\n \"7.0.41\",\n \"7.0.42\",\n \"7.0.47\",\n \"7.0.5\",\n \"7.0.50\",\n \"7.0.52\",\n \"7.0.53\",\n \"7.0.54\",\n \"7.0.55\",\n \"7.0.56\",\n \"7.0.57\",\n \"7.0.59\",\n \"7.0.6\",\n \"7.0.61\",\n \"7.0.62\",\n \"7.0.63\",\n \"7.0.64\",\n \"7.0.65\",\n \"7.0.67\",\n \"7.0.68\",\n \"7.0.69\",\n \"7.0.70\",\n \"7.0.72\",\n \"7.0.73\",\n \"7.0.75\",\n \"7.0.76\",\n \"7.0.77\",\n \"7.0.78\",\n \"7.0.79\",\n \"7.0.8\",\n \"7.0.81\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 7.0.81\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12617\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/a9dd96046d7acb0357c6b7b9e6cc70d186fae663\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/74ad0e216c791454a318c1811300469eedc5c6f3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/506d862e7edfa991de198e0f2e4c4540830fa531\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/46dfedbc0523d7182be97f4244d7b6c942164485\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/327e8a6644e188764325a013aa2725a60f1b37e5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/31e99502e2c602449a2f8835bd23ade772b77333\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/24aea94807f940ee44aa550378dc903289039ddd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b577f9a7996b92b650b1649af3c3bae11c120db9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/bbcbb749c75056a2781f37038d63e646fe972104\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/d5b170705d24c386d76038e5989045c89795c28c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/e650cf1b83e441dbd3863f3f6b61c972cafce19e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/f1b85da754c4760787d68a99e839b50878140b57\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/tomcat/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3080\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20171018-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20180117-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.f5.com/csp/article/K53173544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbhf03812en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbux03828en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3665-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20171110171954/http://www.securityfocus.com/bid/100954\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20201209024734/http://www.securitytracker.com/id/1039552\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12617\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.exploit-db.com/exploits/42966\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.exploit-db.com/exploits/43008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3081\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3113\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3114\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0268\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0269\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0270\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0271\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0275\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0465\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:0466\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2939\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/tomcat\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/100954\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1039552\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-434\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T21:20:08Z\",\n \"nvd_published_at\": \"2017-10-04T01:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4qw8-pgpr-p9mq\",\n \"published\": \"2021-09-07T22:56:43Z\",\n \"modified\": \"2024-02-16T08:17:18.815800Z\",\n \"aliases\": [\n \"CVE-2019-10095\"\n ],\n \"summary\": \"Bash command injection in Apache Zeppelin\",\n \"details\": \"bash command injection vulnerability in Apache Zeppelin allows an attacker to inject system commands into Spark interpreter settings. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\",\n \"0.8.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.0-preview1\",\n \"0.9.0-preview2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-4qw8-pgpr-p9mq/GHSA-4qw8-pgpr-p9mq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10095\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd56389ba9cab30a6c976b9a4a6df0f85cbe8fba6a60a3cf6e3ba716b@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf06e8423833b3daadc30c56a2ff47c48920864d5199476daa897208@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202311-04\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/09/02/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-77\",\n \"CWE-78\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-03T20:16:11Z\",\n \"nvd_published_at\": \"2021-09-02T17:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-87p2-cvhq-q4mv\",\n \"published\": \"2021-09-07T22:56:56Z\",\n \"modified\": \"2024-02-16T08:20:33.718960Z\",\n \"aliases\": [\n \"CVE-2020-13929\"\n ],\n \"summary\": \"Authentication bypass in Apache Zeppelin\",\n \"details\": \"Authentication bypass vulnerability in Apache Zeppelin allows an attacker to bypass Zeppelin authentication mechanism to act as another user. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\",\n \"0.8.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.0-preview1\",\n \"0.9.0-preview2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-87p2-cvhq-q4mv/GHSA-87p2-cvhq-q4mv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-13929\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r768800925d6407a6a87ccae0ec98776b7bda50c0e3ed3d0130dad028@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r99529e175a7c1c9a26bd41a02802c8af7aa97319fe561874627eb999@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202311-04\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/09/02/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-03T20:16:12Z\",\n \"nvd_published_at\": \"2021-09-02T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9p8j-hrgf-jc2g\",\n \"published\": \"2022-12-20T21:30:19Z\",\n \"modified\": \"2023-11-08T04:10:58.147637Z\",\n \"aliases\": [\n \"CVE-2022-46870\"\n ],\n \"summary\": \"Apache Zeppelin Cross-site Scripting vulnerability\",\n \"details\": \"An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\",\n \"0.8.0\",\n \"0.8.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9p8j-hrgf-jc2g/GHSA-9p8j-hrgf-jc2g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-46870\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/gb1wdnrm1095xw6qznpsycfrht4lwbwc\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-20T22:10:26Z\",\n \"nvd_published_at\": \"2022-12-16T13:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9x2h-hvg6-4r5p\",\n \"published\": \"2019-04-24T16:06:52Z\",\n \"modified\": \"2023-11-08T03:59:52.831613Z\",\n \"aliases\": [\n \"CVE-2018-1317\"\n ],\n \"summary\": \"Improper Authentication in Apache Zeppelin\",\n \"details\": \"In Apache Zeppelin prior to 0.8.0 the cron scheduler was enabled by default and could allow users to run paragraphs as other users without authentication.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-9x2h-hvg6-4r5p/GHSA-9x2h-hvg6-4r5p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1317\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2019/04/23/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-24T16:07:02Z\",\n \"nvd_published_at\": \"2019-04-23T15:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c538-924g-99q4\",\n \"published\": \"2019-04-24T16:06:59Z\",\n \"modified\": \"2023-11-08T03:58:53.247281Z\",\n \"aliases\": [\n \"CVE-2017-12619\"\n ],\n \"summary\": \"Session Fixation in Apache Zeppelin\",\n \"details\": \"Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation which allowed an attacker to hijack a valid user session. Issue was reported by \\\"stone lone\\\".\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-c538-924g-99q4/GHSA-c538-924g-99q4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12619\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zeppelin.apache.org/releases/zeppelin-release-0.7.3.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2019/04/23/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-384\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-24T16:04:01Z\",\n \"nvd_published_at\": \"2019-04-23T15:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-gm67-h5wr-w3cv\",\n \"published\": \"2023-07-06T19:24:05Z\",\n \"modified\": \"2024-02-16T08:14:41.034081Z\",\n \"aliases\": [\n \"CVE-2021-28655\"\n ],\n \"summary\": \"Apache Zeppelin Improper Input Validation vulnerability\",\n \"details\": \"The improper Input Validation vulnerability in `Move folder to Trash` feature of Apache Zeppelin allows an attacker to delete the arbitrary files. This issue affects Apache Zeppelin Apache Zeppelin version 0.9.0 and prior versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\",\n \"0.8.0\",\n \"0.8.1\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.0-preview1\",\n \"0.9.0-preview2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-gm67-h5wr-w3cv/GHSA-gm67-h5wr-w3cv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28655\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/bxs056g3xlsofz0jb3wny9dw4llwptd2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-06T21:44:43Z\",\n \"nvd_published_at\": \"2022-12-16T13:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mf7q-gw5f-q8jj\",\n \"published\": \"2021-09-07T22:55:56Z\",\n \"modified\": \"2024-02-16T08:08:39.299528Z\",\n \"aliases\": [\n \"CVE-2021-27578\"\n ],\n \"summary\": \"Cross-site Scripting in Apache Zeppelin\",\n \"details\": \"Cross Site Scripting vulnerability in markdown interpreter of Apache Zeppelin allows an attacker to inject malicious scripts. This issue affects Apache Zeppelin Apache Zeppelin versions prior to 0.9.0.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.9.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\",\n \"0.8.0\",\n \"0.8.1\",\n \"0.8.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-mf7q-gw5f-q8jj/GHSA-mf7q-gw5f-q8jj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-27578\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31012f2c8e39a5e12e14c1de030012cb8b51c037d953d73b291b7b50@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d%40%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cannounce.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90590aa5ea788128ecc2e822e1e64d5200b4cb92b06707b38da4cb3d@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202311-04\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/09/02/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-09-03T20:16:10Z\",\n \"nvd_published_at\": \"2021-09-02T17:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r2v5-5vcr-h3vq\",\n \"published\": \"2019-04-24T16:07:36Z\",\n \"modified\": \"2023-11-08T03:59:53.255873Z\",\n \"aliases\": [\n \"CVE-2018-1328\"\n ],\n \"summary\": \"Cross-site Scripting in Apache Zeppelin\",\n \"details\": \"Apache Zeppelin prior to 0.8.0 had a stored XSS issue via Note permissions. Issue reported by \\\"Josna Joseph\\\".\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.5.0-incubating\",\n \"0.6.0\",\n \"0.6.1\",\n \"0.6.2\",\n \"0.7.0\",\n \"0.7.1\",\n \"0.7.2\",\n \"0.7.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r2v5-5vcr-h3vq/GHSA-r2v5-5vcr-h3vq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1328\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff6b995a5a3ba8db4d6b14b4d9dd487e7bf2e3bdd5b375b64a25fd06@%3Cusers.zeppelin.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zeppelin.apache.org/releases/zeppelin-release-0.8.0.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2019/04/23/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-24T16:03:49Z\",\n \"nvd_published_at\": \"2019-04-23T15:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7pgf-ppxw-8624\",\n \"published\": \"2025-07-12T18:30:31Z\",\n \"modified\": \"2025-11-05T20:33:56.241584Z\",\n \"aliases\": [\n \"CVE-2024-41169\"\n ],\n \"summary\": \"Apache Zeppelin exposes server resources to unauthenticated attackers\",\n \"details\": \"The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files.\\n\\nThis issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0.\\n\\nUsers are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin-interpreter\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin-interpreter\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.10.1\"\n },\n {\n \"fixed\": \"0.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.1\",\n \"0.11.0\",\n \"0.11.1\",\n \"0.11.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7pgf-ppxw-8624/GHSA-7pgf-ppxw-8624.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.10.1\"\n },\n {\n \"fixed\": \"0.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.1\",\n \"0.11.0\",\n \"0.11.1\",\n \"0.11.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-7pgf-ppxw-8624/GHSA-7pgf-ppxw-8624.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-41169\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zeppelin/pull/4841\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/ZEPPELIN-6101\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/moyym04993c8owh4h0qj98r43tbo8qdd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/07/13/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-664\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-07-14T20:31:20Z\",\n \"nvd_published_at\": \"2025-07-12T17:15:20Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-86jx-wr74-xr74\",\n \"published\": \"2024-04-09T18:30:22Z\",\n \"modified\": \"2024-08-21T19:06:54.380122Z\",\n \"aliases\": [\n \"CVE-2024-31866\"\n ],\n \"summary\": \"Improper escaping in Apache Zeppelin\",\n \"details\": \"Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\\n\\nThe attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES.\\nThis issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\\n\\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin-interpreter\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin-interpreter\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.8.2\"\n },\n {\n \"fixed\": \"0.11.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.10.1\",\n \"0.11.0\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.0-preview1\",\n \"0.9.0-preview2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-86jx-wr74-xr74/GHSA-86jx-wr74-xr74.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-31866\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zeppelin/pull/4715\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zeppelin/commit/dd08a3966ef3b0b40f13d0291d7cac5ec3dd9f9c\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/04/09/10\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-116\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-05-24T20:11:32Z\",\n \"nvd_published_at\": \"2024-04-09T16:15:08Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rrvf-5w4r-3x7v\",\n \"published\": \"2024-04-09T18:30:22Z\",\n \"modified\": \"2024-10-03T18:26:19.190568Z\",\n \"aliases\": [\n \"CVE-2024-31868\"\n ],\n \"summary\": \"Apache Zeppelin vulnerable to cross-site scripting in the helium module\",\n \"details\": \"Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin.\\n\\nAttackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.\\n\\nUsers are recommended to upgrade to version 0.11.1, which fixes the issue.\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zeppelin:zeppelin-interpreter\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zeppelin/zeppelin-interpreter\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0.8.2\"\n },\n {\n \"fixed\": \"0.11.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.10.0\",\n \"0.10.1\",\n \"0.11.0\",\n \"0.8.2\",\n \"0.9.0\",\n \"0.9.0-preview1\",\n \"0.9.0-preview2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-rrvf-5w4r-3x7v/GHSA-rrvf-5w4r-3x7v.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-31868\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zeppelin/pull/4728\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zeppelin/commit/83685795e0ec8d3059fd7a3dbcae5c0532b63b79\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zeppelin\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/55mqs673plsxmgnq7fdf2flftpllyf11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/04/09/11\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-116\",\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-04-11T20:13:12Z\",\n \"nvd_published_at\": \"2024-04-09T16:15:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2hmj-97jw-28jh\",\n \"published\": \"2025-09-24T12:30:20Z\",\n \"modified\": \"2025-11-05T20:52:30.268611Z\",\n \"aliases\": [\n \"BIT-zookeeper-2025-58457\",\n \"CVE-2025-58457\"\n ],\n \"related\": [\n \"CGA-g4wh-hpww-wvx9\",\n \"CGA-jcj7-w8c7-27p8\",\n \"CGA-m88p-r4m6-cfxc\"\n ],\n \"summary\": \"Apache ZooKeeper: Insufficient Permission Check in AdminServer Snapshot/Restore Commands\",\n \"details\": \"Improper permission checks in the AdminServer allow an authenticated client with insufficient privileges to invoke the `snapshot` and `restore` commands. The intended requirement is authentication and authorization on the root path (`/`) with **ALL** permission for these operations; however, affected versions permit invocation without that level of authorization. The primary risk is disclosure of cluster state via snapshots to a lesser-privileged client.\\n\\n* **Affected:** `org.apache.zookeeper:zookeeper` 3.9.0 through 3.9.3.\\n* **Fixed:** 3.9.4 (ZOOKEEPER-4964 “check permissions individually during admin server auth”).\\n* **Mitigations:**\\n * Disable both commands (`admin.snapshot.enabled`, `admin.restore.enabled`).\\n * Disable AdminServer (`admin.enableServer`).\\n * Ensure the root ACL is not open; note that ZooKeeper ACLs are not recursive.\\n * Upgrade to 3.9.4.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.9.0\"\n },\n {\n \"fixed\": \"3.9.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.9.0\",\n \"3.9.1\",\n \"3.9.2\",\n \"3.9.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-2hmj-97jw-28jh/GHSA-2hmj-97jw-28jh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-58457\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zookeeper\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zookeeper.apache.org/doc/current/zookeeperSnapshotAndRestore.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zookeeper.apache.org/doc/r3.9.4/releasenotes.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zookeeper.apache.org/security.html#CVE-2025-58457\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://github.com/apache/zookeeper/commit/71e173fcbcc9deb784081cf867bd045df3c32635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2025/09/24/10\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-280\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-09-24T19:00:08Z\",\n \"nvd_published_at\": \"2025-09-24T10:15:28Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2hw2-62cp-p9p7\",\n \"published\": \"2019-05-29T18:54:11Z\",\n \"modified\": \"2024-03-14T05:19:59.559879Z\",\n \"aliases\": [\n \"CVE-2019-0201\"\n ],\n \"summary\": \"Access control bypass in Apache ZooKeeper\",\n \"details\": \"An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"3.4.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.3.3\",\n \"3.3.4\",\n \"3.3.5\",\n \"3.3.6\",\n \"3.4.0\",\n \"3.4.1\",\n \"3.4.10\",\n \"3.4.11\",\n \"3.4.12\",\n \"3.4.13\",\n \"3.4.2\",\n \"3.4.3\",\n \"3.4.4\",\n \"3.4.5\",\n \"3.4.6\",\n \"3.4.7\",\n \"3.4.8\",\n \"3.4.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.5.0\"\n },\n {\n \"fixed\": \"3.5.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.5.1-alpha\",\n \"3.5.2-alpha\",\n \"3.5.3-beta\",\n \"3.5.4-beta\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-2hw2-62cp-p9p7/GHSA-2hw2-62cp-p9p7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-0201\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://zookeeper.apache.org/security.html#CVE-2019-0201\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2019/dsa-4461\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190619-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://seclists.org/bugtraq/2019/Jun/13\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/ZOOKEEPER-1392\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:4352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:3140\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/108427\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-862\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-05-29T18:53:55Z\",\n \"nvd_published_at\": \"2019-05-23T14:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7286-pgfv-vxvh\",\n \"published\": \"2023-10-11T12:30:27Z\",\n \"modified\": \"2025-02-13T19:37:41.243540Z\",\n \"aliases\": [\n \"BIT-zookeeper-2023-44981\",\n \"CVE-2023-44981\"\n ],\n \"related\": [\n \"CGA-r4gp-jw3v-m8j8\"\n ],\n \"summary\": \"Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper\",\n \"details\": \"Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper. If SASL Quorum Peer authentication is enabled in ZooKeeper (quorum.auth.enableSasl=true), the authorization is done by verifying that the instance part in SASL authentication ID is listed in zoo.cfg server list. The instance part in SASL auth ID is optional and if it's missing, like 'eve@EXAMPLE.COM', the authorization check will be skipped. As a result an arbitrary endpoint could join the cluster and begin propagating counterfeit changes to the leader, essentially giving it complete read-write access to the data tree. Quorum Peer authentication is not enabled by default.\\n\\nUsers are recommended to upgrade to version 3.9.1, 3.8.3, 3.7.2, which fixes the issue.\\n\\nAlternately ensure the ensemble election/quorum communication is protected by a firewall as this will mitigate the issue.\\n\\nSee the documentation for more details on correct cluster administration.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.7.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.3.3\",\n \"3.3.4\",\n \"3.3.5\",\n \"3.3.6\",\n \"3.4.0\",\n \"3.4.1\",\n \"3.4.10\",\n \"3.4.11\",\n \"3.4.12\",\n \"3.4.13\",\n \"3.4.14\",\n \"3.4.2\",\n \"3.4.3\",\n \"3.4.4\",\n \"3.4.5\",\n \"3.4.6\",\n \"3.4.7\",\n \"3.4.8\",\n \"3.4.9\",\n \"3.5.0-alpha\",\n \"3.5.1-alpha\",\n \"3.5.10\",\n \"3.5.2-alpha\",\n \"3.5.3-beta\",\n \"3.5.4-beta\",\n \"3.5.5\",\n \"3.5.6\",\n \"3.5.7\",\n \"3.5.8\",\n \"3.5.9\",\n \"3.6.0\",\n \"3.6.1\",\n \"3.6.2\",\n \"3.6.3\",\n \"3.6.4\",\n \"3.7.0\",\n \"3.7.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.8.0\"\n },\n {\n \"fixed\": \"3.8.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.8.0\",\n \"3.8.1\",\n \"3.8.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.9.0\"\n },\n {\n \"fixed\": \"3.9.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.9.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-7286-pgfv-vxvh/GHSA-7286-pgfv-vxvh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-44981\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zookeeper\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5544\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2023/10/11/4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-639\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-10-11T20:36:50Z\",\n \"nvd_published_at\": \"2023-10-11T12:15:11Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7cwj-j333-x7f7\",\n \"published\": \"2022-05-13T01:08:23Z\",\n \"modified\": \"2023-11-08T03:59:22.246576Z\",\n \"aliases\": [\n \"CVE-2017-5637\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in Apache ZooKeeper\",\n \"details\": \"Two four letter word commands \\\"wchp/wchc\\\" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.4.0\"\n },\n {\n \"fixed\": \"3.4.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.4.0\",\n \"3.4.1\",\n \"3.4.2\",\n \"3.4.3\",\n \"3.4.4\",\n \"3.4.5\",\n \"3.4.6\",\n \"3.4.7\",\n \"3.4.8\",\n \"3.4.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.4.9\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.5.0\"\n },\n {\n \"fixed\": \"3.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.5.1-alpha\",\n \"3.5.2-alpha\",\n \"3.5.3-beta\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.5.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7cwj-j333-x7f7/GHSA-7cwj-j333-x7f7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-5637\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2477\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3354\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:3355\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/ZOOKEEPER-2693\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2017/dsa-3871\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/98814\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T16:58:11Z\",\n \"nvd_published_at\": \"2017-10-10T01:30:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ccqf-c5hq-77mp\",\n \"published\": \"2022-05-13T01:05:57Z\",\n \"modified\": \"2023-11-08T04:00:23.872615Z\",\n \"aliases\": [\n \"CVE-2018-8012\"\n ],\n \"summary\": \"Missing Authorization in Apache ZooKeeper\",\n \"details\": \"No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.4.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.3.0\",\n \"3.3.1\",\n \"3.3.2\",\n \"3.3.3\",\n \"3.3.4\",\n \"3.3.5\",\n \"3.3.6\",\n \"3.4.0\",\n \"3.4.1\",\n \"3.4.2\",\n \"3.4.3\",\n \"3.4.4\",\n \"3.4.5\",\n \"3.4.6\",\n \"3.4.7\",\n \"3.4.8\",\n \"3.4.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.4.9\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.5.0-alpha\"\n },\n {\n \"fixed\": \"3.5.4-beta\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.5.0-alpha\",\n \"3.5.1-alpha\",\n \"3.5.2-alpha\",\n \"3.5.3-beta\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.5.3-beta\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ccqf-c5hq-77mp/GHSA-ccqf-c5hq-77mp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-8012\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4214\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/104253\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1040948\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-862\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-29T19:03:52Z\",\n \"nvd_published_at\": \"2018-05-21T19:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g93m-8x6h-g5gv\",\n \"published\": \"2024-11-07T12:30:35Z\",\n \"modified\": \"2025-06-30T18:59:23.345066Z\",\n \"aliases\": [\n \"BIT-zookeeper-2024-51504\",\n \"CVE-2024-51504\"\n ],\n \"summary\": \"Apache ZooKeeper: Authentication bypass with IP-based authentication in Admin Server\",\n \"details\": \"When using IPAuthenticationProvider in ZooKeeper Admin Server there is a possibility of Authentication Bypass by Spoofing -- this only impacts IP based authentication implemented in ZooKeeper Admin Server. Default configuration of client's IP address detection in IPAuthenticationProvider, which uses HTTP request headers, is weak and allows an attacker to bypass authentication via spoofing client's IP address in request headers. Default configuration honors X-Forwarded-For HTTP header to read client's IP address. X-Forwarded-For request header is mainly used by proxy servers to identify the client and can be easily spoofed by an attacker pretending that the request comes from a different IP address. Admin Server commands, such as snapshot and restore arbitrarily can be executed on successful exploitation which could potentially lead to information leakage or service availability issues. Users are recommended to upgrade to version 3.9.3, which fixes this issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.9.0\"\n },\n {\n \"fixed\": \"3.9.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.9.0\",\n \"3.9.1\",\n \"3.9.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-g93m-8x6h-g5gv/GHSA-g93m-8x6h-g5gv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-51504\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zookeeper/commit/2c2b74c1c11b6531aabb1bf06782e859048d5983\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zookeeper\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/b3qrmpkto5r6989qr61fw9y2x646kqlh\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/11/06/5\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-290\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-06-30T18:49:25Z\",\n \"nvd_published_at\": \"2024-11-07T10:15:08Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r978-9m6m-6gm6\",\n \"published\": \"2024-03-15T12:30:37Z\",\n \"modified\": \"2025-07-03T16:14:55.159008Z\",\n \"aliases\": [\n \"BIT-zookeeper-2024-23944\",\n \"CVE-2024-23944\"\n ],\n \"related\": [\n \"CGA-7x45-jmmj-p4h3\",\n \"CGA-h562-6hp9-9x2q\",\n \"CGA-mrr6-55fr-72mh\",\n \"CGA-rgr4-3vcx-cj8x\",\n \"CGA-wvcw-6w45-h72m\"\n ],\n \"summary\": \"Apache ZooKeeper vulnerable to information disclosure in persistent watchers handling\",\n \"details\": \"Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. It allows an attacker to monitor child znodes by attaching a persistent watcher (addWatch command) to a parent which the attacker has already access to. ZooKeeper server doesn't do ACL check when the persistent watcher is triggered and as a consequence, the full path of znodes that a watch event gets triggered upon is exposed to the owner of the watcher. It's important to note that only the path is exposed by this vulnerability, not the data of znode, but since znode path can contain sensitive information like user name or login ID, this issue is potentially critical.\\n\\nUsers are recommended to upgrade to version 3.9.2, 3.8.4 which fixes the issue.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.8.0\"\n },\n {\n \"fixed\": \"3.8.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.8.0\",\n \"3.8.1\",\n \"3.8.2\",\n \"3.8.3\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.8.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.9.0\"\n },\n {\n \"fixed\": \"3.9.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.9.0\",\n \"3.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.9.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.apache.zookeeper:zookeeper\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.apache.zookeeper/zookeeper\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.6.0\"\n },\n {\n \"last_affected\": \"3.7.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.6.0\",\n \"3.6.1\",\n \"3.6.2\",\n \"3.6.3\",\n \"3.6.4\",\n \"3.7.0\",\n \"3.7.1\",\n \"3.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-r978-9m6m-6gm6/GHSA-r978-9m6m-6gm6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-23944\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zookeeper/commit/29c7b9462681f47c2ac12e609341cf9f52abac5c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zookeeper/commit/65b91d2d9a56157285c2a86b106e67c26520b01d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/zookeeper/commit/daf7cfd04005cff1a4f7cab5ab13d41db88d0cd8\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/zookeeper\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/96s5nqssj03rznz9hv58txdb2k1lr79k\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2024/03/14/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-862\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-03-15T19:35:37Z\",\n \"nvd_published_at\": \"2024-03-15T11:15:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4cx2-fc23-5wg6\",\n \"published\": \"2025-08-13T12:31:30Z\",\n \"modified\": \"2025-10-17T14:20:44.810668Z\",\n \"aliases\": [\n \"CVE-2025-8916\"\n ],\n \"summary\": \"Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation\",\n \"details\": \"Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .\\n\\nThis issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.44\"\n },\n {\n \"fixed\": \"1.79\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.44\"\n },\n {\n \"fixed\": \"1.79\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\",\n \"1.78\",\n \"1.78.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.44\"\n },\n {\n \"fixed\": \"1.79\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\",\n \"1.78\",\n \"1.78.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"2.0.8\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.7\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.0.7\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-4cx2-fc23-5wg6/GHSA-4cx2-fc23-5wg6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-8916\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-08-13T22:52:42Z\",\n \"nvd_published_at\": \"2025-08-13T10:15:27Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-2j2x-hx4g-2gf4\",\n \"published\": \"2018-10-18T17:43:55Z\",\n \"modified\": \"2025-09-12T20:13:20.576466Z\",\n \"aliases\": [\n \"CVE-2016-1000344\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-2j2x-hx4g-2gf4/GHSA-2j2x-hx4g-2gf4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000344\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-2j2x-hx4g-2gf4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1310\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:52:17Z\",\n \"nvd_published_at\": \"2018-06-04T21:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4446-656p-f54g\",\n \"published\": \"2018-10-17T16:23:12Z\",\n \"modified\": \"2025-05-12T21:48:36.833343Z\",\n \"aliases\": [\n \"CVE-2018-1000613\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in Bouncy castle\",\n \"details\": \"Legion of the Bouncy Castle Java Cryptography APIs starting in version 1.57 and prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. \\n\\nThis vulnerability appears to have been fixed in 1.60 and later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.57\"\n },\n {\n \"fixed\": \"1.60\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.57\",\n \"1.58\",\n \"1.59\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4446-656p-f54g/GHSA-4446-656p-f54g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1000613\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-4446-656p-f54g\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190204-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-470\",\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:57:10Z\",\n \"nvd_published_at\": \"2018-07-09T20:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4mv7-cq75-3qjm\",\n \"published\": \"2018-10-17T16:27:50Z\",\n \"modified\": \"2025-09-12T20:11:53.388848Z\",\n \"aliases\": [\n \"CVE-2015-7940\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\",\n \"details\": \"The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \\\"invalid curve attack.\\\"\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.51\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4mv7-cq75-3qjm/GHSA-4mv7-cq75-3qjm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-7940\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-4mv7-cq75-3qjm\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2035.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2036.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2015/dsa-3417\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/10/22/7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2015/10/22/9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/79091\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1037036\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1037046\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1037053\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:58:37Z\",\n \"nvd_published_at\": \"2015-11-09T16:59:09Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4vhj-98r6-424h\",\n \"published\": \"2018-10-17T16:23:26Z\",\n \"modified\": \"2025-09-12T20:11:46.340387Z\",\n \"aliases\": [\n \"CVE-2016-1000338\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate\",\n \"details\": \"In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.38\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.38\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.38\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000338\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20231006-0011\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T20:59:18Z\",\n \"nvd_published_at\": \"2018-06-01T20:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6xx3-rg99-gc3p\",\n \"published\": \"2021-08-13T15:22:31Z\",\n \"modified\": \"2025-07-17T22:23:36.388813Z\",\n \"aliases\": [\n \"CVE-2020-15522\"\n ],\n \"related\": [\n \"CGA-3544-c7xc-jx43\",\n \"CGA-p736-f9r6-77r7\"\n ],\n \"summary\": \"Timing based private key exposure in Bouncy Castle\",\n \"details\": \"Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bc-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bc-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.2.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.0.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.65.01\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.66\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"BouncyCastle\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/BouncyCastle\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.8.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.3.1\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.6.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-6xx3-rg99-gc3p/GHSA-6xx3-rg99-gc3p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-15522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210622-0007\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bouncycastle.org/releasenotes.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-203\",\n \"CWE-362\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-05-21T17:50:36Z\",\n \"nvd_published_at\": \"2021-05-20T12:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-72m5-fvvv-55m6\",\n \"published\": \"2021-04-22T16:16:49Z\",\n \"modified\": \"2025-07-17T22:22:44.756584Z\",\n \"aliases\": [\n \"CVE-2020-26939\"\n ],\n \"summary\": \"Observable Differences in Behavior to Error Inputs in Bouncy Castle\",\n \"details\": \"In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bc-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bc-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.61\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-72m5-fvvv-55m6/GHSA-72m5-fvvv-55m6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2020-26939\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201202-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-203\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-20T16:59:30Z\",\n \"nvd_published_at\": \"2020-11-02T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-73xv-w5gp-frxh\",\n \"published\": \"2021-04-30T16:14:15Z\",\n \"modified\": \"2024-03-08T05:18:41.838529Z\",\n \"aliases\": [\n \"CVE-2020-28052\"\n ],\n \"summary\": \"Logic error in Legion of the Bouncy Castle BC Java\",\n \"details\": \"An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.65\",\n \"1.66\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.65\",\n \"1.65.01\",\n \"1.66\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.65\",\n \"1.66\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.65\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.65\"\n },\n {\n \"fixed\": \"1.67\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-73xv-w5gp-frxh/GHSA-73xv-w5gp-frxh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-28052\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bouncycastle.org/releasenotes.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2020-28052\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-670\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-19T00:15:55Z\",\n \"nvd_published_at\": \"2020-12-18T01:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8353-fgcr-xfhx\",\n \"published\": \"2022-05-14T02:14:04Z\",\n \"modified\": \"2024-12-05T05:42:02.521197Z\",\n \"aliases\": [\n \"CVE-2013-1624\"\n ],\n \"summary\": \"Improper Input Validation in Bouncy Castle\",\n \"details\": \"The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.48\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8353-fgcr-xfhx/GHSA-8353-fgcr-xfhx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-1624\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://openwall.com/lists/oss-security/2013/02/05/24\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0371.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0372.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/57716\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/57719\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.isg.rhul.ac.uk/tls/TLStiming.pdf\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-08T18:59:52Z\",\n \"nvd_published_at\": \"2013-02-08T19:55:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8477-3v39-ggpm\",\n \"published\": \"2022-05-13T01:01:01Z\",\n \"modified\": \"2023-11-08T04:00:20.719699Z\",\n \"aliases\": [\n \"CVE-2018-5382\"\n ],\n \"summary\": \"Improper Validation of Integrity Check Value in Bouncy Castle\",\n \"details\": \"The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type \\\"BKS-V1\\\" was introduced in 1.49. It should be noted that the use of \\\"BKS-V1\\\" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.50\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8477-3v39-ggpm/GHSA-8477-3v39-ggpm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-5382\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bouncycastle.org/releasenotes.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.kb.cert.org/vuls/id/306792\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/103453\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-354\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-28T23:51:50Z\",\n \"nvd_published_at\": \"2018-04-16T14:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8xfc-gm6g-vgpv\",\n \"published\": \"2024-05-14T15:32:54Z\",\n \"modified\": \"2024-12-06T15:48:32.838321Z\",\n \"aliases\": [\n \"CGA-h49m-7vwx-446f\",\n \"CGA-pmw5-3929-3rqr\",\n \"CGA-x9cj-c42r-f4mr\",\n \"CVE-2024-29857\"\n ],\n \"related\": [\n \"CGA-29h3-969m-j2cr\",\n \"CGA-448v-pf2r-j83m\",\n \"CGA-4cgj-59hq-h2hc\",\n \"CGA-4ph3-8p4p-wr86\",\n \"CGA-5hp5-r4pg-f3p7\",\n \"CGA-7p4p-m9qg-mv7r\",\n \"CGA-89h2-vv89-63r8\",\n \"CGA-cw5g-gfw6-xx43\",\n \"CGA-f25f-36f8-w45w\",\n \"CGA-f92w-p726-49xr\",\n \"CGA-g9h5-gx89-c9v8\",\n \"CGA-p93x-49fc-v5m3\",\n \"CGA-pfv3-x3hq-59qp\",\n \"CGA-vmgg-m99c-vcmm\",\n \"CGA-xx3m-cg2g-f46r\"\n ],\n \"summary\": \"Bouncy Castle certificate parsing issues cause high CPU usage during parameter evaluation.\",\n \"details\": \"An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.65.01\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bc-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bc-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.2.5\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.0.2.1\",\n \"1.0.2.3\",\n \"1.0.2.4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"BouncyCastle\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/BouncyCastle\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.3.1\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.6.1\",\n \"1.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 2.3.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"BouncyCastle.Cryptography\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/BouncyCastle.Cryptography\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8xfc-gm6g-vgpv/GHSA-8xfc-gm6g-vgpv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-29857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-csharp/commit/56daa6eac526f165416d17f661422d60de0dfd63\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a294501f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/fee80dd230e7fba132d03a34f1dd1d6aae0d0281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9029857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9029857\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20241206-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bouncycastle.org/latest_releases.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-125\",\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-05-14T20:22:01Z\",\n \"nvd_published_at\": \"2024-05-14T15:17:02Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9gp4-qrff-c648\",\n \"published\": \"2018-10-18T18:04:13Z\",\n \"modified\": \"2025-09-12T20:11:27.017633Z\",\n \"aliases\": [\n \"CVE-2016-1000345\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9gp4-qrff-c648/GHSA-9gp4-qrff-c648.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000345\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-9gp4-qrff-c648\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:28:32Z\",\n \"nvd_published_at\": \"2018-06-04T21:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c8xf-m4ff-jcxj\",\n \"published\": \"2018-10-17T16:23:38Z\",\n \"modified\": \"2025-09-12T20:11:29.725840Z\",\n \"aliases\": [\n \"CVE-2016-1000339\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-c8xf-m4ff-jcxj/GHSA-c8xf-m4ff-jcxj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000339\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-c8xf-m4ff-jcxj\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:30:37Z\",\n \"nvd_published_at\": \"2018-06-04T13:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fjqm-246c-mwqg\",\n \"published\": \"2018-10-17T16:27:28Z\",\n \"modified\": \"2025-09-12T20:11:33.148189Z\",\n \"aliases\": [\n \"CVE-2016-1000346\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider the other party DH public key is not fully validated\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-fjqm-246c-mwqg/GHSA-fjqm-246c-mwqg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000346\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-fjqm-246c-mwqg\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:34:48Z\",\n \"nvd_published_at\": \"2018-06-04T21:29:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hr8g-6v94-x4m9\",\n \"published\": \"2023-07-05T03:30:23Z\",\n \"modified\": \"2024-10-22T05:28:49.779895Z\",\n \"aliases\": [\n \"CGA-9v29-fwrv-3vmr\",\n \"CVE-2023-33201\"\n ],\n \"related\": [\n \"CGA-38pq-3m5v-j985\",\n \"CGA-g7rp-wcpp-h755\",\n \"CGA-h3hg-g6x6-9xjh\",\n \"CGA-w3f3-pcfm-c69g\"\n ],\n \"summary\": \"Bouncy Castle For Java LDAP injection vulnerability\",\n \"details\": \"Bouncy Castle provides the `X509LDAPCertStoreSpi.java` class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure.\\n\\nA potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: `CN=Subject*)(objectclass=`. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.\\n\\nChanges to the `X509LDAPCertStoreSpi.java` class add the additional checking of any X.500 name used to correctly escape wild card characters.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.60\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.64\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-debug-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-debug-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.55\",\n \"1.59\",\n \"1.60\",\n \"1.64\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-debug-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-debug-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.64\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-debug-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-debug-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.74\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.72\",\n \"1.73\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"last_affected\": \"1.70\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.65.01\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"last_affected\": \"1.70\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-debug-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-debug-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.49\"\n },\n {\n \"last_affected\": \"1.70\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.52\",\n \"1.53\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-hr8g-6v94-x4m9/GHSA-hr8g-6v94-x4m9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-33201\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/ccf93ca736b89250ff4ce079a5aa56f5cbf0ebbd\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bouncycastle.org\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bouncycastle.org/releasenotes.html#r1rv74\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commits/main/prov/src/main/java/org/bouncycastle/jce/provider/X509LDAPCertStoreSpi.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2023-33201\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/08/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230824-0008\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-295\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-06T15:40:29Z\",\n \"nvd_published_at\": \"2023-07-05T03:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qcj7-g2j5-g7r3\",\n \"published\": \"2018-10-17T16:24:12Z\",\n \"modified\": \"2025-09-02T21:09:14.819658Z\",\n \"aliases\": [\n \"CVE-2016-1000342\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000342\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647#diff-25c3c78db788365f36839b3f2d3016b9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-347\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:51:36Z\",\n \"nvd_published_at\": \"2018-06-04T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r97x-3g8f-gx3m\",\n \"published\": \"2018-10-17T16:23:50Z\",\n \"modified\": \"2025-09-12T20:11:40.283362Z\",\n \"aliases\": [\n \"CVE-2016-1000340\"\n ],\n \"summary\": \"The Bouncy Castle JCE Provider carry a propagation bug\",\n \"details\": \"In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.51\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.51\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"1.51\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r97x-3g8f-gx3m/GHSA-r97x-3g8f-gx3m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000340\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/790642084c4e0cadd47352054f868cc8397e2c00#diff-e5934feac8203ca0104ab291a3560a31\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-r97x-3g8f-gx3m\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:54:10Z\",\n \"nvd_published_at\": \"2018-06-04T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r9ch-m4fh-fc7q\",\n \"published\": \"2018-10-17T16:24:00Z\",\n \"modified\": \"2025-09-12T20:09:31.244100Z\",\n \"aliases\": [\n \"CVE-2016-1000341\"\n ],\n \"summary\": \"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000341\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-r9ch-m4fh-fc7q\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:54:15Z\",\n \"nvd_published_at\": \"2018-06-04T13:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rrvx-pwf8-p59p\",\n \"published\": \"2018-10-17T16:24:22Z\",\n \"modified\": \"2025-09-12T20:11:26.404347Z\",\n \"aliases\": [\n \"CVE-2016-1000343\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-rrvx-pwf8-p59p/GHSA-rrvx-pwf8-p59p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000343\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-rrvx-pwf8-p59p\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://usn.ubuntu.com/3727-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:55:50Z\",\n \"nvd_published_at\": \"2018-06-04T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v435-xc8x-wvr9\",\n \"published\": \"2024-05-14T15:32:54Z\",\n \"modified\": \"2024-10-22T05:28:59.209889Z\",\n \"aliases\": [\n \"CGA-2f4h-fc34-cw83\",\n \"CGA-5mrq-75x2-g8hj\",\n \"CGA-9qv8-44xh-vf2p\",\n \"CVE-2024-30171\"\n ],\n \"related\": [\n \"CGA-35r6-m6p6-xc93\",\n \"CGA-38cm-jrfp-jgjm\",\n \"CGA-3cjr-985f-7r7h\",\n \"CGA-7fm6-4c5m-gw2x\",\n \"CGA-8595-m6wp-3rgq\",\n \"CGA-9727-f845-q3xw\",\n \"CGA-9c2c-7969-vffw\",\n \"CGA-9vcm-5pxq-pvv5\",\n \"CGA-fcmx-xq2g-xppj\",\n \"CGA-g4x8-993m-grwh\",\n \"CGA-gfj5-2q78-6f2f\",\n \"CGA-h543-7w38-mv7r\",\n \"CGA-j49x-3x3f-7v84\",\n \"CGA-jjp7-6mw2-545w\",\n \"CGA-vwqh-4f8x-m5r2\"\n ],\n \"summary\": \"Bouncy Castle affected by timing side-channel for RSA key exchange (\\\"The Marvin Attack\\\")\",\n \"details\": \"An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-fips\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-fips\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\",\n \"1.0.1\",\n \"1.0.10\",\n \"1.0.10.1\",\n \"1.0.10.2\",\n \"1.0.10.3\",\n \"1.0.11\",\n \"1.0.11.1\",\n \"1.0.11.2\",\n \"1.0.11.3\",\n \"1.0.11.4\",\n \"1.0.12\",\n \"1.0.12.1\",\n \"1.0.12.2\",\n \"1.0.12.3\",\n \"1.0.13\",\n \"1.0.14\",\n \"1.0.14.1\",\n \"1.0.16\",\n \"1.0.17\",\n \"1.0.18\",\n \"1.0.2\",\n \"1.0.3\",\n \"1.0.4\",\n \"1.0.5\",\n \"1.0.6\",\n \"1.0.7\",\n \"1.0.8\",\n \"1.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.65.01\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bctls-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bctls-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.78\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\",\n \"1.73\",\n \"1.74\",\n \"1.75\",\n \"1.76\",\n \"1.77\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"BouncyCastle\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/BouncyCastle\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.3.1\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.6.1\",\n \"1.8.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 2.3.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"BouncyCastle.Cryptography\",\n \"ecosystem\": \"NuGet\",\n \"purl\": \"pkg:nuget/BouncyCastle.Cryptography\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.3.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v435-xc8x-wvr9/GHSA-v435-xc8x-wvr9.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-30171\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-csharp/commit/c984b8bfd8544dfc55dba91a02cbbbb9c580c217\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/d7d5e735abd64bf0f413f54fd9e495fc02400fb0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/e0569dcb1dea9d421d84fc4c5c5688fe101afa2d\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-csharp/wiki/CVE%E2%80%902024%E2%80%9030171\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240614-0008\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bouncycastle.org/latest_releases.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-203\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-05-14T20:22:03Z\",\n \"nvd_published_at\": \"2024-05-14T15:21:52Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w285-wf9q-5w69\",\n \"published\": \"2018-10-17T16:27:38Z\",\n \"modified\": \"2025-09-12T20:11:36.505110Z\",\n \"aliases\": [\n \"CVE-2016-1000352\"\n ],\n \"summary\": \"In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode\",\n \"details\": \"In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-w285-wf9q-5w69/GHSA-w285-wf9q-5w69.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-1000352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2927\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-w285-wf9q-5w69\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181127-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-326\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:59:14Z\",\n \"nvd_published_at\": \"2018-06-04T21:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wjxj-5m7g-mg7q\",\n \"published\": \"2023-11-23T18:30:33Z\",\n \"modified\": \"2024-10-22T05:28:59.117892Z\",\n \"aliases\": [\n \"CGA-q98p-rjg3-8jq7\",\n \"CVE-2023-33202\"\n ],\n \"related\": [\n \"CGA-hq55-qp37-gwm6\"\n ],\n \"summary\": \"Bouncy Castle Denial of Service (DoS)\",\n \"details\": \"Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15to18\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15to18\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\",\n \"1.71\",\n \"1.72\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk16\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk16\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.65.01\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c 1.70\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcpkix-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcpkix-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-ext-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-ext-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\",\n \"1.60\",\n \"1.61\",\n \"1.62\",\n \"1.63\",\n \"1.64\",\n \"1.65\",\n \"1.66\",\n \"1.67\",\n \"1.68\",\n \"1.69\",\n \"1.70\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk18on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk18on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.73\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.71\",\n \"1.71.1\",\n \"1.72\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-wjxj-5m7g-mg7q/GHSA-wjxj-5m7g-mg7q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-33202\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bouncycastle.org\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2023-33202\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240125-0001\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-11-24T16:54:01Z\",\n \"nvd_published_at\": \"2023-11-23T16:15:07Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wrwf-pmmj-w989\",\n \"published\": \"2022-05-13T01:14:24Z\",\n \"modified\": \"2023-11-08T03:58:54.947561Z\",\n \"aliases\": [\n \"CVE-2017-13098\"\n ],\n \"summary\": \"Observable Discrepancy in BouncyCastle\",\n \"details\": \"BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \\\"ROBOT.\\\"\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wrwf-pmmj-w989/GHSA-wrwf-pmmj-w989.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-13098\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/bcgit/bc-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://robotattack.org\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20171222-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2017/dsa-4072\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/144389\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-203\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T20:14:25Z\",\n \"nvd_published_at\": \"2017-12-13T01:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xqj7-j8j5-f2xr\",\n \"published\": \"2018-10-16T17:44:39Z\",\n \"modified\": \"2025-09-12T20:04:13.290612Z\",\n \"aliases\": [\n \"CVE-2018-1000180\"\n ],\n \"summary\": \"Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator\",\n \"details\": \"Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk14\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk14\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.60\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.38\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.60\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.32\",\n \"1.38\",\n \"1.40\",\n \"1.43\",\n \"1.44\",\n \"1.45\",\n \"1.46\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.bouncycastle:bcprov-jdk15on\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.bouncycastle/bcprov-jdk15on\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.60\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.46\",\n \"1.47\",\n \"1.48\",\n \"1.49\",\n \"1.50\",\n \"1.51\",\n \"1.52\",\n \"1.53\",\n \"1.54\",\n \"1.55\",\n \"1.56\",\n \"1.57\",\n \"1.58\",\n \"1.59\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-xqj7-j8j5-f2xr/GHSA-xqj7-j8j5-f2xr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-1000180\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4233\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190204-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-xqj7-j8j5-f2xr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0877\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2669\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2643\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2428\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2425\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2424\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:2423\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106567\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-327\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:04:14Z\",\n \"nvd_published_at\": \"2018-06-05T13:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c27h-mcmw-48hv\",\n \"published\": \"2022-05-24T16:57:28Z\",\n \"modified\": \"2024-03-11T05:32:32.879730Z\",\n \"aliases\": [\n \"CVE-2019-10202\"\n ],\n \"related\": [\n \"CGA-2267-f6h9-4h4p\",\n \"CGA-2v7f-j393-2r48\",\n \"CGA-5q42-fr7m-wmqh\",\n \"CGA-g9g4-vq86-q338\"\n ],\n \"summary\": \"Deserialization of Untrusted Data in org.codehaus.jackson:jackson-mapper-asl\",\n \"details\": \"A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jackson:jackson-mapper-asl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jackson/jackson-mapper-asl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.9.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9.6\",\n \"0.9.7\",\n \"0.9.8\",\n \"0.9.9\",\n \"0.9.9-2\",\n \"0.9.9-3\",\n \"0.9.9-4\",\n \"0.9.9-5\",\n \"0.9.9-6\",\n \"1.0.0\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.1.2\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.5.8\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.6.5\",\n \"1.6.6\",\n \"1.6.7\",\n \"1.6.9\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.7.4\",\n \"1.7.5\",\n \"1.7.6\",\n \"1.7.7\",\n \"1.7.8\",\n \"1.7.9\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.10\",\n \"1.8.11\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.7\",\n \"1.8.8\",\n \"1.8.9\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.10\",\n \"1.9.11\",\n \"1.9.12\",\n \"1.9.13\",\n \"1.9.2\",\n \"1.9.3\",\n \"1.9.4\",\n \"1.9.5\",\n \"1.9.6\",\n \"1.9.7\",\n \"1.9.8\",\n \"1.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c27h-mcmw-48hv/GHSA-c27h-mcmw-48hv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10202\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9@%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/refea6018a2c4e9eb7838cab567ed219c3f726dcd83a5472fbb80d8d9%40%3Cissues.flume.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10202\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-502\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-14T00:56:25Z\",\n \"nvd_published_at\": \"2019-10-01T15:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r6j9-8759-g62w\",\n \"published\": \"2020-02-04T22:39:19Z\",\n \"modified\": \"2025-03-09T12:26:53.613046Z\",\n \"aliases\": [\n \"CGA-6cwv-3jmj-96j9\",\n \"CVE-2019-10172\"\n ],\n \"related\": [\n \"CGA-2wfh-9vp6-5hj5\",\n \"CGA-7pfp-wfcr-cm2m\",\n \"CGA-93w3-x4hw-7w7g\",\n \"CGA-cxxv-5q2j-64j3\",\n \"CGA-r6m9-c4ph-7jgx\"\n ],\n \"summary\": \"Improper Restriction of XML External Entity Reference in jackson-mapper-asl\",\n \"details\": \"A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jackson:jackson-mapper-asl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jackson/jackson-mapper-asl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.9.13\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.9.6\",\n \"0.9.7\",\n \"0.9.8\",\n \"0.9.9\",\n \"0.9.9-2\",\n \"0.9.9-3\",\n \"0.9.9-4\",\n \"0.9.9-5\",\n \"0.9.9-6\",\n \"1.0.0\",\n \"1.0.1\",\n \"1.1.0\",\n \"1.1.1\",\n \"1.1.2\",\n \"1.2.0\",\n \"1.2.1\",\n \"1.3.0\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.5.8\",\n \"1.6.0\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.6.5\",\n \"1.6.6\",\n \"1.6.7\",\n \"1.6.9\",\n \"1.7.0\",\n \"1.7.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.7.4\",\n \"1.7.5\",\n \"1.7.6\",\n \"1.7.7\",\n \"1.7.8\",\n \"1.7.9\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.10\",\n \"1.8.11\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"1.8.7\",\n \"1.8.8\",\n \"1.8.9\",\n \"1.9.0\",\n \"1.9.1\",\n \"1.9.10\",\n \"1.9.11\",\n \"1.9.12\",\n \"1.9.13\",\n \"1.9.2\",\n \"1.9.3\",\n \"1.9.4\",\n \"1.9.5\",\n \"1.9.6\",\n \"1.9.7\",\n \"1.9.8\",\n \"1.9.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-r6j9-8759-g62w/GHSA-r6j9-8759-g62w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10172\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/08/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra37700b842790883b9082e6b281fb7596f571b13078a4856cd38f2c2%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r80e8882c86c9c17a57396a5ef7c4f08878d629a0291243411be0de3a%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dea2a887f5eb1d68f124d64b14cd1a04f682f06de8cd01b7e4214e0%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68acf97f4526ba59a33cc6e592261ea4f85d890f99e79c82d57dd589%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r634468eb3218ab02713128ff6f4818c618622b2b3de4d958138dde49%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f16a1bd31a7e94ca78eda686179930781aa3a4a990cd55986703581%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500867b74f42230a3d65b8aec31fc93ac390eeae737c91a759ab94cb%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4bbfa1439d7a4e1712e260bfc3d90f7cf997abfd641cccde6432d4ab%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2020/01/msg00037.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re646dcc2739d92117bf9a76a33c600ed3b65e8b4e9b6f441e366b72b%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re07c51a8026c11e6e5513bfdc66d52d1c1027053e480fb8073356257%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd3a34d663e2a25b9ab1e8a1a94712cd5f100f098578aec79af48161e%40%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd27730cfc3066dfcf15927c8e800603728d5dedf17eee1f8c6e3507c%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9@%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce00a1c60f7df4b10e72fa87827c102f55b074bb91993631df2c21f9%40%3Cdev.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8c09b14fd57d855dc21e0a037dc29258c2cbe9c1966bfff453a02e4%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb47911c179c9f3e8ea3f134b5645e63cd20c6fc63bd0b43ab5864bd1%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb036bf32e4dacc49335e3bdc1be8e53d6f54df692ac8e2251a6884bd%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1f07e61b3ebabd3e5b4aa97bf1b26d98b793fdfa29a23dac60633f55%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1edabcfacdad42d3c830464e9cf07a9a489059a7b7a8642cf055542d%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1cc8bce2cf3dfce08a64c4fa20bf38d33b56ad995cee2e382f522f83%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0fbf2c60967bc9f73d7f5a62ad3b955789f9a14b950f42e99fca9b4e%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d8c3e32a0a2d8a0b6118f5b3487d363afdda80c996d7b930097383d%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r08e1b73fabd986dcd2ddd7d09480504d1472264bed2f19b1d2002a9c%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r04ecadefb27cda84b699130b11b96427f1d8a7a4066d8292f7f15ed8%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0066c1e862613de402fee04e81cbe00bcd64b64a2711beb9a13c3b25%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10172\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48a32f2dd6976d33f7a12b7e09ec7ea1895f8facba82b565587c28ac%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe@%3Cuser.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r43c6f75d203b8afc4fbd6c3200db0384a18a11c59d085b1a9bb0ccfe%40%3Cuser.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4176155240cdc36aad7869932d9c29551742c7fa630f209fb4a8e649%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r386966780034aadee69ffd82d44555117c9339545b9ce990fe490a3e%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r385c35a7c6f4acaacf37fe22922bb8e2aed9d322d0fa6dc1d45acddb%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r37eb6579fa0bf94a72b6c978e2fee96f68a2b1b3ac1b1ce60aee86cf%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a@%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r356592d9874ab4bc9da4754592f8aa6edc894c95e17e58484bc2af7a%40%3Cissues.hive.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r33d25a342af84102903cd9dec8338a5bcba3ecfce10505bdfe793b92%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d@%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25e25973e9577c62fd0221b4b52990851adf11cbe33036bd67d4b13d%40%3Ccommits.cassandra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r21ac3570ce865b8f1e5d26e492aeb714a6aaa53a0c9a6f72ef181556@%3Ccommits.cassandra.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-02-04T20:42:17Z\",\n \"nvd_published_at\": \"2019-11-18T17:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-56h3-78gp-v83r\",\n \"published\": \"2022-09-17T00:00:41Z\",\n \"modified\": \"2023-11-08T04:10:22.798161Z\",\n \"aliases\": [\n \"CVE-2022-40149\"\n ],\n \"summary\": \"Jettison parser crash by stackoverflow\",\n \"details\": \"Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jettison/jettison\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-RC1\",\n \"1.0-RC2\",\n \"1.0-alpha-1\",\n \"1.0-beta-1\",\n \"1.0.1\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.3.8\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-56h3-78gp-v83r/GHSA-56h3-78gp-v83r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/issues/45\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/pull/49/files\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jettison-json/jettison\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5312\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-121\",\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-20T21:22:04Z\",\n \"nvd_published_at\": \"2022-09-16T10:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7rf3-mqpx-h7xg\",\n \"published\": \"2022-12-13T15:30:26Z\",\n \"modified\": \"2023-11-08T04:10:53.332746Z\",\n \"aliases\": [\n \"CVE-2022-45685\"\n ],\n \"summary\": \"Jettison Out-of-bounds Write vulnerability\",\n \"details\": \"A stack overflow in Jettison before v1.5.2 allows attackers to cause a Denial of Service (DoS) via crafted JSON data.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jettison/jettison\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-RC1\",\n \"1.0-RC2\",\n \"1.0-alpha-1\",\n \"1.0-beta-1\",\n \"1.0.1\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.3.8\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-7rf3-mqpx-h7xg/GHSA-7rf3-mqpx-h7xg.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45685\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/issues/54\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jettison-json/jettison\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5312\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-04T14:27:01Z\",\n \"nvd_published_at\": \"2022-12-13T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-grr4-wv38-f68w\",\n \"published\": \"2022-12-13T15:30:27Z\",\n \"modified\": \"2023-11-08T04:10:53.577855Z\",\n \"aliases\": [\n \"CVE-2022-45693\"\n ],\n \"summary\": \"Jettison Out-of-bounds Write vulnerability\",\n \"details\": \"Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jettison/jettison\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-RC1\",\n \"1.0-RC2\",\n \"1.0-alpha-1\",\n \"1.0-beta-1\",\n \"1.0.1\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.3.8\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-grr4-wv38-f68w/GHSA-grr4-wv38-f68w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45693\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/issues/52\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jettison-json/jettison\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5312\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-04T14:25:45Z\",\n \"nvd_published_at\": \"2022-12-13T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q6g2-g7f3-rr83\",\n \"published\": \"2023-03-22T06:30:21Z\",\n \"modified\": \"2024-02-20T05:34:09.671471Z\",\n \"aliases\": [\n \"CVE-2023-1436\"\n ],\n \"summary\": \"Jettison vulnerable to infinite recursion\",\n \"details\": \"An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jettison/jettison\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-RC1\",\n \"1.0-RC2\",\n \"1.0-alpha-1\",\n \"1.0-beta-1\",\n \"1.0.1\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.3.8\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-q6g2-g7f3-rr83/GHSA-q6g2-g7f3-rr83.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-1436\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/issues/60\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/pull/62\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jettison-json/jettison\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-03-22T21:23:09Z\",\n \"nvd_published_at\": \"2023-03-22T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x27m-9w8j-5vcw\",\n \"published\": \"2022-09-17T00:00:41Z\",\n \"modified\": \"2024-02-16T08:08:08.595900Z\",\n \"aliases\": [\n \"CVE-2022-40150\"\n ],\n \"summary\": \"Jettison memory exhaustion\",\n \"details\": \"Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.jettison:jettison\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.jettison/jettison\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.5.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0\",\n \"1.0-RC1\",\n \"1.0-RC2\",\n \"1.0-alpha-1\",\n \"1.0-beta-1\",\n \"1.0.1\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.3.1\",\n \"1.3.2\",\n \"1.3.3\",\n \"1.3.4\",\n \"1.3.5\",\n \"1.3.6\",\n \"1.3.7\",\n \"1.3.8\",\n \"1.4.0\",\n \"1.4.1\",\n \"1.5.0\",\n \"1.5.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-x27m-9w8j-5vcw/GHSA-x27m-9w8j-5vcw.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-40150\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jettison-json/jettison/issues/45\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jettison-json/jettison\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/12/msg00045.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5312\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-674\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-09-20T21:20:42Z\",\n \"nvd_published_at\": \"2022-09-16T10:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8vhq-qq4p-grq3\",\n \"published\": \"2022-05-13T01:11:53Z\",\n \"modified\": \"2025-01-14T06:59:30.610519Z\",\n \"aliases\": [\n \"CVE-2017-1000487\"\n ],\n \"summary\": \"OS Command Injection in Plexus-utils\",\n \"details\": \"Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.plexus/plexus-utils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.4\",\n \"1.0.5\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4-alpha-1\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.4.6\",\n \"1.4.7\",\n \"1.4.8\",\n \"1.4.9\",\n \"1.5\",\n \"1.5.1\",\n \"1.5.10\",\n \"1.5.11\",\n \"1.5.12\",\n \"1.5.13\",\n \"1.5.14\",\n \"1.5.15\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.5.8\",\n \"1.5.9\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.1\",\n \"3.0\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.12\",\n \"3.0.13\",\n \"3.0.14\",\n \"3.0.15\",\n \"3.0.2\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8vhq-qq4p-grq3/GHSA-8vhq-qq4p-grq3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-1000487\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4149\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4146\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62@%3Cdev.avro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2018:1322\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-78\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T21:47:32Z\",\n \"nvd_published_at\": \"2018-01-03T20:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g6ph-x5wf-g337\",\n \"published\": \"2023-09-25T21:30:26Z\",\n \"modified\": \"2024-05-03T20:31:38.024044Z\",\n \"aliases\": [\n \"CVE-2022-4244\"\n ],\n \"summary\": \"plexus-codehaus vulnerable to directory traversal\",\n \"details\": \"A flaw was found in plexus-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with dot-dot-slash (`../`) sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.plexus/plexus-utils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.4\",\n \"1.0.5\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4-alpha-1\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.4.6\",\n \"1.4.7\",\n \"1.4.8\",\n \"1.4.9\",\n \"1.5\",\n \"1.5.1\",\n \"1.5.10\",\n \"1.5.11\",\n \"1.5.12\",\n \"1.5.13\",\n \"1.5.14\",\n \"1.5.15\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.5.8\",\n \"1.5.9\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.1\",\n \"3.0\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.12\",\n \"3.0.13\",\n \"3.0.14\",\n \"3.0.15\",\n \"3.0.16\",\n \"3.0.17\",\n \"3.0.18\",\n \"3.0.19\",\n \"3.0.2\",\n \"3.0.20\",\n \"3.0.21\",\n \"3.0.22\",\n \"3.0.23\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-g6ph-x5wf-g337/GHSA-g6ph-x5wf-g337.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4244\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils/issues/4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils/commit/33a2853df8185b4519b1b8bfae284f03392618ef\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2022-4244\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149841\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31521\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-26T17:59:40Z\",\n \"nvd_published_at\": \"2023-09-25T20:15:10Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jcwr-x25h-x5fh\",\n \"published\": \"2023-09-25T21:30:26Z\",\n \"modified\": \"2024-05-03T20:32:52.547057Z\",\n \"aliases\": [\n \"CVE-2022-4245\"\n ],\n \"summary\": \"codehaus-plexus vulnerable to XML injection\",\n \"details\": \"A flaw was found in codehaus-plexus. The `org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment` fails to sanitize comments for a `--\\u003e` sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.codehaus.plexus:plexus-utils\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.codehaus.plexus/plexus-utils\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.4\",\n \"1.0.5\",\n \"1.1\",\n \"1.2\",\n \"1.3\",\n \"1.4\",\n \"1.4-alpha-1\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.4.4\",\n \"1.4.5\",\n \"1.4.6\",\n \"1.4.7\",\n \"1.4.8\",\n \"1.4.9\",\n \"1.5\",\n \"1.5.1\",\n \"1.5.10\",\n \"1.5.11\",\n \"1.5.12\",\n \"1.5.13\",\n \"1.5.14\",\n \"1.5.15\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.5.5\",\n \"1.5.6\",\n \"1.5.7\",\n \"1.5.8\",\n \"1.5.9\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.0.3\",\n \"2.0.4\",\n \"2.0.5\",\n \"2.0.6\",\n \"2.0.7\",\n \"2.1\",\n \"3.0\",\n \"3.0.1\",\n \"3.0.10\",\n \"3.0.11\",\n \"3.0.12\",\n \"3.0.13\",\n \"3.0.14\",\n \"3.0.15\",\n \"3.0.16\",\n \"3.0.17\",\n \"3.0.18\",\n \"3.0.19\",\n \"3.0.2\",\n \"3.0.20\",\n \"3.0.21\",\n \"3.0.22\",\n \"3.0.23\",\n \"3.0.3\",\n \"3.0.4\",\n \"3.0.5\",\n \"3.0.6\",\n \"3.0.7\",\n \"3.0.8\",\n \"3.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-jcwr-x25h-x5fh/GHSA-jcwr-x25h-x5fh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-4245\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils/issues/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2023:2135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2023:3906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2022-4245\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2149843\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/codehaus-plexus/plexus-utils\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\",\n \"CWE-91\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-26T19:38:53Z\",\n \"nvd_published_at\": \"2023-09-25T20:15:10Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cj7v-27pg-wf7q\",\n \"published\": \"2022-07-07T20:55:34Z\",\n \"modified\": \"2024-02-16T08:00:47.277184Z\",\n \"aliases\": [\n \"CVE-2022-2047\"\n ],\n \"related\": [\n \"CVE-2022-2047\"\n ],\n \"summary\": \"Jetty invalid URI parsing may produce invalid HttpURI.authority\",\n \"details\": \"### Description\\nURI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`.\\n\\nA URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host.\\nHowever, `HttpURI.host` returns `localhost;` which is definitely wrong.\\n\\n### Impact\\nThis can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.\\n\\n### Patches\\nPatched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47.\\nPatched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10\\n\\n### Workarounds\\nNone.\\n\\n### For more information\\nIf you have any questions or comments about this advisory:\\n* Email us at security@webtide.com.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.47\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-cj7v-27pg-wf7q/GHSA-cj7v-27pg-wf7q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-cj7v-27pg-wf7q\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2047\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/08/msg00011.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220901-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5198\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-07T20:55:34Z\",\n \"nvd_published_at\": \"2022-07-07T21:15:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-hmr7-m48g-48f6\",\n \"published\": \"2023-09-14T16:17:27Z\",\n \"modified\": \"2024-02-16T07:59:58.440241Z\",\n \"aliases\": [\n \"CVE-2023-40167\"\n ],\n \"related\": [\n \"CGA-j3h8-74jw-2w8w\",\n \"CGA-vqpm-qwj8-mfq5\"\n ],\n \"summary\": \"Jetty accepts \\\"+\\\" prefixed value in Content-Length\",\n \"details\": \"### Impact\\n\\nJetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response.\\n\\n### Workarounds\\n\\nThere is no workaround as there is no known exploit scenario. \\n\\n### Original Report \\n\\n[RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \\\"+\\\" prefixed Content-Length, which could lead to potential HTTP request smuggling.\\n\\nPayload:\\n\\n```\\n POST / HTTP/1.1\\n Host: a.com\\n Content-Length: +16\\n Connection: close\\n ​\\n 0123456789abcdef\\n```\\n\\nWhen sending this payload to Jetty, it can successfully parse and identify the length.\\n\\nWhen sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request.\\n\\nThis behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.4.52\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.51\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.15\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.15\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0\"\n },\n {\n \"fixed\": \"12.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-hmr7-m48g-48f6/GHSA-hmr7-m48g-48f6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-40167\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5507\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.rfc-editor.org/rfc/rfc9110#section-8.6\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-130\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-14T16:17:27Z\",\n \"nvd_published_at\": \"2023-09-15T20:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qh8g-58pp-2wxh\",\n \"published\": \"2024-10-14T21:11:43Z\",\n \"modified\": \"2025-03-07T14:20:03.913209Z\",\n \"aliases\": [\n \"CVE-2024-6763\"\n ],\n \"related\": [\n \"CGA-ff4f-4xw3-x96m\",\n \"CGA-gp28-g32p-xvfg\",\n \"CGA-r9mv-rv77-836x\"\n ],\n \"summary\": \"Eclipse Jetty URI parsing of invalid authority\",\n \"details\": \"## Summary\\n\\nEclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, `HttpURI`, for URI/URL parsing.\\n\\nThe `HttpURI` class does insufficient validation on the authority segment of a URI. However the behaviour of `HttpURI` differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically `HttpURI` and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.\\n\\n## Details\\n\\n### Affected components\\n\\nThe vulnerable component is the `HttpURI` class when used as a utility class in an application. The Jetty usage of the class is not vulnerable.\\n\\n### Attack overview\\n\\nThe `HttpURI` class does not well validate the authority section of a URI. When presented with an illegal authority that may contain user info (eg username:password#@hostname:port), then the parsing of the URI is not failed. Moreover, the interpretation of what part of the authority is the host name differs from a common browser in that they also do not fail, but they select a different host name from the illegal URI.\\n\\n### Attack scenario\\n\\nA typical attack scenario is illustrated in the diagram below. The Validator checks whether the attacker-supplied URL is on the blocklist. If not, the URI is passed to the Requester for redirection. The Requester is responsible for sending requests to the hostname specified by the URI.\\n\\nThis attack occurs when the Validator is the `org.eclipse.jetty.http.HttpURI` class and the Requester is the `Browser` (include chrome, firefox and Safari). An attacker can send a malformed URI to the Validator (e.g., `http://browser.check%23%40vulndetector.com/` ). After validation, the Validator finds that the hostname is not on the blocklist. However, the Requester can still send requests to the domain with the hostname `vulndetector.com`.\\n\\n## PoC\\n\\npayloads:\\n\\n```\\nhttp://browser.check \\u0026@vulndetector.com/\\nhttp://browser.check #@vulndetector.com/\\nhttp://browser.check?@vulndetector.com/\\nhttp://browser.check#@vulndetector.com/\\nhttp://vulndetector.com\\\\\\\\/\\n```\\n\\nThe problem of 302 redirect parsing in HTML tag scenarios. Below is a poc example. After clicking the button, the browser will open \\\"browser.check\\\", and jetty will parse this URL as \\\"vulndetector.com\\\".\\n\\n```\\n\\u003ca href=\\\"http://browser.check#@vulndetector.com/\\\"\\u003e\\u003c/a\\u003e\\n```\\nA comparison of the parsing differences between Jetty and chrome is shown in the table below (note that neither should accept the URI as valid).\\n\\n| Invalid URI | Jetty | Chrome |\\n| ---------------------------------------------- | ---------------- | ------------- |\\n| http://browser.check \\u0026@vulndetector.com/ | vulndetector.com | browser.check |\\n| http://browser.check #@vulndetector.com/ | vulndetector.com | browser.check |\\n| http://browser.check?@vulndetector.com/ | vulndetector.com | browser.check |\\n| http://browser.check#@vulndetector.com/ | vulndetector.com | browser.check |\\n\\nThe problem of 302 redirect parsing in HTTP 302 Location\\n\\n| Input | Jetty | Chrome |\\n| ------------------------ | -------------- | ------------- |\\n| http://browser.check%5c/ | browser.check\\\\ | browser.check |\\n\\nIt is noteworthy that Spring Web also faced similar security vulnerabilities, being affected by the aforementioned four types of payloads. These issues have since been resolved and have been assigned three CVE numbers [3-5].\\n\\n## Impact\\n\\nThe impact of this vulnerability is limited to developers that use the Jetty HttpURI directly. Example: your project implemented a blocklist to block on some hosts based on HttpURI's handling of authority section. The vulnerability will help attackers bypass the protections that developers have set up for hosts. The vulnerability will lead to **SSRF**[1] and **URL Redirection**[2] vulnerabilities in several cases. \\n\\n## Mitigation\\n\\nThe attacks outlined above rely on decoded user data being passed to the `HttpURI` class. Application should not pass decoded user data as an encoded URI to any URI class/method, including `HttpURI`. Such applications are likely to be vulnerable in other ways. \\nThe immediate solution is to upgrade to a version of the class that will fully validate the characters of the URI authority. Ultimately, Jetty will deprecate and remove support for user info in the authority per [RFC9110 Section 4.2.4](https://datatracker.ietf.org/doc/html/rfc9110#section-4.2.4). \\n\\nNote that the Chrome (and other browsers) parse the invalid user info section improperly as well (due to flawed WhatWG URL parsing rules that do not apply outside of a Web Browser).\\n\\n## Reference\\n\\n[1] https://cwe.mitre.org/data/definitions/918.html\\n[2] https://cwe.mitre.org/data/definitions/601.html\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-http\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-http\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"12.0.12\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-alpha0\",\n \"10.0.0.alpha1\",\n \"10.0.0.alpha2\",\n \"10.0.0.beta0\",\n \"10.0.0.beta1\",\n \"10.0.0.beta2\",\n \"10.0.0.beta3\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.19\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.24\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\",\n \"11.0.0\",\n \"11.0.0-alpha0\",\n \"11.0.0.beta1\",\n \"11.0.0.beta2\",\n \"11.0.0.beta3\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.16\",\n \"11.0.17\",\n \"11.0.18\",\n \"11.0.19\",\n \"11.0.2\",\n \"11.0.20\",\n \"11.0.21\",\n \"11.0.22\",\n \"11.0.23\",\n \"11.0.24\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\",\n \"12.0.0\",\n \"12.0.0.alpha0\",\n \"12.0.0.alpha1\",\n \"12.0.0.alpha2\",\n \"12.0.0.alpha3\",\n \"12.0.0.beta0\",\n \"12.0.0.beta1\",\n \"12.0.0.beta2\",\n \"12.0.0.beta3\",\n \"12.0.0.beta4\",\n \"12.0.1\",\n \"12.0.10\",\n \"12.0.11\",\n \"12.0.2\",\n \"12.0.3\",\n \"12.0.4\",\n \"12.0.5\",\n \"12.0.6\",\n \"12.0.7\",\n \"12.0.8\",\n \"12.0.9\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.52.v20230823\",\n \"9.4.53.v20231009\",\n \"9.4.54.v20240208\",\n \"9.4.55.v20240627\",\n \"9.4.56.v20240826\",\n \"9.4.57.v20241219\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 12.0.11\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-qh8g-58pp-2wxh/GHSA-qh8g-58pp-2wxh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-qh8g-58pp-2wxh\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-6763\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty/jetty.project/pull/12012\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jetty/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20250306-0005\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1286\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-10-14T21:11:43Z\",\n \"nvd_published_at\": \"2024-10-14T16:15:04Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-26vr-8j45-3r4w\",\n \"published\": \"2021-04-06T17:31:30Z\",\n \"modified\": \"2024-03-11T05:36:57.484846Z\",\n \"aliases\": [\n \"BIT-jenkins-2021-28165\",\n \"CVE-2021-28165\"\n ],\n \"related\": [\n \"CVE-2021-28165\"\n ],\n \"summary\": \"Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources\",\n \"details\": \"### Impact\\nWhen using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage.\\n\\n### Workarounds\\n\\nThe problem can be worked around by compiling the following class:\\n```java\\npackage org.eclipse.jetty.server.ssl.fix6072;\\n\\nimport java.nio.ByteBuffer;\\nimport javax.net.ssl.SSLEngine;\\nimport javax.net.ssl.SSLEngineResult;\\nimport javax.net.ssl.SSLException;\\nimport javax.net.ssl.SSLHandshakeException;\\n\\nimport org.eclipse.jetty.io.EndPoint;\\nimport org.eclipse.jetty.io.ssl.SslConnection;\\nimport org.eclipse.jetty.server.Connector;\\nimport org.eclipse.jetty.server.SslConnectionFactory;\\nimport org.eclipse.jetty.util.BufferUtil;\\nimport org.eclipse.jetty.util.annotation.Name;\\nimport org.eclipse.jetty.util.ssl.SslContextFactory;\\n\\npublic class SpaceCheckingSslConnectionFactory extends SslConnectionFactory\\n{\\n public SpaceCheckingSslConnectionFactory(@Name(\\\"sslContextFactory\\\") SslContextFactory factory, @Name(\\\"next\\\") String nextProtocol)\\n {\\n super(factory, nextProtocol);\\n }\\n\\n @Override\\n protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine)\\n {\\n return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption())\\n {\\n @Override\\n protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException\\n {\\n SSLEngineResult results = super.unwrap(sslEngine, input, output);\\n\\n if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW ||\\n results.getStatus() == SSLEngineResult.Status.OK \\u0026\\u0026 results.bytesConsumed() == 0 \\u0026\\u0026 results.bytesProduced() == 0) \\u0026\\u0026\\n BufferUtil.space(input) == 0)\\n {\\n BufferUtil.clear(input);\\n throw new SSLHandshakeException(\\\"Encrypted buffer max length exceeded\\\");\\n }\\n return results;\\n }\\n };\\n }\\n}\\n```\\nThis class can be deployed by:\\n + The resulting class file should be put into a jar file (eg sslfix6072.jar)\\n + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib\\n + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules`\\n + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section:\\n\\n```\\n[lib]\\nlib/sslfix6072.jar\\n```\\n\\n+ Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc`\\n+ Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example:\\n```xml\\n \\u003cCall name=\\\"addIfAbsentConnectionFactory\\\"\\u003e\\n \\u003cArg\\u003e\\n \\u003cNew class=\\\"org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory\\\"\\u003e\\n \\u003cArg name=\\\"next\\\"\\u003ehttp/1.1\\u003c/Arg\\u003e\\n \\u003cArg name=\\\"sslContextFactory\\\"\\u003e\\u003cRef refid=\\\"sslContextFactory\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003c/New\\u003e\\n \\u003c/Arg\\u003e\\n \\u003c/Call\\u003e\\n```\\n+ Restart Jetty\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.2.2\"\n },\n {\n \"fixed\": \"9.4.39\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-26vr-8j45-3r4w/GHSA-26vr-8j45-3r4w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28165\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210611-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2021/04/20/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-551\",\n \"CWE-755\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-02T23:02:13Z\",\n \"nvd_published_at\": \"2021-04-01T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5h9j-q6j2-253f\",\n \"published\": \"2019-12-02T18:13:28Z\",\n \"modified\": \"2024-02-16T08:16:10.159901Z\",\n \"aliases\": [\n \"CVE-2019-17632\"\n ],\n \"summary\": \"Unescaped exception messages in error responses in Jetty\",\n \"details\": \"In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.21.v20190926\"\n },\n {\n \"fixed\": \"9.4.24.v20191120\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.22.v20191022\"\n },\n {\n \"fixed\": \"9.4.24.v20191120\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.23.v20191118\"\n },\n {\n \"fixed\": \"9.4.24.v20191120\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.23.v20191118\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-5h9j-q6j2-253f/GHSA-5h9j-q6j2-253f.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17632\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAITZ27GKPD2CCNHGT2VBT4VWIBUJJNS\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-12-02T01:09:14Z\",\n \"nvd_published_at\": \"2019-11-25T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6x9x-8qw9-9pp6\",\n \"published\": \"2018-10-19T16:16:38Z\",\n \"modified\": \"2024-02-16T08:16:22.832624Z\",\n \"aliases\": [\n \"CVE-2017-7658\"\n ],\n \"summary\": \"Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)\",\n \"details\": \"Eclipse Jetty Server versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decides on the shorter length, but still passes on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary is imposing authorization, the fake pipelined request bypasses that authorization.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.2.25.v20180606\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.24.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.11.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-6x9x-8qw9-9pp6/GHSA-6x9x-8qw9-9pp6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7658\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-6x9x-8qw9-9pp6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbst03953en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4278\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/106566\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041194\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:20:39Z\",\n \"nvd_published_at\": \"2018-06-26T17:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7vx9-xjhr-rw6h\",\n \"published\": \"2019-04-23T16:06:02Z\",\n \"modified\": \"2024-02-16T08:16:44.502362Z\",\n \"aliases\": [\n \"CVE-2019-10241\"\n ],\n \"summary\": \"Cross-site Scripting in Eclipse Jetty\",\n \"details\": \"In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.2.27.v20190403\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.26.v20180806\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.26.v20190403\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.25.v20180904\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.16.v20190411\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.15.v20190215\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-7vx9-xjhr-rw6h/GHSA-7vx9-xjhr-rw6h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10241\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/01e004c3f7c7365863a27e7038b7f32dae56ccf3a496b277c9b7f7b6@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/464892b514c029dfc0c8656a93e1c0de983c473df70fdadbd224e09f@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/8bff534863c7aaf09bb17c3d0532777258dd3a5c7ddda34198cc2742@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcfb37bfba7b3d7e9c7808b5e5a38a98d6bb714d52cf5162bdd48e32@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/d7c4a664a34853f57c2163ab562f39802df5cf809523ea40c97289c1@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190509-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-23T16:02:04Z\",\n \"nvd_published_at\": \"2019-04-22T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-84q7-p226-4x5w\",\n \"published\": \"2018-10-19T16:16:27Z\",\n \"modified\": \"2024-02-16T08:17:36.036350Z\",\n \"aliases\": [\n \"CVE-2017-7656\"\n ],\n \"summary\": \"Jetty vulnerable to cache poisoning due to inconsistent HTTP request handling (HTTP Request Smuggling)\",\n \"details\": \"Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), contain an HTTP Request Smuggling Vulnerability that can result in cache poisoning.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.3.24.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.23.v20180228\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.11.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.10.v20180503\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-84q7-p226-4x5w/GHSA-84q7-p226-4x5w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7656\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-84q7-p226-4x5w\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbf4565a0b63f9c8b07fab29352a97bbffe76ecafed8b8555c15b83c6@%3Cissues.maven.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbst03953en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4278\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041194\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:24:19Z\",\n \"nvd_published_at\": \"2018-06-26T15:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-86wm-rrjm-8wh8\",\n \"published\": \"2020-12-02T18:28:18Z\",\n \"modified\": \"2024-03-10T05:31:38.566956Z\",\n \"aliases\": [\n \"BIT-kafka-2020-27218\",\n \"BIT-spark-2020-27218\",\n \"CVE-2020-27218\"\n ],\n \"related\": [\n \"CVE-2020-27218\"\n ],\n \"summary\": \"Buffer not correctly recycled in Gzip Request inflation\",\n \"details\": \"### Impact\\nIf GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an \\nattacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request\\non the same connection will see that body prepended to it's body.\\n\\nThe attacker will not see any data, but may inject data into the body of the subsequent request\\n\\nCVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\\u0026version=3.1)\\n\\n### Workarounds\\nThe problem can be worked around by either:\\n- Disabling compressed request body inflation by GzipHandler.\\n- By always fully consuming the request content before sending a response.\\n- By adding a `Connection: close` to any response where the servlet does not fully consume request content.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.35.v20201120\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.34\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-86wm-rrjm-8wh8/GHSA-86wm-rrjm-8wh8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-27218\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbbd003149f929b0e2fe58fb315de1658e98377225632e7e4239323fb%40%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rba4bca48d2cdfa8c08afc368a9cc4572ec85a5915ba29b8a194bf505%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8f413dc923070919b09db3ac87d079a2dcc6f0adfbb029e206a7930%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb6a3866c02ac4446451c7d9dceab2373b6d32fb058f9085c6143de30%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb4ca79d1af5237108ce8770b7c46ca78095f62ef21331d9d06142388%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racf9e6ad2482cb9b1e3e1b2c1b443d9d5cf14055fb54dec3d2dcce91%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/racd55c9b704aa68cfb4436f17739b612b5d4f887155e04ed521a4b67%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe3f2e0a3c38ed9cbef81507b7cc6e523341865e30dc15c7503adc76@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbea4d456d88b043be86739ab0200ad06ba5a7921064411c098f79831@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc0e35f4e8a8a36127e3ae7a67f325a3a6a4dbe05034130fb04b6f3b6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1de630c6ed9a958d9f811e816d6d8efb6ca94aed0869bc5cda9d7f8@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2b603b7fa7f8dbfe0b3b59a6140b4d66868db3bf4b29d69a772d72a@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc91c405c08b529b7292c75d9bd497849db700a1297fe3432990f6774@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8ed14a84656fa0bb8df3bf9373c5be80f47ceac1e2ff068ee734fdb3@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8eea4c7797e701f6494c72942dd89f471cda4c2c6e9abbaf05d113d8@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8f5b144e7a7c2b338f01139d891abbaba12a8173ee01110d21bd0b4d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8fee46fd9f1254150cc55eecf1ea6a448fca1f7cf1d1e7f9c4803fdb@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r94230f46b91c364d39922a8ba0cfe12b8dba1556b14792719a7d921f@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r942e21ee90e2617a00a08b17b0ac2db961959bec969b91df61584d38@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r964d226dd08527fddd7a44410c50daa9d34d398e5c4793f1d7e19da8@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96ef6d20c5bd3d42dab500bac56a427e1dce00cf85b083987617643d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944%40%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r990e0296b188d4530d1053882f687fa4f938f108425db2999a180944@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b46505868794fba04d401956304e63e4d8e39bdc118d30e5e87dcd9@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d7a86fb0b45e5b1855d4df83a5820eef813d55eae3edf224f3d5055@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f571b086965b35d4e91e47fb67c27b42b62762248b4900ba723599f@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra09a653997cbf10aab8c0deabc0fa49f5a8a8ce4305ce9089b98485f@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1c234f045871827f73e4d68326b067e72d3139e109207345fa57d9e@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88%40%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4ae7ada52c5ecfe805eb86ddc0af399ec8a57bfb0d8c632b8723b88@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958%40%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re4e67541a0a25a8589e89f52f8cd163c863fe04b59e048f9f1a04958@%3Ccommits.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re86a6ba09dc74e709db843e3561ead923c8fd1cba32343656dd8c44b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re9214a4232b7ae204288c283bcee4e39f07da6cc34798e9217ba4eb6@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reb75282901d0969ba6582725ce8672070715d0773f6ff54dedd60156@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree677ff289ba9a90850f2e3ba7279555df1a170263ba39c5272db236@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf0181750e321518c8afa8001e0529d50a9447714ef4f58d98af57904@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf273267fa2e49314643af3141cec239f97d41de8a59be4ef7e10c65a@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf31e24700f725ef81bc5a2e0444a60e1f295ed0a54c0098362a7bdfa@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa34d2a3e423421a4a1354cf457edba2ce78cee2d3ebd8aab151a559@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfa8879a713480b206c152334419499e6af0878c36217abcc9ab4f0d1@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/10/msg00045.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201218-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcbc408088ae99dc3167ea293a562a3a9a7295a20e9a1bfc93e43ae1b@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rccc7ba8c51d662e13496df20466d27dbab54d7001e9e7b2f31468a9e@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rce9e232a663d8405c003fe83d5c86c27d1ed65561f3690e824717bc4@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcf7b5818f71bb97fd695eb0f54f8f4f69e15cc5f9ec761ea8be0d0d3@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd20651e102cb6742a9d9322ea7b5fc3ab60a7ffecb50fa9157cbf176@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd9a960429741406f6557fa344a13d50a0c9976dac2e4c46bb54b32d7@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdbdbb4e51f8857e082b464cd128decd7263cf0fb8557f12993562c56@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdde0ad0a03eec962c56b46e70e225918ea2368dcc3fd3488741fad53@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553%40%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re014afaa14f4df9d33912ab64dc57249e1c170c7448d7175c6d014ff@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re03a566114435a8cc8eb72158242b0f560c5eeccbb4ee98d22de8373@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3918edd403b0d3857a13ef2ccf3d2bc0231f3b8758e2a5777ea1cd3@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f168fd22c071bdd95ec696e45d2a01e928b9fcadbe94fbabeb1549d@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ffe719224cbe5897f2d06dd22fc77fa12377c39efe9de0c3bf3f837@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r306c8e5aad1b9afc0c9278430fb571950fbb3ab7dd5d369eb618ffa4@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r32a25679d97bf5969d130f8e9b3a3fc54110095397d89952e93dbeb0@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21%40%3Ccommits.samza.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3554a4f192db6008c03f2c6c3e0f1691a9b0d615ce955ef67a876ff7@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3807b1c54066797c4870e03bd2376bdcce9c7c4e6143499f53cd9ca2@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a%40%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r380e9257bacb8551ee6fcf2c59890ae9477b2c78e553fa9ea08e9d9a@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r391d20ab6ec03d6becc7a9f0c5e0f45a7ad8af6b996ae0a49839f6bd@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r39f1b1be8e5c0935f7c515eedf907909474bad15185125daacb36d50@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3b7c8bc7a1cb8acdcf7753f436564d289d22f2906e934d1b11de3a40@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1%40%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3d43529452c5a16338e8267eb911e8aedc64c3241624302e673961c1@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r00858fe27ee35ac8fa0e1549d67e0efb789d63b791b5300390bd8480@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r01806ad8c9cb0590584baf5b1a60237ad92e4ad5bba082ca04d98179@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r05b7ffde2b8c180709e14bc9ca036407bea3ed9f09b32c4705d23a4a@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r078c1203e48089b2c934b9f86b61bebe8c049e0ea6273b124f349988@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d2de2ab5558da68b504bd30db74da1d97dc152a857f5b7e462288ab@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r153fbefc27a1b2033692f32ef728ca909a7c7bcc1d21b6c35b38bdd5@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r15500b77c52390e2ec048cea4a6b45edf907ea61cd13259193ff8601@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r186748e676e5aeb4eb603361e6367555ae4daecbde55cfd69fa68ec6@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1dd302323c6fe1a542d0371de66a484918fa6c2831ae70d924974bea@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r22776d06582985cca5bd2a92519a2b13b4cae2d8e087318da03c036d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619%40%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r23ce6b8965e30808daa77a80fcd69833b1fc632d80465d0419eff619@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r25a47cd06750ebb4b0f23a9b7a57c209702c8566a4c970a41ac088df@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a541f08bf5f847394297c13a5305c2f76c11e46504ce2a49653890a@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a57c7bbf36afc87f8ad9e1dd2f53a08e85a1b531283fc2efce4fe17%40%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46589f4228aabd5fb16135ff5bef0f77f06cdef64f9785ac3349fa02@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r706562cbbdda569cc556d8a7983d1f9229606e7b51337b820785af26@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70940cb30356642f0c49af49259680d6bd866f51c4e8de0f8a498fb0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74ab0f5a5f16ca01eb145403ab753df5b348b8c1656d7c8501d0bfc6@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29%40%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7669dab41f2b34d56bb67700d869dc9c025ff72e9468204799f5ac29@%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959%40%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r769e1ba36c607772f7403e7ef2a8ae14d9ddcab4a844f9b28bcf7959@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb%40%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7d37d33f2d68912985daf40203182e3d86f3e81266b7a7f350689eeb@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81f82ab8ecb83568bafbecf9ce0e73be73980ac1e2af6baf0f344a59@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r821bbffb64da0f062b4e72d1aa600b91e26bc82a28298ab159121215@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r850d1d0413716e8ba6d910cae7b01a0e560636e17d664769b5080ca5@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r870bc5e6e354c3e28ea029cb5726c9e8dd2b88cb0f5f7de1d4e3133d@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421%40%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8b2271909dabb45f0f1482ef35ffe106ae4b0cf8e877eb514e9cd421@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8be8c6f0e404a3179d988eb8afed03ede5f2d5ce986d3f709fb82610@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c22aad0711321537183ccddcade7274ebf9dcbdcdacc6c4f90f43de@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8c839a0d88cd6504abbe72c260371094f47014b2ba08d8d2c0232e3c@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r489dfc3e259ad3837141985dd9291b93e6b40496cdf58808915d67e9@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4981622ba15e8be1657d30b7c85044c7aabe89751fa7324f8604b834@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4aff5ca6bc94a6f13ff77914fd960185ab70cd6cebe96fffd74543ac@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4b2e7417a76e3dd4dc9855c6c138c49484080754a09927454f6d89f0@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab%40%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r500e22d0aedba1866d0b5e76429b76652a473a0209fa8bf66c9f7aab@%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r51ec0120b6c849d12fb7fef34db87ef0bf79fcfcd3d703a9800afbba@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r543ea0a861a78d84c22656fb76880d7ab327048cf7ee3ccc7281375d@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997%40%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5464405909eb0e1059d5dd57d10c435b9f19325fdebbadb4f1126997@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e%40%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5c64173663c71f222ea40617ab362d7a590935fb75c18817fdec377e@%3Ccommits.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5e5cb33b545548ec4684d33bd88b05a0ae89c4d7cac93eb63255f58f@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r602683484f607cd1b9598caf3e549fbb01c43fd46a582a32cc3bb545@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68%40%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6493e43007f41e34cdbbb66622307fa235374dd2ec5bf52c61075a68@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25%40%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r66456df852de06a0eed2c0a50252a2c8d360b8a5c005f63c0b1e3d25@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7%40%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6d5bb60a13e8b539600f86cb72097967b951de5c7ef1e4005cda74a7@%3Cnotifications.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-226\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-12-02T02:25:41Z\",\n \"nvd_published_at\": \"2020-11-28T01:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-872g-2h8h-362q\",\n \"published\": \"2018-10-19T16:16:16Z\",\n \"modified\": \"2024-02-16T08:22:06.138962Z\",\n \"aliases\": [\n \"CVE-2016-4800\"\n ],\n \"summary\": \"Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request\",\n \"details\": \"The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.2.v20150730\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-872g-2h8h-362q/GHSA-872g-2h8h-362q.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2016-4800\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-872g-2h8h-362q\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190307-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ocert.org/advisories/ocert-2016-001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/90945\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.zerodayinitiative.com/advisories/ZDI-16-362\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-284\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:24:37Z\",\n \"nvd_published_at\": null,\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8mpp-f3f7-xc28\",\n \"published\": \"2022-07-07T20:55:37Z\",\n \"modified\": \"2024-02-22T05:18:31.237834Z\",\n \"aliases\": [\n \"CVE-2022-2191\"\n ],\n \"related\": [\n \"CVE-2022-2191\"\n ],\n \"summary\": \"Jetty SslConnection does not release pooled ByteBuffers in case of errors\",\n \"details\": \"### Impact\\n`SslConnection` does not release `ByteBuffer`s in case of error code paths.\\nFor example, TLS handshakes that require client-auth with clients that send expired certificates will trigger a TLS handshake errors and the `ByteBuffer`s used to process the TLS handshake will be leaked.\\n\\n### Workarounds\\nConfigure explicitly a `RetainableByteBufferPool` with `max[Heap|Direct]Memory` to limit the amount of memory that is leaked.\\nEventually the pool will be full of \\\"active\\\" entries (the leaked ones) and will provide `ByteBuffer`s that will be GCed normally.\\n\\n_With embedded-jetty_\\n\\n``` java\\nint maxBucketSize = 1000;\\nlong maxHeapMemory = 128 * 1024L * 1024L; // 128 MB\\nlong maxDirectMemory = 128 * 1024L * 1024L; // 128 MB\\nRetainableByteBufferPool rbbp = new ArrayRetainableByteBufferPool(0, -1, -1, maxBucketSize, maxHeapMemory, maxDirectMemory);\\n\\nserver.addBean(rbbp); // make sure the ArrayRetainableByteBufferPool is added before the server is started\\nserver.start();\\n```\\n\\n_With jetty-home/jetty-base_\\n\\nCreate a `${jetty.base}/etc/retainable-byte-buffer-config.xml`\\n\\n``` xml\\n\\u003c?xml version=\\\"1.0\\\"?\\u003e\\n\\u003c!DOCTYPE Configure PUBLIC \\\"-//Jetty//Configure//EN\\\" \\\"https://www.eclipse.org/jetty/configure_10_0.dtd\\\"\\u003e\\n\\n\\u003cConfigure id=\\\"Server\\\" class=\\\"org.eclipse.jetty.server.Server\\\"\\u003e\\n \\u003cCall name=\\\"addBean\\\"\\u003e\\n \\u003cArg\\u003e\\n \\u003cNew class=\\\"org.eclipse.jetty.io.ArrayRetainableByteBufferPool\\\"\\u003e\\n \\u003cArg type=\\\"int\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.minCapacity\\\" default=\\\"0\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003cArg type=\\\"int\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.factor\\\" default=\\\"-1\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003cArg type=\\\"int\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.maxCapacity\\\" default=\\\"-1\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003cArg type=\\\"int\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.maxBucketSize\\\" default=\\\"1000\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003cArg type=\\\"long\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.maxHeapMemory\\\" default=\\\"128000000\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003cArg type=\\\"long\\\"\\u003e\\u003cProperty name=\\\"jetty.byteBufferPool.maxDirectMemory\\\" default=\\\"128000000\\\"/\\u003e\\u003c/Arg\\u003e\\n \\u003c/New\\u003e\\n \\u003c/Arg\\u003e\\n \\u003c/Call\\u003e\\n\\u003c/Configure\\u003e\\n```\\n\\nAnd then reference it in `${jetty.base}/start.d/retainable-byte-buffer-config.ini`\\n\\n```\\netc/retainable-byte-buffer-config.xml\\n```\\n\\n\\n### References\\nhttps://github.com/eclipse/jetty.project/issues/8161\\n\\n### For more information\\n* Email us at [security@webtide.com](mailto:security@webtide.com)\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-8mpp-f3f7-xc28/GHSA-8mpp-f3f7-xc28.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-8mpp-f3f7-xc28\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-2191\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/8161\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220909-0003\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-404\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-07T20:55:37Z\",\n \"nvd_published_at\": \"2022-07-07T21:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9rgv-h7x4-qw8g\",\n \"published\": \"2018-10-19T16:15:56Z\",\n \"modified\": \"2024-02-16T08:16:39.738843Z\",\n \"aliases\": [\n \"CVE-2018-12536\"\n ],\n \"summary\": \"Eclipse Jetty Server generates error message containing sensitive information\",\n \"details\": \"In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.11.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.10.v20180503\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.0.0\"\n },\n {\n \"fixed\": \"9.3.24.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.23.v20180228\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-9rgv-h7x4-qw8g/GHSA-9rgv-h7x4-qw8g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12536\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbst03953en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-209\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:29:36Z\",\n \"nvd_published_at\": \"2018-06-27T17:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g8m5-722r-8whq\",\n \"published\": \"2024-10-14T21:08:38Z\",\n \"modified\": \"2025-11-03T23:05:59.283307Z\",\n \"aliases\": [\n \"CVE-2024-8184\"\n ],\n \"related\": [\n \"CGA-3v96-9425-c5jg\",\n \"CGA-45xv-w77x-56w8\",\n \"CGA-4x6r-cwfp-wvmh\",\n \"CGA-56m4-5757-c9j7\",\n \"CGA-6wch-9rxv-fw5r\",\n \"CGA-8cjr-ccm5-q989\",\n \"CGA-8vvp-pq4p-2hc6\",\n \"CGA-c7jc-pc4g-5wpx\",\n \"CGA-c8xx-wqr2-vpgm\",\n \"CGA-f4m3-6jhg-xc6m\",\n \"CGA-h6g3-pgx4-5qf9\",\n \"CGA-hmc6-7f6h-r2jp\",\n \"CGA-m9gp-rqph-jfcv\",\n \"CGA-p858-c98g-7rp9\",\n \"CGA-rgmc-7h79-v9m6\",\n \"CGA-vp9g-g9wg-4xpq\",\n \"CGA-xj92-8mfm-x22p\"\n ],\n \"summary\": \"Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks\",\n \"details\": \"### Impact\\nRemote DOS attack can cause out of memory \\n\\n### Description\\nThere exists a security vulnerability in Jetty's `ThreadLimitHandler.getRemote()` which\\ncan be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By\\nrepeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the\\nserver's memory.\\n\\n### Affected Versions\\n\\n* Jetty 12.0.0-12.0.8 (Supported)\\n* Jetty 11.0.0-11.0.23 (EOL)\\n* Jetty 10.0.0-10.0.23 (EOL)\\n* Jetty 9.3.12-9.4.55 (EOL)\\n\\n### Patched Versions\\n\\n* Jetty 12.0.9\\n* Jetty 11.0.24\\n* Jetty 10.0.24\\n* Jetty 9.4.56\\n\\n### Workarounds\\n\\nDo not use `ThreadLimitHandler`. \\nConsider use of `QoSHandler` instead to artificially limit resource utilization.\\n\\n### References\\n\\nJetty 12 - https://github.com/jetty/jetty.project/pull/11723\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0\"\n },\n {\n \"fixed\": \"12.0.9\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0\",\n \"12.0.1\",\n \"12.0.2\",\n \"12.0.3\",\n \"12.0.4\",\n \"12.0.5\",\n \"12.0.6\",\n \"12.0.7\",\n \"12.0.8\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 12.0.8\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.16\",\n \"10.0.17\",\n \"10.0.18\",\n \"10.0.19\",\n \"10.0.2\",\n \"10.0.20\",\n \"10.0.21\",\n \"10.0.22\",\n \"10.0.23\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.23\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.24\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.16\",\n \"11.0.17\",\n \"11.0.18\",\n \"11.0.19\",\n \"11.0.2\",\n \"11.0.20\",\n \"11.0.21\",\n \"11.0.22\",\n \"11.0.23\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.23\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.12\"\n },\n {\n \"fixed\": \"9.4.56\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.30.v20211001\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.52.v20230823\",\n \"9.4.53.v20231009\",\n \"9.4.54.v20240208\",\n \"9.4.55.v20240627\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.55\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-g8m5-722r-8whq/GHSA-g8m5-722r-8whq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-g8m5-722r-8whq\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-8184\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty/jetty.project/pull/11723\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jetty/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/30\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2025/04/msg00001.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-10-14T21:08:38Z\",\n \"nvd_published_at\": \"2024-10-14T16:15:04Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-ghgj-3xqr-6jfm\",\n \"published\": \"2018-11-09T17:50:00Z\",\n \"modified\": \"2024-02-16T08:18:50.534710Z\",\n \"aliases\": [\n \"CVE-2015-2080\"\n ],\n \"summary\": \"Jetty vulnerable to exposure of sensitive information to unauthenticated remote users\",\n \"details\": \"The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.2.9.v20150224\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.2.v20140723\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.8.v20150217\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-ghgj-3xqr-6jfm/GHSA-ghgj-3xqr-6jfm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2015-2080\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-ghgj-3xqr-6jfm\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190307-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://seclists.org/fulldisclosure/2015/Mar/12\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/534755/100/1600/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/72768\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1031800\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:37:23Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h2f4-v4c4-6wx4\",\n \"published\": \"2019-03-28T18:33:38Z\",\n \"modified\": \"2024-02-19T05:52:03.950097Z\",\n \"aliases\": [\n \"CVE-2018-12545\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server\",\n \"details\": \"In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.12.v20180830\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.12.RC2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.25.v20180904\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.24.v20180605\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/03/GHSA-h2f4-v4c4-6wx4/GHSA-h2f4-v4c4-6wx4.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12545\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=538096\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-h2f4-v4c4-6wx4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/13f5241048ec0bf966a6ddd306feaf40de5b20e1f09096b9cddeddf2@%3Ccommits.accumulo.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/70744fe4faba8e2fa7e50a7fc794dd03cb28dad8b21e08ee59bb1606@%3Cdevnull.infra.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/febc94ffec9275dcda64633e0276a1400cd318e571009e4cda9b7a79@%3Cnotifications.accumulo.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIS4LALKZNLF5X5IGNGRSKERG7FY4QG6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:38:26Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-jg2x-r643-w2ch\",\n \"published\": \"2022-05-01T07:43:29Z\",\n \"modified\": \"2024-02-12T16:41:58.146447Z\",\n \"aliases\": [\n \"CVE-2006-6969\"\n ],\n \"summary\": \"Jetty Uses Predictable Session Identifiers\",\n \"details\": \"Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication requirements, and possibly conduct cross-site request forgery attacks.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.2.27\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"5.1.0\"\n },\n {\n \"fixed\": \"5.1.12\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.1.0pre1\"\n },\n {\n \"fixed\": \"6.1.0pre3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jg2x-r643-w2ch/GHSA-jg2x-r643-w2ch.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2006-6969\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty-project/codehaus-jetty6/commit/36f81d2e7058b012f6718bc2f1e2786694a8a4a1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty-project/codehaus-jetty6/commit/b31f606bf8058a38ab6253aa8dc2dfe6a7f83c78\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/32240\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jetty-project/codehaus-jetty6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20070208112816/http://fisheye.codehaus.org/changelog/jetty/?cs=1274\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20070602184857/http://archives.neohapsis.com/archives/bugtraq/2007-02/0070.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20121019131825/http://www.securityfocus.com/archive/1/459164/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200228100052/http://www.securityfocus.com/bid/22405\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-330\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-12T16:20:55Z\",\n \"nvd_published_at\": \"2007-02-07T11:28:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m394-8rww-3jr7\",\n \"published\": \"2021-03-10T03:46:47Z\",\n \"modified\": \"2025-09-15T07:42:08.143128Z\",\n \"aliases\": [\n \"BIT-nifi-2020-27223\",\n \"BIT-solr-2020-27223\",\n \"BIT-spark-2020-27223\",\n \"CVE-2020-27223\"\n ],\n \"related\": [\n \"CVE-2020-27223\"\n ],\n \"summary\": \"DOS vulnerability for Quoted Quality CSV headers\",\n \"details\": \"### Impact\\nWhen Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.\\n\\nThe only features within Jetty that can trigger this behavior are:\\n\\n- Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc)\\n- `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc)\\n- `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call.\\n- `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header.\\n- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)\\n\\n### Versions\\n`QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. \\n\\nCurrently, known vulnerable versions include:\\n\\n- 9.4.6.v20170531 thru to 9.4.36.v20210114\\n- 10.0.0\\n- 11.0.0\\n\\n### Workarounds\\n\\nQuality ordered values are used infrequently by jetty so they can be avoided by:\\n\\n * Do not use the default error page/handler.\\n * Do not deploy the `StatisticsServlet` exposed to the network\\n * Do not call `getLocale` API\\n * Do not enable precompressed static content in the `DefaultServlet` \\n\\n### Patches\\n\\nAll patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php)\\n- 9.4.37.v20210219 and greater\\n- 10.0.1 and greater \\n- 11.0.1 and greater\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.6\"\n },\n {\n \"fixed\": \"9.4.37\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-m394-8rww-3jr7/GHSA-m394-8rww-3jr7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-m394-8rww-3jr7\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-27223\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd666e187ebea2fda8624683ab51e2a5ad2108f762d21bf1a383d7502@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc721fe2910533bffb6bd4d69ea8ff4f36066d260dbcd2d14e041614a@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc052fd4e9e9c01bead74c0b5680355ea5dc3b72d46f253cb65d03e43@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb79b62ac3085e05656e41865f5a7efcbdc7dcd7843abed9c5fe0fef8@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa6d60b00b67c0550672b4f506f0df75b323dcd25cf574e91e2f2dff@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra47a26c008487b0a739a368c846e168de06c3cd118d31ecedafa679a@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra40a88a2301a3da86e25b501ff4bc88124f2b816c2917d5f3497f8f0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra384892bab8c03a60613a6a9d5e9cae0a2b800fd882792a55520115e@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2f529da674f25a7351543544f7d621b5227c49a0745913b1194d11e@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8dc1b13b80d39fbf4a9d158850e15cd868f0460c2f364f13dca7050b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8b1963f16d6cb1230ca7ee73b6ec4f5c48f344191dbb1caabd265ee4@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r897a6a14d03eab09e89b809d2a650f3765065201da5bc3db9a4dd6e8@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r857b31ad16c6e76002bc6cca73c83358ed2595477e288286ee82c48d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r855b24a3bde3674256152edfc53fb8c9000f9b59db3fecbbde33b211@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7ffd050d3bd7c90d95f4933560b5f4f15971ab9a5f5322fdce116243@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7fbdb7880be1566f943d80fbbeefde2115c086eba1bef3115350a388@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd8e24a3e482e5984bc8c5492dc790413e4fdc1234e3debb94515796b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdd6c47321db1bfe12c68a898765bf3b6f97e2afa6a501254ed4feaed@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re03a4dbc15df6f390a2f8c0a071c31c8324dbef007e59fdc2592091a@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re0d38cc2b5da28f708fc89de49036f3ace052c47a1202f7d70291614@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re19fa47ec901cc3cf6d7784027198e8113f8bc2dbfd6c9d6d13f5447@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3bd4f831f9be49871cb6adb997289b5dbcd6fe4bc5cb08223254080@%3Cdev.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re43768896273c0b5f1a03d7f0a9d370852074489d51825fdc0d77f0f@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re819198d4732804dc01fca8b5b144689a118ede49f6128968773595c@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reb3c6dc050c7ee18ea154cd94dba85d99aa6b02b84c4bb2138a4abf2@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/reca91f217f9e1ce607ce6e19a1c0b3db82b5b1b58cf39a84d6434695@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf190d1d28e1367d1664ef6bc2f71227566d7b6b39209817a5364da1f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf6c2efa3137bc8c22707e550a1f9b80f74bca62b9c8a6f768f2c6b86@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf77f4c4583669f1133d58cc4f1964367e253818ed8db986bb2732f7c@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff630ce92a4d1bb494fc1a3f9b57a3d60819b436505bcd8c6ccc713c@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210401-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c947376491a20d1cf143bf3c21ed74113e099d806cfe4c490a45ad8@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2c2c7b2971360fb946bbf062c58d7245927dd1ce9150fc9987f65409@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r27ad7843d060762cc942820566eeaa9639f75371afedf8124b943283@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r26d9196f4d2afb9bec2784bcb6fc183aca82e4119bf41bdc613eec01@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b803e6ebdac5f670708878fb1b27cd7a0ce9d774a60e797e58cee6f@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b7ed296a865e3f1337a96ee9cd51f6d154d881a30da36020ca72a4b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1414ab2b3f4bb4c0e736caff6dc8d15f93f6264f0cca5c47710d7bb3@%3Creviews.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r105f4e52feb051faeb9141ef78f909aaf5129d6ed1fc52e099c79463@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0e25cdf3722a24c53049d37396f0da8502cb4b7cdc481650dc601dbc@%3Cgitbox.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0cdab13815fc419805a332278c8d27e354e78560944fc36db0bdc760@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0c6eced465950743f3041b03767a32b2e98d19731bd72277fc7ea428@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0b639bd9bfaea265022125d18acd2fc6456044b76609ec74772c9567@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07aedcb1ece62969c406cb84c8f0e22cec7e42cdc272f3176e473320@%3Cusers.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r068dfd35ce2193f6af28b74ff29ab148c2b2cacb235995576f5bea78@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=571128\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7f4ad5eec0bce2821c308bb23cac53df5c94eb84de1c58de9b95c176@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r75ee2a529edb892ac59110cb3f6f91844a932c5034e16c8317f5668d@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r734f996149bb9b1796740385fcbdf3e093eb9aabedc0f20a48ea1d68@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r601f15f3de7ae3a7bbcd780c19155075c56443c2cdc1d193c03b4182@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b7cc6ac733e0b35816751cf45d152ae246a3f40e0b1e62b101c9522@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r562a0cbc5c8cac4d000a27b2854a8ab1b924aa9dd45f8ffbea98e5ad@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5612dc69e1f79c421faf9764ffbc92591e2a69ea417c04cba57f49ea@%3Cuser.karaf.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r521a077885ce79c44a799118c878589e81e525cab72d368e5cfb6f61@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r51f8975ef47c12a46fbfd7da9efea7f08e1d307fe1dc3042514659ae@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4c92ea39167c0f7b096ae8268db496b5451d69606f0304b7c8a994c7@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a456d89a83752a012d88a60ff4b21def6c9f650b9e69ea9fa11c9f9@%3Cissues.spark.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r492cff8488a7f6eb96700afb5d137b719ddb80a833e77f971d2691c6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r463b12b27264c5e1e3c48c8c2cc5d33813d2f0d981102548fb3102fb@%3Cissues.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r409ee2bae66bfff6aa89e6c74aff535e6248260d3afcb42bfb3b316b@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3ce0e31b25ad4ee8f7c42b62cfdc72d1b586f5d6accd23f5295b6dd1@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r35ab810c0f3016b3fd3a3fa9088a2d2781b354a810780ce74d022b6c@%3Cdev.kafka.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-03-10T03:46:22Z\",\n \"nvd_published_at\": \"2021-02-26T22:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-m6cp-vxjx-65j6\",\n \"published\": \"2021-06-23T20:23:04Z\",\n \"modified\": \"2024-02-17T05:34:59.415608Z\",\n \"aliases\": [\n \"CVE-2021-34428\"\n ],\n \"related\": [\n \"CVE-2021-34428\"\n ],\n \"summary\": \"SessionListener can prevent a session from being invalidated breaking logout\",\n \"details\": \"### Impact\\nIf an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.\\n\\nThere is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out.\\n\\n### Workarounds\\nThe application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.41\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.40\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-m6cp-vxjx-65j6/GHSA-m6cp-vxjx-65j6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-34428\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210813-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-613\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-06-22T16:41:00Z\",\n \"nvd_published_at\": \"2021-06-22T15:15:00Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mwcx-532g-8pq3\",\n \"published\": \"2018-10-16T17:44:11Z\",\n \"modified\": \"2024-02-17T05:43:52.147542Z\",\n \"aliases\": [\n \"CVE-2018-12538\"\n ],\n \"summary\": \"Access and integrity issue within Eclipse Jetty\",\n \"details\": \"In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.11.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.10.v20180503\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-mwcx-532g-8pq3/GHSA-mwcx-532g-8pq3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2018-12538\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=536018\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mwcx-532g-8pq3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041194\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-384\",\n \"CWE-6\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:47:31Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p26g-97m4-6q7c\",\n \"published\": \"2023-04-18T22:19:57Z\",\n \"modified\": \"2024-02-20T05:30:22.058149Z\",\n \"aliases\": [\n \"CVE-2023-26049\"\n ],\n \"related\": [\n \"CGA-6jj8-gqq9-qj3c\",\n \"CVE-2023-26049\"\n ],\n \"summary\": \"Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies\",\n \"details\": \"Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism.\\n\\nIf Jetty sees a cookie VALUE that starts with `\\\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered.\\n\\nSo, a cookie header such as:\\n\\n`DISPLAY_LANGUAGE=\\\"b; JSESSIONID=1337; c=d\\\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d`\\n\\ninstead of 3 separate cookies.\\n\\n### Impact\\nThis has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server.\\n\\n### Patches\\n* 9.4.51.v20230217 - via PR #9352\\n* 10.0.15 - via PR #9339\\n* 11.0.15 - via PR #9339\\n\\n### Workarounds\\nNo workarounds\\n\\n### References\\n* https://www.rfc-editor.org/rfc/rfc2965\\n* https://www.rfc-editor.org/rfc/rfc6265\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.51.v20230217\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0alpha0\"\n },\n {\n \"fixed\": \"12.0.0.beta0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0.alpha0\",\n \"12.0.0.alpha1\",\n \"12.0.0.alpha2\",\n \"12.0.0.alpha3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-p26g-97m4-6q7c/GHSA-p26g-97m4-6q7c.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26049\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/pull/9339\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/pull/9352\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230526-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5507\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.rfc-editor.org/rfc/rfc2965\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.rfc-editor.org/rfc/rfc6265\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-04-18T22:19:57Z\",\n \"nvd_published_at\": \"2023-04-18T21:15:09Z\",\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-q4rv-gq96-w7c5\",\n \"published\": \"2025-05-08T19:28:34Z\",\n \"modified\": \"2025-05-08T19:57:34.204933Z\",\n \"aliases\": [\n \"CVE-2024-13009\"\n ],\n \"related\": [\n \"CGA-45cx-7c8c-j882\",\n \"CGA-rwgq-jjw3-3vrc\"\n ],\n \"summary\": \"**UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request\",\n \"details\": \"In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.57.v20241219\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.52.v20230823\",\n \"9.4.53.v20231009\",\n \"9.4.54.v20240208\",\n \"9.4.55.v20240627\",\n \"9.4.56.v20240826\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.56\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-q4rv-gq96-w7c5/GHSA-q4rv-gq96-w7c5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty/jetty.project/security/advisories/GHSA-q4rv-gq96-w7c5\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2024-13009\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jetty/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/48\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-404\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-08T19:28:34Z\",\n \"nvd_published_at\": \"2025-05-08T18:15:41Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qw69-rqj8-6qw8\",\n \"published\": \"2023-04-19T18:15:45Z\",\n \"modified\": \"2024-02-20T05:33:41.250857Z\",\n \"aliases\": [\n \"CVE-2023-26048\"\n ],\n \"related\": [\n \"CGA-q672-cgj3-7q4g\",\n \"CVE-2023-26048\"\n ],\n \"summary\": \"OutOfMemoryError for large multipart without filename in Eclipse Jetty\",\n \"details\": \"### Impact\\nServlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content.\\n\\nThis happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk.\\n\\nAn attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`.\\nHowever, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time.\\n\\nA very large number of parts may cause the same problem.\\n\\n### Patches\\nPatched in Jetty versions\\n\\n* 9.4.51.v20230217 - via PR #9345\\n* 10.0.14 - via PR #9344\\n* 11.0.14 - via PR #9344\\n\\n### Workarounds\\nMultipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).\\nLimiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues.\\n\\n### References\\n* https://github.com/eclipse/jetty.project/issues/9076\\n* https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.51.v20230217\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0\"\n },\n {\n \"fixed\": \"10.0.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0\"\n },\n {\n \"fixed\": \"11.0.14\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-qw69-rqj8-6qw8/GHSA-qw69-rqj8-6qw8.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-26048\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/9076\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/pull/9344\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/pull/9345\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.51.v20230217\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230526-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2023/dsa-5507\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\",\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-04-19T18:15:45Z\",\n \"nvd_published_at\": \"2023-04-18T21:15:08Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qxp4-27vx-xmm3\",\n \"published\": \"2022-05-14T01:27:35Z\",\n \"modified\": \"2024-04-19T19:16:17.732170Z\",\n \"aliases\": [\n \"CVE-2011-4461\"\n ],\n \"summary\": \"Improper Input Validation in Jetty\",\n \"details\": \"Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"8.1.0.RC4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 8.1.0.RC2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qxp4-27vx-xmm3/GHSA-qxp4-27vx-xmm3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2011-4461\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/72017\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190307-0004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=143387688830075\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/903934\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ocert.org/advisories/ocert-2011-003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-1429-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-13T18:07:02Z\",\n \"nvd_published_at\": \"2011-12-30T01:55:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-r28m-g6j9-r2h5\",\n \"published\": \"2019-04-23T16:07:18Z\",\n \"modified\": \"2024-02-16T08:10:20.837486Z\",\n \"aliases\": [\n \"CVE-2019-10246\"\n ],\n \"summary\": \"Information Exposure vulnerability in Eclipse Jetty\",\n \"details\": \"In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.2.0\"\n },\n {\n \"fixed\": \"9.2.28.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.27.v20190403\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.27.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.26.v20190403\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.17.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.16.v20190411\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-r28m-g6j9-r2h5/GHSA-r28m-g6j9-r2h5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10246\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=546576\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190509-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-213\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-23T16:03:54Z\",\n \"nvd_published_at\": \"2019-04-22T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vgg8-72f2-qm23\",\n \"published\": \"2018-10-19T16:15:34Z\",\n \"modified\": \"2024-02-17T05:36:15.080820Z\",\n \"aliases\": [\n \"CVE-2017-7657\"\n ],\n \"summary\": \"Critical severity vulnerability that affects org.eclipse.jetty:jetty-server\",\n \"details\": \"In Eclipse Jetty, versions 9.2.x and older, 9.3.x, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.2.25.v20180606\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.25.v20180105\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.24.v20180605\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.23.v20180228\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-vgg8-72f2-qm23/GHSA-vgg8-72f2-qm23.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-7657\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2019:0910\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-vgg8-72f2-qm23\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r41af10c4adec8d34a969abeb07fd0d6ad0c86768b751464f1cdd23e8@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9159c9e7ec9eac1613da2dbaddbc15691a13d4dbb2c8be974f42e6ae@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra6f956ed4ec2855583b2d0c8b4802b450f593d37b77509b48cd5d574@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20181014-0001\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US\\u0026docId=emr_na-hpesbst03953en_us\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2018/dsa-4278\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id/1041194\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-190\",\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T21:57:40Z\",\n \"nvd_published_at\": \"2018-06-26T16:29:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-wfcc-pff6-rgc5\",\n \"published\": \"2018-10-19T16:15:46Z\",\n \"modified\": \"2024-02-16T08:22:10.602897Z\",\n \"aliases\": [\n \"CVE-2017-9735\"\n ],\n \"summary\": \"Jetty vulnerable to exposure of sensitive information due to observable discrepancy\",\n \"details\": \"Jetty through 9.4.x contains a timing channel attack in `util/security/Password.java`, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.6.v20170531\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.5.v20170502\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.20.v20170531\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.19.v20170502\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.2.22.v20170606\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.21.v20170120\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-9735\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/1556\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.debian.org/864631\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/99104\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-203\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-16T22:00:10Z\",\n \"nvd_published_at\": \"2017-06-16T21:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x3rh-m7vp-35f2\",\n \"published\": \"2020-08-05T14:52:59Z\",\n \"modified\": \"2024-03-14T05:49:04.832402Z\",\n \"aliases\": [\n \"CVE-2019-17638\"\n ],\n \"summary\": \"Operation on a Resource after Expiration or Release in Jetty Server\",\n \"details\": \"In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.27\"\n },\n {\n \"fixed\": \"9.4.30.v20200611\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.30.v20200610\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-x3rh-m7vp-35f2/GHSA-x3rh-m7vp-35f2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-17638\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/4936\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/commit/ff8ae56fa939c3477a0cdd1ff56ce3d902f08fba\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-575561\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XE6US6VPZHOWFMUSFGDS5V2DNQPY5MKB\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd98cfd012490cb02caa1a11aaa0cc38bff2d43bcce9b20c2f01063dd@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbe1f230e87ea947593145d0072d0097ddb0af10fee1161db8ca1546c@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra8661fc8c69c647cb06153c1485d48484a833d873f75dfe45937e9de@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9a2cfa56d30782a0c17a5deb951a622d1f5c8de48e1c3b578ffc2a84@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r81f58591fb4716fb867b36956f30c7c8ad4ab3f23abc952d9d86a2a0@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7fc5f2ed49641ea91c433e3cd0fc3d31c0278c87b82b15c33b881415@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r521168299e023fb075b57afe33d17ff1d09e8a10e0fd8c775ea0e028@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4bdd3f7bb6820a79f9416b6667d718a06d269018619a75ce4b759318@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r378e4cdec15e132575aa1dcb6296ffeff2a896745a8991522e266ad4@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r29073905dc9139d0d7a146595694bf57bb9e35e5ec6aa73eb9c8443a@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2020/08/17/1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-672\",\n \"CWE-675\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-08-03T20:11:29Z\",\n \"nvd_published_at\": \"2020-07-09T18:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-xc67-hjx6-cgg6\",\n \"published\": \"2019-04-23T16:07:12Z\",\n \"modified\": \"2024-03-14T05:20:28.011920Z\",\n \"aliases\": [\n \"CVE-2019-10247\"\n ],\n \"summary\": \"Installation information leak in Eclipse Jetty\",\n \"details\": \"In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"9.2.28.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.3.v20140905\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.2.27.v20190403\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.3.0\"\n },\n {\n \"fixed\": \"9.3.27.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.3.v20150827\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.3.26.v20190403\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-server\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-server\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.0\"\n },\n {\n \"fixed\": \"9.4.17.v20190418\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.16.v20190411\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-xc67-hjx6-cgg6/GHSA-xc67-hjx6-cgg6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-10247\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20190509-0003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-213\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2019-04-23T16:04:31Z\",\n \"nvd_published_at\": \"2019-04-22T20:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-g3wg-6mcf-8jj6\",\n \"published\": \"2020-11-04T17:50:24Z\",\n \"modified\": \"2024-03-13T05:33:39.122153Z\",\n \"aliases\": [\n \"CVE-2020-27216\"\n ],\n \"related\": [\n \"CVE-2020-27216\"\n ],\n \"summary\": \"Local Temp Directory Hijacking Vulnerability\",\n \"details\": \"### Impact\\nOn Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\\n\\nAdditionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable.\\n\\nAdditionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted.\\nSee: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR\\n\\nFor example:\\n```java\\nimport java.io.File;\\nimport java.io.IOException;\\nimport javax.servlet.ServletContext;\\nimport javax.servlet.ServletException;\\nimport javax.servlet.http.HttpServlet;\\nimport javax.servlet.http.HttpServletRequest;\\nimport javax.servlet.http.HttpServletResponse;\\n\\npublic class ExampleServlet extends HttpServlet {\\n @Override\\n protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {\\n File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised\\n // do something with that temp dir\\n }\\n}\\n```\\n\\nExample: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them.\\n\\n### CVSSv3.1 Evaluation\\n\\nThis vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\\u0026version=3.1)\\n\\n### Patches\\nFixes were applied to the 9.4.x branch with:\\n- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb\\n- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f\\n\\nThese will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3\\n\\n### Workarounds\\n\\nA work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system.\\nFor recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory).\\nAlternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below.\\n\\nThe Jetty search order for finding a temporary directory is as follows:\\n\\n1. If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it.\\n2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it.\\n3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1)\\n4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it.\\n5. Use `System.getProperty(\\\"java.io.tmpdir\\\")` and use it.\\n\\nJetty will end traversal at the first successful step.\\nTo mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker.\\n\\n#### Setting a Jetty server temporary directory.\\n\\nChoices 3 and 5 apply to the server level, and will impact all deployed webapps on the server.\\n\\nFor choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty.\\n\\nFor choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty.\\n\\n``` shell\\n[jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar\\n```\\n\\n#### Setting a Context specific temporary directory.\\n\\nThe rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/\\u003ccontext\\u003e.xml`)\\n\\nExample (excluding the DTD which is version specific):\\n\\n``` xml\\n\\u003cConfigure class=\\\"org.eclipse.jetty.webapp.WebAppContext\\\"\\u003e\\n \\u003cSet name=\\\"contextPath\\\"\\u003e\\u003cProperty name=\\\"foo\\\"/\\u003e\\u003c/Set\\u003e\\n \\u003cSet name=\\\"war\\\"\\u003e/var/web/webapps/foo.war\\u003c/Set\\u003e\\n \\u003cSet name=\\\"tempDirectory\\\"\\u003e/var/web/work/foo\\u003c/Set\\u003e\\n\\u003c/Configure\\u003e\\n```\\n\\n### References\\n \\n - https://github.com/eclipse/jetty.project/issues/5451\\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\\n - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473)\\n\\n### Similar Vulnerabilities\\n\\nSimilar, but not the same.\\n\\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\\n - Google Guava - https://github.com/google/guava/issues/4011\\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\\n\\n### For more information\\n\\nThe original report of this vulnerability is below:\\n\\n\\u003e On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh \\u003cjonathan.leitschuh@gmail.com\\u003e wrote:\\n\\u003e Hi WebTide Security Team,\\n\\u003e\\n\\u003e I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty.\\n\\u003e\\n\\u003e https://lgtm.com/query/5615014766184643449/\\n\\u003e\\n\\u003e I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users.\\n\\u003e There exists a race condition between the deletion of the temporary file and the creation of the directory.\\n\\u003e\\n\\u003e ```java\\n\\u003e // ensure file will always be unique by appending random digits\\n\\u003e tmpDir = File.createTempFile(temp, \\\".dir\\\", parent); // Attacker knows the full path of the file that will be generated\\n\\u003e // delete the file that was created\\n\\u003e tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty.\\n\\u003e // and make a directory of the same name\\n\\u003e // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory\\n\\u003e tmpDir.mkdirs();\\n\\u003e ```\\n\\u003e\\n\\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518\\n\\u003e\\n\\u003e In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback.\\n\\u003e\\n\\u003e\\n\\u003e https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468\\n\\u003e\\n\\u003e If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.\\n\\u003e\\n\\u003e Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories\\n\\u003e\\n\\u003e **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.**\\n\\u003e\\n\\u003e Cheers,\\n\\u003e Jonathan Leitschuh\\n\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.33.v20201020\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.33\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.pre4\",\n \"7.0.0.pre5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0.beta1\"\n },\n {\n \"fixed\": \"10.0.0.beta3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0.beta1\",\n \"10.0.0.beta2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.0.beta2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0.beta1\"\n },\n {\n \"fixed\": \"10.0.0.beta3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.0.beta2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0.beta1\"\n },\n {\n \"fixed\": \"11.0.0.beta3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0.beta1\",\n \"11.0.0.beta2\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.0.beta2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0.beta1\"\n },\n {\n \"fixed\": \"11.0.0.beta3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.0.beta2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/11/GHSA-g3wg-6mcf-8jj6/GHSA-g3wg-6mcf-8jj6.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-27216\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/issues/5451\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/github/codeql/pull/4473\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raa9c370ab42d737e93bc1795bb6a2187d7c60210cd5e3b3ce8f3c484@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rae15d73cabef55bad148e4e6449b05da95646a2a8db3fc938e858dff@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb077d35f2940191daeefca0d6449cddb2e9d06bcf8f5af4da2df3ca2@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb5f2558ea2ac63633dfb04db1e8a6ea6bb1a2b8614899095e16c6233@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb69b1d7008a4b3de5ce5867e41a455693907026bc70ead06867aa323@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb7e159636b26156f6ef2b2a1a79b3ec9a026923b5456713e68f7c18e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb81a018f83fe02c95a2138a7bb4f1e1677bd7e1fc1e7024280c2292d@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8ad3745cb94c60d44cc369aff436eaf03dbc93112cefc86a2ed53ba@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc5a622401924fadab61e07393235838918228b3d8a1a6704295b032@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbf99e4495461099cad9aa62e0164f8f25a7f97b791b4ace56e375f8d@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1646894341450fdc4f7e96a88f5e2cf18d8004714f98aec6b831b3e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1d9b8e9d17749d4d2b9abaaa72c422d090315bd6bc0ae73a16abc1c@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8cacf91ae1b17cc6531d20953c52fa52f6fd3191deb3383446086ab7@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8dd01541fc49d24ec223365a9974231cbd7378b749247a89b0a52210@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8fead0144bb84d8714695c43607dca9c5101aa028a431ec695882fe5@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90b5ac6e2bf190a5297bda58c7ec76d01cd86ff050b2470fcd9f4b35@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r911c1879258ebf98bca172c0673350eb7ea6569ca1735888d4cb7adc@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r916b6542bd5b15a8a7ff8fc14a0e0331e8e3e9d682f22768ae71d775@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r93b240be16e642579ed794325bae31b040e1af896ecc12466642e19d@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9b790fe3a93121199f41258474222f15002b2f729495aa7ecbf90718@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9c010b79140452294292379183e7fe8e3533c5bb4db3f3fb39a6df61@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9cc76b98f87738791b8ec3736755f92444d3c8cb26bd4e4ffdb5c1cc@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9cd444f944241dc26d9b8b007fe8971ed7f005b56befef7a4f4fb827@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d9b4b93df7f92cdf1147db0fc169be1776c93d1fbc63bc65721fffd@%3Cdev.knox.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9f8c45a2a4540911cd8bd0485f67e8091883c9234d7a3aeb349c46c1@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ree506849c4f04376793b1a3076bc017da60b8a2ef2702dc214ff826f@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/refbbb0eb65c185d1fa491cee08ac8ed32708ce3b269133a6da264317@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf00ea6376f3d0e8b8f62cf6d4a4f28b24e27193acd2c851f618aa41e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf3bc023a7cc729aeac72f482e2eeeab9008aa6b1dadbeb3f45320cae@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfd9f102864a039f7fda64a580dfe1a342d65d7b723ca06dc9fbceb31@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe5caef1fd6cf4b8ceac1b63c33195f2908517b665c946c020d3fbd6@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rff0ad6a7dac2182421e2db2407e44fbb61a89904adfd91538f21fbf8@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20201123-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2021/dsa-4949\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc44d1147f78496ec9932a38b28795ff4fd0c4fa6e3b6f5cc33c14d29@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc77918636d8744d50312e4f67ba2e01f47db3ec5144540df8745cb38@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc8dd95802be0cca8d7d0929c0c8484ede384ecb966b2a9dc7197b089@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc9d2ab8a6c7835182f20b01104798e67c75db655c869733a0713a590@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rccedec4cfd5df6761255b71349e3b7c27ee0745bd33698a71b1775cf@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcdcf32952397c83a1d617a8c9cd5c15c98b8d0d38a607972956bde7e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcdd56ab4255801a0964dcce3285e87f2c6994e6469e189f6836f34e3@%3Cnotifications.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcfb95a7c69c4b9c082ea1918e812dfc45aa0d1e120fd47f68251a336@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcff5caebfd535195276aaabc1b631fd55a4ff6b14e2bdfe33f18ff91@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd7e62e2972a41c2658f41a824b8bdd15644d80fcadc51fe7b7c855de@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdddb4b06e86fd58a1beda132f22192af2f9b56aae8849cb3767ccd55@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1ef28b89ff0281c87ba3a7659058789bf28a99b8074191f1c3678db8@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1fe31643fc34b4a33ae3d416d92c271aa97663f1782767d25e1d9ff8@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2122537d3f9beb0ce59f44371a951b226406719919656ed000984bd0@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r279254a1bd6434c943da52000476f307e62b6910755387aeca1ec9a1@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2aa316d008dab9ae48350b330d15dc1b863ea2a933558fbfc42b91a6@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2e02700f7cfecb213de50be83e066086bea90278cd753db7fdc2ccff@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2f732ee49d00610683ab5ddb4692ab25136b00bfd132ca3a590218a9@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3042a9dd2973aa229e52d022df7813e4d74b67df73bfa6d97bb0caf8@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r336b1694a01858111e4625fb9ab2b07ad43a64a525cf6402e06aa6bf@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r351298dd39fc1ab63303be94b0c0d08acd72b17448e0346d7386189b@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r382870d6ccfd60533eb0d980688261723ed8a0704dafa691c4e9aa68@%3Ccommits.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3b0ce1549a1ccdd7e51ec66daf8d54d46f1571edbda88ed09c96d7da@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cwe.mitre.org/data/definitions/378.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://cwe.mitre.org/data/definitions/379.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0259b14ae69b87821e27fed1f5333ea86018294fd31aab16b1fac84e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d7ad4f02c44d5d53a9ffcbca7ff4a8138241322da9c5c35b5429630@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0d95e01f52667f44835c40f6dea72bb4397f33cd70a564ea74f3836d@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r171846414347ec5fed38241a9f8a009bd2c89d902154c6102b1fb39a@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r185d10aae8161c08726f3ba9a1f1c47dfb97624ea6212fa217173204@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r19e8b338af511641d211ff45c43646fe1ae19dc9897d69939c09cabe@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r1d40368a309f9d835dcdd900249966e4fcbdf98c1cc4c84db2cd9964@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6b83ca85c8f9a6794b1f85bc70d1385ed7bc1ad07750d0977537154a@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dfa64ecc3d67c1a71c08bfa04064549179d499f8e20a8285c57bd51@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6f51a654ac2e67e3d1c65a8957cbbb127c3f15b64b4fcd626df03633@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r70f8bcccd304bd66c1aca657dbfc2bf11f73add9032571b01f1f733d@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r71da5f51ef04cb95abae560425dce9667740cbd567920f516f76efb7@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r73b5a9b677b707bbb7c1469ea746312c47838b312603bada9e382bba@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r761a52f1e214efec286ee80045d0012e955eebaa72395ad62cccbcfc@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r77dd041d8025a869156481d2268c67ad17121f64e31f9b4a1a220145@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7bdc83513c12db1827b79b8d57a7a0975a25d28bc6c5efe590ec1e02@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8045eedd6bb74efcd8e01130796adbab98ee4a0d1273509fb1f2077a@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r819857361f5a156e90d6d06ccf6c41026bc99030d60d0804be3a9957@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r827d17bf6900eddc686f4b6ee16fc5e52ca0070f8df7612222c40ac5@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r87b0c69fef09277333a7e1716926d1f237d462e143a335854ddd922f@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r87d8337300a635d66f0bb838bf635cdfcbba6b92c608a7813adbf4f4@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8866f0cd2a3b319288b7eea20ac137b9f260c813d10ee2db88b65d32@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3f32cb4965239399c22497a0aabb015b28b2372d4897185a6ef0ccd7@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r407c316f6113dfc76f7bb3cb1693f08274c521064a92e5214197548e@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4179c71908778cc0598ee8ee1eaed9b88fc5483c65373f45e087f650@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r44115ebfbf3b7d294d7a75f2d30bcc822dab186ebbcc2dce11915ca9@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4946ffd86ad6eb7cb7863311235c914cb41232380de8d9dcdb3c115c@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r503045a75f4419d083cb63ac89e765d6fb8b10c7dacc0c54fce07cff@%3Creviews.iotdb.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r547bb14c88c5da2588d853ed3030be0109efa537dd797877dff14afd@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r556787f1ab14da034d79dfff0c123c05877bbe89ef163fd359b4564c@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r58f5b14dc5ae43583db3a7e872419aca97ebe47bcd7f7334f4128016@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5a07f274f355c914054c7357ad6d3456ffaca064f26cd780acb90a9a@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5a9462096c71593e771602beb0e69357adb5175d9a5c18d5181e0ab4@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6236ae4adc401e3b2f2575c22865f2f6c6ea9ff1d7b264b40d9602af@%3Cissues.beam.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-378\",\n \"CWE-379\",\n \"CWE-552\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-11-04T17:48:31Z\",\n \"nvd_published_at\": \"2020-10-23T13:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-v7ff-8wcx-gmc5\",\n \"published\": \"2021-04-06T17:31:01Z\",\n \"modified\": \"2024-03-15T05:19:57.447892Z\",\n \"aliases\": [\n \"CVE-2021-28164\"\n ],\n \"related\": [\n \"CVE-2021-28164\"\n ],\n \"summary\": \"Authorization Before Parsing and Canonicalization in jetty\",\n \"details\": \"Release 9.4.37 introduced a more precise implementation of [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.3) with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the `WEB-INF` directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application. Workarounds found by HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating `start.d/http.ini` to include: jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.37\"\n },\n {\n \"fixed\": \"9.4.39\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-v7ff-8wcx-gmc5/GHSA-v7ff-8wcx-gmc5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28164\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210611-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-551\",\n \"CWE-863\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-02T20:28:10Z\",\n \"nvd_published_at\": \"2021-04-01T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vjv5-gp2w-65vm\",\n \"published\": \"2021-07-19T15:15:24Z\",\n \"modified\": \"2024-03-08T05:16:35.196736Z\",\n \"aliases\": [\n \"CVE-2021-34429\"\n ],\n \"related\": [\n \"CVE-2021-34429\"\n ],\n \"summary\": \"Encoded URIs can access WEB-INF directory in Eclipse Jetty\",\n \"details\": \"### Description\\nURIs can be crafted using some encoded characters to access the content of the `WEB-INF` directory and/or bypass some security constraints.\\nThis is a variation of the vulnerability reported in [CVE-2021-28164](https://nvd.nist.gov/vuln/detail/CVE-2021-28164)/[GHSA-v7ff-8wcx-gmc5](https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5).\\n\\n### Impact\\nThe default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to `/%u002e/WEB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.\\n\\n### Workarounds\\nSome Jetty [rewrite rules](https://www.eclipse.org/jetty/documentation/jetty-9/index.html#rewrite-handler) can be deployed to rewrite any request containing encoded dot segments or null characters in the raw request URI, to a known not found resource:\\n```xml\\n\\u003cCall name=\\\"addRule\\\"\\u003e\\n \\u003cArg\\u003e\\n \\u003cNew class=\\\"org.eclipse.jetty.rewrite.handler.RewriteRegexRule\\\"\\u003e\\n \\u003cSet name=\\\"regex\\\"\\u003e.*/(?:\\\\.+/)+.*\\u003c/Set\\u003e\\n \\u003cSet name=\\\"replacement\\\"\\u003e/WEB-INF/Not-Found\\u003c/Set\\u003e\\n \\u003c/New\\u003e\\n \\u003c/Arg\\u003e\\n\\u003c/Call\\u003e\\n\\u003cCall name=\\\"addRule\\\"\\u003e\\n \\u003cArg\\u003e\\n \\u003cNew class=\\\"org.eclipse.jetty.rewrite.handler.ValidUrlRule\\\"/\\u003e\\n \\u003c/Arg\\u003e\\n\\u003c/Call\\u003e\\n```\\n\\n### Analysis\\nPrior to 9.4.37, Jetty was protected from this style of attack by two lines of defense:\\n + URIs were decoded first and then normalized for `.` and `..` sequences. Whilst this is not according to the RFC, it did remove relative segments that were encoded or parameterized and made the resulting URI paths safe from any repeated normalization (often done by URI manipulation and file system mapping).\\n + The `FileResource` class treated any difference between absolute path and canonical path of a resource as an alias, and thus the resource would not be served by default.\\n\\nPrior to 9.4.37, the `FileResource` class was replaced by the `PathResource` class that did not treat normalization differences as aliases. Then release 9.4.37 updated the URI parsing to be compliant with the RFC, in that normalization is done before decoding. This allowed various encodings or adornments to relative path segments that would not be normalized by the pure RFC URI normalization, but were normalized by the file system, thus allowing protected resources to be accessed via an alias. Specifically by decoding URIs after normalization, it left them vulnerable to any subsequent normalization (potentially after checking security constraints) changing the URI singificantly. Such extra normalization is often down by URI manipulation code and file systems.\\n\\nWith Jetty releases 9.4.43, 10.0.6, 11.0.6, we have restored several lines of defense:\\n + URIs are first decoded and then normalized which is not strictly according to the current RFC. Since the normalization is done after decoding, the URI paths produced are safe from further normalisation and the referenced resource cannot easily be so changed after passing security constraints.\\n + During URI parsing checks are made for some specific segments/characters that are possible to be seen ambiguously by an application (e.g. encode dot segments, encoded separators, empty segments, parameterized dot segments and/or null characters). So even though Jetty code handles these URIs correctly, there is a risk that an application may not do so, thus such requests are rejected with a 400 Bad Request unless a specific compliance mode is set.\\n + Once decoded and normalized by initial URI processing, Jetty will not decode or normalize a received URI again within its own resource handling. This avoids to possibility of double decode attacks.\\n + The `ContextHandler.getResource(String path)` method always checks that the passed path is normalized, only accepting a non normal path if approved by an AliasChecker. This is the method that is directly used by Jetty resource serving.\\n + The API methods like `ServletContext.getResource(String path)` will normalize the prior to calling `ContextHandler.getResource(String path)`. This allows applications to use non normal paths.\\n + The `PathResource` class now considers any difference in normal/canonical name between a request resource name and the found resource name to be an alias, which will only be served if approved by an explicit `AliasChecker`\\n\\nIn summary, the defense is a front line of detection of specific known URI alias attacks, with the last line defense of not allowing any aliasing of resources.\\n\\nMany thanks to @cangqingzhe from @CloverSecLabs for reporting this issue. \",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"9.4.37\"\n },\n {\n \"fixed\": \"9.4.43\"\n }\n ]\n }\n ],\n \"versions\": [\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.1\"\n },\n {\n \"fixed\": \"10.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.1\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-webapp\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-webapp\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.1\"\n },\n {\n \"fixed\": \"11.0.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.1\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-vjv5-gp2w-65vm/GHSA-vjv5-gp2w-65vm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-34429\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210819-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.43.v20210629\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\",\n \"CWE-551\",\n \"CWE-863\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-07-15T21:33:21Z\",\n \"nvd_published_at\": \"2021-07-15T17:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-58qw-p7qm-5rvh\",\n \"published\": \"2023-07-10T21:52:39Z\",\n \"modified\": \"2024-12-02T05:55:39.987028Z\",\n \"related\": [\n \"CGA-36vh-w34f-wv6m\",\n \"CGA-cvc4-35r3-qcp6\"\n ],\n \"summary\": \"Eclipse Jetty XmlParser allows arbitrary DOCTYPE declarations\",\n \"details\": \"### From the reporter\\n\\n\\u003e `XmlParser` is vulnerable to XML external entity (XXE) vulnerability.\\n\\u003e XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit\\n\\u003e this vulnerability in order to achieve SSRF or cause a denial of service.\\n\\u003e One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the\\n\\u003e WAR includes a malicious web.xml.\\n\\n### Impact\\nThere are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. \\n\\nThus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory.\\n\\nHowever, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely.\\n\\n### Patches\\nAbility to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067\\n\\n### Workarounds\\nDon't use `XmlParser` to parse data from users.\\n\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-xml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-xml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"10.0.0-alpha0\"\n },\n {\n \"fixed\": \"10.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"10.0.0\",\n \"10.0.0-alpha0\",\n \"10.0.0.alpha1\",\n \"10.0.0.alpha2\",\n \"10.0.0.beta0\",\n \"10.0.0.beta1\",\n \"10.0.0.beta2\",\n \"10.0.0.beta3\",\n \"10.0.1\",\n \"10.0.10\",\n \"10.0.11\",\n \"10.0.12\",\n \"10.0.13\",\n \"10.0.14\",\n \"10.0.15\",\n \"10.0.2\",\n \"10.0.3\",\n \"10.0.4\",\n \"10.0.5\",\n \"10.0.6\",\n \"10.0.7\",\n \"10.0.8\",\n \"10.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 10.0.15\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-xml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-xml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"11.0.0-alpha0\"\n },\n {\n \"fixed\": \"11.0.16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"11.0.0\",\n \"11.0.0-alpha0\",\n \"11.0.0.beta1\",\n \"11.0.0.beta2\",\n \"11.0.0.beta3\",\n \"11.0.1\",\n \"11.0.10\",\n \"11.0.11\",\n \"11.0.12\",\n \"11.0.13\",\n \"11.0.14\",\n \"11.0.15\",\n \"11.0.2\",\n \"11.0.3\",\n \"11.0.4\",\n \"11.0.5\",\n \"11.0.6\",\n \"11.0.7\",\n \"11.0.8\",\n \"11.0.9\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 11.0.15\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-xml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-xml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"12.0.0.alpha0\"\n },\n {\n \"fixed\": \"12.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"12.0.0.alpha0\",\n \"12.0.0.alpha1\",\n \"12.0.0.alpha2\",\n \"12.0.0.alpha3\",\n \"12.0.0.beta0\",\n \"12.0.0.beta1\",\n \"12.0.0.beta2\",\n \"12.0.0.beta3\",\n \"12.0.0.beta4\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 12.0.0.beta4\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jetty:jetty-xml\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jetty/jetty-xml\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"9.4.52.v20230823\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.M0\",\n \"7.0.0.M1\",\n \"7.0.0.M2\",\n \"7.0.0.M3\",\n \"7.0.0.M4\",\n \"7.0.0.RC0\",\n \"7.0.0.RC1\",\n \"7.0.0.RC2\",\n \"7.0.0.RC3\",\n \"7.0.0.RC4\",\n \"7.0.0.RC5\",\n \"7.0.0.RC6\",\n \"7.0.0.v20091005\",\n \"7.0.1.v20091125\",\n \"7.0.2.RC0\",\n \"7.0.2.v20100331\",\n \"7.1.0.RC0\",\n \"7.1.0.RC1\",\n \"7.1.0.v20100505\",\n \"7.1.1.v20100517\",\n \"7.1.2.v20100523\",\n \"7.1.3.v20100526\",\n \"7.1.4.v20100610\",\n \"7.1.5.v20100705\",\n \"7.1.6.v20100715\",\n \"7.2.0.RC0\",\n \"7.2.0.v20101020\",\n \"7.2.1.v20101111\",\n \"7.2.2.v20101205\",\n \"7.3.0.v20110203\",\n \"7.3.1.v20110307\",\n \"7.4.0.RC0\",\n \"7.4.0.v20110414\",\n \"7.4.1.v20110513\",\n \"7.4.2.v20110526\",\n \"7.4.3.v20110701\",\n \"7.4.4.v20110707\",\n \"7.4.5.v20110725\",\n \"7.5.0.RC0\",\n \"7.5.0.RC1\",\n \"7.5.0.RC2\",\n \"7.5.0.v20110901\",\n \"7.5.1.v20110908\",\n \"7.5.2.v20111006\",\n \"7.5.3.v20111011\",\n \"7.5.4.v20111024\",\n \"7.6.0.RC0\",\n \"7.6.0.RC1\",\n \"7.6.0.RC2\",\n \"7.6.0.RC3\",\n \"7.6.0.RC4\",\n \"7.6.0.RC5\",\n \"7.6.0.v20120127\",\n \"7.6.1.v20120215\",\n \"7.6.10.v20130312\",\n \"7.6.11.v20130520\",\n \"7.6.12.v20130726\",\n \"7.6.13.v20130916\",\n \"7.6.14.v20131031\",\n \"7.6.15.v20140411\",\n \"7.6.16.v20140903\",\n \"7.6.17.v20150415\",\n \"7.6.18.v20150929\",\n \"7.6.19.v20160209\",\n \"7.6.2.v20120308\",\n \"7.6.20.v20160902\",\n \"7.6.21.v20160908\",\n \"7.6.3.v20120416\",\n \"7.6.4.v20120524\",\n \"7.6.5.v20120716\",\n \"7.6.6.v20120903\",\n \"7.6.7.v20120910\",\n \"7.6.8.v20121106\",\n \"7.6.9.v20130131\",\n \"8.0.0.M0\",\n \"8.0.0.M1\",\n \"8.0.0.M2\",\n \"8.0.0.M3\",\n \"8.0.0.RC0\",\n \"8.0.0.v20110901\",\n \"8.0.1.v20110908\",\n \"8.0.2.v20111006\",\n \"8.0.3.v20111011\",\n \"8.0.4.v20111024\",\n \"8.1.0.RC0\",\n \"8.1.0.RC1\",\n \"8.1.0.RC2\",\n \"8.1.0.RC4\",\n \"8.1.0.RC5\",\n \"8.1.0.v20120127\",\n \"8.1.1.v20120215\",\n \"8.1.10.v20130312\",\n \"8.1.11.v20130520\",\n \"8.1.12.v20130726\",\n \"8.1.13.v20130916\",\n \"8.1.14.v20131031\",\n \"8.1.15.v20140411\",\n \"8.1.16.v20140903\",\n \"8.1.17.v20150415\",\n \"8.1.18.v20150929\",\n \"8.1.19.v20160209\",\n \"8.1.2.v20120308\",\n \"8.1.20.v20160902\",\n \"8.1.21.v20160908\",\n \"8.1.22.v20160922\",\n \"8.1.3.v20120416\",\n \"8.1.4.v20120524\",\n \"8.1.5.v20120716\",\n \"8.1.6.v20120903\",\n \"8.1.7.v20120910\",\n \"8.1.8.v20121106\",\n \"8.1.9.v20130131\",\n \"8.2.0.v20160908\",\n \"9.0.0.M0\",\n \"9.0.0.M1\",\n \"9.0.0.M2\",\n \"9.0.0.M3\",\n \"9.0.0.M4\",\n \"9.0.0.M5\",\n \"9.0.0.RC0\",\n \"9.0.0.RC1\",\n \"9.0.0.RC2\",\n \"9.0.0.v20130308\",\n \"9.0.1.v20130408\",\n \"9.0.2.v20130417\",\n \"9.0.3.v20130506\",\n \"9.0.4.v20130625\",\n \"9.0.5.v20130815\",\n \"9.0.6.v20130930\",\n \"9.0.7.v20131107\",\n \"9.1.0.M0\",\n \"9.1.0.RC0\",\n \"9.1.0.RC1\",\n \"9.1.0.RC2\",\n \"9.1.0.v20131115\",\n \"9.1.1.v20140108\",\n \"9.1.2.v20140210\",\n \"9.1.3.v20140225\",\n \"9.1.4.v20140401\",\n \"9.1.5.v20140505\",\n \"9.1.6.v20160112\",\n \"9.2.0.M0\",\n \"9.2.0.M1\",\n \"9.2.0.RC0\",\n \"9.2.0.v20140526\",\n \"9.2.1.v20140609\",\n \"9.2.10.v20150310\",\n \"9.2.11.M0\",\n \"9.2.11.v20150529\",\n \"9.2.12.M0\",\n \"9.2.12.v20150709\",\n \"9.2.13.v20150730\",\n \"9.2.14.v20151106\",\n \"9.2.15.v20160210\",\n \"9.2.16.v20160414\",\n \"9.2.17.v20160517\",\n \"9.2.18.v20160721\",\n \"9.2.19.v20160908\",\n \"9.2.2.v20140723\",\n \"9.2.20.v20161216\",\n \"9.2.21.v20170120\",\n \"9.2.22.v20170606\",\n \"9.2.23.v20171218\",\n \"9.2.24.v20180105\",\n \"9.2.25.v20180606\",\n \"9.2.26.v20180806\",\n \"9.2.27.v20190403\",\n \"9.2.28.v20190418\",\n \"9.2.29.v20191105\",\n \"9.2.3.v20140905\",\n \"9.2.30.v20200428\",\n \"9.2.4.v20141103\",\n \"9.2.5.v20141112\",\n \"9.2.6.v20141205\",\n \"9.2.7.v20150116\",\n \"9.2.8.v20150217\",\n \"9.2.9.v20150224\",\n \"9.3.0.M0\",\n \"9.3.0.M1\",\n \"9.3.0.M2\",\n \"9.3.0.RC0\",\n \"9.3.0.RC1\",\n \"9.3.0.v20150612\",\n \"9.3.1.v20150714\",\n \"9.3.10.M0\",\n \"9.3.10.v20160621\",\n \"9.3.11.M0\",\n \"9.3.11.v20160721\",\n \"9.3.12.v20160915\",\n \"9.3.13.M0\",\n \"9.3.13.v20161014\",\n \"9.3.14.v20161028\",\n \"9.3.15.v20161220\",\n \"9.3.16.v20170120\",\n \"9.3.17.RC0\",\n \"9.3.17.v20170317\",\n \"9.3.18.v20170406\",\n \"9.3.19.v20170502\",\n \"9.3.2.v20150730\",\n \"9.3.20.v20170531\",\n \"9.3.21.M0\",\n \"9.3.21.RC0\",\n \"9.3.21.v20170918\",\n \"9.3.22.v20171030\",\n \"9.3.23.v20180228\",\n \"9.3.24.v20180605\",\n \"9.3.25.v20180904\",\n \"9.3.26.v20190403\",\n \"9.3.27.v20190418\",\n \"9.3.28.v20191105\",\n \"9.3.29.v20201019\",\n \"9.3.3.v20150827\",\n \"9.3.30.v20211001\",\n \"9.3.4.RC0\",\n \"9.3.4.RC1\",\n \"9.3.4.v20151007\",\n \"9.3.5.v20151012\",\n \"9.3.6.v20151106\",\n \"9.3.7.RC0\",\n \"9.3.7.RC1\",\n \"9.3.7.v20160115\",\n \"9.3.8.RC0\",\n \"9.3.8.v20160314\",\n \"9.3.9.M0\",\n \"9.3.9.M1\",\n \"9.3.9.v20160517\",\n \"9.4.0.M0\",\n \"9.4.0.M1\",\n \"9.4.0.RC0\",\n \"9.4.0.RC1\",\n \"9.4.0.RC2\",\n \"9.4.0.RC3\",\n \"9.4.0.v20161208\",\n \"9.4.0.v20180619\",\n \"9.4.1.v20170120\",\n \"9.4.1.v20180619\",\n \"9.4.10.RC0\",\n \"9.4.10.RC1\",\n \"9.4.10.v20180503\",\n \"9.4.11.v20180605\",\n \"9.4.12.RC0\",\n \"9.4.12.RC1\",\n \"9.4.12.RC2\",\n \"9.4.12.v20180830\",\n \"9.4.13.v20181111\",\n \"9.4.14.v20181114\",\n \"9.4.15.v20190215\",\n \"9.4.16.v20190411\",\n \"9.4.17.v20190418\",\n \"9.4.18.v20190429\",\n \"9.4.19.v20190610\",\n \"9.4.2.v20170220\",\n \"9.4.2.v20180619\",\n \"9.4.20.v20190813\",\n \"9.4.21.v20190926\",\n \"9.4.22.v20191022\",\n \"9.4.23.v20191118\",\n \"9.4.24.v20191120\",\n \"9.4.25.v20191220\",\n \"9.4.26.v20200117\",\n \"9.4.27.v20200227\",\n \"9.4.28.v20200408\",\n \"9.4.29.v20200521\",\n \"9.4.3.v20170317\",\n \"9.4.3.v20180619\",\n \"9.4.30.v20200611\",\n \"9.4.31.v20200723\",\n \"9.4.32.v20200930\",\n \"9.4.33.v20201020\",\n \"9.4.34.v20201102\",\n \"9.4.35.v20201120\",\n \"9.4.36.v20210114\",\n \"9.4.37.v20210219\",\n \"9.4.38.v20210224\",\n \"9.4.39.v20210325\",\n \"9.4.4.v20170414\",\n \"9.4.4.v20180619\",\n \"9.4.40.v20210413\",\n \"9.4.41.v20210516\",\n \"9.4.42.v20210604\",\n \"9.4.43.v20210629\",\n \"9.4.44.v20210927\",\n \"9.4.45.v20220203\",\n \"9.4.46.v20220331\",\n \"9.4.47.v20220610\",\n \"9.4.48.v20220622\",\n \"9.4.49.v20220914\",\n \"9.4.5.v20170502\",\n \"9.4.5.v20180619\",\n \"9.4.50.v20221201\",\n \"9.4.51.v20230217\",\n \"9.4.6.v20170531\",\n \"9.4.6.v20180619\",\n \"9.4.7.RC0\",\n \"9.4.7.v20170914\",\n \"9.4.7.v20180619\",\n \"9.4.8.v20171121\",\n \"9.4.8.v20180619\",\n \"9.4.9.v20180320\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 9.4.51\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-58qw-p7qm-5rvh/GHSA-58qw-p7qm-5rvh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/security/advisories/GHSA-58qw-p7qm-5rvh\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/pull/10067\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-10.0.16\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-11.0.16\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-12.0.0\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.52.v20230823\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-07-10T21:52:39Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3p86-9955-h393\",\n \"published\": \"2023-09-18T15:30:18Z\",\n \"modified\": \"2024-04-11T19:46:07.697031Z\",\n \"aliases\": [\n \"CVE-2023-4759\"\n ],\n \"related\": [\n \"CGA-f3hc-jjwc-wwjp\"\n ],\n \"summary\": \"Arbitrary File Overwrite in Eclipse JGit \",\n \"details\": \"Arbitrary File Overwrite in Eclipse JGit \\u003c= 6.6.0\\n\\nIn Eclipse JGit, all versions \\u003c= 6.6.0.202305301015-r, a symbolic link present in a specially crafted git repository can be used to write a file to locations outside the working tree when this repository is cloned with JGit to a case-insensitive filesystem, or when a checkout from a clone of such a repository is performed on a case-insensitive filesystem.\\n\\nThis can happen on checkout (DirCacheCheckout), merge (ResolveMerger via its WorkingTreeUpdater), pull (PullCommand using merge), and when applying a patch (PatchApplier). This can be exploited for remote code execution (RCE), for instance if the file written outside the working tree is a git filter that gets executed on a subsequent git command.\\n\\nThe issue occurs only on case-insensitive filesystems, like the default filesystems on Windows and macOS. The user performing the clone or checkout must have the rights to create symbolic links for the problem to occur, and symbolic links must be enabled in the git configuration.\\n\\nSetting git configuration option core.symlinks = false before checking out avoids the problem.\\n\\nThe issue was fixed in Eclipse JGit version 6.6.1.202309021850-r and 6.7.0.202309050840-r, available via Maven Central https://repo1.maven.org/maven2/org/eclipse/jgit/  and repo.eclipse.org https://repo.eclipse.org/content/repositories/jgit-releases/ . A backport is available in 5.13.3 starting from 5.13.3.202401111512-r.\\n\\nThe JGit maintainers would like to thank RyotaK for finding and reporting this issue.\\n\\n\\n\\n\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.0.0.202111291000-r\"\n },\n {\n \"fixed\": \"6.6.1.202309021850-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"6.0.0.202111291000-r\",\n \"6.1.0.202203080745-r\",\n \"6.2.0.202206071550-r\",\n \"6.3.0.202209071007-r\",\n \"6.4.0.202211300538-r\",\n \"6.5.0.202303070854-r\",\n \"6.6.0.202305301015-r\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.6.0.202305301015-r\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.13.3.202401111512-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.0.201112221803-r\",\n \"1.3.0.201202151440-r\",\n \"2.0.0.201206130900-r\",\n \"2.1.0.201209190230-r\",\n \"2.2.0.201212191850-r\",\n \"2.3.1.201302201838-r\",\n \"3.0.0.201306101825-r\",\n \"3.1.0.201310021548-r\",\n \"3.2.0.201312181205-r\",\n \"3.3.0.201403021825-r\",\n \"3.3.1.201403241930-r\",\n \"3.3.2.201404171909-r\",\n \"3.4.0.201405051725-m7\",\n \"3.4.0.201405211411-rc1\",\n \"3.4.0.201405281120-rc2\",\n \"3.4.0.201406041058-rc3\",\n \"3.4.0.201406110918-r\",\n \"3.4.1.201406201815-r\",\n \"3.4.2.201412180340-r\",\n \"3.5.0.201409071800-rc1\",\n \"3.5.0.201409260305-r\",\n \"3.5.1.201410131835-r\",\n \"3.5.2.201411120430-r\",\n \"3.5.3.201412180710-r\",\n \"3.6.0.201411121045-m1\",\n \"3.6.0.201412230720-r\",\n \"3.6.1.201501031845-r\",\n \"3.6.2.201501210735-r\",\n \"3.7.0.201502260915-r\",\n \"3.7.1.201504261725-r\",\n \"4.0.0.201505050340-m2\",\n \"4.0.0.201505260635-rc2\",\n \"4.0.0.201506020755-rc3\",\n \"4.0.0.201506090130-r\",\n \"4.0.1.201506240215-r\",\n \"4.0.2.201509141540-r\",\n \"4.0.3.201509231615-r\",\n \"4.1.0.201509280440-r\",\n \"4.1.1.201511131810-r\",\n \"4.1.2.201602141800-r\",\n \"4.10.0.201712302008-r\",\n \"4.11.0.201803080745-r\",\n \"4.11.1.201807311124-r\",\n \"4.11.2.201809100523-r\",\n \"4.11.3.201809181037-r\",\n \"4.11.4.201810060650-r\",\n \"4.11.5.201810191925-r\",\n \"4.11.6.201812241910-r\",\n \"4.11.7.201903122105-r\",\n \"4.11.8.201904181247-r\",\n \"4.11.9.201909030838-r\",\n \"4.2.0.201601211800-r\",\n \"4.3.0.201604071810-r\",\n \"4.3.1.201605051710-r\",\n \"4.4.0.201605250940-rc1\",\n \"4.4.0.201606070830-r\",\n \"4.4.1.201607150455-r\",\n \"4.5.0.201609210915-r\",\n \"4.5.1.201703201650-r\",\n \"4.5.2.201704071617-r\",\n \"4.5.3.201708160445-r\",\n \"4.5.4.201711221230-r\",\n \"4.5.5.201812240535-r\",\n \"4.5.6.201903121547-r\",\n \"4.5.7.201904151645-r\",\n \"4.6.0.201612231935-r\",\n \"4.6.1.201703071140-r\",\n \"4.7.0.201704051617-r\",\n \"4.7.1.201706071930-r\",\n \"4.7.2.201807261330-r\",\n \"4.7.3.201809090215-r\",\n \"4.7.4.201809180905-r\",\n \"4.7.5.201810051826-r\",\n \"4.7.6.201810191618-r\",\n \"4.7.7.201812240805-r\",\n \"4.7.8.201903121755-r\",\n \"4.7.9.201904161809-r\",\n \"4.8.0.201705170830-rc1\",\n \"4.8.0.201706111038-r\",\n \"4.9.0.201710071750-r\",\n \"4.9.1.201712030800-r\",\n \"4.9.10.201904181027-r\",\n \"4.9.2.201712150930-r\",\n \"4.9.3.201807311005-r\",\n \"4.9.4.201809090327-r\",\n \"4.9.5.201809180939-r\",\n \"4.9.6.201810051924-r\",\n \"4.9.7.201810191756-r\",\n \"4.9.8.201812241815-r\",\n \"4.9.9.201903122025-r\",\n \"5.0.0.201805151920-m7\",\n \"5.0.0.201805221745-rc1\",\n \"5.0.0.201805301535-rc2\",\n \"5.0.0.201806131550-r\",\n \"5.0.1.201806211838-r\",\n \"5.0.2.201807311906-r\",\n \"5.0.3.201809091024-r\",\n \"5.1.0.201809111528-r\",\n \"5.1.1.201809181055-r\",\n \"5.1.10.201908230655-r\",\n \"5.1.11.201909031202-r\",\n \"5.1.12.201910011832-r\",\n \"5.1.13.202002110435-r\",\n \"5.1.14.202011251942-r\",\n \"5.1.15.202012011955-r\",\n \"5.1.16.202106041830-r\",\n \"5.1.2.201810061102-r\",\n \"5.1.3.201810200350-r\",\n \"5.1.5.201812261915-r\",\n \"5.1.6.201903130242-r\",\n \"5.1.7.201904200442-r\",\n \"5.1.8.201906050907-r\",\n \"5.1.9.201908210455-r\",\n \"5.10.0.202012080955-r\",\n \"5.11.0.202103091610-r\",\n \"5.11.1.202105131744-r\",\n \"5.12.0.202106070339-r\",\n \"5.13.0.202109080827-r\",\n \"5.13.1.202206130422-r\",\n \"5.13.2.202306221912-r\",\n \"5.2.0.201812061821-r\",\n \"5.2.1.201812262042-r\",\n \"5.2.2.201904231744-r\",\n \"5.3.0.201903130848-r\",\n \"5.3.1.201904271842-r\",\n \"5.3.2.201906051522-r\",\n \"5.3.4.201908231101-r\",\n \"5.3.5.201909031855-r\",\n \"5.3.6.201910020505-r\",\n \"5.3.7.202002110540-r\",\n \"5.3.8.202011260953-r\",\n \"5.3.9.202012012026-r\",\n \"5.4.0.201906121030-r\",\n \"5.4.2.201908231537-r\",\n \"5.4.3.201909031940-r\",\n \"5.5.0.201909110433-r\",\n \"5.5.1.201910021850-r\",\n \"5.6.0.201912101111-r\",\n \"5.6.1.202002131546-r\",\n \"5.7.0.202003090808-r\",\n \"5.7.0.202003110725-r\",\n \"5.8.0.202006091008-r\",\n \"5.8.1.202007141445-r\",\n \"5.9.0.202009080501-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-3p86-9955-h393/GHSA-3p86-9955-h393.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-4759\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse-jgit/jgit/issues/30\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://git.eclipse.org/c/jgit/jgit.git\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/5.13.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/6.6.1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-178\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-18T19:17:54Z\",\n \"nvd_published_at\": \"2023-09-12T10:15:29Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6vvc-c2m3-cjf3\",\n \"published\": \"2022-05-17T19:57:29Z\",\n \"modified\": \"2024-09-25T20:01:24.028730Z\",\n \"aliases\": [\n \"CVE-2014-9390\",\n \"PYSEC-2020-217\"\n ],\n \"summary\": \"JGit Improper Input Validation vulnerability\",\n \"details\": \"Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine; libgit2; Egit; and JGit allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.5.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.0.201112221803-r\",\n \"1.3.0.201202151440-r\",\n \"2.0.0.201206130900-r\",\n \"2.1.0.201209190230-r\",\n \"2.2.0.201212191850-r\",\n \"2.3.1.201302201838-r\",\n \"3.0.0.201306101825-r\",\n \"3.1.0.201310021548-r\",\n \"3.2.0.201312181205-r\",\n \"3.3.0.201403021825-r\",\n \"3.3.1.201403241930-r\",\n \"3.3.2.201404171909-r\",\n \"3.4.0.201405051725-m7\",\n \"3.4.0.201405211411-rc1\",\n \"3.4.0.201405281120-rc2\",\n \"3.4.0.201406041058-rc3\",\n \"3.4.0.201406110918-r\",\n \"3.4.1.201406201815-r\",\n \"3.4.2.201412180340-r\",\n \"3.5.0.201409071800-rc1\",\n \"3.5.0.201409260305-r\",\n \"3.5.1.201410131835-r\",\n \"3.5.2.201411120430-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"mercurial\",\n \"ecosystem\": \"PyPI\",\n \"purl\": \"pkg:pypi/mercurial\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.2.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"0.8.1\",\n \"0.9\",\n \"0.9.1\",\n \"0.9.2\",\n \"0.9.3\",\n \"0.9.4\",\n \"0.9.5\",\n \"1.0\",\n \"1.0.1\",\n \"1.0.2\",\n \"1.1\",\n \"1.1.1\",\n \"1.1.2\",\n \"1.2\",\n \"1.2.1\",\n \"1.3\",\n \"1.3.1\",\n \"1.4\",\n \"1.4.1\",\n \"1.4.2\",\n \"1.4.3\",\n \"1.5\",\n \"1.5.1\",\n \"1.5.2\",\n \"1.5.3\",\n \"1.5.4\",\n \"1.6\",\n \"1.6.1\",\n \"1.6.2\",\n \"1.6.3\",\n \"1.6.4\",\n \"1.7\",\n \"1.7.1\",\n \"1.7.2\",\n \"1.7.3\",\n \"1.7.5\",\n \"1.8\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.9\",\n \"1.9.1\",\n \"1.9.2\",\n \"1.9.3\",\n \"2.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.1\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.2\",\n \"2.2.2\",\n \"2.3\",\n \"2.4.1\",\n \"2.5\",\n \"2.5.1\",\n \"2.5.2\",\n \"2.6\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.3\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\",\n \"2.8\",\n \"2.8.1\",\n \"2.8.2\",\n \"2.9\",\n \"2.9.1\",\n \"3.0\",\n \"3.0.1\",\n \"3.1\",\n \"3.1.1\",\n \"3.1.2\",\n \"3.2\",\n \"3.2.1\",\n \"3.2.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6vvc-c2m3-cjf3/GHSA-6vvc-c2m3-cjf3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-9390\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/libgit2/libgit2/commit/928429c5c96a701bcbcafacb2421a82602b36915\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/blog/1938-git-client-vulnerability-announced\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/pypa/advisory-database/tree/main/vulns/mercurial/PYSEC-2020-217.yaml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://libgit2.org/security\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://news.ycombinator.com/item?id=8769667\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20211204220400/https://securitytracker.com/id?1031404\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://article.gmane.org/gmane.linux.kernel/1853266\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://git-blame.blogspot.com/2014/12/git-1856-195-205-214-and-221-and.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://mercurial.selenic.com/wiki/WhatsNew\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://securitytracker.com/id?1031404\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://support.apple.com/kb/HT204147\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-26T23:53:52Z\",\n \"nvd_published_at\": \"2020-02-12T02:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n },\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vrpq-qp53-qv56\",\n \"published\": \"2025-05-21T21:31:37Z\",\n \"modified\": \"2025-10-14T14:04:29.533722Z\",\n \"aliases\": [\n \"CVE-2025-4949\"\n ],\n \"related\": [\n \"CGA-2h3q-7r7p-cmjc\",\n \"CGA-693f-m3w9-2fg3\",\n \"CGA-h9p7-2rvv-2cw5\",\n \"CGA-x238-2v8w-3j6m\"\n ],\n \"summary\": \"Eclipse JGit XML External Entity (XXE) Vulnerability\",\n \"details\": \"In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.2.0.202503040940-r\"\n },\n {\n \"fixed\": \"7.2.1.202505142326-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.2.0.202503040940-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.1.0.202411261347-r\"\n },\n {\n \"fixed\": \"7.1.1.202505221757-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.1.0.202411261347-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0.202409031743-r\"\n },\n {\n \"fixed\": \"7.0.1.202505221510-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.202409031743-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.eclipse.jgit:org.eclipse.jgit\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.eclipse.jgit/org.eclipse.jgit\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.10.1.202505221210-r\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.2.0.201112221803-r\",\n \"1.3.0.201202151440-r\",\n \"2.0.0.201206130900-r\",\n \"2.1.0.201209190230-r\",\n \"2.2.0.201212191850-r\",\n \"2.3.1.201302201838-r\",\n \"3.0.0.201306101825-r\",\n \"3.1.0.201310021548-r\",\n \"3.2.0.201312181205-r\",\n \"3.3.0.201403021825-r\",\n \"3.3.1.201403241930-r\",\n \"3.3.2.201404171909-r\",\n \"3.4.0.201405051725-m7\",\n \"3.4.0.201405211411-rc1\",\n \"3.4.0.201405281120-rc2\",\n \"3.4.0.201406041058-rc3\",\n \"3.4.0.201406110918-r\",\n \"3.4.1.201406201815-r\",\n \"3.4.2.201412180340-r\",\n \"3.5.0.201409071800-rc1\",\n \"3.5.0.201409260305-r\",\n \"3.5.1.201410131835-r\",\n \"3.5.2.201411120430-r\",\n \"3.5.3.201412180710-r\",\n \"3.6.0.201411121045-m1\",\n \"3.6.0.201412230720-r\",\n \"3.6.1.201501031845-r\",\n \"3.6.2.201501210735-r\",\n \"3.7.0.201502260915-r\",\n \"3.7.1.201504261725-r\",\n \"4.0.0.201505050340-m2\",\n \"4.0.0.201505260635-rc2\",\n \"4.0.0.201506020755-rc3\",\n \"4.0.0.201506090130-r\",\n \"4.0.1.201506240215-r\",\n \"4.0.2.201509141540-r\",\n \"4.0.3.201509231615-r\",\n \"4.1.0.201509280440-r\",\n \"4.1.1.201511131810-r\",\n \"4.1.2.201602141800-r\",\n \"4.10.0.201712302008-r\",\n \"4.11.0.201803080745-r\",\n \"4.11.1.201807311124-r\",\n \"4.11.2.201809100523-r\",\n \"4.11.3.201809181037-r\",\n \"4.11.4.201810060650-r\",\n \"4.11.5.201810191925-r\",\n \"4.11.6.201812241910-r\",\n \"4.11.7.201903122105-r\",\n \"4.11.8.201904181247-r\",\n \"4.11.9.201909030838-r\",\n \"4.2.0.201601211800-r\",\n \"4.3.0.201604071810-r\",\n \"4.3.1.201605051710-r\",\n \"4.4.0.201605250940-rc1\",\n \"4.4.0.201606070830-r\",\n \"4.4.1.201607150455-r\",\n \"4.5.0.201609210915-r\",\n \"4.5.1.201703201650-r\",\n \"4.5.2.201704071617-r\",\n \"4.5.3.201708160445-r\",\n \"4.5.4.201711221230-r\",\n \"4.5.5.201812240535-r\",\n \"4.5.6.201903121547-r\",\n \"4.5.7.201904151645-r\",\n \"4.6.0.201612231935-r\",\n \"4.6.1.201703071140-r\",\n \"4.7.0.201704051617-r\",\n \"4.7.1.201706071930-r\",\n \"4.7.2.201807261330-r\",\n \"4.7.3.201809090215-r\",\n \"4.7.4.201809180905-r\",\n \"4.7.5.201810051826-r\",\n \"4.7.6.201810191618-r\",\n \"4.7.7.201812240805-r\",\n \"4.7.8.201903121755-r\",\n \"4.7.9.201904161809-r\",\n \"4.8.0.201705170830-rc1\",\n \"4.8.0.201706111038-r\",\n \"4.9.0.201710071750-r\",\n \"4.9.1.201712030800-r\",\n \"4.9.10.201904181027-r\",\n \"4.9.2.201712150930-r\",\n \"4.9.3.201807311005-r\",\n \"4.9.4.201809090327-r\",\n \"4.9.5.201809180939-r\",\n \"4.9.6.201810051924-r\",\n \"4.9.7.201810191756-r\",\n \"4.9.8.201812241815-r\",\n \"4.9.9.201903122025-r\",\n \"5.0.0.201805151920-m7\",\n \"5.0.0.201805221745-rc1\",\n \"5.0.0.201805301535-rc2\",\n \"5.0.0.201806131550-r\",\n \"5.0.1.201806211838-r\",\n \"5.0.2.201807311906-r\",\n \"5.0.3.201809091024-r\",\n \"5.1.0.201809111528-r\",\n \"5.1.1.201809181055-r\",\n \"5.1.10.201908230655-r\",\n \"5.1.11.201909031202-r\",\n \"5.1.12.201910011832-r\",\n \"5.1.13.202002110435-r\",\n \"5.1.14.202011251942-r\",\n \"5.1.15.202012011955-r\",\n \"5.1.16.202106041830-r\",\n \"5.1.2.201810061102-r\",\n \"5.1.3.201810200350-r\",\n \"5.1.5.201812261915-r\",\n \"5.1.6.201903130242-r\",\n \"5.1.7.201904200442-r\",\n \"5.1.8.201906050907-r\",\n \"5.1.9.201908210455-r\",\n \"5.10.0.202012080955-r\",\n \"5.11.0.202103091610-r\",\n \"5.11.1.202105131744-r\",\n \"5.12.0.202106070339-r\",\n \"5.13.0.202109080827-r\",\n \"5.13.1.202206130422-r\",\n \"5.13.2.202306221912-r\",\n \"5.13.3.202401111512-r\",\n \"5.13.4.202507202350-r\",\n \"5.13.5.202508271544-r\",\n \"5.2.0.201812061821-r\",\n \"5.2.1.201812262042-r\",\n \"5.2.2.201904231744-r\",\n \"5.3.0.201903130848-r\",\n \"5.3.1.201904271842-r\",\n \"5.3.2.201906051522-r\",\n \"5.3.4.201908231101-r\",\n \"5.3.5.201909031855-r\",\n \"5.3.6.201910020505-r\",\n \"5.3.7.202002110540-r\",\n \"5.3.8.202011260953-r\",\n \"5.3.9.202012012026-r\",\n \"5.4.0.201906121030-r\",\n \"5.4.2.201908231537-r\",\n \"5.4.3.201909031940-r\",\n \"5.5.0.201909110433-r\",\n \"5.5.1.201910021850-r\",\n \"5.6.0.201912101111-r\",\n \"5.6.1.202002131546-r\",\n \"5.7.0.202003090808-r\",\n \"5.7.0.202003110725-r\",\n \"5.8.0.202006091008-r\",\n \"5.8.1.202007141445-r\",\n \"5.9.0.202009080501-r\",\n \"6.0.0.202111291000-r\",\n \"6.1.0.202203080745-r\",\n \"6.10.0.202406032230-r\",\n \"6.2.0.202206071550-r\",\n \"6.3.0.202209071007-r\",\n \"6.4.0.202211300538-r\",\n \"6.5.0.202303070854-r\",\n \"6.6.0.202305301015-r\",\n \"6.6.1.202309021850-r\",\n \"6.7.0.202309050840-r\",\n \"6.8.0.202311291450-r\",\n \"6.9.0.202403050737-r\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-vrpq-qp53-qv56/GHSA-vrpq-qp53-qv56.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2025-4949\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse-jgit/jgit\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/5.13.4\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/6.10.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/7.0.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/7.1.1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2025-05-22T18:49:33Z\",\n \"nvd_published_at\": \"2025-05-21T07:16:01Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V4\",\n \"score\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/S:N/AU:Y/R:U/V:D/RE:L/U:Green\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-c43q-5hpj-4crv\",\n \"published\": \"2021-04-23T16:55:01Z\",\n \"modified\": \"2024-03-08T05:18:14.836767Z\",\n \"aliases\": [\n \"CVE-2021-28168\"\n ],\n \"related\": [\n \"CVE-2021-28168\"\n ],\n \"summary\": \"Local information disclosure via system temporary directory\",\n \"details\": \"## Impact\\nEclipse Jersey 2.28 - 2.33 and Eclipse Jersey 3.0.0 - 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.\\n\\n## Workaround\\n\\nThis issue can be mitigated by manually setting the `java.io.tmpdir` system property when launching the JVM.\\n\\n## Patches\\n\\nJersey 2.34 and 3.0.2 forward sets the correct permissions on the temporary file created by Jersey.\\n\\n### References\\n \\n - https://github.com/eclipse-ee4j/jersey/pull/4712\\n - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html)\\n - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html)\\n\\n## Similar Vulnerabilities\\n\\nSimilar, but not the same:\\n\\n - JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp\\n - Google Guava - https://github.com/google/guava/issues/4011\\n - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945\\n - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824\\n - Eclipse Jetty - https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6\\n\\n\\n---\\n\\nOriginal Disclosure:\\n\\n\\u003e Hello Jersey Security Team,\\n\\u003e \\n\\u003e Utilizing a custom CodeQL query written as a part of the [GitHub Security Lab](https://securitylab.github.com/) [Bug Bounty program](https://securitylab.github.com/bounties), I've unearthed a local temporary file information disclosure vulnerability.\\n\\u003e \\n\\u003e You can see the custom CodeQL query utilized here:\\n\\u003e https://lgtm.com/query/8831016213790320486/\\n\\u003e \\n\\u003e This particular vulnerability exists because on unix-like systems (not including modern versions of MacOS) the system temporary directory is shared between all users. As such, failure to correctly set file permissions and/or verify exclusive creation of directories can lead to either local information disclosure, or local file hijacking by another user.\\n\\u003e \\n\\u003e This vulnerability impacts the following locations in this project's source:\\n\\u003e \\n\\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/FileProvider.java#L64-L73\\n\\u003e - https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/media/multipart/src/main/java/org/glassfish/jersey/media/multipart/internal/FormDataParamValueParamProvider.java#L202-L208\\n\\u003e \\n\\u003e This vulnerability exists because of the vulnerability in the `Utils.createTempFile`:\\n\\u003e \\n\\u003e https://github.com/eclipse-ee4j/jersey/blob/01c6a32a2064aeff2caa8133472e33affeb8a29a/core-common/src/main/java/org/glassfish/jersey/message/internal/Utils.java#L42-L53\\n\\u003e \\n\\u003e This is because `File.createTempFile` creates a file inside of the system temporary directory with the permissions: `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system.\\n\\u003e \\n\\u003e If there is sensitive information written to these files, it is disclosed to other local users on this system.\\n\\u003e \\n\\u003e The fix for this vulnerability is to use the `Files` API (instead of the `File` API) to create temporary files/directories as this new API correctly sets the posix file permissions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.glassfish.jersey.core:jersey-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.glassfish.jersey.core/jersey-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"2.28\"\n },\n {\n \"fixed\": \"2.34\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.28\",\n \"2.29\",\n \"2.29.1\",\n \"2.30\",\n \"2.30.1\",\n \"2.31\",\n \"2.32\",\n \"2.33\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.33\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.glassfish.jersey.core:jersey-common\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.glassfish.jersey.core/jersey-common\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"3.0.0\"\n },\n {\n \"fixed\": \"3.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"3.0.0\",\n \"3.0.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 3.0.1\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-c43q-5hpj-4crv/GHSA-c43q-5hpj-4crv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-28168\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/eclipse-ee4j/jersey/pull/4712\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-378\",\n \"CWE-379\",\n \"CWE-668\",\n \"CWE-732\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2021-04-22T19:22:31Z\",\n \"nvd_published_at\": \"2021-04-22T18:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-3vqj-43w4-2q58\",\n \"published\": \"2022-12-13T15:30:26Z\",\n \"modified\": \"2024-04-15T20:32:09.965200Z\",\n \"aliases\": [\n \"CVE-2022-45688\"\n ],\n \"summary\": \"json stack overflow vulnerability\",\n \"details\": \"A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"cn.hutool:hutool-json\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/cn.hutool/hutool-json\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.8.25\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.0.0\",\n \"4.0.1\",\n \"4.0.10\",\n \"4.0.11\",\n \"4.0.12\",\n \"4.0.2\",\n \"4.0.3\",\n \"4.0.4\",\n \"4.0.5\",\n \"4.0.6\",\n \"4.0.7\",\n \"4.0.8\",\n \"4.0.9\",\n \"4.1.0\",\n \"4.1.1\",\n \"4.1.10\",\n \"4.1.11\",\n \"4.1.12\",\n \"4.1.13\",\n \"4.1.14\",\n \"4.1.15\",\n \"4.1.16\",\n \"4.1.17\",\n \"4.1.18\",\n \"4.1.19\",\n \"4.1.2\",\n \"4.1.20\",\n \"4.1.21\",\n \"4.1.3\",\n \"4.1.4\",\n \"4.1.5\",\n \"4.1.6\",\n \"4.1.7\",\n \"4.1.8\",\n \"4.1.9\",\n \"4.2.1\",\n \"4.3.0\",\n \"4.3.1\",\n \"4.3.2\",\n \"4.4.0\",\n \"4.4.1\",\n \"4.4.2\",\n \"4.4.3\",\n \"4.4.4\",\n \"4.4.5\",\n \"4.5.0\",\n \"4.5.1\",\n \"4.5.10\",\n \"4.5.11\",\n \"4.5.12\",\n \"4.5.13\",\n \"4.5.14\",\n \"4.5.15\",\n \"4.5.16\",\n \"4.5.17\",\n \"4.5.18\",\n \"4.5.2\",\n \"4.5.3\",\n \"4.5.4\",\n \"4.5.5\",\n \"4.5.6\",\n \"4.5.7\",\n \"4.5.8\",\n \"4.5.9\",\n \"4.6.0\",\n \"4.6.1\",\n \"4.6.10\",\n \"4.6.11\",\n \"4.6.12\",\n \"4.6.13\",\n \"4.6.14\",\n \"4.6.15\",\n \"4.6.16\",\n \"4.6.17\",\n \"4.6.2\",\n \"4.6.3\",\n \"4.6.4\",\n \"4.6.5\",\n \"4.6.6\",\n \"4.6.7\",\n \"4.6.8\",\n \"5.0.0\",\n \"5.0.1\",\n \"5.0.2\",\n \"5.0.3\",\n \"5.0.4\",\n \"5.0.5\",\n \"5.0.6\",\n \"5.0.7\",\n \"5.1.0\",\n \"5.1.1\",\n \"5.1.2\",\n \"5.1.3\",\n \"5.1.4\",\n \"5.1.5\",\n \"5.2.0\",\n \"5.2.1\",\n \"5.2.2\",\n \"5.2.3\",\n \"5.2.4\",\n \"5.2.5\",\n \"5.3.0\",\n \"5.3.1\",\n \"5.3.10\",\n \"5.3.2\",\n \"5.3.3\",\n \"5.3.4\",\n \"5.3.5\",\n \"5.3.6\",\n \"5.3.7\",\n \"5.3.8\",\n \"5.3.9\",\n \"5.4.0\",\n \"5.4.1\",\n \"5.4.2\",\n \"5.4.3\",\n \"5.4.4\",\n \"5.4.5\",\n \"5.4.6\",\n \"5.4.7\",\n \"5.5.0\",\n \"5.5.1\",\n \"5.5.2\",\n \"5.5.3\",\n \"5.5.4\",\n \"5.5.5\",\n \"5.5.6\",\n \"5.5.7\",\n \"5.5.8\",\n \"5.5.9\",\n \"5.6.0\",\n \"5.6.1\",\n \"5.6.2\",\n \"5.6.3\",\n \"5.6.4\",\n \"5.6.5\",\n \"5.6.6\",\n \"5.6.7\",\n \"5.7.0\",\n \"5.7.1\",\n \"5.7.10\",\n \"5.7.11\",\n \"5.7.12\",\n \"5.7.13\",\n \"5.7.14\",\n \"5.7.15\",\n \"5.7.16\",\n \"5.7.17\",\n \"5.7.18\",\n \"5.7.19\",\n \"5.7.2\",\n \"5.7.20\",\n \"5.7.21\",\n \"5.7.22\",\n \"5.7.3\",\n \"5.7.4\",\n \"5.7.5\",\n \"5.7.6\",\n \"5.7.7\",\n \"5.7.8\",\n \"5.7.9\",\n \"5.8.0\",\n \"5.8.0.M1\",\n \"5.8.0.M2\",\n \"5.8.0.M3\",\n \"5.8.0.M4\",\n \"5.8.1\",\n \"5.8.10\",\n \"5.8.11\",\n \"5.8.12\",\n \"5.8.13\",\n \"5.8.14\",\n \"5.8.15\",\n \"5.8.16\",\n \"5.8.17\",\n \"5.8.18\",\n \"5.8.19\",\n \"5.8.2\",\n \"5.8.20\",\n \"5.8.21\",\n \"5.8.22\",\n \"5.8.23\",\n \"5.8.24\",\n \"5.8.3\",\n \"5.8.4\",\n \"5.8.4.M1\",\n \"5.8.5\",\n \"5.8.6\",\n \"5.8.7\",\n \"5.8.8\",\n \"5.8.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.json:json\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.json/json\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"20230227\"\n }\n ]\n }\n ],\n \"versions\": [\n \"20070829\",\n \"20080701\",\n \"20090211\",\n \"20131018\",\n \"20140107\",\n \"20141113\",\n \"20150729\",\n \"20151123\",\n \"20160212\",\n \"20160807\",\n \"20160810\",\n \"20170516\",\n \"20171018\",\n \"20180130\",\n \"20180813\",\n \"20190722\",\n \"20200518\",\n \"20201115\",\n \"20210307\",\n \"20211205\",\n \"20220320\",\n \"20220924\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-3vqj-43w4-2q58/GHSA-3vqj-43w4-2q58.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-45688\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dromara/hutool/issues/2748\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/issues/708\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dromara/hutool/commit/6a2b585de0a380e8c12016dbaa1620b69be11b8c\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/commit/a6e412bded7a0ad605adfeca029318f184c32102\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/dromara/hutool/releases/tag/5.8.25\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-12-13T19:25:03Z\",\n \"nvd_published_at\": \"2022-12-13T15:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4jq9-2xhw-jpx7\",\n \"published\": \"2023-11-14T22:24:08Z\",\n \"modified\": \"2025-08-22T21:25:08.510140Z\",\n \"aliases\": [\n \"CVE-2023-5072\"\n ],\n \"related\": [\n \"CGA-7g9h-xgv7-r8j3\"\n ],\n \"summary\": \"Java: DoS Vulnerability in JSON-JAVA\",\n \"details\": \"### Summary\\nA denial of service vulnerability in JSON-Java was discovered by [ClusterFuzz](https://google.github.io/clusterfuzz/). A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using `\\\\` to escape special characters, including `\\\\` itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of `\\\\` characters in the escaped string.\\n\\n### Severity\\nHigh - Because this is an already-fixed DoS vulnerability, the only remaining impact possible is for existing binaries that have not been updated yet.\\n\\n### Proof of Concept\\n```java\\npackage orgjsonbug;\\n\\nimport org.json.JSONObject;\\n\\n/**\\n * Illustrates a bug in JSON-Java.\\n */\\npublic class Bug {\\n private static String makeNested(int depth) {\\n if (depth == 0) {\\n return \\\"{\\\\\\\"a\\\\\\\":1}\\\";\\n }\\n return \\\"{\\\\\\\"a\\\\\\\":1;\\\\t\\\\0\\\" + makeNested(depth - 1) + \\\":1}\\\";\\n }\\n\\n public static void main(String[] args) {\\n String input = makeNested(30);\\n System.out.printf(\\\"Input string has length %d: %s\\\\n\\\", input.length(), input);\\n JSONObject output = new JSONObject(input);\\n System.out.printf(\\\"Output JSONObject has length %d: %s\\\\n\\\", output.toString().length(), output);\\n }\\n}\\n```\\nWhen run, this reports that the input string has length 367. Then, after a long pause, the program crashes inside new JSONObject with OutOfMemoryError.\\n\\n### Further Analysis\\nThe issue is fixed by [this PR](https://github.com/stleary/JSON-java/pull/759).\\n\\n### Timeline\\n**Date reported**: 07/14/2023\\n**Date fixed**: \\n**Date disclosed**: 10/12/2023\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.json:json\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.json/json\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"20231013\"\n }\n ]\n }\n ],\n \"versions\": [\n \"20070829\",\n \"20080701\",\n \"20090211\",\n \"20131018\",\n \"20140107\",\n \"20141113\",\n \"20150729\",\n \"20151123\",\n \"20160212\",\n \"20160807\",\n \"20160810\",\n \"20170516\",\n \"20171018\",\n \"20180130\",\n \"20180813\",\n \"20190722\",\n \"20200518\",\n \"20201115\",\n \"20210307\",\n \"20211205\",\n \"20220320\",\n \"20220924\",\n \"20230227\",\n \"20230618\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 20230618\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4jq9-2xhw-jpx7/GHSA-4jq9-2xhw-jpx7.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/google/security-research/security/advisories/GHSA-4jq9-2xhw-jpx7\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-5072\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/issues/758\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/issues/771\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/pull/759\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/stleary/JSON-java/commit/60662e2f8384d3449822a3a1179bfe8de67b55bb\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/stleary/JSON-java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-358\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-11-14T22:24:08Z\",\n \"nvd_published_at\": null,\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-x9rg-q5fx-fx66\",\n \"published\": \"2022-05-13T01:38:10Z\",\n \"modified\": \"2023-11-08T03:58:52.089972Z\",\n \"aliases\": [\n \"CVE-2017-12197\"\n ],\n \"summary\": \"Improper Input Validation in libpam4j\",\n \"details\": \"It was found that libpam4j prior to 1.10 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.kohsuke:libpam4j\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.kohsuke/libpam4j\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.10\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.5\",\n \"1.6\",\n \"1.7\",\n \"1.8\",\n \"1.9\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x9rg-q5fx-fx66/GHSA-x9rg-q5fx-fx66.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2017-12197\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kohsuke/libpam4j/issues/18\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/kohsuke/libpam4j/commit/02ffdff218283629ba4a902e7fe2fd44646abc21\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2904\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2905\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2017:2906\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1503103\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/kohsuke/libpam4j\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2017/11/msg00008.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2017/dsa-4025\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-01T21:27:13Z\",\n \"nvd_published_at\": \"2018-01-18T21:29:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-4jjw-xrr6-9v3p\",\n \"published\": \"2022-05-01T18:45:22Z\",\n \"modified\": \"2024-12-06T05:26:52.443882Z\",\n \"aliases\": [\n \"CVE-2007-6672\"\n ],\n \"summary\": \"Mortbay Jetty Double Slash URI Information Disclosure Vulnerability\",\n \"details\": \"Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read the source of files via multiple `/` (slash) characters in the URI.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.1.5\"\n },\n {\n \"fixed\": \"6.1.7\"\n }\n ]\n }\n ],\n \"versions\": [\n \"6.1.5\",\n \"6.1.6\",\n \"6.1.6rc0\",\n \"6.1.6rc1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 6.1.6\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4jjw-xrr6-9v3p/GHSA-4jjw-xrr6-9v3p.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2007-6672\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20080113051254/http://www.kb.cert.org/vuls/id/553235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20080120225723/http://jira.codehaus.org/browse/JETTY-386\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20080120225728/http://jira.codehaus.org/browse/JETTY/fixforversion/13950\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20080517012615/http://www.securityfocus.com/bid/27117\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-22T23:30:03Z\",\n \"nvd_published_at\": \"2008-01-08T11:46:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-5mq8-h82p-wjf2\",\n \"published\": \"2022-04-30T18:21:21Z\",\n \"modified\": \"2024-11-28T05:41:39.980409Z\",\n \"aliases\": [\n \"CVE-2002-1533\"\n ],\n \"summary\": \"Jetty Javascript Inclusion Vulnerability\",\n \"details\": \"Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (`%0a`).\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.1.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"test-6.0.0\",\n \"test-6.0.0rc3\",\n \"test-6.0.0rc4\",\n \"test-6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-5mq8-h82p-wjf2/GHSA-5mq8-h82p-wjf2.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2002-1533\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20040705203137/http://xforce.iss.net/xforce/xfdb/10219\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20041213153950/http://archives.neohapsis.com/archives/bugtraq/2002-09/0337.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20061020173202/http://www.securityfocus.com/bid/5821\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-80\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-12T20:43:18Z\",\n \"nvd_published_at\": \"2003-03-31T05:00:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-6jxp-7g74-2rc3\",\n \"published\": \"2022-05-02T03:56:13Z\",\n \"modified\": \"2023-11-08T03:56:54.368997Z\",\n \"aliases\": [\n \"CVE-2009-4611\"\n ],\n \"summary\": \"Improper input validation in Mort Bay Jetty\",\n \"details\": \"Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"6.0.0\"\n },\n {\n \"fixed\": \"6.1.23\"\n }\n ]\n }\n ],\n \"versions\": [\n \"6.0.0\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1.0\",\n \"6.1.0pre0\",\n \"6.1.0pre1\",\n \"6.1.0pre2\",\n \"6.1.0pre3\",\n \"6.1.0rc0\",\n \"6.1.0rc1\",\n \"6.1.0rc2\",\n \"6.1.0rc3\",\n \"6.1.1\",\n \"6.1.10\",\n \"6.1.11\",\n \"6.1.12\",\n \"6.1.12.rc2\",\n \"6.1.12.rc3\",\n \"6.1.12.rc4\",\n \"6.1.12.rc5\",\n \"6.1.12rc1\",\n \"6.1.14\",\n \"6.1.15\",\n \"6.1.15.pre0\",\n \"6.1.15.rc2\",\n \"6.1.15.rc3\",\n \"6.1.15.rc4\",\n \"6.1.15.rc5\",\n \"6.1.16\",\n \"6.1.17\",\n \"6.1.18\",\n \"6.1.19\",\n \"6.1.1rc0\",\n \"6.1.1rc1\",\n \"6.1.2\",\n \"6.1.20\",\n \"6.1.21\",\n \"6.1.22\",\n \"6.1.2pre0\",\n \"6.1.2pre1\",\n \"6.1.2rc0\",\n \"6.1.2rc1\",\n \"6.1.2rc2\",\n \"6.1.2rc4\",\n \"6.1.2rc5\",\n \"6.1.3\",\n \"6.1.4\",\n \"6.1.4rc0\",\n \"6.1.4rc1\",\n \"6.1.5\",\n \"6.1.5rc0\",\n \"6.1.6\",\n \"6.1.6rc0\",\n \"6.1.6rc1\",\n \"6.1.7\",\n \"6.1.8\",\n \"6.1.9\",\n \"6.1H.10\",\n \"6.1H.14\",\n \"6.1H.14.1\",\n \"6.1H.22\",\n \"6.1H.4-beta\",\n \"6.1H.4rc1\",\n \"6.1H.5-beta\",\n \"6.1H.6\",\n \"6.1H.7\",\n \"6.1H.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6jxp-7g74-2rc3/GHSA-6jxp-7g74-2rc3.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0\"\n },\n {\n \"fixed\": \"7.0.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"7.0.0.pre4\",\n \"7.0.0.pre5\",\n \"7.0.0pre0\",\n \"7.0.0pre1\",\n \"7.0.0pre2\",\n \"7.0.0pre3\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6jxp-7g74-2rc3/GHSA-6jxp-7g74-2rc3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2009-4611\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://fossies.org/linux/jetty-distribution/VERSION.txt\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.eclipse.org/jetty/about.php\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ush.it/team/ush/hack_httpd_escape/adv.txt\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-10T22:42:57Z\",\n \"nvd_published_at\": \"2010-01-13T20:30:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-8h77-9vh5-hw5g\",\n \"published\": \"2022-05-01T18:35:00Z\",\n \"modified\": \"2023-11-08T03:56:48.926359Z\",\n \"aliases\": [\n \"CVE-2007-5613\"\n ],\n \"summary\": \"Mortbay Jetty vulnerable to Cross-site scripting\",\n \"details\": \"Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.1.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1.0\",\n \"6.1.0pre0\",\n \"6.1.0pre1\",\n \"6.1.0pre2\",\n \"6.1.0pre3\",\n \"6.1.0rc0\",\n \"6.1.0rc1\",\n \"6.1.0rc2\",\n \"6.1.0rc3\",\n \"6.1.1\",\n \"6.1.1rc0\",\n \"6.1.1rc1\",\n \"6.1.2\",\n \"6.1.2pre0\",\n \"6.1.2pre1\",\n \"6.1.2rc0\",\n \"6.1.2rc1\",\n \"6.1.2rc2\",\n \"6.1.2rc4\",\n \"6.1.2rc5\",\n \"6.1.3\",\n \"6.1.4\",\n \"6.1.4rc0\",\n \"6.1.4rc1\",\n \"6.1.5\",\n \"6.1.5rc0\",\n \"6.1.6rc0\",\n \"6.1.6rc1\",\n \"6.1H.10\",\n \"6.1H.14\",\n \"6.1H.14.1\",\n \"6.1H.22\",\n \"6.1H.4-beta\",\n \"6.1H.4rc1\",\n \"6.1H.5-beta\",\n \"6.1H.6\",\n \"6.1H.7\",\n \"6.1H.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8h77-9vh5-hw5g/GHSA-8h77-9vh5-hw5g.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2007-5613\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/237888\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-79\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-07T23:53:04Z\",\n \"nvd_published_at\": \"2007-12-05T11:46:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-966r-962g-2jq5\",\n \"published\": \"2022-05-01T18:35:01Z\",\n \"modified\": \"2024-12-03T06:26:22.232759Z\",\n \"aliases\": [\n \"CVE-2007-5615\"\n ],\n \"summary\": \"Mortbay Jetty CRLF Injection Vulnerability\",\n \"details\": \"CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.1.6rc0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1.0\",\n \"6.1.0pre0\",\n \"6.1.0pre1\",\n \"6.1.0pre2\",\n \"6.1.0pre3\",\n \"6.1.0rc0\",\n \"6.1.0rc1\",\n \"6.1.0rc2\",\n \"6.1.0rc3\",\n \"6.1.1\",\n \"6.1.1rc0\",\n \"6.1.1rc1\",\n \"6.1.2\",\n \"6.1.2pre0\",\n \"6.1.2pre1\",\n \"6.1.2rc0\",\n \"6.1.2rc1\",\n \"6.1.2rc2\",\n \"6.1.2rc4\",\n \"6.1.2rc5\",\n \"6.1.3\",\n \"6.1.4\",\n \"6.1.4rc0\",\n \"6.1.4rc1\",\n \"6.1.5\",\n \"6.1.5rc0\",\n \"6.1H.10\",\n \"6.1H.14\",\n \"6.1H.14.1\",\n \"6.1H.22\",\n \"6.1H.4-beta\",\n \"6.1H.4rc1\",\n \"6.1H.5-beta\",\n \"6.1H.6\",\n \"6.1H.7\",\n \"6.1H.8\",\n \"test-6.0.0\",\n \"test-6.0.0rc3\",\n \"test-6.0.0rc4\",\n \"test-6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-966r-962g-2jq5/GHSA-966r-962g-2jq5.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2007-5615\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/jetty-project/codehaus-jetty6/commit/0d2592ea3183914163d0921e4855bd3e18582a05\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20071007232422/http://svn.codehaus.org:80/jetty/jetty/trunk/VERSION.txt\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20150112202621/http://www.securityfocus.com/bid/26696\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/212984\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-94\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-21T23:12:42Z\",\n \"nvd_published_at\": \"2007-12-05T11:46:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9986-w5h5-vw59\",\n \"published\": \"2022-05-02T03:26:04Z\",\n \"modified\": \"2024-02-16T08:15:58.735824Z\",\n \"aliases\": [\n \"CVE-2009-1523\"\n ],\n \"summary\": \"Directory traversal in Mort Bay Jetty\",\n \"details\": \"Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.1.17\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1.0\",\n \"6.1.0pre0\",\n \"6.1.0pre1\",\n \"6.1.0pre2\",\n \"6.1.0pre3\",\n \"6.1.0rc0\",\n \"6.1.0rc1\",\n \"6.1.0rc2\",\n \"6.1.0rc3\",\n \"6.1.1\",\n \"6.1.10\",\n \"6.1.11\",\n \"6.1.12\",\n \"6.1.12.rc2\",\n \"6.1.12.rc3\",\n \"6.1.12.rc4\",\n \"6.1.12.rc5\",\n \"6.1.12rc1\",\n \"6.1.14\",\n \"6.1.15\",\n \"6.1.15.pre0\",\n \"6.1.15.rc2\",\n \"6.1.15.rc3\",\n \"6.1.15.rc4\",\n \"6.1.15.rc5\",\n \"6.1.16\",\n \"6.1.1rc0\",\n \"6.1.1rc1\",\n \"6.1.2\",\n \"6.1.2pre0\",\n \"6.1.2pre1\",\n \"6.1.2rc0\",\n \"6.1.2rc1\",\n \"6.1.2rc2\",\n \"6.1.2rc4\",\n \"6.1.2rc5\",\n \"6.1.3\",\n \"6.1.4\",\n \"6.1.4rc0\",\n \"6.1.4rc1\",\n \"6.1.5\",\n \"6.1.5rc0\",\n \"6.1.6\",\n \"6.1.6rc0\",\n \"6.1.6rc1\",\n \"6.1.7\",\n \"6.1.8\",\n \"6.1.9\",\n \"6.1H.10\",\n \"6.1H.14\",\n \"6.1H.14.1\",\n \"6.1H.22\",\n \"6.1H.4-beta\",\n \"6.1H.4rc1\",\n \"6.1H.5-beta\",\n \"6.1H.6\",\n \"6.1H.7\",\n \"6.1H.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9986-w5h5-vw59/GHSA-9986-w5h5-vw59.json\"\n }\n },\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"7.0.0.M0\"\n },\n {\n \"fixed\": \"7.0.0.M2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9986-w5h5-vw59/GHSA-9986-w5h5-vw59.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2009-1523\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=499867\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01257.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01259.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01262.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02282388\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://jira.codehaus.org/browse/JETTY-1004\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/402580\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/CRDY-7RKQCY\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/34800\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/35675\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id?1022563\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vupen.com/english/advisories/2009/1900\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vupen.com/english/advisories/2010/1792\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-08-03T17:32:50Z\",\n \"nvd_published_at\": \"2009-05-05T17:30:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-cwq3-qp8v-w8q3\",\n \"published\": \"2022-05-01T02:20:38Z\",\n \"modified\": \"2024-11-28T05:34:11.091547Z\",\n \"aliases\": [\n \"CVE-2005-3747\"\n ],\n \"summary\": \"Mortbay Jetty Discloses JSP Source Code\",\n \"details\": \"Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash (`%5C`) characters. NOTE: this might be the same issue as CVE-2006-2758.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"5.1.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"test-6.0.0\",\n \"test-6.0.0rc3\",\n \"test-6.0.0rc4\",\n \"test-6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cwq3-qp8v-w8q3/GHSA-cwq3-qp8v-w8q3.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2005-3747\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sourceforge.net/project/shownotes.php?release_id=372086\\u0026group_id=7322\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/450315/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/15515\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-200\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-18T23:46:51Z\",\n \"nvd_published_at\": \"2005-11-22T11:03:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fvh3-4v5r-cvvc\",\n \"published\": \"2022-05-01T18:35:01Z\",\n \"modified\": \"2023-11-08T03:56:48.986632Z\",\n \"aliases\": [\n \"CVE-2007-5614\"\n ],\n \"summary\": \"Improper Authentication in Mortbay Jetty\",\n \"details\": \"Mortbay Jetty before 6.1.6rc1 does not properly handle \\\"certain quote sequences\\\" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.1.6\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\",\n \"6.0.1\",\n \"6.0.2\",\n \"6.1.0\",\n \"6.1.0pre0\",\n \"6.1.0pre1\",\n \"6.1.0pre2\",\n \"6.1.0pre3\",\n \"6.1.0rc0\",\n \"6.1.0rc1\",\n \"6.1.0rc2\",\n \"6.1.0rc3\",\n \"6.1.1\",\n \"6.1.1rc0\",\n \"6.1.1rc1\",\n \"6.1.2\",\n \"6.1.2pre0\",\n \"6.1.2pre1\",\n \"6.1.2rc0\",\n \"6.1.2rc1\",\n \"6.1.2rc2\",\n \"6.1.2rc4\",\n \"6.1.2rc5\",\n \"6.1.3\",\n \"6.1.4\",\n \"6.1.4rc0\",\n \"6.1.4rc1\",\n \"6.1.5\",\n \"6.1.5rc0\",\n \"6.1.6rc0\",\n \"6.1.6rc1\",\n \"6.1H.10\",\n \"6.1H.14\",\n \"6.1H.14.1\",\n \"6.1H.22\",\n \"6.1H.4-beta\",\n \"6.1H.4rc1\",\n \"6.1H.5-beta\",\n \"6.1H.6\",\n \"6.1H.7\",\n \"6.1H.8\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-fvh3-4v5r-cvvc/GHSA-fvh3-4v5r-cvvc.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2007-5614\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.eclipse.org/jetty/about.php\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.kb.cert.org/vuls/id/438616\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-287\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-08T22:32:50Z\",\n \"nvd_published_at\": \"2007-12-05T11:46:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-mq4x-8whh-jx73\",\n \"published\": \"2022-05-01T07:02:10Z\",\n \"modified\": \"2023-11-08T03:56:46.786542Z\",\n \"aliases\": [\n \"CVE-2006-2759\"\n ],\n \"summary\": \"Improper Input Validation in Mortbay Jetty \",\n \"details\": \"jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"6.0.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mq4x-8whh-jx73/GHSA-mq4x-8whh-jx73.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2006-2759\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/eclipse/jetty.project\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.eclipse.org/jetty/about.php\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-08T22:32:53Z\",\n \"nvd_published_at\": \"2006-06-02T01:02:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-p5rr-q5g6-gm42\",\n \"published\": \"2022-04-29T03:01:19Z\",\n \"modified\": \"2024-11-28T05:30:07.803612Z\",\n \"aliases\": [\n \"CVE-2004-2381\"\n ],\n \"summary\": \"Jetty HTTP Server Denial of Service vulnerability\",\n \"details\": \"HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and application crash) via HTTP requests with a large Content-Length.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"4.2.19\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"test-6.0.0\",\n \"test-6.0.0rc3\",\n \"test-6.0.0rc4\",\n \"test-6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-p5rr-q5g6-gm42/GHSA-p5rr-q5g6-gm42.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2004-2381\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/15537\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://cvs.sourceforge.net/viewcvs.py/jetty/Jetty/src/org/mortbay/http/HttpRequest.java?r1=1.75\\u0026r2=1.76\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sourceforge.net/project/shownotes.php?release_id=224743\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.osvdb.org/4387\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-18T22:57:43Z\",\n \"nvd_published_at\": \"2004-12-31T05:00:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qmgj-5h75-jr67\",\n \"published\": \"2022-05-01T07:02:10Z\",\n \"modified\": \"2024-11-28T05:30:12.510709Z\",\n \"aliases\": [\n \"CVE-2006-2758\"\n ],\n \"summary\": \"Jetty Directory Traversal Vulnerability\",\n \"details\": \"Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a `%2e%2e%5c` (encoded `../`) in the URL. NOTE: this might be the same issue as CVE-2005-3747.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.mortbay.jetty:jetty\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.mortbay.jetty/jetty\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"6.0.beta16\"\n }\n ]\n }\n ],\n \"versions\": [\n \"4.1-rc1\",\n \"4.1-rc6\",\n \"4.2.10\",\n \"4.2.12\",\n \"4.2.2\",\n \"4.2.3\",\n \"4.2.9\",\n \"6.0.0Beta1\",\n \"6.0.0beta1\",\n \"6.0.0beta10\",\n \"6.0.0beta11\",\n \"6.0.0beta12\",\n \"6.0.0beta14\",\n \"6.0.0beta15\",\n \"6.0.0beta16\",\n \"6.0.0beta17\",\n \"6.0.0beta2\",\n \"6.0.0beta3\",\n \"6.0.0beta4\",\n \"6.0.0beta5\",\n \"6.0.0beta6\",\n \"6.0.0beta7\",\n \"6.0.0beta8\",\n \"6.0.0beta9\",\n \"6.0.0rc0\",\n \"6.0.0rc1\",\n \"6.0.0rc2\",\n \"6.0.0rc3\",\n \"6.0.0rc4\",\n \"test-6.0.0\",\n \"test-6.0.0rc3\",\n \"test-6.0.0rc4\",\n \"test-6.0.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmgj-5h75-jr67/GHSA-qmgj-5h75-jr67.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2006-2758\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jetty-project/codehaus-jetty6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://web.archive.org/web/20200302050157/http://securitytracker.com/id?1016168\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-22\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2024-02-12T16:10:17Z\",\n \"nvd_published_at\": \"2006-06-02T01:02:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9qcf-c26r-x5rf\",\n \"published\": \"2020-07-01T17:55:03Z\",\n \"modified\": \"2024-10-15T23:39:47.179091Z\",\n \"aliases\": [\n \"CVE-2019-13990\"\n ],\n \"summary\": \"XML external entity injection in Terracotta Quartz Scheduler\",\n \"details\": \"initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.quartz-scheduler:quartz\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.quartz-scheduler/quartz\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.3.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.7.2\",\n \"1.7.3\",\n \"1.8.0\",\n \"1.8.1\",\n \"1.8.2\",\n \"1.8.3\",\n \"1.8.4\",\n \"1.8.5\",\n \"1.8.6\",\n \"2.0.0\",\n \"2.0.1\",\n \"2.0.2\",\n \"2.1.0\",\n \"2.1.1\",\n \"2.1.2\",\n \"2.1.3\",\n \"2.1.4\",\n \"2.1.5\",\n \"2.1.6\",\n \"2.1.7\",\n \"2.2.0\",\n \"2.2.1\",\n \"2.2.2\",\n \"2.2.3\",\n \"2.3.0\",\n \"2.3.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/07/GHSA-9qcf-c26r-x5rf/GHSA-9qcf-c26r-x5rf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2019-13990\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/quartz-scheduler/quartz/issues/467\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/quartz-scheduler/quartz/pull/501\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/quartz-scheduler/quartz/commit/13c1d45aa1db15d0fa0e4997139c99ba219be551\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r3a6884e8d819f32cde8c07b98934de3e80467859880f784950bf44cf@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/re9b56ac1934d7bf16afc83eac1c39c98c1b20b4b15891dce923bf8aa@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221028-0002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-ORGQUARTZSCHEDULER-461170\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r21df13c8bd2c2eae4b9661aae814c4a2a814d1f7875c765b8b115c9a%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf@%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f74b170d3d58d7a24db1afd3908bb0ab58a3900e16e73275674cdfaf%40%3Ccommits.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/e493e718a50f21201e05e82d42a8796b4046e83f0d286b90e58e0629%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/6b6e3480b19856365fb5eef03aa0915a4679de4b019a1e975502d949%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/1870324fea41ea68cff2fd1bf6ee2747432dc1d9d22a22cc681e0ec3%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82@%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/172d405e556e2f1204be126bb3eb28c5115af91bcc1651b4e870bb82%40%3Cdev.tomee.apache.org%3E\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/quartz-scheduler/quartz\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://confluence.atlassian.com/security/ssot-117-cve-2019-13990-xxe-xml-external-entity-injection-vulnerability-in-jira-service-management-data-center-and-jira-service-management-server-1295385959.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-611\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-07-01T17:54:54Z\",\n \"nvd_published_at\": \"2019-07-26T19:15:00Z\",\n \"severity\": \"CRITICAL\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-55g7-9cwv-5qfv\",\n \"published\": \"2023-09-25T18:30:18Z\",\n \"modified\": \"2024-02-16T08:07:08.591827Z\",\n \"aliases\": [\n \"CVE-2023-43642\"\n ],\n \"related\": [\n \"CGA-82h8-5945-hf9h\",\n \"CGA-hp96-wjrq-9f66\",\n \"CVE-2023-43642\"\n ],\n \"summary\": \"snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact\",\n \"details\": \"### Summary\\n\\nsnappy-java is a data compression library in Java. Its SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too-large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. \\n\\n### Scope\\n\\nAll versions of snappy-java including the latest released version 1.1.10.3. A fix is applied in 1.1.10.4\\n\\n### Details\\nWhile performing mitigation efforts related to [CVE-2023-34455](https://nvd.nist.gov/vuln/detail/CVE-2023-34455) in Confluent products, our Application Security team closely analyzed the fix that was accepted and merged into snappy-java version 1.1.10.1 in [this](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea) commit. The check on [line 421](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR421) only attempts to check if chunkSize is not a negative value. We believe that this is an inadequate fix as it misses an upper-bounds check for overly positive values such as 0x7FFFFFFF (or (2,147,483,647 in decimal) before actually [attempting to allocate](https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea#diff-c3e53610267092989965e8c7dd2d4417d355ff7f560f9e8075b365f32569079fR429) the provided unverified number of bytes via the “chunkSize” variable. This missing upper-bounds check can lead to the applications depending upon snappy-java to allocate an inappropriate number of bytes on the heap which can then cause an java.lang.OutOfMemoryError exception. Under some specific conditions and contexts, this can lead to a Denial-of-Service (DoS) attack with a direct impact on the availability of the dependent implementations based on the usage of the snappy-java library for compression/decompression needs.\\n\\n### PoC\\nCompile and run the following code:\\n```\\npackage org.example;\\nimport org.xerial.snappy.SnappyInputStream;\\n\\nimport java.io.*;\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\\n byte[] out = new byte[50];\\n try {\\n in.read(out);\\n }\\n catch (Exception ignored) {\\n }\\n }\\n}\\n```\\n\\n### Impact\\nDenial of Service of applications dependent on snappy-java especially if `ExitOnOutOfMemoryError` or `CrashOnOutOfMemoryError` is configured on the JVM.\\n\\n### Credits\\nJan Werner, Mukul Khullar and Bharadwaj Machiraju from Confluent's Application Security team. \\n\\nWe kindly request for a new CVE ID to be assigned once you acknowledge this vulnerability.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.xerial.snappy:snappy-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.xerial.snappy/snappy-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.10.4\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.1-rc1\",\n \"1.0.1-rc2\",\n \"1.0.1-rc3\",\n \"1.0.1-rc4\",\n \"1.0.3\",\n \"1.0.3-rc1\",\n \"1.0.3-rc2\",\n \"1.0.3-rc3\",\n \"1.0.3-rc4\",\n \"1.0.3.1\",\n \"1.0.3.2\",\n \"1.0.3.3\",\n \"1.0.4\",\n \"1.0.4.1\",\n \"1.0.5\",\n \"1.0.5-M1\",\n \"1.0.5-M2\",\n \"1.0.5-M3\",\n \"1.0.5-M4\",\n \"1.0.5.1\",\n \"1.0.5.2\",\n \"1.0.5.3\",\n \"1.0.5.4\",\n \"1.1.0\",\n \"1.1.0-M1\",\n \"1.1.0-M2\",\n \"1.1.0-M3\",\n \"1.1.0-M4\",\n \"1.1.0.1\",\n \"1.1.1\",\n \"1.1.1-M1\",\n \"1.1.1-M2\",\n \"1.1.1-M3\",\n \"1.1.1-M4\",\n \"1.1.1.1\",\n \"1.1.1.2\",\n \"1.1.1.3\",\n \"1.1.1.4\",\n \"1.1.1.5\",\n \"1.1.1.6\",\n \"1.1.1.7\",\n \"1.1.10.0\",\n \"1.1.10.1\",\n \"1.1.10.2\",\n \"1.1.10.3\",\n \"1.1.2\",\n \"1.1.2-M1\",\n \"1.1.2-RC1\",\n \"1.1.2-RC2\",\n \"1.1.2-RC3\",\n \"1.1.2.1\",\n \"1.1.2.2\",\n \"1.1.2.3\",\n \"1.1.2.4\",\n \"1.1.2.5\",\n \"1.1.2.6\",\n \"1.1.3-M1\",\n \"1.1.3-M2\",\n \"1.1.4\",\n \"1.1.4-M1\",\n \"1.1.4-M2\",\n \"1.1.4-M3\",\n \"1.1.7\",\n \"1.1.7.1\",\n \"1.1.7.2\",\n \"1.1.7.3\",\n \"1.1.7.4\",\n \"1.1.7.5\",\n \"1.1.7.6\",\n \"1.1.7.7\",\n \"1.1.7.8\",\n \"1.1.8\",\n \"1.1.8.1\",\n \"1.1.8.2\",\n \"1.1.8.3\",\n \"1.1.8.4\",\n \"1.1.9.0\",\n \"1.1.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.10.3\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-55g7-9cwv-5qfv/GHSA-55g7-9cwv-5qfv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-43642\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/xerial/snappy-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-09-25T18:30:18Z\",\n \"nvd_published_at\": \"2023-09-25T20:15:11Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-fjpj-2g6w-x25r\",\n \"published\": \"2023-06-15T16:28:08Z\",\n \"modified\": \"2024-02-16T08:21:07.894811Z\",\n \"aliases\": [\n \"CVE-2023-34454\"\n ],\n \"related\": [\n \"CGA-4248-v6xc-823x\"\n ],\n \"summary\": \"snappy-java's Integer Overflow vulnerability in compress leads to DoS\",\n \"details\": \"## Summary\\nDue to unchecked multiplications, an integer overflow may occur, causing an unrecoverable fatal error.\\n## Impact\\nDenial of Service\\n## Description\\nThe function [compress(char[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169) in the file [Snappy.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java) receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the [rawCompress](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422) function.\\n\\n```java\\npublic static byte[] compress(char[] input)\\n throws IOException\\n {\\n return rawCompress(input, input.length * 2); // char uses 2 bytes\\n }\\n\\n```\\n\\nSince the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.\\n\\n```java\\n public static byte[] rawCompress(Object data, int byteSize)\\n throws IOException\\n {\\n byte[] buf = new byte[Snappy.maxCompressedLength(byteSize)];\\n int compressedByteSize = impl.rawCompress(data, 0, byteSize, buf, 0);\\n byte[] result = new byte[compressedByteSize];\\n System.arraycopy(buf, 0, result, 0, compressedByteSize);\\n return result;\\n }\\n\\n```\\n\\nSince the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a “java.lang.NegativeArraySizeException” exception will be raised while trying to allocate the array “buf”. On the other side, if the result is positive, the “buf” array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.\\nThe same issue exists also when using the “compress” functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.\\n\\n\\n## Steps To Reproduce\\nCompile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.Snappy;\\n\\nimport java.io.*;\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n char[] uncompressed = new char[0x40000000];\\n byte[] compressed = Snappy.compress(uncompressed);\\n }\\n}\\n\\n```\\n\\nThe program will crash, creating crashdumps and showing the following error (or similar):\\n\\n```\\n#\\n# A fatal error has been detected by the Java Runtime Environment:\\n#\\n# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000063a01c20, pid=21164, tid=508\\n#\\n.......\\n```\\n\\n\\nAlternatively - compile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.Snappy;\\n\\nimport java.io.*;\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n char[] uncompressed = new char[0x3fffffff];\\n byte[] compressed = Snappy.compress(uncompressed);\\n }\\n}\\n```\\n\\nThe program will crash with the following error (or similar), since the maxCompressedLength returns a value that is interpreted as negative by java:\\n\\n```\\nException in thread \\\"main\\\" java.lang.NegativeArraySizeException: -1789569677\\n\\tat org.xerial.snappy.Snappy.rawCompress(Snappy.java:425)\\n\\tat org.xerial.snappy.Snappy.compress(Snappy.java:172)\\n\\tat org.example.Main.main(Main.java:10)\\n\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.xerial.snappy:snappy-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.xerial.snappy/snappy-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.1-rc1\",\n \"1.0.1-rc2\",\n \"1.0.1-rc3\",\n \"1.0.1-rc4\",\n \"1.0.3\",\n \"1.0.3-rc1\",\n \"1.0.3-rc2\",\n \"1.0.3-rc3\",\n \"1.0.3-rc4\",\n \"1.0.3.1\",\n \"1.0.3.2\",\n \"1.0.3.3\",\n \"1.0.4\",\n \"1.0.4.1\",\n \"1.0.5\",\n \"1.0.5-M1\",\n \"1.0.5-M2\",\n \"1.0.5-M3\",\n \"1.0.5-M4\",\n \"1.0.5.1\",\n \"1.0.5.2\",\n \"1.0.5.3\",\n \"1.0.5.4\",\n \"1.1.0\",\n \"1.1.0-M1\",\n \"1.1.0-M2\",\n \"1.1.0-M3\",\n \"1.1.0-M4\",\n \"1.1.0.1\",\n \"1.1.1\",\n \"1.1.1-M1\",\n \"1.1.1-M2\",\n \"1.1.1-M3\",\n \"1.1.1-M4\",\n \"1.1.1.1\",\n \"1.1.1.2\",\n \"1.1.1.3\",\n \"1.1.1.4\",\n \"1.1.1.5\",\n \"1.1.1.6\",\n \"1.1.1.7\",\n \"1.1.10.0\",\n \"1.1.2\",\n \"1.1.2-M1\",\n \"1.1.2-RC1\",\n \"1.1.2-RC2\",\n \"1.1.2-RC3\",\n \"1.1.2.1\",\n \"1.1.2.2\",\n \"1.1.2.3\",\n \"1.1.2.4\",\n \"1.1.2.5\",\n \"1.1.2.6\",\n \"1.1.3-M1\",\n \"1.1.3-M2\",\n \"1.1.4\",\n \"1.1.4-M1\",\n \"1.1.4-M2\",\n \"1.1.4-M3\",\n \"1.1.7\",\n \"1.1.7.1\",\n \"1.1.7.2\",\n \"1.1.7.3\",\n \"1.1.7.4\",\n \"1.1.7.5\",\n \"1.1.7.6\",\n \"1.1.7.7\",\n \"1.1.7.8\",\n \"1.1.8\",\n \"1.1.8.1\",\n \"1.1.8.2\",\n \"1.1.8.3\",\n \"1.1.8.4\",\n \"1.1.9.0\",\n \"1.1.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.10.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-fjpj-2g6w-x25r/GHSA-fjpj-2g6w-x25r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34454\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/xerial/snappy-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-190\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-15T16:28:08Z\",\n \"nvd_published_at\": \"2023-06-15T17:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-pqr6-cmr2-h8hf\",\n \"published\": \"2023-06-15T16:13:20Z\",\n \"modified\": \"2024-02-16T08:00:57.023897Z\",\n \"aliases\": [\n \"CVE-2023-34453\"\n ],\n \"related\": [\n \"CGA-8pqj-995r-975g\",\n \"CVE-2023-34453\"\n ],\n \"summary\": \"snappy-java's Integer Overflow vulnerability in shuffle leads to DoS\",\n \"details\": \"## Summary\\nDue to unchecked multiplications, an integer overflow may occur, causing a fatal error.\\n## Impact\\nDenial of Service\\n## Description\\nThe function [shuffle(int[] input)](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107) in the file [BitShuffle.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java) receives an array of integers and applies a bit shuffle on it. It does so by multiplying the length by 4 and passing it to the natively compiled shuffle function.\\n\\n```java\\npublic static byte[] shuffle(int[] input) throws IOException {\\n byte[] output = new byte[input.length * 4];\\n int numProcessed = impl.shuffle(input, 0, 4, input.length * 4, output, 0);\\n assert(numProcessed == input.length * 4);\\n return output;\\n }\\n\\n```\\n\\nSince the length is not tested, the multiplication by four can cause an integer overflow and become a smaller value than the true size, or even zero or negative. In the case of a negative value, a “java.lang.NegativeArraySizeException” exception will raise, which can crash the program. In a case of a value that is zero or too small, the code that afterwards references the shuffled array will assume a bigger size of the array, which might cause exceptions such as “java.lang.ArrayIndexOutOfBoundsException”.\\nThe same issue exists also when using the “shuffle” functions that receive a double, float, long and short, each using a different multiplier that may cause the same issue.\\n\\n## Steps To Reproduce\\nCompile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.BitShuffle;\\n\\nimport java.io.*;\\n\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n int[] original = new int[0x40000000];\\n byte[] shuffled = BitShuffle.shuffle(original);\\n System.out.println(shuffled[0]);\\n }\\n}\\n\\n```\\nThe program will crash, showing the following error (or similar):\\n\\n```\\nException in thread \\\"main\\\" java.lang.ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0\\n\\tat org.example.Main.main(Main.java:12)\\n\\nProcess finished with exit code 1\\n\\n```\\n\\nAlternatively - compile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.BitShuffle;\\n\\nimport java.io.*;\\n\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n int[] original = new int[0x20000000];\\n byte[] shuffled = BitShuffle.shuffle(original);\\n }\\n}\\n\\n```\\nThe program will crash with the following error (or similar):\\n\\n```\\nException in thread \\\"main\\\" java.lang.NegativeArraySizeException: -2147483648\\n\\tat org.xerial.snappy.BitShuffle.shuffle(BitShuffle.java:108)\\n\\tat org.example.Main.main(Main.java:11)\\n```\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.xerial.snappy:snappy-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.xerial.snappy/snappy-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.1-rc1\",\n \"1.0.1-rc2\",\n \"1.0.1-rc3\",\n \"1.0.1-rc4\",\n \"1.0.3\",\n \"1.0.3-rc1\",\n \"1.0.3-rc2\",\n \"1.0.3-rc3\",\n \"1.0.3-rc4\",\n \"1.0.3.1\",\n \"1.0.3.2\",\n \"1.0.3.3\",\n \"1.0.4\",\n \"1.0.4.1\",\n \"1.0.5\",\n \"1.0.5-M1\",\n \"1.0.5-M2\",\n \"1.0.5-M3\",\n \"1.0.5-M4\",\n \"1.0.5.1\",\n \"1.0.5.2\",\n \"1.0.5.3\",\n \"1.0.5.4\",\n \"1.1.0\",\n \"1.1.0-M1\",\n \"1.1.0-M2\",\n \"1.1.0-M3\",\n \"1.1.0-M4\",\n \"1.1.0.1\",\n \"1.1.1\",\n \"1.1.1-M1\",\n \"1.1.1-M2\",\n \"1.1.1-M3\",\n \"1.1.1-M4\",\n \"1.1.1.1\",\n \"1.1.1.2\",\n \"1.1.1.3\",\n \"1.1.1.4\",\n \"1.1.1.5\",\n \"1.1.1.6\",\n \"1.1.1.7\",\n \"1.1.10.0\",\n \"1.1.2\",\n \"1.1.2-M1\",\n \"1.1.2-RC1\",\n \"1.1.2-RC2\",\n \"1.1.2-RC3\",\n \"1.1.2.1\",\n \"1.1.2.2\",\n \"1.1.2.3\",\n \"1.1.2.4\",\n \"1.1.2.5\",\n \"1.1.2.6\",\n \"1.1.3-M1\",\n \"1.1.3-M2\",\n \"1.1.4\",\n \"1.1.4-M1\",\n \"1.1.4-M2\",\n \"1.1.4-M3\",\n \"1.1.7\",\n \"1.1.7.1\",\n \"1.1.7.2\",\n \"1.1.7.3\",\n \"1.1.7.4\",\n \"1.1.7.5\",\n \"1.1.7.6\",\n \"1.1.7.7\",\n \"1.1.7.8\",\n \"1.1.8\",\n \"1.1.8.1\",\n \"1.1.8.2\",\n \"1.1.8.3\",\n \"1.1.8.4\",\n \"1.1.9.0\",\n \"1.1.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.10.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-pqr6-cmr2-h8hf/GHSA-pqr6-cmr2-h8hf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34453\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/xerial/snappy-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-190\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-15T16:13:20Z\",\n \"nvd_published_at\": \"2023-06-15T17:15:09Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-qcwq-55hx-v3vh\",\n \"published\": \"2023-06-15T17:15:06Z\",\n \"modified\": \"2024-02-17T05:36:43.827976Z\",\n \"aliases\": [\n \"CVE-2023-34455\"\n ],\n \"related\": [\n \"CGA-644v-gq8j-xww8\",\n \"CVE-2023-34455\"\n ],\n \"summary\": \"snappy-java's unchecked chunk length leads to DoS\",\n \"details\": \"## Summary\\nDue to use of an unchecked chunk length, an unrecoverable fatal error can occur.\\n## Impact\\nDenial of Service\\n## Description\\nThe code in the function [hasNextChunk](https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388) in the file [SnappyInputStream.java](https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java) checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.\\n\\n\\n\\n```java\\n int readBytes = readNext(header, 0, 4);\\n if (readBytes \\u003c 4) {\\n return false;\\n }\\n\\n int chunkSize = SnappyOutputStream.readInt(header, 0);\\n if (chunkSize == SnappyCodec.MAGIC_HEADER_HEAD) {\\n .........\\n }\\n\\n // extend the compressed data buffer size\\n if (compressed == null || chunkSize \\u003e compressed.length) {\\n compressed = new byte[chunkSize];\\n }\\n\\n```\\n\\nIn the case that the “compressed” variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the “chunkSize” variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a “java.lang.NegativeArraySizeException” exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal “java.lang.OutOfMemoryError” error.\\n\\n\\n## Steps To Reproduce\\nCompile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.SnappyInputStream;\\n\\nimport java.io.*;\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};\\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\\n byte[] out = new byte[50];\\n try {\\n in.read(out);\\n }\\n catch (Exception ignored) {\\n\\n }\\n }\\n}\\n```\\n\\nThe program will crash with the following error (or similar), even though there is a catch clause, since “OutOfMemoryError” does not get caught by catching the “Exception” class:\\n\\n```\\nException in thread \\\"main\\\" java.lang.OutOfMemoryError: Requested array size exceeds VM limit\\n\\tat org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\\n\\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\\n\\tat java.base/java.io.InputStream.read(InputStream.java:217)\\n\\tat org.example.Main.main(Main.java:12)\\n\\n```\\n\\n\\nAlternatively - compile and run the following code:\\n\\n```java\\npackage org.example;\\nimport org.xerial.snappy.SnappyInputStream;\\n\\nimport java.io.*;\\n\\npublic class Main {\\n\\n public static void main(String[] args) throws IOException {\\n byte[] data = {-126, 'S', 'N', 'A', 'P', 'P', 'Y', 0, 0, 0, 0, 0, 0, 0, 0, 0,(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff};\\n SnappyInputStream in = new SnappyInputStream(new ByteArrayInputStream(data));\\n byte[] out = new byte[50];\\n in.read(out);\\n }\\n}\\n```\\n\\nThe program will crash with the following error (or similar):\\n\\n```\\nException in thread \\\"main\\\" java.lang.NegativeArraySizeException: -1\\n\\tat org.xerial.snappy.SnappyInputStream.hasNextChunk(SnappyInputStream.java:422)\\n\\tat org.xerial.snappy.SnappyInputStream.read(SnappyInputStream.java:167)\\n\\tat java.base/java.io.InputStream.read(InputStream.java:217)\\n\\tat org.example.Main.main(Main.java:12)\\n\\n```\\n\\n\\nIt is important to note that these examples were written by using a flow that is generally used by developers, and can be seen for example in the Apache project “flume”: https://github.com/apache/flume/blob/f9dbb2de255d59e35e3668a5c6c66a268a055207/flume-ng-channels/flume-file-channel/src/main/java/org/apache/flume/channel/file/Serialization.java#L278. Since they used try-catch, the “NegativeArraySizeException” exception won’t harm their users, but the “OutOfMemoryError” error can.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"org.xerial.snappy:snappy-java\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/org.xerial.snappy/snappy-java\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.10.1\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.1-rc1\",\n \"1.0.1-rc2\",\n \"1.0.1-rc3\",\n \"1.0.1-rc4\",\n \"1.0.3\",\n \"1.0.3-rc1\",\n \"1.0.3-rc2\",\n \"1.0.3-rc3\",\n \"1.0.3-rc4\",\n \"1.0.3.1\",\n \"1.0.3.2\",\n \"1.0.3.3\",\n \"1.0.4\",\n \"1.0.4.1\",\n \"1.0.5\",\n \"1.0.5-M1\",\n \"1.0.5-M2\",\n \"1.0.5-M3\",\n \"1.0.5-M4\",\n \"1.0.5.1\",\n \"1.0.5.2\",\n \"1.0.5.3\",\n \"1.0.5.4\",\n \"1.1.0\",\n \"1.1.0-M1\",\n \"1.1.0-M2\",\n \"1.1.0-M3\",\n \"1.1.0-M4\",\n \"1.1.0.1\",\n \"1.1.1\",\n \"1.1.1-M1\",\n \"1.1.1-M2\",\n \"1.1.1-M3\",\n \"1.1.1-M4\",\n \"1.1.1.1\",\n \"1.1.1.2\",\n \"1.1.1.3\",\n \"1.1.1.4\",\n \"1.1.1.5\",\n \"1.1.1.6\",\n \"1.1.1.7\",\n \"1.1.10.0\",\n \"1.1.2\",\n \"1.1.2-M1\",\n \"1.1.2-RC1\",\n \"1.1.2-RC2\",\n \"1.1.2-RC3\",\n \"1.1.2.1\",\n \"1.1.2.2\",\n \"1.1.2.3\",\n \"1.1.2.4\",\n \"1.1.2.5\",\n \"1.1.2.6\",\n \"1.1.3-M1\",\n \"1.1.3-M2\",\n \"1.1.4\",\n \"1.1.4-M1\",\n \"1.1.4-M2\",\n \"1.1.4-M3\",\n \"1.1.7\",\n \"1.1.7.1\",\n \"1.1.7.2\",\n \"1.1.7.3\",\n \"1.1.7.4\",\n \"1.1.7.5\",\n \"1.1.7.6\",\n \"1.1.7.7\",\n \"1.1.7.8\",\n \"1.1.8\",\n \"1.1.8.1\",\n \"1.1.8.2\",\n \"1.1.8.3\",\n \"1.1.8.4\",\n \"1.1.9.0\",\n \"1.1.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 1.1.10.0\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-qcwq-55hx-v3vh/GHSA-qcwq-55hx-v3vh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-34455\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/xerial/snappy-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20230818-0009\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-770\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-15T17:15:06Z\",\n \"nvd_published_at\": \"2023-06-15T18:15:09Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-9339-86wc-4qgf\",\n \"published\": \"2022-07-20T00:00:18Z\",\n \"modified\": \"2024-06-25T02:34:59.864497Z\",\n \"aliases\": [\n \"CVE-2022-34169\"\n ],\n \"summary\": \"Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets\",\n \"details\": \"The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.\\n\\nA fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xalan:xalan\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xalan/xalan\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.1.0\",\n \"2.3.1\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.D1\",\n \"2.6.0\",\n \"2.7.0\",\n \"2.7.1\",\n \"2.7.2\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-34169\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://xalan.apache.org\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5256\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5192\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.debian.org/security/2022/dsa-5188\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20220729-0009\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/202401-25\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://gitbox.apache.org/repos/asf?p=xalan-java.git\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/07/19/5\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/07/19/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/07/20/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/07/20/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/10/18/2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/11/04/8\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/11/07/2\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-681\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-21T22:28:36Z\",\n \"nvd_published_at\": \"2022-07-19T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-rc2w-r4jq-7pfx\",\n \"published\": \"2022-05-13T01:05:38Z\",\n \"modified\": \"2025-04-13T23:37:05.402190Z\",\n \"aliases\": [\n \"CVE-2014-0107\"\n ],\n \"summary\": \"Improper Authorization in Apache Xalan-Java\",\n \"details\": \"The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xalan:xalan\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xalan/xalan\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.7.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.1.0\",\n \"2.3.1\",\n \"2.4.0\",\n \"2.4.1\",\n \"2.5.0\",\n \"2.5.1\",\n \"2.5.D1\",\n \"2.6.0\",\n \"2.7.0\",\n \"2.7.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rc2w-r4jq-7pfx/GHSA-rc2w-r4jq-7pfx.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2014-0107\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/92023\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/xalan-java\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/XALANJ-2435\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.gentoo.org/glsa/201604-02\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.tenable.com/security/tns-2018-15\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0348.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1351.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1888.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc?view=revision\\u0026revision=1581058\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21674334\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21676093\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21677145\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21680703\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21681933\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2014/dsa-2886\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ibm.com/support/docview.wss?uid=swg21677967\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ocert.org/advisories/ocert-2014-002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-285\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-07T23:02:09Z\",\n \"nvd_published_at\": \"2014-04-15T23:13:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-334p-wv2m-w3vp\",\n \"published\": \"2020-06-15T18:51:30Z\",\n \"modified\": \"2024-12-02T05:40:14.119313Z\",\n \"aliases\": [\n \"CVE-2009-2625\"\n ],\n \"summary\": \"Denial of service in Apache Xerces2\",\n \"details\": \"XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xerces:xercesImpl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xerces/xercesImpl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.10.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.2\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.2-jaxb-1.0.6\",\n \"2.7.1\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-334p-wv2m-w3vp/GHSA-334p-wv2m-w3vp.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2009-2625\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/xerces2-j/commit/0bdf77af1d4fd26ec2e630fb6d12e2dfa77bc12b\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=512921\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1199.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1200.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1201.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1636.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1637.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1649.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rhn.redhat.com/errata/RHSA-2009-1650.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://snyk.io/vuln/SNYK-JAVA-XERCES-32014\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=125787273209737\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1232.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2012-1537.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/36162\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/36176\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/36180\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/36199\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/37300\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/37460\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/37671\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/37754\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/38231\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/38342\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/43300\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://secunia.com/advisories/50549\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://slackware.com/security/viewer.php?l=slackware-security\\u0026y=2011\\u0026m=slackware-security.486026\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055\\u0026r2=787352\\u0026pathrev=787353\\u0026diff_format=h\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.cert.fi/en/reports/2009/vulnerability2009085.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.codenomicon.com/labs/xml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.debian.org/security/2010/dsa-1984\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2009:209\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.mandriva.com/security/advisories?name=MDVSA-2011:108\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.networkworld.com/columnists/2009/080509-xml-flaw.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2009/09/06/1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2009/10/22/9\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2009/10/23/6\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2009/10/26/3\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.redhat.com/support/errata/RHSA-2009-1615.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.redhat.com/support/errata/RHSA-2011-0858.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/archive/1/507985/100/0/threaded\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securityfocus.com/bid/35958\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.securitytracker.com/id?1022680\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-890-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.us-cert.gov/cas/techalerts/TA09-294A.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.us-cert.gov/cas/techalerts/TA10-012A.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vmware.com/security/advisories/VMSA-2009-0016.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vupen.com/english/advisories/2009/2543\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vupen.com/english/advisories/2009/3316\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.vupen.com/english/advisories/2011/0359\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-15T15:55:30Z\",\n \"nvd_published_at\": \"2009-08-06T15:30:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-7j4h-8wpf-rqfh\",\n \"published\": \"2022-05-13T01:01:06Z\",\n \"modified\": \"2024-12-03T06:18:52.393319Z\",\n \"aliases\": [\n \"CVE-2013-4002\"\n ],\n \"summary\": \"Missing XML Validation in Apache Xerces2\",\n \"details\": \"XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xerces:xercesImpl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xerces/xercesImpl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.2\",\n \"2.10.0\",\n \"2.11.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.2-jaxb-1.0.6\",\n \"2.7.1\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7j4h-8wpf-rqfh/GHSA-7j4h-8wpf-rqfh.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2013-4002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/xerces2-j/commit/266e837852e0f0e3c8c1ad572b6fc4dbb4ded17\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/errata/RHSA-2014:0414\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/85260\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/apache/xerces2-j\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/XERCESJ-1679\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=138674031212883\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://marc.info/?l=bugtraq\\u0026m=138674073720143\\u0026w=2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1059.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1060.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1081.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1440.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1447.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1451.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2013-1505.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1818.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1821.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1822.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1823.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0675.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0720.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0765.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0773.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://security.gentoo.org/glsa/glsa-201406-32.xml\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://support.apple.com/kb/HT5982\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250\\u0026r2=1499506\\u0026view=patch\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21644197\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21653371\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www-01.ibm.com/support/docview.wss?uid=swg21657539\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ibm.com/support/docview.wss?uid=swg21648172\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2033-1\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.ubuntu.com/usn/USN-2089-1\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-112\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-07-08T19:14:49Z\",\n \"nvd_published_at\": \"2013-07-23T11:03:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-h65f-jvqw-m9fj\",\n \"published\": \"2022-01-27T16:13:07Z\",\n \"modified\": \"2024-02-16T08:21:32.697367Z\",\n \"aliases\": [\n \"CVE-2022-23437\"\n ],\n \"summary\": \"Infinite Loop in Apache Xerces Java\",\n \"details\": \"There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xerces:xercesImpl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xerces/xercesImpl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.2\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.2\",\n \"2.10.0\",\n \"2.11.0\",\n \"2.12.0\",\n \"2.12.1\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.2-jaxb-1.0.6\",\n \"2.7.1\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-h65f-jvqw-m9fj/GHSA-h65f-jvqw-m9fj.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-23437\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/jboss/xerces\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20221028-0005\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpuapr2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"http://www.openwall.com/lists/oss-security/2022/01/24/3\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-91\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-01-25T20:46:16Z\",\n \"nvd_published_at\": \"2022-01-24T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-vmqm-g3vh-847m\",\n \"published\": \"2020-06-15T18:51:38Z\",\n \"modified\": \"2024-03-11T05:17:10.701030Z\",\n \"aliases\": [\n \"CVE-2012-0881\"\n ],\n \"summary\": \"Denial of service in Apache Xerces2\",\n \"details\": \"Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xerces:xercesImpl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xerces/xercesImpl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.2\",\n \"2.10.0\",\n \"2.11.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.2-jaxb-1.0.6\",\n \"2.7.1\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/06/GHSA-vmqm-g3vh-847m/GHSA-vmqm-g3vh-847m.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2012-0881\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/apache/xerces2-j/commit/992b5d9c24102ad20330d36c0a71162753a37449\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://www.openwall.com/lists/oss-security/2014/07/08/11\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56@%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.apache.org/jira/browse/XERCESJ-1685\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=787104\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2020-06-15T15:51:37Z\",\n \"nvd_published_at\": \"2017-10-30T16:29:00Z\",\n \"severity\": \"HIGH\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"\n }\n ]\n },\n {\n \"schema_version\": \"1.7.3\",\n \"id\": \"GHSA-w4jq-qh47-hvjq\",\n \"published\": \"2022-02-15T01:37:41Z\",\n \"modified\": \"2023-11-08T04:02:26.293474Z\",\n \"aliases\": [\n \"CVE-2020-14338\"\n ],\n \"summary\": \"Improper Input Validation in Xerces\",\n \"details\": \"A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the \\\"use-grammar-pool-only\\\" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. All xerces jboss versions before 2.12.0.SP3.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"xerces:xercesImpl\",\n \"ecosystem\": \"Maven\",\n \"purl\": \"pkg:maven/xerces/xercesImpl\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.12.0.sp3\"\n }\n ]\n }\n ],\n \"versions\": [\n \"2.0.0\",\n \"2.0.2\",\n \"2.10.0\",\n \"2.11.0\",\n \"2.2.1\",\n \"2.3.0\",\n \"2.4.0\",\n \"2.5.0\",\n \"2.6.0\",\n \"2.6.1\",\n \"2.6.2\",\n \"2.6.2-jaxb-1.0.6\",\n \"2.7.1\",\n \"2.8.0\",\n \"2.8.1\",\n \"2.9.0\",\n \"2.9.1\"\n ],\n \"database_specific\": {\n \"last_known_affected_version_range\": \"\\u003c= 2.12.0.sp2\",\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-w4jq-qh47-hvjq/GHSA-w4jq-qh47-hvjq.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-14338\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1860054\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-24T01:25:49Z\",\n \"nvd_published_at\": \"2020-09-17T15:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/remediation/testhelpers_test.go", "content": "package remediation_test\n\nimport (\n\t\"cmp\"\n\t\"maps\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/clienttest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc parseRemediationFixture(t *testing.T, universePath, vulnPath, manifestPath string, opts resolution.ResolveOpts) (*resolution.Result, client.ResolutionClient) {\n\tt.Helper()\n\n\trw, err := manifest.GetReadWriter(manifestPath, \"\")\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to get ReadWriter: %v\", err)\n\t}\n\n\tf, err := depfile.OpenLocalDepFile(manifestPath)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to open manifest: %v\", err)\n\t}\n\tdefer f.Close()\n\n\tm, err := rw.Read(f)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to parse manifest: %v\", err)\n\t}\n\n\tcl := clienttest.NewMockResolutionClient(t, universePath, vulnPath)\n\n\tres, err := resolution.Resolve(t.Context(), cl, m, opts)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to resolve manifest: %v\", err)\n\t}\n\n\treturn res, cl\n}\n\nfunc checkRemediationResults(t *testing.T, res []resolution.Difference) {\n\t// ResolutionDiff is too large when dumped as JSON.\n\t// Extract & compare a subset of fields that are relevant for the tests.\n\tt.Helper()\n\n\ttype minimalVuln struct {\n\t\tID string\n\t\tAffectedNodes []resolve.NodeID\n\t}\n\n\ttoMinimalVuln := func(v resolution.Vulnerability) minimalVuln {\n\t\tt.Helper()\n\t\tnodes := make(map[resolve.NodeID]struct{})\n\t\tfor _, sg := range v.Subgraphs {\n\t\t\tnodes[sg.Dependency] = struct{}{}\n\t\t}\n\t\tsortedNodes := slices.AppendSeq(make([]resolve.NodeID, 0, len(nodes)), maps.Keys(nodes))\n\t\tslices.Sort(sortedNodes)\n\n\t\treturn minimalVuln{\n\t\t\tID: v.OSV.GetId(),\n\t\t\tAffectedNodes: sortedNodes,\n\t\t}\n\t}\n\n\ttype minimalPatch struct {\n\t\tDeps []manifest.DependencyPatch // TODO: The dep.Type does not marshal to JSON.\n\t\tEcosystemSpecific any\n\t}\n\n\ttype minimalDiff struct {\n\t\tPatch minimalPatch\n\t\tRemovedVulns []minimalVuln\n\t\tAddedVulns []minimalVuln\n\t}\n\n\tminimalRes := make([]minimalDiff, len(res))\n\tfor i, diff := range res {\n\t\tminimalRes[i].Patch = minimalPatch{\n\t\t\tDeps: diff.Deps,\n\t\t\tEcosystemSpecific: diff.EcosystemSpecific,\n\t\t}\n\t\tminimalRes[i].AddedVulns = make([]minimalVuln, len(diff.AddedVulns))\n\t\tfor j, v := range diff.AddedVulns {\n\t\t\tminimalRes[i].AddedVulns[j] = toMinimalVuln(v)\n\t\t}\n\t\tminimalRes[i].RemovedVulns = make([]minimalVuln, len(diff.RemovedVulns))\n\t\tfor j, v := range diff.RemovedVulns {\n\t\t\tminimalRes[i].RemovedVulns[j] = toMinimalVuln(v)\n\t\t}\n\t\tcmpFn := func(a, b minimalVuln) int {\n\t\t\tif c := cmp.Compare(a.ID, b.ID); c != 0 {\n\t\t\t\treturn c\n\t\t\t}\n\n\t\t\treturn slices.Compare(a.AffectedNodes, b.AffectedNodes)\n\t\t}\n\t\tslices.SortFunc(minimalRes[i].AddedVulns, cmpFn)\n\t\tslices.SortFunc(minimalRes[i].RemovedVulns, cmpFn)\n\t}\n\n\ttestutility.NewSnapshot().MatchJSON(t, minimalRes)\n}\n" }, { "path": "internal/remediation/testmain_test.go", "content": "package remediation_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/remediation/upgrade/config.go", "content": "// Package upgrade provides functionality for parsing upgrade configurations for remediation.\npackage upgrade\n\nimport (\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\ntype Config map[string]Level\n\nfunc NewConfig() Config {\n\treturn make(Config)\n}\n\n// Set the allowed upgrade level for a given pkg name.\n// If level for pkg was previously set, sets the package to the new level and returns true.\n// Otherwise, sets the package's level and returns false.\nfunc (c Config) Set(pkg string, level Level) bool {\n\t_, alreadySet := c[pkg]\n\tc[pkg] = level\n\n\treturn alreadySet\n}\n\n// SetDefault sets the default allowed upgrade level packages that weren't explicitly set.\n// If default was previously set, sets the default to the new level and returns true.\n// Otherwise, sets the default and returns false.\nfunc (c Config) SetDefault(level Level) bool {\n\t// Empty package name is used as the default level.\n\treturn c.Set(\"\", level)\n}\n\n// Get the allowed Level for the given pkg name.\nfunc (c Config) Get(pkg string) Level {\n\tif lvl, ok := c[pkg]; ok {\n\t\treturn lvl\n\t}\n\n\t// Empty package name is used as the default level.\n\treturn c[\"\"]\n}\n\nfunc ParseUpgradeConfig(specs []string) Config {\n\tconfig := NewConfig()\n\n\tfor _, spec := range specs {\n\t\tidx := strings.LastIndex(spec, \":\")\n\t\tif idx == 0 {\n\t\t\tcmdlogger.Warnf(\"WARNING: `--upgrade-config %s` - skipping empty package name\", spec)\n\t\t\tcontinue\n\t\t}\n\t\tpkg := \"\"\n\t\tlevelStr := spec\n\t\tif idx > 0 {\n\t\t\tpkg = spec[:idx]\n\t\t\tlevelStr = spec[idx+1:]\n\t\t}\n\t\tvar level Level\n\t\tswitch levelStr {\n\t\tcase \"major\":\n\t\t\tlevel = Major\n\t\tcase \"minor\":\n\t\t\tlevel = Minor\n\t\tcase \"patch\":\n\t\t\tlevel = Patch\n\t\tcase \"none\":\n\t\t\tlevel = None\n\t\tdefault:\n\t\t\tcmdlogger.Warnf(\"WARNING: `--upgrade-config %s` - invalid level string '%s'\", spec, levelStr)\n\t\t\tcontinue\n\t\t}\n\t\tif config.Set(pkg, level) { // returns true if was previously set\n\t\t\tcmdlogger.Warnf(\"WARNING: `--upgrade-config %s` - config for package specified multiple times\", spec)\n\t\t}\n\t}\n\n\treturn config\n}\n" }, { "path": "internal/remediation/upgrade/config_test.go", "content": "package upgrade_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\nfunc configSetExpect(t *testing.T, config upgrade.Config, pkg string, level upgrade.Level, want bool) {\n\tt.Helper()\n\tgot := config.Set(pkg, level)\n\tif got != want {\n\t\tt.Errorf(\"Set(%v, %v) got %v, want %v\", pkg, level, got, want)\n\t}\n}\n\nfunc configSetDefaultExpect(t *testing.T, config upgrade.Config, level upgrade.Level, want bool) {\n\tt.Helper()\n\tgot := config.SetDefault(level)\n\tif got != want {\n\t\tt.Errorf(\"SetDefault(%v) got %v, want %v\", level, got, want)\n\t}\n}\n\nfunc configGetExpect(t *testing.T, config upgrade.Config, pkg string, want upgrade.Level) {\n\tt.Helper()\n\tif got := config.Get(pkg); got != want {\n\t\tt.Errorf(\"Get(%v) got %v, want %v\", pkg, got, want)\n\t}\n}\n\nfunc TestConfig(t *testing.T) {\n\tt.Parallel()\n\tconfig := upgrade.NewConfig()\n\n\t// Default everything to allow major\n\tconfigGetExpect(t, config, \"foo\", upgrade.Major)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Major)\n\n\t// Set specific package\n\tconfigSetExpect(t, config, \"foo\", upgrade.Minor, false)\n\tconfigGetExpect(t, config, \"foo\", upgrade.Minor)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Major)\n\n\t// Set package again\n\tconfigSetExpect(t, config, \"foo\", upgrade.None, true)\n\tconfigGetExpect(t, config, \"foo\", upgrade.None)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Major)\n\n\t// Set default\n\tconfigSetDefaultExpect(t, config, upgrade.Patch, false)\n\tconfigGetExpect(t, config, \"foo\", upgrade.None)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Patch)\n\n\t// Set default again\n\tconfigSetDefaultExpect(t, config, upgrade.Major, true)\n\tconfigGetExpect(t, config, \"foo\", upgrade.None)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Major)\n\n\t// Set other package\n\tconfigSetExpect(t, config, \"bar\", upgrade.Minor, false)\n\tconfigGetExpect(t, config, \"foo\", upgrade.None)\n\tconfigGetExpect(t, config, \"bar\", upgrade.Minor)\n\tconfigGetExpect(t, config, \"baz\", upgrade.Major)\n}\n" }, { "path": "internal/remediation/upgrade/level.go", "content": "package upgrade\n\nimport (\n\t\"deps.dev/util/semver\"\n)\n\ntype Level int\n\nconst (\n\tMajor Level = iota\n\tMinor\n\tPatch\n\tNone\n)\n\n// Allows returns if the semver.Diff is allowable for this upgrade level constraint.\nfunc (level Level) Allows(diff semver.Diff) bool {\n\tif diff == semver.Same {\n\t\treturn true\n\t}\n\n\tswitch level {\n\tcase Major:\n\t\treturn true\n\tcase Minor:\n\t\treturn diff != semver.DiffMajor\n\tcase Patch:\n\t\treturn (diff != semver.DiffMajor) && (diff != semver.DiffMinor)\n\tcase None:\n\t\treturn false\n\tdefault: // Invalid level\n\t\treturn false\n\t}\n}\n" }, { "path": "internal/remediation/upgrade/level_test.go", "content": "package upgrade_test\n\nimport (\n\t\"slices\"\n\t\"testing\"\n\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n)\n\nfunc TestLevelAllows(t *testing.T) {\n\tt.Parallel()\n\t// Check every combination of Level + Diff\n\tallDiffs := [...]semver.Diff{\n\t\tsemver.Same,\n\t\tsemver.DiffOther,\n\t\tsemver.DiffMajor,\n\t\tsemver.DiffMinor,\n\t\tsemver.DiffPatch,\n\t\tsemver.DiffPrerelease,\n\t\tsemver.DiffBuild,\n\t}\n\n\tlevelDisallowed := map[upgrade.Level][]semver.Diff{\n\t\tupgrade.Major: {},\n\t\tupgrade.Minor: {semver.DiffMajor},\n\t\tupgrade.Patch: {semver.DiffMajor, semver.DiffMinor},\n\t\tupgrade.None: allDiffs[1:], // everything but semver.Same\n\t}\n\n\tfor level, disallowed := range levelDisallowed {\n\t\tfor _, diff := range allDiffs {\n\t\t\twant := !slices.Contains(disallowed, diff)\n\t\t\tgot := level.Allows(diff)\n\t\t\tif want != got {\n\t\t\t\tt.Errorf(\"(Level: %v, Diff: %v) Allows() = %v, want %v\", level, diff, got, want)\n\t\t\t}\n\t\t}\n\t}\n}\n" }, { "path": "internal/reporter/cyclonedx.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype cycloneDXReporter struct {\n\twriter io.Writer\n\tversion models.CycloneDXVersion\n}\n\nfunc (r *cycloneDXReporter) PrintResult(vulnerabilityResults *models.VulnerabilityResults) error {\n\terrs := output.PrintCycloneDXResults(vulnerabilityResults, r.version, r.writer)\n\tif errs != nil {\n\t\tfor err := range strings.SplitSeq(errs.Error(), \"\\n\") {\n\t\t\tcmdlogger.Warnf(\"Failed to parse package URL: %v\", err)\n\t\t}\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/reporter/format.go", "content": "package reporter\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nvar format = []string{\"table\", \"html\", \"vertical\", \"json\", \"markdown\", \"sarif\", \"gh-annotations\", \"cyclonedx-1-4\", \"cyclonedx-1-5\", \"spdx-2-3\"}\n\nfunc Format() []string {\n\treturn format\n}\n\nfunc newResultPrinter(format string, writer io.Writer, terminalWidth int, showAllVulns bool) (resultPrinter, error) {\n\tswitch format {\n\tcase \"html\":\n\t\treturn &htmlReporter{writer}, nil\n\tcase \"json\":\n\t\treturn &jsonReporter{writer}, nil\n\tcase \"vertical\":\n\t\treturn &verticalReporter{writer, terminalWidth, showAllVulns}, nil\n\tcase \"table\":\n\t\treturn &tableReporter{writer, false, terminalWidth, showAllVulns}, nil\n\tcase \"markdown\":\n\t\treturn &tableReporter{writer, true, terminalWidth, showAllVulns}, nil\n\tcase \"sarif\":\n\t\treturn &sarifReporter{writer}, nil\n\tcase \"gh-annotations\":\n\t\treturn &ghAnnotationsReporter{writer}, nil\n\tcase \"cyclonedx-1-4\":\n\t\treturn &cycloneDXReporter{writer, models.CycloneDXVersion14}, nil\n\tcase \"cyclonedx-1-5\":\n\t\treturn &cycloneDXReporter{writer, models.CycloneDXVersion15}, nil\n\tcase \"cyclonedx-1-6\":\n\t\treturn &cycloneDXReporter{writer, models.CycloneDXVersion16}, nil\n\tcase \"spdx-2-3\":\n\t\treturn &spdxReporter{writer}, nil\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"%v is not a valid format\", format)\n\t}\n}\n" }, { "path": "internal/reporter/gh-annotations_reporter.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype ghAnnotationsReporter struct {\n\twriter io.Writer\n}\n\nfunc (r *ghAnnotationsReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\treturn output.PrintGHAnnotationReport(vulnResult, r.writer)\n}\n" }, { "path": "internal/reporter/html_reporter.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype htmlReporter struct {\n\twriter io.Writer\n}\n\nfunc (r *htmlReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\treturn output.PrintHTMLResults(vulnResult, r.writer)\n}\n" }, { "path": "internal/reporter/json_reporter.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype jsonReporter struct {\n\twriter io.Writer\n}\n\nfunc (r *jsonReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\treturn output.PrintJSONResults(vulnResult, r.writer)\n}\n" }, { "path": "internal/reporter/reporter.go", "content": "// Package reporter provides functionality for reporting scan results in various formats.\npackage reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype resultPrinter interface {\n\t// PrintResult prints the models.VulnerabilityResults per the logic of the\n\t// actual reporter\n\tPrintResult(vulnResult *models.VulnerabilityResults) error\n}\n\nfunc PrintResult(\n\tvulnResult *models.VulnerabilityResults,\n\tformat string,\n\twriter io.Writer,\n\tterminalWidth int,\n\tshowAllVulns bool,\n) error {\n\tr, err := newResultPrinter(format, writer, terminalWidth, showAllVulns)\n\n\tif err != nil {\n\t\treturn err\n\t}\n\n\treturn r.PrintResult(vulnResult)\n}\n" }, { "path": "internal/reporter/reporter_test.go", "content": "package reporter_test\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/reporter\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc TestPrintResult(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, format := range reporter.Format() {\n\t\tstdout := &bytes.Buffer{}\n\n\t\terr := reporter.PrintResult(&models.VulnerabilityResults{}, format, stdout, 0, false)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Reporter for '%s' format not implemented\", format)\n\t\t}\n\t}\n}\n\nfunc TestPrintResult_UnsupportedFormatter(t *testing.T) {\n\tt.Parallel()\n\n\tstdout := &bytes.Buffer{}\n\n\terr := reporter.PrintResult(&models.VulnerabilityResults{}, \"unsupported\", stdout, 0, true)\n\n\tif err == nil {\n\t\tt.Errorf(\"Did not get expected error\")\n\t}\n}\n" }, { "path": "internal/reporter/sarif_reporter.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype sarifReporter struct {\n\twriter io.Writer\n}\n\nfunc (r *sarifReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\treturn output.PrintSARIFReport(vulnResult, r.writer)\n}\n" }, { "path": "internal/reporter/spdx.go", "content": "package reporter\n\nimport (\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype spdxReporter struct {\n\twriter io.Writer\n}\n\nfunc (r *spdxReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\treturn output.PrintSPDXResults(vulnResult, r.writer)\n}\n" }, { "path": "internal/reporter/table_reporter.go", "content": "package reporter\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype tableReporter struct {\n\twriter io.Writer\n\tmarkdown bool\n\t// 0 indicates not a terminal output\n\tterminalWidth int\n\tshowAllVulns bool\n}\n\nfunc (r *tableReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\tif len(vulnResult.Results) == 0 && vulnResult.LicenseSummary == nil && !cmdlogger.HasErrored() {\n\t\tfmt.Fprintf(r.writer, \"No issues found\\n\")\n\t\treturn nil\n\t}\n\n\tif r.markdown {\n\t\toutput.PrintMarkdownTableResults(vulnResult, r.writer, r.showAllVulns)\n\t} else {\n\t\toutput.PrintTableResults(vulnResult, r.writer, r.terminalWidth, r.showAllVulns)\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/reporter/vertical_reporter.go", "content": "package reporter\n\nimport (\n\t\"fmt\"\n\t\"io\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/jedib0t/go-pretty/v6/text\"\n)\n\ntype verticalReporter struct {\n\twriter io.Writer\n\t// 0 indicates not a terminal output\n\tterminalWidth int\n\tshowAllVulns bool\n}\n\nfunc (r *verticalReporter) PrintResult(vulnResult *models.VulnerabilityResults) error {\n\tif len(vulnResult.Results) == 0 && vulnResult.LicenseSummary == nil && !cmdlogger.HasErrored() {\n\t\tfmt.Fprintf(r.writer, \"No issues found\\n\")\n\t\treturn nil\n\t}\n\n\tif r.terminalWidth <= 0 {\n\t\ttext.DisableColors()\n\t}\n\n\toutput.PrintVerticalResults(vulnResult, r.writer, r.showAllVulns)\n\n\treturn nil\n}\n" }, { "path": "internal/resolution/__snapshots__/resolve_test.snap", "content": "\n[TestResolve/complex - 1]\ncomplex 9.9.9\n├─ reg|KnownAs=\"chuck\"|Selector=\"\" | alice@^1.0.0 1.0.1\n│ └─ $1@^2.0.0\n├─ 1: reg|Selector=\"\" | bob@2.2.2 2.2.2\n└─ reg|Selector=\"\" | dave@~3.3.3 3.3.3\n ├─ $1@^2.2.2\n └─ reg|KnownAs=\"duck\"|Selector=\"\" | chuck@^2.0.0 2.0.0\n └─ $1@^2.0.1\n\n---\n\n[TestResolve/complex - 2]\n[\n {\n \"ID\": \"CMPLX-0000-0000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"complex\",\n \"VersionType\": 1,\n \"Version\": \"9.9.9\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"alice\",\n \"VersionType\": 1,\n \"Version\": \"1.0.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n },\n {\n \"ID\": \"CMPLX-1000-0000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 2,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"complex\",\n \"VersionType\": 1,\n \"Version\": \"9.9.9\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"2.2.2\",\n \"Type\": {}\n },\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"~3.3.3\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"alice\",\n \"VersionType\": 1,\n \"Version\": \"1.0.1\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bob\",\n \"VersionType\": 1,\n \"Version\": \"2.2.2\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"2.2.2\",\n \"Type\": {}\n },\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 3,\n \"To\": 2,\n \"Requirement\": \"^2.2.2\",\n \"Type\": {}\n },\n {\n \"From\": 4,\n \"To\": 2,\n \"Requirement\": \"^2.0.1\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dave\",\n \"VersionType\": 1,\n \"Version\": \"3.3.3\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"~3.3.3\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 3,\n \"To\": 2,\n \"Requirement\": \"^2.2.2\",\n \"Type\": {}\n },\n {\n \"From\": 3,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"4\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"chuck\",\n \"VersionType\": 1,\n \"Version\": \"2.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 3,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 4,\n \"To\": 2,\n \"Requirement\": \"^2.0.1\",\n \"Type\": {}\n }\n ]\n }\n }\n }\n ]\n },\n {\n \"ID\": \"CMPLX-2000-0000\",\n \"DevOnly\": true,\n \"Subgraphs\": [\n {\n \"Dependency\": 4,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"complex\",\n \"VersionType\": 1,\n \"Version\": \"9.9.9\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"~3.3.3\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dave\",\n \"VersionType\": 1,\n \"Version\": \"3.3.3\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"~3.3.3\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 3,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"4\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"chuck\",\n \"VersionType\": 1,\n \"Version\": \"2.0.0\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 3,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/diamond - 1]\ndiamond 1.0.0\n├─ reg|Selector=\"\" | pkg@^1.0.0 1.0.0\n│ └─ 1: reg|Selector=\"\" | bad@^1.0.0 1.1.1\n└─ reg|Selector=\"\" | dep-one@^1.0.0 1.0.0\n ├─ $1@^1.0.0\n └─ reg|Selector=\"\" | dep-two@^1.0.0 1.0.0\n └─ $1@^1.0.0\n\n---\n\n[TestResolve/diamond - 2]\n[\n {\n \"ID\": \"DIA-000-000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 3,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"diamond\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"pkg\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 1,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dep-one\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 2,\n \"To\": 4,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 1,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 4,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n },\n \"4\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dep-two\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 2,\n \"To\": 4,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 4,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/different-pkgs - 1]\ndifferent-pkgs 3.0.0\n├─ reg|Selector=\"\" | bad2@^1.0.0 1.0.0\n└─ reg|Selector=\"\" | dependency@^1.0.0 1.0.0\n └─ reg|Selector=\"\" | bad@^1.0.0 1.1.1\n\n---\n\n[TestResolve/different-pkgs - 2]\n[\n {\n \"ID\": \"OSV-000-000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 3,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"different-pkgs\",\n \"VersionType\": 1,\n \"Version\": \"3.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n },\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"different-pkgs\",\n \"VersionType\": 1,\n \"Version\": \"3.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad2\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n },\n {\n \"Dependency\": 3,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"different-pkgs\",\n \"VersionType\": 1,\n \"Version\": \"3.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 2,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/direct - 1]\ndirect 1.0.0\n└─ reg|Selector=\"\" | bad@^2.0.0 2.2.2\n\n---\n\n[TestResolve/direct - 2]\n[\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"direct\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"2.2.2\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/duplicates - 1]\nduplicates 1.1.1\n├─ reg|KnownAs=\"bad-aliased\"|Selector=\"\" | bad@^1.0.0 1.1.1\n├─ reg|Selector=\"\" | dependency@^2.0.0 2.0.0\n│ └─ reg|Selector=\"\" | bad@^2.0.0 2.2.2\n└─ reg|KnownAs=\"dependency-v1\"|Selector=\"\" | dependency@^1.0.0 1.0.0\n └─ reg|Selector=\"\" | bad@^1.0.0 1.1.1\n\n---\n\n[TestResolve/duplicates - 2]\n[\n {\n \"ID\": \"OSV-000-000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"duplicates\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n },\n {\n \"Dependency\": 5,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"duplicates\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 3,\n \"To\": 5,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"5\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 3,\n \"To\": 5,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n },\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"duplicates\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n },\n {\n \"Dependency\": 4,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"duplicates\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"2.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"4\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"2.2.2\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 2,\n \"To\": 4,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n },\n {\n \"Dependency\": 5,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"duplicates\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"3\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 3,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 3,\n \"To\": 5,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"5\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 3,\n \"To\": 5,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/existing - 1]\nexisting 1.0.0\n└─ opt|Selector=\"\" | dependency@^2.0.0 2.0.0\n └─ reg|Selector=\"\" | bad@^2.0.0 2.2.2\n\n---\n\n[TestResolve/existing - 2]\n[\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 2,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"existing\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"2.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"2.2.2\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^2.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/non-problem - 1]\nnon-problem 1.0.0\n├─ 1: reg|Selector=\"\" | bad@^1.0.0 1.1.1\n└─ reg|Selector=\"\" | dependency@^3.0.0 3.0.0\n └─ $1@*\n\n---\n\n[TestResolve/non-problem - 2]\n[\n {\n \"ID\": \"OSV-000-000\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"non-problem\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^3.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 2,\n \"To\": 1,\n \"Requirement\": \"*\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"3.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^3.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 1,\n \"Requirement\": \"*\",\n \"Type\": {}\n }\n ]\n }\n }\n }\n ]\n },\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": false,\n \"Subgraphs\": [\n {\n \"Dependency\": 1,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"non-problem\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^3.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n },\n {\n \"From\": 2,\n \"To\": 1,\n \"Requirement\": \"*\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"3.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 2,\n \"Requirement\": \"^3.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 2,\n \"To\": 1,\n \"Requirement\": \"*\",\n \"Type\": {}\n }\n ]\n }\n }\n }\n ]\n }\n]\n---\n\n[TestResolve/simple - 1]\nsimple 1.0.0\n└─ reg|Selector=\"\" | dependency@^1.0.0 1.0.0\n └─ reg|Selector=\"\" | bad@^1.0.0 1.1.1\n\n---\n\n[TestResolve/simple - 2]\n[\n {\n \"ID\": \"OSV-000-000\",\n \"DevOnly\": true,\n \"Subgraphs\": [\n {\n \"Dependency\": 2,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"simple\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n },\n {\n \"ID\": \"OSV-000-001\",\n \"DevOnly\": true,\n \"Subgraphs\": [\n {\n \"Dependency\": 2,\n \"Nodes\": {\n \"0\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"simple\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 2,\n \"Parents\": null,\n \"Children\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"1\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"dependency\",\n \"VersionType\": 1,\n \"Version\": \"1.0.0\"\n },\n \"Distance\": 1,\n \"Parents\": [\n {\n \"From\": 0,\n \"To\": 1,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ]\n },\n \"2\": {\n \"Version\": {\n \"System\": 3,\n \"Name\": \"bad\",\n \"VersionType\": 1,\n \"Version\": \"1.1.1\"\n },\n \"Distance\": 0,\n \"Parents\": [\n {\n \"From\": 1,\n \"To\": 2,\n \"Requirement\": \"^1.0.0\",\n \"Type\": {}\n }\n ],\n \"Children\": null\n }\n }\n }\n ]\n }\n]\n---\n" }, { "path": "internal/resolution/client/client.go", "content": "// Package client defines the clients for resolving dependencies for various ecosystems.\npackage client\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\n\tpb \"deps.dev/api/v3\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientinterfaces\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"google.golang.org/grpc\"\n\t\"google.golang.org/grpc/credentials\"\n)\n\ntype ResolutionClient struct {\n\tDependencyClient\n\tclientinterfaces.VulnerabilityMatcher\n}\n\ntype DependencyClient interface {\n\tresolve.Client\n\t// WriteCache writes a manifest-specific resolution cache.\n\tWriteCache(filepath string) error\n\t// LoadCache loads a manifest-specific resolution cache.\n\tLoadCache(filepath string) error\n\t// AddRegistries adds the specified registries to fetch data.\n\tAddRegistries(registries []Registry) error\n}\n\ntype Registry any\n\n// PreFetch loads cache, then makes and caches likely queries needed for resolving a package with a list of requirements\nfunc PreFetch(ctx context.Context, c DependencyClient, requirements []resolve.RequirementVersion, manifestPath string) {\n\t// It doesn't matter if loading the cache fails\n\t_ = c.LoadCache(manifestPath)\n\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\treturn\n\t}\n\tcreds := credentials.NewClientTLSFromCert(certPool, \"\")\n\tdialOpts := []grpc.DialOption{\n\t\tgrpc.WithTransportCredentials(creds),\n\t\tgrpc.WithUserAgent(\"osv-scanner/\" + version.OSVVersion),\n\t}\n\n\tconn, err := grpc.NewClient(depsdev.DepsdevAPI, dialOpts...)\n\tif err != nil {\n\t\treturn\n\t}\n\tinsights := pb.NewInsightsClient(conn)\n\n\t// Use the deps.dev client to fetch complete dependency graphs of our direct imports\n\tfor _, im := range requirements {\n\t\t// There are potentially a huge number of management/import dependencies.\n\t\tif im.Type.HasAttr(dep.MavenDependencyOrigin) {\n\t\t\tcontinue\n\t\t}\n\n\t\tvar vk resolve.Version\n\t\tvar constraint *semver.Constraint\n\t\t// Maven registry client may be slow calling MatchingVersions which makes requests to `maven-metadata.xml`.\n\t\t// We can avoid this by only calling MatchingVersions for non-soft requirements.\n\t\tif im.System == resolve.Maven {\n\t\t\tif constraint, err = semver.Maven.ParseConstraint(im.Version); err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif constraint != nil && constraint.IsSimple() {\n\t\t\t// If the requirement is a simple version, use it as the VersionKey,\n\t\t\t// so we do not need to call MatchingVersions to get available versions.\n\t\t\tvk = resolve.Version{\n\t\t\t\tVersionKey: im.VersionKey,\n\t\t\t}\n\t\t} else {\n\t\t\t// Get the preferred version of the import requirement\n\t\t\tvks, err := c.MatchingVersions(ctx, im.VersionKey)\n\t\t\tif err != nil || len(vks) == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tvk = vks[len(vks)-1]\n\t\t}\n\n\t\t// Make a request for the precomputed dependency tree\n\t\tresp, err := insights.GetDependencies(ctx, &pb.GetDependenciesRequest{\n\t\t\tVersionKey: &pb.VersionKey{\n\t\t\t\tSystem: pb.System(vk.System),\n\t\t\t\tName: vk.Name,\n\t\t\t\tVersion: vk.Version,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\n\t\t// Send off queries to cache the packages in the dependency tree\n\t\tnodes := resp.GetNodes()\n\t\tfor _, node := range nodes {\n\t\t\tpbvk := node.GetVersionKey()\n\t\t\tvk := resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.System(pbvk.GetSystem()),\n\t\t\t\t\tName: pbvk.GetName(),\n\t\t\t\t},\n\t\t\t\tVersion: pbvk.GetVersion(),\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t}\n\n\t\t\t// TODO: We might want to limit the number of goroutines this creates.\n\t\t\tgo c.Requirements(ctx, vk) //nolint:errcheck\n\t\t\tgo c.Version(ctx, vk) //nolint:errcheck\n\t\t\tif vk.System != resolve.Maven {\n\t\t\t\t// Avoid making requests to `maven-metadata.xml`\n\t\t\t\tgo c.Versions(ctx, vk.PackageKey) //nolint:errcheck\n\t\t\t}\n\t\t}\n\t}\n\t// don't bother waiting for goroutines to finish.\n}\n" }, { "path": "internal/resolution/client/depsdev_client.go", "content": "package client\n\nimport (\n\t\"encoding/gob\"\n\t\"os\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n)\n\nconst depsDevCacheExt = \".resolve.deps\"\n\n// DepsDevClient is a ResolutionClient wrapping the official resolve.APIClient\ntype DepsDevClient struct {\n\tresolve.APIClient\n\n\tc *datasource.CachedInsightsClient\n}\n\nfunc NewDepsDevClient(addr string, userAgent string) (*DepsDevClient, error) {\n\tc, err := datasource.NewCachedInsightsClient(addr, userAgent)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &DepsDevClient{APIClient: *resolve.NewAPIClient(c), c: c}, nil\n}\n\nfunc (d *DepsDevClient) AddRegistries(_ []Registry) error { return nil }\n\nfunc (d *DepsDevClient) WriteCache(path string) error {\n\tf, err := os.Create(path + depsDevCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewEncoder(f).Encode(d.c)\n}\n\nfunc (d *DepsDevClient) LoadCache(path string) error {\n\tf, err := os.Open(path + depsDevCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewDecoder(f).Decode(&d.c)\n}\n" }, { "path": "internal/resolution/client/helper.go", "content": "package client\n\nimport (\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n)\n\n// GraphToInventory is a helper function to convert a Graph into an Package for use with VulnerabilityMatcher.\nfunc GraphToInventory(g *resolve.Graph) []*extractor.Package {\n\t// g.Nodes[0] is the root node of the graph that should be excluded.\n\tinv := make([]*extractor.Package, len(g.Nodes)-1)\n\tfor i, n := range g.Nodes[1:] {\n\t\tinv[i] = &extractor.Package{\n\t\t\tName: n.Version.Name,\n\t\t\tVersion: n.Version.Version,\n\t\t\tPURLType: util.PURLType[n.Version.System],\n\t\t}\n\t}\n\n\treturn inv\n}\n" }, { "path": "internal/resolution/client/maven_registry_client.go", "content": "package client\n\nimport (\n\t\"context\"\n\t\"encoding/gob\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"deps.dev/util/maven\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/version\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\tmavenutil \"github.com/google/osv-scanner/v2/internal/utility/maven\"\n)\n\nconst mavenRegistryCacheExt = \".resolve.maven\"\n\ntype MavenRegistryClient struct {\n\tapi *datasource.MavenRegistryAPIClient\n}\n\nfunc NewMavenRegistryClient(registry string) (*MavenRegistryClient, error) {\n\tclient, err := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: registry, ReleasesEnabled: true})\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn &MavenRegistryClient{api: client}, nil\n}\n\nfunc (c *MavenRegistryClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) {\n\tg, a, found := strings.Cut(vk.Name, \":\")\n\tif !found {\n\t\treturn resolve.Version{}, fmt.Errorf(\"invalid Maven package name %s\", vk.Name)\n\t}\n\tproj, err := c.api.GetProject(ctx, g, a, vk.Version)\n\tif err != nil {\n\t\treturn resolve.Version{}, err\n\t}\n\n\tregs := make([]string, len(proj.Repositories))\n\t// Repositories are served as dependency registries.\n\t// https://github.com/google/deps.dev/blob/main/util/resolve/api.go#L106\n\tfor i, repo := range proj.Repositories {\n\t\tregs[i] = \"dep:\" + string(repo.URL)\n\t}\n\tvar attr version.AttrSet\n\tif len(regs) > 0 {\n\t\tattr.SetAttr(version.Registries, strings.Join(regs, \"|\"))\n\t}\n\n\treturn resolve.Version{VersionKey: vk, AttrSet: attr}, nil\n}\n\n// Versions returns all available versions of the given package from the maven-metadata.xml file\n//\n// TODO: we should also include versions not listed in the metadata file\n// There exist versions in the repository but not listed in the metada file,\n// for example version 20030203.000550 of package commons-io:commons-io\n// https://repo1.maven.org/maven2/commons-io/commons-io/20030203.000550/.\n// A package may depend on such version if a soft requirement of this version\n// is declared.\n// We need to find out if there are such versions and include them in the\n// returned versions.\nfunc (c *MavenRegistryClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) {\n\tif pk.System != resolve.Maven {\n\t\treturn nil, fmt.Errorf(\"wrong system: %v\", pk.System)\n\t}\n\n\tg, a, found := strings.Cut(pk.Name, \":\")\n\tif !found {\n\t\treturn nil, fmt.Errorf(\"invalid Maven package name %s\", pk.Name)\n\t}\n\tversions, err := c.api.GetVersions(ctx, g, a)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvks := make([]resolve.Version, len(versions))\n\tfor i, v := range versions {\n\t\tvks[i] = resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersion: string(v),\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t}}\n\t}\n\n\treturn vks, nil\n}\n\nfunc (c *MavenRegistryClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) {\n\tif vk.System != resolve.Maven {\n\t\treturn nil, fmt.Errorf(\"wrong system: %v\", vk.System)\n\t}\n\n\tg, a, found := strings.Cut(vk.Name, \":\")\n\tif !found {\n\t\treturn nil, fmt.Errorf(\"invalid Maven package name %s\", vk.Name)\n\t}\n\tproj, err := c.api.GetProject(ctx, g, a, vk.Version)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Only merge default profiles by passing empty JDK and OS information.\n\tif err := proj.MergeProfiles(\"\", maven.ActivationOS{}); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// We should not add registries defined in dependencies pom.xml files.\n\tapiWithoutRegistries := c.api.WithoutRegistries()\n\t// We need to merge parents for potential dependencies in parents.\n\tif err := mavenutil.MergeParents(ctx, apiWithoutRegistries, &proj, proj.Parent, 1, \"\", false); err != nil {\n\t\treturn nil, err\n\t}\n\tproj.ProcessDependencies(func(groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {\n\t\treturn mavenutil.GetDependencyManagement(ctx, apiWithoutRegistries, groupID, artifactID, version)\n\t})\n\n\treqs := make([]resolve.RequirementVersion, 0, len(proj.Dependencies))\n\tfor _, d := range proj.Dependencies {\n\t\treqs = append(reqs, resolve.RequirementVersion{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: d.Name(),\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: string(d.Version),\n\t\t\t},\n\t\t\tType: resolve.MavenDepType(d, \"\"),\n\t\t})\n\t}\n\n\treturn reqs, nil\n}\n\nfunc (c *MavenRegistryClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) {\n\tif vk.System != resolve.Maven {\n\t\treturn nil, fmt.Errorf(\"wrong system: %v\", vk.System)\n\t}\n\n\tversions, err := c.Versions(ctx, vk.PackageKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn resolve.MatchRequirement(vk, versions), nil\n}\n\nfunc (c *MavenRegistryClient) AddRegistries(registries []Registry) error {\n\tfor _, reg := range registries {\n\t\tspecific, ok := reg.(datasource.MavenRegistry)\n\t\tif !ok {\n\t\t\treturn errors.New(\"invalid Maven registry information\")\n\t\t}\n\t\tif err := c.api.AddRegistry(specific); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (c *MavenRegistryClient) WriteCache(path string) error {\n\tf, err := os.Create(path + mavenRegistryCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewEncoder(f).Encode(c.api)\n}\n\nfunc (c *MavenRegistryClient) LoadCache(path string) error {\n\tf, err := os.Open(path + mavenRegistryCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewDecoder(f).Decode(&c.api)\n}\n" }, { "path": "internal/resolution/client/npm_registry_client.go", "content": "package client\n\nimport (\n\t\"context\"\n\t\"crypto/x509\"\n\t\"encoding/gob\"\n\t\"fmt\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\n\tpb \"deps.dev/api/v3\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"google.golang.org/grpc\"\n\t\"google.golang.org/grpc/credentials\"\n)\n\nconst npmRegistryCacheExt = \".resolve.npm\"\n\ntype NpmRegistryClient struct {\n\tapi *datasource.NpmRegistryAPIClient\n\n\t// Fallback client for dealing with bundleDependencies.\n\tic pb.InsightsClient\n\tfallback *resolve.APIClient\n}\n\nfunc NewNpmRegistryClient(workdir string) (*NpmRegistryClient, error) {\n\tapi, err := datasource.NewNpmRegistryAPIClient(workdir)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tcertPool, err := x509.SystemCertPool()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"getting system cert pool: %w\", err)\n\t}\n\tcreds := credentials.NewClientTLSFromCert(certPool, \"\")\n\tdialOpts := []grpc.DialOption{\n\t\tgrpc.WithTransportCredentials(creds),\n\t\tgrpc.WithUserAgent(\"osv-scanner_fix/\" + version.OSVVersion),\n\t}\n\n\tconn, err := grpc.NewClient(depsdev.DepsdevAPI, dialOpts...)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"dialling %q: %w\", depsdev.DepsdevAPI, err)\n\t}\n\tic := pb.NewInsightsClient(conn)\n\n\treturn &NpmRegistryClient{\n\t\tapi: api,\n\t\tic: ic,\n\t\tfallback: resolve.NewAPIClient(ic),\n\t}, nil\n}\n\nfunc (c *NpmRegistryClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) {\n\tif isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client\n\t\treturn c.fallback.Version(ctx, vk)\n\t}\n\n\treturn resolve.Version{VersionKey: vk}, nil\n}\n\nfunc (c *NpmRegistryClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) {\n\tif isNpmBundle(pk) { // bundled dependencies, fallback to deps.dev client\n\t\treturn c.fallback.Versions(ctx, pk)\n\t}\n\n\tvers, err := c.api.Versions(ctx, pk.Name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvks := make([]resolve.Version, len(vers.Versions))\n\tfor i, v := range vers.Versions {\n\t\tvks[i] = resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersion: v,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t}}\n\t}\n\n\tslices.SortFunc(vks, func(a, b resolve.Version) int { return semver.NPM.Compare(a.Version, b.Version) })\n\n\treturn vks, nil\n}\n\nfunc (c *NpmRegistryClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) {\n\tif vk.System != resolve.NPM {\n\t\treturn nil, fmt.Errorf(\"unsupported system: %v\", vk.System)\n\t}\n\n\tif isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client\n\t\treturn c.fallback.Requirements(ctx, vk)\n\t}\n\tdependencies, err := c.api.Dependencies(ctx, vk.Name, vk.Version)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Preallocate the dependency slice, which will hold all the dependencies of each type.\n\t// The npm resolver expects bundled dependencies included twice in different forms:\n\t// {foo@*|Scope=\"bundle\"} and {mangled-name-of>0.1.2>foo@1.2.3}, hence the 2*len(bundled)\n\tdepCount := len(dependencies.Dependencies) + len(dependencies.DevDependencies) +\n\t\tlen(dependencies.OptionalDependencies) + len(dependencies.PeerDependencies) +\n\t\t2*len(dependencies.BundleDependencies)\n\tdeps := make([]resolve.RequirementVersion, 0, depCount)\n\taddDeps := func(ds map[string]string, t dep.Type) {\n\t\tfor name, req := range ds {\n\t\t\ttyp := t.Clone()\n\t\t\tif r, ok := strings.CutPrefix(req, \"npm:\"); ok {\n\t\t\t\t// This dependency is aliased, add it as a\n\t\t\t\t// dependency on the actual name, with the\n\t\t\t\t// KnownAs attribute set to the alias.\n\t\t\t\ttyp.AddAttr(dep.KnownAs, name)\n\t\t\t\tname = r\n\t\t\t\treq = \"\"\n\t\t\t\tif i := strings.LastIndex(r, \"@\"); i > 0 {\n\t\t\t\t\tname = r[:i]\n\t\t\t\t\treq = r[i+1:]\n\t\t\t\t}\n\t\t\t}\n\t\t\tdeps = append(deps, resolve.RequirementVersion{\n\t\t\t\tType: typ,\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\t\tName: name,\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: req,\n\t\t\t\t},\n\t\t\t})\n\t\t}\n\t}\n\taddDeps(dependencies.Dependencies, dep.NewType())\n\taddDeps(dependencies.DevDependencies, dep.NewType(dep.Dev))\n\taddDeps(dependencies.OptionalDependencies, dep.NewType(dep.Opt))\n\n\tpeerType := dep.NewType()\n\tpeerType.AddAttr(dep.Scope, \"peer\")\n\taddDeps(dependencies.PeerDependencies, peerType)\n\n\t// The resolver expects bundleDependencies to be present as regular\n\t// dependencies with a \"*\" version specifier, even if they were already\n\t// in the regular dependencies.\n\tbundleType := dep.NewType()\n\tbundleType.AddAttr(dep.Scope, \"bundle\")\n\tfor _, name := range dependencies.BundleDependencies {\n\t\tdeps = append(deps, resolve.RequirementVersion{\n\t\t\tType: bundleType,\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: name,\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: \"*\",\n\t\t\t},\n\t\t})\n\t}\n\n\t// Correctly resolving the bundled dependencies would require downloading the package.\n\t// Instead, call the fallback deps.dev client to get the bundled dependencies with mangled names.\n\tif len(dependencies.BundleDependencies) > 0 {\n\t\tfallbackReqs, err := c.fallback.Requirements(ctx, vk)\n\t\tif err != nil {\n\t\t\t// TODO: make some placeholder if the package doesn't exist on deps.dev\n\t\t\treturn nil, err\n\t\t}\n\t\tfor _, req := range fallbackReqs {\n\t\t\tif isNpmBundle(req.PackageKey) {\n\t\t\t\tdeps = append(deps, req)\n\t\t\t}\n\t\t}\n\t}\n\n\tresolve.SortDependencies(deps)\n\n\treturn deps, nil\n}\n\nfunc (c *NpmRegistryClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) {\n\tif isNpmBundle(vk.PackageKey) { // bundled dependencies, fallback to deps.dev client\n\t\treturn c.fallback.MatchingVersions(ctx, vk)\n\t}\n\n\tversions, err := c.api.Versions(ctx, vk.Name)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif concVer, ok := versions.Tags[vk.Version]; ok {\n\t\t// matched a tag, return just the concrete version of the tag\n\t\treturn []resolve.Version{{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: vk.PackageKey,\n\t\t\t\tVersion: concVer,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t},\n\t\t}}, nil\n\t}\n\n\tresVersions := make([]resolve.Version, len(versions.Versions))\n\tfor i, v := range versions.Versions {\n\t\tresVersions[i] = resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: vk.PackageKey,\n\t\t\t\tVersion: v,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t},\n\t\t}\n\t}\n\n\treturn resolve.MatchRequirement(vk, resVersions), nil\n}\n\nfunc isNpmBundle(pk resolve.PackageKey) bool {\n\t// Bundles are represented in resolution with a 'mangled' name containing its origin e.g. \"root-pkg>1.0.0>bundled-package\"\n\t// '>' is not a valid character for a npm package, so it'll only be found here.\n\treturn strings.Contains(pk.Name, \">\")\n}\n\nfunc (c *NpmRegistryClient) AddRegistries(_ []Registry) error { return nil }\n\nfunc (c *NpmRegistryClient) WriteCache(path string) error {\n\tf, err := os.Create(path + npmRegistryCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewEncoder(f).Encode(c.api)\n}\n\nfunc (c *NpmRegistryClient) LoadCache(path string) error {\n\tf, err := os.Open(path + npmRegistryCacheExt)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\treturn gob.NewDecoder(f).Decode(&c.api)\n}\n" }, { "path": "internal/resolution/client/override_client.go", "content": "package client\n\nimport (\n\t\"context\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n)\n\n// OverrideClient wraps a DependencyClient, allowing for custom packages & versions to be added\ntype OverrideClient struct {\n\tDependencyClient\n\n\t// Can't quite reuse resolve.LocalClient because it automatically creates dependencies\n\tpkgVers map[resolve.PackageKey][]resolve.Version // versions of a package\n\tverDeps map[resolve.VersionKey][]resolve.RequirementVersion // dependencies of a version\n}\n\nfunc NewOverrideClient(c DependencyClient) *OverrideClient {\n\treturn &OverrideClient{\n\t\tDependencyClient: c,\n\t\tpkgVers: make(map[resolve.PackageKey][]resolve.Version),\n\t\tverDeps: make(map[resolve.VersionKey][]resolve.RequirementVersion),\n\t}\n}\n\nfunc (c *OverrideClient) AddVersion(v resolve.Version, deps []resolve.RequirementVersion) {\n\t// TODO: Inserting multiple co-dependent requirements may not work, depending on order\n\tversions := c.pkgVers[v.PackageKey]\n\tsem := v.Semver()\n\t// Only add it to the versions if not already there (and keep versions sorted)\n\tidx, ok := slices.BinarySearchFunc(versions, v, func(a, b resolve.Version) int {\n\t\treturn sem.Compare(a.Version, b.Version)\n\t})\n\tif !ok {\n\t\tversions = slices.Insert(versions, idx, v)\n\t}\n\tc.pkgVers[v.PackageKey] = versions\n\tc.verDeps[v.VersionKey] = slices.Clone(deps) // overwrites dependencies if called multiple times with same version\n}\n\nfunc (c *OverrideClient) Version(ctx context.Context, vk resolve.VersionKey) (resolve.Version, error) {\n\tfor _, v := range c.pkgVers[vk.PackageKey] {\n\t\tif v.VersionKey == vk {\n\t\t\treturn v, nil\n\t\t}\n\t}\n\n\treturn c.DependencyClient.Version(ctx, vk)\n}\n\nfunc (c *OverrideClient) Versions(ctx context.Context, pk resolve.PackageKey) ([]resolve.Version, error) {\n\tif vers, ok := c.pkgVers[pk]; ok {\n\t\treturn vers, nil\n\t}\n\n\treturn c.DependencyClient.Versions(ctx, pk)\n}\n\nfunc (c *OverrideClient) Requirements(ctx context.Context, vk resolve.VersionKey) ([]resolve.RequirementVersion, error) {\n\tif deps, ok := c.verDeps[vk]; ok {\n\t\treturn deps, nil\n\t}\n\n\treturn c.DependencyClient.Requirements(ctx, vk)\n}\n\nfunc (c *OverrideClient) MatchingVersions(ctx context.Context, vk resolve.VersionKey) ([]resolve.Version, error) {\n\tif vs, ok := c.pkgVers[vk.PackageKey]; ok {\n\t\treturn resolve.MatchRequirement(vk, vs), nil\n\t}\n\n\treturn c.DependencyClient.MatchingVersions(ctx, vk)\n}\n" }, { "path": "internal/resolution/clienttest/mock_resolution_client.go", "content": "// Package clienttest provides a mock resolution client for testing.\npackage clienttest\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"os\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/schema\"\n\t\"github.com/goccy/go-yaml\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\ntype ResolutionUniverse struct {\n\tSystem string `yaml:\"system\"`\n\tSchema string `yaml:\"schema\"`\n}\n\ntype VulnerabilityMatcher struct {\n\tVulns []*osvschema.Vulnerability `json:\"vulns\"`\n}\n\n// UnmarshalJSON unmarshals the mock vulns. The Vulnerability field is a proto\n// message, so it needs to be unmarshaled with protojson.\nfunc (vm *VulnerabilityMatcher) UnmarshalJSON(data []byte) error {\n\tvar raw map[string][]json.RawMessage\n\tif err := json.Unmarshal(data, &raw); err != nil {\n\t\treturn err\n\t}\n\tfor _, v := range raw[\"vulns\"] {\n\t\tif string(v) == \"null\" {\n\t\t\tvm.Vulns = append(vm.Vulns, nil)\n\t\t\tcontinue\n\t\t}\n\t\tvuln := &osvschema.Vulnerability{}\n\t\tif err := protojson.Unmarshal(v, vuln); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tvm.Vulns = append(vm.Vulns, vuln)\n\t}\n\n\treturn nil\n}\n\nfunc (vm *VulnerabilityMatcher) MatchVulnerabilities(_ context.Context, pkgs []*extractor.Package) ([][]*osvschema.Vulnerability, error) {\n\tresult := make([][]*osvschema.Vulnerability, len(pkgs))\n\tfor i, pkg := range pkgs {\n\t\tresult[i] = localmatcher.VulnerabilitiesAffectingPackage(vm.Vulns, pkg)\n\t}\n\n\treturn result, nil\n}\n\ntype mockDependencyClient struct {\n\t*resolve.LocalClient\n}\n\nfunc (mdc mockDependencyClient) LoadCache(string) error { return nil }\nfunc (mdc mockDependencyClient) WriteCache(string) error { return nil }\nfunc (mdc mockDependencyClient) AddRegistries(_ []client.Registry) error { return nil }\n\nfunc NewMockResolutionClient(t *testing.T, universeYaml, vulnJSON string) client.ResolutionClient {\n\tt.Helper()\n\n\tf, err := os.Open(vulnJSON)\n\tif err != nil {\n\t\tt.Fatalf(\"failed reading mock vulnerability file: %v\", err)\n\t}\n\n\tvar vm VulnerabilityMatcher\n\tif err := json.NewDecoder(f).Decode(&vm); err != nil {\n\t\tt.Fatalf(\"failed decoding mock vulns: %v\", err)\n\t}\n\n\tcl := client.ResolutionClient{\n\t\tVulnerabilityMatcher: &vm,\n\t}\n\n\tf, err = os.Open(universeYaml)\n\tif err != nil {\n\t\tt.Fatalf(\"failed opening mock universe: %v\", err)\n\t}\n\tdefer f.Close()\n\tdec := yaml.NewDecoder(f)\n\n\tvar universe ResolutionUniverse\n\tif err := dec.Decode(&universe); err != nil {\n\t\tt.Fatalf(\"failed decoding mock universe: %v\", err)\n\t}\n\n\tvar sys resolve.System\n\tswitch strings.ToLower(universe.System) {\n\tcase \"npm\":\n\t\tsys = resolve.NPM\n\tcase \"maven\":\n\t\tsys = resolve.Maven\n\tdefault:\n\t\tt.Fatalf(\"unknown ecosystem in universe: %s\", universe.System)\n\t}\n\n\t// schema needs a strict tab indentation, which is awkward to do within the YAML.\n\t// Replace double space from yaml with single tab\n\tuniverse.Schema = strings.ReplaceAll(universe.Schema, \" \", \"\\t\")\n\tsch, err := schema.New(universe.Schema, sys)\n\tif err != nil {\n\t\tt.Fatalf(\"failed parsing schema: %v\", err)\n\t}\n\n\tcl.DependencyClient = mockDependencyClient{sch.NewClient()}\n\n\treturn cl\n}\n" }, { "path": "internal/resolution/dependency_subgraph.go", "content": "package resolution\n\nimport (\n\t\"context\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype GraphNode struct {\n\tVersion resolve.VersionKey\n\tDistance int // The shortest distance to the end Dependency Node (which has a Distance of 0)\n\tParents []resolve.Edge // Parent edges i.e. with Edge.To == this ID\n\tChildren []resolve.Edge // Child edges i.e. with Edge.From == this ID\n}\n\ntype DependencySubgraph struct {\n\tDependency resolve.NodeID // The NodeID of the end dependency of this subgraph.\n\tNodes map[resolve.NodeID]GraphNode\n}\n\n// ComputeSubgraphs computes the DependencySubgraphs for each specified NodeID.\n// The computed Subgraphs contains all nodes and edges that transitively depend on the specified node, and the node itself.\n//\n// Modifying any of the returned DependencySubgraphs may cause unexpected behaviour.\nfunc ComputeSubgraphs(g *resolve.Graph, nodes []resolve.NodeID) []*DependencySubgraph {\n\t// Find the parent nodes of each node in graph, for easier traversal.\n\t// These slices are shared between the returned subgraphs.\n\tparentEdges := make(map[resolve.NodeID][]resolve.Edge)\n\tfor _, e := range g.Edges {\n\t\t// Check for a self-dependency, just in case.\n\t\tif e.From == e.To {\n\t\t\tcontinue\n\t\t}\n\t\tparentEdges[e.To] = append(parentEdges[e.To], e)\n\t}\n\n\t// For each node, compute the subgraph.\n\tsubGraphs := make([]*DependencySubgraph, 0, len(nodes))\n\tfor _, nodeID := range nodes {\n\t\t// Starting at the node of interest, visit all unvisited parents,\n\t\t// adding the corresponding edges to the GraphNodes.\n\t\tgNodes := make(map[resolve.NodeID]GraphNode)\n\t\tseen := make(map[resolve.NodeID]struct{})\n\t\tseen[nodeID] = struct{}{}\n\t\ttoProcess := []resolve.NodeID{nodeID}\n\t\tcurrDistance := 0 // The current distance from end dependency.\n\t\tfor len(toProcess) > 0 {\n\t\t\t// Track the next set of nodes to process, which will be +1 Distance away from end.\n\t\t\tvar next []resolve.NodeID\n\t\t\tfor _, node := range toProcess {\n\t\t\t\t// Construct the GraphNode\n\t\t\t\tparents := parentEdges[node]\n\t\t\t\tgNode := gNodes[node] // Grab the existing GraphNode, which will have some Children populated.\n\t\t\t\tgNode.Version = g.Nodes[node].Version\n\t\t\t\tgNode.Distance = currDistance\n\t\t\t\tgNode.Parents = parents\n\t\t\t\tgNodes[node] = gNode\n\t\t\t\t// Populate parent's children and add to next set.\n\t\t\t\tfor _, edge := range parents {\n\t\t\t\t\tnID := edge.From\n\t\t\t\t\tpNode := gNodes[nID]\n\t\t\t\t\tpNode.Children = append(pNode.Children, edge)\n\t\t\t\t\tgNodes[nID] = pNode\n\t\t\t\t\tif _, ok := seen[nID]; !ok {\n\t\t\t\t\t\tseen[nID] = struct{}{}\n\t\t\t\t\t\tnext = append(next, nID)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\ttoProcess = next\n\t\t\tcurrDistance++\n\t\t}\n\n\t\tsubGraphs = append(subGraphs, &DependencySubgraph{\n\t\t\tDependency: nodeID,\n\t\t\tNodes: gNodes,\n\t\t})\n\t}\n\n\treturn subGraphs\n}\n\n// IsDevOnly checks if this DependencySubgraph solely contains dev (or test) dependencies.\n// If groups is nil, checks the dep.Type of the direct graph edges for the Dev Attr (for in-place).\n// Otherwise, uses the groups of the direct dependencies to determine if a non-dev path exists (for relax/override).\nfunc (ds *DependencySubgraph) IsDevOnly(groups map[manifest.RequirementKey][]string) bool {\n\tif groups != nil {\n\t\t// Check if any of the direct dependencies are not in the dev group.\n\t\treturn !slices.ContainsFunc(ds.Nodes[0].Children, func(e resolve.Edge) bool {\n\t\t\treq := resolve.RequirementVersion{\n\t\t\t\tVersionKey: ds.Nodes[e.To].Version,\n\t\t\t\tType: e.Type.Clone(),\n\t\t\t}\n\n\t\t\treqGroups := groups[manifest.MakeRequirementKey(req)]\n\t\t\tswitch req.System {\n\t\t\tcase resolve.NPM:\n\t\t\t\treturn !slices.Contains(reqGroups, \"dev\")\n\t\t\tcase resolve.Maven:\n\t\t\t\treturn !slices.Contains(reqGroups, \"test\")\n\t\t\tcase resolve.UnknownSystem:\n\t\t\t\tfallthrough\n\t\t\tdefault:\n\t\t\t\treturn true\n\t\t\t}\n\t\t})\n\t}\n\n\t// groups == nil\n\t// Check if any of the direct dependencies do not have the Dev attr.\n\tfor _, e := range ds.Nodes[0].Children {\n\t\tif e.Type.HasAttr(dep.Dev) {\n\t\t\tcontinue\n\t\t}\n\t\t// As a workaround for npm workspaces, check for the Dev attr in the direct dependency's dependencies.\n\t\tfor _, e2 := range ds.Nodes[e.To].Children {\n\t\t\tif !e2.Type.HasAttr(dep.Dev) {\n\t\t\t\treturn false\n\t\t\t}\n\t\t}\n\t\t// If the vulnerable dependency is a direct dependency, it'd have no Children.\n\t\t// Since we've already checked that it doesn't have the Dev attr, it must be a non-dev dependency.\n\t\tif e.To == ds.Dependency {\n\t\t\treturn false\n\t\t}\n\t}\n\n\treturn true\n}\n\n// ConstrainingSubgraph tries to construct a subgraph of the subgraph that includes only the edges that contribute to a vulnerability.\n// It identifies the dependencies which constrain the vulnerable package to use a vulnerable version.\n// This is used by the 'relax' remediation strategy to identify which direct dependencies need to be updated.\n//\n// e.g. for a subgraph with:\n//\n//\tA -> C@<2.0\n//\tB -> C@<3.0\n//\tC resolves to C@1.9\n//\n// If the vuln affecting C is fixed in version 2.0, the constraining subgraph would only contain A,\n// since B would allow versions >=2.0 of C to be selected if not for A.\n//\n// This is a heuristic approach and may produce false positives (meaning possibly unnecessary dependencies would be flagged to be relaxed).\n// If the constraining subgraph cannot be computed for some reason, returns the original DependencySubgraph.\nfunc (ds *DependencySubgraph) ConstrainingSubgraph(ctx context.Context, cl resolve.Client, vuln *osvschema.Vulnerability) *DependencySubgraph {\n\t// Just check if the direct requirement of the vulnerable package is constraining it.\n\t// This still has some false positives.\n\t// e.g. if we have\n\t// A@* -> B@2.*\n\t// D@* -> B@2.1.1 -> C@1.0.0\n\t// resolving both together picks B@2.1.1 & thus constrains C to C@1.0.0 for A\n\t// But resolving A alone could pick B@2.2.0 which might not depend on C\n\t// Similarly, a direct dependency could be constrained by an indirect dependency with similar results.\n\tend := ds.Nodes[ds.Dependency]\n\tnewParents := make([]resolve.Edge, 0, len(end.Parents))\n\tfor _, pEdge := range end.Parents {\n\t\t// Check if the latest allowable version of the package is vulnerable\n\t\tvk := end.Version\n\t\tvk.Version = pEdge.Requirement\n\t\tvk.VersionType = resolve.Requirement\n\t\tvers, err := cl.MatchingVersions(ctx, vk)\n\t\tif err != nil || len(vers) == 0 {\n\t\t\t// Could not determine MatchingVersions - assume this is constraining.\n\t\t\tnewParents = append(newParents, pEdge)\n\t\t\tcontinue\n\t\t}\n\t\tbestVK := vers[len(vers)-1] // This should be the highest version for npm\n\n\t\tif vulns.IsAffected(vuln, util.VKToPackageInfo(bestVK.VersionKey)) {\n\t\t\tnewParents = append(newParents, pEdge)\n\t\t}\n\t}\n\n\tif len(newParents) == 0 {\n\t\t// There has to be at least one constraining path for the vulnerability to appear.\n\t\t// If our heuristic couldn't determine any, treat the whole subgraph as constraining.\n\t\treturn ds\n\t}\n\n\t// Rebuild the DependencySubgraph using the dependency's newParents.\n\t// Same logic as in ComputeSubgraphs.\n\tnewNodes := make(map[resolve.NodeID]GraphNode)\n\tnewNodes[ds.Dependency] = GraphNode{\n\t\tVersion: end.Version,\n\t\tDistance: 0,\n\t\tParents: newParents,\n\t}\n\n\tseen := make(map[resolve.NodeID]struct{})\n\tseen[ds.Dependency] = struct{}{}\n\ttoProcess := make([]resolve.NodeID, 0, len(newParents))\n\tfor _, e := range newParents {\n\t\ttoProcess = append(toProcess, e.From)\n\t\tseen[e.From] = struct{}{}\n\t}\n\n\tcurrDistance := 1\n\tfor len(toProcess) > 0 {\n\t\tvar next []resolve.NodeID\n\t\tfor _, nID := range toProcess {\n\t\t\toldNode := ds.Nodes[nID]\n\t\t\tnewNode := GraphNode{\n\t\t\t\tVersion: oldNode.Version,\n\t\t\t\tDistance: currDistance,\n\t\t\t\tParents: slices.Clone(oldNode.Parents),\n\t\t\t\tChildren: slices.Clone(oldNode.Children),\n\t\t\t}\n\t\t\t// Remove the non-constraining edge from the node's children if it ends up in the subgraph.\n\t\t\tnewNode.Children = slices.DeleteFunc(newNode.Children, func(e resolve.Edge) bool {\n\t\t\t\tif e.To != ds.Dependency {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\n\t\t\t\treturn !slices.ContainsFunc(newParents, func(pEdge resolve.Edge) bool {\n\t\t\t\t\treturn pEdge.From == e.From &&\n\t\t\t\t\t\tpEdge.Requirement == e.Requirement &&\n\t\t\t\t\t\tpEdge.Type.Compare(e.Type) == 0\n\t\t\t\t})\n\t\t\t})\n\t\t\tnewNodes[nID] = newNode\n\t\t\tfor _, e := range newNode.Parents {\n\t\t\t\tif _, ok := seen[e.From]; !ok {\n\t\t\t\t\tseen[e.From] = struct{}{}\n\t\t\t\t\tnext = append(next, e.From)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\ttoProcess = next\n\t\tcurrDistance++\n\t}\n\t// Remove children edges to nodes that are not in the computed subgraph.\n\tfor nID, edge := range newNodes {\n\t\tedge.Children = slices.DeleteFunc(edge.Children, func(e resolve.Edge) bool {\n\t\t\t_, ok := seen[e.To]\n\t\t\treturn !ok\n\t\t})\n\t\tnewNodes[nID] = edge\n\t}\n\n\treturn &DependencySubgraph{\n\t\tDependency: ds.Dependency,\n\t\tNodes: newNodes,\n\t}\n}\n" }, { "path": "internal/resolution/dependency_subgraph_test.go", "content": "package resolution_test\n\nimport (\n\t\"cmp\"\n\t\"maps\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/schema\"\n\tgocmp \"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc TestDependencySubgraph(t *testing.T) {\n\tt.Parallel()\n\tg, err := schema.ParseResolve(`\na 0.0.1\n\tb@^1.0.1 1.0.1\n\t\t$c@^1.0.0\n\t\td: d@^2.2.2 2.2.2\n\tc: c@^1.0.2 1.0.2\n\t\te@1.0.0 1.0.0\n\t\t\t$d@^2.0.0\n\tf@^1.1.1 1.1.1\n\t\t$c@^1.0.1\n\t\tg@^2.2.2 2.2.2\n\t\t\th@^3.3.3 3.3.3\n\t\t\t\t$d@^2.2.0\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test graph: %v\", err)\n\t}\n\n\tnodes := make([]resolve.NodeID, len(g.Nodes)-1)\n\tfor i := range nodes {\n\t\tnodes[i] = resolve.NodeID(i + 1)\n\t}\n\n\tsubgraphs := resolution.ComputeSubgraphs(g, nodes)\n\tfor _, sg := range subgraphs {\n\t\tcheckSubgraphVersions(t, sg, g)\n\t\tcheckSubgraphEdges(t, sg)\n\t\tcheckSubgraphNodesReachable(t, sg)\n\t\tcheckSubgraphDistances(t, sg)\n\t}\n}\n\nfunc TestConstrainingSubgraph(t *testing.T) {\n\tt.Parallel()\n\tconst vulnPkgName = \"vuln\"\n\tg, err := schema.ParseResolve(`\nroot 1.0.0\n\tvuln: vuln@<3 1.0.1\n\tnonprob1@^1.0.0 1.0.0\n\t\t$vuln@>1\n\tprob1@^1.0.0 1.0.0\n\t\t$vuln@^1.0.0\n\tprob2@^2.0.0 2.0.0\n\t\tnonprob2@* 1.0.0\n\t\t\t$vuln@*\n\t\t$vuln@*\n\t\tdep@3.0.0 3.0.0\n\t\t\t$vuln@1.0.1\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test graph: %v\", err)\n\t}\n\n\tnID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == vulnPkgName })\n\tif nID < 0 {\n\t\tt.Fatalf(\"failed to find vulnerable node in test graph\")\n\t}\n\tsubgraph := resolution.ComputeSubgraphs(g, []resolve.NodeID{resolve.NodeID(nID)})[0]\n\n\tcl := resolve.NewLocalClient()\n\tv := resolve.Version{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t\tName: vulnPkgName,\n\t\t\t},\n\t\t\tVersionType: resolve.Concrete,\n\t\t},\n\t}\n\tv.Version = \"1.0.0\"\n\tcl.AddVersion(v, []resolve.RequirementVersion{})\n\tv.Version = \"1.0.1\"\n\tcl.AddVersion(v, []resolve.RequirementVersion{})\n\tv.Version = \"2.0.0\"\n\tcl.AddVersion(v, []resolve.RequirementVersion{})\n\tvuln := &osvschema.Vulnerability{\n\t\tId: \"VULN-001\",\n\t\tAffected: []*osvschema.Affected{{\n\t\t\tPackage: &osvschema.Package{\n\t\t\t\tEcosystem: \"npm\",\n\t\t\t\tName: vulnPkgName,\n\t\t\t},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\t{\n\t\t\t\t\tType: osvschema.Range_SEMVER,\n\t\t\t\t\tEvents: []*osvschema.Event{{Introduced: \"0\"}, {Fixed: \"2.0.0\"}},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t}}\n\tgot := subgraph.ConstrainingSubgraph(t.Context(), cl, vuln)\n\tcheckSubgraphVersions(t, got, g)\n\tcheckSubgraphEdges(t, got)\n\tcheckSubgraphNodesReachable(t, got)\n\tcheckSubgraphDistances(t, got)\n\n\t// Checking that we have the expected remaining nodes\n\texpectedRemoved := []string{\"nonprob1\", \"nonprob2\"}\n\tfor _, pkgName := range expectedRemoved {\n\t\tnID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == pkgName })\n\t\tif nID < 0 {\n\t\t\tt.Fatalf(\"failed to find expected node in test graph\")\n\t\t}\n\t\tif _, found := got.Nodes[resolve.NodeID(nID)]; found {\n\t\t\tt.Errorf(\"non-constraining node was not removed from constraining subgraph: %s\", pkgName)\n\t\t}\n\t}\n\tif len(got.Nodes) != len(subgraph.Nodes)-len(expectedRemoved) {\n\t\tt.Errorf(\"extraneous nodes found in constraining subgraph\")\n\t}\n\tfor nID := range got.Nodes {\n\t\tif _, ok := subgraph.Nodes[nID]; !ok {\n\t\t\tt.Errorf(\"extraneous node (%v) found in constraining subgraph\", nID)\n\t\t}\n\t}\n\n\t// Check that ConstrainingSubgraph is stable if reapplied\n\tagain := got.ConstrainingSubgraph(t.Context(), cl, vuln)\n\tif diff := gocmp.Diff(got, again); diff != \"\" {\n\t\tt.Errorf(\"ConstrainingSubgraph output changed on reapply (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc TestSubgraphIsDevOnly(t *testing.T) {\n\tt.Parallel()\n\tg, err := schema.ParseResolve(`\na 1.0.0\n\tb@1.0.0 1.0.0\n\t\tprod: prod@1.0.0 1.0.0\n\tDev|c@1.0.0 1.0.0\n\t\t$prod@1.0.0\n\t\tdev: dev@1.0.0 1.0.0\n\tDev|d@1.0.0 1.0.0\n\t\t$dev@1.0.0\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to parse test graph: %v\", err)\n\t}\n\n\tprodID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == \"prod\" })\n\tif prodID < 0 {\n\t\tt.Fatalf(\"failed to find vulnerable node in test graph\")\n\t}\n\tdevID := slices.IndexFunc(g.Nodes, func(n resolve.Node) bool { return n.Version.Name == \"dev\" })\n\tif devID < 0 {\n\t\tt.Fatalf(\"failed to find vulnerable node in test graph\")\n\t}\n\n\tsubgraphs := resolution.ComputeSubgraphs(g, []resolve.NodeID{resolve.NodeID(prodID), resolve.NodeID(devID)})\n\tprodGraph := subgraphs[0]\n\tdevGraph := subgraphs[1]\n\n\tif prodGraph.IsDevOnly(nil) {\n\t\tt.Errorf(\"non-dev subgraph has IsDevOnly(nil) == true\")\n\t}\n\tif !devGraph.IsDevOnly(nil) {\n\t\tt.Errorf(\"dev-only subgraph has IsDevOnly(nil) == false\")\n\t}\n\n\tgroups := map[manifest.RequirementKey][]string{\n\t\t{PackageKey: resolve.PackageKey{System: resolve.NPM, Name: \"c\"}, EcosystemSpecific: \"\"}: {\"dev\"},\n\t\t{PackageKey: resolve.PackageKey{System: resolve.NPM, Name: \"d\"}, EcosystemSpecific: \"\"}: {\"dev\"},\n\t}\n\tif prodGraph.IsDevOnly(groups) {\n\t\tt.Errorf(\"non-dev subgraph has IsDevOnly(groups) == true\")\n\t}\n\tif !devGraph.IsDevOnly(groups) {\n\t\tt.Errorf(\"dev-only subgraph has IsDevOnly(groups) == false\")\n\t}\n}\n\nfunc checkSubgraphVersions(t *testing.T, sg *resolution.DependencySubgraph, g *resolve.Graph) {\n\t// Check that the nodes and versions in the subgraph are correct\n\tt.Helper()\n\tif _, ok := sg.Nodes[0]; !ok {\n\t\tt.Errorf(\"DependencySubgraph missing root node (0)\")\n\t}\n\tif _, ok := sg.Nodes[sg.Dependency]; !ok {\n\t\tt.Errorf(\"DependencySubgraph missing Dependency node (%v)\", sg.Dependency)\n\t}\n\tfor nID, node := range sg.Nodes {\n\t\tif nID < 0 || int(nID) >= len(g.Nodes) {\n\t\t\tt.Errorf(\"DependencySubgraph contains invalid node ID: %v\", nID)\n\t\t\tcontinue\n\t\t}\n\t\twant := g.Nodes[nID].Version\n\t\tgot := node.Version\n\t\tif diff := gocmp.Diff(want, got); diff != \"\" {\n\t\t\tt.Errorf(\"DependencySubgraph node %v does not match Graph (-want +got):\\n%s\", nID, diff)\n\t\t}\n\t}\n}\n\nfunc checkSubgraphEdges(t *testing.T, sg *resolution.DependencySubgraph) {\n\t// Check that every edge in a node's Parents appears in that parent's Children and vice versa.\n\tt.Helper()\n\t// Check the root node has no parents & end node has no children\n\tif root, ok := sg.Nodes[0]; !ok {\n\t\tt.Errorf(\"DependencySubgraph missing root node (0)\")\n\t} else if len(root.Parents) != 0 {\n\t\tt.Errorf(\"DependencySubgraph root node (0) has parent nodes: %v\", root.Parents)\n\t}\n\tif end, ok := sg.Nodes[sg.Dependency]; !ok {\n\t\tt.Errorf(\"DependencySubgraph missing Dependency node (%v)\", sg.Dependency)\n\t} else if len(end.Children) != 0 {\n\t\tt.Errorf(\"DependencySubgraph Dependency node (%v) has child nodes: %v\", sg.Dependency, end.Children)\n\t}\n\n\tedgeEq := func(a, b resolve.Edge) bool {\n\t\treturn a.From == b.From &&\n\t\t\ta.To == b.To &&\n\t\t\ta.Requirement == b.Requirement &&\n\t\t\ta.Type.Compare(b.Type) == 0\n\t}\n\n\t// Check each node's parents/children for same edges\n\tfor nID, node := range sg.Nodes {\n\t\t// Only the root node should have no parents\n\t\tif len(node.Parents) == 0 && nID != 0 {\n\t\t\tt.Errorf(\"DependencySubgraph node %v has no parent nodes\", nID)\n\t\t}\n\t\tfor _, e := range node.Parents {\n\t\t\tif e.To != nID {\n\t\t\t\tt.Errorf(\"DependencySubgraph node %v contains invalid parent edge: %v\", nID, e)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tparent, ok := sg.Nodes[e.From]\n\t\t\tif !ok {\n\t\t\t\tt.Errorf(\"DependencySubgraph edge missing node in subgraph: %v\", e)\n\t\t\t}\n\t\t\tif !slices.ContainsFunc(parent.Children, func(edge resolve.Edge) bool { return edgeEq(e, edge) }) {\n\t\t\t\tt.Errorf(\"DependencySubgraph node %v missing child edge: %v\", e.From, e)\n\t\t\t}\n\t\t}\n\n\t\t// Only the end node should have no children\n\t\tif len(node.Children) == 0 && nID != sg.Dependency {\n\t\t\tt.Errorf(\"DependencySubgraph node %v has no child nodes\", nID)\n\t\t}\n\t\tfor _, e := range node.Children {\n\t\t\tif e.From != nID {\n\t\t\t\tt.Errorf(\"DependencySubgraph node %v contains invalid child edge: %v\", nID, e)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tchild, ok := sg.Nodes[e.To]\n\t\t\tif !ok {\n\t\t\t\tt.Errorf(\"DependencySubgraph edge missing node in subgraph: %v\", e)\n\t\t\t}\n\t\t\tif !slices.ContainsFunc(child.Parents, func(edge resolve.Edge) bool { return edgeEq(e, edge) }) {\n\t\t\t\tt.Errorf(\"DependencySubgraph node %v missing parent edge: %v\", e.To, e)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc checkSubgraphNodesReachable(t *testing.T, sg *resolution.DependencySubgraph) {\n\t// Check that every node in the subgraph is reachable from the root node.\n\tt.Helper()\n\tseen := make(map[resolve.NodeID]struct{})\n\ttodo := make([]resolve.NodeID, 0, len(sg.Nodes))\n\ttodo = append(todo, 0)\n\tseen[0] = struct{}{}\n\tfor len(todo) > 0 {\n\t\tnID := todo[0]\n\t\ttodo = todo[1:]\n\t\tnode, ok := sg.Nodes[nID]\n\t\tif !ok {\n\t\t\tt.Errorf(\"DependencySubgraph missing expected node %v\", nID)\n\t\t\tcontinue\n\t\t}\n\t\tfor _, e := range node.Children {\n\t\t\tif _, ok := seen[e.To]; !ok {\n\t\t\t\ttodo = append(todo, e.To)\n\t\t\t\tseen[e.To] = struct{}{}\n\t\t\t}\n\t\t}\n\t}\n\n\tgot := slices.Sorted(maps.Keys(seen))\n\twant := slices.Sorted(maps.Keys(sg.Nodes))\n\tif diff := gocmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"DependencySubgraph reachable nodes mismatch (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc checkSubgraphDistances(t *testing.T, sg *resolution.DependencySubgraph) {\n\t// Check that the distances of each node have the correct value.\n\tt.Helper()\n\tif end, ok := sg.Nodes[sg.Dependency]; !ok {\n\t\tt.Errorf(\"DependencySubgraph missing Dependency node (%v)\", sg.Dependency)\n\t} else if end.Distance != 0 {\n\t\tt.Errorf(\"DependencySubgraph end Dependency distance is not 0\")\n\t}\n\n\t// Each node's distance should be one more than its smallest child's distance.\n\tfor nID, node := range sg.Nodes {\n\t\t// The end dependency should have a distance of 0\n\t\tif nID == sg.Dependency {\n\t\t\tif node.Distance != 0 {\n\t\t\t\tt.Errorf(\"DependencySubgraph Dependency node (%v) has nonzero distance: %d\", nID, node.Distance)\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tif len(node.Children) == 0 {\n\t\t\tt.Errorf(\"DependencySubgraph node %v has no child nodes\", nID)\n\t\t\tcontinue\n\t\t}\n\t\te := slices.MinFunc(node.Children, func(a, b resolve.Edge) int { return cmp.Compare(sg.Nodes[a.To].Distance, sg.Nodes[b.To].Distance) })\n\t\twant := sg.Nodes[e.To].Distance + 1\n\t\tif node.Distance != want {\n\t\t\tt.Errorf(\"DependencySubgraph node %v Distance = %d, want = %d\", nID, node.Distance, want)\n\t\t}\n\t}\n}\n" }, { "path": "internal/resolution/depfile/depfile.go", "content": "// Package depfile provides a temporary abstraction for files that have been opened for extraction.\n// TODO(michaelkedar): This is used for guided remediation, and will be removed after the migration to OSV-Scalibr is complete.\npackage depfile\n\nimport (\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n)\n\n// DepFile is an abstraction for a file that has been opened for extraction,\n// and that knows how to open other DepFiles relative to itself.\ntype DepFile interface {\n\tio.Reader\n\n\t// Open opens an NestedDepFile based on the path of the\n\t// current DepFile if the provided path is relative.\n\t//\n\t// If the path is an absolute path, then it is opened absolutely.\n\tOpen(path string) (NestedDepFile, error)\n\n\tPath() string\n}\n\n// NestedDepFile is an abstraction for a file that has been opened while extracting another file,\n// and would need to be closed.\ntype NestedDepFile interface {\n\tio.Closer\n\tDepFile\n}\n\n// A LocalFile represents a file that exists on the local filesystem.\ntype LocalFile struct {\n\t// TODO(rexpan): This should be *os.File, as that would allow us to access other underlying functions that definitely will exist\n\tio.ReadCloser\n\n\tpath string\n}\n\nfunc (f LocalFile) Open(path string) (NestedDepFile, error) {\n\tif filepath.IsAbs(path) {\n\t\treturn OpenLocalDepFile(path)\n\t}\n\n\treturn OpenLocalDepFile(filepath.Join(filepath.Dir(f.path), path))\n}\n\nfunc (f LocalFile) Path() string { return f.path }\n\nfunc OpenLocalDepFile(path string) (NestedDepFile, error) {\n\tr, err := os.Open(path)\n\n\tif err != nil {\n\t\treturn LocalFile{}, err\n\t}\n\n\t// Very unlikely to have Abs return an error if the file opens correctly\n\tpath, _ = filepath.Abs(path)\n\n\treturn LocalFile{r, path}, nil\n}\n" }, { "path": "internal/resolution/lockfile/__snapshots__/npm_test.snap", "content": "\n[TestNpmWrite - 1]\n{\n \"name\": \"r\",\n \"version\": \"1.0.0\",\n \"lockfileVersion\": 2,\n \"requires\": true,\n \"packages\": {\n \"\": {\n \"name\": \"r\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"workspaces\": [\n \"W\"\n ],\n \"dependencies\": {\n \"@fake-registry/a\": \"^1.2.3\",\n \"@fake-registry/b\": \"^1.0.1\"\n },\n \"devDependencies\": {\n \"a-dev\": \"npm:@fake-registry/a@^2.3.4\"\n }\n },\n \"node_modules/@fake-registry/a\": {\n \"version\": \"1.2.4\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz\",\n \"integrity\": \"sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==\",\n \"license\": \"OriginalLicenseDoNotSteal\",\n \"dependencies\": {\n \"@fake-registry/b\": \"^1.0.0\",\n \"@fake-registry/e\": \"^1.0.0\"\n }\n },\n \"node_modules/@fake-registry/b\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-1.0.1.tgz\",\n \"integrity\": \"sha512-uocjkNUbEPBa/oFFYNq+CkWkkr4My+gJQHnB1fFqIrIQtvjbQ/4dtp/6Kmfb5SFJ/bVfAGZ8mmC+c3Bz4JISYQ==\",\n \"license\": \"ISC\"\n },\n \"node_modules/@fake-registry/c\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fc/-/c-1.1.1.tgz\",\n \"integrity\": \"sha512-bihWUzvU62dcwPN4TguhntQpC1zpj7H0fHAhffya6tl3BCrEdjqO4oEpNHF/jtU5PPvY0L60mJNUS6MbizEVrA==\",\n \"dev\": true,\n \"license\": \"BSD-2-Clause\",\n \"peerDependencies\": {\n \"@fake-registry/d\": \"^2.0.0\"\n }\n },\n \"node_modules/@fake-registry/d\": {\n \"version\": \"2.2.2\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fd/-/d-2.2.2.tgz\",\n \"integrity\": \"sha512-YLeJVbfOCJZcUizGgpvPesIVSY9TYmWz2HcF+7mWxSuXuvu13FABprnRSDGEhljBRM+QAaUD+nbUHWenq2vL4w==\",\n \"dev\": true,\n \"license\": \"ISC\"\n },\n \"node_modules/a-dev\": {\n \"name\": \"@fake-registry/a\",\n \"version\": \"2.3.5\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz\",\n \"integrity\": \"none\",\n \"dev\": true,\n \"license\": \"Stolen\",\n \"optionalDependencies\": {\n \"@fake-registry/b\": \"*\"\n }\n },\n \"node_modules/a-dev/node_modules/@fake-registry/b\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz\",\n \"integrity\": \"sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==\",\n \"dev\": true,\n \"license\": \"ISC\",\n \"dependencies\": {\n \"@fake-registry/c\": \"^1.0.0\",\n \"@fake-registry/d\": \"^2.0.0\"\n }\n },\n \"node_modules/w\": {\n \"resolved\": \"W\",\n \"link\": true\n },\n \"W\": {\n \"name\": \"w\",\n \"version\": \"1.0.0\",\n \"license\": \"ISC\",\n \"devDependencies\": {\n \"@fake-registry/a\": \"^2.3.4\"\n }\n },\n \"W/node_modules/@fake-registry/a\": {\n \"version\": \"2.3.5\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz\",\n \"integrity\": \"none\",\n \"dev\": true,\n \"license\": \"Stolen\",\n \"optionalDependencies\": {\n \"@fake-registry/b\": \"*\"\n }\n },\n \"W/node_modules/@fake-registry/b\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz\",\n \"integrity\": \"sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==\",\n \"dev\": true,\n \"license\": \"ISC\",\n \"dependencies\": {\n \"@fake-registry/c\": \"^1.0.0\",\n \"@fake-registry/d\": \"^2.0.0\"\n }\n }\n },\n \"dependencies\": {\n \"@fake-registry/a\": {\n \"version\": \"1.2.4\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz\",\n \"integrity\": \"sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==\",\n \"requires\": {\n \"@fake-registry/b\": \"^1.0.0\",\n \"@fake-registry/e\": \"^1.0.0\"\n }\n },\n \"@fake-registry/b\": {\n \"version\": \"1.0.1\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-1.0.1.tgz\",\n \"integrity\": \"sha512-uocjkNUbEPBa/oFFYNq+CkWkkr4My+gJQHnB1fFqIrIQtvjbQ/4dtp/6Kmfb5SFJ/bVfAGZ8mmC+c3Bz4JISYQ==\"\n },\n \"@fake-registry/c\": {\n \"version\": \"1.1.1\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fc/-/c-1.1.1.tgz\",\n \"integrity\": \"sha512-bihWUzvU62dcwPN4TguhntQpC1zpj7H0fHAhffya6tl3BCrEdjqO4oEpNHF/jtU5PPvY0L60mJNUS6MbizEVrA==\",\n \"dev\": true,\n \"requires\": {}\n },\n \"@fake-registry/d\": {\n \"version\": \"2.2.2\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fd/-/d-2.2.2.tgz\",\n \"integrity\": \"sha512-YLeJVbfOCJZcUizGgpvPesIVSY9TYmWz2HcF+7mWxSuXuvu13FABprnRSDGEhljBRM+QAaUD+nbUHWenq2vL4w==\",\n \"dev\": true\n },\n \"a-dev\": {\n \"version\": \"npm:@fake-registry/a@2.3.5\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz\",\n \"integrity\": \"none\",\n \"dev\": true,\n \"requires\": {\n \"@fake-registry/b\": \"*\"\n },\n \"dependencies\": {\n \"@fake-registry/b\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz\",\n \"integrity\": \"sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==\",\n \"dev\": true,\n \"requires\": {\n \"@fake-registry/c\": \"^1.0.0\",\n \"@fake-registry/d\": \"^2.0.0\"\n }\n }\n }\n },\n \"w\": {\n \"version\": \"file:W\",\n \"requires\": {\n \"@fake-registry/a\": \"^2.3.4\"\n },\n \"dependencies\": {\n \"@fake-registry/a\": {\n \"version\": \"2.3.5\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz\",\n \"integrity\": \"none\",\n \"dev\": true,\n \"requires\": {\n \"@fake-registry/b\": \"*\"\n }\n },\n \"@fake-registry/b\": {\n \"version\": \"2.0.0\",\n \"resolved\": \"http://localhost:4873/@fake-registry%2fb/-/b-2.0.0.tgz\",\n \"integrity\": \"sha512-ZYMUG0g+wowBRAVWuRMI9mV8/3IJ5tYw1i+Xedy5LjVo7RAQaOqJbhEWvdubBlkmaXSoI666cdnJIX/SI6FPpw==\",\n \"dev\": true,\n \"requires\": {\n \"@fake-registry/c\": \"^1.0.0\",\n \"@fake-registry/d\": \"^2.0.0\"\n }\n }\n }\n }\n }\n}\n\n---\n" }, { "path": "internal/resolution/lockfile/lockfile.go", "content": "// Package lockfile provides functionality for reading and writing lockfiles.\npackage lockfile\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"path/filepath\"\n\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n)\n\ntype DependencyPatch struct {\n\tPkg resolve.PackageKey\n\tOrigVersion string\n\tNewVersion string\n}\n\ntype ReadWriter interface {\n\t// System returns which ecosystem this ReadWriter is for.\n\tSystem() resolve.System\n\t// Read parses a lockfile into a resolved graph\n\tRead(file depfile.DepFile) (*resolve.Graph, error)\n\t// Write applies the DependencyPatches to the lockfile, with minimal changes to the file.\n\t// `original` is the original lockfile to read from. The updated lockfile is written to `output`.\n\tWrite(original depfile.DepFile, output io.Writer, patches []DependencyPatch) error\n}\n\nfunc Overwrite(rw ReadWriter, filename string, patches []DependencyPatch) error {\n\tr, err := depfile.OpenLocalDepFile(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar buf bytes.Buffer\n\terr = rw.Write(r, &buf, patches)\n\tr.Close() // Make sure the file is closed before we start writing to it.\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t//nolint:gosec // Complaining about the 0644 permissions.\n\t// The file already exists anyway so the permissions don't matter.\n\tif err := os.WriteFile(filename, buf.Bytes(), 0644); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc GetReadWriter(pathToLockfile string) (ReadWriter, error) {\n\tbase := filepath.Base(pathToLockfile)\n\tswitch base {\n\tcase \"package-lock.json\":\n\t\treturn NpmReadWriter{}, nil\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unsupported lockfile type: %s\", base)\n\t}\n}\n" }, { "path": "internal/resolution/lockfile/npm.go", "content": "package lockfile\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n)\n\ntype NpmReadWriter struct{}\n\nfunc (NpmReadWriter) System() resolve.System { return resolve.NPM }\n\ntype npmLockDependency struct {\n\t// For an aliased package, Version is like \"npm:[name]@[version]\"\n\tVersion string `json:\"version\"`\n\tDependencies map[string]npmLockDependency `json:\"dependencies,omitempty\"`\n\n\tDev bool `json:\"dev,omitempty\"`\n\tOptional bool `json:\"optional,omitempty\"`\n\n\tRequires map[string]string `json:\"requires,omitempty\"`\n}\n\ntype npmLockPackage struct {\n\t// For an aliased package, Name is the real package name\n\tName string `json:\"name\"`\n\tVersion string `json:\"version\"`\n\tResolved string `json:\"resolved\"`\n\n\tDependencies map[string]string `json:\"dependencies,omitempty\"`\n\tDevDependencies map[string]string `json:\"devDependencies,omitempty\"`\n\tOptionalDependencies map[string]string `json:\"optionalDependencies,omitempty\"`\n\tPeerDependencies map[string]string `json:\"peerDependencies,omitempty\"`\n\n\tDev bool `json:\"dev,omitempty\"`\n\tDevOptional bool `json:\"devOptional,omitempty\"`\n\tOptional bool `json:\"optional,omitempty\"`\n\n\tLink bool `json:\"link,omitempty\"`\n}\n\ntype npmLockfile struct {\n\tVersion int `json:\"lockfileVersion\"`\n\t// npm v1- lockfiles use \"dependencies\"\n\tDependencies map[string]npmLockDependency `json:\"dependencies,omitempty\"`\n\t// npm v2+ lockfiles use \"packages\"\n\tPackages map[string]npmLockPackage `json:\"packages,omitempty\"`\n}\n\ntype npmDependencyVersionSpec struct {\n\tVersion string\n\tDepType dep.Type\n}\n\ntype npmNodeModule struct {\n\tNodeID resolve.NodeID\n\tParent *npmNodeModule\n\tChildren map[string]*npmNodeModule // keyed on package name\n\tDeps map[string]npmDependencyVersionSpec\n\tActualName string // set if the node is an alias, the real package name this refers to\n}\n\nfunc (n npmNodeModule) IsAliased() bool {\n\treturn len(n.ActualName) > 0\n}\n\nfunc (rw NpmReadWriter) Read(file depfile.DepFile) (*resolve.Graph, error) {\n\tdec := json.NewDecoder(file)\n\tvar lockJSON npmLockfile\n\tif err := dec.Decode(&lockJSON); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Build the node_modules directory tree in memory & add unconnected nodes into graph\n\tvar g *resolve.Graph\n\tvar nodeModuleTree *npmNodeModule\n\tvar err error\n\tswitch {\n\tcase lockJSON.Packages != nil:\n\t\tg, nodeModuleTree, err = rw.nodesFromPackages(lockJSON)\n\tcase lockJSON.Dependencies != nil:\n\t\tmanifestFile, ferr := file.Open(\"package.json\")\n\t\tif ferr != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to open package.json (required for parsing lockfileVersion 1): %w\", err)\n\t\t}\n\t\tdefer manifestFile.Close()\n\t\tg, nodeModuleTree, err = rw.nodesFromDependencies(lockJSON, manifestFile)\n\tdefault:\n\t\treturn nil, errors.New(\"no dependencies in package-lock.json\")\n\t}\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"error when parsing package-lock.json: %w\", err)\n\t}\n\n\t// Traverse the graph (somewhat inefficiently) to add edges between nodes\n\taliasNodes := make(map[resolve.NodeID]string)\n\ttodo := []*npmNodeModule{nodeModuleTree}\n\tseen := make(map[*npmNodeModule]struct{})\n\tseen[nodeModuleTree] = struct{}{}\n\n\tfor len(todo) > 0 {\n\t\tnode := todo[0]\n\t\ttodo = todo[1:]\n\t\tif node.IsAliased() {\n\t\t\t// Note which nodes that have to be renamed because of aliasing\n\t\t\t// Don't rename them now because we rely on the names for working out edges\n\t\t\taliasNodes[node.NodeID] = node.ActualName\n\t\t}\n\n\t\t// Add the directory's children to the queue\n\t\tfor _, child := range node.Children {\n\t\t\tif _, ok := seen[child]; !ok {\n\t\t\t\ttodo = append(todo, child)\n\t\t\t\tseen[child] = struct{}{}\n\t\t\t}\n\t\t}\n\n\t\t// Add edges to the correct dependency nodes\n\t\tfor depName, depSpec := range node.Deps {\n\t\t\tdepNode := rw.findDependencyNode(node, depName)\n\t\t\tif depNode == -1 {\n\t\t\t\t// The dependency is apparently not in the package-lock.json.\n\t\t\t\t// This probably means the lockfile is malformed, and npm would usually error installing this.\n\t\t\t\t// But there are some cases (with workspaces) that npm doesn't error.\n\t\t\t\t// We just always ignore the error to make it work.\n\t\t\t\t// TODO: g.AddError(...)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif err := g.AddEdge(node.NodeID, depNode, depSpec.Version, depSpec.DepType); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t}\n\n\t// Add alias KnownAs attribute and rename them correctly\n\tfor i, e := range g.Edges {\n\t\tif _, ok := aliasNodes[e.To]; ok {\n\t\t\tname := g.Nodes[e.To].Version.Name\n\t\t\tg.Edges[i].Type.AddAttr(dep.KnownAs, name)\n\t\t}\n\t}\n\tfor i := range g.Nodes {\n\t\tif name, ok := aliasNodes[resolve.NodeID(i)]; ok {\n\t\t\tg.Nodes[i].Version.Name = name\n\t\t}\n\t}\n\n\treturn g, nil\n}\n\nfunc (rw NpmReadWriter) findDependencyNode(node *npmNodeModule, depName string) resolve.NodeID {\n\t// Walk up the node_modules to find which node would be used as the requirement\n\tfor node != nil {\n\t\tif child, ok := node.Children[depName]; ok {\n\t\t\treturn child.NodeID\n\t\t}\n\t\tnode = node.Parent\n\t}\n\n\treturn resolve.NodeID(-1)\n}\n\nfunc (rw NpmReadWriter) reVersionAliasedDeps(deps map[string]npmDependencyVersionSpec) {\n\t// for the dependency maps, change versions from \"npm:pkg@version\" to \"version\"\n\tfor k, v := range deps {\n\t\t_, v.Version = manifest.SplitNPMAlias(v.Version)\n\t\tdeps[k] = v\n\t}\n}\n\nfunc (rw NpmReadWriter) Write(original depfile.DepFile, output io.Writer, patches []DependencyPatch) error {\n\tvar buf strings.Builder\n\t_, err := io.Copy(&buf, original)\n\tif err != nil {\n\t\treturn err\n\t}\n\tlock := buf.String()\n\n\tpatchMap := make(map[string]map[string]string) // name -> old -> new\n\tfor _, p := range patches {\n\t\tif _, ok := patchMap[p.Pkg.Name]; !ok {\n\t\t\tpatchMap[p.Pkg.Name] = make(map[string]string)\n\t\t}\n\t\tpatchMap[p.Pkg.Name][p.OrigVersion] = p.NewVersion\n\t}\n\n\tapi, err := datasource.NewNpmRegistryAPIClient(filepath.Dir(original.Path()))\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif lock, err = rw.modifyPackageLockPackages(lock, patchMap, api); err != nil {\n\t\treturn err\n\t}\n\n\tif lock, err = rw.modifyPackageLockDependencies(lock, patchMap, api); err != nil {\n\t\treturn err\n\t}\n\n\t// Write out modified package-lock.json\n\t_, err = io.WriteString(output, lock)\n\n\treturn err\n}\n" }, { "path": "internal/resolution/lockfile/npm_test.go", "content": "package lockfile_test\n\nimport (\n\t\"bytes\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/schema\"\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestNpmReadV2(t *testing.T) {\n\tt.Parallel()\n\n\t// This lockfile was generated using a private registry with https://verdaccio.org/\n\t// Mock packages were published to it and installed with npm.\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/npm_v2/package-lock.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tnpmRW := lockfile.NpmReadWriter{}\n\tgot, err := npmRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\n\tif err := got.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing got graph: %v\", err)\n\t}\n\n\twant, err := schema.ParseResolve(`\nr 1.0.0\n\t@fake-registry/a@^1.2.3 1.2.3\n\t\tOpt|$b@^1.0.0\n\tb: @fake-registry/b@^1.0.1 1.0.1\n\tDev KnownAs a-dev|@fake-registry/a@^2.3.4 2.3.4\n\t\t@fake-registry/b@^2.0.0 2.0.0\n\t\t\tc: @fake-registry/c@^1.0.0 1.1.1\n\t\t\t\tScope peer|$d@^2.0.0\n\t\t\td: @fake-registry/d@^2.0.0 2.2.2\n\t# workspace\n\tw@* 1.0.0\n\t\tDev|@fake-registry/a@^2.3.4 2.3.4\n\t\t\t@fake-registry/b@^2.0.0 2.0.0\n\t\t\t\t$c@^1.0.0\n\t\t\t\t$d@^2.0.0\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"error parsing want graph: %v\", err)\n\t}\n\n\tif err := want.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing want graph: %v\", err)\n\t}\n\n\tif diff := cmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"npm lockfile mismatch (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc TestNpmReadV1(t *testing.T) {\n\tt.Parallel()\n\n\t// This lockfile was generated using a private registry with https://verdaccio.org/\n\t// Mock packages were published to it and installed with npm.\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/npm_v1/package-lock.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tnpmRW := lockfile.NpmReadWriter{}\n\tgot, err := npmRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\n\tif err := got.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing got graph: %v\", err)\n\t}\n\n\twant, err := schema.ParseResolve(`\nr 1.0.0\n\t@fake-registry/a@^1.2.3 1.2.3\n\t\t$b@^1.0.0\n\tb: @fake-registry/b@^1.0.1 1.0.1\n\tDev KnownAs a-dev|@fake-registry/a@^2.3.4 2.3.4\n\t\t# all indirect dependencies become regular because it's impossible to tell type in v1\n\t\t@fake-registry/b@^2.0.0 2.0.0\n\t\t\t@fake-registry/c@^1.0.0 1.1.1\n\t\t\t\t# peerDependencies are not supported in v1\n\t\t\t@fake-registry/d@^2.0.0 2.2.2\n\t# v1 does not support workspaces\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"error parsing want graph: %v\", err)\n\t}\n\n\tif err := want.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing want graph: %v\", err)\n\t}\n\n\tif diff := cmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"npm lockfile mismatch (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc TestNpmReadTypeOrder(t *testing.T) {\n\tt.Parallel()\n\n\t// Testing the behavior when a package is included in multiple dependency type fields.\n\t// Empirically, devDependencies > optionalDependencies > dependencies > peerDependencies\n\n\t// This lockfile was manually constructed.\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/npm_type_order/package-lock.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tnpmRW := lockfile.NpmReadWriter{}\n\tgot, err := npmRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\n\tif err := got.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing got graph: %v\", err)\n\t}\n\n\twant, err := schema.ParseResolve(`\nroot 1.0.0\n\tDev|a@4.0.0 4.0.0\n\tOpt|b@3.0.0 3.0.0\n\tc@2.0.0 2.0.0\n\tScope peer|d@1.0.0 1.0.0\n`, resolve.NPM)\n\tif err != nil {\n\t\tt.Fatalf(\"error parsing want graph: %v\", err)\n\t}\n\n\tif err := want.Canon(); err != nil {\n\t\tt.Fatalf(\"failed canonicalizing want graph: %v\", err)\n\t}\n\n\tif diff := cmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"npm lockfile mismatch (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc TestNpmWrite(t *testing.T) {\n\tt.Parallel()\n\n\t// Set up mock npm registry\n\tsrv := testutility.NewMockHTTPServer(t)\n\tsrv.SetResponseFromFile(t, \"/@fake-registry%2fa/1.2.4\", \"./testdata/npm_registry/@fake-registry-a-1.2.4.json\")\n\tsrv.SetResponseFromFile(t, \"/@fake-registry%2fa/2.3.5\", \"./testdata/npm_registry/@fake-registry-a-2.3.5.json\")\n\n\t// Copy package-lock.json to temporary directory\n\tdir := testutility.CreateTestDir(t)\n\tb, err := os.ReadFile(\"./testdata/npm_v2/package-lock.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"could not read test file: %v\", err)\n\t}\n\tfile := filepath.Join(dir, \"package-lock.json\")\n\tif err := os.WriteFile(file, b, 0600); err != nil {\n\t\tt.Fatalf(\"could not copy test file: %v\", err)\n\t}\n\n\t// create an npmrc file in temp directory pointing to mock registry\n\tnpmrcFile, err := os.Create(filepath.Join(dir, \".npmrc\"))\n\tif err != nil {\n\t\tt.Fatalf(\"could not create .npmrc file: %v\", err)\n\t}\n\tif _, err := npmrcFile.WriteString(\"registry=\" + srv.URL); err != nil {\n\t\tt.Fatalf(\"failed writing npmrc file: %v\", err)\n\t}\n\n\tpatches := []lockfile.DependencyPatch{\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t\tName: \"@fake-registry/a\",\n\t\t\t},\n\t\t\tOrigVersion: \"1.2.3\",\n\t\t\tNewVersion: \"1.2.4\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t\tName: \"@fake-registry/a\",\n\t\t\t},\n\t\t\tOrigVersion: \"2.3.4\",\n\t\t\tNewVersion: \"2.3.5\",\n\t\t},\n\t}\n\n\tdf, err := depfile.OpenLocalDepFile(file)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tbuf := new(bytes.Buffer)\n\tnpmRW := lockfile.NpmReadWriter{}\n\tif err := npmRW.Write(df, buf, patches); err != nil {\n\t\tt.Fatalf(\"unable to update npm package-lock.json: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, buf.String())\n}\n" }, { "path": "internal/resolution/lockfile/npm_v1.go", "content": "package lockfile\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"strings\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/tidwall/gjson\"\n\t\"github.com/tidwall/sjson\"\n)\n\n// Old-style (npm < 7 / lockfileVersion 1) dependencies structure\n// https://docs.npmjs.com/cli/v6/configuring-npm/package-lock-json\n// Installed packages stored in recursive \"dependencies\" object\n// with \"requires\" field listing direct dependencies, and each possibly having their own \"dependencies\"\n// No dependency information package-lock.json for the root node, so we must also have the package.json\nfunc (rw NpmReadWriter) nodesFromDependencies(lockJSON npmLockfile, manifestFile io.Reader) (*resolve.Graph, *npmNodeModule, error) {\n\t// Need to grab the root requirements from the package.json, since it's not in the lockfile\n\tvar manifestJSON manifest.PackageJSON\n\tif err := json.NewDecoder(manifestFile).Decode(&manifestJSON); err != nil {\n\t\treturn nil, nil, err\n\t}\n\n\tnodeModuleTree := &npmNodeModule{\n\t\tChildren: make(map[string]*npmNodeModule),\n\t\tDeps: make(map[string]npmDependencyVersionSpec),\n\t}\n\n\t// The order we process dependency types here is to match npm's behavior.\n\tfor name, version := range manifestJSON.PeerDependencies {\n\t\tvar typ dep.Type\n\t\ttyp.AddAttr(dep.Scope, \"peer\")\n\t\t// TODO: check peerDependenciesMeta for optional peer dependencies\n\t\tnodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: typ}\n\t}\n\tfor name, version := range manifestJSON.Dependencies {\n\t\tnodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version}\n\t}\n\tfor name, version := range manifestJSON.OptionalDependencies {\n\t\tnodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Opt)}\n\t}\n\tfor name, version := range manifestJSON.DevDependencies {\n\t\tnodeModuleTree.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Dev)}\n\t}\n\trw.reVersionAliasedDeps(nodeModuleTree.Deps)\n\n\tvar g resolve.Graph\n\tnodeModuleTree.NodeID = g.AddNode(resolve.VersionKey{\n\t\tPackageKey: resolve.PackageKey{\n\t\t\tSystem: resolve.NPM,\n\t\t\tName: manifestJSON.Name,\n\t\t},\n\t\tVersionType: resolve.Concrete,\n\t\tVersion: manifestJSON.Version,\n\t})\n\n\terr := rw.computeDependenciesRecursive(&g, nodeModuleTree, lockJSON.Dependencies)\n\n\treturn &g, nodeModuleTree, err\n}\n\nfunc (rw NpmReadWriter) computeDependenciesRecursive(g *resolve.Graph, parent *npmNodeModule, deps map[string]npmLockDependency) error {\n\tfor name, d := range deps {\n\t\tactualName, version := manifest.SplitNPMAlias(d.Version)\n\t\tnID := g.AddNode(resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t\tName: name,\n\t\t\t},\n\t\t\tVersionType: resolve.Concrete,\n\t\t\tVersion: version,\n\t\t})\n\t\tnm := &npmNodeModule{\n\t\t\tParent: parent,\n\t\t\tNodeID: nID,\n\t\t\tChildren: make(map[string]*npmNodeModule),\n\t\t\tDeps: make(map[string]npmDependencyVersionSpec),\n\t\t\tActualName: actualName,\n\t\t}\n\n\t\t// The requires map includes regular dependencies AND optionalDependencies\n\t\t// but it does not include peerDependencies or devDependencies.\n\t\t// The generated graphs will lack the edges between peers\n\t\tfor name, version := range d.Requires {\n\t\t\tnm.Deps[name] = npmDependencyVersionSpec{Version: version}\n\t\t}\n\t\trw.reVersionAliasedDeps(nm.Deps)\n\n\t\tparent.Children[name] = nm\n\t\tif d.Dependencies != nil {\n\t\t\tif err := rw.computeDependenciesRecursive(g, nm, d.Dependencies); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc (rw NpmReadWriter) modifyPackageLockDependencies(lockJSON string, patches map[string]map[string]string, api *datasource.NpmRegistryAPIClient) (string, error) {\n\tif !gjson.Get(lockJSON, \"dependencies\").Exists() {\n\t\treturn lockJSON, nil\n\t}\n\n\treturn rw.modifyPackageLockDependenciesRecurse(lockJSON, \"dependencies\", 1, patches, api)\n}\n\nfunc (rw NpmReadWriter) modifyPackageLockDependenciesRecurse(lockJSON, path string, depth int, patches map[string]map[string]string, api *datasource.NpmRegistryAPIClient) (string, error) {\n\tfor pkg, data := range gjson.Get(lockJSON, path).Map() {\n\t\tpkgPath := fmt.Sprintf(\"%s.%s\", path, gjson.Escape(pkg))\n\t\tif data.Get(\"dependencies\").Exists() {\n\t\t\tvar err error\n\t\t\tlockJSON, err = rw.modifyPackageLockDependenciesRecurse(lockJSON, pkgPath+\".dependencies\", depth+1, patches, api)\n\t\t\tif err != nil {\n\t\t\t\treturn lockJSON, err\n\t\t\t}\n\t\t}\n\t\tisAlias := false\n\t\trealPkg, version := manifest.SplitNPMAlias(data.Get(\"version\").String())\n\t\tif realPkg != \"\" {\n\t\t\tisAlias = true\n\t\t\tpkg = realPkg\n\t\t}\n\n\t\tif upgrades, ok := patches[pkg]; ok {\n\t\t\tif newVer, ok := upgrades[version]; ok {\n\t\t\t\t// update dependency in place\n\t\t\t\tnpmData, err := api.FullJSON(context.Background(), pkg, newVer)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn lockJSON, err\n\t\t\t\t}\n\t\t\t\t// From what I can tell, the only fields to update are \"version\" \"resolved\" \"integrity\" and \"requires\"\n\t\t\t\tnewVersion := npmData.Get(\"version\").String()\n\t\t\t\tif isAlias {\n\t\t\t\t\tnewVersion = fmt.Sprintf(\"npm:%s@%s\", pkg, newVersion)\n\t\t\t\t}\n\t\t\t\tlockJSON, _ = sjson.Set(lockJSON, pkgPath+\".version\", newVersion)\n\t\t\t\tlockJSON, _ = sjson.Set(lockJSON, pkgPath+\".resolved\", npmData.Get(\"dist.tarball\").String())\n\t\t\t\tlockJSON, _ = sjson.Set(lockJSON, pkgPath+\".integrity\", npmData.Get(\"dist.integrity\").String())\n\t\t\t\t// formatting & padding to output for the correct level at this depth\n\t\t\t\tpretty := fmt.Sprintf(\"|@pretty:{\\\"prefix\\\": %q}\", strings.Repeat(\" \", 4*depth+2))\n\t\t\t\treqs := npmData.Get(\"dependencies\" + pretty)\n\t\t\t\tif !reqs.Exists() {\n\t\t\t\t\tlockJSON, _ = sjson.Delete(lockJSON, pkgPath+\".requires\")\n\t\t\t\t} else {\n\t\t\t\t\ttext := reqs.Raw\n\t\t\t\t\t// remove trailing newlines that @pretty creates for objects\n\t\t\t\t\ttext = strings.TrimSuffix(text, \"\\n\")\n\t\t\t\t\tlockJSON, _ = sjson.SetRaw(lockJSON, pkgPath+\".requires\", text)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn lockJSON, nil\n}\n" }, { "path": "internal/resolution/lockfile/npm_v2.go", "content": "package lockfile\n\nimport (\n\t\"cmp\"\n\t\"context\"\n\t\"errors\"\n\t\"maps\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/tidwall/gjson\"\n\t\"github.com/tidwall/pretty\"\n\t\"github.com/tidwall/sjson\"\n)\n\n// New-style (npm >= 7 / lockfileVersion 2+) structure\n// https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json\n// Installed packages are in the flat \"packages\" object, keyed by the install path\n// e.g. \"node_modules/foo/node_modules/bar\"\n// packages contain most information from their own manifests.\nfunc (rw NpmReadWriter) nodesFromPackages(lockJSON npmLockfile) (*resolve.Graph, *npmNodeModule, error) {\n\tvar g resolve.Graph\n\t// Create graph nodes and reconstruct the node_modules folder structure in memory\n\troot, ok := lockJSON.Packages[\"\"]\n\tif !ok {\n\t\treturn nil, nil, errors.New(\"missing root node\")\n\t}\n\tnID := g.AddNode(resolve.VersionKey{\n\t\tPackageKey: resolve.PackageKey{\n\t\t\tSystem: resolve.NPM,\n\t\t\tName: root.Name,\n\t\t},\n\t\tVersionType: resolve.Concrete,\n\t\tVersion: root.Version,\n\t})\n\tnodeModuleTree := rw.makeNodeModuleDeps(root, true)\n\tnodeModuleTree.NodeID = nID\n\n\t// paths for npm workspace subfolders, not inside root node_modules\n\tworkspaceModules := make(map[string]*npmNodeModule)\n\tworkspaceModules[\"\"] = nodeModuleTree\n\n\t// iterate keys by node_modules depth\n\tfor _, k := range rw.packageNamesByNodeModuleDepth(lockJSON.Packages) {\n\t\tif k == \"\" {\n\t\t\t// skip the root node\n\t\t\tcontinue\n\t\t}\n\t\tpkg, ok := lockJSON.Packages[k]\n\t\tif !ok {\n\t\t\tpanic(\"key not in packages\")\n\t\t}\n\t\tpath := strings.Split(k, \"node_modules/\")\n\t\tif len(path) == 1 {\n\t\t\t// the path does not contain \"node_modules/\", assume this is a workspace directory\n\t\t\tnID := g.AddNode(resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: path[0], // This will get replaced by the name from the symlink\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: pkg.Version,\n\t\t\t})\n\t\t\tm := rw.makeNodeModuleDeps(pkg, true) // NB: including the dev dependencies\n\t\t\tm.NodeID = nID\n\t\t\tworkspaceModules[path[0]] = m\n\n\t\t\tcontinue\n\t\t}\n\n\t\tif pkg.Link {\n\t\t\t// This is the symlink to the workspace directory in node_modules\n\t\t\tif len(path) != 2 || path[0] != \"\" {\n\t\t\t\t// Not sure what situation would lead to this\n\t\t\t\tpanic(\"Found symlink in package-lock.json that's not in root node_modules directory\")\n\t\t\t}\n\t\t\tm := workspaceModules[pkg.Resolved]\n\t\t\tif m == nil {\n\t\t\t\t// Can symlinks show up without workspaces?\n\t\t\t\tpanic(\"symlink in package-lock.json processed before real directory\")\n\t\t\t}\n\n\t\t\t// attach the workspace to the tree\n\t\t\tpkgName := path[1]\n\t\t\tnodeModuleTree.Children[pkgName] = m\n\t\t\tif pkg.Resolved == \"\" {\n\t\t\t\t// weird case: the root directory is symlinked into its own node_modules\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tm.Parent = nodeModuleTree\n\n\t\t\t// rename the node to the name it would be referred to as in package.json\n\t\t\tg.Nodes[m.NodeID].Version.Name = pkgName\n\t\t\t// add it as a dependency of the root node, so it's not orphaned\n\t\t\tif _, ok := nodeModuleTree.Deps[pkgName]; !ok {\n\t\t\t\tnodeModuleTree.Deps[pkgName] = npmDependencyVersionSpec{Version: \"*\"}\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\t// find the direct parent package by traversing the path\n\t\tparent := nodeModuleTree\n\t\tif path[0] != \"\" {\n\t\t\t// jump to the corresponding workspace if package is in one\n\t\t\tif parent, ok = workspaceModules[strings.TrimSuffix(path[0], \"/\")]; !ok {\n\t\t\t\t// The package exists in a node_modules of a folder that doesn't belong to this project.\n\t\t\t\t// npm seems to silently ignore these, so we will too.\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tparentFound := true\n\t\tfor _, p := range path[1 : len(path)-1] { // skip root directory\n\t\t\tp = strings.TrimSuffix(p, \"/\")\n\t\t\tif parent, parentFound = parent.Children[p]; !parentFound {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tif !parentFound {\n\t\t\t// The package this supposed to be installed under is not installed.\n\t\t\t// npm seems to silently ignore these, so we will too.\n\t\t\tcontinue\n\t\t}\n\n\t\tname := path[len(path)-1]\n\t\tnID := g.AddNode(resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t\tName: name,\n\t\t\t},\n\t\t\tVersionType: resolve.Concrete,\n\t\t\tVersion: pkg.Version,\n\t\t})\n\t\tparent.Children[name] = rw.makeNodeModuleDeps(pkg, false)\n\t\tparent.Children[name].NodeID = nID\n\t\tparent.Children[name].Parent = parent\n\t\tparent.Children[name].ActualName = pkg.Name\n\t}\n\n\treturn &g, nodeModuleTree, nil\n}\n\nfunc (rw NpmReadWriter) makeNodeModuleDeps(pkg npmLockPackage, includeDev bool) *npmNodeModule {\n\tnm := npmNodeModule{\n\t\tChildren: make(map[string]*npmNodeModule),\n\t\tDeps: make(map[string]npmDependencyVersionSpec),\n\t}\n\n\t// The order we process dependency types here is to match npm's behavior.\n\tfor name, version := range pkg.PeerDependencies {\n\t\tvar typ dep.Type\n\t\ttyp.AddAttr(dep.Scope, \"peer\")\n\t\t// TODO: check peerDependenciesMeta for optional peer dependencies\n\t\tnm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: typ}\n\t}\n\tfor name, version := range pkg.Dependencies {\n\t\tnm.Deps[name] = npmDependencyVersionSpec{Version: version}\n\t}\n\tfor name, version := range pkg.OptionalDependencies {\n\t\tnm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Opt)}\n\t}\n\tif includeDev {\n\t\tfor name, version := range pkg.DevDependencies {\n\t\t\tnm.Deps[name] = npmDependencyVersionSpec{Version: version, DepType: dep.NewType(dep.Dev)}\n\t\t}\n\t}\n\trw.reVersionAliasedDeps(nm.Deps)\n\n\treturn &nm\n}\n\nfunc (rw NpmReadWriter) packageNamesByNodeModuleDepth(packages map[string]npmLockPackage) []string {\n\tkeys := slices.AppendSeq(make([]string, 0, len(packages)), maps.Keys(packages))\n\tslices.SortFunc(keys, func(a, b string) int {\n\t\taSplit := strings.Split(a, \"node_modules/\")\n\t\tbSplit := strings.Split(b, \"node_modules/\")\n\t\tif c := cmp.Compare(len(aSplit), len(bSplit)); c != 0 {\n\t\t\treturn c\n\t\t}\n\t\t// sort alphabetically if they're the same depth\n\t\treturn cmp.Compare(a, b)\n\t})\n\n\treturn keys\n}\n\nfunc (rw NpmReadWriter) modifyPackageLockPackages(lockJSON string, patches map[string]map[string]string, api *datasource.NpmRegistryAPIClient) (string, error) {\n\tpackages := gjson.Get(lockJSON, \"packages\")\n\tif !packages.Exists() {\n\t\treturn lockJSON, nil\n\t}\n\n\tfor key, value := range packages.Map() {\n\t\tparts := strings.Split(key, \"node_modules/\")\n\t\tif len(parts) == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tpkg := parts[len(parts)-1]\n\t\tif n := value.Get(\"name\"); n.Exists() { // if this is an alias, use the real package as the name\n\t\t\tpkg = n.String()\n\t\t}\n\t\tif upgrades, ok := patches[pkg]; ok {\n\t\t\tif newVer, ok := upgrades[value.Get(\"version\").String()]; ok {\n\t\t\t\tfullPath := \"packages.\" + gjson.Escape(key)\n\t\t\t\tvar err error\n\t\t\t\tif lockJSON, err = rw.updatePackage(lockJSON, fullPath, pkg, newVer, api); err != nil {\n\t\t\t\t\treturn lockJSON, err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn lockJSON, nil\n}\n\nfunc (rw NpmReadWriter) updatePackage(jsonText, jsonPath, packageName, newVersion string, api *datasource.NpmRegistryAPIClient) (string, error) {\n\tnpmData, err := api.FullJSON(context.Background(), packageName, newVersion)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\t// The \"dependencies\" returned from the registry includes (can include?) both optional and regular dependencies\n\t// But the \"optionalDependencies\" are (always?) removed from \"dependencies\" package-lock.json.\n\tfor _, opt := range npmData.Get(\"optionalDependencies|@keys\").Array() {\n\t\tdepName := gjson.Escape(opt.String())\n\t\ts, _ := sjson.Delete(npmData.Raw, \"dependencies.\"+depName)\n\t\tnpmData = gjson.Parse(s)\n\t}\n\n\tif len(npmData.Get(\"dependencies\").Map()) == 0 {\n\t\ts, _ := sjson.Delete(npmData.Raw, \"dependencies\")\n\t\tnpmData = gjson.Parse(s)\n\t}\n\n\tpkgData := gjson.Get(jsonText, jsonPath)\n\tpkgText := pkgData.Raw\n\n\t// I can't find a consistent list of what fields should be included in package-lock.json packages\n\t// https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json#packages seems list some\n\t// but I've seen fields not listed there get included, and fields that it says to include (e.g. license) missing;\n\t// Might fill in as much of package.json? https://docs.npmjs.com/cli/v9/configuring-npm/package-json\n\t// It also seems to depend on npm version?\n\t// Instead, just modify the fields that are present\n\tkeyArray := pkgData.Get(\"@keys\").Array()\n\t// If dependency types were not previously present, we want to add them.\n\tnecessaryKeys := []string{\"dependencies\", \"optionalDependencies\", \"peerDependencies\"}\n\n\tkeys := make([]string, len(keyArray), len(keyArray)+len(necessaryKeys))\n\tfor i, key := range keyArray {\n\t\tkeys[i] = gjson.Escape(key.String())\n\t}\n\tfor _, key := range necessaryKeys {\n\t\tif npmData.Get(key).Exists() && !pkgData.Get(key).Exists() {\n\t\t\tkeys = append(keys, key)\n\t\t}\n\t}\n\tfor _, key := range keys {\n\t\tswitch key {\n\t\tcase \"resolved\":\n\t\t\tpkgText, _ = sjson.Set(pkgText, \"resolved\", npmData.Get(\"dist.tarball\").String())\n\t\tcase \"integrity\":\n\t\t\tpkgText, _ = sjson.Set(pkgText, \"integrity\", npmData.Get(\"dist.integrity\").String())\n\t\tcase \"bin\":\n\t\t\t// the api formats the paths as \"./path/to\", while package-lock.json seem to use \"path/to\"\n\t\t\t// TODO: smarter way for indentation\n\t\t\tnewVal := npmData.Get(key)\n\t\t\tif newVal.Exists() {\n\t\t\t\ttext := newVal.Raw\n\t\t\t\tfor k, v := range newVal.Map() {\n\t\t\t\t\ttext, _ = sjson.Set(text, k, filepath.Clean(v.String()))\n\t\t\t\t}\n\t\t\t\tpkgText, _ = sjson.SetRaw(pkgText, \"bin\", text)\n\t\t\t} else {\n\t\t\t\t// explicitly remove it if it's no longer present\n\t\t\t\tpkgText, _ = sjson.Delete(pkgText, \"bin\")\n\t\t\t}\n\t\t// if all dependencies have been removed, explicitly remove the field\n\t\tcase \"dependencies\":\n\t\t\tfallthrough\n\t\tcase \"devDependencies\": // shouldn't show up in package-lock.json\n\t\t\tfallthrough\n\t\tcase \"peerDependencies\":\n\t\t\tfallthrough\n\t\tcase \"optionalDependencies\":\n\t\t\tif !npmData.Get(key).Exists() {\n\t\t\t\t// TODO: Think of the orphaned children\n\t\t\t\tpkgText, _ = sjson.Delete(pkgText, key)\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tfallthrough\n\t\tdefault:\n\t\t\tnewVal := npmData.Get(key)\n\t\t\tif newVal.Exists() {\n\t\t\t\tpkgText, _ = sjson.SetRaw(pkgText, key, newVal.Raw)\n\t\t\t}\n\t\t\t// if it doesn't exist, assume it's one of the package-lock flags e.g. \"dev\"\n\t\t\t// TODO: It could be a removed field\n\t\t}\n\t}\n\n\t// pretty the json because setting nested objects breaks the formatting.\n\t// Setting Prefix & Indent to account for the fact that this is not the top-level object.\n\tpkgText = string(pretty.PrettyOptions([]byte(pkgText), &pretty.Options{Prefix: \" \", Indent: \" \"}))\n\tpkgText = strings.TrimSpace(pkgText) // remove leading spaces & newline pretty creates\n\n\treturn sjson.SetRaw(jsonText, jsonPath, pkgText)\n}\n" }, { "path": "internal/resolution/lockfile/testdata/npm_registry/@fake-registry-a-1.2.4.json", "content": "{\n \"name\": \"@fake-registry/a\",\n \"version\": \"1.2.4\",\n \"description\": \"package a\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": {\n \"name\": \"a author\"\n },\n \"license\": \"OriginalLicenseDoNotSteal\",\n \"dependencies\": {\n \"@fake-registry/b\": \"^1.0.0\",\n \"@fake-registry/e\": \"^1.0.0\"\n },\n \"_id\": \"@fake-registry/a@1.2.4\",\n \"_nodeVersion\": \"10.24.1\",\n \"_npmVersion\": \"7.24.2\",\n \"dist\": {\n \"integrity\": \"sha512-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==\",\n \"shasum\": \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\",\n \"tarball\": \"http://localhost:4873/@fake-registry%2fa/-/a-1.2.4.tgz\"\n },\n \"contributors\": []\n}" }, { "path": "internal/resolution/lockfile/testdata/npm_registry/@fake-registry-a-2.3.5.json", "content": "{\n \"name\": \"@fake-registry/a\",\n \"version\": \"2.3.5\",\n \"description\": \"package a@2\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": {\n \"name\": \"a@2 author\"\n },\n \"license\": \"Stolen\",\n \"optionalDependencies\": {\n \"@fake-registry/b\": \"*\"\n },\n \"dependencies\": {\n \"@fake-registry/b\": \"*\"\n },\n \"_id\": \"@fake-registry/a@2.3.5\",\n \"_nodeVersion\": \"10.24.1\",\n \"_npmVersion\": \"7.24.2\",\n \"dist\": {\n \"integrity\": \"none\",\n \"shasum\": \"ffffffff\",\n \"tarball\": \"http://localhost:4873/@fake-registry%2fa/-/a-2.3.5.tgz\"\n },\n \"contributors\": []\n}" }, { "path": "internal/resolution/lockfile/testdata/npm_v1/osv-scanner.toml", "content": "[[IgnoredVulns]]\nid = \"MAL-2024-7419\"\nreason = \"Packages in this test lockfile are not installed\"\n\n[[IgnoredVulns]]\nid = \"MAL-2024-7420\"\nreason = \"Packages in this test lockfile are not installed\"\n" }, { "path": "internal/resolution/lockfile/testdata/npm_v1/package.json", "content": "{\n \"name\": \"r\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"@fake-registry/a\": \"^1.2.3\",\n \"@fake-registry/b\": \"^1.0.1\"\n },\n \"devDependencies\": {\n \"a-dev\": \"npm:@fake-registry/a@^2.3.4\"\n }\n}\n" }, { "path": "internal/resolution/lockfile/testdata/npm_v2/osv-scanner.toml", "content": "[[IgnoredVulns]]\nid = \"MAL-2024-7419\"\nreason = \"Packages in this test lockfile are not installed\"\n\n[[IgnoredVulns]]\nid = \"MAL-2024-7420\"\nreason = \"Packages in this test lockfile are not installed\"\n" }, { "path": "internal/resolution/lockfile/testmain_test.go", "content": "package lockfile_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/resolution/manifest/__snapshots__/maven_test.snap", "content": "\n[TestMavenReadWrite - 1]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0\n\n my-app\n \n http://www.example.com\n Don't escape. Escape "this".\n \n \n Ol' Cap'n Napkins\n \n \n Ol" Cap"n Napkins\n \n \n \n \n \n \n \n\n\n \n \n \n \n \n\n \n org.parent\n parent-pom\n 1.1.1\n ../parent/pom.xml\n \n\n \n UTF-8\n 1.7\n 1.7\n 4.12\n \n ../bin\n \n \n\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n org.example\n abc\n 1.0.1\n \n \n \n org.example\n no-version\n \n \n org.example\n exclusions\n 1.0.0\n \n \n org.exclude\n exclude\n \n \n \n \n\n \n \n \n org.example\n xyz\n 2.0.0\n \n \n org.example\n no-version\n 2.0.0\n \n \n org.import\n import\n 1.0.0\n pom\n import\n \n \n \n\n \n \n profile-one\n \n true\n \n \n 2.3.4\n \n \n \n org.profile\n abc\n 1.2.3\n \n \n org.profile\n def\n ${def.version}\n \n \n \n \n profile-two\n \n \n \n org.import\n xyz\n 6.6.6\n import\n pom\n \n \n \n \n \n\n \n \n \n \n org.plugin\n plugin\n 1.0.0\n \n \n org.dep\n plugin-dep\n 2.3.3\n \n \n \n \n \n \n\n\n\n---\n\n[TestMavenWrite - 1]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0\n\n my-app\n \n http://www.example.com\n Don't escape. Escape "this".\n \n \n Ol' Cap'n Napkins\n \n \n Ol" Cap"n Napkins\n \n \n \n \n \n \n \n\n\n \n \n \n \n \n\n \n org.parent\n parent-pom\n 1.1.1\n ../parent/pom.xml\n \n\n \n UTF-8\n 1.7\n 1.7\n 4.13.2\n \n ../bin\n \n \n\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n org.example\n abc\n 1.0.2\n \n \n \n org.example\n no-version\n \n \n org.example\n exclusions\n 1.0.0\n \n \n org.exclude\n exclude\n \n \n \n \n\n \n \n \n org.example\n extra-one\n 6.6.6\n \n \n org.example\n extra-two\n 9.9.9\n \n \n org.example\n xyz\n 2.0.1\n \n \n org.example\n no-version\n 2.0.0\n \n \n org.import\n import\n 1.0.0\n pom\n import\n \n \n \n\n \n \n profile-one\n \n true\n \n \n 2.3.5\n \n \n \n org.profile\n abc\n 1.2.4\n \n \n org.profile\n def\n ${def.version}\n \n \n \n \n profile-two\n \n \n \n org.import\n xyz\n 7.0.0\n import\n pom\n \n \n \n \n \n\n \n \n \n \n org.plugin\n plugin\n 1.0.0\n \n \n org.dep\n plugin-dep\n 2.3.4\n \n \n \n \n \n \n\n\n\n---\n\n[TestMavenWriteDM - 1]\n\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0\n\n my-app\n \n http://www.example.com\n\n \n org.parent\n parent-pom\n 1.2.0\n \n\n \n \n junit\n junit\n 4.13.2\n \n \n\n \n \n \n org.management\n abc\n 1.2.3\n \n \n org.management\n xyz\n 2.3.4\n \n \n \n\n\n\n---\n" }, { "path": "internal/resolution/manifest/__snapshots__/npm_test.snap", "content": "\n[TestNpmWrite - 1]\n{\n \"name\": \"npm-manifest\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo /\"Error: no test specified/\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"cliui\": \"npm:@isaacs/cliui@^9.0.0\",\n \"jquery\": \"~0.0.1\",\n \"lodash\": \"^4.17.21\",\n \"string-width\": \"^7.1.0\",\n \"string-width-aliased\": \"npm:string-width@^6.1.0\"\n },\n \"devDependencies\": {\n \"eslint\": \"*\"\n },\n \"optionalDependencies\": {\n \"glob\": \"^1.0.0\"\n },\n \"peerDependencies\": {\n \"@babel/core\": \"^7.24.0\"\n }\n}\n\n---\n" }, { "path": "internal/resolution/manifest/manifest.go", "content": "// Package manifest provides functionality for reading and writing manifest files.\npackage manifest\n\nimport (\n\t\"bytes\"\n\t\"fmt\"\n\t\"io\"\n\t\"maps\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n)\n\ntype Manifest struct {\n\tFilePath string // Path to the manifest file on disk\n\tRoot resolve.Version // Version representing this package\n\tRequirements []resolve.RequirementVersion // All direct requirements, including dev\n\tGroups map[RequirementKey][]string // Dependency groups that the imports belong to\n\tLocalManifests []Manifest // manifests of local packages\n\tEcosystemSpecific any // Any ecosystem-specific information needed\n}\n\nfunc newManifest() Manifest {\n\treturn Manifest{\n\t\tGroups: make(map[RequirementKey][]string),\n\t}\n}\n\nfunc (m Manifest) System() resolve.System {\n\treturn m.Root.System\n}\n\nfunc (m Manifest) Clone() Manifest {\n\treturn Manifest{\n\t\tFilePath: m.FilePath,\n\t\tRoot: m.Root,\n\t\tRequirements: slices.Clone(m.Requirements),\n\t\tGroups: maps.Clone(m.Groups),\n\t\tLocalManifests: slices.Clone(m.LocalManifests),\n\t\tEcosystemSpecific: m.EcosystemSpecific, // TODO: Deep copy this?\n\t}\n}\n\ntype DependencyPatch struct {\n\tPkg resolve.PackageKey // The package this applies to\n\tType dep.Type // The dependency type\n\tOrigRequire string // The original requirement string e.g. \"1.*.*\"\n\tNewRequire string // The new requirement string e.g. \"2.*.*\"\n\tOrigResolved string // The version the original resolves to e.g. \"1.2.3\" (for display only)\n\tNewResolved string // The version the new resolves to e.g. \"2.4.6\" (for display only)\n}\n\ntype Patch struct {\n\tManifest *Manifest // The original manifest\n\tDeps []DependencyPatch // Changed direct dependencies\n\tEcosystemSpecific any // Any ecosystem-specific information\n}\n\ntype ReadWriter interface {\n\t// System returns which ecosystem this ReadWriter is for.\n\tSystem() resolve.System\n\t// Read parses a manifest file into a Manifest, possibly recursively following references to other local manifest files\n\tRead(file depfile.DepFile) (Manifest, error)\n\t// Write applies the Patch to the manifest, with minimal changes to the file.\n\t// `original` is the original manifest file to read from. The updated manifest is written to `output`.\n\tWrite(original depfile.DepFile, output io.Writer, patches Patch) error\n}\n\n// Overwrite applies the ManifestPatch to the manifest at filename.\n// Used so as to not have the same file open for reading and writing at the same time.\nfunc Overwrite(rw ReadWriter, filename string, p Patch) error {\n\tr, err := depfile.OpenLocalDepFile(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tvar buf bytes.Buffer\n\terr = rw.Write(r, &buf, p)\n\tr.Close() // Make sure the file is closed before we start writing to it.\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t//nolint:gosec // Complaining about the 0644 permissions.\n\t// The file already exists anyway so the permissions don't matter.\n\tif err := os.WriteFile(filename, buf.Bytes(), 0644); err != nil {\n\t\treturn err\n\t}\n\n\treturn nil\n}\n\nfunc GetReadWriter(pathToManifest string, registry string) (ReadWriter, error) {\n\tbase := filepath.Base(pathToManifest)\n\tswitch base {\n\tcase \"pom.xml\":\n\t\treturn NewMavenReadWriter(registry)\n\tcase \"package.json\":\n\t\treturn NpmReadWriter{}, nil\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"unsupported manifest type: %s\", base)\n\t}\n}\n\n// A RequirementKey is a comparable type that uniquely identifies a package dependency in a manifest.\n// It does not include the version specification.\ntype RequirementKey struct {\n\tresolve.PackageKey\n\n\tEcosystemSpecific any\n}\n\nfunc MakeRequirementKey(requirement resolve.RequirementVersion) RequirementKey {\n\tswitch requirement.System {\n\tcase resolve.NPM:\n\t\treturn npmRequirementKey(requirement)\n\tcase resolve.Maven:\n\t\treturn mavenRequirementKey(requirement)\n\tcase resolve.UnknownSystem:\n\t\tfallthrough\n\tdefault:\n\t\treturn RequirementKey{PackageKey: requirement.PackageKey}\n\t}\n}\n" }, { "path": "internal/resolution/manifest/maven.go", "content": "package manifest\n\nimport (\n\t\"bytes\"\n\t\"cmp\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"deps.dev/util/maven\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\tinternalxml \"github.com/google/osv-scanner/v2/internal/thirdparty/xml\"\n\tmavenutil \"github.com/google/osv-scanner/v2/internal/utility/maven\"\n)\n\nfunc mavenRequirementKey(requirement resolve.RequirementVersion) RequirementKey {\n\t// Maven dependencies must have unique groupId:artifactId:type:classifier.\n\tartifactType, _ := requirement.Type.GetAttr(dep.MavenArtifactType)\n\tclassifier, _ := requirement.Type.GetAttr(dep.MavenClassifier)\n\n\treturn RequirementKey{\n\t\tPackageKey: requirement.PackageKey,\n\t\tEcosystemSpecific: struct{ ArtifactType, Classifier string }{\n\t\t\tArtifactType: artifactType,\n\t\t\tClassifier: classifier,\n\t\t},\n\t}\n}\n\ntype MavenReadWriter struct {\n\t*datasource.MavenRegistryAPIClient\n}\n\nfunc (MavenReadWriter) System() resolve.System { return resolve.Maven }\n\nfunc NewMavenReadWriter(registry string) (MavenReadWriter, error) {\n\tclient, err := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: registry, ReleasesEnabled: true})\n\tif err != nil {\n\t\treturn MavenReadWriter{}, err\n\t}\n\n\treturn MavenReadWriter{MavenRegistryAPIClient: client}, nil\n}\n\ntype MavenManifestSpecific struct {\n\tParent maven.Parent\n\tProperties []PropertyWithOrigin // Properties from the base project\n\tOriginalRequirements []DependencyWithOrigin // Dependencies from the base project\n\tRequirementsForUpdates []resolve.RequirementVersion // Requirements that we only need for updates\n\tRepositories []maven.Repository\n}\n\ntype PropertyWithOrigin struct {\n\tmaven.Property\n\n\tOrigin string // Origin indicates where the property comes from\n}\n\ntype DependencyWithOrigin struct {\n\tmaven.Dependency\n\n\tOrigin string // Origin indicates where the dependency comes from\n}\n\nfunc (m MavenReadWriter) Read(df depfile.DepFile) (Manifest, error) {\n\tctx := context.Background()\n\n\tvar project maven.Project\n\tif err := datasource.NewMavenDecoder(df).Decode(&project); err != nil {\n\t\treturn Manifest{}, fmt.Errorf(\"failed to unmarshal project: %w\", err)\n\t}\n\tproperties := buildPropertiesWithOrigins(project, \"\")\n\torigRequirements := buildOriginalRequirements(project, \"\")\n\n\tvar reqsForUpdates []resolve.RequirementVersion\n\tif project.Parent.GroupID != \"\" && project.Parent.ArtifactID != \"\" {\n\t\treqsForUpdates = append(reqsForUpdates, resolve.RequirementVersion{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: project.Parent.Name(),\n\t\t\t\t},\n\t\t\t\t// Parent version is a concrete version, but we model parent as dependency here.\n\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\tVersion: string(project.Parent.Version),\n\t\t\t},\n\t\t\tType: resolve.MavenDepType(maven.Dependency{Type: \"pom\"}, mavenutil.OriginParent),\n\t\t})\n\t}\n\n\t// Empty JDK and ActivationOS indicates merging the default profiles.\n\tif err := project.MergeProfiles(\"\", maven.ActivationOS{}); err != nil {\n\t\treturn Manifest{}, fmt.Errorf(\"failed to merge profiles: %w\", err)\n\t}\n\n\t// TODO: there may be properties in repo.Releases.Enabled and repo.Snapshots.Enabled\n\tfor _, repo := range project.Repositories {\n\t\tif err := m.AddRegistry(datasource.MavenRegistry{\n\t\t\tURL: string(repo.URL),\n\t\t\tID: string(repo.ID),\n\t\t\tReleasesEnabled: repo.Releases.Enabled.Boolean(),\n\t\t\tSnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),\n\t\t}); err != nil {\n\t\t\treturn Manifest{}, fmt.Errorf(\"failed to add registry %s: %w\", repo.URL, err)\n\t\t}\n\t}\n\n\t// Merging parents data by parsing local parent pom.xml or fetching from upstream.\n\tif err := mavenutil.MergeParents(ctx, m.MavenRegistryAPIClient, &project, project.Parent, 1, df.Path(), true); err != nil {\n\t\treturn Manifest{}, fmt.Errorf(\"failed to merge parents: %w\", err)\n\t}\n\n\t// For dependency management imports, the dependencies that imports\n\t// dependencies from other projects will be replaced by the imported\n\t// dependencies, so add them to requirements first.\n\tfor _, dmDep := range project.DependencyManagement.Dependencies {\n\t\tif dmDep.Scope == \"import\" && dmDep.Type == \"pom\" {\n\t\t\treqsForUpdates = append(reqsForUpdates, makeRequirementVersion(dmDep, mavenutil.OriginManagement))\n\t\t}\n\t}\n\n\t// Process the dependencies:\n\t// - dedupe dependencies and dependency management\n\t// - import dependency management\n\t// - fill in missing dependency version requirement\n\tproject.ProcessDependencies(func(groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {\n\t\treturn mavenutil.GetDependencyManagement(ctx, m.MavenRegistryAPIClient, groupID, artifactID, version)\n\t})\n\n\tgroups := make(map[RequirementKey][]string)\n\trequirements := addRequirements([]resolve.RequirementVersion{}, groups, project.Dependencies, \"\")\n\trequirements = addRequirements(requirements, groups, project.DependencyManagement.Dependencies, mavenutil.OriginManagement)\n\n\t// Requirements may not appear in the dependency graph but needs to be updated.\n\tfor _, profile := range project.Profiles {\n\t\treqsForUpdates = addRequirements(reqsForUpdates, groups, profile.Dependencies, \"\")\n\t\treqsForUpdates = addRequirements(reqsForUpdates, groups, profile.DependencyManagement.Dependencies, mavenutil.OriginManagement)\n\t}\n\tfor _, plugin := range project.Build.PluginManagement.Plugins {\n\t\treqsForUpdates = addRequirements(reqsForUpdates, groups, plugin.Dependencies, \"\")\n\t}\n\n\treturn Manifest{\n\t\tFilePath: df.Path(),\n\t\tRoot: resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: project.ProjectKey.Name(),\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: string(project.Version),\n\t\t\t},\n\t\t},\n\t\tRequirements: requirements,\n\t\tGroups: groups,\n\t\tEcosystemSpecific: MavenManifestSpecific{\n\t\t\tParent: project.Parent,\n\t\t\tProperties: properties,\n\t\t\tOriginalRequirements: origRequirements,\n\t\t\tRequirementsForUpdates: reqsForUpdates,\n\t\t\tRepositories: project.Repositories,\n\t\t},\n\t}, nil\n}\n\nfunc addRequirements(reqs []resolve.RequirementVersion, groups map[RequirementKey][]string, deps []maven.Dependency, origin string) []resolve.RequirementVersion {\n\tfor _, d := range deps {\n\t\treqVer := makeRequirementVersion(d, origin)\n\t\treqs = append(reqs, reqVer)\n\t\tif d.Scope != \"\" {\n\t\t\treqKey := mavenRequirementKey(reqVer)\n\t\t\tgroups[reqKey] = append(groups[reqKey], string(d.Scope))\n\t\t}\n\t}\n\n\treturn reqs\n}\n\nfunc buildPropertiesWithOrigins(project maven.Project, originPrefix string) []PropertyWithOrigin {\n\tcount := len(project.Properties.Properties)\n\tfor _, prof := range project.Profiles {\n\t\tcount += len(prof.Properties.Properties)\n\t}\n\tproperties := make([]PropertyWithOrigin, 0, count)\n\tfor _, prop := range project.Properties.Properties {\n\t\tproperties = append(properties, PropertyWithOrigin{Property: prop})\n\t}\n\tfor _, profile := range project.Profiles {\n\t\tfor _, prop := range profile.Properties.Properties {\n\t\t\tproperties = append(properties, PropertyWithOrigin{\n\t\t\t\tProperty: prop,\n\t\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(profile.ID)),\n\t\t\t})\n\t\t}\n\t}\n\n\treturn properties\n}\n\nfunc buildOriginalRequirements(project maven.Project, originPrefix string) []DependencyWithOrigin {\n\tvar dependencies []DependencyWithOrigin\n\tif project.Parent.GroupID != \"\" && project.Parent.ArtifactID != \"\" {\n\t\tdependencies = append(dependencies, DependencyWithOrigin{\n\t\t\tDependency: maven.Dependency{\n\t\t\t\tGroupID: project.Parent.GroupID,\n\t\t\t\tArtifactID: project.Parent.ArtifactID,\n\t\t\t\tVersion: project.Parent.Version,\n\t\t\t\tType: \"pom\",\n\t\t\t},\n\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginParent),\n\t\t})\n\t}\n\tfor _, d := range project.Dependencies {\n\t\tdependencies = append(dependencies, DependencyWithOrigin{Dependency: d, Origin: originPrefix})\n\t}\n\tfor _, d := range project.DependencyManagement.Dependencies {\n\t\tdependencies = append(dependencies, DependencyWithOrigin{\n\t\t\tDependency: d,\n\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginManagement),\n\t\t})\n\t}\n\tfor _, prof := range project.Profiles {\n\t\tfor _, d := range prof.Dependencies {\n\t\t\tdependencies = append(dependencies, DependencyWithOrigin{\n\t\t\t\tDependency: d,\n\t\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(prof.ID)),\n\t\t\t})\n\t\t}\n\t\tfor _, d := range prof.DependencyManagement.Dependencies {\n\t\t\tdependencies = append(dependencies, DependencyWithOrigin{\n\t\t\t\tDependency: d,\n\t\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginProfile, string(prof.ID), mavenutil.OriginManagement),\n\t\t\t})\n\t\t}\n\t}\n\tfor _, plugin := range project.Build.PluginManagement.Plugins {\n\t\tfor _, d := range plugin.Dependencies {\n\t\t\tdependencies = append(dependencies, DependencyWithOrigin{\n\t\t\t\tDependency: d,\n\t\t\t\tOrigin: mavenOrigin(originPrefix, mavenutil.OriginPlugin, plugin.Name()),\n\t\t\t})\n\t\t}\n\t}\n\n\treturn dependencies\n}\n\n// For dependencies in profiles and plugins, we use origin to indicate where they are from.\n// The origin is in the format prefix@identifier[@postfix] (where @ is the separator):\n// - prefix indicates it is from profile or plugin\n// - identifier to locate the profile/plugin which is profile ID or plugin name\n// - (optional) suffix indicates if this is a dependency management\nfunc makeRequirementVersion(dependency maven.Dependency, origin string) resolve.RequirementVersion {\n\t// Treat test & optional dependencies as regular dependencies to force the resolver to resolve them.\n\tif dependency.Scope == \"test\" {\n\t\tdependency.Scope = \"\"\n\t}\n\tdependency.Optional = \"\"\n\n\treturn resolve.RequirementVersion{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: dependency.Name(),\n\t\t\t},\n\t\t\tVersionType: resolve.Requirement,\n\t\t\tVersion: string(dependency.Version),\n\t\t},\n\t\tType: resolve.MavenDepType(dependency, origin),\n\t}\n}\n\nfunc mavenOrigin(list ...string) string {\n\tresult := \"\"\n\tfor _, str := range list {\n\t\tif result != \"\" && str != \"\" {\n\t\t\tresult += \"@\"\n\t\t}\n\t\tif str != \"\" {\n\t\t\tresult += str\n\t\t}\n\t}\n\n\treturn result\n}\n\nfunc (MavenReadWriter) Write(df depfile.DepFile, w io.Writer, patch Patch) error {\n\tspecific, ok := patch.Manifest.EcosystemSpecific.(MavenManifestSpecific)\n\tif !ok {\n\t\treturn errors.New(\"invalid MavenManifestSpecific data\")\n\t}\n\n\t// Walk through local parent pom.xml for original dependencies and properties.\n\t// TODO: investigate if this can be done when merging parents in manifest reading\n\tcurrentPath := df.Path()\n\tparent := specific.Parent\n\tvisited := make(map[maven.ProjectKey]bool, mavenutil.MaxParent)\n\tfor range mavenutil.MaxParent {\n\t\tif parent.GroupID == \"\" || parent.ArtifactID == \"\" || parent.Version == \"\" {\n\t\t\tbreak\n\t\t}\n\t\tif visited[parent.ProjectKey] {\n\t\t\t// A cycle of parents is detected\n\t\t\treturn errors.New(\"a cycle of parents is detected\")\n\t\t}\n\t\tvisited[parent.ProjectKey] = true\n\n\t\tcurrentPath = mavenutil.ParentPOMPath(currentPath, string(parent.RelativePath))\n\t\tif currentPath == \"\" {\n\t\t\t// No more local parent pom.xml exists.\n\t\t\tbreak\n\t\t}\n\n\t\tf, err := os.Open(currentPath)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to open parent file %s: %w\", currentPath, err)\n\t\t}\n\n\t\tvar proj maven.Project\n\t\terr = datasource.NewMavenDecoder(f).Decode(&proj)\n\t\tf.Close()\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"failed to unmarshal project: %w\", err)\n\t\t}\n\t\tif mavenutil.ProjectKey(proj) != parent.ProjectKey || proj.Packaging != \"pom\" {\n\t\t\t// This is not the project that we are looking for, we should fetch from upstream\n\t\t\t// that we don't have write access so we give up here.\n\t\t\tbreak\n\t\t}\n\n\t\torigin := mavenOrigin(mavenutil.OriginParent, currentPath)\n\t\tspecific.OriginalRequirements = append(specific.OriginalRequirements, buildOriginalRequirements(proj, origin)...)\n\t\tspecific.Properties = append(specific.Properties, buildPropertiesWithOrigins(proj, origin)...)\n\t\tparent = proj.Parent\n\t}\n\n\tallPatches, err := buildPatches(patch.Deps, specific)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tfor path, patches := range allPatches {\n\t\tif path == \"\" {\n\t\t\t// Base pom.xml is going to be written later.\n\t\t\tcontinue\n\t\t}\n\t\t// TODO: investigate how to test parent manifests are updated.\n\t\tdepFile, err := depfile.OpenLocalDepFile(path)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tin := new(bytes.Buffer)\n\t\tif _, err := in.ReadFrom(depFile); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to read from DepFile: %w\", err)\n\t\t}\n\t\tdepFile.Close() // Make sure the file is closed before we start writing to it.\n\n\t\tout := new(bytes.Buffer)\n\t\tif err := write(in.String(), out, patches); err != nil {\n\t\t\treturn err\n\t\t}\n\t\t//nolint:gosec\n\t\tif err := os.WriteFile(path, out.Bytes(), 0644); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tin := new(bytes.Buffer)\n\tif _, err := in.ReadFrom(df); err != nil {\n\t\treturn fmt.Errorf(\"failed to read from DepFile: %w\", err)\n\t}\n\n\treturn write(in.String(), w, allPatches[\"\"])\n}\n\ntype MavenPatches struct {\n\tDependencyPatches MavenDependencyPatches\n\tPropertyPatches MavenPropertyPatches\n}\n\ntype MavenPatch struct {\n\tmaven.DependencyKey\n\n\tNewRequire string\n}\n\n// MavenDependencyPatches represent the dependencies to be updated, which\n// is a map of dependency patches of each origin.\ntype MavenDependencyPatches map[string]map[MavenPatch]bool // origin -> patch -> whether from this project\n\n// addPatch adds a patch to the patches map indexed by origin.\n// exist indicates whether this patch comes from the project.\nfunc (m MavenDependencyPatches) addPatch(changedDep DependencyPatch, exist bool) error {\n\td, o, err := resolve.MavenDepTypeToDependency(changedDep.Type)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"MavenDepTypeToDependency: %w\", err)\n\t}\n\n\t// If this dependency did not already exist in the project, we want to add it to the dependencyManagement section\n\tif !exist {\n\t\to = mavenutil.OriginManagement\n\t}\n\n\tsubstrings := strings.Split(changedDep.Pkg.Name, \":\")\n\tif len(substrings) != 2 {\n\t\treturn fmt.Errorf(\"invalid Maven name: %s\", changedDep.Pkg.Name)\n\t}\n\td.GroupID = maven.String(substrings[0])\n\td.ArtifactID = maven.String(substrings[1])\n\n\tif _, ok := m[o]; !ok {\n\t\tm[o] = make(map[MavenPatch]bool)\n\t}\n\tm[o][MavenPatch{\n\t\tDependencyKey: d.Key(),\n\t\tNewRequire: changedDep.NewRequire,\n\t}] = exist\n\n\treturn nil\n}\n\n// MavenPropertyPatches represent the properties to be updated, which\n// is a map of properties of each origin.\ntype MavenPropertyPatches map[string]map[string]string // origin -> tag -> value\n\n// parentPathFromOrigin returns the parent path embedded in origin,\n// as well as the remaining origin string.\nfunc parentPathFromOrigin(origin string) (string, string) {\n\ttokens := strings.Split(origin, \"@\")\n\tif len(tokens) <= 1 {\n\t\treturn \"\", origin\n\t}\n\tif tokens[0] != mavenutil.OriginParent {\n\t\treturn \"\", origin\n\t}\n\n\treturn tokens[1], strings.Join(tokens[2:], \"\")\n}\n\n// buildPatches returns dependency patches ready for updates.\nfunc buildPatches(patches []DependencyPatch, specific MavenManifestSpecific) (map[string]MavenPatches, error) {\n\tresult := make(map[string]MavenPatches)\n\tfor _, patch := range patches {\n\t\tvar path string\n\t\torigDep := originalDependency(patch, specific.OriginalRequirements)\n\t\tpath, origDep.Origin = parentPathFromOrigin(origDep.Origin)\n\t\tif _, ok := result[path]; !ok {\n\t\t\tresult[path] = MavenPatches{\n\t\t\t\tDependencyPatches: MavenDependencyPatches{},\n\t\t\t\tPropertyPatches: MavenPropertyPatches{},\n\t\t\t}\n\t\t}\n\t\tif origDep.Name() == \":\" {\n\t\t\t// An empty name indicates the dependency is not found, so the original dependency is not in the base project.\n\t\t\t// If the patch is from suggest (origRequire is set), we ignore this patch.\n\t\t\t// If the patch is from override (origRequire is empty), we add this patch.\n\t\t\tif patch.OrigRequire == \"\" {\n\t\t\t\tif err := result[path].DependencyPatches.addPatch(patch, false); err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tpatch.Type = resolve.MavenDepType(origDep.Dependency, origDep.Origin)\n\t\tif !origDep.Version.ContainsProperty() {\n\t\t\t// The original requirement does not contain a property placeholder.\n\t\t\tif err := result[path].DependencyPatches.addPatch(patch, true); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tproperties, ok := generatePropertyPatches(string(origDep.Version), patch.NewRequire)\n\t\tif !ok {\n\t\t\t// Not able to update properties to update the requirement.\n\t\t\t// Update the dependency directly instead.\n\t\t\tif err := result[path].DependencyPatches.addPatch(patch, true); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tdepOrigin := origDep.Origin\n\t\tif strings.HasPrefix(depOrigin, mavenutil.OriginProfile) {\n\t\t\t// Dependency management is not indicated in property origin.\n\t\t\tdepOrigin, _ = strings.CutSuffix(depOrigin, \"@\"+mavenutil.OriginManagement)\n\t\t} else {\n\t\t\t// Properties are defined either universally or in a profile. For property\n\t\t\t// origin not starting with 'profile', this is an universal property.\n\t\t\tdepOrigin = \"\"\n\t\t}\n\n\t\tfor name, value := range properties {\n\t\t\t// A dependency in a profile may contain properties from this profile or\n\t\t\t// properties universally defined. We need to figure out the origin of these\n\t\t\t// properties. If a property is defined both universally and in the profile,\n\t\t\t// we use the profile's origin.\n\t\t\tpropertyOrigin := \"\"\n\t\t\tfor _, p := range specific.Properties {\n\t\t\t\tif p.Name == name && p.Origin != \"\" && p.Origin == depOrigin {\n\t\t\t\t\tpropertyOrigin = depOrigin\n\t\t\t\t}\n\t\t\t}\n\t\t\tif _, ok := result[path].PropertyPatches[propertyOrigin]; !ok {\n\t\t\t\tresult[path].PropertyPatches[propertyOrigin] = make(map[string]string)\n\t\t\t}\n\t\t\t// This property has been set to update to a value. If both values are the\n\t\t\t// same, we do nothing; otherwise, instead of updating the property, we\n\t\t\t// should update the dependency directly.\n\t\t\tif preset, ok := result[path].PropertyPatches[propertyOrigin][name]; !ok {\n\t\t\t\tresult[path].PropertyPatches[propertyOrigin][name] = value\n\t\t\t} else if preset != value {\n\t\t\t\tif err := result[path].DependencyPatches.addPatch(patch, true); err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn result, nil\n}\n\n// originalDependency returns the original dependency of a dependency patch.\n// If the dependency is not found in any local pom.xml, an empty dependency is returned.\nfunc originalDependency(patch DependencyPatch, origDeps []DependencyWithOrigin) DependencyWithOrigin {\n\tIDs := strings.Split(patch.Pkg.Name, \":\")\n\tif len(IDs) != 2 {\n\t\treturn DependencyWithOrigin{}\n\t}\n\n\tdependency, _, _ := resolve.MavenDepTypeToDependency(patch.Type)\n\tdependency.GroupID = maven.String(IDs[0])\n\tdependency.ArtifactID = maven.String(IDs[1])\n\n\tfor _, d := range origDeps {\n\t\tif d.Key() == dependency.Key() && d.Version != \"\" {\n\t\t\t// If the version is empty, keep looking until we find some non-empty requirement.\n\t\t\treturn d\n\t\t}\n\t}\n\n\treturn DependencyWithOrigin{}\n}\n\n// generatePropertyPatches returns whether we are able to assign values to\n// placeholder keys to convert s1 to s2, as well as the generated patches.\n// s1 contains property placeholders like '${name}' and s2 is the target string.\nfunc generatePropertyPatches(s1, s2 string) (map[string]string, bool) {\n\tpatches := make(map[string]string)\n\tok := generatePropertyPatchesAux(s1, s2, patches)\n\n\treturn patches, ok\n}\n\n// generatePropertyPatchesAux generates property patches and store them in patches.\n// TODO: property may refer to another property ${${name}.version}\nfunc generatePropertyPatchesAux(s1, s2 string, patches map[string]string) bool {\n\tstart := strings.Index(s1, \"${\")\n\tif s1[:start] != s2[:start] {\n\t\t// Cannot update property to match the prefix\n\t\treturn false\n\t}\n\tend := strings.Index(s1, \"}\")\n\tnext := strings.Index(s1[end+1:], \"${\")\n\tif next < 0 {\n\t\t// There are no more placeholders.\n\t\tremainder := s1[end+1:]\n\t\tif remainder == s2[len(s2)-len(remainder):] {\n\t\t\tpatches[s1[start+2:end]] = s2[start : len(s2)-len(remainder)]\n\t\t\treturn true\n\t\t}\n\t} else if match := strings.Index(s2[start:], s1[end+1:end+1+next]); match > 0 {\n\t\t// Try to match the substring between two property placeholders.\n\t\tpatches[s1[start+2:end]] = s2[start : start+match]\n\t\treturn generatePropertyPatchesAux(s1[end+1:], s2[start+match:], patches)\n\t}\n\n\treturn false\n}\n\nfunc projectStartElement(raw string) string {\n\tstart := strings.Index(raw, \"\")\n\tif end < 0 {\n\t\treturn \"\"\n\t}\n\n\treturn raw[start : start+end+1]\n}\n\n// Only for writing dependencies that are not from the base project.\ntype dependencyManagement struct {\n\tDependencies []dependency `xml:\"dependencies>dependency,omitempty\"`\n}\n\ntype dependency struct {\n\tGroupID string `xml:\"groupId,omitempty\"`\n\tArtifactID string `xml:\"artifactId,omitempty\"`\n\tVersion string `xml:\"version,omitempty\"`\n\tType string `xml:\"type,omitempty\"`\n\tClassifier string `xml:\"classifier,omitempty\"`\n}\n\nfunc makeDependency(patch MavenPatch) dependency {\n\td := dependency{\n\t\tGroupID: string(patch.GroupID),\n\t\tArtifactID: string(patch.ArtifactID),\n\t\tVersion: patch.NewRequire,\n\t\tClassifier: string(patch.Classifier),\n\t}\n\tif patch.Type != \"\" && patch.Type != \"jar\" {\n\t\td.Type = string(patch.Type)\n\t}\n\n\treturn d\n}\n\nfunc compareDependency(d1, d2 dependency) int {\n\tif i := cmp.Compare(d1.GroupID, d2.GroupID); i != 0 {\n\t\treturn i\n\t}\n\tif i := cmp.Compare(d1.ArtifactID, d2.ArtifactID); i != 0 {\n\t\treturn i\n\t}\n\tif i := cmp.Compare(d1.Type, d2.Type); i != 0 {\n\t\treturn i\n\t}\n\tif i := cmp.Compare(d1.Classifier, d2.Classifier); i != 0 {\n\t\treturn i\n\t}\n\n\treturn cmp.Compare(d1.Version, d2.Version)\n}\n\nfunc write(raw string, w io.Writer, patches MavenPatches) error {\n\tdec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))\n\tenc := internalxml.NewEncoder(w)\n\n\tfor {\n\t\ttoken, err := dec.Token()\n\t\tif errors.Is(err, io.EOF) {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"getting token: %w\", err)\n\t\t}\n\n\t\tif tt, ok := token.(internalxml.StartElement); ok {\n\t\t\tif tt.Name.Local == \"project\" {\n\t\t\t\ttype RawProject struct {\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawProj RawProject\n\t\t\t\tif err := dec.DecodeElement(&rawProj, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\n\t\t\t\t// xml.EncodeToken writes a start element with its all name spaces.\n\t\t\t\t// It's very common to have a start project element with a few name spaces in Maven.\n\t\t\t\t// Thus this would cause a big diff when we try to encode the start element of project.\n\n\t\t\t\t// We first capture the raw start element string and write it.\n\t\t\t\tprojectStart := projectStartElement(raw)\n\t\t\t\tif projectStart == \"\" {\n\t\t\t\t\treturn errors.New(\"unable to get start element of project\")\n\t\t\t\t}\n\t\t\t\tif _, err := w.Write([]byte(projectStart)); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"writing start element of project: %w\", err)\n\t\t\t\t}\n\n\t\t\t\t// Then we update the project by passing the innerXML and name spaces are not passed.\n\t\t\t\tupdated := make(map[string]bool) // origin -> updated\n\t\t\t\tif err := writeProject(w, enc, rawProj.InnerXML, \"\", \"\", patches.DependencyPatches, patches.PropertyPatches, updated); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating project: %w\", err)\n\t\t\t\t}\n\n\t\t\t\t// Check whether dependency management is updated, if not, add a new section of dependency management.\n\t\t\t\tif dmPatches := patches.DependencyPatches[mavenutil.OriginManagement]; len(dmPatches) > 0 && !updated[mavenutil.OriginManagement] {\n\t\t\t\t\tenc.Indent(\" \", \" \")\n\t\t\t\t\tvar dm dependencyManagement\n\t\t\t\t\tfor p := range dmPatches {\n\t\t\t\t\t\tdm.Dependencies = append(dm.Dependencies, makeDependency(p))\n\t\t\t\t\t}\n\t\t\t\t\t// Sort dependency management for consistency in testing.\n\t\t\t\t\tslices.SortFunc(dm.Dependencies, compareDependency)\n\t\t\t\t\tif err := enc.Encode(dm); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tif _, err := w.Write([]byte(\"\\n\\n\")); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tenc.Indent(\"\", \"\")\n\t\t\t\t}\n\n\t\t\t\t// Finally we write the end element of project.\n\t\t\t\tif _, err := w.Write([]byte(\"\")); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"writing start element of project: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err := enc.EncodeToken(token); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif err := enc.Flush(); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc writeProject(w io.Writer, enc *internalxml.Encoder, raw, prefix, id string, patches MavenDependencyPatches, properties MavenPropertyPatches, updated map[string]bool) error {\n\tdec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))\n\tfor {\n\t\ttoken, err := dec.Token()\n\t\tif errors.Is(err, io.EOF) {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif tt, ok := token.(internalxml.StartElement); ok {\n\t\t\tswitch tt.Name.Local {\n\t\t\tcase \"parent\":\n\t\t\t\tupdated[\"parent\"] = true\n\t\t\t\ttype RawParent struct {\n\t\t\t\t\tmaven.ProjectKey\n\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawParent RawParent\n\t\t\t\tif err := dec.DecodeElement(&rawParent, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\treq := string(rawParent.Version)\n\t\t\t\tif parentPatches, ok := patches[\"parent\"]; ok {\n\t\t\t\t\t// There should only be one parent patch\n\t\t\t\t\tif len(parentPatches) > 1 {\n\t\t\t\t\t\treturn fmt.Errorf(\"multiple parent patches: %v\", parentPatches)\n\t\t\t\t\t}\n\t\t\t\t\tfor k := range parentPatches {\n\t\t\t\t\t\treq = k.NewRequire\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif err := writeString(enc, \"\"+rawParent.InnerXML+\"\", map[string]string{\"version\": req}); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating parent: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\tcase \"properties\":\n\t\t\t\ttype RawProperties struct {\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawProperties RawProperties\n\t\t\t\tif err := dec.DecodeElement(&rawProperties, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := writeString(enc, \"\"+rawProperties.InnerXML+\"\", properties[mavenOrigin(prefix, id)]); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating properties: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\tcase \"profile\":\n\t\t\t\tif prefix != \"\" || id != \"\" {\n\t\t\t\t\t// Skip updating if prefix or id is set to avoid infinite recursion\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\ttype RawProfile struct {\n\t\t\t\t\tmaven.Profile\n\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawProfile RawProfile\n\t\t\t\tif err := dec.DecodeElement(&rawProfile, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := writeProject(w, enc, \"\"+rawProfile.InnerXML+\"\", mavenutil.OriginProfile, string(rawProfile.ID), patches, properties, updated); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating profile: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\tcase \"plugin\":\n\t\t\t\tif prefix != \"\" || id != \"\" {\n\t\t\t\t\t// Skip updating if prefix or id is set to avoid infinite recursion\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\ttype RawPlugin struct {\n\t\t\t\t\tmaven.Plugin\n\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawPlugin RawPlugin\n\t\t\t\tif err := dec.DecodeElement(&rawPlugin, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := writeProject(w, enc, \"\"+rawPlugin.InnerXML+\"\", mavenutil.OriginPlugin, rawPlugin.Name(), patches, properties, updated); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating profile: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\tcase \"dependencyManagement\":\n\t\t\t\ttype RawDependencyManagement struct {\n\t\t\t\t\tmaven.DependencyManagement\n\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawDepMgmt RawDependencyManagement\n\t\t\t\tif err := dec.DecodeElement(&rawDepMgmt, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\to := mavenOrigin(prefix, id, mavenutil.OriginManagement)\n\t\t\t\tupdated[o] = true\n\t\t\t\tdmPatches := patches[o]\n\t\t\t\tif err := writeDependency(w, enc, \"\"+rawDepMgmt.InnerXML+\"\", dmPatches); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating dependency management: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\tcase \"dependencies\":\n\t\t\t\ttype RawDependencies struct {\n\t\t\t\t\tDependencies []maven.Dependency `xml:\"dependencies\"`\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawDeps RawDependencies\n\t\t\t\tif err := dec.DecodeElement(&rawDeps, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\to := mavenOrigin(prefix, id)\n\t\t\t\tupdated[o] = true\n\t\t\t\tdepPatches := patches[o]\n\t\t\t\tif err := writeDependency(w, enc, \"\"+rawDeps.InnerXML+\"\", depPatches); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating dependencies: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err := enc.EncodeToken(token); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn enc.Flush()\n}\n\n// indentation returns the indentation of the dependency element.\n// If dependencies or dependency elements are not found, the default\n// indentation (four space) is returned.\nfunc indentation(raw string) string {\n\ti := strings.Index(raw, \"\")\n\tif i < 0 {\n\t\treturn \" \"\n\t}\n\n\traw = raw[i+len(\"\"):]\n\t// Find the first dependency element.\n\tj := strings.Index(raw, \"\")\n\tif j < 0 {\n\t\treturn \" \"\n\t}\n\n\traw = raw[:j]\n\t// Find the last new line and get the space between.\n\tk := strings.LastIndex(raw, \"\\n\")\n\tif k < 0 {\n\t\treturn \" \"\n\t}\n\n\treturn raw[k+1:]\n}\n\nfunc writeDependency(w io.Writer, enc *internalxml.Encoder, raw string, patches map[MavenPatch]bool) error {\n\tdec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))\n\tfor {\n\t\ttoken, err := dec.Token()\n\t\tif errors.Is(err, io.EOF) {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\tif tt, ok := token.(internalxml.StartElement); ok {\n\t\t\tif tt.Name.Local == \"dependencies\" {\n\t\t\t\t// We still need to write the start element \n\t\t\t\tif err := enc.EncodeToken(token); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := enc.Flush(); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\n\t\t\t\t// Write patches that are not in the base project.\n\t\t\t\tvar deps []dependency\n\t\t\t\tfor p, ok := range patches {\n\t\t\t\t\tif !ok {\n\t\t\t\t\t\tdeps = append(deps, makeDependency(p))\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif len(deps) == 0 {\n\t\t\t\t\t// No dependencies to add\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\t// Sort dependencies for consistency in testing.\n\t\t\t\tslices.SortFunc(deps, compareDependency)\n\n\t\t\t\tenc.Indent(indentation(raw), \" \")\n\n\t\t\t\t// Write a new line to keep the format.\n\t\t\t\tif _, err := w.Write([]byte(\"\\n\")); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tfor _, d := range deps {\n\t\t\t\t\tif err := enc.Encode(d); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tenc.Indent(\"\", \"\")\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif tt.Name.Local == \"dependency\" {\n\t\t\t\ttype RawDependency struct {\n\t\t\t\t\tmaven.Dependency\n\n\t\t\t\t\tInnerXML string `xml:\",innerxml\"`\n\t\t\t\t}\n\t\t\t\tvar rawDep RawDependency\n\t\t\t\tif err := dec.DecodeElement(&rawDep, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\treq := string(rawDep.Version)\n\t\t\t\tfor patch := range patches {\n\t\t\t\t\t// A Maven dependency key consists of Type and Classifier together with GroupID and ArtifactID.\n\t\t\t\t\tif patch.DependencyKey == rawDep.Key() {\n\t\t\t\t\t\treq = patch.NewRequire\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// xml.EncodeElement writes all empty elements and may not follow the existing format.\n\t\t\t\t// Passing the innerXML can help to keep the original format.\n\t\t\t\tif err := writeString(enc, \"\"+rawDep.InnerXML+\"\", map[string]string{\"version\": req}); err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"updating dependency: %w\", err)\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\n\t\tif err := enc.EncodeToken(token); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn enc.Flush()\n}\n\n// writeString writes XML string specified by raw with replacements specified in values.\nfunc writeString(enc *internalxml.Encoder, raw string, values map[string]string) error {\n\tdec := internalxml.NewDecoder(bytes.NewReader([]byte(raw)))\n\tfor {\n\t\ttoken, err := dec.Token()\n\t\tif errors.Is(err, io.EOF) {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif tt, ok := token.(internalxml.StartElement); ok {\n\t\t\tif value, ok2 := values[tt.Name.Local]; ok2 {\n\t\t\t\tvar str string\n\t\t\t\tif err := dec.DecodeElement(&str, &tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := enc.EncodeElement(value, tt); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif err := enc.EncodeToken(token); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn enc.Flush()\n}\n" }, { "path": "internal/resolution/manifest/maven_test.go", "content": "package manifest\n\nimport (\n\t\"bytes\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"deps.dev/util/maven\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nvar (\n\tdepMgmt = depTypeWithOrigin(\"management\")\n\tdepParent = depTypeWithOrigin(\"parent\")\n\tdepPlugin = depTypeWithOrigin(\"plugin@org.plugin:plugin\")\n\tdepProfileOne = depTypeWithOrigin(\"profile@profile-one\")\n\tdepProfileTwoMgmt = depTypeWithOrigin(\"profile@profile-two@management\")\n)\n\nfunc depTypeWithOrigin(origin string) dep.Type {\n\tvar result dep.Type\n\tresult.AddAttr(dep.MavenDependencyOrigin, origin)\n\n\treturn result\n}\n\nfunc mavenReqKey(t *testing.T, name, artifactType, classifier string) RequirementKey {\n\tt.Helper()\n\tvar typ dep.Type\n\tif artifactType != \"\" {\n\t\ttyp.AddAttr(dep.MavenArtifactType, artifactType)\n\t}\n\tif classifier != \"\" {\n\t\ttyp.AddAttr(dep.MavenClassifier, classifier)\n\t}\n\n\treturn MakeRequirementKey(resolve.RequirementVersion{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tName: name,\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t},\n\t\t},\n\t\tType: typ,\n\t})\n}\n\nfunc TestMavenReadWrite(t *testing.T) {\n\tt.Parallel()\n\n\tsrv := testutility.NewMockHTTPServer(t)\n\tsrv.SetResponse(t, \"org/upstream/parent-pom/1.2.3/parent-pom-1.2.3.pom\", []byte(`\n\t\n\t org.upstream\n\t parent-pom\n\t 1.2.3\n\t pom\n\t \n\t\t\tbbb\n\t\t 2.2.2\n\t \n\t \n\t\t\n\t\t \n\t\t\torg.example\n\t\t\t${bbb.artifact}\n\t\t\t${bbb.version}\n\t\t \n\t\t\n\t \n\t\n\t`))\n\tsrv.SetResponse(t, \"org/import/import/1.0.0/import-1.0.0.pom\", []byte(`\n\t\n\t org.import\n\t import\n\t 1.0.0\n\t pom\n\t \n\t\t 3.3.3\n\t \n\t \n\t\t \n\t\t \n\t\t\t org.example\n\t\t\t ccc\n\t\t\t ${ccc.version}\n\t\t \n\t\t \n\t \n\t\n\t`))\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\tdf, err := depfile.OpenLocalDepFile(filepath.Join(cwd, \"testdata\", \"maven\", \"my-app\", \"pom.xml\"))\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tclient, _ := datasource.NewMavenRegistryAPIClient(datasource.MavenRegistry{URL: srv.URL, ReleasesEnabled: true})\n\tmavenRW := MavenReadWriter{MavenRegistryAPIClient: client}\n\n\tgot, err := mavenRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\tif !strings.HasSuffix(got.FilePath, \"pom.xml\") {\n\t\tt.Errorf(\"manifest file path %v does not have pom.xml\", got.FilePath)\n\t}\n\tgot.FilePath = \"\"\n\n\tdepType := depMgmt.Clone()\n\tdepType.AddAttr(dep.MavenArtifactType, \"pom\")\n\tdepType.AddAttr(dep.Scope, \"import\")\n\n\tdepParent.AddAttr(dep.MavenArtifactType, \"pom\")\n\n\tvar depExclusions dep.Type\n\tdepExclusions.AddAttr(dep.MavenExclusions, \"org.exclude:exclude\")\n\n\twant := Manifest{\n\t\tRoot: resolve.Version{\n\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\tName: \"com.mycompany.app:my-app\",\n\t\t\t\t},\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\tVersion: \"1.0\",\n\t\t\t},\n\t\t},\n\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"junit:junit\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"4.12\",\n\t\t\t\t},\n\t\t\t\t// Type: dep.NewType(dep.Test), test scope is ignored to make resolution work.\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:abc\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.1\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:no-version\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:exclusions\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\tType: depExclusions,\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.profile:abc\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.profile:def\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.3.4\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:ddd\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:xyz\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:no-version\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.0.0\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:aaa\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"1.1.1\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:bbb\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"2.2.2\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: \"org.example:ccc\",\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: \"3.3.3\",\n\t\t\t\t},\n\t\t\t\tType: depMgmt,\n\t\t\t},\n\t\t},\n\t\tGroups: map[RequirementKey][]string{\n\t\t\tmavenReqKey(t, \"junit:junit\", \"\", \"\"): {\"test\"},\n\t\t\tmavenReqKey(t, \"org.import:xyz\", \"pom\", \"\"): {\"import\"},\n\t\t},\n\t\tEcosystemSpecific: MavenManifestSpecific{\n\t\t\tParent: maven.Parent{\n\t\t\t\tProjectKey: maven.ProjectKey{\n\t\t\t\t\tGroupID: \"org.parent\",\n\t\t\t\t\tArtifactID: \"parent-pom\",\n\t\t\t\t\tVersion: \"1.1.1\",\n\t\t\t\t},\n\t\t\t\tRelativePath: \"../parent/pom.xml\",\n\t\t\t},\n\t\t\tProperties: []PropertyWithOrigin{\n\t\t\t\t{Property: maven.Property{Name: \"project.build.sourceEncoding\", Value: \"UTF-8\"}},\n\t\t\t\t{Property: maven.Property{Name: \"maven.compiler.source\", Value: \"1.7\"}},\n\t\t\t\t{Property: maven.Property{Name: \"maven.compiler.target\", Value: \"1.7\"}},\n\t\t\t\t{Property: maven.Property{Name: \"junit.version\", Value: \"4.12\"}},\n\t\t\t\t{Property: maven.Property{Name: \"zeppelin.daemon.package.base\", Value: \"../bin\"}},\n\t\t\t\t{Property: maven.Property{Name: \"def.version\", Value: \"2.3.4\"}, Origin: \"profile@profile-one\"},\n\t\t\t},\n\t\t\tOriginalRequirements: []DependencyWithOrigin{\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.parent\", ArtifactID: \"parent-pom\", Version: \"1.1.1\", Type: \"pom\"},\n\t\t\t\t\tOrigin: \"parent\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"junit\", ArtifactID: \"junit\", Version: \"${junit.version}\", Scope: \"test\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"abc\", Version: \"1.0.1\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"no-version\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"exclusions\", Version: \"1.0.0\",\n\t\t\t\t\t\tExclusions: []maven.Exclusion{\n\t\t\t\t\t\t\t{GroupID: \"org.exclude\", ArtifactID: \"exclude\"},\n\t\t\t\t\t\t}},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"xyz\", Version: \"2.0.0\"},\n\t\t\t\t\tOrigin: \"management\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"no-version\", Version: \"2.0.0\"},\n\t\t\t\t\tOrigin: \"management\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.import\", ArtifactID: \"import\", Version: \"1.0.0\", Scope: \"import\", Type: \"pom\"},\n\t\t\t\t\tOrigin: \"management\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.profile\", ArtifactID: \"abc\", Version: \"1.2.3\"},\n\t\t\t\t\tOrigin: \"profile@profile-one\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.profile\", ArtifactID: \"def\", Version: \"${def.version}\"},\n\t\t\t\t\tOrigin: \"profile@profile-one\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.import\", ArtifactID: \"xyz\", Version: \"6.6.6\", Scope: \"import\", Type: \"pom\"},\n\t\t\t\t\tOrigin: \"profile@profile-two@management\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tDependency: maven.Dependency{GroupID: \"org.dep\", ArtifactID: \"plugin-dep\", Version: \"2.3.3\"},\n\t\t\t\t\tOrigin: \"plugin@org.plugin:plugin\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tRequirementsForUpdates: []resolve.RequirementVersion{\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.parent:parent-pom\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"1.1.1\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depParent,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.import:import\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depType,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.profile:abc\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"1.2.3\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.profile:def\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"${def.version}\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.import:xyz\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"6.6.6\",\n\t\t\t\t\t},\n\t\t\t\t\tType: depType,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\t\tName: \"org.dep:plugin-dep\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t\tVersion: \"2.3.3\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tif diff := cmp.Diff(want, got); diff != \"\" {\n\t\tt.Errorf(\"Maven manifest mismatch (-want +got):\\n%s\", diff)\n\t}\n\n\t// Re-open the file for writing.\n\tdf, err = depfile.OpenLocalDepFile(filepath.Join(cwd, \"testdata\", \"maven\", \"my-app\", \"pom.xml\"))\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tout := new(bytes.Buffer)\n\t// There are no patches since we are only testing tabs are not escaped.\n\tif err := mavenRW.Write(df, out, Patch{Manifest: &want}); err != nil {\n\t\tt.Fatalf(\"failed to write Maven pom.xml: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, out.String())\n}\n\nfunc TestMavenWrite(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\tdf, err := depfile.OpenLocalDepFile(filepath.Join(cwd, \"testdata\", \"maven\", \"my-app\", \"pom.xml\"))\n\tif err != nil {\n\t\tt.Fatalf(\"fail to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tin := new(bytes.Buffer)\n\tif _, err := in.ReadFrom(df); err != nil {\n\t\tt.Fatalf(\"failed to read from DepFile: %v\", err)\n\t}\n\n\tpatches := MavenPatches{\n\t\tDependencyPatches: MavenDependencyPatches{\n\t\t\t\"\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\tArtifactID: \"abc\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"1.0.2\",\n\t\t\t\t}: true,\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\tArtifactID: \"no-version\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"2.0.1\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t\t\"management\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\tArtifactID: \"xyz\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"2.0.1\",\n\t\t\t\t}: true,\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\tArtifactID: \"extra-one\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"6.6.6\",\n\t\t\t\t}: false,\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\tArtifactID: \"extra-two\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"9.9.9\",\n\t\t\t\t}: false,\n\t\t\t},\n\t\t\t\"profile@profile-one\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.profile\",\n\t\t\t\t\t\tArtifactID: \"abc\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"1.2.4\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t\t\"profile@profile-two@management\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.import\",\n\t\t\t\t\t\tArtifactID: \"xyz\",\n\t\t\t\t\t\tType: \"pom\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"7.0.0\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t\t\"plugin@org.plugin:plugin\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.dep\",\n\t\t\t\t\t\tArtifactID: \"plugin-dep\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"2.3.4\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t},\n\t\tPropertyPatches: MavenPropertyPatches{\n\t\t\t\"\": {\n\t\t\t\t\"junit.version\": \"4.13.2\",\n\t\t\t},\n\t\t\t\"profile@profile-one\": {\n\t\t\t\t\"def.version\": \"2.3.5\",\n\t\t\t},\n\t\t},\n\t}\n\n\tout := new(bytes.Buffer)\n\tif err := write(in.String(), out, patches); err != nil {\n\t\tt.Fatalf(\"unable to update Maven pom.xml: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, out.String())\n}\n\nfunc TestMavenWriteDM(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\tdf, err := depfile.OpenLocalDepFile(filepath.Join(cwd, \"testdata\", \"maven\", \"no-dependency-management.xml\"))\n\tif err != nil {\n\t\tt.Fatalf(\"fail to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tin := new(bytes.Buffer)\n\tif _, err := in.ReadFrom(df); err != nil {\n\t\tt.Fatalf(\"failed to read from DepFile: %v\", err)\n\t}\n\n\tpatches := MavenPatches{\n\t\tDependencyPatches: MavenDependencyPatches{\n\t\t\t\"\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"junit\",\n\t\t\t\t\t\tArtifactID: \"junit\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"4.13.2\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t\t\"parent\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.parent\",\n\t\t\t\t\t\tArtifactID: \"parent-pom\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"1.2.0\",\n\t\t\t\t}: true,\n\t\t\t},\n\t\t\t\"management\": map[MavenPatch]bool{\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.management\",\n\t\t\t\t\t\tArtifactID: \"abc\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"1.2.3\",\n\t\t\t\t}: false,\n\t\t\t\t{\n\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\tGroupID: \"org.management\",\n\t\t\t\t\t\tArtifactID: \"xyz\",\n\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t},\n\t\t\t\t\tNewRequire: \"2.3.4\",\n\t\t\t\t}: false,\n\t\t\t},\n\t\t},\n\t}\n\n\tout := new(bytes.Buffer)\n\tif err := write(in.String(), out, patches); err != nil {\n\t\tt.Fatalf(\"unable to update Maven pom.xml: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, out.String())\n}\n\nfunc Test_buildPatches(t *testing.T) {\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\tparentPath := filepath.Join(cwd, \"testdata\", \"maven\", \"parent\", \"pom.xml\")\n\n\tdepProfileTwoMgmt.AddAttr(dep.MavenArtifactType, \"pom\")\n\tdepProfileTwoMgmt.AddAttr(dep.Scope, \"import\")\n\n\tdepParent.AddAttr(dep.MavenArtifactType, \"pom\")\n\n\tpatches := []DependencyPatch{\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.dep:plugin-dep\",\n\t\t\t},\n\t\t\tType: depPlugin,\n\t\t\tNewRequire: \"2.3.4\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:abc\",\n\t\t\t},\n\t\t\tNewRequire: \"1.0.2\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:aaa\",\n\t\t\t},\n\t\t\tNewRequire: \"1.2.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:ddd\",\n\t\t\t},\n\t\t\tNewRequire: \"1.3.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:property\",\n\t\t\t},\n\t\t\tNewRequire: \"1.0.1\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:same-property\",\n\t\t\t},\n\t\t\tNewRequire: \"1.0.1\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:another-property\",\n\t\t\t},\n\t\t\tNewRequire: \"1.1.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:property-no-update\",\n\t\t\t},\n\t\t\tNewRequire: \"2.0.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:xyz\",\n\t\t\t},\n\t\t\tType: depMgmt,\n\t\t\tNewRequire: \"2.0.1\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.import:xyz\",\n\t\t\t},\n\t\t\tType: depProfileTwoMgmt,\n\t\t\tNewRequire: \"6.7.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.profile:abc\",\n\t\t\t},\n\t\t\tType: depProfileOne,\n\t\t\tNewRequire: \"1.2.4\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.profile:def\",\n\t\t\t},\n\t\t\tType: depProfileOne,\n\t\t\tNewRequire: \"2.3.5\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.parent:parent-pom\",\n\t\t\t},\n\t\t\tType: depParent,\n\t\t\tNewRequire: \"1.2.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:suggest\",\n\t\t\t},\n\t\t\tType: depMgmt,\n\t\t\tOrigRequire: \"1.0.0\",\n\t\t\tNewRequire: \"2.0.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:override\",\n\t\t\t},\n\t\t\tType: depMgmt,\n\t\t\tNewRequire: \"2.0.0\",\n\t\t},\n\t\t{\n\t\t\tPkg: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: \"org.example:no-version\",\n\t\t\t},\n\t\t\tType: depMgmt,\n\t\t\tNewRequire: \"2.0.1\",\n\t\t},\n\t}\n\tspecific := MavenManifestSpecific{\n\t\tParent: maven.Parent{\n\t\t\tProjectKey: maven.ProjectKey{\n\t\t\t\tGroupID: \"org.parent\",\n\t\t\t\tArtifactID: \"parent-pom\",\n\t\t\t\tVersion: \"1.1.1\",\n\t\t\t},\n\t\t\tRelativePath: \"../parent/pom.xml\",\n\t\t},\n\t\tProperties: []PropertyWithOrigin{\n\t\t\t{Property: maven.Property{Name: \"property.version\", Value: \"1.0.0\"}},\n\t\t\t{Property: maven.Property{Name: \"no.update.minor\", Value: \"9\"}},\n\t\t\t{Property: maven.Property{Name: \"def.version\", Value: \"2.3.4\"}, Origin: \"profile@profile-one\"},\n\t\t\t{Property: maven.Property{Name: \"aaa.version\", Value: \"1.1.1\"}, Origin: \"parent@\" + parentPath},\n\t\t},\n\t\tOriginalRequirements: []DependencyWithOrigin{\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.parent\", ArtifactID: \"parent-pom\", Version: \"1.2.0\", Type: \"pom\"},\n\t\t\t\tOrigin: \"parent\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"junit\", ArtifactID: \"junit\", Version: \"${junit.version}\", Scope: \"test\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"abc\", Version: \"1.0.1\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"no-updates\", Version: \"9.9.9\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"no-version\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"property\", Version: \"${property.version}\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"property-no-update\", Version: \"1.${no.update.minor}\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"same-property\", Version: \"${property.version}\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"another-property\", Version: \"${property.version}\"},\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"no-version\", Version: \"2.0.0\"},\n\t\t\t\tOrigin: \"management\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"xyz\", Version: \"2.0.0\"},\n\t\t\t\tOrigin: \"management\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.profile\", ArtifactID: \"abc\", Version: \"1.2.3\"},\n\t\t\t\tOrigin: \"profile@profile-one\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.profile\", ArtifactID: \"def\", Version: \"${def.version}\"},\n\t\t\t\tOrigin: \"profile@profile-one\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.import\", ArtifactID: \"xyz\", Version: \"6.6.6\", Scope: \"import\", Type: \"pom\"},\n\t\t\t\tOrigin: \"profile@profile-two@management\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.dep\", ArtifactID: \"plugin-dep\", Version: \"2.3.3\"},\n\t\t\t\tOrigin: \"plugin@org.plugin:plugin\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"ddd\", Version: \"1.2.3\"},\n\t\t\t\tOrigin: \"parent@\" + parentPath,\n\t\t\t},\n\t\t\t{\n\t\t\t\tDependency: maven.Dependency{GroupID: \"org.example\", ArtifactID: \"aaa\", Version: \"${aaa.version}\"},\n\t\t\t\tOrigin: \"parent@\" + parentPath + \"@management\",\n\t\t\t},\n\t\t},\n\t}\n\twant := map[string]MavenPatches{\n\t\t\"\": {\n\t\t\tDependencyPatches: MavenDependencyPatches{\n\t\t\t\t\"\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"abc\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"1.0.2\",\n\t\t\t\t\t}: true,\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"another-property\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"1.1.0\",\n\t\t\t\t\t}: true,\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"property-no-update\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"2.0.0\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t\t\"management\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"xyz\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"2.0.1\",\n\t\t\t\t\t}: true,\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"no-version\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"2.0.1\",\n\t\t\t\t\t}: true,\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"override\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"2.0.0\",\n\t\t\t\t\t}: false,\n\t\t\t\t},\n\t\t\t\t\"profile@profile-one\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.profile\",\n\t\t\t\t\t\t\tArtifactID: \"abc\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"1.2.4\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t\t\"profile@profile-two@management\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.import\",\n\t\t\t\t\t\t\tArtifactID: \"xyz\",\n\t\t\t\t\t\t\tType: \"pom\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"6.7.0\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t\t\"plugin@org.plugin:plugin\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.dep\",\n\t\t\t\t\t\t\tArtifactID: \"plugin-dep\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"2.3.4\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t\t\"parent\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.parent\",\n\t\t\t\t\t\t\tArtifactID: \"parent-pom\",\n\t\t\t\t\t\t\tType: \"pom\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"1.2.0\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tPropertyPatches: MavenPropertyPatches{\n\t\t\t\t\"\": {\n\t\t\t\t\t\"property.version\": \"1.0.1\",\n\t\t\t\t},\n\t\t\t\t\"profile@profile-one\": {\n\t\t\t\t\t\"def.version\": \"2.3.5\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tparentPath: {\n\t\t\tDependencyPatches: MavenDependencyPatches{\n\t\t\t\t\"\": map[MavenPatch]bool{\n\t\t\t\t\t{\n\t\t\t\t\t\tDependencyKey: maven.DependencyKey{\n\t\t\t\t\t\t\tGroupID: \"org.example\",\n\t\t\t\t\t\t\tArtifactID: \"ddd\",\n\t\t\t\t\t\t\tType: \"jar\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tNewRequire: \"1.3.0\",\n\t\t\t\t\t}: true,\n\t\t\t\t},\n\t\t\t},\n\t\t\tPropertyPatches: MavenPropertyPatches{\n\t\t\t\t\"\": {\n\t\t\t\t\t\"aaa.version\": \"1.2.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tallPatches, err := buildPatches(patches, specific)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to build patches: %v\", err)\n\t}\n\tif diff := cmp.Diff(want, allPatches); diff != \"\" {\n\t\tt.Errorf(\"result patches mismatch (-want +got):\\n%s\", diff)\n\t}\n}\n\nfunc Test_generatePropertyPatches(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\ts1 string\n\t\ts2 string\n\t\tpossible bool\n\t\tpatches map[string]string\n\t}{\n\t\t{\"${version}\", \"1.2.3\", true, map[string]string{\"version\": \"1.2.3\"}},\n\t\t{\"${major}.2.3\", \"1.2.3\", true, map[string]string{\"major\": \"1\"}},\n\t\t{\"1.${minor}.3\", \"1.2.3\", true, map[string]string{\"minor\": \"2\"}},\n\t\t{\"1.2.${patch}\", \"1.2.3\", true, map[string]string{\"patch\": \"3\"}},\n\t\t{\"${major}.${minor}.${patch}\", \"1.2.3\", true, map[string]string{\"major\": \"1\", \"minor\": \"2\", \"patch\": \"3\"}},\n\t\t{\"${major}.2.3\", \"2.0.0\", false, map[string]string{}},\n\t\t{\"1.${minor}.3\", \"2.0.0\", false, map[string]string{}},\n\t}\n\tfor _, tt := range tests {\n\t\tpatches, ok := generatePropertyPatches(tt.s1, tt.s2)\n\t\tif ok != tt.possible || !reflect.DeepEqual(patches, tt.patches) {\n\t\t\tt.Errorf(\"generatePropertyPatches(%s, %s): got %v %v, want %v %v\", tt.s1, tt.s2, patches, ok, tt.patches, tt.possible)\n\t\t}\n\t}\n}\n" }, { "path": "internal/resolution/manifest/npm.go", "content": "package manifest\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/tidwall/gjson\"\n\t\"github.com/tidwall/sjson\"\n)\n\nfunc npmRequirementKey(requirement resolve.RequirementVersion) RequirementKey {\n\t// Npm requirements are the uniquely identified by the key in the dependencies fields (which ends up being the path in node_modules)\n\t// Declaring a dependency in multiple places (dependencies, devDependencies, optionalDependencies) only installs it once at one version.\n\t// Aliases & non-registry dependencies are keyed on their 'KnownAs' attribute.\n\tknownAs, _ := requirement.Type.GetAttr(dep.KnownAs)\n\treturn RequirementKey{\n\t\tPackageKey: requirement.PackageKey,\n\t\tEcosystemSpecific: knownAs,\n\t}\n}\n\ntype NpmReadWriter struct{}\n\nfunc (NpmReadWriter) System() resolve.System { return resolve.NPM }\n\ntype PackageJSON struct {\n\tName string `json:\"name\"`\n\tVersion string `json:\"version\"`\n\t// TODO: yarn allows workspaces to be a object OR a list:\n\t// https://classic.yarnpkg.com/blog/2018/02/15/nohoist/\n\tWorkspaces []string `json:\"workspaces\"`\n\tDependencies map[string]string `json:\"dependencies\"`\n\tDevDependencies map[string]string `json:\"devDependencies\"`\n\tOptionalDependencies map[string]string `json:\"optionalDependencies\"`\n\n\t// These fields are currently only used when parsing package-lock.json\n\tPeerDependencies map[string]string `json:\"peerDependencies\"`\n\t// BundleDependencies []string `json:\"bundleDependencies\"`\n}\n\nfunc (rw NpmReadWriter) Read(f depfile.DepFile) (Manifest, error) {\n\tdec := json.NewDecoder(f)\n\tvar packagejson PackageJSON\n\tif err := dec.Decode(&packagejson); err != nil {\n\t\treturn Manifest{}, err\n\t}\n\n\t// Create the root node.\n\tmanif := newManifest()\n\tmanif.FilePath = f.Path()\n\tmanif.Root = resolve.Version{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tName: packagejson.Name,\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t},\n\t\t\tVersion: packagejson.Version,\n\t\t\tVersionType: resolve.Concrete,\n\t\t}}\n\n\t// Find all package.json files in the workspaces & parse those too.\n\tvar workspaces []string\n\tfor _, pattern := range packagejson.Workspaces {\n\t\tmatch, err := filepath.Glob(filepath.Join(filepath.Dir(f.Path()), pattern, \"package.json\"))\n\t\tif err != nil {\n\t\t\treturn Manifest{}, err\n\t\t}\n\t\tworkspaces = append(workspaces, match...)\n\t}\n\n\t// workspaces seem to be evaluated in sorted path order\n\tslices.Sort(workspaces)\n\tworkspaceNames := make(map[string]struct{})\n\tfor _, path := range workspaces {\n\t\twsFile, err := f.Open(path)\n\t\tif err != nil {\n\t\t\treturn Manifest{}, err\n\t\t}\n\t\tdefer wsFile.Close()\n\t\t// TODO: Workspaces can't have workspaces of their own.\n\t\t// Avoid attempting to resolve them recursively.\n\t\tm, err := rw.Read(wsFile)\n\t\tif err != nil {\n\t\t\treturn Manifest{}, err\n\t\t}\n\t\tmanif.LocalManifests = append(manif.LocalManifests, m)\n\t\tworkspaceNames[m.Root.Name] = struct{}{}\n\t}\n\n\tisWorkspace := func(req resolve.RequirementVersion) bool {\n\t\tif req.Type.HasAttr(dep.KnownAs) {\n\t\t\t// \"alias\": \"npm:pkg@*\" seems to always take the real 'pkg',\n\t\t\t// even if there's a workspace with the same name.\n\t\t\treturn false\n\t\t}\n\t\t_, ok := workspaceNames[req.Name]\n\n\t\treturn ok\n\t}\n\n\tworkspaceReqVers := make(map[resolve.PackageKey]resolve.RequirementVersion)\n\n\t// empirically, the dev version takes precedence over optional, which takes precedence over regular, if they conflict.\n\tfor pkg, ver := range packagejson.Dependencies {\n\t\treq := rw.makeNPMReqVer(pkg, ver)\n\t\tif isWorkspace(req) {\n\t\t\t// workspaces seem to always be evaluated separately\n\t\t\tworkspaceReqVers[req.PackageKey] = req\n\t\t\tcontinue\n\t\t}\n\t\tmanif.Requirements = append(manif.Requirements, req)\n\t}\n\n\tfor pkg, ver := range packagejson.OptionalDependencies {\n\t\treq := rw.makeNPMReqVer(pkg, ver)\n\t\treq.Type.AddAttr(dep.Opt, \"\")\n\t\tif isWorkspace(req) {\n\t\t\t// workspaces seem to always be evaluated separately\n\t\t\tworkspaceReqVers[req.PackageKey] = req\n\t\t\tcontinue\n\t\t}\n\t\tidx := slices.IndexFunc(manif.Requirements, func(imp resolve.RequirementVersion) bool {\n\t\t\treturn imp.PackageKey == req.PackageKey\n\t\t})\n\t\tif idx != -1 {\n\t\t\tmanif.Requirements[idx] = req\n\t\t} else {\n\t\t\tmanif.Requirements = append(manif.Requirements, req)\n\t\t}\n\t\tmanif.Groups[npmRequirementKey(req)] = []string{\"optional\"}\n\t}\n\n\tfor pkg, ver := range packagejson.DevDependencies {\n\t\treq := rw.makeNPMReqVer(pkg, ver)\n\t\tif isWorkspace(req) {\n\t\t\t// workspaces seem to always be evaluated separately\n\t\t\tworkspaceReqVers[req.PackageKey] = req\n\t\t\tcontinue\n\t\t}\n\t\tidx := slices.IndexFunc(manif.Requirements, func(imp resolve.RequirementVersion) bool {\n\t\t\treturn imp.PackageKey == req.PackageKey\n\t\t})\n\t\tif idx != -1 {\n\t\t\t// In newer versions of npm, having a package in both the `dependencies` and `devDependencies`\n\t\t\t// makes it treated as ONLY a devDependency (using the devDependency version)\n\t\t\t// npm v6 and below seems to do the opposite and there's no easy way of seeing the npm version :/\n\t\t\tmanif.Requirements[idx] = req\n\t\t} else {\n\t\t\tmanif.Requirements = append(manif.Requirements, req)\n\t\t}\n\t\tmanif.Groups[npmRequirementKey(req)] = []string{\"dev\"}\n\t}\n\n\tresolve.SortDependencies(manif.Requirements)\n\n\t// resolve workspaces after regular requirements\n\tfor i, m := range manif.LocalManifests {\n\t\timp, ok := workspaceReqVers[m.Root.PackageKey]\n\t\tif !ok { // The workspace isn't directly used by the root package, add it as a 'requirement' anyway so it's resolved\n\t\t\timp = resolve.RequirementVersion{\n\t\t\t\tType: dep.NewType(),\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: m.Root.PackageKey,\n\t\t\t\t\tVersion: \"*\", // use the 'any' specifier so we always match the sub-package version\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t},\n\t\t\t}\n\t\t}\n\t\t// Add an extra identifier to the workspace package names so name collisions don't overwrite indirect dependencies\n\t\timp.Name += \":workspace\"\n\t\tmanif.LocalManifests[i].Root.Name = imp.Name\n\t\tmanif.Requirements = append(manif.Requirements, imp)\n\t\t// replace the workspace's sibling requirements\n\t\tfor j, req := range m.Requirements {\n\t\t\tif isWorkspace(req) {\n\t\t\t\tmanif.LocalManifests[i].Requirements[j].Name = req.Name + \":workspace\"\n\t\t\t\treqKey := npmRequirementKey(req)\n\t\t\t\tif g, ok := m.Groups[reqKey]; ok {\n\t\t\t\t\tnewKey := npmRequirementKey(manif.LocalManifests[i].Requirements[j])\n\t\t\t\t\tmanif.LocalManifests[i].Groups[newKey] = g\n\t\t\t\t\tdelete(manif.LocalManifests[i].Groups, reqKey)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn manif, nil\n}\n\nfunc (rw NpmReadWriter) makeNPMReqVer(pkg, ver string) resolve.RequirementVersion {\n\t// TODO: URLs, Git, GitHub, `file:`\n\ttyp := dep.NewType() // don't use dep.NewType(dep.Dev) for devDeps to force the resolver to resolve them\n\trealPkg, realVer := SplitNPMAlias(ver)\n\tif realPkg != \"\" {\n\t\t// This dependency is aliased, add it as a\n\t\t// dependency on the actual name, with the\n\t\t// KnownAs attribute set to the alias.\n\t\ttyp.AddAttr(dep.KnownAs, pkg)\n\t\tpkg = realPkg\n\t\tver = realVer\n\t}\n\tif strings.Contains(ver, \":\") {\n\t\t// TODO: Also check for GitHub URLs - https://docs.npmjs.com/cli/v10/configuring-npm/package-json#github-urls\n\t\t// Unhandled version prefix\n\t\t// e.g. `git+https://...`, `file:...`\n\t\t// TODO: Do a proper match for possibilities:\n\t\t// https://docs.npmjs.com/cli/v10/configuring-npm/package-json#urls-as-dependencies\n\t\t// TODO: resolve the package.json from the file/repo into a local Manifest (and uniquely refer to it somehow)\n\n\t\t// For now we want to avoid fatal resolution errors.\n\t\t// The resolver fatally errors if the package is not found, but not if the version is not found.\n\t\t// As a hack, assign the name as an alias of a real package, but keep the version invalid/non-existent.\n\t\ttyp.AddAttr(dep.KnownAs, pkg)\n\t\tpkg = \"-\" // This is a real npm package!\n\t\t// TODO: don't add this to the manifest, return some non-fatal errors to surface instead of relying on resolution errors\n\t}\n\n\treturn resolve.RequirementVersion{\n\t\tType: typ,\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tName: pkg,\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t},\n\t\t\tVersion: ver,\n\t\t\tVersionType: resolve.Requirement,\n\t\t},\n\t}\n}\n\nfunc (NpmReadWriter) Write(r depfile.DepFile, w io.Writer, patch Patch) error {\n\t// Read the whole package.json into a string so we can use sjson to write in-place.\n\tvar buf strings.Builder\n\t_, err := io.Copy(&buf, r)\n\tif err != nil {\n\t\treturn err\n\t}\n\tmanif := buf.String()\n\n\tfor _, changedDep := range patch.Deps {\n\t\tname := changedDep.Pkg.Name\n\t\torigVer := changedDep.OrigRequire\n\t\tnewVer := changedDep.NewRequire\n\t\tif knownAs, ok := changedDep.Type.GetAttr(dep.KnownAs); ok {\n\t\t\t// reconstruct alias versioning\n\t\t\torigVer = fmt.Sprintf(\"npm:%s@%s\", name, origVer)\n\t\t\tnewVer = fmt.Sprintf(\"npm:%s@%s\", name, newVer)\n\t\t\tname = knownAs\n\t\t}\n\t\t// Don't know what kind of dependency this is, so check them all.\n\t\t// Check them in dev -> optional -> prod because that's the order npm seems to use when they conflict.\n\t\t// Check devDependency first because npm>=7 uses only the devDependency if it exists in both.\n\t\talreadyMatched := false\n\t\tdepStr := \"devDependencies.\" + name\n\t\tif res := gjson.Get(manif, depStr); res.Exists() {\n\t\t\tif res.Str != origVer {\n\t\t\t\tpanic(\"original dependency version does not match what is in package.json\")\n\t\t\t}\n\t\t\talreadyMatched = true\n\t\t\tmanif, err = sjson.Set(manif, depStr, newVer)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\tdepStr = \"optionalDependencies.\" + name\n\t\tif res := gjson.Get(manif, depStr); res.Exists() {\n\t\t\tif res.Str != origVer {\n\t\t\t\tif alreadyMatched {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tpanic(\"original dependency version does not match what is in package.json\")\n\t\t\t}\n\t\t\talreadyMatched = true\n\t\t\tmanif, err = sjson.Set(manif, depStr, newVer)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\n\t\tdepStr = \"dependencies.\" + name\n\t\tif res := gjson.Get(manif, depStr); res.Exists() {\n\t\t\tif res.Str != origVer {\n\t\t\t\tif alreadyMatched {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tpanic(\"original dependency version does not match what is in package.json\")\n\t\t\t}\n\t\t\tmanif, err = sjson.Set(manif, depStr, newVer)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t}\n\n\t// Write out modified package.json\n\t_, err = io.WriteString(w, manif)\n\n\treturn err\n}\n\n// SplitNPMAlias extracts the real package name and version from an alias-specified version.\n//\n// e.g. \"npm:pkg@^1.2.3\" -> name: \"pkg\", version: \"^1.2.3\"\n//\n// If the version is not an alias specifier, the name will be empty and the version unchanged.\nfunc SplitNPMAlias(v string) (name, version string) {\n\tif r, ok := strings.CutPrefix(v, \"npm:\"); ok {\n\t\tif i := strings.LastIndex(r, \"@\"); i > 0 {\n\t\t\treturn r[:i], r[i+1:]\n\t\t}\n\n\t\treturn r, \"\" // alias with no version specified\n\t}\n\n\treturn \"\", v // not an alias\n}\n" }, { "path": "internal/resolution/manifest/npm_test.go", "content": "package manifest_test\n\nimport (\n\t\"bytes\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc aliasType(t *testing.T, aliasedName string) dep.Type {\n\tt.Helper()\n\tvar typ dep.Type\n\ttyp.AddAttr(dep.KnownAs, aliasedName)\n\n\treturn typ\n}\n\nfunc npmVK(t *testing.T, name, version string, versionType resolve.VersionType) resolve.VersionKey {\n\tt.Helper()\n\treturn resolve.VersionKey{\n\t\tPackageKey: resolve.PackageKey{\n\t\t\tSystem: resolve.NPM,\n\t\t\tName: name,\n\t\t},\n\t\tVersion: version,\n\t\tVersionType: versionType,\n\t}\n}\n\nfunc npmReqKey(t *testing.T, name, knownAs string) manifest.RequirementKey {\n\tt.Helper()\n\tvar typ dep.Type\n\tif knownAs != \"\" {\n\t\ttyp.AddAttr(dep.KnownAs, knownAs)\n\t}\n\n\treturn manifest.MakeRequirementKey(resolve.RequirementVersion{\n\t\tVersionKey: resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tName: name,\n\t\t\t\tSystem: resolve.NPM,\n\t\t\t},\n\t\t},\n\t\tType: typ,\n\t})\n}\n\nfunc TestNpmRead(t *testing.T) {\n\tt.Parallel()\n\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/package.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tnpmRW := manifest.NpmReadWriter{}\n\tgot, err := npmRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\tif !strings.HasSuffix(got.FilePath, \"package.json\") {\n\t\tt.Errorf(\"manifest file path %v does not have package.json\", got.FilePath)\n\t}\n\tgot.FilePath = \"\"\n\n\twant := manifest.Manifest{\n\t\tRoot: resolve.Version{\n\t\t\tVersionKey: npmVK(t, \"npm-manifest\", \"1.0.0\", resolve.Concrete),\n\t\t},\n\t\t// npm dependencies should resolve in alphabetical order, regardless of type\n\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t// TODO: @babel/core peerDependency currently not resolved\n\t\t\t{\n\t\t\t\tType: aliasType(t, \"cliui\"), // sorts on aliased name, not real package name\n\t\t\t\tVersionKey: npmVK(t, \"@isaacs/cliui\", \"^8.0.2\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\t// Type: dep.NewType(dep.Dev), devDependencies treated as prod to make resolution work\n\t\t\t\tVersionKey: npmVK(t, \"eslint\", \"^8.57.0\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tType: dep.NewType(dep.Opt),\n\t\t\t\tVersionKey: npmVK(t, \"glob\", \"^10.3.10\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"jquery\", \"latest\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"lodash\", \"4.17.17\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"string-width\", \"^5.1.2\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tType: aliasType(t, \"string-width-aliased\"),\n\t\t\t\tVersionKey: npmVK(t, \"string-width\", \"^4.2.3\", resolve.Requirement),\n\t\t\t},\n\t\t},\n\t\tGroups: map[manifest.RequirementKey][]string{\n\t\t\tnpmReqKey(t, \"eslint\", \"\"): {\"dev\"},\n\t\t\tnpmReqKey(t, \"glob\", \"\"): {\"optional\"},\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"npm manifest mismatch:\\ngot %v\\nwant %v\\n\", got, want)\n\t}\n}\n\nfunc TestNpmWorkspaceRead(t *testing.T) {\n\tt.Parallel()\n\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/npm-workspaces/package.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tnpmRW := manifest.NpmReadWriter{}\n\tgot, err := npmRW.Read(df)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read file: %v\", err)\n\t}\n\tif !strings.HasSuffix(got.FilePath, \"package.json\") {\n\t\tt.Errorf(\"manifest file path %v does not have package.json\", got.FilePath)\n\t}\n\tgot.FilePath = \"\"\n\tfor i, local := range got.LocalManifests {\n\t\tif !strings.HasSuffix(local.FilePath, \"package.json\") {\n\t\t\tt.Errorf(\"local manifest file path %v does not have package.json\", local.FilePath)\n\t\t}\n\t\tgot.LocalManifests[i].FilePath = \"\"\n\t}\n\n\twant := manifest.Manifest{\n\t\tRoot: resolve.Version{\n\t\t\tVersionKey: npmVK(t, \"npm-workspace-test\", \"1.0.0\", resolve.Concrete),\n\t\t},\n\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t// root dependencies always before workspace\n\t\t\t{\n\t\t\t\tType: aliasType(t, \"jquery-real\"),\n\t\t\t\tVersionKey: npmVK(t, \"jquery\", \"^3.7.1\", resolve.Requirement),\n\t\t\t},\n\t\t\t// workspaces in path order\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"jquery:workspace\", \"^3.7.1\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"@workspace/ugh:workspace\", \"*\", resolve.Requirement),\n\t\t\t},\n\t\t\t{\n\t\t\t\tVersionKey: npmVK(t, \"z-z-z:workspace\", \"*\", resolve.Requirement),\n\t\t\t},\n\t\t},\n\t\tGroups: map[manifest.RequirementKey][]string{\n\t\t\tnpmReqKey(t, \"jquery\", \"jquery-real\"): {\"dev\"},\n\t\t\t// excludes workspace dev dependency\n\t\t},\n\t\tLocalManifests: []manifest.Manifest{\n\t\t\t{\n\t\t\t\tRoot: resolve.Version{\n\t\t\t\t\tVersionKey: npmVK(t, \"jquery:workspace\", \"3.7.1\", resolve.Concrete),\n\t\t\t\t},\n\t\t\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t\t\t{\n\t\t\t\t\t\tVersionKey: npmVK(t, \"semver\", \"^7.6.0\", resolve.Requirement),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tGroups: map[manifest.RequirementKey][]string{},\n\t\t\t},\n\t\t\t{\n\t\t\t\tRoot: resolve.Version{\n\t\t\t\t\tVersionKey: npmVK(t, \"@workspace/ugh:workspace\", \"0.0.1\", resolve.Concrete),\n\t\t\t\t},\n\t\t\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t\t\t{\n\t\t\t\t\t\tVersionKey: npmVK(t, \"jquery:workspace\", \"*\", resolve.Requirement),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tVersionKey: npmVK(t, \"semver\", \"^6.3.1\", resolve.Requirement),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tGroups: map[manifest.RequirementKey][]string{\n\t\t\t\t\tnpmReqKey(t, \"jquery:workspace\", \"\"): {\"dev\"},\n\t\t\t\t\tnpmReqKey(t, \"semver\", \"\"): {\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tRoot: resolve.Version{\n\t\t\t\t\tVersionKey: npmVK(t, \"z-z-z:workspace\", \"1.0.0\", resolve.Concrete),\n\t\t\t\t},\n\t\t\t\tRequirements: []resolve.RequirementVersion{\n\t\t\t\t\t{\n\t\t\t\t\t\tVersionKey: npmVK(t, \"@workspace/ugh:workspace\", \"*\", resolve.Requirement),\n\t\t\t\t\t},\n\t\t\t\t\t{\n\t\t\t\t\t\tVersionKey: npmVK(t, \"semver\", \"^5.7.2\", resolve.Requirement),\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tGroups: map[manifest.RequirementKey][]string{},\n\t\t\t},\n\t\t},\n\t}\n\tif !reflect.DeepEqual(got, want) {\n\t\tt.Errorf(\"npm manifest mismatch:\\ngot %v\\nwant %v\\n\", got, want)\n\t}\n}\n\nfunc TestNpmWrite(t *testing.T) {\n\tt.Parallel()\n\n\tdf, err := depfile.OpenLocalDepFile(\"./testdata/package.json\")\n\tif err != nil {\n\t\tt.Fatalf(\"failed to open file: %v\", err)\n\t}\n\tdefer df.Close()\n\n\tchanges := manifest.Patch{\n\t\tDeps: []manifest.DependencyPatch{\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"lodash\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"4.17.17\",\n\t\t\t\tNewRequire: \"^4.17.21\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"eslint\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"^8.57.0\",\n\t\t\t\tNewRequire: \"*\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"glob\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"^10.3.10\",\n\t\t\t\tNewRequire: \"^1.0.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"jquery\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"latest\",\n\t\t\t\tNewRequire: \"~0.0.1\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"@isaacs/cliui\",\n\t\t\t\t},\n\t\t\t\tType: aliasType(t, \"cliui\"),\n\t\t\t\tOrigRequire: \"^8.0.2\",\n\t\t\t\tNewRequire: \"^9.0.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"string-width\",\n\t\t\t\t},\n\t\t\t\tOrigRequire: \"^5.1.2\",\n\t\t\t\tNewRequire: \"^7.1.0\",\n\t\t\t},\n\t\t\t{\n\t\t\t\tPkg: resolve.PackageKey{\n\t\t\t\t\tSystem: resolve.NPM,\n\t\t\t\t\tName: \"string-width\",\n\t\t\t\t},\n\t\t\t\tType: aliasType(t, \"string-width-aliased\"),\n\t\t\t\tOrigRequire: \"^4.2.3\",\n\t\t\t\tNewRequire: \"^6.1.0\",\n\t\t\t},\n\t\t},\n\t}\n\n\tbuf := new(bytes.Buffer)\n\tnpmRW := manifest.NpmReadWriter{}\n\tif err := npmRW.Write(df, buf, changes); err != nil {\n\t\tt.Fatalf(\"unable to update npm package.json: %v\", err)\n\t}\n\ttestutility.NewSnapshot().WithCRLFReplacement().MatchText(t, buf.String())\n}\n" }, { "path": "internal/resolution/manifest/testdata/maven/my-app/osv-scanner.toml", "content": "[[PackageOverrides]]\nignore = true\n" }, { "path": "internal/resolution/manifest/testdata/maven/my-app/pom.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0\n\n my-app\n \n http://www.example.com\n Don't escape. Escape "this".\n \n \n Ol' Cap'n Napkins\n \n \n Ol" Cap"n Napkins\n \n \n \n \n \n \n \n\n\n \n \n \n \n \n\n \n org.parent\n parent-pom\n 1.1.1\n ../parent/pom.xml\n \n\n \n UTF-8\n 1.7\n 1.7\n 4.12\n\t \n\t ../bin\n\t \n \n\n \n \n junit\n junit\n ${junit.version}\n test\n \n \n org.example\n abc\n 1.0.1\n \n \n \n org.example\n no-version\n \n \n org.example\n exclusions\n 1.0.0\n \n \n org.exclude\n exclude\n \n \n \n \n\n \n \n \n org.example\n xyz\n 2.0.0\n \n \n org.example\n no-version\n 2.0.0\n \n \n org.import\n import\n 1.0.0\n pom\n import\n \n \n \n\n \n \n profile-one\n \n true\n \n \n 2.3.4\n \n \n \n org.profile\n abc\n 1.2.3\n \n \n org.profile\n def\n ${def.version}\n \n \n \n \n profile-two\n \n \n \n org.import\n xyz\n 6.6.6\n import\n pom\n \n \n \n \n \n\n \n \n \n \n org.plugin\n plugin\n 1.0.0\n \n \n org.dep\n plugin-dep\n 2.3.3\n \n \n \n \n \n \n\n\n" }, { "path": "internal/resolution/manifest/testdata/maven/no-dependency-management.xml", "content": "\n\n\n 4.0.0\n\n com.mycompany.app\n my-app\n 1.0\n\n my-app\n \n http://www.example.com\n\n \n org.parent\n parent-pom\n 1.1.1\n \n\n \n \n junit\n junit\n 4.12\n \n \n\n\n" }, { "path": "internal/resolution/manifest/testdata/maven/parent/grandparent/mismatch.xml", "content": "\n\n 4.0.0\n\n org.upstream\n wrong-parent\n 1.1.1\n\n pom\n\n\n" }, { "path": "internal/resolution/manifest/testdata/maven/parent/grandparent/pom.xml", "content": "\n\n\n 4.0.0\n\n org.grandparent\n grandparent-pom\n 1.1.1\n\n my-app\n \n http://www.example.com\n\n pom\n\n \n org.upstream\n parent-pom\n 1.2.3\n ./mismatch.xml\n \n\n\n" }, { "path": "internal/resolution/manifest/testdata/maven/parent/pom.xml", "content": "\n\n\n 4.0.0\n\n org.parent\n parent-pom\n 1.1.1\n\n my-app\n \n http://www.example.com\n\n pom\n\n \n org.grandparent\n grandparent-pom\n 1.1.1\n ./grandparent\n \n\n \n 1.1.1\n \n\n \n \n org.example\n ddd\n 1.2.3\n \n \n\n \n \n \n org.example\n aaa\n ${aaa.version}\n \n \n \n\n\n" }, { "path": "internal/resolution/manifest/testdata/npm-workspaces/package.json", "content": "{\n \"name\": \"npm-workspace-test\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"workspaces\": [\n \"z\",\n \"ws/*\"\n ],\n \"devDependencies\": {\n \"jquery\": \"^3.7.1\",\n \"jquery-real\": \"npm:jquery@^3.7.1\"\n },\n \"dependencies\": {\n \"@workspace/ugh\": \"*\"\n }\n}\n" }, { "path": "internal/resolution/manifest/testdata/npm-workspaces/ws/jquery/package.json", "content": "{\n \"name\": \"jquery\",\n \"version\": \"3.7.1\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"semver\": \"^7.6.0\"\n }\n}\n" }, { "path": "internal/resolution/manifest/testdata/npm-workspaces/ws/ugh/package.json", "content": "{\n \"name\": \"@workspace/ugh\",\n \"version\": \"0.0.1\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"devDependencies\": {\n \"jquery\": \"*\",\n \"semver\": \"^6.3.1\"\n },\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\"\n}\n" }, { "path": "internal/resolution/manifest/testdata/npm-workspaces/z/package.json", "content": "{\n \"name\": \"z-z-z\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"@workspace/ugh\": \"*\",\n \"semver\": \"^5.7.2\"\n }\n}\n" }, { "path": "internal/resolution/manifest/testdata/package.json", "content": "{\n \"name\": \"npm-manifest\",\n \"version\": \"1.0.0\",\n \"description\": \"\",\n \"main\": \"index.js\",\n \"scripts\": {\n \"test\": \"echo \\\"Error: no test specified\\\" && exit 1\"\n },\n \"author\": \"\",\n \"license\": \"ISC\",\n \"dependencies\": {\n \"cliui\": \"npm:@isaacs/cliui@^8.0.2\",\n \"jquery\": \"latest\",\n \"lodash\": \"4.17.17\",\n \"string-width\": \"^5.1.2\",\n \"string-width-aliased\": \"npm:string-width@^4.2.3\"\n },\n \"devDependencies\": {\n \"eslint\": \"^8.57.0\"\n },\n \"optionalDependencies\": {\n \"glob\": \"^10.3.10\"\n },\n \"peerDependencies\": {\n \"@babel/core\": \"^7.24.0\"\n }\n}\n" }, { "path": "internal/resolution/manifest/testmain_test.go", "content": "package manifest_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/resolution/resolve.go", "content": "// Package resolution provides functionality for resolving dependencies and vulnerabilities.\npackage resolution\n\nimport (\n\t\"cmp\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"deps.dev/util/resolve/maven\"\n\t\"deps.dev/util/resolve/npm\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\tmavenutil \"github.com/google/osv-scanner/v2/internal/utility/maven\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\ntype Vulnerability struct {\n\tOSV *osvschema.Vulnerability\n\tDevOnly bool\n\t// Subgraphs are the collections of nodes and edges that reach the vulnerable node.\n\t// Subgraphs all contain the root node (NodeID 0) with no incoming edges (Parents),\n\t// and the vulnerable node (NodeID DependencySubgraph.Dependency) with no outgoing edges (Children).\n\tSubgraphs []*DependencySubgraph\n}\n\nfunc (rv Vulnerability) IsDirect() bool {\n\tfor _, sg := range rv.Subgraphs {\n\t\tif sg.Nodes[0].Distance == 1 {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\ntype Result struct {\n\tManifest manifest.Manifest\n\tGraph *resolve.Graph\n\tVulns []Vulnerability\n\tUnfilteredVulns []Vulnerability\n}\n\ntype NodeError struct {\n\tNodeID resolve.NodeID\n\tError resolve.NodeError\n}\n\nfunc (res *Result) Errors() []NodeError {\n\tvar errs []NodeError\n\tfor i, n := range res.Graph.Nodes {\n\t\tfor _, err := range n.Errors {\n\t\t\terrs = append(errs, NodeError{\n\t\t\t\tNodeID: resolve.NodeID(i),\n\t\t\t\tError: err,\n\t\t\t})\n\t\t}\n\t}\n\n\treturn errs\n}\n\nfunc getResolver(sys resolve.System, cl resolve.Client) (resolve.Resolver, error) {\n\tswitch sys {\n\tcase resolve.NPM:\n\t\treturn npm.NewResolver(cl), nil\n\tcase resolve.Maven:\n\t\treturn maven.NewResolver(cl), nil\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"no resolver for ecosystem %v\", sys)\n\t}\n}\n\ntype ResolveOpts struct {\n\tMavenManagement bool // whether to include unresolved dependencyManagement dependencies in resolved graph.\n}\n\nfunc Resolve(ctx context.Context, cl client.ResolutionClient, m manifest.Manifest, opts ResolveOpts) (*Result, error) {\n\tc := client.NewOverrideClient(cl.DependencyClient)\n\tc.AddVersion(m.Root, m.Requirements)\n\tfor _, loc := range m.LocalManifests {\n\t\tc.AddVersion(loc.Root, loc.Requirements)\n\t\t// TODO: may need to do this recursively\n\t}\n\tcl.DependencyClient = c\n\tr, err := getResolver(m.System(), cl.DependencyClient)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tgraph, err := r.Resolve(ctx, m.Root.VersionKey)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tgraph, err = resolvePostProcess(ctx, cl, m, opts, graph)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif len(graph.Error) > 0 {\n\t\treturn nil, errors.New(graph.Error)\n\t}\n\n\tresult := &Result{\n\t\tManifest: m.Clone(),\n\t\tGraph: graph,\n\t}\n\n\tif err := result.computeVulns(ctx, cl); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Make a copy of the found vulns, as `Vulns` may be filtered according to specified criteria.\n\tresult.UnfilteredVulns = slices.Clone(result.Vulns)\n\n\treturn result, nil\n}\n\nfunc resolvePostProcess(ctx context.Context, cl client.ResolutionClient, m manifest.Manifest, opts ResolveOpts, graph *resolve.Graph) (*resolve.Graph, error) {\n\tif m.System() == resolve.Maven && opts.MavenManagement {\n\t\t// Add a node & edge for each dependency in dependencyManagement that doesn't already appear in the resolved graph\n\t\tmanifestSpecific, ok := m.EcosystemSpecific.(manifest.MavenManifestSpecific)\n\t\tif !ok {\n\t\t\treturn graph, errors.New(\"invalid MavenManifestSpecific data\")\n\t\t}\n\n\t\t// Search through OriginalRequirements management dependencies in this pom only (not parents).\n\t\t// TODO: Possibly refactor RequirementsForUpdates for this purpose.\n\t\tfor _, req := range manifestSpecific.OriginalRequirements {\n\t\t\tif req.Origin != mavenutil.OriginManagement {\n\t\t\t\t// TODO: also check management in activated profiles and dependencies in inactive profiles.\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// Unique identifier for this package.\n\t\t\treqKey := manifest.MakeRequirementKey(resolve.RequirementVersion{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tSystem: resolve.Maven,\n\t\t\t\t\t\tName: req.Name(),\n\t\t\t\t\t},\n\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\tVersion: string(req.Version),\n\t\t\t\t},\n\t\t\t\tType: resolve.MavenDepType(req.Dependency, req.Origin),\n\t\t\t})\n\n\t\t\t// Find the current version of the dependencyManagement dependency, after property interpolation & changes from remediation.\n\t\t\tidx := slices.IndexFunc(m.Requirements, func(rv resolve.RequirementVersion) bool {\n\t\t\t\tif origin, _ := rv.Type.GetAttr(dep.MavenDependencyOrigin); origin != mavenutil.OriginManagement {\n\t\t\t\t\treturn false\n\t\t\t\t}\n\n\t\t\t\treturn reqKey == manifest.MakeRequirementKey(rv)\n\t\t\t})\n\n\t\t\tif idx == -1 {\n\t\t\t\t// Ideally, this would be an error, but there a few known instances where this lookup fails:\n\t\t\t\t// 1. The artifact name contain a property (properties aren't substituted in OriginalRequirements, but are in Manifest.Requirements)\n\t\t\t\t// 2. Missing properties (due to e.g. un-activated profiles) cause the dependency to be invalid, and therefore excluded from Manifest.Requirements.\n\t\t\t\t// Ignore these dependencies in these cases so that we can still remediation vulns in the other packages.\n\t\t\t\t// TODO: logging\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\trv := m.Requirements[idx]\n\n\t\t\t// See if the package is already in the resolved graph.\n\t\t\t// Check the edges so we can make sure the ArtifactTypes and Classifiers match.\n\t\t\tif !slices.ContainsFunc(graph.Edges, func(e resolve.Edge) bool {\n\t\t\t\treturn reqKey == manifest.MakeRequirementKey(resolve.RequirementVersion{\n\t\t\t\t\tVersionKey: graph.Nodes[e.To].Version,\n\t\t\t\t\tType: e.Type,\n\t\t\t\t})\n\t\t\t}) {\n\t\t\t\t// Management dependency not in graph - create the node.\n\t\t\t\t// Find the version the management requirement would resolve to.\n\t\t\t\t// First assume it's a soft requirement.\n\t\t\t\tvk := rv.VersionKey\n\t\t\t\tvk.VersionType = resolve.Concrete\n\t\t\t\tif _, err := cl.Version(ctx, vk); err != nil {\n\t\t\t\t\t// Not a soft requirement - try to find a match.\n\t\t\t\t\tvk.VersionType = resolve.Requirement\n\t\t\t\t\tvks, err := cl.MatchingVersions(ctx, vk)\n\t\t\t\t\tif err != nil || len(vks) == 0 {\n\t\t\t\t\t\terr = graph.AddError(0, vk, fmt.Sprintf(\"could not find a version that satisfies requirement %s for package %s\", vk.Version, vk.Name))\n\t\t\t\t\t\tif err != nil {\n\t\t\t\t\t\t\treturn nil, err\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tvk = vks[len(vks)-1].VersionKey\n\t\t\t\t}\n\t\t\t\t// Add the node & and edge from the root.\n\t\t\t\tnID := graph.AddNode(vk)\n\t\t\t\tif err := graph.AddEdge(0, nID, rv.Version, rv.Type.Clone()); err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn graph, nil\n}\n\n// computeVulns scans for vulnerabilities in a resolved graph and populates res.Vulns\nfunc (res *Result) computeVulns(ctx context.Context, cl client.ResolutionClient) error {\n\tnodeVulns, err := cl.MatchVulnerabilities(ctx, client.GraphToInventory(res.Graph))\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// GraphToInventory/MatchVulnerabilities excludes the root node of the graph.\n\t// Prepend an element to nodeVulns so that the indices line up with graph.Nodes[i] <=> nodeVulns[i]\n\tnodeVulns = append([][]*osvschema.Vulnerability{nil}, nodeVulns...)\n\n\t// Find all dependency paths to the vulnerable dependencies\n\tvar vulnerableNodes []resolve.NodeID\n\tvulnInfo := make(map[string]*osvschema.Vulnerability)\n\tfor i, vulns := range nodeVulns {\n\t\tif len(vulns) > 0 {\n\t\t\tvulnerableNodes = append(vulnerableNodes, resolve.NodeID(i))\n\t\t}\n\t\tfor _, vuln := range vulns {\n\t\t\tvulnInfo[vuln.GetId()] = vuln\n\t\t}\n\t}\n\n\tnodeSubgraphs := ComputeSubgraphs(res.Graph, vulnerableNodes)\n\tvulnSubgraphs := make(map[string][]*DependencySubgraph)\n\tfor i, nID := range vulnerableNodes {\n\t\tfor _, vuln := range nodeVulns[nID] {\n\t\t\tvulnSubgraphs[vuln.GetId()] = append(vulnSubgraphs[vuln.GetId()], nodeSubgraphs[i])\n\t\t}\n\t}\n\n\t// construct the resolution.Vulnerability\n\t// TODO: This constructs a single resolution.Vulnerability per vulnerability ID.\n\t// The scan action treats vulns with the same ID but affecting different versions of a package as distinct.\n\t// TODO: Combine aliased IDs\n\tfor id, vuln := range vulnInfo {\n\t\trv := Vulnerability{OSV: vuln, DevOnly: true}\n\t\trv.Subgraphs = vulnSubgraphs[id]\n\t\trv.DevOnly = !slices.ContainsFunc(rv.Subgraphs, func(ds *DependencySubgraph) bool { return !ds.IsDevOnly(res.Manifest.Groups) })\n\t\tres.Vulns = append(res.Vulns, rv)\n\t}\n\n\treturn nil\n}\n\n// FilterVulns populates Vulns with the UnfilteredVulns that satisfy matchFn\nfunc (res *Result) FilterVulns(matchFn func(Vulnerability) bool) {\n\tvar matchedVulns []Vulnerability\n\tfor _, v := range res.UnfilteredVulns {\n\t\tif matchFn(v) {\n\t\t\tmatchedVulns = append(matchedVulns, v)\n\t\t}\n\t}\n\tres.Vulns = matchedVulns\n}\n\ntype Difference struct {\n\tmanifest.Patch\n\n\tOriginal *Result\n\tNew *Result\n\tRemovedVulns []Vulnerability\n\tAddedVulns []Vulnerability\n}\n\nfunc (res *Result) CalculateDiff(other *Result) Difference {\n\tdiff := Difference{\n\t\tOriginal: res,\n\t\tNew: other,\n\t\tPatch: manifest.Patch{Manifest: &res.Manifest},\n\t}\n\t// Find the changed requirements and the versions they resolve to\n\tfor i, oldReq := range res.Manifest.Requirements { // assuming these are in the same order and none are added/removed\n\t\tnewReq := other.Manifest.Requirements[i]\n\t\tif oldReq.Version == newReq.Version {\n\t\t\tcontinue\n\t\t}\n\t\t// Find the node in the graph to find which actual version it resolved to\n\t\tvar oldResolved string\n\t\tfor _, e := range res.Graph.Edges {\n\t\t\ttoNode := res.Graph.Nodes[e.To]\n\t\t\tif e.From == 0 && toNode.Version.PackageKey == oldReq.PackageKey {\n\t\t\t\toldResolved = toNode.Version.Version\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tvar newResolved string\n\t\tfor _, e := range other.Graph.Edges {\n\t\t\ttoNode := other.Graph.Nodes[e.To]\n\t\t\tif e.From == 0 && toNode.Version.PackageKey == newReq.PackageKey {\n\t\t\t\tnewResolved = toNode.Version.Version\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tdiff.Deps = append(diff.Deps, manifest.DependencyPatch{\n\t\t\tPkg: oldReq.PackageKey,\n\t\t\tType: oldReq.Type.Clone(),\n\t\t\tOrigRequire: oldReq.Version,\n\t\t\tOrigResolved: oldResolved,\n\t\t\tNewRequire: newReq.Version,\n\t\t\tNewResolved: newResolved,\n\t\t})\n\t}\n\n\t// Compute differences in present vulnerabilities.\n\t// Currently this relies on vulnerability IDs being unique in the Vulns slice.\n\toldVulns := make(map[string]int, len(res.Vulns))\n\tfor i, v := range res.Vulns {\n\t\toldVulns[v.OSV.GetId()] = i\n\t}\n\tfor _, v := range other.Vulns {\n\t\tif _, ok := oldVulns[v.OSV.GetId()]; ok {\n\t\t\t// The vuln already existed.\n\t\t\tdelete(oldVulns, v.OSV.GetId()) // delete so we know what's been removed\n\t\t} else {\n\t\t\t// This vuln was not in the original resolution - it was newly added\n\t\t\tdiff.AddedVulns = append(diff.AddedVulns, v)\n\t\t}\n\t}\n\t// Any remaining oldVulns have been removed in the new resolution\n\tfor _, idx := range oldVulns {\n\t\tdiff.RemovedVulns = append(diff.RemovedVulns, res.Vulns[idx])\n\t}\n\n\treturn diff\n}\n\n// Compare compares ResolutionDiffs based on 'effectiveness' (best first):\n//\n// Sort order:\n// 1. (number of fixed vulns - introduced vulns) / (number of changed direct dependencies) [descending]\n// (i.e. more efficient first)\n// 2. number of fixed vulns [descending]\n// 3. number of changed direct dependencies [ascending]\n// 4. changed direct dependency name package names [ascending]\n// 5. size of changed direct dependency bump [ascending]\nfunc (a Difference) Compare(b Difference) int {\n\t// 1. (fixed - introduced) / (changes) [desc]\n\t// Multiply out to avoid float casts\n\taRatio := (len(a.RemovedVulns) - len(a.AddedVulns)) * (len(b.Deps))\n\tbRatio := (len(b.RemovedVulns) - len(b.AddedVulns)) * (len(a.Deps))\n\tif c := cmp.Compare(aRatio, bRatio); c != 0 {\n\t\treturn -c\n\t}\n\n\t// 2. number of fixed vulns [desc]\n\tif c := cmp.Compare(len(a.RemovedVulns), len(b.RemovedVulns)); c != 0 {\n\t\treturn -c\n\t}\n\n\t// 3. number of changed deps [asc]\n\tif c := cmp.Compare(len(a.Deps), len(b.Deps)); c != 0 {\n\t\treturn c\n\t}\n\n\t// 4. changed names [asc]\n\tfor i, aDep := range a.Deps {\n\t\tbDep := b.Deps[i]\n\t\tif c := aDep.Pkg.Compare(bDep.Pkg); c != 0 {\n\t\t\treturn c\n\t\t}\n\t}\n\n\t// 5. dependency bump amount [asc]\n\tfor i, aDep := range a.Deps {\n\t\tbDep := b.Deps[i]\n\t\tsv := aDep.Pkg.Semver()\n\t\tif c := sv.Compare(aDep.NewResolved, bDep.NewResolved); c != 0 {\n\t\t\treturn c\n\t\t}\n\t}\n\n\treturn 0\n}\n" }, { "path": "internal/resolution/resolve_test.go", "content": "package resolution_test\n\nimport (\n\t\"cmp\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/clienttest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc checkResult(t *testing.T, result *resolution.Result) {\n\tt.Helper()\n\tsnap := testutility.NewSnapshot()\n\tsnap.MatchText(t, result.Graph.String())\n\n\ttype minimalVuln struct {\n\t\tID string\n\t\tDevOnly bool\n\t\tSubgraphs []*resolution.DependencySubgraph\n\t}\n\n\tminVulns := make([]minimalVuln, len(result.Vulns))\n\tfor i, v := range result.Vulns {\n\t\tminVulns[i] = minimalVuln{\n\t\t\tID: v.OSV.GetId(),\n\t\t\tDevOnly: v.DevOnly,\n\t\t\tSubgraphs: v.Subgraphs,\n\t\t}\n\t}\n\tslices.SortFunc(minVulns, func(a, b minimalVuln) int {\n\t\treturn cmp.Compare(a.ID, b.ID)\n\t})\n\tsnap.MatchJSON(t, minVulns)\n}\n\nfunc TestResolve(t *testing.T) {\n\tt.Parallel()\n\n\taliasType := func(knownAs string) dep.Type {\n\t\tt.Helper()\n\t\ttyp := dep.NewType()\n\t\ttyp.AddAttr(dep.KnownAs, knownAs)\n\n\t\treturn typ\n\t}\n\n\ttype requirement struct {\n\t\tname string\n\t\tversion string\n\t\ttyp dep.Type\n\t\tgroups []string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tversion string\n\t\tsystem resolve.System\n\t\tuniverse string\n\t\tvulns string\n\t\trequirements []requirement\n\t\topts resolution.ResolveOpts\n\t}{\n\t\t{\n\t\t\tname: \"simple\", // simple root -> dependency -> vuln\n\t\t\tversion: \"1.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t\tgroups: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"direct\", // vulnerability in direct dependency\n\t\t\tversion: \"1.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"bad\",\n\t\t\t\t\tversion: \"^2.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"duplicates\", // same package with vulns included multiple times\n\t\t\tversion: \"1.1.1\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"bad\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t\ttyp: aliasType(\"bad-aliased\"),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^2.0.0\",\n\t\t\t\t\tgroups: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t\ttyp: aliasType(\"dependency-v1\"),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"different-pkgs\", // same vuln in two different packages\n\t\t\tversion: \"3.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"bad2\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"existing\", // manifest package/version exists in universe already\n\t\t\tversion: \"1.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^2.0.0\",\n\t\t\t\t\ttyp: dep.NewType(dep.Opt),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"non-problem\", // non-problem chains\n\t\t\tversion: \"1.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/basic-universe.yaml\",\n\t\t\tvulns: \"./testdata/basic-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"bad\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dependency\",\n\t\t\t\t\tversion: \"^3.0.0\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"diamond\", // diamond dependency on vulnerable pkg\n\t\t\tversion: \"1.0.0\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/diamond-universe.yaml\",\n\t\t\tvulns: \"./testdata/diamond-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"pkg\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dep-one\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t\tgroups: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"complex\", // more complex graph/vulnerability structure\n\t\t\tversion: \"9.9.9\",\n\t\t\tsystem: resolve.NPM,\n\t\t\tuniverse: \"./testdata/complex-universe.yaml\",\n\t\t\tvulns: \"./testdata/complex-vulns.json\",\n\t\t\trequirements: []requirement{\n\t\t\t\t{\n\t\t\t\t\tname: \"alice\",\n\t\t\t\t\tversion: \"^1.0.0\",\n\t\t\t\t\ttyp: aliasType(\"chuck\"),\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"bob\",\n\t\t\t\t\tversion: \"2.2.2\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tname: \"dave\",\n\t\t\t\t\tversion: \"~3.3.3\",\n\t\t\t\t\tgroups: []string{\"dev\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tcl := clienttest.NewMockResolutionClient(t, tt.universe, tt.vulns)\n\t\t\tvar m manifest.Manifest\n\t\t\tm.Root = resolve.Version{\n\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\tName: tt.name,\n\t\t\t\t\t\tSystem: tt.system,\n\t\t\t\t\t},\n\t\t\t\t\tVersion: tt.version,\n\t\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t\t},\n\t\t\t}\n\t\t\tm.Groups = make(map[manifest.RequirementKey][]string)\n\t\t\tm.Requirements = make([]resolve.RequirementVersion, len(tt.requirements))\n\t\t\tfor i, req := range tt.requirements {\n\t\t\t\tm.Requirements[i] = resolve.RequirementVersion{\n\t\t\t\t\tVersionKey: resolve.VersionKey{\n\t\t\t\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\t\t\t\tName: req.name,\n\t\t\t\t\t\t\tSystem: tt.system,\n\t\t\t\t\t\t},\n\t\t\t\t\t\tVersion: req.version,\n\t\t\t\t\t\tVersionType: resolve.Requirement,\n\t\t\t\t\t},\n\t\t\t\t\tType: req.typ,\n\t\t\t\t}\n\t\t\t\tm.Groups[manifest.MakeRequirementKey(m.Requirements[i])] = req.groups\n\t\t\t}\n\n\t\t\tres, err := resolution.Resolve(t.Context(), cl, m, tt.opts)\n\t\t\tif err != nil {\n\t\t\t\tt.Fatalf(\"error resolving: %v\", err)\n\t\t\t}\n\t\t\tcheckResult(t, res)\n\t\t})\n\t}\n}\n" }, { "path": "internal/resolution/testdata/basic-universe.yaml", "content": "system: npm\nschema: |\n dependency\n 0.0.1\n 1.0.0 \n bad@^1.0.0\n 2.0.0\n bad@^2.0.0\n 3.0.0\n bad@*\n bad\n 1.0.0\n 1.1.1\n 2.0.0\n 2.2.2\n bad2\n 1.0.0\n existing\n 1.0.0\n bad@^1.0.0\n bad2@^1.0.0\n dependency@^0.0.1\n" }, { "path": "internal/resolution/testdata/basic-vulns.json", "content": "{\n \"vulns\": [\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"bad\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"OSV-000-000\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"bad\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"bad2\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"OSV-000-001\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"dependency\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"OSV-000-002\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"existing\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"OSV-000-003\"\n }\n ]\n}\n" }, { "path": "internal/resolution/testdata/complex-universe.yaml", "content": "system: npm\nschema: |\n alice\n 1.0.0\n 1.0.1\n bob@^2.0.0\n bob\n 2.0.0\n 2.0.1\n 2.2.2\n chuck\n 2.0.0\n bob@^2.0.1\n dave\n 3.3.3\n bob@^2.2.2\n KnownAs duck|chuck@^2.0.0\n" }, { "path": "internal/resolution/testdata/complex-vulns.json", "content": "{\n \"vulns\": [\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"alice\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.1\"\n },\n {\n \"fixed\": \"2.0.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"CMPLX-0000-0000\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"bob\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"CMPLX-1000-0000\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"chuck\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.0.1\"\n },\n {\n \"introduced\": \"2.0.0\"\n },\n {\n \"fixed\": \"3.0.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"CMPLX-2000-0000\"\n },\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"dave\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"3.3.2\"\n },\n {\n \"introduced\": \"3.3.4\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"CMPLX-3000-0000\"\n }\n ]\n}\n" }, { "path": "internal/resolution/testdata/diamond-universe.yaml", "content": "system: npm\nschema: |\n pkg\n 1.0.0\n bad@^1.0.0\n dep-one\n 1.0.0\n bad@^1.0.0\n dep-two@^1.0.0\n dep-two\n 1.0.0\n bad@^1.0.0\n bad\n 1.0.0\n 1.1.1\n" }, { "path": "internal/resolution/testdata/diamond-vulns.json", "content": "{\n \"vulns\": [\n {\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"npm\",\n \"name\": \"bad\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"2.0.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"id\": \"DIA-000-000\"\n }\n ]\n}\n" }, { "path": "internal/resolution/testmain_test.go", "content": "package resolution_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/resolution/util/depsdev.go", "content": "// Package util provides utility functions for dependency resolution.\npackage util\n\nimport (\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\n// OSVEcosystem maps resolve.System constants to osvschema.Ecosystem constants\n//\n// TODO: use osvschema.Ecosystem or imodel's osvecosystem.Parsed\nvar OSVEcosystem = map[resolve.System]osvconstants.Ecosystem{\n\tresolve.NPM: osvconstants.EcosystemNPM,\n\tresolve.Maven: osvconstants.EcosystemMaven,\n}\n\nvar PURLType = map[resolve.System]string{\n\tresolve.NPM: purl.TypeNPM,\n\tresolve.Maven: purl.TypeMaven,\n}\n\nfunc VKToPackageInfo(vk resolve.VersionKey) *extractor.Package {\n\treturn &extractor.Package{\n\t\tName: vk.Name,\n\t\tVersion: vk.Version,\n\t\tPURLType: PURLType[vk.System],\n\t}\n}\n" }, { "path": "internal/scalibrenricher/govulncheck/source/govulncheck.go", "content": "// Copyright 2025 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n// Package source provides an enricher that uses govulncheck to scan Go source code.\npackage source\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"slices\"\n\n\t\"github.com/google/osv-scalibr/enricher\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/inventory/vex\"\n\t\"github.com/google/osv-scalibr/log\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"golang.org/x/vuln/scan\"\n)\n\nconst (\n\t// Name is the unique name of this enricher.\n\tName = \"enricher/reachability/govulncheck/source\"\n)\n\n// Enricher is an enricher that runs govulncheck on Go source code.\ntype Enricher struct{}\n\n// Name returns the name of the enricher.\nfunc (e *Enricher) Name() string {\n\treturn Name\n}\n\n// Version returns the version of the enricher.\nfunc (e *Enricher) Version() int {\n\treturn 0\n}\n\n// Requirements returns the requirements of the enricher.\nfunc (e *Enricher) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{\n\t\tNetwork: plugin.NetworkOnline,\n\t\tDirectFS: true,\n\t}\n}\n\n// RequiredPlugins returns the names of the plugins required by this enricher.\nfunc (e *Enricher) RequiredPlugins() []string {\n\treturn []string{gomod.Name}\n}\n\nfunc NewEnricher() Enricher {\n\treturn Enricher{}\n}\n\n// Enrich runs govulncheck on the Go modules in the inventory.\nfunc (e *Enricher) Enrich(ctx context.Context, input *enricher.ScanInput, inv *inventory.Inventory) error {\n\tcmd := exec.CommandContext(ctx, \"go\", \"version\")\n\t_, err := cmd.Output()\n\tif err != nil {\n\t\tlog.Infof(\"Skipping call analysis on Go code since Go is not installed.\")\n\t\treturn nil //nolint:nilerr\n\t}\n\n\tgoModVersions := make(map[string]string)\n\tfor _, pkg := range inv.Packages {\n\t\tif !slices.Contains(pkg.Plugins, gomod.Name) {\n\t\t\tcontinue\n\t\t}\n\t\tif pkg.Name == \"stdlib\" {\n\t\t\tloc := pkg.Location.PathOrEmpty()\n\n\t\t\tif loc == \"\" || goModVersions[loc] != \"\" {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// Set GOVERSION to the Go version in go.mod.\n\t\t\tgoModVersions[loc] = pkg.Version\n\t\t}\n\t}\n\n\tfor goModLocation, goVersion := range goModVersions {\n\t\tmodDir := filepath.Dir(goModLocation)\n\t\tabsModDir := filepath.Join(input.ScanRoot.Path, modDir)\n\t\tfindings, err := e.runGovulncheck(ctx, absModDir, goVersion)\n\t\tif err != nil {\n\t\t\tlog.Errorf(\"govulncheck on %s: %v\", modDir, err)\n\t\t\tcontinue\n\t\t}\n\n\t\tif len(findings) == 0 {\n\t\t\tcontinue\n\t\t}\n\n\t\te.addSignals(inv, findings)\n\t}\n\n\treturn nil\n}\n\nfunc (e *Enricher) addSignals(inv *inventory.Inventory, idToFindings map[string][]*Finding) {\n\tfor _, pv := range inv.PackageVulns {\n\t\tfindings, exist := idToFindings[pv.Vulnerability.GetId()]\n\t\t// Skip if no findings for this package vulnerability ID\n\t\tif !exist {\n\t\t\tcontinue\n\t\t}\n\n\t\tisReachable := false\n\t\tfor _, f := range findings {\n\t\t\tif len(f.Trace) > 0 && f.Trace[0].Function != \"\" {\n\t\t\t\tisReachable = true\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\n\t\tif !isReachable {\n\t\t\tpv.ExploitabilitySignals = append(pv.ExploitabilitySignals, &vex.FindingExploitabilitySignal{\n\t\t\t\tPlugin: Name,\n\t\t\t\tJustification: vex.VulnerableCodeNotInExecutePath,\n\t\t\t})\n\t\t}\n\t}\n}\n\nfunc (e *Enricher) runGovulncheck(ctx context.Context, absModDir string, goVersion string) (map[string][]*Finding, error) {\n\tcmd := scan.Command(ctx, \"-C\", absModDir, \"-json\", \"./...\")\n\tvar b bytes.Buffer\n\tcmd.Stdout = &b\n\tcmd.Env = append(os.Environ(), \"GOVERSION=go\"+goVersion)\n\tif err := cmd.Start(); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := cmd.Wait(); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Group the output of govulncheck based on the OSV ID.\n\th := &osvHandler{\n\t\tidToFindings: map[string][]*Finding{},\n\t}\n\tif err := handleJSON(bytes.NewReader(b.Bytes()), h); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn h.idToFindings, nil\n}\n\ntype osvHandler struct {\n\tidToFindings map[string][]*Finding\n}\n\nfunc (h *osvHandler) Finding(f *Finding) {\n\th.idToFindings[f.OSV] = append(h.idToFindings[f.OSV], f)\n}\n\nfunc handleJSON(from io.Reader, to *osvHandler) error {\n\tdec := json.NewDecoder(from)\n\tfor dec.More() {\n\t\tmsg := Message{}\n\t\tif err := dec.Decode(&msg); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif msg.Finding != nil {\n\t\t\tto.Finding(msg.Finding)\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// New returns a new govulncheck source enricher.\nfunc New() enricher.Enricher {\n\treturn &Enricher{}\n}\n" }, { "path": "internal/scalibrenricher/govulncheck/source/govulncheck_test.go", "content": "// Copyright 2025 Google LLC\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//\thttp://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\npackage source\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scalibr/enricher\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod\"\n\tscalibrfs \"github.com/google/osv-scalibr/fs\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/inventory/vex\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nconst testdata = \"./testdata\"\nconst reachableVulnID = \"GO-2023-1558\"\nconst unreachableVulnID = \"GO-2021-0053\"\n\nfunc TestEnricher(t *testing.T) {\n\tt.Parallel()\n\tpkgs := setupPackages()\n\tvulns := setupPackageVulns()\n\tinput := enricher.ScanInput{\n\t\tScanRoot: &scalibrfs.ScanRoot{\n\t\t\tPath: testdata,\n\t\t\tFS: scalibrfs.DirFS(\".\"),\n\t\t},\n\t}\n\n\tinv := inventory.Inventory{\n\t\tPackages: pkgs,\n\t\tPackageVulns: vulns,\n\t}\n\n\tenr := NewEnricher()\n\terr := enr.Enrich(t.Context(), &input, &inv)\n\n\tif err != nil {\n\t\tt.Fatalf(\"govulncheck enrich failed: %s\", err)\n\t}\n\n\tfor _, vuln := range inv.PackageVulns {\n\t\tswitch vuln.Vulnerability.GetId() {\n\t\tcase reachableVulnID:\n\t\t\tif len(vuln.ExploitabilitySignals) != 0 {\n\t\t\t\tt.Fatalf(\"govulncheck enrich failed, expected %s to be reachable, but marked as unreachable\", reachableVulnID)\n\t\t\t}\n\t\tcase unreachableVulnID:\n\t\t\tif len(vuln.ExploitabilitySignals) == 0 || vuln.ExploitabilitySignals[0].Justification != vex.VulnerableCodeNotInExecutePath {\n\t\t\t\tt.Fatalf(\"govulncheck enrich failed, expected %s to be unreachable, but marked as reachable\", unreachableVulnID)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc setupPackages() []*extractor.Package {\n\treturn []*extractor.Package{\n\t\t{\n\t\t\tName: \"stdlib\",\n\t\t\tVersion: \"1.19\",\n\t\t\tPURLType: purl.TypeGolang,\n\t\t\tLocation: extractor.LocationFromPath(filepath.Join(\".\", \"go.mod\")),\n\t\t\tPlugins: []string{gomod.Name},\n\t\t},\n\t\t{\n\t\t\tName: \"github.com/gogo/protobuf\",\n\t\t\tVersion: \"1.3.1\",\n\t\t\tPURLType: purl.TypeGolang,\n\t\t\tLocation: extractor.LocationFromPath(filepath.Join(\".\", \"go.mod\")),\n\t\t\tPlugins: []string{gomod.Name},\n\t\t},\n\t\t{\n\t\t\tName: \"github.com/ipfs/go-bitfield\",\n\t\t\tVersion: \"1.0.0\",\n\t\t\tPURLType: purl.TypeGolang,\n\t\t\tLocation: extractor.LocationFromPath(filepath.Join(\".\", \"go.mod\")),\n\t\t\tPlugins: []string{gomod.Name},\n\t\t},\n\t\t{\n\t\t\tName: \"golang.org/x/image\",\n\t\t\tVersion: \"0.4.0\",\n\t\t\tPURLType: purl.TypeGolang,\n\t\t\tLocation: extractor.LocationFromPath(filepath.Join(\".\", \"go.mod\")),\n\t\t\tPlugins: []string{gomod.Name},\n\t\t},\n\t}\n}\n\nfunc setupPackageVulns() []*inventory.PackageVuln {\n\treturn []*inventory.PackageVuln{\n\t\t{\n\t\t\tVulnerability: &osvschema.Vulnerability{\n\t\t\t\tId: reachableVulnID,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tVulnerability: &osvschema.Vulnerability{\n\t\t\t\tId: unreachableVulnID,\n\t\t\t},\n\t\t},\n\t}\n}\n" }, { "path": "internal/scalibrenricher/govulncheck/source/result.go", "content": "// Copied from\n// https://github.com/golang/vuln/blob/267a472bf377fa105988693c2a597d2b8de36ad8/internal/govulncheck/result.go\n// and modified.\n\npackage source\n\n// Message is an entry in the output stream. It will always have exactly one\n// field filled in.\ntype Message struct {\n\tFinding *Finding `json:\"finding,omitempty\"`\n\n\t// The Config, Progress, and OSV fields from the JSON output are removed, since they\n\t// are not used.\n}\n\n// Finding represents a single finding.\ntype Finding struct {\n\t// OSV is the id of the detected vulnerability.\n\tOSV string `json:\"osv,omitempty\"`\n\n\t// FixedVersion is the module version where the vulnerability was\n\t// fixed. This is empty if a fix is not available.\n\t//\n\t// If there are multiple fixed versions in the OSV report, this will\n\t// be the fixed version in the latest range event for the OSV report.\n\t//\n\t// For example, if the range events are\n\t// {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version\n\t// will be empty.\n\t//\n\t// For the stdlib, we will show the fixed version closest to the\n\t// Go version that is used. For example, if a fix is available in 1.17.5 and\n\t// 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the\n\t// fixed version.\n\tFixedVersion string `json:\"fixed_version,omitempty\"`\n\n\t// Trace contains an entry for each frame in the trace.\n\t//\n\t// Frames are sorted starting from the imported vulnerable symbol\n\t// until the entry point. The first frame in Frames should match\n\t// Symbol.\n\t//\n\t// In binary mode, trace will contain a single-frame with no position\n\t// information.\n\t//\n\t// When a package is imported but no vulnerable symbol is called, the trace\n\t// will contain a single-frame with no symbol or position information.\n\tTrace []*Frame `json:\"trace,omitempty\"`\n}\n\n// Frame represents an entry in a finding trace.\ntype Frame struct {\n\t// Module is the module path of the module containing this symbol.\n\t//\n\t// Importable packages in the standard library will have the path \"stdlib\".\n\tModule string `json:\"module\"`\n\n\t// Version is the module version from the build graph.\n\tVersion string `json:\"version,omitempty\"`\n\n\t// Package is the import path.\n\tPackage string `json:\"package,omitempty\"`\n\n\t// Function is the function name.\n\tFunction string `json:\"function,omitempty\"`\n\n\t// Receiver is the receiver type if the called symbol is a method.\n\t//\n\t// The client can create the final symbol name by\n\t// prepending Receiver to FuncName.\n\tReceiver string `json:\"receiver,omitempty\"`\n\n\t// Position describes an arbitrary source position\n\t// including the file, line, and column location.\n\t// A Position is valid if the line number is > 0.\n\tPosition *Position `json:\"position,omitempty\"`\n}\n\n// Position is a copy of token.Position used to marshal/unmarshal\n// JSON correctly.\ntype Position struct {\n\tFilename string `json:\"filename,omitempty\"` // filename, if any\n\tOffset int `json:\"offset\"` // offset, starting at 0\n\tLine int `json:\"line\"` // line number, starting at 1\n\tColumn int `json:\"column\"` // column number, starting at 1 (byte count)\n}\n" }, { "path": "internal/scalibrenricher/govulncheck/source/testdata/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n\nrequire github.com/gogo/protobuf v1.3.1\n\nrequire github.com/ipfs/go-bitfield v1.0.0\n\nrequire golang.org/x/image v0.4.0 // indirect\n" }, { "path": "internal/scalibrenricher/govulncheck/source/testdata/go.sum", "content": "github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=\ngithub.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=\ngithub.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=\ngithub.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=\ngithub.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=\ngolang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\n" }, { "path": "internal/scalibrenricher/govulncheck/source/testdata/main.go", "content": "package main\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\n\t\"github.com/gogo/protobuf/plugin/unmarshal\"\n\t\"github.com/gogo/protobuf/version\"\n\t\"github.com/ipfs/go-bitfield\"\n)\n\nfunc main() {\n\tprint(version.AtLeast(\"v1.2.3\"))\n\tunmarshal.NewUnmarshal()\n\n\tbitfield.NewBitfield(14)\n\n\t// Test stdlib\n\terr := http.ListenAndServe(\":8080\", nil)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n}\n" }, { "path": "internal/scalibrenricher/govulncheck/source/testdata/osv-scanner.toml", "content": "[[PackageOverrides]]\nname = \"stdlib\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"golang.org/x/image\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"github.com/ipfs/go-bitfield\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"github.com/gogo/protobuf\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/.gitignore", "content": "*.diff\n*.patch\n*.orig\n*.rej\n\n*~\n*.a\n*.lo\n*.o\n*.dylib\n\n*.gcda\n*.gcno\n*.gcov\n\n/example\n/example64\n/examplesh\n/libz.so*\n/minigzip\n/minigzip64\n/minigzipsh\n/zlib.pc\n/configure.log\n\n.DS_Store\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/CMakeLists.txt", "content": "cmake_minimum_required(VERSION 2.4.4...3.15.0)\nset(CMAKE_ALLOW_LOOSE_LOOP_CONSTRUCTS ON)\n\nproject(zlib C)\n\nset(VERSION \"1.3\")\n\nset(INSTALL_BIN_DIR \"${CMAKE_INSTALL_PREFIX}/bin\" CACHE PATH \"Installation directory for executables\")\nset(INSTALL_LIB_DIR \"${CMAKE_INSTALL_PREFIX}/lib\" CACHE PATH \"Installation directory for libraries\")\nset(INSTALL_INC_DIR \"${CMAKE_INSTALL_PREFIX}/include\" CACHE PATH \"Installation directory for headers\")\nset(INSTALL_MAN_DIR \"${CMAKE_INSTALL_PREFIX}/share/man\" CACHE PATH \"Installation directory for manual pages\")\nset(INSTALL_PKGCONFIG_DIR \"${CMAKE_INSTALL_PREFIX}/share/pkgconfig\" CACHE PATH \"Installation directory for pkgconfig (.pc) files\")\n\ninclude(CheckTypeSize)\ninclude(CheckFunctionExists)\ninclude(CheckIncludeFile)\ninclude(CheckCSourceCompiles)\nenable_testing()\n\ncheck_include_file(sys/types.h HAVE_SYS_TYPES_H)\ncheck_include_file(stdint.h HAVE_STDINT_H)\ncheck_include_file(stddef.h HAVE_STDDEF_H)\n\n#\n# Check to see if we have large file support\n#\nset(CMAKE_REQUIRED_DEFINITIONS -D_LARGEFILE64_SOURCE=1)\n# We add these other definitions here because CheckTypeSize.cmake\n# in CMake 2.4.x does not automatically do so and we want\n# compatibility with CMake 2.4.x.\nif(HAVE_SYS_TYPES_H)\n list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_SYS_TYPES_H)\nendif()\nif(HAVE_STDINT_H)\n list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_STDINT_H)\nendif()\nif(HAVE_STDDEF_H)\n list(APPEND CMAKE_REQUIRED_DEFINITIONS -DHAVE_STDDEF_H)\nendif()\ncheck_type_size(off64_t OFF64_T)\nif(HAVE_OFF64_T)\n add_definitions(-D_LARGEFILE64_SOURCE=1)\nendif()\nset(CMAKE_REQUIRED_DEFINITIONS) # clear variable\n\n#\n# Check for fseeko\n#\ncheck_function_exists(fseeko HAVE_FSEEKO)\nif(NOT HAVE_FSEEKO)\n add_definitions(-DNO_FSEEKO)\nendif()\n\n#\n# Check for unistd.h\n#\ncheck_include_file(unistd.h Z_HAVE_UNISTD_H)\n\nif(MSVC)\n set(CMAKE_DEBUG_POSTFIX \"d\")\n add_definitions(-D_CRT_SECURE_NO_DEPRECATE)\n add_definitions(-D_CRT_NONSTDC_NO_DEPRECATE)\n include_directories(${CMAKE_CURRENT_SOURCE_DIR})\nendif()\n\nif(NOT CMAKE_CURRENT_SOURCE_DIR STREQUAL CMAKE_CURRENT_BINARY_DIR)\n # If we're doing an out of source build and the user has a zconf.h\n # in their source tree...\n if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h)\n message(STATUS \"Renaming\")\n message(STATUS \" ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h\")\n message(STATUS \"to 'zconf.h.included' because this file is included with zlib\")\n message(STATUS \"but CMake generates it automatically in the build directory.\")\n file(RENAME ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h ${CMAKE_CURRENT_SOURCE_DIR}/zconf.h.included)\n endif()\nendif()\n\nset(ZLIB_PC ${CMAKE_CURRENT_BINARY_DIR}/zlib.pc)\nconfigure_file( ${CMAKE_CURRENT_SOURCE_DIR}/zlib.pc.cmakein\n\t\t${ZLIB_PC} @ONLY)\nconfigure_file(\t${CMAKE_CURRENT_SOURCE_DIR}/zconf.h.cmakein\n\t\t${CMAKE_CURRENT_BINARY_DIR}/zconf.h @ONLY)\ninclude_directories(${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_SOURCE_DIR})\n\n\n#============================================================================\n# zlib\n#============================================================================\n\nset(ZLIB_PUBLIC_HDRS\n ${CMAKE_CURRENT_BINARY_DIR}/zconf.h\n zlib.h\n)\nset(ZLIB_PRIVATE_HDRS\n crc32.h\n deflate.h\n gzguts.h\n inffast.h\n inffixed.h\n inflate.h\n inftrees.h\n trees.h\n zutil.h\n)\nset(ZLIB_SRCS\n adler32.c\n compress.c\n crc32.c\n deflate.c\n gzclose.c\n gzlib.c\n gzread.c\n gzwrite.c\n inflate.c\n infback.c\n inftrees.c\n inffast.c\n trees.c\n uncompr.c\n zutil.c\n)\n\nif(NOT MINGW)\n set(ZLIB_DLL_SRCS\n win32/zlib1.rc # If present will override custom build rule below.\n )\nendif()\n\n# parse the full version number from zlib.h and include in ZLIB_FULL_VERSION\nfile(READ ${CMAKE_CURRENT_SOURCE_DIR}/zlib.h _zlib_h_contents)\nstring(REGEX REPLACE \".*#define[ \\t]+ZLIB_VERSION[ \\t]+\\\"([-0-9A-Za-z.]+)\\\".*\"\n \"\\\\1\" ZLIB_FULL_VERSION ${_zlib_h_contents})\n\nif(MINGW)\n # This gets us DLL resource information when compiling on MinGW.\n if(NOT CMAKE_RC_COMPILER)\n set(CMAKE_RC_COMPILER windres.exe)\n endif()\n\n add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj\n COMMAND ${CMAKE_RC_COMPILER}\n -D GCC_WINDRES\n -I ${CMAKE_CURRENT_SOURCE_DIR}\n -I ${CMAKE_CURRENT_BINARY_DIR}\n -o ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj\n -i ${CMAKE_CURRENT_SOURCE_DIR}/win32/zlib1.rc)\n set(ZLIB_DLL_SRCS ${CMAKE_CURRENT_BINARY_DIR}/zlib1rc.obj)\nendif(MINGW)\n\nadd_library(zlib SHARED ${ZLIB_SRCS} ${ZLIB_DLL_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS})\nadd_library(zlibstatic STATIC ${ZLIB_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS})\nset_target_properties(zlib PROPERTIES DEFINE_SYMBOL ZLIB_DLL)\nset_target_properties(zlib PROPERTIES SOVERSION 1)\n\nif(NOT CYGWIN)\n # This property causes shared libraries on Linux to have the full version\n # encoded into their final filename. We disable this on Cygwin because\n # it causes cygz-${ZLIB_FULL_VERSION}.dll to be created when cygz.dll\n # seems to be the default.\n #\n # This has no effect with MSVC, on that platform the version info for\n # the DLL comes from the resource file win32/zlib1.rc\n set_target_properties(zlib PROPERTIES VERSION ${ZLIB_FULL_VERSION})\nendif()\n\nif(UNIX)\n # On unix-like platforms the library is almost always called libz\n set_target_properties(zlib zlibstatic PROPERTIES OUTPUT_NAME z)\n if(NOT APPLE)\n set_target_properties(zlib PROPERTIES LINK_FLAGS \"-Wl,--version-script,\\\"${CMAKE_CURRENT_SOURCE_DIR}/zlib.map\\\"\")\n endif()\nelseif(BUILD_SHARED_LIBS AND WIN32)\n # Creates zlib1.dll when building shared library version\n set_target_properties(zlib PROPERTIES SUFFIX \"1.dll\")\nendif()\n\nif(NOT SKIP_INSTALL_LIBRARIES AND NOT SKIP_INSTALL_ALL )\n install(TARGETS zlib zlibstatic\n RUNTIME DESTINATION \"${INSTALL_BIN_DIR}\"\n ARCHIVE DESTINATION \"${INSTALL_LIB_DIR}\"\n LIBRARY DESTINATION \"${INSTALL_LIB_DIR}\" )\nendif()\nif(NOT SKIP_INSTALL_HEADERS AND NOT SKIP_INSTALL_ALL )\n install(FILES ${ZLIB_PUBLIC_HDRS} DESTINATION \"${INSTALL_INC_DIR}\")\nendif()\nif(NOT SKIP_INSTALL_FILES AND NOT SKIP_INSTALL_ALL )\n install(FILES zlib.3 DESTINATION \"${INSTALL_MAN_DIR}/man3\")\nendif()\nif(NOT SKIP_INSTALL_FILES AND NOT SKIP_INSTALL_ALL )\n install(FILES ${ZLIB_PC} DESTINATION \"${INSTALL_PKGCONFIG_DIR}\")\nendif()\n\n#============================================================================\n# Example binaries\n#============================================================================\n\nadd_executable(example test/example.c)\ntarget_link_libraries(example zlib)\nadd_test(example example)\n\nadd_executable(minigzip test/minigzip.c)\ntarget_link_libraries(minigzip zlib)\n\nif(HAVE_OFF64_T)\n add_executable(example64 test/example.c)\n target_link_libraries(example64 zlib)\n set_target_properties(example64 PROPERTIES COMPILE_FLAGS \"-D_FILE_OFFSET_BITS=64\")\n add_test(example64 example64)\n\n add_executable(minigzip64 test/minigzip.c)\n target_link_libraries(minigzip64 zlib)\n set_target_properties(minigzip64 PROPERTIES COMPILE_FLAGS \"-D_FILE_OFFSET_BITS=64\")\nendif()\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/ChangeLog", "content": "\n ChangeLog file for zlib\n\nChanges in 1.3 (18 Aug 2023)\n- Remove K&R function definitions and zlib2ansi\n- Fix bug in deflateBound() for level 0 and memLevel 9\n- Fix bug when gzungetc() is used immediately after gzopen()\n- Fix bug when using gzflush() with a very small buffer\n- Fix crash when gzsetparams() attempted for transparent write\n- Fix test/example.c to work with FORCE_STORED\n- Rewrite of zran in examples (see zran.c version history)\n- Fix minizip to allow it to open an empty zip file\n- Fix reading disk number start on zip64 files in minizip\n- Fix logic error in minizip argument processing\n- Add minizip testing to Makefile\n- Read multiple bytes instead of byte-by-byte in minizip unzip.c\n- Add memory sanitizer to configure (--memory)\n- Various portability improvements\n- Various documentation improvements\n- Various spelling and typo corrections\n\nChanges in 1.2.13 (13 Oct 2022)\n- Fix configure issue that discarded provided CC definition\n- Correct incorrect inputs provided to the CRC functions\n- Repair prototypes and exporting of new CRC functions\n- Fix inflateBack to detect invalid input with distances too far\n- Have infback() deliver all of the available output up to any error\n- Fix a bug when getting a gzip header extra field with inflate()\n- Fix bug in block type selection when Z_FIXED used\n- Tighten deflateBound bounds\n- Remove deleted assembler code references\n- Various portability and appearance improvements\n\nChanges in 1.2.12 (27 Mar 2022)\n- Cygwin does not have _wopen(), so do not create gzopen_w() there\n- Permit a deflateParams() parameter change as soon as possible\n- Limit hash table inserts after switch from stored deflate\n- Fix bug when window full in deflate_stored()\n- Fix CLEAR_HASH macro to be usable as a single statement\n- Avoid a conversion error in gzseek when off_t type too small\n- Have Makefile return non-zero error code on test failure\n- Avoid some conversion warnings in gzread.c and gzwrite.c\n- Update use of errno for newer Windows CE versions\n- Small speedup to inflate [psumbera]\n- Return an error if the gzputs string length can't fit in an int\n- Add address checking in clang to -w option of configure\n- Don't compute check value for raw inflate if asked to validate\n- Handle case where inflateSync used when header never processed\n- Avoid the use of ptrdiff_t\n- Avoid an undefined behavior of memcpy() in gzappend()\n- Avoid undefined behaviors of memcpy() in gz*printf()\n- Avoid an undefined behavior of memcpy() in _tr_stored_block()\n- Make the names in functions declarations identical to definitions\n- Remove old assembler code in which bugs have manifested\n- Fix deflateEnd() to not report an error at start of raw deflate\n- Add legal disclaimer to README\n- Emphasize the need to continue decompressing gzip members\n- Correct the initialization requirements for deflateInit2()\n- Fix a bug that can crash deflate on some input when using Z_FIXED\n- Assure that the number of bits for deflatePrime() is valid\n- Use a structure to make globals in enough.c evident\n- Use a macro for the printf format of big_t in enough.c\n- Clean up code style in enough.c, update version\n- Use inline function instead of macro for index in enough.c\n- Clarify that prefix codes are counted in enough.c\n- Show all the codes for the maximum tables size in enough.c\n- Add gznorm.c example, which normalizes gzip files\n- Fix the zran.c example to work on a multiple-member gzip file\n- Add tables for crc32_combine(), to speed it up by a factor of 200\n- Add crc32_combine_gen() and crc32_combine_op() for fast combines\n- Speed up software CRC-32 computation by a factor of 1.5 to 3\n- Use atomic test and set, if available, for dynamic CRC tables\n- Don't bother computing check value after successful inflateSync()\n- Correct comment in crc32.c\n- Add use of the ARMv8 crc32 instructions when requested\n- Use ARM crc32 instructions if the ARM architecture has them\n- Explicitly note that the 32-bit check values are 32 bits\n- Avoid adding empty gzip member after gzflush with Z_FINISH\n- Fix memory leak on error in gzlog.c\n- Fix error in comment on the polynomial representation of a byte\n- Clarify gz* function interfaces, referring to parameter names\n- Change macro name in inflate.c to avoid collision in VxWorks\n- Correct typo in blast.c\n- Improve portability of contrib/minizip\n- Fix indentation in minizip's zip.c\n- Replace black/white with allow/block. (theresa-m)\n- minizip warning fix if MAXU32 already defined. (gvollant)\n- Fix unztell64() in minizip to work past 4GB. (DaniÃĢl HÃļrchner)\n- Clean up minizip to reduce warnings for testing\n- Add fallthrough comments for gcc\n- Eliminate use of ULL constants\n- Separate out address sanitizing from warnings in configure\n- Remove destructive aspects of make distclean\n- Check for cc masquerading as gcc or clang in configure\n- Fix crc32.c to compile local functions only if used\n\nChanges in 1.2.11 (15 Jan 2017)\n- Fix deflate stored bug when pulling last block from window\n- Permit immediate deflateParams changes before any deflate input\n\nChanges in 1.2.10 (2 Jan 2017)\n- Avoid warnings on snprintf() return value\n- Fix bug in deflate_stored() for zero-length input\n- Fix bug in gzwrite.c that produced corrupt gzip files\n- Remove files to be installed before copying them in Makefile.in\n- Add warnings when compiling with assembler code\n\nChanges in 1.2.9 (31 Dec 2016)\n- Fix contrib/minizip to permit unzipping with desktop API [Zouzou]\n- Improve contrib/blast to return unused bytes\n- Assure that gzoffset() is correct when appending\n- Improve compress() and uncompress() to support large lengths\n- Fix bug in test/example.c where error code not saved\n- Remedy Coverity warning [Randers-Pehrson]\n- Improve speed of gzprintf() in transparent mode\n- Fix inflateInit2() bug when windowBits is 16 or 32\n- Change DEBUG macro to ZLIB_DEBUG\n- Avoid uninitialized access by gzclose_w()\n- Allow building zlib outside of the source directory\n- Fix bug that accepted invalid zlib header when windowBits is zero\n- Fix gzseek() problem on MinGW due to buggy _lseeki64 there\n- Loop on write() calls in gzwrite.c in case of non-blocking I/O\n- Add --warn (-w) option to ./configure for more compiler warnings\n- Reject a window size of 256 bytes if not using the zlib wrapper\n- Fix bug when level 0 used with Z_HUFFMAN or Z_RLE\n- Add --debug (-d) option to ./configure to define ZLIB_DEBUG\n- Fix bugs in creating a very large gzip header\n- Add uncompress2() function, which returns the input size used\n- Assure that deflateParams() will not switch functions mid-block\n- Dramatically speed up deflation for level 0 (storing)\n- Add gzfread(), duplicating the interface of fread()\n- Add gzfwrite(), duplicating the interface of fwrite()\n- Add deflateGetDictionary() function\n- Use snprintf() for later versions of Microsoft C\n- Fix *Init macros to use z_ prefix when requested\n- Replace as400 with os400 for OS/400 support [Monnerat]\n- Add crc32_z() and adler32_z() functions with size_t lengths\n- Update Visual Studio project files [AraHaan]\n\nChanges in 1.2.8 (28 Apr 2013)\n- Update contrib/minizip/iowin32.c for Windows RT [Vollant]\n- Do not force Z_CONST for C++\n- Clean up contrib/vstudio [Roß]\n- Correct spelling error in zlib.h\n- Fix mixed line endings in contrib/vstudio\n\nChanges in 1.2.7.3 (13 Apr 2013)\n- Fix version numbers and DLL names in contrib/vstudio/*/zlib.rc\n\nChanges in 1.2.7.2 (13 Apr 2013)\n- Change check for a four-byte type back to hexadecimal\n- Fix typo in win32/Makefile.msc\n- Add casts in gzwrite.c for pointer differences\n\nChanges in 1.2.7.1 (24 Mar 2013)\n- Replace use of unsafe string functions with snprintf if available\n- Avoid including stddef.h on Windows for Z_SOLO compile [Niessink]\n- Fix gzgetc undefine when Z_PREFIX set [Turk]\n- Eliminate use of mktemp in Makefile (not always available)\n- Fix bug in 'F' mode for gzopen()\n- Add inflateGetDictionary() function\n- Correct comment in deflate.h\n- Use _snprintf for snprintf in Microsoft C\n- On Darwin, only use /usr/bin/libtool if libtool is not Apple\n- Delete \"--version\" file if created by \"ar --version\" [Richard G.]\n- Fix configure check for veracity of compiler error return codes\n- Fix CMake compilation of static lib for MSVC2010 x64\n- Remove unused variable in infback9.c\n- Fix argument checks in gzlog_compress() and gzlog_write()\n- Clean up the usage of z_const and respect const usage within zlib\n- Clean up examples/gzlog.[ch] comparisons of different types\n- Avoid shift equal to bits in type (caused endless loop)\n- Fix uninitialized value bug in gzputc() introduced by const patches\n- Fix memory allocation error in examples/zran.c [Nor]\n- Fix bug where gzopen(), gzclose() would write an empty file\n- Fix bug in gzclose() when gzwrite() runs out of memory\n- Check for input buffer malloc failure in examples/gzappend.c\n- Add note to contrib/blast to use binary mode in stdio\n- Fix comparisons of differently signed integers in contrib/blast\n- Check for invalid code length codes in contrib/puff\n- Fix serious but very rare decompression bug in inftrees.c\n- Update inflateBack() comments, since inflate() can be faster\n- Use underscored I/O function names for WINAPI_FAMILY\n- Add _tr_flush_bits to the external symbols prefixed by --zprefix\n- Add contrib/vstudio/vc10 pre-build step for static only\n- Quote --version-script argument in CMakeLists.txt\n- Don't specify --version-script on Apple platforms in CMakeLists.txt\n- Fix casting error in contrib/testzlib/testzlib.c\n- Fix types in contrib/minizip to match result of get_crc_table()\n- Simplify contrib/vstudio/vc10 with 'd' suffix\n- Add TOP support to win32/Makefile.msc\n- Support i686 and amd64 assembler builds in CMakeLists.txt\n- Fix typos in the use of _LARGEFILE64_SOURCE in zconf.h\n- Add vc11 and vc12 build files to contrib/vstudio\n- Add gzvprintf() as an undocumented function in zlib\n- Fix configure for Sun shell\n- Remove runtime check in configure for four-byte integer type\n- Add casts and consts to ease user conversion to C++\n- Add man pages for minizip and miniunzip\n- In Makefile uninstall, don't rm if preceding cd fails\n- Do not return Z_BUF_ERROR if deflateParam() has nothing to write\n\nChanges in 1.2.7 (2 May 2012)\n- Replace use of memmove() with a simple copy for portability\n- Test for existence of strerror\n- Restore gzgetc_ for backward compatibility with 1.2.6\n- Fix build with non-GNU make on Solaris\n- Require gcc 4.0 or later on Mac OS X to use the hidden attribute\n- Include unistd.h for Watcom C\n- Use __WATCOMC__ instead of __WATCOM__\n- Do not use the visibility attribute if NO_VIZ defined\n- Improve the detection of no hidden visibility attribute\n- Avoid using __int64 for gcc or solo compilation\n- Cast to char * in gzprintf to avoid warnings [Zinser]\n- Fix make_vms.com for VAX [Zinser]\n- Don't use library or built-in byte swaps\n- Simplify test and use of gcc hidden attribute\n- Fix bug in gzclose_w() when gzwrite() fails to allocate memory\n- Add \"x\" (O_EXCL) and \"e\" (O_CLOEXEC) modes support to gzopen()\n- Fix bug in test/minigzip.c for configure --solo\n- Fix contrib/vstudio project link errors [Mohanathas]\n- Add ability to choose the builder in make_vms.com [Schweda]\n- Add DESTDIR support to mingw32 win32/Makefile.gcc\n- Fix comments in win32/Makefile.gcc for proper usage\n- Allow overriding the default install locations for cmake\n- Generate and install the pkg-config file with cmake\n- Build both a static and a shared version of zlib with cmake\n- Include version symbols for cmake builds\n- If using cmake with MSVC, add the source directory to the includes\n- Remove unneeded EXTRA_CFLAGS from win32/Makefile.gcc [Truta]\n- Move obsolete emx makefile to old [Truta]\n- Allow the use of -Wundef when compiling or using zlib\n- Avoid the use of the -u option with mktemp\n- Improve inflate() documentation on the use of Z_FINISH\n- Recognize clang as gcc\n- Add gzopen_w() in Windows for wide character path names\n- Rename zconf.h in CMakeLists.txt to move it out of the way\n- Add source directory in CMakeLists.txt for building examples\n- Look in build directory for zlib.pc in CMakeLists.txt\n- Remove gzflags from zlibvc.def in vc9 and vc10\n- Fix contrib/minizip compilation in the MinGW environment\n- Update ./configure for Solaris, support --64 [Mooney]\n- Remove -R. from Solaris shared build (possible security issue)\n- Avoid race condition for parallel make (-j) running example\n- Fix type mismatch between get_crc_table() and crc_table\n- Fix parsing of version with \"-\" in CMakeLists.txt [Snider, Ziegler]\n- Fix the path to zlib.map in CMakeLists.txt\n- Force the native libtool in Mac OS X to avoid GNU libtool [Beebe]\n- Add instructions to win32/Makefile.gcc for shared install [Torri]\n\nChanges in 1.2.6.1 (12 Feb 2012)\n- Avoid the use of the Objective-C reserved name \"id\"\n- Include io.h in gzguts.h for Microsoft compilers\n- Fix problem with ./configure --prefix and gzgetc macro\n- Include gz_header definition when compiling zlib solo\n- Put gzflags() functionality back in zutil.c\n- Avoid library header include in crc32.c for Z_SOLO\n- Use name in GCC_CLASSIC as C compiler for coverage testing, if set\n- Minor cleanup in contrib/minizip/zip.c [Vollant]\n- Update make_vms.com [Zinser]\n- Remove unnecessary gzgetc_ function\n- Use optimized byte swap operations for Microsoft and GNU [Snyder]\n- Fix minor typo in zlib.h comments [Rzesniowiecki]\n\nChanges in 1.2.6 (29 Jan 2012)\n- Update the Pascal interface in contrib/pascal\n- Fix function numbers for gzgetc_ in zlibvc.def files\n- Fix configure.ac for contrib/minizip [Schiffer]\n- Fix large-entry detection in minizip on 64-bit systems [Schiffer]\n- Have ./configure use the compiler return code for error indication\n- Fix CMakeLists.txt for cross compilation [McClure]\n- Fix contrib/minizip/zip.c for 64-bit architectures [Dalsnes]\n- Fix compilation of contrib/minizip on FreeBSD [Marquez]\n- Correct suggested usages in win32/Makefile.msc [Shachar, Horvath]\n- Include io.h for Turbo C / Borland C on all platforms [Truta]\n- Make version explicit in contrib/minizip/configure.ac [Bosmans]\n- Avoid warning for no encryption in contrib/minizip/zip.c [Vollant]\n- Minor cleanup up contrib/minizip/unzip.c [Vollant]\n- Fix bug when compiling minizip with C++ [Vollant]\n- Protect for long name and extra fields in contrib/minizip [Vollant]\n- Avoid some warnings in contrib/minizip [Vollant]\n- Add -I../.. -L../.. to CFLAGS for minizip and miniunzip\n- Add missing libs to minizip linker command\n- Add support for VPATH builds in contrib/minizip\n- Add an --enable-demos option to contrib/minizip/configure\n- Add the generation of configure.log by ./configure\n- Exit when required parameters not provided to win32/Makefile.gcc\n- Have gzputc return the character written instead of the argument\n- Use the -m option on ldconfig for BSD systems [Tobias]\n- Correct in zlib.map when deflateResetKeep was added\n\nChanges in 1.2.5.3 (15 Jan 2012)\n- Restore gzgetc function for binary compatibility\n- Do not use _lseeki64 under Borland C++ [Truta]\n- Update win32/Makefile.msc to build test/*.c [Truta]\n- Remove old/visualc6 given CMakefile and other alternatives\n- Update AS400 build files and documentation [Monnerat]\n- Update win32/Makefile.gcc to build test/*.c [Truta]\n- Permit stronger flushes after Z_BLOCK flushes\n- Avoid extraneous empty blocks when doing empty flushes\n- Permit Z_NULL arguments to deflatePending\n- Allow deflatePrime() to insert bits in the middle of a stream\n- Remove second empty static block for Z_PARTIAL_FLUSH\n- Write out all of the available bits when using Z_BLOCK\n- Insert the first two strings in the hash table after a flush\n\nChanges in 1.2.5.2 (17 Dec 2011)\n- fix ld error: unable to find version dependency 'ZLIB_1.2.5'\n- use relative symlinks for shared libs\n- Avoid searching past window for Z_RLE strategy\n- Assure that high-water mark initialization is always applied in deflate\n- Add assertions to fill_window() in deflate.c to match comments\n- Update python link in README\n- Correct spelling error in gzread.c\n- Fix bug in gzgets() for a concatenated empty gzip stream\n- Correct error in comment for gz_make()\n- Change gzread() and related to ignore junk after gzip streams\n- Allow gzread() and related to continue after gzclearerr()\n- Allow gzrewind() and gzseek() after a premature end-of-file\n- Simplify gzseek() now that raw after gzip is ignored\n- Change gzgetc() to a macro for speed (~40% speedup in testing)\n- Fix gzclose() to return the actual error last encountered\n- Always add large file support for windows\n- Include zconf.h for windows large file support\n- Include zconf.h.cmakein for windows large file support\n- Update zconf.h.cmakein on make distclean\n- Merge vestigial vsnprintf determination from zutil.h to gzguts.h\n- Clarify how gzopen() appends in zlib.h comments\n- Correct documentation of gzdirect() since junk at end now ignored\n- Add a transparent write mode to gzopen() when 'T' is in the mode\n- Update python link in zlib man page\n- Get inffixed.h and MAKEFIXED result to match\n- Add a ./config --solo option to make zlib subset with no library use\n- Add undocumented inflateResetKeep() function for CAB file decoding\n- Add --cover option to ./configure for gcc coverage testing\n- Add #define ZLIB_CONST option to use const in the z_stream interface\n- Add comment to gzdopen() in zlib.h to use dup() when using fileno()\n- Note behavior of uncompress() to provide as much data as it can\n- Add files in contrib/minizip to aid in building libminizip\n- Split off AR options in Makefile.in and configure\n- Change ON macro to Z_ARG to avoid application conflicts\n- Facilitate compilation with Borland C++ for pragmas and vsnprintf\n- Include io.h for Turbo C / Borland C++\n- Move example.c and minigzip.c to test/\n- Simplify incomplete code table filling in inflate_table()\n- Remove code from inflate.c and infback.c that is impossible to execute\n- Test the inflate code with full coverage\n- Allow deflateSetDictionary, inflateSetDictionary at any time (in raw)\n- Add deflateResetKeep and fix inflateResetKeep to retain dictionary\n- Fix gzwrite.c to accommodate reduced memory zlib compilation\n- Have inflate() with Z_FINISH avoid the allocation of a window\n- Do not set strm->adler when doing raw inflate\n- Fix gzeof() to behave just like feof() when read is not past end of file\n- Fix bug in gzread.c when end-of-file is reached\n- Avoid use of Z_BUF_ERROR in gz* functions except for premature EOF\n- Document gzread() capability to read concurrently written files\n- Remove hard-coding of resource compiler in CMakeLists.txt [Blammo]\n\nChanges in 1.2.5.1 (10 Sep 2011)\n- Update FAQ entry on shared builds (#13)\n- Avoid symbolic argument to chmod in Makefile.in\n- Fix bug and add consts in contrib/puff [Oberhumer]\n- Update contrib/puff/zeros.raw test file to have all block types\n- Add full coverage test for puff in contrib/puff/Makefile\n- Fix static-only-build install in Makefile.in\n- Fix bug in unzGetCurrentFileInfo() in contrib/minizip [Kuno]\n- Add libz.a dependency to shared in Makefile.in for parallel builds\n- Spell out \"number\" (instead of \"nb\") in zlib.h for total_in, total_out\n- Replace $(...) with `...` in configure for non-bash sh [Bowler]\n- Add darwin* to Darwin* and solaris* to SunOS\\ 5* in configure [Groffen]\n- Add solaris* to Linux* in configure to allow gcc use [Groffen]\n- Add *bsd* to Linux* case in configure [Bar-Lev]\n- Add inffast.obj to dependencies in win32/Makefile.msc\n- Correct spelling error in deflate.h [Kohler]\n- Change libzdll.a again to libz.dll.a (!) in win32/Makefile.gcc\n- Add test to configure for GNU C looking for gcc in output of $cc -v\n- Add zlib.pc generation to win32/Makefile.gcc [Weigelt]\n- Fix bug in zlib.h for _FILE_OFFSET_BITS set and _LARGEFILE64_SOURCE not\n- Add comment in zlib.h that adler32_combine with len2 < 0 makes no sense\n- Make NO_DIVIDE option in adler32.c much faster (thanks to John Reiser)\n- Make stronger test in zconf.h to include unistd.h for LFS\n- Apply Darwin patches for 64-bit file offsets to contrib/minizip [Slack]\n- Fix zlib.h LFS support when Z_PREFIX used\n- Add updated as400 support (removed from old) [Monnerat]\n- Avoid deflate sensitivity to volatile input data\n- Avoid division in adler32_combine for NO_DIVIDE\n- Clarify the use of Z_FINISH with deflateBound() amount of space\n- Set binary for output file in puff.c\n- Use u4 type for crc_table to avoid conversion warnings\n- Apply casts in zlib.h to avoid conversion warnings\n- Add OF to prototypes for adler32_combine_ and crc32_combine_ [Miller]\n- Improve inflateSync() documentation to note indeterminacy\n- Add deflatePending() function to return the amount of pending output\n- Correct the spelling of \"specification\" in FAQ [Randers-Pehrson]\n- Add a check in configure for stdarg.h, use for gzprintf()\n- Check that pointers fit in ints when gzprint() compiled old style\n- Add dummy name before $(SHAREDLIBV) in Makefile [Bar-Lev, Bowler]\n- Delete line in configure that adds -L. libz.a to LDFLAGS [Weigelt]\n- Add debug records in assembler code [Londer]\n- Update RFC references to use http://tools.ietf.org/html/... [Li]\n- Add --archs option, use of libtool to configure for Mac OS X [Borstel]\n\nChanges in 1.2.5 (19 Apr 2010)\n- Disable visibility attribute in win32/Makefile.gcc [Bar-Lev]\n- Default to libdir as sharedlibdir in configure [Nieder]\n- Update copyright dates on modified source files\n- Update trees.c to be able to generate modified trees.h\n- Exit configure for MinGW, suggesting win32/Makefile.gcc\n- Check for NULL path in gz_open [Homurlu]\n\nChanges in 1.2.4.5 (18 Apr 2010)\n- Set sharedlibdir in configure [Torok]\n- Set LDFLAGS in Makefile.in [Bar-Lev]\n- Avoid mkdir objs race condition in Makefile.in [Bowler]\n- Add ZLIB_INTERNAL in front of internal inter-module functions and arrays\n- Define ZLIB_INTERNAL to hide internal functions and arrays for GNU C\n- Don't use hidden attribute when it is a warning generator (e.g. Solaris)\n\nChanges in 1.2.4.4 (18 Apr 2010)\n- Fix CROSS_PREFIX executable testing, CHOST extract, mingw* [Torok]\n- Undefine _LARGEFILE64_SOURCE in zconf.h if it is zero, but not if empty\n- Try to use bash or ksh regardless of functionality of /bin/sh\n- Fix configure incompatibility with NetBSD sh\n- Remove attempt to run under bash or ksh since have better NetBSD fix\n- Fix win32/Makefile.gcc for MinGW [Bar-Lev]\n- Add diagnostic messages when using CROSS_PREFIX in configure\n- Added --sharedlibdir option to configure [Weigelt]\n- Use hidden visibility attribute when available [Frysinger]\n\nChanges in 1.2.4.3 (10 Apr 2010)\n- Only use CROSS_PREFIX in configure for ar and ranlib if they exist\n- Use CROSS_PREFIX for nm [Bar-Lev]\n- Assume _LARGEFILE64_SOURCE defined is equivalent to true\n- Avoid use of undefined symbols in #if with && and ||\n- Make *64 prototypes in gzguts.h consistent with functions\n- Add -shared load option for MinGW in configure [Bowler]\n- Move z_off64_t to public interface, use instead of off64_t\n- Remove ! from shell test in configure (not portable to Solaris)\n- Change +0 macro tests to -0 for possibly increased portability\n\nChanges in 1.2.4.2 (9 Apr 2010)\n- Add consistent carriage returns to readme.txt's in masmx86 and masmx64\n- Really provide prototypes for *64 functions when building without LFS\n- Only define unlink() in minigzip.c if unistd.h not included\n- Update README to point to contrib/vstudio project files\n- Move projects/vc6 to old/ and remove projects/\n- Include stdlib.h in minigzip.c for setmode() definition under WinCE\n- Clean up assembler builds in win32/Makefile.msc [Rowe]\n- Include sys/types.h for Microsoft for off_t definition\n- Fix memory leak on error in gz_open()\n- Symbolize nm as $NM in configure [Weigelt]\n- Use TEST_LDSHARED instead of LDSHARED to link test programs [Weigelt]\n- Add +0 to _FILE_OFFSET_BITS and _LFS64_LARGEFILE in case not defined\n- Fix bug in gzeof() to take into account unused input data\n- Avoid initialization of structures with variables in puff.c\n- Updated win32/README-WIN32.txt [Rowe]\n\nChanges in 1.2.4.1 (28 Mar 2010)\n- Remove the use of [a-z] constructs for sed in configure [gentoo 310225]\n- Remove $(SHAREDLIB) from LIBS in Makefile.in [Creech]\n- Restore \"for debugging\" comment on sprintf() in gzlib.c\n- Remove fdopen for MVS from gzguts.h\n- Put new README-WIN32.txt in win32 [Rowe]\n- Add check for shell to configure and invoke another shell if needed\n- Fix big fat stinking bug in gzseek() on uncompressed files\n- Remove vestigial F_OPEN64 define in zutil.h\n- Set and check the value of _LARGEFILE_SOURCE and _LARGEFILE64_SOURCE\n- Avoid errors on non-LFS systems when applications define LFS macros\n- Set EXE to \".exe\" in configure for MINGW [Kahle]\n- Match crc32() in crc32.c exactly to the prototype in zlib.h [Sherrill]\n- Add prefix for cross-compilation in win32/makefile.gcc [Bar-Lev]\n- Add DLL install in win32/makefile.gcc [Bar-Lev]\n- Allow Linux* or linux* from uname in configure [Bar-Lev]\n- Allow ldconfig to be redefined in configure and Makefile.in [Bar-Lev]\n- Add cross-compilation prefixes to configure [Bar-Lev]\n- Match type exactly in gz_load() invocation in gzread.c\n- Match type exactly of zcalloc() in zutil.c to zlib.h alloc_func\n- Provide prototypes for *64 functions when building zlib without LFS\n- Don't use -lc when linking shared library on MinGW\n- Remove errno.h check in configure and vestigial errno code in zutil.h\n\nChanges in 1.2.4 (14 Mar 2010)\n- Fix VER3 extraction in configure for no fourth subversion\n- Update zlib.3, add docs to Makefile.in to make .pdf out of it\n- Add zlib.3.pdf to distribution\n- Don't set error code in gzerror() if passed pointer is NULL\n- Apply destination directory fixes to CMakeLists.txt [Lowman]\n- Move #cmakedefine's to a new zconf.in.cmakein\n- Restore zconf.h for builds that don't use configure or cmake\n- Add distclean to dummy Makefile for convenience\n- Update and improve INDEX, README, and FAQ\n- Update CMakeLists.txt for the return of zconf.h [Lowman]\n- Update contrib/vstudio/vc9 and vc10 [Vollant]\n- Change libz.dll.a back to libzdll.a in win32/Makefile.gcc\n- Apply license and readme changes to contrib/asm686 [Raiter]\n- Check file name lengths and add -c option in minigzip.c [Li]\n- Update contrib/amd64 and contrib/masmx86/ [Vollant]\n- Avoid use of \"eof\" parameter in trees.c to not shadow library variable\n- Update make_vms.com for removal of zlibdefs.h [Zinser]\n- Update assembler code and vstudio projects in contrib [Vollant]\n- Remove outdated assembler code contrib/masm686 and contrib/asm586\n- Remove old vc7 and vc8 from contrib/vstudio\n- Update win32/Makefile.msc, add ZLIB_VER_SUBREVISION [Rowe]\n- Fix memory leaks in gzclose_r() and gzclose_w(), file leak in gz_open()\n- Add contrib/gcc_gvmat64 for longest_match and inflate_fast [Vollant]\n- Remove *64 functions from win32/zlib.def (they're not 64-bit yet)\n- Fix bug in void-returning vsprintf() case in gzwrite.c\n- Fix name change from inflate.h in contrib/inflate86/inffas86.c\n- Check if temporary file exists before removing in make_vms.com [Zinser]\n- Fix make install and uninstall for --static option\n- Fix usage of _MSC_VER in gzguts.h and zutil.h [Truta]\n- Update readme.txt in contrib/masmx64 and masmx86 to assemble\n\nChanges in 1.2.3.9 (21 Feb 2010)\n- Expunge gzio.c\n- Move as400 build information to old\n- Fix updates in contrib/minizip and contrib/vstudio\n- Add const to vsnprintf test in configure to avoid warnings [Weigelt]\n- Delete zconf.h (made by configure) [Weigelt]\n- Change zconf.in.h to zconf.h.in per convention [Weigelt]\n- Check for NULL buf in gzgets()\n- Return empty string for gzgets() with len == 1 (like fgets())\n- Fix description of gzgets() in zlib.h for end-of-file, NULL return\n- Update minizip to 1.1 [Vollant]\n- Avoid MSVC loss of data warnings in gzread.c, gzwrite.c\n- Note in zlib.h that gzerror() should be used to distinguish from EOF\n- Remove use of snprintf() from gzlib.c\n- Fix bug in gzseek()\n- Update contrib/vstudio, adding vc9 and vc10 [Kuno, Vollant]\n- Fix zconf.h generation in CMakeLists.txt [Lowman]\n- Improve comments in zconf.h where modified by configure\n\nChanges in 1.2.3.8 (13 Feb 2010)\n- Clean up text files (tabs, trailing whitespace, etc.) [Oberhumer]\n- Use z_off64_t in gz_zero() and gz_skip() to match state->skip\n- Avoid comparison problem when sizeof(int) == sizeof(z_off64_t)\n- Revert to Makefile.in from 1.2.3.6 (live with the clutter)\n- Fix missing error return in gzflush(), add zlib.h note\n- Add *64 functions to zlib.map [Levin]\n- Fix signed/unsigned comparison in gz_comp()\n- Use SFLAGS when testing shared linking in configure\n- Add --64 option to ./configure to use -m64 with gcc\n- Fix ./configure --help to correctly name options\n- Have make fail if a test fails [Levin]\n- Avoid buffer overrun in contrib/masmx64/gvmat64.asm [Simpson]\n- Remove assembler object files from contrib\n\nChanges in 1.2.3.7 (24 Jan 2010)\n- Always gzopen() with O_LARGEFILE if available\n- Fix gzdirect() to work immediately after gzopen() or gzdopen()\n- Make gzdirect() more precise when the state changes while reading\n- Improve zlib.h documentation in many places\n- Catch memory allocation failure in gz_open()\n- Complete close operation if seek forward in gzclose_w() fails\n- Return Z_ERRNO from gzclose_r() if close() fails\n- Return Z_STREAM_ERROR instead of EOF for gzclose() being passed NULL\n- Return zero for gzwrite() errors to match zlib.h description\n- Return -1 on gzputs() error to match zlib.h description\n- Add zconf.in.h to allow recovery from configure modification [Weigelt]\n- Fix static library permissions in Makefile.in [Weigelt]\n- Avoid warnings in configure tests that hide functionality [Weigelt]\n- Add *BSD and DragonFly to Linux case in configure [gentoo 123571]\n- Change libzdll.a to libz.dll.a in win32/Makefile.gcc [gentoo 288212]\n- Avoid access of uninitialized data for first inflateReset2 call [Gomes]\n- Keep object files in subdirectories to reduce the clutter somewhat\n- Remove default Makefile and zlibdefs.h, add dummy Makefile\n- Add new external functions to Z_PREFIX, remove duplicates, z_z_ -> z_\n- Remove zlibdefs.h completely -- modify zconf.h instead\n\nChanges in 1.2.3.6 (17 Jan 2010)\n- Avoid void * arithmetic in gzread.c and gzwrite.c\n- Make compilers happier with const char * for gz_error message\n- Avoid unused parameter warning in inflate.c\n- Avoid signed-unsigned comparison warning in inflate.c\n- Indent #pragma's for traditional C\n- Fix usage of strwinerror() in glib.c, change to gz_strwinerror()\n- Correct email address in configure for system options\n- Update make_vms.com and add make_vms.com to contrib/minizip [Zinser]\n- Update zlib.map [Brown]\n- Fix Makefile.in for Solaris 10 make of example64 and minizip64 [Torok]\n- Apply various fixes to CMakeLists.txt [Lowman]\n- Add checks on len in gzread() and gzwrite()\n- Add error message for no more room for gzungetc()\n- Remove zlib version check in gzwrite()\n- Defer compression of gzprintf() result until need to\n- Use snprintf() in gzdopen() if available\n- Remove USE_MMAP configuration determination (only used by minigzip)\n- Remove examples/pigz.c (available separately)\n- Update examples/gun.c to 1.6\n\nChanges in 1.2.3.5 (8 Jan 2010)\n- Add space after #if in zutil.h for some compilers\n- Fix relatively harmless bug in deflate_fast() [Exarevsky]\n- Fix same problem in deflate_slow()\n- Add $(SHAREDLIBV) to LIBS in Makefile.in [Brown]\n- Add deflate_rle() for faster Z_RLE strategy run-length encoding\n- Add deflate_huff() for faster Z_HUFFMAN_ONLY encoding\n- Change name of \"write\" variable in inffast.c to avoid library collisions\n- Fix premature EOF from gzread() in gzio.c [Brown]\n- Use zlib header window size if windowBits is 0 in inflateInit2()\n- Remove compressBound() call in deflate.c to avoid linking compress.o\n- Replace use of errno in gz* with functions, support WinCE [Alves]\n- Provide alternative to perror() in minigzip.c for WinCE [Alves]\n- Don't use _vsnprintf on later versions of MSVC [Lowman]\n- Add CMake build script and input file [Lowman]\n- Update contrib/minizip to 1.1 [Svensson, Vollant]\n- Moved nintendods directory from contrib to root\n- Replace gzio.c with a new set of routines with the same functionality\n- Add gzbuffer(), gzoffset(), gzclose_r(), gzclose_w() as part of above\n- Update contrib/minizip to 1.1b\n- Change gzeof() to return 0 on error instead of -1 to agree with zlib.h\n\nChanges in 1.2.3.4 (21 Dec 2009)\n- Use old school .SUFFIXES in Makefile.in for FreeBSD compatibility\n- Update comments in configure and Makefile.in for default --shared\n- Fix test -z's in configure [Marquess]\n- Build examplesh and minigzipsh when not testing\n- Change NULL's to Z_NULL's in deflate.c and in comments in zlib.h\n- Import LDFLAGS from the environment in configure\n- Fix configure to populate SFLAGS with discovered CFLAGS options\n- Adapt make_vms.com to the new Makefile.in [Zinser]\n- Add zlib2ansi script for C++ compilation [Marquess]\n- Add _FILE_OFFSET_BITS=64 test to make test (when applicable)\n- Add AMD64 assembler code for longest match to contrib [Teterin]\n- Include options from $SFLAGS when doing $LDSHARED\n- Simplify 64-bit file support by introducing z_off64_t type\n- Make shared object files in objs directory to work around old Sun cc\n- Use only three-part version number for Darwin shared compiles\n- Add rc option to ar in Makefile.in for when ./configure not run\n- Add -WI,-rpath,. to LDFLAGS for OSF 1 V4*\n- Set LD_LIBRARYN32_PATH for SGI IRIX shared compile\n- Protect against _FILE_OFFSET_BITS being defined when compiling zlib\n- Rename Makefile.in targets allstatic to static and allshared to shared\n- Fix static and shared Makefile.in targets to be independent\n- Correct error return bug in gz_open() by setting state [Brown]\n- Put spaces before ;;'s in configure for better sh compatibility\n- Add pigz.c (parallel implementation of gzip) to examples/\n- Correct constant in crc32.c to UL [Leventhal]\n- Reject negative lengths in crc32_combine()\n- Add inflateReset2() function to work like inflateEnd()/inflateInit2()\n- Include sys/types.h for _LARGEFILE64_SOURCE [Brown]\n- Correct typo in doc/algorithm.txt [Janik]\n- Fix bug in adler32_combine() [Zhu]\n- Catch missing-end-of-block-code error in all inflates and in puff\n Assures that random input to inflate eventually results in an error\n- Added enough.c (calculation of ENOUGH for inftrees.h) to examples/\n- Update ENOUGH and its usage to reflect discovered bounds\n- Fix gzerror() error report on empty input file [Brown]\n- Add ush casts in trees.c to avoid pedantic runtime errors\n- Fix typo in zlib.h uncompress() description [Reiss]\n- Correct inflate() comments with regard to automatic header detection\n- Remove deprecation comment on Z_PARTIAL_FLUSH (it stays)\n- Put new version of gzlog (2.0) in examples with interruption recovery\n- Add puff compile option to permit invalid distance-too-far streams\n- Add puff TEST command options, ability to read piped input\n- Prototype the *64 functions in zlib.h when _FILE_OFFSET_BITS == 64, but\n _LARGEFILE64_SOURCE not defined\n- Fix Z_FULL_FLUSH to truly erase the past by resetting s->strstart\n- Fix deflateSetDictionary() to use all 32K for output consistency\n- Remove extraneous #define MIN_LOOKAHEAD in deflate.c (in deflate.h)\n- Clear bytes after deflate lookahead to avoid use of uninitialized data\n- Change a limit in inftrees.c to be more transparent to Coverity Prevent\n- Update win32/zlib.def with exported symbols from zlib.h\n- Correct spelling errors in zlib.h [Willem, Sobrado]\n- Allow Z_BLOCK for deflate() to force a new block\n- Allow negative bits in inflatePrime() to delete existing bit buffer\n- Add Z_TREES flush option to inflate() to return at end of trees\n- Add inflateMark() to return current state information for random access\n- Add Makefile for NintendoDS to contrib [Costa]\n- Add -w in configure compile tests to avoid spurious warnings [Beucler]\n- Fix typos in zlib.h comments for deflateSetDictionary()\n- Fix EOF detection in transparent gzread() [Maier]\n\nChanges in 1.2.3.3 (2 October 2006)\n- Make --shared the default for configure, add a --static option\n- Add compile option to permit invalid distance-too-far streams\n- Add inflateUndermine() function which is required to enable above\n- Remove use of \"this\" variable name for C++ compatibility [Marquess]\n- Add testing of shared library in make test, if shared library built\n- Use ftello() and fseeko() if available instead of ftell() and fseek()\n- Provide two versions of all functions that use the z_off_t type for\n binary compatibility -- a normal version and a 64-bit offset version,\n per the Large File Support Extension when _LARGEFILE64_SOURCE is\n defined; use the 64-bit versions by default when _FILE_OFFSET_BITS\n is defined to be 64\n- Add a --uname= option to configure to perhaps help with cross-compiling\n\nChanges in 1.2.3.2 (3 September 2006)\n- Turn off silly Borland warnings [Hay]\n- Use off64_t and define _LARGEFILE64_SOURCE when present\n- Fix missing dependency on inffixed.h in Makefile.in\n- Rig configure --shared to build both shared and static [Teredesai, Truta]\n- Remove zconf.in.h and instead create a new zlibdefs.h file\n- Fix contrib/minizip/unzip.c non-encrypted after encrypted [Vollant]\n- Add treebuild.xml (see http://treebuild.metux.de/) [Weigelt]\n\nChanges in 1.2.3.1 (16 August 2006)\n- Add watcom directory with OpenWatcom make files [Daniel]\n- Remove #undef of FAR in zconf.in.h for MVS [Fedtke]\n- Update make_vms.com [Zinser]\n- Use -fPIC for shared build in configure [Teredesai, Nicholson]\n- Use only major version number for libz.so on IRIX and OSF1 [Reinholdtsen]\n- Use fdopen() (not _fdopen()) for Interix in zutil.h [Bäck]\n- Add some FAQ entries about the contrib directory\n- Update the MVS question in the FAQ\n- Avoid extraneous reads after EOF in gzio.c [Brown]\n- Correct spelling of \"successfully\" in gzio.c [Randers-Pehrson]\n- Add comments to zlib.h about gzerror() usage [Brown]\n- Set extra flags in gzip header in gzopen() like deflate() does\n- Make configure options more compatible with double-dash conventions\n [Weigelt]\n- Clean up compilation under Solaris SunStudio cc [Rowe, Reinholdtsen]\n- Fix uninstall target in Makefile.in [Truta]\n- Add pkgconfig support [Weigelt]\n- Use $(DESTDIR) macro in Makefile.in [Reinholdtsen, Weigelt]\n- Replace set_data_type() with a more accurate detect_data_type() in\n trees.c, according to the txtvsbin.txt document [Truta]\n- Swap the order of #include and #include \"zlib.h\" in\n gzio.c, example.c and minigzip.c [Truta]\n- Shut up annoying VS2005 warnings about standard C deprecation [Rowe,\n Truta] (where?)\n- Fix target \"clean\" from win32/Makefile.bor [Truta]\n- Create .pdb and .manifest files in win32/makefile.msc [Ziegler, Rowe]\n- Update zlib www home address in win32/DLL_FAQ.txt [Truta]\n- Update contrib/masmx86/inffas32.asm for VS2005 [Vollant, Van Wassenhove]\n- Enable browse info in the \"Debug\" and \"ASM Debug\" configurations in\n the Visual C++ 6 project, and set (non-ASM) \"Debug\" as default [Truta]\n- Add pkgconfig support [Weigelt]\n- Add ZLIB_VER_MAJOR, ZLIB_VER_MINOR and ZLIB_VER_REVISION in zlib.h,\n for use in win32/zlib1.rc [Polushin, Rowe, Truta]\n- Add a document that explains the new text detection scheme to\n doc/txtvsbin.txt [Truta]\n- Add rfc1950.txt, rfc1951.txt and rfc1952.txt to doc/ [Truta]\n- Move algorithm.txt into doc/ [Truta]\n- Synchronize FAQ with website\n- Fix compressBound(), was low for some pathological cases [Fearnley]\n- Take into account wrapper variations in deflateBound()\n- Set examples/zpipe.c input and output to binary mode for Windows\n- Update examples/zlib_how.html with new zpipe.c (also web site)\n- Fix some warnings in examples/gzlog.c and examples/zran.c (it seems\n that gcc became pickier in 4.0)\n- Add zlib.map for Linux: \"All symbols from zlib-1.1.4 remain\n un-versioned, the patch adds versioning only for symbols introduced in\n zlib-1.2.0 or later. It also declares as local those symbols which are\n not designed to be exported.\" [Levin]\n- Update Z_PREFIX list in zconf.in.h, add --zprefix option to configure\n- Do not initialize global static by default in trees.c, add a response\n NO_INIT_GLOBAL_POINTERS to initialize them if needed [Marquess]\n- Don't use strerror() in gzio.c under WinCE [Yakimov]\n- Don't use errno.h in zutil.h under WinCE [Yakimov]\n- Move arguments for AR to its usage to allow replacing ar [Marot]\n- Add HAVE_VISIBILITY_PRAGMA in zconf.in.h for Mozilla [Randers-Pehrson]\n- Improve inflateInit() and inflateInit2() documentation\n- Fix structure size comment in inflate.h\n- Change configure help option from --h* to --help [Santos]\n\nChanges in 1.2.3 (18 July 2005)\n- Apply security vulnerability fixes to contrib/infback9 as well\n- Clean up some text files (carriage returns, trailing space)\n- Update testzlib, vstudio, masmx64, and masmx86 in contrib [Vollant]\n\nChanges in 1.2.2.4 (11 July 2005)\n- Add inflatePrime() function for starting inflation at bit boundary\n- Avoid some Visual C warnings in deflate.c\n- Avoid more silly Visual C warnings in inflate.c and inftrees.c for 64-bit\n compile\n- Fix some spelling errors in comments [Betts]\n- Correct inflateInit2() error return documentation in zlib.h\n- Add zran.c example of compressed data random access to examples\n directory, shows use of inflatePrime()\n- Fix cast for assignments to strm->state in inflate.c and infback.c\n- Fix zlibCompileFlags() in zutil.c to use 1L for long shifts [Oberhumer]\n- Move declarations of gf2 functions to right place in crc32.c [Oberhumer]\n- Add cast in trees.c t avoid a warning [Oberhumer]\n- Avoid some warnings in fitblk.c, gun.c, gzjoin.c in examples [Oberhumer]\n- Update make_vms.com [Zinser]\n- Initialize state->write in inflateReset() since copied in inflate_fast()\n- Be more strict on incomplete code sets in inflate_table() and increase\n ENOUGH and MAXD -- this repairs a possible security vulnerability for\n invalid inflate input. Thanks to Tavis Ormandy and Markus Oberhumer for\n discovering the vulnerability and providing test cases\n- Add ia64 support to configure for HP-UX [Smith]\n- Add error return to gzread() for format or i/o error [Levin]\n- Use malloc.h for OS/2 [Necasek]\n\nChanges in 1.2.2.3 (27 May 2005)\n- Replace 1U constants in inflate.c and inftrees.c for 64-bit compile\n- Typecast fread() return values in gzio.c [Vollant]\n- Remove trailing space in minigzip.c outmode (VC++ can't deal with it)\n- Fix crc check bug in gzread() after gzungetc() [Heiner]\n- Add the deflateTune() function to adjust internal compression parameters\n- Add a fast gzip decompressor, gun.c, to examples (use of inflateBack)\n- Remove an incorrect assertion in examples/zpipe.c\n- Add C++ wrapper in infback9.h [Donais]\n- Fix bug in inflateCopy() when decoding fixed codes\n- Note in zlib.h how much deflateSetDictionary() actually uses\n- Remove USE_DICT_HEAD in deflate.c (would mess up inflate if used)\n- Add _WIN32_WCE to define WIN32 in zconf.in.h [Spencer]\n- Don't include stderr.h or errno.h for _WIN32_WCE in zutil.h [Spencer]\n- Add gzdirect() function to indicate transparent reads\n- Update contrib/minizip [Vollant]\n- Fix compilation of deflate.c when both ASMV and FASTEST [Oberhumer]\n- Add casts in crc32.c to avoid warnings [Oberhumer]\n- Add contrib/masmx64 [Vollant]\n- Update contrib/asm586, asm686, masmx86, testzlib, vstudio [Vollant]\n\nChanges in 1.2.2.2 (30 December 2004)\n- Replace structure assignments in deflate.c and inflate.c with zmemcpy to\n avoid implicit memcpy calls (portability for no-library compilation)\n- Increase sprintf() buffer size in gzdopen() to allow for large numbers\n- Add INFLATE_STRICT to check distances against zlib header\n- Improve WinCE errno handling and comments [Chang]\n- Remove comment about no gzip header processing in FAQ\n- Add Z_FIXED strategy option to deflateInit2() to force fixed trees\n- Add updated make_vms.com [Coghlan], update README\n- Create a new \"examples\" directory, move gzappend.c there, add zpipe.c,\n fitblk.c, gzlog.[ch], gzjoin.c, and zlib_how.html\n- Add FAQ entry and comments in deflate.c on uninitialized memory access\n- Add Solaris 9 make options in configure [Gilbert]\n- Allow strerror() usage in gzio.c for STDC\n- Fix DecompressBuf in contrib/delphi/ZLib.pas [ManChesTer]\n- Update contrib/masmx86/inffas32.asm and gvmat32.asm [Vollant]\n- Use z_off_t for adler32_combine() and crc32_combine() lengths\n- Make adler32() much faster for small len\n- Use OS_CODE in deflate() default gzip header\n\nChanges in 1.2.2.1 (31 October 2004)\n- Allow inflateSetDictionary() call for raw inflate\n- Fix inflate header crc check bug for file names and comments\n- Add deflateSetHeader() and gz_header structure for custom gzip headers\n- Add inflateGetheader() to retrieve gzip headers\n- Add crc32_combine() and adler32_combine() functions\n- Add alloc_func, free_func, in_func, out_func to Z_PREFIX list\n- Use zstreamp consistently in zlib.h (inflate_back functions)\n- Remove GUNZIP condition from definition of inflate_mode in inflate.h\n and in contrib/inflate86/inffast.S [Truta, Anderson]\n- Add support for AMD64 in contrib/inflate86/inffas86.c [Anderson]\n- Update projects/README.projects and projects/visualc6 [Truta]\n- Update win32/DLL_FAQ.txt [Truta]\n- Avoid warning under NO_GZCOMPRESS in gzio.c; fix typo [Truta]\n- Deprecate Z_ASCII; use Z_TEXT instead [Truta]\n- Use a new algorithm for setting strm->data_type in trees.c [Truta]\n- Do not define an exit() prototype in zutil.c unless DEBUG defined\n- Remove prototype of exit() from zutil.c, example.c, minigzip.c [Truta]\n- Add comment in zlib.h for Z_NO_FLUSH parameter to deflate()\n- Fix Darwin build version identification [Peterson]\n\nChanges in 1.2.2 (3 October 2004)\n- Update zlib.h comments on gzip in-memory processing\n- Set adler to 1 in inflateReset() to support Java test suite [Walles]\n- Add contrib/dotzlib [Ravn]\n- Update win32/DLL_FAQ.txt [Truta]\n- Update contrib/minizip [Vollant]\n- Move contrib/visual-basic.txt to old/ [Truta]\n- Fix assembler builds in projects/visualc6/ [Truta]\n\nChanges in 1.2.1.2 (9 September 2004)\n- Update INDEX file\n- Fix trees.c to update strm->data_type (no one ever noticed!)\n- Fix bug in error case in inflate.c, infback.c, and infback9.c [Brown]\n- Add \"volatile\" to crc table flag declaration (for DYNAMIC_CRC_TABLE)\n- Add limited multitasking protection to DYNAMIC_CRC_TABLE\n- Add NO_vsnprintf for VMS in zutil.h [Mozilla]\n- Don't declare strerror() under VMS [Mozilla]\n- Add comment to DYNAMIC_CRC_TABLE to use get_crc_table() to initialize\n- Update contrib/ada [Anisimkov]\n- Update contrib/minizip [Vollant]\n- Fix configure to not hardcode directories for Darwin [Peterson]\n- Fix gzio.c to not return error on empty files [Brown]\n- Fix indentation; update version in contrib/delphi/ZLib.pas and\n contrib/pascal/zlibpas.pas [Truta]\n- Update mkasm.bat in contrib/masmx86 [Truta]\n- Update contrib/untgz [Truta]\n- Add projects/README.projects [Truta]\n- Add project for MS Visual C++ 6.0 in projects/visualc6 [Cadieux, Truta]\n- Update win32/DLL_FAQ.txt [Truta]\n- Update list of Z_PREFIX symbols in zconf.h [Randers-Pehrson, Truta]\n- Remove an unnecessary assignment to curr in inftrees.c [Truta]\n- Add OS/2 to exe builds in configure [Poltorak]\n- Remove err dummy parameter in zlib.h [Kientzle]\n\nChanges in 1.2.1.1 (9 January 2004)\n- Update email address in README\n- Several FAQ updates\n- Fix a big fat bug in inftrees.c that prevented decoding valid\n dynamic blocks with only literals and no distance codes --\n Thanks to \"Hot Emu\" for the bug report and sample file\n- Add a note to puff.c on no distance codes case\n\nChanges in 1.2.1 (17 November 2003)\n- Remove a tab in contrib/gzappend/gzappend.c\n- Update some interfaces in contrib for new zlib functions\n- Update zlib version number in some contrib entries\n- Add Windows CE definition for ptrdiff_t in zutil.h [Mai, Truta]\n- Support shared libraries on Hurd and KFreeBSD [Brown]\n- Fix error in NO_DIVIDE option of adler32.c\n\nChanges in 1.2.0.8 (4 November 2003)\n- Update version in contrib/delphi/ZLib.pas and contrib/pascal/zlibpas.pas\n- Add experimental NO_DIVIDE #define in adler32.c\n - Possibly faster on some processors (let me know if it is)\n- Correct Z_BLOCK to not return on first inflate call if no wrap\n- Fix strm->data_type on inflate() return to correctly indicate EOB\n- Add deflatePrime() function for appending in the middle of a byte\n- Add contrib/gzappend for an example of appending to a stream\n- Update win32/DLL_FAQ.txt [Truta]\n- Delete Turbo C comment in README [Truta]\n- Improve some indentation in zconf.h [Truta]\n- Fix infinite loop on bad input in configure script [Church]\n- Fix gzeof() for concatenated gzip files [Johnson]\n- Add example to contrib/visual-basic.txt [Michael B.]\n- Add -p to mkdir's in Makefile.in [vda]\n- Fix configure to properly detect presence or lack of printf functions\n- Add AS400 support [Monnerat]\n- Add a little Cygwin support [Wilson]\n\nChanges in 1.2.0.7 (21 September 2003)\n- Correct some debug formats in contrib/infback9\n- Cast a type in a debug statement in trees.c\n- Change search and replace delimiter in configure from % to # [Beebe]\n- Update contrib/untgz to 0.2 with various fixes [Truta]\n- Add build support for Amiga [Nikl]\n- Remove some directories in old that have been updated to 1.2\n- Add dylib building for Mac OS X in configure and Makefile.in\n- Remove old distribution stuff from Makefile\n- Update README to point to DLL_FAQ.txt, and add comment on Mac OS X\n- Update links in README\n\nChanges in 1.2.0.6 (13 September 2003)\n- Minor FAQ updates\n- Update contrib/minizip to 1.00 [Vollant]\n- Remove test of gz functions in example.c when GZ_COMPRESS defined [Truta]\n- Update POSTINC comment for 68060 [Nikl]\n- Add contrib/infback9 with deflate64 decoding (unsupported)\n- For MVS define NO_vsnprintf and undefine FAR [van Burik]\n- Add pragma for fdopen on MVS [van Burik]\n\nChanges in 1.2.0.5 (8 September 2003)\n- Add OF to inflateBackEnd() declaration in zlib.h\n- Remember start when using gzdopen in the middle of a file\n- Use internal off_t counters in gz* functions to properly handle seeks\n- Perform more rigorous check for distance-too-far in inffast.c\n- Add Z_BLOCK flush option to return from inflate at block boundary\n- Set strm->data_type on return from inflate\n - Indicate bits unused, if at block boundary, and if in last block\n- Replace size_t with ptrdiff_t in crc32.c, and check for correct size\n- Add condition so old NO_DEFLATE define still works for compatibility\n- FAQ update regarding the Windows DLL [Truta]\n- INDEX update: add qnx entry, remove aix entry [Truta]\n- Install zlib.3 into mandir [Wilson]\n- Move contrib/zlib_dll_FAQ.txt to win32/DLL_FAQ.txt; update [Truta]\n- Adapt the zlib interface to the new DLL convention guidelines [Truta]\n- Introduce ZLIB_WINAPI macro to allow the export of functions using\n the WINAPI calling convention, for Visual Basic [Vollant, Truta]\n- Update msdos and win32 scripts and makefiles [Truta]\n- Export symbols by name, not by ordinal, in win32/zlib.def [Truta]\n- Add contrib/ada [Anisimkov]\n- Move asm files from contrib/vstudio/vc70_32 to contrib/asm386 [Truta]\n- Rename contrib/asm386 to contrib/masmx86 [Truta, Vollant]\n- Add contrib/masm686 [Truta]\n- Fix offsets in contrib/inflate86 and contrib/masmx86/inffas32.asm\n [Truta, Vollant]\n- Update contrib/delphi; rename to contrib/pascal; add example [Truta]\n- Remove contrib/delphi2; add a new contrib/delphi [Truta]\n- Avoid inclusion of the nonstandard in contrib/iostream,\n and fix some method prototypes [Truta]\n- Fix the ZCR_SEED2 constant to avoid warnings in contrib/minizip\n [Truta]\n- Avoid the use of backslash (\\) in contrib/minizip [Vollant]\n- Fix file time handling in contrib/untgz; update makefiles [Truta]\n- Update contrib/vstudio/vc70_32 to comply with the new DLL guidelines\n [Vollant]\n- Remove contrib/vstudio/vc15_16 [Vollant]\n- Rename contrib/vstudio/vc70_32 to contrib/vstudio/vc7 [Truta]\n- Update README.contrib [Truta]\n- Invert the assignment order of match_head and s->prev[...] in\n INSERT_STRING [Truta]\n- Compare TOO_FAR with 32767 instead of 32768, to avoid 16-bit warnings\n [Truta]\n- Compare function pointers with 0, not with NULL or Z_NULL [Truta]\n- Fix prototype of syncsearch in inflate.c [Truta]\n- Introduce ASMINF macro to be enabled when using an ASM implementation\n of inflate_fast [Truta]\n- Change NO_DEFLATE to NO_GZCOMPRESS [Truta]\n- Modify test_gzio in example.c to take a single file name as a\n parameter [Truta]\n- Exit the example.c program if gzopen fails [Truta]\n- Add type casts around strlen in example.c [Truta]\n- Remove casting to sizeof in minigzip.c; give a proper type\n to the variable compared with SUFFIX_LEN [Truta]\n- Update definitions of STDC and STDC99 in zconf.h [Truta]\n- Synchronize zconf.h with the new Windows DLL interface [Truta]\n- Use SYS16BIT instead of __32BIT__ to distinguish between\n 16- and 32-bit platforms [Truta]\n- Use far memory allocators in small 16-bit memory models for\n Turbo C [Truta]\n- Add info about the use of ASMV, ASMINF and ZLIB_WINAPI in\n zlibCompileFlags [Truta]\n- Cygwin has vsnprintf [Wilson]\n- In Windows16, OS_CODE is 0, as in MSDOS [Truta]\n- In Cygwin, OS_CODE is 3 (Unix), not 11 (Windows32) [Wilson]\n\nChanges in 1.2.0.4 (10 August 2003)\n- Minor FAQ updates\n- Be more strict when checking inflateInit2's windowBits parameter\n- Change NO_GUNZIP compile option to NO_GZIP to cover deflate as well\n- Add gzip wrapper option to deflateInit2 using windowBits\n- Add updated QNX rule in configure and qnx directory [Bonnefoy]\n- Make inflate distance-too-far checks more rigorous\n- Clean up FAR usage in inflate\n- Add casting to sizeof() in gzio.c and minigzip.c\n\nChanges in 1.2.0.3 (19 July 2003)\n- Fix silly error in gzungetc() implementation [Vollant]\n- Update contrib/minizip and contrib/vstudio [Vollant]\n- Fix printf format in example.c\n- Correct cdecl support in zconf.in.h [Anisimkov]\n- Minor FAQ updates\n\nChanges in 1.2.0.2 (13 July 2003)\n- Add ZLIB_VERNUM in zlib.h for numerical preprocessor comparisons\n- Attempt to avoid warnings in crc32.c for pointer-int conversion\n- Add AIX to configure, remove aix directory [Bakker]\n- Add some casts to minigzip.c\n- Improve checking after insecure sprintf() or vsprintf() calls\n- Remove #elif's from crc32.c\n- Change leave label to inf_leave in inflate.c and infback.c to avoid\n library conflicts\n- Remove inflate gzip decoding by default--only enable gzip decoding by\n special request for stricter backward compatibility\n- Add zlibCompileFlags() function to return compilation information\n- More typecasting in deflate.c to avoid warnings\n- Remove leading underscore from _Capital #defines [Truta]\n- Fix configure to link shared library when testing\n- Add some Windows CE target adjustments [Mai]\n- Remove #define ZLIB_DLL in zconf.h [Vollant]\n- Add zlib.3 [Rodgers]\n- Update RFC URL in deflate.c and algorithm.txt [Mai]\n- Add zlib_dll_FAQ.txt to contrib [Truta]\n- Add UL to some constants [Truta]\n- Update minizip and vstudio [Vollant]\n- Remove vestigial NEED_DUMMY_RETURN from zconf.in.h\n- Expand use of NO_DUMMY_DECL to avoid all dummy structures\n- Added iostream3 to contrib [Schwardt]\n- Replace rewind() with fseek() for WinCE [Truta]\n- Improve setting of zlib format compression level flags\n - Report 0 for huffman and rle strategies and for level == 0 or 1\n - Report 2 only for level == 6\n- Only deal with 64K limit when necessary at compile time [Truta]\n- Allow TOO_FAR check to be turned off at compile time [Truta]\n- Add gzclearerr() function [Souza]\n- Add gzungetc() function\n\nChanges in 1.2.0.1 (17 March 2003)\n- Add Z_RLE strategy for run-length encoding [Truta]\n - When Z_RLE requested, restrict matches to distance one\n - Update zlib.h, minigzip.c, gzopen(), gzdopen() for Z_RLE\n- Correct FASTEST compilation to allow level == 0\n- Clean up what gets compiled for FASTEST\n- Incorporate changes to zconf.in.h [Vollant]\n - Refine detection of Turbo C need for dummy returns\n - Refine ZLIB_DLL compilation\n - Include additional header file on VMS for off_t typedef\n- Try to use _vsnprintf where it supplants vsprintf [Vollant]\n- Add some casts in inffast.c\n- Enhance comments in zlib.h on what happens if gzprintf() tries to\n write more than 4095 bytes before compression\n- Remove unused state from inflateBackEnd()\n- Remove exit(0) from minigzip.c, example.c\n- Get rid of all those darn tabs\n- Add \"check\" target to Makefile.in that does the same thing as \"test\"\n- Add \"mostlyclean\" and \"maintainer-clean\" targets to Makefile.in\n- Update contrib/inflate86 [Anderson]\n- Update contrib/testzlib, contrib/vstudio, contrib/minizip [Vollant]\n- Add msdos and win32 directories with makefiles [Truta]\n- More additions and improvements to the FAQ\n\nChanges in 1.2.0 (9 March 2003)\n- New and improved inflate code\n - About 20% faster\n - Does not allocate 32K window unless and until needed\n - Automatically detects and decompresses gzip streams\n - Raw inflate no longer needs an extra dummy byte at end\n - Added inflateBack functions using a callback interface--even faster\n than inflate, useful for file utilities (gzip, zip)\n - Added inflateCopy() function to record state for random access on\n externally generated deflate streams (e.g. in gzip files)\n - More readable code (I hope)\n- New and improved crc32()\n - About 50% faster, thanks to suggestions from Rodney Brown\n- Add deflateBound() and compressBound() functions\n- Fix memory leak in deflateInit2()\n- Permit setting dictionary for raw deflate (for parallel deflate)\n- Fix const declaration for gzwrite()\n- Check for some malloc() failures in gzio.c\n- Fix bug in gzopen() on single-byte file 0x1f\n- Fix bug in gzread() on concatenated file with 0x1f at end of buffer\n and next buffer doesn't start with 0x8b\n- Fix uncompress() to return Z_DATA_ERROR on truncated input\n- Free memory at end of example.c\n- Remove MAX #define in trees.c (conflicted with some libraries)\n- Fix static const's in deflate.c, gzio.c, and zutil.[ch]\n- Declare malloc() and free() in gzio.c if STDC not defined\n- Use malloc() instead of calloc() in zutil.c if int big enough\n- Define STDC for AIX\n- Add aix/ with approach for compiling shared library on AIX\n- Add HP-UX support for shared libraries in configure\n- Add OpenUNIX support for shared libraries in configure\n- Use $cc instead of gcc to build shared library\n- Make prefix directory if needed when installing\n- Correct Macintosh avoidance of typedef Byte in zconf.h\n- Correct Turbo C memory allocation when under Linux\n- Use libz.a instead of -lz in Makefile (assure use of compiled library)\n- Update configure to check for snprintf or vsnprintf functions and their\n return value, warn during make if using an insecure function\n- Fix configure problem with compile-time knowledge of HAVE_UNISTD_H that\n is lost when library is used--resolution is to build new zconf.h\n- Documentation improvements (in zlib.h):\n - Document raw deflate and inflate\n - Update RFCs URL\n - Point out that zlib and gzip formats are different\n - Note that Z_BUF_ERROR is not fatal\n - Document string limit for gzprintf() and possible buffer overflow\n - Note requirement on avail_out when flushing\n - Note permitted values of flush parameter of inflate()\n- Add some FAQs (and even answers) to the FAQ\n- Add contrib/inflate86/ for x86 faster inflate\n- Add contrib/blast/ for PKWare Data Compression Library decompression\n- Add contrib/puff/ simple inflate for deflate format description\n\nChanges in 1.1.4 (11 March 2002)\n- ZFREE was repeated on same allocation on some error conditions\n This creates a security problem described in\n http://www.zlib.org/advisory-2002-03-11.txt\n- Returned incorrect error (Z_MEM_ERROR) on some invalid data\n- Avoid accesses before window for invalid distances with inflate window\n less than 32K\n- force windowBits > 8 to avoid a bug in the encoder for a window size\n of 256 bytes. (A complete fix will be available in 1.1.5)\n\nChanges in 1.1.3 (9 July 1998)\n- fix \"an inflate input buffer bug that shows up on rare but persistent\n occasions\" (Mark)\n- fix gzread and gztell for concatenated .gz files (Didier Le Botlan)\n- fix gzseek(..., SEEK_SET) in write mode\n- fix crc check after a gzeek (Frank Faubert)\n- fix miniunzip when the last entry in a zip file is itself a zip file\n (J Lillge)\n- add contrib/asm586 and contrib/asm686 (Brian Raiter)\n See http://www.muppetlabs.com/~breadbox/software/assembly.html\n- add support for Delphi 3 in contrib/delphi (Bob Dellaca)\n- add support for C++Builder 3 and Delphi 3 in contrib/delphi2 (Davide Moretti)\n- do not exit prematurely in untgz if 0 at start of block (Magnus Holmgren)\n- use macro EXTERN instead of extern to support DLL for BeOS (Sander Stoks)\n- added a FAQ file\n\n- Support gzdopen on Mac with Metrowerks (Jason Linhart)\n- Do not redefine Byte on Mac (Brad Pettit & Jason Linhart)\n- define SEEK_END too if SEEK_SET is not defined (Albert Chin-A-Young)\n- avoid some warnings with Borland C (Tom Tanner)\n- fix a problem in contrib/minizip/zip.c for 16-bit MSDOS (Gilles Vollant)\n- emulate utime() for WIN32 in contrib/untgz (Gilles Vollant)\n- allow several arguments to configure (Tim Mooney, Frodo Looijaard)\n- use libdir and includedir in Makefile.in (Tim Mooney)\n- support shared libraries on OSF1 V4 (Tim Mooney)\n- remove so_locations in \"make clean\" (Tim Mooney)\n- fix maketree.c compilation error (Glenn, Mark)\n- Python interface to zlib now in Python 1.5 (Jeremy Hylton)\n- new Makefile.riscos (Rich Walker)\n- initialize static descriptors in trees.c for embedded targets (Nick Smith)\n- use \"foo-gz\" in example.c for RISCOS and VMS (Nick Smith)\n- add the OS/2 files in Makefile.in too (Andrew Zabolotny)\n- fix fdopen and halloc macros for Microsoft C 6.0 (Tom Lane)\n- fix maketree.c to allow clean compilation of inffixed.h (Mark)\n- fix parameter check in deflateCopy (Gunther Nikl)\n- cleanup trees.c, use compressed_len only in debug mode (Christian Spieler)\n- Many portability patches by Christian Spieler:\n . zutil.c, zutil.h: added \"const\" for zmem*\n . Make_vms.com: fixed some typos\n . Make_vms.com: msdos/Makefile.*: removed zutil.h from some dependency lists\n . msdos/Makefile.msc: remove \"default rtl link library\" info from obj files\n . msdos/Makefile.*: use model-dependent name for the built zlib library\n . msdos/Makefile.emx, nt/Makefile.emx, nt/Makefile.gcc:\n new makefiles, for emx (DOS/OS2), emx&rsxnt and mingw32 (Windows 9x / NT)\n- use define instead of typedef for Bytef also for MSC small/medium (Tom Lane)\n- replace __far with _far for better portability (Christian Spieler, Tom Lane)\n- fix test for errno.h in configure (Tim Newsham)\n\nChanges in 1.1.2 (19 March 98)\n- added contrib/minzip, mini zip and unzip based on zlib (Gilles Vollant)\n See http://www.winimage.com/zLibDll/unzip.html\n- preinitialize the inflate tables for fixed codes, to make the code\n completely thread safe (Mark)\n- some simplifications and slight speed-up to the inflate code (Mark)\n- fix gzeof on non-compressed files (Allan Schrum)\n- add -std1 option in configure for OSF1 to fix gzprintf (Martin Mokrejs)\n- use default value of 4K for Z_BUFSIZE for 16-bit MSDOS (Tim Wegner + Glenn)\n- added os2/Makefile.def and os2/zlib.def (Andrew Zabolotny)\n- add shared lib support for UNIX_SV4.2MP (MATSUURA Takanori)\n- do not wrap extern \"C\" around system includes (Tom Lane)\n- mention zlib binding for TCL in README (Andreas Kupries)\n- added amiga/Makefile.pup for Amiga powerUP SAS/C PPC (Andreas Kleinert)\n- allow \"make install prefix=...\" even after configure (Glenn Randers-Pehrson)\n- allow \"configure --prefix $HOME\" (Tim Mooney)\n- remove warnings in example.c and gzio.c (Glenn Randers-Pehrson)\n- move Makefile.sas to amiga/Makefile.sas\n\nChanges in 1.1.1 (27 Feb 98)\n- fix macros _tr_tally_* in deflate.h for debug mode (Glenn Randers-Pehrson)\n- remove block truncation heuristic which had very marginal effect for zlib\n (smaller lit_bufsize than in gzip 1.2.4) and degraded a little the\n compression ratio on some files. This also allows inlining _tr_tally for\n matches in deflate_slow\n- added msdos/Makefile.w32 for WIN32 Microsoft Visual C++ (Bob Frazier)\n\nChanges in 1.1.0 (24 Feb 98)\n- do not return STREAM_END prematurely in inflate (John Bowler)\n- revert to the zlib 1.0.8 inflate to avoid the gcc 2.8.0 bug (Jeremy Buhler)\n- compile with -DFASTEST to get compression code optimized for speed only\n- in minigzip, try mmap'ing the input file first (Miguel Albrecht)\n- increase size of I/O buffers in minigzip.c and gzio.c (not a big gain\n on Sun but significant on HP)\n\n- add a pointer to experimental unzip library in README (Gilles Vollant)\n- initialize variable gcc in configure (Chris Herborth)\n\nChanges in 1.0.9 (17 Feb 1998)\n- added gzputs and gzgets functions\n- do not clear eof flag in gzseek (Mark Diekhans)\n- fix gzseek for files in transparent mode (Mark Diekhans)\n- do not assume that vsprintf returns the number of bytes written (Jens Krinke)\n- replace EXPORT with ZEXPORT to avoid conflict with other programs\n- added compress2 in zconf.h, zlib.def, zlib.dnt\n- new asm code from Gilles Vollant in contrib/asm386\n- simplify the inflate code (Mark):\n . Replace ZALLOC's in huft_build() with single ZALLOC in inflate_blocks_new()\n . ZALLOC the length list in inflate_trees_fixed() instead of using stack\n . ZALLOC the value area for huft_build() instead of using stack\n . Simplify Z_FINISH check in inflate()\n\n- Avoid gcc 2.8.0 comparison bug a little differently than zlib 1.0.8\n- in inftrees.c, avoid cc -O bug on HP (Farshid Elahi)\n- in zconf.h move the ZLIB_DLL stuff earlier to avoid problems with\n the declaration of FAR (Gilles Vollant)\n- install libz.so* with mode 755 (executable) instead of 644 (Marc Lehmann)\n- read_buf buf parameter of type Bytef* instead of charf*\n- zmemcpy parameters are of type Bytef*, not charf* (Joseph Strout)\n- do not redeclare unlink in minigzip.c for WIN32 (John Bowler)\n- fix check for presence of directories in \"make install\" (Ian Willis)\n\nChanges in 1.0.8 (27 Jan 1998)\n- fixed offsets in contrib/asm386/gvmat32.asm (Gilles Vollant)\n- fix gzgetc and gzputc for big endian systems (Markus Oberhumer)\n- added compress2() to allow setting the compression level\n- include sys/types.h to get off_t on some systems (Marc Lehmann & QingLong)\n- use constant arrays for the static trees in trees.c instead of computing\n them at run time (thanks to Ken Raeburn for this suggestion). To create\n trees.h, compile with GEN_TREES_H and run \"make test\"\n- check return code of example in \"make test\" and display result\n- pass minigzip command line options to file_compress\n- simplifying code of inflateSync to avoid gcc 2.8 bug\n\n- support CC=\"gcc -Wall\" in configure -s (QingLong)\n- avoid a flush caused by ftell in gzopen for write mode (Ken Raeburn)\n- fix test for shared library support to avoid compiler warnings\n- zlib.lib -> zlib.dll in msdos/zlib.rc (Gilles Vollant)\n- check for TARGET_OS_MAC in addition to MACOS (Brad Pettit)\n- do not use fdopen for Metrowerks on Mac (Brad Pettit))\n- add checks for gzputc and gzputc in example.c\n- avoid warnings in gzio.c and deflate.c (Andreas Kleinert)\n- use const for the CRC table (Ken Raeburn)\n- fixed \"make uninstall\" for shared libraries\n- use Tracev instead of Trace in infblock.c\n- in example.c use correct compressed length for test_sync\n- suppress +vnocompatwarnings in configure for HPUX (not always supported)\n\nChanges in 1.0.7 (20 Jan 1998)\n- fix gzseek which was broken in write mode\n- return error for gzseek to negative absolute position\n- fix configure for Linux (Chun-Chung Chen)\n- increase stack space for MSC (Tim Wegner)\n- get_crc_table and inflateSyncPoint are EXPORTed (Gilles Vollant)\n- define EXPORTVA for gzprintf (Gilles Vollant)\n- added man page zlib.3 (Rick Rodgers)\n- for contrib/untgz, fix makedir() and improve Makefile\n\n- check gzseek in write mode in example.c\n- allocate extra buffer for seeks only if gzseek is actually called\n- avoid signed/unsigned comparisons (Tim Wegner, Gilles Vollant)\n- add inflateSyncPoint in zconf.h\n- fix list of exported functions in nt/zlib.dnt and mdsos/zlib.def\n\nChanges in 1.0.6 (19 Jan 1998)\n- add functions gzprintf, gzputc, gzgetc, gztell, gzeof, gzseek, gzrewind and\n gzsetparams (thanks to Roland Giersig and Kevin Ruland for some of this code)\n- Fix a deflate bug occurring only with compression level 0 (thanks to\n Andy Buckler for finding this one)\n- In minigzip, pass transparently also the first byte for .Z files\n- return Z_BUF_ERROR instead of Z_OK if output buffer full in uncompress()\n- check Z_FINISH in inflate (thanks to Marc Schluper)\n- Implement deflateCopy (thanks to Adam Costello)\n- make static libraries by default in configure, add --shared option\n- move MSDOS or Windows specific files to directory msdos\n- suppress the notion of partial flush to simplify the interface\n (but the symbol Z_PARTIAL_FLUSH is kept for compatibility with 1.0.4)\n- suppress history buffer provided by application to simplify the interface\n (this feature was not implemented anyway in 1.0.4)\n- next_in and avail_in must be initialized before calling inflateInit or\n inflateInit2\n- add EXPORT in all exported functions (for Windows DLL)\n- added Makefile.nt (thanks to Stephen Williams)\n- added the unsupported \"contrib\" directory:\n contrib/asm386/ by Gilles Vollant \n 386 asm code replacing longest_match()\n contrib/iostream/ by Kevin Ruland \n A C++ I/O streams interface to the zlib gz* functions\n contrib/iostream2/ by Tyge Løvset \n Another C++ I/O streams interface\n contrib/untgz/ by \"Pedro A. Aranda Guti\\irrez\" \n A very simple tar.gz file extractor using zlib\n contrib/visual-basic.txt by Carlos Rios \n How to use compress(), uncompress() and the gz* functions from VB\n- pass params -f (filtered data), -h (huffman only), -1 to -9 (compression\n level) in minigzip (thanks to Tom Lane)\n\n- use const for rommable constants in deflate\n- added test for gzseek and gztell in example.c\n- add undocumented function inflateSyncPoint() (hack for Paul Mackerras)\n- add undocumented function zError to convert error code to string\n (for Tim Smithers)\n- Allow compilation of gzio with -DNO_DEFLATE to avoid the compression code\n- Use default memcpy for Symantec MSDOS compiler\n- Add EXPORT keyword for check_func (needed for Windows DLL)\n- add current directory to LD_LIBRARY_PATH for \"make test\"\n- create also a link for libz.so.1\n- added support for FUJITSU UXP/DS (thanks to Toshiaki Nomura)\n- use $(SHAREDLIB) instead of libz.so in Makefile.in (for HPUX)\n- added -soname for Linux in configure (Chun-Chung Chen,\n- assign numbers to the exported functions in zlib.def (for Windows DLL)\n- add advice in zlib.h for best usage of deflateSetDictionary\n- work around compiler bug on Atari (cast Z_NULL in call of s->checkfn)\n- allow compilation with ANSI keywords only enabled for TurboC in large model\n- avoid \"versionString\"[0] (Borland bug)\n- add NEED_DUMMY_RETURN for Borland\n- use variable z_verbose for tracing in debug mode (L. Peter Deutsch)\n- allow compilation with CC\n- defined STDC for OS/2 (David Charlap)\n- limit external names to 8 chars for MVS (Thomas Lund)\n- in minigzip.c, use static buffers only for 16-bit systems\n- fix suffix check for \"minigzip -d foo.gz\"\n- do not return an error for the 2nd of two consecutive gzflush() (Felix Lee)\n- use _fdopen instead of fdopen for MSC >= 6.0 (Thomas Fanslau)\n- added makelcc.bat for lcc-win32 (Tom St Denis)\n- in Makefile.dj2, use copy and del instead of install and rm (Frank Donahoe)\n- Avoid expanded $Id$. Use \"rcs -kb\" or \"cvs admin -kb\" to avoid Id expansion\n- check for unistd.h in configure (for off_t)\n- remove useless check parameter in inflate_blocks_free\n- avoid useless assignment of s->check to itself in inflate_blocks_new\n- do not flush twice in gzclose (thanks to Ken Raeburn)\n- rename FOPEN as F_OPEN to avoid clash with /usr/include/sys/file.h\n- use NO_ERRNO_H instead of enumeration of operating systems with errno.h\n- work around buggy fclose on pipes for HP/UX\n- support zlib DLL with BORLAND C++ 5.0 (thanks to Glenn Randers-Pehrson)\n- fix configure if CC is already equal to gcc\n\nChanges in 1.0.5 (3 Jan 98)\n- Fix inflate to terminate gracefully when fed corrupted or invalid data\n- Use const for rommable constants in inflate\n- Eliminate memory leaks on error conditions in inflate\n- Removed some vestigial code in inflate\n- Update web address in README\n\nChanges in 1.0.4 (24 Jul 96)\n- In very rare conditions, deflate(s, Z_FINISH) could fail to produce an EOF\n bit, so the decompressor could decompress all the correct data but went\n on to attempt decompressing extra garbage data. This affected minigzip too\n- zlibVersion and gzerror return const char* (needed for DLL)\n- port to RISCOS (no fdopen, no multiple dots, no unlink, no fileno)\n- use z_error only for DEBUG (avoid problem with DLLs)\n\nChanges in 1.0.3 (2 Jul 96)\n- use z_streamp instead of z_stream *, which is now a far pointer in MSDOS\n small and medium models; this makes the library incompatible with previous\n versions for these models. (No effect in large model or on other systems.)\n- return OK instead of BUF_ERROR if previous deflate call returned with\n avail_out as zero but there is nothing to do\n- added memcmp for non STDC compilers\n- define NO_DUMMY_DECL for more Mac compilers (.h files merged incorrectly)\n- define __32BIT__ if __386__ or i386 is defined (pb. with Watcom and SCO)\n- better check for 16-bit mode MSC (avoids problem with Symantec)\n\nChanges in 1.0.2 (23 May 96)\n- added Windows DLL support\n- added a function zlibVersion (for the DLL support)\n- fixed declarations using Bytef in infutil.c (pb with MSDOS medium model)\n- Bytef is define's instead of typedef'd only for Borland C\n- avoid reading uninitialized memory in example.c\n- mention in README that the zlib format is now RFC1950\n- updated Makefile.dj2\n- added algorithm.doc\n\nChanges in 1.0.1 (20 May 96) [1.0 skipped to avoid confusion]\n- fix array overlay in deflate.c which sometimes caused bad compressed data\n- fix inflate bug with empty stored block\n- fix MSDOS medium model which was broken in 0.99\n- fix deflateParams() which could generate bad compressed data\n- Bytef is define'd instead of typedef'ed (work around Borland bug)\n- added an INDEX file\n- new makefiles for DJGPP (Makefile.dj2), 32-bit Borland (Makefile.b32),\n Watcom (Makefile.wat), Amiga SAS/C (Makefile.sas)\n- speed up adler32 for modern machines without auto-increment\n- added -ansi for IRIX in configure\n- static_init_done in trees.c is an int\n- define unlink as delete for VMS\n- fix configure for QNX\n- add configure branch for SCO and HPUX\n- avoid many warnings (unused variables, dead assignments, etc...)\n- no fdopen for BeOS\n- fix the Watcom fix for 32 bit mode (define FAR as empty)\n- removed redefinition of Byte for MKWERKS\n- work around an MWKERKS bug (incorrect merge of all .h files)\n\nChanges in 0.99 (27 Jan 96)\n- allow preset dictionary shared between compressor and decompressor\n- allow compression level 0 (no compression)\n- add deflateParams in zlib.h: allow dynamic change of compression level\n and compression strategy\n- test large buffers and deflateParams in example.c\n- add optional \"configure\" to build zlib as a shared library\n- suppress Makefile.qnx, use configure instead\n- fixed deflate for 64-bit systems (detected on Cray)\n- fixed inflate_blocks for 64-bit systems (detected on Alpha)\n- declare Z_DEFLATED in zlib.h (possible parameter for deflateInit2)\n- always return Z_BUF_ERROR when deflate() has nothing to do\n- deflateInit and inflateInit are now macros to allow version checking\n- prefix all global functions and types with z_ with -DZ_PREFIX\n- make falloc completely reentrant (inftrees.c)\n- fixed very unlikely race condition in ct_static_init\n- free in reverse order of allocation to help memory manager\n- use zlib-1.0/* instead of zlib/* inside the tar.gz\n- make zlib warning-free with \"gcc -O3 -Wall -Wwrite-strings -Wpointer-arith\n -Wconversion -Wstrict-prototypes -Wmissing-prototypes\"\n- allow gzread on concatenated .gz files\n- deflateEnd now returns Z_DATA_ERROR if it was premature\n- deflate is finally (?) fully deterministic (no matches beyond end of input)\n- Document Z_SYNC_FLUSH\n- add uninstall in Makefile\n- Check for __cpluplus in zlib.h\n- Better test in ct_align for partial flush\n- avoid harmless warnings for Borland C++\n- initialize hash_head in deflate.c\n- avoid warning on fdopen (gzio.c) for HP cc -Aa\n- include stdlib.h for STDC compilers\n- include errno.h for Cray\n- ignore error if ranlib doesn't exist\n- call ranlib twice for NeXTSTEP\n- use exec_prefix instead of prefix for libz.a\n- renamed ct_* as _tr_* to avoid conflict with applications\n- clear z->msg in inflateInit2 before any error return\n- initialize opaque in example.c, gzio.c, deflate.c and inflate.c\n- fixed typo in zconf.h (_GNUC__ => __GNUC__)\n- check for WIN32 in zconf.h and zutil.c (avoid farmalloc in 32-bit mode)\n- fix typo in Make_vms.com (f$trnlnm -> f$getsyi)\n- in fcalloc, normalize pointer if size > 65520 bytes\n- don't use special fcalloc for 32 bit Borland C++\n- use STDC instead of __GO32__ to avoid redeclaring exit, calloc, etc.\n- use Z_BINARY instead of BINARY\n- document that gzclose after gzdopen will close the file\n- allow \"a\" as mode in gzopen\n- fix error checking in gzread\n- allow skipping .gz extra-field on pipes\n- added reference to Perl interface in README\n- put the crc table in FAR data (I dislike more and more the medium model :)\n- added get_crc_table\n- added a dimension to all arrays (Borland C can't count)\n- workaround Borland C bug in declaration of inflate_codes_new & inflate_fast\n- guard against multiple inclusion of *.h (for precompiled header on Mac)\n- Watcom C pretends to be Microsoft C small model even in 32 bit mode\n- don't use unsized arrays to avoid silly warnings by Visual C++:\n warning C4746: 'inflate_mask' : unsized array treated as '__far'\n (what's wrong with far data in far model?)\n- define enum out of inflate_blocks_state to allow compilation with C++\n\nChanges in 0.95 (16 Aug 95)\n- fix MSDOS small and medium model (now easier to adapt to any compiler)\n- inlined send_bits\n- fix the final (:-) bug for deflate with flush (output was correct but\n not completely flushed in rare occasions)\n- default window size is same for compression and decompression\n (it's now sufficient to set MAX_WBITS in zconf.h)\n- voidp -> voidpf and voidnp -> voidp (for consistency with other\n typedefs and because voidnp was not near in large model)\n\nChanges in 0.94 (13 Aug 95)\n- support MSDOS medium model\n- fix deflate with flush (could sometimes generate bad output)\n- fix deflateReset (zlib header was incorrectly suppressed)\n- added support for VMS\n- allow a compression level in gzopen()\n- gzflush now calls fflush\n- For deflate with flush, flush even if no more input is provided\n- rename libgz.a as libz.a\n- avoid complex expression in infcodes.c triggering Turbo C bug\n- work around a problem with gcc on Alpha (in INSERT_STRING)\n- don't use inline functions (problem with some gcc versions)\n- allow renaming of Byte, uInt, etc... with #define\n- avoid warning about (unused) pointer before start of array in deflate.c\n- avoid various warnings in gzio.c, example.c, infblock.c, adler32.c, zutil.c\n- avoid reserved word 'new' in trees.c\n\nChanges in 0.93 (25 June 95)\n- temporarily disable inline functions\n- make deflate deterministic\n- give enough lookahead for PARTIAL_FLUSH\n- Set binary mode for stdin/stdout in minigzip.c for OS/2\n- don't even use signed char in inflate (not portable enough)\n- fix inflate memory leak for segmented architectures\n\nChanges in 0.92 (3 May 95)\n- don't assume that char is signed (problem on SGI)\n- Clear bit buffer when starting a stored block\n- no memcpy on Pyramid\n- suppressed inftest.c\n- optimized fill_window, put longest_match inline for gcc\n- optimized inflate on stored blocks\n- untabify all sources to simplify patches\n\nChanges in 0.91 (2 May 95)\n- Default MEM_LEVEL is 8 (not 9 for Unix) as documented in zlib.h\n- Document the memory requirements in zconf.h\n- added \"make install\"\n- fix sync search logic in inflateSync\n- deflate(Z_FULL_FLUSH) now works even if output buffer too short\n- after inflateSync, don't scare people with just \"lo world\"\n- added support for DJGPP\n\nChanges in 0.9 (1 May 95)\n- don't assume that zalloc clears the allocated memory (the TurboC bug\n was Mark's bug after all :)\n- let again gzread copy uncompressed data unchanged (was working in 0.71)\n- deflate(Z_FULL_FLUSH), inflateReset and inflateSync are now fully implemented\n- added a test of inflateSync in example.c\n- moved MAX_WBITS to zconf.h because users might want to change that\n- document explicitly that zalloc(64K) on MSDOS must return a normalized\n pointer (zero offset)\n- added Makefiles for Microsoft C, Turbo C, Borland C++\n- faster crc32()\n\nChanges in 0.8 (29 April 95)\n- added fast inflate (inffast.c)\n- deflate(Z_FINISH) now returns Z_STREAM_END when done. Warning: this\n is incompatible with previous versions of zlib which returned Z_OK\n- work around a TurboC compiler bug (bad code for b << 0, see infutil.h)\n (actually that was not a compiler bug, see 0.81 above)\n- gzread no longer reads one extra byte in certain cases\n- In gzio destroy(), don't reference a freed structure\n- avoid many warnings for MSDOS\n- avoid the ERROR symbol which is used by MS Windows\n\nChanges in 0.71 (14 April 95)\n- Fixed more MSDOS compilation problems :( There is still a bug with\n TurboC large model\n\nChanges in 0.7 (14 April 95)\n- Added full inflate support\n- Simplified the crc32() interface. The pre- and post-conditioning\n (one's complement) is now done inside crc32(). WARNING: this is\n incompatible with previous versions; see zlib.h for the new usage\n\nChanges in 0.61 (12 April 95)\n- workaround for a bug in TurboC. example and minigzip now work on MSDOS\n\nChanges in 0.6 (11 April 95)\n- added minigzip.c\n- added gzdopen to reopen a file descriptor as gzFile\n- added transparent reading of non-gziped files in gzread\n- fixed bug in gzread (don't read crc as data)\n- fixed bug in destroy (gzio.c) (don't return Z_STREAM_END for gzclose)\n- don't allocate big arrays in the stack (for MSDOS)\n- fix some MSDOS compilation problems\n\nChanges in 0.5:\n- do real compression in deflate.c. Z_PARTIAL_FLUSH is supported but\n not yet Z_FULL_FLUSH\n- support decompression but only in a single step (forced Z_FINISH)\n- added opaque object for zalloc and zfree\n- added deflateReset and inflateReset\n- added a variable zlib_version for consistency checking\n- renamed the 'filter' parameter of deflateInit2 as 'strategy'\n Added Z_FILTERED and Z_HUFFMAN_ONLY constants\n\nChanges in 0.4:\n- avoid \"zip\" everywhere, use zlib instead of ziplib\n- suppress Z_BLOCK_FLUSH, interpret Z_PARTIAL_FLUSH as block flush\n if compression method == 8\n- added adler32 and crc32\n- renamed deflateOptions as deflateInit2, call one or the other but not both\n- added the method parameter for deflateInit2\n- added inflateInit2\n- simplified considerably deflateInit and inflateInit by not supporting\n user-provided history buffer. This is supported only in deflateInit2\n and inflateInit2\n\nChanges in 0.3:\n- prefix all macro names with Z_\n- use Z_FINISH instead of deflateEnd to finish compression\n- added Z_HUFFMAN_ONLY\n- added gzerror()\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/FAQ", "content": "\n Frequently Asked Questions about zlib\n\n\nIf your question is not there, please check the zlib home page\nhttp://zlib.net/ which may have more recent information.\nThe latest zlib FAQ is at http://zlib.net/zlib_faq.html\n\n\n 1. Is zlib Y2K-compliant?\n\n Yes. zlib doesn't handle dates.\n\n 2. Where can I get a Windows DLL version?\n\n The zlib sources can be compiled without change to produce a DLL. See the\n file win32/DLL_FAQ.txt in the zlib distribution. Pointers to the\n precompiled DLL are found in the zlib web site at http://zlib.net/ .\n\n 3. Where can I get a Visual Basic interface to zlib?\n\n See\n * http://marknelson.us/1997/01/01/zlib-engine/\n * win32/DLL_FAQ.txt in the zlib distribution\n\n 4. compress() returns Z_BUF_ERROR.\n\n Make sure that before the call of compress(), the length of the compressed\n buffer is equal to the available size of the compressed buffer and not\n zero. For Visual Basic, check that this parameter is passed by reference\n (\"as any\"), not by value (\"as long\").\n\n 5. deflate() or inflate() returns Z_BUF_ERROR.\n\n Before making the call, make sure that avail_in and avail_out are not zero.\n When setting the parameter flush equal to Z_FINISH, also make sure that\n avail_out is big enough to allow processing all pending input. Note that a\n Z_BUF_ERROR is not fatal--another call to deflate() or inflate() can be\n made with more input or output space. A Z_BUF_ERROR may in fact be\n unavoidable depending on how the functions are used, since it is not\n possible to tell whether or not there is more output pending when\n strm.avail_out returns with zero. See http://zlib.net/zlib_how.html for a\n heavily annotated example.\n\n 6. Where's the zlib documentation (man pages, etc.)?\n\n It's in zlib.h . Examples of zlib usage are in the files test/example.c\n and test/minigzip.c, with more in examples/ .\n\n 7. Why don't you use GNU autoconf or libtool or ...?\n\n Because we would like to keep zlib as a very small and simple package.\n zlib is rather portable and doesn't need much configuration.\n\n 8. I found a bug in zlib.\n\n Most of the time, such problems are due to an incorrect usage of zlib.\n Please try to reproduce the problem with a small program and send the\n corresponding source to us at zlib@gzip.org . Do not send multi-megabyte\n data files without prior agreement.\n\n 9. Why do I get \"undefined reference to gzputc\"?\n\n If \"make test\" produces something like\n\n example.o(.text+0x154): undefined reference to `gzputc'\n\n check that you don't have old files libz.* in /usr/lib, /usr/local/lib or\n /usr/X11R6/lib. Remove any old versions, then do \"make install\".\n\n10. I need a Delphi interface to zlib.\n\n See the contrib/delphi directory in the zlib distribution.\n\n11. Can zlib handle .zip archives?\n\n Not by itself, no. See the directory contrib/minizip in the zlib\n distribution.\n\n12. Can zlib handle .Z files?\n\n No, sorry. You have to spawn an uncompress or gunzip subprocess, or adapt\n the code of uncompress on your own.\n\n13. How can I make a Unix shared library?\n\n By default a shared (and a static) library is built for Unix. So:\n\n make distclean\n ./configure\n make\n\n14. How do I install a shared zlib library on Unix?\n\n After the above, then:\n\n make install\n\n However, many flavors of Unix come with a shared zlib already installed.\n Before going to the trouble of compiling a shared version of zlib and\n trying to install it, you may want to check if it's already there! If you\n can #include , it's there. The -lz option will probably link to\n it. You can check the version at the top of zlib.h or with the\n ZLIB_VERSION symbol defined in zlib.h .\n\n15. I have a question about OttoPDF.\n\n We are not the authors of OttoPDF. The real author is on the OttoPDF web\n site: Joel Hainley, jhainley@myndkryme.com.\n\n16. Can zlib decode Flate data in an Adobe PDF file?\n\n Yes. See http://www.pdflib.com/ . To modify PDF forms, see\n http://sourceforge.net/projects/acroformtool/ .\n\n17. Why am I getting this \"register_frame_info not found\" error on Solaris?\n\n After installing zlib 1.1.4 on Solaris 2.6, running applications using zlib\n generates an error such as:\n\n ld.so.1: rpm: fatal: relocation error: file /usr/local/lib/libz.so:\n symbol __register_frame_info: referenced symbol not found\n\n The symbol __register_frame_info is not part of zlib, it is generated by\n the C compiler (cc or gcc). You must recompile applications using zlib\n which have this problem. This problem is specific to Solaris. See\n http://www.sunfreeware.com for Solaris versions of zlib and applications\n using zlib.\n\n18. Why does gzip give an error on a file I make with compress/deflate?\n\n The compress and deflate functions produce data in the zlib format, which\n is different and incompatible with the gzip format. The gz* functions in\n zlib on the other hand use the gzip format. Both the zlib and gzip formats\n use the same compressed data format internally, but have different headers\n and trailers around the compressed data.\n\n19. Ok, so why are there two different formats?\n\n The gzip format was designed to retain the directory information about a\n single file, such as the name and last modification date. The zlib format\n on the other hand was designed for in-memory and communication channel\n applications, and has a much more compact header and trailer and uses a\n faster integrity check than gzip.\n\n20. Well that's nice, but how do I make a gzip file in memory?\n\n You can request that deflate write the gzip format instead of the zlib\n format using deflateInit2(). You can also request that inflate decode the\n gzip format using inflateInit2(). Read zlib.h for more details.\n\n21. Is zlib thread-safe?\n\n Yes. However any library routines that zlib uses and any application-\n provided memory allocation routines must also be thread-safe. zlib's gz*\n functions use stdio library routines, and most of zlib's functions use the\n library memory allocation routines by default. zlib's *Init* functions\n allow for the application to provide custom memory allocation routines.\n\n Of course, you should only operate on any given zlib or gzip stream from a\n single thread at a time.\n\n22. Can I use zlib in my commercial application?\n\n Yes. Please read the license in zlib.h.\n\n23. Is zlib under the GNU license?\n\n No. Please read the license in zlib.h.\n\n24. The license says that altered source versions must be \"plainly marked\". So\n what exactly do I need to do to meet that requirement?\n\n You need to change the ZLIB_VERSION and ZLIB_VERNUM #defines in zlib.h. In\n particular, the final version number needs to be changed to \"f\", and an\n identification string should be appended to ZLIB_VERSION. Version numbers\n x.x.x.f are reserved for modifications to zlib by others than the zlib\n maintainers. For example, if the version of the base zlib you are altering\n is \"1.2.3.4\", then in zlib.h you should change ZLIB_VERNUM to 0x123f, and\n ZLIB_VERSION to something like \"1.2.3.f-zachary-mods-v3\". You can also\n update the version strings in deflate.c and inftrees.c.\n\n For altered source distributions, you should also note the origin and\n nature of the changes in zlib.h, as well as in ChangeLog and README, along\n with the dates of the alterations. The origin should include at least your\n name (or your company's name), and an email address to contact for help or\n issues with the library.\n\n Note that distributing a compiled zlib library along with zlib.h and\n zconf.h is also a source distribution, and so you should change\n ZLIB_VERSION and ZLIB_VERNUM and note the origin and nature of the changes\n in zlib.h as you would for a full source distribution.\n\n25. Will zlib work on a big-endian or little-endian architecture, and can I\n exchange compressed data between them?\n\n Yes and yes.\n\n26. Will zlib work on a 64-bit machine?\n\n Yes. It has been tested on 64-bit machines, and has no dependence on any\n data types being limited to 32-bits in length. If you have any\n difficulties, please provide a complete problem report to zlib@gzip.org\n\n27. Will zlib decompress data from the PKWare Data Compression Library?\n\n No. The PKWare DCL uses a completely different compressed data format than\n does PKZIP and zlib. However, you can look in zlib's contrib/blast\n directory for a possible solution to your problem.\n\n28. Can I access data randomly in a compressed stream?\n\n No, not without some preparation. If when compressing you periodically use\n Z_FULL_FLUSH, carefully write all the pending data at those points, and\n keep an index of those locations, then you can start decompression at those\n points. You have to be careful to not use Z_FULL_FLUSH too often, since it\n can significantly degrade compression. Alternatively, you can scan a\n deflate stream once to generate an index, and then use that index for\n random access. See examples/zran.c .\n\n29. Does zlib work on MVS, OS/390, CICS, etc.?\n\n It has in the past, but we have not heard of any recent evidence. There\n were working ports of zlib 1.1.4 to MVS, but those links no longer work.\n If you know of recent, successful applications of zlib on these operating\n systems, please let us know. Thanks.\n\n30. Is there some simpler, easier to read version of inflate I can look at to\n understand the deflate format?\n\n First off, you should read RFC 1951. Second, yes. Look in zlib's\n contrib/puff directory.\n\n31. Does zlib infringe on any patents?\n\n As far as we know, no. In fact, that was originally the whole point behind\n zlib. Look here for some more information:\n\n http://www.gzip.org/#faq11\n\n32. Can zlib work with greater than 4 GB of data?\n\n Yes. inflate() and deflate() will process any amount of data correctly.\n Each call of inflate() or deflate() is limited to input and output chunks\n of the maximum value that can be stored in the compiler's \"unsigned int\"\n type, but there is no limit to the number of chunks. Note however that the\n strm.total_in and strm_total_out counters may be limited to 4 GB. These\n counters are provided as a convenience and are not used internally by\n inflate() or deflate(). The application can easily set up its own counters\n updated after each call of inflate() or deflate() to count beyond 4 GB.\n compress() and uncompress() may be limited to 4 GB, since they operate in a\n single call. gzseek() and gztell() may be limited to 4 GB depending on how\n zlib is compiled. See the zlibCompileFlags() function in zlib.h.\n\n The word \"may\" appears several times above since there is a 4 GB limit only\n if the compiler's \"long\" type is 32 bits. If the compiler's \"long\" type is\n 64 bits, then the limit is 16 exabytes.\n\n33. Does zlib have any security vulnerabilities?\n\n The only one that we are aware of is potentially in gzprintf(). If zlib is\n compiled to use sprintf() or vsprintf(), then there is no protection\n against a buffer overflow of an 8K string space (or other value as set by\n gzbuffer()), other than the caller of gzprintf() assuring that the output\n will not exceed 8K. On the other hand, if zlib is compiled to use\n snprintf() or vsnprintf(), which should normally be the case, then there is\n no vulnerability. The ./configure script will display warnings if an\n insecure variation of sprintf() will be used by gzprintf(). Also the\n zlibCompileFlags() function will return information on what variant of\n sprintf() is used by gzprintf().\n\n If you don't have snprintf() or vsnprintf() and would like one, you can\n find a portable implementation here:\n\n http://www.ijs.si/software/snprintf/\n\n Note that you should be using the most recent version of zlib. Versions\n 1.1.3 and before were subject to a double-free vulnerability, and versions\n 1.2.1 and 1.2.2 were subject to an access exception when decompressing\n invalid compressed data.\n\n34. Is there a Java version of zlib?\n\n Probably what you want is to use zlib in Java. zlib is already included\n as part of the Java SDK in the java.util.zip package. If you really want\n a version of zlib written in the Java language, look on the zlib home\n page for links: http://zlib.net/ .\n\n35. I get this or that compiler or source-code scanner warning when I crank it\n up to maximally-pedantic. Can't you guys write proper code?\n\n Many years ago, we gave up attempting to avoid warnings on every compiler\n in the universe. It just got to be a waste of time, and some compilers\n were downright silly as well as contradicted each other. So now, we simply\n make sure that the code always works.\n\n36. Valgrind (or some similar memory access checker) says that deflate is\n performing a conditional jump that depends on an uninitialized value.\n Isn't that a bug?\n\n No. That is intentional for performance reasons, and the output of deflate\n is not affected. This only started showing up recently since zlib 1.2.x\n uses malloc() by default for allocations, whereas earlier versions used\n calloc(), which zeros out the allocated memory. Even though the code was\n correct, versions 1.2.4 and later was changed to not stimulate these\n checkers.\n\n37. Will zlib read the (insert any ancient or arcane format here) compressed\n data format?\n\n Probably not. Look in the comp.compression FAQ for pointers to various\n formats and associated software.\n\n38. How can I encrypt/decrypt zip files with zlib?\n\n zlib doesn't support encryption. The original PKZIP encryption is very\n weak and can be broken with freely available programs. To get strong\n encryption, use GnuPG, http://www.gnupg.org/ , which already includes zlib\n compression. For PKZIP compatible \"encryption\", look at\n http://www.info-zip.org/\n\n39. What's the difference between the \"gzip\" and \"deflate\" HTTP 1.1 encodings?\n\n \"gzip\" is the gzip format, and \"deflate\" is the zlib format. They should\n probably have called the second one \"zlib\" instead to avoid confusion with\n the raw deflate compressed data format. While the HTTP 1.1 RFC 2616\n correctly points to the zlib specification in RFC 1950 for the \"deflate\"\n transfer encoding, there have been reports of servers and browsers that\n incorrectly produce or expect raw deflate data per the deflate\n specification in RFC 1951, most notably Microsoft. So even though the\n \"deflate\" transfer encoding using the zlib format would be the more\n efficient approach (and in fact exactly what the zlib format was designed\n for), using the \"gzip\" transfer encoding is probably more reliable due to\n an unfortunate choice of name on the part of the HTTP 1.1 authors.\n\n Bottom line: use the gzip format for HTTP 1.1 encoding.\n\n40. Does zlib support the new \"Deflate64\" format introduced by PKWare?\n\n No. PKWare has apparently decided to keep that format proprietary, since\n they have not documented it as they have previous compression formats. In\n any case, the compression improvements are so modest compared to other more\n modern approaches, that it's not worth the effort to implement.\n\n41. I'm having a problem with the zip functions in zlib, can you help?\n\n There are no zip functions in zlib. You are probably using minizip by\n Giles Vollant, which is found in the contrib directory of zlib. It is not\n part of zlib. In fact none of the stuff in contrib is part of zlib. The\n files in there are not supported by the zlib authors. You need to contact\n the authors of the respective contribution for help.\n\n42. The match.asm code in contrib is under the GNU General Public License.\n Since it's part of zlib, doesn't that mean that all of zlib falls under the\n GNU GPL?\n\n No. The files in contrib are not part of zlib. They were contributed by\n other authors and are provided as a convenience to the user within the zlib\n distribution. Each item in contrib has its own license.\n\n43. Is zlib subject to export controls? What is its ECCN?\n\n zlib is not subject to export controls, and so is classified as EAR99.\n\n44. Can you please sign these lengthy legal documents and fax them back to us\n so that we can use your software in our product?\n\n No. Go away. Shoo.\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/INDEX", "content": "CMakeLists.txt cmake build file\nChangeLog history of changes\nFAQ Frequently Asked Questions about zlib\nINDEX this file\nMakefile dummy Makefile that tells you to ./configure\nMakefile.in template for Unix Makefile\nREADME guess what\nconfigure configure script for Unix\nmake_vms.com makefile for VMS\ntest/example.c zlib usages examples for build testing\ntest/minigzip.c minimal gzip-like functionality for build testing\ntest/infcover.c inf*.c code coverage for build coverage testing\ntreebuild.xml XML description of source file dependencies\nzconf.h.cmakein zconf.h template for cmake\nzconf.h.in zconf.h template for configure\nzlib.3 Man page for zlib\nzlib.3.pdf Man page in PDF format\nzlib.map Linux symbol information\nzlib.pc.in Template for pkg-config descriptor\nzlib.pc.cmakein zlib.pc template for cmake\nzlib2ansi perl script to convert source files for C++ compilation\n\namiga/ makefiles for Amiga SAS C\nas400/ makefiles for AS/400\ndoc/ documentation for formats and algorithms\nmsdos/ makefiles for MSDOS\nnintendods/ makefile for Nintendo DS\nold/ makefiles for various architectures and zlib documentation\n files that have not yet been updated for zlib 1.2.x\nqnx/ makefiles for QNX\nwatcom/ makefiles for OpenWatcom\nwin32/ makefiles for Windows\n\n zlib public header files (required for library use):\nzconf.h\nzlib.h\n\n private source files used to build the zlib library:\nadler32.c\ncompress.c\ncrc32.c\ncrc32.h\ndeflate.c\ndeflate.h\ngzclose.c\ngzguts.h\ngzlib.c\ngzread.c\ngzwrite.c\ninfback.c\ninffast.c\ninffast.h\ninffixed.h\ninflate.c\ninflate.h\ninftrees.c\ninftrees.h\ntrees.c\ntrees.h\nuncompr.c\nzutil.c\nzutil.h\n\n source files for sample programs\nSee examples/README.examples\n\n unsupported contributions by third parties\nSee contrib/README.contrib\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/LICENSE", "content": "Copyright notice:\n\n (C) 1995-2022 Jean-loup Gailly and Mark Adler\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the authors be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Jean-loup Gailly Mark Adler\n jloup@gzip.org madler@alumni.caltech.edu\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/Makefile", "content": "all:\n\t-@echo \"Please use ./configure first. Thank you.\"\n\ndistclean:\n\tmake -f Makefile.in distclean\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/Makefile.in", "content": "# Makefile for zlib\n# Copyright (C) 1995-2017 Jean-loup Gailly, Mark Adler\n# For conditions of distribution and use, see copyright notice in zlib.h\n\n# To compile and test, type:\n# ./configure; make test\n# Normally configure builds both a static and a shared library.\n# If you want to build just a static library, use: ./configure --static\n\n# To install /usr/local/lib/libz.* and /usr/local/include/zlib.h, type:\n# make install\n# To install in $HOME instead of /usr/local, use:\n# make install prefix=$HOME\n\nCC=cc\n\nCFLAGS=-O\n#CFLAGS=-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7\n#CFLAGS=-g -DZLIB_DEBUG\n#CFLAGS=-O3 -Wall -Wwrite-strings -Wpointer-arith -Wconversion \\\n# -Wstrict-prototypes -Wmissing-prototypes\n\nSFLAGS=-O\nLDFLAGS=\nTEST_LDFLAGS=$(LDFLAGS) -L. libz.a\nLDSHARED=$(CC)\nCPP=$(CC) -E\n\nSTATICLIB=libz.a\nSHAREDLIB=libz.so\nSHAREDLIBV=libz.so.1.3\nSHAREDLIBM=libz.so.1\nLIBS=$(STATICLIB) $(SHAREDLIBV)\n\nAR=ar\nARFLAGS=rc\nRANLIB=ranlib\nLDCONFIG=ldconfig\nLDSHAREDLIBC=-lc\nTAR=tar\nSHELL=/bin/sh\nEXE=\n\nprefix = /usr/local\nexec_prefix = ${prefix}\nlibdir = ${exec_prefix}/lib\nsharedlibdir = ${libdir}\nincludedir = ${prefix}/include\nmandir = ${prefix}/share/man\nman3dir = ${mandir}/man3\npkgconfigdir = ${libdir}/pkgconfig\nSRCDIR=\nZINC=\nZINCOUT=-I.\n\nOBJZ = adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o\nOBJG = compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o\nOBJC = $(OBJZ) $(OBJG)\n\nPIC_OBJZ = adler32.lo crc32.lo deflate.lo infback.lo inffast.lo inflate.lo inftrees.lo trees.lo zutil.lo\nPIC_OBJG = compress.lo uncompr.lo gzclose.lo gzlib.lo gzread.lo gzwrite.lo\nPIC_OBJC = $(PIC_OBJZ) $(PIC_OBJG)\n\n# to use the asm code: make OBJA=match.o, PIC_OBJA=match.lo\nOBJA =\nPIC_OBJA =\n\nOBJS = $(OBJC) $(OBJA)\n\nPIC_OBJS = $(PIC_OBJC) $(PIC_OBJA)\n\nall: static shared\n\nstatic: example$(EXE) minigzip$(EXE)\n\nshared: examplesh$(EXE) minigzipsh$(EXE)\n\nall64: example64$(EXE) minigzip64$(EXE)\n\ncheck: test\n\ntest: all teststatic testshared\n\nteststatic: static\n\t@TMPST=tmpst_$$; \\\n\tif echo hello world | ${QEMU_RUN} ./minigzip | ${QEMU_RUN} ./minigzip -d && ${QEMU_RUN} ./example $$TMPST ; then \\\n\t echo '\t\t*** zlib test OK ***'; \\\n\telse \\\n\t echo '\t\t*** zlib test FAILED ***'; false; \\\n\tfi\n\t@rm -f tmpst_$$\n\ntestshared: shared\n\t@LD_LIBRARY_PATH=`pwd`:$(LD_LIBRARY_PATH) ; export LD_LIBRARY_PATH; \\\n\tLD_LIBRARYN32_PATH=`pwd`:$(LD_LIBRARYN32_PATH) ; export LD_LIBRARYN32_PATH; \\\n\tDYLD_LIBRARY_PATH=`pwd`:$(DYLD_LIBRARY_PATH) ; export DYLD_LIBRARY_PATH; \\\n\tSHLIB_PATH=`pwd`:$(SHLIB_PATH) ; export SHLIB_PATH; \\\n\tTMPSH=tmpsh_$$; \\\n\tif echo hello world | ${QEMU_RUN} ./minigzipsh | ${QEMU_RUN} ./minigzipsh -d && ${QEMU_RUN} ./examplesh $$TMPSH; then \\\n\t echo '\t\t*** zlib shared test OK ***'; \\\n\telse \\\n\t echo '\t\t*** zlib shared test FAILED ***'; false; \\\n\tfi\n\t@rm -f tmpsh_$$\n\ntest64: all64\n\t@TMP64=tmp64_$$; \\\n\tif echo hello world | ${QEMU_RUN} ./minigzip64 | ${QEMU_RUN} ./minigzip64 -d && ${QEMU_RUN} ./example64 $$TMP64; then \\\n\t echo '\t\t*** zlib 64-bit test OK ***'; \\\n\telse \\\n\t echo '\t\t*** zlib 64-bit test FAILED ***'; false; \\\n\tfi\n\t@rm -f tmp64_$$\n\ninfcover.o: $(SRCDIR)test/infcover.c $(SRCDIR)zlib.h zconf.h\n\t$(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/infcover.c\n\ninfcover: infcover.o libz.a\n\t$(CC) $(CFLAGS) -o $@ infcover.o libz.a\n\ncover: infcover\n\trm -f *.gcda\n\t${QEMU_RUN} ./infcover\n\tgcov inf*.c\n\nlibz.a: $(OBJS)\n\t$(AR) $(ARFLAGS) $@ $(OBJS)\n\t-@ ($(RANLIB) $@ || true) >/dev/null 2>&1\n\nmatch.o: match.S\n\t$(CPP) match.S > _match.s\n\t$(CC) -c _match.s\n\tmv _match.o match.o\n\trm -f _match.s\n\nmatch.lo: match.S\n\t$(CPP) match.S > _match.s\n\t$(CC) -c -fPIC _match.s\n\tmv _match.o match.lo\n\trm -f _match.s\n\nexample.o: $(SRCDIR)test/example.c $(SRCDIR)zlib.h zconf.h\n\t$(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/example.c\n\nminigzip.o: $(SRCDIR)test/minigzip.c $(SRCDIR)zlib.h zconf.h\n\t$(CC) $(CFLAGS) $(ZINCOUT) -c -o $@ $(SRCDIR)test/minigzip.c\n\nexample64.o: $(SRCDIR)test/example.c $(SRCDIR)zlib.h zconf.h\n\t$(CC) $(CFLAGS) $(ZINCOUT) -D_FILE_OFFSET_BITS=64 -c -o $@ $(SRCDIR)test/example.c\n\nminigzip64.o: $(SRCDIR)test/minigzip.c $(SRCDIR)zlib.h zconf.h\n\t$(CC) $(CFLAGS) $(ZINCOUT) -D_FILE_OFFSET_BITS=64 -c -o $@ $(SRCDIR)test/minigzip.c\n\n\nadler32.o: $(SRCDIR)adler32.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)adler32.c\n\ncrc32.o: $(SRCDIR)crc32.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)crc32.c\n\ndeflate.o: $(SRCDIR)deflate.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)deflate.c\n\ninfback.o: $(SRCDIR)infback.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)infback.c\n\ninffast.o: $(SRCDIR)inffast.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inffast.c\n\ninflate.o: $(SRCDIR)inflate.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inflate.c\n\ninftrees.o: $(SRCDIR)inftrees.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)inftrees.c\n\ntrees.o: $(SRCDIR)trees.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)trees.c\n\nzutil.o: $(SRCDIR)zutil.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)zutil.c\n\ncompress.o: $(SRCDIR)compress.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)compress.c\n\nuncompr.o: $(SRCDIR)uncompr.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)uncompr.c\n\ngzclose.o: $(SRCDIR)gzclose.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzclose.c\n\ngzlib.o: $(SRCDIR)gzlib.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzlib.c\n\ngzread.o: $(SRCDIR)gzread.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzread.c\n\ngzwrite.o: $(SRCDIR)gzwrite.c\n\t$(CC) $(CFLAGS) $(ZINC) -c -o $@ $(SRCDIR)gzwrite.c\n\n\nadler32.lo: $(SRCDIR)adler32.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/adler32.o $(SRCDIR)adler32.c\n\t-@mv objs/adler32.o $@\n\ncrc32.lo: $(SRCDIR)crc32.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/crc32.o $(SRCDIR)crc32.c\n\t-@mv objs/crc32.o $@\n\ndeflate.lo: $(SRCDIR)deflate.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/deflate.o $(SRCDIR)deflate.c\n\t-@mv objs/deflate.o $@\n\ninfback.lo: $(SRCDIR)infback.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/infback.o $(SRCDIR)infback.c\n\t-@mv objs/infback.o $@\n\ninffast.lo: $(SRCDIR)inffast.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inffast.o $(SRCDIR)inffast.c\n\t-@mv objs/inffast.o $@\n\ninflate.lo: $(SRCDIR)inflate.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inflate.o $(SRCDIR)inflate.c\n\t-@mv objs/inflate.o $@\n\ninftrees.lo: $(SRCDIR)inftrees.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/inftrees.o $(SRCDIR)inftrees.c\n\t-@mv objs/inftrees.o $@\n\ntrees.lo: $(SRCDIR)trees.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/trees.o $(SRCDIR)trees.c\n\t-@mv objs/trees.o $@\n\nzutil.lo: $(SRCDIR)zutil.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/zutil.o $(SRCDIR)zutil.c\n\t-@mv objs/zutil.o $@\n\ncompress.lo: $(SRCDIR)compress.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/compress.o $(SRCDIR)compress.c\n\t-@mv objs/compress.o $@\n\nuncompr.lo: $(SRCDIR)uncompr.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/uncompr.o $(SRCDIR)uncompr.c\n\t-@mv objs/uncompr.o $@\n\ngzclose.lo: $(SRCDIR)gzclose.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzclose.o $(SRCDIR)gzclose.c\n\t-@mv objs/gzclose.o $@\n\ngzlib.lo: $(SRCDIR)gzlib.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzlib.o $(SRCDIR)gzlib.c\n\t-@mv objs/gzlib.o $@\n\ngzread.lo: $(SRCDIR)gzread.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzread.o $(SRCDIR)gzread.c\n\t-@mv objs/gzread.o $@\n\ngzwrite.lo: $(SRCDIR)gzwrite.c\n\t-@mkdir objs 2>/dev/null || test -d objs\n\t$(CC) $(SFLAGS) $(ZINC) -DPIC -c -o objs/gzwrite.o $(SRCDIR)gzwrite.c\n\t-@mv objs/gzwrite.o $@\n\n\nplacebo $(SHAREDLIBV): $(PIC_OBJS) libz.a\n\t$(LDSHARED) $(SFLAGS) -o $@ $(PIC_OBJS) $(LDSHAREDLIBC) $(LDFLAGS)\n\trm -f $(SHAREDLIB) $(SHAREDLIBM)\n\tln -s $@ $(SHAREDLIB)\n\tln -s $@ $(SHAREDLIBM)\n\t-@rmdir objs\n\nexample$(EXE): example.o $(STATICLIB)\n\t$(CC) $(CFLAGS) -o $@ example.o $(TEST_LDFLAGS)\n\nminigzip$(EXE): minigzip.o $(STATICLIB)\n\t$(CC) $(CFLAGS) -o $@ minigzip.o $(TEST_LDFLAGS)\n\nexamplesh$(EXE): example.o $(SHAREDLIBV)\n\t$(CC) $(CFLAGS) -o $@ example.o $(LDFLAGS) -L. $(SHAREDLIBV)\n\nminigzipsh$(EXE): minigzip.o $(SHAREDLIBV)\n\t$(CC) $(CFLAGS) -o $@ minigzip.o $(LDFLAGS) -L. $(SHAREDLIBV)\n\nexample64$(EXE): example64.o $(STATICLIB)\n\t$(CC) $(CFLAGS) -o $@ example64.o $(TEST_LDFLAGS)\n\nminigzip64$(EXE): minigzip64.o $(STATICLIB)\n\t$(CC) $(CFLAGS) -o $@ minigzip64.o $(TEST_LDFLAGS)\n\ninstall-libs: $(LIBS)\n\t-@if [ ! -d $(DESTDIR)$(exec_prefix) ]; then mkdir -p $(DESTDIR)$(exec_prefix); fi\n\t-@if [ ! -d $(DESTDIR)$(libdir) ]; then mkdir -p $(DESTDIR)$(libdir); fi\n\t-@if [ ! -d $(DESTDIR)$(sharedlibdir) ]; then mkdir -p $(DESTDIR)$(sharedlibdir); fi\n\t-@if [ ! -d $(DESTDIR)$(man3dir) ]; then mkdir -p $(DESTDIR)$(man3dir); fi\n\t-@if [ ! -d $(DESTDIR)$(pkgconfigdir) ]; then mkdir -p $(DESTDIR)$(pkgconfigdir); fi\n\trm -f $(DESTDIR)$(libdir)/$(STATICLIB)\n\tcp $(STATICLIB) $(DESTDIR)$(libdir)\n\tchmod 644 $(DESTDIR)$(libdir)/$(STATICLIB)\n\t-@($(RANLIB) $(DESTDIR)$(libdir)/libz.a || true) >/dev/null 2>&1\n\t-@if test -n \"$(SHAREDLIBV)\"; then \\\n\t rm -f $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV); \\\n\t cp $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir); \\\n\t echo \"cp $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)\"; \\\n\t chmod 755 $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV); \\\n\t echo \"chmod 755 $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBV)\"; \\\n\t rm -f $(DESTDIR)$(sharedlibdir)/$(SHAREDLIB) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBM); \\\n\t ln -s $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIB); \\\n\t ln -s $(SHAREDLIBV) $(DESTDIR)$(sharedlibdir)/$(SHAREDLIBM); \\\n\t ($(LDCONFIG) || true) >/dev/null 2>&1; \\\n\tfi\n\trm -f $(DESTDIR)$(man3dir)/zlib.3\n\tcp $(SRCDIR)zlib.3 $(DESTDIR)$(man3dir)\n\tchmod 644 $(DESTDIR)$(man3dir)/zlib.3\n\trm -f $(DESTDIR)$(pkgconfigdir)/zlib.pc\n\tcp zlib.pc $(DESTDIR)$(pkgconfigdir)\n\tchmod 644 $(DESTDIR)$(pkgconfigdir)/zlib.pc\n# The ranlib in install is needed on NeXTSTEP which checks file times\n# ldconfig is for Linux\n\ninstall: install-libs\n\t-@if [ ! -d $(DESTDIR)$(includedir) ]; then mkdir -p $(DESTDIR)$(includedir); fi\n\trm -f $(DESTDIR)$(includedir)/zlib.h $(DESTDIR)$(includedir)/zconf.h\n\tcp $(SRCDIR)zlib.h zconf.h $(DESTDIR)$(includedir)\n\tchmod 644 $(DESTDIR)$(includedir)/zlib.h $(DESTDIR)$(includedir)/zconf.h\n\nuninstall:\n\tcd $(DESTDIR)$(includedir) && rm -f zlib.h zconf.h\n\tcd $(DESTDIR)$(libdir) && rm -f libz.a; \\\n\tif test -n \"$(SHAREDLIBV)\" -a -f $(SHAREDLIBV); then \\\n\t rm -f $(SHAREDLIBV) $(SHAREDLIB) $(SHAREDLIBM); \\\n\tfi\n\tcd $(DESTDIR)$(man3dir) && rm -f zlib.3\n\tcd $(DESTDIR)$(pkgconfigdir) && rm -f zlib.pc\n\ndocs: zlib.3.pdf\n\nzlib.3.pdf: $(SRCDIR)zlib.3\n\tgroff -mandoc -f H -T ps $(SRCDIR)zlib.3 | ps2pdf - $@\n\nzconf.h.cmakein: $(SRCDIR)zconf.h.in\n\t-@ TEMPFILE=zconfh_$$; \\\n\techo \"/#define ZCONF_H/ a\\\\\\\\\\n#cmakedefine Z_PREFIX\\\\\\\\\\n#cmakedefine Z_HAVE_UNISTD_H\\n\" >> $$TEMPFILE &&\\\n\tsed -f $$TEMPFILE $(SRCDIR)zconf.h.in > $@ &&\\\n\ttouch -r $(SRCDIR)zconf.h.in $@ &&\\\n\trm $$TEMPFILE\n\nzconf: $(SRCDIR)zconf.h.in\n\tcp -p $(SRCDIR)zconf.h.in zconf.h\n\nminizip-test: static\n\tcd contrib/minizip && { CFLAGS=\"$(CFLAGS)\" $(MAKE) test ; cd ../.. ; }\n\nminizip-clean:\n\tcd contrib/minizip && { $(MAKE) clean ; cd ../.. ; }\n\nmostlyclean: clean\nclean: minizip-clean\n\trm -f *.o *.lo *~ \\\n\t example$(EXE) minigzip$(EXE) examplesh$(EXE) minigzipsh$(EXE) \\\n\t example64$(EXE) minigzip64$(EXE) \\\n\t infcover \\\n\t libz.* foo.gz so_locations \\\n\t _match.s maketree contrib/infback9/*.o\n\trm -rf objs\n\trm -f *.gcda *.gcno *.gcov\n\trm -f contrib/infback9/*.gcda contrib/infback9/*.gcno contrib/infback9/*.gcov\n\nmaintainer-clean: distclean\ndistclean: clean zconf zconf.h.cmakein\n\trm -f Makefile zlib.pc configure.log\n\t-@rm -f .DS_Store\n\t@if [ -f Makefile.in ]; then \\\n\tprintf 'all:\\n\\t-@echo \"Please use ./configure first. Thank you.\"\\n' > Makefile ; \\\n\tprintf '\\ndistclean:\\n\\tmake -f Makefile.in distclean\\n' >> Makefile ; \\\n\ttouch -r $(SRCDIR)Makefile.in Makefile ; fi\n\ntags:\n\tetags $(SRCDIR)*.[ch]\n\nadler32.o zutil.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h\ngzclose.o gzlib.o gzread.o gzwrite.o: $(SRCDIR)zlib.h zconf.h $(SRCDIR)gzguts.h\ncompress.o example.o minigzip.o uncompr.o: $(SRCDIR)zlib.h zconf.h\ncrc32.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)crc32.h\ndeflate.o: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h\ninfback.o inflate.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h $(SRCDIR)inffixed.h\ninffast.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h\ninftrees.o: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h\ntrees.o: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)trees.h\n\nadler32.lo zutil.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h\ngzclose.lo gzlib.lo gzread.lo gzwrite.lo: $(SRCDIR)zlib.h zconf.h $(SRCDIR)gzguts.h\ncompress.lo example.lo minigzip.lo uncompr.lo: $(SRCDIR)zlib.h zconf.h\ncrc32.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)crc32.h\ndeflate.lo: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h\ninfback.lo inflate.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h $(SRCDIR)inffixed.h\ninffast.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h $(SRCDIR)inflate.h $(SRCDIR)inffast.h\ninftrees.lo: $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)inftrees.h\ntrees.lo: $(SRCDIR)deflate.h $(SRCDIR)zutil.h $(SRCDIR)zlib.h zconf.h $(SRCDIR)trees.h\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/README", "content": "ZLIB DATA COMPRESSION LIBRARY\n\nzlib 1.3 is a general purpose data compression library. All the code is\nthread safe. The data format used by the zlib library is described by RFCs\n(Request for Comments) 1950 to 1952 in the files\nhttp://tools.ietf.org/html/rfc1950 (zlib format), rfc1951 (deflate format) and\nrfc1952 (gzip format).\n\nAll functions of the compression library are documented in the file zlib.h\n(volunteer to write man pages welcome, contact zlib@gzip.org). A usage example\nof the library is given in the file test/example.c which also tests that\nthe library is working correctly. Another example is given in the file\ntest/minigzip.c. The compression library itself is composed of all source\nfiles in the root directory.\n\nTo compile all files and run the test program, follow the instructions given at\nthe top of Makefile.in. In short \"./configure; make test\", and if that goes\nwell, \"make install\" should work for most flavors of Unix. For Windows, use\none of the special makefiles in win32/ or contrib/vstudio/ . For VMS, use\nmake_vms.com.\n\nQuestions about zlib should be sent to , or to Gilles Vollant\n for the Windows DLL version. The zlib home page is\nhttp://zlib.net/ . Before reporting a problem, please check this site to\nverify that you have the latest version of zlib; otherwise get the latest\nversion and check whether the problem still exists or not.\n\nPLEASE read the zlib FAQ http://zlib.net/zlib_faq.html before asking for help.\n\nMark Nelson wrote an article about zlib for the Jan. 1997\nissue of Dr. Dobb's Journal; a copy of the article is available at\nhttps://marknelson.us/posts/1997/01/01/zlib-engine.html .\n\nThe changes made in version 1.3 are documented in the file ChangeLog.\n\nUnsupported third party contributions are provided in directory contrib/ .\n\nzlib is available in Java using the java.util.zip package. Follow the API\nDocumentation link at: https://docs.oracle.com/search/?q=java.util.zip .\n\nA Perl interface to zlib and bzip2 written by Paul Marquess \ncan be found at https://github.com/pmqs/IO-Compress .\n\nA Python interface to zlib written by A.M. Kuchling is\navailable in Python 1.5 and later versions, see\nhttp://docs.python.org/library/zlib.html .\n\nzlib is built into tcl: http://wiki.tcl.tk/4610 .\n\nAn experimental package to read and write files in .zip format, written on top\nof zlib by Gilles Vollant , is available in the\ncontrib/minizip directory of zlib.\n\n\nNotes for some targets:\n\n- For Windows DLL versions, please see win32/DLL_FAQ.txt\n\n- For 64-bit Irix, deflate.c must be compiled without any optimization. With\n -O, one libpng test fails. The test works in 32 bit mode (with the -n32\n compiler flag). The compiler bug has been reported to SGI.\n\n- zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1 it works\n when compiled with cc.\n\n- On Digital Unix 4.0D (formerly OSF/1) on AlphaServer, the cc option -std1 is\n necessary to get gzprintf working correctly. This is done by configure.\n\n- zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with\n other compilers. Use \"make test\" to check your compiler.\n\n- gzdopen is not supported on RISCOS or BEOS.\n\n- For PalmOs, see http://palmzlib.sourceforge.net/\n\n\nAcknowledgments:\n\n The deflate format used by zlib was defined by Phil Katz. The deflate and\n zlib specifications were written by L. Peter Deutsch. Thanks to all the\n people who reported problems and suggested various improvements in zlib; they\n are too numerous to cite here.\n\nCopyright notice:\n\n (C) 1995-2023 Jean-loup Gailly and Mark Adler\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the authors be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Jean-loup Gailly Mark Adler\n jloup@gzip.org madler@alumni.caltech.edu\n\nIf you use the zlib library in a product, we would appreciate *not* receiving\nlengthy legal documents to sign. The sources are provided for free but without\nwarranty of any kind. The library has been entirely written by Jean-loup\nGailly and Mark Adler; it does not include third-party code. We make all\ncontributions to and distributions of this project solely in our personal\ncapacity, and are not conveying any rights to any intellectual property of\nany third parties.\n\nIf you redistribute modified sources, we would appreciate that you include in\nthe file ChangeLog history information documenting your changes. Please read\nthe FAQ for more information on the distribution of modified source versions.\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/adler32.c", "content": "/* adler32.c -- compute the Adler-32 checksum of a data stream\n * Copyright (C) 1995-2011, 2016 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#include \"zutil.h\"\n\n#define BASE 65521U /* largest prime smaller than 65536 */\n#define NMAX 5552\n/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */\n\n#define DO1(buf,i) {adler += (buf)[i]; sum2 += adler;}\n#define DO2(buf,i) DO1(buf,i); DO1(buf,i+1);\n#define DO4(buf,i) DO2(buf,i); DO2(buf,i+2);\n#define DO8(buf,i) DO4(buf,i); DO4(buf,i+4);\n#define DO16(buf) DO8(buf,0); DO8(buf,8);\n\n/* use NO_DIVIDE if your processor does not do division in hardware --\n try it both ways to see which is faster */\n#ifdef NO_DIVIDE\n/* note that this assumes BASE is 65521, where 65536 % 65521 == 15\n (thank you to John Reiser for pointing this out) */\n# define CHOP(a) \\\n do { \\\n unsigned long tmp = a >> 16; \\\n a &= 0xffffUL; \\\n a += (tmp << 4) - tmp; \\\n } while (0)\n# define MOD28(a) \\\n do { \\\n CHOP(a); \\\n if (a >= BASE) a -= BASE; \\\n } while (0)\n# define MOD(a) \\\n do { \\\n CHOP(a); \\\n MOD28(a); \\\n } while (0)\n# define MOD63(a) \\\n do { /* this assumes a is not negative */ \\\n z_off64_t tmp = a >> 32; \\\n a &= 0xffffffffL; \\\n a += (tmp << 8) - (tmp << 5) + tmp; \\\n tmp = a >> 16; \\\n a &= 0xffffL; \\\n a += (tmp << 4) - tmp; \\\n tmp = a >> 16; \\\n a &= 0xffffL; \\\n a += (tmp << 4) - tmp; \\\n if (a >= BASE) a -= BASE; \\\n } while (0)\n#else\n# define MOD(a) a %= BASE\n# define MOD28(a) a %= BASE\n# define MOD63(a) a %= BASE\n#endif\n\n/* ========================================================================= */\nuLong ZEXPORT adler32_z(uLong adler, const Bytef *buf, z_size_t len) {\n unsigned long sum2;\n unsigned n;\n\n /* split Adler-32 into component sums */\n sum2 = (adler >> 16) & 0xffff;\n adler &= 0xffff;\n\n /* in case user likes doing a byte at a time, keep it fast */\n if (len == 1) {\n adler += buf[0];\n if (adler >= BASE)\n adler -= BASE;\n sum2 += adler;\n if (sum2 >= BASE)\n sum2 -= BASE;\n return adler | (sum2 << 16);\n }\n\n /* initial Adler-32 value (deferred check for len == 1 speed) */\n if (buf == Z_NULL)\n return 1L;\n\n /* in case short lengths are provided, keep it somewhat fast */\n if (len < 16) {\n while (len--) {\n adler += *buf++;\n sum2 += adler;\n }\n if (adler >= BASE)\n adler -= BASE;\n MOD28(sum2); /* only added so many BASE's */\n return adler | (sum2 << 16);\n }\n\n /* do length NMAX blocks -- requires just one modulo operation */\n while (len >= NMAX) {\n len -= NMAX;\n n = NMAX / 16; /* NMAX is divisible by 16 */\n do {\n DO16(buf); /* 16 sums unrolled */\n buf += 16;\n } while (--n);\n MOD(adler);\n MOD(sum2);\n }\n\n /* do remaining bytes (less than NMAX, still just one modulo) */\n if (len) { /* avoid modulos if none remaining */\n while (len >= 16) {\n len -= 16;\n DO16(buf);\n buf += 16;\n }\n while (len--) {\n adler += *buf++;\n sum2 += adler;\n }\n MOD(adler);\n MOD(sum2);\n }\n\n /* return recombined sums */\n return adler | (sum2 << 16);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT adler32(uLong adler, const Bytef *buf, uInt len) {\n return adler32_z(adler, buf, len);\n}\n\n/* ========================================================================= */\nlocal uLong adler32_combine_(uLong adler1, uLong adler2, z_off64_t len2) {\n unsigned long sum1;\n unsigned long sum2;\n unsigned rem;\n\n /* for negative len, return invalid adler32 as a clue for debugging */\n if (len2 < 0)\n return 0xffffffffUL;\n\n /* the derivation of this formula is left as an exercise for the reader */\n MOD63(len2); /* assumes len2 >= 0 */\n rem = (unsigned)len2;\n sum1 = adler1 & 0xffff;\n sum2 = rem * sum1;\n MOD(sum2);\n sum1 += (adler2 & 0xffff) + BASE - 1;\n sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;\n if (sum1 >= BASE) sum1 -= BASE;\n if (sum1 >= BASE) sum1 -= BASE;\n if (sum2 >= ((unsigned long)BASE << 1)) sum2 -= ((unsigned long)BASE << 1);\n if (sum2 >= BASE) sum2 -= BASE;\n return sum1 | (sum2 << 16);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT adler32_combine(uLong adler1, uLong adler2, z_off_t len2) {\n return adler32_combine_(adler1, adler2, len2);\n}\n\nuLong ZEXPORT adler32_combine64(uLong adler1, uLong adler2, z_off64_t len2) {\n return adler32_combine_(adler1, adler2, len2);\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/amiga/Makefile.pup", "content": "# Amiga powerUP (TM) Makefile\n# makefile for libpng and SAS C V6.58/7.00 PPC compiler\n# Copyright (C) 1998 by Andreas R. Kleinert\n\nLIBNAME\t= libzip.a\n\nCC\t= scppc\nCFLAGS\t= NOSTKCHK NOSINT OPTIMIZE OPTGO OPTPEEP OPTINLOCAL OPTINL \\\n\t OPTLOOP OPTRDEP=8 OPTDEP=8 OPTCOMP=8 NOVER\nAR\t= ppc-amigaos-ar cr\nRANLIB\t= ppc-amigaos-ranlib\nLD\t= ppc-amigaos-ld -r\nLDFLAGS\t= -o\nLDLIBS\t= LIB:scppc.a LIB:end.o\nRM\t= delete quiet\n\nOBJS = adler32.o compress.o crc32.o gzclose.o gzlib.o gzread.o gzwrite.o \\\n uncompr.o deflate.o trees.o zutil.o inflate.o infback.o inftrees.o inffast.o\n\nTEST_OBJS = example.o minigzip.o\n\nall: example minigzip\n\ncheck: test\ntest: all\n\texample\n\techo hello world | minigzip | minigzip -d\n\n$(LIBNAME): $(OBJS)\n\t$(AR) $@ $(OBJS)\n\t-$(RANLIB) $@\n\nexample: example.o $(LIBNAME)\n\t$(LD) $(LDFLAGS) $@ LIB:c_ppc.o $@.o $(LIBNAME) $(LDLIBS)\n\nminigzip: minigzip.o $(LIBNAME)\n\t$(LD) $(LDFLAGS) $@ LIB:c_ppc.o $@.o $(LIBNAME) $(LDLIBS)\n\nmostlyclean: clean\nclean:\n\t$(RM) *.o example minigzip $(LIBNAME) foo.gz\n\nzip:\n\tzip -ul9 zlib README ChangeLog Makefile Make????.??? Makefile.?? \\\n\t descrip.mms *.[ch]\n\ntgz:\n\tcd ..; tar cfz zlib/zlib.tgz zlib/README zlib/ChangeLog zlib/Makefile \\\n\t zlib/Make????.??? zlib/Makefile.?? zlib/descrip.mms zlib/*.[ch]\n\n# DO NOT DELETE THIS LINE -- make depend depends on it.\n\nadler32.o: zlib.h zconf.h\ncompress.o: zlib.h zconf.h\ncrc32.o: crc32.h zlib.h zconf.h\ndeflate.o: deflate.h zutil.h zlib.h zconf.h\nexample.o: zlib.h zconf.h\ngzclose.o: zlib.h zconf.h gzguts.h\ngzlib.o: zlib.h zconf.h gzguts.h\ngzread.o: zlib.h zconf.h gzguts.h\ngzwrite.o: zlib.h zconf.h gzguts.h\ninffast.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninflate.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninfback.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninftrees.o: zutil.h zlib.h zconf.h inftrees.h\nminigzip.o: zlib.h zconf.h\ntrees.o: deflate.h zutil.h zlib.h zconf.h trees.h\nuncompr.o: zlib.h zconf.h\nzutil.o: zutil.h zlib.h zconf.h\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/amiga/Makefile.sas", "content": "# SMakefile for zlib\n# Modified from the standard UNIX Makefile Copyright Jean-loup Gailly\n# Osma Ahvenlampi \n# Amiga, SAS/C 6.56 & Smake\n\nCC=sc\nCFLAGS=OPT\n#CFLAGS=OPT CPU=68030\n#CFLAGS=DEBUG=LINE\nLDFLAGS=LIB z.lib\n\nSCOPTIONS=OPTSCHED OPTINLINE OPTALIAS OPTTIME OPTINLOCAL STRMERGE \\\n NOICONS PARMS=BOTH NOSTACKCHECK UTILLIB NOVERSION ERRORREXX \\\n DEF=POSTINC\n\nOBJS = adler32.o compress.o crc32.o gzclose.o gzlib.o gzread.o gzwrite.o \\\n uncompr.o deflate.o trees.o zutil.o inflate.o infback.o inftrees.o inffast.o\n\nTEST_OBJS = example.o minigzip.o\n\nall: SCOPTIONS example minigzip\n\ncheck: test\ntest: all\n\texample\n\techo hello world | minigzip | minigzip -d\n\ninstall: z.lib\n\tcopy clone zlib.h zconf.h INCLUDE:\n\tcopy clone z.lib LIB:\n\nz.lib: $(OBJS)\n\toml z.lib r $(OBJS)\n\nexample: example.o z.lib\n\t$(CC) $(CFLAGS) LINK TO $@ example.o $(LDFLAGS)\n\nminigzip: minigzip.o z.lib\n\t$(CC) $(CFLAGS) LINK TO $@ minigzip.o $(LDFLAGS)\n\nmostlyclean: clean\nclean:\n\t-delete force quiet example minigzip *.o z.lib foo.gz *.lnk SCOPTIONS\n\nSCOPTIONS: Makefile.sas\n\tcopy to $@ (uLong)max ? max : (uInt)left;\n left -= stream.avail_out;\n }\n if (stream.avail_in == 0) {\n stream.avail_in = sourceLen > (uLong)max ? max : (uInt)sourceLen;\n sourceLen -= stream.avail_in;\n }\n err = deflate(&stream, sourceLen ? Z_NO_FLUSH : Z_FINISH);\n } while (err == Z_OK);\n\n *destLen = stream.total_out;\n deflateEnd(&stream);\n return err == Z_STREAM_END ? Z_OK : err;\n}\n\n/* ===========================================================================\n */\nint ZEXPORT compress(Bytef *dest, uLongf *destLen, const Bytef *source,\n uLong sourceLen) {\n return compress2(dest, destLen, source, sourceLen, Z_DEFAULT_COMPRESSION);\n}\n\n/* ===========================================================================\n If the default memLevel or windowBits for deflateInit() is changed, then\n this function needs to be updated.\n */\nuLong ZEXPORT compressBound(uLong sourceLen) {\n return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) +\n (sourceLen >> 25) + 13;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/configure", "content": "#!/bin/sh\n# configure script for zlib.\n#\n# Normally configure builds both a static and a shared library.\n# If you want to build just a static library, use: ./configure --static\n#\n# To impose specific compiler or flags or install directory, use for example:\n# prefix=$HOME CC=cc CFLAGS=\"-O4\" ./configure\n# or for csh/tcsh users:\n# (setenv prefix $HOME; setenv CC cc; setenv CFLAGS \"-O4\"; ./configure)\n\n# Incorrect settings of CC or CFLAGS may prevent creating a shared library.\n# If you have problems, try without defining CC and CFLAGS before reporting\n# an error.\n\n# start off configure.log\necho -------------------- >> configure.log\necho $0 $* >> configure.log\ndate >> configure.log\n\n# get source directory\nSRCDIR=`dirname $0`\nif test $SRCDIR = \".\"; then\n ZINC=\"\"\n ZINCOUT=\"-I.\"\n SRCDIR=\"\"\nelse\n ZINC='-include zconf.h'\n ZINCOUT='-I. -I$(SRCDIR)'\n SRCDIR=\"$SRCDIR/\"\nfi\n\n# set command prefix for cross-compilation\nif [ -n \"${CHOST}\" ]; then\n uname=${CHOST}\n mname=${CHOST}\n CROSS_PREFIX=\"${CHOST}-\"\nelse\n mname=`(uname -a || echo unknown) 2>/dev/null`\nfi\n\n# destination name for static library\nSTATICLIB=libz.a\n\n# extract zlib version numbers from zlib.h\nVER=`sed -n -e '/VERSION \"/s/.*\"\\(.*\\)\".*/\\1/p' < ${SRCDIR}zlib.h`\nVER1=`sed -n -e '/VERSION \"/s/.*\"\\([0-9]*\\)\\\\..*/\\1/p' < ${SRCDIR}zlib.h`\n\n# establish commands for library building\nif \"${CROSS_PREFIX}ar\" --version >/dev/null 2>/dev/null || test $? -lt 126; then\n AR=${AR-\"${CROSS_PREFIX}ar\"}\n test -n \"${CROSS_PREFIX}\" && echo Using ${AR} | tee -a configure.log\nelse\n AR=${AR-\"ar\"}\n test -n \"${CROSS_PREFIX}\" && echo Using ${AR} | tee -a configure.log\nfi\nARFLAGS=${ARFLAGS-\"rc\"}\nif \"${CROSS_PREFIX}ranlib\" --version >/dev/null 2>/dev/null || test $? -lt 126; then\n RANLIB=${RANLIB-\"${CROSS_PREFIX}ranlib\"}\n test -n \"${CROSS_PREFIX}\" && echo Using ${RANLIB} | tee -a configure.log\nelse\n RANLIB=${RANLIB-\"ranlib\"}\nfi\nif \"${CROSS_PREFIX}nm\" --version >/dev/null 2>/dev/null || test $? -lt 126; then\n NM=${NM-\"${CROSS_PREFIX}nm\"}\n test -n \"${CROSS_PREFIX}\" && echo Using ${NM} | tee -a configure.log\nelse\n NM=${NM-\"nm\"}\nfi\n\n# set defaults before processing command line options\nLDCONFIG=${LDCONFIG-\"ldconfig\"}\nLDSHAREDLIBC=\"${LDSHAREDLIBC--lc}\"\nARCHS=\nprefix=${prefix-/usr/local}\nexec_prefix=${exec_prefix-'${prefix}'}\nlibdir=${libdir-'${exec_prefix}/lib'}\nsharedlibdir=${sharedlibdir-'${libdir}'}\nincludedir=${includedir-'${prefix}/include'}\nmandir=${mandir-'${prefix}/share/man'}\nshared_ext='.so'\nshared=1\nsolo=0\ncover=0\nzprefix=0\nzconst=0\nbuild64=0\ngcc=0\nwarn=0\ndebug=0\naddress=0\nmemory=0\nold_cc=\"$CC\"\nold_cflags=\"$CFLAGS\"\nOBJC='$(OBJZ) $(OBJG)'\nPIC_OBJC='$(PIC_OBJZ) $(PIC_OBJG)'\n\n# leave this script, optionally in a bad way\nleave()\n{\n if test \"$*\" != \"0\"; then\n echo \"** $0 aborting.\" | tee -a configure.log\n fi\n rm -rf $test.[co] $test $test$shared_ext $test.gcno $test.dSYM ./--version\n echo -------------------- >> configure.log\n echo >> configure.log\n echo >> configure.log\n exit $1\n}\n\n# process command line options\nwhile test $# -ge 1\ndo\ncase \"$1\" in\n -h* | --help)\n echo 'usage:' | tee -a configure.log\n echo ' configure [--const] [--zprefix] [--prefix=PREFIX] [--eprefix=EXPREFIX]' | tee -a configure.log\n echo ' [--static] [--64] [--libdir=LIBDIR] [--sharedlibdir=LIBDIR]' | tee -a configure.log\n echo ' [--includedir=INCLUDEDIR] [--archs=\"-arch i386 -arch x86_64\"]' | tee -a configure.log\n exit 0 ;;\n -p*=* | --prefix=*) prefix=`echo $1 | sed 's/.*=//'`; shift ;;\n -e*=* | --eprefix=*) exec_prefix=`echo $1 | sed 's/.*=//'`; shift ;;\n -l*=* | --libdir=*) libdir=`echo $1 | sed 's/.*=//'`; shift ;;\n --sharedlibdir=*) sharedlibdir=`echo $1 | sed 's/.*=//'`; shift ;;\n -i*=* | --includedir=*) includedir=`echo $1 | sed 's/.*=//'`;shift ;;\n -u*=* | --uname=*) uname=`echo $1 | sed 's/.*=//'`;shift ;;\n -p* | --prefix) prefix=\"$2\"; shift; shift ;;\n -e* | --eprefix) exec_prefix=\"$2\"; shift; shift ;;\n -l* | --libdir) libdir=\"$2\"; shift; shift ;;\n -i* | --includedir) includedir=\"$2\"; shift; shift ;;\n -s* | --shared | --enable-shared) shared=1; shift ;;\n -t | --static) shared=0; shift ;;\n --solo) solo=1; shift ;;\n --cover) cover=1; shift ;;\n -z* | --zprefix) zprefix=1; shift ;;\n -6* | --64) build64=1; shift ;;\n -a*=* | --archs=*) ARCHS=`echo $1 | sed 's/.*=//'`; shift ;;\n --sysconfdir=*) echo \"ignored option: --sysconfdir\" | tee -a configure.log; shift ;;\n --localstatedir=*) echo \"ignored option: --localstatedir\" | tee -a configure.log; shift ;;\n -c* | --const) zconst=1; shift ;;\n -w* | --warn) warn=1; shift ;;\n -d* | --debug) debug=1; shift ;;\n --sanitize) address=1; shift ;;\n --address) address=1; shift ;;\n --memory) memory=1; shift ;;\n *)\n echo \"unknown option: $1\" | tee -a configure.log\n echo \"$0 --help for help\" | tee -a configure.log\n leave 1;;\n esac\ndone\n\n# temporary file name\ntest=ztest$$\n\n# put arguments in log, also put test file in log if used in arguments\nshow()\n{\n case \"$*\" in\n *$test.c*)\n echo === $test.c === >> configure.log\n cat $test.c >> configure.log\n echo === >> configure.log;;\n esac\n echo $* >> configure.log\n}\n\n# check for gcc vs. cc and set compile and link flags based on the system identified by uname\ncat > $test.c </dev/null 2>&1; then\n cc=${CROSS_PREFIX}gcc\n else\n cc=${CROSS_PREFIX}cc\n fi\nelse\n cc=${CC}\nfi\n\ncase \"$cc\" in\n *gcc*) gcc=1 ;;\n *clang*) gcc=1 ;;\nesac\ncase `$cc -v 2>&1` in\n *gcc*) gcc=1 ;;\n *clang*) gcc=1 ;;\nesac\n\nshow $cc -c $test.c\nif test \"$gcc\" -eq 1 && ($cc -c $test.c) >> configure.log 2>&1; then\n echo ... using gcc >> configure.log\n CC=\"$cc\"\n CFLAGS=\"${CFLAGS--O3}\"\n SFLAGS=\"${CFLAGS--O3} -fPIC\"\n if test \"$ARCHS\"; then\n CFLAGS=\"${CFLAGS} ${ARCHS}\"\n LDFLAGS=\"${LDFLAGS} ${ARCHS}\"\n fi\n if test $build64 -eq 1; then\n CFLAGS=\"${CFLAGS} -m64\"\n SFLAGS=\"${SFLAGS} -m64\"\n fi\n if test \"$warn\" -eq 1; then\n if test \"$zconst\" -eq 1; then\n CFLAGS=\"${CFLAGS} -Wall -Wextra -Wcast-qual -DZLIB_CONST\"\n else\n CFLAGS=\"${CFLAGS} -Wall -Wextra\"\n fi\n fi\n if test $address -eq 1; then\n CFLAGS=\"${CFLAGS} -g -fsanitize=address -fno-omit-frame-pointer\"\n fi\n if test $memory -eq 1; then\n CFLAGS=\"${CFLAGS} -g -fsanitize=memory -fno-omit-frame-pointer\"\n fi\n if test $debug -eq 1; then\n CFLAGS=\"${CFLAGS} -DZLIB_DEBUG\"\n SFLAGS=\"${SFLAGS} -DZLIB_DEBUG\"\n fi\n if test -z \"$uname\"; then\n uname=`(uname -s || echo unknown) 2>/dev/null`\n fi\n case \"$uname\" in\n Linux* | linux* | *-linux* | GNU | GNU/* | solaris*)\n case \"$mname\" in\n *sparc*)\n LDFLAGS=\"${LDFLAGS} -Wl,--no-warn-rwx-segments\" ;;\n esac\n LDSHARED=${LDSHARED-\"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map\"} ;;\n *BSD | *bsd* | DragonFly)\n LDSHARED=${LDSHARED-\"$cc -shared -Wl,-soname,libz.so.1,--version-script,${SRCDIR}zlib.map\"}\n LDCONFIG=\"ldconfig -m\" ;;\n CYGWIN* | Cygwin* | cygwin* | *-cygwin* | OS/2*)\n EXE='.exe' ;;\n MINGW* | mingw* | *-mingw*)\n rm -f $test.[co] $test $test$shared_ext\n echo \"If this doesn't work for you, try win32/Makefile.gcc.\" | tee -a configure.log\n LDSHARED=${LDSHARED-\"$cc -shared\"}\n LDSHAREDLIBC=\"\"\n EXE='.exe' ;;\n QNX*) # This is for QNX6. I suppose that the QNX rule below is for QNX2,QNX4\n # (alain.bonnefoy@icbt.com)\n LDSHARED=${LDSHARED-\"$cc -shared -Wl,-hlibz.so.1\"} ;;\n HP-UX*)\n LDSHARED=${LDSHARED-\"$cc -shared $SFLAGS\"}\n case `(uname -m || echo unknown) 2>/dev/null` in\n ia64)\n shared_ext='.so'\n SHAREDLIB='libz.so' ;;\n *)\n shared_ext='.sl'\n SHAREDLIB='libz.sl' ;;\n esac ;;\n AIX*)\n LDFLAGS=\"${LDFLAGS} -Wl,-brtl\" ;;\n Darwin* | darwin* | *-darwin*)\n shared_ext='.dylib'\n SHAREDLIB=libz$shared_ext\n SHAREDLIBV=libz.$VER$shared_ext\n SHAREDLIBM=libz.$VER1$shared_ext\n LDSHARED=${LDSHARED-\"$cc -dynamiclib -install_name $libdir/$SHAREDLIBM -compatibility_version $VER1 -current_version $VER\"}\n if \"${CROSS_PREFIX}libtool\" -V 2>&1 | grep Apple > /dev/null; then\n AR=\"${CROSS_PREFIX}libtool\"\n elif libtool -V 2>&1 | grep Apple > /dev/null; then\n AR=\"libtool\"\n else\n AR=\"/usr/bin/libtool\"\n fi\n ARFLAGS=\"-o\" ;;\n *)\n LDSHARED=${LDSHARED-\"$cc -shared\"} ;;\n esac\nelse\n # find system name and corresponding cc options\n CC=${CC-cc}\n gcc=0\n echo ... using $CC >> configure.log\n if test -z \"$uname\"; then\n uname=`(uname -sr || echo unknown) 2>/dev/null`\n fi\n case \"$uname\" in\n HP-UX*) SFLAGS=${CFLAGS-\"-O +z\"}\n CFLAGS=${CFLAGS-\"-O\"}\n# LDSHARED=${LDSHARED-\"ld -b +vnocompatwarnings\"}\n LDSHARED=${LDSHARED-\"ld -b\"}\n case `(uname -m || echo unknown) 2>/dev/null` in\n ia64)\n shared_ext='.so'\n SHAREDLIB='libz.so' ;;\n *)\n shared_ext='.sl'\n SHAREDLIB='libz.sl' ;;\n esac ;;\n IRIX*) SFLAGS=${CFLAGS-\"-ansi -O2 -rpath .\"}\n CFLAGS=${CFLAGS-\"-ansi -O2\"}\n LDSHARED=${LDSHARED-\"cc -shared -Wl,-soname,libz.so.1\"} ;;\n OSF1\\ V4*) SFLAGS=${CFLAGS-\"-O -std1\"}\n CFLAGS=${CFLAGS-\"-O -std1\"}\n LDFLAGS=\"${LDFLAGS} -Wl,-rpath,.\"\n LDSHARED=${LDSHARED-\"cc -shared -Wl,-soname,libz.so -Wl,-msym -Wl,-rpath,$(libdir) -Wl,-set_version,${VER}:1.0\"} ;;\n OSF1*) SFLAGS=${CFLAGS-\"-O -std1\"}\n CFLAGS=${CFLAGS-\"-O -std1\"}\n LDSHARED=${LDSHARED-\"cc -shared -Wl,-soname,libz.so.1\"} ;;\n QNX*) SFLAGS=${CFLAGS-\"-4 -O\"}\n CFLAGS=${CFLAGS-\"-4 -O\"}\n LDSHARED=${LDSHARED-\"cc\"}\n RANLIB=${RANLIB-\"true\"}\n AR=\"cc\"\n ARFLAGS=\"-A\" ;;\n SCO_SV\\ 3.2*) SFLAGS=${CFLAGS-\"-O3 -dy -KPIC \"}\n CFLAGS=${CFLAGS-\"-O3\"}\n LDSHARED=${LDSHARED-\"cc -dy -KPIC -G\"} ;;\n SunOS\\ 5* | solaris*)\n LDSHARED=${LDSHARED-\"cc -G -h libz$shared_ext.$VER1\"}\n SFLAGS=${CFLAGS-\"-fast -KPIC\"}\n CFLAGS=${CFLAGS-\"-fast\"}\n if test $build64 -eq 1; then\n # old versions of SunPRO/Workshop/Studio don't support -m64,\n # but newer ones do. Check for it.\n flag64=`$CC -flags | egrep -- '^-m64'`\n if test x\"$flag64\" != x\"\" ; then\n CFLAGS=\"${CFLAGS} -m64\"\n SFLAGS=\"${SFLAGS} -m64\"\n else\n case `(uname -m || echo unknown) 2>/dev/null` in\n i86*)\n SFLAGS=\"$SFLAGS -xarch=amd64\"\n CFLAGS=\"$CFLAGS -xarch=amd64\" ;;\n *)\n SFLAGS=\"$SFLAGS -xarch=v9\"\n CFLAGS=\"$CFLAGS -xarch=v9\" ;;\n esac\n fi\n fi\n if test -n \"$ZINC\"; then\n ZINC='-I- -I. -I$(SRCDIR)'\n fi\n ;;\n SunOS\\ 4*) SFLAGS=${CFLAGS-\"-O2 -PIC\"}\n CFLAGS=${CFLAGS-\"-O2\"}\n LDSHARED=${LDSHARED-\"ld\"} ;;\n SunStudio\\ 9*) SFLAGS=${CFLAGS-\"-fast -xcode=pic32 -xtarget=ultra3 -xarch=v9b\"}\n CFLAGS=${CFLAGS-\"-fast -xtarget=ultra3 -xarch=v9b\"}\n LDSHARED=${LDSHARED-\"cc -xarch=v9b\"} ;;\n UNIX_System_V\\ 4.2.0)\n SFLAGS=${CFLAGS-\"-KPIC -O\"}\n CFLAGS=${CFLAGS-\"-O\"}\n LDSHARED=${LDSHARED-\"cc -G\"} ;;\n UNIX_SV\\ 4.2MP)\n SFLAGS=${CFLAGS-\"-Kconform_pic -O\"}\n CFLAGS=${CFLAGS-\"-O\"}\n LDSHARED=${LDSHARED-\"cc -G\"} ;;\n OpenUNIX\\ 5)\n SFLAGS=${CFLAGS-\"-KPIC -O\"}\n CFLAGS=${CFLAGS-\"-O\"}\n LDSHARED=${LDSHARED-\"cc -G\"} ;;\n AIX*) # Courtesy of dbakker@arrayasolutions.com\n SFLAGS=${CFLAGS-\"-O -qmaxmem=8192\"}\n CFLAGS=${CFLAGS-\"-O -qmaxmem=8192\"}\n LDSHARED=${LDSHARED-\"xlc -G\"} ;;\n # send working options for other systems to zlib@gzip.org\n *) SFLAGS=${CFLAGS-\"-O\"}\n CFLAGS=${CFLAGS-\"-O\"}\n LDSHARED=${LDSHARED-\"cc -shared\"} ;;\n esac\nfi\n\n# destination names for shared library if not defined above\nSHAREDLIB=${SHAREDLIB-\"libz$shared_ext\"}\nSHAREDLIBV=${SHAREDLIBV-\"libz$shared_ext.$VER\"}\nSHAREDLIBM=${SHAREDLIBM-\"libz$shared_ext.$VER1\"}\n\necho >> configure.log\n\n# define functions for testing compiler and library characteristics and logging the results\n\ncat > $test.c </dev/null; then\n try()\n {\n show $*\n test \"`( $* ) 2>&1 | tee -a configure.log`\" = \"\"\n }\n echo - using any output from compiler to indicate an error >> configure.log\nelse\n try()\n {\n show $*\n got=`( $* ) 2>&1`\n ret=$?\n if test \"$got\" != \"\"; then\n printf \"%s\\n\" \"$got\" >> configure.log\n fi\n if test $ret -ne 0; then\n echo \"(exit code \"$ret\")\" >> configure.log\n fi\n return $ret\n }\nfi\n\ntryboth()\n{\n show $*\n got=`( $* ) 2>&1`\n ret=$?\n if test \"$got\" != \"\"; then\n printf \"%s\\n\" \"$got\" >> configure.log\n fi\n if test $ret -ne 0; then\n echo \"(exit code \"$ret\")\" >> configure.log\n return $ret\n fi\n test \"$got\" = \"\"\n}\n\ncat > $test.c << EOF\nint foo() { return 0; }\nEOF\necho \"Checking for obsessive-compulsive compiler options...\" >> configure.log\nif try $CC -c $CFLAGS $test.c; then\n :\nelse\n echo \"Compiler error reporting is too harsh for $0 (perhaps remove -Werror).\" | tee -a configure.log\n leave 1\nfi\n\necho >> configure.log\n\n# see if shared library build supported\ncat > $test.c <> configure.log\n\n# check for size_t\ncat > $test.c <\n#include \nsize_t dummy = 0;\nEOF\nif try $CC -c $CFLAGS $test.c; then\n echo \"Checking for size_t... Yes.\" | tee -a configure.log\nelse\n echo \"Checking for size_t... No.\" | tee -a configure.log\n # find a size_t integer type\n # check for long long\n cat > $test.c << EOF\nlong long dummy = 0;\nEOF\n if try $CC -c $CFLAGS $test.c; then\n echo \"Checking for long long... Yes.\" | tee -a configure.log\n cat > $test.c <\nint main(void) {\n if (sizeof(void *) <= sizeof(int)) puts(\"int\");\n else if (sizeof(void *) <= sizeof(long)) puts(\"long\");\n else puts(\"z_longlong\");\n return 0;\n}\nEOF\n else\n echo \"Checking for long long... No.\" | tee -a configure.log\n cat > $test.c <\nint main(void) {\n if (sizeof(void *) <= sizeof(int)) puts(\"int\");\n else puts(\"long\");\n return 0;\n}\nEOF\n fi\n if try $CC $CFLAGS -o $test $test.c; then\n sizet=`./$test`\n echo \"Checking for a pointer-size integer type...\" $sizet\".\" | tee -a configure.log\n CFLAGS=\"${CFLAGS} -DNO_SIZE_T=${sizet}\"\n SFLAGS=\"${SFLAGS} -DNO_SIZE_T=${sizet}\"\n else\n echo \"Checking for a pointer-size integer type... not found.\" | tee -a configure.log\n fi\nfi\n\necho >> configure.log\n\n# check for large file support, and if none, check for fseeko()\ncat > $test.c <\noff64_t dummy = 0;\nEOF\nif try $CC -c $CFLAGS -D_LARGEFILE64_SOURCE=1 $test.c; then\n CFLAGS=\"${CFLAGS} -D_LARGEFILE64_SOURCE=1\"\n SFLAGS=\"${SFLAGS} -D_LARGEFILE64_SOURCE=1\"\n ALL=\"${ALL} all64\"\n TEST=\"${TEST} test64\"\n echo \"Checking for off64_t... Yes.\" | tee -a configure.log\n echo \"Checking for fseeko... Yes.\" | tee -a configure.log\nelse\n echo \"Checking for off64_t... No.\" | tee -a configure.log\n echo >> configure.log\n cat > $test.c <\nint main(void) {\n fseeko(NULL, 0, 0);\n return 0;\n}\nEOF\n if try $CC $CFLAGS -o $test $test.c; then\n echo \"Checking for fseeko... Yes.\" | tee -a configure.log\n else\n CFLAGS=\"${CFLAGS} -DNO_FSEEKO\"\n SFLAGS=\"${SFLAGS} -DNO_FSEEKO\"\n echo \"Checking for fseeko... No.\" | tee -a configure.log\n fi\nfi\n\necho >> configure.log\n\n# check for strerror() for use by gz* functions\ncat > $test.c <\n#include \nint main() { return strlen(strerror(errno)); }\nEOF\nif try $CC $CFLAGS -o $test $test.c; then\n echo \"Checking for strerror... Yes.\" | tee -a configure.log\nelse\n CFLAGS=\"${CFLAGS} -DNO_STRERROR\"\n SFLAGS=\"${SFLAGS} -DNO_STRERROR\"\n echo \"Checking for strerror... No.\" | tee -a configure.log\nfi\n\n# copy clean zconf.h for subsequent edits\ncp -p ${SRCDIR}zconf.h.in zconf.h\n\necho >> configure.log\n\n# check for unistd.h and save result in zconf.h\ncat > $test.c <\nint main() { return 0; }\nEOF\nif try $CC -c $CFLAGS $test.c; then\n sed < zconf.h \"/^#ifdef HAVE_UNISTD_H.* may be/s/def HAVE_UNISTD_H\\(.*\\) may be/ 1\\1 was/\" > zconf.temp.h\n mv zconf.temp.h zconf.h\n echo \"Checking for unistd.h... Yes.\" | tee -a configure.log\nelse\n echo \"Checking for unistd.h... No.\" | tee -a configure.log\nfi\n\necho >> configure.log\n\n# check for stdarg.h and save result in zconf.h\ncat > $test.c <\nint main() { return 0; }\nEOF\nif try $CC -c $CFLAGS $test.c; then\n sed < zconf.h \"/^#ifdef HAVE_STDARG_H.* may be/s/def HAVE_STDARG_H\\(.*\\) may be/ 1\\1 was/\" > zconf.temp.h\n mv zconf.temp.h zconf.h\n echo \"Checking for stdarg.h... Yes.\" | tee -a configure.log\nelse\n echo \"Checking for stdarg.h... No.\" | tee -a configure.log\nfi\n\n# if the z_ prefix was requested, save that in zconf.h\nif test $zprefix -eq 1; then\n sed < zconf.h \"/#ifdef Z_PREFIX.* may be/s/def Z_PREFIX\\(.*\\) may be/ 1\\1 was/\" > zconf.temp.h\n mv zconf.temp.h zconf.h\n echo >> configure.log\n echo \"Using z_ prefix on all symbols.\" | tee -a configure.log\nfi\n\n# if --solo compilation was requested, save that in zconf.h and remove gz stuff from object lists\nif test $solo -eq 1; then\n sed '/#define ZCONF_H/a\\\n#define Z_SOLO\n\n' < zconf.h > zconf.temp.h\n mv zconf.temp.h zconf.h\nOBJC='$(OBJZ)'\nPIC_OBJC='$(PIC_OBJZ)'\nfi\n\n# if code coverage testing was requested, use older gcc if defined, e.g. \"gcc-4.2\" on Mac OS X\nif test $cover -eq 1; then\n CFLAGS=\"${CFLAGS} -fprofile-arcs -ftest-coverage\"\n if test -n \"$GCC_CLASSIC\"; then\n CC=$GCC_CLASSIC\n fi\nfi\n\necho >> configure.log\n\n# conduct a series of tests to resolve eight possible cases of using \"vs\" or \"s\" printf functions\n# (using stdarg or not), with or without \"n\" (proving size of buffer), and with or without a\n# return value. The most secure result is vsnprintf() with a return value. snprintf() with a\n# return value is secure as well, but then gzprintf() will be limited to 20 arguments.\ncat > $test.c <\n#include \n#include \"zconf.h\"\nint main()\n{\n#ifndef STDC\n choke me\n#endif\n return 0;\n}\nEOF\nif try $CC -c $CFLAGS $test.c; then\n echo \"Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().\" | tee -a configure.log\n\n echo >> configure.log\n cat > $test.c <\n#include \nint mytest(const char *fmt, ...)\n{\n char buf[20];\n va_list ap;\n va_start(ap, fmt);\n vsnprintf(buf, sizeof(buf), fmt, ap);\n va_end(ap);\n return 0;\n}\nint main()\n{\n return (mytest(\"Hello%d\\n\", 1));\n}\nEOF\n if try $CC $CFLAGS -o $test $test.c; then\n echo \"Checking for vsnprintf() in stdio.h... Yes.\" | tee -a configure.log\n\n echo >> configure.log\n cat >$test.c <\n#include \nint mytest(const char *fmt, ...)\n{\n int n;\n char buf[20];\n va_list ap;\n va_start(ap, fmt);\n n = vsnprintf(buf, sizeof(buf), fmt, ap);\n va_end(ap);\n return n;\n}\nint main()\n{\n return (mytest(\"Hello%d\\n\", 1));\n}\nEOF\n\n if try $CC -c $CFLAGS $test.c; then\n echo \"Checking for return value of vsnprintf()... Yes.\" | tee -a configure.log\n else\n CFLAGS=\"$CFLAGS -DHAS_vsnprintf_void\"\n SFLAGS=\"$SFLAGS -DHAS_vsnprintf_void\"\n echo \"Checking for return value of vsnprintf()... No.\" | tee -a configure.log\n echo \" WARNING: apparently vsnprintf() does not return a value. zlib\" | tee -a configure.log\n echo \" can build but will be open to possible string-format security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n fi\n else\n CFLAGS=\"$CFLAGS -DNO_vsnprintf\"\n SFLAGS=\"$SFLAGS -DNO_vsnprintf\"\n echo \"Checking for vsnprintf() in stdio.h... No.\" | tee -a configure.log\n echo \" WARNING: vsnprintf() not found, falling back to vsprintf(). zlib\" | tee -a configure.log\n echo \" can build but will be open to possible buffer-overflow security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n\n echo >> configure.log\n cat >$test.c <\n#include \nint mytest(const char *fmt, ...)\n{\n int n;\n char buf[20];\n va_list ap;\n va_start(ap, fmt);\n n = vsprintf(buf, fmt, ap);\n va_end(ap);\n return n;\n}\nint main()\n{\n return (mytest(\"Hello%d\\n\", 1));\n}\nEOF\n\n if try $CC -c $CFLAGS $test.c; then\n echo \"Checking for return value of vsprintf()... Yes.\" | tee -a configure.log\n else\n CFLAGS=\"$CFLAGS -DHAS_vsprintf_void\"\n SFLAGS=\"$SFLAGS -DHAS_vsprintf_void\"\n echo \"Checking for return value of vsprintf()... No.\" | tee -a configure.log\n echo \" WARNING: apparently vsprintf() does not return a value. zlib\" | tee -a configure.log\n echo \" can build but will be open to possible string-format security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n fi\n fi\nelse\n echo \"Checking whether to use vs[n]printf() or s[n]printf()... using s[n]printf().\" | tee -a configure.log\n\n echo >> configure.log\n cat >$test.c <\nint mytest()\n{\n char buf[20];\n snprintf(buf, sizeof(buf), \"%s\", \"foo\");\n return 0;\n}\nint main()\n{\n return (mytest());\n}\nEOF\n\n if try $CC $CFLAGS -o $test $test.c; then\n echo \"Checking for snprintf() in stdio.h... Yes.\" | tee -a configure.log\n\n echo >> configure.log\n cat >$test.c <\nint mytest()\n{\n char buf[20];\n return snprintf(buf, sizeof(buf), \"%s\", \"foo\");\n}\nint main()\n{\n return (mytest());\n}\nEOF\n\n if try $CC -c $CFLAGS $test.c; then\n echo \"Checking for return value of snprintf()... Yes.\" | tee -a configure.log\n else\n CFLAGS=\"$CFLAGS -DHAS_snprintf_void\"\n SFLAGS=\"$SFLAGS -DHAS_snprintf_void\"\n echo \"Checking for return value of snprintf()... No.\" | tee -a configure.log\n echo \" WARNING: apparently snprintf() does not return a value. zlib\" | tee -a configure.log\n echo \" can build but will be open to possible string-format security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n fi\n else\n CFLAGS=\"$CFLAGS -DNO_snprintf\"\n SFLAGS=\"$SFLAGS -DNO_snprintf\"\n echo \"Checking for snprintf() in stdio.h... No.\" | tee -a configure.log\n echo \" WARNING: snprintf() not found, falling back to sprintf(). zlib\" | tee -a configure.log\n echo \" can build but will be open to possible buffer-overflow security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n\n echo >> configure.log\n cat >$test.c <\nint mytest()\n{\n char buf[20];\n return sprintf(buf, \"%s\", \"foo\");\n}\nint main()\n{\n return (mytest());\n}\nEOF\n\n if try $CC -c $CFLAGS $test.c; then\n echo \"Checking for return value of sprintf()... Yes.\" | tee -a configure.log\n else\n CFLAGS=\"$CFLAGS -DHAS_sprintf_void\"\n SFLAGS=\"$SFLAGS -DHAS_sprintf_void\"\n echo \"Checking for return value of sprintf()... No.\" | tee -a configure.log\n echo \" WARNING: apparently sprintf() does not return a value. zlib\" | tee -a configure.log\n echo \" can build but will be open to possible string-format security\" | tee -a configure.log\n echo \" vulnerabilities.\" | tee -a configure.log\n fi\n fi\nfi\n\n# see if we can hide zlib internal symbols that are linked between separate source files\nif test \"$gcc\" -eq 1; then\n echo >> configure.log\n cat > $test.c <> configure.log\necho ALL = $ALL >> configure.log\necho AR = $AR >> configure.log\necho ARFLAGS = $ARFLAGS >> configure.log\necho CC = $CC >> configure.log\necho CFLAGS = $CFLAGS >> configure.log\necho CPP = $CPP >> configure.log\necho EXE = $EXE >> configure.log\necho LDCONFIG = $LDCONFIG >> configure.log\necho LDFLAGS = $LDFLAGS >> configure.log\necho LDSHARED = $LDSHARED >> configure.log\necho LDSHAREDLIBC = $LDSHAREDLIBC >> configure.log\necho OBJC = $OBJC >> configure.log\necho PIC_OBJC = $PIC_OBJC >> configure.log\necho RANLIB = $RANLIB >> configure.log\necho SFLAGS = $SFLAGS >> configure.log\necho SHAREDLIB = $SHAREDLIB >> configure.log\necho SHAREDLIBM = $SHAREDLIBM >> configure.log\necho SHAREDLIBV = $SHAREDLIBV >> configure.log\necho STATICLIB = $STATICLIB >> configure.log\necho TEST = $TEST >> configure.log\necho VER = $VER >> configure.log\necho SRCDIR = $SRCDIR >> configure.log\necho exec_prefix = $exec_prefix >> configure.log\necho includedir = $includedir >> configure.log\necho libdir = $libdir >> configure.log\necho mandir = $mandir >> configure.log\necho prefix = $prefix >> configure.log\necho sharedlibdir = $sharedlibdir >> configure.log\necho uname = $uname >> configure.log\n\n# update Makefile with the configure results\nsed < ${SRCDIR}Makefile.in \"\n/^CC *=/s#=.*#=$CC#\n/^CFLAGS *=/s#=.*#=$CFLAGS#\n/^SFLAGS *=/s#=.*#=$SFLAGS#\n/^LDFLAGS *=/s#=.*#=$LDFLAGS#\n/^LDSHARED *=/s#=.*#=$LDSHARED#\n/^CPP *=/s#=.*#=$CPP#\n/^STATICLIB *=/s#=.*#=$STATICLIB#\n/^SHAREDLIB *=/s#=.*#=$SHAREDLIB#\n/^SHAREDLIBV *=/s#=.*#=$SHAREDLIBV#\n/^SHAREDLIBM *=/s#=.*#=$SHAREDLIBM#\n/^AR *=/s#=.*#=$AR#\n/^ARFLAGS *=/s#=.*#=$ARFLAGS#\n/^RANLIB *=/s#=.*#=$RANLIB#\n/^LDCONFIG *=/s#=.*#=$LDCONFIG#\n/^LDSHAREDLIBC *=/s#=.*#=$LDSHAREDLIBC#\n/^EXE *=/s#=.*#=$EXE#\n/^SRCDIR *=/s#=.*#=$SRCDIR#\n/^ZINC *=/s#=.*#=$ZINC#\n/^ZINCOUT *=/s#=.*#=$ZINCOUT#\n/^prefix *=/s#=.*#=$prefix#\n/^exec_prefix *=/s#=.*#=$exec_prefix#\n/^libdir *=/s#=.*#=$libdir#\n/^sharedlibdir *=/s#=.*#=$sharedlibdir#\n/^includedir *=/s#=.*#=$includedir#\n/^mandir *=/s#=.*#=$mandir#\n/^OBJC *=/s#=.*#= $OBJC#\n/^PIC_OBJC *=/s#=.*#= $PIC_OBJC#\n/^all: */s#:.*#: $ALL#\n/^test: */s#:.*#: $TEST#\n\" > Makefile\n\n# create zlib.pc with the configure results\nsed < ${SRCDIR}zlib.pc.in \"\n/^CC *=/s#=.*#=$CC#\n/^CFLAGS *=/s#=.*#=$CFLAGS#\n/^CPP *=/s#=.*#=$CPP#\n/^LDSHARED *=/s#=.*#=$LDSHARED#\n/^STATICLIB *=/s#=.*#=$STATICLIB#\n/^SHAREDLIB *=/s#=.*#=$SHAREDLIB#\n/^SHAREDLIBV *=/s#=.*#=$SHAREDLIBV#\n/^SHAREDLIBM *=/s#=.*#=$SHAREDLIBM#\n/^AR *=/s#=.*#=$AR#\n/^ARFLAGS *=/s#=.*#=$ARFLAGS#\n/^RANLIB *=/s#=.*#=$RANLIB#\n/^EXE *=/s#=.*#=$EXE#\n/^prefix *=/s#=.*#=$prefix#\n/^exec_prefix *=/s#=.*#=$exec_prefix#\n/^libdir *=/s#=.*#=$libdir#\n/^sharedlibdir *=/s#=.*#=$sharedlibdir#\n/^includedir *=/s#=.*#=$includedir#\n/^mandir *=/s#=.*#=$mandir#\n/^LDFLAGS *=/s#=.*#=$LDFLAGS#\n\" | sed -e \"\ns/\\@VERSION\\@/$VER/g;\n\" > zlib.pc\n\n# done\nleave 0\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/crc32.c", "content": "/* crc32.c -- compute the CRC-32 of a data stream\n * Copyright (C) 1995-2022 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n *\n * This interleaved implementation of a CRC makes use of pipelined multiple\n * arithmetic-logic units, commonly found in modern CPU cores. It is due to\n * Kadatch and Jenkins (2010). See doc/crc-doc.1.0.pdf in this distribution.\n */\n\n/* @(#) $Id$ */\n\n/*\n Note on the use of DYNAMIC_CRC_TABLE: there is no mutex or semaphore\n protection on the static variables used to control the first-use generation\n of the crc tables. Therefore, if you #define DYNAMIC_CRC_TABLE, you should\n first call get_crc_table() to initialize the tables before allowing more than\n one thread to use crc32().\n\n MAKECRCH can be #defined to write out crc32.h. A main() routine is also\n produced, so that this one source file can be compiled to an executable.\n */\n\n#ifdef MAKECRCH\n# include \n# ifndef DYNAMIC_CRC_TABLE\n# define DYNAMIC_CRC_TABLE\n# endif /* !DYNAMIC_CRC_TABLE */\n#endif /* MAKECRCH */\n\n#include \"zutil.h\" /* for Z_U4, Z_U8, z_crc_t, and FAR definitions */\n\n /*\n A CRC of a message is computed on N braids of words in the message, where\n each word consists of W bytes (4 or 8). If N is 3, for example, then three\n running sparse CRCs are calculated respectively on each braid, at these\n indices in the array of words: 0, 3, 6, ..., 1, 4, 7, ..., and 2, 5, 8, ...\n This is done starting at a word boundary, and continues until as many blocks\n of N * W bytes as are available have been processed. The results are combined\n into a single CRC at the end. For this code, N must be in the range 1..6 and\n W must be 4 or 8. The upper limit on N can be increased if desired by adding\n more #if blocks, extending the patterns apparent in the code. In addition,\n crc32.h would need to be regenerated, if the maximum N value is increased.\n\n N and W are chosen empirically by benchmarking the execution time on a given\n processor. The choices for N and W below were based on testing on Intel Kaby\n Lake i7, AMD Ryzen 7, ARM Cortex-A57, Sparc64-VII, PowerPC POWER9, and MIPS64\n Octeon II processors. The Intel, AMD, and ARM processors were all fastest\n with N=5, W=8. The Sparc, PowerPC, and MIPS64 were all fastest at N=5, W=4.\n They were all tested with either gcc or clang, all using the -O3 optimization\n level. Your mileage may vary.\n */\n\n/* Define N */\n#ifdef Z_TESTN\n# define N Z_TESTN\n#else\n# define N 5\n#endif\n#if N < 1 || N > 6\n# error N must be in 1..6\n#endif\n\n/*\n z_crc_t must be at least 32 bits. z_word_t must be at least as long as\n z_crc_t. It is assumed here that z_word_t is either 32 bits or 64 bits, and\n that bytes are eight bits.\n */\n\n/*\n Define W and the associated z_word_t type. If W is not defined, then a\n braided calculation is not used, and the associated tables and code are not\n compiled.\n */\n#ifdef Z_TESTW\n# if Z_TESTW-1 != -1\n# define W Z_TESTW\n# endif\n#else\n# ifdef MAKECRCH\n# define W 8 /* required for MAKECRCH */\n# else\n# if defined(__x86_64__) || defined(__aarch64__)\n# define W 8\n# else\n# define W 4\n# endif\n# endif\n#endif\n#ifdef W\n# if W == 8 && defined(Z_U8)\n typedef Z_U8 z_word_t;\n# elif defined(Z_U4)\n# undef W\n# define W 4\n typedef Z_U4 z_word_t;\n# else\n# undef W\n# endif\n#endif\n\n/* If available, use the ARM processor CRC32 instruction. */\n#if defined(__aarch64__) && defined(__ARM_FEATURE_CRC32) && W == 8\n# define ARMCRC32\n#endif\n\n#if defined(W) && (!defined(ARMCRC32) || defined(DYNAMIC_CRC_TABLE))\n/*\n Swap the bytes in a z_word_t to convert between little and big endian. Any\n self-respecting compiler will optimize this to a single machine byte-swap\n instruction, if one is available. This assumes that word_t is either 32 bits\n or 64 bits.\n */\nlocal z_word_t byte_swap(z_word_t word) {\n# if W == 8\n return\n (word & 0xff00000000000000) >> 56 |\n (word & 0xff000000000000) >> 40 |\n (word & 0xff0000000000) >> 24 |\n (word & 0xff00000000) >> 8 |\n (word & 0xff000000) << 8 |\n (word & 0xff0000) << 24 |\n (word & 0xff00) << 40 |\n (word & 0xff) << 56;\n# else /* W == 4 */\n return\n (word & 0xff000000) >> 24 |\n (word & 0xff0000) >> 8 |\n (word & 0xff00) << 8 |\n (word & 0xff) << 24;\n# endif\n}\n#endif\n\n#ifdef DYNAMIC_CRC_TABLE\n/* =========================================================================\n * Table of powers of x for combining CRC-32s, filled in by make_crc_table()\n * below.\n */\n local z_crc_t FAR x2n_table[32];\n#else\n/* =========================================================================\n * Tables for byte-wise and braided CRC-32 calculations, and a table of powers\n * of x for combining CRC-32s, all made by make_crc_table().\n */\n# include \"crc32.h\"\n#endif\n\n/* CRC polynomial. */\n#define POLY 0xedb88320 /* p(x) reflected, with x^32 implied */\n\n/*\n Return a(x) multiplied by b(x) modulo p(x), where p(x) is the CRC polynomial,\n reflected. For speed, this requires that a not be zero.\n */\nlocal z_crc_t multmodp(z_crc_t a, z_crc_t b) {\n z_crc_t m, p;\n\n m = (z_crc_t)1 << 31;\n p = 0;\n for (;;) {\n if (a & m) {\n p ^= b;\n if ((a & (m - 1)) == 0)\n break;\n }\n m >>= 1;\n b = b & 1 ? (b >> 1) ^ POLY : b >> 1;\n }\n return p;\n}\n\n/*\n Return x^(n * 2^k) modulo p(x). Requires that x2n_table[] has been\n initialized.\n */\nlocal z_crc_t x2nmodp(z_off64_t n, unsigned k) {\n z_crc_t p;\n\n p = (z_crc_t)1 << 31; /* x^0 == 1 */\n while (n) {\n if (n & 1)\n p = multmodp(x2n_table[k & 31], p);\n n >>= 1;\n k++;\n }\n return p;\n}\n\n#ifdef DYNAMIC_CRC_TABLE\n/* =========================================================================\n * Build the tables for byte-wise and braided CRC-32 calculations, and a table\n * of powers of x for combining CRC-32s.\n */\nlocal z_crc_t FAR crc_table[256];\n#ifdef W\n local z_word_t FAR crc_big_table[256];\n local z_crc_t FAR crc_braid_table[W][256];\n local z_word_t FAR crc_braid_big_table[W][256];\n local void braid(z_crc_t [][256], z_word_t [][256], int, int);\n#endif\n#ifdef MAKECRCH\n local void write_table(FILE *, const z_crc_t FAR *, int);\n local void write_table32hi(FILE *, const z_word_t FAR *, int);\n local void write_table64(FILE *, const z_word_t FAR *, int);\n#endif /* MAKECRCH */\n\n/*\n Define a once() function depending on the availability of atomics. If this is\n compiled with DYNAMIC_CRC_TABLE defined, and if CRCs will be computed in\n multiple threads, and if atomics are not available, then get_crc_table() must\n be called to initialize the tables and must return before any threads are\n allowed to compute or combine CRCs.\n */\n\n/* Definition of once functionality. */\ntypedef struct once_s once_t;\n\n/* Check for the availability of atomics. */\n#if defined(__STDC__) && __STDC_VERSION__ >= 201112L && \\\n !defined(__STDC_NO_ATOMICS__)\n\n#include \n\n/* Structure for once(), which must be initialized with ONCE_INIT. */\nstruct once_s {\n atomic_flag begun;\n atomic_int done;\n};\n#define ONCE_INIT {ATOMIC_FLAG_INIT, 0}\n\n/*\n Run the provided init() function exactly once, even if multiple threads\n invoke once() at the same time. The state must be a once_t initialized with\n ONCE_INIT.\n */\nlocal void once(once_t *state, void (*init)(void)) {\n if (!atomic_load(&state->done)) {\n if (atomic_flag_test_and_set(&state->begun))\n while (!atomic_load(&state->done))\n ;\n else {\n init();\n atomic_store(&state->done, 1);\n }\n }\n}\n\n#else /* no atomics */\n\n/* Structure for once(), which must be initialized with ONCE_INIT. */\nstruct once_s {\n volatile int begun;\n volatile int done;\n};\n#define ONCE_INIT {0, 0}\n\n/* Test and set. Alas, not atomic, but tries to minimize the period of\n vulnerability. */\nlocal int test_and_set(int volatile *flag) {\n int was;\n\n was = *flag;\n *flag = 1;\n return was;\n}\n\n/* Run the provided init() function once. This is not thread-safe. */\nlocal void once(once_t *state, void (*init)(void)) {\n if (!state->done) {\n if (test_and_set(&state->begun))\n while (!state->done)\n ;\n else {\n init();\n state->done = 1;\n }\n }\n}\n\n#endif\n\n/* State for once(). */\nlocal once_t made = ONCE_INIT;\n\n/*\n Generate tables for a byte-wise 32-bit CRC calculation on the polynomial:\n x^32+x^26+x^23+x^22+x^16+x^12+x^11+x^10+x^8+x^7+x^5+x^4+x^2+x+1.\n\n Polynomials over GF(2) are represented in binary, one bit per coefficient,\n with the lowest powers in the most significant bit. Then adding polynomials\n is just exclusive-or, and multiplying a polynomial by x is a right shift by\n one. If we call the above polynomial p, and represent a byte as the\n polynomial q, also with the lowest power in the most significant bit (so the\n byte 0xb1 is the polynomial x^7+x^3+x^2+1), then the CRC is (q*x^32) mod p,\n where a mod b means the remainder after dividing a by b.\n\n This calculation is done using the shift-register method of multiplying and\n taking the remainder. The register is initialized to zero, and for each\n incoming bit, x^32 is added mod p to the register if the bit is a one (where\n x^32 mod p is p+x^32 = x^26+...+1), and the register is multiplied mod p by x\n (which is shifting right by one and adding x^32 mod p if the bit shifted out\n is a one). We start with the highest power (least significant bit) of q and\n repeat for all eight bits of q.\n\n The table is simply the CRC of all possible eight bit values. This is all the\n information needed to generate CRCs on data a byte at a time for all\n combinations of CRC register values and incoming bytes.\n */\n\nlocal void make_crc_table(void) {\n unsigned i, j, n;\n z_crc_t p;\n\n /* initialize the CRC of bytes tables */\n for (i = 0; i < 256; i++) {\n p = i;\n for (j = 0; j < 8; j++)\n p = p & 1 ? (p >> 1) ^ POLY : p >> 1;\n crc_table[i] = p;\n#ifdef W\n crc_big_table[i] = byte_swap(p);\n#endif\n }\n\n /* initialize the x^2^n mod p(x) table */\n p = (z_crc_t)1 << 30; /* x^1 */\n x2n_table[0] = p;\n for (n = 1; n < 32; n++)\n x2n_table[n] = p = multmodp(p, p);\n\n#ifdef W\n /* initialize the braiding tables -- needs x2n_table[] */\n braid(crc_braid_table, crc_braid_big_table, N, W);\n#endif\n\n#ifdef MAKECRCH\n {\n /*\n The crc32.h header file contains tables for both 32-bit and 64-bit\n z_word_t's, and so requires a 64-bit type be available. In that case,\n z_word_t must be defined to be 64-bits. This code then also generates\n and writes out the tables for the case that z_word_t is 32 bits.\n */\n#if !defined(W) || W != 8\n# error Need a 64-bit integer type in order to generate crc32.h.\n#endif\n FILE *out;\n int k, n;\n z_crc_t ltl[8][256];\n z_word_t big[8][256];\n\n out = fopen(\"crc32.h\", \"w\");\n if (out == NULL) return;\n\n /* write out little-endian CRC table to crc32.h */\n fprintf(out,\n \"/* crc32.h -- tables for rapid CRC calculation\\n\"\n \" * Generated automatically by crc32.c\\n */\\n\"\n \"\\n\"\n \"local const z_crc_t FAR crc_table[] = {\\n\"\n \" \");\n write_table(out, crc_table, 256);\n fprintf(out,\n \"};\\n\");\n\n /* write out big-endian CRC table for 64-bit z_word_t to crc32.h */\n fprintf(out,\n \"\\n\"\n \"#ifdef W\\n\"\n \"\\n\"\n \"#if W == 8\\n\"\n \"\\n\"\n \"local const z_word_t FAR crc_big_table[] = {\\n\"\n \" \");\n write_table64(out, crc_big_table, 256);\n fprintf(out,\n \"};\\n\");\n\n /* write out big-endian CRC table for 32-bit z_word_t to crc32.h */\n fprintf(out,\n \"\\n\"\n \"#else /* W == 4 */\\n\"\n \"\\n\"\n \"local const z_word_t FAR crc_big_table[] = {\\n\"\n \" \");\n write_table32hi(out, crc_big_table, 256);\n fprintf(out,\n \"};\\n\"\n \"\\n\"\n \"#endif\\n\");\n\n /* write out braid tables for each value of N */\n for (n = 1; n <= 6; n++) {\n fprintf(out,\n \"\\n\"\n \"#if N == %d\\n\", n);\n\n /* compute braid tables for this N and 64-bit word_t */\n braid(ltl, big, n, 8);\n\n /* write out braid tables for 64-bit z_word_t to crc32.h */\n fprintf(out,\n \"\\n\"\n \"#if W == 8\\n\"\n \"\\n\"\n \"local const z_crc_t FAR crc_braid_table[][256] = {\\n\");\n for (k = 0; k < 8; k++) {\n fprintf(out, \" {\");\n write_table(out, ltl[k], 256);\n fprintf(out, \"}%s\", k < 7 ? \",\\n\" : \"\");\n }\n fprintf(out,\n \"};\\n\"\n \"\\n\"\n \"local const z_word_t FAR crc_braid_big_table[][256] = {\\n\");\n for (k = 0; k < 8; k++) {\n fprintf(out, \" {\");\n write_table64(out, big[k], 256);\n fprintf(out, \"}%s\", k < 7 ? \",\\n\" : \"\");\n }\n fprintf(out,\n \"};\\n\");\n\n /* compute braid tables for this N and 32-bit word_t */\n braid(ltl, big, n, 4);\n\n /* write out braid tables for 32-bit z_word_t to crc32.h */\n fprintf(out,\n \"\\n\"\n \"#else /* W == 4 */\\n\"\n \"\\n\"\n \"local const z_crc_t FAR crc_braid_table[][256] = {\\n\");\n for (k = 0; k < 4; k++) {\n fprintf(out, \" {\");\n write_table(out, ltl[k], 256);\n fprintf(out, \"}%s\", k < 3 ? \",\\n\" : \"\");\n }\n fprintf(out,\n \"};\\n\"\n \"\\n\"\n \"local const z_word_t FAR crc_braid_big_table[][256] = {\\n\");\n for (k = 0; k < 4; k++) {\n fprintf(out, \" {\");\n write_table32hi(out, big[k], 256);\n fprintf(out, \"}%s\", k < 3 ? \",\\n\" : \"\");\n }\n fprintf(out,\n \"};\\n\"\n \"\\n\"\n \"#endif\\n\"\n \"\\n\"\n \"#endif\\n\");\n }\n fprintf(out,\n \"\\n\"\n \"#endif\\n\");\n\n /* write out zeros operator table to crc32.h */\n fprintf(out,\n \"\\n\"\n \"local const z_crc_t FAR x2n_table[] = {\\n\"\n \" \");\n write_table(out, x2n_table, 32);\n fprintf(out,\n \"};\\n\");\n fclose(out);\n }\n#endif /* MAKECRCH */\n}\n\n#ifdef MAKECRCH\n\n/*\n Write the 32-bit values in table[0..k-1] to out, five per line in\n hexadecimal separated by commas.\n */\nlocal void write_table(FILE *out, const z_crc_t FAR *table, int k) {\n int n;\n\n for (n = 0; n < k; n++)\n fprintf(out, \"%s0x%08lx%s\", n == 0 || n % 5 ? \"\" : \" \",\n (unsigned long)(table[n]),\n n == k - 1 ? \"\" : (n % 5 == 4 ? \",\\n\" : \", \"));\n}\n\n/*\n Write the high 32-bits of each value in table[0..k-1] to out, five per line\n in hexadecimal separated by commas.\n */\nlocal void write_table32hi(FILE *out, const z_word_t FAR *table, int k) {\n int n;\n\n for (n = 0; n < k; n++)\n fprintf(out, \"%s0x%08lx%s\", n == 0 || n % 5 ? \"\" : \" \",\n (unsigned long)(table[n] >> 32),\n n == k - 1 ? \"\" : (n % 5 == 4 ? \",\\n\" : \", \"));\n}\n\n/*\n Write the 64-bit values in table[0..k-1] to out, three per line in\n hexadecimal separated by commas. This assumes that if there is a 64-bit\n type, then there is also a long long integer type, and it is at least 64\n bits. If not, then the type cast and format string can be adjusted\n accordingly.\n */\nlocal void write_table64(FILE *out, const z_word_t FAR *table, int k) {\n int n;\n\n for (n = 0; n < k; n++)\n fprintf(out, \"%s0x%016llx%s\", n == 0 || n % 3 ? \"\" : \" \",\n (unsigned long long)(table[n]),\n n == k - 1 ? \"\" : (n % 3 == 2 ? \",\\n\" : \", \"));\n}\n\n/* Actually do the deed. */\nint main(void) {\n make_crc_table();\n return 0;\n}\n\n#endif /* MAKECRCH */\n\n#ifdef W\n/*\n Generate the little and big-endian braid tables for the given n and z_word_t\n size w. Each array must have room for w blocks of 256 elements.\n */\nlocal void braid(z_crc_t ltl[][256], z_word_t big[][256], int n, int w) {\n int k;\n z_crc_t i, p, q;\n for (k = 0; k < w; k++) {\n p = x2nmodp((n * w + 3 - k) << 3, 0);\n ltl[k][0] = 0;\n big[w - 1 - k][0] = 0;\n for (i = 1; i < 256; i++) {\n ltl[k][i] = q = multmodp(i << 24, p);\n big[w - 1 - k][i] = byte_swap(q);\n }\n }\n}\n#endif\n\n#endif /* DYNAMIC_CRC_TABLE */\n\n/* =========================================================================\n * This function can be used by asm versions of crc32(), and to force the\n * generation of the CRC tables in a threaded application.\n */\nconst z_crc_t FAR * ZEXPORT get_crc_table(void) {\n#ifdef DYNAMIC_CRC_TABLE\n once(&made, make_crc_table);\n#endif /* DYNAMIC_CRC_TABLE */\n return (const z_crc_t FAR *)crc_table;\n}\n\n/* =========================================================================\n * Use ARM machine instructions if available. This will compute the CRC about\n * ten times faster than the braided calculation. This code does not check for\n * the presence of the CRC instruction at run time. __ARM_FEATURE_CRC32 will\n * only be defined if the compilation specifies an ARM processor architecture\n * that has the instructions. For example, compiling with -march=armv8.1-a or\n * -march=armv8-a+crc, or -march=native if the compile machine has the crc32\n * instructions.\n */\n#ifdef ARMCRC32\n\n/*\n Constants empirically determined to maximize speed. These values are from\n measurements on a Cortex-A57. Your mileage may vary.\n */\n#define Z_BATCH 3990 /* number of words in a batch */\n#define Z_BATCH_ZEROS 0xa10d3d0c /* computed from Z_BATCH = 3990 */\n#define Z_BATCH_MIN 800 /* fewest words in a final batch */\n\nunsigned long ZEXPORT crc32_z(unsigned long crc, const unsigned char FAR *buf,\n z_size_t len) {\n z_crc_t val;\n z_word_t crc1, crc2;\n const z_word_t *word;\n z_word_t val0, val1, val2;\n z_size_t last, last2, i;\n z_size_t num;\n\n /* Return initial CRC, if requested. */\n if (buf == Z_NULL) return 0;\n\n#ifdef DYNAMIC_CRC_TABLE\n once(&made, make_crc_table);\n#endif /* DYNAMIC_CRC_TABLE */\n\n /* Pre-condition the CRC */\n crc = (~crc) & 0xffffffff;\n\n /* Compute the CRC up to a word boundary. */\n while (len && ((z_size_t)buf & 7) != 0) {\n len--;\n val = *buf++;\n __asm__ volatile(\"crc32b %w0, %w0, %w1\" : \"+r\"(crc) : \"r\"(val));\n }\n\n /* Prepare to compute the CRC on full 64-bit words word[0..num-1]. */\n word = (z_word_t const *)buf;\n num = len >> 3;\n len &= 7;\n\n /* Do three interleaved CRCs to realize the throughput of one crc32x\n instruction per cycle. Each CRC is calculated on Z_BATCH words. The\n three CRCs are combined into a single CRC after each set of batches. */\n while (num >= 3 * Z_BATCH) {\n crc1 = 0;\n crc2 = 0;\n for (i = 0; i < Z_BATCH; i++) {\n val0 = word[i];\n val1 = word[i + Z_BATCH];\n val2 = word[i + 2 * Z_BATCH];\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc) : \"r\"(val0));\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc1) : \"r\"(val1));\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc2) : \"r\"(val2));\n }\n word += 3 * Z_BATCH;\n num -= 3 * Z_BATCH;\n crc = multmodp(Z_BATCH_ZEROS, crc) ^ crc1;\n crc = multmodp(Z_BATCH_ZEROS, crc) ^ crc2;\n }\n\n /* Do one last smaller batch with the remaining words, if there are enough\n to pay for the combination of CRCs. */\n last = num / 3;\n if (last >= Z_BATCH_MIN) {\n last2 = last << 1;\n crc1 = 0;\n crc2 = 0;\n for (i = 0; i < last; i++) {\n val0 = word[i];\n val1 = word[i + last];\n val2 = word[i + last2];\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc) : \"r\"(val0));\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc1) : \"r\"(val1));\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc2) : \"r\"(val2));\n }\n word += 3 * last;\n num -= 3 * last;\n val = x2nmodp(last, 6);\n crc = multmodp(val, crc) ^ crc1;\n crc = multmodp(val, crc) ^ crc2;\n }\n\n /* Compute the CRC on any remaining words. */\n for (i = 0; i < num; i++) {\n val0 = word[i];\n __asm__ volatile(\"crc32x %w0, %w0, %x1\" : \"+r\"(crc) : \"r\"(val0));\n }\n word += num;\n\n /* Complete the CRC on any remaining bytes. */\n buf = (const unsigned char FAR *)word;\n while (len) {\n len--;\n val = *buf++;\n __asm__ volatile(\"crc32b %w0, %w0, %w1\" : \"+r\"(crc) : \"r\"(val));\n }\n\n /* Return the CRC, post-conditioned. */\n return crc ^ 0xffffffff;\n}\n\n#else\n\n#ifdef W\n\n/*\n Return the CRC of the W bytes in the word_t data, taking the\n least-significant byte of the word as the first byte of data, without any pre\n or post conditioning. This is used to combine the CRCs of each braid.\n */\nlocal z_crc_t crc_word(z_word_t data) {\n int k;\n for (k = 0; k < W; k++)\n data = (data >> 8) ^ crc_table[data & 0xff];\n return (z_crc_t)data;\n}\n\nlocal z_word_t crc_word_big(z_word_t data) {\n int k;\n for (k = 0; k < W; k++)\n data = (data << 8) ^\n crc_big_table[(data >> ((W - 1) << 3)) & 0xff];\n return data;\n}\n\n#endif\n\n/* ========================================================================= */\nunsigned long ZEXPORT crc32_z(unsigned long crc, const unsigned char FAR *buf,\n z_size_t len) {\n /* Return initial CRC, if requested. */\n if (buf == Z_NULL) return 0;\n\n#ifdef DYNAMIC_CRC_TABLE\n once(&made, make_crc_table);\n#endif /* DYNAMIC_CRC_TABLE */\n\n /* Pre-condition the CRC */\n crc = (~crc) & 0xffffffff;\n\n#ifdef W\n\n /* If provided enough bytes, do a braided CRC calculation. */\n if (len >= N * W + W - 1) {\n z_size_t blks;\n z_word_t const *words;\n unsigned endian;\n int k;\n\n /* Compute the CRC up to a z_word_t boundary. */\n while (len && ((z_size_t)buf & (W - 1)) != 0) {\n len--;\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n }\n\n /* Compute the CRC on as many N z_word_t blocks as are available. */\n blks = len / (N * W);\n len -= blks * N * W;\n words = (z_word_t const *)buf;\n\n /* Do endian check at execution time instead of compile time, since ARM\n processors can change the endianness at execution time. If the\n compiler knows what the endianness will be, it can optimize out the\n check and the unused branch. */\n endian = 1;\n if (*(unsigned char *)&endian) {\n /* Little endian. */\n\n z_crc_t crc0;\n z_word_t word0;\n#if N > 1\n z_crc_t crc1;\n z_word_t word1;\n#if N > 2\n z_crc_t crc2;\n z_word_t word2;\n#if N > 3\n z_crc_t crc3;\n z_word_t word3;\n#if N > 4\n z_crc_t crc4;\n z_word_t word4;\n#if N > 5\n z_crc_t crc5;\n z_word_t word5;\n#endif\n#endif\n#endif\n#endif\n#endif\n\n /* Initialize the CRC for each braid. */\n crc0 = crc;\n#if N > 1\n crc1 = 0;\n#if N > 2\n crc2 = 0;\n#if N > 3\n crc3 = 0;\n#if N > 4\n crc4 = 0;\n#if N > 5\n crc5 = 0;\n#endif\n#endif\n#endif\n#endif\n#endif\n\n /*\n Process the first blks-1 blocks, computing the CRCs on each braid\n independently.\n */\n while (--blks) {\n /* Load the word for each braid into registers. */\n word0 = crc0 ^ words[0];\n#if N > 1\n word1 = crc1 ^ words[1];\n#if N > 2\n word2 = crc2 ^ words[2];\n#if N > 3\n word3 = crc3 ^ words[3];\n#if N > 4\n word4 = crc4 ^ words[4];\n#if N > 5\n word5 = crc5 ^ words[5];\n#endif\n#endif\n#endif\n#endif\n#endif\n words += N;\n\n /* Compute and update the CRC for each word. The loop should\n get unrolled. */\n crc0 = crc_braid_table[0][word0 & 0xff];\n#if N > 1\n crc1 = crc_braid_table[0][word1 & 0xff];\n#if N > 2\n crc2 = crc_braid_table[0][word2 & 0xff];\n#if N > 3\n crc3 = crc_braid_table[0][word3 & 0xff];\n#if N > 4\n crc4 = crc_braid_table[0][word4 & 0xff];\n#if N > 5\n crc5 = crc_braid_table[0][word5 & 0xff];\n#endif\n#endif\n#endif\n#endif\n#endif\n for (k = 1; k < W; k++) {\n crc0 ^= crc_braid_table[k][(word0 >> (k << 3)) & 0xff];\n#if N > 1\n crc1 ^= crc_braid_table[k][(word1 >> (k << 3)) & 0xff];\n#if N > 2\n crc2 ^= crc_braid_table[k][(word2 >> (k << 3)) & 0xff];\n#if N > 3\n crc3 ^= crc_braid_table[k][(word3 >> (k << 3)) & 0xff];\n#if N > 4\n crc4 ^= crc_braid_table[k][(word4 >> (k << 3)) & 0xff];\n#if N > 5\n crc5 ^= crc_braid_table[k][(word5 >> (k << 3)) & 0xff];\n#endif\n#endif\n#endif\n#endif\n#endif\n }\n }\n\n /*\n Process the last block, combining the CRCs of the N braids at the\n same time.\n */\n crc = crc_word(crc0 ^ words[0]);\n#if N > 1\n crc = crc_word(crc1 ^ words[1] ^ crc);\n#if N > 2\n crc = crc_word(crc2 ^ words[2] ^ crc);\n#if N > 3\n crc = crc_word(crc3 ^ words[3] ^ crc);\n#if N > 4\n crc = crc_word(crc4 ^ words[4] ^ crc);\n#if N > 5\n crc = crc_word(crc5 ^ words[5] ^ crc);\n#endif\n#endif\n#endif\n#endif\n#endif\n words += N;\n }\n else {\n /* Big endian. */\n\n z_word_t crc0, word0, comb;\n#if N > 1\n z_word_t crc1, word1;\n#if N > 2\n z_word_t crc2, word2;\n#if N > 3\n z_word_t crc3, word3;\n#if N > 4\n z_word_t crc4, word4;\n#if N > 5\n z_word_t crc5, word5;\n#endif\n#endif\n#endif\n#endif\n#endif\n\n /* Initialize the CRC for each braid. */\n crc0 = byte_swap(crc);\n#if N > 1\n crc1 = 0;\n#if N > 2\n crc2 = 0;\n#if N > 3\n crc3 = 0;\n#if N > 4\n crc4 = 0;\n#if N > 5\n crc5 = 0;\n#endif\n#endif\n#endif\n#endif\n#endif\n\n /*\n Process the first blks-1 blocks, computing the CRCs on each braid\n independently.\n */\n while (--blks) {\n /* Load the word for each braid into registers. */\n word0 = crc0 ^ words[0];\n#if N > 1\n word1 = crc1 ^ words[1];\n#if N > 2\n word2 = crc2 ^ words[2];\n#if N > 3\n word3 = crc3 ^ words[3];\n#if N > 4\n word4 = crc4 ^ words[4];\n#if N > 5\n word5 = crc5 ^ words[5];\n#endif\n#endif\n#endif\n#endif\n#endif\n words += N;\n\n /* Compute and update the CRC for each word. The loop should\n get unrolled. */\n crc0 = crc_braid_big_table[0][word0 & 0xff];\n#if N > 1\n crc1 = crc_braid_big_table[0][word1 & 0xff];\n#if N > 2\n crc2 = crc_braid_big_table[0][word2 & 0xff];\n#if N > 3\n crc3 = crc_braid_big_table[0][word3 & 0xff];\n#if N > 4\n crc4 = crc_braid_big_table[0][word4 & 0xff];\n#if N > 5\n crc5 = crc_braid_big_table[0][word5 & 0xff];\n#endif\n#endif\n#endif\n#endif\n#endif\n for (k = 1; k < W; k++) {\n crc0 ^= crc_braid_big_table[k][(word0 >> (k << 3)) & 0xff];\n#if N > 1\n crc1 ^= crc_braid_big_table[k][(word1 >> (k << 3)) & 0xff];\n#if N > 2\n crc2 ^= crc_braid_big_table[k][(word2 >> (k << 3)) & 0xff];\n#if N > 3\n crc3 ^= crc_braid_big_table[k][(word3 >> (k << 3)) & 0xff];\n#if N > 4\n crc4 ^= crc_braid_big_table[k][(word4 >> (k << 3)) & 0xff];\n#if N > 5\n crc5 ^= crc_braid_big_table[k][(word5 >> (k << 3)) & 0xff];\n#endif\n#endif\n#endif\n#endif\n#endif\n }\n }\n\n /*\n Process the last block, combining the CRCs of the N braids at the\n same time.\n */\n comb = crc_word_big(crc0 ^ words[0]);\n#if N > 1\n comb = crc_word_big(crc1 ^ words[1] ^ comb);\n#if N > 2\n comb = crc_word_big(crc2 ^ words[2] ^ comb);\n#if N > 3\n comb = crc_word_big(crc3 ^ words[3] ^ comb);\n#if N > 4\n comb = crc_word_big(crc4 ^ words[4] ^ comb);\n#if N > 5\n comb = crc_word_big(crc5 ^ words[5] ^ comb);\n#endif\n#endif\n#endif\n#endif\n#endif\n words += N;\n crc = byte_swap(comb);\n }\n\n /*\n Update the pointer to the remaining bytes to process.\n */\n buf = (unsigned char const *)words;\n }\n\n#endif /* W */\n\n /* Complete the computation of the CRC on any remaining bytes. */\n while (len >= 8) {\n len -= 8;\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n }\n while (len) {\n len--;\n crc = (crc >> 8) ^ crc_table[(crc ^ *buf++) & 0xff];\n }\n\n /* Return the CRC, post-conditioned. */\n return crc ^ 0xffffffff;\n}\n\n#endif\n\n/* ========================================================================= */\nunsigned long ZEXPORT crc32(unsigned long crc, const unsigned char FAR *buf,\n uInt len) {\n return crc32_z(crc, buf, len);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT crc32_combine64(uLong crc1, uLong crc2, z_off64_t len2) {\n#ifdef DYNAMIC_CRC_TABLE\n once(&made, make_crc_table);\n#endif /* DYNAMIC_CRC_TABLE */\n return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2) {\n return crc32_combine64(crc1, crc2, (z_off64_t)len2);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT crc32_combine_gen64(z_off64_t len2) {\n#ifdef DYNAMIC_CRC_TABLE\n once(&made, make_crc_table);\n#endif /* DYNAMIC_CRC_TABLE */\n return x2nmodp(len2, 3);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT crc32_combine_gen(z_off_t len2) {\n return crc32_combine_gen64((z_off64_t)len2);\n}\n\n/* ========================================================================= */\nuLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op) {\n return multmodp(op, crc1) ^ (crc2 & 0xffffffff);\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/crc32.h", "content": "/* crc32.h -- tables for rapid CRC calculation\n * Generated automatically by crc32.c\n */\n\nlocal const z_crc_t FAR crc_table[] = {\n 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\n 0x2d02ef8d};\n\n#ifdef W\n\n#if W == 8\n\nlocal const z_word_t FAR crc_big_table[] = {\n 0x0000000000000000, 0x9630077700000000, 0x2c610eee00000000,\n 0xba51099900000000, 0x19c46d0700000000, 0x8ff46a7000000000,\n 0x35a563e900000000, 0xa395649e00000000, 0x3288db0e00000000,\n 0xa4b8dc7900000000, 0x1ee9d5e000000000, 0x88d9d29700000000,\n 0x2b4cb60900000000, 0xbd7cb17e00000000, 0x072db8e700000000,\n 0x911dbf9000000000, 0x6410b71d00000000, 0xf220b06a00000000,\n 0x4871b9f300000000, 0xde41be8400000000, 0x7dd4da1a00000000,\n 0xebe4dd6d00000000, 0x51b5d4f400000000, 0xc785d38300000000,\n 0x56986c1300000000, 0xc0a86b6400000000, 0x7af962fd00000000,\n 0xecc9658a00000000, 0x4f5c011400000000, 0xd96c066300000000,\n 0x633d0ffa00000000, 0xf50d088d00000000, 0xc8206e3b00000000,\n 0x5e10694c00000000, 0xe44160d500000000, 0x727167a200000000,\n 0xd1e4033c00000000, 0x47d4044b00000000, 0xfd850dd200000000,\n 0x6bb50aa500000000, 0xfaa8b53500000000, 0x6c98b24200000000,\n 0xd6c9bbdb00000000, 0x40f9bcac00000000, 0xe36cd83200000000,\n 0x755cdf4500000000, 0xcf0dd6dc00000000, 0x593dd1ab00000000,\n 0xac30d92600000000, 0x3a00de5100000000, 0x8051d7c800000000,\n 0x1661d0bf00000000, 0xb5f4b42100000000, 0x23c4b35600000000,\n 0x9995bacf00000000, 0x0fa5bdb800000000, 0x9eb8022800000000,\n 0x0888055f00000000, 0xb2d90cc600000000, 0x24e90bb100000000,\n 0x877c6f2f00000000, 0x114c685800000000, 0xab1d61c100000000,\n 0x3d2d66b600000000, 0x9041dc7600000000, 0x0671db0100000000,\n 0xbc20d29800000000, 0x2a10d5ef00000000, 0x8985b17100000000,\n 0x1fb5b60600000000, 0xa5e4bf9f00000000, 0x33d4b8e800000000,\n 0xa2c9077800000000, 0x34f9000f00000000, 0x8ea8099600000000,\n 0x18980ee100000000, 0xbb0d6a7f00000000, 0x2d3d6d0800000000,\n 0x976c649100000000, 0x015c63e600000000, 0xf4516b6b00000000,\n 0x62616c1c00000000, 0xd830658500000000, 0x4e0062f200000000,\n 0xed95066c00000000, 0x7ba5011b00000000, 0xc1f4088200000000,\n 0x57c40ff500000000, 0xc6d9b06500000000, 0x50e9b71200000000,\n 0xeab8be8b00000000, 0x7c88b9fc00000000, 0xdf1ddd6200000000,\n 0x492dda1500000000, 0xf37cd38c00000000, 0x654cd4fb00000000,\n 0x5861b24d00000000, 0xce51b53a00000000, 0x7400bca300000000,\n 0xe230bbd400000000, 0x41a5df4a00000000, 0xd795d83d00000000,\n 0x6dc4d1a400000000, 0xfbf4d6d300000000, 0x6ae9694300000000,\n 0xfcd96e3400000000, 0x468867ad00000000, 0xd0b860da00000000,\n 0x732d044400000000, 0xe51d033300000000, 0x5f4c0aaa00000000,\n 0xc97c0ddd00000000, 0x3c71055000000000, 0xaa41022700000000,\n 0x10100bbe00000000, 0x86200cc900000000, 0x25b5685700000000,\n 0xb3856f2000000000, 0x09d466b900000000, 0x9fe461ce00000000,\n 0x0ef9de5e00000000, 0x98c9d92900000000, 0x2298d0b000000000,\n 0xb4a8d7c700000000, 0x173db35900000000, 0x810db42e00000000,\n 0x3b5cbdb700000000, 0xad6cbac000000000, 0x2083b8ed00000000,\n 0xb6b3bf9a00000000, 0x0ce2b60300000000, 0x9ad2b17400000000,\n 0x3947d5ea00000000, 0xaf77d29d00000000, 0x1526db0400000000,\n 0x8316dc7300000000, 0x120b63e300000000, 0x843b649400000000,\n 0x3e6a6d0d00000000, 0xa85a6a7a00000000, 0x0bcf0ee400000000,\n 0x9dff099300000000, 0x27ae000a00000000, 0xb19e077d00000000,\n 0x44930ff000000000, 0xd2a3088700000000, 0x68f2011e00000000,\n 0xfec2066900000000, 0x5d5762f700000000, 0xcb67658000000000,\n 0x71366c1900000000, 0xe7066b6e00000000, 0x761bd4fe00000000,\n 0xe02bd38900000000, 0x5a7ada1000000000, 0xcc4add6700000000,\n 0x6fdfb9f900000000, 0xf9efbe8e00000000, 0x43beb71700000000,\n 0xd58eb06000000000, 0xe8a3d6d600000000, 0x7e93d1a100000000,\n 0xc4c2d83800000000, 0x52f2df4f00000000, 0xf167bbd100000000,\n 0x6757bca600000000, 0xdd06b53f00000000, 0x4b36b24800000000,\n 0xda2b0dd800000000, 0x4c1b0aaf00000000, 0xf64a033600000000,\n 0x607a044100000000, 0xc3ef60df00000000, 0x55df67a800000000,\n 0xef8e6e3100000000, 0x79be694600000000, 0x8cb361cb00000000,\n 0x1a8366bc00000000, 0xa0d26f2500000000, 0x36e2685200000000,\n 0x95770ccc00000000, 0x03470bbb00000000, 0xb916022200000000,\n 0x2f26055500000000, 0xbe3bbac500000000, 0x280bbdb200000000,\n 0x925ab42b00000000, 0x046ab35c00000000, 0xa7ffd7c200000000,\n 0x31cfd0b500000000, 0x8b9ed92c00000000, 0x1daede5b00000000,\n 0xb0c2649b00000000, 0x26f263ec00000000, 0x9ca36a7500000000,\n 0x0a936d0200000000, 0xa906099c00000000, 0x3f360eeb00000000,\n 0x8567077200000000, 0x1357000500000000, 0x824abf9500000000,\n 0x147ab8e200000000, 0xae2bb17b00000000, 0x381bb60c00000000,\n 0x9b8ed29200000000, 0x0dbed5e500000000, 0xb7efdc7c00000000,\n 0x21dfdb0b00000000, 0xd4d2d38600000000, 0x42e2d4f100000000,\n 0xf8b3dd6800000000, 0x6e83da1f00000000, 0xcd16be8100000000,\n 0x5b26b9f600000000, 0xe177b06f00000000, 0x7747b71800000000,\n 0xe65a088800000000, 0x706a0fff00000000, 0xca3b066600000000,\n 0x5c0b011100000000, 0xff9e658f00000000, 0x69ae62f800000000,\n 0xd3ff6b6100000000, 0x45cf6c1600000000, 0x78e20aa000000000,\n 0xeed20dd700000000, 0x5483044e00000000, 0xc2b3033900000000,\n 0x612667a700000000, 0xf71660d000000000, 0x4d47694900000000,\n 0xdb776e3e00000000, 0x4a6ad1ae00000000, 0xdc5ad6d900000000,\n 0x660bdf4000000000, 0xf03bd83700000000, 0x53aebca900000000,\n 0xc59ebbde00000000, 0x7fcfb24700000000, 0xe9ffb53000000000,\n 0x1cf2bdbd00000000, 0x8ac2baca00000000, 0x3093b35300000000,\n 0xa6a3b42400000000, 0x0536d0ba00000000, 0x9306d7cd00000000,\n 0x2957de5400000000, 0xbf67d92300000000, 0x2e7a66b300000000,\n 0xb84a61c400000000, 0x021b685d00000000, 0x942b6f2a00000000,\n 0x37be0bb400000000, 0xa18e0cc300000000, 0x1bdf055a00000000,\n 0x8def022d00000000};\n\n#else /* W == 4 */\n\nlocal const z_word_t FAR crc_big_table[] = {\n 0x00000000, 0x96300777, 0x2c610eee, 0xba510999, 0x19c46d07,\n 0x8ff46a70, 0x35a563e9, 0xa395649e, 0x3288db0e, 0xa4b8dc79,\n 0x1ee9d5e0, 0x88d9d297, 0x2b4cb609, 0xbd7cb17e, 0x072db8e7,\n 0x911dbf90, 0x6410b71d, 0xf220b06a, 0x4871b9f3, 0xde41be84,\n 0x7dd4da1a, 0xebe4dd6d, 0x51b5d4f4, 0xc785d383, 0x56986c13,\n 0xc0a86b64, 0x7af962fd, 0xecc9658a, 0x4f5c0114, 0xd96c0663,\n 0x633d0ffa, 0xf50d088d, 0xc8206e3b, 0x5e10694c, 0xe44160d5,\n 0x727167a2, 0xd1e4033c, 0x47d4044b, 0xfd850dd2, 0x6bb50aa5,\n 0xfaa8b535, 0x6c98b242, 0xd6c9bbdb, 0x40f9bcac, 0xe36cd832,\n 0x755cdf45, 0xcf0dd6dc, 0x593dd1ab, 0xac30d926, 0x3a00de51,\n 0x8051d7c8, 0x1661d0bf, 0xb5f4b421, 0x23c4b356, 0x9995bacf,\n 0x0fa5bdb8, 0x9eb80228, 0x0888055f, 0xb2d90cc6, 0x24e90bb1,\n 0x877c6f2f, 0x114c6858, 0xab1d61c1, 0x3d2d66b6, 0x9041dc76,\n 0x0671db01, 0xbc20d298, 0x2a10d5ef, 0x8985b171, 0x1fb5b606,\n 0xa5e4bf9f, 0x33d4b8e8, 0xa2c90778, 0x34f9000f, 0x8ea80996,\n 0x18980ee1, 0xbb0d6a7f, 0x2d3d6d08, 0x976c6491, 0x015c63e6,\n 0xf4516b6b, 0x62616c1c, 0xd8306585, 0x4e0062f2, 0xed95066c,\n 0x7ba5011b, 0xc1f40882, 0x57c40ff5, 0xc6d9b065, 0x50e9b712,\n 0xeab8be8b, 0x7c88b9fc, 0xdf1ddd62, 0x492dda15, 0xf37cd38c,\n 0x654cd4fb, 0x5861b24d, 0xce51b53a, 0x7400bca3, 0xe230bbd4,\n 0x41a5df4a, 0xd795d83d, 0x6dc4d1a4, 0xfbf4d6d3, 0x6ae96943,\n 0xfcd96e34, 0x468867ad, 0xd0b860da, 0x732d0444, 0xe51d0333,\n 0x5f4c0aaa, 0xc97c0ddd, 0x3c710550, 0xaa410227, 0x10100bbe,\n 0x86200cc9, 0x25b56857, 0xb3856f20, 0x09d466b9, 0x9fe461ce,\n 0x0ef9de5e, 0x98c9d929, 0x2298d0b0, 0xb4a8d7c7, 0x173db359,\n 0x810db42e, 0x3b5cbdb7, 0xad6cbac0, 0x2083b8ed, 0xb6b3bf9a,\n 0x0ce2b603, 0x9ad2b174, 0x3947d5ea, 0xaf77d29d, 0x1526db04,\n 0x8316dc73, 0x120b63e3, 0x843b6494, 0x3e6a6d0d, 0xa85a6a7a,\n 0x0bcf0ee4, 0x9dff0993, 0x27ae000a, 0xb19e077d, 0x44930ff0,\n 0xd2a30887, 0x68f2011e, 0xfec20669, 0x5d5762f7, 0xcb676580,\n 0x71366c19, 0xe7066b6e, 0x761bd4fe, 0xe02bd389, 0x5a7ada10,\n 0xcc4add67, 0x6fdfb9f9, 0xf9efbe8e, 0x43beb717, 0xd58eb060,\n 0xe8a3d6d6, 0x7e93d1a1, 0xc4c2d838, 0x52f2df4f, 0xf167bbd1,\n 0x6757bca6, 0xdd06b53f, 0x4b36b248, 0xda2b0dd8, 0x4c1b0aaf,\n 0xf64a0336, 0x607a0441, 0xc3ef60df, 0x55df67a8, 0xef8e6e31,\n 0x79be6946, 0x8cb361cb, 0x1a8366bc, 0xa0d26f25, 0x36e26852,\n 0x95770ccc, 0x03470bbb, 0xb9160222, 0x2f260555, 0xbe3bbac5,\n 0x280bbdb2, 0x925ab42b, 0x046ab35c, 0xa7ffd7c2, 0x31cfd0b5,\n 0x8b9ed92c, 0x1daede5b, 0xb0c2649b, 0x26f263ec, 0x9ca36a75,\n 0x0a936d02, 0xa906099c, 0x3f360eeb, 0x85670772, 0x13570005,\n 0x824abf95, 0x147ab8e2, 0xae2bb17b, 0x381bb60c, 0x9b8ed292,\n 0x0dbed5e5, 0xb7efdc7c, 0x21dfdb0b, 0xd4d2d386, 0x42e2d4f1,\n 0xf8b3dd68, 0x6e83da1f, 0xcd16be81, 0x5b26b9f6, 0xe177b06f,\n 0x7747b718, 0xe65a0888, 0x706a0fff, 0xca3b0666, 0x5c0b0111,\n 0xff9e658f, 0x69ae62f8, 0xd3ff6b61, 0x45cf6c16, 0x78e20aa0,\n 0xeed20dd7, 0x5483044e, 0xc2b30339, 0x612667a7, 0xf71660d0,\n 0x4d476949, 0xdb776e3e, 0x4a6ad1ae, 0xdc5ad6d9, 0x660bdf40,\n 0xf03bd837, 0x53aebca9, 0xc59ebbde, 0x7fcfb247, 0xe9ffb530,\n 0x1cf2bdbd, 0x8ac2baca, 0x3093b353, 0xa6a3b424, 0x0536d0ba,\n 0x9306d7cd, 0x2957de54, 0xbf67d923, 0x2e7a66b3, 0xb84a61c4,\n 0x021b685d, 0x942b6f2a, 0x37be0bb4, 0xa18e0cc3, 0x1bdf055a,\n 0x8def022d};\n\n#endif\n\n#if N == 1\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xccaa009e, 0x4225077d, 0x8e8f07e3, 0x844a0efa,\n 0x48e00e64, 0xc66f0987, 0x0ac50919, 0xd3e51bb5, 0x1f4f1b2b,\n 0x91c01cc8, 0x5d6a1c56, 0x57af154f, 0x9b0515d1, 0x158a1232,\n 0xd92012ac, 0x7cbb312b, 0xb01131b5, 0x3e9e3656, 0xf23436c8,\n 0xf8f13fd1, 0x345b3f4f, 0xbad438ac, 0x767e3832, 0xaf5e2a9e,\n 0x63f42a00, 0xed7b2de3, 0x21d12d7d, 0x2b142464, 0xe7be24fa,\n 0x69312319, 0xa59b2387, 0xf9766256, 0x35dc62c8, 0xbb53652b,\n 0x77f965b5, 0x7d3c6cac, 0xb1966c32, 0x3f196bd1, 0xf3b36b4f,\n 0x2a9379e3, 0xe639797d, 0x68b67e9e, 0xa41c7e00, 0xaed97719,\n 0x62737787, 0xecfc7064, 0x205670fa, 0x85cd537d, 0x496753e3,\n 0xc7e85400, 0x0b42549e, 0x01875d87, 0xcd2d5d19, 0x43a25afa,\n 0x8f085a64, 0x562848c8, 0x9a824856, 0x140d4fb5, 0xd8a74f2b,\n 0xd2624632, 0x1ec846ac, 0x9047414f, 0x5ced41d1, 0x299dc2ed,\n 0xe537c273, 0x6bb8c590, 0xa712c50e, 0xadd7cc17, 0x617dcc89,\n 0xeff2cb6a, 0x2358cbf4, 0xfa78d958, 0x36d2d9c6, 0xb85dde25,\n 0x74f7debb, 0x7e32d7a2, 0xb298d73c, 0x3c17d0df, 0xf0bdd041,\n 0x5526f3c6, 0x998cf358, 0x1703f4bb, 0xdba9f425, 0xd16cfd3c,\n 0x1dc6fda2, 0x9349fa41, 0x5fe3fadf, 0x86c3e873, 0x4a69e8ed,\n 0xc4e6ef0e, 0x084cef90, 0x0289e689, 0xce23e617, 0x40ace1f4,\n 0x8c06e16a, 0xd0eba0bb, 0x1c41a025, 0x92cea7c6, 0x5e64a758,\n 0x54a1ae41, 0x980baedf, 0x1684a93c, 0xda2ea9a2, 0x030ebb0e,\n 0xcfa4bb90, 0x412bbc73, 0x8d81bced, 0x8744b5f4, 0x4beeb56a,\n 0xc561b289, 0x09cbb217, 0xac509190, 0x60fa910e, 0xee7596ed,\n 0x22df9673, 0x281a9f6a, 0xe4b09ff4, 0x6a3f9817, 0xa6959889,\n 0x7fb58a25, 0xb31f8abb, 0x3d908d58, 0xf13a8dc6, 0xfbff84df,\n 0x37558441, 0xb9da83a2, 0x7570833c, 0x533b85da, 0x9f918544,\n 0x111e82a7, 0xddb48239, 0xd7718b20, 0x1bdb8bbe, 0x95548c5d,\n 0x59fe8cc3, 0x80de9e6f, 0x4c749ef1, 0xc2fb9912, 0x0e51998c,\n 0x04949095, 0xc83e900b, 0x46b197e8, 0x8a1b9776, 0x2f80b4f1,\n 0xe32ab46f, 0x6da5b38c, 0xa10fb312, 0xabcaba0b, 0x6760ba95,\n 0xe9efbd76, 0x2545bde8, 0xfc65af44, 0x30cfafda, 0xbe40a839,\n 0x72eaa8a7, 0x782fa1be, 0xb485a120, 0x3a0aa6c3, 0xf6a0a65d,\n 0xaa4de78c, 0x66e7e712, 0xe868e0f1, 0x24c2e06f, 0x2e07e976,\n 0xe2ade9e8, 0x6c22ee0b, 0xa088ee95, 0x79a8fc39, 0xb502fca7,\n 0x3b8dfb44, 0xf727fbda, 0xfde2f2c3, 0x3148f25d, 0xbfc7f5be,\n 0x736df520, 0xd6f6d6a7, 0x1a5cd639, 0x94d3d1da, 0x5879d144,\n 0x52bcd85d, 0x9e16d8c3, 0x1099df20, 0xdc33dfbe, 0x0513cd12,\n 0xc9b9cd8c, 0x4736ca6f, 0x8b9ccaf1, 0x8159c3e8, 0x4df3c376,\n 0xc37cc495, 0x0fd6c40b, 0x7aa64737, 0xb60c47a9, 0x3883404a,\n 0xf42940d4, 0xfeec49cd, 0x32464953, 0xbcc94eb0, 0x70634e2e,\n 0xa9435c82, 0x65e95c1c, 0xeb665bff, 0x27cc5b61, 0x2d095278,\n 0xe1a352e6, 0x6f2c5505, 0xa386559b, 0x061d761c, 0xcab77682,\n 0x44387161, 0x889271ff, 0x825778e6, 0x4efd7878, 0xc0727f9b,\n 0x0cd87f05, 0xd5f86da9, 0x19526d37, 0x97dd6ad4, 0x5b776a4a,\n 0x51b26353, 0x9d1863cd, 0x1397642e, 0xdf3d64b0, 0x83d02561,\n 0x4f7a25ff, 0xc1f5221c, 0x0d5f2282, 0x079a2b9b, 0xcb302b05,\n 0x45bf2ce6, 0x89152c78, 0x50353ed4, 0x9c9f3e4a, 0x121039a9,\n 0xdeba3937, 0xd47f302e, 0x18d530b0, 0x965a3753, 0x5af037cd,\n 0xff6b144a, 0x33c114d4, 0xbd4e1337, 0x71e413a9, 0x7b211ab0,\n 0xb78b1a2e, 0x39041dcd, 0xf5ae1d53, 0x2c8e0fff, 0xe0240f61,\n 0x6eab0882, 0xa201081c, 0xa8c40105, 0x646e019b, 0xeae10678,\n 0x264b06e6},\n {0x00000000, 0xa6770bb4, 0x979f1129, 0x31e81a9d, 0xf44f2413,\n 0x52382fa7, 0x63d0353a, 0xc5a73e8e, 0x33ef4e67, 0x959845d3,\n 0xa4705f4e, 0x020754fa, 0xc7a06a74, 0x61d761c0, 0x503f7b5d,\n 0xf64870e9, 0x67de9cce, 0xc1a9977a, 0xf0418de7, 0x56368653,\n 0x9391b8dd, 0x35e6b369, 0x040ea9f4, 0xa279a240, 0x5431d2a9,\n 0xf246d91d, 0xc3aec380, 0x65d9c834, 0xa07ef6ba, 0x0609fd0e,\n 0x37e1e793, 0x9196ec27, 0xcfbd399c, 0x69ca3228, 0x582228b5,\n 0xfe552301, 0x3bf21d8f, 0x9d85163b, 0xac6d0ca6, 0x0a1a0712,\n 0xfc5277fb, 0x5a257c4f, 0x6bcd66d2, 0xcdba6d66, 0x081d53e8,\n 0xae6a585c, 0x9f8242c1, 0x39f54975, 0xa863a552, 0x0e14aee6,\n 0x3ffcb47b, 0x998bbfcf, 0x5c2c8141, 0xfa5b8af5, 0xcbb39068,\n 0x6dc49bdc, 0x9b8ceb35, 0x3dfbe081, 0x0c13fa1c, 0xaa64f1a8,\n 0x6fc3cf26, 0xc9b4c492, 0xf85cde0f, 0x5e2bd5bb, 0x440b7579,\n 0xe27c7ecd, 0xd3946450, 0x75e36fe4, 0xb044516a, 0x16335ade,\n 0x27db4043, 0x81ac4bf7, 0x77e43b1e, 0xd19330aa, 0xe07b2a37,\n 0x460c2183, 0x83ab1f0d, 0x25dc14b9, 0x14340e24, 0xb2430590,\n 0x23d5e9b7, 0x85a2e203, 0xb44af89e, 0x123df32a, 0xd79acda4,\n 0x71edc610, 0x4005dc8d, 0xe672d739, 0x103aa7d0, 0xb64dac64,\n 0x87a5b6f9, 0x21d2bd4d, 0xe47583c3, 0x42028877, 0x73ea92ea,\n 0xd59d995e, 0x8bb64ce5, 0x2dc14751, 0x1c295dcc, 0xba5e5678,\n 0x7ff968f6, 0xd98e6342, 0xe86679df, 0x4e11726b, 0xb8590282,\n 0x1e2e0936, 0x2fc613ab, 0x89b1181f, 0x4c162691, 0xea612d25,\n 0xdb8937b8, 0x7dfe3c0c, 0xec68d02b, 0x4a1fdb9f, 0x7bf7c102,\n 0xdd80cab6, 0x1827f438, 0xbe50ff8c, 0x8fb8e511, 0x29cfeea5,\n 0xdf879e4c, 0x79f095f8, 0x48188f65, 0xee6f84d1, 0x2bc8ba5f,\n 0x8dbfb1eb, 0xbc57ab76, 0x1a20a0c2, 0x8816eaf2, 0x2e61e146,\n 0x1f89fbdb, 0xb9fef06f, 0x7c59cee1, 0xda2ec555, 0xebc6dfc8,\n 0x4db1d47c, 0xbbf9a495, 0x1d8eaf21, 0x2c66b5bc, 0x8a11be08,\n 0x4fb68086, 0xe9c18b32, 0xd82991af, 0x7e5e9a1b, 0xefc8763c,\n 0x49bf7d88, 0x78576715, 0xde206ca1, 0x1b87522f, 0xbdf0599b,\n 0x8c184306, 0x2a6f48b2, 0xdc27385b, 0x7a5033ef, 0x4bb82972,\n 0xedcf22c6, 0x28681c48, 0x8e1f17fc, 0xbff70d61, 0x198006d5,\n 0x47abd36e, 0xe1dcd8da, 0xd034c247, 0x7643c9f3, 0xb3e4f77d,\n 0x1593fcc9, 0x247be654, 0x820cede0, 0x74449d09, 0xd23396bd,\n 0xe3db8c20, 0x45ac8794, 0x800bb91a, 0x267cb2ae, 0x1794a833,\n 0xb1e3a387, 0x20754fa0, 0x86024414, 0xb7ea5e89, 0x119d553d,\n 0xd43a6bb3, 0x724d6007, 0x43a57a9a, 0xe5d2712e, 0x139a01c7,\n 0xb5ed0a73, 0x840510ee, 0x22721b5a, 0xe7d525d4, 0x41a22e60,\n 0x704a34fd, 0xd63d3f49, 0xcc1d9f8b, 0x6a6a943f, 0x5b828ea2,\n 0xfdf58516, 0x3852bb98, 0x9e25b02c, 0xafcdaab1, 0x09baa105,\n 0xfff2d1ec, 0x5985da58, 0x686dc0c5, 0xce1acb71, 0x0bbdf5ff,\n 0xadcafe4b, 0x9c22e4d6, 0x3a55ef62, 0xabc30345, 0x0db408f1,\n 0x3c5c126c, 0x9a2b19d8, 0x5f8c2756, 0xf9fb2ce2, 0xc813367f,\n 0x6e643dcb, 0x982c4d22, 0x3e5b4696, 0x0fb35c0b, 0xa9c457bf,\n 0x6c636931, 0xca146285, 0xfbfc7818, 0x5d8b73ac, 0x03a0a617,\n 0xa5d7ada3, 0x943fb73e, 0x3248bc8a, 0xf7ef8204, 0x519889b0,\n 0x6070932d, 0xc6079899, 0x304fe870, 0x9638e3c4, 0xa7d0f959,\n 0x01a7f2ed, 0xc400cc63, 0x6277c7d7, 0x539fdd4a, 0xf5e8d6fe,\n 0x647e3ad9, 0xc209316d, 0xf3e12bf0, 0x55962044, 0x90311eca,\n 0x3646157e, 0x07ae0fe3, 0xa1d90457, 0x579174be, 0xf1e67f0a,\n 0xc00e6597, 0x66796e23, 0xa3de50ad, 0x05a95b19, 0x34414184,\n 0x92364a30},\n {0x00000000, 0xcb5cd3a5, 0x4dc8a10b, 0x869472ae, 0x9b914216,\n 0x50cd91b3, 0xd659e31d, 0x1d0530b8, 0xec53826d, 0x270f51c8,\n 0xa19b2366, 0x6ac7f0c3, 0x77c2c07b, 0xbc9e13de, 0x3a0a6170,\n 0xf156b2d5, 0x03d6029b, 0xc88ad13e, 0x4e1ea390, 0x85427035,\n 0x9847408d, 0x531b9328, 0xd58fe186, 0x1ed33223, 0xef8580f6,\n 0x24d95353, 0xa24d21fd, 0x6911f258, 0x7414c2e0, 0xbf481145,\n 0x39dc63eb, 0xf280b04e, 0x07ac0536, 0xccf0d693, 0x4a64a43d,\n 0x81387798, 0x9c3d4720, 0x57619485, 0xd1f5e62b, 0x1aa9358e,\n 0xebff875b, 0x20a354fe, 0xa6372650, 0x6d6bf5f5, 0x706ec54d,\n 0xbb3216e8, 0x3da66446, 0xf6fab7e3, 0x047a07ad, 0xcf26d408,\n 0x49b2a6a6, 0x82ee7503, 0x9feb45bb, 0x54b7961e, 0xd223e4b0,\n 0x197f3715, 0xe82985c0, 0x23755665, 0xa5e124cb, 0x6ebdf76e,\n 0x73b8c7d6, 0xb8e41473, 0x3e7066dd, 0xf52cb578, 0x0f580a6c,\n 0xc404d9c9, 0x4290ab67, 0x89cc78c2, 0x94c9487a, 0x5f959bdf,\n 0xd901e971, 0x125d3ad4, 0xe30b8801, 0x28575ba4, 0xaec3290a,\n 0x659ffaaf, 0x789aca17, 0xb3c619b2, 0x35526b1c, 0xfe0eb8b9,\n 0x0c8e08f7, 0xc7d2db52, 0x4146a9fc, 0x8a1a7a59, 0x971f4ae1,\n 0x5c439944, 0xdad7ebea, 0x118b384f, 0xe0dd8a9a, 0x2b81593f,\n 0xad152b91, 0x6649f834, 0x7b4cc88c, 0xb0101b29, 0x36846987,\n 0xfdd8ba22, 0x08f40f5a, 0xc3a8dcff, 0x453cae51, 0x8e607df4,\n 0x93654d4c, 0x58399ee9, 0xdeadec47, 0x15f13fe2, 0xe4a78d37,\n 0x2ffb5e92, 0xa96f2c3c, 0x6233ff99, 0x7f36cf21, 0xb46a1c84,\n 0x32fe6e2a, 0xf9a2bd8f, 0x0b220dc1, 0xc07ede64, 0x46eaacca,\n 0x8db67f6f, 0x90b34fd7, 0x5bef9c72, 0xdd7beedc, 0x16273d79,\n 0xe7718fac, 0x2c2d5c09, 0xaab92ea7, 0x61e5fd02, 0x7ce0cdba,\n 0xb7bc1e1f, 0x31286cb1, 0xfa74bf14, 0x1eb014d8, 0xd5ecc77d,\n 0x5378b5d3, 0x98246676, 0x852156ce, 0x4e7d856b, 0xc8e9f7c5,\n 0x03b52460, 0xf2e396b5, 0x39bf4510, 0xbf2b37be, 0x7477e41b,\n 0x6972d4a3, 0xa22e0706, 0x24ba75a8, 0xefe6a60d, 0x1d661643,\n 0xd63ac5e6, 0x50aeb748, 0x9bf264ed, 0x86f75455, 0x4dab87f0,\n 0xcb3ff55e, 0x006326fb, 0xf135942e, 0x3a69478b, 0xbcfd3525,\n 0x77a1e680, 0x6aa4d638, 0xa1f8059d, 0x276c7733, 0xec30a496,\n 0x191c11ee, 0xd240c24b, 0x54d4b0e5, 0x9f886340, 0x828d53f8,\n 0x49d1805d, 0xcf45f2f3, 0x04192156, 0xf54f9383, 0x3e134026,\n 0xb8873288, 0x73dbe12d, 0x6eded195, 0xa5820230, 0x2316709e,\n 0xe84aa33b, 0x1aca1375, 0xd196c0d0, 0x5702b27e, 0x9c5e61db,\n 0x815b5163, 0x4a0782c6, 0xcc93f068, 0x07cf23cd, 0xf6999118,\n 0x3dc542bd, 0xbb513013, 0x700de3b6, 0x6d08d30e, 0xa65400ab,\n 0x20c07205, 0xeb9ca1a0, 0x11e81eb4, 0xdab4cd11, 0x5c20bfbf,\n 0x977c6c1a, 0x8a795ca2, 0x41258f07, 0xc7b1fda9, 0x0ced2e0c,\n 0xfdbb9cd9, 0x36e74f7c, 0xb0733dd2, 0x7b2fee77, 0x662adecf,\n 0xad760d6a, 0x2be27fc4, 0xe0beac61, 0x123e1c2f, 0xd962cf8a,\n 0x5ff6bd24, 0x94aa6e81, 0x89af5e39, 0x42f38d9c, 0xc467ff32,\n 0x0f3b2c97, 0xfe6d9e42, 0x35314de7, 0xb3a53f49, 0x78f9ecec,\n 0x65fcdc54, 0xaea00ff1, 0x28347d5f, 0xe368aefa, 0x16441b82,\n 0xdd18c827, 0x5b8cba89, 0x90d0692c, 0x8dd55994, 0x46898a31,\n 0xc01df89f, 0x0b412b3a, 0xfa1799ef, 0x314b4a4a, 0xb7df38e4,\n 0x7c83eb41, 0x6186dbf9, 0xaada085c, 0x2c4e7af2, 0xe712a957,\n 0x15921919, 0xdececabc, 0x585ab812, 0x93066bb7, 0x8e035b0f,\n 0x455f88aa, 0xc3cbfa04, 0x089729a1, 0xf9c19b74, 0x329d48d1,\n 0xb4093a7f, 0x7f55e9da, 0x6250d962, 0xa90c0ac7, 0x2f987869,\n 0xe4c4abcc},\n {0x00000000, 0x3d6029b0, 0x7ac05360, 0x47a07ad0, 0xf580a6c0,\n 0xc8e08f70, 0x8f40f5a0, 0xb220dc10, 0x30704bc1, 0x0d106271,\n 0x4ab018a1, 0x77d03111, 0xc5f0ed01, 0xf890c4b1, 0xbf30be61,\n 0x825097d1, 0x60e09782, 0x5d80be32, 0x1a20c4e2, 0x2740ed52,\n 0x95603142, 0xa80018f2, 0xefa06222, 0xd2c04b92, 0x5090dc43,\n 0x6df0f5f3, 0x2a508f23, 0x1730a693, 0xa5107a83, 0x98705333,\n 0xdfd029e3, 0xe2b00053, 0xc1c12f04, 0xfca106b4, 0xbb017c64,\n 0x866155d4, 0x344189c4, 0x0921a074, 0x4e81daa4, 0x73e1f314,\n 0xf1b164c5, 0xccd14d75, 0x8b7137a5, 0xb6111e15, 0x0431c205,\n 0x3951ebb5, 0x7ef19165, 0x4391b8d5, 0xa121b886, 0x9c419136,\n 0xdbe1ebe6, 0xe681c256, 0x54a11e46, 0x69c137f6, 0x2e614d26,\n 0x13016496, 0x9151f347, 0xac31daf7, 0xeb91a027, 0xd6f18997,\n 0x64d15587, 0x59b17c37, 0x1e1106e7, 0x23712f57, 0x58f35849,\n 0x659371f9, 0x22330b29, 0x1f532299, 0xad73fe89, 0x9013d739,\n 0xd7b3ade9, 0xead38459, 0x68831388, 0x55e33a38, 0x124340e8,\n 0x2f236958, 0x9d03b548, 0xa0639cf8, 0xe7c3e628, 0xdaa3cf98,\n 0x3813cfcb, 0x0573e67b, 0x42d39cab, 0x7fb3b51b, 0xcd93690b,\n 0xf0f340bb, 0xb7533a6b, 0x8a3313db, 0x0863840a, 0x3503adba,\n 0x72a3d76a, 0x4fc3feda, 0xfde322ca, 0xc0830b7a, 0x872371aa,\n 0xba43581a, 0x9932774d, 0xa4525efd, 0xe3f2242d, 0xde920d9d,\n 0x6cb2d18d, 0x51d2f83d, 0x167282ed, 0x2b12ab5d, 0xa9423c8c,\n 0x9422153c, 0xd3826fec, 0xeee2465c, 0x5cc29a4c, 0x61a2b3fc,\n 0x2602c92c, 0x1b62e09c, 0xf9d2e0cf, 0xc4b2c97f, 0x8312b3af,\n 0xbe729a1f, 0x0c52460f, 0x31326fbf, 0x7692156f, 0x4bf23cdf,\n 0xc9a2ab0e, 0xf4c282be, 0xb362f86e, 0x8e02d1de, 0x3c220dce,\n 0x0142247e, 0x46e25eae, 0x7b82771e, 0xb1e6b092, 0x8c869922,\n 0xcb26e3f2, 0xf646ca42, 0x44661652, 0x79063fe2, 0x3ea64532,\n 0x03c66c82, 0x8196fb53, 0xbcf6d2e3, 0xfb56a833, 0xc6368183,\n 0x74165d93, 0x49767423, 0x0ed60ef3, 0x33b62743, 0xd1062710,\n 0xec660ea0, 0xabc67470, 0x96a65dc0, 0x248681d0, 0x19e6a860,\n 0x5e46d2b0, 0x6326fb00, 0xe1766cd1, 0xdc164561, 0x9bb63fb1,\n 0xa6d61601, 0x14f6ca11, 0x2996e3a1, 0x6e369971, 0x5356b0c1,\n 0x70279f96, 0x4d47b626, 0x0ae7ccf6, 0x3787e546, 0x85a73956,\n 0xb8c710e6, 0xff676a36, 0xc2074386, 0x4057d457, 0x7d37fde7,\n 0x3a978737, 0x07f7ae87, 0xb5d77297, 0x88b75b27, 0xcf1721f7,\n 0xf2770847, 0x10c70814, 0x2da721a4, 0x6a075b74, 0x576772c4,\n 0xe547aed4, 0xd8278764, 0x9f87fdb4, 0xa2e7d404, 0x20b743d5,\n 0x1dd76a65, 0x5a7710b5, 0x67173905, 0xd537e515, 0xe857cca5,\n 0xaff7b675, 0x92979fc5, 0xe915e8db, 0xd475c16b, 0x93d5bbbb,\n 0xaeb5920b, 0x1c954e1b, 0x21f567ab, 0x66551d7b, 0x5b3534cb,\n 0xd965a31a, 0xe4058aaa, 0xa3a5f07a, 0x9ec5d9ca, 0x2ce505da,\n 0x11852c6a, 0x562556ba, 0x6b457f0a, 0x89f57f59, 0xb49556e9,\n 0xf3352c39, 0xce550589, 0x7c75d999, 0x4115f029, 0x06b58af9,\n 0x3bd5a349, 0xb9853498, 0x84e51d28, 0xc34567f8, 0xfe254e48,\n 0x4c059258, 0x7165bbe8, 0x36c5c138, 0x0ba5e888, 0x28d4c7df,\n 0x15b4ee6f, 0x521494bf, 0x6f74bd0f, 0xdd54611f, 0xe03448af,\n 0xa794327f, 0x9af41bcf, 0x18a48c1e, 0x25c4a5ae, 0x6264df7e,\n 0x5f04f6ce, 0xed242ade, 0xd044036e, 0x97e479be, 0xaa84500e,\n 0x4834505d, 0x755479ed, 0x32f4033d, 0x0f942a8d, 0xbdb4f69d,\n 0x80d4df2d, 0xc774a5fd, 0xfa148c4d, 0x78441b9c, 0x4524322c,\n 0x028448fc, 0x3fe4614c, 0x8dc4bd5c, 0xb0a494ec, 0xf704ee3c,\n 0xca64c78c},\n {0x00000000, 0xb8bc6765, 0xaa09c88b, 0x12b5afee, 0x8f629757,\n 0x37def032, 0x256b5fdc, 0x9dd738b9, 0xc5b428ef, 0x7d084f8a,\n 0x6fbde064, 0xd7018701, 0x4ad6bfb8, 0xf26ad8dd, 0xe0df7733,\n 0x58631056, 0x5019579f, 0xe8a530fa, 0xfa109f14, 0x42acf871,\n 0xdf7bc0c8, 0x67c7a7ad, 0x75720843, 0xcdce6f26, 0x95ad7f70,\n 0x2d111815, 0x3fa4b7fb, 0x8718d09e, 0x1acfe827, 0xa2738f42,\n 0xb0c620ac, 0x087a47c9, 0xa032af3e, 0x188ec85b, 0x0a3b67b5,\n 0xb28700d0, 0x2f503869, 0x97ec5f0c, 0x8559f0e2, 0x3de59787,\n 0x658687d1, 0xdd3ae0b4, 0xcf8f4f5a, 0x7733283f, 0xeae41086,\n 0x525877e3, 0x40edd80d, 0xf851bf68, 0xf02bf8a1, 0x48979fc4,\n 0x5a22302a, 0xe29e574f, 0x7f496ff6, 0xc7f50893, 0xd540a77d,\n 0x6dfcc018, 0x359fd04e, 0x8d23b72b, 0x9f9618c5, 0x272a7fa0,\n 0xbafd4719, 0x0241207c, 0x10f48f92, 0xa848e8f7, 0x9b14583d,\n 0x23a83f58, 0x311d90b6, 0x89a1f7d3, 0x1476cf6a, 0xaccaa80f,\n 0xbe7f07e1, 0x06c36084, 0x5ea070d2, 0xe61c17b7, 0xf4a9b859,\n 0x4c15df3c, 0xd1c2e785, 0x697e80e0, 0x7bcb2f0e, 0xc377486b,\n 0xcb0d0fa2, 0x73b168c7, 0x6104c729, 0xd9b8a04c, 0x446f98f5,\n 0xfcd3ff90, 0xee66507e, 0x56da371b, 0x0eb9274d, 0xb6054028,\n 0xa4b0efc6, 0x1c0c88a3, 0x81dbb01a, 0x3967d77f, 0x2bd27891,\n 0x936e1ff4, 0x3b26f703, 0x839a9066, 0x912f3f88, 0x299358ed,\n 0xb4446054, 0x0cf80731, 0x1e4da8df, 0xa6f1cfba, 0xfe92dfec,\n 0x462eb889, 0x549b1767, 0xec277002, 0x71f048bb, 0xc94c2fde,\n 0xdbf98030, 0x6345e755, 0x6b3fa09c, 0xd383c7f9, 0xc1366817,\n 0x798a0f72, 0xe45d37cb, 0x5ce150ae, 0x4e54ff40, 0xf6e89825,\n 0xae8b8873, 0x1637ef16, 0x048240f8, 0xbc3e279d, 0x21e91f24,\n 0x99557841, 0x8be0d7af, 0x335cb0ca, 0xed59b63b, 0x55e5d15e,\n 0x47507eb0, 0xffec19d5, 0x623b216c, 0xda874609, 0xc832e9e7,\n 0x708e8e82, 0x28ed9ed4, 0x9051f9b1, 0x82e4565f, 0x3a58313a,\n 0xa78f0983, 0x1f336ee6, 0x0d86c108, 0xb53aa66d, 0xbd40e1a4,\n 0x05fc86c1, 0x1749292f, 0xaff54e4a, 0x322276f3, 0x8a9e1196,\n 0x982bbe78, 0x2097d91d, 0x78f4c94b, 0xc048ae2e, 0xd2fd01c0,\n 0x6a4166a5, 0xf7965e1c, 0x4f2a3979, 0x5d9f9697, 0xe523f1f2,\n 0x4d6b1905, 0xf5d77e60, 0xe762d18e, 0x5fdeb6eb, 0xc2098e52,\n 0x7ab5e937, 0x680046d9, 0xd0bc21bc, 0x88df31ea, 0x3063568f,\n 0x22d6f961, 0x9a6a9e04, 0x07bda6bd, 0xbf01c1d8, 0xadb46e36,\n 0x15080953, 0x1d724e9a, 0xa5ce29ff, 0xb77b8611, 0x0fc7e174,\n 0x9210d9cd, 0x2aacbea8, 0x38191146, 0x80a57623, 0xd8c66675,\n 0x607a0110, 0x72cfaefe, 0xca73c99b, 0x57a4f122, 0xef189647,\n 0xfdad39a9, 0x45115ecc, 0x764dee06, 0xcef18963, 0xdc44268d,\n 0x64f841e8, 0xf92f7951, 0x41931e34, 0x5326b1da, 0xeb9ad6bf,\n 0xb3f9c6e9, 0x0b45a18c, 0x19f00e62, 0xa14c6907, 0x3c9b51be,\n 0x842736db, 0x96929935, 0x2e2efe50, 0x2654b999, 0x9ee8defc,\n 0x8c5d7112, 0x34e11677, 0xa9362ece, 0x118a49ab, 0x033fe645,\n 0xbb838120, 0xe3e09176, 0x5b5cf613, 0x49e959fd, 0xf1553e98,\n 0x6c820621, 0xd43e6144, 0xc68bceaa, 0x7e37a9cf, 0xd67f4138,\n 0x6ec3265d, 0x7c7689b3, 0xc4caeed6, 0x591dd66f, 0xe1a1b10a,\n 0xf3141ee4, 0x4ba87981, 0x13cb69d7, 0xab770eb2, 0xb9c2a15c,\n 0x017ec639, 0x9ca9fe80, 0x241599e5, 0x36a0360b, 0x8e1c516e,\n 0x866616a7, 0x3eda71c2, 0x2c6fde2c, 0x94d3b949, 0x090481f0,\n 0xb1b8e695, 0xa30d497b, 0x1bb12e1e, 0x43d23e48, 0xfb6e592d,\n 0xe9dbf6c3, 0x516791a6, 0xccb0a91f, 0x740cce7a, 0x66b96194,\n 0xde0506f1},\n {0x00000000, 0x01c26a37, 0x0384d46e, 0x0246be59, 0x0709a8dc,\n 0x06cbc2eb, 0x048d7cb2, 0x054f1685, 0x0e1351b8, 0x0fd13b8f,\n 0x0d9785d6, 0x0c55efe1, 0x091af964, 0x08d89353, 0x0a9e2d0a,\n 0x0b5c473d, 0x1c26a370, 0x1de4c947, 0x1fa2771e, 0x1e601d29,\n 0x1b2f0bac, 0x1aed619b, 0x18abdfc2, 0x1969b5f5, 0x1235f2c8,\n 0x13f798ff, 0x11b126a6, 0x10734c91, 0x153c5a14, 0x14fe3023,\n 0x16b88e7a, 0x177ae44d, 0x384d46e0, 0x398f2cd7, 0x3bc9928e,\n 0x3a0bf8b9, 0x3f44ee3c, 0x3e86840b, 0x3cc03a52, 0x3d025065,\n 0x365e1758, 0x379c7d6f, 0x35dac336, 0x3418a901, 0x3157bf84,\n 0x3095d5b3, 0x32d36bea, 0x331101dd, 0x246be590, 0x25a98fa7,\n 0x27ef31fe, 0x262d5bc9, 0x23624d4c, 0x22a0277b, 0x20e69922,\n 0x2124f315, 0x2a78b428, 0x2bbade1f, 0x29fc6046, 0x283e0a71,\n 0x2d711cf4, 0x2cb376c3, 0x2ef5c89a, 0x2f37a2ad, 0x709a8dc0,\n 0x7158e7f7, 0x731e59ae, 0x72dc3399, 0x7793251c, 0x76514f2b,\n 0x7417f172, 0x75d59b45, 0x7e89dc78, 0x7f4bb64f, 0x7d0d0816,\n 0x7ccf6221, 0x798074a4, 0x78421e93, 0x7a04a0ca, 0x7bc6cafd,\n 0x6cbc2eb0, 0x6d7e4487, 0x6f38fade, 0x6efa90e9, 0x6bb5866c,\n 0x6a77ec5b, 0x68315202, 0x69f33835, 0x62af7f08, 0x636d153f,\n 0x612bab66, 0x60e9c151, 0x65a6d7d4, 0x6464bde3, 0x662203ba,\n 0x67e0698d, 0x48d7cb20, 0x4915a117, 0x4b531f4e, 0x4a917579,\n 0x4fde63fc, 0x4e1c09cb, 0x4c5ab792, 0x4d98dda5, 0x46c49a98,\n 0x4706f0af, 0x45404ef6, 0x448224c1, 0x41cd3244, 0x400f5873,\n 0x4249e62a, 0x438b8c1d, 0x54f16850, 0x55330267, 0x5775bc3e,\n 0x56b7d609, 0x53f8c08c, 0x523aaabb, 0x507c14e2, 0x51be7ed5,\n 0x5ae239e8, 0x5b2053df, 0x5966ed86, 0x58a487b1, 0x5deb9134,\n 0x5c29fb03, 0x5e6f455a, 0x5fad2f6d, 0xe1351b80, 0xe0f771b7,\n 0xe2b1cfee, 0xe373a5d9, 0xe63cb35c, 0xe7fed96b, 0xe5b86732,\n 0xe47a0d05, 0xef264a38, 0xeee4200f, 0xeca29e56, 0xed60f461,\n 0xe82fe2e4, 0xe9ed88d3, 0xebab368a, 0xea695cbd, 0xfd13b8f0,\n 0xfcd1d2c7, 0xfe976c9e, 0xff5506a9, 0xfa1a102c, 0xfbd87a1b,\n 0xf99ec442, 0xf85cae75, 0xf300e948, 0xf2c2837f, 0xf0843d26,\n 0xf1465711, 0xf4094194, 0xf5cb2ba3, 0xf78d95fa, 0xf64fffcd,\n 0xd9785d60, 0xd8ba3757, 0xdafc890e, 0xdb3ee339, 0xde71f5bc,\n 0xdfb39f8b, 0xddf521d2, 0xdc374be5, 0xd76b0cd8, 0xd6a966ef,\n 0xd4efd8b6, 0xd52db281, 0xd062a404, 0xd1a0ce33, 0xd3e6706a,\n 0xd2241a5d, 0xc55efe10, 0xc49c9427, 0xc6da2a7e, 0xc7184049,\n 0xc25756cc, 0xc3953cfb, 0xc1d382a2, 0xc011e895, 0xcb4dafa8,\n 0xca8fc59f, 0xc8c97bc6, 0xc90b11f1, 0xcc440774, 0xcd866d43,\n 0xcfc0d31a, 0xce02b92d, 0x91af9640, 0x906dfc77, 0x922b422e,\n 0x93e92819, 0x96a63e9c, 0x976454ab, 0x9522eaf2, 0x94e080c5,\n 0x9fbcc7f8, 0x9e7eadcf, 0x9c381396, 0x9dfa79a1, 0x98b56f24,\n 0x99770513, 0x9b31bb4a, 0x9af3d17d, 0x8d893530, 0x8c4b5f07,\n 0x8e0de15e, 0x8fcf8b69, 0x8a809dec, 0x8b42f7db, 0x89044982,\n 0x88c623b5, 0x839a6488, 0x82580ebf, 0x801eb0e6, 0x81dcdad1,\n 0x8493cc54, 0x8551a663, 0x8717183a, 0x86d5720d, 0xa9e2d0a0,\n 0xa820ba97, 0xaa6604ce, 0xaba46ef9, 0xaeeb787c, 0xaf29124b,\n 0xad6fac12, 0xacadc625, 0xa7f18118, 0xa633eb2f, 0xa4755576,\n 0xa5b73f41, 0xa0f829c4, 0xa13a43f3, 0xa37cfdaa, 0xa2be979d,\n 0xb5c473d0, 0xb40619e7, 0xb640a7be, 0xb782cd89, 0xb2cddb0c,\n 0xb30fb13b, 0xb1490f62, 0xb08b6555, 0xbbd72268, 0xba15485f,\n 0xb853f606, 0xb9919c31, 0xbcde8ab4, 0xbd1ce083, 0xbf5a5eda,\n 0xbe9834ed},\n {0x00000000, 0x191b3141, 0x32366282, 0x2b2d53c3, 0x646cc504,\n 0x7d77f445, 0x565aa786, 0x4f4196c7, 0xc8d98a08, 0xd1c2bb49,\n 0xfaefe88a, 0xe3f4d9cb, 0xacb54f0c, 0xb5ae7e4d, 0x9e832d8e,\n 0x87981ccf, 0x4ac21251, 0x53d92310, 0x78f470d3, 0x61ef4192,\n 0x2eaed755, 0x37b5e614, 0x1c98b5d7, 0x05838496, 0x821b9859,\n 0x9b00a918, 0xb02dfadb, 0xa936cb9a, 0xe6775d5d, 0xff6c6c1c,\n 0xd4413fdf, 0xcd5a0e9e, 0x958424a2, 0x8c9f15e3, 0xa7b24620,\n 0xbea97761, 0xf1e8e1a6, 0xe8f3d0e7, 0xc3de8324, 0xdac5b265,\n 0x5d5daeaa, 0x44469feb, 0x6f6bcc28, 0x7670fd69, 0x39316bae,\n 0x202a5aef, 0x0b07092c, 0x121c386d, 0xdf4636f3, 0xc65d07b2,\n 0xed705471, 0xf46b6530, 0xbb2af3f7, 0xa231c2b6, 0x891c9175,\n 0x9007a034, 0x179fbcfb, 0x0e848dba, 0x25a9de79, 0x3cb2ef38,\n 0x73f379ff, 0x6ae848be, 0x41c51b7d, 0x58de2a3c, 0xf0794f05,\n 0xe9627e44, 0xc24f2d87, 0xdb541cc6, 0x94158a01, 0x8d0ebb40,\n 0xa623e883, 0xbf38d9c2, 0x38a0c50d, 0x21bbf44c, 0x0a96a78f,\n 0x138d96ce, 0x5ccc0009, 0x45d73148, 0x6efa628b, 0x77e153ca,\n 0xbabb5d54, 0xa3a06c15, 0x888d3fd6, 0x91960e97, 0xded79850,\n 0xc7cca911, 0xece1fad2, 0xf5facb93, 0x7262d75c, 0x6b79e61d,\n 0x4054b5de, 0x594f849f, 0x160e1258, 0x0f152319, 0x243870da,\n 0x3d23419b, 0x65fd6ba7, 0x7ce65ae6, 0x57cb0925, 0x4ed03864,\n 0x0191aea3, 0x188a9fe2, 0x33a7cc21, 0x2abcfd60, 0xad24e1af,\n 0xb43fd0ee, 0x9f12832d, 0x8609b26c, 0xc94824ab, 0xd05315ea,\n 0xfb7e4629, 0xe2657768, 0x2f3f79f6, 0x362448b7, 0x1d091b74,\n 0x04122a35, 0x4b53bcf2, 0x52488db3, 0x7965de70, 0x607eef31,\n 0xe7e6f3fe, 0xfefdc2bf, 0xd5d0917c, 0xcccba03d, 0x838a36fa,\n 0x9a9107bb, 0xb1bc5478, 0xa8a76539, 0x3b83984b, 0x2298a90a,\n 0x09b5fac9, 0x10aecb88, 0x5fef5d4f, 0x46f46c0e, 0x6dd93fcd,\n 0x74c20e8c, 0xf35a1243, 0xea412302, 0xc16c70c1, 0xd8774180,\n 0x9736d747, 0x8e2de606, 0xa500b5c5, 0xbc1b8484, 0x71418a1a,\n 0x685abb5b, 0x4377e898, 0x5a6cd9d9, 0x152d4f1e, 0x0c367e5f,\n 0x271b2d9c, 0x3e001cdd, 0xb9980012, 0xa0833153, 0x8bae6290,\n 0x92b553d1, 0xddf4c516, 0xc4eff457, 0xefc2a794, 0xf6d996d5,\n 0xae07bce9, 0xb71c8da8, 0x9c31de6b, 0x852aef2a, 0xca6b79ed,\n 0xd37048ac, 0xf85d1b6f, 0xe1462a2e, 0x66de36e1, 0x7fc507a0,\n 0x54e85463, 0x4df36522, 0x02b2f3e5, 0x1ba9c2a4, 0x30849167,\n 0x299fa026, 0xe4c5aeb8, 0xfdde9ff9, 0xd6f3cc3a, 0xcfe8fd7b,\n 0x80a96bbc, 0x99b25afd, 0xb29f093e, 0xab84387f, 0x2c1c24b0,\n 0x350715f1, 0x1e2a4632, 0x07317773, 0x4870e1b4, 0x516bd0f5,\n 0x7a468336, 0x635db277, 0xcbfad74e, 0xd2e1e60f, 0xf9ccb5cc,\n 0xe0d7848d, 0xaf96124a, 0xb68d230b, 0x9da070c8, 0x84bb4189,\n 0x03235d46, 0x1a386c07, 0x31153fc4, 0x280e0e85, 0x674f9842,\n 0x7e54a903, 0x5579fac0, 0x4c62cb81, 0x8138c51f, 0x9823f45e,\n 0xb30ea79d, 0xaa1596dc, 0xe554001b, 0xfc4f315a, 0xd7626299,\n 0xce7953d8, 0x49e14f17, 0x50fa7e56, 0x7bd72d95, 0x62cc1cd4,\n 0x2d8d8a13, 0x3496bb52, 0x1fbbe891, 0x06a0d9d0, 0x5e7ef3ec,\n 0x4765c2ad, 0x6c48916e, 0x7553a02f, 0x3a1236e8, 0x230907a9,\n 0x0824546a, 0x113f652b, 0x96a779e4, 0x8fbc48a5, 0xa4911b66,\n 0xbd8a2a27, 0xf2cbbce0, 0xebd08da1, 0xc0fdde62, 0xd9e6ef23,\n 0x14bce1bd, 0x0da7d0fc, 0x268a833f, 0x3f91b27e, 0x70d024b9,\n 0x69cb15f8, 0x42e6463b, 0x5bfd777a, 0xdc656bb5, 0xc57e5af4,\n 0xee530937, 0xf7483876, 0xb809aeb1, 0xa1129ff0, 0x8a3fcc33,\n 0x9324fd72},\n {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\n 0x2d02ef8d}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0x9630077700000000, 0x2c610eee00000000,\n 0xba51099900000000, 0x19c46d0700000000, 0x8ff46a7000000000,\n 0x35a563e900000000, 0xa395649e00000000, 0x3288db0e00000000,\n 0xa4b8dc7900000000, 0x1ee9d5e000000000, 0x88d9d29700000000,\n 0x2b4cb60900000000, 0xbd7cb17e00000000, 0x072db8e700000000,\n 0x911dbf9000000000, 0x6410b71d00000000, 0xf220b06a00000000,\n 0x4871b9f300000000, 0xde41be8400000000, 0x7dd4da1a00000000,\n 0xebe4dd6d00000000, 0x51b5d4f400000000, 0xc785d38300000000,\n 0x56986c1300000000, 0xc0a86b6400000000, 0x7af962fd00000000,\n 0xecc9658a00000000, 0x4f5c011400000000, 0xd96c066300000000,\n 0x633d0ffa00000000, 0xf50d088d00000000, 0xc8206e3b00000000,\n 0x5e10694c00000000, 0xe44160d500000000, 0x727167a200000000,\n 0xd1e4033c00000000, 0x47d4044b00000000, 0xfd850dd200000000,\n 0x6bb50aa500000000, 0xfaa8b53500000000, 0x6c98b24200000000,\n 0xd6c9bbdb00000000, 0x40f9bcac00000000, 0xe36cd83200000000,\n 0x755cdf4500000000, 0xcf0dd6dc00000000, 0x593dd1ab00000000,\n 0xac30d92600000000, 0x3a00de5100000000, 0x8051d7c800000000,\n 0x1661d0bf00000000, 0xb5f4b42100000000, 0x23c4b35600000000,\n 0x9995bacf00000000, 0x0fa5bdb800000000, 0x9eb8022800000000,\n 0x0888055f00000000, 0xb2d90cc600000000, 0x24e90bb100000000,\n 0x877c6f2f00000000, 0x114c685800000000, 0xab1d61c100000000,\n 0x3d2d66b600000000, 0x9041dc7600000000, 0x0671db0100000000,\n 0xbc20d29800000000, 0x2a10d5ef00000000, 0x8985b17100000000,\n 0x1fb5b60600000000, 0xa5e4bf9f00000000, 0x33d4b8e800000000,\n 0xa2c9077800000000, 0x34f9000f00000000, 0x8ea8099600000000,\n 0x18980ee100000000, 0xbb0d6a7f00000000, 0x2d3d6d0800000000,\n 0x976c649100000000, 0x015c63e600000000, 0xf4516b6b00000000,\n 0x62616c1c00000000, 0xd830658500000000, 0x4e0062f200000000,\n 0xed95066c00000000, 0x7ba5011b00000000, 0xc1f4088200000000,\n 0x57c40ff500000000, 0xc6d9b06500000000, 0x50e9b71200000000,\n 0xeab8be8b00000000, 0x7c88b9fc00000000, 0xdf1ddd6200000000,\n 0x492dda1500000000, 0xf37cd38c00000000, 0x654cd4fb00000000,\n 0x5861b24d00000000, 0xce51b53a00000000, 0x7400bca300000000,\n 0xe230bbd400000000, 0x41a5df4a00000000, 0xd795d83d00000000,\n 0x6dc4d1a400000000, 0xfbf4d6d300000000, 0x6ae9694300000000,\n 0xfcd96e3400000000, 0x468867ad00000000, 0xd0b860da00000000,\n 0x732d044400000000, 0xe51d033300000000, 0x5f4c0aaa00000000,\n 0xc97c0ddd00000000, 0x3c71055000000000, 0xaa41022700000000,\n 0x10100bbe00000000, 0x86200cc900000000, 0x25b5685700000000,\n 0xb3856f2000000000, 0x09d466b900000000, 0x9fe461ce00000000,\n 0x0ef9de5e00000000, 0x98c9d92900000000, 0x2298d0b000000000,\n 0xb4a8d7c700000000, 0x173db35900000000, 0x810db42e00000000,\n 0x3b5cbdb700000000, 0xad6cbac000000000, 0x2083b8ed00000000,\n 0xb6b3bf9a00000000, 0x0ce2b60300000000, 0x9ad2b17400000000,\n 0x3947d5ea00000000, 0xaf77d29d00000000, 0x1526db0400000000,\n 0x8316dc7300000000, 0x120b63e300000000, 0x843b649400000000,\n 0x3e6a6d0d00000000, 0xa85a6a7a00000000, 0x0bcf0ee400000000,\n 0x9dff099300000000, 0x27ae000a00000000, 0xb19e077d00000000,\n 0x44930ff000000000, 0xd2a3088700000000, 0x68f2011e00000000,\n 0xfec2066900000000, 0x5d5762f700000000, 0xcb67658000000000,\n 0x71366c1900000000, 0xe7066b6e00000000, 0x761bd4fe00000000,\n 0xe02bd38900000000, 0x5a7ada1000000000, 0xcc4add6700000000,\n 0x6fdfb9f900000000, 0xf9efbe8e00000000, 0x43beb71700000000,\n 0xd58eb06000000000, 0xe8a3d6d600000000, 0x7e93d1a100000000,\n 0xc4c2d83800000000, 0x52f2df4f00000000, 0xf167bbd100000000,\n 0x6757bca600000000, 0xdd06b53f00000000, 0x4b36b24800000000,\n 0xda2b0dd800000000, 0x4c1b0aaf00000000, 0xf64a033600000000,\n 0x607a044100000000, 0xc3ef60df00000000, 0x55df67a800000000,\n 0xef8e6e3100000000, 0x79be694600000000, 0x8cb361cb00000000,\n 0x1a8366bc00000000, 0xa0d26f2500000000, 0x36e2685200000000,\n 0x95770ccc00000000, 0x03470bbb00000000, 0xb916022200000000,\n 0x2f26055500000000, 0xbe3bbac500000000, 0x280bbdb200000000,\n 0x925ab42b00000000, 0x046ab35c00000000, 0xa7ffd7c200000000,\n 0x31cfd0b500000000, 0x8b9ed92c00000000, 0x1daede5b00000000,\n 0xb0c2649b00000000, 0x26f263ec00000000, 0x9ca36a7500000000,\n 0x0a936d0200000000, 0xa906099c00000000, 0x3f360eeb00000000,\n 0x8567077200000000, 0x1357000500000000, 0x824abf9500000000,\n 0x147ab8e200000000, 0xae2bb17b00000000, 0x381bb60c00000000,\n 0x9b8ed29200000000, 0x0dbed5e500000000, 0xb7efdc7c00000000,\n 0x21dfdb0b00000000, 0xd4d2d38600000000, 0x42e2d4f100000000,\n 0xf8b3dd6800000000, 0x6e83da1f00000000, 0xcd16be8100000000,\n 0x5b26b9f600000000, 0xe177b06f00000000, 0x7747b71800000000,\n 0xe65a088800000000, 0x706a0fff00000000, 0xca3b066600000000,\n 0x5c0b011100000000, 0xff9e658f00000000, 0x69ae62f800000000,\n 0xd3ff6b6100000000, 0x45cf6c1600000000, 0x78e20aa000000000,\n 0xeed20dd700000000, 0x5483044e00000000, 0xc2b3033900000000,\n 0x612667a700000000, 0xf71660d000000000, 0x4d47694900000000,\n 0xdb776e3e00000000, 0x4a6ad1ae00000000, 0xdc5ad6d900000000,\n 0x660bdf4000000000, 0xf03bd83700000000, 0x53aebca900000000,\n 0xc59ebbde00000000, 0x7fcfb24700000000, 0xe9ffb53000000000,\n 0x1cf2bdbd00000000, 0x8ac2baca00000000, 0x3093b35300000000,\n 0xa6a3b42400000000, 0x0536d0ba00000000, 0x9306d7cd00000000,\n 0x2957de5400000000, 0xbf67d92300000000, 0x2e7a66b300000000,\n 0xb84a61c400000000, 0x021b685d00000000, 0x942b6f2a00000000,\n 0x37be0bb400000000, 0xa18e0cc300000000, 0x1bdf055a00000000,\n 0x8def022d00000000},\n {0x0000000000000000, 0x41311b1900000000, 0x8262363200000000,\n 0xc3532d2b00000000, 0x04c56c6400000000, 0x45f4777d00000000,\n 0x86a75a5600000000, 0xc796414f00000000, 0x088ad9c800000000,\n 0x49bbc2d100000000, 0x8ae8effa00000000, 0xcbd9f4e300000000,\n 0x0c4fb5ac00000000, 0x4d7eaeb500000000, 0x8e2d839e00000000,\n 0xcf1c988700000000, 0x5112c24a00000000, 0x1023d95300000000,\n 0xd370f47800000000, 0x9241ef6100000000, 0x55d7ae2e00000000,\n 0x14e6b53700000000, 0xd7b5981c00000000, 0x9684830500000000,\n 0x59981b8200000000, 0x18a9009b00000000, 0xdbfa2db000000000,\n 0x9acb36a900000000, 0x5d5d77e600000000, 0x1c6c6cff00000000,\n 0xdf3f41d400000000, 0x9e0e5acd00000000, 0xa224849500000000,\n 0xe3159f8c00000000, 0x2046b2a700000000, 0x6177a9be00000000,\n 0xa6e1e8f100000000, 0xe7d0f3e800000000, 0x2483dec300000000,\n 0x65b2c5da00000000, 0xaaae5d5d00000000, 0xeb9f464400000000,\n 0x28cc6b6f00000000, 0x69fd707600000000, 0xae6b313900000000,\n 0xef5a2a2000000000, 0x2c09070b00000000, 0x6d381c1200000000,\n 0xf33646df00000000, 0xb2075dc600000000, 0x715470ed00000000,\n 0x30656bf400000000, 0xf7f32abb00000000, 0xb6c231a200000000,\n 0x75911c8900000000, 0x34a0079000000000, 0xfbbc9f1700000000,\n 0xba8d840e00000000, 0x79dea92500000000, 0x38efb23c00000000,\n 0xff79f37300000000, 0xbe48e86a00000000, 0x7d1bc54100000000,\n 0x3c2ade5800000000, 0x054f79f000000000, 0x447e62e900000000,\n 0x872d4fc200000000, 0xc61c54db00000000, 0x018a159400000000,\n 0x40bb0e8d00000000, 0x83e823a600000000, 0xc2d938bf00000000,\n 0x0dc5a03800000000, 0x4cf4bb2100000000, 0x8fa7960a00000000,\n 0xce968d1300000000, 0x0900cc5c00000000, 0x4831d74500000000,\n 0x8b62fa6e00000000, 0xca53e17700000000, 0x545dbbba00000000,\n 0x156ca0a300000000, 0xd63f8d8800000000, 0x970e969100000000,\n 0x5098d7de00000000, 0x11a9ccc700000000, 0xd2fae1ec00000000,\n 0x93cbfaf500000000, 0x5cd7627200000000, 0x1de6796b00000000,\n 0xdeb5544000000000, 0x9f844f5900000000, 0x58120e1600000000,\n 0x1923150f00000000, 0xda70382400000000, 0x9b41233d00000000,\n 0xa76bfd6500000000, 0xe65ae67c00000000, 0x2509cb5700000000,\n 0x6438d04e00000000, 0xa3ae910100000000, 0xe29f8a1800000000,\n 0x21cca73300000000, 0x60fdbc2a00000000, 0xafe124ad00000000,\n 0xeed03fb400000000, 0x2d83129f00000000, 0x6cb2098600000000,\n 0xab2448c900000000, 0xea1553d000000000, 0x29467efb00000000,\n 0x687765e200000000, 0xf6793f2f00000000, 0xb748243600000000,\n 0x741b091d00000000, 0x352a120400000000, 0xf2bc534b00000000,\n 0xb38d485200000000, 0x70de657900000000, 0x31ef7e6000000000,\n 0xfef3e6e700000000, 0xbfc2fdfe00000000, 0x7c91d0d500000000,\n 0x3da0cbcc00000000, 0xfa368a8300000000, 0xbb07919a00000000,\n 0x7854bcb100000000, 0x3965a7a800000000, 0x4b98833b00000000,\n 0x0aa9982200000000, 0xc9fab50900000000, 0x88cbae1000000000,\n 0x4f5def5f00000000, 0x0e6cf44600000000, 0xcd3fd96d00000000,\n 0x8c0ec27400000000, 0x43125af300000000, 0x022341ea00000000,\n 0xc1706cc100000000, 0x804177d800000000, 0x47d7369700000000,\n 0x06e62d8e00000000, 0xc5b500a500000000, 0x84841bbc00000000,\n 0x1a8a417100000000, 0x5bbb5a6800000000, 0x98e8774300000000,\n 0xd9d96c5a00000000, 0x1e4f2d1500000000, 0x5f7e360c00000000,\n 0x9c2d1b2700000000, 0xdd1c003e00000000, 0x120098b900000000,\n 0x533183a000000000, 0x9062ae8b00000000, 0xd153b59200000000,\n 0x16c5f4dd00000000, 0x57f4efc400000000, 0x94a7c2ef00000000,\n 0xd596d9f600000000, 0xe9bc07ae00000000, 0xa88d1cb700000000,\n 0x6bde319c00000000, 0x2aef2a8500000000, 0xed796bca00000000,\n 0xac4870d300000000, 0x6f1b5df800000000, 0x2e2a46e100000000,\n 0xe136de6600000000, 0xa007c57f00000000, 0x6354e85400000000,\n 0x2265f34d00000000, 0xe5f3b20200000000, 0xa4c2a91b00000000,\n 0x6791843000000000, 0x26a09f2900000000, 0xb8aec5e400000000,\n 0xf99fdefd00000000, 0x3accf3d600000000, 0x7bfde8cf00000000,\n 0xbc6ba98000000000, 0xfd5ab29900000000, 0x3e099fb200000000,\n 0x7f3884ab00000000, 0xb0241c2c00000000, 0xf115073500000000,\n 0x32462a1e00000000, 0x7377310700000000, 0xb4e1704800000000,\n 0xf5d06b5100000000, 0x3683467a00000000, 0x77b25d6300000000,\n 0x4ed7facb00000000, 0x0fe6e1d200000000, 0xccb5ccf900000000,\n 0x8d84d7e000000000, 0x4a1296af00000000, 0x0b238db600000000,\n 0xc870a09d00000000, 0x8941bb8400000000, 0x465d230300000000,\n 0x076c381a00000000, 0xc43f153100000000, 0x850e0e2800000000,\n 0x42984f6700000000, 0x03a9547e00000000, 0xc0fa795500000000,\n 0x81cb624c00000000, 0x1fc5388100000000, 0x5ef4239800000000,\n 0x9da70eb300000000, 0xdc9615aa00000000, 0x1b0054e500000000,\n 0x5a314ffc00000000, 0x996262d700000000, 0xd85379ce00000000,\n 0x174fe14900000000, 0x567efa5000000000, 0x952dd77b00000000,\n 0xd41ccc6200000000, 0x138a8d2d00000000, 0x52bb963400000000,\n 0x91e8bb1f00000000, 0xd0d9a00600000000, 0xecf37e5e00000000,\n 0xadc2654700000000, 0x6e91486c00000000, 0x2fa0537500000000,\n 0xe836123a00000000, 0xa907092300000000, 0x6a54240800000000,\n 0x2b653f1100000000, 0xe479a79600000000, 0xa548bc8f00000000,\n 0x661b91a400000000, 0x272a8abd00000000, 0xe0bccbf200000000,\n 0xa18dd0eb00000000, 0x62defdc000000000, 0x23efe6d900000000,\n 0xbde1bc1400000000, 0xfcd0a70d00000000, 0x3f838a2600000000,\n 0x7eb2913f00000000, 0xb924d07000000000, 0xf815cb6900000000,\n 0x3b46e64200000000, 0x7a77fd5b00000000, 0xb56b65dc00000000,\n 0xf45a7ec500000000, 0x370953ee00000000, 0x763848f700000000,\n 0xb1ae09b800000000, 0xf09f12a100000000, 0x33cc3f8a00000000,\n 0x72fd249300000000},\n {0x0000000000000000, 0x376ac20100000000, 0x6ed4840300000000,\n 0x59be460200000000, 0xdca8090700000000, 0xebc2cb0600000000,\n 0xb27c8d0400000000, 0x85164f0500000000, 0xb851130e00000000,\n 0x8f3bd10f00000000, 0xd685970d00000000, 0xe1ef550c00000000,\n 0x64f91a0900000000, 0x5393d80800000000, 0x0a2d9e0a00000000,\n 0x3d475c0b00000000, 0x70a3261c00000000, 0x47c9e41d00000000,\n 0x1e77a21f00000000, 0x291d601e00000000, 0xac0b2f1b00000000,\n 0x9b61ed1a00000000, 0xc2dfab1800000000, 0xf5b5691900000000,\n 0xc8f2351200000000, 0xff98f71300000000, 0xa626b11100000000,\n 0x914c731000000000, 0x145a3c1500000000, 0x2330fe1400000000,\n 0x7a8eb81600000000, 0x4de47a1700000000, 0xe0464d3800000000,\n 0xd72c8f3900000000, 0x8e92c93b00000000, 0xb9f80b3a00000000,\n 0x3cee443f00000000, 0x0b84863e00000000, 0x523ac03c00000000,\n 0x6550023d00000000, 0x58175e3600000000, 0x6f7d9c3700000000,\n 0x36c3da3500000000, 0x01a9183400000000, 0x84bf573100000000,\n 0xb3d5953000000000, 0xea6bd33200000000, 0xdd01113300000000,\n 0x90e56b2400000000, 0xa78fa92500000000, 0xfe31ef2700000000,\n 0xc95b2d2600000000, 0x4c4d622300000000, 0x7b27a02200000000,\n 0x2299e62000000000, 0x15f3242100000000, 0x28b4782a00000000,\n 0x1fdeba2b00000000, 0x4660fc2900000000, 0x710a3e2800000000,\n 0xf41c712d00000000, 0xc376b32c00000000, 0x9ac8f52e00000000,\n 0xada2372f00000000, 0xc08d9a7000000000, 0xf7e7587100000000,\n 0xae591e7300000000, 0x9933dc7200000000, 0x1c25937700000000,\n 0x2b4f517600000000, 0x72f1177400000000, 0x459bd57500000000,\n 0x78dc897e00000000, 0x4fb64b7f00000000, 0x16080d7d00000000,\n 0x2162cf7c00000000, 0xa474807900000000, 0x931e427800000000,\n 0xcaa0047a00000000, 0xfdcac67b00000000, 0xb02ebc6c00000000,\n 0x87447e6d00000000, 0xdefa386f00000000, 0xe990fa6e00000000,\n 0x6c86b56b00000000, 0x5bec776a00000000, 0x0252316800000000,\n 0x3538f36900000000, 0x087faf6200000000, 0x3f156d6300000000,\n 0x66ab2b6100000000, 0x51c1e96000000000, 0xd4d7a66500000000,\n 0xe3bd646400000000, 0xba03226600000000, 0x8d69e06700000000,\n 0x20cbd74800000000, 0x17a1154900000000, 0x4e1f534b00000000,\n 0x7975914a00000000, 0xfc63de4f00000000, 0xcb091c4e00000000,\n 0x92b75a4c00000000, 0xa5dd984d00000000, 0x989ac44600000000,\n 0xaff0064700000000, 0xf64e404500000000, 0xc124824400000000,\n 0x4432cd4100000000, 0x73580f4000000000, 0x2ae6494200000000,\n 0x1d8c8b4300000000, 0x5068f15400000000, 0x6702335500000000,\n 0x3ebc755700000000, 0x09d6b75600000000, 0x8cc0f85300000000,\n 0xbbaa3a5200000000, 0xe2147c5000000000, 0xd57ebe5100000000,\n 0xe839e25a00000000, 0xdf53205b00000000, 0x86ed665900000000,\n 0xb187a45800000000, 0x3491eb5d00000000, 0x03fb295c00000000,\n 0x5a456f5e00000000, 0x6d2fad5f00000000, 0x801b35e100000000,\n 0xb771f7e000000000, 0xeecfb1e200000000, 0xd9a573e300000000,\n 0x5cb33ce600000000, 0x6bd9fee700000000, 0x3267b8e500000000,\n 0x050d7ae400000000, 0x384a26ef00000000, 0x0f20e4ee00000000,\n 0x569ea2ec00000000, 0x61f460ed00000000, 0xe4e22fe800000000,\n 0xd388ede900000000, 0x8a36abeb00000000, 0xbd5c69ea00000000,\n 0xf0b813fd00000000, 0xc7d2d1fc00000000, 0x9e6c97fe00000000,\n 0xa90655ff00000000, 0x2c101afa00000000, 0x1b7ad8fb00000000,\n 0x42c49ef900000000, 0x75ae5cf800000000, 0x48e900f300000000,\n 0x7f83c2f200000000, 0x263d84f000000000, 0x115746f100000000,\n 0x944109f400000000, 0xa32bcbf500000000, 0xfa958df700000000,\n 0xcdff4ff600000000, 0x605d78d900000000, 0x5737bad800000000,\n 0x0e89fcda00000000, 0x39e33edb00000000, 0xbcf571de00000000,\n 0x8b9fb3df00000000, 0xd221f5dd00000000, 0xe54b37dc00000000,\n 0xd80c6bd700000000, 0xef66a9d600000000, 0xb6d8efd400000000,\n 0x81b22dd500000000, 0x04a462d000000000, 0x33cea0d100000000,\n 0x6a70e6d300000000, 0x5d1a24d200000000, 0x10fe5ec500000000,\n 0x27949cc400000000, 0x7e2adac600000000, 0x494018c700000000,\n 0xcc5657c200000000, 0xfb3c95c300000000, 0xa282d3c100000000,\n 0x95e811c000000000, 0xa8af4dcb00000000, 0x9fc58fca00000000,\n 0xc67bc9c800000000, 0xf1110bc900000000, 0x740744cc00000000,\n 0x436d86cd00000000, 0x1ad3c0cf00000000, 0x2db902ce00000000,\n 0x4096af9100000000, 0x77fc6d9000000000, 0x2e422b9200000000,\n 0x1928e99300000000, 0x9c3ea69600000000, 0xab54649700000000,\n 0xf2ea229500000000, 0xc580e09400000000, 0xf8c7bc9f00000000,\n 0xcfad7e9e00000000, 0x9613389c00000000, 0xa179fa9d00000000,\n 0x246fb59800000000, 0x1305779900000000, 0x4abb319b00000000,\n 0x7dd1f39a00000000, 0x3035898d00000000, 0x075f4b8c00000000,\n 0x5ee10d8e00000000, 0x698bcf8f00000000, 0xec9d808a00000000,\n 0xdbf7428b00000000, 0x8249048900000000, 0xb523c68800000000,\n 0x88649a8300000000, 0xbf0e588200000000, 0xe6b01e8000000000,\n 0xd1dadc8100000000, 0x54cc938400000000, 0x63a6518500000000,\n 0x3a18178700000000, 0x0d72d58600000000, 0xa0d0e2a900000000,\n 0x97ba20a800000000, 0xce0466aa00000000, 0xf96ea4ab00000000,\n 0x7c78ebae00000000, 0x4b1229af00000000, 0x12ac6fad00000000,\n 0x25c6adac00000000, 0x1881f1a700000000, 0x2feb33a600000000,\n 0x765575a400000000, 0x413fb7a500000000, 0xc429f8a000000000,\n 0xf3433aa100000000, 0xaafd7ca300000000, 0x9d97bea200000000,\n 0xd073c4b500000000, 0xe71906b400000000, 0xbea740b600000000,\n 0x89cd82b700000000, 0x0cdbcdb200000000, 0x3bb10fb300000000,\n 0x620f49b100000000, 0x55658bb000000000, 0x6822d7bb00000000,\n 0x5f4815ba00000000, 0x06f653b800000000, 0x319c91b900000000,\n 0xb48adebc00000000, 0x83e01cbd00000000, 0xda5e5abf00000000,\n 0xed3498be00000000},\n {0x0000000000000000, 0x6567bcb800000000, 0x8bc809aa00000000,\n 0xeeafb51200000000, 0x5797628f00000000, 0x32f0de3700000000,\n 0xdc5f6b2500000000, 0xb938d79d00000000, 0xef28b4c500000000,\n 0x8a4f087d00000000, 0x64e0bd6f00000000, 0x018701d700000000,\n 0xb8bfd64a00000000, 0xddd86af200000000, 0x3377dfe000000000,\n 0x5610635800000000, 0x9f57195000000000, 0xfa30a5e800000000,\n 0x149f10fa00000000, 0x71f8ac4200000000, 0xc8c07bdf00000000,\n 0xada7c76700000000, 0x4308727500000000, 0x266fcecd00000000,\n 0x707fad9500000000, 0x1518112d00000000, 0xfbb7a43f00000000,\n 0x9ed0188700000000, 0x27e8cf1a00000000, 0x428f73a200000000,\n 0xac20c6b000000000, 0xc9477a0800000000, 0x3eaf32a000000000,\n 0x5bc88e1800000000, 0xb5673b0a00000000, 0xd00087b200000000,\n 0x6938502f00000000, 0x0c5fec9700000000, 0xe2f0598500000000,\n 0x8797e53d00000000, 0xd187866500000000, 0xb4e03add00000000,\n 0x5a4f8fcf00000000, 0x3f28337700000000, 0x8610e4ea00000000,\n 0xe377585200000000, 0x0dd8ed4000000000, 0x68bf51f800000000,\n 0xa1f82bf000000000, 0xc49f974800000000, 0x2a30225a00000000,\n 0x4f579ee200000000, 0xf66f497f00000000, 0x9308f5c700000000,\n 0x7da740d500000000, 0x18c0fc6d00000000, 0x4ed09f3500000000,\n 0x2bb7238d00000000, 0xc518969f00000000, 0xa07f2a2700000000,\n 0x1947fdba00000000, 0x7c20410200000000, 0x928ff41000000000,\n 0xf7e848a800000000, 0x3d58149b00000000, 0x583fa82300000000,\n 0xb6901d3100000000, 0xd3f7a18900000000, 0x6acf761400000000,\n 0x0fa8caac00000000, 0xe1077fbe00000000, 0x8460c30600000000,\n 0xd270a05e00000000, 0xb7171ce600000000, 0x59b8a9f400000000,\n 0x3cdf154c00000000, 0x85e7c2d100000000, 0xe0807e6900000000,\n 0x0e2fcb7b00000000, 0x6b4877c300000000, 0xa20f0dcb00000000,\n 0xc768b17300000000, 0x29c7046100000000, 0x4ca0b8d900000000,\n 0xf5986f4400000000, 0x90ffd3fc00000000, 0x7e5066ee00000000,\n 0x1b37da5600000000, 0x4d27b90e00000000, 0x284005b600000000,\n 0xc6efb0a400000000, 0xa3880c1c00000000, 0x1ab0db8100000000,\n 0x7fd7673900000000, 0x9178d22b00000000, 0xf41f6e9300000000,\n 0x03f7263b00000000, 0x66909a8300000000, 0x883f2f9100000000,\n 0xed58932900000000, 0x546044b400000000, 0x3107f80c00000000,\n 0xdfa84d1e00000000, 0xbacff1a600000000, 0xecdf92fe00000000,\n 0x89b82e4600000000, 0x67179b5400000000, 0x027027ec00000000,\n 0xbb48f07100000000, 0xde2f4cc900000000, 0x3080f9db00000000,\n 0x55e7456300000000, 0x9ca03f6b00000000, 0xf9c783d300000000,\n 0x176836c100000000, 0x720f8a7900000000, 0xcb375de400000000,\n 0xae50e15c00000000, 0x40ff544e00000000, 0x2598e8f600000000,\n 0x73888bae00000000, 0x16ef371600000000, 0xf840820400000000,\n 0x9d273ebc00000000, 0x241fe92100000000, 0x4178559900000000,\n 0xafd7e08b00000000, 0xcab05c3300000000, 0x3bb659ed00000000,\n 0x5ed1e55500000000, 0xb07e504700000000, 0xd519ecff00000000,\n 0x6c213b6200000000, 0x094687da00000000, 0xe7e932c800000000,\n 0x828e8e7000000000, 0xd49eed2800000000, 0xb1f9519000000000,\n 0x5f56e48200000000, 0x3a31583a00000000, 0x83098fa700000000,\n 0xe66e331f00000000, 0x08c1860d00000000, 0x6da63ab500000000,\n 0xa4e140bd00000000, 0xc186fc0500000000, 0x2f29491700000000,\n 0x4a4ef5af00000000, 0xf376223200000000, 0x96119e8a00000000,\n 0x78be2b9800000000, 0x1dd9972000000000, 0x4bc9f47800000000,\n 0x2eae48c000000000, 0xc001fdd200000000, 0xa566416a00000000,\n 0x1c5e96f700000000, 0x79392a4f00000000, 0x97969f5d00000000,\n 0xf2f123e500000000, 0x05196b4d00000000, 0x607ed7f500000000,\n 0x8ed162e700000000, 0xebb6de5f00000000, 0x528e09c200000000,\n 0x37e9b57a00000000, 0xd946006800000000, 0xbc21bcd000000000,\n 0xea31df8800000000, 0x8f56633000000000, 0x61f9d62200000000,\n 0x049e6a9a00000000, 0xbda6bd0700000000, 0xd8c101bf00000000,\n 0x366eb4ad00000000, 0x5309081500000000, 0x9a4e721d00000000,\n 0xff29cea500000000, 0x11867bb700000000, 0x74e1c70f00000000,\n 0xcdd9109200000000, 0xa8beac2a00000000, 0x4611193800000000,\n 0x2376a58000000000, 0x7566c6d800000000, 0x10017a6000000000,\n 0xfeaecf7200000000, 0x9bc973ca00000000, 0x22f1a45700000000,\n 0x479618ef00000000, 0xa939adfd00000000, 0xcc5e114500000000,\n 0x06ee4d7600000000, 0x6389f1ce00000000, 0x8d2644dc00000000,\n 0xe841f86400000000, 0x51792ff900000000, 0x341e934100000000,\n 0xdab1265300000000, 0xbfd69aeb00000000, 0xe9c6f9b300000000,\n 0x8ca1450b00000000, 0x620ef01900000000, 0x07694ca100000000,\n 0xbe519b3c00000000, 0xdb36278400000000, 0x3599929600000000,\n 0x50fe2e2e00000000, 0x99b9542600000000, 0xfcdee89e00000000,\n 0x12715d8c00000000, 0x7716e13400000000, 0xce2e36a900000000,\n 0xab498a1100000000, 0x45e63f0300000000, 0x208183bb00000000,\n 0x7691e0e300000000, 0x13f65c5b00000000, 0xfd59e94900000000,\n 0x983e55f100000000, 0x2106826c00000000, 0x44613ed400000000,\n 0xaace8bc600000000, 0xcfa9377e00000000, 0x38417fd600000000,\n 0x5d26c36e00000000, 0xb389767c00000000, 0xd6eecac400000000,\n 0x6fd61d5900000000, 0x0ab1a1e100000000, 0xe41e14f300000000,\n 0x8179a84b00000000, 0xd769cb1300000000, 0xb20e77ab00000000,\n 0x5ca1c2b900000000, 0x39c67e0100000000, 0x80fea99c00000000,\n 0xe599152400000000, 0x0b36a03600000000, 0x6e511c8e00000000,\n 0xa716668600000000, 0xc271da3e00000000, 0x2cde6f2c00000000,\n 0x49b9d39400000000, 0xf081040900000000, 0x95e6b8b100000000,\n 0x7b490da300000000, 0x1e2eb11b00000000, 0x483ed24300000000,\n 0x2d596efb00000000, 0xc3f6dbe900000000, 0xa691675100000000,\n 0x1fa9b0cc00000000, 0x7ace0c7400000000, 0x9461b96600000000,\n 0xf10605de00000000},\n {0x0000000000000000, 0xb029603d00000000, 0x6053c07a00000000,\n 0xd07aa04700000000, 0xc0a680f500000000, 0x708fe0c800000000,\n 0xa0f5408f00000000, 0x10dc20b200000000, 0xc14b703000000000,\n 0x7162100d00000000, 0xa118b04a00000000, 0x1131d07700000000,\n 0x01edf0c500000000, 0xb1c490f800000000, 0x61be30bf00000000,\n 0xd197508200000000, 0x8297e06000000000, 0x32be805d00000000,\n 0xe2c4201a00000000, 0x52ed402700000000, 0x4231609500000000,\n 0xf21800a800000000, 0x2262a0ef00000000, 0x924bc0d200000000,\n 0x43dc905000000000, 0xf3f5f06d00000000, 0x238f502a00000000,\n 0x93a6301700000000, 0x837a10a500000000, 0x3353709800000000,\n 0xe329d0df00000000, 0x5300b0e200000000, 0x042fc1c100000000,\n 0xb406a1fc00000000, 0x647c01bb00000000, 0xd455618600000000,\n 0xc489413400000000, 0x74a0210900000000, 0xa4da814e00000000,\n 0x14f3e17300000000, 0xc564b1f100000000, 0x754dd1cc00000000,\n 0xa537718b00000000, 0x151e11b600000000, 0x05c2310400000000,\n 0xb5eb513900000000, 0x6591f17e00000000, 0xd5b8914300000000,\n 0x86b821a100000000, 0x3691419c00000000, 0xe6ebe1db00000000,\n 0x56c281e600000000, 0x461ea15400000000, 0xf637c16900000000,\n 0x264d612e00000000, 0x9664011300000000, 0x47f3519100000000,\n 0xf7da31ac00000000, 0x27a091eb00000000, 0x9789f1d600000000,\n 0x8755d16400000000, 0x377cb15900000000, 0xe706111e00000000,\n 0x572f712300000000, 0x4958f35800000000, 0xf971936500000000,\n 0x290b332200000000, 0x9922531f00000000, 0x89fe73ad00000000,\n 0x39d7139000000000, 0xe9adb3d700000000, 0x5984d3ea00000000,\n 0x8813836800000000, 0x383ae35500000000, 0xe840431200000000,\n 0x5869232f00000000, 0x48b5039d00000000, 0xf89c63a000000000,\n 0x28e6c3e700000000, 0x98cfa3da00000000, 0xcbcf133800000000,\n 0x7be6730500000000, 0xab9cd34200000000, 0x1bb5b37f00000000,\n 0x0b6993cd00000000, 0xbb40f3f000000000, 0x6b3a53b700000000,\n 0xdb13338a00000000, 0x0a84630800000000, 0xbaad033500000000,\n 0x6ad7a37200000000, 0xdafec34f00000000, 0xca22e3fd00000000,\n 0x7a0b83c000000000, 0xaa71238700000000, 0x1a5843ba00000000,\n 0x4d77329900000000, 0xfd5e52a400000000, 0x2d24f2e300000000,\n 0x9d0d92de00000000, 0x8dd1b26c00000000, 0x3df8d25100000000,\n 0xed82721600000000, 0x5dab122b00000000, 0x8c3c42a900000000,\n 0x3c15229400000000, 0xec6f82d300000000, 0x5c46e2ee00000000,\n 0x4c9ac25c00000000, 0xfcb3a26100000000, 0x2cc9022600000000,\n 0x9ce0621b00000000, 0xcfe0d2f900000000, 0x7fc9b2c400000000,\n 0xafb3128300000000, 0x1f9a72be00000000, 0x0f46520c00000000,\n 0xbf6f323100000000, 0x6f15927600000000, 0xdf3cf24b00000000,\n 0x0eaba2c900000000, 0xbe82c2f400000000, 0x6ef862b300000000,\n 0xded1028e00000000, 0xce0d223c00000000, 0x7e24420100000000,\n 0xae5ee24600000000, 0x1e77827b00000000, 0x92b0e6b100000000,\n 0x2299868c00000000, 0xf2e326cb00000000, 0x42ca46f600000000,\n 0x5216664400000000, 0xe23f067900000000, 0x3245a63e00000000,\n 0x826cc60300000000, 0x53fb968100000000, 0xe3d2f6bc00000000,\n 0x33a856fb00000000, 0x838136c600000000, 0x935d167400000000,\n 0x2374764900000000, 0xf30ed60e00000000, 0x4327b63300000000,\n 0x102706d100000000, 0xa00e66ec00000000, 0x7074c6ab00000000,\n 0xc05da69600000000, 0xd081862400000000, 0x60a8e61900000000,\n 0xb0d2465e00000000, 0x00fb266300000000, 0xd16c76e100000000,\n 0x614516dc00000000, 0xb13fb69b00000000, 0x0116d6a600000000,\n 0x11caf61400000000, 0xa1e3962900000000, 0x7199366e00000000,\n 0xc1b0565300000000, 0x969f277000000000, 0x26b6474d00000000,\n 0xf6cce70a00000000, 0x46e5873700000000, 0x5639a78500000000,\n 0xe610c7b800000000, 0x366a67ff00000000, 0x864307c200000000,\n 0x57d4574000000000, 0xe7fd377d00000000, 0x3787973a00000000,\n 0x87aef70700000000, 0x9772d7b500000000, 0x275bb78800000000,\n 0xf72117cf00000000, 0x470877f200000000, 0x1408c71000000000,\n 0xa421a72d00000000, 0x745b076a00000000, 0xc472675700000000,\n 0xd4ae47e500000000, 0x648727d800000000, 0xb4fd879f00000000,\n 0x04d4e7a200000000, 0xd543b72000000000, 0x656ad71d00000000,\n 0xb510775a00000000, 0x0539176700000000, 0x15e537d500000000,\n 0xa5cc57e800000000, 0x75b6f7af00000000, 0xc59f979200000000,\n 0xdbe815e900000000, 0x6bc175d400000000, 0xbbbbd59300000000,\n 0x0b92b5ae00000000, 0x1b4e951c00000000, 0xab67f52100000000,\n 0x7b1d556600000000, 0xcb34355b00000000, 0x1aa365d900000000,\n 0xaa8a05e400000000, 0x7af0a5a300000000, 0xcad9c59e00000000,\n 0xda05e52c00000000, 0x6a2c851100000000, 0xba56255600000000,\n 0x0a7f456b00000000, 0x597ff58900000000, 0xe95695b400000000,\n 0x392c35f300000000, 0x890555ce00000000, 0x99d9757c00000000,\n 0x29f0154100000000, 0xf98ab50600000000, 0x49a3d53b00000000,\n 0x983485b900000000, 0x281de58400000000, 0xf86745c300000000,\n 0x484e25fe00000000, 0x5892054c00000000, 0xe8bb657100000000,\n 0x38c1c53600000000, 0x88e8a50b00000000, 0xdfc7d42800000000,\n 0x6feeb41500000000, 0xbf94145200000000, 0x0fbd746f00000000,\n 0x1f6154dd00000000, 0xaf4834e000000000, 0x7f3294a700000000,\n 0xcf1bf49a00000000, 0x1e8ca41800000000, 0xaea5c42500000000,\n 0x7edf646200000000, 0xcef6045f00000000, 0xde2a24ed00000000,\n 0x6e0344d000000000, 0xbe79e49700000000, 0x0e5084aa00000000,\n 0x5d50344800000000, 0xed79547500000000, 0x3d03f43200000000,\n 0x8d2a940f00000000, 0x9df6b4bd00000000, 0x2ddfd48000000000,\n 0xfda574c700000000, 0x4d8c14fa00000000, 0x9c1b447800000000,\n 0x2c32244500000000, 0xfc48840200000000, 0x4c61e43f00000000,\n 0x5cbdc48d00000000, 0xec94a4b000000000, 0x3cee04f700000000,\n 0x8cc764ca00000000},\n {0x0000000000000000, 0xa5d35ccb00000000, 0x0ba1c84d00000000,\n 0xae72948600000000, 0x1642919b00000000, 0xb391cd5000000000,\n 0x1de359d600000000, 0xb830051d00000000, 0x6d8253ec00000000,\n 0xc8510f2700000000, 0x66239ba100000000, 0xc3f0c76a00000000,\n 0x7bc0c27700000000, 0xde139ebc00000000, 0x70610a3a00000000,\n 0xd5b256f100000000, 0x9b02d60300000000, 0x3ed18ac800000000,\n 0x90a31e4e00000000, 0x3570428500000000, 0x8d40479800000000,\n 0x28931b5300000000, 0x86e18fd500000000, 0x2332d31e00000000,\n 0xf68085ef00000000, 0x5353d92400000000, 0xfd214da200000000,\n 0x58f2116900000000, 0xe0c2147400000000, 0x451148bf00000000,\n 0xeb63dc3900000000, 0x4eb080f200000000, 0x3605ac0700000000,\n 0x93d6f0cc00000000, 0x3da4644a00000000, 0x9877388100000000,\n 0x20473d9c00000000, 0x8594615700000000, 0x2be6f5d100000000,\n 0x8e35a91a00000000, 0x5b87ffeb00000000, 0xfe54a32000000000,\n 0x502637a600000000, 0xf5f56b6d00000000, 0x4dc56e7000000000,\n 0xe81632bb00000000, 0x4664a63d00000000, 0xe3b7faf600000000,\n 0xad077a0400000000, 0x08d426cf00000000, 0xa6a6b24900000000,\n 0x0375ee8200000000, 0xbb45eb9f00000000, 0x1e96b75400000000,\n 0xb0e423d200000000, 0x15377f1900000000, 0xc08529e800000000,\n 0x6556752300000000, 0xcb24e1a500000000, 0x6ef7bd6e00000000,\n 0xd6c7b87300000000, 0x7314e4b800000000, 0xdd66703e00000000,\n 0x78b52cf500000000, 0x6c0a580f00000000, 0xc9d904c400000000,\n 0x67ab904200000000, 0xc278cc8900000000, 0x7a48c99400000000,\n 0xdf9b955f00000000, 0x71e901d900000000, 0xd43a5d1200000000,\n 0x01880be300000000, 0xa45b572800000000, 0x0a29c3ae00000000,\n 0xaffa9f6500000000, 0x17ca9a7800000000, 0xb219c6b300000000,\n 0x1c6b523500000000, 0xb9b80efe00000000, 0xf7088e0c00000000,\n 0x52dbd2c700000000, 0xfca9464100000000, 0x597a1a8a00000000,\n 0xe14a1f9700000000, 0x4499435c00000000, 0xeaebd7da00000000,\n 0x4f388b1100000000, 0x9a8adde000000000, 0x3f59812b00000000,\n 0x912b15ad00000000, 0x34f8496600000000, 0x8cc84c7b00000000,\n 0x291b10b000000000, 0x8769843600000000, 0x22bad8fd00000000,\n 0x5a0ff40800000000, 0xffdca8c300000000, 0x51ae3c4500000000,\n 0xf47d608e00000000, 0x4c4d659300000000, 0xe99e395800000000,\n 0x47ecadde00000000, 0xe23ff11500000000, 0x378da7e400000000,\n 0x925efb2f00000000, 0x3c2c6fa900000000, 0x99ff336200000000,\n 0x21cf367f00000000, 0x841c6ab400000000, 0x2a6efe3200000000,\n 0x8fbda2f900000000, 0xc10d220b00000000, 0x64de7ec000000000,\n 0xcaacea4600000000, 0x6f7fb68d00000000, 0xd74fb39000000000,\n 0x729cef5b00000000, 0xdcee7bdd00000000, 0x793d271600000000,\n 0xac8f71e700000000, 0x095c2d2c00000000, 0xa72eb9aa00000000,\n 0x02fde56100000000, 0xbacde07c00000000, 0x1f1ebcb700000000,\n 0xb16c283100000000, 0x14bf74fa00000000, 0xd814b01e00000000,\n 0x7dc7ecd500000000, 0xd3b5785300000000, 0x7666249800000000,\n 0xce56218500000000, 0x6b857d4e00000000, 0xc5f7e9c800000000,\n 0x6024b50300000000, 0xb596e3f200000000, 0x1045bf3900000000,\n 0xbe372bbf00000000, 0x1be4777400000000, 0xa3d4726900000000,\n 0x06072ea200000000, 0xa875ba2400000000, 0x0da6e6ef00000000,\n 0x4316661d00000000, 0xe6c53ad600000000, 0x48b7ae5000000000,\n 0xed64f29b00000000, 0x5554f78600000000, 0xf087ab4d00000000,\n 0x5ef53fcb00000000, 0xfb26630000000000, 0x2e9435f100000000,\n 0x8b47693a00000000, 0x2535fdbc00000000, 0x80e6a17700000000,\n 0x38d6a46a00000000, 0x9d05f8a100000000, 0x33776c2700000000,\n 0x96a430ec00000000, 0xee111c1900000000, 0x4bc240d200000000,\n 0xe5b0d45400000000, 0x4063889f00000000, 0xf8538d8200000000,\n 0x5d80d14900000000, 0xf3f245cf00000000, 0x5621190400000000,\n 0x83934ff500000000, 0x2640133e00000000, 0x883287b800000000,\n 0x2de1db7300000000, 0x95d1de6e00000000, 0x300282a500000000,\n 0x9e70162300000000, 0x3ba34ae800000000, 0x7513ca1a00000000,\n 0xd0c096d100000000, 0x7eb2025700000000, 0xdb615e9c00000000,\n 0x63515b8100000000, 0xc682074a00000000, 0x68f093cc00000000,\n 0xcd23cf0700000000, 0x189199f600000000, 0xbd42c53d00000000,\n 0x133051bb00000000, 0xb6e30d7000000000, 0x0ed3086d00000000,\n 0xab0054a600000000, 0x0572c02000000000, 0xa0a19ceb00000000,\n 0xb41ee81100000000, 0x11cdb4da00000000, 0xbfbf205c00000000,\n 0x1a6c7c9700000000, 0xa25c798a00000000, 0x078f254100000000,\n 0xa9fdb1c700000000, 0x0c2eed0c00000000, 0xd99cbbfd00000000,\n 0x7c4fe73600000000, 0xd23d73b000000000, 0x77ee2f7b00000000,\n 0xcfde2a6600000000, 0x6a0d76ad00000000, 0xc47fe22b00000000,\n 0x61acbee000000000, 0x2f1c3e1200000000, 0x8acf62d900000000,\n 0x24bdf65f00000000, 0x816eaa9400000000, 0x395eaf8900000000,\n 0x9c8df34200000000, 0x32ff67c400000000, 0x972c3b0f00000000,\n 0x429e6dfe00000000, 0xe74d313500000000, 0x493fa5b300000000,\n 0xececf97800000000, 0x54dcfc6500000000, 0xf10fa0ae00000000,\n 0x5f7d342800000000, 0xfaae68e300000000, 0x821b441600000000,\n 0x27c818dd00000000, 0x89ba8c5b00000000, 0x2c69d09000000000,\n 0x9459d58d00000000, 0x318a894600000000, 0x9ff81dc000000000,\n 0x3a2b410b00000000, 0xef9917fa00000000, 0x4a4a4b3100000000,\n 0xe438dfb700000000, 0x41eb837c00000000, 0xf9db866100000000,\n 0x5c08daaa00000000, 0xf27a4e2c00000000, 0x57a912e700000000,\n 0x1919921500000000, 0xbccacede00000000, 0x12b85a5800000000,\n 0xb76b069300000000, 0x0f5b038e00000000, 0xaa885f4500000000,\n 0x04facbc300000000, 0xa129970800000000, 0x749bc1f900000000,\n 0xd1489d3200000000, 0x7f3a09b400000000, 0xdae9557f00000000,\n 0x62d9506200000000, 0xc70a0ca900000000, 0x6978982f00000000,\n 0xccabc4e400000000},\n {0x0000000000000000, 0xb40b77a600000000, 0x29119f9700000000,\n 0x9d1ae83100000000, 0x13244ff400000000, 0xa72f385200000000,\n 0x3a35d06300000000, 0x8e3ea7c500000000, 0x674eef3300000000,\n 0xd345989500000000, 0x4e5f70a400000000, 0xfa54070200000000,\n 0x746aa0c700000000, 0xc061d76100000000, 0x5d7b3f5000000000,\n 0xe97048f600000000, 0xce9cde6700000000, 0x7a97a9c100000000,\n 0xe78d41f000000000, 0x5386365600000000, 0xddb8919300000000,\n 0x69b3e63500000000, 0xf4a90e0400000000, 0x40a279a200000000,\n 0xa9d2315400000000, 0x1dd946f200000000, 0x80c3aec300000000,\n 0x34c8d96500000000, 0xbaf67ea000000000, 0x0efd090600000000,\n 0x93e7e13700000000, 0x27ec969100000000, 0x9c39bdcf00000000,\n 0x2832ca6900000000, 0xb528225800000000, 0x012355fe00000000,\n 0x8f1df23b00000000, 0x3b16859d00000000, 0xa60c6dac00000000,\n 0x12071a0a00000000, 0xfb7752fc00000000, 0x4f7c255a00000000,\n 0xd266cd6b00000000, 0x666dbacd00000000, 0xe8531d0800000000,\n 0x5c586aae00000000, 0xc142829f00000000, 0x7549f53900000000,\n 0x52a563a800000000, 0xe6ae140e00000000, 0x7bb4fc3f00000000,\n 0xcfbf8b9900000000, 0x41812c5c00000000, 0xf58a5bfa00000000,\n 0x6890b3cb00000000, 0xdc9bc46d00000000, 0x35eb8c9b00000000,\n 0x81e0fb3d00000000, 0x1cfa130c00000000, 0xa8f164aa00000000,\n 0x26cfc36f00000000, 0x92c4b4c900000000, 0x0fde5cf800000000,\n 0xbbd52b5e00000000, 0x79750b4400000000, 0xcd7e7ce200000000,\n 0x506494d300000000, 0xe46fe37500000000, 0x6a5144b000000000,\n 0xde5a331600000000, 0x4340db2700000000, 0xf74bac8100000000,\n 0x1e3be47700000000, 0xaa3093d100000000, 0x372a7be000000000,\n 0x83210c4600000000, 0x0d1fab8300000000, 0xb914dc2500000000,\n 0x240e341400000000, 0x900543b200000000, 0xb7e9d52300000000,\n 0x03e2a28500000000, 0x9ef84ab400000000, 0x2af33d1200000000,\n 0xa4cd9ad700000000, 0x10c6ed7100000000, 0x8ddc054000000000,\n 0x39d772e600000000, 0xd0a73a1000000000, 0x64ac4db600000000,\n 0xf9b6a58700000000, 0x4dbdd22100000000, 0xc38375e400000000,\n 0x7788024200000000, 0xea92ea7300000000, 0x5e999dd500000000,\n 0xe54cb68b00000000, 0x5147c12d00000000, 0xcc5d291c00000000,\n 0x78565eba00000000, 0xf668f97f00000000, 0x42638ed900000000,\n 0xdf7966e800000000, 0x6b72114e00000000, 0x820259b800000000,\n 0x36092e1e00000000, 0xab13c62f00000000, 0x1f18b18900000000,\n 0x9126164c00000000, 0x252d61ea00000000, 0xb83789db00000000,\n 0x0c3cfe7d00000000, 0x2bd068ec00000000, 0x9fdb1f4a00000000,\n 0x02c1f77b00000000, 0xb6ca80dd00000000, 0x38f4271800000000,\n 0x8cff50be00000000, 0x11e5b88f00000000, 0xa5eecf2900000000,\n 0x4c9e87df00000000, 0xf895f07900000000, 0x658f184800000000,\n 0xd1846fee00000000, 0x5fbac82b00000000, 0xebb1bf8d00000000,\n 0x76ab57bc00000000, 0xc2a0201a00000000, 0xf2ea168800000000,\n 0x46e1612e00000000, 0xdbfb891f00000000, 0x6ff0feb900000000,\n 0xe1ce597c00000000, 0x55c52eda00000000, 0xc8dfc6eb00000000,\n 0x7cd4b14d00000000, 0x95a4f9bb00000000, 0x21af8e1d00000000,\n 0xbcb5662c00000000, 0x08be118a00000000, 0x8680b64f00000000,\n 0x328bc1e900000000, 0xaf9129d800000000, 0x1b9a5e7e00000000,\n 0x3c76c8ef00000000, 0x887dbf4900000000, 0x1567577800000000,\n 0xa16c20de00000000, 0x2f52871b00000000, 0x9b59f0bd00000000,\n 0x0643188c00000000, 0xb2486f2a00000000, 0x5b3827dc00000000,\n 0xef33507a00000000, 0x7229b84b00000000, 0xc622cfed00000000,\n 0x481c682800000000, 0xfc171f8e00000000, 0x610df7bf00000000,\n 0xd506801900000000, 0x6ed3ab4700000000, 0xdad8dce100000000,\n 0x47c234d000000000, 0xf3c9437600000000, 0x7df7e4b300000000,\n 0xc9fc931500000000, 0x54e67b2400000000, 0xe0ed0c8200000000,\n 0x099d447400000000, 0xbd9633d200000000, 0x208cdbe300000000,\n 0x9487ac4500000000, 0x1ab90b8000000000, 0xaeb27c2600000000,\n 0x33a8941700000000, 0x87a3e3b100000000, 0xa04f752000000000,\n 0x1444028600000000, 0x895eeab700000000, 0x3d559d1100000000,\n 0xb36b3ad400000000, 0x07604d7200000000, 0x9a7aa54300000000,\n 0x2e71d2e500000000, 0xc7019a1300000000, 0x730aedb500000000,\n 0xee10058400000000, 0x5a1b722200000000, 0xd425d5e700000000,\n 0x602ea24100000000, 0xfd344a7000000000, 0x493f3dd600000000,\n 0x8b9f1dcc00000000, 0x3f946a6a00000000, 0xa28e825b00000000,\n 0x1685f5fd00000000, 0x98bb523800000000, 0x2cb0259e00000000,\n 0xb1aacdaf00000000, 0x05a1ba0900000000, 0xecd1f2ff00000000,\n 0x58da855900000000, 0xc5c06d6800000000, 0x71cb1ace00000000,\n 0xfff5bd0b00000000, 0x4bfecaad00000000, 0xd6e4229c00000000,\n 0x62ef553a00000000, 0x4503c3ab00000000, 0xf108b40d00000000,\n 0x6c125c3c00000000, 0xd8192b9a00000000, 0x56278c5f00000000,\n 0xe22cfbf900000000, 0x7f3613c800000000, 0xcb3d646e00000000,\n 0x224d2c9800000000, 0x96465b3e00000000, 0x0b5cb30f00000000,\n 0xbf57c4a900000000, 0x3169636c00000000, 0x856214ca00000000,\n 0x1878fcfb00000000, 0xac738b5d00000000, 0x17a6a00300000000,\n 0xa3add7a500000000, 0x3eb73f9400000000, 0x8abc483200000000,\n 0x0482eff700000000, 0xb089985100000000, 0x2d93706000000000,\n 0x999807c600000000, 0x70e84f3000000000, 0xc4e3389600000000,\n 0x59f9d0a700000000, 0xedf2a70100000000, 0x63cc00c400000000,\n 0xd7c7776200000000, 0x4add9f5300000000, 0xfed6e8f500000000,\n 0xd93a7e6400000000, 0x6d3109c200000000, 0xf02be1f300000000,\n 0x4420965500000000, 0xca1e319000000000, 0x7e15463600000000,\n 0xe30fae0700000000, 0x5704d9a100000000, 0xbe74915700000000,\n 0x0a7fe6f100000000, 0x97650ec000000000, 0x236e796600000000,\n 0xad50dea300000000, 0x195ba90500000000, 0x8441413400000000,\n 0x304a369200000000},\n {0x0000000000000000, 0x9e00aacc00000000, 0x7d07254200000000,\n 0xe3078f8e00000000, 0xfa0e4a8400000000, 0x640ee04800000000,\n 0x87096fc600000000, 0x1909c50a00000000, 0xb51be5d300000000,\n 0x2b1b4f1f00000000, 0xc81cc09100000000, 0x561c6a5d00000000,\n 0x4f15af5700000000, 0xd115059b00000000, 0x32128a1500000000,\n 0xac1220d900000000, 0x2b31bb7c00000000, 0xb53111b000000000,\n 0x56369e3e00000000, 0xc83634f200000000, 0xd13ff1f800000000,\n 0x4f3f5b3400000000, 0xac38d4ba00000000, 0x32387e7600000000,\n 0x9e2a5eaf00000000, 0x002af46300000000, 0xe32d7bed00000000,\n 0x7d2dd12100000000, 0x6424142b00000000, 0xfa24bee700000000,\n 0x1923316900000000, 0x87239ba500000000, 0x566276f900000000,\n 0xc862dc3500000000, 0x2b6553bb00000000, 0xb565f97700000000,\n 0xac6c3c7d00000000, 0x326c96b100000000, 0xd16b193f00000000,\n 0x4f6bb3f300000000, 0xe379932a00000000, 0x7d7939e600000000,\n 0x9e7eb66800000000, 0x007e1ca400000000, 0x1977d9ae00000000,\n 0x8777736200000000, 0x6470fcec00000000, 0xfa70562000000000,\n 0x7d53cd8500000000, 0xe353674900000000, 0x0054e8c700000000,\n 0x9e54420b00000000, 0x875d870100000000, 0x195d2dcd00000000,\n 0xfa5aa24300000000, 0x645a088f00000000, 0xc848285600000000,\n 0x5648829a00000000, 0xb54f0d1400000000, 0x2b4fa7d800000000,\n 0x324662d200000000, 0xac46c81e00000000, 0x4f41479000000000,\n 0xd141ed5c00000000, 0xedc29d2900000000, 0x73c237e500000000,\n 0x90c5b86b00000000, 0x0ec512a700000000, 0x17ccd7ad00000000,\n 0x89cc7d6100000000, 0x6acbf2ef00000000, 0xf4cb582300000000,\n 0x58d978fa00000000, 0xc6d9d23600000000, 0x25de5db800000000,\n 0xbbdef77400000000, 0xa2d7327e00000000, 0x3cd798b200000000,\n 0xdfd0173c00000000, 0x41d0bdf000000000, 0xc6f3265500000000,\n 0x58f38c9900000000, 0xbbf4031700000000, 0x25f4a9db00000000,\n 0x3cfd6cd100000000, 0xa2fdc61d00000000, 0x41fa499300000000,\n 0xdffae35f00000000, 0x73e8c38600000000, 0xede8694a00000000,\n 0x0eefe6c400000000, 0x90ef4c0800000000, 0x89e6890200000000,\n 0x17e623ce00000000, 0xf4e1ac4000000000, 0x6ae1068c00000000,\n 0xbba0ebd000000000, 0x25a0411c00000000, 0xc6a7ce9200000000,\n 0x58a7645e00000000, 0x41aea15400000000, 0xdfae0b9800000000,\n 0x3ca9841600000000, 0xa2a92eda00000000, 0x0ebb0e0300000000,\n 0x90bba4cf00000000, 0x73bc2b4100000000, 0xedbc818d00000000,\n 0xf4b5448700000000, 0x6ab5ee4b00000000, 0x89b261c500000000,\n 0x17b2cb0900000000, 0x909150ac00000000, 0x0e91fa6000000000,\n 0xed9675ee00000000, 0x7396df2200000000, 0x6a9f1a2800000000,\n 0xf49fb0e400000000, 0x17983f6a00000000, 0x899895a600000000,\n 0x258ab57f00000000, 0xbb8a1fb300000000, 0x588d903d00000000,\n 0xc68d3af100000000, 0xdf84fffb00000000, 0x4184553700000000,\n 0xa283dab900000000, 0x3c83707500000000, 0xda853b5300000000,\n 0x4485919f00000000, 0xa7821e1100000000, 0x3982b4dd00000000,\n 0x208b71d700000000, 0xbe8bdb1b00000000, 0x5d8c549500000000,\n 0xc38cfe5900000000, 0x6f9ede8000000000, 0xf19e744c00000000,\n 0x1299fbc200000000, 0x8c99510e00000000, 0x9590940400000000,\n 0x0b903ec800000000, 0xe897b14600000000, 0x76971b8a00000000,\n 0xf1b4802f00000000, 0x6fb42ae300000000, 0x8cb3a56d00000000,\n 0x12b30fa100000000, 0x0bbacaab00000000, 0x95ba606700000000,\n 0x76bdefe900000000, 0xe8bd452500000000, 0x44af65fc00000000,\n 0xdaafcf3000000000, 0x39a840be00000000, 0xa7a8ea7200000000,\n 0xbea12f7800000000, 0x20a185b400000000, 0xc3a60a3a00000000,\n 0x5da6a0f600000000, 0x8ce74daa00000000, 0x12e7e76600000000,\n 0xf1e068e800000000, 0x6fe0c22400000000, 0x76e9072e00000000,\n 0xe8e9ade200000000, 0x0bee226c00000000, 0x95ee88a000000000,\n 0x39fca87900000000, 0xa7fc02b500000000, 0x44fb8d3b00000000,\n 0xdafb27f700000000, 0xc3f2e2fd00000000, 0x5df2483100000000,\n 0xbef5c7bf00000000, 0x20f56d7300000000, 0xa7d6f6d600000000,\n 0x39d65c1a00000000, 0xdad1d39400000000, 0x44d1795800000000,\n 0x5dd8bc5200000000, 0xc3d8169e00000000, 0x20df991000000000,\n 0xbedf33dc00000000, 0x12cd130500000000, 0x8ccdb9c900000000,\n 0x6fca364700000000, 0xf1ca9c8b00000000, 0xe8c3598100000000,\n 0x76c3f34d00000000, 0x95c47cc300000000, 0x0bc4d60f00000000,\n 0x3747a67a00000000, 0xa9470cb600000000, 0x4a40833800000000,\n 0xd44029f400000000, 0xcd49ecfe00000000, 0x5349463200000000,\n 0xb04ec9bc00000000, 0x2e4e637000000000, 0x825c43a900000000,\n 0x1c5ce96500000000, 0xff5b66eb00000000, 0x615bcc2700000000,\n 0x7852092d00000000, 0xe652a3e100000000, 0x05552c6f00000000,\n 0x9b5586a300000000, 0x1c761d0600000000, 0x8276b7ca00000000,\n 0x6171384400000000, 0xff71928800000000, 0xe678578200000000,\n 0x7878fd4e00000000, 0x9b7f72c000000000, 0x057fd80c00000000,\n 0xa96df8d500000000, 0x376d521900000000, 0xd46add9700000000,\n 0x4a6a775b00000000, 0x5363b25100000000, 0xcd63189d00000000,\n 0x2e64971300000000, 0xb0643ddf00000000, 0x6125d08300000000,\n 0xff257a4f00000000, 0x1c22f5c100000000, 0x82225f0d00000000,\n 0x9b2b9a0700000000, 0x052b30cb00000000, 0xe62cbf4500000000,\n 0x782c158900000000, 0xd43e355000000000, 0x4a3e9f9c00000000,\n 0xa939101200000000, 0x3739bade00000000, 0x2e307fd400000000,\n 0xb030d51800000000, 0x53375a9600000000, 0xcd37f05a00000000,\n 0x4a146bff00000000, 0xd414c13300000000, 0x37134ebd00000000,\n 0xa913e47100000000, 0xb01a217b00000000, 0x2e1a8bb700000000,\n 0xcd1d043900000000, 0x531daef500000000, 0xff0f8e2c00000000,\n 0x610f24e000000000, 0x8208ab6e00000000, 0x1c0801a200000000,\n 0x0501c4a800000000, 0x9b016e6400000000, 0x7806e1ea00000000,\n 0xe6064b2600000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xb8bc6765, 0xaa09c88b, 0x12b5afee, 0x8f629757,\n 0x37def032, 0x256b5fdc, 0x9dd738b9, 0xc5b428ef, 0x7d084f8a,\n 0x6fbde064, 0xd7018701, 0x4ad6bfb8, 0xf26ad8dd, 0xe0df7733,\n 0x58631056, 0x5019579f, 0xe8a530fa, 0xfa109f14, 0x42acf871,\n 0xdf7bc0c8, 0x67c7a7ad, 0x75720843, 0xcdce6f26, 0x95ad7f70,\n 0x2d111815, 0x3fa4b7fb, 0x8718d09e, 0x1acfe827, 0xa2738f42,\n 0xb0c620ac, 0x087a47c9, 0xa032af3e, 0x188ec85b, 0x0a3b67b5,\n 0xb28700d0, 0x2f503869, 0x97ec5f0c, 0x8559f0e2, 0x3de59787,\n 0x658687d1, 0xdd3ae0b4, 0xcf8f4f5a, 0x7733283f, 0xeae41086,\n 0x525877e3, 0x40edd80d, 0xf851bf68, 0xf02bf8a1, 0x48979fc4,\n 0x5a22302a, 0xe29e574f, 0x7f496ff6, 0xc7f50893, 0xd540a77d,\n 0x6dfcc018, 0x359fd04e, 0x8d23b72b, 0x9f9618c5, 0x272a7fa0,\n 0xbafd4719, 0x0241207c, 0x10f48f92, 0xa848e8f7, 0x9b14583d,\n 0x23a83f58, 0x311d90b6, 0x89a1f7d3, 0x1476cf6a, 0xaccaa80f,\n 0xbe7f07e1, 0x06c36084, 0x5ea070d2, 0xe61c17b7, 0xf4a9b859,\n 0x4c15df3c, 0xd1c2e785, 0x697e80e0, 0x7bcb2f0e, 0xc377486b,\n 0xcb0d0fa2, 0x73b168c7, 0x6104c729, 0xd9b8a04c, 0x446f98f5,\n 0xfcd3ff90, 0xee66507e, 0x56da371b, 0x0eb9274d, 0xb6054028,\n 0xa4b0efc6, 0x1c0c88a3, 0x81dbb01a, 0x3967d77f, 0x2bd27891,\n 0x936e1ff4, 0x3b26f703, 0x839a9066, 0x912f3f88, 0x299358ed,\n 0xb4446054, 0x0cf80731, 0x1e4da8df, 0xa6f1cfba, 0xfe92dfec,\n 0x462eb889, 0x549b1767, 0xec277002, 0x71f048bb, 0xc94c2fde,\n 0xdbf98030, 0x6345e755, 0x6b3fa09c, 0xd383c7f9, 0xc1366817,\n 0x798a0f72, 0xe45d37cb, 0x5ce150ae, 0x4e54ff40, 0xf6e89825,\n 0xae8b8873, 0x1637ef16, 0x048240f8, 0xbc3e279d, 0x21e91f24,\n 0x99557841, 0x8be0d7af, 0x335cb0ca, 0xed59b63b, 0x55e5d15e,\n 0x47507eb0, 0xffec19d5, 0x623b216c, 0xda874609, 0xc832e9e7,\n 0x708e8e82, 0x28ed9ed4, 0x9051f9b1, 0x82e4565f, 0x3a58313a,\n 0xa78f0983, 0x1f336ee6, 0x0d86c108, 0xb53aa66d, 0xbd40e1a4,\n 0x05fc86c1, 0x1749292f, 0xaff54e4a, 0x322276f3, 0x8a9e1196,\n 0x982bbe78, 0x2097d91d, 0x78f4c94b, 0xc048ae2e, 0xd2fd01c0,\n 0x6a4166a5, 0xf7965e1c, 0x4f2a3979, 0x5d9f9697, 0xe523f1f2,\n 0x4d6b1905, 0xf5d77e60, 0xe762d18e, 0x5fdeb6eb, 0xc2098e52,\n 0x7ab5e937, 0x680046d9, 0xd0bc21bc, 0x88df31ea, 0x3063568f,\n 0x22d6f961, 0x9a6a9e04, 0x07bda6bd, 0xbf01c1d8, 0xadb46e36,\n 0x15080953, 0x1d724e9a, 0xa5ce29ff, 0xb77b8611, 0x0fc7e174,\n 0x9210d9cd, 0x2aacbea8, 0x38191146, 0x80a57623, 0xd8c66675,\n 0x607a0110, 0x72cfaefe, 0xca73c99b, 0x57a4f122, 0xef189647,\n 0xfdad39a9, 0x45115ecc, 0x764dee06, 0xcef18963, 0xdc44268d,\n 0x64f841e8, 0xf92f7951, 0x41931e34, 0x5326b1da, 0xeb9ad6bf,\n 0xb3f9c6e9, 0x0b45a18c, 0x19f00e62, 0xa14c6907, 0x3c9b51be,\n 0x842736db, 0x96929935, 0x2e2efe50, 0x2654b999, 0x9ee8defc,\n 0x8c5d7112, 0x34e11677, 0xa9362ece, 0x118a49ab, 0x033fe645,\n 0xbb838120, 0xe3e09176, 0x5b5cf613, 0x49e959fd, 0xf1553e98,\n 0x6c820621, 0xd43e6144, 0xc68bceaa, 0x7e37a9cf, 0xd67f4138,\n 0x6ec3265d, 0x7c7689b3, 0xc4caeed6, 0x591dd66f, 0xe1a1b10a,\n 0xf3141ee4, 0x4ba87981, 0x13cb69d7, 0xab770eb2, 0xb9c2a15c,\n 0x017ec639, 0x9ca9fe80, 0x241599e5, 0x36a0360b, 0x8e1c516e,\n 0x866616a7, 0x3eda71c2, 0x2c6fde2c, 0x94d3b949, 0x090481f0,\n 0xb1b8e695, 0xa30d497b, 0x1bb12e1e, 0x43d23e48, 0xfb6e592d,\n 0xe9dbf6c3, 0x516791a6, 0xccb0a91f, 0x740cce7a, 0x66b96194,\n 0xde0506f1},\n {0x00000000, 0x01c26a37, 0x0384d46e, 0x0246be59, 0x0709a8dc,\n 0x06cbc2eb, 0x048d7cb2, 0x054f1685, 0x0e1351b8, 0x0fd13b8f,\n 0x0d9785d6, 0x0c55efe1, 0x091af964, 0x08d89353, 0x0a9e2d0a,\n 0x0b5c473d, 0x1c26a370, 0x1de4c947, 0x1fa2771e, 0x1e601d29,\n 0x1b2f0bac, 0x1aed619b, 0x18abdfc2, 0x1969b5f5, 0x1235f2c8,\n 0x13f798ff, 0x11b126a6, 0x10734c91, 0x153c5a14, 0x14fe3023,\n 0x16b88e7a, 0x177ae44d, 0x384d46e0, 0x398f2cd7, 0x3bc9928e,\n 0x3a0bf8b9, 0x3f44ee3c, 0x3e86840b, 0x3cc03a52, 0x3d025065,\n 0x365e1758, 0x379c7d6f, 0x35dac336, 0x3418a901, 0x3157bf84,\n 0x3095d5b3, 0x32d36bea, 0x331101dd, 0x246be590, 0x25a98fa7,\n 0x27ef31fe, 0x262d5bc9, 0x23624d4c, 0x22a0277b, 0x20e69922,\n 0x2124f315, 0x2a78b428, 0x2bbade1f, 0x29fc6046, 0x283e0a71,\n 0x2d711cf4, 0x2cb376c3, 0x2ef5c89a, 0x2f37a2ad, 0x709a8dc0,\n 0x7158e7f7, 0x731e59ae, 0x72dc3399, 0x7793251c, 0x76514f2b,\n 0x7417f172, 0x75d59b45, 0x7e89dc78, 0x7f4bb64f, 0x7d0d0816,\n 0x7ccf6221, 0x798074a4, 0x78421e93, 0x7a04a0ca, 0x7bc6cafd,\n 0x6cbc2eb0, 0x6d7e4487, 0x6f38fade, 0x6efa90e9, 0x6bb5866c,\n 0x6a77ec5b, 0x68315202, 0x69f33835, 0x62af7f08, 0x636d153f,\n 0x612bab66, 0x60e9c151, 0x65a6d7d4, 0x6464bde3, 0x662203ba,\n 0x67e0698d, 0x48d7cb20, 0x4915a117, 0x4b531f4e, 0x4a917579,\n 0x4fde63fc, 0x4e1c09cb, 0x4c5ab792, 0x4d98dda5, 0x46c49a98,\n 0x4706f0af, 0x45404ef6, 0x448224c1, 0x41cd3244, 0x400f5873,\n 0x4249e62a, 0x438b8c1d, 0x54f16850, 0x55330267, 0x5775bc3e,\n 0x56b7d609, 0x53f8c08c, 0x523aaabb, 0x507c14e2, 0x51be7ed5,\n 0x5ae239e8, 0x5b2053df, 0x5966ed86, 0x58a487b1, 0x5deb9134,\n 0x5c29fb03, 0x5e6f455a, 0x5fad2f6d, 0xe1351b80, 0xe0f771b7,\n 0xe2b1cfee, 0xe373a5d9, 0xe63cb35c, 0xe7fed96b, 0xe5b86732,\n 0xe47a0d05, 0xef264a38, 0xeee4200f, 0xeca29e56, 0xed60f461,\n 0xe82fe2e4, 0xe9ed88d3, 0xebab368a, 0xea695cbd, 0xfd13b8f0,\n 0xfcd1d2c7, 0xfe976c9e, 0xff5506a9, 0xfa1a102c, 0xfbd87a1b,\n 0xf99ec442, 0xf85cae75, 0xf300e948, 0xf2c2837f, 0xf0843d26,\n 0xf1465711, 0xf4094194, 0xf5cb2ba3, 0xf78d95fa, 0xf64fffcd,\n 0xd9785d60, 0xd8ba3757, 0xdafc890e, 0xdb3ee339, 0xde71f5bc,\n 0xdfb39f8b, 0xddf521d2, 0xdc374be5, 0xd76b0cd8, 0xd6a966ef,\n 0xd4efd8b6, 0xd52db281, 0xd062a404, 0xd1a0ce33, 0xd3e6706a,\n 0xd2241a5d, 0xc55efe10, 0xc49c9427, 0xc6da2a7e, 0xc7184049,\n 0xc25756cc, 0xc3953cfb, 0xc1d382a2, 0xc011e895, 0xcb4dafa8,\n 0xca8fc59f, 0xc8c97bc6, 0xc90b11f1, 0xcc440774, 0xcd866d43,\n 0xcfc0d31a, 0xce02b92d, 0x91af9640, 0x906dfc77, 0x922b422e,\n 0x93e92819, 0x96a63e9c, 0x976454ab, 0x9522eaf2, 0x94e080c5,\n 0x9fbcc7f8, 0x9e7eadcf, 0x9c381396, 0x9dfa79a1, 0x98b56f24,\n 0x99770513, 0x9b31bb4a, 0x9af3d17d, 0x8d893530, 0x8c4b5f07,\n 0x8e0de15e, 0x8fcf8b69, 0x8a809dec, 0x8b42f7db, 0x89044982,\n 0x88c623b5, 0x839a6488, 0x82580ebf, 0x801eb0e6, 0x81dcdad1,\n 0x8493cc54, 0x8551a663, 0x8717183a, 0x86d5720d, 0xa9e2d0a0,\n 0xa820ba97, 0xaa6604ce, 0xaba46ef9, 0xaeeb787c, 0xaf29124b,\n 0xad6fac12, 0xacadc625, 0xa7f18118, 0xa633eb2f, 0xa4755576,\n 0xa5b73f41, 0xa0f829c4, 0xa13a43f3, 0xa37cfdaa, 0xa2be979d,\n 0xb5c473d0, 0xb40619e7, 0xb640a7be, 0xb782cd89, 0xb2cddb0c,\n 0xb30fb13b, 0xb1490f62, 0xb08b6555, 0xbbd72268, 0xba15485f,\n 0xb853f606, 0xb9919c31, 0xbcde8ab4, 0xbd1ce083, 0xbf5a5eda,\n 0xbe9834ed},\n {0x00000000, 0x191b3141, 0x32366282, 0x2b2d53c3, 0x646cc504,\n 0x7d77f445, 0x565aa786, 0x4f4196c7, 0xc8d98a08, 0xd1c2bb49,\n 0xfaefe88a, 0xe3f4d9cb, 0xacb54f0c, 0xb5ae7e4d, 0x9e832d8e,\n 0x87981ccf, 0x4ac21251, 0x53d92310, 0x78f470d3, 0x61ef4192,\n 0x2eaed755, 0x37b5e614, 0x1c98b5d7, 0x05838496, 0x821b9859,\n 0x9b00a918, 0xb02dfadb, 0xa936cb9a, 0xe6775d5d, 0xff6c6c1c,\n 0xd4413fdf, 0xcd5a0e9e, 0x958424a2, 0x8c9f15e3, 0xa7b24620,\n 0xbea97761, 0xf1e8e1a6, 0xe8f3d0e7, 0xc3de8324, 0xdac5b265,\n 0x5d5daeaa, 0x44469feb, 0x6f6bcc28, 0x7670fd69, 0x39316bae,\n 0x202a5aef, 0x0b07092c, 0x121c386d, 0xdf4636f3, 0xc65d07b2,\n 0xed705471, 0xf46b6530, 0xbb2af3f7, 0xa231c2b6, 0x891c9175,\n 0x9007a034, 0x179fbcfb, 0x0e848dba, 0x25a9de79, 0x3cb2ef38,\n 0x73f379ff, 0x6ae848be, 0x41c51b7d, 0x58de2a3c, 0xf0794f05,\n 0xe9627e44, 0xc24f2d87, 0xdb541cc6, 0x94158a01, 0x8d0ebb40,\n 0xa623e883, 0xbf38d9c2, 0x38a0c50d, 0x21bbf44c, 0x0a96a78f,\n 0x138d96ce, 0x5ccc0009, 0x45d73148, 0x6efa628b, 0x77e153ca,\n 0xbabb5d54, 0xa3a06c15, 0x888d3fd6, 0x91960e97, 0xded79850,\n 0xc7cca911, 0xece1fad2, 0xf5facb93, 0x7262d75c, 0x6b79e61d,\n 0x4054b5de, 0x594f849f, 0x160e1258, 0x0f152319, 0x243870da,\n 0x3d23419b, 0x65fd6ba7, 0x7ce65ae6, 0x57cb0925, 0x4ed03864,\n 0x0191aea3, 0x188a9fe2, 0x33a7cc21, 0x2abcfd60, 0xad24e1af,\n 0xb43fd0ee, 0x9f12832d, 0x8609b26c, 0xc94824ab, 0xd05315ea,\n 0xfb7e4629, 0xe2657768, 0x2f3f79f6, 0x362448b7, 0x1d091b74,\n 0x04122a35, 0x4b53bcf2, 0x52488db3, 0x7965de70, 0x607eef31,\n 0xe7e6f3fe, 0xfefdc2bf, 0xd5d0917c, 0xcccba03d, 0x838a36fa,\n 0x9a9107bb, 0xb1bc5478, 0xa8a76539, 0x3b83984b, 0x2298a90a,\n 0x09b5fac9, 0x10aecb88, 0x5fef5d4f, 0x46f46c0e, 0x6dd93fcd,\n 0x74c20e8c, 0xf35a1243, 0xea412302, 0xc16c70c1, 0xd8774180,\n 0x9736d747, 0x8e2de606, 0xa500b5c5, 0xbc1b8484, 0x71418a1a,\n 0x685abb5b, 0x4377e898, 0x5a6cd9d9, 0x152d4f1e, 0x0c367e5f,\n 0x271b2d9c, 0x3e001cdd, 0xb9980012, 0xa0833153, 0x8bae6290,\n 0x92b553d1, 0xddf4c516, 0xc4eff457, 0xefc2a794, 0xf6d996d5,\n 0xae07bce9, 0xb71c8da8, 0x9c31de6b, 0x852aef2a, 0xca6b79ed,\n 0xd37048ac, 0xf85d1b6f, 0xe1462a2e, 0x66de36e1, 0x7fc507a0,\n 0x54e85463, 0x4df36522, 0x02b2f3e5, 0x1ba9c2a4, 0x30849167,\n 0x299fa026, 0xe4c5aeb8, 0xfdde9ff9, 0xd6f3cc3a, 0xcfe8fd7b,\n 0x80a96bbc, 0x99b25afd, 0xb29f093e, 0xab84387f, 0x2c1c24b0,\n 0x350715f1, 0x1e2a4632, 0x07317773, 0x4870e1b4, 0x516bd0f5,\n 0x7a468336, 0x635db277, 0xcbfad74e, 0xd2e1e60f, 0xf9ccb5cc,\n 0xe0d7848d, 0xaf96124a, 0xb68d230b, 0x9da070c8, 0x84bb4189,\n 0x03235d46, 0x1a386c07, 0x31153fc4, 0x280e0e85, 0x674f9842,\n 0x7e54a903, 0x5579fac0, 0x4c62cb81, 0x8138c51f, 0x9823f45e,\n 0xb30ea79d, 0xaa1596dc, 0xe554001b, 0xfc4f315a, 0xd7626299,\n 0xce7953d8, 0x49e14f17, 0x50fa7e56, 0x7bd72d95, 0x62cc1cd4,\n 0x2d8d8a13, 0x3496bb52, 0x1fbbe891, 0x06a0d9d0, 0x5e7ef3ec,\n 0x4765c2ad, 0x6c48916e, 0x7553a02f, 0x3a1236e8, 0x230907a9,\n 0x0824546a, 0x113f652b, 0x96a779e4, 0x8fbc48a5, 0xa4911b66,\n 0xbd8a2a27, 0xf2cbbce0, 0xebd08da1, 0xc0fdde62, 0xd9e6ef23,\n 0x14bce1bd, 0x0da7d0fc, 0x268a833f, 0x3f91b27e, 0x70d024b9,\n 0x69cb15f8, 0x42e6463b, 0x5bfd777a, 0xdc656bb5, 0xc57e5af4,\n 0xee530937, 0xf7483876, 0xb809aeb1, 0xa1129ff0, 0x8a3fcc33,\n 0x9324fd72},\n {0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419,\n 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4,\n 0xe0d5e91e, 0x97d2d988, 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07,\n 0x90bf1d91, 0x1db71064, 0x6ab020f2, 0xf3b97148, 0x84be41de,\n 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7, 0x136c9856,\n 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,\n 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4,\n 0xa2677172, 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50ab56b,\n 0x35b5a8fa, 0x42b2986c, 0xdbbbc9d6, 0xacbcf940, 0x32d86ce3,\n 0x45df5c75, 0xdcd60dcf, 0xabd13d59, 0x26d930ac, 0x51de003a,\n 0xc8d75180, 0xbfd06116, 0x21b4f4b5, 0x56b3c423, 0xcfba9599,\n 0xb8bda50f, 0x2802b89e, 0x5f058808, 0xc60cd9b2, 0xb10be924,\n 0x2f6f7c87, 0x58684c11, 0xc1611dab, 0xb6662d3d, 0x76dc4190,\n 0x01db7106, 0x98d220bc, 0xefd5102a, 0x71b18589, 0x06b6b51f,\n 0x9fbfe4a5, 0xe8b8d433, 0x7807c9a2, 0x0f00f934, 0x9609a88e,\n 0xe10e9818, 0x7f6a0dbb, 0x086d3d2d, 0x91646c97, 0xe6635c01,\n 0x6b6b51f4, 0x1c6c6162, 0x856530d8, 0xf262004e, 0x6c0695ed,\n 0x1b01a57b, 0x8208f4c1, 0xf50fc457, 0x65b0d9c6, 0x12b7e950,\n 0x8bbeb8ea, 0xfcb9887c, 0x62dd1ddf, 0x15da2d49, 0x8cd37cf3,\n 0xfbd44c65, 0x4db26158, 0x3ab551ce, 0xa3bc0074, 0xd4bb30e2,\n 0x4adfa541, 0x3dd895d7, 0xa4d1c46d, 0xd3d6f4fb, 0x4369e96a,\n 0x346ed9fc, 0xad678846, 0xda60b8d0, 0x44042d73, 0x33031de5,\n 0xaa0a4c5f, 0xdd0d7cc9, 0x5005713c, 0x270241aa, 0xbe0b1010,\n 0xc90c2086, 0x5768b525, 0x206f85b3, 0xb966d409, 0xce61e49f,\n 0x5edef90e, 0x29d9c998, 0xb0d09822, 0xc7d7a8b4, 0x59b33d17,\n 0x2eb40d81, 0xb7bd5c3b, 0xc0ba6cad, 0xedb88320, 0x9abfb3b6,\n 0x03b6e20c, 0x74b1d29a, 0xead54739, 0x9dd277af, 0x04db2615,\n 0x73dc1683, 0xe3630b12, 0x94643b84, 0x0d6d6a3e, 0x7a6a5aa8,\n 0xe40ecf0b, 0x9309ff9d, 0x0a00ae27, 0x7d079eb1, 0xf00f9344,\n 0x8708a3d2, 0x1e01f268, 0x6906c2fe, 0xf762575d, 0x806567cb,\n 0x196c3671, 0x6e6b06e7, 0xfed41b76, 0x89d32be0, 0x10da7a5a,\n 0x67dd4acc, 0xf9b9df6f, 0x8ebeeff9, 0x17b7be43, 0x60b08ed5,\n 0xd6d6a3e8, 0xa1d1937e, 0x38d8c2c4, 0x4fdff252, 0xd1bb67f1,\n 0xa6bc5767, 0x3fb506dd, 0x48b2364b, 0xd80d2bda, 0xaf0a1b4c,\n 0x36034af6, 0x41047a60, 0xdf60efc3, 0xa867df55, 0x316e8eef,\n 0x4669be79, 0xcb61b38c, 0xbc66831a, 0x256fd2a0, 0x5268e236,\n 0xcc0c7795, 0xbb0b4703, 0x220216b9, 0x5505262f, 0xc5ba3bbe,\n 0xb2bd0b28, 0x2bb45a92, 0x5cb36a04, 0xc2d7ffa7, 0xb5d0cf31,\n 0x2cd99e8b, 0x5bdeae1d, 0x9b64c2b0, 0xec63f226, 0x756aa39c,\n 0x026d930a, 0x9c0906a9, 0xeb0e363f, 0x72076785, 0x05005713,\n 0x95bf4a82, 0xe2b87a14, 0x7bb12bae, 0x0cb61b38, 0x92d28e9b,\n 0xe5d5be0d, 0x7cdcefb7, 0x0bdbdf21, 0x86d3d2d4, 0xf1d4e242,\n 0x68ddb3f8, 0x1fda836e, 0x81be16cd, 0xf6b9265b, 0x6fb077e1,\n 0x18b74777, 0x88085ae6, 0xff0f6a70, 0x66063bca, 0x11010b5c,\n 0x8f659eff, 0xf862ae69, 0x616bffd3, 0x166ccf45, 0xa00ae278,\n 0xd70dd2ee, 0x4e048354, 0x3903b3c2, 0xa7672661, 0xd06016f7,\n 0x4969474d, 0x3e6e77db, 0xaed16a4a, 0xd9d65adc, 0x40df0b66,\n 0x37d83bf0, 0xa9bcae53, 0xdebb9ec5, 0x47b2cf7f, 0x30b5ffe9,\n 0xbdbdf21c, 0xcabac28a, 0x53b39330, 0x24b4a3a6, 0xbad03605,\n 0xcdd70693, 0x54de5729, 0x23d967bf, 0xb3667a2e, 0xc4614ab8,\n 0x5d681b02, 0x2a6f2b94, 0xb40bbe37, 0xc30c8ea1, 0x5a05df1b,\n 0x2d02ef8d}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0x96300777, 0x2c610eee, 0xba510999, 0x19c46d07,\n 0x8ff46a70, 0x35a563e9, 0xa395649e, 0x3288db0e, 0xa4b8dc79,\n 0x1ee9d5e0, 0x88d9d297, 0x2b4cb609, 0xbd7cb17e, 0x072db8e7,\n 0x911dbf90, 0x6410b71d, 0xf220b06a, 0x4871b9f3, 0xde41be84,\n 0x7dd4da1a, 0xebe4dd6d, 0x51b5d4f4, 0xc785d383, 0x56986c13,\n 0xc0a86b64, 0x7af962fd, 0xecc9658a, 0x4f5c0114, 0xd96c0663,\n 0x633d0ffa, 0xf50d088d, 0xc8206e3b, 0x5e10694c, 0xe44160d5,\n 0x727167a2, 0xd1e4033c, 0x47d4044b, 0xfd850dd2, 0x6bb50aa5,\n 0xfaa8b535, 0x6c98b242, 0xd6c9bbdb, 0x40f9bcac, 0xe36cd832,\n 0x755cdf45, 0xcf0dd6dc, 0x593dd1ab, 0xac30d926, 0x3a00de51,\n 0x8051d7c8, 0x1661d0bf, 0xb5f4b421, 0x23c4b356, 0x9995bacf,\n 0x0fa5bdb8, 0x9eb80228, 0x0888055f, 0xb2d90cc6, 0x24e90bb1,\n 0x877c6f2f, 0x114c6858, 0xab1d61c1, 0x3d2d66b6, 0x9041dc76,\n 0x0671db01, 0xbc20d298, 0x2a10d5ef, 0x8985b171, 0x1fb5b606,\n 0xa5e4bf9f, 0x33d4b8e8, 0xa2c90778, 0x34f9000f, 0x8ea80996,\n 0x18980ee1, 0xbb0d6a7f, 0x2d3d6d08, 0x976c6491, 0x015c63e6,\n 0xf4516b6b, 0x62616c1c, 0xd8306585, 0x4e0062f2, 0xed95066c,\n 0x7ba5011b, 0xc1f40882, 0x57c40ff5, 0xc6d9b065, 0x50e9b712,\n 0xeab8be8b, 0x7c88b9fc, 0xdf1ddd62, 0x492dda15, 0xf37cd38c,\n 0x654cd4fb, 0x5861b24d, 0xce51b53a, 0x7400bca3, 0xe230bbd4,\n 0x41a5df4a, 0xd795d83d, 0x6dc4d1a4, 0xfbf4d6d3, 0x6ae96943,\n 0xfcd96e34, 0x468867ad, 0xd0b860da, 0x732d0444, 0xe51d0333,\n 0x5f4c0aaa, 0xc97c0ddd, 0x3c710550, 0xaa410227, 0x10100bbe,\n 0x86200cc9, 0x25b56857, 0xb3856f20, 0x09d466b9, 0x9fe461ce,\n 0x0ef9de5e, 0x98c9d929, 0x2298d0b0, 0xb4a8d7c7, 0x173db359,\n 0x810db42e, 0x3b5cbdb7, 0xad6cbac0, 0x2083b8ed, 0xb6b3bf9a,\n 0x0ce2b603, 0x9ad2b174, 0x3947d5ea, 0xaf77d29d, 0x1526db04,\n 0x8316dc73, 0x120b63e3, 0x843b6494, 0x3e6a6d0d, 0xa85a6a7a,\n 0x0bcf0ee4, 0x9dff0993, 0x27ae000a, 0xb19e077d, 0x44930ff0,\n 0xd2a30887, 0x68f2011e, 0xfec20669, 0x5d5762f7, 0xcb676580,\n 0x71366c19, 0xe7066b6e, 0x761bd4fe, 0xe02bd389, 0x5a7ada10,\n 0xcc4add67, 0x6fdfb9f9, 0xf9efbe8e, 0x43beb717, 0xd58eb060,\n 0xe8a3d6d6, 0x7e93d1a1, 0xc4c2d838, 0x52f2df4f, 0xf167bbd1,\n 0x6757bca6, 0xdd06b53f, 0x4b36b248, 0xda2b0dd8, 0x4c1b0aaf,\n 0xf64a0336, 0x607a0441, 0xc3ef60df, 0x55df67a8, 0xef8e6e31,\n 0x79be6946, 0x8cb361cb, 0x1a8366bc, 0xa0d26f25, 0x36e26852,\n 0x95770ccc, 0x03470bbb, 0xb9160222, 0x2f260555, 0xbe3bbac5,\n 0x280bbdb2, 0x925ab42b, 0x046ab35c, 0xa7ffd7c2, 0x31cfd0b5,\n 0x8b9ed92c, 0x1daede5b, 0xb0c2649b, 0x26f263ec, 0x9ca36a75,\n 0x0a936d02, 0xa906099c, 0x3f360eeb, 0x85670772, 0x13570005,\n 0x824abf95, 0x147ab8e2, 0xae2bb17b, 0x381bb60c, 0x9b8ed292,\n 0x0dbed5e5, 0xb7efdc7c, 0x21dfdb0b, 0xd4d2d386, 0x42e2d4f1,\n 0xf8b3dd68, 0x6e83da1f, 0xcd16be81, 0x5b26b9f6, 0xe177b06f,\n 0x7747b718, 0xe65a0888, 0x706a0fff, 0xca3b0666, 0x5c0b0111,\n 0xff9e658f, 0x69ae62f8, 0xd3ff6b61, 0x45cf6c16, 0x78e20aa0,\n 0xeed20dd7, 0x5483044e, 0xc2b30339, 0x612667a7, 0xf71660d0,\n 0x4d476949, 0xdb776e3e, 0x4a6ad1ae, 0xdc5ad6d9, 0x660bdf40,\n 0xf03bd837, 0x53aebca9, 0xc59ebbde, 0x7fcfb247, 0xe9ffb530,\n 0x1cf2bdbd, 0x8ac2baca, 0x3093b353, 0xa6a3b424, 0x0536d0ba,\n 0x9306d7cd, 0x2957de54, 0xbf67d923, 0x2e7a66b3, 0xb84a61c4,\n 0x021b685d, 0x942b6f2a, 0x37be0bb4, 0xa18e0cc3, 0x1bdf055a,\n 0x8def022d},\n {0x00000000, 0x41311b19, 0x82623632, 0xc3532d2b, 0x04c56c64,\n 0x45f4777d, 0x86a75a56, 0xc796414f, 0x088ad9c8, 0x49bbc2d1,\n 0x8ae8effa, 0xcbd9f4e3, 0x0c4fb5ac, 0x4d7eaeb5, 0x8e2d839e,\n 0xcf1c9887, 0x5112c24a, 0x1023d953, 0xd370f478, 0x9241ef61,\n 0x55d7ae2e, 0x14e6b537, 0xd7b5981c, 0x96848305, 0x59981b82,\n 0x18a9009b, 0xdbfa2db0, 0x9acb36a9, 0x5d5d77e6, 0x1c6c6cff,\n 0xdf3f41d4, 0x9e0e5acd, 0xa2248495, 0xe3159f8c, 0x2046b2a7,\n 0x6177a9be, 0xa6e1e8f1, 0xe7d0f3e8, 0x2483dec3, 0x65b2c5da,\n 0xaaae5d5d, 0xeb9f4644, 0x28cc6b6f, 0x69fd7076, 0xae6b3139,\n 0xef5a2a20, 0x2c09070b, 0x6d381c12, 0xf33646df, 0xb2075dc6,\n 0x715470ed, 0x30656bf4, 0xf7f32abb, 0xb6c231a2, 0x75911c89,\n 0x34a00790, 0xfbbc9f17, 0xba8d840e, 0x79dea925, 0x38efb23c,\n 0xff79f373, 0xbe48e86a, 0x7d1bc541, 0x3c2ade58, 0x054f79f0,\n 0x447e62e9, 0x872d4fc2, 0xc61c54db, 0x018a1594, 0x40bb0e8d,\n 0x83e823a6, 0xc2d938bf, 0x0dc5a038, 0x4cf4bb21, 0x8fa7960a,\n 0xce968d13, 0x0900cc5c, 0x4831d745, 0x8b62fa6e, 0xca53e177,\n 0x545dbbba, 0x156ca0a3, 0xd63f8d88, 0x970e9691, 0x5098d7de,\n 0x11a9ccc7, 0xd2fae1ec, 0x93cbfaf5, 0x5cd76272, 0x1de6796b,\n 0xdeb55440, 0x9f844f59, 0x58120e16, 0x1923150f, 0xda703824,\n 0x9b41233d, 0xa76bfd65, 0xe65ae67c, 0x2509cb57, 0x6438d04e,\n 0xa3ae9101, 0xe29f8a18, 0x21cca733, 0x60fdbc2a, 0xafe124ad,\n 0xeed03fb4, 0x2d83129f, 0x6cb20986, 0xab2448c9, 0xea1553d0,\n 0x29467efb, 0x687765e2, 0xf6793f2f, 0xb7482436, 0x741b091d,\n 0x352a1204, 0xf2bc534b, 0xb38d4852, 0x70de6579, 0x31ef7e60,\n 0xfef3e6e7, 0xbfc2fdfe, 0x7c91d0d5, 0x3da0cbcc, 0xfa368a83,\n 0xbb07919a, 0x7854bcb1, 0x3965a7a8, 0x4b98833b, 0x0aa99822,\n 0xc9fab509, 0x88cbae10, 0x4f5def5f, 0x0e6cf446, 0xcd3fd96d,\n 0x8c0ec274, 0x43125af3, 0x022341ea, 0xc1706cc1, 0x804177d8,\n 0x47d73697, 0x06e62d8e, 0xc5b500a5, 0x84841bbc, 0x1a8a4171,\n 0x5bbb5a68, 0x98e87743, 0xd9d96c5a, 0x1e4f2d15, 0x5f7e360c,\n 0x9c2d1b27, 0xdd1c003e, 0x120098b9, 0x533183a0, 0x9062ae8b,\n 0xd153b592, 0x16c5f4dd, 0x57f4efc4, 0x94a7c2ef, 0xd596d9f6,\n 0xe9bc07ae, 0xa88d1cb7, 0x6bde319c, 0x2aef2a85, 0xed796bca,\n 0xac4870d3, 0x6f1b5df8, 0x2e2a46e1, 0xe136de66, 0xa007c57f,\n 0x6354e854, 0x2265f34d, 0xe5f3b202, 0xa4c2a91b, 0x67918430,\n 0x26a09f29, 0xb8aec5e4, 0xf99fdefd, 0x3accf3d6, 0x7bfde8cf,\n 0xbc6ba980, 0xfd5ab299, 0x3e099fb2, 0x7f3884ab, 0xb0241c2c,\n 0xf1150735, 0x32462a1e, 0x73773107, 0xb4e17048, 0xf5d06b51,\n 0x3683467a, 0x77b25d63, 0x4ed7facb, 0x0fe6e1d2, 0xccb5ccf9,\n 0x8d84d7e0, 0x4a1296af, 0x0b238db6, 0xc870a09d, 0x8941bb84,\n 0x465d2303, 0x076c381a, 0xc43f1531, 0x850e0e28, 0x42984f67,\n 0x03a9547e, 0xc0fa7955, 0x81cb624c, 0x1fc53881, 0x5ef42398,\n 0x9da70eb3, 0xdc9615aa, 0x1b0054e5, 0x5a314ffc, 0x996262d7,\n 0xd85379ce, 0x174fe149, 0x567efa50, 0x952dd77b, 0xd41ccc62,\n 0x138a8d2d, 0x52bb9634, 0x91e8bb1f, 0xd0d9a006, 0xecf37e5e,\n 0xadc26547, 0x6e91486c, 0x2fa05375, 0xe836123a, 0xa9070923,\n 0x6a542408, 0x2b653f11, 0xe479a796, 0xa548bc8f, 0x661b91a4,\n 0x272a8abd, 0xe0bccbf2, 0xa18dd0eb, 0x62defdc0, 0x23efe6d9,\n 0xbde1bc14, 0xfcd0a70d, 0x3f838a26, 0x7eb2913f, 0xb924d070,\n 0xf815cb69, 0x3b46e642, 0x7a77fd5b, 0xb56b65dc, 0xf45a7ec5,\n 0x370953ee, 0x763848f7, 0xb1ae09b8, 0xf09f12a1, 0x33cc3f8a,\n 0x72fd2493},\n {0x00000000, 0x376ac201, 0x6ed48403, 0x59be4602, 0xdca80907,\n 0xebc2cb06, 0xb27c8d04, 0x85164f05, 0xb851130e, 0x8f3bd10f,\n 0xd685970d, 0xe1ef550c, 0x64f91a09, 0x5393d808, 0x0a2d9e0a,\n 0x3d475c0b, 0x70a3261c, 0x47c9e41d, 0x1e77a21f, 0x291d601e,\n 0xac0b2f1b, 0x9b61ed1a, 0xc2dfab18, 0xf5b56919, 0xc8f23512,\n 0xff98f713, 0xa626b111, 0x914c7310, 0x145a3c15, 0x2330fe14,\n 0x7a8eb816, 0x4de47a17, 0xe0464d38, 0xd72c8f39, 0x8e92c93b,\n 0xb9f80b3a, 0x3cee443f, 0x0b84863e, 0x523ac03c, 0x6550023d,\n 0x58175e36, 0x6f7d9c37, 0x36c3da35, 0x01a91834, 0x84bf5731,\n 0xb3d59530, 0xea6bd332, 0xdd011133, 0x90e56b24, 0xa78fa925,\n 0xfe31ef27, 0xc95b2d26, 0x4c4d6223, 0x7b27a022, 0x2299e620,\n 0x15f32421, 0x28b4782a, 0x1fdeba2b, 0x4660fc29, 0x710a3e28,\n 0xf41c712d, 0xc376b32c, 0x9ac8f52e, 0xada2372f, 0xc08d9a70,\n 0xf7e75871, 0xae591e73, 0x9933dc72, 0x1c259377, 0x2b4f5176,\n 0x72f11774, 0x459bd575, 0x78dc897e, 0x4fb64b7f, 0x16080d7d,\n 0x2162cf7c, 0xa4748079, 0x931e4278, 0xcaa0047a, 0xfdcac67b,\n 0xb02ebc6c, 0x87447e6d, 0xdefa386f, 0xe990fa6e, 0x6c86b56b,\n 0x5bec776a, 0x02523168, 0x3538f369, 0x087faf62, 0x3f156d63,\n 0x66ab2b61, 0x51c1e960, 0xd4d7a665, 0xe3bd6464, 0xba032266,\n 0x8d69e067, 0x20cbd748, 0x17a11549, 0x4e1f534b, 0x7975914a,\n 0xfc63de4f, 0xcb091c4e, 0x92b75a4c, 0xa5dd984d, 0x989ac446,\n 0xaff00647, 0xf64e4045, 0xc1248244, 0x4432cd41, 0x73580f40,\n 0x2ae64942, 0x1d8c8b43, 0x5068f154, 0x67023355, 0x3ebc7557,\n 0x09d6b756, 0x8cc0f853, 0xbbaa3a52, 0xe2147c50, 0xd57ebe51,\n 0xe839e25a, 0xdf53205b, 0x86ed6659, 0xb187a458, 0x3491eb5d,\n 0x03fb295c, 0x5a456f5e, 0x6d2fad5f, 0x801b35e1, 0xb771f7e0,\n 0xeecfb1e2, 0xd9a573e3, 0x5cb33ce6, 0x6bd9fee7, 0x3267b8e5,\n 0x050d7ae4, 0x384a26ef, 0x0f20e4ee, 0x569ea2ec, 0x61f460ed,\n 0xe4e22fe8, 0xd388ede9, 0x8a36abeb, 0xbd5c69ea, 0xf0b813fd,\n 0xc7d2d1fc, 0x9e6c97fe, 0xa90655ff, 0x2c101afa, 0x1b7ad8fb,\n 0x42c49ef9, 0x75ae5cf8, 0x48e900f3, 0x7f83c2f2, 0x263d84f0,\n 0x115746f1, 0x944109f4, 0xa32bcbf5, 0xfa958df7, 0xcdff4ff6,\n 0x605d78d9, 0x5737bad8, 0x0e89fcda, 0x39e33edb, 0xbcf571de,\n 0x8b9fb3df, 0xd221f5dd, 0xe54b37dc, 0xd80c6bd7, 0xef66a9d6,\n 0xb6d8efd4, 0x81b22dd5, 0x04a462d0, 0x33cea0d1, 0x6a70e6d3,\n 0x5d1a24d2, 0x10fe5ec5, 0x27949cc4, 0x7e2adac6, 0x494018c7,\n 0xcc5657c2, 0xfb3c95c3, 0xa282d3c1, 0x95e811c0, 0xa8af4dcb,\n 0x9fc58fca, 0xc67bc9c8, 0xf1110bc9, 0x740744cc, 0x436d86cd,\n 0x1ad3c0cf, 0x2db902ce, 0x4096af91, 0x77fc6d90, 0x2e422b92,\n 0x1928e993, 0x9c3ea696, 0xab546497, 0xf2ea2295, 0xc580e094,\n 0xf8c7bc9f, 0xcfad7e9e, 0x9613389c, 0xa179fa9d, 0x246fb598,\n 0x13057799, 0x4abb319b, 0x7dd1f39a, 0x3035898d, 0x075f4b8c,\n 0x5ee10d8e, 0x698bcf8f, 0xec9d808a, 0xdbf7428b, 0x82490489,\n 0xb523c688, 0x88649a83, 0xbf0e5882, 0xe6b01e80, 0xd1dadc81,\n 0x54cc9384, 0x63a65185, 0x3a181787, 0x0d72d586, 0xa0d0e2a9,\n 0x97ba20a8, 0xce0466aa, 0xf96ea4ab, 0x7c78ebae, 0x4b1229af,\n 0x12ac6fad, 0x25c6adac, 0x1881f1a7, 0x2feb33a6, 0x765575a4,\n 0x413fb7a5, 0xc429f8a0, 0xf3433aa1, 0xaafd7ca3, 0x9d97bea2,\n 0xd073c4b5, 0xe71906b4, 0xbea740b6, 0x89cd82b7, 0x0cdbcdb2,\n 0x3bb10fb3, 0x620f49b1, 0x55658bb0, 0x6822d7bb, 0x5f4815ba,\n 0x06f653b8, 0x319c91b9, 0xb48adebc, 0x83e01cbd, 0xda5e5abf,\n 0xed3498be},\n {0x00000000, 0x6567bcb8, 0x8bc809aa, 0xeeafb512, 0x5797628f,\n 0x32f0de37, 0xdc5f6b25, 0xb938d79d, 0xef28b4c5, 0x8a4f087d,\n 0x64e0bd6f, 0x018701d7, 0xb8bfd64a, 0xddd86af2, 0x3377dfe0,\n 0x56106358, 0x9f571950, 0xfa30a5e8, 0x149f10fa, 0x71f8ac42,\n 0xc8c07bdf, 0xada7c767, 0x43087275, 0x266fcecd, 0x707fad95,\n 0x1518112d, 0xfbb7a43f, 0x9ed01887, 0x27e8cf1a, 0x428f73a2,\n 0xac20c6b0, 0xc9477a08, 0x3eaf32a0, 0x5bc88e18, 0xb5673b0a,\n 0xd00087b2, 0x6938502f, 0x0c5fec97, 0xe2f05985, 0x8797e53d,\n 0xd1878665, 0xb4e03add, 0x5a4f8fcf, 0x3f283377, 0x8610e4ea,\n 0xe3775852, 0x0dd8ed40, 0x68bf51f8, 0xa1f82bf0, 0xc49f9748,\n 0x2a30225a, 0x4f579ee2, 0xf66f497f, 0x9308f5c7, 0x7da740d5,\n 0x18c0fc6d, 0x4ed09f35, 0x2bb7238d, 0xc518969f, 0xa07f2a27,\n 0x1947fdba, 0x7c204102, 0x928ff410, 0xf7e848a8, 0x3d58149b,\n 0x583fa823, 0xb6901d31, 0xd3f7a189, 0x6acf7614, 0x0fa8caac,\n 0xe1077fbe, 0x8460c306, 0xd270a05e, 0xb7171ce6, 0x59b8a9f4,\n 0x3cdf154c, 0x85e7c2d1, 0xe0807e69, 0x0e2fcb7b, 0x6b4877c3,\n 0xa20f0dcb, 0xc768b173, 0x29c70461, 0x4ca0b8d9, 0xf5986f44,\n 0x90ffd3fc, 0x7e5066ee, 0x1b37da56, 0x4d27b90e, 0x284005b6,\n 0xc6efb0a4, 0xa3880c1c, 0x1ab0db81, 0x7fd76739, 0x9178d22b,\n 0xf41f6e93, 0x03f7263b, 0x66909a83, 0x883f2f91, 0xed589329,\n 0x546044b4, 0x3107f80c, 0xdfa84d1e, 0xbacff1a6, 0xecdf92fe,\n 0x89b82e46, 0x67179b54, 0x027027ec, 0xbb48f071, 0xde2f4cc9,\n 0x3080f9db, 0x55e74563, 0x9ca03f6b, 0xf9c783d3, 0x176836c1,\n 0x720f8a79, 0xcb375de4, 0xae50e15c, 0x40ff544e, 0x2598e8f6,\n 0x73888bae, 0x16ef3716, 0xf8408204, 0x9d273ebc, 0x241fe921,\n 0x41785599, 0xafd7e08b, 0xcab05c33, 0x3bb659ed, 0x5ed1e555,\n 0xb07e5047, 0xd519ecff, 0x6c213b62, 0x094687da, 0xe7e932c8,\n 0x828e8e70, 0xd49eed28, 0xb1f95190, 0x5f56e482, 0x3a31583a,\n 0x83098fa7, 0xe66e331f, 0x08c1860d, 0x6da63ab5, 0xa4e140bd,\n 0xc186fc05, 0x2f294917, 0x4a4ef5af, 0xf3762232, 0x96119e8a,\n 0x78be2b98, 0x1dd99720, 0x4bc9f478, 0x2eae48c0, 0xc001fdd2,\n 0xa566416a, 0x1c5e96f7, 0x79392a4f, 0x97969f5d, 0xf2f123e5,\n 0x05196b4d, 0x607ed7f5, 0x8ed162e7, 0xebb6de5f, 0x528e09c2,\n 0x37e9b57a, 0xd9460068, 0xbc21bcd0, 0xea31df88, 0x8f566330,\n 0x61f9d622, 0x049e6a9a, 0xbda6bd07, 0xd8c101bf, 0x366eb4ad,\n 0x53090815, 0x9a4e721d, 0xff29cea5, 0x11867bb7, 0x74e1c70f,\n 0xcdd91092, 0xa8beac2a, 0x46111938, 0x2376a580, 0x7566c6d8,\n 0x10017a60, 0xfeaecf72, 0x9bc973ca, 0x22f1a457, 0x479618ef,\n 0xa939adfd, 0xcc5e1145, 0x06ee4d76, 0x6389f1ce, 0x8d2644dc,\n 0xe841f864, 0x51792ff9, 0x341e9341, 0xdab12653, 0xbfd69aeb,\n 0xe9c6f9b3, 0x8ca1450b, 0x620ef019, 0x07694ca1, 0xbe519b3c,\n 0xdb362784, 0x35999296, 0x50fe2e2e, 0x99b95426, 0xfcdee89e,\n 0x12715d8c, 0x7716e134, 0xce2e36a9, 0xab498a11, 0x45e63f03,\n 0x208183bb, 0x7691e0e3, 0x13f65c5b, 0xfd59e949, 0x983e55f1,\n 0x2106826c, 0x44613ed4, 0xaace8bc6, 0xcfa9377e, 0x38417fd6,\n 0x5d26c36e, 0xb389767c, 0xd6eecac4, 0x6fd61d59, 0x0ab1a1e1,\n 0xe41e14f3, 0x8179a84b, 0xd769cb13, 0xb20e77ab, 0x5ca1c2b9,\n 0x39c67e01, 0x80fea99c, 0xe5991524, 0x0b36a036, 0x6e511c8e,\n 0xa7166686, 0xc271da3e, 0x2cde6f2c, 0x49b9d394, 0xf0810409,\n 0x95e6b8b1, 0x7b490da3, 0x1e2eb11b, 0x483ed243, 0x2d596efb,\n 0xc3f6dbe9, 0xa6916751, 0x1fa9b0cc, 0x7ace0c74, 0x9461b966,\n 0xf10605de}};\n\n#endif\n\n#endif\n\n#if N == 2\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xae689191, 0x87a02563, 0x29c8b4f2, 0xd4314c87,\n 0x7a59dd16, 0x539169e4, 0xfdf9f875, 0x73139f4f, 0xdd7b0ede,\n 0xf4b3ba2c, 0x5adb2bbd, 0xa722d3c8, 0x094a4259, 0x2082f6ab,\n 0x8eea673a, 0xe6273e9e, 0x484faf0f, 0x61871bfd, 0xcfef8a6c,\n 0x32167219, 0x9c7ee388, 0xb5b6577a, 0x1bdec6eb, 0x9534a1d1,\n 0x3b5c3040, 0x129484b2, 0xbcfc1523, 0x4105ed56, 0xef6d7cc7,\n 0xc6a5c835, 0x68cd59a4, 0x173f7b7d, 0xb957eaec, 0x909f5e1e,\n 0x3ef7cf8f, 0xc30e37fa, 0x6d66a66b, 0x44ae1299, 0xeac68308,\n 0x642ce432, 0xca4475a3, 0xe38cc151, 0x4de450c0, 0xb01da8b5,\n 0x1e753924, 0x37bd8dd6, 0x99d51c47, 0xf11845e3, 0x5f70d472,\n 0x76b86080, 0xd8d0f111, 0x25290964, 0x8b4198f5, 0xa2892c07,\n 0x0ce1bd96, 0x820bdaac, 0x2c634b3d, 0x05abffcf, 0xabc36e5e,\n 0x563a962b, 0xf85207ba, 0xd19ab348, 0x7ff222d9, 0x2e7ef6fa,\n 0x8016676b, 0xa9ded399, 0x07b64208, 0xfa4fba7d, 0x54272bec,\n 0x7def9f1e, 0xd3870e8f, 0x5d6d69b5, 0xf305f824, 0xdacd4cd6,\n 0x74a5dd47, 0x895c2532, 0x2734b4a3, 0x0efc0051, 0xa09491c0,\n 0xc859c864, 0x663159f5, 0x4ff9ed07, 0xe1917c96, 0x1c6884e3,\n 0xb2001572, 0x9bc8a180, 0x35a03011, 0xbb4a572b, 0x1522c6ba,\n 0x3cea7248, 0x9282e3d9, 0x6f7b1bac, 0xc1138a3d, 0xe8db3ecf,\n 0x46b3af5e, 0x39418d87, 0x97291c16, 0xbee1a8e4, 0x10893975,\n 0xed70c100, 0x43185091, 0x6ad0e463, 0xc4b875f2, 0x4a5212c8,\n 0xe43a8359, 0xcdf237ab, 0x639aa63a, 0x9e635e4f, 0x300bcfde,\n 0x19c37b2c, 0xb7abeabd, 0xdf66b319, 0x710e2288, 0x58c6967a,\n 0xf6ae07eb, 0x0b57ff9e, 0xa53f6e0f, 0x8cf7dafd, 0x229f4b6c,\n 0xac752c56, 0x021dbdc7, 0x2bd50935, 0x85bd98a4, 0x784460d1,\n 0xd62cf140, 0xffe445b2, 0x518cd423, 0x5cfdedf4, 0xf2957c65,\n 0xdb5dc897, 0x75355906, 0x88cca173, 0x26a430e2, 0x0f6c8410,\n 0xa1041581, 0x2fee72bb, 0x8186e32a, 0xa84e57d8, 0x0626c649,\n 0xfbdf3e3c, 0x55b7afad, 0x7c7f1b5f, 0xd2178ace, 0xbadad36a,\n 0x14b242fb, 0x3d7af609, 0x93126798, 0x6eeb9fed, 0xc0830e7c,\n 0xe94bba8e, 0x47232b1f, 0xc9c94c25, 0x67a1ddb4, 0x4e696946,\n 0xe001f8d7, 0x1df800a2, 0xb3909133, 0x9a5825c1, 0x3430b450,\n 0x4bc29689, 0xe5aa0718, 0xcc62b3ea, 0x620a227b, 0x9ff3da0e,\n 0x319b4b9f, 0x1853ff6d, 0xb63b6efc, 0x38d109c6, 0x96b99857,\n 0xbf712ca5, 0x1119bd34, 0xece04541, 0x4288d4d0, 0x6b406022,\n 0xc528f1b3, 0xade5a817, 0x038d3986, 0x2a458d74, 0x842d1ce5,\n 0x79d4e490, 0xd7bc7501, 0xfe74c1f3, 0x501c5062, 0xdef63758,\n 0x709ea6c9, 0x5956123b, 0xf73e83aa, 0x0ac77bdf, 0xa4afea4e,\n 0x8d675ebc, 0x230fcf2d, 0x72831b0e, 0xdceb8a9f, 0xf5233e6d,\n 0x5b4baffc, 0xa6b25789, 0x08dac618, 0x211272ea, 0x8f7ae37b,\n 0x01908441, 0xaff815d0, 0x8630a122, 0x285830b3, 0xd5a1c8c6,\n 0x7bc95957, 0x5201eda5, 0xfc697c34, 0x94a42590, 0x3accb401,\n 0x130400f3, 0xbd6c9162, 0x40956917, 0xeefdf886, 0xc7354c74,\n 0x695ddde5, 0xe7b7badf, 0x49df2b4e, 0x60179fbc, 0xce7f0e2d,\n 0x3386f658, 0x9dee67c9, 0xb426d33b, 0x1a4e42aa, 0x65bc6073,\n 0xcbd4f1e2, 0xe21c4510, 0x4c74d481, 0xb18d2cf4, 0x1fe5bd65,\n 0x362d0997, 0x98459806, 0x16afff3c, 0xb8c76ead, 0x910fda5f,\n 0x3f674bce, 0xc29eb3bb, 0x6cf6222a, 0x453e96d8, 0xeb560749,\n 0x839b5eed, 0x2df3cf7c, 0x043b7b8e, 0xaa53ea1f, 0x57aa126a,\n 0xf9c283fb, 0xd00a3709, 0x7e62a698, 0xf088c1a2, 0x5ee05033,\n 0x7728e4c1, 0xd9407550, 0x24b98d25, 0x8ad11cb4, 0xa319a846,\n 0x0d7139d7},\n {0x00000000, 0xb9fbdbe8, 0xa886b191, 0x117d6a79, 0x8a7c6563,\n 0x3387be8b, 0x22fad4f2, 0x9b010f1a, 0xcf89cc87, 0x7672176f,\n 0x670f7d16, 0xdef4a6fe, 0x45f5a9e4, 0xfc0e720c, 0xed731875,\n 0x5488c39d, 0x44629f4f, 0xfd9944a7, 0xece42ede, 0x551ff536,\n 0xce1efa2c, 0x77e521c4, 0x66984bbd, 0xdf639055, 0x8beb53c8,\n 0x32108820, 0x236de259, 0x9a9639b1, 0x019736ab, 0xb86ced43,\n 0xa911873a, 0x10ea5cd2, 0x88c53e9e, 0x313ee576, 0x20438f0f,\n 0x99b854e7, 0x02b95bfd, 0xbb428015, 0xaa3fea6c, 0x13c43184,\n 0x474cf219, 0xfeb729f1, 0xefca4388, 0x56319860, 0xcd30977a,\n 0x74cb4c92, 0x65b626eb, 0xdc4dfd03, 0xcca7a1d1, 0x755c7a39,\n 0x64211040, 0xdddacba8, 0x46dbc4b2, 0xff201f5a, 0xee5d7523,\n 0x57a6aecb, 0x032e6d56, 0xbad5b6be, 0xaba8dcc7, 0x1253072f,\n 0x89520835, 0x30a9d3dd, 0x21d4b9a4, 0x982f624c, 0xcafb7b7d,\n 0x7300a095, 0x627dcaec, 0xdb861104, 0x40871e1e, 0xf97cc5f6,\n 0xe801af8f, 0x51fa7467, 0x0572b7fa, 0xbc896c12, 0xadf4066b,\n 0x140fdd83, 0x8f0ed299, 0x36f50971, 0x27886308, 0x9e73b8e0,\n 0x8e99e432, 0x37623fda, 0x261f55a3, 0x9fe48e4b, 0x04e58151,\n 0xbd1e5ab9, 0xac6330c0, 0x1598eb28, 0x411028b5, 0xf8ebf35d,\n 0xe9969924, 0x506d42cc, 0xcb6c4dd6, 0x7297963e, 0x63eafc47,\n 0xda1127af, 0x423e45e3, 0xfbc59e0b, 0xeab8f472, 0x53432f9a,\n 0xc8422080, 0x71b9fb68, 0x60c49111, 0xd93f4af9, 0x8db78964,\n 0x344c528c, 0x253138f5, 0x9ccae31d, 0x07cbec07, 0xbe3037ef,\n 0xaf4d5d96, 0x16b6867e, 0x065cdaac, 0xbfa70144, 0xaeda6b3d,\n 0x1721b0d5, 0x8c20bfcf, 0x35db6427, 0x24a60e5e, 0x9d5dd5b6,\n 0xc9d5162b, 0x702ecdc3, 0x6153a7ba, 0xd8a87c52, 0x43a97348,\n 0xfa52a8a0, 0xeb2fc2d9, 0x52d41931, 0x4e87f0bb, 0xf77c2b53,\n 0xe601412a, 0x5ffa9ac2, 0xc4fb95d8, 0x7d004e30, 0x6c7d2449,\n 0xd586ffa1, 0x810e3c3c, 0x38f5e7d4, 0x29888dad, 0x90735645,\n 0x0b72595f, 0xb28982b7, 0xa3f4e8ce, 0x1a0f3326, 0x0ae56ff4,\n 0xb31eb41c, 0xa263de65, 0x1b98058d, 0x80990a97, 0x3962d17f,\n 0x281fbb06, 0x91e460ee, 0xc56ca373, 0x7c97789b, 0x6dea12e2,\n 0xd411c90a, 0x4f10c610, 0xf6eb1df8, 0xe7967781, 0x5e6dac69,\n 0xc642ce25, 0x7fb915cd, 0x6ec47fb4, 0xd73fa45c, 0x4c3eab46,\n 0xf5c570ae, 0xe4b81ad7, 0x5d43c13f, 0x09cb02a2, 0xb030d94a,\n 0xa14db333, 0x18b668db, 0x83b767c1, 0x3a4cbc29, 0x2b31d650,\n 0x92ca0db8, 0x8220516a, 0x3bdb8a82, 0x2aa6e0fb, 0x935d3b13,\n 0x085c3409, 0xb1a7efe1, 0xa0da8598, 0x19215e70, 0x4da99ded,\n 0xf4524605, 0xe52f2c7c, 0x5cd4f794, 0xc7d5f88e, 0x7e2e2366,\n 0x6f53491f, 0xd6a892f7, 0x847c8bc6, 0x3d87502e, 0x2cfa3a57,\n 0x9501e1bf, 0x0e00eea5, 0xb7fb354d, 0xa6865f34, 0x1f7d84dc,\n 0x4bf54741, 0xf20e9ca9, 0xe373f6d0, 0x5a882d38, 0xc1892222,\n 0x7872f9ca, 0x690f93b3, 0xd0f4485b, 0xc01e1489, 0x79e5cf61,\n 0x6898a518, 0xd1637ef0, 0x4a6271ea, 0xf399aa02, 0xe2e4c07b,\n 0x5b1f1b93, 0x0f97d80e, 0xb66c03e6, 0xa711699f, 0x1eeab277,\n 0x85ebbd6d, 0x3c106685, 0x2d6d0cfc, 0x9496d714, 0x0cb9b558,\n 0xb5426eb0, 0xa43f04c9, 0x1dc4df21, 0x86c5d03b, 0x3f3e0bd3,\n 0x2e4361aa, 0x97b8ba42, 0xc33079df, 0x7acba237, 0x6bb6c84e,\n 0xd24d13a6, 0x494c1cbc, 0xf0b7c754, 0xe1caad2d, 0x583176c5,\n 0x48db2a17, 0xf120f1ff, 0xe05d9b86, 0x59a6406e, 0xc2a74f74,\n 0x7b5c949c, 0x6a21fee5, 0xd3da250d, 0x8752e690, 0x3ea93d78,\n 0x2fd45701, 0x962f8ce9, 0x0d2e83f3, 0xb4d5581b, 0xa5a83262,\n 0x1c53e98a},\n {0x00000000, 0x9d0fe176, 0xe16ec4ad, 0x7c6125db, 0x19ac8f1b,\n 0x84a36e6d, 0xf8c24bb6, 0x65cdaac0, 0x33591e36, 0xae56ff40,\n 0xd237da9b, 0x4f383bed, 0x2af5912d, 0xb7fa705b, 0xcb9b5580,\n 0x5694b4f6, 0x66b23c6c, 0xfbbddd1a, 0x87dcf8c1, 0x1ad319b7,\n 0x7f1eb377, 0xe2115201, 0x9e7077da, 0x037f96ac, 0x55eb225a,\n 0xc8e4c32c, 0xb485e6f7, 0x298a0781, 0x4c47ad41, 0xd1484c37,\n 0xad2969ec, 0x3026889a, 0xcd6478d8, 0x506b99ae, 0x2c0abc75,\n 0xb1055d03, 0xd4c8f7c3, 0x49c716b5, 0x35a6336e, 0xa8a9d218,\n 0xfe3d66ee, 0x63328798, 0x1f53a243, 0x825c4335, 0xe791e9f5,\n 0x7a9e0883, 0x06ff2d58, 0x9bf0cc2e, 0xabd644b4, 0x36d9a5c2,\n 0x4ab88019, 0xd7b7616f, 0xb27acbaf, 0x2f752ad9, 0x53140f02,\n 0xce1bee74, 0x988f5a82, 0x0580bbf4, 0x79e19e2f, 0xe4ee7f59,\n 0x8123d599, 0x1c2c34ef, 0x604d1134, 0xfd42f042, 0x41b9f7f1,\n 0xdcb61687, 0xa0d7335c, 0x3dd8d22a, 0x581578ea, 0xc51a999c,\n 0xb97bbc47, 0x24745d31, 0x72e0e9c7, 0xefef08b1, 0x938e2d6a,\n 0x0e81cc1c, 0x6b4c66dc, 0xf64387aa, 0x8a22a271, 0x172d4307,\n 0x270bcb9d, 0xba042aeb, 0xc6650f30, 0x5b6aee46, 0x3ea74486,\n 0xa3a8a5f0, 0xdfc9802b, 0x42c6615d, 0x1452d5ab, 0x895d34dd,\n 0xf53c1106, 0x6833f070, 0x0dfe5ab0, 0x90f1bbc6, 0xec909e1d,\n 0x719f7f6b, 0x8cdd8f29, 0x11d26e5f, 0x6db34b84, 0xf0bcaaf2,\n 0x95710032, 0x087ee144, 0x741fc49f, 0xe91025e9, 0xbf84911f,\n 0x228b7069, 0x5eea55b2, 0xc3e5b4c4, 0xa6281e04, 0x3b27ff72,\n 0x4746daa9, 0xda493bdf, 0xea6fb345, 0x77605233, 0x0b0177e8,\n 0x960e969e, 0xf3c33c5e, 0x6eccdd28, 0x12adf8f3, 0x8fa21985,\n 0xd936ad73, 0x44394c05, 0x385869de, 0xa55788a8, 0xc09a2268,\n 0x5d95c31e, 0x21f4e6c5, 0xbcfb07b3, 0x8373efe2, 0x1e7c0e94,\n 0x621d2b4f, 0xff12ca39, 0x9adf60f9, 0x07d0818f, 0x7bb1a454,\n 0xe6be4522, 0xb02af1d4, 0x2d2510a2, 0x51443579, 0xcc4bd40f,\n 0xa9867ecf, 0x34899fb9, 0x48e8ba62, 0xd5e75b14, 0xe5c1d38e,\n 0x78ce32f8, 0x04af1723, 0x99a0f655, 0xfc6d5c95, 0x6162bde3,\n 0x1d039838, 0x800c794e, 0xd698cdb8, 0x4b972cce, 0x37f60915,\n 0xaaf9e863, 0xcf3442a3, 0x523ba3d5, 0x2e5a860e, 0xb3556778,\n 0x4e17973a, 0xd318764c, 0xaf795397, 0x3276b2e1, 0x57bb1821,\n 0xcab4f957, 0xb6d5dc8c, 0x2bda3dfa, 0x7d4e890c, 0xe041687a,\n 0x9c204da1, 0x012facd7, 0x64e20617, 0xf9ede761, 0x858cc2ba,\n 0x188323cc, 0x28a5ab56, 0xb5aa4a20, 0xc9cb6ffb, 0x54c48e8d,\n 0x3109244d, 0xac06c53b, 0xd067e0e0, 0x4d680196, 0x1bfcb560,\n 0x86f35416, 0xfa9271cd, 0x679d90bb, 0x02503a7b, 0x9f5fdb0d,\n 0xe33efed6, 0x7e311fa0, 0xc2ca1813, 0x5fc5f965, 0x23a4dcbe,\n 0xbeab3dc8, 0xdb669708, 0x4669767e, 0x3a0853a5, 0xa707b2d3,\n 0xf1930625, 0x6c9ce753, 0x10fdc288, 0x8df223fe, 0xe83f893e,\n 0x75306848, 0x09514d93, 0x945eace5, 0xa478247f, 0x3977c509,\n 0x4516e0d2, 0xd81901a4, 0xbdd4ab64, 0x20db4a12, 0x5cba6fc9,\n 0xc1b58ebf, 0x97213a49, 0x0a2edb3f, 0x764ffee4, 0xeb401f92,\n 0x8e8db552, 0x13825424, 0x6fe371ff, 0xf2ec9089, 0x0fae60cb,\n 0x92a181bd, 0xeec0a466, 0x73cf4510, 0x1602efd0, 0x8b0d0ea6,\n 0xf76c2b7d, 0x6a63ca0b, 0x3cf77efd, 0xa1f89f8b, 0xdd99ba50,\n 0x40965b26, 0x255bf1e6, 0xb8541090, 0xc435354b, 0x593ad43d,\n 0x691c5ca7, 0xf413bdd1, 0x8872980a, 0x157d797c, 0x70b0d3bc,\n 0xedbf32ca, 0x91de1711, 0x0cd1f667, 0x5a454291, 0xc74aa3e7,\n 0xbb2b863c, 0x2624674a, 0x43e9cd8a, 0xdee62cfc, 0xa2870927,\n 0x3f88e851},\n {0x00000000, 0xdd96d985, 0x605cb54b, 0xbdca6cce, 0xc0b96a96,\n 0x1d2fb313, 0xa0e5dfdd, 0x7d730658, 0x5a03d36d, 0x87950ae8,\n 0x3a5f6626, 0xe7c9bfa3, 0x9abab9fb, 0x472c607e, 0xfae60cb0,\n 0x2770d535, 0xb407a6da, 0x69917f5f, 0xd45b1391, 0x09cdca14,\n 0x74becc4c, 0xa92815c9, 0x14e27907, 0xc974a082, 0xee0475b7,\n 0x3392ac32, 0x8e58c0fc, 0x53ce1979, 0x2ebd1f21, 0xf32bc6a4,\n 0x4ee1aa6a, 0x937773ef, 0xb37e4bf5, 0x6ee89270, 0xd322febe,\n 0x0eb4273b, 0x73c72163, 0xae51f8e6, 0x139b9428, 0xce0d4dad,\n 0xe97d9898, 0x34eb411d, 0x89212dd3, 0x54b7f456, 0x29c4f20e,\n 0xf4522b8b, 0x49984745, 0x940e9ec0, 0x0779ed2f, 0xdaef34aa,\n 0x67255864, 0xbab381e1, 0xc7c087b9, 0x1a565e3c, 0xa79c32f2,\n 0x7a0aeb77, 0x5d7a3e42, 0x80ece7c7, 0x3d268b09, 0xe0b0528c,\n 0x9dc354d4, 0x40558d51, 0xfd9fe19f, 0x2009381a, 0xbd8d91ab,\n 0x601b482e, 0xddd124e0, 0x0047fd65, 0x7d34fb3d, 0xa0a222b8,\n 0x1d684e76, 0xc0fe97f3, 0xe78e42c6, 0x3a189b43, 0x87d2f78d,\n 0x5a442e08, 0x27372850, 0xfaa1f1d5, 0x476b9d1b, 0x9afd449e,\n 0x098a3771, 0xd41ceef4, 0x69d6823a, 0xb4405bbf, 0xc9335de7,\n 0x14a58462, 0xa96fe8ac, 0x74f93129, 0x5389e41c, 0x8e1f3d99,\n 0x33d55157, 0xee4388d2, 0x93308e8a, 0x4ea6570f, 0xf36c3bc1,\n 0x2efae244, 0x0ef3da5e, 0xd36503db, 0x6eaf6f15, 0xb339b690,\n 0xce4ab0c8, 0x13dc694d, 0xae160583, 0x7380dc06, 0x54f00933,\n 0x8966d0b6, 0x34acbc78, 0xe93a65fd, 0x944963a5, 0x49dfba20,\n 0xf415d6ee, 0x29830f6b, 0xbaf47c84, 0x6762a501, 0xdaa8c9cf,\n 0x073e104a, 0x7a4d1612, 0xa7dbcf97, 0x1a11a359, 0xc7877adc,\n 0xe0f7afe9, 0x3d61766c, 0x80ab1aa2, 0x5d3dc327, 0x204ec57f,\n 0xfdd81cfa, 0x40127034, 0x9d84a9b1, 0xa06a2517, 0x7dfcfc92,\n 0xc036905c, 0x1da049d9, 0x60d34f81, 0xbd459604, 0x008ffaca,\n 0xdd19234f, 0xfa69f67a, 0x27ff2fff, 0x9a354331, 0x47a39ab4,\n 0x3ad09cec, 0xe7464569, 0x5a8c29a7, 0x871af022, 0x146d83cd,\n 0xc9fb5a48, 0x74313686, 0xa9a7ef03, 0xd4d4e95b, 0x094230de,\n 0xb4885c10, 0x691e8595, 0x4e6e50a0, 0x93f88925, 0x2e32e5eb,\n 0xf3a43c6e, 0x8ed73a36, 0x5341e3b3, 0xee8b8f7d, 0x331d56f8,\n 0x13146ee2, 0xce82b767, 0x7348dba9, 0xaede022c, 0xd3ad0474,\n 0x0e3bddf1, 0xb3f1b13f, 0x6e6768ba, 0x4917bd8f, 0x9481640a,\n 0x294b08c4, 0xf4ddd141, 0x89aed719, 0x54380e9c, 0xe9f26252,\n 0x3464bbd7, 0xa713c838, 0x7a8511bd, 0xc74f7d73, 0x1ad9a4f6,\n 0x67aaa2ae, 0xba3c7b2b, 0x07f617e5, 0xda60ce60, 0xfd101b55,\n 0x2086c2d0, 0x9d4cae1e, 0x40da779b, 0x3da971c3, 0xe03fa846,\n 0x5df5c488, 0x80631d0d, 0x1de7b4bc, 0xc0716d39, 0x7dbb01f7,\n 0xa02dd872, 0xdd5ede2a, 0x00c807af, 0xbd026b61, 0x6094b2e4,\n 0x47e467d1, 0x9a72be54, 0x27b8d29a, 0xfa2e0b1f, 0x875d0d47,\n 0x5acbd4c2, 0xe701b80c, 0x3a976189, 0xa9e01266, 0x7476cbe3,\n 0xc9bca72d, 0x142a7ea8, 0x695978f0, 0xb4cfa175, 0x0905cdbb,\n 0xd493143e, 0xf3e3c10b, 0x2e75188e, 0x93bf7440, 0x4e29adc5,\n 0x335aab9d, 0xeecc7218, 0x53061ed6, 0x8e90c753, 0xae99ff49,\n 0x730f26cc, 0xcec54a02, 0x13539387, 0x6e2095df, 0xb3b64c5a,\n 0x0e7c2094, 0xd3eaf911, 0xf49a2c24, 0x290cf5a1, 0x94c6996f,\n 0x495040ea, 0x342346b2, 0xe9b59f37, 0x547ff3f9, 0x89e92a7c,\n 0x1a9e5993, 0xc7088016, 0x7ac2ecd8, 0xa754355d, 0xda273305,\n 0x07b1ea80, 0xba7b864e, 0x67ed5fcb, 0x409d8afe, 0x9d0b537b,\n 0x20c13fb5, 0xfd57e630, 0x8024e068, 0x5db239ed, 0xe0785523,\n 0x3dee8ca6},\n {0x00000000, 0x9ba54c6f, 0xec3b9e9f, 0x779ed2f0, 0x03063b7f,\n 0x98a37710, 0xef3da5e0, 0x7498e98f, 0x060c76fe, 0x9da93a91,\n 0xea37e861, 0x7192a40e, 0x050a4d81, 0x9eaf01ee, 0xe931d31e,\n 0x72949f71, 0x0c18edfc, 0x97bda193, 0xe0237363, 0x7b863f0c,\n 0x0f1ed683, 0x94bb9aec, 0xe325481c, 0x78800473, 0x0a149b02,\n 0x91b1d76d, 0xe62f059d, 0x7d8a49f2, 0x0912a07d, 0x92b7ec12,\n 0xe5293ee2, 0x7e8c728d, 0x1831dbf8, 0x83949797, 0xf40a4567,\n 0x6faf0908, 0x1b37e087, 0x8092ace8, 0xf70c7e18, 0x6ca93277,\n 0x1e3dad06, 0x8598e169, 0xf2063399, 0x69a37ff6, 0x1d3b9679,\n 0x869eda16, 0xf10008e6, 0x6aa54489, 0x14293604, 0x8f8c7a6b,\n 0xf812a89b, 0x63b7e4f4, 0x172f0d7b, 0x8c8a4114, 0xfb1493e4,\n 0x60b1df8b, 0x122540fa, 0x89800c95, 0xfe1ede65, 0x65bb920a,\n 0x11237b85, 0x8a8637ea, 0xfd18e51a, 0x66bda975, 0x3063b7f0,\n 0xabc6fb9f, 0xdc58296f, 0x47fd6500, 0x33658c8f, 0xa8c0c0e0,\n 0xdf5e1210, 0x44fb5e7f, 0x366fc10e, 0xadca8d61, 0xda545f91,\n 0x41f113fe, 0x3569fa71, 0xaeccb61e, 0xd95264ee, 0x42f72881,\n 0x3c7b5a0c, 0xa7de1663, 0xd040c493, 0x4be588fc, 0x3f7d6173,\n 0xa4d82d1c, 0xd346ffec, 0x48e3b383, 0x3a772cf2, 0xa1d2609d,\n 0xd64cb26d, 0x4de9fe02, 0x3971178d, 0xa2d45be2, 0xd54a8912,\n 0x4eefc57d, 0x28526c08, 0xb3f72067, 0xc469f297, 0x5fccbef8,\n 0x2b545777, 0xb0f11b18, 0xc76fc9e8, 0x5cca8587, 0x2e5e1af6,\n 0xb5fb5699, 0xc2658469, 0x59c0c806, 0x2d582189, 0xb6fd6de6,\n 0xc163bf16, 0x5ac6f379, 0x244a81f4, 0xbfefcd9b, 0xc8711f6b,\n 0x53d45304, 0x274cba8b, 0xbce9f6e4, 0xcb772414, 0x50d2687b,\n 0x2246f70a, 0xb9e3bb65, 0xce7d6995, 0x55d825fa, 0x2140cc75,\n 0xbae5801a, 0xcd7b52ea, 0x56de1e85, 0x60c76fe0, 0xfb62238f,\n 0x8cfcf17f, 0x1759bd10, 0x63c1549f, 0xf86418f0, 0x8ffaca00,\n 0x145f866f, 0x66cb191e, 0xfd6e5571, 0x8af08781, 0x1155cbee,\n 0x65cd2261, 0xfe686e0e, 0x89f6bcfe, 0x1253f091, 0x6cdf821c,\n 0xf77ace73, 0x80e41c83, 0x1b4150ec, 0x6fd9b963, 0xf47cf50c,\n 0x83e227fc, 0x18476b93, 0x6ad3f4e2, 0xf176b88d, 0x86e86a7d,\n 0x1d4d2612, 0x69d5cf9d, 0xf27083f2, 0x85ee5102, 0x1e4b1d6d,\n 0x78f6b418, 0xe353f877, 0x94cd2a87, 0x0f6866e8, 0x7bf08f67,\n 0xe055c308, 0x97cb11f8, 0x0c6e5d97, 0x7efac2e6, 0xe55f8e89,\n 0x92c15c79, 0x09641016, 0x7dfcf999, 0xe659b5f6, 0x91c76706,\n 0x0a622b69, 0x74ee59e4, 0xef4b158b, 0x98d5c77b, 0x03708b14,\n 0x77e8629b, 0xec4d2ef4, 0x9bd3fc04, 0x0076b06b, 0x72e22f1a,\n 0xe9476375, 0x9ed9b185, 0x057cfdea, 0x71e41465, 0xea41580a,\n 0x9ddf8afa, 0x067ac695, 0x50a4d810, 0xcb01947f, 0xbc9f468f,\n 0x273a0ae0, 0x53a2e36f, 0xc807af00, 0xbf997df0, 0x243c319f,\n 0x56a8aeee, 0xcd0de281, 0xba933071, 0x21367c1e, 0x55ae9591,\n 0xce0bd9fe, 0xb9950b0e, 0x22304761, 0x5cbc35ec, 0xc7197983,\n 0xb087ab73, 0x2b22e71c, 0x5fba0e93, 0xc41f42fc, 0xb381900c,\n 0x2824dc63, 0x5ab04312, 0xc1150f7d, 0xb68bdd8d, 0x2d2e91e2,\n 0x59b6786d, 0xc2133402, 0xb58de6f2, 0x2e28aa9d, 0x489503e8,\n 0xd3304f87, 0xa4ae9d77, 0x3f0bd118, 0x4b933897, 0xd03674f8,\n 0xa7a8a608, 0x3c0dea67, 0x4e997516, 0xd53c3979, 0xa2a2eb89,\n 0x3907a7e6, 0x4d9f4e69, 0xd63a0206, 0xa1a4d0f6, 0x3a019c99,\n 0x448dee14, 0xdf28a27b, 0xa8b6708b, 0x33133ce4, 0x478bd56b,\n 0xdc2e9904, 0xabb04bf4, 0x3015079b, 0x428198ea, 0xd924d485,\n 0xaeba0675, 0x351f4a1a, 0x4187a395, 0xda22effa, 0xadbc3d0a,\n 0x36197165},\n {0x00000000, 0xc18edfc0, 0x586cb9c1, 0x99e26601, 0xb0d97382,\n 0x7157ac42, 0xe8b5ca43, 0x293b1583, 0xbac3e145, 0x7b4d3e85,\n 0xe2af5884, 0x23218744, 0x0a1a92c7, 0xcb944d07, 0x52762b06,\n 0x93f8f4c6, 0xaef6c4cb, 0x6f781b0b, 0xf69a7d0a, 0x3714a2ca,\n 0x1e2fb749, 0xdfa16889, 0x46430e88, 0x87cdd148, 0x1435258e,\n 0xd5bbfa4e, 0x4c599c4f, 0x8dd7438f, 0xa4ec560c, 0x656289cc,\n 0xfc80efcd, 0x3d0e300d, 0x869c8fd7, 0x47125017, 0xdef03616,\n 0x1f7ee9d6, 0x3645fc55, 0xf7cb2395, 0x6e294594, 0xafa79a54,\n 0x3c5f6e92, 0xfdd1b152, 0x6433d753, 0xa5bd0893, 0x8c861d10,\n 0x4d08c2d0, 0xd4eaa4d1, 0x15647b11, 0x286a4b1c, 0xe9e494dc,\n 0x7006f2dd, 0xb1882d1d, 0x98b3389e, 0x593de75e, 0xc0df815f,\n 0x01515e9f, 0x92a9aa59, 0x53277599, 0xcac51398, 0x0b4bcc58,\n 0x2270d9db, 0xe3fe061b, 0x7a1c601a, 0xbb92bfda, 0xd64819ef,\n 0x17c6c62f, 0x8e24a02e, 0x4faa7fee, 0x66916a6d, 0xa71fb5ad,\n 0x3efdd3ac, 0xff730c6c, 0x6c8bf8aa, 0xad05276a, 0x34e7416b,\n 0xf5699eab, 0xdc528b28, 0x1ddc54e8, 0x843e32e9, 0x45b0ed29,\n 0x78bedd24, 0xb93002e4, 0x20d264e5, 0xe15cbb25, 0xc867aea6,\n 0x09e97166, 0x900b1767, 0x5185c8a7, 0xc27d3c61, 0x03f3e3a1,\n 0x9a1185a0, 0x5b9f5a60, 0x72a44fe3, 0xb32a9023, 0x2ac8f622,\n 0xeb4629e2, 0x50d49638, 0x915a49f8, 0x08b82ff9, 0xc936f039,\n 0xe00de5ba, 0x21833a7a, 0xb8615c7b, 0x79ef83bb, 0xea17777d,\n 0x2b99a8bd, 0xb27bcebc, 0x73f5117c, 0x5ace04ff, 0x9b40db3f,\n 0x02a2bd3e, 0xc32c62fe, 0xfe2252f3, 0x3fac8d33, 0xa64eeb32,\n 0x67c034f2, 0x4efb2171, 0x8f75feb1, 0x169798b0, 0xd7194770,\n 0x44e1b3b6, 0x856f6c76, 0x1c8d0a77, 0xdd03d5b7, 0xf438c034,\n 0x35b61ff4, 0xac5479f5, 0x6ddaa635, 0x77e1359f, 0xb66fea5f,\n 0x2f8d8c5e, 0xee03539e, 0xc738461d, 0x06b699dd, 0x9f54ffdc,\n 0x5eda201c, 0xcd22d4da, 0x0cac0b1a, 0x954e6d1b, 0x54c0b2db,\n 0x7dfba758, 0xbc757898, 0x25971e99, 0xe419c159, 0xd917f154,\n 0x18992e94, 0x817b4895, 0x40f59755, 0x69ce82d6, 0xa8405d16,\n 0x31a23b17, 0xf02ce4d7, 0x63d41011, 0xa25acfd1, 0x3bb8a9d0,\n 0xfa367610, 0xd30d6393, 0x1283bc53, 0x8b61da52, 0x4aef0592,\n 0xf17dba48, 0x30f36588, 0xa9110389, 0x689fdc49, 0x41a4c9ca,\n 0x802a160a, 0x19c8700b, 0xd846afcb, 0x4bbe5b0d, 0x8a3084cd,\n 0x13d2e2cc, 0xd25c3d0c, 0xfb67288f, 0x3ae9f74f, 0xa30b914e,\n 0x62854e8e, 0x5f8b7e83, 0x9e05a143, 0x07e7c742, 0xc6691882,\n 0xef520d01, 0x2edcd2c1, 0xb73eb4c0, 0x76b06b00, 0xe5489fc6,\n 0x24c64006, 0xbd242607, 0x7caaf9c7, 0x5591ec44, 0x941f3384,\n 0x0dfd5585, 0xcc738a45, 0xa1a92c70, 0x6027f3b0, 0xf9c595b1,\n 0x384b4a71, 0x11705ff2, 0xd0fe8032, 0x491ce633, 0x889239f3,\n 0x1b6acd35, 0xdae412f5, 0x430674f4, 0x8288ab34, 0xabb3beb7,\n 0x6a3d6177, 0xf3df0776, 0x3251d8b6, 0x0f5fe8bb, 0xced1377b,\n 0x5733517a, 0x96bd8eba, 0xbf869b39, 0x7e0844f9, 0xe7ea22f8,\n 0x2664fd38, 0xb59c09fe, 0x7412d63e, 0xedf0b03f, 0x2c7e6fff,\n 0x05457a7c, 0xc4cba5bc, 0x5d29c3bd, 0x9ca71c7d, 0x2735a3a7,\n 0xe6bb7c67, 0x7f591a66, 0xbed7c5a6, 0x97ecd025, 0x56620fe5,\n 0xcf8069e4, 0x0e0eb624, 0x9df642e2, 0x5c789d22, 0xc59afb23,\n 0x041424e3, 0x2d2f3160, 0xeca1eea0, 0x754388a1, 0xb4cd5761,\n 0x89c3676c, 0x484db8ac, 0xd1afdead, 0x1021016d, 0x391a14ee,\n 0xf894cb2e, 0x6176ad2f, 0xa0f872ef, 0x33008629, 0xf28e59e9,\n 0x6b6c3fe8, 0xaae2e028, 0x83d9f5ab, 0x42572a6b, 0xdbb54c6a,\n 0x1a3b93aa},\n {0x00000000, 0xefc26b3e, 0x04f5d03d, 0xeb37bb03, 0x09eba07a,\n 0xe629cb44, 0x0d1e7047, 0xe2dc1b79, 0x13d740f4, 0xfc152bca,\n 0x172290c9, 0xf8e0fbf7, 0x1a3ce08e, 0xf5fe8bb0, 0x1ec930b3,\n 0xf10b5b8d, 0x27ae81e8, 0xc86cead6, 0x235b51d5, 0xcc993aeb,\n 0x2e452192, 0xc1874aac, 0x2ab0f1af, 0xc5729a91, 0x3479c11c,\n 0xdbbbaa22, 0x308c1121, 0xdf4e7a1f, 0x3d926166, 0xd2500a58,\n 0x3967b15b, 0xd6a5da65, 0x4f5d03d0, 0xa09f68ee, 0x4ba8d3ed,\n 0xa46ab8d3, 0x46b6a3aa, 0xa974c894, 0x42437397, 0xad8118a9,\n 0x5c8a4324, 0xb348281a, 0x587f9319, 0xb7bdf827, 0x5561e35e,\n 0xbaa38860, 0x51943363, 0xbe56585d, 0x68f38238, 0x8731e906,\n 0x6c065205, 0x83c4393b, 0x61182242, 0x8eda497c, 0x65edf27f,\n 0x8a2f9941, 0x7b24c2cc, 0x94e6a9f2, 0x7fd112f1, 0x901379cf,\n 0x72cf62b6, 0x9d0d0988, 0x763ab28b, 0x99f8d9b5, 0x9eba07a0,\n 0x71786c9e, 0x9a4fd79d, 0x758dbca3, 0x9751a7da, 0x7893cce4,\n 0x93a477e7, 0x7c661cd9, 0x8d6d4754, 0x62af2c6a, 0x89989769,\n 0x665afc57, 0x8486e72e, 0x6b448c10, 0x80733713, 0x6fb15c2d,\n 0xb9148648, 0x56d6ed76, 0xbde15675, 0x52233d4b, 0xb0ff2632,\n 0x5f3d4d0c, 0xb40af60f, 0x5bc89d31, 0xaac3c6bc, 0x4501ad82,\n 0xae361681, 0x41f47dbf, 0xa32866c6, 0x4cea0df8, 0xa7ddb6fb,\n 0x481fddc5, 0xd1e70470, 0x3e256f4e, 0xd512d44d, 0x3ad0bf73,\n 0xd80ca40a, 0x37cecf34, 0xdcf97437, 0x333b1f09, 0xc2304484,\n 0x2df22fba, 0xc6c594b9, 0x2907ff87, 0xcbdbe4fe, 0x24198fc0,\n 0xcf2e34c3, 0x20ec5ffd, 0xf6498598, 0x198beea6, 0xf2bc55a5,\n 0x1d7e3e9b, 0xffa225e2, 0x10604edc, 0xfb57f5df, 0x14959ee1,\n 0xe59ec56c, 0x0a5cae52, 0xe16b1551, 0x0ea97e6f, 0xec756516,\n 0x03b70e28, 0xe880b52b, 0x0742de15, 0xe6050901, 0x09c7623f,\n 0xe2f0d93c, 0x0d32b202, 0xefeea97b, 0x002cc245, 0xeb1b7946,\n 0x04d91278, 0xf5d249f5, 0x1a1022cb, 0xf12799c8, 0x1ee5f2f6,\n 0xfc39e98f, 0x13fb82b1, 0xf8cc39b2, 0x170e528c, 0xc1ab88e9,\n 0x2e69e3d7, 0xc55e58d4, 0x2a9c33ea, 0xc8402893, 0x278243ad,\n 0xccb5f8ae, 0x23779390, 0xd27cc81d, 0x3dbea323, 0xd6891820,\n 0x394b731e, 0xdb976867, 0x34550359, 0xdf62b85a, 0x30a0d364,\n 0xa9580ad1, 0x469a61ef, 0xadaddaec, 0x426fb1d2, 0xa0b3aaab,\n 0x4f71c195, 0xa4467a96, 0x4b8411a8, 0xba8f4a25, 0x554d211b,\n 0xbe7a9a18, 0x51b8f126, 0xb364ea5f, 0x5ca68161, 0xb7913a62,\n 0x5853515c, 0x8ef68b39, 0x6134e007, 0x8a035b04, 0x65c1303a,\n 0x871d2b43, 0x68df407d, 0x83e8fb7e, 0x6c2a9040, 0x9d21cbcd,\n 0x72e3a0f3, 0x99d41bf0, 0x761670ce, 0x94ca6bb7, 0x7b080089,\n 0x903fbb8a, 0x7ffdd0b4, 0x78bf0ea1, 0x977d659f, 0x7c4ade9c,\n 0x9388b5a2, 0x7154aedb, 0x9e96c5e5, 0x75a17ee6, 0x9a6315d8,\n 0x6b684e55, 0x84aa256b, 0x6f9d9e68, 0x805ff556, 0x6283ee2f,\n 0x8d418511, 0x66763e12, 0x89b4552c, 0x5f118f49, 0xb0d3e477,\n 0x5be45f74, 0xb426344a, 0x56fa2f33, 0xb938440d, 0x520fff0e,\n 0xbdcd9430, 0x4cc6cfbd, 0xa304a483, 0x48331f80, 0xa7f174be,\n 0x452d6fc7, 0xaaef04f9, 0x41d8bffa, 0xae1ad4c4, 0x37e20d71,\n 0xd820664f, 0x3317dd4c, 0xdcd5b672, 0x3e09ad0b, 0xd1cbc635,\n 0x3afc7d36, 0xd53e1608, 0x24354d85, 0xcbf726bb, 0x20c09db8,\n 0xcf02f686, 0x2ddeedff, 0xc21c86c1, 0x292b3dc2, 0xc6e956fc,\n 0x104c8c99, 0xff8ee7a7, 0x14b95ca4, 0xfb7b379a, 0x19a72ce3,\n 0xf66547dd, 0x1d52fcde, 0xf29097e0, 0x039bcc6d, 0xec59a753,\n 0x076e1c50, 0xe8ac776e, 0x0a706c17, 0xe5b20729, 0x0e85bc2a,\n 0xe147d714},\n {0x00000000, 0x177b1443, 0x2ef62886, 0x398d3cc5, 0x5dec510c,\n 0x4a97454f, 0x731a798a, 0x64616dc9, 0xbbd8a218, 0xaca3b65b,\n 0x952e8a9e, 0x82559edd, 0xe634f314, 0xf14fe757, 0xc8c2db92,\n 0xdfb9cfd1, 0xacc04271, 0xbbbb5632, 0x82366af7, 0x954d7eb4,\n 0xf12c137d, 0xe657073e, 0xdfda3bfb, 0xc8a12fb8, 0x1718e069,\n 0x0063f42a, 0x39eec8ef, 0x2e95dcac, 0x4af4b165, 0x5d8fa526,\n 0x640299e3, 0x73798da0, 0x82f182a3, 0x958a96e0, 0xac07aa25,\n 0xbb7cbe66, 0xdf1dd3af, 0xc866c7ec, 0xf1ebfb29, 0xe690ef6a,\n 0x392920bb, 0x2e5234f8, 0x17df083d, 0x00a41c7e, 0x64c571b7,\n 0x73be65f4, 0x4a335931, 0x5d484d72, 0x2e31c0d2, 0x394ad491,\n 0x00c7e854, 0x17bcfc17, 0x73dd91de, 0x64a6859d, 0x5d2bb958,\n 0x4a50ad1b, 0x95e962ca, 0x82927689, 0xbb1f4a4c, 0xac645e0f,\n 0xc80533c6, 0xdf7e2785, 0xe6f31b40, 0xf1880f03, 0xde920307,\n 0xc9e91744, 0xf0642b81, 0xe71f3fc2, 0x837e520b, 0x94054648,\n 0xad887a8d, 0xbaf36ece, 0x654aa11f, 0x7231b55c, 0x4bbc8999,\n 0x5cc79dda, 0x38a6f013, 0x2fdde450, 0x1650d895, 0x012bccd6,\n 0x72524176, 0x65295535, 0x5ca469f0, 0x4bdf7db3, 0x2fbe107a,\n 0x38c50439, 0x014838fc, 0x16332cbf, 0xc98ae36e, 0xdef1f72d,\n 0xe77ccbe8, 0xf007dfab, 0x9466b262, 0x831da621, 0xba909ae4,\n 0xadeb8ea7, 0x5c6381a4, 0x4b1895e7, 0x7295a922, 0x65eebd61,\n 0x018fd0a8, 0x16f4c4eb, 0x2f79f82e, 0x3802ec6d, 0xe7bb23bc,\n 0xf0c037ff, 0xc94d0b3a, 0xde361f79, 0xba5772b0, 0xad2c66f3,\n 0x94a15a36, 0x83da4e75, 0xf0a3c3d5, 0xe7d8d796, 0xde55eb53,\n 0xc92eff10, 0xad4f92d9, 0xba34869a, 0x83b9ba5f, 0x94c2ae1c,\n 0x4b7b61cd, 0x5c00758e, 0x658d494b, 0x72f65d08, 0x169730c1,\n 0x01ec2482, 0x38611847, 0x2f1a0c04, 0x6655004f, 0x712e140c,\n 0x48a328c9, 0x5fd83c8a, 0x3bb95143, 0x2cc24500, 0x154f79c5,\n 0x02346d86, 0xdd8da257, 0xcaf6b614, 0xf37b8ad1, 0xe4009e92,\n 0x8061f35b, 0x971ae718, 0xae97dbdd, 0xb9eccf9e, 0xca95423e,\n 0xddee567d, 0xe4636ab8, 0xf3187efb, 0x97791332, 0x80020771,\n 0xb98f3bb4, 0xaef42ff7, 0x714de026, 0x6636f465, 0x5fbbc8a0,\n 0x48c0dce3, 0x2ca1b12a, 0x3bdaa569, 0x025799ac, 0x152c8def,\n 0xe4a482ec, 0xf3df96af, 0xca52aa6a, 0xdd29be29, 0xb948d3e0,\n 0xae33c7a3, 0x97befb66, 0x80c5ef25, 0x5f7c20f4, 0x480734b7,\n 0x718a0872, 0x66f11c31, 0x029071f8, 0x15eb65bb, 0x2c66597e,\n 0x3b1d4d3d, 0x4864c09d, 0x5f1fd4de, 0x6692e81b, 0x71e9fc58,\n 0x15889191, 0x02f385d2, 0x3b7eb917, 0x2c05ad54, 0xf3bc6285,\n 0xe4c776c6, 0xdd4a4a03, 0xca315e40, 0xae503389, 0xb92b27ca,\n 0x80a61b0f, 0x97dd0f4c, 0xb8c70348, 0xafbc170b, 0x96312bce,\n 0x814a3f8d, 0xe52b5244, 0xf2504607, 0xcbdd7ac2, 0xdca66e81,\n 0x031fa150, 0x1464b513, 0x2de989d6, 0x3a929d95, 0x5ef3f05c,\n 0x4988e41f, 0x7005d8da, 0x677ecc99, 0x14074139, 0x037c557a,\n 0x3af169bf, 0x2d8a7dfc, 0x49eb1035, 0x5e900476, 0x671d38b3,\n 0x70662cf0, 0xafdfe321, 0xb8a4f762, 0x8129cba7, 0x9652dfe4,\n 0xf233b22d, 0xe548a66e, 0xdcc59aab, 0xcbbe8ee8, 0x3a3681eb,\n 0x2d4d95a8, 0x14c0a96d, 0x03bbbd2e, 0x67dad0e7, 0x70a1c4a4,\n 0x492cf861, 0x5e57ec22, 0x81ee23f3, 0x969537b0, 0xaf180b75,\n 0xb8631f36, 0xdc0272ff, 0xcb7966bc, 0xf2f45a79, 0xe58f4e3a,\n 0x96f6c39a, 0x818dd7d9, 0xb800eb1c, 0xaf7bff5f, 0xcb1a9296,\n 0xdc6186d5, 0xe5ecba10, 0xf297ae53, 0x2d2e6182, 0x3a5575c1,\n 0x03d84904, 0x14a35d47, 0x70c2308e, 0x67b924cd, 0x5e341808,\n 0x494f0c4b}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0x43147b1700000000, 0x8628f62e00000000,\n 0xc53c8d3900000000, 0x0c51ec5d00000000, 0x4f45974a00000000,\n 0x8a791a7300000000, 0xc96d616400000000, 0x18a2d8bb00000000,\n 0x5bb6a3ac00000000, 0x9e8a2e9500000000, 0xdd9e558200000000,\n 0x14f334e600000000, 0x57e74ff100000000, 0x92dbc2c800000000,\n 0xd1cfb9df00000000, 0x7142c0ac00000000, 0x3256bbbb00000000,\n 0xf76a368200000000, 0xb47e4d9500000000, 0x7d132cf100000000,\n 0x3e0757e600000000, 0xfb3bdadf00000000, 0xb82fa1c800000000,\n 0x69e0181700000000, 0x2af4630000000000, 0xefc8ee3900000000,\n 0xacdc952e00000000, 0x65b1f44a00000000, 0x26a58f5d00000000,\n 0xe399026400000000, 0xa08d797300000000, 0xa382f18200000000,\n 0xe0968a9500000000, 0x25aa07ac00000000, 0x66be7cbb00000000,\n 0xafd31ddf00000000, 0xecc766c800000000, 0x29fbebf100000000,\n 0x6aef90e600000000, 0xbb20293900000000, 0xf834522e00000000,\n 0x3d08df1700000000, 0x7e1ca40000000000, 0xb771c56400000000,\n 0xf465be7300000000, 0x3159334a00000000, 0x724d485d00000000,\n 0xd2c0312e00000000, 0x91d44a3900000000, 0x54e8c70000000000,\n 0x17fcbc1700000000, 0xde91dd7300000000, 0x9d85a66400000000,\n 0x58b92b5d00000000, 0x1bad504a00000000, 0xca62e99500000000,\n 0x8976928200000000, 0x4c4a1fbb00000000, 0x0f5e64ac00000000,\n 0xc63305c800000000, 0x85277edf00000000, 0x401bf3e600000000,\n 0x030f88f100000000, 0x070392de00000000, 0x4417e9c900000000,\n 0x812b64f000000000, 0xc23f1fe700000000, 0x0b527e8300000000,\n 0x4846059400000000, 0x8d7a88ad00000000, 0xce6ef3ba00000000,\n 0x1fa14a6500000000, 0x5cb5317200000000, 0x9989bc4b00000000,\n 0xda9dc75c00000000, 0x13f0a63800000000, 0x50e4dd2f00000000,\n 0x95d8501600000000, 0xd6cc2b0100000000, 0x7641527200000000,\n 0x3555296500000000, 0xf069a45c00000000, 0xb37ddf4b00000000,\n 0x7a10be2f00000000, 0x3904c53800000000, 0xfc38480100000000,\n 0xbf2c331600000000, 0x6ee38ac900000000, 0x2df7f1de00000000,\n 0xe8cb7ce700000000, 0xabdf07f000000000, 0x62b2669400000000,\n 0x21a61d8300000000, 0xe49a90ba00000000, 0xa78eebad00000000,\n 0xa481635c00000000, 0xe795184b00000000, 0x22a9957200000000,\n 0x61bdee6500000000, 0xa8d08f0100000000, 0xebc4f41600000000,\n 0x2ef8792f00000000, 0x6dec023800000000, 0xbc23bbe700000000,\n 0xff37c0f000000000, 0x3a0b4dc900000000, 0x791f36de00000000,\n 0xb07257ba00000000, 0xf3662cad00000000, 0x365aa19400000000,\n 0x754eda8300000000, 0xd5c3a3f000000000, 0x96d7d8e700000000,\n 0x53eb55de00000000, 0x10ff2ec900000000, 0xd9924fad00000000,\n 0x9a8634ba00000000, 0x5fbab98300000000, 0x1caec29400000000,\n 0xcd617b4b00000000, 0x8e75005c00000000, 0x4b498d6500000000,\n 0x085df67200000000, 0xc130971600000000, 0x8224ec0100000000,\n 0x4718613800000000, 0x040c1a2f00000000, 0x4f00556600000000,\n 0x0c142e7100000000, 0xc928a34800000000, 0x8a3cd85f00000000,\n 0x4351b93b00000000, 0x0045c22c00000000, 0xc5794f1500000000,\n 0x866d340200000000, 0x57a28ddd00000000, 0x14b6f6ca00000000,\n 0xd18a7bf300000000, 0x929e00e400000000, 0x5bf3618000000000,\n 0x18e71a9700000000, 0xdddb97ae00000000, 0x9ecfecb900000000,\n 0x3e4295ca00000000, 0x7d56eedd00000000, 0xb86a63e400000000,\n 0xfb7e18f300000000, 0x3213799700000000, 0x7107028000000000,\n 0xb43b8fb900000000, 0xf72ff4ae00000000, 0x26e04d7100000000,\n 0x65f4366600000000, 0xa0c8bb5f00000000, 0xe3dcc04800000000,\n 0x2ab1a12c00000000, 0x69a5da3b00000000, 0xac99570200000000,\n 0xef8d2c1500000000, 0xec82a4e400000000, 0xaf96dff300000000,\n 0x6aaa52ca00000000, 0x29be29dd00000000, 0xe0d348b900000000,\n 0xa3c733ae00000000, 0x66fbbe9700000000, 0x25efc58000000000,\n 0xf4207c5f00000000, 0xb734074800000000, 0x72088a7100000000,\n 0x311cf16600000000, 0xf871900200000000, 0xbb65eb1500000000,\n 0x7e59662c00000000, 0x3d4d1d3b00000000, 0x9dc0644800000000,\n 0xded41f5f00000000, 0x1be8926600000000, 0x58fce97100000000,\n 0x9191881500000000, 0xd285f30200000000, 0x17b97e3b00000000,\n 0x54ad052c00000000, 0x8562bcf300000000, 0xc676c7e400000000,\n 0x034a4add00000000, 0x405e31ca00000000, 0x893350ae00000000,\n 0xca272bb900000000, 0x0f1ba68000000000, 0x4c0fdd9700000000,\n 0x4803c7b800000000, 0x0b17bcaf00000000, 0xce2b319600000000,\n 0x8d3f4a8100000000, 0x44522be500000000, 0x074650f200000000,\n 0xc27addcb00000000, 0x816ea6dc00000000, 0x50a11f0300000000,\n 0x13b5641400000000, 0xd689e92d00000000, 0x959d923a00000000,\n 0x5cf0f35e00000000, 0x1fe4884900000000, 0xdad8057000000000,\n 0x99cc7e6700000000, 0x3941071400000000, 0x7a557c0300000000,\n 0xbf69f13a00000000, 0xfc7d8a2d00000000, 0x3510eb4900000000,\n 0x7604905e00000000, 0xb3381d6700000000, 0xf02c667000000000,\n 0x21e3dfaf00000000, 0x62f7a4b800000000, 0xa7cb298100000000,\n 0xe4df529600000000, 0x2db233f200000000, 0x6ea648e500000000,\n 0xab9ac5dc00000000, 0xe88ebecb00000000, 0xeb81363a00000000,\n 0xa8954d2d00000000, 0x6da9c01400000000, 0x2ebdbb0300000000,\n 0xe7d0da6700000000, 0xa4c4a17000000000, 0x61f82c4900000000,\n 0x22ec575e00000000, 0xf323ee8100000000, 0xb037959600000000,\n 0x750b18af00000000, 0x361f63b800000000, 0xff7202dc00000000,\n 0xbc6679cb00000000, 0x795af4f200000000, 0x3a4e8fe500000000,\n 0x9ac3f69600000000, 0xd9d78d8100000000, 0x1ceb00b800000000,\n 0x5fff7baf00000000, 0x96921acb00000000, 0xd58661dc00000000,\n 0x10baece500000000, 0x53ae97f200000000, 0x82612e2d00000000,\n 0xc175553a00000000, 0x0449d80300000000, 0x475da31400000000,\n 0x8e30c27000000000, 0xcd24b96700000000, 0x0818345e00000000,\n 0x4b0c4f4900000000},\n {0x0000000000000000, 0x3e6bc2ef00000000, 0x3dd0f50400000000,\n 0x03bb37eb00000000, 0x7aa0eb0900000000, 0x44cb29e600000000,\n 0x47701e0d00000000, 0x791bdce200000000, 0xf440d71300000000,\n 0xca2b15fc00000000, 0xc990221700000000, 0xf7fbe0f800000000,\n 0x8ee03c1a00000000, 0xb08bfef500000000, 0xb330c91e00000000,\n 0x8d5b0bf100000000, 0xe881ae2700000000, 0xd6ea6cc800000000,\n 0xd5515b2300000000, 0xeb3a99cc00000000, 0x9221452e00000000,\n 0xac4a87c100000000, 0xaff1b02a00000000, 0x919a72c500000000,\n 0x1cc1793400000000, 0x22aabbdb00000000, 0x21118c3000000000,\n 0x1f7a4edf00000000, 0x6661923d00000000, 0x580a50d200000000,\n 0x5bb1673900000000, 0x65daa5d600000000, 0xd0035d4f00000000,\n 0xee689fa000000000, 0xedd3a84b00000000, 0xd3b86aa400000000,\n 0xaaa3b64600000000, 0x94c874a900000000, 0x9773434200000000,\n 0xa91881ad00000000, 0x24438a5c00000000, 0x1a2848b300000000,\n 0x19937f5800000000, 0x27f8bdb700000000, 0x5ee3615500000000,\n 0x6088a3ba00000000, 0x6333945100000000, 0x5d5856be00000000,\n 0x3882f36800000000, 0x06e9318700000000, 0x0552066c00000000,\n 0x3b39c48300000000, 0x4222186100000000, 0x7c49da8e00000000,\n 0x7ff2ed6500000000, 0x41992f8a00000000, 0xccc2247b00000000,\n 0xf2a9e69400000000, 0xf112d17f00000000, 0xcf79139000000000,\n 0xb662cf7200000000, 0x88090d9d00000000, 0x8bb23a7600000000,\n 0xb5d9f89900000000, 0xa007ba9e00000000, 0x9e6c787100000000,\n 0x9dd74f9a00000000, 0xa3bc8d7500000000, 0xdaa7519700000000,\n 0xe4cc937800000000, 0xe777a49300000000, 0xd91c667c00000000,\n 0x54476d8d00000000, 0x6a2caf6200000000, 0x6997988900000000,\n 0x57fc5a6600000000, 0x2ee7868400000000, 0x108c446b00000000,\n 0x1337738000000000, 0x2d5cb16f00000000, 0x488614b900000000,\n 0x76edd65600000000, 0x7556e1bd00000000, 0x4b3d235200000000,\n 0x3226ffb000000000, 0x0c4d3d5f00000000, 0x0ff60ab400000000,\n 0x319dc85b00000000, 0xbcc6c3aa00000000, 0x82ad014500000000,\n 0x811636ae00000000, 0xbf7df44100000000, 0xc66628a300000000,\n 0xf80dea4c00000000, 0xfbb6dda700000000, 0xc5dd1f4800000000,\n 0x7004e7d100000000, 0x4e6f253e00000000, 0x4dd412d500000000,\n 0x73bfd03a00000000, 0x0aa40cd800000000, 0x34cfce3700000000,\n 0x3774f9dc00000000, 0x091f3b3300000000, 0x844430c200000000,\n 0xba2ff22d00000000, 0xb994c5c600000000, 0x87ff072900000000,\n 0xfee4dbcb00000000, 0xc08f192400000000, 0xc3342ecf00000000,\n 0xfd5fec2000000000, 0x988549f600000000, 0xa6ee8b1900000000,\n 0xa555bcf200000000, 0x9b3e7e1d00000000, 0xe225a2ff00000000,\n 0xdc4e601000000000, 0xdff557fb00000000, 0xe19e951400000000,\n 0x6cc59ee500000000, 0x52ae5c0a00000000, 0x51156be100000000,\n 0x6f7ea90e00000000, 0x166575ec00000000, 0x280eb70300000000,\n 0x2bb580e800000000, 0x15de420700000000, 0x010905e600000000,\n 0x3f62c70900000000, 0x3cd9f0e200000000, 0x02b2320d00000000,\n 0x7ba9eeef00000000, 0x45c22c0000000000, 0x46791beb00000000,\n 0x7812d90400000000, 0xf549d2f500000000, 0xcb22101a00000000,\n 0xc89927f100000000, 0xf6f2e51e00000000, 0x8fe939fc00000000,\n 0xb182fb1300000000, 0xb239ccf800000000, 0x8c520e1700000000,\n 0xe988abc100000000, 0xd7e3692e00000000, 0xd4585ec500000000,\n 0xea339c2a00000000, 0x932840c800000000, 0xad43822700000000,\n 0xaef8b5cc00000000, 0x9093772300000000, 0x1dc87cd200000000,\n 0x23a3be3d00000000, 0x201889d600000000, 0x1e734b3900000000,\n 0x676897db00000000, 0x5903553400000000, 0x5ab862df00000000,\n 0x64d3a03000000000, 0xd10a58a900000000, 0xef619a4600000000,\n 0xecdaadad00000000, 0xd2b16f4200000000, 0xabaab3a000000000,\n 0x95c1714f00000000, 0x967a46a400000000, 0xa811844b00000000,\n 0x254a8fba00000000, 0x1b214d5500000000, 0x189a7abe00000000,\n 0x26f1b85100000000, 0x5fea64b300000000, 0x6181a65c00000000,\n 0x623a91b700000000, 0x5c51535800000000, 0x398bf68e00000000,\n 0x07e0346100000000, 0x045b038a00000000, 0x3a30c16500000000,\n 0x432b1d8700000000, 0x7d40df6800000000, 0x7efbe88300000000,\n 0x40902a6c00000000, 0xcdcb219d00000000, 0xf3a0e37200000000,\n 0xf01bd49900000000, 0xce70167600000000, 0xb76bca9400000000,\n 0x8900087b00000000, 0x8abb3f9000000000, 0xb4d0fd7f00000000,\n 0xa10ebf7800000000, 0x9f657d9700000000, 0x9cde4a7c00000000,\n 0xa2b5889300000000, 0xdbae547100000000, 0xe5c5969e00000000,\n 0xe67ea17500000000, 0xd815639a00000000, 0x554e686b00000000,\n 0x6b25aa8400000000, 0x689e9d6f00000000, 0x56f55f8000000000,\n 0x2fee836200000000, 0x1185418d00000000, 0x123e766600000000,\n 0x2c55b48900000000, 0x498f115f00000000, 0x77e4d3b000000000,\n 0x745fe45b00000000, 0x4a3426b400000000, 0x332ffa5600000000,\n 0x0d4438b900000000, 0x0eff0f5200000000, 0x3094cdbd00000000,\n 0xbdcfc64c00000000, 0x83a404a300000000, 0x801f334800000000,\n 0xbe74f1a700000000, 0xc76f2d4500000000, 0xf904efaa00000000,\n 0xfabfd84100000000, 0xc4d41aae00000000, 0x710de23700000000,\n 0x4f6620d800000000, 0x4cdd173300000000, 0x72b6d5dc00000000,\n 0x0bad093e00000000, 0x35c6cbd100000000, 0x367dfc3a00000000,\n 0x08163ed500000000, 0x854d352400000000, 0xbb26f7cb00000000,\n 0xb89dc02000000000, 0x86f602cf00000000, 0xffedde2d00000000,\n 0xc1861cc200000000, 0xc23d2b2900000000, 0xfc56e9c600000000,\n 0x998c4c1000000000, 0xa7e78eff00000000, 0xa45cb91400000000,\n 0x9a377bfb00000000, 0xe32ca71900000000, 0xdd4765f600000000,\n 0xdefc521d00000000, 0xe09790f200000000, 0x6dcc9b0300000000,\n 0x53a759ec00000000, 0x501c6e0700000000, 0x6e77ace800000000,\n 0x176c700a00000000, 0x2907b2e500000000, 0x2abc850e00000000,\n 0x14d747e100000000},\n {0x0000000000000000, 0xc0df8ec100000000, 0xc1b96c5800000000,\n 0x0166e29900000000, 0x8273d9b000000000, 0x42ac577100000000,\n 0x43cab5e800000000, 0x83153b2900000000, 0x45e1c3ba00000000,\n 0x853e4d7b00000000, 0x8458afe200000000, 0x4487212300000000,\n 0xc7921a0a00000000, 0x074d94cb00000000, 0x062b765200000000,\n 0xc6f4f89300000000, 0xcbc4f6ae00000000, 0x0b1b786f00000000,\n 0x0a7d9af600000000, 0xcaa2143700000000, 0x49b72f1e00000000,\n 0x8968a1df00000000, 0x880e434600000000, 0x48d1cd8700000000,\n 0x8e25351400000000, 0x4efabbd500000000, 0x4f9c594c00000000,\n 0x8f43d78d00000000, 0x0c56eca400000000, 0xcc89626500000000,\n 0xcdef80fc00000000, 0x0d300e3d00000000, 0xd78f9c8600000000,\n 0x1750124700000000, 0x1636f0de00000000, 0xd6e97e1f00000000,\n 0x55fc453600000000, 0x9523cbf700000000, 0x9445296e00000000,\n 0x549aa7af00000000, 0x926e5f3c00000000, 0x52b1d1fd00000000,\n 0x53d7336400000000, 0x9308bda500000000, 0x101d868c00000000,\n 0xd0c2084d00000000, 0xd1a4ead400000000, 0x117b641500000000,\n 0x1c4b6a2800000000, 0xdc94e4e900000000, 0xddf2067000000000,\n 0x1d2d88b100000000, 0x9e38b39800000000, 0x5ee73d5900000000,\n 0x5f81dfc000000000, 0x9f5e510100000000, 0x59aaa99200000000,\n 0x9975275300000000, 0x9813c5ca00000000, 0x58cc4b0b00000000,\n 0xdbd9702200000000, 0x1b06fee300000000, 0x1a601c7a00000000,\n 0xdabf92bb00000000, 0xef1948d600000000, 0x2fc6c61700000000,\n 0x2ea0248e00000000, 0xee7faa4f00000000, 0x6d6a916600000000,\n 0xadb51fa700000000, 0xacd3fd3e00000000, 0x6c0c73ff00000000,\n 0xaaf88b6c00000000, 0x6a2705ad00000000, 0x6b41e73400000000,\n 0xab9e69f500000000, 0x288b52dc00000000, 0xe854dc1d00000000,\n 0xe9323e8400000000, 0x29edb04500000000, 0x24ddbe7800000000,\n 0xe40230b900000000, 0xe564d22000000000, 0x25bb5ce100000000,\n 0xa6ae67c800000000, 0x6671e90900000000, 0x67170b9000000000,\n 0xa7c8855100000000, 0x613c7dc200000000, 0xa1e3f30300000000,\n 0xa085119a00000000, 0x605a9f5b00000000, 0xe34fa47200000000,\n 0x23902ab300000000, 0x22f6c82a00000000, 0xe22946eb00000000,\n 0x3896d45000000000, 0xf8495a9100000000, 0xf92fb80800000000,\n 0x39f036c900000000, 0xbae50de000000000, 0x7a3a832100000000,\n 0x7b5c61b800000000, 0xbb83ef7900000000, 0x7d7717ea00000000,\n 0xbda8992b00000000, 0xbcce7bb200000000, 0x7c11f57300000000,\n 0xff04ce5a00000000, 0x3fdb409b00000000, 0x3ebda20200000000,\n 0xfe622cc300000000, 0xf35222fe00000000, 0x338dac3f00000000,\n 0x32eb4ea600000000, 0xf234c06700000000, 0x7121fb4e00000000,\n 0xb1fe758f00000000, 0xb098971600000000, 0x704719d700000000,\n 0xb6b3e14400000000, 0x766c6f8500000000, 0x770a8d1c00000000,\n 0xb7d503dd00000000, 0x34c038f400000000, 0xf41fb63500000000,\n 0xf57954ac00000000, 0x35a6da6d00000000, 0x9f35e17700000000,\n 0x5fea6fb600000000, 0x5e8c8d2f00000000, 0x9e5303ee00000000,\n 0x1d4638c700000000, 0xdd99b60600000000, 0xdcff549f00000000,\n 0x1c20da5e00000000, 0xdad422cd00000000, 0x1a0bac0c00000000,\n 0x1b6d4e9500000000, 0xdbb2c05400000000, 0x58a7fb7d00000000,\n 0x987875bc00000000, 0x991e972500000000, 0x59c119e400000000,\n 0x54f117d900000000, 0x942e991800000000, 0x95487b8100000000,\n 0x5597f54000000000, 0xd682ce6900000000, 0x165d40a800000000,\n 0x173ba23100000000, 0xd7e42cf000000000, 0x1110d46300000000,\n 0xd1cf5aa200000000, 0xd0a9b83b00000000, 0x107636fa00000000,\n 0x93630dd300000000, 0x53bc831200000000, 0x52da618b00000000,\n 0x9205ef4a00000000, 0x48ba7df100000000, 0x8865f33000000000,\n 0x890311a900000000, 0x49dc9f6800000000, 0xcac9a44100000000,\n 0x0a162a8000000000, 0x0b70c81900000000, 0xcbaf46d800000000,\n 0x0d5bbe4b00000000, 0xcd84308a00000000, 0xcce2d21300000000,\n 0x0c3d5cd200000000, 0x8f2867fb00000000, 0x4ff7e93a00000000,\n 0x4e910ba300000000, 0x8e4e856200000000, 0x837e8b5f00000000,\n 0x43a1059e00000000, 0x42c7e70700000000, 0x821869c600000000,\n 0x010d52ef00000000, 0xc1d2dc2e00000000, 0xc0b43eb700000000,\n 0x006bb07600000000, 0xc69f48e500000000, 0x0640c62400000000,\n 0x072624bd00000000, 0xc7f9aa7c00000000, 0x44ec915500000000,\n 0x84331f9400000000, 0x8555fd0d00000000, 0x458a73cc00000000,\n 0x702ca9a100000000, 0xb0f3276000000000, 0xb195c5f900000000,\n 0x714a4b3800000000, 0xf25f701100000000, 0x3280fed000000000,\n 0x33e61c4900000000, 0xf339928800000000, 0x35cd6a1b00000000,\n 0xf512e4da00000000, 0xf474064300000000, 0x34ab888200000000,\n 0xb7beb3ab00000000, 0x77613d6a00000000, 0x7607dff300000000,\n 0xb6d8513200000000, 0xbbe85f0f00000000, 0x7b37d1ce00000000,\n 0x7a51335700000000, 0xba8ebd9600000000, 0x399b86bf00000000,\n 0xf944087e00000000, 0xf822eae700000000, 0x38fd642600000000,\n 0xfe099cb500000000, 0x3ed6127400000000, 0x3fb0f0ed00000000,\n 0xff6f7e2c00000000, 0x7c7a450500000000, 0xbca5cbc400000000,\n 0xbdc3295d00000000, 0x7d1ca79c00000000, 0xa7a3352700000000,\n 0x677cbbe600000000, 0x661a597f00000000, 0xa6c5d7be00000000,\n 0x25d0ec9700000000, 0xe50f625600000000, 0xe46980cf00000000,\n 0x24b60e0e00000000, 0xe242f69d00000000, 0x229d785c00000000,\n 0x23fb9ac500000000, 0xe324140400000000, 0x60312f2d00000000,\n 0xa0eea1ec00000000, 0xa188437500000000, 0x6157cdb400000000,\n 0x6c67c38900000000, 0xacb84d4800000000, 0xaddeafd100000000,\n 0x6d01211000000000, 0xee141a3900000000, 0x2ecb94f800000000,\n 0x2fad766100000000, 0xef72f8a000000000, 0x2986003300000000,\n 0xe9598ef200000000, 0xe83f6c6b00000000, 0x28e0e2aa00000000,\n 0xabf5d98300000000, 0x6b2a574200000000, 0x6a4cb5db00000000,\n 0xaa933b1a00000000},\n {0x0000000000000000, 0x6f4ca59b00000000, 0x9f9e3bec00000000,\n 0xf0d29e7700000000, 0x7f3b060300000000, 0x1077a39800000000,\n 0xe0a53def00000000, 0x8fe9987400000000, 0xfe760c0600000000,\n 0x913aa99d00000000, 0x61e837ea00000000, 0x0ea4927100000000,\n 0x814d0a0500000000, 0xee01af9e00000000, 0x1ed331e900000000,\n 0x719f947200000000, 0xfced180c00000000, 0x93a1bd9700000000,\n 0x637323e000000000, 0x0c3f867b00000000, 0x83d61e0f00000000,\n 0xec9abb9400000000, 0x1c4825e300000000, 0x7304807800000000,\n 0x029b140a00000000, 0x6dd7b19100000000, 0x9d052fe600000000,\n 0xf2498a7d00000000, 0x7da0120900000000, 0x12ecb79200000000,\n 0xe23e29e500000000, 0x8d728c7e00000000, 0xf8db311800000000,\n 0x9797948300000000, 0x67450af400000000, 0x0809af6f00000000,\n 0x87e0371b00000000, 0xe8ac928000000000, 0x187e0cf700000000,\n 0x7732a96c00000000, 0x06ad3d1e00000000, 0x69e1988500000000,\n 0x993306f200000000, 0xf67fa36900000000, 0x79963b1d00000000,\n 0x16da9e8600000000, 0xe60800f100000000, 0x8944a56a00000000,\n 0x0436291400000000, 0x6b7a8c8f00000000, 0x9ba812f800000000,\n 0xf4e4b76300000000, 0x7b0d2f1700000000, 0x14418a8c00000000,\n 0xe49314fb00000000, 0x8bdfb16000000000, 0xfa40251200000000,\n 0x950c808900000000, 0x65de1efe00000000, 0x0a92bb6500000000,\n 0x857b231100000000, 0xea37868a00000000, 0x1ae518fd00000000,\n 0x75a9bd6600000000, 0xf0b7633000000000, 0x9ffbc6ab00000000,\n 0x6f2958dc00000000, 0x0065fd4700000000, 0x8f8c653300000000,\n 0xe0c0c0a800000000, 0x10125edf00000000, 0x7f5efb4400000000,\n 0x0ec16f3600000000, 0x618dcaad00000000, 0x915f54da00000000,\n 0xfe13f14100000000, 0x71fa693500000000, 0x1eb6ccae00000000,\n 0xee6452d900000000, 0x8128f74200000000, 0x0c5a7b3c00000000,\n 0x6316dea700000000, 0x93c440d000000000, 0xfc88e54b00000000,\n 0x73617d3f00000000, 0x1c2dd8a400000000, 0xecff46d300000000,\n 0x83b3e34800000000, 0xf22c773a00000000, 0x9d60d2a100000000,\n 0x6db24cd600000000, 0x02fee94d00000000, 0x8d17713900000000,\n 0xe25bd4a200000000, 0x12894ad500000000, 0x7dc5ef4e00000000,\n 0x086c522800000000, 0x6720f7b300000000, 0x97f269c400000000,\n 0xf8becc5f00000000, 0x7757542b00000000, 0x181bf1b000000000,\n 0xe8c96fc700000000, 0x8785ca5c00000000, 0xf61a5e2e00000000,\n 0x9956fbb500000000, 0x698465c200000000, 0x06c8c05900000000,\n 0x8921582d00000000, 0xe66dfdb600000000, 0x16bf63c100000000,\n 0x79f3c65a00000000, 0xf4814a2400000000, 0x9bcdefbf00000000,\n 0x6b1f71c800000000, 0x0453d45300000000, 0x8bba4c2700000000,\n 0xe4f6e9bc00000000, 0x142477cb00000000, 0x7b68d25000000000,\n 0x0af7462200000000, 0x65bbe3b900000000, 0x95697dce00000000,\n 0xfa25d85500000000, 0x75cc402100000000, 0x1a80e5ba00000000,\n 0xea527bcd00000000, 0x851ede5600000000, 0xe06fc76000000000,\n 0x8f2362fb00000000, 0x7ff1fc8c00000000, 0x10bd591700000000,\n 0x9f54c16300000000, 0xf01864f800000000, 0x00cafa8f00000000,\n 0x6f865f1400000000, 0x1e19cb6600000000, 0x71556efd00000000,\n 0x8187f08a00000000, 0xeecb551100000000, 0x6122cd6500000000,\n 0x0e6e68fe00000000, 0xfebcf68900000000, 0x91f0531200000000,\n 0x1c82df6c00000000, 0x73ce7af700000000, 0x831ce48000000000,\n 0xec50411b00000000, 0x63b9d96f00000000, 0x0cf57cf400000000,\n 0xfc27e28300000000, 0x936b471800000000, 0xe2f4d36a00000000,\n 0x8db876f100000000, 0x7d6ae88600000000, 0x12264d1d00000000,\n 0x9dcfd56900000000, 0xf28370f200000000, 0x0251ee8500000000,\n 0x6d1d4b1e00000000, 0x18b4f67800000000, 0x77f853e300000000,\n 0x872acd9400000000, 0xe866680f00000000, 0x678ff07b00000000,\n 0x08c355e000000000, 0xf811cb9700000000, 0x975d6e0c00000000,\n 0xe6c2fa7e00000000, 0x898e5fe500000000, 0x795cc19200000000,\n 0x1610640900000000, 0x99f9fc7d00000000, 0xf6b559e600000000,\n 0x0667c79100000000, 0x692b620a00000000, 0xe459ee7400000000,\n 0x8b154bef00000000, 0x7bc7d59800000000, 0x148b700300000000,\n 0x9b62e87700000000, 0xf42e4dec00000000, 0x04fcd39b00000000,\n 0x6bb0760000000000, 0x1a2fe27200000000, 0x756347e900000000,\n 0x85b1d99e00000000, 0xeafd7c0500000000, 0x6514e47100000000,\n 0x0a5841ea00000000, 0xfa8adf9d00000000, 0x95c67a0600000000,\n 0x10d8a45000000000, 0x7f9401cb00000000, 0x8f469fbc00000000,\n 0xe00a3a2700000000, 0x6fe3a25300000000, 0x00af07c800000000,\n 0xf07d99bf00000000, 0x9f313c2400000000, 0xeeaea85600000000,\n 0x81e20dcd00000000, 0x713093ba00000000, 0x1e7c362100000000,\n 0x9195ae5500000000, 0xfed90bce00000000, 0x0e0b95b900000000,\n 0x6147302200000000, 0xec35bc5c00000000, 0x837919c700000000,\n 0x73ab87b000000000, 0x1ce7222b00000000, 0x930eba5f00000000,\n 0xfc421fc400000000, 0x0c9081b300000000, 0x63dc242800000000,\n 0x1243b05a00000000, 0x7d0f15c100000000, 0x8ddd8bb600000000,\n 0xe2912e2d00000000, 0x6d78b65900000000, 0x023413c200000000,\n 0xf2e68db500000000, 0x9daa282e00000000, 0xe803954800000000,\n 0x874f30d300000000, 0x779daea400000000, 0x18d10b3f00000000,\n 0x9738934b00000000, 0xf87436d000000000, 0x08a6a8a700000000,\n 0x67ea0d3c00000000, 0x1675994e00000000, 0x79393cd500000000,\n 0x89eba2a200000000, 0xe6a7073900000000, 0x694e9f4d00000000,\n 0x06023ad600000000, 0xf6d0a4a100000000, 0x999c013a00000000,\n 0x14ee8d4400000000, 0x7ba228df00000000, 0x8b70b6a800000000,\n 0xe43c133300000000, 0x6bd58b4700000000, 0x04992edc00000000,\n 0xf44bb0ab00000000, 0x9b07153000000000, 0xea98814200000000,\n 0x85d424d900000000, 0x7506baae00000000, 0x1a4a1f3500000000,\n 0x95a3874100000000, 0xfaef22da00000000, 0x0a3dbcad00000000,\n 0x6571193600000000},\n {0x0000000000000000, 0x85d996dd00000000, 0x4bb55c6000000000,\n 0xce6ccabd00000000, 0x966ab9c000000000, 0x13b32f1d00000000,\n 0xdddfe5a000000000, 0x5806737d00000000, 0x6dd3035a00000000,\n 0xe80a958700000000, 0x26665f3a00000000, 0xa3bfc9e700000000,\n 0xfbb9ba9a00000000, 0x7e602c4700000000, 0xb00ce6fa00000000,\n 0x35d5702700000000, 0xdaa607b400000000, 0x5f7f916900000000,\n 0x91135bd400000000, 0x14cacd0900000000, 0x4cccbe7400000000,\n 0xc91528a900000000, 0x0779e21400000000, 0x82a074c900000000,\n 0xb77504ee00000000, 0x32ac923300000000, 0xfcc0588e00000000,\n 0x7919ce5300000000, 0x211fbd2e00000000, 0xa4c62bf300000000,\n 0x6aaae14e00000000, 0xef73779300000000, 0xf54b7eb300000000,\n 0x7092e86e00000000, 0xbefe22d300000000, 0x3b27b40e00000000,\n 0x6321c77300000000, 0xe6f851ae00000000, 0x28949b1300000000,\n 0xad4d0dce00000000, 0x98987de900000000, 0x1d41eb3400000000,\n 0xd32d218900000000, 0x56f4b75400000000, 0x0ef2c42900000000,\n 0x8b2b52f400000000, 0x4547984900000000, 0xc09e0e9400000000,\n 0x2fed790700000000, 0xaa34efda00000000, 0x6458256700000000,\n 0xe181b3ba00000000, 0xb987c0c700000000, 0x3c5e561a00000000,\n 0xf2329ca700000000, 0x77eb0a7a00000000, 0x423e7a5d00000000,\n 0xc7e7ec8000000000, 0x098b263d00000000, 0x8c52b0e000000000,\n 0xd454c39d00000000, 0x518d554000000000, 0x9fe19ffd00000000,\n 0x1a38092000000000, 0xab918dbd00000000, 0x2e481b6000000000,\n 0xe024d1dd00000000, 0x65fd470000000000, 0x3dfb347d00000000,\n 0xb822a2a000000000, 0x764e681d00000000, 0xf397fec000000000,\n 0xc6428ee700000000, 0x439b183a00000000, 0x8df7d28700000000,\n 0x082e445a00000000, 0x5028372700000000, 0xd5f1a1fa00000000,\n 0x1b9d6b4700000000, 0x9e44fd9a00000000, 0x71378a0900000000,\n 0xf4ee1cd400000000, 0x3a82d66900000000, 0xbf5b40b400000000,\n 0xe75d33c900000000, 0x6284a51400000000, 0xace86fa900000000,\n 0x2931f97400000000, 0x1ce4895300000000, 0x993d1f8e00000000,\n 0x5751d53300000000, 0xd28843ee00000000, 0x8a8e309300000000,\n 0x0f57a64e00000000, 0xc13b6cf300000000, 0x44e2fa2e00000000,\n 0x5edaf30e00000000, 0xdb0365d300000000, 0x156faf6e00000000,\n 0x90b639b300000000, 0xc8b04ace00000000, 0x4d69dc1300000000,\n 0x830516ae00000000, 0x06dc807300000000, 0x3309f05400000000,\n 0xb6d0668900000000, 0x78bcac3400000000, 0xfd653ae900000000,\n 0xa563499400000000, 0x20badf4900000000, 0xeed615f400000000,\n 0x6b0f832900000000, 0x847cf4ba00000000, 0x01a5626700000000,\n 0xcfc9a8da00000000, 0x4a103e0700000000, 0x12164d7a00000000,\n 0x97cfdba700000000, 0x59a3111a00000000, 0xdc7a87c700000000,\n 0xe9aff7e000000000, 0x6c76613d00000000, 0xa21aab8000000000,\n 0x27c33d5d00000000, 0x7fc54e2000000000, 0xfa1cd8fd00000000,\n 0x3470124000000000, 0xb1a9849d00000000, 0x17256aa000000000,\n 0x92fcfc7d00000000, 0x5c9036c000000000, 0xd949a01d00000000,\n 0x814fd36000000000, 0x049645bd00000000, 0xcafa8f0000000000,\n 0x4f2319dd00000000, 0x7af669fa00000000, 0xff2fff2700000000,\n 0x3143359a00000000, 0xb49aa34700000000, 0xec9cd03a00000000,\n 0x694546e700000000, 0xa7298c5a00000000, 0x22f01a8700000000,\n 0xcd836d1400000000, 0x485afbc900000000, 0x8636317400000000,\n 0x03efa7a900000000, 0x5be9d4d400000000, 0xde30420900000000,\n 0x105c88b400000000, 0x95851e6900000000, 0xa0506e4e00000000,\n 0x2589f89300000000, 0xebe5322e00000000, 0x6e3ca4f300000000,\n 0x363ad78e00000000, 0xb3e3415300000000, 0x7d8f8bee00000000,\n 0xf8561d3300000000, 0xe26e141300000000, 0x67b782ce00000000,\n 0xa9db487300000000, 0x2c02deae00000000, 0x7404add300000000,\n 0xf1dd3b0e00000000, 0x3fb1f1b300000000, 0xba68676e00000000,\n 0x8fbd174900000000, 0x0a64819400000000, 0xc4084b2900000000,\n 0x41d1ddf400000000, 0x19d7ae8900000000, 0x9c0e385400000000,\n 0x5262f2e900000000, 0xd7bb643400000000, 0x38c813a700000000,\n 0xbd11857a00000000, 0x737d4fc700000000, 0xf6a4d91a00000000,\n 0xaea2aa6700000000, 0x2b7b3cba00000000, 0xe517f60700000000,\n 0x60ce60da00000000, 0x551b10fd00000000, 0xd0c2862000000000,\n 0x1eae4c9d00000000, 0x9b77da4000000000, 0xc371a93d00000000,\n 0x46a83fe000000000, 0x88c4f55d00000000, 0x0d1d638000000000,\n 0xbcb4e71d00000000, 0x396d71c000000000, 0xf701bb7d00000000,\n 0x72d82da000000000, 0x2ade5edd00000000, 0xaf07c80000000000,\n 0x616b02bd00000000, 0xe4b2946000000000, 0xd167e44700000000,\n 0x54be729a00000000, 0x9ad2b82700000000, 0x1f0b2efa00000000,\n 0x470d5d8700000000, 0xc2d4cb5a00000000, 0x0cb801e700000000,\n 0x8961973a00000000, 0x6612e0a900000000, 0xe3cb767400000000,\n 0x2da7bcc900000000, 0xa87e2a1400000000, 0xf078596900000000,\n 0x75a1cfb400000000, 0xbbcd050900000000, 0x3e1493d400000000,\n 0x0bc1e3f300000000, 0x8e18752e00000000, 0x4074bf9300000000,\n 0xc5ad294e00000000, 0x9dab5a3300000000, 0x1872ccee00000000,\n 0xd61e065300000000, 0x53c7908e00000000, 0x49ff99ae00000000,\n 0xcc260f7300000000, 0x024ac5ce00000000, 0x8793531300000000,\n 0xdf95206e00000000, 0x5a4cb6b300000000, 0x94207c0e00000000,\n 0x11f9ead300000000, 0x242c9af400000000, 0xa1f50c2900000000,\n 0x6f99c69400000000, 0xea40504900000000, 0xb246233400000000,\n 0x379fb5e900000000, 0xf9f37f5400000000, 0x7c2ae98900000000,\n 0x93599e1a00000000, 0x168008c700000000, 0xd8ecc27a00000000,\n 0x5d3554a700000000, 0x053327da00000000, 0x80eab10700000000,\n 0x4e867bba00000000, 0xcb5fed6700000000, 0xfe8a9d4000000000,\n 0x7b530b9d00000000, 0xb53fc12000000000, 0x30e657fd00000000,\n 0x68e0248000000000, 0xed39b25d00000000, 0x235578e000000000,\n 0xa68cee3d00000000},\n {0x0000000000000000, 0x76e10f9d00000000, 0xadc46ee100000000,\n 0xdb25617c00000000, 0x1b8fac1900000000, 0x6d6ea38400000000,\n 0xb64bc2f800000000, 0xc0aacd6500000000, 0x361e593300000000,\n 0x40ff56ae00000000, 0x9bda37d200000000, 0xed3b384f00000000,\n 0x2d91f52a00000000, 0x5b70fab700000000, 0x80559bcb00000000,\n 0xf6b4945600000000, 0x6c3cb26600000000, 0x1addbdfb00000000,\n 0xc1f8dc8700000000, 0xb719d31a00000000, 0x77b31e7f00000000,\n 0x015211e200000000, 0xda77709e00000000, 0xac967f0300000000,\n 0x5a22eb5500000000, 0x2cc3e4c800000000, 0xf7e685b400000000,\n 0x81078a2900000000, 0x41ad474c00000000, 0x374c48d100000000,\n 0xec6929ad00000000, 0x9a88263000000000, 0xd87864cd00000000,\n 0xae996b5000000000, 0x75bc0a2c00000000, 0x035d05b100000000,\n 0xc3f7c8d400000000, 0xb516c74900000000, 0x6e33a63500000000,\n 0x18d2a9a800000000, 0xee663dfe00000000, 0x9887326300000000,\n 0x43a2531f00000000, 0x35435c8200000000, 0xf5e991e700000000,\n 0x83089e7a00000000, 0x582dff0600000000, 0x2eccf09b00000000,\n 0xb444d6ab00000000, 0xc2a5d93600000000, 0x1980b84a00000000,\n 0x6f61b7d700000000, 0xafcb7ab200000000, 0xd92a752f00000000,\n 0x020f145300000000, 0x74ee1bce00000000, 0x825a8f9800000000,\n 0xf4bb800500000000, 0x2f9ee17900000000, 0x597feee400000000,\n 0x99d5238100000000, 0xef342c1c00000000, 0x34114d6000000000,\n 0x42f042fd00000000, 0xf1f7b94100000000, 0x8716b6dc00000000,\n 0x5c33d7a000000000, 0x2ad2d83d00000000, 0xea78155800000000,\n 0x9c991ac500000000, 0x47bc7bb900000000, 0x315d742400000000,\n 0xc7e9e07200000000, 0xb108efef00000000, 0x6a2d8e9300000000,\n 0x1ccc810e00000000, 0xdc664c6b00000000, 0xaa8743f600000000,\n 0x71a2228a00000000, 0x07432d1700000000, 0x9dcb0b2700000000,\n 0xeb2a04ba00000000, 0x300f65c600000000, 0x46ee6a5b00000000,\n 0x8644a73e00000000, 0xf0a5a8a300000000, 0x2b80c9df00000000,\n 0x5d61c64200000000, 0xabd5521400000000, 0xdd345d8900000000,\n 0x06113cf500000000, 0x70f0336800000000, 0xb05afe0d00000000,\n 0xc6bbf19000000000, 0x1d9e90ec00000000, 0x6b7f9f7100000000,\n 0x298fdd8c00000000, 0x5f6ed21100000000, 0x844bb36d00000000,\n 0xf2aabcf000000000, 0x3200719500000000, 0x44e17e0800000000,\n 0x9fc41f7400000000, 0xe92510e900000000, 0x1f9184bf00000000,\n 0x69708b2200000000, 0xb255ea5e00000000, 0xc4b4e5c300000000,\n 0x041e28a600000000, 0x72ff273b00000000, 0xa9da464700000000,\n 0xdf3b49da00000000, 0x45b36fea00000000, 0x3352607700000000,\n 0xe877010b00000000, 0x9e960e9600000000, 0x5e3cc3f300000000,\n 0x28ddcc6e00000000, 0xf3f8ad1200000000, 0x8519a28f00000000,\n 0x73ad36d900000000, 0x054c394400000000, 0xde69583800000000,\n 0xa88857a500000000, 0x68229ac000000000, 0x1ec3955d00000000,\n 0xc5e6f42100000000, 0xb307fbbc00000000, 0xe2ef738300000000,\n 0x940e7c1e00000000, 0x4f2b1d6200000000, 0x39ca12ff00000000,\n 0xf960df9a00000000, 0x8f81d00700000000, 0x54a4b17b00000000,\n 0x2245bee600000000, 0xd4f12ab000000000, 0xa210252d00000000,\n 0x7935445100000000, 0x0fd44bcc00000000, 0xcf7e86a900000000,\n 0xb99f893400000000, 0x62bae84800000000, 0x145be7d500000000,\n 0x8ed3c1e500000000, 0xf832ce7800000000, 0x2317af0400000000,\n 0x55f6a09900000000, 0x955c6dfc00000000, 0xe3bd626100000000,\n 0x3898031d00000000, 0x4e790c8000000000, 0xb8cd98d600000000,\n 0xce2c974b00000000, 0x1509f63700000000, 0x63e8f9aa00000000,\n 0xa34234cf00000000, 0xd5a33b5200000000, 0x0e865a2e00000000,\n 0x786755b300000000, 0x3a97174e00000000, 0x4c7618d300000000,\n 0x975379af00000000, 0xe1b2763200000000, 0x2118bb5700000000,\n 0x57f9b4ca00000000, 0x8cdcd5b600000000, 0xfa3dda2b00000000,\n 0x0c894e7d00000000, 0x7a6841e000000000, 0xa14d209c00000000,\n 0xd7ac2f0100000000, 0x1706e26400000000, 0x61e7edf900000000,\n 0xbac28c8500000000, 0xcc23831800000000, 0x56aba52800000000,\n 0x204aaab500000000, 0xfb6fcbc900000000, 0x8d8ec45400000000,\n 0x4d24093100000000, 0x3bc506ac00000000, 0xe0e067d000000000,\n 0x9601684d00000000, 0x60b5fc1b00000000, 0x1654f38600000000,\n 0xcd7192fa00000000, 0xbb909d6700000000, 0x7b3a500200000000,\n 0x0ddb5f9f00000000, 0xd6fe3ee300000000, 0xa01f317e00000000,\n 0x1318cac200000000, 0x65f9c55f00000000, 0xbedca42300000000,\n 0xc83dabbe00000000, 0x089766db00000000, 0x7e76694600000000,\n 0xa553083a00000000, 0xd3b207a700000000, 0x250693f100000000,\n 0x53e79c6c00000000, 0x88c2fd1000000000, 0xfe23f28d00000000,\n 0x3e893fe800000000, 0x4868307500000000, 0x934d510900000000,\n 0xe5ac5e9400000000, 0x7f2478a400000000, 0x09c5773900000000,\n 0xd2e0164500000000, 0xa40119d800000000, 0x64abd4bd00000000,\n 0x124adb2000000000, 0xc96fba5c00000000, 0xbf8eb5c100000000,\n 0x493a219700000000, 0x3fdb2e0a00000000, 0xe4fe4f7600000000,\n 0x921f40eb00000000, 0x52b58d8e00000000, 0x2454821300000000,\n 0xff71e36f00000000, 0x8990ecf200000000, 0xcb60ae0f00000000,\n 0xbd81a19200000000, 0x66a4c0ee00000000, 0x1045cf7300000000,\n 0xd0ef021600000000, 0xa60e0d8b00000000, 0x7d2b6cf700000000,\n 0x0bca636a00000000, 0xfd7ef73c00000000, 0x8b9ff8a100000000,\n 0x50ba99dd00000000, 0x265b964000000000, 0xe6f15b2500000000,\n 0x901054b800000000, 0x4b3535c400000000, 0x3dd43a5900000000,\n 0xa75c1c6900000000, 0xd1bd13f400000000, 0x0a98728800000000,\n 0x7c797d1500000000, 0xbcd3b07000000000, 0xca32bfed00000000,\n 0x1117de9100000000, 0x67f6d10c00000000, 0x9142455a00000000,\n 0xe7a34ac700000000, 0x3c862bbb00000000, 0x4a67242600000000,\n 0x8acde94300000000, 0xfc2ce6de00000000, 0x270987a200000000,\n 0x51e8883f00000000},\n {0x0000000000000000, 0xe8dbfbb900000000, 0x91b186a800000000,\n 0x796a7d1100000000, 0x63657c8a00000000, 0x8bbe873300000000,\n 0xf2d4fa2200000000, 0x1a0f019b00000000, 0x87cc89cf00000000,\n 0x6f17727600000000, 0x167d0f6700000000, 0xfea6f4de00000000,\n 0xe4a9f54500000000, 0x0c720efc00000000, 0x751873ed00000000,\n 0x9dc3885400000000, 0x4f9f624400000000, 0xa74499fd00000000,\n 0xde2ee4ec00000000, 0x36f51f5500000000, 0x2cfa1ece00000000,\n 0xc421e57700000000, 0xbd4b986600000000, 0x559063df00000000,\n 0xc853eb8b00000000, 0x2088103200000000, 0x59e26d2300000000,\n 0xb139969a00000000, 0xab36970100000000, 0x43ed6cb800000000,\n 0x3a8711a900000000, 0xd25cea1000000000, 0x9e3ec58800000000,\n 0x76e53e3100000000, 0x0f8f432000000000, 0xe754b89900000000,\n 0xfd5bb90200000000, 0x158042bb00000000, 0x6cea3faa00000000,\n 0x8431c41300000000, 0x19f24c4700000000, 0xf129b7fe00000000,\n 0x8843caef00000000, 0x6098315600000000, 0x7a9730cd00000000,\n 0x924ccb7400000000, 0xeb26b66500000000, 0x03fd4ddc00000000,\n 0xd1a1a7cc00000000, 0x397a5c7500000000, 0x4010216400000000,\n 0xa8cbdadd00000000, 0xb2c4db4600000000, 0x5a1f20ff00000000,\n 0x23755dee00000000, 0xcbaea65700000000, 0x566d2e0300000000,\n 0xbeb6d5ba00000000, 0xc7dca8ab00000000, 0x2f07531200000000,\n 0x3508528900000000, 0xddd3a93000000000, 0xa4b9d42100000000,\n 0x4c622f9800000000, 0x7d7bfbca00000000, 0x95a0007300000000,\n 0xecca7d6200000000, 0x041186db00000000, 0x1e1e874000000000,\n 0xf6c57cf900000000, 0x8faf01e800000000, 0x6774fa5100000000,\n 0xfab7720500000000, 0x126c89bc00000000, 0x6b06f4ad00000000,\n 0x83dd0f1400000000, 0x99d20e8f00000000, 0x7109f53600000000,\n 0x0863882700000000, 0xe0b8739e00000000, 0x32e4998e00000000,\n 0xda3f623700000000, 0xa3551f2600000000, 0x4b8ee49f00000000,\n 0x5181e50400000000, 0xb95a1ebd00000000, 0xc03063ac00000000,\n 0x28eb981500000000, 0xb528104100000000, 0x5df3ebf800000000,\n 0x249996e900000000, 0xcc426d5000000000, 0xd64d6ccb00000000,\n 0x3e96977200000000, 0x47fcea6300000000, 0xaf2711da00000000,\n 0xe3453e4200000000, 0x0b9ec5fb00000000, 0x72f4b8ea00000000,\n 0x9a2f435300000000, 0x802042c800000000, 0x68fbb97100000000,\n 0x1191c46000000000, 0xf94a3fd900000000, 0x6489b78d00000000,\n 0x8c524c3400000000, 0xf538312500000000, 0x1de3ca9c00000000,\n 0x07eccb0700000000, 0xef3730be00000000, 0x965d4daf00000000,\n 0x7e86b61600000000, 0xacda5c0600000000, 0x4401a7bf00000000,\n 0x3d6bdaae00000000, 0xd5b0211700000000, 0xcfbf208c00000000,\n 0x2764db3500000000, 0x5e0ea62400000000, 0xb6d55d9d00000000,\n 0x2b16d5c900000000, 0xc3cd2e7000000000, 0xbaa7536100000000,\n 0x527ca8d800000000, 0x4873a94300000000, 0xa0a852fa00000000,\n 0xd9c22feb00000000, 0x3119d45200000000, 0xbbf0874e00000000,\n 0x532b7cf700000000, 0x2a4101e600000000, 0xc29afa5f00000000,\n 0xd895fbc400000000, 0x304e007d00000000, 0x49247d6c00000000,\n 0xa1ff86d500000000, 0x3c3c0e8100000000, 0xd4e7f53800000000,\n 0xad8d882900000000, 0x4556739000000000, 0x5f59720b00000000,\n 0xb78289b200000000, 0xcee8f4a300000000, 0x26330f1a00000000,\n 0xf46fe50a00000000, 0x1cb41eb300000000, 0x65de63a200000000,\n 0x8d05981b00000000, 0x970a998000000000, 0x7fd1623900000000,\n 0x06bb1f2800000000, 0xee60e49100000000, 0x73a36cc500000000,\n 0x9b78977c00000000, 0xe212ea6d00000000, 0x0ac911d400000000,\n 0x10c6104f00000000, 0xf81debf600000000, 0x817796e700000000,\n 0x69ac6d5e00000000, 0x25ce42c600000000, 0xcd15b97f00000000,\n 0xb47fc46e00000000, 0x5ca43fd700000000, 0x46ab3e4c00000000,\n 0xae70c5f500000000, 0xd71ab8e400000000, 0x3fc1435d00000000,\n 0xa202cb0900000000, 0x4ad930b000000000, 0x33b34da100000000,\n 0xdb68b61800000000, 0xc167b78300000000, 0x29bc4c3a00000000,\n 0x50d6312b00000000, 0xb80dca9200000000, 0x6a51208200000000,\n 0x828adb3b00000000, 0xfbe0a62a00000000, 0x133b5d9300000000,\n 0x09345c0800000000, 0xe1efa7b100000000, 0x9885daa000000000,\n 0x705e211900000000, 0xed9da94d00000000, 0x054652f400000000,\n 0x7c2c2fe500000000, 0x94f7d45c00000000, 0x8ef8d5c700000000,\n 0x66232e7e00000000, 0x1f49536f00000000, 0xf792a8d600000000,\n 0xc68b7c8400000000, 0x2e50873d00000000, 0x573afa2c00000000,\n 0xbfe1019500000000, 0xa5ee000e00000000, 0x4d35fbb700000000,\n 0x345f86a600000000, 0xdc847d1f00000000, 0x4147f54b00000000,\n 0xa99c0ef200000000, 0xd0f673e300000000, 0x382d885a00000000,\n 0x222289c100000000, 0xcaf9727800000000, 0xb3930f6900000000,\n 0x5b48f4d000000000, 0x89141ec000000000, 0x61cfe57900000000,\n 0x18a5986800000000, 0xf07e63d100000000, 0xea71624a00000000,\n 0x02aa99f300000000, 0x7bc0e4e200000000, 0x931b1f5b00000000,\n 0x0ed8970f00000000, 0xe6036cb600000000, 0x9f6911a700000000,\n 0x77b2ea1e00000000, 0x6dbdeb8500000000, 0x8566103c00000000,\n 0xfc0c6d2d00000000, 0x14d7969400000000, 0x58b5b90c00000000,\n 0xb06e42b500000000, 0xc9043fa400000000, 0x21dfc41d00000000,\n 0x3bd0c58600000000, 0xd30b3e3f00000000, 0xaa61432e00000000,\n 0x42bab89700000000, 0xdf7930c300000000, 0x37a2cb7a00000000,\n 0x4ec8b66b00000000, 0xa6134dd200000000, 0xbc1c4c4900000000,\n 0x54c7b7f000000000, 0x2dadcae100000000, 0xc576315800000000,\n 0x172adb4800000000, 0xfff120f100000000, 0x869b5de000000000,\n 0x6e40a65900000000, 0x744fa7c200000000, 0x9c945c7b00000000,\n 0xe5fe216a00000000, 0x0d25dad300000000, 0x90e6528700000000,\n 0x783da93e00000000, 0x0157d42f00000000, 0xe98c2f9600000000,\n 0xf3832e0d00000000, 0x1b58d5b400000000, 0x6232a8a500000000,\n 0x8ae9531c00000000},\n {0x0000000000000000, 0x919168ae00000000, 0x6325a08700000000,\n 0xf2b4c82900000000, 0x874c31d400000000, 0x16dd597a00000000,\n 0xe469915300000000, 0x75f8f9fd00000000, 0x4f9f137300000000,\n 0xde0e7bdd00000000, 0x2cbab3f400000000, 0xbd2bdb5a00000000,\n 0xc8d322a700000000, 0x59424a0900000000, 0xabf6822000000000,\n 0x3a67ea8e00000000, 0x9e3e27e600000000, 0x0faf4f4800000000,\n 0xfd1b876100000000, 0x6c8aefcf00000000, 0x1972163200000000,\n 0x88e37e9c00000000, 0x7a57b6b500000000, 0xebc6de1b00000000,\n 0xd1a1349500000000, 0x40305c3b00000000, 0xb284941200000000,\n 0x2315fcbc00000000, 0x56ed054100000000, 0xc77c6def00000000,\n 0x35c8a5c600000000, 0xa459cd6800000000, 0x7d7b3f1700000000,\n 0xecea57b900000000, 0x1e5e9f9000000000, 0x8fcff73e00000000,\n 0xfa370ec300000000, 0x6ba6666d00000000, 0x9912ae4400000000,\n 0x0883c6ea00000000, 0x32e42c6400000000, 0xa37544ca00000000,\n 0x51c18ce300000000, 0xc050e44d00000000, 0xb5a81db000000000,\n 0x2439751e00000000, 0xd68dbd3700000000, 0x471cd59900000000,\n 0xe34518f100000000, 0x72d4705f00000000, 0x8060b87600000000,\n 0x11f1d0d800000000, 0x6409292500000000, 0xf598418b00000000,\n 0x072c89a200000000, 0x96bde10c00000000, 0xacda0b8200000000,\n 0x3d4b632c00000000, 0xcfffab0500000000, 0x5e6ec3ab00000000,\n 0x2b963a5600000000, 0xba0752f800000000, 0x48b39ad100000000,\n 0xd922f27f00000000, 0xfaf67e2e00000000, 0x6b67168000000000,\n 0x99d3dea900000000, 0x0842b60700000000, 0x7dba4ffa00000000,\n 0xec2b275400000000, 0x1e9fef7d00000000, 0x8f0e87d300000000,\n 0xb5696d5d00000000, 0x24f805f300000000, 0xd64ccdda00000000,\n 0x47dda57400000000, 0x32255c8900000000, 0xa3b4342700000000,\n 0x5100fc0e00000000, 0xc09194a000000000, 0x64c859c800000000,\n 0xf559316600000000, 0x07edf94f00000000, 0x967c91e100000000,\n 0xe384681c00000000, 0x721500b200000000, 0x80a1c89b00000000,\n 0x1130a03500000000, 0x2b574abb00000000, 0xbac6221500000000,\n 0x4872ea3c00000000, 0xd9e3829200000000, 0xac1b7b6f00000000,\n 0x3d8a13c100000000, 0xcf3edbe800000000, 0x5eafb34600000000,\n 0x878d413900000000, 0x161c299700000000, 0xe4a8e1be00000000,\n 0x7539891000000000, 0x00c170ed00000000, 0x9150184300000000,\n 0x63e4d06a00000000, 0xf275b8c400000000, 0xc812524a00000000,\n 0x59833ae400000000, 0xab37f2cd00000000, 0x3aa69a6300000000,\n 0x4f5e639e00000000, 0xdecf0b3000000000, 0x2c7bc31900000000,\n 0xbdeaabb700000000, 0x19b366df00000000, 0x88220e7100000000,\n 0x7a96c65800000000, 0xeb07aef600000000, 0x9eff570b00000000,\n 0x0f6e3fa500000000, 0xfddaf78c00000000, 0x6c4b9f2200000000,\n 0x562c75ac00000000, 0xc7bd1d0200000000, 0x3509d52b00000000,\n 0xa498bd8500000000, 0xd160447800000000, 0x40f12cd600000000,\n 0xb245e4ff00000000, 0x23d48c5100000000, 0xf4edfd5c00000000,\n 0x657c95f200000000, 0x97c85ddb00000000, 0x0659357500000000,\n 0x73a1cc8800000000, 0xe230a42600000000, 0x10846c0f00000000,\n 0x811504a100000000, 0xbb72ee2f00000000, 0x2ae3868100000000,\n 0xd8574ea800000000, 0x49c6260600000000, 0x3c3edffb00000000,\n 0xadafb75500000000, 0x5f1b7f7c00000000, 0xce8a17d200000000,\n 0x6ad3daba00000000, 0xfb42b21400000000, 0x09f67a3d00000000,\n 0x9867129300000000, 0xed9feb6e00000000, 0x7c0e83c000000000,\n 0x8eba4be900000000, 0x1f2b234700000000, 0x254cc9c900000000,\n 0xb4dda16700000000, 0x4669694e00000000, 0xd7f801e000000000,\n 0xa200f81d00000000, 0x339190b300000000, 0xc125589a00000000,\n 0x50b4303400000000, 0x8996c24b00000000, 0x1807aae500000000,\n 0xeab362cc00000000, 0x7b220a6200000000, 0x0edaf39f00000000,\n 0x9f4b9b3100000000, 0x6dff531800000000, 0xfc6e3bb600000000,\n 0xc609d13800000000, 0x5798b99600000000, 0xa52c71bf00000000,\n 0x34bd191100000000, 0x4145e0ec00000000, 0xd0d4884200000000,\n 0x2260406b00000000, 0xb3f128c500000000, 0x17a8e5ad00000000,\n 0x86398d0300000000, 0x748d452a00000000, 0xe51c2d8400000000,\n 0x90e4d47900000000, 0x0175bcd700000000, 0xf3c174fe00000000,\n 0x62501c5000000000, 0x5837f6de00000000, 0xc9a69e7000000000,\n 0x3b12565900000000, 0xaa833ef700000000, 0xdf7bc70a00000000,\n 0x4eeaafa400000000, 0xbc5e678d00000000, 0x2dcf0f2300000000,\n 0x0e1b837200000000, 0x9f8aebdc00000000, 0x6d3e23f500000000,\n 0xfcaf4b5b00000000, 0x8957b2a600000000, 0x18c6da0800000000,\n 0xea72122100000000, 0x7be37a8f00000000, 0x4184900100000000,\n 0xd015f8af00000000, 0x22a1308600000000, 0xb330582800000000,\n 0xc6c8a1d500000000, 0x5759c97b00000000, 0xa5ed015200000000,\n 0x347c69fc00000000, 0x9025a49400000000, 0x01b4cc3a00000000,\n 0xf300041300000000, 0x62916cbd00000000, 0x1769954000000000,\n 0x86f8fdee00000000, 0x744c35c700000000, 0xe5dd5d6900000000,\n 0xdfbab7e700000000, 0x4e2bdf4900000000, 0xbc9f176000000000,\n 0x2d0e7fce00000000, 0x58f6863300000000, 0xc967ee9d00000000,\n 0x3bd326b400000000, 0xaa424e1a00000000, 0x7360bc6500000000,\n 0xe2f1d4cb00000000, 0x10451ce200000000, 0x81d4744c00000000,\n 0xf42c8db100000000, 0x65bde51f00000000, 0x97092d3600000000,\n 0x0698459800000000, 0x3cffaf1600000000, 0xad6ec7b800000000,\n 0x5fda0f9100000000, 0xce4b673f00000000, 0xbbb39ec200000000,\n 0x2a22f66c00000000, 0xd8963e4500000000, 0x490756eb00000000,\n 0xed5e9b8300000000, 0x7ccff32d00000000, 0x8e7b3b0400000000,\n 0x1fea53aa00000000, 0x6a12aa5700000000, 0xfb83c2f900000000,\n 0x09370ad000000000, 0x98a6627e00000000, 0xa2c188f000000000,\n 0x3350e05e00000000, 0xc1e4287700000000, 0x507540d900000000,\n 0x258db92400000000, 0xb41cd18a00000000, 0x46a819a300000000,\n 0xd739710d00000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xccaa009e, 0x4225077d, 0x8e8f07e3, 0x844a0efa,\n 0x48e00e64, 0xc66f0987, 0x0ac50919, 0xd3e51bb5, 0x1f4f1b2b,\n 0x91c01cc8, 0x5d6a1c56, 0x57af154f, 0x9b0515d1, 0x158a1232,\n 0xd92012ac, 0x7cbb312b, 0xb01131b5, 0x3e9e3656, 0xf23436c8,\n 0xf8f13fd1, 0x345b3f4f, 0xbad438ac, 0x767e3832, 0xaf5e2a9e,\n 0x63f42a00, 0xed7b2de3, 0x21d12d7d, 0x2b142464, 0xe7be24fa,\n 0x69312319, 0xa59b2387, 0xf9766256, 0x35dc62c8, 0xbb53652b,\n 0x77f965b5, 0x7d3c6cac, 0xb1966c32, 0x3f196bd1, 0xf3b36b4f,\n 0x2a9379e3, 0xe639797d, 0x68b67e9e, 0xa41c7e00, 0xaed97719,\n 0x62737787, 0xecfc7064, 0x205670fa, 0x85cd537d, 0x496753e3,\n 0xc7e85400, 0x0b42549e, 0x01875d87, 0xcd2d5d19, 0x43a25afa,\n 0x8f085a64, 0x562848c8, 0x9a824856, 0x140d4fb5, 0xd8a74f2b,\n 0xd2624632, 0x1ec846ac, 0x9047414f, 0x5ced41d1, 0x299dc2ed,\n 0xe537c273, 0x6bb8c590, 0xa712c50e, 0xadd7cc17, 0x617dcc89,\n 0xeff2cb6a, 0x2358cbf4, 0xfa78d958, 0x36d2d9c6, 0xb85dde25,\n 0x74f7debb, 0x7e32d7a2, 0xb298d73c, 0x3c17d0df, 0xf0bdd041,\n 0x5526f3c6, 0x998cf358, 0x1703f4bb, 0xdba9f425, 0xd16cfd3c,\n 0x1dc6fda2, 0x9349fa41, 0x5fe3fadf, 0x86c3e873, 0x4a69e8ed,\n 0xc4e6ef0e, 0x084cef90, 0x0289e689, 0xce23e617, 0x40ace1f4,\n 0x8c06e16a, 0xd0eba0bb, 0x1c41a025, 0x92cea7c6, 0x5e64a758,\n 0x54a1ae41, 0x980baedf, 0x1684a93c, 0xda2ea9a2, 0x030ebb0e,\n 0xcfa4bb90, 0x412bbc73, 0x8d81bced, 0x8744b5f4, 0x4beeb56a,\n 0xc561b289, 0x09cbb217, 0xac509190, 0x60fa910e, 0xee7596ed,\n 0x22df9673, 0x281a9f6a, 0xe4b09ff4, 0x6a3f9817, 0xa6959889,\n 0x7fb58a25, 0xb31f8abb, 0x3d908d58, 0xf13a8dc6, 0xfbff84df,\n 0x37558441, 0xb9da83a2, 0x7570833c, 0x533b85da, 0x9f918544,\n 0x111e82a7, 0xddb48239, 0xd7718b20, 0x1bdb8bbe, 0x95548c5d,\n 0x59fe8cc3, 0x80de9e6f, 0x4c749ef1, 0xc2fb9912, 0x0e51998c,\n 0x04949095, 0xc83e900b, 0x46b197e8, 0x8a1b9776, 0x2f80b4f1,\n 0xe32ab46f, 0x6da5b38c, 0xa10fb312, 0xabcaba0b, 0x6760ba95,\n 0xe9efbd76, 0x2545bde8, 0xfc65af44, 0x30cfafda, 0xbe40a839,\n 0x72eaa8a7, 0x782fa1be, 0xb485a120, 0x3a0aa6c3, 0xf6a0a65d,\n 0xaa4de78c, 0x66e7e712, 0xe868e0f1, 0x24c2e06f, 0x2e07e976,\n 0xe2ade9e8, 0x6c22ee0b, 0xa088ee95, 0x79a8fc39, 0xb502fca7,\n 0x3b8dfb44, 0xf727fbda, 0xfde2f2c3, 0x3148f25d, 0xbfc7f5be,\n 0x736df520, 0xd6f6d6a7, 0x1a5cd639, 0x94d3d1da, 0x5879d144,\n 0x52bcd85d, 0x9e16d8c3, 0x1099df20, 0xdc33dfbe, 0x0513cd12,\n 0xc9b9cd8c, 0x4736ca6f, 0x8b9ccaf1, 0x8159c3e8, 0x4df3c376,\n 0xc37cc495, 0x0fd6c40b, 0x7aa64737, 0xb60c47a9, 0x3883404a,\n 0xf42940d4, 0xfeec49cd, 0x32464953, 0xbcc94eb0, 0x70634e2e,\n 0xa9435c82, 0x65e95c1c, 0xeb665bff, 0x27cc5b61, 0x2d095278,\n 0xe1a352e6, 0x6f2c5505, 0xa386559b, 0x061d761c, 0xcab77682,\n 0x44387161, 0x889271ff, 0x825778e6, 0x4efd7878, 0xc0727f9b,\n 0x0cd87f05, 0xd5f86da9, 0x19526d37, 0x97dd6ad4, 0x5b776a4a,\n 0x51b26353, 0x9d1863cd, 0x1397642e, 0xdf3d64b0, 0x83d02561,\n 0x4f7a25ff, 0xc1f5221c, 0x0d5f2282, 0x079a2b9b, 0xcb302b05,\n 0x45bf2ce6, 0x89152c78, 0x50353ed4, 0x9c9f3e4a, 0x121039a9,\n 0xdeba3937, 0xd47f302e, 0x18d530b0, 0x965a3753, 0x5af037cd,\n 0xff6b144a, 0x33c114d4, 0xbd4e1337, 0x71e413a9, 0x7b211ab0,\n 0xb78b1a2e, 0x39041dcd, 0xf5ae1d53, 0x2c8e0fff, 0xe0240f61,\n 0x6eab0882, 0xa201081c, 0xa8c40105, 0x646e019b, 0xeae10678,\n 0x264b06e6},\n {0x00000000, 0xa6770bb4, 0x979f1129, 0x31e81a9d, 0xf44f2413,\n 0x52382fa7, 0x63d0353a, 0xc5a73e8e, 0x33ef4e67, 0x959845d3,\n 0xa4705f4e, 0x020754fa, 0xc7a06a74, 0x61d761c0, 0x503f7b5d,\n 0xf64870e9, 0x67de9cce, 0xc1a9977a, 0xf0418de7, 0x56368653,\n 0x9391b8dd, 0x35e6b369, 0x040ea9f4, 0xa279a240, 0x5431d2a9,\n 0xf246d91d, 0xc3aec380, 0x65d9c834, 0xa07ef6ba, 0x0609fd0e,\n 0x37e1e793, 0x9196ec27, 0xcfbd399c, 0x69ca3228, 0x582228b5,\n 0xfe552301, 0x3bf21d8f, 0x9d85163b, 0xac6d0ca6, 0x0a1a0712,\n 0xfc5277fb, 0x5a257c4f, 0x6bcd66d2, 0xcdba6d66, 0x081d53e8,\n 0xae6a585c, 0x9f8242c1, 0x39f54975, 0xa863a552, 0x0e14aee6,\n 0x3ffcb47b, 0x998bbfcf, 0x5c2c8141, 0xfa5b8af5, 0xcbb39068,\n 0x6dc49bdc, 0x9b8ceb35, 0x3dfbe081, 0x0c13fa1c, 0xaa64f1a8,\n 0x6fc3cf26, 0xc9b4c492, 0xf85cde0f, 0x5e2bd5bb, 0x440b7579,\n 0xe27c7ecd, 0xd3946450, 0x75e36fe4, 0xb044516a, 0x16335ade,\n 0x27db4043, 0x81ac4bf7, 0x77e43b1e, 0xd19330aa, 0xe07b2a37,\n 0x460c2183, 0x83ab1f0d, 0x25dc14b9, 0x14340e24, 0xb2430590,\n 0x23d5e9b7, 0x85a2e203, 0xb44af89e, 0x123df32a, 0xd79acda4,\n 0x71edc610, 0x4005dc8d, 0xe672d739, 0x103aa7d0, 0xb64dac64,\n 0x87a5b6f9, 0x21d2bd4d, 0xe47583c3, 0x42028877, 0x73ea92ea,\n 0xd59d995e, 0x8bb64ce5, 0x2dc14751, 0x1c295dcc, 0xba5e5678,\n 0x7ff968f6, 0xd98e6342, 0xe86679df, 0x4e11726b, 0xb8590282,\n 0x1e2e0936, 0x2fc613ab, 0x89b1181f, 0x4c162691, 0xea612d25,\n 0xdb8937b8, 0x7dfe3c0c, 0xec68d02b, 0x4a1fdb9f, 0x7bf7c102,\n 0xdd80cab6, 0x1827f438, 0xbe50ff8c, 0x8fb8e511, 0x29cfeea5,\n 0xdf879e4c, 0x79f095f8, 0x48188f65, 0xee6f84d1, 0x2bc8ba5f,\n 0x8dbfb1eb, 0xbc57ab76, 0x1a20a0c2, 0x8816eaf2, 0x2e61e146,\n 0x1f89fbdb, 0xb9fef06f, 0x7c59cee1, 0xda2ec555, 0xebc6dfc8,\n 0x4db1d47c, 0xbbf9a495, 0x1d8eaf21, 0x2c66b5bc, 0x8a11be08,\n 0x4fb68086, 0xe9c18b32, 0xd82991af, 0x7e5e9a1b, 0xefc8763c,\n 0x49bf7d88, 0x78576715, 0xde206ca1, 0x1b87522f, 0xbdf0599b,\n 0x8c184306, 0x2a6f48b2, 0xdc27385b, 0x7a5033ef, 0x4bb82972,\n 0xedcf22c6, 0x28681c48, 0x8e1f17fc, 0xbff70d61, 0x198006d5,\n 0x47abd36e, 0xe1dcd8da, 0xd034c247, 0x7643c9f3, 0xb3e4f77d,\n 0x1593fcc9, 0x247be654, 0x820cede0, 0x74449d09, 0xd23396bd,\n 0xe3db8c20, 0x45ac8794, 0x800bb91a, 0x267cb2ae, 0x1794a833,\n 0xb1e3a387, 0x20754fa0, 0x86024414, 0xb7ea5e89, 0x119d553d,\n 0xd43a6bb3, 0x724d6007, 0x43a57a9a, 0xe5d2712e, 0x139a01c7,\n 0xb5ed0a73, 0x840510ee, 0x22721b5a, 0xe7d525d4, 0x41a22e60,\n 0x704a34fd, 0xd63d3f49, 0xcc1d9f8b, 0x6a6a943f, 0x5b828ea2,\n 0xfdf58516, 0x3852bb98, 0x9e25b02c, 0xafcdaab1, 0x09baa105,\n 0xfff2d1ec, 0x5985da58, 0x686dc0c5, 0xce1acb71, 0x0bbdf5ff,\n 0xadcafe4b, 0x9c22e4d6, 0x3a55ef62, 0xabc30345, 0x0db408f1,\n 0x3c5c126c, 0x9a2b19d8, 0x5f8c2756, 0xf9fb2ce2, 0xc813367f,\n 0x6e643dcb, 0x982c4d22, 0x3e5b4696, 0x0fb35c0b, 0xa9c457bf,\n 0x6c636931, 0xca146285, 0xfbfc7818, 0x5d8b73ac, 0x03a0a617,\n 0xa5d7ada3, 0x943fb73e, 0x3248bc8a, 0xf7ef8204, 0x519889b0,\n 0x6070932d, 0xc6079899, 0x304fe870, 0x9638e3c4, 0xa7d0f959,\n 0x01a7f2ed, 0xc400cc63, 0x6277c7d7, 0x539fdd4a, 0xf5e8d6fe,\n 0x647e3ad9, 0xc209316d, 0xf3e12bf0, 0x55962044, 0x90311eca,\n 0x3646157e, 0x07ae0fe3, 0xa1d90457, 0x579174be, 0xf1e67f0a,\n 0xc00e6597, 0x66796e23, 0xa3de50ad, 0x05a95b19, 0x34414184,\n 0x92364a30},\n {0x00000000, 0xcb5cd3a5, 0x4dc8a10b, 0x869472ae, 0x9b914216,\n 0x50cd91b3, 0xd659e31d, 0x1d0530b8, 0xec53826d, 0x270f51c8,\n 0xa19b2366, 0x6ac7f0c3, 0x77c2c07b, 0xbc9e13de, 0x3a0a6170,\n 0xf156b2d5, 0x03d6029b, 0xc88ad13e, 0x4e1ea390, 0x85427035,\n 0x9847408d, 0x531b9328, 0xd58fe186, 0x1ed33223, 0xef8580f6,\n 0x24d95353, 0xa24d21fd, 0x6911f258, 0x7414c2e0, 0xbf481145,\n 0x39dc63eb, 0xf280b04e, 0x07ac0536, 0xccf0d693, 0x4a64a43d,\n 0x81387798, 0x9c3d4720, 0x57619485, 0xd1f5e62b, 0x1aa9358e,\n 0xebff875b, 0x20a354fe, 0xa6372650, 0x6d6bf5f5, 0x706ec54d,\n 0xbb3216e8, 0x3da66446, 0xf6fab7e3, 0x047a07ad, 0xcf26d408,\n 0x49b2a6a6, 0x82ee7503, 0x9feb45bb, 0x54b7961e, 0xd223e4b0,\n 0x197f3715, 0xe82985c0, 0x23755665, 0xa5e124cb, 0x6ebdf76e,\n 0x73b8c7d6, 0xb8e41473, 0x3e7066dd, 0xf52cb578, 0x0f580a6c,\n 0xc404d9c9, 0x4290ab67, 0x89cc78c2, 0x94c9487a, 0x5f959bdf,\n 0xd901e971, 0x125d3ad4, 0xe30b8801, 0x28575ba4, 0xaec3290a,\n 0x659ffaaf, 0x789aca17, 0xb3c619b2, 0x35526b1c, 0xfe0eb8b9,\n 0x0c8e08f7, 0xc7d2db52, 0x4146a9fc, 0x8a1a7a59, 0x971f4ae1,\n 0x5c439944, 0xdad7ebea, 0x118b384f, 0xe0dd8a9a, 0x2b81593f,\n 0xad152b91, 0x6649f834, 0x7b4cc88c, 0xb0101b29, 0x36846987,\n 0xfdd8ba22, 0x08f40f5a, 0xc3a8dcff, 0x453cae51, 0x8e607df4,\n 0x93654d4c, 0x58399ee9, 0xdeadec47, 0x15f13fe2, 0xe4a78d37,\n 0x2ffb5e92, 0xa96f2c3c, 0x6233ff99, 0x7f36cf21, 0xb46a1c84,\n 0x32fe6e2a, 0xf9a2bd8f, 0x0b220dc1, 0xc07ede64, 0x46eaacca,\n 0x8db67f6f, 0x90b34fd7, 0x5bef9c72, 0xdd7beedc, 0x16273d79,\n 0xe7718fac, 0x2c2d5c09, 0xaab92ea7, 0x61e5fd02, 0x7ce0cdba,\n 0xb7bc1e1f, 0x31286cb1, 0xfa74bf14, 0x1eb014d8, 0xd5ecc77d,\n 0x5378b5d3, 0x98246676, 0x852156ce, 0x4e7d856b, 0xc8e9f7c5,\n 0x03b52460, 0xf2e396b5, 0x39bf4510, 0xbf2b37be, 0x7477e41b,\n 0x6972d4a3, 0xa22e0706, 0x24ba75a8, 0xefe6a60d, 0x1d661643,\n 0xd63ac5e6, 0x50aeb748, 0x9bf264ed, 0x86f75455, 0x4dab87f0,\n 0xcb3ff55e, 0x006326fb, 0xf135942e, 0x3a69478b, 0xbcfd3525,\n 0x77a1e680, 0x6aa4d638, 0xa1f8059d, 0x276c7733, 0xec30a496,\n 0x191c11ee, 0xd240c24b, 0x54d4b0e5, 0x9f886340, 0x828d53f8,\n 0x49d1805d, 0xcf45f2f3, 0x04192156, 0xf54f9383, 0x3e134026,\n 0xb8873288, 0x73dbe12d, 0x6eded195, 0xa5820230, 0x2316709e,\n 0xe84aa33b, 0x1aca1375, 0xd196c0d0, 0x5702b27e, 0x9c5e61db,\n 0x815b5163, 0x4a0782c6, 0xcc93f068, 0x07cf23cd, 0xf6999118,\n 0x3dc542bd, 0xbb513013, 0x700de3b6, 0x6d08d30e, 0xa65400ab,\n 0x20c07205, 0xeb9ca1a0, 0x11e81eb4, 0xdab4cd11, 0x5c20bfbf,\n 0x977c6c1a, 0x8a795ca2, 0x41258f07, 0xc7b1fda9, 0x0ced2e0c,\n 0xfdbb9cd9, 0x36e74f7c, 0xb0733dd2, 0x7b2fee77, 0x662adecf,\n 0xad760d6a, 0x2be27fc4, 0xe0beac61, 0x123e1c2f, 0xd962cf8a,\n 0x5ff6bd24, 0x94aa6e81, 0x89af5e39, 0x42f38d9c, 0xc467ff32,\n 0x0f3b2c97, 0xfe6d9e42, 0x35314de7, 0xb3a53f49, 0x78f9ecec,\n 0x65fcdc54, 0xaea00ff1, 0x28347d5f, 0xe368aefa, 0x16441b82,\n 0xdd18c827, 0x5b8cba89, 0x90d0692c, 0x8dd55994, 0x46898a31,\n 0xc01df89f, 0x0b412b3a, 0xfa1799ef, 0x314b4a4a, 0xb7df38e4,\n 0x7c83eb41, 0x6186dbf9, 0xaada085c, 0x2c4e7af2, 0xe712a957,\n 0x15921919, 0xdececabc, 0x585ab812, 0x93066bb7, 0x8e035b0f,\n 0x455f88aa, 0xc3cbfa04, 0x089729a1, 0xf9c19b74, 0x329d48d1,\n 0xb4093a7f, 0x7f55e9da, 0x6250d962, 0xa90c0ac7, 0x2f987869,\n 0xe4c4abcc},\n {0x00000000, 0x3d6029b0, 0x7ac05360, 0x47a07ad0, 0xf580a6c0,\n 0xc8e08f70, 0x8f40f5a0, 0xb220dc10, 0x30704bc1, 0x0d106271,\n 0x4ab018a1, 0x77d03111, 0xc5f0ed01, 0xf890c4b1, 0xbf30be61,\n 0x825097d1, 0x60e09782, 0x5d80be32, 0x1a20c4e2, 0x2740ed52,\n 0x95603142, 0xa80018f2, 0xefa06222, 0xd2c04b92, 0x5090dc43,\n 0x6df0f5f3, 0x2a508f23, 0x1730a693, 0xa5107a83, 0x98705333,\n 0xdfd029e3, 0xe2b00053, 0xc1c12f04, 0xfca106b4, 0xbb017c64,\n 0x866155d4, 0x344189c4, 0x0921a074, 0x4e81daa4, 0x73e1f314,\n 0xf1b164c5, 0xccd14d75, 0x8b7137a5, 0xb6111e15, 0x0431c205,\n 0x3951ebb5, 0x7ef19165, 0x4391b8d5, 0xa121b886, 0x9c419136,\n 0xdbe1ebe6, 0xe681c256, 0x54a11e46, 0x69c137f6, 0x2e614d26,\n 0x13016496, 0x9151f347, 0xac31daf7, 0xeb91a027, 0xd6f18997,\n 0x64d15587, 0x59b17c37, 0x1e1106e7, 0x23712f57, 0x58f35849,\n 0x659371f9, 0x22330b29, 0x1f532299, 0xad73fe89, 0x9013d739,\n 0xd7b3ade9, 0xead38459, 0x68831388, 0x55e33a38, 0x124340e8,\n 0x2f236958, 0x9d03b548, 0xa0639cf8, 0xe7c3e628, 0xdaa3cf98,\n 0x3813cfcb, 0x0573e67b, 0x42d39cab, 0x7fb3b51b, 0xcd93690b,\n 0xf0f340bb, 0xb7533a6b, 0x8a3313db, 0x0863840a, 0x3503adba,\n 0x72a3d76a, 0x4fc3feda, 0xfde322ca, 0xc0830b7a, 0x872371aa,\n 0xba43581a, 0x9932774d, 0xa4525efd, 0xe3f2242d, 0xde920d9d,\n 0x6cb2d18d, 0x51d2f83d, 0x167282ed, 0x2b12ab5d, 0xa9423c8c,\n 0x9422153c, 0xd3826fec, 0xeee2465c, 0x5cc29a4c, 0x61a2b3fc,\n 0x2602c92c, 0x1b62e09c, 0xf9d2e0cf, 0xc4b2c97f, 0x8312b3af,\n 0xbe729a1f, 0x0c52460f, 0x31326fbf, 0x7692156f, 0x4bf23cdf,\n 0xc9a2ab0e, 0xf4c282be, 0xb362f86e, 0x8e02d1de, 0x3c220dce,\n 0x0142247e, 0x46e25eae, 0x7b82771e, 0xb1e6b092, 0x8c869922,\n 0xcb26e3f2, 0xf646ca42, 0x44661652, 0x79063fe2, 0x3ea64532,\n 0x03c66c82, 0x8196fb53, 0xbcf6d2e3, 0xfb56a833, 0xc6368183,\n 0x74165d93, 0x49767423, 0x0ed60ef3, 0x33b62743, 0xd1062710,\n 0xec660ea0, 0xabc67470, 0x96a65dc0, 0x248681d0, 0x19e6a860,\n 0x5e46d2b0, 0x6326fb00, 0xe1766cd1, 0xdc164561, 0x9bb63fb1,\n 0xa6d61601, 0x14f6ca11, 0x2996e3a1, 0x6e369971, 0x5356b0c1,\n 0x70279f96, 0x4d47b626, 0x0ae7ccf6, 0x3787e546, 0x85a73956,\n 0xb8c710e6, 0xff676a36, 0xc2074386, 0x4057d457, 0x7d37fde7,\n 0x3a978737, 0x07f7ae87, 0xb5d77297, 0x88b75b27, 0xcf1721f7,\n 0xf2770847, 0x10c70814, 0x2da721a4, 0x6a075b74, 0x576772c4,\n 0xe547aed4, 0xd8278764, 0x9f87fdb4, 0xa2e7d404, 0x20b743d5,\n 0x1dd76a65, 0x5a7710b5, 0x67173905, 0xd537e515, 0xe857cca5,\n 0xaff7b675, 0x92979fc5, 0xe915e8db, 0xd475c16b, 0x93d5bbbb,\n 0xaeb5920b, 0x1c954e1b, 0x21f567ab, 0x66551d7b, 0x5b3534cb,\n 0xd965a31a, 0xe4058aaa, 0xa3a5f07a, 0x9ec5d9ca, 0x2ce505da,\n 0x11852c6a, 0x562556ba, 0x6b457f0a, 0x89f57f59, 0xb49556e9,\n 0xf3352c39, 0xce550589, 0x7c75d999, 0x4115f029, 0x06b58af9,\n 0x3bd5a349, 0xb9853498, 0x84e51d28, 0xc34567f8, 0xfe254e48,\n 0x4c059258, 0x7165bbe8, 0x36c5c138, 0x0ba5e888, 0x28d4c7df,\n 0x15b4ee6f, 0x521494bf, 0x6f74bd0f, 0xdd54611f, 0xe03448af,\n 0xa794327f, 0x9af41bcf, 0x18a48c1e, 0x25c4a5ae, 0x6264df7e,\n 0x5f04f6ce, 0xed242ade, 0xd044036e, 0x97e479be, 0xaa84500e,\n 0x4834505d, 0x755479ed, 0x32f4033d, 0x0f942a8d, 0xbdb4f69d,\n 0x80d4df2d, 0xc774a5fd, 0xfa148c4d, 0x78441b9c, 0x4524322c,\n 0x028448fc, 0x3fe4614c, 0x8dc4bd5c, 0xb0a494ec, 0xf704ee3c,\n 0xca64c78c}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0xb029603d, 0x6053c07a, 0xd07aa047, 0xc0a680f5,\n 0x708fe0c8, 0xa0f5408f, 0x10dc20b2, 0xc14b7030, 0x7162100d,\n 0xa118b04a, 0x1131d077, 0x01edf0c5, 0xb1c490f8, 0x61be30bf,\n 0xd1975082, 0x8297e060, 0x32be805d, 0xe2c4201a, 0x52ed4027,\n 0x42316095, 0xf21800a8, 0x2262a0ef, 0x924bc0d2, 0x43dc9050,\n 0xf3f5f06d, 0x238f502a, 0x93a63017, 0x837a10a5, 0x33537098,\n 0xe329d0df, 0x5300b0e2, 0x042fc1c1, 0xb406a1fc, 0x647c01bb,\n 0xd4556186, 0xc4894134, 0x74a02109, 0xa4da814e, 0x14f3e173,\n 0xc564b1f1, 0x754dd1cc, 0xa537718b, 0x151e11b6, 0x05c23104,\n 0xb5eb5139, 0x6591f17e, 0xd5b89143, 0x86b821a1, 0x3691419c,\n 0xe6ebe1db, 0x56c281e6, 0x461ea154, 0xf637c169, 0x264d612e,\n 0x96640113, 0x47f35191, 0xf7da31ac, 0x27a091eb, 0x9789f1d6,\n 0x8755d164, 0x377cb159, 0xe706111e, 0x572f7123, 0x4958f358,\n 0xf9719365, 0x290b3322, 0x9922531f, 0x89fe73ad, 0x39d71390,\n 0xe9adb3d7, 0x5984d3ea, 0x88138368, 0x383ae355, 0xe8404312,\n 0x5869232f, 0x48b5039d, 0xf89c63a0, 0x28e6c3e7, 0x98cfa3da,\n 0xcbcf1338, 0x7be67305, 0xab9cd342, 0x1bb5b37f, 0x0b6993cd,\n 0xbb40f3f0, 0x6b3a53b7, 0xdb13338a, 0x0a846308, 0xbaad0335,\n 0x6ad7a372, 0xdafec34f, 0xca22e3fd, 0x7a0b83c0, 0xaa712387,\n 0x1a5843ba, 0x4d773299, 0xfd5e52a4, 0x2d24f2e3, 0x9d0d92de,\n 0x8dd1b26c, 0x3df8d251, 0xed827216, 0x5dab122b, 0x8c3c42a9,\n 0x3c152294, 0xec6f82d3, 0x5c46e2ee, 0x4c9ac25c, 0xfcb3a261,\n 0x2cc90226, 0x9ce0621b, 0xcfe0d2f9, 0x7fc9b2c4, 0xafb31283,\n 0x1f9a72be, 0x0f46520c, 0xbf6f3231, 0x6f159276, 0xdf3cf24b,\n 0x0eaba2c9, 0xbe82c2f4, 0x6ef862b3, 0xded1028e, 0xce0d223c,\n 0x7e244201, 0xae5ee246, 0x1e77827b, 0x92b0e6b1, 0x2299868c,\n 0xf2e326cb, 0x42ca46f6, 0x52166644, 0xe23f0679, 0x3245a63e,\n 0x826cc603, 0x53fb9681, 0xe3d2f6bc, 0x33a856fb, 0x838136c6,\n 0x935d1674, 0x23747649, 0xf30ed60e, 0x4327b633, 0x102706d1,\n 0xa00e66ec, 0x7074c6ab, 0xc05da696, 0xd0818624, 0x60a8e619,\n 0xb0d2465e, 0x00fb2663, 0xd16c76e1, 0x614516dc, 0xb13fb69b,\n 0x0116d6a6, 0x11caf614, 0xa1e39629, 0x7199366e, 0xc1b05653,\n 0x969f2770, 0x26b6474d, 0xf6cce70a, 0x46e58737, 0x5639a785,\n 0xe610c7b8, 0x366a67ff, 0x864307c2, 0x57d45740, 0xe7fd377d,\n 0x3787973a, 0x87aef707, 0x9772d7b5, 0x275bb788, 0xf72117cf,\n 0x470877f2, 0x1408c710, 0xa421a72d, 0x745b076a, 0xc4726757,\n 0xd4ae47e5, 0x648727d8, 0xb4fd879f, 0x04d4e7a2, 0xd543b720,\n 0x656ad71d, 0xb510775a, 0x05391767, 0x15e537d5, 0xa5cc57e8,\n 0x75b6f7af, 0xc59f9792, 0xdbe815e9, 0x6bc175d4, 0xbbbbd593,\n 0x0b92b5ae, 0x1b4e951c, 0xab67f521, 0x7b1d5566, 0xcb34355b,\n 0x1aa365d9, 0xaa8a05e4, 0x7af0a5a3, 0xcad9c59e, 0xda05e52c,\n 0x6a2c8511, 0xba562556, 0x0a7f456b, 0x597ff589, 0xe95695b4,\n 0x392c35f3, 0x890555ce, 0x99d9757c, 0x29f01541, 0xf98ab506,\n 0x49a3d53b, 0x983485b9, 0x281de584, 0xf86745c3, 0x484e25fe,\n 0x5892054c, 0xe8bb6571, 0x38c1c536, 0x88e8a50b, 0xdfc7d428,\n 0x6feeb415, 0xbf941452, 0x0fbd746f, 0x1f6154dd, 0xaf4834e0,\n 0x7f3294a7, 0xcf1bf49a, 0x1e8ca418, 0xaea5c425, 0x7edf6462,\n 0xcef6045f, 0xde2a24ed, 0x6e0344d0, 0xbe79e497, 0x0e5084aa,\n 0x5d503448, 0xed795475, 0x3d03f432, 0x8d2a940f, 0x9df6b4bd,\n 0x2ddfd480, 0xfda574c7, 0x4d8c14fa, 0x9c1b4478, 0x2c322445,\n 0xfc488402, 0x4c61e43f, 0x5cbdc48d, 0xec94a4b0, 0x3cee04f7,\n 0x8cc764ca},\n {0x00000000, 0xa5d35ccb, 0x0ba1c84d, 0xae729486, 0x1642919b,\n 0xb391cd50, 0x1de359d6, 0xb830051d, 0x6d8253ec, 0xc8510f27,\n 0x66239ba1, 0xc3f0c76a, 0x7bc0c277, 0xde139ebc, 0x70610a3a,\n 0xd5b256f1, 0x9b02d603, 0x3ed18ac8, 0x90a31e4e, 0x35704285,\n 0x8d404798, 0x28931b53, 0x86e18fd5, 0x2332d31e, 0xf68085ef,\n 0x5353d924, 0xfd214da2, 0x58f21169, 0xe0c21474, 0x451148bf,\n 0xeb63dc39, 0x4eb080f2, 0x3605ac07, 0x93d6f0cc, 0x3da4644a,\n 0x98773881, 0x20473d9c, 0x85946157, 0x2be6f5d1, 0x8e35a91a,\n 0x5b87ffeb, 0xfe54a320, 0x502637a6, 0xf5f56b6d, 0x4dc56e70,\n 0xe81632bb, 0x4664a63d, 0xe3b7faf6, 0xad077a04, 0x08d426cf,\n 0xa6a6b249, 0x0375ee82, 0xbb45eb9f, 0x1e96b754, 0xb0e423d2,\n 0x15377f19, 0xc08529e8, 0x65567523, 0xcb24e1a5, 0x6ef7bd6e,\n 0xd6c7b873, 0x7314e4b8, 0xdd66703e, 0x78b52cf5, 0x6c0a580f,\n 0xc9d904c4, 0x67ab9042, 0xc278cc89, 0x7a48c994, 0xdf9b955f,\n 0x71e901d9, 0xd43a5d12, 0x01880be3, 0xa45b5728, 0x0a29c3ae,\n 0xaffa9f65, 0x17ca9a78, 0xb219c6b3, 0x1c6b5235, 0xb9b80efe,\n 0xf7088e0c, 0x52dbd2c7, 0xfca94641, 0x597a1a8a, 0xe14a1f97,\n 0x4499435c, 0xeaebd7da, 0x4f388b11, 0x9a8adde0, 0x3f59812b,\n 0x912b15ad, 0x34f84966, 0x8cc84c7b, 0x291b10b0, 0x87698436,\n 0x22bad8fd, 0x5a0ff408, 0xffdca8c3, 0x51ae3c45, 0xf47d608e,\n 0x4c4d6593, 0xe99e3958, 0x47ecadde, 0xe23ff115, 0x378da7e4,\n 0x925efb2f, 0x3c2c6fa9, 0x99ff3362, 0x21cf367f, 0x841c6ab4,\n 0x2a6efe32, 0x8fbda2f9, 0xc10d220b, 0x64de7ec0, 0xcaacea46,\n 0x6f7fb68d, 0xd74fb390, 0x729cef5b, 0xdcee7bdd, 0x793d2716,\n 0xac8f71e7, 0x095c2d2c, 0xa72eb9aa, 0x02fde561, 0xbacde07c,\n 0x1f1ebcb7, 0xb16c2831, 0x14bf74fa, 0xd814b01e, 0x7dc7ecd5,\n 0xd3b57853, 0x76662498, 0xce562185, 0x6b857d4e, 0xc5f7e9c8,\n 0x6024b503, 0xb596e3f2, 0x1045bf39, 0xbe372bbf, 0x1be47774,\n 0xa3d47269, 0x06072ea2, 0xa875ba24, 0x0da6e6ef, 0x4316661d,\n 0xe6c53ad6, 0x48b7ae50, 0xed64f29b, 0x5554f786, 0xf087ab4d,\n 0x5ef53fcb, 0xfb266300, 0x2e9435f1, 0x8b47693a, 0x2535fdbc,\n 0x80e6a177, 0x38d6a46a, 0x9d05f8a1, 0x33776c27, 0x96a430ec,\n 0xee111c19, 0x4bc240d2, 0xe5b0d454, 0x4063889f, 0xf8538d82,\n 0x5d80d149, 0xf3f245cf, 0x56211904, 0x83934ff5, 0x2640133e,\n 0x883287b8, 0x2de1db73, 0x95d1de6e, 0x300282a5, 0x9e701623,\n 0x3ba34ae8, 0x7513ca1a, 0xd0c096d1, 0x7eb20257, 0xdb615e9c,\n 0x63515b81, 0xc682074a, 0x68f093cc, 0xcd23cf07, 0x189199f6,\n 0xbd42c53d, 0x133051bb, 0xb6e30d70, 0x0ed3086d, 0xab0054a6,\n 0x0572c020, 0xa0a19ceb, 0xb41ee811, 0x11cdb4da, 0xbfbf205c,\n 0x1a6c7c97, 0xa25c798a, 0x078f2541, 0xa9fdb1c7, 0x0c2eed0c,\n 0xd99cbbfd, 0x7c4fe736, 0xd23d73b0, 0x77ee2f7b, 0xcfde2a66,\n 0x6a0d76ad, 0xc47fe22b, 0x61acbee0, 0x2f1c3e12, 0x8acf62d9,\n 0x24bdf65f, 0x816eaa94, 0x395eaf89, 0x9c8df342, 0x32ff67c4,\n 0x972c3b0f, 0x429e6dfe, 0xe74d3135, 0x493fa5b3, 0xececf978,\n 0x54dcfc65, 0xf10fa0ae, 0x5f7d3428, 0xfaae68e3, 0x821b4416,\n 0x27c818dd, 0x89ba8c5b, 0x2c69d090, 0x9459d58d, 0x318a8946,\n 0x9ff81dc0, 0x3a2b410b, 0xef9917fa, 0x4a4a4b31, 0xe438dfb7,\n 0x41eb837c, 0xf9db8661, 0x5c08daaa, 0xf27a4e2c, 0x57a912e7,\n 0x19199215, 0xbccacede, 0x12b85a58, 0xb76b0693, 0x0f5b038e,\n 0xaa885f45, 0x04facbc3, 0xa1299708, 0x749bc1f9, 0xd1489d32,\n 0x7f3a09b4, 0xdae9557f, 0x62d95062, 0xc70a0ca9, 0x6978982f,\n 0xccabc4e4},\n {0x00000000, 0xb40b77a6, 0x29119f97, 0x9d1ae831, 0x13244ff4,\n 0xa72f3852, 0x3a35d063, 0x8e3ea7c5, 0x674eef33, 0xd3459895,\n 0x4e5f70a4, 0xfa540702, 0x746aa0c7, 0xc061d761, 0x5d7b3f50,\n 0xe97048f6, 0xce9cde67, 0x7a97a9c1, 0xe78d41f0, 0x53863656,\n 0xddb89193, 0x69b3e635, 0xf4a90e04, 0x40a279a2, 0xa9d23154,\n 0x1dd946f2, 0x80c3aec3, 0x34c8d965, 0xbaf67ea0, 0x0efd0906,\n 0x93e7e137, 0x27ec9691, 0x9c39bdcf, 0x2832ca69, 0xb5282258,\n 0x012355fe, 0x8f1df23b, 0x3b16859d, 0xa60c6dac, 0x12071a0a,\n 0xfb7752fc, 0x4f7c255a, 0xd266cd6b, 0x666dbacd, 0xe8531d08,\n 0x5c586aae, 0xc142829f, 0x7549f539, 0x52a563a8, 0xe6ae140e,\n 0x7bb4fc3f, 0xcfbf8b99, 0x41812c5c, 0xf58a5bfa, 0x6890b3cb,\n 0xdc9bc46d, 0x35eb8c9b, 0x81e0fb3d, 0x1cfa130c, 0xa8f164aa,\n 0x26cfc36f, 0x92c4b4c9, 0x0fde5cf8, 0xbbd52b5e, 0x79750b44,\n 0xcd7e7ce2, 0x506494d3, 0xe46fe375, 0x6a5144b0, 0xde5a3316,\n 0x4340db27, 0xf74bac81, 0x1e3be477, 0xaa3093d1, 0x372a7be0,\n 0x83210c46, 0x0d1fab83, 0xb914dc25, 0x240e3414, 0x900543b2,\n 0xb7e9d523, 0x03e2a285, 0x9ef84ab4, 0x2af33d12, 0xa4cd9ad7,\n 0x10c6ed71, 0x8ddc0540, 0x39d772e6, 0xd0a73a10, 0x64ac4db6,\n 0xf9b6a587, 0x4dbdd221, 0xc38375e4, 0x77880242, 0xea92ea73,\n 0x5e999dd5, 0xe54cb68b, 0x5147c12d, 0xcc5d291c, 0x78565eba,\n 0xf668f97f, 0x42638ed9, 0xdf7966e8, 0x6b72114e, 0x820259b8,\n 0x36092e1e, 0xab13c62f, 0x1f18b189, 0x9126164c, 0x252d61ea,\n 0xb83789db, 0x0c3cfe7d, 0x2bd068ec, 0x9fdb1f4a, 0x02c1f77b,\n 0xb6ca80dd, 0x38f42718, 0x8cff50be, 0x11e5b88f, 0xa5eecf29,\n 0x4c9e87df, 0xf895f079, 0x658f1848, 0xd1846fee, 0x5fbac82b,\n 0xebb1bf8d, 0x76ab57bc, 0xc2a0201a, 0xf2ea1688, 0x46e1612e,\n 0xdbfb891f, 0x6ff0feb9, 0xe1ce597c, 0x55c52eda, 0xc8dfc6eb,\n 0x7cd4b14d, 0x95a4f9bb, 0x21af8e1d, 0xbcb5662c, 0x08be118a,\n 0x8680b64f, 0x328bc1e9, 0xaf9129d8, 0x1b9a5e7e, 0x3c76c8ef,\n 0x887dbf49, 0x15675778, 0xa16c20de, 0x2f52871b, 0x9b59f0bd,\n 0x0643188c, 0xb2486f2a, 0x5b3827dc, 0xef33507a, 0x7229b84b,\n 0xc622cfed, 0x481c6828, 0xfc171f8e, 0x610df7bf, 0xd5068019,\n 0x6ed3ab47, 0xdad8dce1, 0x47c234d0, 0xf3c94376, 0x7df7e4b3,\n 0xc9fc9315, 0x54e67b24, 0xe0ed0c82, 0x099d4474, 0xbd9633d2,\n 0x208cdbe3, 0x9487ac45, 0x1ab90b80, 0xaeb27c26, 0x33a89417,\n 0x87a3e3b1, 0xa04f7520, 0x14440286, 0x895eeab7, 0x3d559d11,\n 0xb36b3ad4, 0x07604d72, 0x9a7aa543, 0x2e71d2e5, 0xc7019a13,\n 0x730aedb5, 0xee100584, 0x5a1b7222, 0xd425d5e7, 0x602ea241,\n 0xfd344a70, 0x493f3dd6, 0x8b9f1dcc, 0x3f946a6a, 0xa28e825b,\n 0x1685f5fd, 0x98bb5238, 0x2cb0259e, 0xb1aacdaf, 0x05a1ba09,\n 0xecd1f2ff, 0x58da8559, 0xc5c06d68, 0x71cb1ace, 0xfff5bd0b,\n 0x4bfecaad, 0xd6e4229c, 0x62ef553a, 0x4503c3ab, 0xf108b40d,\n 0x6c125c3c, 0xd8192b9a, 0x56278c5f, 0xe22cfbf9, 0x7f3613c8,\n 0xcb3d646e, 0x224d2c98, 0x96465b3e, 0x0b5cb30f, 0xbf57c4a9,\n 0x3169636c, 0x856214ca, 0x1878fcfb, 0xac738b5d, 0x17a6a003,\n 0xa3add7a5, 0x3eb73f94, 0x8abc4832, 0x0482eff7, 0xb0899851,\n 0x2d937060, 0x999807c6, 0x70e84f30, 0xc4e33896, 0x59f9d0a7,\n 0xedf2a701, 0x63cc00c4, 0xd7c77762, 0x4add9f53, 0xfed6e8f5,\n 0xd93a7e64, 0x6d3109c2, 0xf02be1f3, 0x44209655, 0xca1e3190,\n 0x7e154636, 0xe30fae07, 0x5704d9a1, 0xbe749157, 0x0a7fe6f1,\n 0x97650ec0, 0x236e7966, 0xad50dea3, 0x195ba905, 0x84414134,\n 0x304a3692},\n {0x00000000, 0x9e00aacc, 0x7d072542, 0xe3078f8e, 0xfa0e4a84,\n 0x640ee048, 0x87096fc6, 0x1909c50a, 0xb51be5d3, 0x2b1b4f1f,\n 0xc81cc091, 0x561c6a5d, 0x4f15af57, 0xd115059b, 0x32128a15,\n 0xac1220d9, 0x2b31bb7c, 0xb53111b0, 0x56369e3e, 0xc83634f2,\n 0xd13ff1f8, 0x4f3f5b34, 0xac38d4ba, 0x32387e76, 0x9e2a5eaf,\n 0x002af463, 0xe32d7bed, 0x7d2dd121, 0x6424142b, 0xfa24bee7,\n 0x19233169, 0x87239ba5, 0x566276f9, 0xc862dc35, 0x2b6553bb,\n 0xb565f977, 0xac6c3c7d, 0x326c96b1, 0xd16b193f, 0x4f6bb3f3,\n 0xe379932a, 0x7d7939e6, 0x9e7eb668, 0x007e1ca4, 0x1977d9ae,\n 0x87777362, 0x6470fcec, 0xfa705620, 0x7d53cd85, 0xe3536749,\n 0x0054e8c7, 0x9e54420b, 0x875d8701, 0x195d2dcd, 0xfa5aa243,\n 0x645a088f, 0xc8482856, 0x5648829a, 0xb54f0d14, 0x2b4fa7d8,\n 0x324662d2, 0xac46c81e, 0x4f414790, 0xd141ed5c, 0xedc29d29,\n 0x73c237e5, 0x90c5b86b, 0x0ec512a7, 0x17ccd7ad, 0x89cc7d61,\n 0x6acbf2ef, 0xf4cb5823, 0x58d978fa, 0xc6d9d236, 0x25de5db8,\n 0xbbdef774, 0xa2d7327e, 0x3cd798b2, 0xdfd0173c, 0x41d0bdf0,\n 0xc6f32655, 0x58f38c99, 0xbbf40317, 0x25f4a9db, 0x3cfd6cd1,\n 0xa2fdc61d, 0x41fa4993, 0xdffae35f, 0x73e8c386, 0xede8694a,\n 0x0eefe6c4, 0x90ef4c08, 0x89e68902, 0x17e623ce, 0xf4e1ac40,\n 0x6ae1068c, 0xbba0ebd0, 0x25a0411c, 0xc6a7ce92, 0x58a7645e,\n 0x41aea154, 0xdfae0b98, 0x3ca98416, 0xa2a92eda, 0x0ebb0e03,\n 0x90bba4cf, 0x73bc2b41, 0xedbc818d, 0xf4b54487, 0x6ab5ee4b,\n 0x89b261c5, 0x17b2cb09, 0x909150ac, 0x0e91fa60, 0xed9675ee,\n 0x7396df22, 0x6a9f1a28, 0xf49fb0e4, 0x17983f6a, 0x899895a6,\n 0x258ab57f, 0xbb8a1fb3, 0x588d903d, 0xc68d3af1, 0xdf84fffb,\n 0x41845537, 0xa283dab9, 0x3c837075, 0xda853b53, 0x4485919f,\n 0xa7821e11, 0x3982b4dd, 0x208b71d7, 0xbe8bdb1b, 0x5d8c5495,\n 0xc38cfe59, 0x6f9ede80, 0xf19e744c, 0x1299fbc2, 0x8c99510e,\n 0x95909404, 0x0b903ec8, 0xe897b146, 0x76971b8a, 0xf1b4802f,\n 0x6fb42ae3, 0x8cb3a56d, 0x12b30fa1, 0x0bbacaab, 0x95ba6067,\n 0x76bdefe9, 0xe8bd4525, 0x44af65fc, 0xdaafcf30, 0x39a840be,\n 0xa7a8ea72, 0xbea12f78, 0x20a185b4, 0xc3a60a3a, 0x5da6a0f6,\n 0x8ce74daa, 0x12e7e766, 0xf1e068e8, 0x6fe0c224, 0x76e9072e,\n 0xe8e9ade2, 0x0bee226c, 0x95ee88a0, 0x39fca879, 0xa7fc02b5,\n 0x44fb8d3b, 0xdafb27f7, 0xc3f2e2fd, 0x5df24831, 0xbef5c7bf,\n 0x20f56d73, 0xa7d6f6d6, 0x39d65c1a, 0xdad1d394, 0x44d17958,\n 0x5dd8bc52, 0xc3d8169e, 0x20df9910, 0xbedf33dc, 0x12cd1305,\n 0x8ccdb9c9, 0x6fca3647, 0xf1ca9c8b, 0xe8c35981, 0x76c3f34d,\n 0x95c47cc3, 0x0bc4d60f, 0x3747a67a, 0xa9470cb6, 0x4a408338,\n 0xd44029f4, 0xcd49ecfe, 0x53494632, 0xb04ec9bc, 0x2e4e6370,\n 0x825c43a9, 0x1c5ce965, 0xff5b66eb, 0x615bcc27, 0x7852092d,\n 0xe652a3e1, 0x05552c6f, 0x9b5586a3, 0x1c761d06, 0x8276b7ca,\n 0x61713844, 0xff719288, 0xe6785782, 0x7878fd4e, 0x9b7f72c0,\n 0x057fd80c, 0xa96df8d5, 0x376d5219, 0xd46add97, 0x4a6a775b,\n 0x5363b251, 0xcd63189d, 0x2e649713, 0xb0643ddf, 0x6125d083,\n 0xff257a4f, 0x1c22f5c1, 0x82225f0d, 0x9b2b9a07, 0x052b30cb,\n 0xe62cbf45, 0x782c1589, 0xd43e3550, 0x4a3e9f9c, 0xa9391012,\n 0x3739bade, 0x2e307fd4, 0xb030d518, 0x53375a96, 0xcd37f05a,\n 0x4a146bff, 0xd414c133, 0x37134ebd, 0xa913e471, 0xb01a217b,\n 0x2e1a8bb7, 0xcd1d0439, 0x531daef5, 0xff0f8e2c, 0x610f24e0,\n 0x8208ab6e, 0x1c0801a2, 0x0501c4a8, 0x9b016e64, 0x7806e1ea,\n 0xe6064b26}};\n\n#endif\n\n#endif\n\n#if N == 3\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0x81256527, 0xd93bcc0f, 0x581ea928, 0x69069e5f,\n 0xe823fb78, 0xb03d5250, 0x31183777, 0xd20d3cbe, 0x53285999,\n 0x0b36f0b1, 0x8a139596, 0xbb0ba2e1, 0x3a2ec7c6, 0x62306eee,\n 0xe3150bc9, 0x7f6b7f3d, 0xfe4e1a1a, 0xa650b332, 0x2775d615,\n 0x166de162, 0x97488445, 0xcf562d6d, 0x4e73484a, 0xad664383,\n 0x2c4326a4, 0x745d8f8c, 0xf578eaab, 0xc460dddc, 0x4545b8fb,\n 0x1d5b11d3, 0x9c7e74f4, 0xfed6fe7a, 0x7ff39b5d, 0x27ed3275,\n 0xa6c85752, 0x97d06025, 0x16f50502, 0x4eebac2a, 0xcfcec90d,\n 0x2cdbc2c4, 0xadfea7e3, 0xf5e00ecb, 0x74c56bec, 0x45dd5c9b,\n 0xc4f839bc, 0x9ce69094, 0x1dc3f5b3, 0x81bd8147, 0x0098e460,\n 0x58864d48, 0xd9a3286f, 0xe8bb1f18, 0x699e7a3f, 0x3180d317,\n 0xb0a5b630, 0x53b0bdf9, 0xd295d8de, 0x8a8b71f6, 0x0bae14d1,\n 0x3ab623a6, 0xbb934681, 0xe38defa9, 0x62a88a8e, 0x26dcfab5,\n 0xa7f99f92, 0xffe736ba, 0x7ec2539d, 0x4fda64ea, 0xceff01cd,\n 0x96e1a8e5, 0x17c4cdc2, 0xf4d1c60b, 0x75f4a32c, 0x2dea0a04,\n 0xaccf6f23, 0x9dd75854, 0x1cf23d73, 0x44ec945b, 0xc5c9f17c,\n 0x59b78588, 0xd892e0af, 0x808c4987, 0x01a92ca0, 0x30b11bd7,\n 0xb1947ef0, 0xe98ad7d8, 0x68afb2ff, 0x8bbab936, 0x0a9fdc11,\n 0x52817539, 0xd3a4101e, 0xe2bc2769, 0x6399424e, 0x3b87eb66,\n 0xbaa28e41, 0xd80a04cf, 0x592f61e8, 0x0131c8c0, 0x8014ade7,\n 0xb10c9a90, 0x3029ffb7, 0x6837569f, 0xe91233b8, 0x0a073871,\n 0x8b225d56, 0xd33cf47e, 0x52199159, 0x6301a62e, 0xe224c309,\n 0xba3a6a21, 0x3b1f0f06, 0xa7617bf2, 0x26441ed5, 0x7e5ab7fd,\n 0xff7fd2da, 0xce67e5ad, 0x4f42808a, 0x175c29a2, 0x96794c85,\n 0x756c474c, 0xf449226b, 0xac578b43, 0x2d72ee64, 0x1c6ad913,\n 0x9d4fbc34, 0xc551151c, 0x4474703b, 0x4db9f56a, 0xcc9c904d,\n 0x94823965, 0x15a75c42, 0x24bf6b35, 0xa59a0e12, 0xfd84a73a,\n 0x7ca1c21d, 0x9fb4c9d4, 0x1e91acf3, 0x468f05db, 0xc7aa60fc,\n 0xf6b2578b, 0x779732ac, 0x2f899b84, 0xaeacfea3, 0x32d28a57,\n 0xb3f7ef70, 0xebe94658, 0x6acc237f, 0x5bd41408, 0xdaf1712f,\n 0x82efd807, 0x03cabd20, 0xe0dfb6e9, 0x61fad3ce, 0x39e47ae6,\n 0xb8c11fc1, 0x89d928b6, 0x08fc4d91, 0x50e2e4b9, 0xd1c7819e,\n 0xb36f0b10, 0x324a6e37, 0x6a54c71f, 0xeb71a238, 0xda69954f,\n 0x5b4cf068, 0x03525940, 0x82773c67, 0x616237ae, 0xe0475289,\n 0xb859fba1, 0x397c9e86, 0x0864a9f1, 0x8941ccd6, 0xd15f65fe,\n 0x507a00d9, 0xcc04742d, 0x4d21110a, 0x153fb822, 0x941add05,\n 0xa502ea72, 0x24278f55, 0x7c39267d, 0xfd1c435a, 0x1e094893,\n 0x9f2c2db4, 0xc732849c, 0x4617e1bb, 0x770fd6cc, 0xf62ab3eb,\n 0xae341ac3, 0x2f117fe4, 0x6b650fdf, 0xea406af8, 0xb25ec3d0,\n 0x337ba6f7, 0x02639180, 0x8346f4a7, 0xdb585d8f, 0x5a7d38a8,\n 0xb9683361, 0x384d5646, 0x6053ff6e, 0xe1769a49, 0xd06ead3e,\n 0x514bc819, 0x09556131, 0x88700416, 0x140e70e2, 0x952b15c5,\n 0xcd35bced, 0x4c10d9ca, 0x7d08eebd, 0xfc2d8b9a, 0xa43322b2,\n 0x25164795, 0xc6034c5c, 0x4726297b, 0x1f388053, 0x9e1de574,\n 0xaf05d203, 0x2e20b724, 0x763e1e0c, 0xf71b7b2b, 0x95b3f1a5,\n 0x14969482, 0x4c883daa, 0xcdad588d, 0xfcb56ffa, 0x7d900add,\n 0x258ea3f5, 0xa4abc6d2, 0x47becd1b, 0xc69ba83c, 0x9e850114,\n 0x1fa06433, 0x2eb85344, 0xaf9d3663, 0xf7839f4b, 0x76a6fa6c,\n 0xead88e98, 0x6bfdebbf, 0x33e34297, 0xb2c627b0, 0x83de10c7,\n 0x02fb75e0, 0x5ae5dcc8, 0xdbc0b9ef, 0x38d5b226, 0xb9f0d701,\n 0xe1ee7e29, 0x60cb1b0e, 0x51d32c79, 0xd0f6495e, 0x88e8e076,\n 0x09cd8551},\n {0x00000000, 0x9b73ead4, 0xed96d3e9, 0x76e5393d, 0x005ca193,\n 0x9b2f4b47, 0xedca727a, 0x76b998ae, 0x00b94326, 0x9bcaa9f2,\n 0xed2f90cf, 0x765c7a1b, 0x00e5e2b5, 0x9b960861, 0xed73315c,\n 0x7600db88, 0x0172864c, 0x9a016c98, 0xece455a5, 0x7797bf71,\n 0x012e27df, 0x9a5dcd0b, 0xecb8f436, 0x77cb1ee2, 0x01cbc56a,\n 0x9ab82fbe, 0xec5d1683, 0x772efc57, 0x019764f9, 0x9ae48e2d,\n 0xec01b710, 0x77725dc4, 0x02e50c98, 0x9996e64c, 0xef73df71,\n 0x740035a5, 0x02b9ad0b, 0x99ca47df, 0xef2f7ee2, 0x745c9436,\n 0x025c4fbe, 0x992fa56a, 0xefca9c57, 0x74b97683, 0x0200ee2d,\n 0x997304f9, 0xef963dc4, 0x74e5d710, 0x03978ad4, 0x98e46000,\n 0xee01593d, 0x7572b3e9, 0x03cb2b47, 0x98b8c193, 0xee5df8ae,\n 0x752e127a, 0x032ec9f2, 0x985d2326, 0xeeb81a1b, 0x75cbf0cf,\n 0x03726861, 0x980182b5, 0xeee4bb88, 0x7597515c, 0x05ca1930,\n 0x9eb9f3e4, 0xe85ccad9, 0x732f200d, 0x0596b8a3, 0x9ee55277,\n 0xe8006b4a, 0x7373819e, 0x05735a16, 0x9e00b0c2, 0xe8e589ff,\n 0x7396632b, 0x052ffb85, 0x9e5c1151, 0xe8b9286c, 0x73cac2b8,\n 0x04b89f7c, 0x9fcb75a8, 0xe92e4c95, 0x725da641, 0x04e43eef,\n 0x9f97d43b, 0xe972ed06, 0x720107d2, 0x0401dc5a, 0x9f72368e,\n 0xe9970fb3, 0x72e4e567, 0x045d7dc9, 0x9f2e971d, 0xe9cbae20,\n 0x72b844f4, 0x072f15a8, 0x9c5cff7c, 0xeab9c641, 0x71ca2c95,\n 0x0773b43b, 0x9c005eef, 0xeae567d2, 0x71968d06, 0x0796568e,\n 0x9ce5bc5a, 0xea008567, 0x71736fb3, 0x07caf71d, 0x9cb91dc9,\n 0xea5c24f4, 0x712fce20, 0x065d93e4, 0x9d2e7930, 0xebcb400d,\n 0x70b8aad9, 0x06013277, 0x9d72d8a3, 0xeb97e19e, 0x70e40b4a,\n 0x06e4d0c2, 0x9d973a16, 0xeb72032b, 0x7001e9ff, 0x06b87151,\n 0x9dcb9b85, 0xeb2ea2b8, 0x705d486c, 0x0b943260, 0x90e7d8b4,\n 0xe602e189, 0x7d710b5d, 0x0bc893f3, 0x90bb7927, 0xe65e401a,\n 0x7d2daace, 0x0b2d7146, 0x905e9b92, 0xe6bba2af, 0x7dc8487b,\n 0x0b71d0d5, 0x90023a01, 0xe6e7033c, 0x7d94e9e8, 0x0ae6b42c,\n 0x91955ef8, 0xe77067c5, 0x7c038d11, 0x0aba15bf, 0x91c9ff6b,\n 0xe72cc656, 0x7c5f2c82, 0x0a5ff70a, 0x912c1dde, 0xe7c924e3,\n 0x7cbace37, 0x0a035699, 0x9170bc4d, 0xe7958570, 0x7ce66fa4,\n 0x09713ef8, 0x9202d42c, 0xe4e7ed11, 0x7f9407c5, 0x092d9f6b,\n 0x925e75bf, 0xe4bb4c82, 0x7fc8a656, 0x09c87dde, 0x92bb970a,\n 0xe45eae37, 0x7f2d44e3, 0x0994dc4d, 0x92e73699, 0xe4020fa4,\n 0x7f71e570, 0x0803b8b4, 0x93705260, 0xe5956b5d, 0x7ee68189,\n 0x085f1927, 0x932cf3f3, 0xe5c9cace, 0x7eba201a, 0x08bafb92,\n 0x93c91146, 0xe52c287b, 0x7e5fc2af, 0x08e65a01, 0x9395b0d5,\n 0xe57089e8, 0x7e03633c, 0x0e5e2b50, 0x952dc184, 0xe3c8f8b9,\n 0x78bb126d, 0x0e028ac3, 0x95716017, 0xe394592a, 0x78e7b3fe,\n 0x0ee76876, 0x959482a2, 0xe371bb9f, 0x7802514b, 0x0ebbc9e5,\n 0x95c82331, 0xe32d1a0c, 0x785ef0d8, 0x0f2cad1c, 0x945f47c8,\n 0xe2ba7ef5, 0x79c99421, 0x0f700c8f, 0x9403e65b, 0xe2e6df66,\n 0x799535b2, 0x0f95ee3a, 0x94e604ee, 0xe2033dd3, 0x7970d707,\n 0x0fc94fa9, 0x94baa57d, 0xe25f9c40, 0x792c7694, 0x0cbb27c8,\n 0x97c8cd1c, 0xe12df421, 0x7a5e1ef5, 0x0ce7865b, 0x97946c8f,\n 0xe17155b2, 0x7a02bf66, 0x0c0264ee, 0x97718e3a, 0xe194b707,\n 0x7ae75dd3, 0x0c5ec57d, 0x972d2fa9, 0xe1c81694, 0x7abbfc40,\n 0x0dc9a184, 0x96ba4b50, 0xe05f726d, 0x7b2c98b9, 0x0d950017,\n 0x96e6eac3, 0xe003d3fe, 0x7b70392a, 0x0d70e2a2, 0x96030876,\n 0xe0e6314b, 0x7b95db9f, 0x0d2c4331, 0x965fa9e5, 0xe0ba90d8,\n 0x7bc97a0c},\n {0x00000000, 0x172864c0, 0x2e50c980, 0x3978ad40, 0x5ca19300,\n 0x4b89f7c0, 0x72f15a80, 0x65d93e40, 0xb9432600, 0xae6b42c0,\n 0x9713ef80, 0x803b8b40, 0xe5e2b500, 0xf2cad1c0, 0xcbb27c80,\n 0xdc9a1840, 0xa9f74a41, 0xbedf2e81, 0x87a783c1, 0x908fe701,\n 0xf556d941, 0xe27ebd81, 0xdb0610c1, 0xcc2e7401, 0x10b46c41,\n 0x079c0881, 0x3ee4a5c1, 0x29ccc101, 0x4c15ff41, 0x5b3d9b81,\n 0x624536c1, 0x756d5201, 0x889f92c3, 0x9fb7f603, 0xa6cf5b43,\n 0xb1e73f83, 0xd43e01c3, 0xc3166503, 0xfa6ec843, 0xed46ac83,\n 0x31dcb4c3, 0x26f4d003, 0x1f8c7d43, 0x08a41983, 0x6d7d27c3,\n 0x7a554303, 0x432dee43, 0x54058a83, 0x2168d882, 0x3640bc42,\n 0x0f381102, 0x181075c2, 0x7dc94b82, 0x6ae12f42, 0x53998202,\n 0x44b1e6c2, 0x982bfe82, 0x8f039a42, 0xb67b3702, 0xa15353c2,\n 0xc48a6d82, 0xd3a20942, 0xeadaa402, 0xfdf2c0c2, 0xca4e23c7,\n 0xdd664707, 0xe41eea47, 0xf3368e87, 0x96efb0c7, 0x81c7d407,\n 0xb8bf7947, 0xaf971d87, 0x730d05c7, 0x64256107, 0x5d5dcc47,\n 0x4a75a887, 0x2fac96c7, 0x3884f207, 0x01fc5f47, 0x16d43b87,\n 0x63b96986, 0x74910d46, 0x4de9a006, 0x5ac1c4c6, 0x3f18fa86,\n 0x28309e46, 0x11483306, 0x066057c6, 0xdafa4f86, 0xcdd22b46,\n 0xf4aa8606, 0xe382e2c6, 0x865bdc86, 0x9173b846, 0xa80b1506,\n 0xbf2371c6, 0x42d1b104, 0x55f9d5c4, 0x6c817884, 0x7ba91c44,\n 0x1e702204, 0x095846c4, 0x3020eb84, 0x27088f44, 0xfb929704,\n 0xecbaf3c4, 0xd5c25e84, 0xc2ea3a44, 0xa7330404, 0xb01b60c4,\n 0x8963cd84, 0x9e4ba944, 0xeb26fb45, 0xfc0e9f85, 0xc57632c5,\n 0xd25e5605, 0xb7876845, 0xa0af0c85, 0x99d7a1c5, 0x8effc505,\n 0x5265dd45, 0x454db985, 0x7c3514c5, 0x6b1d7005, 0x0ec44e45,\n 0x19ec2a85, 0x209487c5, 0x37bce305, 0x4fed41cf, 0x58c5250f,\n 0x61bd884f, 0x7695ec8f, 0x134cd2cf, 0x0464b60f, 0x3d1c1b4f,\n 0x2a347f8f, 0xf6ae67cf, 0xe186030f, 0xd8feae4f, 0xcfd6ca8f,\n 0xaa0ff4cf, 0xbd27900f, 0x845f3d4f, 0x9377598f, 0xe61a0b8e,\n 0xf1326f4e, 0xc84ac20e, 0xdf62a6ce, 0xbabb988e, 0xad93fc4e,\n 0x94eb510e, 0x83c335ce, 0x5f592d8e, 0x4871494e, 0x7109e40e,\n 0x662180ce, 0x03f8be8e, 0x14d0da4e, 0x2da8770e, 0x3a8013ce,\n 0xc772d30c, 0xd05ab7cc, 0xe9221a8c, 0xfe0a7e4c, 0x9bd3400c,\n 0x8cfb24cc, 0xb583898c, 0xa2abed4c, 0x7e31f50c, 0x691991cc,\n 0x50613c8c, 0x4749584c, 0x2290660c, 0x35b802cc, 0x0cc0af8c,\n 0x1be8cb4c, 0x6e85994d, 0x79adfd8d, 0x40d550cd, 0x57fd340d,\n 0x32240a4d, 0x250c6e8d, 0x1c74c3cd, 0x0b5ca70d, 0xd7c6bf4d,\n 0xc0eedb8d, 0xf99676cd, 0xeebe120d, 0x8b672c4d, 0x9c4f488d,\n 0xa537e5cd, 0xb21f810d, 0x85a36208, 0x928b06c8, 0xabf3ab88,\n 0xbcdbcf48, 0xd902f108, 0xce2a95c8, 0xf7523888, 0xe07a5c48,\n 0x3ce04408, 0x2bc820c8, 0x12b08d88, 0x0598e948, 0x6041d708,\n 0x7769b3c8, 0x4e111e88, 0x59397a48, 0x2c542849, 0x3b7c4c89,\n 0x0204e1c9, 0x152c8509, 0x70f5bb49, 0x67dddf89, 0x5ea572c9,\n 0x498d1609, 0x95170e49, 0x823f6a89, 0xbb47c7c9, 0xac6fa309,\n 0xc9b69d49, 0xde9ef989, 0xe7e654c9, 0xf0ce3009, 0x0d3cf0cb,\n 0x1a14940b, 0x236c394b, 0x34445d8b, 0x519d63cb, 0x46b5070b,\n 0x7fcdaa4b, 0x68e5ce8b, 0xb47fd6cb, 0xa357b20b, 0x9a2f1f4b,\n 0x8d077b8b, 0xe8de45cb, 0xfff6210b, 0xc68e8c4b, 0xd1a6e88b,\n 0xa4cbba8a, 0xb3e3de4a, 0x8a9b730a, 0x9db317ca, 0xf86a298a,\n 0xef424d4a, 0xd63ae00a, 0xc11284ca, 0x1d889c8a, 0x0aa0f84a,\n 0x33d8550a, 0x24f031ca, 0x41290f8a, 0x56016b4a, 0x6f79c60a,\n 0x7851a2ca},\n {0x00000000, 0x9fda839e, 0xe4c4017d, 0x7b1e82e3, 0x12f904bb,\n 0x8d238725, 0xf63d05c6, 0x69e78658, 0x25f20976, 0xba288ae8,\n 0xc136080b, 0x5eec8b95, 0x370b0dcd, 0xa8d18e53, 0xd3cf0cb0,\n 0x4c158f2e, 0x4be412ec, 0xd43e9172, 0xaf201391, 0x30fa900f,\n 0x591d1657, 0xc6c795c9, 0xbdd9172a, 0x220394b4, 0x6e161b9a,\n 0xf1cc9804, 0x8ad21ae7, 0x15089979, 0x7cef1f21, 0xe3359cbf,\n 0x982b1e5c, 0x07f19dc2, 0x97c825d8, 0x0812a646, 0x730c24a5,\n 0xecd6a73b, 0x85312163, 0x1aeba2fd, 0x61f5201e, 0xfe2fa380,\n 0xb23a2cae, 0x2de0af30, 0x56fe2dd3, 0xc924ae4d, 0xa0c32815,\n 0x3f19ab8b, 0x44072968, 0xdbddaaf6, 0xdc2c3734, 0x43f6b4aa,\n 0x38e83649, 0xa732b5d7, 0xced5338f, 0x510fb011, 0x2a1132f2,\n 0xb5cbb16c, 0xf9de3e42, 0x6604bddc, 0x1d1a3f3f, 0x82c0bca1,\n 0xeb273af9, 0x74fdb967, 0x0fe33b84, 0x9039b81a, 0xf4e14df1,\n 0x6b3bce6f, 0x10254c8c, 0x8fffcf12, 0xe618494a, 0x79c2cad4,\n 0x02dc4837, 0x9d06cba9, 0xd1134487, 0x4ec9c719, 0x35d745fa,\n 0xaa0dc664, 0xc3ea403c, 0x5c30c3a2, 0x272e4141, 0xb8f4c2df,\n 0xbf055f1d, 0x20dfdc83, 0x5bc15e60, 0xc41bddfe, 0xadfc5ba6,\n 0x3226d838, 0x49385adb, 0xd6e2d945, 0x9af7566b, 0x052dd5f5,\n 0x7e335716, 0xe1e9d488, 0x880e52d0, 0x17d4d14e, 0x6cca53ad,\n 0xf310d033, 0x63296829, 0xfcf3ebb7, 0x87ed6954, 0x1837eaca,\n 0x71d06c92, 0xee0aef0c, 0x95146def, 0x0aceee71, 0x46db615f,\n 0xd901e2c1, 0xa21f6022, 0x3dc5e3bc, 0x542265e4, 0xcbf8e67a,\n 0xb0e66499, 0x2f3ce707, 0x28cd7ac5, 0xb717f95b, 0xcc097bb8,\n 0x53d3f826, 0x3a347e7e, 0xa5eefde0, 0xdef07f03, 0x412afc9d,\n 0x0d3f73b3, 0x92e5f02d, 0xe9fb72ce, 0x7621f150, 0x1fc67708,\n 0x801cf496, 0xfb027675, 0x64d8f5eb, 0x32b39da3, 0xad691e3d,\n 0xd6779cde, 0x49ad1f40, 0x204a9918, 0xbf901a86, 0xc48e9865,\n 0x5b541bfb, 0x174194d5, 0x889b174b, 0xf38595a8, 0x6c5f1636,\n 0x05b8906e, 0x9a6213f0, 0xe17c9113, 0x7ea6128d, 0x79578f4f,\n 0xe68d0cd1, 0x9d938e32, 0x02490dac, 0x6bae8bf4, 0xf474086a,\n 0x8f6a8a89, 0x10b00917, 0x5ca58639, 0xc37f05a7, 0xb8618744,\n 0x27bb04da, 0x4e5c8282, 0xd186011c, 0xaa9883ff, 0x35420061,\n 0xa57bb87b, 0x3aa13be5, 0x41bfb906, 0xde653a98, 0xb782bcc0,\n 0x28583f5e, 0x5346bdbd, 0xcc9c3e23, 0x8089b10d, 0x1f533293,\n 0x644db070, 0xfb9733ee, 0x9270b5b6, 0x0daa3628, 0x76b4b4cb,\n 0xe96e3755, 0xee9faa97, 0x71452909, 0x0a5babea, 0x95812874,\n 0xfc66ae2c, 0x63bc2db2, 0x18a2af51, 0x87782ccf, 0xcb6da3e1,\n 0x54b7207f, 0x2fa9a29c, 0xb0732102, 0xd994a75a, 0x464e24c4,\n 0x3d50a627, 0xa28a25b9, 0xc652d052, 0x598853cc, 0x2296d12f,\n 0xbd4c52b1, 0xd4abd4e9, 0x4b715777, 0x306fd594, 0xafb5560a,\n 0xe3a0d924, 0x7c7a5aba, 0x0764d859, 0x98be5bc7, 0xf159dd9f,\n 0x6e835e01, 0x159ddce2, 0x8a475f7c, 0x8db6c2be, 0x126c4120,\n 0x6972c3c3, 0xf6a8405d, 0x9f4fc605, 0x0095459b, 0x7b8bc778,\n 0xe45144e6, 0xa844cbc8, 0x379e4856, 0x4c80cab5, 0xd35a492b,\n 0xbabdcf73, 0x25674ced, 0x5e79ce0e, 0xc1a34d90, 0x519af58a,\n 0xce407614, 0xb55ef4f7, 0x2a847769, 0x4363f131, 0xdcb972af,\n 0xa7a7f04c, 0x387d73d2, 0x7468fcfc, 0xebb27f62, 0x90acfd81,\n 0x0f767e1f, 0x6691f847, 0xf94b7bd9, 0x8255f93a, 0x1d8f7aa4,\n 0x1a7ee766, 0x85a464f8, 0xfebae61b, 0x61606585, 0x0887e3dd,\n 0x975d6043, 0xec43e2a0, 0x7399613e, 0x3f8cee10, 0xa0566d8e,\n 0xdb48ef6d, 0x44926cf3, 0x2d75eaab, 0xb2af6935, 0xc9b1ebd6,\n 0x566b6848},\n {0x00000000, 0x65673b46, 0xcace768c, 0xafa94dca, 0x4eedeb59,\n 0x2b8ad01f, 0x84239dd5, 0xe144a693, 0x9ddbd6b2, 0xf8bcedf4,\n 0x5715a03e, 0x32729b78, 0xd3363deb, 0xb65106ad, 0x19f84b67,\n 0x7c9f7021, 0xe0c6ab25, 0x85a19063, 0x2a08dda9, 0x4f6fe6ef,\n 0xae2b407c, 0xcb4c7b3a, 0x64e536f0, 0x01820db6, 0x7d1d7d97,\n 0x187a46d1, 0xb7d30b1b, 0xd2b4305d, 0x33f096ce, 0x5697ad88,\n 0xf93ee042, 0x9c59db04, 0x1afc500b, 0x7f9b6b4d, 0xd0322687,\n 0xb5551dc1, 0x5411bb52, 0x31768014, 0x9edfcdde, 0xfbb8f698,\n 0x872786b9, 0xe240bdff, 0x4de9f035, 0x288ecb73, 0xc9ca6de0,\n 0xacad56a6, 0x03041b6c, 0x6663202a, 0xfa3afb2e, 0x9f5dc068,\n 0x30f48da2, 0x5593b6e4, 0xb4d71077, 0xd1b02b31, 0x7e1966fb,\n 0x1b7e5dbd, 0x67e12d9c, 0x028616da, 0xad2f5b10, 0xc8486056,\n 0x290cc6c5, 0x4c6bfd83, 0xe3c2b049, 0x86a58b0f, 0x35f8a016,\n 0x509f9b50, 0xff36d69a, 0x9a51eddc, 0x7b154b4f, 0x1e727009,\n 0xb1db3dc3, 0xd4bc0685, 0xa82376a4, 0xcd444de2, 0x62ed0028,\n 0x078a3b6e, 0xe6ce9dfd, 0x83a9a6bb, 0x2c00eb71, 0x4967d037,\n 0xd53e0b33, 0xb0593075, 0x1ff07dbf, 0x7a9746f9, 0x9bd3e06a,\n 0xfeb4db2c, 0x511d96e6, 0x347aada0, 0x48e5dd81, 0x2d82e6c7,\n 0x822bab0d, 0xe74c904b, 0x060836d8, 0x636f0d9e, 0xccc64054,\n 0xa9a17b12, 0x2f04f01d, 0x4a63cb5b, 0xe5ca8691, 0x80adbdd7,\n 0x61e91b44, 0x048e2002, 0xab276dc8, 0xce40568e, 0xb2df26af,\n 0xd7b81de9, 0x78115023, 0x1d766b65, 0xfc32cdf6, 0x9955f6b0,\n 0x36fcbb7a, 0x539b803c, 0xcfc25b38, 0xaaa5607e, 0x050c2db4,\n 0x606b16f2, 0x812fb061, 0xe4488b27, 0x4be1c6ed, 0x2e86fdab,\n 0x52198d8a, 0x377eb6cc, 0x98d7fb06, 0xfdb0c040, 0x1cf466d3,\n 0x79935d95, 0xd63a105f, 0xb35d2b19, 0x6bf1402c, 0x0e967b6a,\n 0xa13f36a0, 0xc4580de6, 0x251cab75, 0x407b9033, 0xefd2ddf9,\n 0x8ab5e6bf, 0xf62a969e, 0x934dadd8, 0x3ce4e012, 0x5983db54,\n 0xb8c77dc7, 0xdda04681, 0x72090b4b, 0x176e300d, 0x8b37eb09,\n 0xee50d04f, 0x41f99d85, 0x249ea6c3, 0xc5da0050, 0xa0bd3b16,\n 0x0f1476dc, 0x6a734d9a, 0x16ec3dbb, 0x738b06fd, 0xdc224b37,\n 0xb9457071, 0x5801d6e2, 0x3d66eda4, 0x92cfa06e, 0xf7a89b28,\n 0x710d1027, 0x146a2b61, 0xbbc366ab, 0xdea45ded, 0x3fe0fb7e,\n 0x5a87c038, 0xf52e8df2, 0x9049b6b4, 0xecd6c695, 0x89b1fdd3,\n 0x2618b019, 0x437f8b5f, 0xa23b2dcc, 0xc75c168a, 0x68f55b40,\n 0x0d926006, 0x91cbbb02, 0xf4ac8044, 0x5b05cd8e, 0x3e62f6c8,\n 0xdf26505b, 0xba416b1d, 0x15e826d7, 0x708f1d91, 0x0c106db0,\n 0x697756f6, 0xc6de1b3c, 0xa3b9207a, 0x42fd86e9, 0x279abdaf,\n 0x8833f065, 0xed54cb23, 0x5e09e03a, 0x3b6edb7c, 0x94c796b6,\n 0xf1a0adf0, 0x10e40b63, 0x75833025, 0xda2a7def, 0xbf4d46a9,\n 0xc3d23688, 0xa6b50dce, 0x091c4004, 0x6c7b7b42, 0x8d3fddd1,\n 0xe858e697, 0x47f1ab5d, 0x2296901b, 0xbecf4b1f, 0xdba87059,\n 0x74013d93, 0x116606d5, 0xf022a046, 0x95459b00, 0x3aecd6ca,\n 0x5f8bed8c, 0x23149dad, 0x4673a6eb, 0xe9daeb21, 0x8cbdd067,\n 0x6df976f4, 0x089e4db2, 0xa7370078, 0xc2503b3e, 0x44f5b031,\n 0x21928b77, 0x8e3bc6bd, 0xeb5cfdfb, 0x0a185b68, 0x6f7f602e,\n 0xc0d62de4, 0xa5b116a2, 0xd92e6683, 0xbc495dc5, 0x13e0100f,\n 0x76872b49, 0x97c38dda, 0xf2a4b69c, 0x5d0dfb56, 0x386ac010,\n 0xa4331b14, 0xc1542052, 0x6efd6d98, 0x0b9a56de, 0xeadef04d,\n 0x8fb9cb0b, 0x201086c1, 0x4577bd87, 0x39e8cda6, 0x5c8ff6e0,\n 0xf326bb2a, 0x9641806c, 0x770526ff, 0x12621db9, 0xbdcb5073,\n 0xd8ac6b35},\n {0x00000000, 0xd7e28058, 0x74b406f1, 0xa35686a9, 0xe9680de2,\n 0x3e8a8dba, 0x9ddc0b13, 0x4a3e8b4b, 0x09a11d85, 0xde439ddd,\n 0x7d151b74, 0xaaf79b2c, 0xe0c91067, 0x372b903f, 0x947d1696,\n 0x439f96ce, 0x13423b0a, 0xc4a0bb52, 0x67f63dfb, 0xb014bda3,\n 0xfa2a36e8, 0x2dc8b6b0, 0x8e9e3019, 0x597cb041, 0x1ae3268f,\n 0xcd01a6d7, 0x6e57207e, 0xb9b5a026, 0xf38b2b6d, 0x2469ab35,\n 0x873f2d9c, 0x50ddadc4, 0x26847614, 0xf166f64c, 0x523070e5,\n 0x85d2f0bd, 0xcfec7bf6, 0x180efbae, 0xbb587d07, 0x6cbafd5f,\n 0x2f256b91, 0xf8c7ebc9, 0x5b916d60, 0x8c73ed38, 0xc64d6673,\n 0x11afe62b, 0xb2f96082, 0x651be0da, 0x35c64d1e, 0xe224cd46,\n 0x41724bef, 0x9690cbb7, 0xdcae40fc, 0x0b4cc0a4, 0xa81a460d,\n 0x7ff8c655, 0x3c67509b, 0xeb85d0c3, 0x48d3566a, 0x9f31d632,\n 0xd50f5d79, 0x02eddd21, 0xa1bb5b88, 0x7659dbd0, 0x4d08ec28,\n 0x9aea6c70, 0x39bcead9, 0xee5e6a81, 0xa460e1ca, 0x73826192,\n 0xd0d4e73b, 0x07366763, 0x44a9f1ad, 0x934b71f5, 0x301df75c,\n 0xe7ff7704, 0xadc1fc4f, 0x7a237c17, 0xd975fabe, 0x0e977ae6,\n 0x5e4ad722, 0x89a8577a, 0x2afed1d3, 0xfd1c518b, 0xb722dac0,\n 0x60c05a98, 0xc396dc31, 0x14745c69, 0x57ebcaa7, 0x80094aff,\n 0x235fcc56, 0xf4bd4c0e, 0xbe83c745, 0x6961471d, 0xca37c1b4,\n 0x1dd541ec, 0x6b8c9a3c, 0xbc6e1a64, 0x1f389ccd, 0xc8da1c95,\n 0x82e497de, 0x55061786, 0xf650912f, 0x21b21177, 0x622d87b9,\n 0xb5cf07e1, 0x16998148, 0xc17b0110, 0x8b458a5b, 0x5ca70a03,\n 0xfff18caa, 0x28130cf2, 0x78cea136, 0xaf2c216e, 0x0c7aa7c7,\n 0xdb98279f, 0x91a6acd4, 0x46442c8c, 0xe512aa25, 0x32f02a7d,\n 0x716fbcb3, 0xa68d3ceb, 0x05dbba42, 0xd2393a1a, 0x9807b151,\n 0x4fe53109, 0xecb3b7a0, 0x3b5137f8, 0x9a11d850, 0x4df35808,\n 0xeea5dea1, 0x39475ef9, 0x7379d5b2, 0xa49b55ea, 0x07cdd343,\n 0xd02f531b, 0x93b0c5d5, 0x4452458d, 0xe704c324, 0x30e6437c,\n 0x7ad8c837, 0xad3a486f, 0x0e6ccec6, 0xd98e4e9e, 0x8953e35a,\n 0x5eb16302, 0xfde7e5ab, 0x2a0565f3, 0x603beeb8, 0xb7d96ee0,\n 0x148fe849, 0xc36d6811, 0x80f2fedf, 0x57107e87, 0xf446f82e,\n 0x23a47876, 0x699af33d, 0xbe787365, 0x1d2ef5cc, 0xcacc7594,\n 0xbc95ae44, 0x6b772e1c, 0xc821a8b5, 0x1fc328ed, 0x55fda3a6,\n 0x821f23fe, 0x2149a557, 0xf6ab250f, 0xb534b3c1, 0x62d63399,\n 0xc180b530, 0x16623568, 0x5c5cbe23, 0x8bbe3e7b, 0x28e8b8d2,\n 0xff0a388a, 0xafd7954e, 0x78351516, 0xdb6393bf, 0x0c8113e7,\n 0x46bf98ac, 0x915d18f4, 0x320b9e5d, 0xe5e91e05, 0xa67688cb,\n 0x71940893, 0xd2c28e3a, 0x05200e62, 0x4f1e8529, 0x98fc0571,\n 0x3baa83d8, 0xec480380, 0xd7193478, 0x00fbb420, 0xa3ad3289,\n 0x744fb2d1, 0x3e71399a, 0xe993b9c2, 0x4ac53f6b, 0x9d27bf33,\n 0xdeb829fd, 0x095aa9a5, 0xaa0c2f0c, 0x7deeaf54, 0x37d0241f,\n 0xe032a447, 0x436422ee, 0x9486a2b6, 0xc45b0f72, 0x13b98f2a,\n 0xb0ef0983, 0x670d89db, 0x2d330290, 0xfad182c8, 0x59870461,\n 0x8e658439, 0xcdfa12f7, 0x1a1892af, 0xb94e1406, 0x6eac945e,\n 0x24921f15, 0xf3709f4d, 0x502619e4, 0x87c499bc, 0xf19d426c,\n 0x267fc234, 0x8529449d, 0x52cbc4c5, 0x18f54f8e, 0xcf17cfd6,\n 0x6c41497f, 0xbba3c927, 0xf83c5fe9, 0x2fdedfb1, 0x8c885918,\n 0x5b6ad940, 0x1154520b, 0xc6b6d253, 0x65e054fa, 0xb202d4a2,\n 0xe2df7966, 0x353df93e, 0x966b7f97, 0x4189ffcf, 0x0bb77484,\n 0xdc55f4dc, 0x7f037275, 0xa8e1f22d, 0xeb7e64e3, 0x3c9ce4bb,\n 0x9fca6212, 0x4828e24a, 0x02166901, 0xd5f4e959, 0x76a26ff0,\n 0xa140efa8},\n {0x00000000, 0xef52b6e1, 0x05d46b83, 0xea86dd62, 0x0ba8d706,\n 0xe4fa61e7, 0x0e7cbc85, 0xe12e0a64, 0x1751ae0c, 0xf80318ed,\n 0x1285c58f, 0xfdd7736e, 0x1cf9790a, 0xf3abcfeb, 0x192d1289,\n 0xf67fa468, 0x2ea35c18, 0xc1f1eaf9, 0x2b77379b, 0xc425817a,\n 0x250b8b1e, 0xca593dff, 0x20dfe09d, 0xcf8d567c, 0x39f2f214,\n 0xd6a044f5, 0x3c269997, 0xd3742f76, 0x325a2512, 0xdd0893f3,\n 0x378e4e91, 0xd8dcf870, 0x5d46b830, 0xb2140ed1, 0x5892d3b3,\n 0xb7c06552, 0x56ee6f36, 0xb9bcd9d7, 0x533a04b5, 0xbc68b254,\n 0x4a17163c, 0xa545a0dd, 0x4fc37dbf, 0xa091cb5e, 0x41bfc13a,\n 0xaeed77db, 0x446baab9, 0xab391c58, 0x73e5e428, 0x9cb752c9,\n 0x76318fab, 0x9963394a, 0x784d332e, 0x971f85cf, 0x7d9958ad,\n 0x92cbee4c, 0x64b44a24, 0x8be6fcc5, 0x616021a7, 0x8e329746,\n 0x6f1c9d22, 0x804e2bc3, 0x6ac8f6a1, 0x859a4040, 0xba8d7060,\n 0x55dfc681, 0xbf591be3, 0x500bad02, 0xb125a766, 0x5e771187,\n 0xb4f1cce5, 0x5ba37a04, 0xaddcde6c, 0x428e688d, 0xa808b5ef,\n 0x475a030e, 0xa674096a, 0x4926bf8b, 0xa3a062e9, 0x4cf2d408,\n 0x942e2c78, 0x7b7c9a99, 0x91fa47fb, 0x7ea8f11a, 0x9f86fb7e,\n 0x70d44d9f, 0x9a5290fd, 0x7500261c, 0x837f8274, 0x6c2d3495,\n 0x86abe9f7, 0x69f95f16, 0x88d75572, 0x6785e393, 0x8d033ef1,\n 0x62518810, 0xe7cbc850, 0x08997eb1, 0xe21fa3d3, 0x0d4d1532,\n 0xec631f56, 0x0331a9b7, 0xe9b774d5, 0x06e5c234, 0xf09a665c,\n 0x1fc8d0bd, 0xf54e0ddf, 0x1a1cbb3e, 0xfb32b15a, 0x146007bb,\n 0xfee6dad9, 0x11b46c38, 0xc9689448, 0x263a22a9, 0xccbcffcb,\n 0x23ee492a, 0xc2c0434e, 0x2d92f5af, 0xc71428cd, 0x28469e2c,\n 0xde393a44, 0x316b8ca5, 0xdbed51c7, 0x34bfe726, 0xd591ed42,\n 0x3ac35ba3, 0xd04586c1, 0x3f173020, 0xae6be681, 0x41395060,\n 0xabbf8d02, 0x44ed3be3, 0xa5c33187, 0x4a918766, 0xa0175a04,\n 0x4f45ece5, 0xb93a488d, 0x5668fe6c, 0xbcee230e, 0x53bc95ef,\n 0xb2929f8b, 0x5dc0296a, 0xb746f408, 0x581442e9, 0x80c8ba99,\n 0x6f9a0c78, 0x851cd11a, 0x6a4e67fb, 0x8b606d9f, 0x6432db7e,\n 0x8eb4061c, 0x61e6b0fd, 0x97991495, 0x78cba274, 0x924d7f16,\n 0x7d1fc9f7, 0x9c31c393, 0x73637572, 0x99e5a810, 0x76b71ef1,\n 0xf32d5eb1, 0x1c7fe850, 0xf6f93532, 0x19ab83d3, 0xf88589b7,\n 0x17d73f56, 0xfd51e234, 0x120354d5, 0xe47cf0bd, 0x0b2e465c,\n 0xe1a89b3e, 0x0efa2ddf, 0xefd427bb, 0x0086915a, 0xea004c38,\n 0x0552fad9, 0xdd8e02a9, 0x32dcb448, 0xd85a692a, 0x3708dfcb,\n 0xd626d5af, 0x3974634e, 0xd3f2be2c, 0x3ca008cd, 0xcadfaca5,\n 0x258d1a44, 0xcf0bc726, 0x205971c7, 0xc1777ba3, 0x2e25cd42,\n 0xc4a31020, 0x2bf1a6c1, 0x14e696e1, 0xfbb42000, 0x1132fd62,\n 0xfe604b83, 0x1f4e41e7, 0xf01cf706, 0x1a9a2a64, 0xf5c89c85,\n 0x03b738ed, 0xece58e0c, 0x0663536e, 0xe931e58f, 0x081fefeb,\n 0xe74d590a, 0x0dcb8468, 0xe2993289, 0x3a45caf9, 0xd5177c18,\n 0x3f91a17a, 0xd0c3179b, 0x31ed1dff, 0xdebfab1e, 0x3439767c,\n 0xdb6bc09d, 0x2d1464f5, 0xc246d214, 0x28c00f76, 0xc792b997,\n 0x26bcb3f3, 0xc9ee0512, 0x2368d870, 0xcc3a6e91, 0x49a02ed1,\n 0xa6f29830, 0x4c744552, 0xa326f3b3, 0x4208f9d7, 0xad5a4f36,\n 0x47dc9254, 0xa88e24b5, 0x5ef180dd, 0xb1a3363c, 0x5b25eb5e,\n 0xb4775dbf, 0x555957db, 0xba0be13a, 0x508d3c58, 0xbfdf8ab9,\n 0x670372c9, 0x8851c428, 0x62d7194a, 0x8d85afab, 0x6caba5cf,\n 0x83f9132e, 0x697fce4c, 0x862d78ad, 0x7052dcc5, 0x9f006a24,\n 0x7586b746, 0x9ad401a7, 0x7bfa0bc3, 0x94a8bd22, 0x7e2e6040,\n 0x917cd6a1},\n {0x00000000, 0x87a6cb43, 0xd43c90c7, 0x539a5b84, 0x730827cf,\n 0xf4aeec8c, 0xa734b708, 0x20927c4b, 0xe6104f9e, 0x61b684dd,\n 0x322cdf59, 0xb58a141a, 0x95186851, 0x12bea312, 0x4124f896,\n 0xc68233d5, 0x1751997d, 0x90f7523e, 0xc36d09ba, 0x44cbc2f9,\n 0x6459beb2, 0xe3ff75f1, 0xb0652e75, 0x37c3e536, 0xf141d6e3,\n 0x76e71da0, 0x257d4624, 0xa2db8d67, 0x8249f12c, 0x05ef3a6f,\n 0x567561eb, 0xd1d3aaa8, 0x2ea332fa, 0xa905f9b9, 0xfa9fa23d,\n 0x7d39697e, 0x5dab1535, 0xda0dde76, 0x899785f2, 0x0e314eb1,\n 0xc8b37d64, 0x4f15b627, 0x1c8feda3, 0x9b2926e0, 0xbbbb5aab,\n 0x3c1d91e8, 0x6f87ca6c, 0xe821012f, 0x39f2ab87, 0xbe5460c4,\n 0xedce3b40, 0x6a68f003, 0x4afa8c48, 0xcd5c470b, 0x9ec61c8f,\n 0x1960d7cc, 0xdfe2e419, 0x58442f5a, 0x0bde74de, 0x8c78bf9d,\n 0xaceac3d6, 0x2b4c0895, 0x78d65311, 0xff709852, 0x5d4665f4,\n 0xdae0aeb7, 0x897af533, 0x0edc3e70, 0x2e4e423b, 0xa9e88978,\n 0xfa72d2fc, 0x7dd419bf, 0xbb562a6a, 0x3cf0e129, 0x6f6abaad,\n 0xe8cc71ee, 0xc85e0da5, 0x4ff8c6e6, 0x1c629d62, 0x9bc45621,\n 0x4a17fc89, 0xcdb137ca, 0x9e2b6c4e, 0x198da70d, 0x391fdb46,\n 0xbeb91005, 0xed234b81, 0x6a8580c2, 0xac07b317, 0x2ba17854,\n 0x783b23d0, 0xff9de893, 0xdf0f94d8, 0x58a95f9b, 0x0b33041f,\n 0x8c95cf5c, 0x73e5570e, 0xf4439c4d, 0xa7d9c7c9, 0x207f0c8a,\n 0x00ed70c1, 0x874bbb82, 0xd4d1e006, 0x53772b45, 0x95f51890,\n 0x1253d3d3, 0x41c98857, 0xc66f4314, 0xe6fd3f5f, 0x615bf41c,\n 0x32c1af98, 0xb56764db, 0x64b4ce73, 0xe3120530, 0xb0885eb4,\n 0x372e95f7, 0x17bce9bc, 0x901a22ff, 0xc380797b, 0x4426b238,\n 0x82a481ed, 0x05024aae, 0x5698112a, 0xd13eda69, 0xf1aca622,\n 0x760a6d61, 0x259036e5, 0xa236fda6, 0xba8ccbe8, 0x3d2a00ab,\n 0x6eb05b2f, 0xe916906c, 0xc984ec27, 0x4e222764, 0x1db87ce0,\n 0x9a1eb7a3, 0x5c9c8476, 0xdb3a4f35, 0x88a014b1, 0x0f06dff2,\n 0x2f94a3b9, 0xa83268fa, 0xfba8337e, 0x7c0ef83d, 0xaddd5295,\n 0x2a7b99d6, 0x79e1c252, 0xfe470911, 0xded5755a, 0x5973be19,\n 0x0ae9e59d, 0x8d4f2ede, 0x4bcd1d0b, 0xcc6bd648, 0x9ff18dcc,\n 0x1857468f, 0x38c53ac4, 0xbf63f187, 0xecf9aa03, 0x6b5f6140,\n 0x942ff912, 0x13893251, 0x401369d5, 0xc7b5a296, 0xe727dedd,\n 0x6081159e, 0x331b4e1a, 0xb4bd8559, 0x723fb68c, 0xf5997dcf,\n 0xa603264b, 0x21a5ed08, 0x01379143, 0x86915a00, 0xd50b0184,\n 0x52adcac7, 0x837e606f, 0x04d8ab2c, 0x5742f0a8, 0xd0e43beb,\n 0xf07647a0, 0x77d08ce3, 0x244ad767, 0xa3ec1c24, 0x656e2ff1,\n 0xe2c8e4b2, 0xb152bf36, 0x36f47475, 0x1666083e, 0x91c0c37d,\n 0xc25a98f9, 0x45fc53ba, 0xe7caae1c, 0x606c655f, 0x33f63edb,\n 0xb450f598, 0x94c289d3, 0x13644290, 0x40fe1914, 0xc758d257,\n 0x01dae182, 0x867c2ac1, 0xd5e67145, 0x5240ba06, 0x72d2c64d,\n 0xf5740d0e, 0xa6ee568a, 0x21489dc9, 0xf09b3761, 0x773dfc22,\n 0x24a7a7a6, 0xa3016ce5, 0x839310ae, 0x0435dbed, 0x57af8069,\n 0xd0094b2a, 0x168b78ff, 0x912db3bc, 0xc2b7e838, 0x4511237b,\n 0x65835f30, 0xe2259473, 0xb1bfcff7, 0x361904b4, 0xc9699ce6,\n 0x4ecf57a5, 0x1d550c21, 0x9af3c762, 0xba61bb29, 0x3dc7706a,\n 0x6e5d2bee, 0xe9fbe0ad, 0x2f79d378, 0xa8df183b, 0xfb4543bf,\n 0x7ce388fc, 0x5c71f4b7, 0xdbd73ff4, 0x884d6470, 0x0febaf33,\n 0xde38059b, 0x599eced8, 0x0a04955c, 0x8da25e1f, 0xad302254,\n 0x2a96e917, 0x790cb293, 0xfeaa79d0, 0x38284a05, 0xbf8e8146,\n 0xec14dac2, 0x6bb21181, 0x4b206dca, 0xcc86a689, 0x9f1cfd0d,\n 0x18ba364e}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0x43cba68700000000, 0xc7903cd400000000,\n 0x845b9a5300000000, 0xcf27087300000000, 0x8cecaef400000000,\n 0x08b734a700000000, 0x4b7c922000000000, 0x9e4f10e600000000,\n 0xdd84b66100000000, 0x59df2c3200000000, 0x1a148ab500000000,\n 0x5168189500000000, 0x12a3be1200000000, 0x96f8244100000000,\n 0xd53382c600000000, 0x7d99511700000000, 0x3e52f79000000000,\n 0xba096dc300000000, 0xf9c2cb4400000000, 0xb2be596400000000,\n 0xf175ffe300000000, 0x752e65b000000000, 0x36e5c33700000000,\n 0xe3d641f100000000, 0xa01de77600000000, 0x24467d2500000000,\n 0x678ddba200000000, 0x2cf1498200000000, 0x6f3aef0500000000,\n 0xeb61755600000000, 0xa8aad3d100000000, 0xfa32a32e00000000,\n 0xb9f905a900000000, 0x3da29ffa00000000, 0x7e69397d00000000,\n 0x3515ab5d00000000, 0x76de0dda00000000, 0xf285978900000000,\n 0xb14e310e00000000, 0x647db3c800000000, 0x27b6154f00000000,\n 0xa3ed8f1c00000000, 0xe026299b00000000, 0xab5abbbb00000000,\n 0xe8911d3c00000000, 0x6cca876f00000000, 0x2f0121e800000000,\n 0x87abf23900000000, 0xc46054be00000000, 0x403bceed00000000,\n 0x03f0686a00000000, 0x488cfa4a00000000, 0x0b475ccd00000000,\n 0x8f1cc69e00000000, 0xccd7601900000000, 0x19e4e2df00000000,\n 0x5a2f445800000000, 0xde74de0b00000000, 0x9dbf788c00000000,\n 0xd6c3eaac00000000, 0x95084c2b00000000, 0x1153d67800000000,\n 0x529870ff00000000, 0xf465465d00000000, 0xb7aee0da00000000,\n 0x33f57a8900000000, 0x703edc0e00000000, 0x3b424e2e00000000,\n 0x7889e8a900000000, 0xfcd272fa00000000, 0xbf19d47d00000000,\n 0x6a2a56bb00000000, 0x29e1f03c00000000, 0xadba6a6f00000000,\n 0xee71cce800000000, 0xa50d5ec800000000, 0xe6c6f84f00000000,\n 0x629d621c00000000, 0x2156c49b00000000, 0x89fc174a00000000,\n 0xca37b1cd00000000, 0x4e6c2b9e00000000, 0x0da78d1900000000,\n 0x46db1f3900000000, 0x0510b9be00000000, 0x814b23ed00000000,\n 0xc280856a00000000, 0x17b307ac00000000, 0x5478a12b00000000,\n 0xd0233b7800000000, 0x93e89dff00000000, 0xd8940fdf00000000,\n 0x9b5fa95800000000, 0x1f04330b00000000, 0x5ccf958c00000000,\n 0x0e57e57300000000, 0x4d9c43f400000000, 0xc9c7d9a700000000,\n 0x8a0c7f2000000000, 0xc170ed0000000000, 0x82bb4b8700000000,\n 0x06e0d1d400000000, 0x452b775300000000, 0x9018f59500000000,\n 0xd3d3531200000000, 0x5788c94100000000, 0x14436fc600000000,\n 0x5f3ffde600000000, 0x1cf45b6100000000, 0x98afc13200000000,\n 0xdb6467b500000000, 0x73ceb46400000000, 0x300512e300000000,\n 0xb45e88b000000000, 0xf7952e3700000000, 0xbce9bc1700000000,\n 0xff221a9000000000, 0x7b7980c300000000, 0x38b2264400000000,\n 0xed81a48200000000, 0xae4a020500000000, 0x2a11985600000000,\n 0x69da3ed100000000, 0x22a6acf100000000, 0x616d0a7600000000,\n 0xe536902500000000, 0xa6fd36a200000000, 0xe8cb8cba00000000,\n 0xab002a3d00000000, 0x2f5bb06e00000000, 0x6c9016e900000000,\n 0x27ec84c900000000, 0x6427224e00000000, 0xe07cb81d00000000,\n 0xa3b71e9a00000000, 0x76849c5c00000000, 0x354f3adb00000000,\n 0xb114a08800000000, 0xf2df060f00000000, 0xb9a3942f00000000,\n 0xfa6832a800000000, 0x7e33a8fb00000000, 0x3df80e7c00000000,\n 0x9552ddad00000000, 0xd6997b2a00000000, 0x52c2e17900000000,\n 0x110947fe00000000, 0x5a75d5de00000000, 0x19be735900000000,\n 0x9de5e90a00000000, 0xde2e4f8d00000000, 0x0b1dcd4b00000000,\n 0x48d66bcc00000000, 0xcc8df19f00000000, 0x8f46571800000000,\n 0xc43ac53800000000, 0x87f163bf00000000, 0x03aaf9ec00000000,\n 0x40615f6b00000000, 0x12f92f9400000000, 0x5132891300000000,\n 0xd569134000000000, 0x96a2b5c700000000, 0xddde27e700000000,\n 0x9e15816000000000, 0x1a4e1b3300000000, 0x5985bdb400000000,\n 0x8cb63f7200000000, 0xcf7d99f500000000, 0x4b2603a600000000,\n 0x08eda52100000000, 0x4391370100000000, 0x005a918600000000,\n 0x84010bd500000000, 0xc7caad5200000000, 0x6f607e8300000000,\n 0x2cabd80400000000, 0xa8f0425700000000, 0xeb3be4d000000000,\n 0xa04776f000000000, 0xe38cd07700000000, 0x67d74a2400000000,\n 0x241ceca300000000, 0xf12f6e6500000000, 0xb2e4c8e200000000,\n 0x36bf52b100000000, 0x7574f43600000000, 0x3e08661600000000,\n 0x7dc3c09100000000, 0xf9985ac200000000, 0xba53fc4500000000,\n 0x1caecae700000000, 0x5f656c6000000000, 0xdb3ef63300000000,\n 0x98f550b400000000, 0xd389c29400000000, 0x9042641300000000,\n 0x1419fe4000000000, 0x57d258c700000000, 0x82e1da0100000000,\n 0xc12a7c8600000000, 0x4571e6d500000000, 0x06ba405200000000,\n 0x4dc6d27200000000, 0x0e0d74f500000000, 0x8a56eea600000000,\n 0xc99d482100000000, 0x61379bf000000000, 0x22fc3d7700000000,\n 0xa6a7a72400000000, 0xe56c01a300000000, 0xae10938300000000,\n 0xeddb350400000000, 0x6980af5700000000, 0x2a4b09d000000000,\n 0xff788b1600000000, 0xbcb32d9100000000, 0x38e8b7c200000000,\n 0x7b23114500000000, 0x305f836500000000, 0x739425e200000000,\n 0xf7cfbfb100000000, 0xb404193600000000, 0xe69c69c900000000,\n 0xa557cf4e00000000, 0x210c551d00000000, 0x62c7f39a00000000,\n 0x29bb61ba00000000, 0x6a70c73d00000000, 0xee2b5d6e00000000,\n 0xade0fbe900000000, 0x78d3792f00000000, 0x3b18dfa800000000,\n 0xbf4345fb00000000, 0xfc88e37c00000000, 0xb7f4715c00000000,\n 0xf43fd7db00000000, 0x70644d8800000000, 0x33afeb0f00000000,\n 0x9b0538de00000000, 0xd8ce9e5900000000, 0x5c95040a00000000,\n 0x1f5ea28d00000000, 0x542230ad00000000, 0x17e9962a00000000,\n 0x93b20c7900000000, 0xd079aafe00000000, 0x054a283800000000,\n 0x46818ebf00000000, 0xc2da14ec00000000, 0x8111b26b00000000,\n 0xca6d204b00000000, 0x89a686cc00000000, 0x0dfd1c9f00000000,\n 0x4e36ba1800000000},\n {0x0000000000000000, 0xe1b652ef00000000, 0x836bd40500000000,\n 0x62dd86ea00000000, 0x06d7a80b00000000, 0xe761fae400000000,\n 0x85bc7c0e00000000, 0x640a2ee100000000, 0x0cae511700000000,\n 0xed1803f800000000, 0x8fc5851200000000, 0x6e73d7fd00000000,\n 0x0a79f91c00000000, 0xebcfabf300000000, 0x89122d1900000000,\n 0x68a47ff600000000, 0x185ca32e00000000, 0xf9eaf1c100000000,\n 0x9b37772b00000000, 0x7a8125c400000000, 0x1e8b0b2500000000,\n 0xff3d59ca00000000, 0x9de0df2000000000, 0x7c568dcf00000000,\n 0x14f2f23900000000, 0xf544a0d600000000, 0x9799263c00000000,\n 0x762f74d300000000, 0x12255a3200000000, 0xf39308dd00000000,\n 0x914e8e3700000000, 0x70f8dcd800000000, 0x30b8465d00000000,\n 0xd10e14b200000000, 0xb3d3925800000000, 0x5265c0b700000000,\n 0x366fee5600000000, 0xd7d9bcb900000000, 0xb5043a5300000000,\n 0x54b268bc00000000, 0x3c16174a00000000, 0xdda045a500000000,\n 0xbf7dc34f00000000, 0x5ecb91a000000000, 0x3ac1bf4100000000,\n 0xdb77edae00000000, 0xb9aa6b4400000000, 0x581c39ab00000000,\n 0x28e4e57300000000, 0xc952b79c00000000, 0xab8f317600000000,\n 0x4a39639900000000, 0x2e334d7800000000, 0xcf851f9700000000,\n 0xad58997d00000000, 0x4ceecb9200000000, 0x244ab46400000000,\n 0xc5fce68b00000000, 0xa721606100000000, 0x4697328e00000000,\n 0x229d1c6f00000000, 0xc32b4e8000000000, 0xa1f6c86a00000000,\n 0x40409a8500000000, 0x60708dba00000000, 0x81c6df5500000000,\n 0xe31b59bf00000000, 0x02ad0b5000000000, 0x66a725b100000000,\n 0x8711775e00000000, 0xe5ccf1b400000000, 0x047aa35b00000000,\n 0x6cdedcad00000000, 0x8d688e4200000000, 0xefb508a800000000,\n 0x0e035a4700000000, 0x6a0974a600000000, 0x8bbf264900000000,\n 0xe962a0a300000000, 0x08d4f24c00000000, 0x782c2e9400000000,\n 0x999a7c7b00000000, 0xfb47fa9100000000, 0x1af1a87e00000000,\n 0x7efb869f00000000, 0x9f4dd47000000000, 0xfd90529a00000000,\n 0x1c26007500000000, 0x74827f8300000000, 0x95342d6c00000000,\n 0xf7e9ab8600000000, 0x165ff96900000000, 0x7255d78800000000,\n 0x93e3856700000000, 0xf13e038d00000000, 0x1088516200000000,\n 0x50c8cbe700000000, 0xb17e990800000000, 0xd3a31fe200000000,\n 0x32154d0d00000000, 0x561f63ec00000000, 0xb7a9310300000000,\n 0xd574b7e900000000, 0x34c2e50600000000, 0x5c669af000000000,\n 0xbdd0c81f00000000, 0xdf0d4ef500000000, 0x3ebb1c1a00000000,\n 0x5ab132fb00000000, 0xbb07601400000000, 0xd9dae6fe00000000,\n 0x386cb41100000000, 0x489468c900000000, 0xa9223a2600000000,\n 0xcbffbccc00000000, 0x2a49ee2300000000, 0x4e43c0c200000000,\n 0xaff5922d00000000, 0xcd2814c700000000, 0x2c9e462800000000,\n 0x443a39de00000000, 0xa58c6b3100000000, 0xc751eddb00000000,\n 0x26e7bf3400000000, 0x42ed91d500000000, 0xa35bc33a00000000,\n 0xc18645d000000000, 0x2030173f00000000, 0x81e66bae00000000,\n 0x6050394100000000, 0x028dbfab00000000, 0xe33bed4400000000,\n 0x8731c3a500000000, 0x6687914a00000000, 0x045a17a000000000,\n 0xe5ec454f00000000, 0x8d483ab900000000, 0x6cfe685600000000,\n 0x0e23eebc00000000, 0xef95bc5300000000, 0x8b9f92b200000000,\n 0x6a29c05d00000000, 0x08f446b700000000, 0xe942145800000000,\n 0x99bac88000000000, 0x780c9a6f00000000, 0x1ad11c8500000000,\n 0xfb674e6a00000000, 0x9f6d608b00000000, 0x7edb326400000000,\n 0x1c06b48e00000000, 0xfdb0e66100000000, 0x9514999700000000,\n 0x74a2cb7800000000, 0x167f4d9200000000, 0xf7c91f7d00000000,\n 0x93c3319c00000000, 0x7275637300000000, 0x10a8e59900000000,\n 0xf11eb77600000000, 0xb15e2df300000000, 0x50e87f1c00000000,\n 0x3235f9f600000000, 0xd383ab1900000000, 0xb78985f800000000,\n 0x563fd71700000000, 0x34e251fd00000000, 0xd554031200000000,\n 0xbdf07ce400000000, 0x5c462e0b00000000, 0x3e9ba8e100000000,\n 0xdf2dfa0e00000000, 0xbb27d4ef00000000, 0x5a91860000000000,\n 0x384c00ea00000000, 0xd9fa520500000000, 0xa9028edd00000000,\n 0x48b4dc3200000000, 0x2a695ad800000000, 0xcbdf083700000000,\n 0xafd526d600000000, 0x4e63743900000000, 0x2cbef2d300000000,\n 0xcd08a03c00000000, 0xa5acdfca00000000, 0x441a8d2500000000,\n 0x26c70bcf00000000, 0xc771592000000000, 0xa37b77c100000000,\n 0x42cd252e00000000, 0x2010a3c400000000, 0xc1a6f12b00000000,\n 0xe196e61400000000, 0x0020b4fb00000000, 0x62fd321100000000,\n 0x834b60fe00000000, 0xe7414e1f00000000, 0x06f71cf000000000,\n 0x642a9a1a00000000, 0x859cc8f500000000, 0xed38b70300000000,\n 0x0c8ee5ec00000000, 0x6e53630600000000, 0x8fe531e900000000,\n 0xebef1f0800000000, 0x0a594de700000000, 0x6884cb0d00000000,\n 0x893299e200000000, 0xf9ca453a00000000, 0x187c17d500000000,\n 0x7aa1913f00000000, 0x9b17c3d000000000, 0xff1ded3100000000,\n 0x1eabbfde00000000, 0x7c76393400000000, 0x9dc06bdb00000000,\n 0xf564142d00000000, 0x14d246c200000000, 0x760fc02800000000,\n 0x97b992c700000000, 0xf3b3bc2600000000, 0x1205eec900000000,\n 0x70d8682300000000, 0x916e3acc00000000, 0xd12ea04900000000,\n 0x3098f2a600000000, 0x5245744c00000000, 0xb3f326a300000000,\n 0xd7f9084200000000, 0x364f5aad00000000, 0x5492dc4700000000,\n 0xb5248ea800000000, 0xdd80f15e00000000, 0x3c36a3b100000000,\n 0x5eeb255b00000000, 0xbf5d77b400000000, 0xdb57595500000000,\n 0x3ae10bba00000000, 0x583c8d5000000000, 0xb98adfbf00000000,\n 0xc972036700000000, 0x28c4518800000000, 0x4a19d76200000000,\n 0xabaf858d00000000, 0xcfa5ab6c00000000, 0x2e13f98300000000,\n 0x4cce7f6900000000, 0xad782d8600000000, 0xc5dc527000000000,\n 0x246a009f00000000, 0x46b7867500000000, 0xa701d49a00000000,\n 0xc30bfa7b00000000, 0x22bda89400000000, 0x40602e7e00000000,\n 0xa1d67c9100000000},\n {0x0000000000000000, 0x5880e2d700000000, 0xf106b47400000000,\n 0xa98656a300000000, 0xe20d68e900000000, 0xba8d8a3e00000000,\n 0x130bdc9d00000000, 0x4b8b3e4a00000000, 0x851da10900000000,\n 0xdd9d43de00000000, 0x741b157d00000000, 0x2c9bf7aa00000000,\n 0x6710c9e000000000, 0x3f902b3700000000, 0x96167d9400000000,\n 0xce969f4300000000, 0x0a3b421300000000, 0x52bba0c400000000,\n 0xfb3df66700000000, 0xa3bd14b000000000, 0xe8362afa00000000,\n 0xb0b6c82d00000000, 0x19309e8e00000000, 0x41b07c5900000000,\n 0x8f26e31a00000000, 0xd7a601cd00000000, 0x7e20576e00000000,\n 0x26a0b5b900000000, 0x6d2b8bf300000000, 0x35ab692400000000,\n 0x9c2d3f8700000000, 0xc4addd5000000000, 0x1476842600000000,\n 0x4cf666f100000000, 0xe570305200000000, 0xbdf0d28500000000,\n 0xf67beccf00000000, 0xaefb0e1800000000, 0x077d58bb00000000,\n 0x5ffdba6c00000000, 0x916b252f00000000, 0xc9ebc7f800000000,\n 0x606d915b00000000, 0x38ed738c00000000, 0x73664dc600000000,\n 0x2be6af1100000000, 0x8260f9b200000000, 0xdae01b6500000000,\n 0x1e4dc63500000000, 0x46cd24e200000000, 0xef4b724100000000,\n 0xb7cb909600000000, 0xfc40aedc00000000, 0xa4c04c0b00000000,\n 0x0d461aa800000000, 0x55c6f87f00000000, 0x9b50673c00000000,\n 0xc3d085eb00000000, 0x6a56d34800000000, 0x32d6319f00000000,\n 0x795d0fd500000000, 0x21dded0200000000, 0x885bbba100000000,\n 0xd0db597600000000, 0x28ec084d00000000, 0x706cea9a00000000,\n 0xd9eabc3900000000, 0x816a5eee00000000, 0xcae160a400000000,\n 0x9261827300000000, 0x3be7d4d000000000, 0x6367360700000000,\n 0xadf1a94400000000, 0xf5714b9300000000, 0x5cf71d3000000000,\n 0x0477ffe700000000, 0x4ffcc1ad00000000, 0x177c237a00000000,\n 0xbefa75d900000000, 0xe67a970e00000000, 0x22d74a5e00000000,\n 0x7a57a88900000000, 0xd3d1fe2a00000000, 0x8b511cfd00000000,\n 0xc0da22b700000000, 0x985ac06000000000, 0x31dc96c300000000,\n 0x695c741400000000, 0xa7caeb5700000000, 0xff4a098000000000,\n 0x56cc5f2300000000, 0x0e4cbdf400000000, 0x45c783be00000000,\n 0x1d47616900000000, 0xb4c137ca00000000, 0xec41d51d00000000,\n 0x3c9a8c6b00000000, 0x641a6ebc00000000, 0xcd9c381f00000000,\n 0x951cdac800000000, 0xde97e48200000000, 0x8617065500000000,\n 0x2f9150f600000000, 0x7711b22100000000, 0xb9872d6200000000,\n 0xe107cfb500000000, 0x4881991600000000, 0x10017bc100000000,\n 0x5b8a458b00000000, 0x030aa75c00000000, 0xaa8cf1ff00000000,\n 0xf20c132800000000, 0x36a1ce7800000000, 0x6e212caf00000000,\n 0xc7a77a0c00000000, 0x9f2798db00000000, 0xd4aca69100000000,\n 0x8c2c444600000000, 0x25aa12e500000000, 0x7d2af03200000000,\n 0xb3bc6f7100000000, 0xeb3c8da600000000, 0x42badb0500000000,\n 0x1a3a39d200000000, 0x51b1079800000000, 0x0931e54f00000000,\n 0xa0b7b3ec00000000, 0xf837513b00000000, 0x50d8119a00000000,\n 0x0858f34d00000000, 0xa1dea5ee00000000, 0xf95e473900000000,\n 0xb2d5797300000000, 0xea559ba400000000, 0x43d3cd0700000000,\n 0x1b532fd000000000, 0xd5c5b09300000000, 0x8d45524400000000,\n 0x24c304e700000000, 0x7c43e63000000000, 0x37c8d87a00000000,\n 0x6f483aad00000000, 0xc6ce6c0e00000000, 0x9e4e8ed900000000,\n 0x5ae3538900000000, 0x0263b15e00000000, 0xabe5e7fd00000000,\n 0xf365052a00000000, 0xb8ee3b6000000000, 0xe06ed9b700000000,\n 0x49e88f1400000000, 0x11686dc300000000, 0xdffef28000000000,\n 0x877e105700000000, 0x2ef846f400000000, 0x7678a42300000000,\n 0x3df39a6900000000, 0x657378be00000000, 0xccf52e1d00000000,\n 0x9475ccca00000000, 0x44ae95bc00000000, 0x1c2e776b00000000,\n 0xb5a821c800000000, 0xed28c31f00000000, 0xa6a3fd5500000000,\n 0xfe231f8200000000, 0x57a5492100000000, 0x0f25abf600000000,\n 0xc1b334b500000000, 0x9933d66200000000, 0x30b580c100000000,\n 0x6835621600000000, 0x23be5c5c00000000, 0x7b3ebe8b00000000,\n 0xd2b8e82800000000, 0x8a380aff00000000, 0x4e95d7af00000000,\n 0x1615357800000000, 0xbf9363db00000000, 0xe713810c00000000,\n 0xac98bf4600000000, 0xf4185d9100000000, 0x5d9e0b3200000000,\n 0x051ee9e500000000, 0xcb8876a600000000, 0x9308947100000000,\n 0x3a8ec2d200000000, 0x620e200500000000, 0x29851e4f00000000,\n 0x7105fc9800000000, 0xd883aa3b00000000, 0x800348ec00000000,\n 0x783419d700000000, 0x20b4fb0000000000, 0x8932ada300000000,\n 0xd1b24f7400000000, 0x9a39713e00000000, 0xc2b993e900000000,\n 0x6b3fc54a00000000, 0x33bf279d00000000, 0xfd29b8de00000000,\n 0xa5a95a0900000000, 0x0c2f0caa00000000, 0x54afee7d00000000,\n 0x1f24d03700000000, 0x47a432e000000000, 0xee22644300000000,\n 0xb6a2869400000000, 0x720f5bc400000000, 0x2a8fb91300000000,\n 0x8309efb000000000, 0xdb890d6700000000, 0x9002332d00000000,\n 0xc882d1fa00000000, 0x6104875900000000, 0x3984658e00000000,\n 0xf712facd00000000, 0xaf92181a00000000, 0x06144eb900000000,\n 0x5e94ac6e00000000, 0x151f922400000000, 0x4d9f70f300000000,\n 0xe419265000000000, 0xbc99c48700000000, 0x6c429df100000000,\n 0x34c27f2600000000, 0x9d44298500000000, 0xc5c4cb5200000000,\n 0x8e4ff51800000000, 0xd6cf17cf00000000, 0x7f49416c00000000,\n 0x27c9a3bb00000000, 0xe95f3cf800000000, 0xb1dfde2f00000000,\n 0x1859888c00000000, 0x40d96a5b00000000, 0x0b52541100000000,\n 0x53d2b6c600000000, 0xfa54e06500000000, 0xa2d402b200000000,\n 0x6679dfe200000000, 0x3ef93d3500000000, 0x977f6b9600000000,\n 0xcfff894100000000, 0x8474b70b00000000, 0xdcf455dc00000000,\n 0x7572037f00000000, 0x2df2e1a800000000, 0xe3647eeb00000000,\n 0xbbe49c3c00000000, 0x1262ca9f00000000, 0x4ae2284800000000,\n 0x0169160200000000, 0x59e9f4d500000000, 0xf06fa27600000000,\n 0xa8ef40a100000000},\n {0x0000000000000000, 0x463b676500000000, 0x8c76ceca00000000,\n 0xca4da9af00000000, 0x59ebed4e00000000, 0x1fd08a2b00000000,\n 0xd59d238400000000, 0x93a644e100000000, 0xb2d6db9d00000000,\n 0xf4edbcf800000000, 0x3ea0155700000000, 0x789b723200000000,\n 0xeb3d36d300000000, 0xad0651b600000000, 0x674bf81900000000,\n 0x21709f7c00000000, 0x25abc6e000000000, 0x6390a18500000000,\n 0xa9dd082a00000000, 0xefe66f4f00000000, 0x7c402bae00000000,\n 0x3a7b4ccb00000000, 0xf036e56400000000, 0xb60d820100000000,\n 0x977d1d7d00000000, 0xd1467a1800000000, 0x1b0bd3b700000000,\n 0x5d30b4d200000000, 0xce96f03300000000, 0x88ad975600000000,\n 0x42e03ef900000000, 0x04db599c00000000, 0x0b50fc1a00000000,\n 0x4d6b9b7f00000000, 0x872632d000000000, 0xc11d55b500000000,\n 0x52bb115400000000, 0x1480763100000000, 0xdecddf9e00000000,\n 0x98f6b8fb00000000, 0xb986278700000000, 0xffbd40e200000000,\n 0x35f0e94d00000000, 0x73cb8e2800000000, 0xe06dcac900000000,\n 0xa656adac00000000, 0x6c1b040300000000, 0x2a20636600000000,\n 0x2efb3afa00000000, 0x68c05d9f00000000, 0xa28df43000000000,\n 0xe4b6935500000000, 0x7710d7b400000000, 0x312bb0d100000000,\n 0xfb66197e00000000, 0xbd5d7e1b00000000, 0x9c2de16700000000,\n 0xda16860200000000, 0x105b2fad00000000, 0x566048c800000000,\n 0xc5c60c2900000000, 0x83fd6b4c00000000, 0x49b0c2e300000000,\n 0x0f8ba58600000000, 0x16a0f83500000000, 0x509b9f5000000000,\n 0x9ad636ff00000000, 0xdced519a00000000, 0x4f4b157b00000000,\n 0x0970721e00000000, 0xc33ddbb100000000, 0x8506bcd400000000,\n 0xa47623a800000000, 0xe24d44cd00000000, 0x2800ed6200000000,\n 0x6e3b8a0700000000, 0xfd9dcee600000000, 0xbba6a98300000000,\n 0x71eb002c00000000, 0x37d0674900000000, 0x330b3ed500000000,\n 0x753059b000000000, 0xbf7df01f00000000, 0xf946977a00000000,\n 0x6ae0d39b00000000, 0x2cdbb4fe00000000, 0xe6961d5100000000,\n 0xa0ad7a3400000000, 0x81dde54800000000, 0xc7e6822d00000000,\n 0x0dab2b8200000000, 0x4b904ce700000000, 0xd836080600000000,\n 0x9e0d6f6300000000, 0x5440c6cc00000000, 0x127ba1a900000000,\n 0x1df0042f00000000, 0x5bcb634a00000000, 0x9186cae500000000,\n 0xd7bdad8000000000, 0x441be96100000000, 0x02208e0400000000,\n 0xc86d27ab00000000, 0x8e5640ce00000000, 0xaf26dfb200000000,\n 0xe91db8d700000000, 0x2350117800000000, 0x656b761d00000000,\n 0xf6cd32fc00000000, 0xb0f6559900000000, 0x7abbfc3600000000,\n 0x3c809b5300000000, 0x385bc2cf00000000, 0x7e60a5aa00000000,\n 0xb42d0c0500000000, 0xf2166b6000000000, 0x61b02f8100000000,\n 0x278b48e400000000, 0xedc6e14b00000000, 0xabfd862e00000000,\n 0x8a8d195200000000, 0xccb67e3700000000, 0x06fbd79800000000,\n 0x40c0b0fd00000000, 0xd366f41c00000000, 0x955d937900000000,\n 0x5f103ad600000000, 0x192b5db300000000, 0x2c40f16b00000000,\n 0x6a7b960e00000000, 0xa0363fa100000000, 0xe60d58c400000000,\n 0x75ab1c2500000000, 0x33907b4000000000, 0xf9ddd2ef00000000,\n 0xbfe6b58a00000000, 0x9e962af600000000, 0xd8ad4d9300000000,\n 0x12e0e43c00000000, 0x54db835900000000, 0xc77dc7b800000000,\n 0x8146a0dd00000000, 0x4b0b097200000000, 0x0d306e1700000000,\n 0x09eb378b00000000, 0x4fd050ee00000000, 0x859df94100000000,\n 0xc3a69e2400000000, 0x5000dac500000000, 0x163bbda000000000,\n 0xdc76140f00000000, 0x9a4d736a00000000, 0xbb3dec1600000000,\n 0xfd068b7300000000, 0x374b22dc00000000, 0x717045b900000000,\n 0xe2d6015800000000, 0xa4ed663d00000000, 0x6ea0cf9200000000,\n 0x289ba8f700000000, 0x27100d7100000000, 0x612b6a1400000000,\n 0xab66c3bb00000000, 0xed5da4de00000000, 0x7efbe03f00000000,\n 0x38c0875a00000000, 0xf28d2ef500000000, 0xb4b6499000000000,\n 0x95c6d6ec00000000, 0xd3fdb18900000000, 0x19b0182600000000,\n 0x5f8b7f4300000000, 0xcc2d3ba200000000, 0x8a165cc700000000,\n 0x405bf56800000000, 0x0660920d00000000, 0x02bbcb9100000000,\n 0x4480acf400000000, 0x8ecd055b00000000, 0xc8f6623e00000000,\n 0x5b5026df00000000, 0x1d6b41ba00000000, 0xd726e81500000000,\n 0x911d8f7000000000, 0xb06d100c00000000, 0xf656776900000000,\n 0x3c1bdec600000000, 0x7a20b9a300000000, 0xe986fd4200000000,\n 0xafbd9a2700000000, 0x65f0338800000000, 0x23cb54ed00000000,\n 0x3ae0095e00000000, 0x7cdb6e3b00000000, 0xb696c79400000000,\n 0xf0ada0f100000000, 0x630be41000000000, 0x2530837500000000,\n 0xef7d2ada00000000, 0xa9464dbf00000000, 0x8836d2c300000000,\n 0xce0db5a600000000, 0x04401c0900000000, 0x427b7b6c00000000,\n 0xd1dd3f8d00000000, 0x97e658e800000000, 0x5dabf14700000000,\n 0x1b90962200000000, 0x1f4bcfbe00000000, 0x5970a8db00000000,\n 0x933d017400000000, 0xd506661100000000, 0x46a022f000000000,\n 0x009b459500000000, 0xcad6ec3a00000000, 0x8ced8b5f00000000,\n 0xad9d142300000000, 0xeba6734600000000, 0x21ebdae900000000,\n 0x67d0bd8c00000000, 0xf476f96d00000000, 0xb24d9e0800000000,\n 0x780037a700000000, 0x3e3b50c200000000, 0x31b0f54400000000,\n 0x778b922100000000, 0xbdc63b8e00000000, 0xfbfd5ceb00000000,\n 0x685b180a00000000, 0x2e607f6f00000000, 0xe42dd6c000000000,\n 0xa216b1a500000000, 0x83662ed900000000, 0xc55d49bc00000000,\n 0x0f10e01300000000, 0x492b877600000000, 0xda8dc39700000000,\n 0x9cb6a4f200000000, 0x56fb0d5d00000000, 0x10c06a3800000000,\n 0x141b33a400000000, 0x522054c100000000, 0x986dfd6e00000000,\n 0xde569a0b00000000, 0x4df0deea00000000, 0x0bcbb98f00000000,\n 0xc186102000000000, 0x87bd774500000000, 0xa6cde83900000000,\n 0xe0f68f5c00000000, 0x2abb26f300000000, 0x6c80419600000000,\n 0xff26057700000000, 0xb91d621200000000, 0x7350cbbd00000000,\n 0x356bacd800000000},\n {0x0000000000000000, 0x9e83da9f00000000, 0x7d01c4e400000000,\n 0xe3821e7b00000000, 0xbb04f91200000000, 0x2587238d00000000,\n 0xc6053df600000000, 0x5886e76900000000, 0x7609f22500000000,\n 0xe88a28ba00000000, 0x0b0836c100000000, 0x958bec5e00000000,\n 0xcd0d0b3700000000, 0x538ed1a800000000, 0xb00ccfd300000000,\n 0x2e8f154c00000000, 0xec12e44b00000000, 0x72913ed400000000,\n 0x911320af00000000, 0x0f90fa3000000000, 0x57161d5900000000,\n 0xc995c7c600000000, 0x2a17d9bd00000000, 0xb494032200000000,\n 0x9a1b166e00000000, 0x0498ccf100000000, 0xe71ad28a00000000,\n 0x7999081500000000, 0x211fef7c00000000, 0xbf9c35e300000000,\n 0x5c1e2b9800000000, 0xc29df10700000000, 0xd825c89700000000,\n 0x46a6120800000000, 0xa5240c7300000000, 0x3ba7d6ec00000000,\n 0x6321318500000000, 0xfda2eb1a00000000, 0x1e20f56100000000,\n 0x80a32ffe00000000, 0xae2c3ab200000000, 0x30afe02d00000000,\n 0xd32dfe5600000000, 0x4dae24c900000000, 0x1528c3a000000000,\n 0x8bab193f00000000, 0x6829074400000000, 0xf6aadddb00000000,\n 0x34372cdc00000000, 0xaab4f64300000000, 0x4936e83800000000,\n 0xd7b532a700000000, 0x8f33d5ce00000000, 0x11b00f5100000000,\n 0xf232112a00000000, 0x6cb1cbb500000000, 0x423edef900000000,\n 0xdcbd046600000000, 0x3f3f1a1d00000000, 0xa1bcc08200000000,\n 0xf93a27eb00000000, 0x67b9fd7400000000, 0x843be30f00000000,\n 0x1ab8399000000000, 0xf14de1f400000000, 0x6fce3b6b00000000,\n 0x8c4c251000000000, 0x12cfff8f00000000, 0x4a4918e600000000,\n 0xd4cac27900000000, 0x3748dc0200000000, 0xa9cb069d00000000,\n 0x874413d100000000, 0x19c7c94e00000000, 0xfa45d73500000000,\n 0x64c60daa00000000, 0x3c40eac300000000, 0xa2c3305c00000000,\n 0x41412e2700000000, 0xdfc2f4b800000000, 0x1d5f05bf00000000,\n 0x83dcdf2000000000, 0x605ec15b00000000, 0xfedd1bc400000000,\n 0xa65bfcad00000000, 0x38d8263200000000, 0xdb5a384900000000,\n 0x45d9e2d600000000, 0x6b56f79a00000000, 0xf5d52d0500000000,\n 0x1657337e00000000, 0x88d4e9e100000000, 0xd0520e8800000000,\n 0x4ed1d41700000000, 0xad53ca6c00000000, 0x33d010f300000000,\n 0x2968296300000000, 0xb7ebf3fc00000000, 0x5469ed8700000000,\n 0xcaea371800000000, 0x926cd07100000000, 0x0cef0aee00000000,\n 0xef6d149500000000, 0x71eece0a00000000, 0x5f61db4600000000,\n 0xc1e201d900000000, 0x22601fa200000000, 0xbce3c53d00000000,\n 0xe465225400000000, 0x7ae6f8cb00000000, 0x9964e6b000000000,\n 0x07e73c2f00000000, 0xc57acd2800000000, 0x5bf917b700000000,\n 0xb87b09cc00000000, 0x26f8d35300000000, 0x7e7e343a00000000,\n 0xe0fdeea500000000, 0x037ff0de00000000, 0x9dfc2a4100000000,\n 0xb3733f0d00000000, 0x2df0e59200000000, 0xce72fbe900000000,\n 0x50f1217600000000, 0x0877c61f00000000, 0x96f41c8000000000,\n 0x757602fb00000000, 0xebf5d86400000000, 0xa39db33200000000,\n 0x3d1e69ad00000000, 0xde9c77d600000000, 0x401fad4900000000,\n 0x18994a2000000000, 0x861a90bf00000000, 0x65988ec400000000,\n 0xfb1b545b00000000, 0xd594411700000000, 0x4b179b8800000000,\n 0xa89585f300000000, 0x36165f6c00000000, 0x6e90b80500000000,\n 0xf013629a00000000, 0x13917ce100000000, 0x8d12a67e00000000,\n 0x4f8f577900000000, 0xd10c8de600000000, 0x328e939d00000000,\n 0xac0d490200000000, 0xf48bae6b00000000, 0x6a0874f400000000,\n 0x898a6a8f00000000, 0x1709b01000000000, 0x3986a55c00000000,\n 0xa7057fc300000000, 0x448761b800000000, 0xda04bb2700000000,\n 0x82825c4e00000000, 0x1c0186d100000000, 0xff8398aa00000000,\n 0x6100423500000000, 0x7bb87ba500000000, 0xe53ba13a00000000,\n 0x06b9bf4100000000, 0x983a65de00000000, 0xc0bc82b700000000,\n 0x5e3f582800000000, 0xbdbd465300000000, 0x233e9ccc00000000,\n 0x0db1898000000000, 0x9332531f00000000, 0x70b04d6400000000,\n 0xee3397fb00000000, 0xb6b5709200000000, 0x2836aa0d00000000,\n 0xcbb4b47600000000, 0x55376ee900000000, 0x97aa9fee00000000,\n 0x0929457100000000, 0xeaab5b0a00000000, 0x7428819500000000,\n 0x2cae66fc00000000, 0xb22dbc6300000000, 0x51afa21800000000,\n 0xcf2c788700000000, 0xe1a36dcb00000000, 0x7f20b75400000000,\n 0x9ca2a92f00000000, 0x022173b000000000, 0x5aa794d900000000,\n 0xc4244e4600000000, 0x27a6503d00000000, 0xb9258aa200000000,\n 0x52d052c600000000, 0xcc53885900000000, 0x2fd1962200000000,\n 0xb1524cbd00000000, 0xe9d4abd400000000, 0x7757714b00000000,\n 0x94d56f3000000000, 0x0a56b5af00000000, 0x24d9a0e300000000,\n 0xba5a7a7c00000000, 0x59d8640700000000, 0xc75bbe9800000000,\n 0x9fdd59f100000000, 0x015e836e00000000, 0xe2dc9d1500000000,\n 0x7c5f478a00000000, 0xbec2b68d00000000, 0x20416c1200000000,\n 0xc3c3726900000000, 0x5d40a8f600000000, 0x05c64f9f00000000,\n 0x9b45950000000000, 0x78c78b7b00000000, 0xe64451e400000000,\n 0xc8cb44a800000000, 0x56489e3700000000, 0xb5ca804c00000000,\n 0x2b495ad300000000, 0x73cfbdba00000000, 0xed4c672500000000,\n 0x0ece795e00000000, 0x904da3c100000000, 0x8af59a5100000000,\n 0x147640ce00000000, 0xf7f45eb500000000, 0x6977842a00000000,\n 0x31f1634300000000, 0xaf72b9dc00000000, 0x4cf0a7a700000000,\n 0xd2737d3800000000, 0xfcfc687400000000, 0x627fb2eb00000000,\n 0x81fdac9000000000, 0x1f7e760f00000000, 0x47f8916600000000,\n 0xd97b4bf900000000, 0x3af9558200000000, 0xa47a8f1d00000000,\n 0x66e77e1a00000000, 0xf864a48500000000, 0x1be6bafe00000000,\n 0x8565606100000000, 0xdde3870800000000, 0x43605d9700000000,\n 0xa0e243ec00000000, 0x3e61997300000000, 0x10ee8c3f00000000,\n 0x8e6d56a000000000, 0x6def48db00000000, 0xf36c924400000000,\n 0xabea752d00000000, 0x3569afb200000000, 0xd6ebb1c900000000,\n 0x48686b5600000000},\n {0x0000000000000000, 0xc064281700000000, 0x80c9502e00000000,\n 0x40ad783900000000, 0x0093a15c00000000, 0xc0f7894b00000000,\n 0x805af17200000000, 0x403ed96500000000, 0x002643b900000000,\n 0xc0426bae00000000, 0x80ef139700000000, 0x408b3b8000000000,\n 0x00b5e2e500000000, 0xc0d1caf200000000, 0x807cb2cb00000000,\n 0x40189adc00000000, 0x414af7a900000000, 0x812edfbe00000000,\n 0xc183a78700000000, 0x01e78f9000000000, 0x41d956f500000000,\n 0x81bd7ee200000000, 0xc11006db00000000, 0x01742ecc00000000,\n 0x416cb41000000000, 0x81089c0700000000, 0xc1a5e43e00000000,\n 0x01c1cc2900000000, 0x41ff154c00000000, 0x819b3d5b00000000,\n 0xc136456200000000, 0x01526d7500000000, 0xc3929f8800000000,\n 0x03f6b79f00000000, 0x435bcfa600000000, 0x833fe7b100000000,\n 0xc3013ed400000000, 0x036516c300000000, 0x43c86efa00000000,\n 0x83ac46ed00000000, 0xc3b4dc3100000000, 0x03d0f42600000000,\n 0x437d8c1f00000000, 0x8319a40800000000, 0xc3277d6d00000000,\n 0x0343557a00000000, 0x43ee2d4300000000, 0x838a055400000000,\n 0x82d8682100000000, 0x42bc403600000000, 0x0211380f00000000,\n 0xc275101800000000, 0x824bc97d00000000, 0x422fe16a00000000,\n 0x0282995300000000, 0xc2e6b14400000000, 0x82fe2b9800000000,\n 0x429a038f00000000, 0x02377bb600000000, 0xc25353a100000000,\n 0x826d8ac400000000, 0x4209a2d300000000, 0x02a4daea00000000,\n 0xc2c0f2fd00000000, 0xc7234eca00000000, 0x074766dd00000000,\n 0x47ea1ee400000000, 0x878e36f300000000, 0xc7b0ef9600000000,\n 0x07d4c78100000000, 0x4779bfb800000000, 0x871d97af00000000,\n 0xc7050d7300000000, 0x0761256400000000, 0x47cc5d5d00000000,\n 0x87a8754a00000000, 0xc796ac2f00000000, 0x07f2843800000000,\n 0x475ffc0100000000, 0x873bd41600000000, 0x8669b96300000000,\n 0x460d917400000000, 0x06a0e94d00000000, 0xc6c4c15a00000000,\n 0x86fa183f00000000, 0x469e302800000000, 0x0633481100000000,\n 0xc657600600000000, 0x864ffada00000000, 0x462bd2cd00000000,\n 0x0686aaf400000000, 0xc6e282e300000000, 0x86dc5b8600000000,\n 0x46b8739100000000, 0x06150ba800000000, 0xc67123bf00000000,\n 0x04b1d14200000000, 0xc4d5f95500000000, 0x8478816c00000000,\n 0x441ca97b00000000, 0x0422701e00000000, 0xc446580900000000,\n 0x84eb203000000000, 0x448f082700000000, 0x049792fb00000000,\n 0xc4f3baec00000000, 0x845ec2d500000000, 0x443aeac200000000,\n 0x040433a700000000, 0xc4601bb000000000, 0x84cd638900000000,\n 0x44a94b9e00000000, 0x45fb26eb00000000, 0x859f0efc00000000,\n 0xc53276c500000000, 0x05565ed200000000, 0x456887b700000000,\n 0x850cafa000000000, 0xc5a1d79900000000, 0x05c5ff8e00000000,\n 0x45dd655200000000, 0x85b94d4500000000, 0xc514357c00000000,\n 0x05701d6b00000000, 0x454ec40e00000000, 0x852aec1900000000,\n 0xc587942000000000, 0x05e3bc3700000000, 0xcf41ed4f00000000,\n 0x0f25c55800000000, 0x4f88bd6100000000, 0x8fec957600000000,\n 0xcfd24c1300000000, 0x0fb6640400000000, 0x4f1b1c3d00000000,\n 0x8f7f342a00000000, 0xcf67aef600000000, 0x0f0386e100000000,\n 0x4faefed800000000, 0x8fcad6cf00000000, 0xcff40faa00000000,\n 0x0f9027bd00000000, 0x4f3d5f8400000000, 0x8f59779300000000,\n 0x8e0b1ae600000000, 0x4e6f32f100000000, 0x0ec24ac800000000,\n 0xcea662df00000000, 0x8e98bbba00000000, 0x4efc93ad00000000,\n 0x0e51eb9400000000, 0xce35c38300000000, 0x8e2d595f00000000,\n 0x4e49714800000000, 0x0ee4097100000000, 0xce80216600000000,\n 0x8ebef80300000000, 0x4edad01400000000, 0x0e77a82d00000000,\n 0xce13803a00000000, 0x0cd372c700000000, 0xccb75ad000000000,\n 0x8c1a22e900000000, 0x4c7e0afe00000000, 0x0c40d39b00000000,\n 0xcc24fb8c00000000, 0x8c8983b500000000, 0x4cedaba200000000,\n 0x0cf5317e00000000, 0xcc91196900000000, 0x8c3c615000000000,\n 0x4c58494700000000, 0x0c66902200000000, 0xcc02b83500000000,\n 0x8cafc00c00000000, 0x4ccbe81b00000000, 0x4d99856e00000000,\n 0x8dfdad7900000000, 0xcd50d54000000000, 0x0d34fd5700000000,\n 0x4d0a243200000000, 0x8d6e0c2500000000, 0xcdc3741c00000000,\n 0x0da75c0b00000000, 0x4dbfc6d700000000, 0x8ddbeec000000000,\n 0xcd7696f900000000, 0x0d12beee00000000, 0x4d2c678b00000000,\n 0x8d484f9c00000000, 0xcde537a500000000, 0x0d811fb200000000,\n 0x0862a38500000000, 0xc8068b9200000000, 0x88abf3ab00000000,\n 0x48cfdbbc00000000, 0x08f102d900000000, 0xc8952ace00000000,\n 0x883852f700000000, 0x485c7ae000000000, 0x0844e03c00000000,\n 0xc820c82b00000000, 0x888db01200000000, 0x48e9980500000000,\n 0x08d7416000000000, 0xc8b3697700000000, 0x881e114e00000000,\n 0x487a395900000000, 0x4928542c00000000, 0x894c7c3b00000000,\n 0xc9e1040200000000, 0x09852c1500000000, 0x49bbf57000000000,\n 0x89dfdd6700000000, 0xc972a55e00000000, 0x09168d4900000000,\n 0x490e179500000000, 0x896a3f8200000000, 0xc9c747bb00000000,\n 0x09a36fac00000000, 0x499db6c900000000, 0x89f99ede00000000,\n 0xc954e6e700000000, 0x0930cef000000000, 0xcbf03c0d00000000,\n 0x0b94141a00000000, 0x4b396c2300000000, 0x8b5d443400000000,\n 0xcb639d5100000000, 0x0b07b54600000000, 0x4baacd7f00000000,\n 0x8bcee56800000000, 0xcbd67fb400000000, 0x0bb257a300000000,\n 0x4b1f2f9a00000000, 0x8b7b078d00000000, 0xcb45dee800000000,\n 0x0b21f6ff00000000, 0x4b8c8ec600000000, 0x8be8a6d100000000,\n 0x8abacba400000000, 0x4adee3b300000000, 0x0a739b8a00000000,\n 0xca17b39d00000000, 0x8a296af800000000, 0x4a4d42ef00000000,\n 0x0ae03ad600000000, 0xca8412c100000000, 0x8a9c881d00000000,\n 0x4af8a00a00000000, 0x0a55d83300000000, 0xca31f02400000000,\n 0x8a0f294100000000, 0x4a6b015600000000, 0x0ac6796f00000000,\n 0xcaa2517800000000},\n {0x0000000000000000, 0xd4ea739b00000000, 0xe9d396ed00000000,\n 0x3d39e57600000000, 0x93a15c0000000000, 0x474b2f9b00000000,\n 0x7a72caed00000000, 0xae98b97600000000, 0x2643b90000000000,\n 0xf2a9ca9b00000000, 0xcf902fed00000000, 0x1b7a5c7600000000,\n 0xb5e2e50000000000, 0x6108969b00000000, 0x5c3173ed00000000,\n 0x88db007600000000, 0x4c86720100000000, 0x986c019a00000000,\n 0xa555e4ec00000000, 0x71bf977700000000, 0xdf272e0100000000,\n 0x0bcd5d9a00000000, 0x36f4b8ec00000000, 0xe21ecb7700000000,\n 0x6ac5cb0100000000, 0xbe2fb89a00000000, 0x83165dec00000000,\n 0x57fc2e7700000000, 0xf964970100000000, 0x2d8ee49a00000000,\n 0x10b701ec00000000, 0xc45d727700000000, 0x980ce50200000000,\n 0x4ce6969900000000, 0x71df73ef00000000, 0xa535007400000000,\n 0x0badb90200000000, 0xdf47ca9900000000, 0xe27e2fef00000000,\n 0x36945c7400000000, 0xbe4f5c0200000000, 0x6aa52f9900000000,\n 0x579ccaef00000000, 0x8376b97400000000, 0x2dee000200000000,\n 0xf904739900000000, 0xc43d96ef00000000, 0x10d7e57400000000,\n 0xd48a970300000000, 0x0060e49800000000, 0x3d5901ee00000000,\n 0xe9b3727500000000, 0x472bcb0300000000, 0x93c1b89800000000,\n 0xaef85dee00000000, 0x7a122e7500000000, 0xf2c92e0300000000,\n 0x26235d9800000000, 0x1b1ab8ee00000000, 0xcff0cb7500000000,\n 0x6168720300000000, 0xb582019800000000, 0x88bbe4ee00000000,\n 0x5c51977500000000, 0x3019ca0500000000, 0xe4f3b99e00000000,\n 0xd9ca5ce800000000, 0x0d202f7300000000, 0xa3b8960500000000,\n 0x7752e59e00000000, 0x4a6b00e800000000, 0x9e81737300000000,\n 0x165a730500000000, 0xc2b0009e00000000, 0xff89e5e800000000,\n 0x2b63967300000000, 0x85fb2f0500000000, 0x51115c9e00000000,\n 0x6c28b9e800000000, 0xb8c2ca7300000000, 0x7c9fb80400000000,\n 0xa875cb9f00000000, 0x954c2ee900000000, 0x41a65d7200000000,\n 0xef3ee40400000000, 0x3bd4979f00000000, 0x06ed72e900000000,\n 0xd207017200000000, 0x5adc010400000000, 0x8e36729f00000000,\n 0xb30f97e900000000, 0x67e5e47200000000, 0xc97d5d0400000000,\n 0x1d972e9f00000000, 0x20aecbe900000000, 0xf444b87200000000,\n 0xa8152f0700000000, 0x7cff5c9c00000000, 0x41c6b9ea00000000,\n 0x952cca7100000000, 0x3bb4730700000000, 0xef5e009c00000000,\n 0xd267e5ea00000000, 0x068d967100000000, 0x8e56960700000000,\n 0x5abce59c00000000, 0x678500ea00000000, 0xb36f737100000000,\n 0x1df7ca0700000000, 0xc91db99c00000000, 0xf4245cea00000000,\n 0x20ce2f7100000000, 0xe4935d0600000000, 0x30792e9d00000000,\n 0x0d40cbeb00000000, 0xd9aab87000000000, 0x7732010600000000,\n 0xa3d8729d00000000, 0x9ee197eb00000000, 0x4a0be47000000000,\n 0xc2d0e40600000000, 0x163a979d00000000, 0x2b0372eb00000000,\n 0xffe9017000000000, 0x5171b80600000000, 0x859bcb9d00000000,\n 0xb8a22eeb00000000, 0x6c485d7000000000, 0x6032940b00000000,\n 0xb4d8e79000000000, 0x89e102e600000000, 0x5d0b717d00000000,\n 0xf393c80b00000000, 0x2779bb9000000000, 0x1a405ee600000000,\n 0xceaa2d7d00000000, 0x46712d0b00000000, 0x929b5e9000000000,\n 0xafa2bbe600000000, 0x7b48c87d00000000, 0xd5d0710b00000000,\n 0x013a029000000000, 0x3c03e7e600000000, 0xe8e9947d00000000,\n 0x2cb4e60a00000000, 0xf85e959100000000, 0xc56770e700000000,\n 0x118d037c00000000, 0xbf15ba0a00000000, 0x6bffc99100000000,\n 0x56c62ce700000000, 0x822c5f7c00000000, 0x0af75f0a00000000,\n 0xde1d2c9100000000, 0xe324c9e700000000, 0x37ceba7c00000000,\n 0x9956030a00000000, 0x4dbc709100000000, 0x708595e700000000,\n 0xa46fe67c00000000, 0xf83e710900000000, 0x2cd4029200000000,\n 0x11ede7e400000000, 0xc507947f00000000, 0x6b9f2d0900000000,\n 0xbf755e9200000000, 0x824cbbe400000000, 0x56a6c87f00000000,\n 0xde7dc80900000000, 0x0a97bb9200000000, 0x37ae5ee400000000,\n 0xe3442d7f00000000, 0x4ddc940900000000, 0x9936e79200000000,\n 0xa40f02e400000000, 0x70e5717f00000000, 0xb4b8030800000000,\n 0x6052709300000000, 0x5d6b95e500000000, 0x8981e67e00000000,\n 0x27195f0800000000, 0xf3f32c9300000000, 0xcecac9e500000000,\n 0x1a20ba7e00000000, 0x92fbba0800000000, 0x4611c99300000000,\n 0x7b282ce500000000, 0xafc25f7e00000000, 0x015ae60800000000,\n 0xd5b0959300000000, 0xe88970e500000000, 0x3c63037e00000000,\n 0x502b5e0e00000000, 0x84c12d9500000000, 0xb9f8c8e300000000,\n 0x6d12bb7800000000, 0xc38a020e00000000, 0x1760719500000000,\n 0x2a5994e300000000, 0xfeb3e77800000000, 0x7668e70e00000000,\n 0xa282949500000000, 0x9fbb71e300000000, 0x4b51027800000000,\n 0xe5c9bb0e00000000, 0x3123c89500000000, 0x0c1a2de300000000,\n 0xd8f05e7800000000, 0x1cad2c0f00000000, 0xc8475f9400000000,\n 0xf57ebae200000000, 0x2194c97900000000, 0x8f0c700f00000000,\n 0x5be6039400000000, 0x66dfe6e200000000, 0xb235957900000000,\n 0x3aee950f00000000, 0xee04e69400000000, 0xd33d03e200000000,\n 0x07d7707900000000, 0xa94fc90f00000000, 0x7da5ba9400000000,\n 0x409c5fe200000000, 0x94762c7900000000, 0xc827bb0c00000000,\n 0x1ccdc89700000000, 0x21f42de100000000, 0xf51e5e7a00000000,\n 0x5b86e70c00000000, 0x8f6c949700000000, 0xb25571e100000000,\n 0x66bf027a00000000, 0xee64020c00000000, 0x3a8e719700000000,\n 0x07b794e100000000, 0xd35de77a00000000, 0x7dc55e0c00000000,\n 0xa92f2d9700000000, 0x9416c8e100000000, 0x40fcbb7a00000000,\n 0x84a1c90d00000000, 0x504bba9600000000, 0x6d725fe000000000,\n 0xb9982c7b00000000, 0x1700950d00000000, 0xc3eae69600000000,\n 0xfed303e000000000, 0x2a39707b00000000, 0xa2e2700d00000000,\n 0x7608039600000000, 0x4b31e6e000000000, 0x9fdb957b00000000,\n 0x31432c0d00000000, 0xe5a95f9600000000, 0xd890bae000000000,\n 0x0c7ac97b00000000},\n {0x0000000000000000, 0x2765258100000000, 0x0fcc3bd900000000,\n 0x28a91e5800000000, 0x5f9e066900000000, 0x78fb23e800000000,\n 0x50523db000000000, 0x7737183100000000, 0xbe3c0dd200000000,\n 0x9959285300000000, 0xb1f0360b00000000, 0x9695138a00000000,\n 0xe1a20bbb00000000, 0xc6c72e3a00000000, 0xee6e306200000000,\n 0xc90b15e300000000, 0x3d7f6b7f00000000, 0x1a1a4efe00000000,\n 0x32b350a600000000, 0x15d6752700000000, 0x62e16d1600000000,\n 0x4584489700000000, 0x6d2d56cf00000000, 0x4a48734e00000000,\n 0x834366ad00000000, 0xa426432c00000000, 0x8c8f5d7400000000,\n 0xabea78f500000000, 0xdcdd60c400000000, 0xfbb8454500000000,\n 0xd3115b1d00000000, 0xf4747e9c00000000, 0x7afed6fe00000000,\n 0x5d9bf37f00000000, 0x7532ed2700000000, 0x5257c8a600000000,\n 0x2560d09700000000, 0x0205f51600000000, 0x2aaceb4e00000000,\n 0x0dc9cecf00000000, 0xc4c2db2c00000000, 0xe3a7fead00000000,\n 0xcb0ee0f500000000, 0xec6bc57400000000, 0x9b5cdd4500000000,\n 0xbc39f8c400000000, 0x9490e69c00000000, 0xb3f5c31d00000000,\n 0x4781bd8100000000, 0x60e4980000000000, 0x484d865800000000,\n 0x6f28a3d900000000, 0x181fbbe800000000, 0x3f7a9e6900000000,\n 0x17d3803100000000, 0x30b6a5b000000000, 0xf9bdb05300000000,\n 0xded895d200000000, 0xf6718b8a00000000, 0xd114ae0b00000000,\n 0xa623b63a00000000, 0x814693bb00000000, 0xa9ef8de300000000,\n 0x8e8aa86200000000, 0xb5fadc2600000000, 0x929ff9a700000000,\n 0xba36e7ff00000000, 0x9d53c27e00000000, 0xea64da4f00000000,\n 0xcd01ffce00000000, 0xe5a8e19600000000, 0xc2cdc41700000000,\n 0x0bc6d1f400000000, 0x2ca3f47500000000, 0x040aea2d00000000,\n 0x236fcfac00000000, 0x5458d79d00000000, 0x733df21c00000000,\n 0x5b94ec4400000000, 0x7cf1c9c500000000, 0x8885b75900000000,\n 0xafe092d800000000, 0x87498c8000000000, 0xa02ca90100000000,\n 0xd71bb13000000000, 0xf07e94b100000000, 0xd8d78ae900000000,\n 0xffb2af6800000000, 0x36b9ba8b00000000, 0x11dc9f0a00000000,\n 0x3975815200000000, 0x1e10a4d300000000, 0x6927bce200000000,\n 0x4e42996300000000, 0x66eb873b00000000, 0x418ea2ba00000000,\n 0xcf040ad800000000, 0xe8612f5900000000, 0xc0c8310100000000,\n 0xe7ad148000000000, 0x909a0cb100000000, 0xb7ff293000000000,\n 0x9f56376800000000, 0xb83312e900000000, 0x7138070a00000000,\n 0x565d228b00000000, 0x7ef43cd300000000, 0x5991195200000000,\n 0x2ea6016300000000, 0x09c324e200000000, 0x216a3aba00000000,\n 0x060f1f3b00000000, 0xf27b61a700000000, 0xd51e442600000000,\n 0xfdb75a7e00000000, 0xdad27fff00000000, 0xade567ce00000000,\n 0x8a80424f00000000, 0xa2295c1700000000, 0x854c799600000000,\n 0x4c476c7500000000, 0x6b2249f400000000, 0x438b57ac00000000,\n 0x64ee722d00000000, 0x13d96a1c00000000, 0x34bc4f9d00000000,\n 0x1c1551c500000000, 0x3b70744400000000, 0x6af5b94d00000000,\n 0x4d909ccc00000000, 0x6539829400000000, 0x425ca71500000000,\n 0x356bbf2400000000, 0x120e9aa500000000, 0x3aa784fd00000000,\n 0x1dc2a17c00000000, 0xd4c9b49f00000000, 0xf3ac911e00000000,\n 0xdb058f4600000000, 0xfc60aac700000000, 0x8b57b2f600000000,\n 0xac32977700000000, 0x849b892f00000000, 0xa3feacae00000000,\n 0x578ad23200000000, 0x70eff7b300000000, 0x5846e9eb00000000,\n 0x7f23cc6a00000000, 0x0814d45b00000000, 0x2f71f1da00000000,\n 0x07d8ef8200000000, 0x20bdca0300000000, 0xe9b6dfe000000000,\n 0xced3fa6100000000, 0xe67ae43900000000, 0xc11fc1b800000000,\n 0xb628d98900000000, 0x914dfc0800000000, 0xb9e4e25000000000,\n 0x9e81c7d100000000, 0x100b6fb300000000, 0x376e4a3200000000,\n 0x1fc7546a00000000, 0x38a271eb00000000, 0x4f9569da00000000,\n 0x68f04c5b00000000, 0x4059520300000000, 0x673c778200000000,\n 0xae37626100000000, 0x895247e000000000, 0xa1fb59b800000000,\n 0x869e7c3900000000, 0xf1a9640800000000, 0xd6cc418900000000,\n 0xfe655fd100000000, 0xd9007a5000000000, 0x2d7404cc00000000,\n 0x0a11214d00000000, 0x22b83f1500000000, 0x05dd1a9400000000,\n 0x72ea02a500000000, 0x558f272400000000, 0x7d26397c00000000,\n 0x5a431cfd00000000, 0x9348091e00000000, 0xb42d2c9f00000000,\n 0x9c8432c700000000, 0xbbe1174600000000, 0xccd60f7700000000,\n 0xebb32af600000000, 0xc31a34ae00000000, 0xe47f112f00000000,\n 0xdf0f656b00000000, 0xf86a40ea00000000, 0xd0c35eb200000000,\n 0xf7a67b3300000000, 0x8091630200000000, 0xa7f4468300000000,\n 0x8f5d58db00000000, 0xa8387d5a00000000, 0x613368b900000000,\n 0x46564d3800000000, 0x6eff536000000000, 0x499a76e100000000,\n 0x3ead6ed000000000, 0x19c84b5100000000, 0x3161550900000000,\n 0x1604708800000000, 0xe2700e1400000000, 0xc5152b9500000000,\n 0xedbc35cd00000000, 0xcad9104c00000000, 0xbdee087d00000000,\n 0x9a8b2dfc00000000, 0xb22233a400000000, 0x9547162500000000,\n 0x5c4c03c600000000, 0x7b29264700000000, 0x5380381f00000000,\n 0x74e51d9e00000000, 0x03d205af00000000, 0x24b7202e00000000,\n 0x0c1e3e7600000000, 0x2b7b1bf700000000, 0xa5f1b39500000000,\n 0x8294961400000000, 0xaa3d884c00000000, 0x8d58adcd00000000,\n 0xfa6fb5fc00000000, 0xdd0a907d00000000, 0xf5a38e2500000000,\n 0xd2c6aba400000000, 0x1bcdbe4700000000, 0x3ca89bc600000000,\n 0x1401859e00000000, 0x3364a01f00000000, 0x4453b82e00000000,\n 0x63369daf00000000, 0x4b9f83f700000000, 0x6cfaa67600000000,\n 0x988ed8ea00000000, 0xbfebfd6b00000000, 0x9742e33300000000,\n 0xb027c6b200000000, 0xc710de8300000000, 0xe075fb0200000000,\n 0xc8dce55a00000000, 0xefb9c0db00000000, 0x26b2d53800000000,\n 0x01d7f0b900000000, 0x297eeee100000000, 0x0e1bcb6000000000,\n 0x792cd35100000000, 0x5e49f6d000000000, 0x76e0e88800000000,\n 0x5185cd0900000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0x9ba54c6f, 0xec3b9e9f, 0x779ed2f0, 0x03063b7f,\n 0x98a37710, 0xef3da5e0, 0x7498e98f, 0x060c76fe, 0x9da93a91,\n 0xea37e861, 0x7192a40e, 0x050a4d81, 0x9eaf01ee, 0xe931d31e,\n 0x72949f71, 0x0c18edfc, 0x97bda193, 0xe0237363, 0x7b863f0c,\n 0x0f1ed683, 0x94bb9aec, 0xe325481c, 0x78800473, 0x0a149b02,\n 0x91b1d76d, 0xe62f059d, 0x7d8a49f2, 0x0912a07d, 0x92b7ec12,\n 0xe5293ee2, 0x7e8c728d, 0x1831dbf8, 0x83949797, 0xf40a4567,\n 0x6faf0908, 0x1b37e087, 0x8092ace8, 0xf70c7e18, 0x6ca93277,\n 0x1e3dad06, 0x8598e169, 0xf2063399, 0x69a37ff6, 0x1d3b9679,\n 0x869eda16, 0xf10008e6, 0x6aa54489, 0x14293604, 0x8f8c7a6b,\n 0xf812a89b, 0x63b7e4f4, 0x172f0d7b, 0x8c8a4114, 0xfb1493e4,\n 0x60b1df8b, 0x122540fa, 0x89800c95, 0xfe1ede65, 0x65bb920a,\n 0x11237b85, 0x8a8637ea, 0xfd18e51a, 0x66bda975, 0x3063b7f0,\n 0xabc6fb9f, 0xdc58296f, 0x47fd6500, 0x33658c8f, 0xa8c0c0e0,\n 0xdf5e1210, 0x44fb5e7f, 0x366fc10e, 0xadca8d61, 0xda545f91,\n 0x41f113fe, 0x3569fa71, 0xaeccb61e, 0xd95264ee, 0x42f72881,\n 0x3c7b5a0c, 0xa7de1663, 0xd040c493, 0x4be588fc, 0x3f7d6173,\n 0xa4d82d1c, 0xd346ffec, 0x48e3b383, 0x3a772cf2, 0xa1d2609d,\n 0xd64cb26d, 0x4de9fe02, 0x3971178d, 0xa2d45be2, 0xd54a8912,\n 0x4eefc57d, 0x28526c08, 0xb3f72067, 0xc469f297, 0x5fccbef8,\n 0x2b545777, 0xb0f11b18, 0xc76fc9e8, 0x5cca8587, 0x2e5e1af6,\n 0xb5fb5699, 0xc2658469, 0x59c0c806, 0x2d582189, 0xb6fd6de6,\n 0xc163bf16, 0x5ac6f379, 0x244a81f4, 0xbfefcd9b, 0xc8711f6b,\n 0x53d45304, 0x274cba8b, 0xbce9f6e4, 0xcb772414, 0x50d2687b,\n 0x2246f70a, 0xb9e3bb65, 0xce7d6995, 0x55d825fa, 0x2140cc75,\n 0xbae5801a, 0xcd7b52ea, 0x56de1e85, 0x60c76fe0, 0xfb62238f,\n 0x8cfcf17f, 0x1759bd10, 0x63c1549f, 0xf86418f0, 0x8ffaca00,\n 0x145f866f, 0x66cb191e, 0xfd6e5571, 0x8af08781, 0x1155cbee,\n 0x65cd2261, 0xfe686e0e, 0x89f6bcfe, 0x1253f091, 0x6cdf821c,\n 0xf77ace73, 0x80e41c83, 0x1b4150ec, 0x6fd9b963, 0xf47cf50c,\n 0x83e227fc, 0x18476b93, 0x6ad3f4e2, 0xf176b88d, 0x86e86a7d,\n 0x1d4d2612, 0x69d5cf9d, 0xf27083f2, 0x85ee5102, 0x1e4b1d6d,\n 0x78f6b418, 0xe353f877, 0x94cd2a87, 0x0f6866e8, 0x7bf08f67,\n 0xe055c308, 0x97cb11f8, 0x0c6e5d97, 0x7efac2e6, 0xe55f8e89,\n 0x92c15c79, 0x09641016, 0x7dfcf999, 0xe659b5f6, 0x91c76706,\n 0x0a622b69, 0x74ee59e4, 0xef4b158b, 0x98d5c77b, 0x03708b14,\n 0x77e8629b, 0xec4d2ef4, 0x9bd3fc04, 0x0076b06b, 0x72e22f1a,\n 0xe9476375, 0x9ed9b185, 0x057cfdea, 0x71e41465, 0xea41580a,\n 0x9ddf8afa, 0x067ac695, 0x50a4d810, 0xcb01947f, 0xbc9f468f,\n 0x273a0ae0, 0x53a2e36f, 0xc807af00, 0xbf997df0, 0x243c319f,\n 0x56a8aeee, 0xcd0de281, 0xba933071, 0x21367c1e, 0x55ae9591,\n 0xce0bd9fe, 0xb9950b0e, 0x22304761, 0x5cbc35ec, 0xc7197983,\n 0xb087ab73, 0x2b22e71c, 0x5fba0e93, 0xc41f42fc, 0xb381900c,\n 0x2824dc63, 0x5ab04312, 0xc1150f7d, 0xb68bdd8d, 0x2d2e91e2,\n 0x59b6786d, 0xc2133402, 0xb58de6f2, 0x2e28aa9d, 0x489503e8,\n 0xd3304f87, 0xa4ae9d77, 0x3f0bd118, 0x4b933897, 0xd03674f8,\n 0xa7a8a608, 0x3c0dea67, 0x4e997516, 0xd53c3979, 0xa2a2eb89,\n 0x3907a7e6, 0x4d9f4e69, 0xd63a0206, 0xa1a4d0f6, 0x3a019c99,\n 0x448dee14, 0xdf28a27b, 0xa8b6708b, 0x33133ce4, 0x478bd56b,\n 0xdc2e9904, 0xabb04bf4, 0x3015079b, 0x428198ea, 0xd924d485,\n 0xaeba0675, 0x351f4a1a, 0x4187a395, 0xda22effa, 0xadbc3d0a,\n 0x36197165},\n {0x00000000, 0xc18edfc0, 0x586cb9c1, 0x99e26601, 0xb0d97382,\n 0x7157ac42, 0xe8b5ca43, 0x293b1583, 0xbac3e145, 0x7b4d3e85,\n 0xe2af5884, 0x23218744, 0x0a1a92c7, 0xcb944d07, 0x52762b06,\n 0x93f8f4c6, 0xaef6c4cb, 0x6f781b0b, 0xf69a7d0a, 0x3714a2ca,\n 0x1e2fb749, 0xdfa16889, 0x46430e88, 0x87cdd148, 0x1435258e,\n 0xd5bbfa4e, 0x4c599c4f, 0x8dd7438f, 0xa4ec560c, 0x656289cc,\n 0xfc80efcd, 0x3d0e300d, 0x869c8fd7, 0x47125017, 0xdef03616,\n 0x1f7ee9d6, 0x3645fc55, 0xf7cb2395, 0x6e294594, 0xafa79a54,\n 0x3c5f6e92, 0xfdd1b152, 0x6433d753, 0xa5bd0893, 0x8c861d10,\n 0x4d08c2d0, 0xd4eaa4d1, 0x15647b11, 0x286a4b1c, 0xe9e494dc,\n 0x7006f2dd, 0xb1882d1d, 0x98b3389e, 0x593de75e, 0xc0df815f,\n 0x01515e9f, 0x92a9aa59, 0x53277599, 0xcac51398, 0x0b4bcc58,\n 0x2270d9db, 0xe3fe061b, 0x7a1c601a, 0xbb92bfda, 0xd64819ef,\n 0x17c6c62f, 0x8e24a02e, 0x4faa7fee, 0x66916a6d, 0xa71fb5ad,\n 0x3efdd3ac, 0xff730c6c, 0x6c8bf8aa, 0xad05276a, 0x34e7416b,\n 0xf5699eab, 0xdc528b28, 0x1ddc54e8, 0x843e32e9, 0x45b0ed29,\n 0x78bedd24, 0xb93002e4, 0x20d264e5, 0xe15cbb25, 0xc867aea6,\n 0x09e97166, 0x900b1767, 0x5185c8a7, 0xc27d3c61, 0x03f3e3a1,\n 0x9a1185a0, 0x5b9f5a60, 0x72a44fe3, 0xb32a9023, 0x2ac8f622,\n 0xeb4629e2, 0x50d49638, 0x915a49f8, 0x08b82ff9, 0xc936f039,\n 0xe00de5ba, 0x21833a7a, 0xb8615c7b, 0x79ef83bb, 0xea17777d,\n 0x2b99a8bd, 0xb27bcebc, 0x73f5117c, 0x5ace04ff, 0x9b40db3f,\n 0x02a2bd3e, 0xc32c62fe, 0xfe2252f3, 0x3fac8d33, 0xa64eeb32,\n 0x67c034f2, 0x4efb2171, 0x8f75feb1, 0x169798b0, 0xd7194770,\n 0x44e1b3b6, 0x856f6c76, 0x1c8d0a77, 0xdd03d5b7, 0xf438c034,\n 0x35b61ff4, 0xac5479f5, 0x6ddaa635, 0x77e1359f, 0xb66fea5f,\n 0x2f8d8c5e, 0xee03539e, 0xc738461d, 0x06b699dd, 0x9f54ffdc,\n 0x5eda201c, 0xcd22d4da, 0x0cac0b1a, 0x954e6d1b, 0x54c0b2db,\n 0x7dfba758, 0xbc757898, 0x25971e99, 0xe419c159, 0xd917f154,\n 0x18992e94, 0x817b4895, 0x40f59755, 0x69ce82d6, 0xa8405d16,\n 0x31a23b17, 0xf02ce4d7, 0x63d41011, 0xa25acfd1, 0x3bb8a9d0,\n 0xfa367610, 0xd30d6393, 0x1283bc53, 0x8b61da52, 0x4aef0592,\n 0xf17dba48, 0x30f36588, 0xa9110389, 0x689fdc49, 0x41a4c9ca,\n 0x802a160a, 0x19c8700b, 0xd846afcb, 0x4bbe5b0d, 0x8a3084cd,\n 0x13d2e2cc, 0xd25c3d0c, 0xfb67288f, 0x3ae9f74f, 0xa30b914e,\n 0x62854e8e, 0x5f8b7e83, 0x9e05a143, 0x07e7c742, 0xc6691882,\n 0xef520d01, 0x2edcd2c1, 0xb73eb4c0, 0x76b06b00, 0xe5489fc6,\n 0x24c64006, 0xbd242607, 0x7caaf9c7, 0x5591ec44, 0x941f3384,\n 0x0dfd5585, 0xcc738a45, 0xa1a92c70, 0x6027f3b0, 0xf9c595b1,\n 0x384b4a71, 0x11705ff2, 0xd0fe8032, 0x491ce633, 0x889239f3,\n 0x1b6acd35, 0xdae412f5, 0x430674f4, 0x8288ab34, 0xabb3beb7,\n 0x6a3d6177, 0xf3df0776, 0x3251d8b6, 0x0f5fe8bb, 0xced1377b,\n 0x5733517a, 0x96bd8eba, 0xbf869b39, 0x7e0844f9, 0xe7ea22f8,\n 0x2664fd38, 0xb59c09fe, 0x7412d63e, 0xedf0b03f, 0x2c7e6fff,\n 0x05457a7c, 0xc4cba5bc, 0x5d29c3bd, 0x9ca71c7d, 0x2735a3a7,\n 0xe6bb7c67, 0x7f591a66, 0xbed7c5a6, 0x97ecd025, 0x56620fe5,\n 0xcf8069e4, 0x0e0eb624, 0x9df642e2, 0x5c789d22, 0xc59afb23,\n 0x041424e3, 0x2d2f3160, 0xeca1eea0, 0x754388a1, 0xb4cd5761,\n 0x89c3676c, 0x484db8ac, 0xd1afdead, 0x1021016d, 0x391a14ee,\n 0xf894cb2e, 0x6176ad2f, 0xa0f872ef, 0x33008629, 0xf28e59e9,\n 0x6b6c3fe8, 0xaae2e028, 0x83d9f5ab, 0x42572a6b, 0xdbb54c6a,\n 0x1a3b93aa},\n {0x00000000, 0xefc26b3e, 0x04f5d03d, 0xeb37bb03, 0x09eba07a,\n 0xe629cb44, 0x0d1e7047, 0xe2dc1b79, 0x13d740f4, 0xfc152bca,\n 0x172290c9, 0xf8e0fbf7, 0x1a3ce08e, 0xf5fe8bb0, 0x1ec930b3,\n 0xf10b5b8d, 0x27ae81e8, 0xc86cead6, 0x235b51d5, 0xcc993aeb,\n 0x2e452192, 0xc1874aac, 0x2ab0f1af, 0xc5729a91, 0x3479c11c,\n 0xdbbbaa22, 0x308c1121, 0xdf4e7a1f, 0x3d926166, 0xd2500a58,\n 0x3967b15b, 0xd6a5da65, 0x4f5d03d0, 0xa09f68ee, 0x4ba8d3ed,\n 0xa46ab8d3, 0x46b6a3aa, 0xa974c894, 0x42437397, 0xad8118a9,\n 0x5c8a4324, 0xb348281a, 0x587f9319, 0xb7bdf827, 0x5561e35e,\n 0xbaa38860, 0x51943363, 0xbe56585d, 0x68f38238, 0x8731e906,\n 0x6c065205, 0x83c4393b, 0x61182242, 0x8eda497c, 0x65edf27f,\n 0x8a2f9941, 0x7b24c2cc, 0x94e6a9f2, 0x7fd112f1, 0x901379cf,\n 0x72cf62b6, 0x9d0d0988, 0x763ab28b, 0x99f8d9b5, 0x9eba07a0,\n 0x71786c9e, 0x9a4fd79d, 0x758dbca3, 0x9751a7da, 0x7893cce4,\n 0x93a477e7, 0x7c661cd9, 0x8d6d4754, 0x62af2c6a, 0x89989769,\n 0x665afc57, 0x8486e72e, 0x6b448c10, 0x80733713, 0x6fb15c2d,\n 0xb9148648, 0x56d6ed76, 0xbde15675, 0x52233d4b, 0xb0ff2632,\n 0x5f3d4d0c, 0xb40af60f, 0x5bc89d31, 0xaac3c6bc, 0x4501ad82,\n 0xae361681, 0x41f47dbf, 0xa32866c6, 0x4cea0df8, 0xa7ddb6fb,\n 0x481fddc5, 0xd1e70470, 0x3e256f4e, 0xd512d44d, 0x3ad0bf73,\n 0xd80ca40a, 0x37cecf34, 0xdcf97437, 0x333b1f09, 0xc2304484,\n 0x2df22fba, 0xc6c594b9, 0x2907ff87, 0xcbdbe4fe, 0x24198fc0,\n 0xcf2e34c3, 0x20ec5ffd, 0xf6498598, 0x198beea6, 0xf2bc55a5,\n 0x1d7e3e9b, 0xffa225e2, 0x10604edc, 0xfb57f5df, 0x14959ee1,\n 0xe59ec56c, 0x0a5cae52, 0xe16b1551, 0x0ea97e6f, 0xec756516,\n 0x03b70e28, 0xe880b52b, 0x0742de15, 0xe6050901, 0x09c7623f,\n 0xe2f0d93c, 0x0d32b202, 0xefeea97b, 0x002cc245, 0xeb1b7946,\n 0x04d91278, 0xf5d249f5, 0x1a1022cb, 0xf12799c8, 0x1ee5f2f6,\n 0xfc39e98f, 0x13fb82b1, 0xf8cc39b2, 0x170e528c, 0xc1ab88e9,\n 0x2e69e3d7, 0xc55e58d4, 0x2a9c33ea, 0xc8402893, 0x278243ad,\n 0xccb5f8ae, 0x23779390, 0xd27cc81d, 0x3dbea323, 0xd6891820,\n 0x394b731e, 0xdb976867, 0x34550359, 0xdf62b85a, 0x30a0d364,\n 0xa9580ad1, 0x469a61ef, 0xadaddaec, 0x426fb1d2, 0xa0b3aaab,\n 0x4f71c195, 0xa4467a96, 0x4b8411a8, 0xba8f4a25, 0x554d211b,\n 0xbe7a9a18, 0x51b8f126, 0xb364ea5f, 0x5ca68161, 0xb7913a62,\n 0x5853515c, 0x8ef68b39, 0x6134e007, 0x8a035b04, 0x65c1303a,\n 0x871d2b43, 0x68df407d, 0x83e8fb7e, 0x6c2a9040, 0x9d21cbcd,\n 0x72e3a0f3, 0x99d41bf0, 0x761670ce, 0x94ca6bb7, 0x7b080089,\n 0x903fbb8a, 0x7ffdd0b4, 0x78bf0ea1, 0x977d659f, 0x7c4ade9c,\n 0x9388b5a2, 0x7154aedb, 0x9e96c5e5, 0x75a17ee6, 0x9a6315d8,\n 0x6b684e55, 0x84aa256b, 0x6f9d9e68, 0x805ff556, 0x6283ee2f,\n 0x8d418511, 0x66763e12, 0x89b4552c, 0x5f118f49, 0xb0d3e477,\n 0x5be45f74, 0xb426344a, 0x56fa2f33, 0xb938440d, 0x520fff0e,\n 0xbdcd9430, 0x4cc6cfbd, 0xa304a483, 0x48331f80, 0xa7f174be,\n 0x452d6fc7, 0xaaef04f9, 0x41d8bffa, 0xae1ad4c4, 0x37e20d71,\n 0xd820664f, 0x3317dd4c, 0xdcd5b672, 0x3e09ad0b, 0xd1cbc635,\n 0x3afc7d36, 0xd53e1608, 0x24354d85, 0xcbf726bb, 0x20c09db8,\n 0xcf02f686, 0x2ddeedff, 0xc21c86c1, 0x292b3dc2, 0xc6e956fc,\n 0x104c8c99, 0xff8ee7a7, 0x14b95ca4, 0xfb7b379a, 0x19a72ce3,\n 0xf66547dd, 0x1d52fcde, 0xf29097e0, 0x039bcc6d, 0xec59a753,\n 0x076e1c50, 0xe8ac776e, 0x0a706c17, 0xe5b20729, 0x0e85bc2a,\n 0xe147d714},\n {0x00000000, 0x177b1443, 0x2ef62886, 0x398d3cc5, 0x5dec510c,\n 0x4a97454f, 0x731a798a, 0x64616dc9, 0xbbd8a218, 0xaca3b65b,\n 0x952e8a9e, 0x82559edd, 0xe634f314, 0xf14fe757, 0xc8c2db92,\n 0xdfb9cfd1, 0xacc04271, 0xbbbb5632, 0x82366af7, 0x954d7eb4,\n 0xf12c137d, 0xe657073e, 0xdfda3bfb, 0xc8a12fb8, 0x1718e069,\n 0x0063f42a, 0x39eec8ef, 0x2e95dcac, 0x4af4b165, 0x5d8fa526,\n 0x640299e3, 0x73798da0, 0x82f182a3, 0x958a96e0, 0xac07aa25,\n 0xbb7cbe66, 0xdf1dd3af, 0xc866c7ec, 0xf1ebfb29, 0xe690ef6a,\n 0x392920bb, 0x2e5234f8, 0x17df083d, 0x00a41c7e, 0x64c571b7,\n 0x73be65f4, 0x4a335931, 0x5d484d72, 0x2e31c0d2, 0x394ad491,\n 0x00c7e854, 0x17bcfc17, 0x73dd91de, 0x64a6859d, 0x5d2bb958,\n 0x4a50ad1b, 0x95e962ca, 0x82927689, 0xbb1f4a4c, 0xac645e0f,\n 0xc80533c6, 0xdf7e2785, 0xe6f31b40, 0xf1880f03, 0xde920307,\n 0xc9e91744, 0xf0642b81, 0xe71f3fc2, 0x837e520b, 0x94054648,\n 0xad887a8d, 0xbaf36ece, 0x654aa11f, 0x7231b55c, 0x4bbc8999,\n 0x5cc79dda, 0x38a6f013, 0x2fdde450, 0x1650d895, 0x012bccd6,\n 0x72524176, 0x65295535, 0x5ca469f0, 0x4bdf7db3, 0x2fbe107a,\n 0x38c50439, 0x014838fc, 0x16332cbf, 0xc98ae36e, 0xdef1f72d,\n 0xe77ccbe8, 0xf007dfab, 0x9466b262, 0x831da621, 0xba909ae4,\n 0xadeb8ea7, 0x5c6381a4, 0x4b1895e7, 0x7295a922, 0x65eebd61,\n 0x018fd0a8, 0x16f4c4eb, 0x2f79f82e, 0x3802ec6d, 0xe7bb23bc,\n 0xf0c037ff, 0xc94d0b3a, 0xde361f79, 0xba5772b0, 0xad2c66f3,\n 0x94a15a36, 0x83da4e75, 0xf0a3c3d5, 0xe7d8d796, 0xde55eb53,\n 0xc92eff10, 0xad4f92d9, 0xba34869a, 0x83b9ba5f, 0x94c2ae1c,\n 0x4b7b61cd, 0x5c00758e, 0x658d494b, 0x72f65d08, 0x169730c1,\n 0x01ec2482, 0x38611847, 0x2f1a0c04, 0x6655004f, 0x712e140c,\n 0x48a328c9, 0x5fd83c8a, 0x3bb95143, 0x2cc24500, 0x154f79c5,\n 0x02346d86, 0xdd8da257, 0xcaf6b614, 0xf37b8ad1, 0xe4009e92,\n 0x8061f35b, 0x971ae718, 0xae97dbdd, 0xb9eccf9e, 0xca95423e,\n 0xddee567d, 0xe4636ab8, 0xf3187efb, 0x97791332, 0x80020771,\n 0xb98f3bb4, 0xaef42ff7, 0x714de026, 0x6636f465, 0x5fbbc8a0,\n 0x48c0dce3, 0x2ca1b12a, 0x3bdaa569, 0x025799ac, 0x152c8def,\n 0xe4a482ec, 0xf3df96af, 0xca52aa6a, 0xdd29be29, 0xb948d3e0,\n 0xae33c7a3, 0x97befb66, 0x80c5ef25, 0x5f7c20f4, 0x480734b7,\n 0x718a0872, 0x66f11c31, 0x029071f8, 0x15eb65bb, 0x2c66597e,\n 0x3b1d4d3d, 0x4864c09d, 0x5f1fd4de, 0x6692e81b, 0x71e9fc58,\n 0x15889191, 0x02f385d2, 0x3b7eb917, 0x2c05ad54, 0xf3bc6285,\n 0xe4c776c6, 0xdd4a4a03, 0xca315e40, 0xae503389, 0xb92b27ca,\n 0x80a61b0f, 0x97dd0f4c, 0xb8c70348, 0xafbc170b, 0x96312bce,\n 0x814a3f8d, 0xe52b5244, 0xf2504607, 0xcbdd7ac2, 0xdca66e81,\n 0x031fa150, 0x1464b513, 0x2de989d6, 0x3a929d95, 0x5ef3f05c,\n 0x4988e41f, 0x7005d8da, 0x677ecc99, 0x14074139, 0x037c557a,\n 0x3af169bf, 0x2d8a7dfc, 0x49eb1035, 0x5e900476, 0x671d38b3,\n 0x70662cf0, 0xafdfe321, 0xb8a4f762, 0x8129cba7, 0x9652dfe4,\n 0xf233b22d, 0xe548a66e, 0xdcc59aab, 0xcbbe8ee8, 0x3a3681eb,\n 0x2d4d95a8, 0x14c0a96d, 0x03bbbd2e, 0x67dad0e7, 0x70a1c4a4,\n 0x492cf861, 0x5e57ec22, 0x81ee23f3, 0x969537b0, 0xaf180b75,\n 0xb8631f36, 0xdc0272ff, 0xcb7966bc, 0xf2f45a79, 0xe58f4e3a,\n 0x96f6c39a, 0x818dd7d9, 0xb800eb1c, 0xaf7bff5f, 0xcb1a9296,\n 0xdc6186d5, 0xe5ecba10, 0xf297ae53, 0x2d2e6182, 0x3a5575c1,\n 0x03d84904, 0x14a35d47, 0x70c2308e, 0x67b924cd, 0x5e341808,\n 0x494f0c4b}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0x43147b17, 0x8628f62e, 0xc53c8d39, 0x0c51ec5d,\n 0x4f45974a, 0x8a791a73, 0xc96d6164, 0x18a2d8bb, 0x5bb6a3ac,\n 0x9e8a2e95, 0xdd9e5582, 0x14f334e6, 0x57e74ff1, 0x92dbc2c8,\n 0xd1cfb9df, 0x7142c0ac, 0x3256bbbb, 0xf76a3682, 0xb47e4d95,\n 0x7d132cf1, 0x3e0757e6, 0xfb3bdadf, 0xb82fa1c8, 0x69e01817,\n 0x2af46300, 0xefc8ee39, 0xacdc952e, 0x65b1f44a, 0x26a58f5d,\n 0xe3990264, 0xa08d7973, 0xa382f182, 0xe0968a95, 0x25aa07ac,\n 0x66be7cbb, 0xafd31ddf, 0xecc766c8, 0x29fbebf1, 0x6aef90e6,\n 0xbb202939, 0xf834522e, 0x3d08df17, 0x7e1ca400, 0xb771c564,\n 0xf465be73, 0x3159334a, 0x724d485d, 0xd2c0312e, 0x91d44a39,\n 0x54e8c700, 0x17fcbc17, 0xde91dd73, 0x9d85a664, 0x58b92b5d,\n 0x1bad504a, 0xca62e995, 0x89769282, 0x4c4a1fbb, 0x0f5e64ac,\n 0xc63305c8, 0x85277edf, 0x401bf3e6, 0x030f88f1, 0x070392de,\n 0x4417e9c9, 0x812b64f0, 0xc23f1fe7, 0x0b527e83, 0x48460594,\n 0x8d7a88ad, 0xce6ef3ba, 0x1fa14a65, 0x5cb53172, 0x9989bc4b,\n 0xda9dc75c, 0x13f0a638, 0x50e4dd2f, 0x95d85016, 0xd6cc2b01,\n 0x76415272, 0x35552965, 0xf069a45c, 0xb37ddf4b, 0x7a10be2f,\n 0x3904c538, 0xfc384801, 0xbf2c3316, 0x6ee38ac9, 0x2df7f1de,\n 0xe8cb7ce7, 0xabdf07f0, 0x62b26694, 0x21a61d83, 0xe49a90ba,\n 0xa78eebad, 0xa481635c, 0xe795184b, 0x22a99572, 0x61bdee65,\n 0xa8d08f01, 0xebc4f416, 0x2ef8792f, 0x6dec0238, 0xbc23bbe7,\n 0xff37c0f0, 0x3a0b4dc9, 0x791f36de, 0xb07257ba, 0xf3662cad,\n 0x365aa194, 0x754eda83, 0xd5c3a3f0, 0x96d7d8e7, 0x53eb55de,\n 0x10ff2ec9, 0xd9924fad, 0x9a8634ba, 0x5fbab983, 0x1caec294,\n 0xcd617b4b, 0x8e75005c, 0x4b498d65, 0x085df672, 0xc1309716,\n 0x8224ec01, 0x47186138, 0x040c1a2f, 0x4f005566, 0x0c142e71,\n 0xc928a348, 0x8a3cd85f, 0x4351b93b, 0x0045c22c, 0xc5794f15,\n 0x866d3402, 0x57a28ddd, 0x14b6f6ca, 0xd18a7bf3, 0x929e00e4,\n 0x5bf36180, 0x18e71a97, 0xdddb97ae, 0x9ecfecb9, 0x3e4295ca,\n 0x7d56eedd, 0xb86a63e4, 0xfb7e18f3, 0x32137997, 0x71070280,\n 0xb43b8fb9, 0xf72ff4ae, 0x26e04d71, 0x65f43666, 0xa0c8bb5f,\n 0xe3dcc048, 0x2ab1a12c, 0x69a5da3b, 0xac995702, 0xef8d2c15,\n 0xec82a4e4, 0xaf96dff3, 0x6aaa52ca, 0x29be29dd, 0xe0d348b9,\n 0xa3c733ae, 0x66fbbe97, 0x25efc580, 0xf4207c5f, 0xb7340748,\n 0x72088a71, 0x311cf166, 0xf8719002, 0xbb65eb15, 0x7e59662c,\n 0x3d4d1d3b, 0x9dc06448, 0xded41f5f, 0x1be89266, 0x58fce971,\n 0x91918815, 0xd285f302, 0x17b97e3b, 0x54ad052c, 0x8562bcf3,\n 0xc676c7e4, 0x034a4add, 0x405e31ca, 0x893350ae, 0xca272bb9,\n 0x0f1ba680, 0x4c0fdd97, 0x4803c7b8, 0x0b17bcaf, 0xce2b3196,\n 0x8d3f4a81, 0x44522be5, 0x074650f2, 0xc27addcb, 0x816ea6dc,\n 0x50a11f03, 0x13b56414, 0xd689e92d, 0x959d923a, 0x5cf0f35e,\n 0x1fe48849, 0xdad80570, 0x99cc7e67, 0x39410714, 0x7a557c03,\n 0xbf69f13a, 0xfc7d8a2d, 0x3510eb49, 0x7604905e, 0xb3381d67,\n 0xf02c6670, 0x21e3dfaf, 0x62f7a4b8, 0xa7cb2981, 0xe4df5296,\n 0x2db233f2, 0x6ea648e5, 0xab9ac5dc, 0xe88ebecb, 0xeb81363a,\n 0xa8954d2d, 0x6da9c014, 0x2ebdbb03, 0xe7d0da67, 0xa4c4a170,\n 0x61f82c49, 0x22ec575e, 0xf323ee81, 0xb0379596, 0x750b18af,\n 0x361f63b8, 0xff7202dc, 0xbc6679cb, 0x795af4f2, 0x3a4e8fe5,\n 0x9ac3f696, 0xd9d78d81, 0x1ceb00b8, 0x5fff7baf, 0x96921acb,\n 0xd58661dc, 0x10baece5, 0x53ae97f2, 0x82612e2d, 0xc175553a,\n 0x0449d803, 0x475da314, 0x8e30c270, 0xcd24b967, 0x0818345e,\n 0x4b0c4f49},\n {0x00000000, 0x3e6bc2ef, 0x3dd0f504, 0x03bb37eb, 0x7aa0eb09,\n 0x44cb29e6, 0x47701e0d, 0x791bdce2, 0xf440d713, 0xca2b15fc,\n 0xc9902217, 0xf7fbe0f8, 0x8ee03c1a, 0xb08bfef5, 0xb330c91e,\n 0x8d5b0bf1, 0xe881ae27, 0xd6ea6cc8, 0xd5515b23, 0xeb3a99cc,\n 0x9221452e, 0xac4a87c1, 0xaff1b02a, 0x919a72c5, 0x1cc17934,\n 0x22aabbdb, 0x21118c30, 0x1f7a4edf, 0x6661923d, 0x580a50d2,\n 0x5bb16739, 0x65daa5d6, 0xd0035d4f, 0xee689fa0, 0xedd3a84b,\n 0xd3b86aa4, 0xaaa3b646, 0x94c874a9, 0x97734342, 0xa91881ad,\n 0x24438a5c, 0x1a2848b3, 0x19937f58, 0x27f8bdb7, 0x5ee36155,\n 0x6088a3ba, 0x63339451, 0x5d5856be, 0x3882f368, 0x06e93187,\n 0x0552066c, 0x3b39c483, 0x42221861, 0x7c49da8e, 0x7ff2ed65,\n 0x41992f8a, 0xccc2247b, 0xf2a9e694, 0xf112d17f, 0xcf791390,\n 0xb662cf72, 0x88090d9d, 0x8bb23a76, 0xb5d9f899, 0xa007ba9e,\n 0x9e6c7871, 0x9dd74f9a, 0xa3bc8d75, 0xdaa75197, 0xe4cc9378,\n 0xe777a493, 0xd91c667c, 0x54476d8d, 0x6a2caf62, 0x69979889,\n 0x57fc5a66, 0x2ee78684, 0x108c446b, 0x13377380, 0x2d5cb16f,\n 0x488614b9, 0x76edd656, 0x7556e1bd, 0x4b3d2352, 0x3226ffb0,\n 0x0c4d3d5f, 0x0ff60ab4, 0x319dc85b, 0xbcc6c3aa, 0x82ad0145,\n 0x811636ae, 0xbf7df441, 0xc66628a3, 0xf80dea4c, 0xfbb6dda7,\n 0xc5dd1f48, 0x7004e7d1, 0x4e6f253e, 0x4dd412d5, 0x73bfd03a,\n 0x0aa40cd8, 0x34cfce37, 0x3774f9dc, 0x091f3b33, 0x844430c2,\n 0xba2ff22d, 0xb994c5c6, 0x87ff0729, 0xfee4dbcb, 0xc08f1924,\n 0xc3342ecf, 0xfd5fec20, 0x988549f6, 0xa6ee8b19, 0xa555bcf2,\n 0x9b3e7e1d, 0xe225a2ff, 0xdc4e6010, 0xdff557fb, 0xe19e9514,\n 0x6cc59ee5, 0x52ae5c0a, 0x51156be1, 0x6f7ea90e, 0x166575ec,\n 0x280eb703, 0x2bb580e8, 0x15de4207, 0x010905e6, 0x3f62c709,\n 0x3cd9f0e2, 0x02b2320d, 0x7ba9eeef, 0x45c22c00, 0x46791beb,\n 0x7812d904, 0xf549d2f5, 0xcb22101a, 0xc89927f1, 0xf6f2e51e,\n 0x8fe939fc, 0xb182fb13, 0xb239ccf8, 0x8c520e17, 0xe988abc1,\n 0xd7e3692e, 0xd4585ec5, 0xea339c2a, 0x932840c8, 0xad438227,\n 0xaef8b5cc, 0x90937723, 0x1dc87cd2, 0x23a3be3d, 0x201889d6,\n 0x1e734b39, 0x676897db, 0x59035534, 0x5ab862df, 0x64d3a030,\n 0xd10a58a9, 0xef619a46, 0xecdaadad, 0xd2b16f42, 0xabaab3a0,\n 0x95c1714f, 0x967a46a4, 0xa811844b, 0x254a8fba, 0x1b214d55,\n 0x189a7abe, 0x26f1b851, 0x5fea64b3, 0x6181a65c, 0x623a91b7,\n 0x5c515358, 0x398bf68e, 0x07e03461, 0x045b038a, 0x3a30c165,\n 0x432b1d87, 0x7d40df68, 0x7efbe883, 0x40902a6c, 0xcdcb219d,\n 0xf3a0e372, 0xf01bd499, 0xce701676, 0xb76bca94, 0x8900087b,\n 0x8abb3f90, 0xb4d0fd7f, 0xa10ebf78, 0x9f657d97, 0x9cde4a7c,\n 0xa2b58893, 0xdbae5471, 0xe5c5969e, 0xe67ea175, 0xd815639a,\n 0x554e686b, 0x6b25aa84, 0x689e9d6f, 0x56f55f80, 0x2fee8362,\n 0x1185418d, 0x123e7666, 0x2c55b489, 0x498f115f, 0x77e4d3b0,\n 0x745fe45b, 0x4a3426b4, 0x332ffa56, 0x0d4438b9, 0x0eff0f52,\n 0x3094cdbd, 0xbdcfc64c, 0x83a404a3, 0x801f3348, 0xbe74f1a7,\n 0xc76f2d45, 0xf904efaa, 0xfabfd841, 0xc4d41aae, 0x710de237,\n 0x4f6620d8, 0x4cdd1733, 0x72b6d5dc, 0x0bad093e, 0x35c6cbd1,\n 0x367dfc3a, 0x08163ed5, 0x854d3524, 0xbb26f7cb, 0xb89dc020,\n 0x86f602cf, 0xffedde2d, 0xc1861cc2, 0xc23d2b29, 0xfc56e9c6,\n 0x998c4c10, 0xa7e78eff, 0xa45cb914, 0x9a377bfb, 0xe32ca719,\n 0xdd4765f6, 0xdefc521d, 0xe09790f2, 0x6dcc9b03, 0x53a759ec,\n 0x501c6e07, 0x6e77ace8, 0x176c700a, 0x2907b2e5, 0x2abc850e,\n 0x14d747e1},\n {0x00000000, 0xc0df8ec1, 0xc1b96c58, 0x0166e299, 0x8273d9b0,\n 0x42ac5771, 0x43cab5e8, 0x83153b29, 0x45e1c3ba, 0x853e4d7b,\n 0x8458afe2, 0x44872123, 0xc7921a0a, 0x074d94cb, 0x062b7652,\n 0xc6f4f893, 0xcbc4f6ae, 0x0b1b786f, 0x0a7d9af6, 0xcaa21437,\n 0x49b72f1e, 0x8968a1df, 0x880e4346, 0x48d1cd87, 0x8e253514,\n 0x4efabbd5, 0x4f9c594c, 0x8f43d78d, 0x0c56eca4, 0xcc896265,\n 0xcdef80fc, 0x0d300e3d, 0xd78f9c86, 0x17501247, 0x1636f0de,\n 0xd6e97e1f, 0x55fc4536, 0x9523cbf7, 0x9445296e, 0x549aa7af,\n 0x926e5f3c, 0x52b1d1fd, 0x53d73364, 0x9308bda5, 0x101d868c,\n 0xd0c2084d, 0xd1a4ead4, 0x117b6415, 0x1c4b6a28, 0xdc94e4e9,\n 0xddf20670, 0x1d2d88b1, 0x9e38b398, 0x5ee73d59, 0x5f81dfc0,\n 0x9f5e5101, 0x59aaa992, 0x99752753, 0x9813c5ca, 0x58cc4b0b,\n 0xdbd97022, 0x1b06fee3, 0x1a601c7a, 0xdabf92bb, 0xef1948d6,\n 0x2fc6c617, 0x2ea0248e, 0xee7faa4f, 0x6d6a9166, 0xadb51fa7,\n 0xacd3fd3e, 0x6c0c73ff, 0xaaf88b6c, 0x6a2705ad, 0x6b41e734,\n 0xab9e69f5, 0x288b52dc, 0xe854dc1d, 0xe9323e84, 0x29edb045,\n 0x24ddbe78, 0xe40230b9, 0xe564d220, 0x25bb5ce1, 0xa6ae67c8,\n 0x6671e909, 0x67170b90, 0xa7c88551, 0x613c7dc2, 0xa1e3f303,\n 0xa085119a, 0x605a9f5b, 0xe34fa472, 0x23902ab3, 0x22f6c82a,\n 0xe22946eb, 0x3896d450, 0xf8495a91, 0xf92fb808, 0x39f036c9,\n 0xbae50de0, 0x7a3a8321, 0x7b5c61b8, 0xbb83ef79, 0x7d7717ea,\n 0xbda8992b, 0xbcce7bb2, 0x7c11f573, 0xff04ce5a, 0x3fdb409b,\n 0x3ebda202, 0xfe622cc3, 0xf35222fe, 0x338dac3f, 0x32eb4ea6,\n 0xf234c067, 0x7121fb4e, 0xb1fe758f, 0xb0989716, 0x704719d7,\n 0xb6b3e144, 0x766c6f85, 0x770a8d1c, 0xb7d503dd, 0x34c038f4,\n 0xf41fb635, 0xf57954ac, 0x35a6da6d, 0x9f35e177, 0x5fea6fb6,\n 0x5e8c8d2f, 0x9e5303ee, 0x1d4638c7, 0xdd99b606, 0xdcff549f,\n 0x1c20da5e, 0xdad422cd, 0x1a0bac0c, 0x1b6d4e95, 0xdbb2c054,\n 0x58a7fb7d, 0x987875bc, 0x991e9725, 0x59c119e4, 0x54f117d9,\n 0x942e9918, 0x95487b81, 0x5597f540, 0xd682ce69, 0x165d40a8,\n 0x173ba231, 0xd7e42cf0, 0x1110d463, 0xd1cf5aa2, 0xd0a9b83b,\n 0x107636fa, 0x93630dd3, 0x53bc8312, 0x52da618b, 0x9205ef4a,\n 0x48ba7df1, 0x8865f330, 0x890311a9, 0x49dc9f68, 0xcac9a441,\n 0x0a162a80, 0x0b70c819, 0xcbaf46d8, 0x0d5bbe4b, 0xcd84308a,\n 0xcce2d213, 0x0c3d5cd2, 0x8f2867fb, 0x4ff7e93a, 0x4e910ba3,\n 0x8e4e8562, 0x837e8b5f, 0x43a1059e, 0x42c7e707, 0x821869c6,\n 0x010d52ef, 0xc1d2dc2e, 0xc0b43eb7, 0x006bb076, 0xc69f48e5,\n 0x0640c624, 0x072624bd, 0xc7f9aa7c, 0x44ec9155, 0x84331f94,\n 0x8555fd0d, 0x458a73cc, 0x702ca9a1, 0xb0f32760, 0xb195c5f9,\n 0x714a4b38, 0xf25f7011, 0x3280fed0, 0x33e61c49, 0xf3399288,\n 0x35cd6a1b, 0xf512e4da, 0xf4740643, 0x34ab8882, 0xb7beb3ab,\n 0x77613d6a, 0x7607dff3, 0xb6d85132, 0xbbe85f0f, 0x7b37d1ce,\n 0x7a513357, 0xba8ebd96, 0x399b86bf, 0xf944087e, 0xf822eae7,\n 0x38fd6426, 0xfe099cb5, 0x3ed61274, 0x3fb0f0ed, 0xff6f7e2c,\n 0x7c7a4505, 0xbca5cbc4, 0xbdc3295d, 0x7d1ca79c, 0xa7a33527,\n 0x677cbbe6, 0x661a597f, 0xa6c5d7be, 0x25d0ec97, 0xe50f6256,\n 0xe46980cf, 0x24b60e0e, 0xe242f69d, 0x229d785c, 0x23fb9ac5,\n 0xe3241404, 0x60312f2d, 0xa0eea1ec, 0xa1884375, 0x6157cdb4,\n 0x6c67c389, 0xacb84d48, 0xaddeafd1, 0x6d012110, 0xee141a39,\n 0x2ecb94f8, 0x2fad7661, 0xef72f8a0, 0x29860033, 0xe9598ef2,\n 0xe83f6c6b, 0x28e0e2aa, 0xabf5d983, 0x6b2a5742, 0x6a4cb5db,\n 0xaa933b1a},\n {0x00000000, 0x6f4ca59b, 0x9f9e3bec, 0xf0d29e77, 0x7f3b0603,\n 0x1077a398, 0xe0a53def, 0x8fe99874, 0xfe760c06, 0x913aa99d,\n 0x61e837ea, 0x0ea49271, 0x814d0a05, 0xee01af9e, 0x1ed331e9,\n 0x719f9472, 0xfced180c, 0x93a1bd97, 0x637323e0, 0x0c3f867b,\n 0x83d61e0f, 0xec9abb94, 0x1c4825e3, 0x73048078, 0x029b140a,\n 0x6dd7b191, 0x9d052fe6, 0xf2498a7d, 0x7da01209, 0x12ecb792,\n 0xe23e29e5, 0x8d728c7e, 0xf8db3118, 0x97979483, 0x67450af4,\n 0x0809af6f, 0x87e0371b, 0xe8ac9280, 0x187e0cf7, 0x7732a96c,\n 0x06ad3d1e, 0x69e19885, 0x993306f2, 0xf67fa369, 0x79963b1d,\n 0x16da9e86, 0xe60800f1, 0x8944a56a, 0x04362914, 0x6b7a8c8f,\n 0x9ba812f8, 0xf4e4b763, 0x7b0d2f17, 0x14418a8c, 0xe49314fb,\n 0x8bdfb160, 0xfa402512, 0x950c8089, 0x65de1efe, 0x0a92bb65,\n 0x857b2311, 0xea37868a, 0x1ae518fd, 0x75a9bd66, 0xf0b76330,\n 0x9ffbc6ab, 0x6f2958dc, 0x0065fd47, 0x8f8c6533, 0xe0c0c0a8,\n 0x10125edf, 0x7f5efb44, 0x0ec16f36, 0x618dcaad, 0x915f54da,\n 0xfe13f141, 0x71fa6935, 0x1eb6ccae, 0xee6452d9, 0x8128f742,\n 0x0c5a7b3c, 0x6316dea7, 0x93c440d0, 0xfc88e54b, 0x73617d3f,\n 0x1c2dd8a4, 0xecff46d3, 0x83b3e348, 0xf22c773a, 0x9d60d2a1,\n 0x6db24cd6, 0x02fee94d, 0x8d177139, 0xe25bd4a2, 0x12894ad5,\n 0x7dc5ef4e, 0x086c5228, 0x6720f7b3, 0x97f269c4, 0xf8becc5f,\n 0x7757542b, 0x181bf1b0, 0xe8c96fc7, 0x8785ca5c, 0xf61a5e2e,\n 0x9956fbb5, 0x698465c2, 0x06c8c059, 0x8921582d, 0xe66dfdb6,\n 0x16bf63c1, 0x79f3c65a, 0xf4814a24, 0x9bcdefbf, 0x6b1f71c8,\n 0x0453d453, 0x8bba4c27, 0xe4f6e9bc, 0x142477cb, 0x7b68d250,\n 0x0af74622, 0x65bbe3b9, 0x95697dce, 0xfa25d855, 0x75cc4021,\n 0x1a80e5ba, 0xea527bcd, 0x851ede56, 0xe06fc760, 0x8f2362fb,\n 0x7ff1fc8c, 0x10bd5917, 0x9f54c163, 0xf01864f8, 0x00cafa8f,\n 0x6f865f14, 0x1e19cb66, 0x71556efd, 0x8187f08a, 0xeecb5511,\n 0x6122cd65, 0x0e6e68fe, 0xfebcf689, 0x91f05312, 0x1c82df6c,\n 0x73ce7af7, 0x831ce480, 0xec50411b, 0x63b9d96f, 0x0cf57cf4,\n 0xfc27e283, 0x936b4718, 0xe2f4d36a, 0x8db876f1, 0x7d6ae886,\n 0x12264d1d, 0x9dcfd569, 0xf28370f2, 0x0251ee85, 0x6d1d4b1e,\n 0x18b4f678, 0x77f853e3, 0x872acd94, 0xe866680f, 0x678ff07b,\n 0x08c355e0, 0xf811cb97, 0x975d6e0c, 0xe6c2fa7e, 0x898e5fe5,\n 0x795cc192, 0x16106409, 0x99f9fc7d, 0xf6b559e6, 0x0667c791,\n 0x692b620a, 0xe459ee74, 0x8b154bef, 0x7bc7d598, 0x148b7003,\n 0x9b62e877, 0xf42e4dec, 0x04fcd39b, 0x6bb07600, 0x1a2fe272,\n 0x756347e9, 0x85b1d99e, 0xeafd7c05, 0x6514e471, 0x0a5841ea,\n 0xfa8adf9d, 0x95c67a06, 0x10d8a450, 0x7f9401cb, 0x8f469fbc,\n 0xe00a3a27, 0x6fe3a253, 0x00af07c8, 0xf07d99bf, 0x9f313c24,\n 0xeeaea856, 0x81e20dcd, 0x713093ba, 0x1e7c3621, 0x9195ae55,\n 0xfed90bce, 0x0e0b95b9, 0x61473022, 0xec35bc5c, 0x837919c7,\n 0x73ab87b0, 0x1ce7222b, 0x930eba5f, 0xfc421fc4, 0x0c9081b3,\n 0x63dc2428, 0x1243b05a, 0x7d0f15c1, 0x8ddd8bb6, 0xe2912e2d,\n 0x6d78b659, 0x023413c2, 0xf2e68db5, 0x9daa282e, 0xe8039548,\n 0x874f30d3, 0x779daea4, 0x18d10b3f, 0x9738934b, 0xf87436d0,\n 0x08a6a8a7, 0x67ea0d3c, 0x1675994e, 0x79393cd5, 0x89eba2a2,\n 0xe6a70739, 0x694e9f4d, 0x06023ad6, 0xf6d0a4a1, 0x999c013a,\n 0x14ee8d44, 0x7ba228df, 0x8b70b6a8, 0xe43c1333, 0x6bd58b47,\n 0x04992edc, 0xf44bb0ab, 0x9b071530, 0xea988142, 0x85d424d9,\n 0x7506baae, 0x1a4a1f35, 0x95a38741, 0xfaef22da, 0x0a3dbcad,\n 0x65711936}};\n\n#endif\n\n#endif\n\n#if N == 4\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xf1da05aa, 0x38c50d15, 0xc91f08bf, 0x718a1a2a,\n 0x80501f80, 0x494f173f, 0xb8951295, 0xe3143454, 0x12ce31fe,\n 0xdbd13941, 0x2a0b3ceb, 0x929e2e7e, 0x63442bd4, 0xaa5b236b,\n 0x5b8126c1, 0x1d596ee9, 0xec836b43, 0x259c63fc, 0xd4466656,\n 0x6cd374c3, 0x9d097169, 0x541679d6, 0xa5cc7c7c, 0xfe4d5abd,\n 0x0f975f17, 0xc68857a8, 0x37525202, 0x8fc74097, 0x7e1d453d,\n 0xb7024d82, 0x46d84828, 0x3ab2ddd2, 0xcb68d878, 0x0277d0c7,\n 0xf3add56d, 0x4b38c7f8, 0xbae2c252, 0x73fdcaed, 0x8227cf47,\n 0xd9a6e986, 0x287cec2c, 0xe163e493, 0x10b9e139, 0xa82cf3ac,\n 0x59f6f606, 0x90e9feb9, 0x6133fb13, 0x27ebb33b, 0xd631b691,\n 0x1f2ebe2e, 0xeef4bb84, 0x5661a911, 0xa7bbacbb, 0x6ea4a404,\n 0x9f7ea1ae, 0xc4ff876f, 0x352582c5, 0xfc3a8a7a, 0x0de08fd0,\n 0xb5759d45, 0x44af98ef, 0x8db09050, 0x7c6a95fa, 0x7565bba4,\n 0x84bfbe0e, 0x4da0b6b1, 0xbc7ab31b, 0x04efa18e, 0xf535a424,\n 0x3c2aac9b, 0xcdf0a931, 0x96718ff0, 0x67ab8a5a, 0xaeb482e5,\n 0x5f6e874f, 0xe7fb95da, 0x16219070, 0xdf3e98cf, 0x2ee49d65,\n 0x683cd54d, 0x99e6d0e7, 0x50f9d858, 0xa123ddf2, 0x19b6cf67,\n 0xe86ccacd, 0x2173c272, 0xd0a9c7d8, 0x8b28e119, 0x7af2e4b3,\n 0xb3edec0c, 0x4237e9a6, 0xfaa2fb33, 0x0b78fe99, 0xc267f626,\n 0x33bdf38c, 0x4fd76676, 0xbe0d63dc, 0x77126b63, 0x86c86ec9,\n 0x3e5d7c5c, 0xcf8779f6, 0x06987149, 0xf74274e3, 0xacc35222,\n 0x5d195788, 0x94065f37, 0x65dc5a9d, 0xdd494808, 0x2c934da2,\n 0xe58c451d, 0x145640b7, 0x528e089f, 0xa3540d35, 0x6a4b058a,\n 0x9b910020, 0x230412b5, 0xd2de171f, 0x1bc11fa0, 0xea1b1a0a,\n 0xb19a3ccb, 0x40403961, 0x895f31de, 0x78853474, 0xc01026e1,\n 0x31ca234b, 0xf8d52bf4, 0x090f2e5e, 0xeacb7748, 0x1b1172e2,\n 0xd20e7a5d, 0x23d47ff7, 0x9b416d62, 0x6a9b68c8, 0xa3846077,\n 0x525e65dd, 0x09df431c, 0xf80546b6, 0x311a4e09, 0xc0c04ba3,\n 0x78555936, 0x898f5c9c, 0x40905423, 0xb14a5189, 0xf79219a1,\n 0x06481c0b, 0xcf5714b4, 0x3e8d111e, 0x8618038b, 0x77c20621,\n 0xbedd0e9e, 0x4f070b34, 0x14862df5, 0xe55c285f, 0x2c4320e0,\n 0xdd99254a, 0x650c37df, 0x94d63275, 0x5dc93aca, 0xac133f60,\n 0xd079aa9a, 0x21a3af30, 0xe8bca78f, 0x1966a225, 0xa1f3b0b0,\n 0x5029b51a, 0x9936bda5, 0x68ecb80f, 0x336d9ece, 0xc2b79b64,\n 0x0ba893db, 0xfa729671, 0x42e784e4, 0xb33d814e, 0x7a2289f1,\n 0x8bf88c5b, 0xcd20c473, 0x3cfac1d9, 0xf5e5c966, 0x043fcccc,\n 0xbcaade59, 0x4d70dbf3, 0x846fd34c, 0x75b5d6e6, 0x2e34f027,\n 0xdfeef58d, 0x16f1fd32, 0xe72bf898, 0x5fbeea0d, 0xae64efa7,\n 0x677be718, 0x96a1e2b2, 0x9faeccec, 0x6e74c946, 0xa76bc1f9,\n 0x56b1c453, 0xee24d6c6, 0x1ffed36c, 0xd6e1dbd3, 0x273bde79,\n 0x7cbaf8b8, 0x8d60fd12, 0x447ff5ad, 0xb5a5f007, 0x0d30e292,\n 0xfceae738, 0x35f5ef87, 0xc42fea2d, 0x82f7a205, 0x732da7af,\n 0xba32af10, 0x4be8aaba, 0xf37db82f, 0x02a7bd85, 0xcbb8b53a,\n 0x3a62b090, 0x61e39651, 0x903993fb, 0x59269b44, 0xa8fc9eee,\n 0x10698c7b, 0xe1b389d1, 0x28ac816e, 0xd97684c4, 0xa51c113e,\n 0x54c61494, 0x9dd91c2b, 0x6c031981, 0xd4960b14, 0x254c0ebe,\n 0xec530601, 0x1d8903ab, 0x4608256a, 0xb7d220c0, 0x7ecd287f,\n 0x8f172dd5, 0x37823f40, 0xc6583aea, 0x0f473255, 0xfe9d37ff,\n 0xb8457fd7, 0x499f7a7d, 0x808072c2, 0x715a7768, 0xc9cf65fd,\n 0x38156057, 0xf10a68e8, 0x00d06d42, 0x5b514b83, 0xaa8b4e29,\n 0x63944696, 0x924e433c, 0x2adb51a9, 0xdb015403, 0x121e5cbc,\n 0xe3c45916},\n {0x00000000, 0x0ee7e8d1, 0x1dcfd1a2, 0x13283973, 0x3b9fa344,\n 0x35784b95, 0x265072e6, 0x28b79a37, 0x773f4688, 0x79d8ae59,\n 0x6af0972a, 0x64177ffb, 0x4ca0e5cc, 0x42470d1d, 0x516f346e,\n 0x5f88dcbf, 0xee7e8d10, 0xe09965c1, 0xf3b15cb2, 0xfd56b463,\n 0xd5e12e54, 0xdb06c685, 0xc82efff6, 0xc6c91727, 0x9941cb98,\n 0x97a62349, 0x848e1a3a, 0x8a69f2eb, 0xa2de68dc, 0xac39800d,\n 0xbf11b97e, 0xb1f651af, 0x078c1c61, 0x096bf4b0, 0x1a43cdc3,\n 0x14a42512, 0x3c13bf25, 0x32f457f4, 0x21dc6e87, 0x2f3b8656,\n 0x70b35ae9, 0x7e54b238, 0x6d7c8b4b, 0x639b639a, 0x4b2cf9ad,\n 0x45cb117c, 0x56e3280f, 0x5804c0de, 0xe9f29171, 0xe71579a0,\n 0xf43d40d3, 0xfadaa802, 0xd26d3235, 0xdc8adae4, 0xcfa2e397,\n 0xc1450b46, 0x9ecdd7f9, 0x902a3f28, 0x8302065b, 0x8de5ee8a,\n 0xa55274bd, 0xabb59c6c, 0xb89da51f, 0xb67a4dce, 0x0f1838c2,\n 0x01ffd013, 0x12d7e960, 0x1c3001b1, 0x34879b86, 0x3a607357,\n 0x29484a24, 0x27afa2f5, 0x78277e4a, 0x76c0969b, 0x65e8afe8,\n 0x6b0f4739, 0x43b8dd0e, 0x4d5f35df, 0x5e770cac, 0x5090e47d,\n 0xe166b5d2, 0xef815d03, 0xfca96470, 0xf24e8ca1, 0xdaf91696,\n 0xd41efe47, 0xc736c734, 0xc9d12fe5, 0x9659f35a, 0x98be1b8b,\n 0x8b9622f8, 0x8571ca29, 0xadc6501e, 0xa321b8cf, 0xb00981bc,\n 0xbeee696d, 0x089424a3, 0x0673cc72, 0x155bf501, 0x1bbc1dd0,\n 0x330b87e7, 0x3dec6f36, 0x2ec45645, 0x2023be94, 0x7fab622b,\n 0x714c8afa, 0x6264b389, 0x6c835b58, 0x4434c16f, 0x4ad329be,\n 0x59fb10cd, 0x571cf81c, 0xe6eaa9b3, 0xe80d4162, 0xfb257811,\n 0xf5c290c0, 0xdd750af7, 0xd392e226, 0xc0badb55, 0xce5d3384,\n 0x91d5ef3b, 0x9f3207ea, 0x8c1a3e99, 0x82fdd648, 0xaa4a4c7f,\n 0xa4ada4ae, 0xb7859ddd, 0xb962750c, 0x1e307184, 0x10d79955,\n 0x03ffa026, 0x0d1848f7, 0x25afd2c0, 0x2b483a11, 0x38600362,\n 0x3687ebb3, 0x690f370c, 0x67e8dfdd, 0x74c0e6ae, 0x7a270e7f,\n 0x52909448, 0x5c777c99, 0x4f5f45ea, 0x41b8ad3b, 0xf04efc94,\n 0xfea91445, 0xed812d36, 0xe366c5e7, 0xcbd15fd0, 0xc536b701,\n 0xd61e8e72, 0xd8f966a3, 0x8771ba1c, 0x899652cd, 0x9abe6bbe,\n 0x9459836f, 0xbcee1958, 0xb209f189, 0xa121c8fa, 0xafc6202b,\n 0x19bc6de5, 0x175b8534, 0x0473bc47, 0x0a945496, 0x2223cea1,\n 0x2cc42670, 0x3fec1f03, 0x310bf7d2, 0x6e832b6d, 0x6064c3bc,\n 0x734cfacf, 0x7dab121e, 0x551c8829, 0x5bfb60f8, 0x48d3598b,\n 0x4634b15a, 0xf7c2e0f5, 0xf9250824, 0xea0d3157, 0xe4ead986,\n 0xcc5d43b1, 0xc2baab60, 0xd1929213, 0xdf757ac2, 0x80fda67d,\n 0x8e1a4eac, 0x9d3277df, 0x93d59f0e, 0xbb620539, 0xb585ede8,\n 0xa6add49b, 0xa84a3c4a, 0x11284946, 0x1fcfa197, 0x0ce798e4,\n 0x02007035, 0x2ab7ea02, 0x245002d3, 0x37783ba0, 0x399fd371,\n 0x66170fce, 0x68f0e71f, 0x7bd8de6c, 0x753f36bd, 0x5d88ac8a,\n 0x536f445b, 0x40477d28, 0x4ea095f9, 0xff56c456, 0xf1b12c87,\n 0xe29915f4, 0xec7efd25, 0xc4c96712, 0xca2e8fc3, 0xd906b6b0,\n 0xd7e15e61, 0x886982de, 0x868e6a0f, 0x95a6537c, 0x9b41bbad,\n 0xb3f6219a, 0xbd11c94b, 0xae39f038, 0xa0de18e9, 0x16a45527,\n 0x1843bdf6, 0x0b6b8485, 0x058c6c54, 0x2d3bf663, 0x23dc1eb2,\n 0x30f427c1, 0x3e13cf10, 0x619b13af, 0x6f7cfb7e, 0x7c54c20d,\n 0x72b32adc, 0x5a04b0eb, 0x54e3583a, 0x47cb6149, 0x492c8998,\n 0xf8dad837, 0xf63d30e6, 0xe5150995, 0xebf2e144, 0xc3457b73,\n 0xcda293a2, 0xde8aaad1, 0xd06d4200, 0x8fe59ebf, 0x8102766e,\n 0x922a4f1d, 0x9ccda7cc, 0xb47a3dfb, 0xba9dd52a, 0xa9b5ec59,\n 0xa7520488},\n {0x00000000, 0x3c60e308, 0x78c1c610, 0x44a12518, 0xf1838c20,\n 0xcde36f28, 0x89424a30, 0xb522a938, 0x38761e01, 0x0416fd09,\n 0x40b7d811, 0x7cd73b19, 0xc9f59221, 0xf5957129, 0xb1345431,\n 0x8d54b739, 0x70ec3c02, 0x4c8cdf0a, 0x082dfa12, 0x344d191a,\n 0x816fb022, 0xbd0f532a, 0xf9ae7632, 0xc5ce953a, 0x489a2203,\n 0x74fac10b, 0x305be413, 0x0c3b071b, 0xb919ae23, 0x85794d2b,\n 0xc1d86833, 0xfdb88b3b, 0xe1d87804, 0xddb89b0c, 0x9919be14,\n 0xa5795d1c, 0x105bf424, 0x2c3b172c, 0x689a3234, 0x54fad13c,\n 0xd9ae6605, 0xe5ce850d, 0xa16fa015, 0x9d0f431d, 0x282dea25,\n 0x144d092d, 0x50ec2c35, 0x6c8ccf3d, 0x91344406, 0xad54a70e,\n 0xe9f58216, 0xd595611e, 0x60b7c826, 0x5cd72b2e, 0x18760e36,\n 0x2416ed3e, 0xa9425a07, 0x9522b90f, 0xd1839c17, 0xede37f1f,\n 0x58c1d627, 0x64a1352f, 0x20001037, 0x1c60f33f, 0x18c1f649,\n 0x24a11541, 0x60003059, 0x5c60d351, 0xe9427a69, 0xd5229961,\n 0x9183bc79, 0xade35f71, 0x20b7e848, 0x1cd70b40, 0x58762e58,\n 0x6416cd50, 0xd1346468, 0xed548760, 0xa9f5a278, 0x95954170,\n 0x682dca4b, 0x544d2943, 0x10ec0c5b, 0x2c8cef53, 0x99ae466b,\n 0xa5cea563, 0xe16f807b, 0xdd0f6373, 0x505bd44a, 0x6c3b3742,\n 0x289a125a, 0x14faf152, 0xa1d8586a, 0x9db8bb62, 0xd9199e7a,\n 0xe5797d72, 0xf9198e4d, 0xc5796d45, 0x81d8485d, 0xbdb8ab55,\n 0x089a026d, 0x34fae165, 0x705bc47d, 0x4c3b2775, 0xc16f904c,\n 0xfd0f7344, 0xb9ae565c, 0x85ceb554, 0x30ec1c6c, 0x0c8cff64,\n 0x482dda7c, 0x744d3974, 0x89f5b24f, 0xb5955147, 0xf134745f,\n 0xcd549757, 0x78763e6f, 0x4416dd67, 0x00b7f87f, 0x3cd71b77,\n 0xb183ac4e, 0x8de34f46, 0xc9426a5e, 0xf5228956, 0x4000206e,\n 0x7c60c366, 0x38c1e67e, 0x04a10576, 0x3183ec92, 0x0de30f9a,\n 0x49422a82, 0x7522c98a, 0xc00060b2, 0xfc6083ba, 0xb8c1a6a2,\n 0x84a145aa, 0x09f5f293, 0x3595119b, 0x71343483, 0x4d54d78b,\n 0xf8767eb3, 0xc4169dbb, 0x80b7b8a3, 0xbcd75bab, 0x416fd090,\n 0x7d0f3398, 0x39ae1680, 0x05cef588, 0xb0ec5cb0, 0x8c8cbfb8,\n 0xc82d9aa0, 0xf44d79a8, 0x7919ce91, 0x45792d99, 0x01d80881,\n 0x3db8eb89, 0x889a42b1, 0xb4faa1b9, 0xf05b84a1, 0xcc3b67a9,\n 0xd05b9496, 0xec3b779e, 0xa89a5286, 0x94fab18e, 0x21d818b6,\n 0x1db8fbbe, 0x5919dea6, 0x65793dae, 0xe82d8a97, 0xd44d699f,\n 0x90ec4c87, 0xac8caf8f, 0x19ae06b7, 0x25cee5bf, 0x616fc0a7,\n 0x5d0f23af, 0xa0b7a894, 0x9cd74b9c, 0xd8766e84, 0xe4168d8c,\n 0x513424b4, 0x6d54c7bc, 0x29f5e2a4, 0x159501ac, 0x98c1b695,\n 0xa4a1559d, 0xe0007085, 0xdc60938d, 0x69423ab5, 0x5522d9bd,\n 0x1183fca5, 0x2de31fad, 0x29421adb, 0x1522f9d3, 0x5183dccb,\n 0x6de33fc3, 0xd8c196fb, 0xe4a175f3, 0xa00050eb, 0x9c60b3e3,\n 0x113404da, 0x2d54e7d2, 0x69f5c2ca, 0x559521c2, 0xe0b788fa,\n 0xdcd76bf2, 0x98764eea, 0xa416ade2, 0x59ae26d9, 0x65cec5d1,\n 0x216fe0c9, 0x1d0f03c1, 0xa82daaf9, 0x944d49f1, 0xd0ec6ce9,\n 0xec8c8fe1, 0x61d838d8, 0x5db8dbd0, 0x1919fec8, 0x25791dc0,\n 0x905bb4f8, 0xac3b57f0, 0xe89a72e8, 0xd4fa91e0, 0xc89a62df,\n 0xf4fa81d7, 0xb05ba4cf, 0x8c3b47c7, 0x3919eeff, 0x05790df7,\n 0x41d828ef, 0x7db8cbe7, 0xf0ec7cde, 0xcc8c9fd6, 0x882dbace,\n 0xb44d59c6, 0x016ff0fe, 0x3d0f13f6, 0x79ae36ee, 0x45ced5e6,\n 0xb8765edd, 0x8416bdd5, 0xc0b798cd, 0xfcd77bc5, 0x49f5d2fd,\n 0x759531f5, 0x313414ed, 0x0d54f7e5, 0x800040dc, 0xbc60a3d4,\n 0xf8c186cc, 0xc4a165c4, 0x7183ccfc, 0x4de32ff4, 0x09420aec,\n 0x3522e9e4},\n {0x00000000, 0x6307d924, 0xc60fb248, 0xa5086b6c, 0x576e62d1,\n 0x3469bbf5, 0x9161d099, 0xf26609bd, 0xaedcc5a2, 0xcddb1c86,\n 0x68d377ea, 0x0bd4aece, 0xf9b2a773, 0x9ab57e57, 0x3fbd153b,\n 0x5cbacc1f, 0x86c88d05, 0xe5cf5421, 0x40c73f4d, 0x23c0e669,\n 0xd1a6efd4, 0xb2a136f0, 0x17a95d9c, 0x74ae84b8, 0x281448a7,\n 0x4b139183, 0xee1bfaef, 0x8d1c23cb, 0x7f7a2a76, 0x1c7df352,\n 0xb975983e, 0xda72411a, 0xd6e01c4b, 0xb5e7c56f, 0x10efae03,\n 0x73e87727, 0x818e7e9a, 0xe289a7be, 0x4781ccd2, 0x248615f6,\n 0x783cd9e9, 0x1b3b00cd, 0xbe336ba1, 0xdd34b285, 0x2f52bb38,\n 0x4c55621c, 0xe95d0970, 0x8a5ad054, 0x5028914e, 0x332f486a,\n 0x96272306, 0xf520fa22, 0x0746f39f, 0x64412abb, 0xc14941d7,\n 0xa24e98f3, 0xfef454ec, 0x9df38dc8, 0x38fbe6a4, 0x5bfc3f80,\n 0xa99a363d, 0xca9def19, 0x6f958475, 0x0c925d51, 0x76b13ed7,\n 0x15b6e7f3, 0xb0be8c9f, 0xd3b955bb, 0x21df5c06, 0x42d88522,\n 0xe7d0ee4e, 0x84d7376a, 0xd86dfb75, 0xbb6a2251, 0x1e62493d,\n 0x7d659019, 0x8f0399a4, 0xec044080, 0x490c2bec, 0x2a0bf2c8,\n 0xf079b3d2, 0x937e6af6, 0x3676019a, 0x5571d8be, 0xa717d103,\n 0xc4100827, 0x6118634b, 0x021fba6f, 0x5ea57670, 0x3da2af54,\n 0x98aac438, 0xfbad1d1c, 0x09cb14a1, 0x6acccd85, 0xcfc4a6e9,\n 0xacc37fcd, 0xa051229c, 0xc356fbb8, 0x665e90d4, 0x055949f0,\n 0xf73f404d, 0x94389969, 0x3130f205, 0x52372b21, 0x0e8de73e,\n 0x6d8a3e1a, 0xc8825576, 0xab858c52, 0x59e385ef, 0x3ae45ccb,\n 0x9fec37a7, 0xfcebee83, 0x2699af99, 0x459e76bd, 0xe0961dd1,\n 0x8391c4f5, 0x71f7cd48, 0x12f0146c, 0xb7f87f00, 0xd4ffa624,\n 0x88456a3b, 0xeb42b31f, 0x4e4ad873, 0x2d4d0157, 0xdf2b08ea,\n 0xbc2cd1ce, 0x1924baa2, 0x7a236386, 0xed627dae, 0x8e65a48a,\n 0x2b6dcfe6, 0x486a16c2, 0xba0c1f7f, 0xd90bc65b, 0x7c03ad37,\n 0x1f047413, 0x43beb80c, 0x20b96128, 0x85b10a44, 0xe6b6d360,\n 0x14d0dadd, 0x77d703f9, 0xd2df6895, 0xb1d8b1b1, 0x6baaf0ab,\n 0x08ad298f, 0xada542e3, 0xcea29bc7, 0x3cc4927a, 0x5fc34b5e,\n 0xfacb2032, 0x99ccf916, 0xc5763509, 0xa671ec2d, 0x03798741,\n 0x607e5e65, 0x921857d8, 0xf11f8efc, 0x5417e590, 0x37103cb4,\n 0x3b8261e5, 0x5885b8c1, 0xfd8dd3ad, 0x9e8a0a89, 0x6cec0334,\n 0x0febda10, 0xaae3b17c, 0xc9e46858, 0x955ea447, 0xf6597d63,\n 0x5351160f, 0x3056cf2b, 0xc230c696, 0xa1371fb2, 0x043f74de,\n 0x6738adfa, 0xbd4aece0, 0xde4d35c4, 0x7b455ea8, 0x1842878c,\n 0xea248e31, 0x89235715, 0x2c2b3c79, 0x4f2ce55d, 0x13962942,\n 0x7091f066, 0xd5999b0a, 0xb69e422e, 0x44f84b93, 0x27ff92b7,\n 0x82f7f9db, 0xe1f020ff, 0x9bd34379, 0xf8d49a5d, 0x5ddcf131,\n 0x3edb2815, 0xccbd21a8, 0xafbaf88c, 0x0ab293e0, 0x69b54ac4,\n 0x350f86db, 0x56085fff, 0xf3003493, 0x9007edb7, 0x6261e40a,\n 0x01663d2e, 0xa46e5642, 0xc7698f66, 0x1d1bce7c, 0x7e1c1758,\n 0xdb147c34, 0xb813a510, 0x4a75acad, 0x29727589, 0x8c7a1ee5,\n 0xef7dc7c1, 0xb3c70bde, 0xd0c0d2fa, 0x75c8b996, 0x16cf60b2,\n 0xe4a9690f, 0x87aeb02b, 0x22a6db47, 0x41a10263, 0x4d335f32,\n 0x2e348616, 0x8b3ced7a, 0xe83b345e, 0x1a5d3de3, 0x795ae4c7,\n 0xdc528fab, 0xbf55568f, 0xe3ef9a90, 0x80e843b4, 0x25e028d8,\n 0x46e7f1fc, 0xb481f841, 0xd7862165, 0x728e4a09, 0x1189932d,\n 0xcbfbd237, 0xa8fc0b13, 0x0df4607f, 0x6ef3b95b, 0x9c95b0e6,\n 0xff9269c2, 0x5a9a02ae, 0x399ddb8a, 0x65271795, 0x0620ceb1,\n 0xa328a5dd, 0xc02f7cf9, 0x32497544, 0x514eac60, 0xf446c70c,\n 0x97411e28},\n {0x00000000, 0x01b5fd1d, 0x036bfa3a, 0x02de0727, 0x06d7f474,\n 0x07620969, 0x05bc0e4e, 0x0409f353, 0x0dafe8e8, 0x0c1a15f5,\n 0x0ec412d2, 0x0f71efcf, 0x0b781c9c, 0x0acde181, 0x0813e6a6,\n 0x09a61bbb, 0x1b5fd1d0, 0x1aea2ccd, 0x18342bea, 0x1981d6f7,\n 0x1d8825a4, 0x1c3dd8b9, 0x1ee3df9e, 0x1f562283, 0x16f03938,\n 0x1745c425, 0x159bc302, 0x142e3e1f, 0x1027cd4c, 0x11923051,\n 0x134c3776, 0x12f9ca6b, 0x36bfa3a0, 0x370a5ebd, 0x35d4599a,\n 0x3461a487, 0x306857d4, 0x31ddaac9, 0x3303adee, 0x32b650f3,\n 0x3b104b48, 0x3aa5b655, 0x387bb172, 0x39ce4c6f, 0x3dc7bf3c,\n 0x3c724221, 0x3eac4506, 0x3f19b81b, 0x2de07270, 0x2c558f6d,\n 0x2e8b884a, 0x2f3e7557, 0x2b378604, 0x2a827b19, 0x285c7c3e,\n 0x29e98123, 0x204f9a98, 0x21fa6785, 0x232460a2, 0x22919dbf,\n 0x26986eec, 0x272d93f1, 0x25f394d6, 0x244669cb, 0x6d7f4740,\n 0x6ccaba5d, 0x6e14bd7a, 0x6fa14067, 0x6ba8b334, 0x6a1d4e29,\n 0x68c3490e, 0x6976b413, 0x60d0afa8, 0x616552b5, 0x63bb5592,\n 0x620ea88f, 0x66075bdc, 0x67b2a6c1, 0x656ca1e6, 0x64d95cfb,\n 0x76209690, 0x77956b8d, 0x754b6caa, 0x74fe91b7, 0x70f762e4,\n 0x71429ff9, 0x739c98de, 0x722965c3, 0x7b8f7e78, 0x7a3a8365,\n 0x78e48442, 0x7951795f, 0x7d588a0c, 0x7ced7711, 0x7e337036,\n 0x7f868d2b, 0x5bc0e4e0, 0x5a7519fd, 0x58ab1eda, 0x591ee3c7,\n 0x5d171094, 0x5ca2ed89, 0x5e7ceaae, 0x5fc917b3, 0x566f0c08,\n 0x57daf115, 0x5504f632, 0x54b10b2f, 0x50b8f87c, 0x510d0561,\n 0x53d30246, 0x5266ff5b, 0x409f3530, 0x412ac82d, 0x43f4cf0a,\n 0x42413217, 0x4648c144, 0x47fd3c59, 0x45233b7e, 0x4496c663,\n 0x4d30ddd8, 0x4c8520c5, 0x4e5b27e2, 0x4feedaff, 0x4be729ac,\n 0x4a52d4b1, 0x488cd396, 0x49392e8b, 0xdafe8e80, 0xdb4b739d,\n 0xd99574ba, 0xd82089a7, 0xdc297af4, 0xdd9c87e9, 0xdf4280ce,\n 0xdef77dd3, 0xd7516668, 0xd6e49b75, 0xd43a9c52, 0xd58f614f,\n 0xd186921c, 0xd0336f01, 0xd2ed6826, 0xd358953b, 0xc1a15f50,\n 0xc014a24d, 0xc2caa56a, 0xc37f5877, 0xc776ab24, 0xc6c35639,\n 0xc41d511e, 0xc5a8ac03, 0xcc0eb7b8, 0xcdbb4aa5, 0xcf654d82,\n 0xced0b09f, 0xcad943cc, 0xcb6cbed1, 0xc9b2b9f6, 0xc80744eb,\n 0xec412d20, 0xedf4d03d, 0xef2ad71a, 0xee9f2a07, 0xea96d954,\n 0xeb232449, 0xe9fd236e, 0xe848de73, 0xe1eec5c8, 0xe05b38d5,\n 0xe2853ff2, 0xe330c2ef, 0xe73931bc, 0xe68ccca1, 0xe452cb86,\n 0xe5e7369b, 0xf71efcf0, 0xf6ab01ed, 0xf47506ca, 0xf5c0fbd7,\n 0xf1c90884, 0xf07cf599, 0xf2a2f2be, 0xf3170fa3, 0xfab11418,\n 0xfb04e905, 0xf9daee22, 0xf86f133f, 0xfc66e06c, 0xfdd31d71,\n 0xff0d1a56, 0xfeb8e74b, 0xb781c9c0, 0xb63434dd, 0xb4ea33fa,\n 0xb55fcee7, 0xb1563db4, 0xb0e3c0a9, 0xb23dc78e, 0xb3883a93,\n 0xba2e2128, 0xbb9bdc35, 0xb945db12, 0xb8f0260f, 0xbcf9d55c,\n 0xbd4c2841, 0xbf922f66, 0xbe27d27b, 0xacde1810, 0xad6be50d,\n 0xafb5e22a, 0xae001f37, 0xaa09ec64, 0xabbc1179, 0xa962165e,\n 0xa8d7eb43, 0xa171f0f8, 0xa0c40de5, 0xa21a0ac2, 0xa3aff7df,\n 0xa7a6048c, 0xa613f991, 0xa4cdfeb6, 0xa57803ab, 0x813e6a60,\n 0x808b977d, 0x8255905a, 0x83e06d47, 0x87e99e14, 0x865c6309,\n 0x8482642e, 0x85379933, 0x8c918288, 0x8d247f95, 0x8ffa78b2,\n 0x8e4f85af, 0x8a4676fc, 0x8bf38be1, 0x892d8cc6, 0x889871db,\n 0x9a61bbb0, 0x9bd446ad, 0x990a418a, 0x98bfbc97, 0x9cb64fc4,\n 0x9d03b2d9, 0x9fddb5fe, 0x9e6848e3, 0x97ce5358, 0x967bae45,\n 0x94a5a962, 0x9510547f, 0x9119a72c, 0x90ac5a31, 0x92725d16,\n 0x93c7a00b},\n {0x00000000, 0x6e8c1b41, 0xdd183682, 0xb3942dc3, 0x61416b45,\n 0x0fcd7004, 0xbc595dc7, 0xd2d54686, 0xc282d68a, 0xac0ecdcb,\n 0x1f9ae008, 0x7116fb49, 0xa3c3bdcf, 0xcd4fa68e, 0x7edb8b4d,\n 0x1057900c, 0x5e74ab55, 0x30f8b014, 0x836c9dd7, 0xede08696,\n 0x3f35c010, 0x51b9db51, 0xe22df692, 0x8ca1edd3, 0x9cf67ddf,\n 0xf27a669e, 0x41ee4b5d, 0x2f62501c, 0xfdb7169a, 0x933b0ddb,\n 0x20af2018, 0x4e233b59, 0xbce956aa, 0xd2654deb, 0x61f16028,\n 0x0f7d7b69, 0xdda83def, 0xb32426ae, 0x00b00b6d, 0x6e3c102c,\n 0x7e6b8020, 0x10e79b61, 0xa373b6a2, 0xcdffade3, 0x1f2aeb65,\n 0x71a6f024, 0xc232dde7, 0xacbec6a6, 0xe29dfdff, 0x8c11e6be,\n 0x3f85cb7d, 0x5109d03c, 0x83dc96ba, 0xed508dfb, 0x5ec4a038,\n 0x3048bb79, 0x201f2b75, 0x4e933034, 0xfd071df7, 0x938b06b6,\n 0x415e4030, 0x2fd25b71, 0x9c4676b2, 0xf2ca6df3, 0xa2a3ab15,\n 0xcc2fb054, 0x7fbb9d97, 0x113786d6, 0xc3e2c050, 0xad6edb11,\n 0x1efaf6d2, 0x7076ed93, 0x60217d9f, 0x0ead66de, 0xbd394b1d,\n 0xd3b5505c, 0x016016da, 0x6fec0d9b, 0xdc782058, 0xb2f43b19,\n 0xfcd70040, 0x925b1b01, 0x21cf36c2, 0x4f432d83, 0x9d966b05,\n 0xf31a7044, 0x408e5d87, 0x2e0246c6, 0x3e55d6ca, 0x50d9cd8b,\n 0xe34de048, 0x8dc1fb09, 0x5f14bd8f, 0x3198a6ce, 0x820c8b0d,\n 0xec80904c, 0x1e4afdbf, 0x70c6e6fe, 0xc352cb3d, 0xadded07c,\n 0x7f0b96fa, 0x11878dbb, 0xa213a078, 0xcc9fbb39, 0xdcc82b35,\n 0xb2443074, 0x01d01db7, 0x6f5c06f6, 0xbd894070, 0xd3055b31,\n 0x609176f2, 0x0e1d6db3, 0x403e56ea, 0x2eb24dab, 0x9d266068,\n 0xf3aa7b29, 0x217f3daf, 0x4ff326ee, 0xfc670b2d, 0x92eb106c,\n 0x82bc8060, 0xec309b21, 0x5fa4b6e2, 0x3128ada3, 0xe3fdeb25,\n 0x8d71f064, 0x3ee5dda7, 0x5069c6e6, 0x9e36506b, 0xf0ba4b2a,\n 0x432e66e9, 0x2da27da8, 0xff773b2e, 0x91fb206f, 0x226f0dac,\n 0x4ce316ed, 0x5cb486e1, 0x32389da0, 0x81acb063, 0xef20ab22,\n 0x3df5eda4, 0x5379f6e5, 0xe0eddb26, 0x8e61c067, 0xc042fb3e,\n 0xaecee07f, 0x1d5acdbc, 0x73d6d6fd, 0xa103907b, 0xcf8f8b3a,\n 0x7c1ba6f9, 0x1297bdb8, 0x02c02db4, 0x6c4c36f5, 0xdfd81b36,\n 0xb1540077, 0x638146f1, 0x0d0d5db0, 0xbe997073, 0xd0156b32,\n 0x22df06c1, 0x4c531d80, 0xffc73043, 0x914b2b02, 0x439e6d84,\n 0x2d1276c5, 0x9e865b06, 0xf00a4047, 0xe05dd04b, 0x8ed1cb0a,\n 0x3d45e6c9, 0x53c9fd88, 0x811cbb0e, 0xef90a04f, 0x5c048d8c,\n 0x328896cd, 0x7cabad94, 0x1227b6d5, 0xa1b39b16, 0xcf3f8057,\n 0x1deac6d1, 0x7366dd90, 0xc0f2f053, 0xae7eeb12, 0xbe297b1e,\n 0xd0a5605f, 0x63314d9c, 0x0dbd56dd, 0xdf68105b, 0xb1e40b1a,\n 0x027026d9, 0x6cfc3d98, 0x3c95fb7e, 0x5219e03f, 0xe18dcdfc,\n 0x8f01d6bd, 0x5dd4903b, 0x33588b7a, 0x80cca6b9, 0xee40bdf8,\n 0xfe172df4, 0x909b36b5, 0x230f1b76, 0x4d830037, 0x9f5646b1,\n 0xf1da5df0, 0x424e7033, 0x2cc26b72, 0x62e1502b, 0x0c6d4b6a,\n 0xbff966a9, 0xd1757de8, 0x03a03b6e, 0x6d2c202f, 0xdeb80dec,\n 0xb03416ad, 0xa06386a1, 0xceef9de0, 0x7d7bb023, 0x13f7ab62,\n 0xc122ede4, 0xafaef6a5, 0x1c3adb66, 0x72b6c027, 0x807cadd4,\n 0xeef0b695, 0x5d649b56, 0x33e88017, 0xe13dc691, 0x8fb1ddd0,\n 0x3c25f013, 0x52a9eb52, 0x42fe7b5e, 0x2c72601f, 0x9fe64ddc,\n 0xf16a569d, 0x23bf101b, 0x4d330b5a, 0xfea72699, 0x902b3dd8,\n 0xde080681, 0xb0841dc0, 0x03103003, 0x6d9c2b42, 0xbf496dc4,\n 0xd1c57685, 0x62515b46, 0x0cdd4007, 0x1c8ad00b, 0x7206cb4a,\n 0xc192e689, 0xaf1efdc8, 0x7dcbbb4e, 0x1347a00f, 0xa0d38dcc,\n 0xce5f968d},\n {0x00000000, 0xe71da697, 0x154a4b6f, 0xf257edf8, 0x2a9496de,\n 0xcd893049, 0x3fdeddb1, 0xd8c37b26, 0x55292dbc, 0xb2348b2b,\n 0x406366d3, 0xa77ec044, 0x7fbdbb62, 0x98a01df5, 0x6af7f00d,\n 0x8dea569a, 0xaa525b78, 0x4d4ffdef, 0xbf181017, 0x5805b680,\n 0x80c6cda6, 0x67db6b31, 0x958c86c9, 0x7291205e, 0xff7b76c4,\n 0x1866d053, 0xea313dab, 0x0d2c9b3c, 0xd5efe01a, 0x32f2468d,\n 0xc0a5ab75, 0x27b80de2, 0x8fd5b0b1, 0x68c81626, 0x9a9ffbde,\n 0x7d825d49, 0xa541266f, 0x425c80f8, 0xb00b6d00, 0x5716cb97,\n 0xdafc9d0d, 0x3de13b9a, 0xcfb6d662, 0x28ab70f5, 0xf0680bd3,\n 0x1775ad44, 0xe52240bc, 0x023fe62b, 0x2587ebc9, 0xc29a4d5e,\n 0x30cda0a6, 0xd7d00631, 0x0f137d17, 0xe80edb80, 0x1a593678,\n 0xfd4490ef, 0x70aec675, 0x97b360e2, 0x65e48d1a, 0x82f92b8d,\n 0x5a3a50ab, 0xbd27f63c, 0x4f701bc4, 0xa86dbd53, 0xc4da6723,\n 0x23c7c1b4, 0xd1902c4c, 0x368d8adb, 0xee4ef1fd, 0x0953576a,\n 0xfb04ba92, 0x1c191c05, 0x91f34a9f, 0x76eeec08, 0x84b901f0,\n 0x63a4a767, 0xbb67dc41, 0x5c7a7ad6, 0xae2d972e, 0x493031b9,\n 0x6e883c5b, 0x89959acc, 0x7bc27734, 0x9cdfd1a3, 0x441caa85,\n 0xa3010c12, 0x5156e1ea, 0xb64b477d, 0x3ba111e7, 0xdcbcb770,\n 0x2eeb5a88, 0xc9f6fc1f, 0x11358739, 0xf62821ae, 0x047fcc56,\n 0xe3626ac1, 0x4b0fd792, 0xac127105, 0x5e459cfd, 0xb9583a6a,\n 0x619b414c, 0x8686e7db, 0x74d10a23, 0x93ccacb4, 0x1e26fa2e,\n 0xf93b5cb9, 0x0b6cb141, 0xec7117d6, 0x34b26cf0, 0xd3afca67,\n 0x21f8279f, 0xc6e58108, 0xe15d8cea, 0x06402a7d, 0xf417c785,\n 0x130a6112, 0xcbc91a34, 0x2cd4bca3, 0xde83515b, 0x399ef7cc,\n 0xb474a156, 0x536907c1, 0xa13eea39, 0x46234cae, 0x9ee03788,\n 0x79fd911f, 0x8baa7ce7, 0x6cb7da70, 0x52c5c807, 0xb5d86e90,\n 0x478f8368, 0xa09225ff, 0x78515ed9, 0x9f4cf84e, 0x6d1b15b6,\n 0x8a06b321, 0x07ece5bb, 0xe0f1432c, 0x12a6aed4, 0xf5bb0843,\n 0x2d787365, 0xca65d5f2, 0x3832380a, 0xdf2f9e9d, 0xf897937f,\n 0x1f8a35e8, 0xedddd810, 0x0ac07e87, 0xd20305a1, 0x351ea336,\n 0xc7494ece, 0x2054e859, 0xadbebec3, 0x4aa31854, 0xb8f4f5ac,\n 0x5fe9533b, 0x872a281d, 0x60378e8a, 0x92606372, 0x757dc5e5,\n 0xdd1078b6, 0x3a0dde21, 0xc85a33d9, 0x2f47954e, 0xf784ee68,\n 0x109948ff, 0xe2cea507, 0x05d30390, 0x8839550a, 0x6f24f39d,\n 0x9d731e65, 0x7a6eb8f2, 0xa2adc3d4, 0x45b06543, 0xb7e788bb,\n 0x50fa2e2c, 0x774223ce, 0x905f8559, 0x620868a1, 0x8515ce36,\n 0x5dd6b510, 0xbacb1387, 0x489cfe7f, 0xaf8158e8, 0x226b0e72,\n 0xc576a8e5, 0x3721451d, 0xd03ce38a, 0x08ff98ac, 0xefe23e3b,\n 0x1db5d3c3, 0xfaa87554, 0x961faf24, 0x710209b3, 0x8355e44b,\n 0x644842dc, 0xbc8b39fa, 0x5b969f6d, 0xa9c17295, 0x4edcd402,\n 0xc3368298, 0x242b240f, 0xd67cc9f7, 0x31616f60, 0xe9a21446,\n 0x0ebfb2d1, 0xfce85f29, 0x1bf5f9be, 0x3c4df45c, 0xdb5052cb,\n 0x2907bf33, 0xce1a19a4, 0x16d96282, 0xf1c4c415, 0x039329ed,\n 0xe48e8f7a, 0x6964d9e0, 0x8e797f77, 0x7c2e928f, 0x9b333418,\n 0x43f04f3e, 0xa4ede9a9, 0x56ba0451, 0xb1a7a2c6, 0x19ca1f95,\n 0xfed7b902, 0x0c8054fa, 0xeb9df26d, 0x335e894b, 0xd4432fdc,\n 0x2614c224, 0xc10964b3, 0x4ce33229, 0xabfe94be, 0x59a97946,\n 0xbeb4dfd1, 0x6677a4f7, 0x816a0260, 0x733def98, 0x9420490f,\n 0xb39844ed, 0x5485e27a, 0xa6d20f82, 0x41cfa915, 0x990cd233,\n 0x7e1174a4, 0x8c46995c, 0x6b5b3fcb, 0xe6b16951, 0x01accfc6,\n 0xf3fb223e, 0x14e684a9, 0xcc25ff8f, 0x2b385918, 0xd96fb4e0,\n 0x3e721277},\n {0x00000000, 0xa58b900e, 0x9066265d, 0x35edb653, 0xfbbd4afb,\n 0x5e36daf5, 0x6bdb6ca6, 0xce50fca8, 0x2c0b93b7, 0x898003b9,\n 0xbc6db5ea, 0x19e625e4, 0xd7b6d94c, 0x723d4942, 0x47d0ff11,\n 0xe25b6f1f, 0x5817276e, 0xfd9cb760, 0xc8710133, 0x6dfa913d,\n 0xa3aa6d95, 0x0621fd9b, 0x33cc4bc8, 0x9647dbc6, 0x741cb4d9,\n 0xd19724d7, 0xe47a9284, 0x41f1028a, 0x8fa1fe22, 0x2a2a6e2c,\n 0x1fc7d87f, 0xba4c4871, 0xb02e4edc, 0x15a5ded2, 0x20486881,\n 0x85c3f88f, 0x4b930427, 0xee189429, 0xdbf5227a, 0x7e7eb274,\n 0x9c25dd6b, 0x39ae4d65, 0x0c43fb36, 0xa9c86b38, 0x67989790,\n 0xc213079e, 0xf7feb1cd, 0x527521c3, 0xe83969b2, 0x4db2f9bc,\n 0x785f4fef, 0xddd4dfe1, 0x13842349, 0xb60fb347, 0x83e20514,\n 0x2669951a, 0xc432fa05, 0x61b96a0b, 0x5454dc58, 0xf1df4c56,\n 0x3f8fb0fe, 0x9a0420f0, 0xafe996a3, 0x0a6206ad, 0xbb2d9bf9,\n 0x1ea60bf7, 0x2b4bbda4, 0x8ec02daa, 0x4090d102, 0xe51b410c,\n 0xd0f6f75f, 0x757d6751, 0x9726084e, 0x32ad9840, 0x07402e13,\n 0xa2cbbe1d, 0x6c9b42b5, 0xc910d2bb, 0xfcfd64e8, 0x5976f4e6,\n 0xe33abc97, 0x46b12c99, 0x735c9aca, 0xd6d70ac4, 0x1887f66c,\n 0xbd0c6662, 0x88e1d031, 0x2d6a403f, 0xcf312f20, 0x6ababf2e,\n 0x5f57097d, 0xfadc9973, 0x348c65db, 0x9107f5d5, 0xa4ea4386,\n 0x0161d388, 0x0b03d525, 0xae88452b, 0x9b65f378, 0x3eee6376,\n 0xf0be9fde, 0x55350fd0, 0x60d8b983, 0xc553298d, 0x27084692,\n 0x8283d69c, 0xb76e60cf, 0x12e5f0c1, 0xdcb50c69, 0x793e9c67,\n 0x4cd32a34, 0xe958ba3a, 0x5314f24b, 0xf69f6245, 0xc372d416,\n 0x66f94418, 0xa8a9b8b0, 0x0d2228be, 0x38cf9eed, 0x9d440ee3,\n 0x7f1f61fc, 0xda94f1f2, 0xef7947a1, 0x4af2d7af, 0x84a22b07,\n 0x2129bb09, 0x14c40d5a, 0xb14f9d54, 0xad2a31b3, 0x08a1a1bd,\n 0x3d4c17ee, 0x98c787e0, 0x56977b48, 0xf31ceb46, 0xc6f15d15,\n 0x637acd1b, 0x8121a204, 0x24aa320a, 0x11478459, 0xb4cc1457,\n 0x7a9ce8ff, 0xdf1778f1, 0xeafacea2, 0x4f715eac, 0xf53d16dd,\n 0x50b686d3, 0x655b3080, 0xc0d0a08e, 0x0e805c26, 0xab0bcc28,\n 0x9ee67a7b, 0x3b6dea75, 0xd936856a, 0x7cbd1564, 0x4950a337,\n 0xecdb3339, 0x228bcf91, 0x87005f9f, 0xb2ede9cc, 0x176679c2,\n 0x1d047f6f, 0xb88fef61, 0x8d625932, 0x28e9c93c, 0xe6b93594,\n 0x4332a59a, 0x76df13c9, 0xd35483c7, 0x310fecd8, 0x94847cd6,\n 0xa169ca85, 0x04e25a8b, 0xcab2a623, 0x6f39362d, 0x5ad4807e,\n 0xff5f1070, 0x45135801, 0xe098c80f, 0xd5757e5c, 0x70feee52,\n 0xbeae12fa, 0x1b2582f4, 0x2ec834a7, 0x8b43a4a9, 0x6918cbb6,\n 0xcc935bb8, 0xf97eedeb, 0x5cf57de5, 0x92a5814d, 0x372e1143,\n 0x02c3a710, 0xa748371e, 0x1607aa4a, 0xb38c3a44, 0x86618c17,\n 0x23ea1c19, 0xedbae0b1, 0x483170bf, 0x7ddcc6ec, 0xd85756e2,\n 0x3a0c39fd, 0x9f87a9f3, 0xaa6a1fa0, 0x0fe18fae, 0xc1b17306,\n 0x643ae308, 0x51d7555b, 0xf45cc555, 0x4e108d24, 0xeb9b1d2a,\n 0xde76ab79, 0x7bfd3b77, 0xb5adc7df, 0x102657d1, 0x25cbe182,\n 0x8040718c, 0x621b1e93, 0xc7908e9d, 0xf27d38ce, 0x57f6a8c0,\n 0x99a65468, 0x3c2dc466, 0x09c07235, 0xac4be23b, 0xa629e496,\n 0x03a27498, 0x364fc2cb, 0x93c452c5, 0x5d94ae6d, 0xf81f3e63,\n 0xcdf28830, 0x6879183e, 0x8a227721, 0x2fa9e72f, 0x1a44517c,\n 0xbfcfc172, 0x719f3dda, 0xd414add4, 0xe1f91b87, 0x44728b89,\n 0xfe3ec3f8, 0x5bb553f6, 0x6e58e5a5, 0xcbd375ab, 0x05838903,\n 0xa008190d, 0x95e5af5e, 0x306e3f50, 0xd235504f, 0x77bec041,\n 0x42537612, 0xe7d8e61c, 0x29881ab4, 0x8c038aba, 0xb9ee3ce9,\n 0x1c65ace7}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0x0e908ba500000000, 0x5d26669000000000,\n 0x53b6ed3500000000, 0xfb4abdfb00000000, 0xf5da365e00000000,\n 0xa66cdb6b00000000, 0xa8fc50ce00000000, 0xb7930b2c00000000,\n 0xb903808900000000, 0xeab56dbc00000000, 0xe425e61900000000,\n 0x4cd9b6d700000000, 0x42493d7200000000, 0x11ffd04700000000,\n 0x1f6f5be200000000, 0x6e27175800000000, 0x60b79cfd00000000,\n 0x330171c800000000, 0x3d91fa6d00000000, 0x956daaa300000000,\n 0x9bfd210600000000, 0xc84bcc3300000000, 0xc6db479600000000,\n 0xd9b41c7400000000, 0xd72497d100000000, 0x84927ae400000000,\n 0x8a02f14100000000, 0x22fea18f00000000, 0x2c6e2a2a00000000,\n 0x7fd8c71f00000000, 0x71484cba00000000, 0xdc4e2eb000000000,\n 0xd2dea51500000000, 0x8168482000000000, 0x8ff8c38500000000,\n 0x2704934b00000000, 0x299418ee00000000, 0x7a22f5db00000000,\n 0x74b27e7e00000000, 0x6bdd259c00000000, 0x654dae3900000000,\n 0x36fb430c00000000, 0x386bc8a900000000, 0x9097986700000000,\n 0x9e0713c200000000, 0xcdb1fef700000000, 0xc321755200000000,\n 0xb26939e800000000, 0xbcf9b24d00000000, 0xef4f5f7800000000,\n 0xe1dfd4dd00000000, 0x4923841300000000, 0x47b30fb600000000,\n 0x1405e28300000000, 0x1a95692600000000, 0x05fa32c400000000,\n 0x0b6ab96100000000, 0x58dc545400000000, 0x564cdff100000000,\n 0xfeb08f3f00000000, 0xf020049a00000000, 0xa396e9af00000000,\n 0xad06620a00000000, 0xf99b2dbb00000000, 0xf70ba61e00000000,\n 0xa4bd4b2b00000000, 0xaa2dc08e00000000, 0x02d1904000000000,\n 0x0c411be500000000, 0x5ff7f6d000000000, 0x51677d7500000000,\n 0x4e08269700000000, 0x4098ad3200000000, 0x132e400700000000,\n 0x1dbecba200000000, 0xb5429b6c00000000, 0xbbd210c900000000,\n 0xe864fdfc00000000, 0xe6f4765900000000, 0x97bc3ae300000000,\n 0x992cb14600000000, 0xca9a5c7300000000, 0xc40ad7d600000000,\n 0x6cf6871800000000, 0x62660cbd00000000, 0x31d0e18800000000,\n 0x3f406a2d00000000, 0x202f31cf00000000, 0x2ebfba6a00000000,\n 0x7d09575f00000000, 0x7399dcfa00000000, 0xdb658c3400000000,\n 0xd5f5079100000000, 0x8643eaa400000000, 0x88d3610100000000,\n 0x25d5030b00000000, 0x2b4588ae00000000, 0x78f3659b00000000,\n 0x7663ee3e00000000, 0xde9fbef000000000, 0xd00f355500000000,\n 0x83b9d86000000000, 0x8d2953c500000000, 0x9246082700000000,\n 0x9cd6838200000000, 0xcf606eb700000000, 0xc1f0e51200000000,\n 0x690cb5dc00000000, 0x679c3e7900000000, 0x342ad34c00000000,\n 0x3aba58e900000000, 0x4bf2145300000000, 0x45629ff600000000,\n 0x16d472c300000000, 0x1844f96600000000, 0xb0b8a9a800000000,\n 0xbe28220d00000000, 0xed9ecf3800000000, 0xe30e449d00000000,\n 0xfc611f7f00000000, 0xf2f194da00000000, 0xa14779ef00000000,\n 0xafd7f24a00000000, 0x072ba28400000000, 0x09bb292100000000,\n 0x5a0dc41400000000, 0x549d4fb100000000, 0xb3312aad00000000,\n 0xbda1a10800000000, 0xee174c3d00000000, 0xe087c79800000000,\n 0x487b975600000000, 0x46eb1cf300000000, 0x155df1c600000000,\n 0x1bcd7a6300000000, 0x04a2218100000000, 0x0a32aa2400000000,\n 0x5984471100000000, 0x5714ccb400000000, 0xffe89c7a00000000,\n 0xf17817df00000000, 0xa2cefaea00000000, 0xac5e714f00000000,\n 0xdd163df500000000, 0xd386b65000000000, 0x80305b6500000000,\n 0x8ea0d0c000000000, 0x265c800e00000000, 0x28cc0bab00000000,\n 0x7b7ae69e00000000, 0x75ea6d3b00000000, 0x6a8536d900000000,\n 0x6415bd7c00000000, 0x37a3504900000000, 0x3933dbec00000000,\n 0x91cf8b2200000000, 0x9f5f008700000000, 0xcce9edb200000000,\n 0xc279661700000000, 0x6f7f041d00000000, 0x61ef8fb800000000,\n 0x3259628d00000000, 0x3cc9e92800000000, 0x9435b9e600000000,\n 0x9aa5324300000000, 0xc913df7600000000, 0xc78354d300000000,\n 0xd8ec0f3100000000, 0xd67c849400000000, 0x85ca69a100000000,\n 0x8b5ae20400000000, 0x23a6b2ca00000000, 0x2d36396f00000000,\n 0x7e80d45a00000000, 0x70105fff00000000, 0x0158134500000000,\n 0x0fc898e000000000, 0x5c7e75d500000000, 0x52eefe7000000000,\n 0xfa12aebe00000000, 0xf482251b00000000, 0xa734c82e00000000,\n 0xa9a4438b00000000, 0xb6cb186900000000, 0xb85b93cc00000000,\n 0xebed7ef900000000, 0xe57df55c00000000, 0x4d81a59200000000,\n 0x43112e3700000000, 0x10a7c30200000000, 0x1e3748a700000000,\n 0x4aaa071600000000, 0x443a8cb300000000, 0x178c618600000000,\n 0x191cea2300000000, 0xb1e0baed00000000, 0xbf70314800000000,\n 0xecc6dc7d00000000, 0xe25657d800000000, 0xfd390c3a00000000,\n 0xf3a9879f00000000, 0xa01f6aaa00000000, 0xae8fe10f00000000,\n 0x0673b1c100000000, 0x08e33a6400000000, 0x5b55d75100000000,\n 0x55c55cf400000000, 0x248d104e00000000, 0x2a1d9beb00000000,\n 0x79ab76de00000000, 0x773bfd7b00000000, 0xdfc7adb500000000,\n 0xd157261000000000, 0x82e1cb2500000000, 0x8c71408000000000,\n 0x931e1b6200000000, 0x9d8e90c700000000, 0xce387df200000000,\n 0xc0a8f65700000000, 0x6854a69900000000, 0x66c42d3c00000000,\n 0x3572c00900000000, 0x3be24bac00000000, 0x96e429a600000000,\n 0x9874a20300000000, 0xcbc24f3600000000, 0xc552c49300000000,\n 0x6dae945d00000000, 0x633e1ff800000000, 0x3088f2cd00000000,\n 0x3e18796800000000, 0x2177228a00000000, 0x2fe7a92f00000000,\n 0x7c51441a00000000, 0x72c1cfbf00000000, 0xda3d9f7100000000,\n 0xd4ad14d400000000, 0x871bf9e100000000, 0x898b724400000000,\n 0xf8c33efe00000000, 0xf653b55b00000000, 0xa5e5586e00000000,\n 0xab75d3cb00000000, 0x0389830500000000, 0x0d1908a000000000,\n 0x5eafe59500000000, 0x503f6e3000000000, 0x4f5035d200000000,\n 0x41c0be7700000000, 0x1276534200000000, 0x1ce6d8e700000000,\n 0xb41a882900000000, 0xba8a038c00000000, 0xe93ceeb900000000,\n 0xe7ac651c00000000},\n {0x0000000000000000, 0x97a61de700000000, 0x6f4b4a1500000000,\n 0xf8ed57f200000000, 0xde96942a00000000, 0x493089cd00000000,\n 0xb1ddde3f00000000, 0x267bc3d800000000, 0xbc2d295500000000,\n 0x2b8b34b200000000, 0xd366634000000000, 0x44c07ea700000000,\n 0x62bbbd7f00000000, 0xf51da09800000000, 0x0df0f76a00000000,\n 0x9a56ea8d00000000, 0x785b52aa00000000, 0xeffd4f4d00000000,\n 0x171018bf00000000, 0x80b6055800000000, 0xa6cdc68000000000,\n 0x316bdb6700000000, 0xc9868c9500000000, 0x5e20917200000000,\n 0xc4767bff00000000, 0x53d0661800000000, 0xab3d31ea00000000,\n 0x3c9b2c0d00000000, 0x1ae0efd500000000, 0x8d46f23200000000,\n 0x75aba5c000000000, 0xe20db82700000000, 0xb1b0d58f00000000,\n 0x2616c86800000000, 0xdefb9f9a00000000, 0x495d827d00000000,\n 0x6f2641a500000000, 0xf8805c4200000000, 0x006d0bb000000000,\n 0x97cb165700000000, 0x0d9dfcda00000000, 0x9a3be13d00000000,\n 0x62d6b6cf00000000, 0xf570ab2800000000, 0xd30b68f000000000,\n 0x44ad751700000000, 0xbc4022e500000000, 0x2be63f0200000000,\n 0xc9eb872500000000, 0x5e4d9ac200000000, 0xa6a0cd3000000000,\n 0x3106d0d700000000, 0x177d130f00000000, 0x80db0ee800000000,\n 0x7836591a00000000, 0xef9044fd00000000, 0x75c6ae7000000000,\n 0xe260b39700000000, 0x1a8de46500000000, 0x8d2bf98200000000,\n 0xab503a5a00000000, 0x3cf627bd00000000, 0xc41b704f00000000,\n 0x53bd6da800000000, 0x2367dac400000000, 0xb4c1c72300000000,\n 0x4c2c90d100000000, 0xdb8a8d3600000000, 0xfdf14eee00000000,\n 0x6a57530900000000, 0x92ba04fb00000000, 0x051c191c00000000,\n 0x9f4af39100000000, 0x08ecee7600000000, 0xf001b98400000000,\n 0x67a7a46300000000, 0x41dc67bb00000000, 0xd67a7a5c00000000,\n 0x2e972dae00000000, 0xb931304900000000, 0x5b3c886e00000000,\n 0xcc9a958900000000, 0x3477c27b00000000, 0xa3d1df9c00000000,\n 0x85aa1c4400000000, 0x120c01a300000000, 0xeae1565100000000,\n 0x7d474bb600000000, 0xe711a13b00000000, 0x70b7bcdc00000000,\n 0x885aeb2e00000000, 0x1ffcf6c900000000, 0x3987351100000000,\n 0xae2128f600000000, 0x56cc7f0400000000, 0xc16a62e300000000,\n 0x92d70f4b00000000, 0x057112ac00000000, 0xfd9c455e00000000,\n 0x6a3a58b900000000, 0x4c419b6100000000, 0xdbe7868600000000,\n 0x230ad17400000000, 0xb4accc9300000000, 0x2efa261e00000000,\n 0xb95c3bf900000000, 0x41b16c0b00000000, 0xd61771ec00000000,\n 0xf06cb23400000000, 0x67caafd300000000, 0x9f27f82100000000,\n 0x0881e5c600000000, 0xea8c5de100000000, 0x7d2a400600000000,\n 0x85c717f400000000, 0x12610a1300000000, 0x341ac9cb00000000,\n 0xa3bcd42c00000000, 0x5b5183de00000000, 0xccf79e3900000000,\n 0x56a174b400000000, 0xc107695300000000, 0x39ea3ea100000000,\n 0xae4c234600000000, 0x8837e09e00000000, 0x1f91fd7900000000,\n 0xe77caa8b00000000, 0x70dab76c00000000, 0x07c8c55200000000,\n 0x906ed8b500000000, 0x68838f4700000000, 0xff2592a000000000,\n 0xd95e517800000000, 0x4ef84c9f00000000, 0xb6151b6d00000000,\n 0x21b3068a00000000, 0xbbe5ec0700000000, 0x2c43f1e000000000,\n 0xd4aea61200000000, 0x4308bbf500000000, 0x6573782d00000000,\n 0xf2d565ca00000000, 0x0a38323800000000, 0x9d9e2fdf00000000,\n 0x7f9397f800000000, 0xe8358a1f00000000, 0x10d8dded00000000,\n 0x877ec00a00000000, 0xa10503d200000000, 0x36a31e3500000000,\n 0xce4e49c700000000, 0x59e8542000000000, 0xc3bebead00000000,\n 0x5418a34a00000000, 0xacf5f4b800000000, 0x3b53e95f00000000,\n 0x1d282a8700000000, 0x8a8e376000000000, 0x7263609200000000,\n 0xe5c57d7500000000, 0xb67810dd00000000, 0x21de0d3a00000000,\n 0xd9335ac800000000, 0x4e95472f00000000, 0x68ee84f700000000,\n 0xff48991000000000, 0x07a5cee200000000, 0x9003d30500000000,\n 0x0a55398800000000, 0x9df3246f00000000, 0x651e739d00000000,\n 0xf2b86e7a00000000, 0xd4c3ada200000000, 0x4365b04500000000,\n 0xbb88e7b700000000, 0x2c2efa5000000000, 0xce23427700000000,\n 0x59855f9000000000, 0xa168086200000000, 0x36ce158500000000,\n 0x10b5d65d00000000, 0x8713cbba00000000, 0x7ffe9c4800000000,\n 0xe85881af00000000, 0x720e6b2200000000, 0xe5a876c500000000,\n 0x1d45213700000000, 0x8ae33cd000000000, 0xac98ff0800000000,\n 0x3b3ee2ef00000000, 0xc3d3b51d00000000, 0x5475a8fa00000000,\n 0x24af1f9600000000, 0xb309027100000000, 0x4be4558300000000,\n 0xdc42486400000000, 0xfa398bbc00000000, 0x6d9f965b00000000,\n 0x9572c1a900000000, 0x02d4dc4e00000000, 0x988236c300000000,\n 0x0f242b2400000000, 0xf7c97cd600000000, 0x606f613100000000,\n 0x4614a2e900000000, 0xd1b2bf0e00000000, 0x295fe8fc00000000,\n 0xbef9f51b00000000, 0x5cf44d3c00000000, 0xcb5250db00000000,\n 0x33bf072900000000, 0xa4191ace00000000, 0x8262d91600000000,\n 0x15c4c4f100000000, 0xed29930300000000, 0x7a8f8ee400000000,\n 0xe0d9646900000000, 0x777f798e00000000, 0x8f922e7c00000000,\n 0x1834339b00000000, 0x3e4ff04300000000, 0xa9e9eda400000000,\n 0x5104ba5600000000, 0xc6a2a7b100000000, 0x951fca1900000000,\n 0x02b9d7fe00000000, 0xfa54800c00000000, 0x6df29deb00000000,\n 0x4b895e3300000000, 0xdc2f43d400000000, 0x24c2142600000000,\n 0xb36409c100000000, 0x2932e34c00000000, 0xbe94feab00000000,\n 0x4679a95900000000, 0xd1dfb4be00000000, 0xf7a4776600000000,\n 0x60026a8100000000, 0x98ef3d7300000000, 0x0f49209400000000,\n 0xed4498b300000000, 0x7ae2855400000000, 0x820fd2a600000000,\n 0x15a9cf4100000000, 0x33d20c9900000000, 0xa474117e00000000,\n 0x5c99468c00000000, 0xcb3f5b6b00000000, 0x5169b1e600000000,\n 0xc6cfac0100000000, 0x3e22fbf300000000, 0xa984e61400000000,\n 0x8fff25cc00000000, 0x1859382b00000000, 0xe0b46fd900000000,\n 0x7712723e00000000},\n {0x0000000000000000, 0x411b8c6e00000000, 0x823618dd00000000,\n 0xc32d94b300000000, 0x456b416100000000, 0x0470cd0f00000000,\n 0xc75d59bc00000000, 0x8646d5d200000000, 0x8ad682c200000000,\n 0xcbcd0eac00000000, 0x08e09a1f00000000, 0x49fb167100000000,\n 0xcfbdc3a300000000, 0x8ea64fcd00000000, 0x4d8bdb7e00000000,\n 0x0c90571000000000, 0x55ab745e00000000, 0x14b0f83000000000,\n 0xd79d6c8300000000, 0x9686e0ed00000000, 0x10c0353f00000000,\n 0x51dbb95100000000, 0x92f62de200000000, 0xd3eda18c00000000,\n 0xdf7df69c00000000, 0x9e667af200000000, 0x5d4bee4100000000,\n 0x1c50622f00000000, 0x9a16b7fd00000000, 0xdb0d3b9300000000,\n 0x1820af2000000000, 0x593b234e00000000, 0xaa56e9bc00000000,\n 0xeb4d65d200000000, 0x2860f16100000000, 0x697b7d0f00000000,\n 0xef3da8dd00000000, 0xae2624b300000000, 0x6d0bb00000000000,\n 0x2c103c6e00000000, 0x20806b7e00000000, 0x619be71000000000,\n 0xa2b673a300000000, 0xe3adffcd00000000, 0x65eb2a1f00000000,\n 0x24f0a67100000000, 0xe7dd32c200000000, 0xa6c6beac00000000,\n 0xfffd9de200000000, 0xbee6118c00000000, 0x7dcb853f00000000,\n 0x3cd0095100000000, 0xba96dc8300000000, 0xfb8d50ed00000000,\n 0x38a0c45e00000000, 0x79bb483000000000, 0x752b1f2000000000,\n 0x3430934e00000000, 0xf71d07fd00000000, 0xb6068b9300000000,\n 0x30405e4100000000, 0x715bd22f00000000, 0xb276469c00000000,\n 0xf36dcaf200000000, 0x15aba3a200000000, 0x54b02fcc00000000,\n 0x979dbb7f00000000, 0xd686371100000000, 0x50c0e2c300000000,\n 0x11db6ead00000000, 0xd2f6fa1e00000000, 0x93ed767000000000,\n 0x9f7d216000000000, 0xde66ad0e00000000, 0x1d4b39bd00000000,\n 0x5c50b5d300000000, 0xda16600100000000, 0x9b0dec6f00000000,\n 0x582078dc00000000, 0x193bf4b200000000, 0x4000d7fc00000000,\n 0x011b5b9200000000, 0xc236cf2100000000, 0x832d434f00000000,\n 0x056b969d00000000, 0x44701af300000000, 0x875d8e4000000000,\n 0xc646022e00000000, 0xcad6553e00000000, 0x8bcdd95000000000,\n 0x48e04de300000000, 0x09fbc18d00000000, 0x8fbd145f00000000,\n 0xcea6983100000000, 0x0d8b0c8200000000, 0x4c9080ec00000000,\n 0xbffd4a1e00000000, 0xfee6c67000000000, 0x3dcb52c300000000,\n 0x7cd0dead00000000, 0xfa960b7f00000000, 0xbb8d871100000000,\n 0x78a013a200000000, 0x39bb9fcc00000000, 0x352bc8dc00000000,\n 0x743044b200000000, 0xb71dd00100000000, 0xf6065c6f00000000,\n 0x704089bd00000000, 0x315b05d300000000, 0xf276916000000000,\n 0xb36d1d0e00000000, 0xea563e4000000000, 0xab4db22e00000000,\n 0x6860269d00000000, 0x297baaf300000000, 0xaf3d7f2100000000,\n 0xee26f34f00000000, 0x2d0b67fc00000000, 0x6c10eb9200000000,\n 0x6080bc8200000000, 0x219b30ec00000000, 0xe2b6a45f00000000,\n 0xa3ad283100000000, 0x25ebfde300000000, 0x64f0718d00000000,\n 0xa7dde53e00000000, 0xe6c6695000000000, 0x6b50369e00000000,\n 0x2a4bbaf000000000, 0xe9662e4300000000, 0xa87da22d00000000,\n 0x2e3b77ff00000000, 0x6f20fb9100000000, 0xac0d6f2200000000,\n 0xed16e34c00000000, 0xe186b45c00000000, 0xa09d383200000000,\n 0x63b0ac8100000000, 0x22ab20ef00000000, 0xa4edf53d00000000,\n 0xe5f6795300000000, 0x26dbede000000000, 0x67c0618e00000000,\n 0x3efb42c000000000, 0x7fe0ceae00000000, 0xbccd5a1d00000000,\n 0xfdd6d67300000000, 0x7b9003a100000000, 0x3a8b8fcf00000000,\n 0xf9a61b7c00000000, 0xb8bd971200000000, 0xb42dc00200000000,\n 0xf5364c6c00000000, 0x361bd8df00000000, 0x770054b100000000,\n 0xf146816300000000, 0xb05d0d0d00000000, 0x737099be00000000,\n 0x326b15d000000000, 0xc106df2200000000, 0x801d534c00000000,\n 0x4330c7ff00000000, 0x022b4b9100000000, 0x846d9e4300000000,\n 0xc576122d00000000, 0x065b869e00000000, 0x47400af000000000,\n 0x4bd05de000000000, 0x0acbd18e00000000, 0xc9e6453d00000000,\n 0x88fdc95300000000, 0x0ebb1c8100000000, 0x4fa090ef00000000,\n 0x8c8d045c00000000, 0xcd96883200000000, 0x94adab7c00000000,\n 0xd5b6271200000000, 0x169bb3a100000000, 0x57803fcf00000000,\n 0xd1c6ea1d00000000, 0x90dd667300000000, 0x53f0f2c000000000,\n 0x12eb7eae00000000, 0x1e7b29be00000000, 0x5f60a5d000000000,\n 0x9c4d316300000000, 0xdd56bd0d00000000, 0x5b1068df00000000,\n 0x1a0be4b100000000, 0xd926700200000000, 0x983dfc6c00000000,\n 0x7efb953c00000000, 0x3fe0195200000000, 0xfccd8de100000000,\n 0xbdd6018f00000000, 0x3b90d45d00000000, 0x7a8b583300000000,\n 0xb9a6cc8000000000, 0xf8bd40ee00000000, 0xf42d17fe00000000,\n 0xb5369b9000000000, 0x761b0f2300000000, 0x3700834d00000000,\n 0xb146569f00000000, 0xf05ddaf100000000, 0x33704e4200000000,\n 0x726bc22c00000000, 0x2b50e16200000000, 0x6a4b6d0c00000000,\n 0xa966f9bf00000000, 0xe87d75d100000000, 0x6e3ba00300000000,\n 0x2f202c6d00000000, 0xec0db8de00000000, 0xad1634b000000000,\n 0xa18663a000000000, 0xe09defce00000000, 0x23b07b7d00000000,\n 0x62abf71300000000, 0xe4ed22c100000000, 0xa5f6aeaf00000000,\n 0x66db3a1c00000000, 0x27c0b67200000000, 0xd4ad7c8000000000,\n 0x95b6f0ee00000000, 0x569b645d00000000, 0x1780e83300000000,\n 0x91c63de100000000, 0xd0ddb18f00000000, 0x13f0253c00000000,\n 0x52eba95200000000, 0x5e7bfe4200000000, 0x1f60722c00000000,\n 0xdc4de69f00000000, 0x9d566af100000000, 0x1b10bf2300000000,\n 0x5a0b334d00000000, 0x9926a7fe00000000, 0xd83d2b9000000000,\n 0x810608de00000000, 0xc01d84b000000000, 0x0330100300000000,\n 0x422b9c6d00000000, 0xc46d49bf00000000, 0x8576c5d100000000,\n 0x465b516200000000, 0x0740dd0c00000000, 0x0bd08a1c00000000,\n 0x4acb067200000000, 0x89e692c100000000, 0xc8fd1eaf00000000,\n 0x4ebbcb7d00000000, 0x0fa0471300000000, 0xcc8dd3a000000000,\n 0x8d965fce00000000},\n {0x0000000000000000, 0x1dfdb50100000000, 0x3afa6b0300000000,\n 0x2707de0200000000, 0x74f4d70600000000, 0x6909620700000000,\n 0x4e0ebc0500000000, 0x53f3090400000000, 0xe8e8af0d00000000,\n 0xf5151a0c00000000, 0xd212c40e00000000, 0xcfef710f00000000,\n 0x9c1c780b00000000, 0x81e1cd0a00000000, 0xa6e6130800000000,\n 0xbb1ba60900000000, 0xd0d15f1b00000000, 0xcd2cea1a00000000,\n 0xea2b341800000000, 0xf7d6811900000000, 0xa425881d00000000,\n 0xb9d83d1c00000000, 0x9edfe31e00000000, 0x8322561f00000000,\n 0x3839f01600000000, 0x25c4451700000000, 0x02c39b1500000000,\n 0x1f3e2e1400000000, 0x4ccd271000000000, 0x5130921100000000,\n 0x76374c1300000000, 0x6bcaf91200000000, 0xa0a3bf3600000000,\n 0xbd5e0a3700000000, 0x9a59d43500000000, 0x87a4613400000000,\n 0xd457683000000000, 0xc9aadd3100000000, 0xeead033300000000,\n 0xf350b63200000000, 0x484b103b00000000, 0x55b6a53a00000000,\n 0x72b17b3800000000, 0x6f4cce3900000000, 0x3cbfc73d00000000,\n 0x2142723c00000000, 0x0645ac3e00000000, 0x1bb8193f00000000,\n 0x7072e02d00000000, 0x6d8f552c00000000, 0x4a888b2e00000000,\n 0x57753e2f00000000, 0x0486372b00000000, 0x197b822a00000000,\n 0x3e7c5c2800000000, 0x2381e92900000000, 0x989a4f2000000000,\n 0x8567fa2100000000, 0xa260242300000000, 0xbf9d912200000000,\n 0xec6e982600000000, 0xf1932d2700000000, 0xd694f32500000000,\n 0xcb69462400000000, 0x40477f6d00000000, 0x5dbaca6c00000000,\n 0x7abd146e00000000, 0x6740a16f00000000, 0x34b3a86b00000000,\n 0x294e1d6a00000000, 0x0e49c36800000000, 0x13b4766900000000,\n 0xa8afd06000000000, 0xb552656100000000, 0x9255bb6300000000,\n 0x8fa80e6200000000, 0xdc5b076600000000, 0xc1a6b26700000000,\n 0xe6a16c6500000000, 0xfb5cd96400000000, 0x9096207600000000,\n 0x8d6b957700000000, 0xaa6c4b7500000000, 0xb791fe7400000000,\n 0xe462f77000000000, 0xf99f427100000000, 0xde989c7300000000,\n 0xc365297200000000, 0x787e8f7b00000000, 0x65833a7a00000000,\n 0x4284e47800000000, 0x5f79517900000000, 0x0c8a587d00000000,\n 0x1177ed7c00000000, 0x3670337e00000000, 0x2b8d867f00000000,\n 0xe0e4c05b00000000, 0xfd19755a00000000, 0xda1eab5800000000,\n 0xc7e31e5900000000, 0x9410175d00000000, 0x89eda25c00000000,\n 0xaeea7c5e00000000, 0xb317c95f00000000, 0x080c6f5600000000,\n 0x15f1da5700000000, 0x32f6045500000000, 0x2f0bb15400000000,\n 0x7cf8b85000000000, 0x61050d5100000000, 0x4602d35300000000,\n 0x5bff665200000000, 0x30359f4000000000, 0x2dc82a4100000000,\n 0x0acff44300000000, 0x1732414200000000, 0x44c1484600000000,\n 0x593cfd4700000000, 0x7e3b234500000000, 0x63c6964400000000,\n 0xd8dd304d00000000, 0xc520854c00000000, 0xe2275b4e00000000,\n 0xffdaee4f00000000, 0xac29e74b00000000, 0xb1d4524a00000000,\n 0x96d38c4800000000, 0x8b2e394900000000, 0x808efeda00000000,\n 0x9d734bdb00000000, 0xba7495d900000000, 0xa78920d800000000,\n 0xf47a29dc00000000, 0xe9879cdd00000000, 0xce8042df00000000,\n 0xd37df7de00000000, 0x686651d700000000, 0x759be4d600000000,\n 0x529c3ad400000000, 0x4f618fd500000000, 0x1c9286d100000000,\n 0x016f33d000000000, 0x2668edd200000000, 0x3b9558d300000000,\n 0x505fa1c100000000, 0x4da214c000000000, 0x6aa5cac200000000,\n 0x77587fc300000000, 0x24ab76c700000000, 0x3956c3c600000000,\n 0x1e511dc400000000, 0x03aca8c500000000, 0xb8b70ecc00000000,\n 0xa54abbcd00000000, 0x824d65cf00000000, 0x9fb0d0ce00000000,\n 0xcc43d9ca00000000, 0xd1be6ccb00000000, 0xf6b9b2c900000000,\n 0xeb4407c800000000, 0x202d41ec00000000, 0x3dd0f4ed00000000,\n 0x1ad72aef00000000, 0x072a9fee00000000, 0x54d996ea00000000,\n 0x492423eb00000000, 0x6e23fde900000000, 0x73de48e800000000,\n 0xc8c5eee100000000, 0xd5385be000000000, 0xf23f85e200000000,\n 0xefc230e300000000, 0xbc3139e700000000, 0xa1cc8ce600000000,\n 0x86cb52e400000000, 0x9b36e7e500000000, 0xf0fc1ef700000000,\n 0xed01abf600000000, 0xca0675f400000000, 0xd7fbc0f500000000,\n 0x8408c9f100000000, 0x99f57cf000000000, 0xbef2a2f200000000,\n 0xa30f17f300000000, 0x1814b1fa00000000, 0x05e904fb00000000,\n 0x22eedaf900000000, 0x3f136ff800000000, 0x6ce066fc00000000,\n 0x711dd3fd00000000, 0x561a0dff00000000, 0x4be7b8fe00000000,\n 0xc0c981b700000000, 0xdd3434b600000000, 0xfa33eab400000000,\n 0xe7ce5fb500000000, 0xb43d56b100000000, 0xa9c0e3b000000000,\n 0x8ec73db200000000, 0x933a88b300000000, 0x28212eba00000000,\n 0x35dc9bbb00000000, 0x12db45b900000000, 0x0f26f0b800000000,\n 0x5cd5f9bc00000000, 0x41284cbd00000000, 0x662f92bf00000000,\n 0x7bd227be00000000, 0x1018deac00000000, 0x0de56bad00000000,\n 0x2ae2b5af00000000, 0x371f00ae00000000, 0x64ec09aa00000000,\n 0x7911bcab00000000, 0x5e1662a900000000, 0x43ebd7a800000000,\n 0xf8f071a100000000, 0xe50dc4a000000000, 0xc20a1aa200000000,\n 0xdff7afa300000000, 0x8c04a6a700000000, 0x91f913a600000000,\n 0xb6fecda400000000, 0xab0378a500000000, 0x606a3e8100000000,\n 0x7d978b8000000000, 0x5a90558200000000, 0x476de08300000000,\n 0x149ee98700000000, 0x09635c8600000000, 0x2e64828400000000,\n 0x3399378500000000, 0x8882918c00000000, 0x957f248d00000000,\n 0xb278fa8f00000000, 0xaf854f8e00000000, 0xfc76468a00000000,\n 0xe18bf38b00000000, 0xc68c2d8900000000, 0xdb71988800000000,\n 0xb0bb619a00000000, 0xad46d49b00000000, 0x8a410a9900000000,\n 0x97bcbf9800000000, 0xc44fb69c00000000, 0xd9b2039d00000000,\n 0xfeb5dd9f00000000, 0xe348689e00000000, 0x5853ce9700000000,\n 0x45ae7b9600000000, 0x62a9a59400000000, 0x7f54109500000000,\n 0x2ca7199100000000, 0x315aac9000000000, 0x165d729200000000,\n 0x0ba0c79300000000},\n {0x0000000000000000, 0x24d9076300000000, 0x48b20fc600000000,\n 0x6c6b08a500000000, 0xd1626e5700000000, 0xf5bb693400000000,\n 0x99d0619100000000, 0xbd0966f200000000, 0xa2c5dcae00000000,\n 0x861cdbcd00000000, 0xea77d36800000000, 0xceaed40b00000000,\n 0x73a7b2f900000000, 0x577eb59a00000000, 0x3b15bd3f00000000,\n 0x1fccba5c00000000, 0x058dc88600000000, 0x2154cfe500000000,\n 0x4d3fc74000000000, 0x69e6c02300000000, 0xd4efa6d100000000,\n 0xf036a1b200000000, 0x9c5da91700000000, 0xb884ae7400000000,\n 0xa748142800000000, 0x8391134b00000000, 0xeffa1bee00000000,\n 0xcb231c8d00000000, 0x762a7a7f00000000, 0x52f37d1c00000000,\n 0x3e9875b900000000, 0x1a4172da00000000, 0x4b1ce0d600000000,\n 0x6fc5e7b500000000, 0x03aeef1000000000, 0x2777e87300000000,\n 0x9a7e8e8100000000, 0xbea789e200000000, 0xd2cc814700000000,\n 0xf615862400000000, 0xe9d93c7800000000, 0xcd003b1b00000000,\n 0xa16b33be00000000, 0x85b234dd00000000, 0x38bb522f00000000,\n 0x1c62554c00000000, 0x70095de900000000, 0x54d05a8a00000000,\n 0x4e91285000000000, 0x6a482f3300000000, 0x0623279600000000,\n 0x22fa20f500000000, 0x9ff3460700000000, 0xbb2a416400000000,\n 0xd74149c100000000, 0xf3984ea200000000, 0xec54f4fe00000000,\n 0xc88df39d00000000, 0xa4e6fb3800000000, 0x803ffc5b00000000,\n 0x3d369aa900000000, 0x19ef9dca00000000, 0x7584956f00000000,\n 0x515d920c00000000, 0xd73eb17600000000, 0xf3e7b61500000000,\n 0x9f8cbeb000000000, 0xbb55b9d300000000, 0x065cdf2100000000,\n 0x2285d84200000000, 0x4eeed0e700000000, 0x6a37d78400000000,\n 0x75fb6dd800000000, 0x51226abb00000000, 0x3d49621e00000000,\n 0x1990657d00000000, 0xa499038f00000000, 0x804004ec00000000,\n 0xec2b0c4900000000, 0xc8f20b2a00000000, 0xd2b379f000000000,\n 0xf66a7e9300000000, 0x9a01763600000000, 0xbed8715500000000,\n 0x03d117a700000000, 0x270810c400000000, 0x4b63186100000000,\n 0x6fba1f0200000000, 0x7076a55e00000000, 0x54afa23d00000000,\n 0x38c4aa9800000000, 0x1c1dadfb00000000, 0xa114cb0900000000,\n 0x85cdcc6a00000000, 0xe9a6c4cf00000000, 0xcd7fc3ac00000000,\n 0x9c2251a000000000, 0xb8fb56c300000000, 0xd4905e6600000000,\n 0xf049590500000000, 0x4d403ff700000000, 0x6999389400000000,\n 0x05f2303100000000, 0x212b375200000000, 0x3ee78d0e00000000,\n 0x1a3e8a6d00000000, 0x765582c800000000, 0x528c85ab00000000,\n 0xef85e35900000000, 0xcb5ce43a00000000, 0xa737ec9f00000000,\n 0x83eeebfc00000000, 0x99af992600000000, 0xbd769e4500000000,\n 0xd11d96e000000000, 0xf5c4918300000000, 0x48cdf77100000000,\n 0x6c14f01200000000, 0x007ff8b700000000, 0x24a6ffd400000000,\n 0x3b6a458800000000, 0x1fb342eb00000000, 0x73d84a4e00000000,\n 0x57014d2d00000000, 0xea082bdf00000000, 0xced12cbc00000000,\n 0xa2ba241900000000, 0x8663237a00000000, 0xae7d62ed00000000,\n 0x8aa4658e00000000, 0xe6cf6d2b00000000, 0xc2166a4800000000,\n 0x7f1f0cba00000000, 0x5bc60bd900000000, 0x37ad037c00000000,\n 0x1374041f00000000, 0x0cb8be4300000000, 0x2861b92000000000,\n 0x440ab18500000000, 0x60d3b6e600000000, 0xdddad01400000000,\n 0xf903d77700000000, 0x9568dfd200000000, 0xb1b1d8b100000000,\n 0xabf0aa6b00000000, 0x8f29ad0800000000, 0xe342a5ad00000000,\n 0xc79ba2ce00000000, 0x7a92c43c00000000, 0x5e4bc35f00000000,\n 0x3220cbfa00000000, 0x16f9cc9900000000, 0x093576c500000000,\n 0x2dec71a600000000, 0x4187790300000000, 0x655e7e6000000000,\n 0xd857189200000000, 0xfc8e1ff100000000, 0x90e5175400000000,\n 0xb43c103700000000, 0xe561823b00000000, 0xc1b8855800000000,\n 0xadd38dfd00000000, 0x890a8a9e00000000, 0x3403ec6c00000000,\n 0x10daeb0f00000000, 0x7cb1e3aa00000000, 0x5868e4c900000000,\n 0x47a45e9500000000, 0x637d59f600000000, 0x0f16515300000000,\n 0x2bcf563000000000, 0x96c630c200000000, 0xb21f37a100000000,\n 0xde743f0400000000, 0xfaad386700000000, 0xe0ec4abd00000000,\n 0xc4354dde00000000, 0xa85e457b00000000, 0x8c87421800000000,\n 0x318e24ea00000000, 0x1557238900000000, 0x793c2b2c00000000,\n 0x5de52c4f00000000, 0x4229961300000000, 0x66f0917000000000,\n 0x0a9b99d500000000, 0x2e429eb600000000, 0x934bf84400000000,\n 0xb792ff2700000000, 0xdbf9f78200000000, 0xff20f0e100000000,\n 0x7943d39b00000000, 0x5d9ad4f800000000, 0x31f1dc5d00000000,\n 0x1528db3e00000000, 0xa821bdcc00000000, 0x8cf8baaf00000000,\n 0xe093b20a00000000, 0xc44ab56900000000, 0xdb860f3500000000,\n 0xff5f085600000000, 0x933400f300000000, 0xb7ed079000000000,\n 0x0ae4616200000000, 0x2e3d660100000000, 0x42566ea400000000,\n 0x668f69c700000000, 0x7cce1b1d00000000, 0x58171c7e00000000,\n 0x347c14db00000000, 0x10a513b800000000, 0xadac754a00000000,\n 0x8975722900000000, 0xe51e7a8c00000000, 0xc1c77def00000000,\n 0xde0bc7b300000000, 0xfad2c0d000000000, 0x96b9c87500000000,\n 0xb260cf1600000000, 0x0f69a9e400000000, 0x2bb0ae8700000000,\n 0x47dba62200000000, 0x6302a14100000000, 0x325f334d00000000,\n 0x1686342e00000000, 0x7aed3c8b00000000, 0x5e343be800000000,\n 0xe33d5d1a00000000, 0xc7e45a7900000000, 0xab8f52dc00000000,\n 0x8f5655bf00000000, 0x909aefe300000000, 0xb443e88000000000,\n 0xd828e02500000000, 0xfcf1e74600000000, 0x41f881b400000000,\n 0x652186d700000000, 0x094a8e7200000000, 0x2d93891100000000,\n 0x37d2fbcb00000000, 0x130bfca800000000, 0x7f60f40d00000000,\n 0x5bb9f36e00000000, 0xe6b0959c00000000, 0xc26992ff00000000,\n 0xae029a5a00000000, 0x8adb9d3900000000, 0x9517276500000000,\n 0xb1ce200600000000, 0xdda528a300000000, 0xf97c2fc000000000,\n 0x4475493200000000, 0x60ac4e5100000000, 0x0cc746f400000000,\n 0x281e419700000000},\n {0x0000000000000000, 0x08e3603c00000000, 0x10c6c17800000000,\n 0x1825a14400000000, 0x208c83f100000000, 0x286fe3cd00000000,\n 0x304a428900000000, 0x38a922b500000000, 0x011e763800000000,\n 0x09fd160400000000, 0x11d8b74000000000, 0x193bd77c00000000,\n 0x2192f5c900000000, 0x297195f500000000, 0x315434b100000000,\n 0x39b7548d00000000, 0x023cec7000000000, 0x0adf8c4c00000000,\n 0x12fa2d0800000000, 0x1a194d3400000000, 0x22b06f8100000000,\n 0x2a530fbd00000000, 0x3276aef900000000, 0x3a95cec500000000,\n 0x03229a4800000000, 0x0bc1fa7400000000, 0x13e45b3000000000,\n 0x1b073b0c00000000, 0x23ae19b900000000, 0x2b4d798500000000,\n 0x3368d8c100000000, 0x3b8bb8fd00000000, 0x0478d8e100000000,\n 0x0c9bb8dd00000000, 0x14be199900000000, 0x1c5d79a500000000,\n 0x24f45b1000000000, 0x2c173b2c00000000, 0x34329a6800000000,\n 0x3cd1fa5400000000, 0x0566aed900000000, 0x0d85cee500000000,\n 0x15a06fa100000000, 0x1d430f9d00000000, 0x25ea2d2800000000,\n 0x2d094d1400000000, 0x352cec5000000000, 0x3dcf8c6c00000000,\n 0x0644349100000000, 0x0ea754ad00000000, 0x1682f5e900000000,\n 0x1e6195d500000000, 0x26c8b76000000000, 0x2e2bd75c00000000,\n 0x360e761800000000, 0x3eed162400000000, 0x075a42a900000000,\n 0x0fb9229500000000, 0x179c83d100000000, 0x1f7fe3ed00000000,\n 0x27d6c15800000000, 0x2f35a16400000000, 0x3710002000000000,\n 0x3ff3601c00000000, 0x49f6c11800000000, 0x4115a12400000000,\n 0x5930006000000000, 0x51d3605c00000000, 0x697a42e900000000,\n 0x619922d500000000, 0x79bc839100000000, 0x715fe3ad00000000,\n 0x48e8b72000000000, 0x400bd71c00000000, 0x582e765800000000,\n 0x50cd166400000000, 0x686434d100000000, 0x608754ed00000000,\n 0x78a2f5a900000000, 0x7041959500000000, 0x4bca2d6800000000,\n 0x43294d5400000000, 0x5b0cec1000000000, 0x53ef8c2c00000000,\n 0x6b46ae9900000000, 0x63a5cea500000000, 0x7b806fe100000000,\n 0x73630fdd00000000, 0x4ad45b5000000000, 0x42373b6c00000000,\n 0x5a129a2800000000, 0x52f1fa1400000000, 0x6a58d8a100000000,\n 0x62bbb89d00000000, 0x7a9e19d900000000, 0x727d79e500000000,\n 0x4d8e19f900000000, 0x456d79c500000000, 0x5d48d88100000000,\n 0x55abb8bd00000000, 0x6d029a0800000000, 0x65e1fa3400000000,\n 0x7dc45b7000000000, 0x75273b4c00000000, 0x4c906fc100000000,\n 0x44730ffd00000000, 0x5c56aeb900000000, 0x54b5ce8500000000,\n 0x6c1cec3000000000, 0x64ff8c0c00000000, 0x7cda2d4800000000,\n 0x74394d7400000000, 0x4fb2f58900000000, 0x475195b500000000,\n 0x5f7434f100000000, 0x579754cd00000000, 0x6f3e767800000000,\n 0x67dd164400000000, 0x7ff8b70000000000, 0x771bd73c00000000,\n 0x4eac83b100000000, 0x464fe38d00000000, 0x5e6a42c900000000,\n 0x568922f500000000, 0x6e20004000000000, 0x66c3607c00000000,\n 0x7ee6c13800000000, 0x7605a10400000000, 0x92ec833100000000,\n 0x9a0fe30d00000000, 0x822a424900000000, 0x8ac9227500000000,\n 0xb26000c000000000, 0xba8360fc00000000, 0xa2a6c1b800000000,\n 0xaa45a18400000000, 0x93f2f50900000000, 0x9b11953500000000,\n 0x8334347100000000, 0x8bd7544d00000000, 0xb37e76f800000000,\n 0xbb9d16c400000000, 0xa3b8b78000000000, 0xab5bd7bc00000000,\n 0x90d06f4100000000, 0x98330f7d00000000, 0x8016ae3900000000,\n 0x88f5ce0500000000, 0xb05cecb000000000, 0xb8bf8c8c00000000,\n 0xa09a2dc800000000, 0xa8794df400000000, 0x91ce197900000000,\n 0x992d794500000000, 0x8108d80100000000, 0x89ebb83d00000000,\n 0xb1429a8800000000, 0xb9a1fab400000000, 0xa1845bf000000000,\n 0xa9673bcc00000000, 0x96945bd000000000, 0x9e773bec00000000,\n 0x86529aa800000000, 0x8eb1fa9400000000, 0xb618d82100000000,\n 0xbefbb81d00000000, 0xa6de195900000000, 0xae3d796500000000,\n 0x978a2de800000000, 0x9f694dd400000000, 0x874cec9000000000,\n 0x8faf8cac00000000, 0xb706ae1900000000, 0xbfe5ce2500000000,\n 0xa7c06f6100000000, 0xaf230f5d00000000, 0x94a8b7a000000000,\n 0x9c4bd79c00000000, 0x846e76d800000000, 0x8c8d16e400000000,\n 0xb424345100000000, 0xbcc7546d00000000, 0xa4e2f52900000000,\n 0xac01951500000000, 0x95b6c19800000000, 0x9d55a1a400000000,\n 0x857000e000000000, 0x8d9360dc00000000, 0xb53a426900000000,\n 0xbdd9225500000000, 0xa5fc831100000000, 0xad1fe32d00000000,\n 0xdb1a422900000000, 0xd3f9221500000000, 0xcbdc835100000000,\n 0xc33fe36d00000000, 0xfb96c1d800000000, 0xf375a1e400000000,\n 0xeb5000a000000000, 0xe3b3609c00000000, 0xda04341100000000,\n 0xd2e7542d00000000, 0xcac2f56900000000, 0xc221955500000000,\n 0xfa88b7e000000000, 0xf26bd7dc00000000, 0xea4e769800000000,\n 0xe2ad16a400000000, 0xd926ae5900000000, 0xd1c5ce6500000000,\n 0xc9e06f2100000000, 0xc1030f1d00000000, 0xf9aa2da800000000,\n 0xf1494d9400000000, 0xe96cecd000000000, 0xe18f8cec00000000,\n 0xd838d86100000000, 0xd0dbb85d00000000, 0xc8fe191900000000,\n 0xc01d792500000000, 0xf8b45b9000000000, 0xf0573bac00000000,\n 0xe8729ae800000000, 0xe091fad400000000, 0xdf629ac800000000,\n 0xd781faf400000000, 0xcfa45bb000000000, 0xc7473b8c00000000,\n 0xffee193900000000, 0xf70d790500000000, 0xef28d84100000000,\n 0xe7cbb87d00000000, 0xde7cecf000000000, 0xd69f8ccc00000000,\n 0xceba2d8800000000, 0xc6594db400000000, 0xfef06f0100000000,\n 0xf6130f3d00000000, 0xee36ae7900000000, 0xe6d5ce4500000000,\n 0xdd5e76b800000000, 0xd5bd168400000000, 0xcd98b7c000000000,\n 0xc57bd7fc00000000, 0xfdd2f54900000000, 0xf531957500000000,\n 0xed14343100000000, 0xe5f7540d00000000, 0xdc40008000000000,\n 0xd4a360bc00000000, 0xcc86c1f800000000, 0xc465a1c400000000,\n 0xfccc837100000000, 0xf42fe34d00000000, 0xec0a420900000000,\n 0xe4e9223500000000},\n {0x0000000000000000, 0xd1e8e70e00000000, 0xa2d1cf1d00000000,\n 0x7339281300000000, 0x44a39f3b00000000, 0x954b783500000000,\n 0xe672502600000000, 0x379ab72800000000, 0x88463f7700000000,\n 0x59aed87900000000, 0x2a97f06a00000000, 0xfb7f176400000000,\n 0xcce5a04c00000000, 0x1d0d474200000000, 0x6e346f5100000000,\n 0xbfdc885f00000000, 0x108d7eee00000000, 0xc16599e000000000,\n 0xb25cb1f300000000, 0x63b456fd00000000, 0x542ee1d500000000,\n 0x85c606db00000000, 0xf6ff2ec800000000, 0x2717c9c600000000,\n 0x98cb419900000000, 0x4923a69700000000, 0x3a1a8e8400000000,\n 0xebf2698a00000000, 0xdc68dea200000000, 0x0d8039ac00000000,\n 0x7eb911bf00000000, 0xaf51f6b100000000, 0x611c8c0700000000,\n 0xb0f46b0900000000, 0xc3cd431a00000000, 0x1225a41400000000,\n 0x25bf133c00000000, 0xf457f43200000000, 0x876edc2100000000,\n 0x56863b2f00000000, 0xe95ab37000000000, 0x38b2547e00000000,\n 0x4b8b7c6d00000000, 0x9a639b6300000000, 0xadf92c4b00000000,\n 0x7c11cb4500000000, 0x0f28e35600000000, 0xdec0045800000000,\n 0x7191f2e900000000, 0xa07915e700000000, 0xd3403df400000000,\n 0x02a8dafa00000000, 0x35326dd200000000, 0xe4da8adc00000000,\n 0x97e3a2cf00000000, 0x460b45c100000000, 0xf9d7cd9e00000000,\n 0x283f2a9000000000, 0x5b06028300000000, 0x8aeee58d00000000,\n 0xbd7452a500000000, 0x6c9cb5ab00000000, 0x1fa59db800000000,\n 0xce4d7ab600000000, 0xc238180f00000000, 0x13d0ff0100000000,\n 0x60e9d71200000000, 0xb101301c00000000, 0x869b873400000000,\n 0x5773603a00000000, 0x244a482900000000, 0xf5a2af2700000000,\n 0x4a7e277800000000, 0x9b96c07600000000, 0xe8afe86500000000,\n 0x39470f6b00000000, 0x0eddb84300000000, 0xdf355f4d00000000,\n 0xac0c775e00000000, 0x7de4905000000000, 0xd2b566e100000000,\n 0x035d81ef00000000, 0x7064a9fc00000000, 0xa18c4ef200000000,\n 0x9616f9da00000000, 0x47fe1ed400000000, 0x34c736c700000000,\n 0xe52fd1c900000000, 0x5af3599600000000, 0x8b1bbe9800000000,\n 0xf822968b00000000, 0x29ca718500000000, 0x1e50c6ad00000000,\n 0xcfb821a300000000, 0xbc8109b000000000, 0x6d69eebe00000000,\n 0xa324940800000000, 0x72cc730600000000, 0x01f55b1500000000,\n 0xd01dbc1b00000000, 0xe7870b3300000000, 0x366fec3d00000000,\n 0x4556c42e00000000, 0x94be232000000000, 0x2b62ab7f00000000,\n 0xfa8a4c7100000000, 0x89b3646200000000, 0x585b836c00000000,\n 0x6fc1344400000000, 0xbe29d34a00000000, 0xcd10fb5900000000,\n 0x1cf81c5700000000, 0xb3a9eae600000000, 0x62410de800000000,\n 0x117825fb00000000, 0xc090c2f500000000, 0xf70a75dd00000000,\n 0x26e292d300000000, 0x55dbbac000000000, 0x84335dce00000000,\n 0x3befd59100000000, 0xea07329f00000000, 0x993e1a8c00000000,\n 0x48d6fd8200000000, 0x7f4c4aaa00000000, 0xaea4ada400000000,\n 0xdd9d85b700000000, 0x0c7562b900000000, 0x8471301e00000000,\n 0x5599d71000000000, 0x26a0ff0300000000, 0xf748180d00000000,\n 0xc0d2af2500000000, 0x113a482b00000000, 0x6203603800000000,\n 0xb3eb873600000000, 0x0c370f6900000000, 0xdddfe86700000000,\n 0xaee6c07400000000, 0x7f0e277a00000000, 0x4894905200000000,\n 0x997c775c00000000, 0xea455f4f00000000, 0x3badb84100000000,\n 0x94fc4ef000000000, 0x4514a9fe00000000, 0x362d81ed00000000,\n 0xe7c566e300000000, 0xd05fd1cb00000000, 0x01b736c500000000,\n 0x728e1ed600000000, 0xa366f9d800000000, 0x1cba718700000000,\n 0xcd52968900000000, 0xbe6bbe9a00000000, 0x6f83599400000000,\n 0x5819eebc00000000, 0x89f109b200000000, 0xfac821a100000000,\n 0x2b20c6af00000000, 0xe56dbc1900000000, 0x34855b1700000000,\n 0x47bc730400000000, 0x9654940a00000000, 0xa1ce232200000000,\n 0x7026c42c00000000, 0x031fec3f00000000, 0xd2f70b3100000000,\n 0x6d2b836e00000000, 0xbcc3646000000000, 0xcffa4c7300000000,\n 0x1e12ab7d00000000, 0x29881c5500000000, 0xf860fb5b00000000,\n 0x8b59d34800000000, 0x5ab1344600000000, 0xf5e0c2f700000000,\n 0x240825f900000000, 0x57310dea00000000, 0x86d9eae400000000,\n 0xb1435dcc00000000, 0x60abbac200000000, 0x139292d100000000,\n 0xc27a75df00000000, 0x7da6fd8000000000, 0xac4e1a8e00000000,\n 0xdf77329d00000000, 0x0e9fd59300000000, 0x390562bb00000000,\n 0xe8ed85b500000000, 0x9bd4ada600000000, 0x4a3c4aa800000000,\n 0x4649281100000000, 0x97a1cf1f00000000, 0xe498e70c00000000,\n 0x3570000200000000, 0x02eab72a00000000, 0xd302502400000000,\n 0xa03b783700000000, 0x71d39f3900000000, 0xce0f176600000000,\n 0x1fe7f06800000000, 0x6cded87b00000000, 0xbd363f7500000000,\n 0x8aac885d00000000, 0x5b446f5300000000, 0x287d474000000000,\n 0xf995a04e00000000, 0x56c456ff00000000, 0x872cb1f100000000,\n 0xf41599e200000000, 0x25fd7eec00000000, 0x1267c9c400000000,\n 0xc38f2eca00000000, 0xb0b606d900000000, 0x615ee1d700000000,\n 0xde82698800000000, 0x0f6a8e8600000000, 0x7c53a69500000000,\n 0xadbb419b00000000, 0x9a21f6b300000000, 0x4bc911bd00000000,\n 0x38f039ae00000000, 0xe918dea000000000, 0x2755a41600000000,\n 0xf6bd431800000000, 0x85846b0b00000000, 0x546c8c0500000000,\n 0x63f63b2d00000000, 0xb21edc2300000000, 0xc127f43000000000,\n 0x10cf133e00000000, 0xaf139b6100000000, 0x7efb7c6f00000000,\n 0x0dc2547c00000000, 0xdc2ab37200000000, 0xebb0045a00000000,\n 0x3a58e35400000000, 0x4961cb4700000000, 0x98892c4900000000,\n 0x37d8daf800000000, 0xe6303df600000000, 0x950915e500000000,\n 0x44e1f2eb00000000, 0x737b45c300000000, 0xa293a2cd00000000,\n 0xd1aa8ade00000000, 0x00426dd000000000, 0xbf9ee58f00000000,\n 0x6e76028100000000, 0x1d4f2a9200000000, 0xcca7cd9c00000000,\n 0xfb3d7ab400000000, 0x2ad59dba00000000, 0x59ecb5a900000000,\n 0x880452a700000000},\n {0x0000000000000000, 0xaa05daf100000000, 0x150dc53800000000,\n 0xbf081fc900000000, 0x2a1a8a7100000000, 0x801f508000000000,\n 0x3f174f4900000000, 0x951295b800000000, 0x543414e300000000,\n 0xfe31ce1200000000, 0x4139d1db00000000, 0xeb3c0b2a00000000,\n 0x7e2e9e9200000000, 0xd42b446300000000, 0x6b235baa00000000,\n 0xc126815b00000000, 0xe96e591d00000000, 0x436b83ec00000000,\n 0xfc639c2500000000, 0x566646d400000000, 0xc374d36c00000000,\n 0x6971099d00000000, 0xd679165400000000, 0x7c7ccca500000000,\n 0xbd5a4dfe00000000, 0x175f970f00000000, 0xa85788c600000000,\n 0x0252523700000000, 0x9740c78f00000000, 0x3d451d7e00000000,\n 0x824d02b700000000, 0x2848d84600000000, 0xd2ddb23a00000000,\n 0x78d868cb00000000, 0xc7d0770200000000, 0x6dd5adf300000000,\n 0xf8c7384b00000000, 0x52c2e2ba00000000, 0xedcafd7300000000,\n 0x47cf278200000000, 0x86e9a6d900000000, 0x2cec7c2800000000,\n 0x93e463e100000000, 0x39e1b91000000000, 0xacf32ca800000000,\n 0x06f6f65900000000, 0xb9fee99000000000, 0x13fb336100000000,\n 0x3bb3eb2700000000, 0x91b631d600000000, 0x2ebe2e1f00000000,\n 0x84bbf4ee00000000, 0x11a9615600000000, 0xbbacbba700000000,\n 0x04a4a46e00000000, 0xaea17e9f00000000, 0x6f87ffc400000000,\n 0xc582253500000000, 0x7a8a3afc00000000, 0xd08fe00d00000000,\n 0x459d75b500000000, 0xef98af4400000000, 0x5090b08d00000000,\n 0xfa956a7c00000000, 0xa4bb657500000000, 0x0ebebf8400000000,\n 0xb1b6a04d00000000, 0x1bb37abc00000000, 0x8ea1ef0400000000,\n 0x24a435f500000000, 0x9bac2a3c00000000, 0x31a9f0cd00000000,\n 0xf08f719600000000, 0x5a8aab6700000000, 0xe582b4ae00000000,\n 0x4f876e5f00000000, 0xda95fbe700000000, 0x7090211600000000,\n 0xcf983edf00000000, 0x659de42e00000000, 0x4dd53c6800000000,\n 0xe7d0e69900000000, 0x58d8f95000000000, 0xf2dd23a100000000,\n 0x67cfb61900000000, 0xcdca6ce800000000, 0x72c2732100000000,\n 0xd8c7a9d000000000, 0x19e1288b00000000, 0xb3e4f27a00000000,\n 0x0cecedb300000000, 0xa6e9374200000000, 0x33fba2fa00000000,\n 0x99fe780b00000000, 0x26f667c200000000, 0x8cf3bd3300000000,\n 0x7666d74f00000000, 0xdc630dbe00000000, 0x636b127700000000,\n 0xc96ec88600000000, 0x5c7c5d3e00000000, 0xf67987cf00000000,\n 0x4971980600000000, 0xe37442f700000000, 0x2252c3ac00000000,\n 0x8857195d00000000, 0x375f069400000000, 0x9d5adc6500000000,\n 0x084849dd00000000, 0xa24d932c00000000, 0x1d458ce500000000,\n 0xb740561400000000, 0x9f088e5200000000, 0x350d54a300000000,\n 0x8a054b6a00000000, 0x2000919b00000000, 0xb512042300000000,\n 0x1f17ded200000000, 0xa01fc11b00000000, 0x0a1a1bea00000000,\n 0xcb3c9ab100000000, 0x6139404000000000, 0xde315f8900000000,\n 0x7434857800000000, 0xe12610c000000000, 0x4b23ca3100000000,\n 0xf42bd5f800000000, 0x5e2e0f0900000000, 0x4877cbea00000000,\n 0xe272111b00000000, 0x5d7a0ed200000000, 0xf77fd42300000000,\n 0x626d419b00000000, 0xc8689b6a00000000, 0x776084a300000000,\n 0xdd655e5200000000, 0x1c43df0900000000, 0xb64605f800000000,\n 0x094e1a3100000000, 0xa34bc0c000000000, 0x3659557800000000,\n 0x9c5c8f8900000000, 0x2354904000000000, 0x89514ab100000000,\n 0xa11992f700000000, 0x0b1c480600000000, 0xb41457cf00000000,\n 0x1e118d3e00000000, 0x8b03188600000000, 0x2106c27700000000,\n 0x9e0eddbe00000000, 0x340b074f00000000, 0xf52d861400000000,\n 0x5f285ce500000000, 0xe020432c00000000, 0x4a2599dd00000000,\n 0xdf370c6500000000, 0x7532d69400000000, 0xca3ac95d00000000,\n 0x603f13ac00000000, 0x9aaa79d000000000, 0x30afa32100000000,\n 0x8fa7bce800000000, 0x25a2661900000000, 0xb0b0f3a100000000,\n 0x1ab5295000000000, 0xa5bd369900000000, 0x0fb8ec6800000000,\n 0xce9e6d3300000000, 0x649bb7c200000000, 0xdb93a80b00000000,\n 0x719672fa00000000, 0xe484e74200000000, 0x4e813db300000000,\n 0xf189227a00000000, 0x5b8cf88b00000000, 0x73c420cd00000000,\n 0xd9c1fa3c00000000, 0x66c9e5f500000000, 0xcccc3f0400000000,\n 0x59deaabc00000000, 0xf3db704d00000000, 0x4cd36f8400000000,\n 0xe6d6b57500000000, 0x27f0342e00000000, 0x8df5eedf00000000,\n 0x32fdf11600000000, 0x98f82be700000000, 0x0deabe5f00000000,\n 0xa7ef64ae00000000, 0x18e77b6700000000, 0xb2e2a19600000000,\n 0xecccae9f00000000, 0x46c9746e00000000, 0xf9c16ba700000000,\n 0x53c4b15600000000, 0xc6d624ee00000000, 0x6cd3fe1f00000000,\n 0xd3dbe1d600000000, 0x79de3b2700000000, 0xb8f8ba7c00000000,\n 0x12fd608d00000000, 0xadf57f4400000000, 0x07f0a5b500000000,\n 0x92e2300d00000000, 0x38e7eafc00000000, 0x87eff53500000000,\n 0x2dea2fc400000000, 0x05a2f78200000000, 0xafa72d7300000000,\n 0x10af32ba00000000, 0xbaaae84b00000000, 0x2fb87df300000000,\n 0x85bda70200000000, 0x3ab5b8cb00000000, 0x90b0623a00000000,\n 0x5196e36100000000, 0xfb93399000000000, 0x449b265900000000,\n 0xee9efca800000000, 0x7b8c691000000000, 0xd189b3e100000000,\n 0x6e81ac2800000000, 0xc48476d900000000, 0x3e111ca500000000,\n 0x9414c65400000000, 0x2b1cd99d00000000, 0x8119036c00000000,\n 0x140b96d400000000, 0xbe0e4c2500000000, 0x010653ec00000000,\n 0xab03891d00000000, 0x6a25084600000000, 0xc020d2b700000000,\n 0x7f28cd7e00000000, 0xd52d178f00000000, 0x403f823700000000,\n 0xea3a58c600000000, 0x5532470f00000000, 0xff379dfe00000000,\n 0xd77f45b800000000, 0x7d7a9f4900000000, 0xc272808000000000,\n 0x68775a7100000000, 0xfd65cfc900000000, 0x5760153800000000,\n 0xe8680af100000000, 0x426dd00000000000, 0x834b515b00000000,\n 0x294e8baa00000000, 0x9646946300000000, 0x3c434e9200000000,\n 0xa951db2a00000000, 0x035401db00000000, 0xbc5c1e1200000000,\n 0x1659c4e300000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xae689191, 0x87a02563, 0x29c8b4f2, 0xd4314c87,\n 0x7a59dd16, 0x539169e4, 0xfdf9f875, 0x73139f4f, 0xdd7b0ede,\n 0xf4b3ba2c, 0x5adb2bbd, 0xa722d3c8, 0x094a4259, 0x2082f6ab,\n 0x8eea673a, 0xe6273e9e, 0x484faf0f, 0x61871bfd, 0xcfef8a6c,\n 0x32167219, 0x9c7ee388, 0xb5b6577a, 0x1bdec6eb, 0x9534a1d1,\n 0x3b5c3040, 0x129484b2, 0xbcfc1523, 0x4105ed56, 0xef6d7cc7,\n 0xc6a5c835, 0x68cd59a4, 0x173f7b7d, 0xb957eaec, 0x909f5e1e,\n 0x3ef7cf8f, 0xc30e37fa, 0x6d66a66b, 0x44ae1299, 0xeac68308,\n 0x642ce432, 0xca4475a3, 0xe38cc151, 0x4de450c0, 0xb01da8b5,\n 0x1e753924, 0x37bd8dd6, 0x99d51c47, 0xf11845e3, 0x5f70d472,\n 0x76b86080, 0xd8d0f111, 0x25290964, 0x8b4198f5, 0xa2892c07,\n 0x0ce1bd96, 0x820bdaac, 0x2c634b3d, 0x05abffcf, 0xabc36e5e,\n 0x563a962b, 0xf85207ba, 0xd19ab348, 0x7ff222d9, 0x2e7ef6fa,\n 0x8016676b, 0xa9ded399, 0x07b64208, 0xfa4fba7d, 0x54272bec,\n 0x7def9f1e, 0xd3870e8f, 0x5d6d69b5, 0xf305f824, 0xdacd4cd6,\n 0x74a5dd47, 0x895c2532, 0x2734b4a3, 0x0efc0051, 0xa09491c0,\n 0xc859c864, 0x663159f5, 0x4ff9ed07, 0xe1917c96, 0x1c6884e3,\n 0xb2001572, 0x9bc8a180, 0x35a03011, 0xbb4a572b, 0x1522c6ba,\n 0x3cea7248, 0x9282e3d9, 0x6f7b1bac, 0xc1138a3d, 0xe8db3ecf,\n 0x46b3af5e, 0x39418d87, 0x97291c16, 0xbee1a8e4, 0x10893975,\n 0xed70c100, 0x43185091, 0x6ad0e463, 0xc4b875f2, 0x4a5212c8,\n 0xe43a8359, 0xcdf237ab, 0x639aa63a, 0x9e635e4f, 0x300bcfde,\n 0x19c37b2c, 0xb7abeabd, 0xdf66b319, 0x710e2288, 0x58c6967a,\n 0xf6ae07eb, 0x0b57ff9e, 0xa53f6e0f, 0x8cf7dafd, 0x229f4b6c,\n 0xac752c56, 0x021dbdc7, 0x2bd50935, 0x85bd98a4, 0x784460d1,\n 0xd62cf140, 0xffe445b2, 0x518cd423, 0x5cfdedf4, 0xf2957c65,\n 0xdb5dc897, 0x75355906, 0x88cca173, 0x26a430e2, 0x0f6c8410,\n 0xa1041581, 0x2fee72bb, 0x8186e32a, 0xa84e57d8, 0x0626c649,\n 0xfbdf3e3c, 0x55b7afad, 0x7c7f1b5f, 0xd2178ace, 0xbadad36a,\n 0x14b242fb, 0x3d7af609, 0x93126798, 0x6eeb9fed, 0xc0830e7c,\n 0xe94bba8e, 0x47232b1f, 0xc9c94c25, 0x67a1ddb4, 0x4e696946,\n 0xe001f8d7, 0x1df800a2, 0xb3909133, 0x9a5825c1, 0x3430b450,\n 0x4bc29689, 0xe5aa0718, 0xcc62b3ea, 0x620a227b, 0x9ff3da0e,\n 0x319b4b9f, 0x1853ff6d, 0xb63b6efc, 0x38d109c6, 0x96b99857,\n 0xbf712ca5, 0x1119bd34, 0xece04541, 0x4288d4d0, 0x6b406022,\n 0xc528f1b3, 0xade5a817, 0x038d3986, 0x2a458d74, 0x842d1ce5,\n 0x79d4e490, 0xd7bc7501, 0xfe74c1f3, 0x501c5062, 0xdef63758,\n 0x709ea6c9, 0x5956123b, 0xf73e83aa, 0x0ac77bdf, 0xa4afea4e,\n 0x8d675ebc, 0x230fcf2d, 0x72831b0e, 0xdceb8a9f, 0xf5233e6d,\n 0x5b4baffc, 0xa6b25789, 0x08dac618, 0x211272ea, 0x8f7ae37b,\n 0x01908441, 0xaff815d0, 0x8630a122, 0x285830b3, 0xd5a1c8c6,\n 0x7bc95957, 0x5201eda5, 0xfc697c34, 0x94a42590, 0x3accb401,\n 0x130400f3, 0xbd6c9162, 0x40956917, 0xeefdf886, 0xc7354c74,\n 0x695ddde5, 0xe7b7badf, 0x49df2b4e, 0x60179fbc, 0xce7f0e2d,\n 0x3386f658, 0x9dee67c9, 0xb426d33b, 0x1a4e42aa, 0x65bc6073,\n 0xcbd4f1e2, 0xe21c4510, 0x4c74d481, 0xb18d2cf4, 0x1fe5bd65,\n 0x362d0997, 0x98459806, 0x16afff3c, 0xb8c76ead, 0x910fda5f,\n 0x3f674bce, 0xc29eb3bb, 0x6cf6222a, 0x453e96d8, 0xeb560749,\n 0x839b5eed, 0x2df3cf7c, 0x043b7b8e, 0xaa53ea1f, 0x57aa126a,\n 0xf9c283fb, 0xd00a3709, 0x7e62a698, 0xf088c1a2, 0x5ee05033,\n 0x7728e4c1, 0xd9407550, 0x24b98d25, 0x8ad11cb4, 0xa319a846,\n 0x0d7139d7},\n {0x00000000, 0xb9fbdbe8, 0xa886b191, 0x117d6a79, 0x8a7c6563,\n 0x3387be8b, 0x22fad4f2, 0x9b010f1a, 0xcf89cc87, 0x7672176f,\n 0x670f7d16, 0xdef4a6fe, 0x45f5a9e4, 0xfc0e720c, 0xed731875,\n 0x5488c39d, 0x44629f4f, 0xfd9944a7, 0xece42ede, 0x551ff536,\n 0xce1efa2c, 0x77e521c4, 0x66984bbd, 0xdf639055, 0x8beb53c8,\n 0x32108820, 0x236de259, 0x9a9639b1, 0x019736ab, 0xb86ced43,\n 0xa911873a, 0x10ea5cd2, 0x88c53e9e, 0x313ee576, 0x20438f0f,\n 0x99b854e7, 0x02b95bfd, 0xbb428015, 0xaa3fea6c, 0x13c43184,\n 0x474cf219, 0xfeb729f1, 0xefca4388, 0x56319860, 0xcd30977a,\n 0x74cb4c92, 0x65b626eb, 0xdc4dfd03, 0xcca7a1d1, 0x755c7a39,\n 0x64211040, 0xdddacba8, 0x46dbc4b2, 0xff201f5a, 0xee5d7523,\n 0x57a6aecb, 0x032e6d56, 0xbad5b6be, 0xaba8dcc7, 0x1253072f,\n 0x89520835, 0x30a9d3dd, 0x21d4b9a4, 0x982f624c, 0xcafb7b7d,\n 0x7300a095, 0x627dcaec, 0xdb861104, 0x40871e1e, 0xf97cc5f6,\n 0xe801af8f, 0x51fa7467, 0x0572b7fa, 0xbc896c12, 0xadf4066b,\n 0x140fdd83, 0x8f0ed299, 0x36f50971, 0x27886308, 0x9e73b8e0,\n 0x8e99e432, 0x37623fda, 0x261f55a3, 0x9fe48e4b, 0x04e58151,\n 0xbd1e5ab9, 0xac6330c0, 0x1598eb28, 0x411028b5, 0xf8ebf35d,\n 0xe9969924, 0x506d42cc, 0xcb6c4dd6, 0x7297963e, 0x63eafc47,\n 0xda1127af, 0x423e45e3, 0xfbc59e0b, 0xeab8f472, 0x53432f9a,\n 0xc8422080, 0x71b9fb68, 0x60c49111, 0xd93f4af9, 0x8db78964,\n 0x344c528c, 0x253138f5, 0x9ccae31d, 0x07cbec07, 0xbe3037ef,\n 0xaf4d5d96, 0x16b6867e, 0x065cdaac, 0xbfa70144, 0xaeda6b3d,\n 0x1721b0d5, 0x8c20bfcf, 0x35db6427, 0x24a60e5e, 0x9d5dd5b6,\n 0xc9d5162b, 0x702ecdc3, 0x6153a7ba, 0xd8a87c52, 0x43a97348,\n 0xfa52a8a0, 0xeb2fc2d9, 0x52d41931, 0x4e87f0bb, 0xf77c2b53,\n 0xe601412a, 0x5ffa9ac2, 0xc4fb95d8, 0x7d004e30, 0x6c7d2449,\n 0xd586ffa1, 0x810e3c3c, 0x38f5e7d4, 0x29888dad, 0x90735645,\n 0x0b72595f, 0xb28982b7, 0xa3f4e8ce, 0x1a0f3326, 0x0ae56ff4,\n 0xb31eb41c, 0xa263de65, 0x1b98058d, 0x80990a97, 0x3962d17f,\n 0x281fbb06, 0x91e460ee, 0xc56ca373, 0x7c97789b, 0x6dea12e2,\n 0xd411c90a, 0x4f10c610, 0xf6eb1df8, 0xe7967781, 0x5e6dac69,\n 0xc642ce25, 0x7fb915cd, 0x6ec47fb4, 0xd73fa45c, 0x4c3eab46,\n 0xf5c570ae, 0xe4b81ad7, 0x5d43c13f, 0x09cb02a2, 0xb030d94a,\n 0xa14db333, 0x18b668db, 0x83b767c1, 0x3a4cbc29, 0x2b31d650,\n 0x92ca0db8, 0x8220516a, 0x3bdb8a82, 0x2aa6e0fb, 0x935d3b13,\n 0x085c3409, 0xb1a7efe1, 0xa0da8598, 0x19215e70, 0x4da99ded,\n 0xf4524605, 0xe52f2c7c, 0x5cd4f794, 0xc7d5f88e, 0x7e2e2366,\n 0x6f53491f, 0xd6a892f7, 0x847c8bc6, 0x3d87502e, 0x2cfa3a57,\n 0x9501e1bf, 0x0e00eea5, 0xb7fb354d, 0xa6865f34, 0x1f7d84dc,\n 0x4bf54741, 0xf20e9ca9, 0xe373f6d0, 0x5a882d38, 0xc1892222,\n 0x7872f9ca, 0x690f93b3, 0xd0f4485b, 0xc01e1489, 0x79e5cf61,\n 0x6898a518, 0xd1637ef0, 0x4a6271ea, 0xf399aa02, 0xe2e4c07b,\n 0x5b1f1b93, 0x0f97d80e, 0xb66c03e6, 0xa711699f, 0x1eeab277,\n 0x85ebbd6d, 0x3c106685, 0x2d6d0cfc, 0x9496d714, 0x0cb9b558,\n 0xb5426eb0, 0xa43f04c9, 0x1dc4df21, 0x86c5d03b, 0x3f3e0bd3,\n 0x2e4361aa, 0x97b8ba42, 0xc33079df, 0x7acba237, 0x6bb6c84e,\n 0xd24d13a6, 0x494c1cbc, 0xf0b7c754, 0xe1caad2d, 0x583176c5,\n 0x48db2a17, 0xf120f1ff, 0xe05d9b86, 0x59a6406e, 0xc2a74f74,\n 0x7b5c949c, 0x6a21fee5, 0xd3da250d, 0x8752e690, 0x3ea93d78,\n 0x2fd45701, 0x962f8ce9, 0x0d2e83f3, 0xb4d5581b, 0xa5a83262,\n 0x1c53e98a},\n {0x00000000, 0x9d0fe176, 0xe16ec4ad, 0x7c6125db, 0x19ac8f1b,\n 0x84a36e6d, 0xf8c24bb6, 0x65cdaac0, 0x33591e36, 0xae56ff40,\n 0xd237da9b, 0x4f383bed, 0x2af5912d, 0xb7fa705b, 0xcb9b5580,\n 0x5694b4f6, 0x66b23c6c, 0xfbbddd1a, 0x87dcf8c1, 0x1ad319b7,\n 0x7f1eb377, 0xe2115201, 0x9e7077da, 0x037f96ac, 0x55eb225a,\n 0xc8e4c32c, 0xb485e6f7, 0x298a0781, 0x4c47ad41, 0xd1484c37,\n 0xad2969ec, 0x3026889a, 0xcd6478d8, 0x506b99ae, 0x2c0abc75,\n 0xb1055d03, 0xd4c8f7c3, 0x49c716b5, 0x35a6336e, 0xa8a9d218,\n 0xfe3d66ee, 0x63328798, 0x1f53a243, 0x825c4335, 0xe791e9f5,\n 0x7a9e0883, 0x06ff2d58, 0x9bf0cc2e, 0xabd644b4, 0x36d9a5c2,\n 0x4ab88019, 0xd7b7616f, 0xb27acbaf, 0x2f752ad9, 0x53140f02,\n 0xce1bee74, 0x988f5a82, 0x0580bbf4, 0x79e19e2f, 0xe4ee7f59,\n 0x8123d599, 0x1c2c34ef, 0x604d1134, 0xfd42f042, 0x41b9f7f1,\n 0xdcb61687, 0xa0d7335c, 0x3dd8d22a, 0x581578ea, 0xc51a999c,\n 0xb97bbc47, 0x24745d31, 0x72e0e9c7, 0xefef08b1, 0x938e2d6a,\n 0x0e81cc1c, 0x6b4c66dc, 0xf64387aa, 0x8a22a271, 0x172d4307,\n 0x270bcb9d, 0xba042aeb, 0xc6650f30, 0x5b6aee46, 0x3ea74486,\n 0xa3a8a5f0, 0xdfc9802b, 0x42c6615d, 0x1452d5ab, 0x895d34dd,\n 0xf53c1106, 0x6833f070, 0x0dfe5ab0, 0x90f1bbc6, 0xec909e1d,\n 0x719f7f6b, 0x8cdd8f29, 0x11d26e5f, 0x6db34b84, 0xf0bcaaf2,\n 0x95710032, 0x087ee144, 0x741fc49f, 0xe91025e9, 0xbf84911f,\n 0x228b7069, 0x5eea55b2, 0xc3e5b4c4, 0xa6281e04, 0x3b27ff72,\n 0x4746daa9, 0xda493bdf, 0xea6fb345, 0x77605233, 0x0b0177e8,\n 0x960e969e, 0xf3c33c5e, 0x6eccdd28, 0x12adf8f3, 0x8fa21985,\n 0xd936ad73, 0x44394c05, 0x385869de, 0xa55788a8, 0xc09a2268,\n 0x5d95c31e, 0x21f4e6c5, 0xbcfb07b3, 0x8373efe2, 0x1e7c0e94,\n 0x621d2b4f, 0xff12ca39, 0x9adf60f9, 0x07d0818f, 0x7bb1a454,\n 0xe6be4522, 0xb02af1d4, 0x2d2510a2, 0x51443579, 0xcc4bd40f,\n 0xa9867ecf, 0x34899fb9, 0x48e8ba62, 0xd5e75b14, 0xe5c1d38e,\n 0x78ce32f8, 0x04af1723, 0x99a0f655, 0xfc6d5c95, 0x6162bde3,\n 0x1d039838, 0x800c794e, 0xd698cdb8, 0x4b972cce, 0x37f60915,\n 0xaaf9e863, 0xcf3442a3, 0x523ba3d5, 0x2e5a860e, 0xb3556778,\n 0x4e17973a, 0xd318764c, 0xaf795397, 0x3276b2e1, 0x57bb1821,\n 0xcab4f957, 0xb6d5dc8c, 0x2bda3dfa, 0x7d4e890c, 0xe041687a,\n 0x9c204da1, 0x012facd7, 0x64e20617, 0xf9ede761, 0x858cc2ba,\n 0x188323cc, 0x28a5ab56, 0xb5aa4a20, 0xc9cb6ffb, 0x54c48e8d,\n 0x3109244d, 0xac06c53b, 0xd067e0e0, 0x4d680196, 0x1bfcb560,\n 0x86f35416, 0xfa9271cd, 0x679d90bb, 0x02503a7b, 0x9f5fdb0d,\n 0xe33efed6, 0x7e311fa0, 0xc2ca1813, 0x5fc5f965, 0x23a4dcbe,\n 0xbeab3dc8, 0xdb669708, 0x4669767e, 0x3a0853a5, 0xa707b2d3,\n 0xf1930625, 0x6c9ce753, 0x10fdc288, 0x8df223fe, 0xe83f893e,\n 0x75306848, 0x09514d93, 0x945eace5, 0xa478247f, 0x3977c509,\n 0x4516e0d2, 0xd81901a4, 0xbdd4ab64, 0x20db4a12, 0x5cba6fc9,\n 0xc1b58ebf, 0x97213a49, 0x0a2edb3f, 0x764ffee4, 0xeb401f92,\n 0x8e8db552, 0x13825424, 0x6fe371ff, 0xf2ec9089, 0x0fae60cb,\n 0x92a181bd, 0xeec0a466, 0x73cf4510, 0x1602efd0, 0x8b0d0ea6,\n 0xf76c2b7d, 0x6a63ca0b, 0x3cf77efd, 0xa1f89f8b, 0xdd99ba50,\n 0x40965b26, 0x255bf1e6, 0xb8541090, 0xc435354b, 0x593ad43d,\n 0x691c5ca7, 0xf413bdd1, 0x8872980a, 0x157d797c, 0x70b0d3bc,\n 0xedbf32ca, 0x91de1711, 0x0cd1f667, 0x5a454291, 0xc74aa3e7,\n 0xbb2b863c, 0x2624674a, 0x43e9cd8a, 0xdee62cfc, 0xa2870927,\n 0x3f88e851},\n {0x00000000, 0xdd96d985, 0x605cb54b, 0xbdca6cce, 0xc0b96a96,\n 0x1d2fb313, 0xa0e5dfdd, 0x7d730658, 0x5a03d36d, 0x87950ae8,\n 0x3a5f6626, 0xe7c9bfa3, 0x9abab9fb, 0x472c607e, 0xfae60cb0,\n 0x2770d535, 0xb407a6da, 0x69917f5f, 0xd45b1391, 0x09cdca14,\n 0x74becc4c, 0xa92815c9, 0x14e27907, 0xc974a082, 0xee0475b7,\n 0x3392ac32, 0x8e58c0fc, 0x53ce1979, 0x2ebd1f21, 0xf32bc6a4,\n 0x4ee1aa6a, 0x937773ef, 0xb37e4bf5, 0x6ee89270, 0xd322febe,\n 0x0eb4273b, 0x73c72163, 0xae51f8e6, 0x139b9428, 0xce0d4dad,\n 0xe97d9898, 0x34eb411d, 0x89212dd3, 0x54b7f456, 0x29c4f20e,\n 0xf4522b8b, 0x49984745, 0x940e9ec0, 0x0779ed2f, 0xdaef34aa,\n 0x67255864, 0xbab381e1, 0xc7c087b9, 0x1a565e3c, 0xa79c32f2,\n 0x7a0aeb77, 0x5d7a3e42, 0x80ece7c7, 0x3d268b09, 0xe0b0528c,\n 0x9dc354d4, 0x40558d51, 0xfd9fe19f, 0x2009381a, 0xbd8d91ab,\n 0x601b482e, 0xddd124e0, 0x0047fd65, 0x7d34fb3d, 0xa0a222b8,\n 0x1d684e76, 0xc0fe97f3, 0xe78e42c6, 0x3a189b43, 0x87d2f78d,\n 0x5a442e08, 0x27372850, 0xfaa1f1d5, 0x476b9d1b, 0x9afd449e,\n 0x098a3771, 0xd41ceef4, 0x69d6823a, 0xb4405bbf, 0xc9335de7,\n 0x14a58462, 0xa96fe8ac, 0x74f93129, 0x5389e41c, 0x8e1f3d99,\n 0x33d55157, 0xee4388d2, 0x93308e8a, 0x4ea6570f, 0xf36c3bc1,\n 0x2efae244, 0x0ef3da5e, 0xd36503db, 0x6eaf6f15, 0xb339b690,\n 0xce4ab0c8, 0x13dc694d, 0xae160583, 0x7380dc06, 0x54f00933,\n 0x8966d0b6, 0x34acbc78, 0xe93a65fd, 0x944963a5, 0x49dfba20,\n 0xf415d6ee, 0x29830f6b, 0xbaf47c84, 0x6762a501, 0xdaa8c9cf,\n 0x073e104a, 0x7a4d1612, 0xa7dbcf97, 0x1a11a359, 0xc7877adc,\n 0xe0f7afe9, 0x3d61766c, 0x80ab1aa2, 0x5d3dc327, 0x204ec57f,\n 0xfdd81cfa, 0x40127034, 0x9d84a9b1, 0xa06a2517, 0x7dfcfc92,\n 0xc036905c, 0x1da049d9, 0x60d34f81, 0xbd459604, 0x008ffaca,\n 0xdd19234f, 0xfa69f67a, 0x27ff2fff, 0x9a354331, 0x47a39ab4,\n 0x3ad09cec, 0xe7464569, 0x5a8c29a7, 0x871af022, 0x146d83cd,\n 0xc9fb5a48, 0x74313686, 0xa9a7ef03, 0xd4d4e95b, 0x094230de,\n 0xb4885c10, 0x691e8595, 0x4e6e50a0, 0x93f88925, 0x2e32e5eb,\n 0xf3a43c6e, 0x8ed73a36, 0x5341e3b3, 0xee8b8f7d, 0x331d56f8,\n 0x13146ee2, 0xce82b767, 0x7348dba9, 0xaede022c, 0xd3ad0474,\n 0x0e3bddf1, 0xb3f1b13f, 0x6e6768ba, 0x4917bd8f, 0x9481640a,\n 0x294b08c4, 0xf4ddd141, 0x89aed719, 0x54380e9c, 0xe9f26252,\n 0x3464bbd7, 0xa713c838, 0x7a8511bd, 0xc74f7d73, 0x1ad9a4f6,\n 0x67aaa2ae, 0xba3c7b2b, 0x07f617e5, 0xda60ce60, 0xfd101b55,\n 0x2086c2d0, 0x9d4cae1e, 0x40da779b, 0x3da971c3, 0xe03fa846,\n 0x5df5c488, 0x80631d0d, 0x1de7b4bc, 0xc0716d39, 0x7dbb01f7,\n 0xa02dd872, 0xdd5ede2a, 0x00c807af, 0xbd026b61, 0x6094b2e4,\n 0x47e467d1, 0x9a72be54, 0x27b8d29a, 0xfa2e0b1f, 0x875d0d47,\n 0x5acbd4c2, 0xe701b80c, 0x3a976189, 0xa9e01266, 0x7476cbe3,\n 0xc9bca72d, 0x142a7ea8, 0x695978f0, 0xb4cfa175, 0x0905cdbb,\n 0xd493143e, 0xf3e3c10b, 0x2e75188e, 0x93bf7440, 0x4e29adc5,\n 0x335aab9d, 0xeecc7218, 0x53061ed6, 0x8e90c753, 0xae99ff49,\n 0x730f26cc, 0xcec54a02, 0x13539387, 0x6e2095df, 0xb3b64c5a,\n 0x0e7c2094, 0xd3eaf911, 0xf49a2c24, 0x290cf5a1, 0x94c6996f,\n 0x495040ea, 0x342346b2, 0xe9b59f37, 0x547ff3f9, 0x89e92a7c,\n 0x1a9e5993, 0xc7088016, 0x7ac2ecd8, 0xa754355d, 0xda273305,\n 0x07b1ea80, 0xba7b864e, 0x67ed5fcb, 0x409d8afe, 0x9d0b537b,\n 0x20c13fb5, 0xfd57e630, 0x8024e068, 0x5db239ed, 0xe0785523,\n 0x3dee8ca6}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0x85d996dd, 0x4bb55c60, 0xce6ccabd, 0x966ab9c0,\n 0x13b32f1d, 0xdddfe5a0, 0x5806737d, 0x6dd3035a, 0xe80a9587,\n 0x26665f3a, 0xa3bfc9e7, 0xfbb9ba9a, 0x7e602c47, 0xb00ce6fa,\n 0x35d57027, 0xdaa607b4, 0x5f7f9169, 0x91135bd4, 0x14cacd09,\n 0x4cccbe74, 0xc91528a9, 0x0779e214, 0x82a074c9, 0xb77504ee,\n 0x32ac9233, 0xfcc0588e, 0x7919ce53, 0x211fbd2e, 0xa4c62bf3,\n 0x6aaae14e, 0xef737793, 0xf54b7eb3, 0x7092e86e, 0xbefe22d3,\n 0x3b27b40e, 0x6321c773, 0xe6f851ae, 0x28949b13, 0xad4d0dce,\n 0x98987de9, 0x1d41eb34, 0xd32d2189, 0x56f4b754, 0x0ef2c429,\n 0x8b2b52f4, 0x45479849, 0xc09e0e94, 0x2fed7907, 0xaa34efda,\n 0x64582567, 0xe181b3ba, 0xb987c0c7, 0x3c5e561a, 0xf2329ca7,\n 0x77eb0a7a, 0x423e7a5d, 0xc7e7ec80, 0x098b263d, 0x8c52b0e0,\n 0xd454c39d, 0x518d5540, 0x9fe19ffd, 0x1a380920, 0xab918dbd,\n 0x2e481b60, 0xe024d1dd, 0x65fd4700, 0x3dfb347d, 0xb822a2a0,\n 0x764e681d, 0xf397fec0, 0xc6428ee7, 0x439b183a, 0x8df7d287,\n 0x082e445a, 0x50283727, 0xd5f1a1fa, 0x1b9d6b47, 0x9e44fd9a,\n 0x71378a09, 0xf4ee1cd4, 0x3a82d669, 0xbf5b40b4, 0xe75d33c9,\n 0x6284a514, 0xace86fa9, 0x2931f974, 0x1ce48953, 0x993d1f8e,\n 0x5751d533, 0xd28843ee, 0x8a8e3093, 0x0f57a64e, 0xc13b6cf3,\n 0x44e2fa2e, 0x5edaf30e, 0xdb0365d3, 0x156faf6e, 0x90b639b3,\n 0xc8b04ace, 0x4d69dc13, 0x830516ae, 0x06dc8073, 0x3309f054,\n 0xb6d06689, 0x78bcac34, 0xfd653ae9, 0xa5634994, 0x20badf49,\n 0xeed615f4, 0x6b0f8329, 0x847cf4ba, 0x01a56267, 0xcfc9a8da,\n 0x4a103e07, 0x12164d7a, 0x97cfdba7, 0x59a3111a, 0xdc7a87c7,\n 0xe9aff7e0, 0x6c76613d, 0xa21aab80, 0x27c33d5d, 0x7fc54e20,\n 0xfa1cd8fd, 0x34701240, 0xb1a9849d, 0x17256aa0, 0x92fcfc7d,\n 0x5c9036c0, 0xd949a01d, 0x814fd360, 0x049645bd, 0xcafa8f00,\n 0x4f2319dd, 0x7af669fa, 0xff2fff27, 0x3143359a, 0xb49aa347,\n 0xec9cd03a, 0x694546e7, 0xa7298c5a, 0x22f01a87, 0xcd836d14,\n 0x485afbc9, 0x86363174, 0x03efa7a9, 0x5be9d4d4, 0xde304209,\n 0x105c88b4, 0x95851e69, 0xa0506e4e, 0x2589f893, 0xebe5322e,\n 0x6e3ca4f3, 0x363ad78e, 0xb3e34153, 0x7d8f8bee, 0xf8561d33,\n 0xe26e1413, 0x67b782ce, 0xa9db4873, 0x2c02deae, 0x7404add3,\n 0xf1dd3b0e, 0x3fb1f1b3, 0xba68676e, 0x8fbd1749, 0x0a648194,\n 0xc4084b29, 0x41d1ddf4, 0x19d7ae89, 0x9c0e3854, 0x5262f2e9,\n 0xd7bb6434, 0x38c813a7, 0xbd11857a, 0x737d4fc7, 0xf6a4d91a,\n 0xaea2aa67, 0x2b7b3cba, 0xe517f607, 0x60ce60da, 0x551b10fd,\n 0xd0c28620, 0x1eae4c9d, 0x9b77da40, 0xc371a93d, 0x46a83fe0,\n 0x88c4f55d, 0x0d1d6380, 0xbcb4e71d, 0x396d71c0, 0xf701bb7d,\n 0x72d82da0, 0x2ade5edd, 0xaf07c800, 0x616b02bd, 0xe4b29460,\n 0xd167e447, 0x54be729a, 0x9ad2b827, 0x1f0b2efa, 0x470d5d87,\n 0xc2d4cb5a, 0x0cb801e7, 0x8961973a, 0x6612e0a9, 0xe3cb7674,\n 0x2da7bcc9, 0xa87e2a14, 0xf0785969, 0x75a1cfb4, 0xbbcd0509,\n 0x3e1493d4, 0x0bc1e3f3, 0x8e18752e, 0x4074bf93, 0xc5ad294e,\n 0x9dab5a33, 0x1872ccee, 0xd61e0653, 0x53c7908e, 0x49ff99ae,\n 0xcc260f73, 0x024ac5ce, 0x87935313, 0xdf95206e, 0x5a4cb6b3,\n 0x94207c0e, 0x11f9ead3, 0x242c9af4, 0xa1f50c29, 0x6f99c694,\n 0xea405049, 0xb2462334, 0x379fb5e9, 0xf9f37f54, 0x7c2ae989,\n 0x93599e1a, 0x168008c7, 0xd8ecc27a, 0x5d3554a7, 0x053327da,\n 0x80eab107, 0x4e867bba, 0xcb5fed67, 0xfe8a9d40, 0x7b530b9d,\n 0xb53fc120, 0x30e657fd, 0x68e02480, 0xed39b25d, 0x235578e0,\n 0xa68cee3d},\n {0x00000000, 0x76e10f9d, 0xadc46ee1, 0xdb25617c, 0x1b8fac19,\n 0x6d6ea384, 0xb64bc2f8, 0xc0aacd65, 0x361e5933, 0x40ff56ae,\n 0x9bda37d2, 0xed3b384f, 0x2d91f52a, 0x5b70fab7, 0x80559bcb,\n 0xf6b49456, 0x6c3cb266, 0x1addbdfb, 0xc1f8dc87, 0xb719d31a,\n 0x77b31e7f, 0x015211e2, 0xda77709e, 0xac967f03, 0x5a22eb55,\n 0x2cc3e4c8, 0xf7e685b4, 0x81078a29, 0x41ad474c, 0x374c48d1,\n 0xec6929ad, 0x9a882630, 0xd87864cd, 0xae996b50, 0x75bc0a2c,\n 0x035d05b1, 0xc3f7c8d4, 0xb516c749, 0x6e33a635, 0x18d2a9a8,\n 0xee663dfe, 0x98873263, 0x43a2531f, 0x35435c82, 0xf5e991e7,\n 0x83089e7a, 0x582dff06, 0x2eccf09b, 0xb444d6ab, 0xc2a5d936,\n 0x1980b84a, 0x6f61b7d7, 0xafcb7ab2, 0xd92a752f, 0x020f1453,\n 0x74ee1bce, 0x825a8f98, 0xf4bb8005, 0x2f9ee179, 0x597feee4,\n 0x99d52381, 0xef342c1c, 0x34114d60, 0x42f042fd, 0xf1f7b941,\n 0x8716b6dc, 0x5c33d7a0, 0x2ad2d83d, 0xea781558, 0x9c991ac5,\n 0x47bc7bb9, 0x315d7424, 0xc7e9e072, 0xb108efef, 0x6a2d8e93,\n 0x1ccc810e, 0xdc664c6b, 0xaa8743f6, 0x71a2228a, 0x07432d17,\n 0x9dcb0b27, 0xeb2a04ba, 0x300f65c6, 0x46ee6a5b, 0x8644a73e,\n 0xf0a5a8a3, 0x2b80c9df, 0x5d61c642, 0xabd55214, 0xdd345d89,\n 0x06113cf5, 0x70f03368, 0xb05afe0d, 0xc6bbf190, 0x1d9e90ec,\n 0x6b7f9f71, 0x298fdd8c, 0x5f6ed211, 0x844bb36d, 0xf2aabcf0,\n 0x32007195, 0x44e17e08, 0x9fc41f74, 0xe92510e9, 0x1f9184bf,\n 0x69708b22, 0xb255ea5e, 0xc4b4e5c3, 0x041e28a6, 0x72ff273b,\n 0xa9da4647, 0xdf3b49da, 0x45b36fea, 0x33526077, 0xe877010b,\n 0x9e960e96, 0x5e3cc3f3, 0x28ddcc6e, 0xf3f8ad12, 0x8519a28f,\n 0x73ad36d9, 0x054c3944, 0xde695838, 0xa88857a5, 0x68229ac0,\n 0x1ec3955d, 0xc5e6f421, 0xb307fbbc, 0xe2ef7383, 0x940e7c1e,\n 0x4f2b1d62, 0x39ca12ff, 0xf960df9a, 0x8f81d007, 0x54a4b17b,\n 0x2245bee6, 0xd4f12ab0, 0xa210252d, 0x79354451, 0x0fd44bcc,\n 0xcf7e86a9, 0xb99f8934, 0x62bae848, 0x145be7d5, 0x8ed3c1e5,\n 0xf832ce78, 0x2317af04, 0x55f6a099, 0x955c6dfc, 0xe3bd6261,\n 0x3898031d, 0x4e790c80, 0xb8cd98d6, 0xce2c974b, 0x1509f637,\n 0x63e8f9aa, 0xa34234cf, 0xd5a33b52, 0x0e865a2e, 0x786755b3,\n 0x3a97174e, 0x4c7618d3, 0x975379af, 0xe1b27632, 0x2118bb57,\n 0x57f9b4ca, 0x8cdcd5b6, 0xfa3dda2b, 0x0c894e7d, 0x7a6841e0,\n 0xa14d209c, 0xd7ac2f01, 0x1706e264, 0x61e7edf9, 0xbac28c85,\n 0xcc238318, 0x56aba528, 0x204aaab5, 0xfb6fcbc9, 0x8d8ec454,\n 0x4d240931, 0x3bc506ac, 0xe0e067d0, 0x9601684d, 0x60b5fc1b,\n 0x1654f386, 0xcd7192fa, 0xbb909d67, 0x7b3a5002, 0x0ddb5f9f,\n 0xd6fe3ee3, 0xa01f317e, 0x1318cac2, 0x65f9c55f, 0xbedca423,\n 0xc83dabbe, 0x089766db, 0x7e766946, 0xa553083a, 0xd3b207a7,\n 0x250693f1, 0x53e79c6c, 0x88c2fd10, 0xfe23f28d, 0x3e893fe8,\n 0x48683075, 0x934d5109, 0xe5ac5e94, 0x7f2478a4, 0x09c57739,\n 0xd2e01645, 0xa40119d8, 0x64abd4bd, 0x124adb20, 0xc96fba5c,\n 0xbf8eb5c1, 0x493a2197, 0x3fdb2e0a, 0xe4fe4f76, 0x921f40eb,\n 0x52b58d8e, 0x24548213, 0xff71e36f, 0x8990ecf2, 0xcb60ae0f,\n 0xbd81a192, 0x66a4c0ee, 0x1045cf73, 0xd0ef0216, 0xa60e0d8b,\n 0x7d2b6cf7, 0x0bca636a, 0xfd7ef73c, 0x8b9ff8a1, 0x50ba99dd,\n 0x265b9640, 0xe6f15b25, 0x901054b8, 0x4b3535c4, 0x3dd43a59,\n 0xa75c1c69, 0xd1bd13f4, 0x0a987288, 0x7c797d15, 0xbcd3b070,\n 0xca32bfed, 0x1117de91, 0x67f6d10c, 0x9142455a, 0xe7a34ac7,\n 0x3c862bbb, 0x4a672426, 0x8acde943, 0xfc2ce6de, 0x270987a2,\n 0x51e8883f},\n {0x00000000, 0xe8dbfbb9, 0x91b186a8, 0x796a7d11, 0x63657c8a,\n 0x8bbe8733, 0xf2d4fa22, 0x1a0f019b, 0x87cc89cf, 0x6f177276,\n 0x167d0f67, 0xfea6f4de, 0xe4a9f545, 0x0c720efc, 0x751873ed,\n 0x9dc38854, 0x4f9f6244, 0xa74499fd, 0xde2ee4ec, 0x36f51f55,\n 0x2cfa1ece, 0xc421e577, 0xbd4b9866, 0x559063df, 0xc853eb8b,\n 0x20881032, 0x59e26d23, 0xb139969a, 0xab369701, 0x43ed6cb8,\n 0x3a8711a9, 0xd25cea10, 0x9e3ec588, 0x76e53e31, 0x0f8f4320,\n 0xe754b899, 0xfd5bb902, 0x158042bb, 0x6cea3faa, 0x8431c413,\n 0x19f24c47, 0xf129b7fe, 0x8843caef, 0x60983156, 0x7a9730cd,\n 0x924ccb74, 0xeb26b665, 0x03fd4ddc, 0xd1a1a7cc, 0x397a5c75,\n 0x40102164, 0xa8cbdadd, 0xb2c4db46, 0x5a1f20ff, 0x23755dee,\n 0xcbaea657, 0x566d2e03, 0xbeb6d5ba, 0xc7dca8ab, 0x2f075312,\n 0x35085289, 0xddd3a930, 0xa4b9d421, 0x4c622f98, 0x7d7bfbca,\n 0x95a00073, 0xecca7d62, 0x041186db, 0x1e1e8740, 0xf6c57cf9,\n 0x8faf01e8, 0x6774fa51, 0xfab77205, 0x126c89bc, 0x6b06f4ad,\n 0x83dd0f14, 0x99d20e8f, 0x7109f536, 0x08638827, 0xe0b8739e,\n 0x32e4998e, 0xda3f6237, 0xa3551f26, 0x4b8ee49f, 0x5181e504,\n 0xb95a1ebd, 0xc03063ac, 0x28eb9815, 0xb5281041, 0x5df3ebf8,\n 0x249996e9, 0xcc426d50, 0xd64d6ccb, 0x3e969772, 0x47fcea63,\n 0xaf2711da, 0xe3453e42, 0x0b9ec5fb, 0x72f4b8ea, 0x9a2f4353,\n 0x802042c8, 0x68fbb971, 0x1191c460, 0xf94a3fd9, 0x6489b78d,\n 0x8c524c34, 0xf5383125, 0x1de3ca9c, 0x07eccb07, 0xef3730be,\n 0x965d4daf, 0x7e86b616, 0xacda5c06, 0x4401a7bf, 0x3d6bdaae,\n 0xd5b02117, 0xcfbf208c, 0x2764db35, 0x5e0ea624, 0xb6d55d9d,\n 0x2b16d5c9, 0xc3cd2e70, 0xbaa75361, 0x527ca8d8, 0x4873a943,\n 0xa0a852fa, 0xd9c22feb, 0x3119d452, 0xbbf0874e, 0x532b7cf7,\n 0x2a4101e6, 0xc29afa5f, 0xd895fbc4, 0x304e007d, 0x49247d6c,\n 0xa1ff86d5, 0x3c3c0e81, 0xd4e7f538, 0xad8d8829, 0x45567390,\n 0x5f59720b, 0xb78289b2, 0xcee8f4a3, 0x26330f1a, 0xf46fe50a,\n 0x1cb41eb3, 0x65de63a2, 0x8d05981b, 0x970a9980, 0x7fd16239,\n 0x06bb1f28, 0xee60e491, 0x73a36cc5, 0x9b78977c, 0xe212ea6d,\n 0x0ac911d4, 0x10c6104f, 0xf81debf6, 0x817796e7, 0x69ac6d5e,\n 0x25ce42c6, 0xcd15b97f, 0xb47fc46e, 0x5ca43fd7, 0x46ab3e4c,\n 0xae70c5f5, 0xd71ab8e4, 0x3fc1435d, 0xa202cb09, 0x4ad930b0,\n 0x33b34da1, 0xdb68b618, 0xc167b783, 0x29bc4c3a, 0x50d6312b,\n 0xb80dca92, 0x6a512082, 0x828adb3b, 0xfbe0a62a, 0x133b5d93,\n 0x09345c08, 0xe1efa7b1, 0x9885daa0, 0x705e2119, 0xed9da94d,\n 0x054652f4, 0x7c2c2fe5, 0x94f7d45c, 0x8ef8d5c7, 0x66232e7e,\n 0x1f49536f, 0xf792a8d6, 0xc68b7c84, 0x2e50873d, 0x573afa2c,\n 0xbfe10195, 0xa5ee000e, 0x4d35fbb7, 0x345f86a6, 0xdc847d1f,\n 0x4147f54b, 0xa99c0ef2, 0xd0f673e3, 0x382d885a, 0x222289c1,\n 0xcaf97278, 0xb3930f69, 0x5b48f4d0, 0x89141ec0, 0x61cfe579,\n 0x18a59868, 0xf07e63d1, 0xea71624a, 0x02aa99f3, 0x7bc0e4e2,\n 0x931b1f5b, 0x0ed8970f, 0xe6036cb6, 0x9f6911a7, 0x77b2ea1e,\n 0x6dbdeb85, 0x8566103c, 0xfc0c6d2d, 0x14d79694, 0x58b5b90c,\n 0xb06e42b5, 0xc9043fa4, 0x21dfc41d, 0x3bd0c586, 0xd30b3e3f,\n 0xaa61432e, 0x42bab897, 0xdf7930c3, 0x37a2cb7a, 0x4ec8b66b,\n 0xa6134dd2, 0xbc1c4c49, 0x54c7b7f0, 0x2dadcae1, 0xc5763158,\n 0x172adb48, 0xfff120f1, 0x869b5de0, 0x6e40a659, 0x744fa7c2,\n 0x9c945c7b, 0xe5fe216a, 0x0d25dad3, 0x90e65287, 0x783da93e,\n 0x0157d42f, 0xe98c2f96, 0xf3832e0d, 0x1b58d5b4, 0x6232a8a5,\n 0x8ae9531c},\n {0x00000000, 0x919168ae, 0x6325a087, 0xf2b4c829, 0x874c31d4,\n 0x16dd597a, 0xe4699153, 0x75f8f9fd, 0x4f9f1373, 0xde0e7bdd,\n 0x2cbab3f4, 0xbd2bdb5a, 0xc8d322a7, 0x59424a09, 0xabf68220,\n 0x3a67ea8e, 0x9e3e27e6, 0x0faf4f48, 0xfd1b8761, 0x6c8aefcf,\n 0x19721632, 0x88e37e9c, 0x7a57b6b5, 0xebc6de1b, 0xd1a13495,\n 0x40305c3b, 0xb2849412, 0x2315fcbc, 0x56ed0541, 0xc77c6def,\n 0x35c8a5c6, 0xa459cd68, 0x7d7b3f17, 0xecea57b9, 0x1e5e9f90,\n 0x8fcff73e, 0xfa370ec3, 0x6ba6666d, 0x9912ae44, 0x0883c6ea,\n 0x32e42c64, 0xa37544ca, 0x51c18ce3, 0xc050e44d, 0xb5a81db0,\n 0x2439751e, 0xd68dbd37, 0x471cd599, 0xe34518f1, 0x72d4705f,\n 0x8060b876, 0x11f1d0d8, 0x64092925, 0xf598418b, 0x072c89a2,\n 0x96bde10c, 0xacda0b82, 0x3d4b632c, 0xcfffab05, 0x5e6ec3ab,\n 0x2b963a56, 0xba0752f8, 0x48b39ad1, 0xd922f27f, 0xfaf67e2e,\n 0x6b671680, 0x99d3dea9, 0x0842b607, 0x7dba4ffa, 0xec2b2754,\n 0x1e9fef7d, 0x8f0e87d3, 0xb5696d5d, 0x24f805f3, 0xd64ccdda,\n 0x47dda574, 0x32255c89, 0xa3b43427, 0x5100fc0e, 0xc09194a0,\n 0x64c859c8, 0xf5593166, 0x07edf94f, 0x967c91e1, 0xe384681c,\n 0x721500b2, 0x80a1c89b, 0x1130a035, 0x2b574abb, 0xbac62215,\n 0x4872ea3c, 0xd9e38292, 0xac1b7b6f, 0x3d8a13c1, 0xcf3edbe8,\n 0x5eafb346, 0x878d4139, 0x161c2997, 0xe4a8e1be, 0x75398910,\n 0x00c170ed, 0x91501843, 0x63e4d06a, 0xf275b8c4, 0xc812524a,\n 0x59833ae4, 0xab37f2cd, 0x3aa69a63, 0x4f5e639e, 0xdecf0b30,\n 0x2c7bc319, 0xbdeaabb7, 0x19b366df, 0x88220e71, 0x7a96c658,\n 0xeb07aef6, 0x9eff570b, 0x0f6e3fa5, 0xfddaf78c, 0x6c4b9f22,\n 0x562c75ac, 0xc7bd1d02, 0x3509d52b, 0xa498bd85, 0xd1604478,\n 0x40f12cd6, 0xb245e4ff, 0x23d48c51, 0xf4edfd5c, 0x657c95f2,\n 0x97c85ddb, 0x06593575, 0x73a1cc88, 0xe230a426, 0x10846c0f,\n 0x811504a1, 0xbb72ee2f, 0x2ae38681, 0xd8574ea8, 0x49c62606,\n 0x3c3edffb, 0xadafb755, 0x5f1b7f7c, 0xce8a17d2, 0x6ad3daba,\n 0xfb42b214, 0x09f67a3d, 0x98671293, 0xed9feb6e, 0x7c0e83c0,\n 0x8eba4be9, 0x1f2b2347, 0x254cc9c9, 0xb4dda167, 0x4669694e,\n 0xd7f801e0, 0xa200f81d, 0x339190b3, 0xc125589a, 0x50b43034,\n 0x8996c24b, 0x1807aae5, 0xeab362cc, 0x7b220a62, 0x0edaf39f,\n 0x9f4b9b31, 0x6dff5318, 0xfc6e3bb6, 0xc609d138, 0x5798b996,\n 0xa52c71bf, 0x34bd1911, 0x4145e0ec, 0xd0d48842, 0x2260406b,\n 0xb3f128c5, 0x17a8e5ad, 0x86398d03, 0x748d452a, 0xe51c2d84,\n 0x90e4d479, 0x0175bcd7, 0xf3c174fe, 0x62501c50, 0x5837f6de,\n 0xc9a69e70, 0x3b125659, 0xaa833ef7, 0xdf7bc70a, 0x4eeaafa4,\n 0xbc5e678d, 0x2dcf0f23, 0x0e1b8372, 0x9f8aebdc, 0x6d3e23f5,\n 0xfcaf4b5b, 0x8957b2a6, 0x18c6da08, 0xea721221, 0x7be37a8f,\n 0x41849001, 0xd015f8af, 0x22a13086, 0xb3305828, 0xc6c8a1d5,\n 0x5759c97b, 0xa5ed0152, 0x347c69fc, 0x9025a494, 0x01b4cc3a,\n 0xf3000413, 0x62916cbd, 0x17699540, 0x86f8fdee, 0x744c35c7,\n 0xe5dd5d69, 0xdfbab7e7, 0x4e2bdf49, 0xbc9f1760, 0x2d0e7fce,\n 0x58f68633, 0xc967ee9d, 0x3bd326b4, 0xaa424e1a, 0x7360bc65,\n 0xe2f1d4cb, 0x10451ce2, 0x81d4744c, 0xf42c8db1, 0x65bde51f,\n 0x97092d36, 0x06984598, 0x3cffaf16, 0xad6ec7b8, 0x5fda0f91,\n 0xce4b673f, 0xbbb39ec2, 0x2a22f66c, 0xd8963e45, 0x490756eb,\n 0xed5e9b83, 0x7ccff32d, 0x8e7b3b04, 0x1fea53aa, 0x6a12aa57,\n 0xfb83c2f9, 0x09370ad0, 0x98a6627e, 0xa2c188f0, 0x3350e05e,\n 0xc1e42877, 0x507540d9, 0x258db924, 0xb41cd18a, 0x46a819a3,\n 0xd739710d}};\n\n#endif\n\n#endif\n\n#if N == 5\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0xaf449247, 0x85f822cf, 0x2abcb088, 0xd08143df,\n 0x7fc5d198, 0x55796110, 0xfa3df357, 0x7a7381ff, 0xd53713b8,\n 0xff8ba330, 0x50cf3177, 0xaaf2c220, 0x05b65067, 0x2f0ae0ef,\n 0x804e72a8, 0xf4e703fe, 0x5ba391b9, 0x711f2131, 0xde5bb376,\n 0x24664021, 0x8b22d266, 0xa19e62ee, 0x0edaf0a9, 0x8e948201,\n 0x21d01046, 0x0b6ca0ce, 0xa4283289, 0x5e15c1de, 0xf1515399,\n 0xdbede311, 0x74a97156, 0x32bf01bd, 0x9dfb93fa, 0xb7472372,\n 0x1803b135, 0xe23e4262, 0x4d7ad025, 0x67c660ad, 0xc882f2ea,\n 0x48cc8042, 0xe7881205, 0xcd34a28d, 0x627030ca, 0x984dc39d,\n 0x370951da, 0x1db5e152, 0xb2f17315, 0xc6580243, 0x691c9004,\n 0x43a0208c, 0xece4b2cb, 0x16d9419c, 0xb99dd3db, 0x93216353,\n 0x3c65f114, 0xbc2b83bc, 0x136f11fb, 0x39d3a173, 0x96973334,\n 0x6caac063, 0xc3ee5224, 0xe952e2ac, 0x461670eb, 0x657e037a,\n 0xca3a913d, 0xe08621b5, 0x4fc2b3f2, 0xb5ff40a5, 0x1abbd2e2,\n 0x3007626a, 0x9f43f02d, 0x1f0d8285, 0xb04910c2, 0x9af5a04a,\n 0x35b1320d, 0xcf8cc15a, 0x60c8531d, 0x4a74e395, 0xe53071d2,\n 0x91990084, 0x3edd92c3, 0x1461224b, 0xbb25b00c, 0x4118435b,\n 0xee5cd11c, 0xc4e06194, 0x6ba4f3d3, 0xebea817b, 0x44ae133c,\n 0x6e12a3b4, 0xc15631f3, 0x3b6bc2a4, 0x942f50e3, 0xbe93e06b,\n 0x11d7722c, 0x57c102c7, 0xf8859080, 0xd2392008, 0x7d7db24f,\n 0x87404118, 0x2804d35f, 0x02b863d7, 0xadfcf190, 0x2db28338,\n 0x82f6117f, 0xa84aa1f7, 0x070e33b0, 0xfd33c0e7, 0x527752a0,\n 0x78cbe228, 0xd78f706f, 0xa3260139, 0x0c62937e, 0x26de23f6,\n 0x899ab1b1, 0x73a742e6, 0xdce3d0a1, 0xf65f6029, 0x591bf26e,\n 0xd95580c6, 0x76111281, 0x5cada209, 0xf3e9304e, 0x09d4c319,\n 0xa690515e, 0x8c2ce1d6, 0x23687391, 0xcafc06f4, 0x65b894b3,\n 0x4f04243b, 0xe040b67c, 0x1a7d452b, 0xb539d76c, 0x9f8567e4,\n 0x30c1f5a3, 0xb08f870b, 0x1fcb154c, 0x3577a5c4, 0x9a333783,\n 0x600ec4d4, 0xcf4a5693, 0xe5f6e61b, 0x4ab2745c, 0x3e1b050a,\n 0x915f974d, 0xbbe327c5, 0x14a7b582, 0xee9a46d5, 0x41ded492,\n 0x6b62641a, 0xc426f65d, 0x446884f5, 0xeb2c16b2, 0xc190a63a,\n 0x6ed4347d, 0x94e9c72a, 0x3bad556d, 0x1111e5e5, 0xbe5577a2,\n 0xf8430749, 0x5707950e, 0x7dbb2586, 0xd2ffb7c1, 0x28c24496,\n 0x8786d6d1, 0xad3a6659, 0x027ef41e, 0x823086b6, 0x2d7414f1,\n 0x07c8a479, 0xa88c363e, 0x52b1c569, 0xfdf5572e, 0xd749e7a6,\n 0x780d75e1, 0x0ca404b7, 0xa3e096f0, 0x895c2678, 0x2618b43f,\n 0xdc254768, 0x7361d52f, 0x59dd65a7, 0xf699f7e0, 0x76d78548,\n 0xd993170f, 0xf32fa787, 0x5c6b35c0, 0xa656c697, 0x091254d0,\n 0x23aee458, 0x8cea761f, 0xaf82058e, 0x00c697c9, 0x2a7a2741,\n 0x853eb506, 0x7f034651, 0xd047d416, 0xfafb649e, 0x55bff6d9,\n 0xd5f18471, 0x7ab51636, 0x5009a6be, 0xff4d34f9, 0x0570c7ae,\n 0xaa3455e9, 0x8088e561, 0x2fcc7726, 0x5b650670, 0xf4219437,\n 0xde9d24bf, 0x71d9b6f8, 0x8be445af, 0x24a0d7e8, 0x0e1c6760,\n 0xa158f527, 0x2116878f, 0x8e5215c8, 0xa4eea540, 0x0baa3707,\n 0xf197c450, 0x5ed35617, 0x746fe69f, 0xdb2b74d8, 0x9d3d0433,\n 0x32799674, 0x18c526fc, 0xb781b4bb, 0x4dbc47ec, 0xe2f8d5ab,\n 0xc8446523, 0x6700f764, 0xe74e85cc, 0x480a178b, 0x62b6a703,\n 0xcdf23544, 0x37cfc613, 0x988b5454, 0xb237e4dc, 0x1d73769b,\n 0x69da07cd, 0xc69e958a, 0xec222502, 0x4366b745, 0xb95b4412,\n 0x161fd655, 0x3ca366dd, 0x93e7f49a, 0x13a98632, 0xbced1475,\n 0x9651a4fd, 0x391536ba, 0xc328c5ed, 0x6c6c57aa, 0x46d0e722,\n 0xe9947565},\n {0x00000000, 0x4e890ba9, 0x9d121752, 0xd39b1cfb, 0xe15528e5,\n 0xafdc234c, 0x7c473fb7, 0x32ce341e, 0x19db578b, 0x57525c22,\n 0x84c940d9, 0xca404b70, 0xf88e7f6e, 0xb60774c7, 0x659c683c,\n 0x2b156395, 0x33b6af16, 0x7d3fa4bf, 0xaea4b844, 0xe02db3ed,\n 0xd2e387f3, 0x9c6a8c5a, 0x4ff190a1, 0x01789b08, 0x2a6df89d,\n 0x64e4f334, 0xb77fefcf, 0xf9f6e466, 0xcb38d078, 0x85b1dbd1,\n 0x562ac72a, 0x18a3cc83, 0x676d5e2c, 0x29e45585, 0xfa7f497e,\n 0xb4f642d7, 0x863876c9, 0xc8b17d60, 0x1b2a619b, 0x55a36a32,\n 0x7eb609a7, 0x303f020e, 0xe3a41ef5, 0xad2d155c, 0x9fe32142,\n 0xd16a2aeb, 0x02f13610, 0x4c783db9, 0x54dbf13a, 0x1a52fa93,\n 0xc9c9e668, 0x8740edc1, 0xb58ed9df, 0xfb07d276, 0x289cce8d,\n 0x6615c524, 0x4d00a6b1, 0x0389ad18, 0xd012b1e3, 0x9e9bba4a,\n 0xac558e54, 0xe2dc85fd, 0x31479906, 0x7fce92af, 0xcedabc58,\n 0x8053b7f1, 0x53c8ab0a, 0x1d41a0a3, 0x2f8f94bd, 0x61069f14,\n 0xb29d83ef, 0xfc148846, 0xd701ebd3, 0x9988e07a, 0x4a13fc81,\n 0x049af728, 0x3654c336, 0x78ddc89f, 0xab46d464, 0xe5cfdfcd,\n 0xfd6c134e, 0xb3e518e7, 0x607e041c, 0x2ef70fb5, 0x1c393bab,\n 0x52b03002, 0x812b2cf9, 0xcfa22750, 0xe4b744c5, 0xaa3e4f6c,\n 0x79a55397, 0x372c583e, 0x05e26c20, 0x4b6b6789, 0x98f07b72,\n 0xd67970db, 0xa9b7e274, 0xe73ee9dd, 0x34a5f526, 0x7a2cfe8f,\n 0x48e2ca91, 0x066bc138, 0xd5f0ddc3, 0x9b79d66a, 0xb06cb5ff,\n 0xfee5be56, 0x2d7ea2ad, 0x63f7a904, 0x51399d1a, 0x1fb096b3,\n 0xcc2b8a48, 0x82a281e1, 0x9a014d62, 0xd48846cb, 0x07135a30,\n 0x499a5199, 0x7b546587, 0x35dd6e2e, 0xe64672d5, 0xa8cf797c,\n 0x83da1ae9, 0xcd531140, 0x1ec80dbb, 0x50410612, 0x628f320c,\n 0x2c0639a5, 0xff9d255e, 0xb1142ef7, 0x46c47ef1, 0x084d7558,\n 0xdbd669a3, 0x955f620a, 0xa7915614, 0xe9185dbd, 0x3a834146,\n 0x740a4aef, 0x5f1f297a, 0x119622d3, 0xc20d3e28, 0x8c843581,\n 0xbe4a019f, 0xf0c30a36, 0x235816cd, 0x6dd11d64, 0x7572d1e7,\n 0x3bfbda4e, 0xe860c6b5, 0xa6e9cd1c, 0x9427f902, 0xdaaef2ab,\n 0x0935ee50, 0x47bce5f9, 0x6ca9866c, 0x22208dc5, 0xf1bb913e,\n 0xbf329a97, 0x8dfcae89, 0xc375a520, 0x10eeb9db, 0x5e67b272,\n 0x21a920dd, 0x6f202b74, 0xbcbb378f, 0xf2323c26, 0xc0fc0838,\n 0x8e750391, 0x5dee1f6a, 0x136714c3, 0x38727756, 0x76fb7cff,\n 0xa5606004, 0xebe96bad, 0xd9275fb3, 0x97ae541a, 0x443548e1,\n 0x0abc4348, 0x121f8fcb, 0x5c968462, 0x8f0d9899, 0xc1849330,\n 0xf34aa72e, 0xbdc3ac87, 0x6e58b07c, 0x20d1bbd5, 0x0bc4d840,\n 0x454dd3e9, 0x96d6cf12, 0xd85fc4bb, 0xea91f0a5, 0xa418fb0c,\n 0x7783e7f7, 0x390aec5e, 0x881ec2a9, 0xc697c900, 0x150cd5fb,\n 0x5b85de52, 0x694bea4c, 0x27c2e1e5, 0xf459fd1e, 0xbad0f6b7,\n 0x91c59522, 0xdf4c9e8b, 0x0cd78270, 0x425e89d9, 0x7090bdc7,\n 0x3e19b66e, 0xed82aa95, 0xa30ba13c, 0xbba86dbf, 0xf5216616,\n 0x26ba7aed, 0x68337144, 0x5afd455a, 0x14744ef3, 0xc7ef5208,\n 0x896659a1, 0xa2733a34, 0xecfa319d, 0x3f612d66, 0x71e826cf,\n 0x432612d1, 0x0daf1978, 0xde340583, 0x90bd0e2a, 0xef739c85,\n 0xa1fa972c, 0x72618bd7, 0x3ce8807e, 0x0e26b460, 0x40afbfc9,\n 0x9334a332, 0xddbda89b, 0xf6a8cb0e, 0xb821c0a7, 0x6bbadc5c,\n 0x2533d7f5, 0x17fde3eb, 0x5974e842, 0x8aeff4b9, 0xc466ff10,\n 0xdcc53393, 0x924c383a, 0x41d724c1, 0x0f5e2f68, 0x3d901b76,\n 0x731910df, 0xa0820c24, 0xee0b078d, 0xc51e6418, 0x8b976fb1,\n 0x580c734a, 0x168578e3, 0x244b4cfd, 0x6ac24754, 0xb9595baf,\n 0xf7d05006},\n {0x00000000, 0x8d88fde2, 0xc060fd85, 0x4de80067, 0x5bb0fd4b,\n 0xd63800a9, 0x9bd000ce, 0x1658fd2c, 0xb761fa96, 0x3ae90774,\n 0x77010713, 0xfa89faf1, 0xecd107dd, 0x6159fa3f, 0x2cb1fa58,\n 0xa13907ba, 0xb5b2f36d, 0x383a0e8f, 0x75d20ee8, 0xf85af30a,\n 0xee020e26, 0x638af3c4, 0x2e62f3a3, 0xa3ea0e41, 0x02d309fb,\n 0x8f5bf419, 0xc2b3f47e, 0x4f3b099c, 0x5963f4b0, 0xd4eb0952,\n 0x99030935, 0x148bf4d7, 0xb014e09b, 0x3d9c1d79, 0x70741d1e,\n 0xfdfce0fc, 0xeba41dd0, 0x662ce032, 0x2bc4e055, 0xa64c1db7,\n 0x07751a0d, 0x8afde7ef, 0xc715e788, 0x4a9d1a6a, 0x5cc5e746,\n 0xd14d1aa4, 0x9ca51ac3, 0x112de721, 0x05a613f6, 0x882eee14,\n 0xc5c6ee73, 0x484e1391, 0x5e16eebd, 0xd39e135f, 0x9e761338,\n 0x13feeeda, 0xb2c7e960, 0x3f4f1482, 0x72a714e5, 0xff2fe907,\n 0xe977142b, 0x64ffe9c9, 0x2917e9ae, 0xa49f144c, 0xbb58c777,\n 0x36d03a95, 0x7b383af2, 0xf6b0c710, 0xe0e83a3c, 0x6d60c7de,\n 0x2088c7b9, 0xad003a5b, 0x0c393de1, 0x81b1c003, 0xcc59c064,\n 0x41d13d86, 0x5789c0aa, 0xda013d48, 0x97e93d2f, 0x1a61c0cd,\n 0x0eea341a, 0x8362c9f8, 0xce8ac99f, 0x4302347d, 0x555ac951,\n 0xd8d234b3, 0x953a34d4, 0x18b2c936, 0xb98bce8c, 0x3403336e,\n 0x79eb3309, 0xf463ceeb, 0xe23b33c7, 0x6fb3ce25, 0x225bce42,\n 0xafd333a0, 0x0b4c27ec, 0x86c4da0e, 0xcb2cda69, 0x46a4278b,\n 0x50fcdaa7, 0xdd742745, 0x909c2722, 0x1d14dac0, 0xbc2ddd7a,\n 0x31a52098, 0x7c4d20ff, 0xf1c5dd1d, 0xe79d2031, 0x6a15ddd3,\n 0x27fdddb4, 0xaa752056, 0xbefed481, 0x33762963, 0x7e9e2904,\n 0xf316d4e6, 0xe54e29ca, 0x68c6d428, 0x252ed44f, 0xa8a629ad,\n 0x099f2e17, 0x8417d3f5, 0xc9ffd392, 0x44772e70, 0x522fd35c,\n 0xdfa72ebe, 0x924f2ed9, 0x1fc7d33b, 0xadc088af, 0x2048754d,\n 0x6da0752a, 0xe02888c8, 0xf67075e4, 0x7bf88806, 0x36108861,\n 0xbb987583, 0x1aa17239, 0x97298fdb, 0xdac18fbc, 0x5749725e,\n 0x41118f72, 0xcc997290, 0x817172f7, 0x0cf98f15, 0x18727bc2,\n 0x95fa8620, 0xd8128647, 0x559a7ba5, 0x43c28689, 0xce4a7b6b,\n 0x83a27b0c, 0x0e2a86ee, 0xaf138154, 0x229b7cb6, 0x6f737cd1,\n 0xe2fb8133, 0xf4a37c1f, 0x792b81fd, 0x34c3819a, 0xb94b7c78,\n 0x1dd46834, 0x905c95d6, 0xddb495b1, 0x503c6853, 0x4664957f,\n 0xcbec689d, 0x860468fa, 0x0b8c9518, 0xaab592a2, 0x273d6f40,\n 0x6ad56f27, 0xe75d92c5, 0xf1056fe9, 0x7c8d920b, 0x3165926c,\n 0xbced6f8e, 0xa8669b59, 0x25ee66bb, 0x680666dc, 0xe58e9b3e,\n 0xf3d66612, 0x7e5e9bf0, 0x33b69b97, 0xbe3e6675, 0x1f0761cf,\n 0x928f9c2d, 0xdf679c4a, 0x52ef61a8, 0x44b79c84, 0xc93f6166,\n 0x84d76101, 0x095f9ce3, 0x16984fd8, 0x9b10b23a, 0xd6f8b25d,\n 0x5b704fbf, 0x4d28b293, 0xc0a04f71, 0x8d484f16, 0x00c0b2f4,\n 0xa1f9b54e, 0x2c7148ac, 0x619948cb, 0xec11b529, 0xfa494805,\n 0x77c1b5e7, 0x3a29b580, 0xb7a14862, 0xa32abcb5, 0x2ea24157,\n 0x634a4130, 0xeec2bcd2, 0xf89a41fe, 0x7512bc1c, 0x38fabc7b,\n 0xb5724199, 0x144b4623, 0x99c3bbc1, 0xd42bbba6, 0x59a34644,\n 0x4ffbbb68, 0xc273468a, 0x8f9b46ed, 0x0213bb0f, 0xa68caf43,\n 0x2b0452a1, 0x66ec52c6, 0xeb64af24, 0xfd3c5208, 0x70b4afea,\n 0x3d5caf8d, 0xb0d4526f, 0x11ed55d5, 0x9c65a837, 0xd18da850,\n 0x5c0555b2, 0x4a5da89e, 0xc7d5557c, 0x8a3d551b, 0x07b5a8f9,\n 0x133e5c2e, 0x9eb6a1cc, 0xd35ea1ab, 0x5ed65c49, 0x488ea165,\n 0xc5065c87, 0x88ee5ce0, 0x0566a102, 0xa45fa6b8, 0x29d75b5a,\n 0x643f5b3d, 0xe9b7a6df, 0xffef5bf3, 0x7267a611, 0x3f8fa676,\n 0xb2075b94},\n {0x00000000, 0x80f0171f, 0xda91287f, 0x5a613f60, 0x6e5356bf,\n 0xeea341a0, 0xb4c27ec0, 0x343269df, 0xdca6ad7e, 0x5c56ba61,\n 0x06378501, 0x86c7921e, 0xb2f5fbc1, 0x3205ecde, 0x6864d3be,\n 0xe894c4a1, 0x623c5cbd, 0xe2cc4ba2, 0xb8ad74c2, 0x385d63dd,\n 0x0c6f0a02, 0x8c9f1d1d, 0xd6fe227d, 0x560e3562, 0xbe9af1c3,\n 0x3e6ae6dc, 0x640bd9bc, 0xe4fbcea3, 0xd0c9a77c, 0x5039b063,\n 0x0a588f03, 0x8aa8981c, 0xc478b97a, 0x4488ae65, 0x1ee99105,\n 0x9e19861a, 0xaa2befc5, 0x2adbf8da, 0x70bac7ba, 0xf04ad0a5,\n 0x18de1404, 0x982e031b, 0xc24f3c7b, 0x42bf2b64, 0x768d42bb,\n 0xf67d55a4, 0xac1c6ac4, 0x2cec7ddb, 0xa644e5c7, 0x26b4f2d8,\n 0x7cd5cdb8, 0xfc25daa7, 0xc817b378, 0x48e7a467, 0x12869b07,\n 0x92768c18, 0x7ae248b9, 0xfa125fa6, 0xa07360c6, 0x208377d9,\n 0x14b11e06, 0x94410919, 0xce203679, 0x4ed02166, 0x538074b5,\n 0xd37063aa, 0x89115cca, 0x09e14bd5, 0x3dd3220a, 0xbd233515,\n 0xe7420a75, 0x67b21d6a, 0x8f26d9cb, 0x0fd6ced4, 0x55b7f1b4,\n 0xd547e6ab, 0xe1758f74, 0x6185986b, 0x3be4a70b, 0xbb14b014,\n 0x31bc2808, 0xb14c3f17, 0xeb2d0077, 0x6bdd1768, 0x5fef7eb7,\n 0xdf1f69a8, 0x857e56c8, 0x058e41d7, 0xed1a8576, 0x6dea9269,\n 0x378bad09, 0xb77bba16, 0x8349d3c9, 0x03b9c4d6, 0x59d8fbb6,\n 0xd928eca9, 0x97f8cdcf, 0x1708dad0, 0x4d69e5b0, 0xcd99f2af,\n 0xf9ab9b70, 0x795b8c6f, 0x233ab30f, 0xa3caa410, 0x4b5e60b1,\n 0xcbae77ae, 0x91cf48ce, 0x113f5fd1, 0x250d360e, 0xa5fd2111,\n 0xff9c1e71, 0x7f6c096e, 0xf5c49172, 0x7534866d, 0x2f55b90d,\n 0xafa5ae12, 0x9b97c7cd, 0x1b67d0d2, 0x4106efb2, 0xc1f6f8ad,\n 0x29623c0c, 0xa9922b13, 0xf3f31473, 0x7303036c, 0x47316ab3,\n 0xc7c17dac, 0x9da042cc, 0x1d5055d3, 0xa700e96a, 0x27f0fe75,\n 0x7d91c115, 0xfd61d60a, 0xc953bfd5, 0x49a3a8ca, 0x13c297aa,\n 0x933280b5, 0x7ba64414, 0xfb56530b, 0xa1376c6b, 0x21c77b74,\n 0x15f512ab, 0x950505b4, 0xcf643ad4, 0x4f942dcb, 0xc53cb5d7,\n 0x45cca2c8, 0x1fad9da8, 0x9f5d8ab7, 0xab6fe368, 0x2b9ff477,\n 0x71fecb17, 0xf10edc08, 0x199a18a9, 0x996a0fb6, 0xc30b30d6,\n 0x43fb27c9, 0x77c94e16, 0xf7395909, 0xad586669, 0x2da87176,\n 0x63785010, 0xe388470f, 0xb9e9786f, 0x39196f70, 0x0d2b06af,\n 0x8ddb11b0, 0xd7ba2ed0, 0x574a39cf, 0xbfdefd6e, 0x3f2eea71,\n 0x654fd511, 0xe5bfc20e, 0xd18dabd1, 0x517dbcce, 0x0b1c83ae,\n 0x8bec94b1, 0x01440cad, 0x81b41bb2, 0xdbd524d2, 0x5b2533cd,\n 0x6f175a12, 0xefe74d0d, 0xb586726d, 0x35766572, 0xdde2a1d3,\n 0x5d12b6cc, 0x077389ac, 0x87839eb3, 0xb3b1f76c, 0x3341e073,\n 0x6920df13, 0xe9d0c80c, 0xf4809ddf, 0x74708ac0, 0x2e11b5a0,\n 0xaee1a2bf, 0x9ad3cb60, 0x1a23dc7f, 0x4042e31f, 0xc0b2f400,\n 0x282630a1, 0xa8d627be, 0xf2b718de, 0x72470fc1, 0x4675661e,\n 0xc6857101, 0x9ce44e61, 0x1c14597e, 0x96bcc162, 0x164cd67d,\n 0x4c2de91d, 0xccddfe02, 0xf8ef97dd, 0x781f80c2, 0x227ebfa2,\n 0xa28ea8bd, 0x4a1a6c1c, 0xcaea7b03, 0x908b4463, 0x107b537c,\n 0x24493aa3, 0xa4b92dbc, 0xfed812dc, 0x7e2805c3, 0x30f824a5,\n 0xb00833ba, 0xea690cda, 0x6a991bc5, 0x5eab721a, 0xde5b6505,\n 0x843a5a65, 0x04ca4d7a, 0xec5e89db, 0x6cae9ec4, 0x36cfa1a4,\n 0xb63fb6bb, 0x820ddf64, 0x02fdc87b, 0x589cf71b, 0xd86ce004,\n 0x52c47818, 0xd2346f07, 0x88555067, 0x08a54778, 0x3c972ea7,\n 0xbc6739b8, 0xe60606d8, 0x66f611c7, 0x8e62d566, 0x0e92c279,\n 0x54f3fd19, 0xd403ea06, 0xe03183d9, 0x60c194c6, 0x3aa0aba6,\n 0xba50bcb9},\n {0x00000000, 0x9570d495, 0xf190af6b, 0x64e07bfe, 0x38505897,\n 0xad208c02, 0xc9c0f7fc, 0x5cb02369, 0x70a0b12e, 0xe5d065bb,\n 0x81301e45, 0x1440cad0, 0x48f0e9b9, 0xdd803d2c, 0xb96046d2,\n 0x2c109247, 0xe141625c, 0x7431b6c9, 0x10d1cd37, 0x85a119a2,\n 0xd9113acb, 0x4c61ee5e, 0x288195a0, 0xbdf14135, 0x91e1d372,\n 0x049107e7, 0x60717c19, 0xf501a88c, 0xa9b18be5, 0x3cc15f70,\n 0x5821248e, 0xcd51f01b, 0x19f3c2f9, 0x8c83166c, 0xe8636d92,\n 0x7d13b907, 0x21a39a6e, 0xb4d34efb, 0xd0333505, 0x4543e190,\n 0x695373d7, 0xfc23a742, 0x98c3dcbc, 0x0db30829, 0x51032b40,\n 0xc473ffd5, 0xa093842b, 0x35e350be, 0xf8b2a0a5, 0x6dc27430,\n 0x09220fce, 0x9c52db5b, 0xc0e2f832, 0x55922ca7, 0x31725759,\n 0xa40283cc, 0x8812118b, 0x1d62c51e, 0x7982bee0, 0xecf26a75,\n 0xb042491c, 0x25329d89, 0x41d2e677, 0xd4a232e2, 0x33e785f2,\n 0xa6975167, 0xc2772a99, 0x5707fe0c, 0x0bb7dd65, 0x9ec709f0,\n 0xfa27720e, 0x6f57a69b, 0x434734dc, 0xd637e049, 0xb2d79bb7,\n 0x27a74f22, 0x7b176c4b, 0xee67b8de, 0x8a87c320, 0x1ff717b5,\n 0xd2a6e7ae, 0x47d6333b, 0x233648c5, 0xb6469c50, 0xeaf6bf39,\n 0x7f866bac, 0x1b661052, 0x8e16c4c7, 0xa2065680, 0x37768215,\n 0x5396f9eb, 0xc6e62d7e, 0x9a560e17, 0x0f26da82, 0x6bc6a17c,\n 0xfeb675e9, 0x2a14470b, 0xbf64939e, 0xdb84e860, 0x4ef43cf5,\n 0x12441f9c, 0x8734cb09, 0xe3d4b0f7, 0x76a46462, 0x5ab4f625,\n 0xcfc422b0, 0xab24594e, 0x3e548ddb, 0x62e4aeb2, 0xf7947a27,\n 0x937401d9, 0x0604d54c, 0xcb552557, 0x5e25f1c2, 0x3ac58a3c,\n 0xafb55ea9, 0xf3057dc0, 0x6675a955, 0x0295d2ab, 0x97e5063e,\n 0xbbf59479, 0x2e8540ec, 0x4a653b12, 0xdf15ef87, 0x83a5ccee,\n 0x16d5187b, 0x72356385, 0xe745b710, 0x67cf0be4, 0xf2bfdf71,\n 0x965fa48f, 0x032f701a, 0x5f9f5373, 0xcaef87e6, 0xae0ffc18,\n 0x3b7f288d, 0x176fbaca, 0x821f6e5f, 0xe6ff15a1, 0x738fc134,\n 0x2f3fe25d, 0xba4f36c8, 0xdeaf4d36, 0x4bdf99a3, 0x868e69b8,\n 0x13febd2d, 0x771ec6d3, 0xe26e1246, 0xbede312f, 0x2baee5ba,\n 0x4f4e9e44, 0xda3e4ad1, 0xf62ed896, 0x635e0c03, 0x07be77fd,\n 0x92cea368, 0xce7e8001, 0x5b0e5494, 0x3fee2f6a, 0xaa9efbff,\n 0x7e3cc91d, 0xeb4c1d88, 0x8fac6676, 0x1adcb2e3, 0x466c918a,\n 0xd31c451f, 0xb7fc3ee1, 0x228cea74, 0x0e9c7833, 0x9becaca6,\n 0xff0cd758, 0x6a7c03cd, 0x36cc20a4, 0xa3bcf431, 0xc75c8fcf,\n 0x522c5b5a, 0x9f7dab41, 0x0a0d7fd4, 0x6eed042a, 0xfb9dd0bf,\n 0xa72df3d6, 0x325d2743, 0x56bd5cbd, 0xc3cd8828, 0xefdd1a6f,\n 0x7aadcefa, 0x1e4db504, 0x8b3d6191, 0xd78d42f8, 0x42fd966d,\n 0x261ded93, 0xb36d3906, 0x54288e16, 0xc1585a83, 0xa5b8217d,\n 0x30c8f5e8, 0x6c78d681, 0xf9080214, 0x9de879ea, 0x0898ad7f,\n 0x24883f38, 0xb1f8ebad, 0xd5189053, 0x406844c6, 0x1cd867af,\n 0x89a8b33a, 0xed48c8c4, 0x78381c51, 0xb569ec4a, 0x201938df,\n 0x44f94321, 0xd18997b4, 0x8d39b4dd, 0x18496048, 0x7ca91bb6,\n 0xe9d9cf23, 0xc5c95d64, 0x50b989f1, 0x3459f20f, 0xa129269a,\n 0xfd9905f3, 0x68e9d166, 0x0c09aa98, 0x99797e0d, 0x4ddb4cef,\n 0xd8ab987a, 0xbc4be384, 0x293b3711, 0x758b1478, 0xe0fbc0ed,\n 0x841bbb13, 0x116b6f86, 0x3d7bfdc1, 0xa80b2954, 0xcceb52aa,\n 0x599b863f, 0x052ba556, 0x905b71c3, 0xf4bb0a3d, 0x61cbdea8,\n 0xac9a2eb3, 0x39eafa26, 0x5d0a81d8, 0xc87a554d, 0x94ca7624,\n 0x01baa2b1, 0x655ad94f, 0xf02a0dda, 0xdc3a9f9d, 0x494a4b08,\n 0x2daa30f6, 0xb8dae463, 0xe46ac70a, 0x711a139f, 0x15fa6861,\n 0x808abcf4},\n {0x00000000, 0xcf9e17c8, 0x444d29d1, 0x8bd33e19, 0x889a53a2,\n 0x4704446a, 0xccd77a73, 0x03496dbb, 0xca45a105, 0x05dbb6cd,\n 0x8e0888d4, 0x41969f1c, 0x42dff2a7, 0x8d41e56f, 0x0692db76,\n 0xc90cccbe, 0x4ffa444b, 0x80645383, 0x0bb76d9a, 0xc4297a52,\n 0xc76017e9, 0x08fe0021, 0x832d3e38, 0x4cb329f0, 0x85bfe54e,\n 0x4a21f286, 0xc1f2cc9f, 0x0e6cdb57, 0x0d25b6ec, 0xc2bba124,\n 0x49689f3d, 0x86f688f5, 0x9ff48896, 0x506a9f5e, 0xdbb9a147,\n 0x1427b68f, 0x176edb34, 0xd8f0ccfc, 0x5323f2e5, 0x9cbde52d,\n 0x55b12993, 0x9a2f3e5b, 0x11fc0042, 0xde62178a, 0xdd2b7a31,\n 0x12b56df9, 0x996653e0, 0x56f84428, 0xd00eccdd, 0x1f90db15,\n 0x9443e50c, 0x5bddf2c4, 0x58949f7f, 0x970a88b7, 0x1cd9b6ae,\n 0xd347a166, 0x1a4b6dd8, 0xd5d57a10, 0x5e064409, 0x919853c1,\n 0x92d13e7a, 0x5d4f29b2, 0xd69c17ab, 0x19020063, 0xe498176d,\n 0x2b0600a5, 0xa0d53ebc, 0x6f4b2974, 0x6c0244cf, 0xa39c5307,\n 0x284f6d1e, 0xe7d17ad6, 0x2eddb668, 0xe143a1a0, 0x6a909fb9,\n 0xa50e8871, 0xa647e5ca, 0x69d9f202, 0xe20acc1b, 0x2d94dbd3,\n 0xab625326, 0x64fc44ee, 0xef2f7af7, 0x20b16d3f, 0x23f80084,\n 0xec66174c, 0x67b52955, 0xa82b3e9d, 0x6127f223, 0xaeb9e5eb,\n 0x256adbf2, 0xeaf4cc3a, 0xe9bda181, 0x2623b649, 0xadf08850,\n 0x626e9f98, 0x7b6c9ffb, 0xb4f28833, 0x3f21b62a, 0xf0bfa1e2,\n 0xf3f6cc59, 0x3c68db91, 0xb7bbe588, 0x7825f240, 0xb1293efe,\n 0x7eb72936, 0xf564172f, 0x3afa00e7, 0x39b36d5c, 0xf62d7a94,\n 0x7dfe448d, 0xb2605345, 0x3496dbb0, 0xfb08cc78, 0x70dbf261,\n 0xbf45e5a9, 0xbc0c8812, 0x73929fda, 0xf841a1c3, 0x37dfb60b,\n 0xfed37ab5, 0x314d6d7d, 0xba9e5364, 0x750044ac, 0x76492917,\n 0xb9d73edf, 0x320400c6, 0xfd9a170e, 0x1241289b, 0xdddf3f53,\n 0x560c014a, 0x99921682, 0x9adb7b39, 0x55456cf1, 0xde9652e8,\n 0x11084520, 0xd804899e, 0x179a9e56, 0x9c49a04f, 0x53d7b787,\n 0x509eda3c, 0x9f00cdf4, 0x14d3f3ed, 0xdb4de425, 0x5dbb6cd0,\n 0x92257b18, 0x19f64501, 0xd66852c9, 0xd5213f72, 0x1abf28ba,\n 0x916c16a3, 0x5ef2016b, 0x97fecdd5, 0x5860da1d, 0xd3b3e404,\n 0x1c2df3cc, 0x1f649e77, 0xd0fa89bf, 0x5b29b7a6, 0x94b7a06e,\n 0x8db5a00d, 0x422bb7c5, 0xc9f889dc, 0x06669e14, 0x052ff3af,\n 0xcab1e467, 0x4162da7e, 0x8efccdb6, 0x47f00108, 0x886e16c0,\n 0x03bd28d9, 0xcc233f11, 0xcf6a52aa, 0x00f44562, 0x8b277b7b,\n 0x44b96cb3, 0xc24fe446, 0x0dd1f38e, 0x8602cd97, 0x499cda5f,\n 0x4ad5b7e4, 0x854ba02c, 0x0e989e35, 0xc10689fd, 0x080a4543,\n 0xc794528b, 0x4c476c92, 0x83d97b5a, 0x809016e1, 0x4f0e0129,\n 0xc4dd3f30, 0x0b4328f8, 0xf6d93ff6, 0x3947283e, 0xb2941627,\n 0x7d0a01ef, 0x7e436c54, 0xb1dd7b9c, 0x3a0e4585, 0xf590524d,\n 0x3c9c9ef3, 0xf302893b, 0x78d1b722, 0xb74fa0ea, 0xb406cd51,\n 0x7b98da99, 0xf04be480, 0x3fd5f348, 0xb9237bbd, 0x76bd6c75,\n 0xfd6e526c, 0x32f045a4, 0x31b9281f, 0xfe273fd7, 0x75f401ce,\n 0xba6a1606, 0x7366dab8, 0xbcf8cd70, 0x372bf369, 0xf8b5e4a1,\n 0xfbfc891a, 0x34629ed2, 0xbfb1a0cb, 0x702fb703, 0x692db760,\n 0xa6b3a0a8, 0x2d609eb1, 0xe2fe8979, 0xe1b7e4c2, 0x2e29f30a,\n 0xa5facd13, 0x6a64dadb, 0xa3681665, 0x6cf601ad, 0xe7253fb4,\n 0x28bb287c, 0x2bf245c7, 0xe46c520f, 0x6fbf6c16, 0xa0217bde,\n 0x26d7f32b, 0xe949e4e3, 0x629adafa, 0xad04cd32, 0xae4da089,\n 0x61d3b741, 0xea008958, 0x259e9e90, 0xec92522e, 0x230c45e6,\n 0xa8df7bff, 0x67416c37, 0x6408018c, 0xab961644, 0x2045285d,\n 0xefdb3f95},\n {0x00000000, 0x24825136, 0x4904a26c, 0x6d86f35a, 0x920944d8,\n 0xb68b15ee, 0xdb0de6b4, 0xff8fb782, 0xff638ff1, 0xdbe1dec7,\n 0xb6672d9d, 0x92e57cab, 0x6d6acb29, 0x49e89a1f, 0x246e6945,\n 0x00ec3873, 0x25b619a3, 0x01344895, 0x6cb2bbcf, 0x4830eaf9,\n 0xb7bf5d7b, 0x933d0c4d, 0xfebbff17, 0xda39ae21, 0xdad59652,\n 0xfe57c764, 0x93d1343e, 0xb7536508, 0x48dcd28a, 0x6c5e83bc,\n 0x01d870e6, 0x255a21d0, 0x4b6c3346, 0x6fee6270, 0x0268912a,\n 0x26eac01c, 0xd965779e, 0xfde726a8, 0x9061d5f2, 0xb4e384c4,\n 0xb40fbcb7, 0x908ded81, 0xfd0b1edb, 0xd9894fed, 0x2606f86f,\n 0x0284a959, 0x6f025a03, 0x4b800b35, 0x6eda2ae5, 0x4a587bd3,\n 0x27de8889, 0x035cd9bf, 0xfcd36e3d, 0xd8513f0b, 0xb5d7cc51,\n 0x91559d67, 0x91b9a514, 0xb53bf422, 0xd8bd0778, 0xfc3f564e,\n 0x03b0e1cc, 0x2732b0fa, 0x4ab443a0, 0x6e361296, 0x96d8668c,\n 0xb25a37ba, 0xdfdcc4e0, 0xfb5e95d6, 0x04d12254, 0x20537362,\n 0x4dd58038, 0x6957d10e, 0x69bbe97d, 0x4d39b84b, 0x20bf4b11,\n 0x043d1a27, 0xfbb2ada5, 0xdf30fc93, 0xb2b60fc9, 0x96345eff,\n 0xb36e7f2f, 0x97ec2e19, 0xfa6add43, 0xdee88c75, 0x21673bf7,\n 0x05e56ac1, 0x6863999b, 0x4ce1c8ad, 0x4c0df0de, 0x688fa1e8,\n 0x050952b2, 0x218b0384, 0xde04b406, 0xfa86e530, 0x9700166a,\n 0xb382475c, 0xddb455ca, 0xf93604fc, 0x94b0f7a6, 0xb032a690,\n 0x4fbd1112, 0x6b3f4024, 0x06b9b37e, 0x223be248, 0x22d7da3b,\n 0x06558b0d, 0x6bd37857, 0x4f512961, 0xb0de9ee3, 0x945ccfd5,\n 0xf9da3c8f, 0xdd586db9, 0xf8024c69, 0xdc801d5f, 0xb106ee05,\n 0x9584bf33, 0x6a0b08b1, 0x4e895987, 0x230faadd, 0x078dfbeb,\n 0x0761c398, 0x23e392ae, 0x4e6561f4, 0x6ae730c2, 0x95688740,\n 0xb1ead676, 0xdc6c252c, 0xf8ee741a, 0xf6c1cb59, 0xd2439a6f,\n 0xbfc56935, 0x9b473803, 0x64c88f81, 0x404adeb7, 0x2dcc2ded,\n 0x094e7cdb, 0x09a244a8, 0x2d20159e, 0x40a6e6c4, 0x6424b7f2,\n 0x9bab0070, 0xbf295146, 0xd2afa21c, 0xf62df32a, 0xd377d2fa,\n 0xf7f583cc, 0x9a737096, 0xbef121a0, 0x417e9622, 0x65fcc714,\n 0x087a344e, 0x2cf86578, 0x2c145d0b, 0x08960c3d, 0x6510ff67,\n 0x4192ae51, 0xbe1d19d3, 0x9a9f48e5, 0xf719bbbf, 0xd39bea89,\n 0xbdadf81f, 0x992fa929, 0xf4a95a73, 0xd02b0b45, 0x2fa4bcc7,\n 0x0b26edf1, 0x66a01eab, 0x42224f9d, 0x42ce77ee, 0x664c26d8,\n 0x0bcad582, 0x2f4884b4, 0xd0c73336, 0xf4456200, 0x99c3915a,\n 0xbd41c06c, 0x981be1bc, 0xbc99b08a, 0xd11f43d0, 0xf59d12e6,\n 0x0a12a564, 0x2e90f452, 0x43160708, 0x6794563e, 0x67786e4d,\n 0x43fa3f7b, 0x2e7ccc21, 0x0afe9d17, 0xf5712a95, 0xd1f37ba3,\n 0xbc7588f9, 0x98f7d9cf, 0x6019add5, 0x449bfce3, 0x291d0fb9,\n 0x0d9f5e8f, 0xf210e90d, 0xd692b83b, 0xbb144b61, 0x9f961a57,\n 0x9f7a2224, 0xbbf87312, 0xd67e8048, 0xf2fcd17e, 0x0d7366fc,\n 0x29f137ca, 0x4477c490, 0x60f595a6, 0x45afb476, 0x612de540,\n 0x0cab161a, 0x2829472c, 0xd7a6f0ae, 0xf324a198, 0x9ea252c2,\n 0xba2003f4, 0xbacc3b87, 0x9e4e6ab1, 0xf3c899eb, 0xd74ac8dd,\n 0x28c57f5f, 0x0c472e69, 0x61c1dd33, 0x45438c05, 0x2b759e93,\n 0x0ff7cfa5, 0x62713cff, 0x46f36dc9, 0xb97cda4b, 0x9dfe8b7d,\n 0xf0787827, 0xd4fa2911, 0xd4161162, 0xf0944054, 0x9d12b30e,\n 0xb990e238, 0x461f55ba, 0x629d048c, 0x0f1bf7d6, 0x2b99a6e0,\n 0x0ec38730, 0x2a41d606, 0x47c7255c, 0x6345746a, 0x9ccac3e8,\n 0xb84892de, 0xd5ce6184, 0xf14c30b2, 0xf1a008c1, 0xd52259f7,\n 0xb8a4aaad, 0x9c26fb9b, 0x63a94c19, 0x472b1d2f, 0x2aadee75,\n 0x0e2fbf43},\n {0x00000000, 0x36f290f3, 0x6de521e6, 0x5b17b115, 0xdbca43cc,\n 0xed38d33f, 0xb62f622a, 0x80ddf2d9, 0x6ce581d9, 0x5a17112a,\n 0x0100a03f, 0x37f230cc, 0xb72fc215, 0x81dd52e6, 0xdacae3f3,\n 0xec387300, 0xd9cb03b2, 0xef399341, 0xb42e2254, 0x82dcb2a7,\n 0x0201407e, 0x34f3d08d, 0x6fe46198, 0x5916f16b, 0xb52e826b,\n 0x83dc1298, 0xd8cba38d, 0xee39337e, 0x6ee4c1a7, 0x58165154,\n 0x0301e041, 0x35f370b2, 0x68e70125, 0x5e1591d6, 0x050220c3,\n 0x33f0b030, 0xb32d42e9, 0x85dfd21a, 0xdec8630f, 0xe83af3fc,\n 0x040280fc, 0x32f0100f, 0x69e7a11a, 0x5f1531e9, 0xdfc8c330,\n 0xe93a53c3, 0xb22de2d6, 0x84df7225, 0xb12c0297, 0x87de9264,\n 0xdcc92371, 0xea3bb382, 0x6ae6415b, 0x5c14d1a8, 0x070360bd,\n 0x31f1f04e, 0xddc9834e, 0xeb3b13bd, 0xb02ca2a8, 0x86de325b,\n 0x0603c082, 0x30f15071, 0x6be6e164, 0x5d147197, 0xd1ce024a,\n 0xe73c92b9, 0xbc2b23ac, 0x8ad9b35f, 0x0a044186, 0x3cf6d175,\n 0x67e16060, 0x5113f093, 0xbd2b8393, 0x8bd91360, 0xd0cea275,\n 0xe63c3286, 0x66e1c05f, 0x501350ac, 0x0b04e1b9, 0x3df6714a,\n 0x080501f8, 0x3ef7910b, 0x65e0201e, 0x5312b0ed, 0xd3cf4234,\n 0xe53dd2c7, 0xbe2a63d2, 0x88d8f321, 0x64e08021, 0x521210d2,\n 0x0905a1c7, 0x3ff73134, 0xbf2ac3ed, 0x89d8531e, 0xd2cfe20b,\n 0xe43d72f8, 0xb929036f, 0x8fdb939c, 0xd4cc2289, 0xe23eb27a,\n 0x62e340a3, 0x5411d050, 0x0f066145, 0x39f4f1b6, 0xd5cc82b6,\n 0xe33e1245, 0xb829a350, 0x8edb33a3, 0x0e06c17a, 0x38f45189,\n 0x63e3e09c, 0x5511706f, 0x60e200dd, 0x5610902e, 0x0d07213b,\n 0x3bf5b1c8, 0xbb284311, 0x8ddad3e2, 0xd6cd62f7, 0xe03ff204,\n 0x0c078104, 0x3af511f7, 0x61e2a0e2, 0x57103011, 0xd7cdc2c8,\n 0xe13f523b, 0xba28e32e, 0x8cda73dd, 0x78ed02d5, 0x4e1f9226,\n 0x15082333, 0x23fab3c0, 0xa3274119, 0x95d5d1ea, 0xcec260ff,\n 0xf830f00c, 0x1408830c, 0x22fa13ff, 0x79eda2ea, 0x4f1f3219,\n 0xcfc2c0c0, 0xf9305033, 0xa227e126, 0x94d571d5, 0xa1260167,\n 0x97d49194, 0xccc32081, 0xfa31b072, 0x7aec42ab, 0x4c1ed258,\n 0x1709634d, 0x21fbf3be, 0xcdc380be, 0xfb31104d, 0xa026a158,\n 0x96d431ab, 0x1609c372, 0x20fb5381, 0x7bece294, 0x4d1e7267,\n 0x100a03f0, 0x26f89303, 0x7def2216, 0x4b1db2e5, 0xcbc0403c,\n 0xfd32d0cf, 0xa62561da, 0x90d7f129, 0x7cef8229, 0x4a1d12da,\n 0x110aa3cf, 0x27f8333c, 0xa725c1e5, 0x91d75116, 0xcac0e003,\n 0xfc3270f0, 0xc9c10042, 0xff3390b1, 0xa42421a4, 0x92d6b157,\n 0x120b438e, 0x24f9d37d, 0x7fee6268, 0x491cf29b, 0xa524819b,\n 0x93d61168, 0xc8c1a07d, 0xfe33308e, 0x7eeec257, 0x481c52a4,\n 0x130be3b1, 0x25f97342, 0xa923009f, 0x9fd1906c, 0xc4c62179,\n 0xf234b18a, 0x72e94353, 0x441bd3a0, 0x1f0c62b5, 0x29fef246,\n 0xc5c68146, 0xf33411b5, 0xa823a0a0, 0x9ed13053, 0x1e0cc28a,\n 0x28fe5279, 0x73e9e36c, 0x451b739f, 0x70e8032d, 0x461a93de,\n 0x1d0d22cb, 0x2bffb238, 0xab2240e1, 0x9dd0d012, 0xc6c76107,\n 0xf035f1f4, 0x1c0d82f4, 0x2aff1207, 0x71e8a312, 0x471a33e1,\n 0xc7c7c138, 0xf13551cb, 0xaa22e0de, 0x9cd0702d, 0xc1c401ba,\n 0xf7369149, 0xac21205c, 0x9ad3b0af, 0x1a0e4276, 0x2cfcd285,\n 0x77eb6390, 0x4119f363, 0xad218063, 0x9bd31090, 0xc0c4a185,\n 0xf6363176, 0x76ebc3af, 0x4019535c, 0x1b0ee249, 0x2dfc72ba,\n 0x180f0208, 0x2efd92fb, 0x75ea23ee, 0x4318b31d, 0xc3c541c4,\n 0xf537d137, 0xae206022, 0x98d2f0d1, 0x74ea83d1, 0x42181322,\n 0x190fa237, 0x2ffd32c4, 0xaf20c01d, 0x99d250ee, 0xc2c5e1fb,\n 0xf4377108}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0xf390f23600000000, 0xe621e56d00000000,\n 0x15b1175b00000000, 0xcc43cadb00000000, 0x3fd338ed00000000,\n 0x2a622fb600000000, 0xd9f2dd8000000000, 0xd981e56c00000000,\n 0x2a11175a00000000, 0x3fa0000100000000, 0xcc30f23700000000,\n 0x15c22fb700000000, 0xe652dd8100000000, 0xf3e3cada00000000,\n 0x007338ec00000000, 0xb203cbd900000000, 0x419339ef00000000,\n 0x54222eb400000000, 0xa7b2dc8200000000, 0x7e40010200000000,\n 0x8dd0f33400000000, 0x9861e46f00000000, 0x6bf1165900000000,\n 0x6b822eb500000000, 0x9812dc8300000000, 0x8da3cbd800000000,\n 0x7e3339ee00000000, 0xa7c1e46e00000000, 0x5451165800000000,\n 0x41e0010300000000, 0xb270f33500000000, 0x2501e76800000000,\n 0xd691155e00000000, 0xc320020500000000, 0x30b0f03300000000,\n 0xe9422db300000000, 0x1ad2df8500000000, 0x0f63c8de00000000,\n 0xfcf33ae800000000, 0xfc80020400000000, 0x0f10f03200000000,\n 0x1aa1e76900000000, 0xe931155f00000000, 0x30c3c8df00000000,\n 0xc3533ae900000000, 0xd6e22db200000000, 0x2572df8400000000,\n 0x97022cb100000000, 0x6492de8700000000, 0x7123c9dc00000000,\n 0x82b33bea00000000, 0x5b41e66a00000000, 0xa8d1145c00000000,\n 0xbd60030700000000, 0x4ef0f13100000000, 0x4e83c9dd00000000,\n 0xbd133beb00000000, 0xa8a22cb000000000, 0x5b32de8600000000,\n 0x82c0030600000000, 0x7150f13000000000, 0x64e1e66b00000000,\n 0x9771145d00000000, 0x4a02ced100000000, 0xb9923ce700000000,\n 0xac232bbc00000000, 0x5fb3d98a00000000, 0x8641040a00000000,\n 0x75d1f63c00000000, 0x6060e16700000000, 0x93f0135100000000,\n 0x93832bbd00000000, 0x6013d98b00000000, 0x75a2ced000000000,\n 0x86323ce600000000, 0x5fc0e16600000000, 0xac50135000000000,\n 0xb9e1040b00000000, 0x4a71f63d00000000, 0xf801050800000000,\n 0x0b91f73e00000000, 0x1e20e06500000000, 0xedb0125300000000,\n 0x3442cfd300000000, 0xc7d23de500000000, 0xd2632abe00000000,\n 0x21f3d88800000000, 0x2180e06400000000, 0xd210125200000000,\n 0xc7a1050900000000, 0x3431f73f00000000, 0xedc32abf00000000,\n 0x1e53d88900000000, 0x0be2cfd200000000, 0xf8723de400000000,\n 0x6f0329b900000000, 0x9c93db8f00000000, 0x8922ccd400000000,\n 0x7ab23ee200000000, 0xa340e36200000000, 0x50d0115400000000,\n 0x4561060f00000000, 0xb6f1f43900000000, 0xb682ccd500000000,\n 0x45123ee300000000, 0x50a329b800000000, 0xa333db8e00000000,\n 0x7ac1060e00000000, 0x8951f43800000000, 0x9ce0e36300000000,\n 0x6f70115500000000, 0xdd00e26000000000, 0x2e90105600000000,\n 0x3b21070d00000000, 0xc8b1f53b00000000, 0x114328bb00000000,\n 0xe2d3da8d00000000, 0xf762cdd600000000, 0x04f23fe000000000,\n 0x0481070c00000000, 0xf711f53a00000000, 0xe2a0e26100000000,\n 0x1130105700000000, 0xc8c2cdd700000000, 0x3b523fe100000000,\n 0x2ee328ba00000000, 0xdd73da8c00000000, 0xd502ed7800000000,\n 0x26921f4e00000000, 0x3323081500000000, 0xc0b3fa2300000000,\n 0x194127a300000000, 0xead1d59500000000, 0xff60c2ce00000000,\n 0x0cf030f800000000, 0x0c83081400000000, 0xff13fa2200000000,\n 0xeaa2ed7900000000, 0x19321f4f00000000, 0xc0c0c2cf00000000,\n 0x335030f900000000, 0x26e127a200000000, 0xd571d59400000000,\n 0x670126a100000000, 0x9491d49700000000, 0x8120c3cc00000000,\n 0x72b031fa00000000, 0xab42ec7a00000000, 0x58d21e4c00000000,\n 0x4d63091700000000, 0xbef3fb2100000000, 0xbe80c3cd00000000,\n 0x4d1031fb00000000, 0x58a126a000000000, 0xab31d49600000000,\n 0x72c3091600000000, 0x8153fb2000000000, 0x94e2ec7b00000000,\n 0x67721e4d00000000, 0xf0030a1000000000, 0x0393f82600000000,\n 0x1622ef7d00000000, 0xe5b21d4b00000000, 0x3c40c0cb00000000,\n 0xcfd032fd00000000, 0xda6125a600000000, 0x29f1d79000000000,\n 0x2982ef7c00000000, 0xda121d4a00000000, 0xcfa30a1100000000,\n 0x3c33f82700000000, 0xe5c125a700000000, 0x1651d79100000000,\n 0x03e0c0ca00000000, 0xf07032fc00000000, 0x4200c1c900000000,\n 0xb19033ff00000000, 0xa42124a400000000, 0x57b1d69200000000,\n 0x8e430b1200000000, 0x7dd3f92400000000, 0x6862ee7f00000000,\n 0x9bf21c4900000000, 0x9b8124a500000000, 0x6811d69300000000,\n 0x7da0c1c800000000, 0x8e3033fe00000000, 0x57c2ee7e00000000,\n 0xa4521c4800000000, 0xb1e30b1300000000, 0x4273f92500000000,\n 0x9f0023a900000000, 0x6c90d19f00000000, 0x7921c6c400000000,\n 0x8ab134f200000000, 0x5343e97200000000, 0xa0d31b4400000000,\n 0xb5620c1f00000000, 0x46f2fe2900000000, 0x4681c6c500000000,\n 0xb51134f300000000, 0xa0a023a800000000, 0x5330d19e00000000,\n 0x8ac20c1e00000000, 0x7952fe2800000000, 0x6ce3e97300000000,\n 0x9f731b4500000000, 0x2d03e87000000000, 0xde931a4600000000,\n 0xcb220d1d00000000, 0x38b2ff2b00000000, 0xe14022ab00000000,\n 0x12d0d09d00000000, 0x0761c7c600000000, 0xf4f135f000000000,\n 0xf4820d1c00000000, 0x0712ff2a00000000, 0x12a3e87100000000,\n 0xe1331a4700000000, 0x38c1c7c700000000, 0xcb5135f100000000,\n 0xdee022aa00000000, 0x2d70d09c00000000, 0xba01c4c100000000,\n 0x499136f700000000, 0x5c2021ac00000000, 0xafb0d39a00000000,\n 0x76420e1a00000000, 0x85d2fc2c00000000, 0x9063eb7700000000,\n 0x63f3194100000000, 0x638021ad00000000, 0x9010d39b00000000,\n 0x85a1c4c000000000, 0x763136f600000000, 0xafc3eb7600000000,\n 0x5c53194000000000, 0x49e20e1b00000000, 0xba72fc2d00000000,\n 0x08020f1800000000, 0xfb92fd2e00000000, 0xee23ea7500000000,\n 0x1db3184300000000, 0xc441c5c300000000, 0x37d137f500000000,\n 0x226020ae00000000, 0xd1f0d29800000000, 0xd183ea7400000000,\n 0x2213184200000000, 0x37a20f1900000000, 0xc432fd2f00000000,\n 0x1dc020af00000000, 0xee50d29900000000, 0xfbe1c5c200000000,\n 0x087137f400000000},\n {0x0000000000000000, 0x3651822400000000, 0x6ca2044900000000,\n 0x5af3866d00000000, 0xd844099200000000, 0xee158bb600000000,\n 0xb4e60ddb00000000, 0x82b78fff00000000, 0xf18f63ff00000000,\n 0xc7dee1db00000000, 0x9d2d67b600000000, 0xab7ce59200000000,\n 0x29cb6a6d00000000, 0x1f9ae84900000000, 0x45696e2400000000,\n 0x7338ec0000000000, 0xa319b62500000000, 0x9548340100000000,\n 0xcfbbb26c00000000, 0xf9ea304800000000, 0x7b5dbfb700000000,\n 0x4d0c3d9300000000, 0x17ffbbfe00000000, 0x21ae39da00000000,\n 0x5296d5da00000000, 0x64c757fe00000000, 0x3e34d19300000000,\n 0x086553b700000000, 0x8ad2dc4800000000, 0xbc835e6c00000000,\n 0xe670d80100000000, 0xd0215a2500000000, 0x46336c4b00000000,\n 0x7062ee6f00000000, 0x2a91680200000000, 0x1cc0ea2600000000,\n 0x9e7765d900000000, 0xa826e7fd00000000, 0xf2d5619000000000,\n 0xc484e3b400000000, 0xb7bc0fb400000000, 0x81ed8d9000000000,\n 0xdb1e0bfd00000000, 0xed4f89d900000000, 0x6ff8062600000000,\n 0x59a9840200000000, 0x035a026f00000000, 0x350b804b00000000,\n 0xe52ada6e00000000, 0xd37b584a00000000, 0x8988de2700000000,\n 0xbfd95c0300000000, 0x3d6ed3fc00000000, 0x0b3f51d800000000,\n 0x51ccd7b500000000, 0x679d559100000000, 0x14a5b99100000000,\n 0x22f43bb500000000, 0x7807bdd800000000, 0x4e563ffc00000000,\n 0xcce1b00300000000, 0xfab0322700000000, 0xa043b44a00000000,\n 0x9612366e00000000, 0x8c66d89600000000, 0xba375ab200000000,\n 0xe0c4dcdf00000000, 0xd6955efb00000000, 0x5422d10400000000,\n 0x6273532000000000, 0x3880d54d00000000, 0x0ed1576900000000,\n 0x7de9bb6900000000, 0x4bb8394d00000000, 0x114bbf2000000000,\n 0x271a3d0400000000, 0xa5adb2fb00000000, 0x93fc30df00000000,\n 0xc90fb6b200000000, 0xff5e349600000000, 0x2f7f6eb300000000,\n 0x192eec9700000000, 0x43dd6afa00000000, 0x758ce8de00000000,\n 0xf73b672100000000, 0xc16ae50500000000, 0x9b99636800000000,\n 0xadc8e14c00000000, 0xdef00d4c00000000, 0xe8a18f6800000000,\n 0xb252090500000000, 0x84038b2100000000, 0x06b404de00000000,\n 0x30e586fa00000000, 0x6a16009700000000, 0x5c4782b300000000,\n 0xca55b4dd00000000, 0xfc0436f900000000, 0xa6f7b09400000000,\n 0x90a632b000000000, 0x1211bd4f00000000, 0x24403f6b00000000,\n 0x7eb3b90600000000, 0x48e23b2200000000, 0x3bdad72200000000,\n 0x0d8b550600000000, 0x5778d36b00000000, 0x6129514f00000000,\n 0xe39edeb000000000, 0xd5cf5c9400000000, 0x8f3cdaf900000000,\n 0xb96d58dd00000000, 0x694c02f800000000, 0x5f1d80dc00000000,\n 0x05ee06b100000000, 0x33bf849500000000, 0xb1080b6a00000000,\n 0x8759894e00000000, 0xddaa0f2300000000, 0xebfb8d0700000000,\n 0x98c3610700000000, 0xae92e32300000000, 0xf461654e00000000,\n 0xc230e76a00000000, 0x4087689500000000, 0x76d6eab100000000,\n 0x2c256cdc00000000, 0x1a74eef800000000, 0x59cbc1f600000000,\n 0x6f9a43d200000000, 0x3569c5bf00000000, 0x0338479b00000000,\n 0x818fc86400000000, 0xb7de4a4000000000, 0xed2dcc2d00000000,\n 0xdb7c4e0900000000, 0xa844a20900000000, 0x9e15202d00000000,\n 0xc4e6a64000000000, 0xf2b7246400000000, 0x7000ab9b00000000,\n 0x465129bf00000000, 0x1ca2afd200000000, 0x2af32df600000000,\n 0xfad277d300000000, 0xcc83f5f700000000, 0x9670739a00000000,\n 0xa021f1be00000000, 0x22967e4100000000, 0x14c7fc6500000000,\n 0x4e347a0800000000, 0x7865f82c00000000, 0x0b5d142c00000000,\n 0x3d0c960800000000, 0x67ff106500000000, 0x51ae924100000000,\n 0xd3191dbe00000000, 0xe5489f9a00000000, 0xbfbb19f700000000,\n 0x89ea9bd300000000, 0x1ff8adbd00000000, 0x29a92f9900000000,\n 0x735aa9f400000000, 0x450b2bd000000000, 0xc7bca42f00000000,\n 0xf1ed260b00000000, 0xab1ea06600000000, 0x9d4f224200000000,\n 0xee77ce4200000000, 0xd8264c6600000000, 0x82d5ca0b00000000,\n 0xb484482f00000000, 0x3633c7d000000000, 0x006245f400000000,\n 0x5a91c39900000000, 0x6cc041bd00000000, 0xbce11b9800000000,\n 0x8ab099bc00000000, 0xd0431fd100000000, 0xe6129df500000000,\n 0x64a5120a00000000, 0x52f4902e00000000, 0x0807164300000000,\n 0x3e56946700000000, 0x4d6e786700000000, 0x7b3ffa4300000000,\n 0x21cc7c2e00000000, 0x179dfe0a00000000, 0x952a71f500000000,\n 0xa37bf3d100000000, 0xf98875bc00000000, 0xcfd9f79800000000,\n 0xd5ad196000000000, 0xe3fc9b4400000000, 0xb90f1d2900000000,\n 0x8f5e9f0d00000000, 0x0de910f200000000, 0x3bb892d600000000,\n 0x614b14bb00000000, 0x571a969f00000000, 0x24227a9f00000000,\n 0x1273f8bb00000000, 0x48807ed600000000, 0x7ed1fcf200000000,\n 0xfc66730d00000000, 0xca37f12900000000, 0x90c4774400000000,\n 0xa695f56000000000, 0x76b4af4500000000, 0x40e52d6100000000,\n 0x1a16ab0c00000000, 0x2c47292800000000, 0xaef0a6d700000000,\n 0x98a124f300000000, 0xc252a29e00000000, 0xf40320ba00000000,\n 0x873bccba00000000, 0xb16a4e9e00000000, 0xeb99c8f300000000,\n 0xddc84ad700000000, 0x5f7fc52800000000, 0x692e470c00000000,\n 0x33ddc16100000000, 0x058c434500000000, 0x939e752b00000000,\n 0xa5cff70f00000000, 0xff3c716200000000, 0xc96df34600000000,\n 0x4bda7cb900000000, 0x7d8bfe9d00000000, 0x277878f000000000,\n 0x1129fad400000000, 0x621116d400000000, 0x544094f000000000,\n 0x0eb3129d00000000, 0x38e290b900000000, 0xba551f4600000000,\n 0x8c049d6200000000, 0xd6f71b0f00000000, 0xe0a6992b00000000,\n 0x3087c30e00000000, 0x06d6412a00000000, 0x5c25c74700000000,\n 0x6a74456300000000, 0xe8c3ca9c00000000, 0xde9248b800000000,\n 0x8461ced500000000, 0xb2304cf100000000, 0xc108a0f100000000,\n 0xf75922d500000000, 0xadaaa4b800000000, 0x9bfb269c00000000,\n 0x194ca96300000000, 0x2f1d2b4700000000, 0x75eead2a00000000,\n 0x43bf2f0e00000000},\n {0x0000000000000000, 0xc8179ecf00000000, 0xd1294d4400000000,\n 0x193ed38b00000000, 0xa2539a8800000000, 0x6a44044700000000,\n 0x737ad7cc00000000, 0xbb6d490300000000, 0x05a145ca00000000,\n 0xcdb6db0500000000, 0xd488088e00000000, 0x1c9f964100000000,\n 0xa7f2df4200000000, 0x6fe5418d00000000, 0x76db920600000000,\n 0xbecc0cc900000000, 0x4b44fa4f00000000, 0x8353648000000000,\n 0x9a6db70b00000000, 0x527a29c400000000, 0xe91760c700000000,\n 0x2100fe0800000000, 0x383e2d8300000000, 0xf029b34c00000000,\n 0x4ee5bf8500000000, 0x86f2214a00000000, 0x9fccf2c100000000,\n 0x57db6c0e00000000, 0xecb6250d00000000, 0x24a1bbc200000000,\n 0x3d9f684900000000, 0xf588f68600000000, 0x9688f49f00000000,\n 0x5e9f6a5000000000, 0x47a1b9db00000000, 0x8fb6271400000000,\n 0x34db6e1700000000, 0xfcccf0d800000000, 0xe5f2235300000000,\n 0x2de5bd9c00000000, 0x9329b15500000000, 0x5b3e2f9a00000000,\n 0x4200fc1100000000, 0x8a1762de00000000, 0x317a2bdd00000000,\n 0xf96db51200000000, 0xe053669900000000, 0x2844f85600000000,\n 0xddcc0ed000000000, 0x15db901f00000000, 0x0ce5439400000000,\n 0xc4f2dd5b00000000, 0x7f9f945800000000, 0xb7880a9700000000,\n 0xaeb6d91c00000000, 0x66a147d300000000, 0xd86d4b1a00000000,\n 0x107ad5d500000000, 0x0944065e00000000, 0xc153989100000000,\n 0x7a3ed19200000000, 0xb2294f5d00000000, 0xab179cd600000000,\n 0x6300021900000000, 0x6d1798e400000000, 0xa500062b00000000,\n 0xbc3ed5a000000000, 0x74294b6f00000000, 0xcf44026c00000000,\n 0x07539ca300000000, 0x1e6d4f2800000000, 0xd67ad1e700000000,\n 0x68b6dd2e00000000, 0xa0a143e100000000, 0xb99f906a00000000,\n 0x71880ea500000000, 0xcae547a600000000, 0x02f2d96900000000,\n 0x1bcc0ae200000000, 0xd3db942d00000000, 0x265362ab00000000,\n 0xee44fc6400000000, 0xf77a2fef00000000, 0x3f6db12000000000,\n 0x8400f82300000000, 0x4c1766ec00000000, 0x5529b56700000000,\n 0x9d3e2ba800000000, 0x23f2276100000000, 0xebe5b9ae00000000,\n 0xf2db6a2500000000, 0x3accf4ea00000000, 0x81a1bde900000000,\n 0x49b6232600000000, 0x5088f0ad00000000, 0x989f6e6200000000,\n 0xfb9f6c7b00000000, 0x3388f2b400000000, 0x2ab6213f00000000,\n 0xe2a1bff000000000, 0x59ccf6f300000000, 0x91db683c00000000,\n 0x88e5bbb700000000, 0x40f2257800000000, 0xfe3e29b100000000,\n 0x3629b77e00000000, 0x2f1764f500000000, 0xe700fa3a00000000,\n 0x5c6db33900000000, 0x947a2df600000000, 0x8d44fe7d00000000,\n 0x455360b200000000, 0xb0db963400000000, 0x78cc08fb00000000,\n 0x61f2db7000000000, 0xa9e545bf00000000, 0x12880cbc00000000,\n 0xda9f927300000000, 0xc3a141f800000000, 0x0bb6df3700000000,\n 0xb57ad3fe00000000, 0x7d6d4d3100000000, 0x64539eba00000000,\n 0xac44007500000000, 0x1729497600000000, 0xdf3ed7b900000000,\n 0xc600043200000000, 0x0e179afd00000000, 0x9b28411200000000,\n 0x533fdfdd00000000, 0x4a010c5600000000, 0x8216929900000000,\n 0x397bdb9a00000000, 0xf16c455500000000, 0xe85296de00000000,\n 0x2045081100000000, 0x9e8904d800000000, 0x569e9a1700000000,\n 0x4fa0499c00000000, 0x87b7d75300000000, 0x3cda9e5000000000,\n 0xf4cd009f00000000, 0xedf3d31400000000, 0x25e44ddb00000000,\n 0xd06cbb5d00000000, 0x187b259200000000, 0x0145f61900000000,\n 0xc95268d600000000, 0x723f21d500000000, 0xba28bf1a00000000,\n 0xa3166c9100000000, 0x6b01f25e00000000, 0xd5cdfe9700000000,\n 0x1dda605800000000, 0x04e4b3d300000000, 0xccf32d1c00000000,\n 0x779e641f00000000, 0xbf89fad000000000, 0xa6b7295b00000000,\n 0x6ea0b79400000000, 0x0da0b58d00000000, 0xc5b72b4200000000,\n 0xdc89f8c900000000, 0x149e660600000000, 0xaff32f0500000000,\n 0x67e4b1ca00000000, 0x7eda624100000000, 0xb6cdfc8e00000000,\n 0x0801f04700000000, 0xc0166e8800000000, 0xd928bd0300000000,\n 0x113f23cc00000000, 0xaa526acf00000000, 0x6245f40000000000,\n 0x7b7b278b00000000, 0xb36cb94400000000, 0x46e44fc200000000,\n 0x8ef3d10d00000000, 0x97cd028600000000, 0x5fda9c4900000000,\n 0xe4b7d54a00000000, 0x2ca04b8500000000, 0x359e980e00000000,\n 0xfd8906c100000000, 0x43450a0800000000, 0x8b5294c700000000,\n 0x926c474c00000000, 0x5a7bd98300000000, 0xe116908000000000,\n 0x29010e4f00000000, 0x303fddc400000000, 0xf828430b00000000,\n 0xf63fd9f600000000, 0x3e28473900000000, 0x271694b200000000,\n 0xef010a7d00000000, 0x546c437e00000000, 0x9c7bddb100000000,\n 0x85450e3a00000000, 0x4d5290f500000000, 0xf39e9c3c00000000,\n 0x3b8902f300000000, 0x22b7d17800000000, 0xeaa04fb700000000,\n 0x51cd06b400000000, 0x99da987b00000000, 0x80e44bf000000000,\n 0x48f3d53f00000000, 0xbd7b23b900000000, 0x756cbd7600000000,\n 0x6c526efd00000000, 0xa445f03200000000, 0x1f28b93100000000,\n 0xd73f27fe00000000, 0xce01f47500000000, 0x06166aba00000000,\n 0xb8da667300000000, 0x70cdf8bc00000000, 0x69f32b3700000000,\n 0xa1e4b5f800000000, 0x1a89fcfb00000000, 0xd29e623400000000,\n 0xcba0b1bf00000000, 0x03b72f7000000000, 0x60b72d6900000000,\n 0xa8a0b3a600000000, 0xb19e602d00000000, 0x7989fee200000000,\n 0xc2e4b7e100000000, 0x0af3292e00000000, 0x13cdfaa500000000,\n 0xdbda646a00000000, 0x651668a300000000, 0xad01f66c00000000,\n 0xb43f25e700000000, 0x7c28bb2800000000, 0xc745f22b00000000,\n 0x0f526ce400000000, 0x166cbf6f00000000, 0xde7b21a000000000,\n 0x2bf3d72600000000, 0xe3e449e900000000, 0xfada9a6200000000,\n 0x32cd04ad00000000, 0x89a04dae00000000, 0x41b7d36100000000,\n 0x588900ea00000000, 0x909e9e2500000000, 0x2e5292ec00000000,\n 0xe6450c2300000000, 0xff7bdfa800000000, 0x376c416700000000,\n 0x8c01086400000000, 0x441696ab00000000, 0x5d28452000000000,\n 0x953fdbef00000000},\n {0x0000000000000000, 0x95d4709500000000, 0x6baf90f100000000,\n 0xfe7be06400000000, 0x9758503800000000, 0x028c20ad00000000,\n 0xfcf7c0c900000000, 0x6923b05c00000000, 0x2eb1a07000000000,\n 0xbb65d0e500000000, 0x451e308100000000, 0xd0ca401400000000,\n 0xb9e9f04800000000, 0x2c3d80dd00000000, 0xd24660b900000000,\n 0x4792102c00000000, 0x5c6241e100000000, 0xc9b6317400000000,\n 0x37cdd11000000000, 0xa219a18500000000, 0xcb3a11d900000000,\n 0x5eee614c00000000, 0xa095812800000000, 0x3541f1bd00000000,\n 0x72d3e19100000000, 0xe707910400000000, 0x197c716000000000,\n 0x8ca801f500000000, 0xe58bb1a900000000, 0x705fc13c00000000,\n 0x8e24215800000000, 0x1bf051cd00000000, 0xf9c2f31900000000,\n 0x6c16838c00000000, 0x926d63e800000000, 0x07b9137d00000000,\n 0x6e9aa32100000000, 0xfb4ed3b400000000, 0x053533d000000000,\n 0x90e1434500000000, 0xd773536900000000, 0x42a723fc00000000,\n 0xbcdcc39800000000, 0x2908b30d00000000, 0x402b035100000000,\n 0xd5ff73c400000000, 0x2b8493a000000000, 0xbe50e33500000000,\n 0xa5a0b2f800000000, 0x3074c26d00000000, 0xce0f220900000000,\n 0x5bdb529c00000000, 0x32f8e2c000000000, 0xa72c925500000000,\n 0x5957723100000000, 0xcc8302a400000000, 0x8b11128800000000,\n 0x1ec5621d00000000, 0xe0be827900000000, 0x756af2ec00000000,\n 0x1c4942b000000000, 0x899d322500000000, 0x77e6d24100000000,\n 0xe232a2d400000000, 0xf285e73300000000, 0x675197a600000000,\n 0x992a77c200000000, 0x0cfe075700000000, 0x65ddb70b00000000,\n 0xf009c79e00000000, 0x0e7227fa00000000, 0x9ba6576f00000000,\n 0xdc34474300000000, 0x49e037d600000000, 0xb79bd7b200000000,\n 0x224fa72700000000, 0x4b6c177b00000000, 0xdeb867ee00000000,\n 0x20c3878a00000000, 0xb517f71f00000000, 0xaee7a6d200000000,\n 0x3b33d64700000000, 0xc548362300000000, 0x509c46b600000000,\n 0x39bff6ea00000000, 0xac6b867f00000000, 0x5210661b00000000,\n 0xc7c4168e00000000, 0x805606a200000000, 0x1582763700000000,\n 0xebf9965300000000, 0x7e2de6c600000000, 0x170e569a00000000,\n 0x82da260f00000000, 0x7ca1c66b00000000, 0xe975b6fe00000000,\n 0x0b47142a00000000, 0x9e9364bf00000000, 0x60e884db00000000,\n 0xf53cf44e00000000, 0x9c1f441200000000, 0x09cb348700000000,\n 0xf7b0d4e300000000, 0x6264a47600000000, 0x25f6b45a00000000,\n 0xb022c4cf00000000, 0x4e5924ab00000000, 0xdb8d543e00000000,\n 0xb2aee46200000000, 0x277a94f700000000, 0xd901749300000000,\n 0x4cd5040600000000, 0x572555cb00000000, 0xc2f1255e00000000,\n 0x3c8ac53a00000000, 0xa95eb5af00000000, 0xc07d05f300000000,\n 0x55a9756600000000, 0xabd2950200000000, 0x3e06e59700000000,\n 0x7994f5bb00000000, 0xec40852e00000000, 0x123b654a00000000,\n 0x87ef15df00000000, 0xeecca58300000000, 0x7b18d51600000000,\n 0x8563357200000000, 0x10b745e700000000, 0xe40bcf6700000000,\n 0x71dfbff200000000, 0x8fa45f9600000000, 0x1a702f0300000000,\n 0x73539f5f00000000, 0xe687efca00000000, 0x18fc0fae00000000,\n 0x8d287f3b00000000, 0xcaba6f1700000000, 0x5f6e1f8200000000,\n 0xa115ffe600000000, 0x34c18f7300000000, 0x5de23f2f00000000,\n 0xc8364fba00000000, 0x364dafde00000000, 0xa399df4b00000000,\n 0xb8698e8600000000, 0x2dbdfe1300000000, 0xd3c61e7700000000,\n 0x46126ee200000000, 0x2f31debe00000000, 0xbae5ae2b00000000,\n 0x449e4e4f00000000, 0xd14a3eda00000000, 0x96d82ef600000000,\n 0x030c5e6300000000, 0xfd77be0700000000, 0x68a3ce9200000000,\n 0x01807ece00000000, 0x94540e5b00000000, 0x6a2fee3f00000000,\n 0xfffb9eaa00000000, 0x1dc93c7e00000000, 0x881d4ceb00000000,\n 0x7666ac8f00000000, 0xe3b2dc1a00000000, 0x8a916c4600000000,\n 0x1f451cd300000000, 0xe13efcb700000000, 0x74ea8c2200000000,\n 0x33789c0e00000000, 0xa6acec9b00000000, 0x58d70cff00000000,\n 0xcd037c6a00000000, 0xa420cc3600000000, 0x31f4bca300000000,\n 0xcf8f5cc700000000, 0x5a5b2c5200000000, 0x41ab7d9f00000000,\n 0xd47f0d0a00000000, 0x2a04ed6e00000000, 0xbfd09dfb00000000,\n 0xd6f32da700000000, 0x43275d3200000000, 0xbd5cbd5600000000,\n 0x2888cdc300000000, 0x6f1addef00000000, 0xfacead7a00000000,\n 0x04b54d1e00000000, 0x91613d8b00000000, 0xf8428dd700000000,\n 0x6d96fd4200000000, 0x93ed1d2600000000, 0x06396db300000000,\n 0x168e285400000000, 0x835a58c100000000, 0x7d21b8a500000000,\n 0xe8f5c83000000000, 0x81d6786c00000000, 0x140208f900000000,\n 0xea79e89d00000000, 0x7fad980800000000, 0x383f882400000000,\n 0xadebf8b100000000, 0x539018d500000000, 0xc644684000000000,\n 0xaf67d81c00000000, 0x3ab3a88900000000, 0xc4c848ed00000000,\n 0x511c387800000000, 0x4aec69b500000000, 0xdf38192000000000,\n 0x2143f94400000000, 0xb49789d100000000, 0xddb4398d00000000,\n 0x4860491800000000, 0xb61ba97c00000000, 0x23cfd9e900000000,\n 0x645dc9c500000000, 0xf189b95000000000, 0x0ff2593400000000,\n 0x9a2629a100000000, 0xf30599fd00000000, 0x66d1e96800000000,\n 0x98aa090c00000000, 0x0d7e799900000000, 0xef4cdb4d00000000,\n 0x7a98abd800000000, 0x84e34bbc00000000, 0x11373b2900000000,\n 0x78148b7500000000, 0xedc0fbe000000000, 0x13bb1b8400000000,\n 0x866f6b1100000000, 0xc1fd7b3d00000000, 0x54290ba800000000,\n 0xaa52ebcc00000000, 0x3f869b5900000000, 0x56a52b0500000000,\n 0xc3715b9000000000, 0x3d0abbf400000000, 0xa8decb6100000000,\n 0xb32e9aac00000000, 0x26faea3900000000, 0xd8810a5d00000000,\n 0x4d557ac800000000, 0x2476ca9400000000, 0xb1a2ba0100000000,\n 0x4fd95a6500000000, 0xda0d2af000000000, 0x9d9f3adc00000000,\n 0x084b4a4900000000, 0xf630aa2d00000000, 0x63e4dab800000000,\n 0x0ac76ae400000000, 0x9f131a7100000000, 0x6168fa1500000000,\n 0xf4bc8a8000000000},\n {0x0000000000000000, 0x1f17f08000000000, 0x7f2891da00000000,\n 0x603f615a00000000, 0xbf56536e00000000, 0xa041a3ee00000000,\n 0xc07ec2b400000000, 0xdf69323400000000, 0x7eada6dc00000000,\n 0x61ba565c00000000, 0x0185370600000000, 0x1e92c78600000000,\n 0xc1fbf5b200000000, 0xdeec053200000000, 0xbed3646800000000,\n 0xa1c494e800000000, 0xbd5c3c6200000000, 0xa24bcce200000000,\n 0xc274adb800000000, 0xdd635d3800000000, 0x020a6f0c00000000,\n 0x1d1d9f8c00000000, 0x7d22fed600000000, 0x62350e5600000000,\n 0xc3f19abe00000000, 0xdce66a3e00000000, 0xbcd90b6400000000,\n 0xa3cefbe400000000, 0x7ca7c9d000000000, 0x63b0395000000000,\n 0x038f580a00000000, 0x1c98a88a00000000, 0x7ab978c400000000,\n 0x65ae884400000000, 0x0591e91e00000000, 0x1a86199e00000000,\n 0xc5ef2baa00000000, 0xdaf8db2a00000000, 0xbac7ba7000000000,\n 0xa5d04af000000000, 0x0414de1800000000, 0x1b032e9800000000,\n 0x7b3c4fc200000000, 0x642bbf4200000000, 0xbb428d7600000000,\n 0xa4557df600000000, 0xc46a1cac00000000, 0xdb7dec2c00000000,\n 0xc7e544a600000000, 0xd8f2b42600000000, 0xb8cdd57c00000000,\n 0xa7da25fc00000000, 0x78b317c800000000, 0x67a4e74800000000,\n 0x079b861200000000, 0x188c769200000000, 0xb948e27a00000000,\n 0xa65f12fa00000000, 0xc66073a000000000, 0xd977832000000000,\n 0x061eb11400000000, 0x1909419400000000, 0x793620ce00000000,\n 0x6621d04e00000000, 0xb574805300000000, 0xaa6370d300000000,\n 0xca5c118900000000, 0xd54be10900000000, 0x0a22d33d00000000,\n 0x153523bd00000000, 0x750a42e700000000, 0x6a1db26700000000,\n 0xcbd9268f00000000, 0xd4ced60f00000000, 0xb4f1b75500000000,\n 0xabe647d500000000, 0x748f75e100000000, 0x6b98856100000000,\n 0x0ba7e43b00000000, 0x14b014bb00000000, 0x0828bc3100000000,\n 0x173f4cb100000000, 0x77002deb00000000, 0x6817dd6b00000000,\n 0xb77eef5f00000000, 0xa8691fdf00000000, 0xc8567e8500000000,\n 0xd7418e0500000000, 0x76851aed00000000, 0x6992ea6d00000000,\n 0x09ad8b3700000000, 0x16ba7bb700000000, 0xc9d3498300000000,\n 0xd6c4b90300000000, 0xb6fbd85900000000, 0xa9ec28d900000000,\n 0xcfcdf89700000000, 0xd0da081700000000, 0xb0e5694d00000000,\n 0xaff299cd00000000, 0x709babf900000000, 0x6f8c5b7900000000,\n 0x0fb33a2300000000, 0x10a4caa300000000, 0xb1605e4b00000000,\n 0xae77aecb00000000, 0xce48cf9100000000, 0xd15f3f1100000000,\n 0x0e360d2500000000, 0x1121fda500000000, 0x711e9cff00000000,\n 0x6e096c7f00000000, 0x7291c4f500000000, 0x6d86347500000000,\n 0x0db9552f00000000, 0x12aea5af00000000, 0xcdc7979b00000000,\n 0xd2d0671b00000000, 0xb2ef064100000000, 0xadf8f6c100000000,\n 0x0c3c622900000000, 0x132b92a900000000, 0x7314f3f300000000,\n 0x6c03037300000000, 0xb36a314700000000, 0xac7dc1c700000000,\n 0xcc42a09d00000000, 0xd355501d00000000, 0x6ae900a700000000,\n 0x75fef02700000000, 0x15c1917d00000000, 0x0ad661fd00000000,\n 0xd5bf53c900000000, 0xcaa8a34900000000, 0xaa97c21300000000,\n 0xb580329300000000, 0x1444a67b00000000, 0x0b5356fb00000000,\n 0x6b6c37a100000000, 0x747bc72100000000, 0xab12f51500000000,\n 0xb405059500000000, 0xd43a64cf00000000, 0xcb2d944f00000000,\n 0xd7b53cc500000000, 0xc8a2cc4500000000, 0xa89dad1f00000000,\n 0xb78a5d9f00000000, 0x68e36fab00000000, 0x77f49f2b00000000,\n 0x17cbfe7100000000, 0x08dc0ef100000000, 0xa9189a1900000000,\n 0xb60f6a9900000000, 0xd6300bc300000000, 0xc927fb4300000000,\n 0x164ec97700000000, 0x095939f700000000, 0x696658ad00000000,\n 0x7671a82d00000000, 0x1050786300000000, 0x0f4788e300000000,\n 0x6f78e9b900000000, 0x706f193900000000, 0xaf062b0d00000000,\n 0xb011db8d00000000, 0xd02ebad700000000, 0xcf394a5700000000,\n 0x6efddebf00000000, 0x71ea2e3f00000000, 0x11d54f6500000000,\n 0x0ec2bfe500000000, 0xd1ab8dd100000000, 0xcebc7d5100000000,\n 0xae831c0b00000000, 0xb194ec8b00000000, 0xad0c440100000000,\n 0xb21bb48100000000, 0xd224d5db00000000, 0xcd33255b00000000,\n 0x125a176f00000000, 0x0d4de7ef00000000, 0x6d7286b500000000,\n 0x7265763500000000, 0xd3a1e2dd00000000, 0xccb6125d00000000,\n 0xac89730700000000, 0xb39e838700000000, 0x6cf7b1b300000000,\n 0x73e0413300000000, 0x13df206900000000, 0x0cc8d0e900000000,\n 0xdf9d80f400000000, 0xc08a707400000000, 0xa0b5112e00000000,\n 0xbfa2e1ae00000000, 0x60cbd39a00000000, 0x7fdc231a00000000,\n 0x1fe3424000000000, 0x00f4b2c000000000, 0xa130262800000000,\n 0xbe27d6a800000000, 0xde18b7f200000000, 0xc10f477200000000,\n 0x1e66754600000000, 0x017185c600000000, 0x614ee49c00000000,\n 0x7e59141c00000000, 0x62c1bc9600000000, 0x7dd64c1600000000,\n 0x1de92d4c00000000, 0x02feddcc00000000, 0xdd97eff800000000,\n 0xc2801f7800000000, 0xa2bf7e2200000000, 0xbda88ea200000000,\n 0x1c6c1a4a00000000, 0x037beaca00000000, 0x63448b9000000000,\n 0x7c537b1000000000, 0xa33a492400000000, 0xbc2db9a400000000,\n 0xdc12d8fe00000000, 0xc305287e00000000, 0xa524f83000000000,\n 0xba3308b000000000, 0xda0c69ea00000000, 0xc51b996a00000000,\n 0x1a72ab5e00000000, 0x05655bde00000000, 0x655a3a8400000000,\n 0x7a4dca0400000000, 0xdb895eec00000000, 0xc49eae6c00000000,\n 0xa4a1cf3600000000, 0xbbb63fb600000000, 0x64df0d8200000000,\n 0x7bc8fd0200000000, 0x1bf79c5800000000, 0x04e06cd800000000,\n 0x1878c45200000000, 0x076f34d200000000, 0x6750558800000000,\n 0x7847a50800000000, 0xa72e973c00000000, 0xb83967bc00000000,\n 0xd80606e600000000, 0xc711f66600000000, 0x66d5628e00000000,\n 0x79c2920e00000000, 0x19fdf35400000000, 0x06ea03d400000000,\n 0xd98331e000000000, 0xc694c16000000000, 0xa6aba03a00000000,\n 0xb9bc50ba00000000},\n {0x0000000000000000, 0xe2fd888d00000000, 0x85fd60c000000000,\n 0x6700e84d00000000, 0x4bfdb05b00000000, 0xa90038d600000000,\n 0xce00d09b00000000, 0x2cfd581600000000, 0x96fa61b700000000,\n 0x7407e93a00000000, 0x1307017700000000, 0xf1fa89fa00000000,\n 0xdd07d1ec00000000, 0x3ffa596100000000, 0x58fab12c00000000,\n 0xba0739a100000000, 0x6df3b2b500000000, 0x8f0e3a3800000000,\n 0xe80ed27500000000, 0x0af35af800000000, 0x260e02ee00000000,\n 0xc4f38a6300000000, 0xa3f3622e00000000, 0x410eeaa300000000,\n 0xfb09d30200000000, 0x19f45b8f00000000, 0x7ef4b3c200000000,\n 0x9c093b4f00000000, 0xb0f4635900000000, 0x5209ebd400000000,\n 0x3509039900000000, 0xd7f48b1400000000, 0x9be014b000000000,\n 0x791d9c3d00000000, 0x1e1d747000000000, 0xfce0fcfd00000000,\n 0xd01da4eb00000000, 0x32e02c6600000000, 0x55e0c42b00000000,\n 0xb71d4ca600000000, 0x0d1a750700000000, 0xefe7fd8a00000000,\n 0x88e715c700000000, 0x6a1a9d4a00000000, 0x46e7c55c00000000,\n 0xa41a4dd100000000, 0xc31aa59c00000000, 0x21e72d1100000000,\n 0xf613a60500000000, 0x14ee2e8800000000, 0x73eec6c500000000,\n 0x91134e4800000000, 0xbdee165e00000000, 0x5f139ed300000000,\n 0x3813769e00000000, 0xdaeefe1300000000, 0x60e9c7b200000000,\n 0x82144f3f00000000, 0xe514a77200000000, 0x07e92fff00000000,\n 0x2b1477e900000000, 0xc9e9ff6400000000, 0xaee9172900000000,\n 0x4c149fa400000000, 0x77c758bb00000000, 0x953ad03600000000,\n 0xf23a387b00000000, 0x10c7b0f600000000, 0x3c3ae8e000000000,\n 0xdec7606d00000000, 0xb9c7882000000000, 0x5b3a00ad00000000,\n 0xe13d390c00000000, 0x03c0b18100000000, 0x64c059cc00000000,\n 0x863dd14100000000, 0xaac0895700000000, 0x483d01da00000000,\n 0x2f3de99700000000, 0xcdc0611a00000000, 0x1a34ea0e00000000,\n 0xf8c9628300000000, 0x9fc98ace00000000, 0x7d34024300000000,\n 0x51c95a5500000000, 0xb334d2d800000000, 0xd4343a9500000000,\n 0x36c9b21800000000, 0x8cce8bb900000000, 0x6e33033400000000,\n 0x0933eb7900000000, 0xebce63f400000000, 0xc7333be200000000,\n 0x25ceb36f00000000, 0x42ce5b2200000000, 0xa033d3af00000000,\n 0xec274c0b00000000, 0x0edac48600000000, 0x69da2ccb00000000,\n 0x8b27a44600000000, 0xa7dafc5000000000, 0x452774dd00000000,\n 0x22279c9000000000, 0xc0da141d00000000, 0x7add2dbc00000000,\n 0x9820a53100000000, 0xff204d7c00000000, 0x1dddc5f100000000,\n 0x31209de700000000, 0xd3dd156a00000000, 0xb4ddfd2700000000,\n 0x562075aa00000000, 0x81d4febe00000000, 0x6329763300000000,\n 0x04299e7e00000000, 0xe6d416f300000000, 0xca294ee500000000,\n 0x28d4c66800000000, 0x4fd42e2500000000, 0xad29a6a800000000,\n 0x172e9f0900000000, 0xf5d3178400000000, 0x92d3ffc900000000,\n 0x702e774400000000, 0x5cd32f5200000000, 0xbe2ea7df00000000,\n 0xd92e4f9200000000, 0x3bd3c71f00000000, 0xaf88c0ad00000000,\n 0x4d75482000000000, 0x2a75a06d00000000, 0xc88828e000000000,\n 0xe47570f600000000, 0x0688f87b00000000, 0x6188103600000000,\n 0x837598bb00000000, 0x3972a11a00000000, 0xdb8f299700000000,\n 0xbc8fc1da00000000, 0x5e72495700000000, 0x728f114100000000,\n 0x907299cc00000000, 0xf772718100000000, 0x158ff90c00000000,\n 0xc27b721800000000, 0x2086fa9500000000, 0x478612d800000000,\n 0xa57b9a5500000000, 0x8986c24300000000, 0x6b7b4ace00000000,\n 0x0c7ba28300000000, 0xee862a0e00000000, 0x548113af00000000,\n 0xb67c9b2200000000, 0xd17c736f00000000, 0x3381fbe200000000,\n 0x1f7ca3f400000000, 0xfd812b7900000000, 0x9a81c33400000000,\n 0x787c4bb900000000, 0x3468d41d00000000, 0xd6955c9000000000,\n 0xb195b4dd00000000, 0x53683c5000000000, 0x7f95644600000000,\n 0x9d68eccb00000000, 0xfa68048600000000, 0x18958c0b00000000,\n 0xa292b5aa00000000, 0x406f3d2700000000, 0x276fd56a00000000,\n 0xc5925de700000000, 0xe96f05f100000000, 0x0b928d7c00000000,\n 0x6c92653100000000, 0x8e6fedbc00000000, 0x599b66a800000000,\n 0xbb66ee2500000000, 0xdc66066800000000, 0x3e9b8ee500000000,\n 0x1266d6f300000000, 0xf09b5e7e00000000, 0x979bb63300000000,\n 0x75663ebe00000000, 0xcf61071f00000000, 0x2d9c8f9200000000,\n 0x4a9c67df00000000, 0xa861ef5200000000, 0x849cb74400000000,\n 0x66613fc900000000, 0x0161d78400000000, 0xe39c5f0900000000,\n 0xd84f981600000000, 0x3ab2109b00000000, 0x5db2f8d600000000,\n 0xbf4f705b00000000, 0x93b2284d00000000, 0x714fa0c000000000,\n 0x164f488d00000000, 0xf4b2c00000000000, 0x4eb5f9a100000000,\n 0xac48712c00000000, 0xcb48996100000000, 0x29b511ec00000000,\n 0x054849fa00000000, 0xe7b5c17700000000, 0x80b5293a00000000,\n 0x6248a1b700000000, 0xb5bc2aa300000000, 0x5741a22e00000000,\n 0x30414a6300000000, 0xd2bcc2ee00000000, 0xfe419af800000000,\n 0x1cbc127500000000, 0x7bbcfa3800000000, 0x994172b500000000,\n 0x23464b1400000000, 0xc1bbc39900000000, 0xa6bb2bd400000000,\n 0x4446a35900000000, 0x68bbfb4f00000000, 0x8a4673c200000000,\n 0xed469b8f00000000, 0x0fbb130200000000, 0x43af8ca600000000,\n 0xa152042b00000000, 0xc652ec6600000000, 0x24af64eb00000000,\n 0x08523cfd00000000, 0xeaafb47000000000, 0x8daf5c3d00000000,\n 0x6f52d4b000000000, 0xd555ed1100000000, 0x37a8659c00000000,\n 0x50a88dd100000000, 0xb255055c00000000, 0x9ea85d4a00000000,\n 0x7c55d5c700000000, 0x1b553d8a00000000, 0xf9a8b50700000000,\n 0x2e5c3e1300000000, 0xcca1b69e00000000, 0xaba15ed300000000,\n 0x495cd65e00000000, 0x65a18e4800000000, 0x875c06c500000000,\n 0xe05cee8800000000, 0x02a1660500000000, 0xb8a65fa400000000,\n 0x5a5bd72900000000, 0x3d5b3f6400000000, 0xdfa6b7e900000000,\n 0xf35befff00000000, 0x11a6677200000000, 0x76a68f3f00000000,\n 0x945b07b200000000},\n {0x0000000000000000, 0xa90b894e00000000, 0x5217129d00000000,\n 0xfb1c9bd300000000, 0xe52855e100000000, 0x4c23dcaf00000000,\n 0xb73f477c00000000, 0x1e34ce3200000000, 0x8b57db1900000000,\n 0x225c525700000000, 0xd940c98400000000, 0x704b40ca00000000,\n 0x6e7f8ef800000000, 0xc77407b600000000, 0x3c689c6500000000,\n 0x9563152b00000000, 0x16afb63300000000, 0xbfa43f7d00000000,\n 0x44b8a4ae00000000, 0xedb32de000000000, 0xf387e3d200000000,\n 0x5a8c6a9c00000000, 0xa190f14f00000000, 0x089b780100000000,\n 0x9df86d2a00000000, 0x34f3e46400000000, 0xcfef7fb700000000,\n 0x66e4f6f900000000, 0x78d038cb00000000, 0xd1dbb18500000000,\n 0x2ac72a5600000000, 0x83cca31800000000, 0x2c5e6d6700000000,\n 0x8555e42900000000, 0x7e497ffa00000000, 0xd742f6b400000000,\n 0xc976388600000000, 0x607db1c800000000, 0x9b612a1b00000000,\n 0x326aa35500000000, 0xa709b67e00000000, 0x0e023f3000000000,\n 0xf51ea4e300000000, 0x5c152dad00000000, 0x4221e39f00000000,\n 0xeb2a6ad100000000, 0x1036f10200000000, 0xb93d784c00000000,\n 0x3af1db5400000000, 0x93fa521a00000000, 0x68e6c9c900000000,\n 0xc1ed408700000000, 0xdfd98eb500000000, 0x76d207fb00000000,\n 0x8dce9c2800000000, 0x24c5156600000000, 0xb1a6004d00000000,\n 0x18ad890300000000, 0xe3b112d000000000, 0x4aba9b9e00000000,\n 0x548e55ac00000000, 0xfd85dce200000000, 0x0699473100000000,\n 0xaf92ce7f00000000, 0x58bcdace00000000, 0xf1b7538000000000,\n 0x0aabc85300000000, 0xa3a0411d00000000, 0xbd948f2f00000000,\n 0x149f066100000000, 0xef839db200000000, 0x468814fc00000000,\n 0xd3eb01d700000000, 0x7ae0889900000000, 0x81fc134a00000000,\n 0x28f79a0400000000, 0x36c3543600000000, 0x9fc8dd7800000000,\n 0x64d446ab00000000, 0xcddfcfe500000000, 0x4e136cfd00000000,\n 0xe718e5b300000000, 0x1c047e6000000000, 0xb50ff72e00000000,\n 0xab3b391c00000000, 0x0230b05200000000, 0xf92c2b8100000000,\n 0x5027a2cf00000000, 0xc544b7e400000000, 0x6c4f3eaa00000000,\n 0x9753a57900000000, 0x3e582c3700000000, 0x206ce20500000000,\n 0x89676b4b00000000, 0x727bf09800000000, 0xdb7079d600000000,\n 0x74e2b7a900000000, 0xdde93ee700000000, 0x26f5a53400000000,\n 0x8ffe2c7a00000000, 0x91cae24800000000, 0x38c16b0600000000,\n 0xc3ddf0d500000000, 0x6ad6799b00000000, 0xffb56cb000000000,\n 0x56bee5fe00000000, 0xada27e2d00000000, 0x04a9f76300000000,\n 0x1a9d395100000000, 0xb396b01f00000000, 0x488a2bcc00000000,\n 0xe181a28200000000, 0x624d019a00000000, 0xcb4688d400000000,\n 0x305a130700000000, 0x99519a4900000000, 0x8765547b00000000,\n 0x2e6edd3500000000, 0xd57246e600000000, 0x7c79cfa800000000,\n 0xe91ada8300000000, 0x401153cd00000000, 0xbb0dc81e00000000,\n 0x1206415000000000, 0x0c328f6200000000, 0xa539062c00000000,\n 0x5e259dff00000000, 0xf72e14b100000000, 0xf17ec44600000000,\n 0x58754d0800000000, 0xa369d6db00000000, 0x0a625f9500000000,\n 0x145691a700000000, 0xbd5d18e900000000, 0x4641833a00000000,\n 0xef4a0a7400000000, 0x7a291f5f00000000, 0xd322961100000000,\n 0x283e0dc200000000, 0x8135848c00000000, 0x9f014abe00000000,\n 0x360ac3f000000000, 0xcd16582300000000, 0x641dd16d00000000,\n 0xe7d1727500000000, 0x4edafb3b00000000, 0xb5c660e800000000,\n 0x1ccde9a600000000, 0x02f9279400000000, 0xabf2aeda00000000,\n 0x50ee350900000000, 0xf9e5bc4700000000, 0x6c86a96c00000000,\n 0xc58d202200000000, 0x3e91bbf100000000, 0x979a32bf00000000,\n 0x89aefc8d00000000, 0x20a575c300000000, 0xdbb9ee1000000000,\n 0x72b2675e00000000, 0xdd20a92100000000, 0x742b206f00000000,\n 0x8f37bbbc00000000, 0x263c32f200000000, 0x3808fcc000000000,\n 0x9103758e00000000, 0x6a1fee5d00000000, 0xc314671300000000,\n 0x5677723800000000, 0xff7cfb7600000000, 0x046060a500000000,\n 0xad6be9eb00000000, 0xb35f27d900000000, 0x1a54ae9700000000,\n 0xe148354400000000, 0x4843bc0a00000000, 0xcb8f1f1200000000,\n 0x6284965c00000000, 0x99980d8f00000000, 0x309384c100000000,\n 0x2ea74af300000000, 0x87acc3bd00000000, 0x7cb0586e00000000,\n 0xd5bbd12000000000, 0x40d8c40b00000000, 0xe9d34d4500000000,\n 0x12cfd69600000000, 0xbbc45fd800000000, 0xa5f091ea00000000,\n 0x0cfb18a400000000, 0xf7e7837700000000, 0x5eec0a3900000000,\n 0xa9c21e8800000000, 0x00c997c600000000, 0xfbd50c1500000000,\n 0x52de855b00000000, 0x4cea4b6900000000, 0xe5e1c22700000000,\n 0x1efd59f400000000, 0xb7f6d0ba00000000, 0x2295c59100000000,\n 0x8b9e4cdf00000000, 0x7082d70c00000000, 0xd9895e4200000000,\n 0xc7bd907000000000, 0x6eb6193e00000000, 0x95aa82ed00000000,\n 0x3ca10ba300000000, 0xbf6da8bb00000000, 0x166621f500000000,\n 0xed7aba2600000000, 0x4471336800000000, 0x5a45fd5a00000000,\n 0xf34e741400000000, 0x0852efc700000000, 0xa159668900000000,\n 0x343a73a200000000, 0x9d31faec00000000, 0x662d613f00000000,\n 0xcf26e87100000000, 0xd112264300000000, 0x7819af0d00000000,\n 0x830534de00000000, 0x2a0ebd9000000000, 0x859c73ef00000000,\n 0x2c97faa100000000, 0xd78b617200000000, 0x7e80e83c00000000,\n 0x60b4260e00000000, 0xc9bfaf4000000000, 0x32a3349300000000,\n 0x9ba8bddd00000000, 0x0ecba8f600000000, 0xa7c021b800000000,\n 0x5cdcba6b00000000, 0xf5d7332500000000, 0xebe3fd1700000000,\n 0x42e8745900000000, 0xb9f4ef8a00000000, 0x10ff66c400000000,\n 0x9333c5dc00000000, 0x3a384c9200000000, 0xc124d74100000000,\n 0x682f5e0f00000000, 0x761b903d00000000, 0xdf10197300000000,\n 0x240c82a000000000, 0x8d070bee00000000, 0x18641ec500000000,\n 0xb16f978b00000000, 0x4a730c5800000000, 0xe378851600000000,\n 0xfd4c4b2400000000, 0x5447c26a00000000, 0xaf5b59b900000000,\n 0x0650d0f700000000},\n {0x0000000000000000, 0x479244af00000000, 0xcf22f88500000000,\n 0x88b0bc2a00000000, 0xdf4381d000000000, 0x98d1c57f00000000,\n 0x1061795500000000, 0x57f33dfa00000000, 0xff81737a00000000,\n 0xb81337d500000000, 0x30a38bff00000000, 0x7731cf5000000000,\n 0x20c2f2aa00000000, 0x6750b60500000000, 0xefe00a2f00000000,\n 0xa8724e8000000000, 0xfe03e7f400000000, 0xb991a35b00000000,\n 0x31211f7100000000, 0x76b35bde00000000, 0x2140662400000000,\n 0x66d2228b00000000, 0xee629ea100000000, 0xa9f0da0e00000000,\n 0x0182948e00000000, 0x4610d02100000000, 0xcea06c0b00000000,\n 0x893228a400000000, 0xdec1155e00000000, 0x995351f100000000,\n 0x11e3eddb00000000, 0x5671a97400000000, 0xbd01bf3200000000,\n 0xfa93fb9d00000000, 0x722347b700000000, 0x35b1031800000000,\n 0x62423ee200000000, 0x25d07a4d00000000, 0xad60c66700000000,\n 0xeaf282c800000000, 0x4280cc4800000000, 0x051288e700000000,\n 0x8da234cd00000000, 0xca30706200000000, 0x9dc34d9800000000,\n 0xda51093700000000, 0x52e1b51d00000000, 0x1573f1b200000000,\n 0x430258c600000000, 0x04901c6900000000, 0x8c20a04300000000,\n 0xcbb2e4ec00000000, 0x9c41d91600000000, 0xdbd39db900000000,\n 0x5363219300000000, 0x14f1653c00000000, 0xbc832bbc00000000,\n 0xfb116f1300000000, 0x73a1d33900000000, 0x3433979600000000,\n 0x63c0aa6c00000000, 0x2452eec300000000, 0xace252e900000000,\n 0xeb70164600000000, 0x7a037e6500000000, 0x3d913aca00000000,\n 0xb52186e000000000, 0xf2b3c24f00000000, 0xa540ffb500000000,\n 0xe2d2bb1a00000000, 0x6a62073000000000, 0x2df0439f00000000,\n 0x85820d1f00000000, 0xc21049b000000000, 0x4aa0f59a00000000,\n 0x0d32b13500000000, 0x5ac18ccf00000000, 0x1d53c86000000000,\n 0x95e3744a00000000, 0xd27130e500000000, 0x8400999100000000,\n 0xc392dd3e00000000, 0x4b22611400000000, 0x0cb025bb00000000,\n 0x5b43184100000000, 0x1cd15cee00000000, 0x9461e0c400000000,\n 0xd3f3a46b00000000, 0x7b81eaeb00000000, 0x3c13ae4400000000,\n 0xb4a3126e00000000, 0xf33156c100000000, 0xa4c26b3b00000000,\n 0xe3502f9400000000, 0x6be093be00000000, 0x2c72d71100000000,\n 0xc702c15700000000, 0x809085f800000000, 0x082039d200000000,\n 0x4fb27d7d00000000, 0x1841408700000000, 0x5fd3042800000000,\n 0xd763b80200000000, 0x90f1fcad00000000, 0x3883b22d00000000,\n 0x7f11f68200000000, 0xf7a14aa800000000, 0xb0330e0700000000,\n 0xe7c033fd00000000, 0xa052775200000000, 0x28e2cb7800000000,\n 0x6f708fd700000000, 0x390126a300000000, 0x7e93620c00000000,\n 0xf623de2600000000, 0xb1b19a8900000000, 0xe642a77300000000,\n 0xa1d0e3dc00000000, 0x29605ff600000000, 0x6ef21b5900000000,\n 0xc68055d900000000, 0x8112117600000000, 0x09a2ad5c00000000,\n 0x4e30e9f300000000, 0x19c3d40900000000, 0x5e5190a600000000,\n 0xd6e12c8c00000000, 0x9173682300000000, 0xf406fcca00000000,\n 0xb394b86500000000, 0x3b24044f00000000, 0x7cb640e000000000,\n 0x2b457d1a00000000, 0x6cd739b500000000, 0xe467859f00000000,\n 0xa3f5c13000000000, 0x0b878fb000000000, 0x4c15cb1f00000000,\n 0xc4a5773500000000, 0x8337339a00000000, 0xd4c40e6000000000,\n 0x93564acf00000000, 0x1be6f6e500000000, 0x5c74b24a00000000,\n 0x0a051b3e00000000, 0x4d975f9100000000, 0xc527e3bb00000000,\n 0x82b5a71400000000, 0xd5469aee00000000, 0x92d4de4100000000,\n 0x1a64626b00000000, 0x5df626c400000000, 0xf584684400000000,\n 0xb2162ceb00000000, 0x3aa690c100000000, 0x7d34d46e00000000,\n 0x2ac7e99400000000, 0x6d55ad3b00000000, 0xe5e5111100000000,\n 0xa27755be00000000, 0x490743f800000000, 0x0e95075700000000,\n 0x8625bb7d00000000, 0xc1b7ffd200000000, 0x9644c22800000000,\n 0xd1d6868700000000, 0x59663aad00000000, 0x1ef47e0200000000,\n 0xb686308200000000, 0xf114742d00000000, 0x79a4c80700000000,\n 0x3e368ca800000000, 0x69c5b15200000000, 0x2e57f5fd00000000,\n 0xa6e749d700000000, 0xe1750d7800000000, 0xb704a40c00000000,\n 0xf096e0a300000000, 0x78265c8900000000, 0x3fb4182600000000,\n 0x684725dc00000000, 0x2fd5617300000000, 0xa765dd5900000000,\n 0xe0f799f600000000, 0x4885d77600000000, 0x0f1793d900000000,\n 0x87a72ff300000000, 0xc0356b5c00000000, 0x97c656a600000000,\n 0xd054120900000000, 0x58e4ae2300000000, 0x1f76ea8c00000000,\n 0x8e0582af00000000, 0xc997c60000000000, 0x41277a2a00000000,\n 0x06b53e8500000000, 0x5146037f00000000, 0x16d447d000000000,\n 0x9e64fbfa00000000, 0xd9f6bf5500000000, 0x7184f1d500000000,\n 0x3616b57a00000000, 0xbea6095000000000, 0xf9344dff00000000,\n 0xaec7700500000000, 0xe95534aa00000000, 0x61e5888000000000,\n 0x2677cc2f00000000, 0x7006655b00000000, 0x379421f400000000,\n 0xbf249dde00000000, 0xf8b6d97100000000, 0xaf45e48b00000000,\n 0xe8d7a02400000000, 0x60671c0e00000000, 0x27f558a100000000,\n 0x8f87162100000000, 0xc815528e00000000, 0x40a5eea400000000,\n 0x0737aa0b00000000, 0x50c497f100000000, 0x1756d35e00000000,\n 0x9fe66f7400000000, 0xd8742bdb00000000, 0x33043d9d00000000,\n 0x7496793200000000, 0xfc26c51800000000, 0xbbb481b700000000,\n 0xec47bc4d00000000, 0xabd5f8e200000000, 0x236544c800000000,\n 0x64f7006700000000, 0xcc854ee700000000, 0x8b170a4800000000,\n 0x03a7b66200000000, 0x4435f2cd00000000, 0x13c6cf3700000000,\n 0x54548b9800000000, 0xdce437b200000000, 0x9b76731d00000000,\n 0xcd07da6900000000, 0x8a959ec600000000, 0x022522ec00000000,\n 0x45b7664300000000, 0x12445bb900000000, 0x55d61f1600000000,\n 0xdd66a33c00000000, 0x9af4e79300000000, 0x3286a91300000000,\n 0x7514edbc00000000, 0xfda4519600000000, 0xba36153900000000,\n 0xedc528c300000000, 0xaa576c6c00000000, 0x22e7d04600000000,\n 0x657594e900000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0x65673b46, 0xcace768c, 0xafa94dca, 0x4eedeb59,\n 0x2b8ad01f, 0x84239dd5, 0xe144a693, 0x9ddbd6b2, 0xf8bcedf4,\n 0x5715a03e, 0x32729b78, 0xd3363deb, 0xb65106ad, 0x19f84b67,\n 0x7c9f7021, 0xe0c6ab25, 0x85a19063, 0x2a08dda9, 0x4f6fe6ef,\n 0xae2b407c, 0xcb4c7b3a, 0x64e536f0, 0x01820db6, 0x7d1d7d97,\n 0x187a46d1, 0xb7d30b1b, 0xd2b4305d, 0x33f096ce, 0x5697ad88,\n 0xf93ee042, 0x9c59db04, 0x1afc500b, 0x7f9b6b4d, 0xd0322687,\n 0xb5551dc1, 0x5411bb52, 0x31768014, 0x9edfcdde, 0xfbb8f698,\n 0x872786b9, 0xe240bdff, 0x4de9f035, 0x288ecb73, 0xc9ca6de0,\n 0xacad56a6, 0x03041b6c, 0x6663202a, 0xfa3afb2e, 0x9f5dc068,\n 0x30f48da2, 0x5593b6e4, 0xb4d71077, 0xd1b02b31, 0x7e1966fb,\n 0x1b7e5dbd, 0x67e12d9c, 0x028616da, 0xad2f5b10, 0xc8486056,\n 0x290cc6c5, 0x4c6bfd83, 0xe3c2b049, 0x86a58b0f, 0x35f8a016,\n 0x509f9b50, 0xff36d69a, 0x9a51eddc, 0x7b154b4f, 0x1e727009,\n 0xb1db3dc3, 0xd4bc0685, 0xa82376a4, 0xcd444de2, 0x62ed0028,\n 0x078a3b6e, 0xe6ce9dfd, 0x83a9a6bb, 0x2c00eb71, 0x4967d037,\n 0xd53e0b33, 0xb0593075, 0x1ff07dbf, 0x7a9746f9, 0x9bd3e06a,\n 0xfeb4db2c, 0x511d96e6, 0x347aada0, 0x48e5dd81, 0x2d82e6c7,\n 0x822bab0d, 0xe74c904b, 0x060836d8, 0x636f0d9e, 0xccc64054,\n 0xa9a17b12, 0x2f04f01d, 0x4a63cb5b, 0xe5ca8691, 0x80adbdd7,\n 0x61e91b44, 0x048e2002, 0xab276dc8, 0xce40568e, 0xb2df26af,\n 0xd7b81de9, 0x78115023, 0x1d766b65, 0xfc32cdf6, 0x9955f6b0,\n 0x36fcbb7a, 0x539b803c, 0xcfc25b38, 0xaaa5607e, 0x050c2db4,\n 0x606b16f2, 0x812fb061, 0xe4488b27, 0x4be1c6ed, 0x2e86fdab,\n 0x52198d8a, 0x377eb6cc, 0x98d7fb06, 0xfdb0c040, 0x1cf466d3,\n 0x79935d95, 0xd63a105f, 0xb35d2b19, 0x6bf1402c, 0x0e967b6a,\n 0xa13f36a0, 0xc4580de6, 0x251cab75, 0x407b9033, 0xefd2ddf9,\n 0x8ab5e6bf, 0xf62a969e, 0x934dadd8, 0x3ce4e012, 0x5983db54,\n 0xb8c77dc7, 0xdda04681, 0x72090b4b, 0x176e300d, 0x8b37eb09,\n 0xee50d04f, 0x41f99d85, 0x249ea6c3, 0xc5da0050, 0xa0bd3b16,\n 0x0f1476dc, 0x6a734d9a, 0x16ec3dbb, 0x738b06fd, 0xdc224b37,\n 0xb9457071, 0x5801d6e2, 0x3d66eda4, 0x92cfa06e, 0xf7a89b28,\n 0x710d1027, 0x146a2b61, 0xbbc366ab, 0xdea45ded, 0x3fe0fb7e,\n 0x5a87c038, 0xf52e8df2, 0x9049b6b4, 0xecd6c695, 0x89b1fdd3,\n 0x2618b019, 0x437f8b5f, 0xa23b2dcc, 0xc75c168a, 0x68f55b40,\n 0x0d926006, 0x91cbbb02, 0xf4ac8044, 0x5b05cd8e, 0x3e62f6c8,\n 0xdf26505b, 0xba416b1d, 0x15e826d7, 0x708f1d91, 0x0c106db0,\n 0x697756f6, 0xc6de1b3c, 0xa3b9207a, 0x42fd86e9, 0x279abdaf,\n 0x8833f065, 0xed54cb23, 0x5e09e03a, 0x3b6edb7c, 0x94c796b6,\n 0xf1a0adf0, 0x10e40b63, 0x75833025, 0xda2a7def, 0xbf4d46a9,\n 0xc3d23688, 0xa6b50dce, 0x091c4004, 0x6c7b7b42, 0x8d3fddd1,\n 0xe858e697, 0x47f1ab5d, 0x2296901b, 0xbecf4b1f, 0xdba87059,\n 0x74013d93, 0x116606d5, 0xf022a046, 0x95459b00, 0x3aecd6ca,\n 0x5f8bed8c, 0x23149dad, 0x4673a6eb, 0xe9daeb21, 0x8cbdd067,\n 0x6df976f4, 0x089e4db2, 0xa7370078, 0xc2503b3e, 0x44f5b031,\n 0x21928b77, 0x8e3bc6bd, 0xeb5cfdfb, 0x0a185b68, 0x6f7f602e,\n 0xc0d62de4, 0xa5b116a2, 0xd92e6683, 0xbc495dc5, 0x13e0100f,\n 0x76872b49, 0x97c38dda, 0xf2a4b69c, 0x5d0dfb56, 0x386ac010,\n 0xa4331b14, 0xc1542052, 0x6efd6d98, 0x0b9a56de, 0xeadef04d,\n 0x8fb9cb0b, 0x201086c1, 0x4577bd87, 0x39e8cda6, 0x5c8ff6e0,\n 0xf326bb2a, 0x9641806c, 0x770526ff, 0x12621db9, 0xbdcb5073,\n 0xd8ac6b35},\n {0x00000000, 0xd7e28058, 0x74b406f1, 0xa35686a9, 0xe9680de2,\n 0x3e8a8dba, 0x9ddc0b13, 0x4a3e8b4b, 0x09a11d85, 0xde439ddd,\n 0x7d151b74, 0xaaf79b2c, 0xe0c91067, 0x372b903f, 0x947d1696,\n 0x439f96ce, 0x13423b0a, 0xc4a0bb52, 0x67f63dfb, 0xb014bda3,\n 0xfa2a36e8, 0x2dc8b6b0, 0x8e9e3019, 0x597cb041, 0x1ae3268f,\n 0xcd01a6d7, 0x6e57207e, 0xb9b5a026, 0xf38b2b6d, 0x2469ab35,\n 0x873f2d9c, 0x50ddadc4, 0x26847614, 0xf166f64c, 0x523070e5,\n 0x85d2f0bd, 0xcfec7bf6, 0x180efbae, 0xbb587d07, 0x6cbafd5f,\n 0x2f256b91, 0xf8c7ebc9, 0x5b916d60, 0x8c73ed38, 0xc64d6673,\n 0x11afe62b, 0xb2f96082, 0x651be0da, 0x35c64d1e, 0xe224cd46,\n 0x41724bef, 0x9690cbb7, 0xdcae40fc, 0x0b4cc0a4, 0xa81a460d,\n 0x7ff8c655, 0x3c67509b, 0xeb85d0c3, 0x48d3566a, 0x9f31d632,\n 0xd50f5d79, 0x02eddd21, 0xa1bb5b88, 0x7659dbd0, 0x4d08ec28,\n 0x9aea6c70, 0x39bcead9, 0xee5e6a81, 0xa460e1ca, 0x73826192,\n 0xd0d4e73b, 0x07366763, 0x44a9f1ad, 0x934b71f5, 0x301df75c,\n 0xe7ff7704, 0xadc1fc4f, 0x7a237c17, 0xd975fabe, 0x0e977ae6,\n 0x5e4ad722, 0x89a8577a, 0x2afed1d3, 0xfd1c518b, 0xb722dac0,\n 0x60c05a98, 0xc396dc31, 0x14745c69, 0x57ebcaa7, 0x80094aff,\n 0x235fcc56, 0xf4bd4c0e, 0xbe83c745, 0x6961471d, 0xca37c1b4,\n 0x1dd541ec, 0x6b8c9a3c, 0xbc6e1a64, 0x1f389ccd, 0xc8da1c95,\n 0x82e497de, 0x55061786, 0xf650912f, 0x21b21177, 0x622d87b9,\n 0xb5cf07e1, 0x16998148, 0xc17b0110, 0x8b458a5b, 0x5ca70a03,\n 0xfff18caa, 0x28130cf2, 0x78cea136, 0xaf2c216e, 0x0c7aa7c7,\n 0xdb98279f, 0x91a6acd4, 0x46442c8c, 0xe512aa25, 0x32f02a7d,\n 0x716fbcb3, 0xa68d3ceb, 0x05dbba42, 0xd2393a1a, 0x9807b151,\n 0x4fe53109, 0xecb3b7a0, 0x3b5137f8, 0x9a11d850, 0x4df35808,\n 0xeea5dea1, 0x39475ef9, 0x7379d5b2, 0xa49b55ea, 0x07cdd343,\n 0xd02f531b, 0x93b0c5d5, 0x4452458d, 0xe704c324, 0x30e6437c,\n 0x7ad8c837, 0xad3a486f, 0x0e6ccec6, 0xd98e4e9e, 0x8953e35a,\n 0x5eb16302, 0xfde7e5ab, 0x2a0565f3, 0x603beeb8, 0xb7d96ee0,\n 0x148fe849, 0xc36d6811, 0x80f2fedf, 0x57107e87, 0xf446f82e,\n 0x23a47876, 0x699af33d, 0xbe787365, 0x1d2ef5cc, 0xcacc7594,\n 0xbc95ae44, 0x6b772e1c, 0xc821a8b5, 0x1fc328ed, 0x55fda3a6,\n 0x821f23fe, 0x2149a557, 0xf6ab250f, 0xb534b3c1, 0x62d63399,\n 0xc180b530, 0x16623568, 0x5c5cbe23, 0x8bbe3e7b, 0x28e8b8d2,\n 0xff0a388a, 0xafd7954e, 0x78351516, 0xdb6393bf, 0x0c8113e7,\n 0x46bf98ac, 0x915d18f4, 0x320b9e5d, 0xe5e91e05, 0xa67688cb,\n 0x71940893, 0xd2c28e3a, 0x05200e62, 0x4f1e8529, 0x98fc0571,\n 0x3baa83d8, 0xec480380, 0xd7193478, 0x00fbb420, 0xa3ad3289,\n 0x744fb2d1, 0x3e71399a, 0xe993b9c2, 0x4ac53f6b, 0x9d27bf33,\n 0xdeb829fd, 0x095aa9a5, 0xaa0c2f0c, 0x7deeaf54, 0x37d0241f,\n 0xe032a447, 0x436422ee, 0x9486a2b6, 0xc45b0f72, 0x13b98f2a,\n 0xb0ef0983, 0x670d89db, 0x2d330290, 0xfad182c8, 0x59870461,\n 0x8e658439, 0xcdfa12f7, 0x1a1892af, 0xb94e1406, 0x6eac945e,\n 0x24921f15, 0xf3709f4d, 0x502619e4, 0x87c499bc, 0xf19d426c,\n 0x267fc234, 0x8529449d, 0x52cbc4c5, 0x18f54f8e, 0xcf17cfd6,\n 0x6c41497f, 0xbba3c927, 0xf83c5fe9, 0x2fdedfb1, 0x8c885918,\n 0x5b6ad940, 0x1154520b, 0xc6b6d253, 0x65e054fa, 0xb202d4a2,\n 0xe2df7966, 0x353df93e, 0x966b7f97, 0x4189ffcf, 0x0bb77484,\n 0xdc55f4dc, 0x7f037275, 0xa8e1f22d, 0xeb7e64e3, 0x3c9ce4bb,\n 0x9fca6212, 0x4828e24a, 0x02166901, 0xd5f4e959, 0x76a26ff0,\n 0xa140efa8},\n {0x00000000, 0xef52b6e1, 0x05d46b83, 0xea86dd62, 0x0ba8d706,\n 0xe4fa61e7, 0x0e7cbc85, 0xe12e0a64, 0x1751ae0c, 0xf80318ed,\n 0x1285c58f, 0xfdd7736e, 0x1cf9790a, 0xf3abcfeb, 0x192d1289,\n 0xf67fa468, 0x2ea35c18, 0xc1f1eaf9, 0x2b77379b, 0xc425817a,\n 0x250b8b1e, 0xca593dff, 0x20dfe09d, 0xcf8d567c, 0x39f2f214,\n 0xd6a044f5, 0x3c269997, 0xd3742f76, 0x325a2512, 0xdd0893f3,\n 0x378e4e91, 0xd8dcf870, 0x5d46b830, 0xb2140ed1, 0x5892d3b3,\n 0xb7c06552, 0x56ee6f36, 0xb9bcd9d7, 0x533a04b5, 0xbc68b254,\n 0x4a17163c, 0xa545a0dd, 0x4fc37dbf, 0xa091cb5e, 0x41bfc13a,\n 0xaeed77db, 0x446baab9, 0xab391c58, 0x73e5e428, 0x9cb752c9,\n 0x76318fab, 0x9963394a, 0x784d332e, 0x971f85cf, 0x7d9958ad,\n 0x92cbee4c, 0x64b44a24, 0x8be6fcc5, 0x616021a7, 0x8e329746,\n 0x6f1c9d22, 0x804e2bc3, 0x6ac8f6a1, 0x859a4040, 0xba8d7060,\n 0x55dfc681, 0xbf591be3, 0x500bad02, 0xb125a766, 0x5e771187,\n 0xb4f1cce5, 0x5ba37a04, 0xaddcde6c, 0x428e688d, 0xa808b5ef,\n 0x475a030e, 0xa674096a, 0x4926bf8b, 0xa3a062e9, 0x4cf2d408,\n 0x942e2c78, 0x7b7c9a99, 0x91fa47fb, 0x7ea8f11a, 0x9f86fb7e,\n 0x70d44d9f, 0x9a5290fd, 0x7500261c, 0x837f8274, 0x6c2d3495,\n 0x86abe9f7, 0x69f95f16, 0x88d75572, 0x6785e393, 0x8d033ef1,\n 0x62518810, 0xe7cbc850, 0x08997eb1, 0xe21fa3d3, 0x0d4d1532,\n 0xec631f56, 0x0331a9b7, 0xe9b774d5, 0x06e5c234, 0xf09a665c,\n 0x1fc8d0bd, 0xf54e0ddf, 0x1a1cbb3e, 0xfb32b15a, 0x146007bb,\n 0xfee6dad9, 0x11b46c38, 0xc9689448, 0x263a22a9, 0xccbcffcb,\n 0x23ee492a, 0xc2c0434e, 0x2d92f5af, 0xc71428cd, 0x28469e2c,\n 0xde393a44, 0x316b8ca5, 0xdbed51c7, 0x34bfe726, 0xd591ed42,\n 0x3ac35ba3, 0xd04586c1, 0x3f173020, 0xae6be681, 0x41395060,\n 0xabbf8d02, 0x44ed3be3, 0xa5c33187, 0x4a918766, 0xa0175a04,\n 0x4f45ece5, 0xb93a488d, 0x5668fe6c, 0xbcee230e, 0x53bc95ef,\n 0xb2929f8b, 0x5dc0296a, 0xb746f408, 0x581442e9, 0x80c8ba99,\n 0x6f9a0c78, 0x851cd11a, 0x6a4e67fb, 0x8b606d9f, 0x6432db7e,\n 0x8eb4061c, 0x61e6b0fd, 0x97991495, 0x78cba274, 0x924d7f16,\n 0x7d1fc9f7, 0x9c31c393, 0x73637572, 0x99e5a810, 0x76b71ef1,\n 0xf32d5eb1, 0x1c7fe850, 0xf6f93532, 0x19ab83d3, 0xf88589b7,\n 0x17d73f56, 0xfd51e234, 0x120354d5, 0xe47cf0bd, 0x0b2e465c,\n 0xe1a89b3e, 0x0efa2ddf, 0xefd427bb, 0x0086915a, 0xea004c38,\n 0x0552fad9, 0xdd8e02a9, 0x32dcb448, 0xd85a692a, 0x3708dfcb,\n 0xd626d5af, 0x3974634e, 0xd3f2be2c, 0x3ca008cd, 0xcadfaca5,\n 0x258d1a44, 0xcf0bc726, 0x205971c7, 0xc1777ba3, 0x2e25cd42,\n 0xc4a31020, 0x2bf1a6c1, 0x14e696e1, 0xfbb42000, 0x1132fd62,\n 0xfe604b83, 0x1f4e41e7, 0xf01cf706, 0x1a9a2a64, 0xf5c89c85,\n 0x03b738ed, 0xece58e0c, 0x0663536e, 0xe931e58f, 0x081fefeb,\n 0xe74d590a, 0x0dcb8468, 0xe2993289, 0x3a45caf9, 0xd5177c18,\n 0x3f91a17a, 0xd0c3179b, 0x31ed1dff, 0xdebfab1e, 0x3439767c,\n 0xdb6bc09d, 0x2d1464f5, 0xc246d214, 0x28c00f76, 0xc792b997,\n 0x26bcb3f3, 0xc9ee0512, 0x2368d870, 0xcc3a6e91, 0x49a02ed1,\n 0xa6f29830, 0x4c744552, 0xa326f3b3, 0x4208f9d7, 0xad5a4f36,\n 0x47dc9254, 0xa88e24b5, 0x5ef180dd, 0xb1a3363c, 0x5b25eb5e,\n 0xb4775dbf, 0x555957db, 0xba0be13a, 0x508d3c58, 0xbfdf8ab9,\n 0x670372c9, 0x8851c428, 0x62d7194a, 0x8d85afab, 0x6caba5cf,\n 0x83f9132e, 0x697fce4c, 0x862d78ad, 0x7052dcc5, 0x9f006a24,\n 0x7586b746, 0x9ad401a7, 0x7bfa0bc3, 0x94a8bd22, 0x7e2e6040,\n 0x917cd6a1},\n {0x00000000, 0x87a6cb43, 0xd43c90c7, 0x539a5b84, 0x730827cf,\n 0xf4aeec8c, 0xa734b708, 0x20927c4b, 0xe6104f9e, 0x61b684dd,\n 0x322cdf59, 0xb58a141a, 0x95186851, 0x12bea312, 0x4124f896,\n 0xc68233d5, 0x1751997d, 0x90f7523e, 0xc36d09ba, 0x44cbc2f9,\n 0x6459beb2, 0xe3ff75f1, 0xb0652e75, 0x37c3e536, 0xf141d6e3,\n 0x76e71da0, 0x257d4624, 0xa2db8d67, 0x8249f12c, 0x05ef3a6f,\n 0x567561eb, 0xd1d3aaa8, 0x2ea332fa, 0xa905f9b9, 0xfa9fa23d,\n 0x7d39697e, 0x5dab1535, 0xda0dde76, 0x899785f2, 0x0e314eb1,\n 0xc8b37d64, 0x4f15b627, 0x1c8feda3, 0x9b2926e0, 0xbbbb5aab,\n 0x3c1d91e8, 0x6f87ca6c, 0xe821012f, 0x39f2ab87, 0xbe5460c4,\n 0xedce3b40, 0x6a68f003, 0x4afa8c48, 0xcd5c470b, 0x9ec61c8f,\n 0x1960d7cc, 0xdfe2e419, 0x58442f5a, 0x0bde74de, 0x8c78bf9d,\n 0xaceac3d6, 0x2b4c0895, 0x78d65311, 0xff709852, 0x5d4665f4,\n 0xdae0aeb7, 0x897af533, 0x0edc3e70, 0x2e4e423b, 0xa9e88978,\n 0xfa72d2fc, 0x7dd419bf, 0xbb562a6a, 0x3cf0e129, 0x6f6abaad,\n 0xe8cc71ee, 0xc85e0da5, 0x4ff8c6e6, 0x1c629d62, 0x9bc45621,\n 0x4a17fc89, 0xcdb137ca, 0x9e2b6c4e, 0x198da70d, 0x391fdb46,\n 0xbeb91005, 0xed234b81, 0x6a8580c2, 0xac07b317, 0x2ba17854,\n 0x783b23d0, 0xff9de893, 0xdf0f94d8, 0x58a95f9b, 0x0b33041f,\n 0x8c95cf5c, 0x73e5570e, 0xf4439c4d, 0xa7d9c7c9, 0x207f0c8a,\n 0x00ed70c1, 0x874bbb82, 0xd4d1e006, 0x53772b45, 0x95f51890,\n 0x1253d3d3, 0x41c98857, 0xc66f4314, 0xe6fd3f5f, 0x615bf41c,\n 0x32c1af98, 0xb56764db, 0x64b4ce73, 0xe3120530, 0xb0885eb4,\n 0x372e95f7, 0x17bce9bc, 0x901a22ff, 0xc380797b, 0x4426b238,\n 0x82a481ed, 0x05024aae, 0x5698112a, 0xd13eda69, 0xf1aca622,\n 0x760a6d61, 0x259036e5, 0xa236fda6, 0xba8ccbe8, 0x3d2a00ab,\n 0x6eb05b2f, 0xe916906c, 0xc984ec27, 0x4e222764, 0x1db87ce0,\n 0x9a1eb7a3, 0x5c9c8476, 0xdb3a4f35, 0x88a014b1, 0x0f06dff2,\n 0x2f94a3b9, 0xa83268fa, 0xfba8337e, 0x7c0ef83d, 0xaddd5295,\n 0x2a7b99d6, 0x79e1c252, 0xfe470911, 0xded5755a, 0x5973be19,\n 0x0ae9e59d, 0x8d4f2ede, 0x4bcd1d0b, 0xcc6bd648, 0x9ff18dcc,\n 0x1857468f, 0x38c53ac4, 0xbf63f187, 0xecf9aa03, 0x6b5f6140,\n 0x942ff912, 0x13893251, 0x401369d5, 0xc7b5a296, 0xe727dedd,\n 0x6081159e, 0x331b4e1a, 0xb4bd8559, 0x723fb68c, 0xf5997dcf,\n 0xa603264b, 0x21a5ed08, 0x01379143, 0x86915a00, 0xd50b0184,\n 0x52adcac7, 0x837e606f, 0x04d8ab2c, 0x5742f0a8, 0xd0e43beb,\n 0xf07647a0, 0x77d08ce3, 0x244ad767, 0xa3ec1c24, 0x656e2ff1,\n 0xe2c8e4b2, 0xb152bf36, 0x36f47475, 0x1666083e, 0x91c0c37d,\n 0xc25a98f9, 0x45fc53ba, 0xe7caae1c, 0x606c655f, 0x33f63edb,\n 0xb450f598, 0x94c289d3, 0x13644290, 0x40fe1914, 0xc758d257,\n 0x01dae182, 0x867c2ac1, 0xd5e67145, 0x5240ba06, 0x72d2c64d,\n 0xf5740d0e, 0xa6ee568a, 0x21489dc9, 0xf09b3761, 0x773dfc22,\n 0x24a7a7a6, 0xa3016ce5, 0x839310ae, 0x0435dbed, 0x57af8069,\n 0xd0094b2a, 0x168b78ff, 0x912db3bc, 0xc2b7e838, 0x4511237b,\n 0x65835f30, 0xe2259473, 0xb1bfcff7, 0x361904b4, 0xc9699ce6,\n 0x4ecf57a5, 0x1d550c21, 0x9af3c762, 0xba61bb29, 0x3dc7706a,\n 0x6e5d2bee, 0xe9fbe0ad, 0x2f79d378, 0xa8df183b, 0xfb4543bf,\n 0x7ce388fc, 0x5c71f4b7, 0xdbd73ff4, 0x884d6470, 0x0febaf33,\n 0xde38059b, 0x599eced8, 0x0a04955c, 0x8da25e1f, 0xad302254,\n 0x2a96e917, 0x790cb293, 0xfeaa79d0, 0x38284a05, 0xbf8e8146,\n 0xec14dac2, 0x6bb21181, 0x4b206dca, 0xcc86a689, 0x9f1cfd0d,\n 0x18ba364e}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0x43cba687, 0xc7903cd4, 0x845b9a53, 0xcf270873,\n 0x8cecaef4, 0x08b734a7, 0x4b7c9220, 0x9e4f10e6, 0xdd84b661,\n 0x59df2c32, 0x1a148ab5, 0x51681895, 0x12a3be12, 0x96f82441,\n 0xd53382c6, 0x7d995117, 0x3e52f790, 0xba096dc3, 0xf9c2cb44,\n 0xb2be5964, 0xf175ffe3, 0x752e65b0, 0x36e5c337, 0xe3d641f1,\n 0xa01de776, 0x24467d25, 0x678ddba2, 0x2cf14982, 0x6f3aef05,\n 0xeb617556, 0xa8aad3d1, 0xfa32a32e, 0xb9f905a9, 0x3da29ffa,\n 0x7e69397d, 0x3515ab5d, 0x76de0dda, 0xf2859789, 0xb14e310e,\n 0x647db3c8, 0x27b6154f, 0xa3ed8f1c, 0xe026299b, 0xab5abbbb,\n 0xe8911d3c, 0x6cca876f, 0x2f0121e8, 0x87abf239, 0xc46054be,\n 0x403bceed, 0x03f0686a, 0x488cfa4a, 0x0b475ccd, 0x8f1cc69e,\n 0xccd76019, 0x19e4e2df, 0x5a2f4458, 0xde74de0b, 0x9dbf788c,\n 0xd6c3eaac, 0x95084c2b, 0x1153d678, 0x529870ff, 0xf465465d,\n 0xb7aee0da, 0x33f57a89, 0x703edc0e, 0x3b424e2e, 0x7889e8a9,\n 0xfcd272fa, 0xbf19d47d, 0x6a2a56bb, 0x29e1f03c, 0xadba6a6f,\n 0xee71cce8, 0xa50d5ec8, 0xe6c6f84f, 0x629d621c, 0x2156c49b,\n 0x89fc174a, 0xca37b1cd, 0x4e6c2b9e, 0x0da78d19, 0x46db1f39,\n 0x0510b9be, 0x814b23ed, 0xc280856a, 0x17b307ac, 0x5478a12b,\n 0xd0233b78, 0x93e89dff, 0xd8940fdf, 0x9b5fa958, 0x1f04330b,\n 0x5ccf958c, 0x0e57e573, 0x4d9c43f4, 0xc9c7d9a7, 0x8a0c7f20,\n 0xc170ed00, 0x82bb4b87, 0x06e0d1d4, 0x452b7753, 0x9018f595,\n 0xd3d35312, 0x5788c941, 0x14436fc6, 0x5f3ffde6, 0x1cf45b61,\n 0x98afc132, 0xdb6467b5, 0x73ceb464, 0x300512e3, 0xb45e88b0,\n 0xf7952e37, 0xbce9bc17, 0xff221a90, 0x7b7980c3, 0x38b22644,\n 0xed81a482, 0xae4a0205, 0x2a119856, 0x69da3ed1, 0x22a6acf1,\n 0x616d0a76, 0xe5369025, 0xa6fd36a2, 0xe8cb8cba, 0xab002a3d,\n 0x2f5bb06e, 0x6c9016e9, 0x27ec84c9, 0x6427224e, 0xe07cb81d,\n 0xa3b71e9a, 0x76849c5c, 0x354f3adb, 0xb114a088, 0xf2df060f,\n 0xb9a3942f, 0xfa6832a8, 0x7e33a8fb, 0x3df80e7c, 0x9552ddad,\n 0xd6997b2a, 0x52c2e179, 0x110947fe, 0x5a75d5de, 0x19be7359,\n 0x9de5e90a, 0xde2e4f8d, 0x0b1dcd4b, 0x48d66bcc, 0xcc8df19f,\n 0x8f465718, 0xc43ac538, 0x87f163bf, 0x03aaf9ec, 0x40615f6b,\n 0x12f92f94, 0x51328913, 0xd5691340, 0x96a2b5c7, 0xddde27e7,\n 0x9e158160, 0x1a4e1b33, 0x5985bdb4, 0x8cb63f72, 0xcf7d99f5,\n 0x4b2603a6, 0x08eda521, 0x43913701, 0x005a9186, 0x84010bd5,\n 0xc7caad52, 0x6f607e83, 0x2cabd804, 0xa8f04257, 0xeb3be4d0,\n 0xa04776f0, 0xe38cd077, 0x67d74a24, 0x241ceca3, 0xf12f6e65,\n 0xb2e4c8e2, 0x36bf52b1, 0x7574f436, 0x3e086616, 0x7dc3c091,\n 0xf9985ac2, 0xba53fc45, 0x1caecae7, 0x5f656c60, 0xdb3ef633,\n 0x98f550b4, 0xd389c294, 0x90426413, 0x1419fe40, 0x57d258c7,\n 0x82e1da01, 0xc12a7c86, 0x4571e6d5, 0x06ba4052, 0x4dc6d272,\n 0x0e0d74f5, 0x8a56eea6, 0xc99d4821, 0x61379bf0, 0x22fc3d77,\n 0xa6a7a724, 0xe56c01a3, 0xae109383, 0xeddb3504, 0x6980af57,\n 0x2a4b09d0, 0xff788b16, 0xbcb32d91, 0x38e8b7c2, 0x7b231145,\n 0x305f8365, 0x739425e2, 0xf7cfbfb1, 0xb4041936, 0xe69c69c9,\n 0xa557cf4e, 0x210c551d, 0x62c7f39a, 0x29bb61ba, 0x6a70c73d,\n 0xee2b5d6e, 0xade0fbe9, 0x78d3792f, 0x3b18dfa8, 0xbf4345fb,\n 0xfc88e37c, 0xb7f4715c, 0xf43fd7db, 0x70644d88, 0x33afeb0f,\n 0x9b0538de, 0xd8ce9e59, 0x5c95040a, 0x1f5ea28d, 0x542230ad,\n 0x17e9962a, 0x93b20c79, 0xd079aafe, 0x054a2838, 0x46818ebf,\n 0xc2da14ec, 0x8111b26b, 0xca6d204b, 0x89a686cc, 0x0dfd1c9f,\n 0x4e36ba18},\n {0x00000000, 0xe1b652ef, 0x836bd405, 0x62dd86ea, 0x06d7a80b,\n 0xe761fae4, 0x85bc7c0e, 0x640a2ee1, 0x0cae5117, 0xed1803f8,\n 0x8fc58512, 0x6e73d7fd, 0x0a79f91c, 0xebcfabf3, 0x89122d19,\n 0x68a47ff6, 0x185ca32e, 0xf9eaf1c1, 0x9b37772b, 0x7a8125c4,\n 0x1e8b0b25, 0xff3d59ca, 0x9de0df20, 0x7c568dcf, 0x14f2f239,\n 0xf544a0d6, 0x9799263c, 0x762f74d3, 0x12255a32, 0xf39308dd,\n 0x914e8e37, 0x70f8dcd8, 0x30b8465d, 0xd10e14b2, 0xb3d39258,\n 0x5265c0b7, 0x366fee56, 0xd7d9bcb9, 0xb5043a53, 0x54b268bc,\n 0x3c16174a, 0xdda045a5, 0xbf7dc34f, 0x5ecb91a0, 0x3ac1bf41,\n 0xdb77edae, 0xb9aa6b44, 0x581c39ab, 0x28e4e573, 0xc952b79c,\n 0xab8f3176, 0x4a396399, 0x2e334d78, 0xcf851f97, 0xad58997d,\n 0x4ceecb92, 0x244ab464, 0xc5fce68b, 0xa7216061, 0x4697328e,\n 0x229d1c6f, 0xc32b4e80, 0xa1f6c86a, 0x40409a85, 0x60708dba,\n 0x81c6df55, 0xe31b59bf, 0x02ad0b50, 0x66a725b1, 0x8711775e,\n 0xe5ccf1b4, 0x047aa35b, 0x6cdedcad, 0x8d688e42, 0xefb508a8,\n 0x0e035a47, 0x6a0974a6, 0x8bbf2649, 0xe962a0a3, 0x08d4f24c,\n 0x782c2e94, 0x999a7c7b, 0xfb47fa91, 0x1af1a87e, 0x7efb869f,\n 0x9f4dd470, 0xfd90529a, 0x1c260075, 0x74827f83, 0x95342d6c,\n 0xf7e9ab86, 0x165ff969, 0x7255d788, 0x93e38567, 0xf13e038d,\n 0x10885162, 0x50c8cbe7, 0xb17e9908, 0xd3a31fe2, 0x32154d0d,\n 0x561f63ec, 0xb7a93103, 0xd574b7e9, 0x34c2e506, 0x5c669af0,\n 0xbdd0c81f, 0xdf0d4ef5, 0x3ebb1c1a, 0x5ab132fb, 0xbb076014,\n 0xd9dae6fe, 0x386cb411, 0x489468c9, 0xa9223a26, 0xcbffbccc,\n 0x2a49ee23, 0x4e43c0c2, 0xaff5922d, 0xcd2814c7, 0x2c9e4628,\n 0x443a39de, 0xa58c6b31, 0xc751eddb, 0x26e7bf34, 0x42ed91d5,\n 0xa35bc33a, 0xc18645d0, 0x2030173f, 0x81e66bae, 0x60503941,\n 0x028dbfab, 0xe33bed44, 0x8731c3a5, 0x6687914a, 0x045a17a0,\n 0xe5ec454f, 0x8d483ab9, 0x6cfe6856, 0x0e23eebc, 0xef95bc53,\n 0x8b9f92b2, 0x6a29c05d, 0x08f446b7, 0xe9421458, 0x99bac880,\n 0x780c9a6f, 0x1ad11c85, 0xfb674e6a, 0x9f6d608b, 0x7edb3264,\n 0x1c06b48e, 0xfdb0e661, 0x95149997, 0x74a2cb78, 0x167f4d92,\n 0xf7c91f7d, 0x93c3319c, 0x72756373, 0x10a8e599, 0xf11eb776,\n 0xb15e2df3, 0x50e87f1c, 0x3235f9f6, 0xd383ab19, 0xb78985f8,\n 0x563fd717, 0x34e251fd, 0xd5540312, 0xbdf07ce4, 0x5c462e0b,\n 0x3e9ba8e1, 0xdf2dfa0e, 0xbb27d4ef, 0x5a918600, 0x384c00ea,\n 0xd9fa5205, 0xa9028edd, 0x48b4dc32, 0x2a695ad8, 0xcbdf0837,\n 0xafd526d6, 0x4e637439, 0x2cbef2d3, 0xcd08a03c, 0xa5acdfca,\n 0x441a8d25, 0x26c70bcf, 0xc7715920, 0xa37b77c1, 0x42cd252e,\n 0x2010a3c4, 0xc1a6f12b, 0xe196e614, 0x0020b4fb, 0x62fd3211,\n 0x834b60fe, 0xe7414e1f, 0x06f71cf0, 0x642a9a1a, 0x859cc8f5,\n 0xed38b703, 0x0c8ee5ec, 0x6e536306, 0x8fe531e9, 0xebef1f08,\n 0x0a594de7, 0x6884cb0d, 0x893299e2, 0xf9ca453a, 0x187c17d5,\n 0x7aa1913f, 0x9b17c3d0, 0xff1ded31, 0x1eabbfde, 0x7c763934,\n 0x9dc06bdb, 0xf564142d, 0x14d246c2, 0x760fc028, 0x97b992c7,\n 0xf3b3bc26, 0x1205eec9, 0x70d86823, 0x916e3acc, 0xd12ea049,\n 0x3098f2a6, 0x5245744c, 0xb3f326a3, 0xd7f90842, 0x364f5aad,\n 0x5492dc47, 0xb5248ea8, 0xdd80f15e, 0x3c36a3b1, 0x5eeb255b,\n 0xbf5d77b4, 0xdb575955, 0x3ae10bba, 0x583c8d50, 0xb98adfbf,\n 0xc9720367, 0x28c45188, 0x4a19d762, 0xabaf858d, 0xcfa5ab6c,\n 0x2e13f983, 0x4cce7f69, 0xad782d86, 0xc5dc5270, 0x246a009f,\n 0x46b78675, 0xa701d49a, 0xc30bfa7b, 0x22bda894, 0x40602e7e,\n 0xa1d67c91},\n {0x00000000, 0x5880e2d7, 0xf106b474, 0xa98656a3, 0xe20d68e9,\n 0xba8d8a3e, 0x130bdc9d, 0x4b8b3e4a, 0x851da109, 0xdd9d43de,\n 0x741b157d, 0x2c9bf7aa, 0x6710c9e0, 0x3f902b37, 0x96167d94,\n 0xce969f43, 0x0a3b4213, 0x52bba0c4, 0xfb3df667, 0xa3bd14b0,\n 0xe8362afa, 0xb0b6c82d, 0x19309e8e, 0x41b07c59, 0x8f26e31a,\n 0xd7a601cd, 0x7e20576e, 0x26a0b5b9, 0x6d2b8bf3, 0x35ab6924,\n 0x9c2d3f87, 0xc4addd50, 0x14768426, 0x4cf666f1, 0xe5703052,\n 0xbdf0d285, 0xf67beccf, 0xaefb0e18, 0x077d58bb, 0x5ffdba6c,\n 0x916b252f, 0xc9ebc7f8, 0x606d915b, 0x38ed738c, 0x73664dc6,\n 0x2be6af11, 0x8260f9b2, 0xdae01b65, 0x1e4dc635, 0x46cd24e2,\n 0xef4b7241, 0xb7cb9096, 0xfc40aedc, 0xa4c04c0b, 0x0d461aa8,\n 0x55c6f87f, 0x9b50673c, 0xc3d085eb, 0x6a56d348, 0x32d6319f,\n 0x795d0fd5, 0x21dded02, 0x885bbba1, 0xd0db5976, 0x28ec084d,\n 0x706cea9a, 0xd9eabc39, 0x816a5eee, 0xcae160a4, 0x92618273,\n 0x3be7d4d0, 0x63673607, 0xadf1a944, 0xf5714b93, 0x5cf71d30,\n 0x0477ffe7, 0x4ffcc1ad, 0x177c237a, 0xbefa75d9, 0xe67a970e,\n 0x22d74a5e, 0x7a57a889, 0xd3d1fe2a, 0x8b511cfd, 0xc0da22b7,\n 0x985ac060, 0x31dc96c3, 0x695c7414, 0xa7caeb57, 0xff4a0980,\n 0x56cc5f23, 0x0e4cbdf4, 0x45c783be, 0x1d476169, 0xb4c137ca,\n 0xec41d51d, 0x3c9a8c6b, 0x641a6ebc, 0xcd9c381f, 0x951cdac8,\n 0xde97e482, 0x86170655, 0x2f9150f6, 0x7711b221, 0xb9872d62,\n 0xe107cfb5, 0x48819916, 0x10017bc1, 0x5b8a458b, 0x030aa75c,\n 0xaa8cf1ff, 0xf20c1328, 0x36a1ce78, 0x6e212caf, 0xc7a77a0c,\n 0x9f2798db, 0xd4aca691, 0x8c2c4446, 0x25aa12e5, 0x7d2af032,\n 0xb3bc6f71, 0xeb3c8da6, 0x42badb05, 0x1a3a39d2, 0x51b10798,\n 0x0931e54f, 0xa0b7b3ec, 0xf837513b, 0x50d8119a, 0x0858f34d,\n 0xa1dea5ee, 0xf95e4739, 0xb2d57973, 0xea559ba4, 0x43d3cd07,\n 0x1b532fd0, 0xd5c5b093, 0x8d455244, 0x24c304e7, 0x7c43e630,\n 0x37c8d87a, 0x6f483aad, 0xc6ce6c0e, 0x9e4e8ed9, 0x5ae35389,\n 0x0263b15e, 0xabe5e7fd, 0xf365052a, 0xb8ee3b60, 0xe06ed9b7,\n 0x49e88f14, 0x11686dc3, 0xdffef280, 0x877e1057, 0x2ef846f4,\n 0x7678a423, 0x3df39a69, 0x657378be, 0xccf52e1d, 0x9475ccca,\n 0x44ae95bc, 0x1c2e776b, 0xb5a821c8, 0xed28c31f, 0xa6a3fd55,\n 0xfe231f82, 0x57a54921, 0x0f25abf6, 0xc1b334b5, 0x9933d662,\n 0x30b580c1, 0x68356216, 0x23be5c5c, 0x7b3ebe8b, 0xd2b8e828,\n 0x8a380aff, 0x4e95d7af, 0x16153578, 0xbf9363db, 0xe713810c,\n 0xac98bf46, 0xf4185d91, 0x5d9e0b32, 0x051ee9e5, 0xcb8876a6,\n 0x93089471, 0x3a8ec2d2, 0x620e2005, 0x29851e4f, 0x7105fc98,\n 0xd883aa3b, 0x800348ec, 0x783419d7, 0x20b4fb00, 0x8932ada3,\n 0xd1b24f74, 0x9a39713e, 0xc2b993e9, 0x6b3fc54a, 0x33bf279d,\n 0xfd29b8de, 0xa5a95a09, 0x0c2f0caa, 0x54afee7d, 0x1f24d037,\n 0x47a432e0, 0xee226443, 0xb6a28694, 0x720f5bc4, 0x2a8fb913,\n 0x8309efb0, 0xdb890d67, 0x9002332d, 0xc882d1fa, 0x61048759,\n 0x3984658e, 0xf712facd, 0xaf92181a, 0x06144eb9, 0x5e94ac6e,\n 0x151f9224, 0x4d9f70f3, 0xe4192650, 0xbc99c487, 0x6c429df1,\n 0x34c27f26, 0x9d442985, 0xc5c4cb52, 0x8e4ff518, 0xd6cf17cf,\n 0x7f49416c, 0x27c9a3bb, 0xe95f3cf8, 0xb1dfde2f, 0x1859888c,\n 0x40d96a5b, 0x0b525411, 0x53d2b6c6, 0xfa54e065, 0xa2d402b2,\n 0x6679dfe2, 0x3ef93d35, 0x977f6b96, 0xcfff8941, 0x8474b70b,\n 0xdcf455dc, 0x7572037f, 0x2df2e1a8, 0xe3647eeb, 0xbbe49c3c,\n 0x1262ca9f, 0x4ae22848, 0x01691602, 0x59e9f4d5, 0xf06fa276,\n 0xa8ef40a1},\n {0x00000000, 0x463b6765, 0x8c76ceca, 0xca4da9af, 0x59ebed4e,\n 0x1fd08a2b, 0xd59d2384, 0x93a644e1, 0xb2d6db9d, 0xf4edbcf8,\n 0x3ea01557, 0x789b7232, 0xeb3d36d3, 0xad0651b6, 0x674bf819,\n 0x21709f7c, 0x25abc6e0, 0x6390a185, 0xa9dd082a, 0xefe66f4f,\n 0x7c402bae, 0x3a7b4ccb, 0xf036e564, 0xb60d8201, 0x977d1d7d,\n 0xd1467a18, 0x1b0bd3b7, 0x5d30b4d2, 0xce96f033, 0x88ad9756,\n 0x42e03ef9, 0x04db599c, 0x0b50fc1a, 0x4d6b9b7f, 0x872632d0,\n 0xc11d55b5, 0x52bb1154, 0x14807631, 0xdecddf9e, 0x98f6b8fb,\n 0xb9862787, 0xffbd40e2, 0x35f0e94d, 0x73cb8e28, 0xe06dcac9,\n 0xa656adac, 0x6c1b0403, 0x2a206366, 0x2efb3afa, 0x68c05d9f,\n 0xa28df430, 0xe4b69355, 0x7710d7b4, 0x312bb0d1, 0xfb66197e,\n 0xbd5d7e1b, 0x9c2de167, 0xda168602, 0x105b2fad, 0x566048c8,\n 0xc5c60c29, 0x83fd6b4c, 0x49b0c2e3, 0x0f8ba586, 0x16a0f835,\n 0x509b9f50, 0x9ad636ff, 0xdced519a, 0x4f4b157b, 0x0970721e,\n 0xc33ddbb1, 0x8506bcd4, 0xa47623a8, 0xe24d44cd, 0x2800ed62,\n 0x6e3b8a07, 0xfd9dcee6, 0xbba6a983, 0x71eb002c, 0x37d06749,\n 0x330b3ed5, 0x753059b0, 0xbf7df01f, 0xf946977a, 0x6ae0d39b,\n 0x2cdbb4fe, 0xe6961d51, 0xa0ad7a34, 0x81dde548, 0xc7e6822d,\n 0x0dab2b82, 0x4b904ce7, 0xd8360806, 0x9e0d6f63, 0x5440c6cc,\n 0x127ba1a9, 0x1df0042f, 0x5bcb634a, 0x9186cae5, 0xd7bdad80,\n 0x441be961, 0x02208e04, 0xc86d27ab, 0x8e5640ce, 0xaf26dfb2,\n 0xe91db8d7, 0x23501178, 0x656b761d, 0xf6cd32fc, 0xb0f65599,\n 0x7abbfc36, 0x3c809b53, 0x385bc2cf, 0x7e60a5aa, 0xb42d0c05,\n 0xf2166b60, 0x61b02f81, 0x278b48e4, 0xedc6e14b, 0xabfd862e,\n 0x8a8d1952, 0xccb67e37, 0x06fbd798, 0x40c0b0fd, 0xd366f41c,\n 0x955d9379, 0x5f103ad6, 0x192b5db3, 0x2c40f16b, 0x6a7b960e,\n 0xa0363fa1, 0xe60d58c4, 0x75ab1c25, 0x33907b40, 0xf9ddd2ef,\n 0xbfe6b58a, 0x9e962af6, 0xd8ad4d93, 0x12e0e43c, 0x54db8359,\n 0xc77dc7b8, 0x8146a0dd, 0x4b0b0972, 0x0d306e17, 0x09eb378b,\n 0x4fd050ee, 0x859df941, 0xc3a69e24, 0x5000dac5, 0x163bbda0,\n 0xdc76140f, 0x9a4d736a, 0xbb3dec16, 0xfd068b73, 0x374b22dc,\n 0x717045b9, 0xe2d60158, 0xa4ed663d, 0x6ea0cf92, 0x289ba8f7,\n 0x27100d71, 0x612b6a14, 0xab66c3bb, 0xed5da4de, 0x7efbe03f,\n 0x38c0875a, 0xf28d2ef5, 0xb4b64990, 0x95c6d6ec, 0xd3fdb189,\n 0x19b01826, 0x5f8b7f43, 0xcc2d3ba2, 0x8a165cc7, 0x405bf568,\n 0x0660920d, 0x02bbcb91, 0x4480acf4, 0x8ecd055b, 0xc8f6623e,\n 0x5b5026df, 0x1d6b41ba, 0xd726e815, 0x911d8f70, 0xb06d100c,\n 0xf6567769, 0x3c1bdec6, 0x7a20b9a3, 0xe986fd42, 0xafbd9a27,\n 0x65f03388, 0x23cb54ed, 0x3ae0095e, 0x7cdb6e3b, 0xb696c794,\n 0xf0ada0f1, 0x630be410, 0x25308375, 0xef7d2ada, 0xa9464dbf,\n 0x8836d2c3, 0xce0db5a6, 0x04401c09, 0x427b7b6c, 0xd1dd3f8d,\n 0x97e658e8, 0x5dabf147, 0x1b909622, 0x1f4bcfbe, 0x5970a8db,\n 0x933d0174, 0xd5066611, 0x46a022f0, 0x009b4595, 0xcad6ec3a,\n 0x8ced8b5f, 0xad9d1423, 0xeba67346, 0x21ebdae9, 0x67d0bd8c,\n 0xf476f96d, 0xb24d9e08, 0x780037a7, 0x3e3b50c2, 0x31b0f544,\n 0x778b9221, 0xbdc63b8e, 0xfbfd5ceb, 0x685b180a, 0x2e607f6f,\n 0xe42dd6c0, 0xa216b1a5, 0x83662ed9, 0xc55d49bc, 0x0f10e013,\n 0x492b8776, 0xda8dc397, 0x9cb6a4f2, 0x56fb0d5d, 0x10c06a38,\n 0x141b33a4, 0x522054c1, 0x986dfd6e, 0xde569a0b, 0x4df0deea,\n 0x0bcbb98f, 0xc1861020, 0x87bd7745, 0xa6cde839, 0xe0f68f5c,\n 0x2abb26f3, 0x6c804196, 0xff260577, 0xb91d6212, 0x7350cbbd,\n 0x356bacd8}};\n\n#endif\n\n#endif\n\n#if N == 6\n\n#if W == 8\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0x3db1ecdc, 0x7b63d9b8, 0x46d23564, 0xf6c7b370,\n 0xcb765fac, 0x8da46ac8, 0xb0158614, 0x36fe60a1, 0x0b4f8c7d,\n 0x4d9db919, 0x702c55c5, 0xc039d3d1, 0xfd883f0d, 0xbb5a0a69,\n 0x86ebe6b5, 0x6dfcc142, 0x504d2d9e, 0x169f18fa, 0x2b2ef426,\n 0x9b3b7232, 0xa68a9eee, 0xe058ab8a, 0xdde94756, 0x5b02a1e3,\n 0x66b34d3f, 0x2061785b, 0x1dd09487, 0xadc51293, 0x9074fe4f,\n 0xd6a6cb2b, 0xeb1727f7, 0xdbf98284, 0xe6486e58, 0xa09a5b3c,\n 0x9d2bb7e0, 0x2d3e31f4, 0x108fdd28, 0x565de84c, 0x6bec0490,\n 0xed07e225, 0xd0b60ef9, 0x96643b9d, 0xabd5d741, 0x1bc05155,\n 0x2671bd89, 0x60a388ed, 0x5d126431, 0xb60543c6, 0x8bb4af1a,\n 0xcd669a7e, 0xf0d776a2, 0x40c2f0b6, 0x7d731c6a, 0x3ba1290e,\n 0x0610c5d2, 0x80fb2367, 0xbd4acfbb, 0xfb98fadf, 0xc6291603,\n 0x763c9017, 0x4b8d7ccb, 0x0d5f49af, 0x30eea573, 0x6c820349,\n 0x5133ef95, 0x17e1daf1, 0x2a50362d, 0x9a45b039, 0xa7f45ce5,\n 0xe1266981, 0xdc97855d, 0x5a7c63e8, 0x67cd8f34, 0x211fba50,\n 0x1cae568c, 0xacbbd098, 0x910a3c44, 0xd7d80920, 0xea69e5fc,\n 0x017ec20b, 0x3ccf2ed7, 0x7a1d1bb3, 0x47acf76f, 0xf7b9717b,\n 0xca089da7, 0x8cdaa8c3, 0xb16b441f, 0x3780a2aa, 0x0a314e76,\n 0x4ce37b12, 0x715297ce, 0xc14711da, 0xfcf6fd06, 0xba24c862,\n 0x879524be, 0xb77b81cd, 0x8aca6d11, 0xcc185875, 0xf1a9b4a9,\n 0x41bc32bd, 0x7c0dde61, 0x3adfeb05, 0x076e07d9, 0x8185e16c,\n 0xbc340db0, 0xfae638d4, 0xc757d408, 0x7742521c, 0x4af3bec0,\n 0x0c218ba4, 0x31906778, 0xda87408f, 0xe736ac53, 0xa1e49937,\n 0x9c5575eb, 0x2c40f3ff, 0x11f11f23, 0x57232a47, 0x6a92c69b,\n 0xec79202e, 0xd1c8ccf2, 0x971af996, 0xaaab154a, 0x1abe935e,\n 0x270f7f82, 0x61dd4ae6, 0x5c6ca63a, 0xd9040692, 0xe4b5ea4e,\n 0xa267df2a, 0x9fd633f6, 0x2fc3b5e2, 0x1272593e, 0x54a06c5a,\n 0x69118086, 0xeffa6633, 0xd24b8aef, 0x9499bf8b, 0xa9285357,\n 0x193dd543, 0x248c399f, 0x625e0cfb, 0x5fefe027, 0xb4f8c7d0,\n 0x89492b0c, 0xcf9b1e68, 0xf22af2b4, 0x423f74a0, 0x7f8e987c,\n 0x395cad18, 0x04ed41c4, 0x8206a771, 0xbfb74bad, 0xf9657ec9,\n 0xc4d49215, 0x74c11401, 0x4970f8dd, 0x0fa2cdb9, 0x32132165,\n 0x02fd8416, 0x3f4c68ca, 0x799e5dae, 0x442fb172, 0xf43a3766,\n 0xc98bdbba, 0x8f59eede, 0xb2e80202, 0x3403e4b7, 0x09b2086b,\n 0x4f603d0f, 0x72d1d1d3, 0xc2c457c7, 0xff75bb1b, 0xb9a78e7f,\n 0x841662a3, 0x6f014554, 0x52b0a988, 0x14629cec, 0x29d37030,\n 0x99c6f624, 0xa4771af8, 0xe2a52f9c, 0xdf14c340, 0x59ff25f5,\n 0x644ec929, 0x229cfc4d, 0x1f2d1091, 0xaf389685, 0x92897a59,\n 0xd45b4f3d, 0xe9eaa3e1, 0xb58605db, 0x8837e907, 0xcee5dc63,\n 0xf35430bf, 0x4341b6ab, 0x7ef05a77, 0x38226f13, 0x059383cf,\n 0x8378657a, 0xbec989a6, 0xf81bbcc2, 0xc5aa501e, 0x75bfd60a,\n 0x480e3ad6, 0x0edc0fb2, 0x336de36e, 0xd87ac499, 0xe5cb2845,\n 0xa3191d21, 0x9ea8f1fd, 0x2ebd77e9, 0x130c9b35, 0x55deae51,\n 0x686f428d, 0xee84a438, 0xd33548e4, 0x95e77d80, 0xa856915c,\n 0x18431748, 0x25f2fb94, 0x6320cef0, 0x5e91222c, 0x6e7f875f,\n 0x53ce6b83, 0x151c5ee7, 0x28adb23b, 0x98b8342f, 0xa509d8f3,\n 0xe3dbed97, 0xde6a014b, 0x5881e7fe, 0x65300b22, 0x23e23e46,\n 0x1e53d29a, 0xae46548e, 0x93f7b852, 0xd5258d36, 0xe89461ea,\n 0x0383461d, 0x3e32aac1, 0x78e09fa5, 0x45517379, 0xf544f56d,\n 0xc8f519b1, 0x8e272cd5, 0xb396c009, 0x357d26bc, 0x08ccca60,\n 0x4e1eff04, 0x73af13d8, 0xc3ba95cc, 0xfe0b7910, 0xb8d94c74,\n 0x8568a0a8},\n {0x00000000, 0x69790b65, 0xd2f216ca, 0xbb8b1daf, 0x7e952bd5,\n 0x17ec20b0, 0xac673d1f, 0xc51e367a, 0xfd2a57aa, 0x94535ccf,\n 0x2fd84160, 0x46a14a05, 0x83bf7c7f, 0xeac6771a, 0x514d6ab5,\n 0x383461d0, 0x2125a915, 0x485ca270, 0xf3d7bfdf, 0x9aaeb4ba,\n 0x5fb082c0, 0x36c989a5, 0x8d42940a, 0xe43b9f6f, 0xdc0ffebf,\n 0xb576f5da, 0x0efde875, 0x6784e310, 0xa29ad56a, 0xcbe3de0f,\n 0x7068c3a0, 0x1911c8c5, 0x424b522a, 0x2b32594f, 0x90b944e0,\n 0xf9c04f85, 0x3cde79ff, 0x55a7729a, 0xee2c6f35, 0x87556450,\n 0xbf610580, 0xd6180ee5, 0x6d93134a, 0x04ea182f, 0xc1f42e55,\n 0xa88d2530, 0x1306389f, 0x7a7f33fa, 0x636efb3f, 0x0a17f05a,\n 0xb19cedf5, 0xd8e5e690, 0x1dfbd0ea, 0x7482db8f, 0xcf09c620,\n 0xa670cd45, 0x9e44ac95, 0xf73da7f0, 0x4cb6ba5f, 0x25cfb13a,\n 0xe0d18740, 0x89a88c25, 0x3223918a, 0x5b5a9aef, 0x8496a454,\n 0xedefaf31, 0x5664b29e, 0x3f1db9fb, 0xfa038f81, 0x937a84e4,\n 0x28f1994b, 0x4188922e, 0x79bcf3fe, 0x10c5f89b, 0xab4ee534,\n 0xc237ee51, 0x0729d82b, 0x6e50d34e, 0xd5dbcee1, 0xbca2c584,\n 0xa5b30d41, 0xccca0624, 0x77411b8b, 0x1e3810ee, 0xdb262694,\n 0xb25f2df1, 0x09d4305e, 0x60ad3b3b, 0x58995aeb, 0x31e0518e,\n 0x8a6b4c21, 0xe3124744, 0x260c713e, 0x4f757a5b, 0xf4fe67f4,\n 0x9d876c91, 0xc6ddf67e, 0xafa4fd1b, 0x142fe0b4, 0x7d56ebd1,\n 0xb848ddab, 0xd131d6ce, 0x6abacb61, 0x03c3c004, 0x3bf7a1d4,\n 0x528eaab1, 0xe905b71e, 0x807cbc7b, 0x45628a01, 0x2c1b8164,\n 0x97909ccb, 0xfee997ae, 0xe7f85f6b, 0x8e81540e, 0x350a49a1,\n 0x5c7342c4, 0x996d74be, 0xf0147fdb, 0x4b9f6274, 0x22e66911,\n 0x1ad208c1, 0x73ab03a4, 0xc8201e0b, 0xa159156e, 0x64472314,\n 0x0d3e2871, 0xb6b535de, 0xdfcc3ebb, 0xd25c4ee9, 0xbb25458c,\n 0x00ae5823, 0x69d75346, 0xacc9653c, 0xc5b06e59, 0x7e3b73f6,\n 0x17427893, 0x2f761943, 0x460f1226, 0xfd840f89, 0x94fd04ec,\n 0x51e33296, 0x389a39f3, 0x8311245c, 0xea682f39, 0xf379e7fc,\n 0x9a00ec99, 0x218bf136, 0x48f2fa53, 0x8deccc29, 0xe495c74c,\n 0x5f1edae3, 0x3667d186, 0x0e53b056, 0x672abb33, 0xdca1a69c,\n 0xb5d8adf9, 0x70c69b83, 0x19bf90e6, 0xa2348d49, 0xcb4d862c,\n 0x90171cc3, 0xf96e17a6, 0x42e50a09, 0x2b9c016c, 0xee823716,\n 0x87fb3c73, 0x3c7021dc, 0x55092ab9, 0x6d3d4b69, 0x0444400c,\n 0xbfcf5da3, 0xd6b656c6, 0x13a860bc, 0x7ad16bd9, 0xc15a7676,\n 0xa8237d13, 0xb132b5d6, 0xd84bbeb3, 0x63c0a31c, 0x0ab9a879,\n 0xcfa79e03, 0xa6de9566, 0x1d5588c9, 0x742c83ac, 0x4c18e27c,\n 0x2561e919, 0x9eeaf4b6, 0xf793ffd3, 0x328dc9a9, 0x5bf4c2cc,\n 0xe07fdf63, 0x8906d406, 0x56caeabd, 0x3fb3e1d8, 0x8438fc77,\n 0xed41f712, 0x285fc168, 0x4126ca0d, 0xfaadd7a2, 0x93d4dcc7,\n 0xabe0bd17, 0xc299b672, 0x7912abdd, 0x106ba0b8, 0xd57596c2,\n 0xbc0c9da7, 0x07878008, 0x6efe8b6d, 0x77ef43a8, 0x1e9648cd,\n 0xa51d5562, 0xcc645e07, 0x097a687d, 0x60036318, 0xdb887eb7,\n 0xb2f175d2, 0x8ac51402, 0xe3bc1f67, 0x583702c8, 0x314e09ad,\n 0xf4503fd7, 0x9d2934b2, 0x26a2291d, 0x4fdb2278, 0x1481b897,\n 0x7df8b3f2, 0xc673ae5d, 0xaf0aa538, 0x6a149342, 0x036d9827,\n 0xb8e68588, 0xd19f8eed, 0xe9abef3d, 0x80d2e458, 0x3b59f9f7,\n 0x5220f292, 0x973ec4e8, 0xfe47cf8d, 0x45ccd222, 0x2cb5d947,\n 0x35a41182, 0x5cdd1ae7, 0xe7560748, 0x8e2f0c2d, 0x4b313a57,\n 0x22483132, 0x99c32c9d, 0xf0ba27f8, 0xc88e4628, 0xa1f74d4d,\n 0x1a7c50e2, 0x73055b87, 0xb61b6dfd, 0xdf626698, 0x64e97b37,\n 0x0d907052},\n {0x00000000, 0x7fc99b93, 0xff933726, 0x805aacb5, 0x2457680d,\n 0x5b9ef39e, 0xdbc45f2b, 0xa40dc4b8, 0x48aed01a, 0x37674b89,\n 0xb73de73c, 0xc8f47caf, 0x6cf9b817, 0x13302384, 0x936a8f31,\n 0xeca314a2, 0x915da034, 0xee943ba7, 0x6ece9712, 0x11070c81,\n 0xb50ac839, 0xcac353aa, 0x4a99ff1f, 0x3550648c, 0xd9f3702e,\n 0xa63aebbd, 0x26604708, 0x59a9dc9b, 0xfda41823, 0x826d83b0,\n 0x02372f05, 0x7dfeb496, 0xf9ca4629, 0x8603ddba, 0x0659710f,\n 0x7990ea9c, 0xdd9d2e24, 0xa254b5b7, 0x220e1902, 0x5dc78291,\n 0xb1649633, 0xcead0da0, 0x4ef7a115, 0x313e3a86, 0x9533fe3e,\n 0xeafa65ad, 0x6aa0c918, 0x1569528b, 0x6897e61d, 0x175e7d8e,\n 0x9704d13b, 0xe8cd4aa8, 0x4cc08e10, 0x33091583, 0xb353b936,\n 0xcc9a22a5, 0x20393607, 0x5ff0ad94, 0xdfaa0121, 0xa0639ab2,\n 0x046e5e0a, 0x7ba7c599, 0xfbfd692c, 0x8434f2bf, 0x28e58a13,\n 0x572c1180, 0xd776bd35, 0xa8bf26a6, 0x0cb2e21e, 0x737b798d,\n 0xf321d538, 0x8ce84eab, 0x604b5a09, 0x1f82c19a, 0x9fd86d2f,\n 0xe011f6bc, 0x441c3204, 0x3bd5a997, 0xbb8f0522, 0xc4469eb1,\n 0xb9b82a27, 0xc671b1b4, 0x462b1d01, 0x39e28692, 0x9def422a,\n 0xe226d9b9, 0x627c750c, 0x1db5ee9f, 0xf116fa3d, 0x8edf61ae,\n 0x0e85cd1b, 0x714c5688, 0xd5419230, 0xaa8809a3, 0x2ad2a516,\n 0x551b3e85, 0xd12fcc3a, 0xaee657a9, 0x2ebcfb1c, 0x5175608f,\n 0xf578a437, 0x8ab13fa4, 0x0aeb9311, 0x75220882, 0x99811c20,\n 0xe64887b3, 0x66122b06, 0x19dbb095, 0xbdd6742d, 0xc21fefbe,\n 0x4245430b, 0x3d8cd898, 0x40726c0e, 0x3fbbf79d, 0xbfe15b28,\n 0xc028c0bb, 0x64250403, 0x1bec9f90, 0x9bb63325, 0xe47fa8b6,\n 0x08dcbc14, 0x77152787, 0xf74f8b32, 0x888610a1, 0x2c8bd419,\n 0x53424f8a, 0xd318e33f, 0xacd178ac, 0x51cb1426, 0x2e028fb5,\n 0xae582300, 0xd191b893, 0x759c7c2b, 0x0a55e7b8, 0x8a0f4b0d,\n 0xf5c6d09e, 0x1965c43c, 0x66ac5faf, 0xe6f6f31a, 0x993f6889,\n 0x3d32ac31, 0x42fb37a2, 0xc2a19b17, 0xbd680084, 0xc096b412,\n 0xbf5f2f81, 0x3f058334, 0x40cc18a7, 0xe4c1dc1f, 0x9b08478c,\n 0x1b52eb39, 0x649b70aa, 0x88386408, 0xf7f1ff9b, 0x77ab532e,\n 0x0862c8bd, 0xac6f0c05, 0xd3a69796, 0x53fc3b23, 0x2c35a0b0,\n 0xa801520f, 0xd7c8c99c, 0x57926529, 0x285bfeba, 0x8c563a02,\n 0xf39fa191, 0x73c50d24, 0x0c0c96b7, 0xe0af8215, 0x9f661986,\n 0x1f3cb533, 0x60f52ea0, 0xc4f8ea18, 0xbb31718b, 0x3b6bdd3e,\n 0x44a246ad, 0x395cf23b, 0x469569a8, 0xc6cfc51d, 0xb9065e8e,\n 0x1d0b9a36, 0x62c201a5, 0xe298ad10, 0x9d513683, 0x71f22221,\n 0x0e3bb9b2, 0x8e611507, 0xf1a88e94, 0x55a54a2c, 0x2a6cd1bf,\n 0xaa367d0a, 0xd5ffe699, 0x792e9e35, 0x06e705a6, 0x86bda913,\n 0xf9743280, 0x5d79f638, 0x22b06dab, 0xa2eac11e, 0xdd235a8d,\n 0x31804e2f, 0x4e49d5bc, 0xce137909, 0xb1dae29a, 0x15d72622,\n 0x6a1ebdb1, 0xea441104, 0x958d8a97, 0xe8733e01, 0x97baa592,\n 0x17e00927, 0x682992b4, 0xcc24560c, 0xb3edcd9f, 0x33b7612a,\n 0x4c7efab9, 0xa0ddee1b, 0xdf147588, 0x5f4ed93d, 0x208742ae,\n 0x848a8616, 0xfb431d85, 0x7b19b130, 0x04d02aa3, 0x80e4d81c,\n 0xff2d438f, 0x7f77ef3a, 0x00be74a9, 0xa4b3b011, 0xdb7a2b82,\n 0x5b208737, 0x24e91ca4, 0xc84a0806, 0xb7839395, 0x37d93f20,\n 0x4810a4b3, 0xec1d600b, 0x93d4fb98, 0x138e572d, 0x6c47ccbe,\n 0x11b97828, 0x6e70e3bb, 0xee2a4f0e, 0x91e3d49d, 0x35ee1025,\n 0x4a278bb6, 0xca7d2703, 0xb5b4bc90, 0x5917a832, 0x26de33a1,\n 0xa6849f14, 0xd94d0487, 0x7d40c03f, 0x02895bac, 0x82d3f719,\n 0xfd1a6c8a},\n {0x00000000, 0xa396284c, 0x9c5d56d9, 0x3fcb7e95, 0xe3cbabf3,\n 0x405d83bf, 0x7f96fd2a, 0xdc00d566, 0x1ce651a7, 0xbf7079eb,\n 0x80bb077e, 0x232d2f32, 0xff2dfa54, 0x5cbbd218, 0x6370ac8d,\n 0xc0e684c1, 0x39cca34e, 0x9a5a8b02, 0xa591f597, 0x0607dddb,\n 0xda0708bd, 0x799120f1, 0x465a5e64, 0xe5cc7628, 0x252af2e9,\n 0x86bcdaa5, 0xb977a430, 0x1ae18c7c, 0xc6e1591a, 0x65777156,\n 0x5abc0fc3, 0xf92a278f, 0x7399469c, 0xd00f6ed0, 0xefc41045,\n 0x4c523809, 0x9052ed6f, 0x33c4c523, 0x0c0fbbb6, 0xaf9993fa,\n 0x6f7f173b, 0xcce93f77, 0xf32241e2, 0x50b469ae, 0x8cb4bcc8,\n 0x2f229484, 0x10e9ea11, 0xb37fc25d, 0x4a55e5d2, 0xe9c3cd9e,\n 0xd608b30b, 0x759e9b47, 0xa99e4e21, 0x0a08666d, 0x35c318f8,\n 0x965530b4, 0x56b3b475, 0xf5259c39, 0xcaeee2ac, 0x6978cae0,\n 0xb5781f86, 0x16ee37ca, 0x2925495f, 0x8ab36113, 0xe7328d38,\n 0x44a4a574, 0x7b6fdbe1, 0xd8f9f3ad, 0x04f926cb, 0xa76f0e87,\n 0x98a47012, 0x3b32585e, 0xfbd4dc9f, 0x5842f4d3, 0x67898a46,\n 0xc41fa20a, 0x181f776c, 0xbb895f20, 0x844221b5, 0x27d409f9,\n 0xdefe2e76, 0x7d68063a, 0x42a378af, 0xe13550e3, 0x3d358585,\n 0x9ea3adc9, 0xa168d35c, 0x02fefb10, 0xc2187fd1, 0x618e579d,\n 0x5e452908, 0xfdd30144, 0x21d3d422, 0x8245fc6e, 0xbd8e82fb,\n 0x1e18aab7, 0x94abcba4, 0x373de3e8, 0x08f69d7d, 0xab60b531,\n 0x77606057, 0xd4f6481b, 0xeb3d368e, 0x48ab1ec2, 0x884d9a03,\n 0x2bdbb24f, 0x1410ccda, 0xb786e496, 0x6b8631f0, 0xc81019bc,\n 0xf7db6729, 0x544d4f65, 0xad6768ea, 0x0ef140a6, 0x313a3e33,\n 0x92ac167f, 0x4eacc319, 0xed3aeb55, 0xd2f195c0, 0x7167bd8c,\n 0xb181394d, 0x12171101, 0x2ddc6f94, 0x8e4a47d8, 0x524a92be,\n 0xf1dcbaf2, 0xce17c467, 0x6d81ec2b, 0x15141c31, 0xb682347d,\n 0x89494ae8, 0x2adf62a4, 0xf6dfb7c2, 0x55499f8e, 0x6a82e11b,\n 0xc914c957, 0x09f24d96, 0xaa6465da, 0x95af1b4f, 0x36393303,\n 0xea39e665, 0x49afce29, 0x7664b0bc, 0xd5f298f0, 0x2cd8bf7f,\n 0x8f4e9733, 0xb085e9a6, 0x1313c1ea, 0xcf13148c, 0x6c853cc0,\n 0x534e4255, 0xf0d86a19, 0x303eeed8, 0x93a8c694, 0xac63b801,\n 0x0ff5904d, 0xd3f5452b, 0x70636d67, 0x4fa813f2, 0xec3e3bbe,\n 0x668d5aad, 0xc51b72e1, 0xfad00c74, 0x59462438, 0x8546f15e,\n 0x26d0d912, 0x191ba787, 0xba8d8fcb, 0x7a6b0b0a, 0xd9fd2346,\n 0xe6365dd3, 0x45a0759f, 0x99a0a0f9, 0x3a3688b5, 0x05fdf620,\n 0xa66bde6c, 0x5f41f9e3, 0xfcd7d1af, 0xc31caf3a, 0x608a8776,\n 0xbc8a5210, 0x1f1c7a5c, 0x20d704c9, 0x83412c85, 0x43a7a844,\n 0xe0318008, 0xdffafe9d, 0x7c6cd6d1, 0xa06c03b7, 0x03fa2bfb,\n 0x3c31556e, 0x9fa77d22, 0xf2269109, 0x51b0b945, 0x6e7bc7d0,\n 0xcdedef9c, 0x11ed3afa, 0xb27b12b6, 0x8db06c23, 0x2e26446f,\n 0xeec0c0ae, 0x4d56e8e2, 0x729d9677, 0xd10bbe3b, 0x0d0b6b5d,\n 0xae9d4311, 0x91563d84, 0x32c015c8, 0xcbea3247, 0x687c1a0b,\n 0x57b7649e, 0xf4214cd2, 0x282199b4, 0x8bb7b1f8, 0xb47ccf6d,\n 0x17eae721, 0xd70c63e0, 0x749a4bac, 0x4b513539, 0xe8c71d75,\n 0x34c7c813, 0x9751e05f, 0xa89a9eca, 0x0b0cb686, 0x81bfd795,\n 0x2229ffd9, 0x1de2814c, 0xbe74a900, 0x62747c66, 0xc1e2542a,\n 0xfe292abf, 0x5dbf02f3, 0x9d598632, 0x3ecfae7e, 0x0104d0eb,\n 0xa292f8a7, 0x7e922dc1, 0xdd04058d, 0xe2cf7b18, 0x41595354,\n 0xb87374db, 0x1be55c97, 0x242e2202, 0x87b80a4e, 0x5bb8df28,\n 0xf82ef764, 0xc7e589f1, 0x6473a1bd, 0xa495257c, 0x07030d30,\n 0x38c873a5, 0x9b5e5be9, 0x475e8e8f, 0xe4c8a6c3, 0xdb03d856,\n 0x7895f01a},\n {0x00000000, 0x2a283862, 0x545070c4, 0x7e7848a6, 0xa8a0e188,\n 0x8288d9ea, 0xfcf0914c, 0xd6d8a92e, 0x8a30c551, 0xa018fd33,\n 0xde60b595, 0xf4488df7, 0x229024d9, 0x08b81cbb, 0x76c0541d,\n 0x5ce86c7f, 0xcf108ce3, 0xe538b481, 0x9b40fc27, 0xb168c445,\n 0x67b06d6b, 0x4d985509, 0x33e01daf, 0x19c825cd, 0x452049b2,\n 0x6f0871d0, 0x11703976, 0x3b580114, 0xed80a83a, 0xc7a89058,\n 0xb9d0d8fe, 0x93f8e09c, 0x45501f87, 0x6f7827e5, 0x11006f43,\n 0x3b285721, 0xedf0fe0f, 0xc7d8c66d, 0xb9a08ecb, 0x9388b6a9,\n 0xcf60dad6, 0xe548e2b4, 0x9b30aa12, 0xb1189270, 0x67c03b5e,\n 0x4de8033c, 0x33904b9a, 0x19b873f8, 0x8a409364, 0xa068ab06,\n 0xde10e3a0, 0xf438dbc2, 0x22e072ec, 0x08c84a8e, 0x76b00228,\n 0x5c983a4a, 0x00705635, 0x2a586e57, 0x542026f1, 0x7e081e93,\n 0xa8d0b7bd, 0x82f88fdf, 0xfc80c779, 0xd6a8ff1b, 0x8aa03f0e,\n 0xa088076c, 0xdef04fca, 0xf4d877a8, 0x2200de86, 0x0828e6e4,\n 0x7650ae42, 0x5c789620, 0x0090fa5f, 0x2ab8c23d, 0x54c08a9b,\n 0x7ee8b2f9, 0xa8301bd7, 0x821823b5, 0xfc606b13, 0xd6485371,\n 0x45b0b3ed, 0x6f988b8f, 0x11e0c329, 0x3bc8fb4b, 0xed105265,\n 0xc7386a07, 0xb94022a1, 0x93681ac3, 0xcf8076bc, 0xe5a84ede,\n 0x9bd00678, 0xb1f83e1a, 0x67209734, 0x4d08af56, 0x3370e7f0,\n 0x1958df92, 0xcff02089, 0xe5d818eb, 0x9ba0504d, 0xb188682f,\n 0x6750c101, 0x4d78f963, 0x3300b1c5, 0x192889a7, 0x45c0e5d8,\n 0x6fe8ddba, 0x1190951c, 0x3bb8ad7e, 0xed600450, 0xc7483c32,\n 0xb9307494, 0x93184cf6, 0x00e0ac6a, 0x2ac89408, 0x54b0dcae,\n 0x7e98e4cc, 0xa8404de2, 0x82687580, 0xfc103d26, 0xd6380544,\n 0x8ad0693b, 0xa0f85159, 0xde8019ff, 0xf4a8219d, 0x227088b3,\n 0x0858b0d1, 0x7620f877, 0x5c08c015, 0xce31785d, 0xe419403f,\n 0x9a610899, 0xb04930fb, 0x669199d5, 0x4cb9a1b7, 0x32c1e911,\n 0x18e9d173, 0x4401bd0c, 0x6e29856e, 0x1051cdc8, 0x3a79f5aa,\n 0xeca15c84, 0xc68964e6, 0xb8f12c40, 0x92d91422, 0x0121f4be,\n 0x2b09ccdc, 0x5571847a, 0x7f59bc18, 0xa9811536, 0x83a92d54,\n 0xfdd165f2, 0xd7f95d90, 0x8b1131ef, 0xa139098d, 0xdf41412b,\n 0xf5697949, 0x23b1d067, 0x0999e805, 0x77e1a0a3, 0x5dc998c1,\n 0x8b6167da, 0xa1495fb8, 0xdf31171e, 0xf5192f7c, 0x23c18652,\n 0x09e9be30, 0x7791f696, 0x5db9cef4, 0x0151a28b, 0x2b799ae9,\n 0x5501d24f, 0x7f29ea2d, 0xa9f14303, 0x83d97b61, 0xfda133c7,\n 0xd7890ba5, 0x4471eb39, 0x6e59d35b, 0x10219bfd, 0x3a09a39f,\n 0xecd10ab1, 0xc6f932d3, 0xb8817a75, 0x92a94217, 0xce412e68,\n 0xe469160a, 0x9a115eac, 0xb03966ce, 0x66e1cfe0, 0x4cc9f782,\n 0x32b1bf24, 0x18998746, 0x44914753, 0x6eb97f31, 0x10c13797,\n 0x3ae90ff5, 0xec31a6db, 0xc6199eb9, 0xb861d61f, 0x9249ee7d,\n 0xcea18202, 0xe489ba60, 0x9af1f2c6, 0xb0d9caa4, 0x6601638a,\n 0x4c295be8, 0x3251134e, 0x18792b2c, 0x8b81cbb0, 0xa1a9f3d2,\n 0xdfd1bb74, 0xf5f98316, 0x23212a38, 0x0909125a, 0x77715afc,\n 0x5d59629e, 0x01b10ee1, 0x2b993683, 0x55e17e25, 0x7fc94647,\n 0xa911ef69, 0x8339d70b, 0xfd419fad, 0xd769a7cf, 0x01c158d4,\n 0x2be960b6, 0x55912810, 0x7fb91072, 0xa961b95c, 0x8349813e,\n 0xfd31c998, 0xd719f1fa, 0x8bf19d85, 0xa1d9a5e7, 0xdfa1ed41,\n 0xf589d523, 0x23517c0d, 0x0979446f, 0x77010cc9, 0x5d2934ab,\n 0xced1d437, 0xe4f9ec55, 0x9a81a4f3, 0xb0a99c91, 0x667135bf,\n 0x4c590ddd, 0x3221457b, 0x18097d19, 0x44e11166, 0x6ec92904,\n 0x10b161a2, 0x3a9959c0, 0xec41f0ee, 0xc669c88c, 0xb811802a,\n 0x9239b848},\n {0x00000000, 0x4713f6fb, 0x8e27edf6, 0xc9341b0d, 0xc73eddad,\n 0x802d2b56, 0x4919305b, 0x0e0ac6a0, 0x550cbd1b, 0x121f4be0,\n 0xdb2b50ed, 0x9c38a616, 0x923260b6, 0xd521964d, 0x1c158d40,\n 0x5b067bbb, 0xaa197a36, 0xed0a8ccd, 0x243e97c0, 0x632d613b,\n 0x6d27a79b, 0x2a345160, 0xe3004a6d, 0xa413bc96, 0xff15c72d,\n 0xb80631d6, 0x71322adb, 0x3621dc20, 0x382b1a80, 0x7f38ec7b,\n 0xb60cf776, 0xf11f018d, 0x8f43f22d, 0xc85004d6, 0x01641fdb,\n 0x4677e920, 0x487d2f80, 0x0f6ed97b, 0xc65ac276, 0x8149348d,\n 0xda4f4f36, 0x9d5cb9cd, 0x5468a2c0, 0x137b543b, 0x1d71929b,\n 0x5a626460, 0x93567f6d, 0xd4458996, 0x255a881b, 0x62497ee0,\n 0xab7d65ed, 0xec6e9316, 0xe26455b6, 0xa577a34d, 0x6c43b840,\n 0x2b504ebb, 0x70563500, 0x3745c3fb, 0xfe71d8f6, 0xb9622e0d,\n 0xb768e8ad, 0xf07b1e56, 0x394f055b, 0x7e5cf3a0, 0xc5f6e21b,\n 0x82e514e0, 0x4bd10fed, 0x0cc2f916, 0x02c83fb6, 0x45dbc94d,\n 0x8cefd240, 0xcbfc24bb, 0x90fa5f00, 0xd7e9a9fb, 0x1eddb2f6,\n 0x59ce440d, 0x57c482ad, 0x10d77456, 0xd9e36f5b, 0x9ef099a0,\n 0x6fef982d, 0x28fc6ed6, 0xe1c875db, 0xa6db8320, 0xa8d14580,\n 0xefc2b37b, 0x26f6a876, 0x61e55e8d, 0x3ae32536, 0x7df0d3cd,\n 0xb4c4c8c0, 0xf3d73e3b, 0xfdddf89b, 0xbace0e60, 0x73fa156d,\n 0x34e9e396, 0x4ab51036, 0x0da6e6cd, 0xc492fdc0, 0x83810b3b,\n 0x8d8bcd9b, 0xca983b60, 0x03ac206d, 0x44bfd696, 0x1fb9ad2d,\n 0x58aa5bd6, 0x919e40db, 0xd68db620, 0xd8877080, 0x9f94867b,\n 0x56a09d76, 0x11b36b8d, 0xe0ac6a00, 0xa7bf9cfb, 0x6e8b87f6,\n 0x2998710d, 0x2792b7ad, 0x60814156, 0xa9b55a5b, 0xeea6aca0,\n 0xb5a0d71b, 0xf2b321e0, 0x3b873aed, 0x7c94cc16, 0x729e0ab6,\n 0x358dfc4d, 0xfcb9e740, 0xbbaa11bb, 0x509cc277, 0x178f348c,\n 0xdebb2f81, 0x99a8d97a, 0x97a21fda, 0xd0b1e921, 0x1985f22c,\n 0x5e9604d7, 0x05907f6c, 0x42838997, 0x8bb7929a, 0xcca46461,\n 0xc2aea2c1, 0x85bd543a, 0x4c894f37, 0x0b9ab9cc, 0xfa85b841,\n 0xbd964eba, 0x74a255b7, 0x33b1a34c, 0x3dbb65ec, 0x7aa89317,\n 0xb39c881a, 0xf48f7ee1, 0xaf89055a, 0xe89af3a1, 0x21aee8ac,\n 0x66bd1e57, 0x68b7d8f7, 0x2fa42e0c, 0xe6903501, 0xa183c3fa,\n 0xdfdf305a, 0x98ccc6a1, 0x51f8ddac, 0x16eb2b57, 0x18e1edf7,\n 0x5ff21b0c, 0x96c60001, 0xd1d5f6fa, 0x8ad38d41, 0xcdc07bba,\n 0x04f460b7, 0x43e7964c, 0x4ded50ec, 0x0afea617, 0xc3cabd1a,\n 0x84d94be1, 0x75c64a6c, 0x32d5bc97, 0xfbe1a79a, 0xbcf25161,\n 0xb2f897c1, 0xf5eb613a, 0x3cdf7a37, 0x7bcc8ccc, 0x20caf777,\n 0x67d9018c, 0xaeed1a81, 0xe9feec7a, 0xe7f42ada, 0xa0e7dc21,\n 0x69d3c72c, 0x2ec031d7, 0x956a206c, 0xd279d697, 0x1b4dcd9a,\n 0x5c5e3b61, 0x5254fdc1, 0x15470b3a, 0xdc731037, 0x9b60e6cc,\n 0xc0669d77, 0x87756b8c, 0x4e417081, 0x0952867a, 0x075840da,\n 0x404bb621, 0x897fad2c, 0xce6c5bd7, 0x3f735a5a, 0x7860aca1,\n 0xb154b7ac, 0xf6474157, 0xf84d87f7, 0xbf5e710c, 0x766a6a01,\n 0x31799cfa, 0x6a7fe741, 0x2d6c11ba, 0xe4580ab7, 0xa34bfc4c,\n 0xad413aec, 0xea52cc17, 0x2366d71a, 0x647521e1, 0x1a29d241,\n 0x5d3a24ba, 0x940e3fb7, 0xd31dc94c, 0xdd170fec, 0x9a04f917,\n 0x5330e21a, 0x142314e1, 0x4f256f5a, 0x083699a1, 0xc10282ac,\n 0x86117457, 0x881bb2f7, 0xcf08440c, 0x063c5f01, 0x412fa9fa,\n 0xb030a877, 0xf7235e8c, 0x3e174581, 0x7904b37a, 0x770e75da,\n 0x301d8321, 0xf929982c, 0xbe3a6ed7, 0xe53c156c, 0xa22fe397,\n 0x6b1bf89a, 0x2c080e61, 0x2202c8c1, 0x65113e3a, 0xac252537,\n 0xeb36d3cc},\n {0x00000000, 0xa13984ee, 0x99020f9d, 0x383b8b73, 0xe975197b,\n 0x484c9d95, 0x707716e6, 0xd14e9208, 0x099b34b7, 0xa8a2b059,\n 0x90993b2a, 0x31a0bfc4, 0xe0ee2dcc, 0x41d7a922, 0x79ec2251,\n 0xd8d5a6bf, 0x1336696e, 0xb20fed80, 0x8a3466f3, 0x2b0de21d,\n 0xfa437015, 0x5b7af4fb, 0x63417f88, 0xc278fb66, 0x1aad5dd9,\n 0xbb94d937, 0x83af5244, 0x2296d6aa, 0xf3d844a2, 0x52e1c04c,\n 0x6ada4b3f, 0xcbe3cfd1, 0x266cd2dc, 0x87555632, 0xbf6edd41,\n 0x1e5759af, 0xcf19cba7, 0x6e204f49, 0x561bc43a, 0xf72240d4,\n 0x2ff7e66b, 0x8ece6285, 0xb6f5e9f6, 0x17cc6d18, 0xc682ff10,\n 0x67bb7bfe, 0x5f80f08d, 0xfeb97463, 0x355abbb2, 0x94633f5c,\n 0xac58b42f, 0x0d6130c1, 0xdc2fa2c9, 0x7d162627, 0x452dad54,\n 0xe41429ba, 0x3cc18f05, 0x9df80beb, 0xa5c38098, 0x04fa0476,\n 0xd5b4967e, 0x748d1290, 0x4cb699e3, 0xed8f1d0d, 0x4cd9a5b8,\n 0xede02156, 0xd5dbaa25, 0x74e22ecb, 0xa5acbcc3, 0x0495382d,\n 0x3caeb35e, 0x9d9737b0, 0x4542910f, 0xe47b15e1, 0xdc409e92,\n 0x7d791a7c, 0xac378874, 0x0d0e0c9a, 0x353587e9, 0x940c0307,\n 0x5fefccd6, 0xfed64838, 0xc6edc34b, 0x67d447a5, 0xb69ad5ad,\n 0x17a35143, 0x2f98da30, 0x8ea15ede, 0x5674f861, 0xf74d7c8f,\n 0xcf76f7fc, 0x6e4f7312, 0xbf01e11a, 0x1e3865f4, 0x2603ee87,\n 0x873a6a69, 0x6ab57764, 0xcb8cf38a, 0xf3b778f9, 0x528efc17,\n 0x83c06e1f, 0x22f9eaf1, 0x1ac26182, 0xbbfbe56c, 0x632e43d3,\n 0xc217c73d, 0xfa2c4c4e, 0x5b15c8a0, 0x8a5b5aa8, 0x2b62de46,\n 0x13595535, 0xb260d1db, 0x79831e0a, 0xd8ba9ae4, 0xe0811197,\n 0x41b89579, 0x90f60771, 0x31cf839f, 0x09f408ec, 0xa8cd8c02,\n 0x70182abd, 0xd121ae53, 0xe91a2520, 0x4823a1ce, 0x996d33c6,\n 0x3854b728, 0x006f3c5b, 0xa156b8b5, 0x99b34b70, 0x388acf9e,\n 0x00b144ed, 0xa188c003, 0x70c6520b, 0xd1ffd6e5, 0xe9c45d96,\n 0x48fdd978, 0x90287fc7, 0x3111fb29, 0x092a705a, 0xa813f4b4,\n 0x795d66bc, 0xd864e252, 0xe05f6921, 0x4166edcf, 0x8a85221e,\n 0x2bbca6f0, 0x13872d83, 0xb2bea96d, 0x63f03b65, 0xc2c9bf8b,\n 0xfaf234f8, 0x5bcbb016, 0x831e16a9, 0x22279247, 0x1a1c1934,\n 0xbb259dda, 0x6a6b0fd2, 0xcb528b3c, 0xf369004f, 0x525084a1,\n 0xbfdf99ac, 0x1ee61d42, 0x26dd9631, 0x87e412df, 0x56aa80d7,\n 0xf7930439, 0xcfa88f4a, 0x6e910ba4, 0xb644ad1b, 0x177d29f5,\n 0x2f46a286, 0x8e7f2668, 0x5f31b460, 0xfe08308e, 0xc633bbfd,\n 0x670a3f13, 0xace9f0c2, 0x0dd0742c, 0x35ebff5f, 0x94d27bb1,\n 0x459ce9b9, 0xe4a56d57, 0xdc9ee624, 0x7da762ca, 0xa572c475,\n 0x044b409b, 0x3c70cbe8, 0x9d494f06, 0x4c07dd0e, 0xed3e59e0,\n 0xd505d293, 0x743c567d, 0xd56aeec8, 0x74536a26, 0x4c68e155,\n 0xed5165bb, 0x3c1ff7b3, 0x9d26735d, 0xa51df82e, 0x04247cc0,\n 0xdcf1da7f, 0x7dc85e91, 0x45f3d5e2, 0xe4ca510c, 0x3584c304,\n 0x94bd47ea, 0xac86cc99, 0x0dbf4877, 0xc65c87a6, 0x67650348,\n 0x5f5e883b, 0xfe670cd5, 0x2f299edd, 0x8e101a33, 0xb62b9140,\n 0x171215ae, 0xcfc7b311, 0x6efe37ff, 0x56c5bc8c, 0xf7fc3862,\n 0x26b2aa6a, 0x878b2e84, 0xbfb0a5f7, 0x1e892119, 0xf3063c14,\n 0x523fb8fa, 0x6a043389, 0xcb3db767, 0x1a73256f, 0xbb4aa181,\n 0x83712af2, 0x2248ae1c, 0xfa9d08a3, 0x5ba48c4d, 0x639f073e,\n 0xc2a683d0, 0x13e811d8, 0xb2d19536, 0x8aea1e45, 0x2bd39aab,\n 0xe030557a, 0x4109d194, 0x79325ae7, 0xd80bde09, 0x09454c01,\n 0xa87cc8ef, 0x9047439c, 0x317ec772, 0xe9ab61cd, 0x4892e523,\n 0x70a96e50, 0xd190eabe, 0x00de78b6, 0xa1e7fc58, 0x99dc772b,\n 0x38e5f3c5},\n {0x00000000, 0xe81790a1, 0x0b5e2703, 0xe349b7a2, 0x16bc4e06,\n 0xfeabdea7, 0x1de26905, 0xf5f5f9a4, 0x2d789c0c, 0xc56f0cad,\n 0x2626bb0f, 0xce312bae, 0x3bc4d20a, 0xd3d342ab, 0x309af509,\n 0xd88d65a8, 0x5af13818, 0xb2e6a8b9, 0x51af1f1b, 0xb9b88fba,\n 0x4c4d761e, 0xa45ae6bf, 0x4713511d, 0xaf04c1bc, 0x7789a414,\n 0x9f9e34b5, 0x7cd78317, 0x94c013b6, 0x6135ea12, 0x89227ab3,\n 0x6a6bcd11, 0x827c5db0, 0xb5e27030, 0x5df5e091, 0xbebc5733,\n 0x56abc792, 0xa35e3e36, 0x4b49ae97, 0xa8001935, 0x40178994,\n 0x989aec3c, 0x708d7c9d, 0x93c4cb3f, 0x7bd35b9e, 0x8e26a23a,\n 0x6631329b, 0x85788539, 0x6d6f1598, 0xef134828, 0x0704d889,\n 0xe44d6f2b, 0x0c5aff8a, 0xf9af062e, 0x11b8968f, 0xf2f1212d,\n 0x1ae6b18c, 0xc26bd424, 0x2a7c4485, 0xc935f327, 0x21226386,\n 0xd4d79a22, 0x3cc00a83, 0xdf89bd21, 0x379e2d80, 0xb0b5e621,\n 0x58a27680, 0xbbebc122, 0x53fc5183, 0xa609a827, 0x4e1e3886,\n 0xad578f24, 0x45401f85, 0x9dcd7a2d, 0x75daea8c, 0x96935d2e,\n 0x7e84cd8f, 0x8b71342b, 0x6366a48a, 0x802f1328, 0x68388389,\n 0xea44de39, 0x02534e98, 0xe11af93a, 0x090d699b, 0xfcf8903f,\n 0x14ef009e, 0xf7a6b73c, 0x1fb1279d, 0xc73c4235, 0x2f2bd294,\n 0xcc626536, 0x2475f597, 0xd1800c33, 0x39979c92, 0xdade2b30,\n 0x32c9bb91, 0x05579611, 0xed4006b0, 0x0e09b112, 0xe61e21b3,\n 0x13ebd817, 0xfbfc48b6, 0x18b5ff14, 0xf0a26fb5, 0x282f0a1d,\n 0xc0389abc, 0x23712d1e, 0xcb66bdbf, 0x3e93441b, 0xd684d4ba,\n 0x35cd6318, 0xdddaf3b9, 0x5fa6ae09, 0xb7b13ea8, 0x54f8890a,\n 0xbcef19ab, 0x491ae00f, 0xa10d70ae, 0x4244c70c, 0xaa5357ad,\n 0x72de3205, 0x9ac9a2a4, 0x79801506, 0x919785a7, 0x64627c03,\n 0x8c75eca2, 0x6f3c5b00, 0x872bcba1, 0xba1aca03, 0x520d5aa2,\n 0xb144ed00, 0x59537da1, 0xaca68405, 0x44b114a4, 0xa7f8a306,\n 0x4fef33a7, 0x9762560f, 0x7f75c6ae, 0x9c3c710c, 0x742be1ad,\n 0x81de1809, 0x69c988a8, 0x8a803f0a, 0x6297afab, 0xe0ebf21b,\n 0x08fc62ba, 0xebb5d518, 0x03a245b9, 0xf657bc1d, 0x1e402cbc,\n 0xfd099b1e, 0x151e0bbf, 0xcd936e17, 0x2584feb6, 0xc6cd4914,\n 0x2edad9b5, 0xdb2f2011, 0x3338b0b0, 0xd0710712, 0x386697b3,\n 0x0ff8ba33, 0xe7ef2a92, 0x04a69d30, 0xecb10d91, 0x1944f435,\n 0xf1536494, 0x121ad336, 0xfa0d4397, 0x2280263f, 0xca97b69e,\n 0x29de013c, 0xc1c9919d, 0x343c6839, 0xdc2bf898, 0x3f624f3a,\n 0xd775df9b, 0x5509822b, 0xbd1e128a, 0x5e57a528, 0xb6403589,\n 0x43b5cc2d, 0xaba25c8c, 0x48ebeb2e, 0xa0fc7b8f, 0x78711e27,\n 0x90668e86, 0x732f3924, 0x9b38a985, 0x6ecd5021, 0x86dac080,\n 0x65937722, 0x8d84e783, 0x0aaf2c22, 0xe2b8bc83, 0x01f10b21,\n 0xe9e69b80, 0x1c136224, 0xf404f285, 0x174d4527, 0xff5ad586,\n 0x27d7b02e, 0xcfc0208f, 0x2c89972d, 0xc49e078c, 0x316bfe28,\n 0xd97c6e89, 0x3a35d92b, 0xd222498a, 0x505e143a, 0xb849849b,\n 0x5b003339, 0xb317a398, 0x46e25a3c, 0xaef5ca9d, 0x4dbc7d3f,\n 0xa5abed9e, 0x7d268836, 0x95311897, 0x7678af35, 0x9e6f3f94,\n 0x6b9ac630, 0x838d5691, 0x60c4e133, 0x88d37192, 0xbf4d5c12,\n 0x575accb3, 0xb4137b11, 0x5c04ebb0, 0xa9f11214, 0x41e682b5,\n 0xa2af3517, 0x4ab8a5b6, 0x9235c01e, 0x7a2250bf, 0x996be71d,\n 0x717c77bc, 0x84898e18, 0x6c9e1eb9, 0x8fd7a91b, 0x67c039ba,\n 0xe5bc640a, 0x0dabf4ab, 0xeee24309, 0x06f5d3a8, 0xf3002a0c,\n 0x1b17baad, 0xf85e0d0f, 0x10499dae, 0xc8c4f806, 0x20d368a7,\n 0xc39adf05, 0x2b8d4fa4, 0xde78b600, 0x366f26a1, 0xd5269103,\n 0x3d3101a2}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x0000000000000000, 0xa19017e800000000, 0x03275e0b00000000,\n 0xa2b749e300000000, 0x064ebc1600000000, 0xa7deabfe00000000,\n 0x0569e21d00000000, 0xa4f9f5f500000000, 0x0c9c782d00000000,\n 0xad0c6fc500000000, 0x0fbb262600000000, 0xae2b31ce00000000,\n 0x0ad2c43b00000000, 0xab42d3d300000000, 0x09f59a3000000000,\n 0xa8658dd800000000, 0x1838f15a00000000, 0xb9a8e6b200000000,\n 0x1b1faf5100000000, 0xba8fb8b900000000, 0x1e764d4c00000000,\n 0xbfe65aa400000000, 0x1d51134700000000, 0xbcc104af00000000,\n 0x14a4897700000000, 0xb5349e9f00000000, 0x1783d77c00000000,\n 0xb613c09400000000, 0x12ea356100000000, 0xb37a228900000000,\n 0x11cd6b6a00000000, 0xb05d7c8200000000, 0x3070e2b500000000,\n 0x91e0f55d00000000, 0x3357bcbe00000000, 0x92c7ab5600000000,\n 0x363e5ea300000000, 0x97ae494b00000000, 0x351900a800000000,\n 0x9489174000000000, 0x3cec9a9800000000, 0x9d7c8d7000000000,\n 0x3fcbc49300000000, 0x9e5bd37b00000000, 0x3aa2268e00000000,\n 0x9b32316600000000, 0x3985788500000000, 0x98156f6d00000000,\n 0x284813ef00000000, 0x89d8040700000000, 0x2b6f4de400000000,\n 0x8aff5a0c00000000, 0x2e06aff900000000, 0x8f96b81100000000,\n 0x2d21f1f200000000, 0x8cb1e61a00000000, 0x24d46bc200000000,\n 0x85447c2a00000000, 0x27f335c900000000, 0x8663222100000000,\n 0x229ad7d400000000, 0x830ac03c00000000, 0x21bd89df00000000,\n 0x802d9e3700000000, 0x21e6b5b000000000, 0x8076a25800000000,\n 0x22c1ebbb00000000, 0x8351fc5300000000, 0x27a809a600000000,\n 0x86381e4e00000000, 0x248f57ad00000000, 0x851f404500000000,\n 0x2d7acd9d00000000, 0x8ceada7500000000, 0x2e5d939600000000,\n 0x8fcd847e00000000, 0x2b34718b00000000, 0x8aa4666300000000,\n 0x28132f8000000000, 0x8983386800000000, 0x39de44ea00000000,\n 0x984e530200000000, 0x3af91ae100000000, 0x9b690d0900000000,\n 0x3f90f8fc00000000, 0x9e00ef1400000000, 0x3cb7a6f700000000,\n 0x9d27b11f00000000, 0x35423cc700000000, 0x94d22b2f00000000,\n 0x366562cc00000000, 0x97f5752400000000, 0x330c80d100000000,\n 0x929c973900000000, 0x302bdeda00000000, 0x91bbc93200000000,\n 0x1196570500000000, 0xb00640ed00000000, 0x12b1090e00000000,\n 0xb3211ee600000000, 0x17d8eb1300000000, 0xb648fcfb00000000,\n 0x14ffb51800000000, 0xb56fa2f000000000, 0x1d0a2f2800000000,\n 0xbc9a38c000000000, 0x1e2d712300000000, 0xbfbd66cb00000000,\n 0x1b44933e00000000, 0xbad484d600000000, 0x1863cd3500000000,\n 0xb9f3dadd00000000, 0x09aea65f00000000, 0xa83eb1b700000000,\n 0x0a89f85400000000, 0xab19efbc00000000, 0x0fe01a4900000000,\n 0xae700da100000000, 0x0cc7444200000000, 0xad5753aa00000000,\n 0x0532de7200000000, 0xa4a2c99a00000000, 0x0615807900000000,\n 0xa785979100000000, 0x037c626400000000, 0xa2ec758c00000000,\n 0x005b3c6f00000000, 0xa1cb2b8700000000, 0x03ca1aba00000000,\n 0xa25a0d5200000000, 0x00ed44b100000000, 0xa17d535900000000,\n 0x0584a6ac00000000, 0xa414b14400000000, 0x06a3f8a700000000,\n 0xa733ef4f00000000, 0x0f56629700000000, 0xaec6757f00000000,\n 0x0c713c9c00000000, 0xade12b7400000000, 0x0918de8100000000,\n 0xa888c96900000000, 0x0a3f808a00000000, 0xabaf976200000000,\n 0x1bf2ebe000000000, 0xba62fc0800000000, 0x18d5b5eb00000000,\n 0xb945a20300000000, 0x1dbc57f600000000, 0xbc2c401e00000000,\n 0x1e9b09fd00000000, 0xbf0b1e1500000000, 0x176e93cd00000000,\n 0xb6fe842500000000, 0x1449cdc600000000, 0xb5d9da2e00000000,\n 0x11202fdb00000000, 0xb0b0383300000000, 0x120771d000000000,\n 0xb397663800000000, 0x33baf80f00000000, 0x922aefe700000000,\n 0x309da60400000000, 0x910db1ec00000000, 0x35f4441900000000,\n 0x946453f100000000, 0x36d31a1200000000, 0x97430dfa00000000,\n 0x3f26802200000000, 0x9eb697ca00000000, 0x3c01de2900000000,\n 0x9d91c9c100000000, 0x39683c3400000000, 0x98f82bdc00000000,\n 0x3a4f623f00000000, 0x9bdf75d700000000, 0x2b82095500000000,\n 0x8a121ebd00000000, 0x28a5575e00000000, 0x893540b600000000,\n 0x2dccb54300000000, 0x8c5ca2ab00000000, 0x2eebeb4800000000,\n 0x8f7bfca000000000, 0x271e717800000000, 0x868e669000000000,\n 0x24392f7300000000, 0x85a9389b00000000, 0x2150cd6e00000000,\n 0x80c0da8600000000, 0x2277936500000000, 0x83e7848d00000000,\n 0x222caf0a00000000, 0x83bcb8e200000000, 0x210bf10100000000,\n 0x809be6e900000000, 0x2462131c00000000, 0x85f204f400000000,\n 0x27454d1700000000, 0x86d55aff00000000, 0x2eb0d72700000000,\n 0x8f20c0cf00000000, 0x2d97892c00000000, 0x8c079ec400000000,\n 0x28fe6b3100000000, 0x896e7cd900000000, 0x2bd9353a00000000,\n 0x8a4922d200000000, 0x3a145e5000000000, 0x9b8449b800000000,\n 0x3933005b00000000, 0x98a317b300000000, 0x3c5ae24600000000,\n 0x9dcaf5ae00000000, 0x3f7dbc4d00000000, 0x9eedaba500000000,\n 0x3688267d00000000, 0x9718319500000000, 0x35af787600000000,\n 0x943f6f9e00000000, 0x30c69a6b00000000, 0x91568d8300000000,\n 0x33e1c46000000000, 0x9271d38800000000, 0x125c4dbf00000000,\n 0xb3cc5a5700000000, 0x117b13b400000000, 0xb0eb045c00000000,\n 0x1412f1a900000000, 0xb582e64100000000, 0x1735afa200000000,\n 0xb6a5b84a00000000, 0x1ec0359200000000, 0xbf50227a00000000,\n 0x1de76b9900000000, 0xbc777c7100000000, 0x188e898400000000,\n 0xb91e9e6c00000000, 0x1ba9d78f00000000, 0xba39c06700000000,\n 0x0a64bce500000000, 0xabf4ab0d00000000, 0x0943e2ee00000000,\n 0xa8d3f50600000000, 0x0c2a00f300000000, 0xadba171b00000000,\n 0x0f0d5ef800000000, 0xae9d491000000000, 0x06f8c4c800000000,\n 0xa768d32000000000, 0x05df9ac300000000, 0xa44f8d2b00000000,\n 0x00b678de00000000, 0xa1266f3600000000, 0x039126d500000000,\n 0xa201313d00000000},\n {0x0000000000000000, 0xee8439a100000000, 0x9d0f029900000000,\n 0x738b3b3800000000, 0x7b1975e900000000, 0x959d4c4800000000,\n 0xe616777000000000, 0x08924ed100000000, 0xb7349b0900000000,\n 0x59b0a2a800000000, 0x2a3b999000000000, 0xc4bfa03100000000,\n 0xcc2deee000000000, 0x22a9d74100000000, 0x5122ec7900000000,\n 0xbfa6d5d800000000, 0x6e69361300000000, 0x80ed0fb200000000,\n 0xf366348a00000000, 0x1de20d2b00000000, 0x157043fa00000000,\n 0xfbf47a5b00000000, 0x887f416300000000, 0x66fb78c200000000,\n 0xd95dad1a00000000, 0x37d994bb00000000, 0x4452af8300000000,\n 0xaad6962200000000, 0xa244d8f300000000, 0x4cc0e15200000000,\n 0x3f4bda6a00000000, 0xd1cfe3cb00000000, 0xdcd26c2600000000,\n 0x3256558700000000, 0x41dd6ebf00000000, 0xaf59571e00000000,\n 0xa7cb19cf00000000, 0x494f206e00000000, 0x3ac41b5600000000,\n 0xd44022f700000000, 0x6be6f72f00000000, 0x8562ce8e00000000,\n 0xf6e9f5b600000000, 0x186dcc1700000000, 0x10ff82c600000000,\n 0xfe7bbb6700000000, 0x8df0805f00000000, 0x6374b9fe00000000,\n 0xb2bb5a3500000000, 0x5c3f639400000000, 0x2fb458ac00000000,\n 0xc130610d00000000, 0xc9a22fdc00000000, 0x2726167d00000000,\n 0x54ad2d4500000000, 0xba2914e400000000, 0x058fc13c00000000,\n 0xeb0bf89d00000000, 0x9880c3a500000000, 0x7604fa0400000000,\n 0x7e96b4d500000000, 0x90128d7400000000, 0xe399b64c00000000,\n 0x0d1d8fed00000000, 0xb8a5d94c00000000, 0x5621e0ed00000000,\n 0x25aadbd500000000, 0xcb2ee27400000000, 0xc3bcaca500000000,\n 0x2d38950400000000, 0x5eb3ae3c00000000, 0xb037979d00000000,\n 0x0f91424500000000, 0xe1157be400000000, 0x929e40dc00000000,\n 0x7c1a797d00000000, 0x748837ac00000000, 0x9a0c0e0d00000000,\n 0xe987353500000000, 0x07030c9400000000, 0xd6ccef5f00000000,\n 0x3848d6fe00000000, 0x4bc3edc600000000, 0xa547d46700000000,\n 0xadd59ab600000000, 0x4351a31700000000, 0x30da982f00000000,\n 0xde5ea18e00000000, 0x61f8745600000000, 0x8f7c4df700000000,\n 0xfcf776cf00000000, 0x12734f6e00000000, 0x1ae101bf00000000,\n 0xf465381e00000000, 0x87ee032600000000, 0x696a3a8700000000,\n 0x6477b56a00000000, 0x8af38ccb00000000, 0xf978b7f300000000,\n 0x17fc8e5200000000, 0x1f6ec08300000000, 0xf1eaf92200000000,\n 0x8261c21a00000000, 0x6ce5fbbb00000000, 0xd3432e6300000000,\n 0x3dc717c200000000, 0x4e4c2cfa00000000, 0xa0c8155b00000000,\n 0xa85a5b8a00000000, 0x46de622b00000000, 0x3555591300000000,\n 0xdbd160b200000000, 0x0a1e837900000000, 0xe49abad800000000,\n 0x971181e000000000, 0x7995b84100000000, 0x7107f69000000000,\n 0x9f83cf3100000000, 0xec08f40900000000, 0x028ccda800000000,\n 0xbd2a187000000000, 0x53ae21d100000000, 0x20251ae900000000,\n 0xcea1234800000000, 0xc6336d9900000000, 0x28b7543800000000,\n 0x5b3c6f0000000000, 0xb5b856a100000000, 0x704bb39900000000,\n 0x9ecf8a3800000000, 0xed44b10000000000, 0x03c088a100000000,\n 0x0b52c67000000000, 0xe5d6ffd100000000, 0x965dc4e900000000,\n 0x78d9fd4800000000, 0xc77f289000000000, 0x29fb113100000000,\n 0x5a702a0900000000, 0xb4f413a800000000, 0xbc665d7900000000,\n 0x52e264d800000000, 0x21695fe000000000, 0xcfed664100000000,\n 0x1e22858a00000000, 0xf0a6bc2b00000000, 0x832d871300000000,\n 0x6da9beb200000000, 0x653bf06300000000, 0x8bbfc9c200000000,\n 0xf834f2fa00000000, 0x16b0cb5b00000000, 0xa9161e8300000000,\n 0x4792272200000000, 0x34191c1a00000000, 0xda9d25bb00000000,\n 0xd20f6b6a00000000, 0x3c8b52cb00000000, 0x4f0069f300000000,\n 0xa184505200000000, 0xac99dfbf00000000, 0x421de61e00000000,\n 0x3196dd2600000000, 0xdf12e48700000000, 0xd780aa5600000000,\n 0x390493f700000000, 0x4a8fa8cf00000000, 0xa40b916e00000000,\n 0x1bad44b600000000, 0xf5297d1700000000, 0x86a2462f00000000,\n 0x68267f8e00000000, 0x60b4315f00000000, 0x8e3008fe00000000,\n 0xfdbb33c600000000, 0x133f0a6700000000, 0xc2f0e9ac00000000,\n 0x2c74d00d00000000, 0x5fffeb3500000000, 0xb17bd29400000000,\n 0xb9e99c4500000000, 0x576da5e400000000, 0x24e69edc00000000,\n 0xca62a77d00000000, 0x75c472a500000000, 0x9b404b0400000000,\n 0xe8cb703c00000000, 0x064f499d00000000, 0x0edd074c00000000,\n 0xe0593eed00000000, 0x93d205d500000000, 0x7d563c7400000000,\n 0xc8ee6ad500000000, 0x266a537400000000, 0x55e1684c00000000,\n 0xbb6551ed00000000, 0xb3f71f3c00000000, 0x5d73269d00000000,\n 0x2ef81da500000000, 0xc07c240400000000, 0x7fdaf1dc00000000,\n 0x915ec87d00000000, 0xe2d5f34500000000, 0x0c51cae400000000,\n 0x04c3843500000000, 0xea47bd9400000000, 0x99cc86ac00000000,\n 0x7748bf0d00000000, 0xa6875cc600000000, 0x4803656700000000,\n 0x3b885e5f00000000, 0xd50c67fe00000000, 0xdd9e292f00000000,\n 0x331a108e00000000, 0x40912bb600000000, 0xae15121700000000,\n 0x11b3c7cf00000000, 0xff37fe6e00000000, 0x8cbcc55600000000,\n 0x6238fcf700000000, 0x6aaab22600000000, 0x842e8b8700000000,\n 0xf7a5b0bf00000000, 0x1921891e00000000, 0x143c06f300000000,\n 0xfab83f5200000000, 0x8933046a00000000, 0x67b73dcb00000000,\n 0x6f25731a00000000, 0x81a14abb00000000, 0xf22a718300000000,\n 0x1cae482200000000, 0xa3089dfa00000000, 0x4d8ca45b00000000,\n 0x3e079f6300000000, 0xd083a6c200000000, 0xd811e81300000000,\n 0x3695d1b200000000, 0x451eea8a00000000, 0xab9ad32b00000000,\n 0x7a5530e000000000, 0x94d1094100000000, 0xe75a327900000000,\n 0x09de0bd800000000, 0x014c450900000000, 0xefc87ca800000000,\n 0x9c43479000000000, 0x72c77e3100000000, 0xcd61abe900000000,\n 0x23e5924800000000, 0x506ea97000000000, 0xbeea90d100000000,\n 0xb678de0000000000, 0x58fce7a100000000, 0x2b77dc9900000000,\n 0xc5f3e53800000000},\n {0x0000000000000000, 0xfbf6134700000000, 0xf6ed278e00000000,\n 0x0d1b34c900000000, 0xaddd3ec700000000, 0x562b2d8000000000,\n 0x5b30194900000000, 0xa0c60a0e00000000, 0x1bbd0c5500000000,\n 0xe04b1f1200000000, 0xed502bdb00000000, 0x16a6389c00000000,\n 0xb660329200000000, 0x4d9621d500000000, 0x408d151c00000000,\n 0xbb7b065b00000000, 0x367a19aa00000000, 0xcd8c0aed00000000,\n 0xc0973e2400000000, 0x3b612d6300000000, 0x9ba7276d00000000,\n 0x6051342a00000000, 0x6d4a00e300000000, 0x96bc13a400000000,\n 0x2dc715ff00000000, 0xd63106b800000000, 0xdb2a327100000000,\n 0x20dc213600000000, 0x801a2b3800000000, 0x7bec387f00000000,\n 0x76f70cb600000000, 0x8d011ff100000000, 0x2df2438f00000000,\n 0xd60450c800000000, 0xdb1f640100000000, 0x20e9774600000000,\n 0x802f7d4800000000, 0x7bd96e0f00000000, 0x76c25ac600000000,\n 0x8d34498100000000, 0x364f4fda00000000, 0xcdb95c9d00000000,\n 0xc0a2685400000000, 0x3b547b1300000000, 0x9b92711d00000000,\n 0x6064625a00000000, 0x6d7f569300000000, 0x968945d400000000,\n 0x1b885a2500000000, 0xe07e496200000000, 0xed657dab00000000,\n 0x16936eec00000000, 0xb65564e200000000, 0x4da377a500000000,\n 0x40b8436c00000000, 0xbb4e502b00000000, 0x0035567000000000,\n 0xfbc3453700000000, 0xf6d871fe00000000, 0x0d2e62b900000000,\n 0xade868b700000000, 0x561e7bf000000000, 0x5b054f3900000000,\n 0xa0f35c7e00000000, 0x1be2f6c500000000, 0xe014e58200000000,\n 0xed0fd14b00000000, 0x16f9c20c00000000, 0xb63fc80200000000,\n 0x4dc9db4500000000, 0x40d2ef8c00000000, 0xbb24fccb00000000,\n 0x005ffa9000000000, 0xfba9e9d700000000, 0xf6b2dd1e00000000,\n 0x0d44ce5900000000, 0xad82c45700000000, 0x5674d71000000000,\n 0x5b6fe3d900000000, 0xa099f09e00000000, 0x2d98ef6f00000000,\n 0xd66efc2800000000, 0xdb75c8e100000000, 0x2083dba600000000,\n 0x8045d1a800000000, 0x7bb3c2ef00000000, 0x76a8f62600000000,\n 0x8d5ee56100000000, 0x3625e33a00000000, 0xcdd3f07d00000000,\n 0xc0c8c4b400000000, 0x3b3ed7f300000000, 0x9bf8ddfd00000000,\n 0x600eceba00000000, 0x6d15fa7300000000, 0x96e3e93400000000,\n 0x3610b54a00000000, 0xcde6a60d00000000, 0xc0fd92c400000000,\n 0x3b0b818300000000, 0x9bcd8b8d00000000, 0x603b98ca00000000,\n 0x6d20ac0300000000, 0x96d6bf4400000000, 0x2dadb91f00000000,\n 0xd65baa5800000000, 0xdb409e9100000000, 0x20b68dd600000000,\n 0x807087d800000000, 0x7b86949f00000000, 0x769da05600000000,\n 0x8d6bb31100000000, 0x006aace000000000, 0xfb9cbfa700000000,\n 0xf6878b6e00000000, 0x0d71982900000000, 0xadb7922700000000,\n 0x5641816000000000, 0x5b5ab5a900000000, 0xa0aca6ee00000000,\n 0x1bd7a0b500000000, 0xe021b3f200000000, 0xed3a873b00000000,\n 0x16cc947c00000000, 0xb60a9e7200000000, 0x4dfc8d3500000000,\n 0x40e7b9fc00000000, 0xbb11aabb00000000, 0x77c29c5000000000,\n 0x8c348f1700000000, 0x812fbbde00000000, 0x7ad9a89900000000,\n 0xda1fa29700000000, 0x21e9b1d000000000, 0x2cf2851900000000,\n 0xd704965e00000000, 0x6c7f900500000000, 0x9789834200000000,\n 0x9a92b78b00000000, 0x6164a4cc00000000, 0xc1a2aec200000000,\n 0x3a54bd8500000000, 0x374f894c00000000, 0xccb99a0b00000000,\n 0x41b885fa00000000, 0xba4e96bd00000000, 0xb755a27400000000,\n 0x4ca3b13300000000, 0xec65bb3d00000000, 0x1793a87a00000000,\n 0x1a889cb300000000, 0xe17e8ff400000000, 0x5a0589af00000000,\n 0xa1f39ae800000000, 0xace8ae2100000000, 0x571ebd6600000000,\n 0xf7d8b76800000000, 0x0c2ea42f00000000, 0x013590e600000000,\n 0xfac383a100000000, 0x5a30dfdf00000000, 0xa1c6cc9800000000,\n 0xacddf85100000000, 0x572beb1600000000, 0xf7ede11800000000,\n 0x0c1bf25f00000000, 0x0100c69600000000, 0xfaf6d5d100000000,\n 0x418dd38a00000000, 0xba7bc0cd00000000, 0xb760f40400000000,\n 0x4c96e74300000000, 0xec50ed4d00000000, 0x17a6fe0a00000000,\n 0x1abdcac300000000, 0xe14bd98400000000, 0x6c4ac67500000000,\n 0x97bcd53200000000, 0x9aa7e1fb00000000, 0x6151f2bc00000000,\n 0xc197f8b200000000, 0x3a61ebf500000000, 0x377adf3c00000000,\n 0xcc8ccc7b00000000, 0x77f7ca2000000000, 0x8c01d96700000000,\n 0x811aedae00000000, 0x7aecfee900000000, 0xda2af4e700000000,\n 0x21dce7a000000000, 0x2cc7d36900000000, 0xd731c02e00000000,\n 0x6c206a9500000000, 0x97d679d200000000, 0x9acd4d1b00000000,\n 0x613b5e5c00000000, 0xc1fd545200000000, 0x3a0b471500000000,\n 0x371073dc00000000, 0xcce6609b00000000, 0x779d66c000000000,\n 0x8c6b758700000000, 0x8170414e00000000, 0x7a86520900000000,\n 0xda40580700000000, 0x21b64b4000000000, 0x2cad7f8900000000,\n 0xd75b6cce00000000, 0x5a5a733f00000000, 0xa1ac607800000000,\n 0xacb754b100000000, 0x574147f600000000, 0xf7874df800000000,\n 0x0c715ebf00000000, 0x016a6a7600000000, 0xfa9c793100000000,\n 0x41e77f6a00000000, 0xba116c2d00000000, 0xb70a58e400000000,\n 0x4cfc4ba300000000, 0xec3a41ad00000000, 0x17cc52ea00000000,\n 0x1ad7662300000000, 0xe121756400000000, 0x41d2291a00000000,\n 0xba243a5d00000000, 0xb73f0e9400000000, 0x4cc91dd300000000,\n 0xec0f17dd00000000, 0x17f9049a00000000, 0x1ae2305300000000,\n 0xe114231400000000, 0x5a6f254f00000000, 0xa199360800000000,\n 0xac8202c100000000, 0x5774118600000000, 0xf7b21b8800000000,\n 0x0c4408cf00000000, 0x015f3c0600000000, 0xfaa92f4100000000,\n 0x77a830b000000000, 0x8c5e23f700000000, 0x8145173e00000000,\n 0x7ab3047900000000, 0xda750e7700000000, 0x21831d3000000000,\n 0x2c9829f900000000, 0xd76e3abe00000000, 0x6c153ce500000000,\n 0x97e32fa200000000, 0x9af81b6b00000000, 0x610e082c00000000,\n 0xc1c8022200000000, 0x3a3e116500000000, 0x372525ac00000000,\n 0xccd336eb00000000},\n {0x0000000000000000, 0x6238282a00000000, 0xc470505400000000,\n 0xa648787e00000000, 0x88e1a0a800000000, 0xead9888200000000,\n 0x4c91f0fc00000000, 0x2ea9d8d600000000, 0x51c5308a00000000,\n 0x33fd18a000000000, 0x95b560de00000000, 0xf78d48f400000000,\n 0xd924902200000000, 0xbb1cb80800000000, 0x1d54c07600000000,\n 0x7f6ce85c00000000, 0xe38c10cf00000000, 0x81b438e500000000,\n 0x27fc409b00000000, 0x45c468b100000000, 0x6b6db06700000000,\n 0x0955984d00000000, 0xaf1de03300000000, 0xcd25c81900000000,\n 0xb249204500000000, 0xd071086f00000000, 0x7639701100000000,\n 0x1401583b00000000, 0x3aa880ed00000000, 0x5890a8c700000000,\n 0xfed8d0b900000000, 0x9ce0f89300000000, 0x871f504500000000,\n 0xe527786f00000000, 0x436f001100000000, 0x2157283b00000000,\n 0x0ffef0ed00000000, 0x6dc6d8c700000000, 0xcb8ea0b900000000,\n 0xa9b6889300000000, 0xd6da60cf00000000, 0xb4e248e500000000,\n 0x12aa309b00000000, 0x709218b100000000, 0x5e3bc06700000000,\n 0x3c03e84d00000000, 0x9a4b903300000000, 0xf873b81900000000,\n 0x6493408a00000000, 0x06ab68a000000000, 0xa0e310de00000000,\n 0xc2db38f400000000, 0xec72e02200000000, 0x8e4ac80800000000,\n 0x2802b07600000000, 0x4a3a985c00000000, 0x3556700000000000,\n 0x576e582a00000000, 0xf126205400000000, 0x931e087e00000000,\n 0xbdb7d0a800000000, 0xdf8ff88200000000, 0x79c780fc00000000,\n 0x1bffa8d600000000, 0x0e3fa08a00000000, 0x6c0788a000000000,\n 0xca4ff0de00000000, 0xa877d8f400000000, 0x86de002200000000,\n 0xe4e6280800000000, 0x42ae507600000000, 0x2096785c00000000,\n 0x5ffa900000000000, 0x3dc2b82a00000000, 0x9b8ac05400000000,\n 0xf9b2e87e00000000, 0xd71b30a800000000, 0xb523188200000000,\n 0x136b60fc00000000, 0x715348d600000000, 0xedb3b04500000000,\n 0x8f8b986f00000000, 0x29c3e01100000000, 0x4bfbc83b00000000,\n 0x655210ed00000000, 0x076a38c700000000, 0xa12240b900000000,\n 0xc31a689300000000, 0xbc7680cf00000000, 0xde4ea8e500000000,\n 0x7806d09b00000000, 0x1a3ef8b100000000, 0x3497206700000000,\n 0x56af084d00000000, 0xf0e7703300000000, 0x92df581900000000,\n 0x8920f0cf00000000, 0xeb18d8e500000000, 0x4d50a09b00000000,\n 0x2f6888b100000000, 0x01c1506700000000, 0x63f9784d00000000,\n 0xc5b1003300000000, 0xa789281900000000, 0xd8e5c04500000000,\n 0xbadde86f00000000, 0x1c95901100000000, 0x7eadb83b00000000,\n 0x500460ed00000000, 0x323c48c700000000, 0x947430b900000000,\n 0xf64c189300000000, 0x6aace00000000000, 0x0894c82a00000000,\n 0xaedcb05400000000, 0xcce4987e00000000, 0xe24d40a800000000,\n 0x8075688200000000, 0x263d10fc00000000, 0x440538d600000000,\n 0x3b69d08a00000000, 0x5951f8a000000000, 0xff1980de00000000,\n 0x9d21a8f400000000, 0xb388702200000000, 0xd1b0580800000000,\n 0x77f8207600000000, 0x15c0085c00000000, 0x5d7831ce00000000,\n 0x3f4019e400000000, 0x9908619a00000000, 0xfb3049b000000000,\n 0xd599916600000000, 0xb7a1b94c00000000, 0x11e9c13200000000,\n 0x73d1e91800000000, 0x0cbd014400000000, 0x6e85296e00000000,\n 0xc8cd511000000000, 0xaaf5793a00000000, 0x845ca1ec00000000,\n 0xe66489c600000000, 0x402cf1b800000000, 0x2214d99200000000,\n 0xbef4210100000000, 0xdccc092b00000000, 0x7a84715500000000,\n 0x18bc597f00000000, 0x361581a900000000, 0x542da98300000000,\n 0xf265d1fd00000000, 0x905df9d700000000, 0xef31118b00000000,\n 0x8d0939a100000000, 0x2b4141df00000000, 0x497969f500000000,\n 0x67d0b12300000000, 0x05e8990900000000, 0xa3a0e17700000000,\n 0xc198c95d00000000, 0xda67618b00000000, 0xb85f49a100000000,\n 0x1e1731df00000000, 0x7c2f19f500000000, 0x5286c12300000000,\n 0x30bee90900000000, 0x96f6917700000000, 0xf4ceb95d00000000,\n 0x8ba2510100000000, 0xe99a792b00000000, 0x4fd2015500000000,\n 0x2dea297f00000000, 0x0343f1a900000000, 0x617bd98300000000,\n 0xc733a1fd00000000, 0xa50b89d700000000, 0x39eb714400000000,\n 0x5bd3596e00000000, 0xfd9b211000000000, 0x9fa3093a00000000,\n 0xb10ad1ec00000000, 0xd332f9c600000000, 0x757a81b800000000,\n 0x1742a99200000000, 0x682e41ce00000000, 0x0a1669e400000000,\n 0xac5e119a00000000, 0xce6639b000000000, 0xe0cfe16600000000,\n 0x82f7c94c00000000, 0x24bfb13200000000, 0x4687991800000000,\n 0x5347914400000000, 0x317fb96e00000000, 0x9737c11000000000,\n 0xf50fe93a00000000, 0xdba631ec00000000, 0xb99e19c600000000,\n 0x1fd661b800000000, 0x7dee499200000000, 0x0282a1ce00000000,\n 0x60ba89e400000000, 0xc6f2f19a00000000, 0xa4cad9b000000000,\n 0x8a63016600000000, 0xe85b294c00000000, 0x4e13513200000000,\n 0x2c2b791800000000, 0xb0cb818b00000000, 0xd2f3a9a100000000,\n 0x74bbd1df00000000, 0x1683f9f500000000, 0x382a212300000000,\n 0x5a12090900000000, 0xfc5a717700000000, 0x9e62595d00000000,\n 0xe10eb10100000000, 0x8336992b00000000, 0x257ee15500000000,\n 0x4746c97f00000000, 0x69ef11a900000000, 0x0bd7398300000000,\n 0xad9f41fd00000000, 0xcfa769d700000000, 0xd458c10100000000,\n 0xb660e92b00000000, 0x1028915500000000, 0x7210b97f00000000,\n 0x5cb961a900000000, 0x3e81498300000000, 0x98c931fd00000000,\n 0xfaf119d700000000, 0x859df18b00000000, 0xe7a5d9a100000000,\n 0x41eda1df00000000, 0x23d589f500000000, 0x0d7c512300000000,\n 0x6f44790900000000, 0xc90c017700000000, 0xab34295d00000000,\n 0x37d4d1ce00000000, 0x55ecf9e400000000, 0xf3a4819a00000000,\n 0x919ca9b000000000, 0xbf35716600000000, 0xdd0d594c00000000,\n 0x7b45213200000000, 0x197d091800000000, 0x6611e14400000000,\n 0x0429c96e00000000, 0xa261b11000000000, 0xc059993a00000000,\n 0xeef041ec00000000, 0x8cc869c600000000, 0x2a8011b800000000,\n 0x48b8399200000000},\n {0x0000000000000000, 0x4c2896a300000000, 0xd9565d9c00000000,\n 0x957ecb3f00000000, 0xf3abcbe300000000, 0xbf835d4000000000,\n 0x2afd967f00000000, 0x66d500dc00000000, 0xa751e61c00000000,\n 0xeb7970bf00000000, 0x7e07bb8000000000, 0x322f2d2300000000,\n 0x54fa2dff00000000, 0x18d2bb5c00000000, 0x8dac706300000000,\n 0xc184e6c000000000, 0x4ea3cc3900000000, 0x028b5a9a00000000,\n 0x97f591a500000000, 0xdbdd070600000000, 0xbd0807da00000000,\n 0xf120917900000000, 0x645e5a4600000000, 0x2876cce500000000,\n 0xe9f22a2500000000, 0xa5dabc8600000000, 0x30a477b900000000,\n 0x7c8ce11a00000000, 0x1a59e1c600000000, 0x5671776500000000,\n 0xc30fbc5a00000000, 0x8f272af900000000, 0x9c46997300000000,\n 0xd06e0fd000000000, 0x4510c4ef00000000, 0x0938524c00000000,\n 0x6fed529000000000, 0x23c5c43300000000, 0xb6bb0f0c00000000,\n 0xfa9399af00000000, 0x3b177f6f00000000, 0x773fe9cc00000000,\n 0xe24122f300000000, 0xae69b45000000000, 0xc8bcb48c00000000,\n 0x8494222f00000000, 0x11eae91000000000, 0x5dc27fb300000000,\n 0xd2e5554a00000000, 0x9ecdc3e900000000, 0x0bb308d600000000,\n 0x479b9e7500000000, 0x214e9ea900000000, 0x6d66080a00000000,\n 0xf818c33500000000, 0xb430559600000000, 0x75b4b35600000000,\n 0x399c25f500000000, 0xace2eeca00000000, 0xe0ca786900000000,\n 0x861f78b500000000, 0xca37ee1600000000, 0x5f49252900000000,\n 0x1361b38a00000000, 0x388d32e700000000, 0x74a5a44400000000,\n 0xe1db6f7b00000000, 0xadf3f9d800000000, 0xcb26f90400000000,\n 0x870e6fa700000000, 0x1270a49800000000, 0x5e58323b00000000,\n 0x9fdcd4fb00000000, 0xd3f4425800000000, 0x468a896700000000,\n 0x0aa21fc400000000, 0x6c771f1800000000, 0x205f89bb00000000,\n 0xb521428400000000, 0xf909d42700000000, 0x762efede00000000,\n 0x3a06687d00000000, 0xaf78a34200000000, 0xe35035e100000000,\n 0x8585353d00000000, 0xc9ada39e00000000, 0x5cd368a100000000,\n 0x10fbfe0200000000, 0xd17f18c200000000, 0x9d578e6100000000,\n 0x0829455e00000000, 0x4401d3fd00000000, 0x22d4d32100000000,\n 0x6efc458200000000, 0xfb828ebd00000000, 0xb7aa181e00000000,\n 0xa4cbab9400000000, 0xe8e33d3700000000, 0x7d9df60800000000,\n 0x31b560ab00000000, 0x5760607700000000, 0x1b48f6d400000000,\n 0x8e363deb00000000, 0xc21eab4800000000, 0x039a4d8800000000,\n 0x4fb2db2b00000000, 0xdacc101400000000, 0x96e486b700000000,\n 0xf031866b00000000, 0xbc1910c800000000, 0x2967dbf700000000,\n 0x654f4d5400000000, 0xea6867ad00000000, 0xa640f10e00000000,\n 0x333e3a3100000000, 0x7f16ac9200000000, 0x19c3ac4e00000000,\n 0x55eb3aed00000000, 0xc095f1d200000000, 0x8cbd677100000000,\n 0x4d3981b100000000, 0x0111171200000000, 0x946fdc2d00000000,\n 0xd8474a8e00000000, 0xbe924a5200000000, 0xf2badcf100000000,\n 0x67c417ce00000000, 0x2bec816d00000000, 0x311c141500000000,\n 0x7d3482b600000000, 0xe84a498900000000, 0xa462df2a00000000,\n 0xc2b7dff600000000, 0x8e9f495500000000, 0x1be1826a00000000,\n 0x57c914c900000000, 0x964df20900000000, 0xda6564aa00000000,\n 0x4f1baf9500000000, 0x0333393600000000, 0x65e639ea00000000,\n 0x29ceaf4900000000, 0xbcb0647600000000, 0xf098f2d500000000,\n 0x7fbfd82c00000000, 0x33974e8f00000000, 0xa6e985b000000000,\n 0xeac1131300000000, 0x8c1413cf00000000, 0xc03c856c00000000,\n 0x55424e5300000000, 0x196ad8f000000000, 0xd8ee3e3000000000,\n 0x94c6a89300000000, 0x01b863ac00000000, 0x4d90f50f00000000,\n 0x2b45f5d300000000, 0x676d637000000000, 0xf213a84f00000000,\n 0xbe3b3eec00000000, 0xad5a8d6600000000, 0xe1721bc500000000,\n 0x740cd0fa00000000, 0x3824465900000000, 0x5ef1468500000000,\n 0x12d9d02600000000, 0x87a71b1900000000, 0xcb8f8dba00000000,\n 0x0a0b6b7a00000000, 0x4623fdd900000000, 0xd35d36e600000000,\n 0x9f75a04500000000, 0xf9a0a09900000000, 0xb588363a00000000,\n 0x20f6fd0500000000, 0x6cde6ba600000000, 0xe3f9415f00000000,\n 0xafd1d7fc00000000, 0x3aaf1cc300000000, 0x76878a6000000000,\n 0x10528abc00000000, 0x5c7a1c1f00000000, 0xc904d72000000000,\n 0x852c418300000000, 0x44a8a74300000000, 0x088031e000000000,\n 0x9dfefadf00000000, 0xd1d66c7c00000000, 0xb7036ca000000000,\n 0xfb2bfa0300000000, 0x6e55313c00000000, 0x227da79f00000000,\n 0x099126f200000000, 0x45b9b05100000000, 0xd0c77b6e00000000,\n 0x9cefedcd00000000, 0xfa3aed1100000000, 0xb6127bb200000000,\n 0x236cb08d00000000, 0x6f44262e00000000, 0xaec0c0ee00000000,\n 0xe2e8564d00000000, 0x77969d7200000000, 0x3bbe0bd100000000,\n 0x5d6b0b0d00000000, 0x11439dae00000000, 0x843d569100000000,\n 0xc815c03200000000, 0x4732eacb00000000, 0x0b1a7c6800000000,\n 0x9e64b75700000000, 0xd24c21f400000000, 0xb499212800000000,\n 0xf8b1b78b00000000, 0x6dcf7cb400000000, 0x21e7ea1700000000,\n 0xe0630cd700000000, 0xac4b9a7400000000, 0x3935514b00000000,\n 0x751dc7e800000000, 0x13c8c73400000000, 0x5fe0519700000000,\n 0xca9e9aa800000000, 0x86b60c0b00000000, 0x95d7bf8100000000,\n 0xd9ff292200000000, 0x4c81e21d00000000, 0x00a974be00000000,\n 0x667c746200000000, 0x2a54e2c100000000, 0xbf2a29fe00000000,\n 0xf302bf5d00000000, 0x3286599d00000000, 0x7eaecf3e00000000,\n 0xebd0040100000000, 0xa7f892a200000000, 0xc12d927e00000000,\n 0x8d0504dd00000000, 0x187bcfe200000000, 0x5453594100000000,\n 0xdb7473b800000000, 0x975ce51b00000000, 0x02222e2400000000,\n 0x4e0ab88700000000, 0x28dfb85b00000000, 0x64f72ef800000000,\n 0xf189e5c700000000, 0xbda1736400000000, 0x7c2595a400000000,\n 0x300d030700000000, 0xa573c83800000000, 0xe95b5e9b00000000,\n 0x8f8e5e4700000000, 0xc3a6c8e400000000, 0x56d803db00000000,\n 0x1af0957800000000},\n {0x0000000000000000, 0x939bc97f00000000, 0x263793ff00000000,\n 0xb5ac5a8000000000, 0x0d68572400000000, 0x9ef39e5b00000000,\n 0x2b5fc4db00000000, 0xb8c40da400000000, 0x1ad0ae4800000000,\n 0x894b673700000000, 0x3ce73db700000000, 0xaf7cf4c800000000,\n 0x17b8f96c00000000, 0x8423301300000000, 0x318f6a9300000000,\n 0xa214a3ec00000000, 0x34a05d9100000000, 0xa73b94ee00000000,\n 0x1297ce6e00000000, 0x810c071100000000, 0x39c80ab500000000,\n 0xaa53c3ca00000000, 0x1fff994a00000000, 0x8c64503500000000,\n 0x2e70f3d900000000, 0xbdeb3aa600000000, 0x0847602600000000,\n 0x9bdca95900000000, 0x2318a4fd00000000, 0xb0836d8200000000,\n 0x052f370200000000, 0x96b4fe7d00000000, 0x2946caf900000000,\n 0xbadd038600000000, 0x0f71590600000000, 0x9cea907900000000,\n 0x242e9ddd00000000, 0xb7b554a200000000, 0x02190e2200000000,\n 0x9182c75d00000000, 0x339664b100000000, 0xa00dadce00000000,\n 0x15a1f74e00000000, 0x863a3e3100000000, 0x3efe339500000000,\n 0xad65faea00000000, 0x18c9a06a00000000, 0x8b52691500000000,\n 0x1de6976800000000, 0x8e7d5e1700000000, 0x3bd1049700000000,\n 0xa84acde800000000, 0x108ec04c00000000, 0x8315093300000000,\n 0x36b953b300000000, 0xa5229acc00000000, 0x0736392000000000,\n 0x94adf05f00000000, 0x2101aadf00000000, 0xb29a63a000000000,\n 0x0a5e6e0400000000, 0x99c5a77b00000000, 0x2c69fdfb00000000,\n 0xbff2348400000000, 0x138ae52800000000, 0x80112c5700000000,\n 0x35bd76d700000000, 0xa626bfa800000000, 0x1ee2b20c00000000,\n 0x8d797b7300000000, 0x38d521f300000000, 0xab4ee88c00000000,\n 0x095a4b6000000000, 0x9ac1821f00000000, 0x2f6dd89f00000000,\n 0xbcf611e000000000, 0x04321c4400000000, 0x97a9d53b00000000,\n 0x22058fbb00000000, 0xb19e46c400000000, 0x272ab8b900000000,\n 0xb4b171c600000000, 0x011d2b4600000000, 0x9286e23900000000,\n 0x2a42ef9d00000000, 0xb9d926e200000000, 0x0c757c6200000000,\n 0x9feeb51d00000000, 0x3dfa16f100000000, 0xae61df8e00000000,\n 0x1bcd850e00000000, 0x88564c7100000000, 0x309241d500000000,\n 0xa30988aa00000000, 0x16a5d22a00000000, 0x853e1b5500000000,\n 0x3acc2fd100000000, 0xa957e6ae00000000, 0x1cfbbc2e00000000,\n 0x8f60755100000000, 0x37a478f500000000, 0xa43fb18a00000000,\n 0x1193eb0a00000000, 0x8208227500000000, 0x201c819900000000,\n 0xb38748e600000000, 0x062b126600000000, 0x95b0db1900000000,\n 0x2d74d6bd00000000, 0xbeef1fc200000000, 0x0b43454200000000,\n 0x98d88c3d00000000, 0x0e6c724000000000, 0x9df7bb3f00000000,\n 0x285be1bf00000000, 0xbbc028c000000000, 0x0304256400000000,\n 0x909fec1b00000000, 0x2533b69b00000000, 0xb6a87fe400000000,\n 0x14bcdc0800000000, 0x8727157700000000, 0x328b4ff700000000,\n 0xa110868800000000, 0x19d48b2c00000000, 0x8a4f425300000000,\n 0x3fe318d300000000, 0xac78d1ac00000000, 0x2614cb5100000000,\n 0xb58f022e00000000, 0x002358ae00000000, 0x93b891d100000000,\n 0x2b7c9c7500000000, 0xb8e7550a00000000, 0x0d4b0f8a00000000,\n 0x9ed0c6f500000000, 0x3cc4651900000000, 0xaf5fac6600000000,\n 0x1af3f6e600000000, 0x89683f9900000000, 0x31ac323d00000000,\n 0xa237fb4200000000, 0x179ba1c200000000, 0x840068bd00000000,\n 0x12b496c000000000, 0x812f5fbf00000000, 0x3483053f00000000,\n 0xa718cc4000000000, 0x1fdcc1e400000000, 0x8c47089b00000000,\n 0x39eb521b00000000, 0xaa709b6400000000, 0x0864388800000000,\n 0x9bfff1f700000000, 0x2e53ab7700000000, 0xbdc8620800000000,\n 0x050c6fac00000000, 0x9697a6d300000000, 0x233bfc5300000000,\n 0xb0a0352c00000000, 0x0f5201a800000000, 0x9cc9c8d700000000,\n 0x2965925700000000, 0xbafe5b2800000000, 0x023a568c00000000,\n 0x91a19ff300000000, 0x240dc57300000000, 0xb7960c0c00000000,\n 0x1582afe000000000, 0x8619669f00000000, 0x33b53c1f00000000,\n 0xa02ef56000000000, 0x18eaf8c400000000, 0x8b7131bb00000000,\n 0x3edd6b3b00000000, 0xad46a24400000000, 0x3bf25c3900000000,\n 0xa869954600000000, 0x1dc5cfc600000000, 0x8e5e06b900000000,\n 0x369a0b1d00000000, 0xa501c26200000000, 0x10ad98e200000000,\n 0x8336519d00000000, 0x2122f27100000000, 0xb2b93b0e00000000,\n 0x0715618e00000000, 0x948ea8f100000000, 0x2c4aa55500000000,\n 0xbfd16c2a00000000, 0x0a7d36aa00000000, 0x99e6ffd500000000,\n 0x359e2e7900000000, 0xa605e70600000000, 0x13a9bd8600000000,\n 0x803274f900000000, 0x38f6795d00000000, 0xab6db02200000000,\n 0x1ec1eaa200000000, 0x8d5a23dd00000000, 0x2f4e803100000000,\n 0xbcd5494e00000000, 0x097913ce00000000, 0x9ae2dab100000000,\n 0x2226d71500000000, 0xb1bd1e6a00000000, 0x041144ea00000000,\n 0x978a8d9500000000, 0x013e73e800000000, 0x92a5ba9700000000,\n 0x2709e01700000000, 0xb492296800000000, 0x0c5624cc00000000,\n 0x9fcdedb300000000, 0x2a61b73300000000, 0xb9fa7e4c00000000,\n 0x1beedda000000000, 0x887514df00000000, 0x3dd94e5f00000000,\n 0xae42872000000000, 0x16868a8400000000, 0x851d43fb00000000,\n 0x30b1197b00000000, 0xa32ad00400000000, 0x1cd8e48000000000,\n 0x8f432dff00000000, 0x3aef777f00000000, 0xa974be0000000000,\n 0x11b0b3a400000000, 0x822b7adb00000000, 0x3787205b00000000,\n 0xa41ce92400000000, 0x06084ac800000000, 0x959383b700000000,\n 0x203fd93700000000, 0xb3a4104800000000, 0x0b601dec00000000,\n 0x98fbd49300000000, 0x2d578e1300000000, 0xbecc476c00000000,\n 0x2878b91100000000, 0xbbe3706e00000000, 0x0e4f2aee00000000,\n 0x9dd4e39100000000, 0x2510ee3500000000, 0xb68b274a00000000,\n 0x03277dca00000000, 0x90bcb4b500000000, 0x32a8175900000000,\n 0xa133de2600000000, 0x149f84a600000000, 0x87044dd900000000,\n 0x3fc0407d00000000, 0xac5b890200000000, 0x19f7d38200000000,\n 0x8a6c1afd00000000},\n {0x0000000000000000, 0x650b796900000000, 0xca16f2d200000000,\n 0xaf1d8bbb00000000, 0xd52b957e00000000, 0xb020ec1700000000,\n 0x1f3d67ac00000000, 0x7a361ec500000000, 0xaa572afd00000000,\n 0xcf5c539400000000, 0x6041d82f00000000, 0x054aa14600000000,\n 0x7f7cbf8300000000, 0x1a77c6ea00000000, 0xb56a4d5100000000,\n 0xd061343800000000, 0x15a9252100000000, 0x70a25c4800000000,\n 0xdfbfd7f300000000, 0xbab4ae9a00000000, 0xc082b05f00000000,\n 0xa589c93600000000, 0x0a94428d00000000, 0x6f9f3be400000000,\n 0xbffe0fdc00000000, 0xdaf576b500000000, 0x75e8fd0e00000000,\n 0x10e3846700000000, 0x6ad59aa200000000, 0x0fdee3cb00000000,\n 0xa0c3687000000000, 0xc5c8111900000000, 0x2a524b4200000000,\n 0x4f59322b00000000, 0xe044b99000000000, 0x854fc0f900000000,\n 0xff79de3c00000000, 0x9a72a75500000000, 0x356f2cee00000000,\n 0x5064558700000000, 0x800561bf00000000, 0xe50e18d600000000,\n 0x4a13936d00000000, 0x2f18ea0400000000, 0x552ef4c100000000,\n 0x30258da800000000, 0x9f38061300000000, 0xfa337f7a00000000,\n 0x3ffb6e6300000000, 0x5af0170a00000000, 0xf5ed9cb100000000,\n 0x90e6e5d800000000, 0xead0fb1d00000000, 0x8fdb827400000000,\n 0x20c609cf00000000, 0x45cd70a600000000, 0x95ac449e00000000,\n 0xf0a73df700000000, 0x5fbab64c00000000, 0x3ab1cf2500000000,\n 0x4087d1e000000000, 0x258ca88900000000, 0x8a91233200000000,\n 0xef9a5a5b00000000, 0x54a4968400000000, 0x31afefed00000000,\n 0x9eb2645600000000, 0xfbb91d3f00000000, 0x818f03fa00000000,\n 0xe4847a9300000000, 0x4b99f12800000000, 0x2e92884100000000,\n 0xfef3bc7900000000, 0x9bf8c51000000000, 0x34e54eab00000000,\n 0x51ee37c200000000, 0x2bd8290700000000, 0x4ed3506e00000000,\n 0xe1cedbd500000000, 0x84c5a2bc00000000, 0x410db3a500000000,\n 0x2406cacc00000000, 0x8b1b417700000000, 0xee10381e00000000,\n 0x942626db00000000, 0xf12d5fb200000000, 0x5e30d40900000000,\n 0x3b3bad6000000000, 0xeb5a995800000000, 0x8e51e03100000000,\n 0x214c6b8a00000000, 0x444712e300000000, 0x3e710c2600000000,\n 0x5b7a754f00000000, 0xf467fef400000000, 0x916c879d00000000,\n 0x7ef6ddc600000000, 0x1bfda4af00000000, 0xb4e02f1400000000,\n 0xd1eb567d00000000, 0xabdd48b800000000, 0xced631d100000000,\n 0x61cbba6a00000000, 0x04c0c30300000000, 0xd4a1f73b00000000,\n 0xb1aa8e5200000000, 0x1eb705e900000000, 0x7bbc7c8000000000,\n 0x018a624500000000, 0x64811b2c00000000, 0xcb9c909700000000,\n 0xae97e9fe00000000, 0x6b5ff8e700000000, 0x0e54818e00000000,\n 0xa1490a3500000000, 0xc442735c00000000, 0xbe746d9900000000,\n 0xdb7f14f000000000, 0x74629f4b00000000, 0x1169e62200000000,\n 0xc108d21a00000000, 0xa403ab7300000000, 0x0b1e20c800000000,\n 0x6e1559a100000000, 0x1423476400000000, 0x71283e0d00000000,\n 0xde35b5b600000000, 0xbb3eccdf00000000, 0xe94e5cd200000000,\n 0x8c4525bb00000000, 0x2358ae0000000000, 0x4653d76900000000,\n 0x3c65c9ac00000000, 0x596eb0c500000000, 0xf6733b7e00000000,\n 0x9378421700000000, 0x4319762f00000000, 0x26120f4600000000,\n 0x890f84fd00000000, 0xec04fd9400000000, 0x9632e35100000000,\n 0xf3399a3800000000, 0x5c24118300000000, 0x392f68ea00000000,\n 0xfce779f300000000, 0x99ec009a00000000, 0x36f18b2100000000,\n 0x53faf24800000000, 0x29ccec8d00000000, 0x4cc795e400000000,\n 0xe3da1e5f00000000, 0x86d1673600000000, 0x56b0530e00000000,\n 0x33bb2a6700000000, 0x9ca6a1dc00000000, 0xf9add8b500000000,\n 0x839bc67000000000, 0xe690bf1900000000, 0x498d34a200000000,\n 0x2c864dcb00000000, 0xc31c179000000000, 0xa6176ef900000000,\n 0x090ae54200000000, 0x6c019c2b00000000, 0x163782ee00000000,\n 0x733cfb8700000000, 0xdc21703c00000000, 0xb92a095500000000,\n 0x694b3d6d00000000, 0x0c40440400000000, 0xa35dcfbf00000000,\n 0xc656b6d600000000, 0xbc60a81300000000, 0xd96bd17a00000000,\n 0x76765ac100000000, 0x137d23a800000000, 0xd6b532b100000000,\n 0xb3be4bd800000000, 0x1ca3c06300000000, 0x79a8b90a00000000,\n 0x039ea7cf00000000, 0x6695dea600000000, 0xc988551d00000000,\n 0xac832c7400000000, 0x7ce2184c00000000, 0x19e9612500000000,\n 0xb6f4ea9e00000000, 0xd3ff93f700000000, 0xa9c98d3200000000,\n 0xccc2f45b00000000, 0x63df7fe000000000, 0x06d4068900000000,\n 0xbdeaca5600000000, 0xd8e1b33f00000000, 0x77fc388400000000,\n 0x12f741ed00000000, 0x68c15f2800000000, 0x0dca264100000000,\n 0xa2d7adfa00000000, 0xc7dcd49300000000, 0x17bde0ab00000000,\n 0x72b699c200000000, 0xddab127900000000, 0xb8a06b1000000000,\n 0xc29675d500000000, 0xa79d0cbc00000000, 0x0880870700000000,\n 0x6d8bfe6e00000000, 0xa843ef7700000000, 0xcd48961e00000000,\n 0x62551da500000000, 0x075e64cc00000000, 0x7d687a0900000000,\n 0x1863036000000000, 0xb77e88db00000000, 0xd275f1b200000000,\n 0x0214c58a00000000, 0x671fbce300000000, 0xc802375800000000,\n 0xad094e3100000000, 0xd73f50f400000000, 0xb234299d00000000,\n 0x1d29a22600000000, 0x7822db4f00000000, 0x97b8811400000000,\n 0xf2b3f87d00000000, 0x5dae73c600000000, 0x38a50aaf00000000,\n 0x4293146a00000000, 0x27986d0300000000, 0x8885e6b800000000,\n 0xed8e9fd100000000, 0x3defabe900000000, 0x58e4d28000000000,\n 0xf7f9593b00000000, 0x92f2205200000000, 0xe8c43e9700000000,\n 0x8dcf47fe00000000, 0x22d2cc4500000000, 0x47d9b52c00000000,\n 0x8211a43500000000, 0xe71add5c00000000, 0x480756e700000000,\n 0x2d0c2f8e00000000, 0x573a314b00000000, 0x3231482200000000,\n 0x9d2cc39900000000, 0xf827baf000000000, 0x28468ec800000000,\n 0x4d4df7a100000000, 0xe2507c1a00000000, 0x875b057300000000,\n 0xfd6d1bb600000000, 0x986662df00000000, 0x377be96400000000,\n 0x5270900d00000000},\n {0x0000000000000000, 0xdcecb13d00000000, 0xb8d9637b00000000,\n 0x6435d24600000000, 0x70b3c7f600000000, 0xac5f76cb00000000,\n 0xc86aa48d00000000, 0x148615b000000000, 0xa160fe3600000000,\n 0x7d8c4f0b00000000, 0x19b99d4d00000000, 0xc5552c7000000000,\n 0xd1d339c000000000, 0x0d3f88fd00000000, 0x690a5abb00000000,\n 0xb5e6eb8600000000, 0x42c1fc6d00000000, 0x9e2d4d5000000000,\n 0xfa189f1600000000, 0x26f42e2b00000000, 0x32723b9b00000000,\n 0xee9e8aa600000000, 0x8aab58e000000000, 0x5647e9dd00000000,\n 0xe3a1025b00000000, 0x3f4db36600000000, 0x5b78612000000000,\n 0x8794d01d00000000, 0x9312c5ad00000000, 0x4ffe749000000000,\n 0x2bcba6d600000000, 0xf72717eb00000000, 0x8482f9db00000000,\n 0x586e48e600000000, 0x3c5b9aa000000000, 0xe0b72b9d00000000,\n 0xf4313e2d00000000, 0x28dd8f1000000000, 0x4ce85d5600000000,\n 0x9004ec6b00000000, 0x25e207ed00000000, 0xf90eb6d000000000,\n 0x9d3b649600000000, 0x41d7d5ab00000000, 0x5551c01b00000000,\n 0x89bd712600000000, 0xed88a36000000000, 0x3164125d00000000,\n 0xc64305b600000000, 0x1aafb48b00000000, 0x7e9a66cd00000000,\n 0xa276d7f000000000, 0xb6f0c24000000000, 0x6a1c737d00000000,\n 0x0e29a13b00000000, 0xd2c5100600000000, 0x6723fb8000000000,\n 0xbbcf4abd00000000, 0xdffa98fb00000000, 0x031629c600000000,\n 0x17903c7600000000, 0xcb7c8d4b00000000, 0xaf495f0d00000000,\n 0x73a5ee3000000000, 0x4903826c00000000, 0x95ef335100000000,\n 0xf1dae11700000000, 0x2d36502a00000000, 0x39b0459a00000000,\n 0xe55cf4a700000000, 0x816926e100000000, 0x5d8597dc00000000,\n 0xe8637c5a00000000, 0x348fcd6700000000, 0x50ba1f2100000000,\n 0x8c56ae1c00000000, 0x98d0bbac00000000, 0x443c0a9100000000,\n 0x2009d8d700000000, 0xfce569ea00000000, 0x0bc27e0100000000,\n 0xd72ecf3c00000000, 0xb31b1d7a00000000, 0x6ff7ac4700000000,\n 0x7b71b9f700000000, 0xa79d08ca00000000, 0xc3a8da8c00000000,\n 0x1f446bb100000000, 0xaaa2803700000000, 0x764e310a00000000,\n 0x127be34c00000000, 0xce97527100000000, 0xda1147c100000000,\n 0x06fdf6fc00000000, 0x62c824ba00000000, 0xbe24958700000000,\n 0xcd817bb700000000, 0x116dca8a00000000, 0x755818cc00000000,\n 0xa9b4a9f100000000, 0xbd32bc4100000000, 0x61de0d7c00000000,\n 0x05ebdf3a00000000, 0xd9076e0700000000, 0x6ce1858100000000,\n 0xb00d34bc00000000, 0xd438e6fa00000000, 0x08d457c700000000,\n 0x1c52427700000000, 0xc0bef34a00000000, 0xa48b210c00000000,\n 0x7867903100000000, 0x8f4087da00000000, 0x53ac36e700000000,\n 0x3799e4a100000000, 0xeb75559c00000000, 0xfff3402c00000000,\n 0x231ff11100000000, 0x472a235700000000, 0x9bc6926a00000000,\n 0x2e2079ec00000000, 0xf2ccc8d100000000, 0x96f91a9700000000,\n 0x4a15abaa00000000, 0x5e93be1a00000000, 0x827f0f2700000000,\n 0xe64add6100000000, 0x3aa66c5c00000000, 0x920604d900000000,\n 0x4eeab5e400000000, 0x2adf67a200000000, 0xf633d69f00000000,\n 0xe2b5c32f00000000, 0x3e59721200000000, 0x5a6ca05400000000,\n 0x8680116900000000, 0x3366faef00000000, 0xef8a4bd200000000,\n 0x8bbf999400000000, 0x575328a900000000, 0x43d53d1900000000,\n 0x9f398c2400000000, 0xfb0c5e6200000000, 0x27e0ef5f00000000,\n 0xd0c7f8b400000000, 0x0c2b498900000000, 0x681e9bcf00000000,\n 0xb4f22af200000000, 0xa0743f4200000000, 0x7c988e7f00000000,\n 0x18ad5c3900000000, 0xc441ed0400000000, 0x71a7068200000000,\n 0xad4bb7bf00000000, 0xc97e65f900000000, 0x1592d4c400000000,\n 0x0114c17400000000, 0xddf8704900000000, 0xb9cda20f00000000,\n 0x6521133200000000, 0x1684fd0200000000, 0xca684c3f00000000,\n 0xae5d9e7900000000, 0x72b12f4400000000, 0x66373af400000000,\n 0xbadb8bc900000000, 0xdeee598f00000000, 0x0202e8b200000000,\n 0xb7e4033400000000, 0x6b08b20900000000, 0x0f3d604f00000000,\n 0xd3d1d17200000000, 0xc757c4c200000000, 0x1bbb75ff00000000,\n 0x7f8ea7b900000000, 0xa362168400000000, 0x5445016f00000000,\n 0x88a9b05200000000, 0xec9c621400000000, 0x3070d32900000000,\n 0x24f6c69900000000, 0xf81a77a400000000, 0x9c2fa5e200000000,\n 0x40c314df00000000, 0xf525ff5900000000, 0x29c94e6400000000,\n 0x4dfc9c2200000000, 0x91102d1f00000000, 0x859638af00000000,\n 0x597a899200000000, 0x3d4f5bd400000000, 0xe1a3eae900000000,\n 0xdb0586b500000000, 0x07e9378800000000, 0x63dce5ce00000000,\n 0xbf3054f300000000, 0xabb6414300000000, 0x775af07e00000000,\n 0x136f223800000000, 0xcf83930500000000, 0x7a65788300000000,\n 0xa689c9be00000000, 0xc2bc1bf800000000, 0x1e50aac500000000,\n 0x0ad6bf7500000000, 0xd63a0e4800000000, 0xb20fdc0e00000000,\n 0x6ee36d3300000000, 0x99c47ad800000000, 0x4528cbe500000000,\n 0x211d19a300000000, 0xfdf1a89e00000000, 0xe977bd2e00000000,\n 0x359b0c1300000000, 0x51aede5500000000, 0x8d426f6800000000,\n 0x38a484ee00000000, 0xe44835d300000000, 0x807de79500000000,\n 0x5c9156a800000000, 0x4817431800000000, 0x94fbf22500000000,\n 0xf0ce206300000000, 0x2c22915e00000000, 0x5f877f6e00000000,\n 0x836bce5300000000, 0xe75e1c1500000000, 0x3bb2ad2800000000,\n 0x2f34b89800000000, 0xf3d809a500000000, 0x97eddbe300000000,\n 0x4b016ade00000000, 0xfee7815800000000, 0x220b306500000000,\n 0x463ee22300000000, 0x9ad2531e00000000, 0x8e5446ae00000000,\n 0x52b8f79300000000, 0x368d25d500000000, 0xea6194e800000000,\n 0x1d46830300000000, 0xc1aa323e00000000, 0xa59fe07800000000,\n 0x7973514500000000, 0x6df544f500000000, 0xb119f5c800000000,\n 0xd52c278e00000000, 0x09c096b300000000, 0xbc267d3500000000,\n 0x60cacc0800000000, 0x04ff1e4e00000000, 0xd813af7300000000,\n 0xcc95bac300000000, 0x10790bfe00000000, 0x744cd9b800000000,\n 0xa8a0688500000000}};\n\n#else /* W == 4 */\n\nlocal const z_crc_t FAR crc_braid_table[][256] = {\n {0x00000000, 0x81256527, 0xd93bcc0f, 0x581ea928, 0x69069e5f,\n 0xe823fb78, 0xb03d5250, 0x31183777, 0xd20d3cbe, 0x53285999,\n 0x0b36f0b1, 0x8a139596, 0xbb0ba2e1, 0x3a2ec7c6, 0x62306eee,\n 0xe3150bc9, 0x7f6b7f3d, 0xfe4e1a1a, 0xa650b332, 0x2775d615,\n 0x166de162, 0x97488445, 0xcf562d6d, 0x4e73484a, 0xad664383,\n 0x2c4326a4, 0x745d8f8c, 0xf578eaab, 0xc460dddc, 0x4545b8fb,\n 0x1d5b11d3, 0x9c7e74f4, 0xfed6fe7a, 0x7ff39b5d, 0x27ed3275,\n 0xa6c85752, 0x97d06025, 0x16f50502, 0x4eebac2a, 0xcfcec90d,\n 0x2cdbc2c4, 0xadfea7e3, 0xf5e00ecb, 0x74c56bec, 0x45dd5c9b,\n 0xc4f839bc, 0x9ce69094, 0x1dc3f5b3, 0x81bd8147, 0x0098e460,\n 0x58864d48, 0xd9a3286f, 0xe8bb1f18, 0x699e7a3f, 0x3180d317,\n 0xb0a5b630, 0x53b0bdf9, 0xd295d8de, 0x8a8b71f6, 0x0bae14d1,\n 0x3ab623a6, 0xbb934681, 0xe38defa9, 0x62a88a8e, 0x26dcfab5,\n 0xa7f99f92, 0xffe736ba, 0x7ec2539d, 0x4fda64ea, 0xceff01cd,\n 0x96e1a8e5, 0x17c4cdc2, 0xf4d1c60b, 0x75f4a32c, 0x2dea0a04,\n 0xaccf6f23, 0x9dd75854, 0x1cf23d73, 0x44ec945b, 0xc5c9f17c,\n 0x59b78588, 0xd892e0af, 0x808c4987, 0x01a92ca0, 0x30b11bd7,\n 0xb1947ef0, 0xe98ad7d8, 0x68afb2ff, 0x8bbab936, 0x0a9fdc11,\n 0x52817539, 0xd3a4101e, 0xe2bc2769, 0x6399424e, 0x3b87eb66,\n 0xbaa28e41, 0xd80a04cf, 0x592f61e8, 0x0131c8c0, 0x8014ade7,\n 0xb10c9a90, 0x3029ffb7, 0x6837569f, 0xe91233b8, 0x0a073871,\n 0x8b225d56, 0xd33cf47e, 0x52199159, 0x6301a62e, 0xe224c309,\n 0xba3a6a21, 0x3b1f0f06, 0xa7617bf2, 0x26441ed5, 0x7e5ab7fd,\n 0xff7fd2da, 0xce67e5ad, 0x4f42808a, 0x175c29a2, 0x96794c85,\n 0x756c474c, 0xf449226b, 0xac578b43, 0x2d72ee64, 0x1c6ad913,\n 0x9d4fbc34, 0xc551151c, 0x4474703b, 0x4db9f56a, 0xcc9c904d,\n 0x94823965, 0x15a75c42, 0x24bf6b35, 0xa59a0e12, 0xfd84a73a,\n 0x7ca1c21d, 0x9fb4c9d4, 0x1e91acf3, 0x468f05db, 0xc7aa60fc,\n 0xf6b2578b, 0x779732ac, 0x2f899b84, 0xaeacfea3, 0x32d28a57,\n 0xb3f7ef70, 0xebe94658, 0x6acc237f, 0x5bd41408, 0xdaf1712f,\n 0x82efd807, 0x03cabd20, 0xe0dfb6e9, 0x61fad3ce, 0x39e47ae6,\n 0xb8c11fc1, 0x89d928b6, 0x08fc4d91, 0x50e2e4b9, 0xd1c7819e,\n 0xb36f0b10, 0x324a6e37, 0x6a54c71f, 0xeb71a238, 0xda69954f,\n 0x5b4cf068, 0x03525940, 0x82773c67, 0x616237ae, 0xe0475289,\n 0xb859fba1, 0x397c9e86, 0x0864a9f1, 0x8941ccd6, 0xd15f65fe,\n 0x507a00d9, 0xcc04742d, 0x4d21110a, 0x153fb822, 0x941add05,\n 0xa502ea72, 0x24278f55, 0x7c39267d, 0xfd1c435a, 0x1e094893,\n 0x9f2c2db4, 0xc732849c, 0x4617e1bb, 0x770fd6cc, 0xf62ab3eb,\n 0xae341ac3, 0x2f117fe4, 0x6b650fdf, 0xea406af8, 0xb25ec3d0,\n 0x337ba6f7, 0x02639180, 0x8346f4a7, 0xdb585d8f, 0x5a7d38a8,\n 0xb9683361, 0x384d5646, 0x6053ff6e, 0xe1769a49, 0xd06ead3e,\n 0x514bc819, 0x09556131, 0x88700416, 0x140e70e2, 0x952b15c5,\n 0xcd35bced, 0x4c10d9ca, 0x7d08eebd, 0xfc2d8b9a, 0xa43322b2,\n 0x25164795, 0xc6034c5c, 0x4726297b, 0x1f388053, 0x9e1de574,\n 0xaf05d203, 0x2e20b724, 0x763e1e0c, 0xf71b7b2b, 0x95b3f1a5,\n 0x14969482, 0x4c883daa, 0xcdad588d, 0xfcb56ffa, 0x7d900add,\n 0x258ea3f5, 0xa4abc6d2, 0x47becd1b, 0xc69ba83c, 0x9e850114,\n 0x1fa06433, 0x2eb85344, 0xaf9d3663, 0xf7839f4b, 0x76a6fa6c,\n 0xead88e98, 0x6bfdebbf, 0x33e34297, 0xb2c627b0, 0x83de10c7,\n 0x02fb75e0, 0x5ae5dcc8, 0xdbc0b9ef, 0x38d5b226, 0xb9f0d701,\n 0xe1ee7e29, 0x60cb1b0e, 0x51d32c79, 0xd0f6495e, 0x88e8e076,\n 0x09cd8551},\n {0x00000000, 0x9b73ead4, 0xed96d3e9, 0x76e5393d, 0x005ca193,\n 0x9b2f4b47, 0xedca727a, 0x76b998ae, 0x00b94326, 0x9bcaa9f2,\n 0xed2f90cf, 0x765c7a1b, 0x00e5e2b5, 0x9b960861, 0xed73315c,\n 0x7600db88, 0x0172864c, 0x9a016c98, 0xece455a5, 0x7797bf71,\n 0x012e27df, 0x9a5dcd0b, 0xecb8f436, 0x77cb1ee2, 0x01cbc56a,\n 0x9ab82fbe, 0xec5d1683, 0x772efc57, 0x019764f9, 0x9ae48e2d,\n 0xec01b710, 0x77725dc4, 0x02e50c98, 0x9996e64c, 0xef73df71,\n 0x740035a5, 0x02b9ad0b, 0x99ca47df, 0xef2f7ee2, 0x745c9436,\n 0x025c4fbe, 0x992fa56a, 0xefca9c57, 0x74b97683, 0x0200ee2d,\n 0x997304f9, 0xef963dc4, 0x74e5d710, 0x03978ad4, 0x98e46000,\n 0xee01593d, 0x7572b3e9, 0x03cb2b47, 0x98b8c193, 0xee5df8ae,\n 0x752e127a, 0x032ec9f2, 0x985d2326, 0xeeb81a1b, 0x75cbf0cf,\n 0x03726861, 0x980182b5, 0xeee4bb88, 0x7597515c, 0x05ca1930,\n 0x9eb9f3e4, 0xe85ccad9, 0x732f200d, 0x0596b8a3, 0x9ee55277,\n 0xe8006b4a, 0x7373819e, 0x05735a16, 0x9e00b0c2, 0xe8e589ff,\n 0x7396632b, 0x052ffb85, 0x9e5c1151, 0xe8b9286c, 0x73cac2b8,\n 0x04b89f7c, 0x9fcb75a8, 0xe92e4c95, 0x725da641, 0x04e43eef,\n 0x9f97d43b, 0xe972ed06, 0x720107d2, 0x0401dc5a, 0x9f72368e,\n 0xe9970fb3, 0x72e4e567, 0x045d7dc9, 0x9f2e971d, 0xe9cbae20,\n 0x72b844f4, 0x072f15a8, 0x9c5cff7c, 0xeab9c641, 0x71ca2c95,\n 0x0773b43b, 0x9c005eef, 0xeae567d2, 0x71968d06, 0x0796568e,\n 0x9ce5bc5a, 0xea008567, 0x71736fb3, 0x07caf71d, 0x9cb91dc9,\n 0xea5c24f4, 0x712fce20, 0x065d93e4, 0x9d2e7930, 0xebcb400d,\n 0x70b8aad9, 0x06013277, 0x9d72d8a3, 0xeb97e19e, 0x70e40b4a,\n 0x06e4d0c2, 0x9d973a16, 0xeb72032b, 0x7001e9ff, 0x06b87151,\n 0x9dcb9b85, 0xeb2ea2b8, 0x705d486c, 0x0b943260, 0x90e7d8b4,\n 0xe602e189, 0x7d710b5d, 0x0bc893f3, 0x90bb7927, 0xe65e401a,\n 0x7d2daace, 0x0b2d7146, 0x905e9b92, 0xe6bba2af, 0x7dc8487b,\n 0x0b71d0d5, 0x90023a01, 0xe6e7033c, 0x7d94e9e8, 0x0ae6b42c,\n 0x91955ef8, 0xe77067c5, 0x7c038d11, 0x0aba15bf, 0x91c9ff6b,\n 0xe72cc656, 0x7c5f2c82, 0x0a5ff70a, 0x912c1dde, 0xe7c924e3,\n 0x7cbace37, 0x0a035699, 0x9170bc4d, 0xe7958570, 0x7ce66fa4,\n 0x09713ef8, 0x9202d42c, 0xe4e7ed11, 0x7f9407c5, 0x092d9f6b,\n 0x925e75bf, 0xe4bb4c82, 0x7fc8a656, 0x09c87dde, 0x92bb970a,\n 0xe45eae37, 0x7f2d44e3, 0x0994dc4d, 0x92e73699, 0xe4020fa4,\n 0x7f71e570, 0x0803b8b4, 0x93705260, 0xe5956b5d, 0x7ee68189,\n 0x085f1927, 0x932cf3f3, 0xe5c9cace, 0x7eba201a, 0x08bafb92,\n 0x93c91146, 0xe52c287b, 0x7e5fc2af, 0x08e65a01, 0x9395b0d5,\n 0xe57089e8, 0x7e03633c, 0x0e5e2b50, 0x952dc184, 0xe3c8f8b9,\n 0x78bb126d, 0x0e028ac3, 0x95716017, 0xe394592a, 0x78e7b3fe,\n 0x0ee76876, 0x959482a2, 0xe371bb9f, 0x7802514b, 0x0ebbc9e5,\n 0x95c82331, 0xe32d1a0c, 0x785ef0d8, 0x0f2cad1c, 0x945f47c8,\n 0xe2ba7ef5, 0x79c99421, 0x0f700c8f, 0x9403e65b, 0xe2e6df66,\n 0x799535b2, 0x0f95ee3a, 0x94e604ee, 0xe2033dd3, 0x7970d707,\n 0x0fc94fa9, 0x94baa57d, 0xe25f9c40, 0x792c7694, 0x0cbb27c8,\n 0x97c8cd1c, 0xe12df421, 0x7a5e1ef5, 0x0ce7865b, 0x97946c8f,\n 0xe17155b2, 0x7a02bf66, 0x0c0264ee, 0x97718e3a, 0xe194b707,\n 0x7ae75dd3, 0x0c5ec57d, 0x972d2fa9, 0xe1c81694, 0x7abbfc40,\n 0x0dc9a184, 0x96ba4b50, 0xe05f726d, 0x7b2c98b9, 0x0d950017,\n 0x96e6eac3, 0xe003d3fe, 0x7b70392a, 0x0d70e2a2, 0x96030876,\n 0xe0e6314b, 0x7b95db9f, 0x0d2c4331, 0x965fa9e5, 0xe0ba90d8,\n 0x7bc97a0c},\n {0x00000000, 0x172864c0, 0x2e50c980, 0x3978ad40, 0x5ca19300,\n 0x4b89f7c0, 0x72f15a80, 0x65d93e40, 0xb9432600, 0xae6b42c0,\n 0x9713ef80, 0x803b8b40, 0xe5e2b500, 0xf2cad1c0, 0xcbb27c80,\n 0xdc9a1840, 0xa9f74a41, 0xbedf2e81, 0x87a783c1, 0x908fe701,\n 0xf556d941, 0xe27ebd81, 0xdb0610c1, 0xcc2e7401, 0x10b46c41,\n 0x079c0881, 0x3ee4a5c1, 0x29ccc101, 0x4c15ff41, 0x5b3d9b81,\n 0x624536c1, 0x756d5201, 0x889f92c3, 0x9fb7f603, 0xa6cf5b43,\n 0xb1e73f83, 0xd43e01c3, 0xc3166503, 0xfa6ec843, 0xed46ac83,\n 0x31dcb4c3, 0x26f4d003, 0x1f8c7d43, 0x08a41983, 0x6d7d27c3,\n 0x7a554303, 0x432dee43, 0x54058a83, 0x2168d882, 0x3640bc42,\n 0x0f381102, 0x181075c2, 0x7dc94b82, 0x6ae12f42, 0x53998202,\n 0x44b1e6c2, 0x982bfe82, 0x8f039a42, 0xb67b3702, 0xa15353c2,\n 0xc48a6d82, 0xd3a20942, 0xeadaa402, 0xfdf2c0c2, 0xca4e23c7,\n 0xdd664707, 0xe41eea47, 0xf3368e87, 0x96efb0c7, 0x81c7d407,\n 0xb8bf7947, 0xaf971d87, 0x730d05c7, 0x64256107, 0x5d5dcc47,\n 0x4a75a887, 0x2fac96c7, 0x3884f207, 0x01fc5f47, 0x16d43b87,\n 0x63b96986, 0x74910d46, 0x4de9a006, 0x5ac1c4c6, 0x3f18fa86,\n 0x28309e46, 0x11483306, 0x066057c6, 0xdafa4f86, 0xcdd22b46,\n 0xf4aa8606, 0xe382e2c6, 0x865bdc86, 0x9173b846, 0xa80b1506,\n 0xbf2371c6, 0x42d1b104, 0x55f9d5c4, 0x6c817884, 0x7ba91c44,\n 0x1e702204, 0x095846c4, 0x3020eb84, 0x27088f44, 0xfb929704,\n 0xecbaf3c4, 0xd5c25e84, 0xc2ea3a44, 0xa7330404, 0xb01b60c4,\n 0x8963cd84, 0x9e4ba944, 0xeb26fb45, 0xfc0e9f85, 0xc57632c5,\n 0xd25e5605, 0xb7876845, 0xa0af0c85, 0x99d7a1c5, 0x8effc505,\n 0x5265dd45, 0x454db985, 0x7c3514c5, 0x6b1d7005, 0x0ec44e45,\n 0x19ec2a85, 0x209487c5, 0x37bce305, 0x4fed41cf, 0x58c5250f,\n 0x61bd884f, 0x7695ec8f, 0x134cd2cf, 0x0464b60f, 0x3d1c1b4f,\n 0x2a347f8f, 0xf6ae67cf, 0xe186030f, 0xd8feae4f, 0xcfd6ca8f,\n 0xaa0ff4cf, 0xbd27900f, 0x845f3d4f, 0x9377598f, 0xe61a0b8e,\n 0xf1326f4e, 0xc84ac20e, 0xdf62a6ce, 0xbabb988e, 0xad93fc4e,\n 0x94eb510e, 0x83c335ce, 0x5f592d8e, 0x4871494e, 0x7109e40e,\n 0x662180ce, 0x03f8be8e, 0x14d0da4e, 0x2da8770e, 0x3a8013ce,\n 0xc772d30c, 0xd05ab7cc, 0xe9221a8c, 0xfe0a7e4c, 0x9bd3400c,\n 0x8cfb24cc, 0xb583898c, 0xa2abed4c, 0x7e31f50c, 0x691991cc,\n 0x50613c8c, 0x4749584c, 0x2290660c, 0x35b802cc, 0x0cc0af8c,\n 0x1be8cb4c, 0x6e85994d, 0x79adfd8d, 0x40d550cd, 0x57fd340d,\n 0x32240a4d, 0x250c6e8d, 0x1c74c3cd, 0x0b5ca70d, 0xd7c6bf4d,\n 0xc0eedb8d, 0xf99676cd, 0xeebe120d, 0x8b672c4d, 0x9c4f488d,\n 0xa537e5cd, 0xb21f810d, 0x85a36208, 0x928b06c8, 0xabf3ab88,\n 0xbcdbcf48, 0xd902f108, 0xce2a95c8, 0xf7523888, 0xe07a5c48,\n 0x3ce04408, 0x2bc820c8, 0x12b08d88, 0x0598e948, 0x6041d708,\n 0x7769b3c8, 0x4e111e88, 0x59397a48, 0x2c542849, 0x3b7c4c89,\n 0x0204e1c9, 0x152c8509, 0x70f5bb49, 0x67dddf89, 0x5ea572c9,\n 0x498d1609, 0x95170e49, 0x823f6a89, 0xbb47c7c9, 0xac6fa309,\n 0xc9b69d49, 0xde9ef989, 0xe7e654c9, 0xf0ce3009, 0x0d3cf0cb,\n 0x1a14940b, 0x236c394b, 0x34445d8b, 0x519d63cb, 0x46b5070b,\n 0x7fcdaa4b, 0x68e5ce8b, 0xb47fd6cb, 0xa357b20b, 0x9a2f1f4b,\n 0x8d077b8b, 0xe8de45cb, 0xfff6210b, 0xc68e8c4b, 0xd1a6e88b,\n 0xa4cbba8a, 0xb3e3de4a, 0x8a9b730a, 0x9db317ca, 0xf86a298a,\n 0xef424d4a, 0xd63ae00a, 0xc11284ca, 0x1d889c8a, 0x0aa0f84a,\n 0x33d8550a, 0x24f031ca, 0x41290f8a, 0x56016b4a, 0x6f79c60a,\n 0x7851a2ca},\n {0x00000000, 0x9fda839e, 0xe4c4017d, 0x7b1e82e3, 0x12f904bb,\n 0x8d238725, 0xf63d05c6, 0x69e78658, 0x25f20976, 0xba288ae8,\n 0xc136080b, 0x5eec8b95, 0x370b0dcd, 0xa8d18e53, 0xd3cf0cb0,\n 0x4c158f2e, 0x4be412ec, 0xd43e9172, 0xaf201391, 0x30fa900f,\n 0x591d1657, 0xc6c795c9, 0xbdd9172a, 0x220394b4, 0x6e161b9a,\n 0xf1cc9804, 0x8ad21ae7, 0x15089979, 0x7cef1f21, 0xe3359cbf,\n 0x982b1e5c, 0x07f19dc2, 0x97c825d8, 0x0812a646, 0x730c24a5,\n 0xecd6a73b, 0x85312163, 0x1aeba2fd, 0x61f5201e, 0xfe2fa380,\n 0xb23a2cae, 0x2de0af30, 0x56fe2dd3, 0xc924ae4d, 0xa0c32815,\n 0x3f19ab8b, 0x44072968, 0xdbddaaf6, 0xdc2c3734, 0x43f6b4aa,\n 0x38e83649, 0xa732b5d7, 0xced5338f, 0x510fb011, 0x2a1132f2,\n 0xb5cbb16c, 0xf9de3e42, 0x6604bddc, 0x1d1a3f3f, 0x82c0bca1,\n 0xeb273af9, 0x74fdb967, 0x0fe33b84, 0x9039b81a, 0xf4e14df1,\n 0x6b3bce6f, 0x10254c8c, 0x8fffcf12, 0xe618494a, 0x79c2cad4,\n 0x02dc4837, 0x9d06cba9, 0xd1134487, 0x4ec9c719, 0x35d745fa,\n 0xaa0dc664, 0xc3ea403c, 0x5c30c3a2, 0x272e4141, 0xb8f4c2df,\n 0xbf055f1d, 0x20dfdc83, 0x5bc15e60, 0xc41bddfe, 0xadfc5ba6,\n 0x3226d838, 0x49385adb, 0xd6e2d945, 0x9af7566b, 0x052dd5f5,\n 0x7e335716, 0xe1e9d488, 0x880e52d0, 0x17d4d14e, 0x6cca53ad,\n 0xf310d033, 0x63296829, 0xfcf3ebb7, 0x87ed6954, 0x1837eaca,\n 0x71d06c92, 0xee0aef0c, 0x95146def, 0x0aceee71, 0x46db615f,\n 0xd901e2c1, 0xa21f6022, 0x3dc5e3bc, 0x542265e4, 0xcbf8e67a,\n 0xb0e66499, 0x2f3ce707, 0x28cd7ac5, 0xb717f95b, 0xcc097bb8,\n 0x53d3f826, 0x3a347e7e, 0xa5eefde0, 0xdef07f03, 0x412afc9d,\n 0x0d3f73b3, 0x92e5f02d, 0xe9fb72ce, 0x7621f150, 0x1fc67708,\n 0x801cf496, 0xfb027675, 0x64d8f5eb, 0x32b39da3, 0xad691e3d,\n 0xd6779cde, 0x49ad1f40, 0x204a9918, 0xbf901a86, 0xc48e9865,\n 0x5b541bfb, 0x174194d5, 0x889b174b, 0xf38595a8, 0x6c5f1636,\n 0x05b8906e, 0x9a6213f0, 0xe17c9113, 0x7ea6128d, 0x79578f4f,\n 0xe68d0cd1, 0x9d938e32, 0x02490dac, 0x6bae8bf4, 0xf474086a,\n 0x8f6a8a89, 0x10b00917, 0x5ca58639, 0xc37f05a7, 0xb8618744,\n 0x27bb04da, 0x4e5c8282, 0xd186011c, 0xaa9883ff, 0x35420061,\n 0xa57bb87b, 0x3aa13be5, 0x41bfb906, 0xde653a98, 0xb782bcc0,\n 0x28583f5e, 0x5346bdbd, 0xcc9c3e23, 0x8089b10d, 0x1f533293,\n 0x644db070, 0xfb9733ee, 0x9270b5b6, 0x0daa3628, 0x76b4b4cb,\n 0xe96e3755, 0xee9faa97, 0x71452909, 0x0a5babea, 0x95812874,\n 0xfc66ae2c, 0x63bc2db2, 0x18a2af51, 0x87782ccf, 0xcb6da3e1,\n 0x54b7207f, 0x2fa9a29c, 0xb0732102, 0xd994a75a, 0x464e24c4,\n 0x3d50a627, 0xa28a25b9, 0xc652d052, 0x598853cc, 0x2296d12f,\n 0xbd4c52b1, 0xd4abd4e9, 0x4b715777, 0x306fd594, 0xafb5560a,\n 0xe3a0d924, 0x7c7a5aba, 0x0764d859, 0x98be5bc7, 0xf159dd9f,\n 0x6e835e01, 0x159ddce2, 0x8a475f7c, 0x8db6c2be, 0x126c4120,\n 0x6972c3c3, 0xf6a8405d, 0x9f4fc605, 0x0095459b, 0x7b8bc778,\n 0xe45144e6, 0xa844cbc8, 0x379e4856, 0x4c80cab5, 0xd35a492b,\n 0xbabdcf73, 0x25674ced, 0x5e79ce0e, 0xc1a34d90, 0x519af58a,\n 0xce407614, 0xb55ef4f7, 0x2a847769, 0x4363f131, 0xdcb972af,\n 0xa7a7f04c, 0x387d73d2, 0x7468fcfc, 0xebb27f62, 0x90acfd81,\n 0x0f767e1f, 0x6691f847, 0xf94b7bd9, 0x8255f93a, 0x1d8f7aa4,\n 0x1a7ee766, 0x85a464f8, 0xfebae61b, 0x61606585, 0x0887e3dd,\n 0x975d6043, 0xec43e2a0, 0x7399613e, 0x3f8cee10, 0xa0566d8e,\n 0xdb48ef6d, 0x44926cf3, 0x2d75eaab, 0xb2af6935, 0xc9b1ebd6,\n 0x566b6848}};\n\nlocal const z_word_t FAR crc_braid_big_table[][256] = {\n {0x00000000, 0x9e83da9f, 0x7d01c4e4, 0xe3821e7b, 0xbb04f912,\n 0x2587238d, 0xc6053df6, 0x5886e769, 0x7609f225, 0xe88a28ba,\n 0x0b0836c1, 0x958bec5e, 0xcd0d0b37, 0x538ed1a8, 0xb00ccfd3,\n 0x2e8f154c, 0xec12e44b, 0x72913ed4, 0x911320af, 0x0f90fa30,\n 0x57161d59, 0xc995c7c6, 0x2a17d9bd, 0xb4940322, 0x9a1b166e,\n 0x0498ccf1, 0xe71ad28a, 0x79990815, 0x211fef7c, 0xbf9c35e3,\n 0x5c1e2b98, 0xc29df107, 0xd825c897, 0x46a61208, 0xa5240c73,\n 0x3ba7d6ec, 0x63213185, 0xfda2eb1a, 0x1e20f561, 0x80a32ffe,\n 0xae2c3ab2, 0x30afe02d, 0xd32dfe56, 0x4dae24c9, 0x1528c3a0,\n 0x8bab193f, 0x68290744, 0xf6aadddb, 0x34372cdc, 0xaab4f643,\n 0x4936e838, 0xd7b532a7, 0x8f33d5ce, 0x11b00f51, 0xf232112a,\n 0x6cb1cbb5, 0x423edef9, 0xdcbd0466, 0x3f3f1a1d, 0xa1bcc082,\n 0xf93a27eb, 0x67b9fd74, 0x843be30f, 0x1ab83990, 0xf14de1f4,\n 0x6fce3b6b, 0x8c4c2510, 0x12cfff8f, 0x4a4918e6, 0xd4cac279,\n 0x3748dc02, 0xa9cb069d, 0x874413d1, 0x19c7c94e, 0xfa45d735,\n 0x64c60daa, 0x3c40eac3, 0xa2c3305c, 0x41412e27, 0xdfc2f4b8,\n 0x1d5f05bf, 0x83dcdf20, 0x605ec15b, 0xfedd1bc4, 0xa65bfcad,\n 0x38d82632, 0xdb5a3849, 0x45d9e2d6, 0x6b56f79a, 0xf5d52d05,\n 0x1657337e, 0x88d4e9e1, 0xd0520e88, 0x4ed1d417, 0xad53ca6c,\n 0x33d010f3, 0x29682963, 0xb7ebf3fc, 0x5469ed87, 0xcaea3718,\n 0x926cd071, 0x0cef0aee, 0xef6d1495, 0x71eece0a, 0x5f61db46,\n 0xc1e201d9, 0x22601fa2, 0xbce3c53d, 0xe4652254, 0x7ae6f8cb,\n 0x9964e6b0, 0x07e73c2f, 0xc57acd28, 0x5bf917b7, 0xb87b09cc,\n 0x26f8d353, 0x7e7e343a, 0xe0fdeea5, 0x037ff0de, 0x9dfc2a41,\n 0xb3733f0d, 0x2df0e592, 0xce72fbe9, 0x50f12176, 0x0877c61f,\n 0x96f41c80, 0x757602fb, 0xebf5d864, 0xa39db332, 0x3d1e69ad,\n 0xde9c77d6, 0x401fad49, 0x18994a20, 0x861a90bf, 0x65988ec4,\n 0xfb1b545b, 0xd5944117, 0x4b179b88, 0xa89585f3, 0x36165f6c,\n 0x6e90b805, 0xf013629a, 0x13917ce1, 0x8d12a67e, 0x4f8f5779,\n 0xd10c8de6, 0x328e939d, 0xac0d4902, 0xf48bae6b, 0x6a0874f4,\n 0x898a6a8f, 0x1709b010, 0x3986a55c, 0xa7057fc3, 0x448761b8,\n 0xda04bb27, 0x82825c4e, 0x1c0186d1, 0xff8398aa, 0x61004235,\n 0x7bb87ba5, 0xe53ba13a, 0x06b9bf41, 0x983a65de, 0xc0bc82b7,\n 0x5e3f5828, 0xbdbd4653, 0x233e9ccc, 0x0db18980, 0x9332531f,\n 0x70b04d64, 0xee3397fb, 0xb6b57092, 0x2836aa0d, 0xcbb4b476,\n 0x55376ee9, 0x97aa9fee, 0x09294571, 0xeaab5b0a, 0x74288195,\n 0x2cae66fc, 0xb22dbc63, 0x51afa218, 0xcf2c7887, 0xe1a36dcb,\n 0x7f20b754, 0x9ca2a92f, 0x022173b0, 0x5aa794d9, 0xc4244e46,\n 0x27a6503d, 0xb9258aa2, 0x52d052c6, 0xcc538859, 0x2fd19622,\n 0xb1524cbd, 0xe9d4abd4, 0x7757714b, 0x94d56f30, 0x0a56b5af,\n 0x24d9a0e3, 0xba5a7a7c, 0x59d86407, 0xc75bbe98, 0x9fdd59f1,\n 0x015e836e, 0xe2dc9d15, 0x7c5f478a, 0xbec2b68d, 0x20416c12,\n 0xc3c37269, 0x5d40a8f6, 0x05c64f9f, 0x9b459500, 0x78c78b7b,\n 0xe64451e4, 0xc8cb44a8, 0x56489e37, 0xb5ca804c, 0x2b495ad3,\n 0x73cfbdba, 0xed4c6725, 0x0ece795e, 0x904da3c1, 0x8af59a51,\n 0x147640ce, 0xf7f45eb5, 0x6977842a, 0x31f16343, 0xaf72b9dc,\n 0x4cf0a7a7, 0xd2737d38, 0xfcfc6874, 0x627fb2eb, 0x81fdac90,\n 0x1f7e760f, 0x47f89166, 0xd97b4bf9, 0x3af95582, 0xa47a8f1d,\n 0x66e77e1a, 0xf864a485, 0x1be6bafe, 0x85656061, 0xdde38708,\n 0x43605d97, 0xa0e243ec, 0x3e619973, 0x10ee8c3f, 0x8e6d56a0,\n 0x6def48db, 0xf36c9244, 0xabea752d, 0x3569afb2, 0xd6ebb1c9,\n 0x48686b56},\n {0x00000000, 0xc0642817, 0x80c9502e, 0x40ad7839, 0x0093a15c,\n 0xc0f7894b, 0x805af172, 0x403ed965, 0x002643b9, 0xc0426bae,\n 0x80ef1397, 0x408b3b80, 0x00b5e2e5, 0xc0d1caf2, 0x807cb2cb,\n 0x40189adc, 0x414af7a9, 0x812edfbe, 0xc183a787, 0x01e78f90,\n 0x41d956f5, 0x81bd7ee2, 0xc11006db, 0x01742ecc, 0x416cb410,\n 0x81089c07, 0xc1a5e43e, 0x01c1cc29, 0x41ff154c, 0x819b3d5b,\n 0xc1364562, 0x01526d75, 0xc3929f88, 0x03f6b79f, 0x435bcfa6,\n 0x833fe7b1, 0xc3013ed4, 0x036516c3, 0x43c86efa, 0x83ac46ed,\n 0xc3b4dc31, 0x03d0f426, 0x437d8c1f, 0x8319a408, 0xc3277d6d,\n 0x0343557a, 0x43ee2d43, 0x838a0554, 0x82d86821, 0x42bc4036,\n 0x0211380f, 0xc2751018, 0x824bc97d, 0x422fe16a, 0x02829953,\n 0xc2e6b144, 0x82fe2b98, 0x429a038f, 0x02377bb6, 0xc25353a1,\n 0x826d8ac4, 0x4209a2d3, 0x02a4daea, 0xc2c0f2fd, 0xc7234eca,\n 0x074766dd, 0x47ea1ee4, 0x878e36f3, 0xc7b0ef96, 0x07d4c781,\n 0x4779bfb8, 0x871d97af, 0xc7050d73, 0x07612564, 0x47cc5d5d,\n 0x87a8754a, 0xc796ac2f, 0x07f28438, 0x475ffc01, 0x873bd416,\n 0x8669b963, 0x460d9174, 0x06a0e94d, 0xc6c4c15a, 0x86fa183f,\n 0x469e3028, 0x06334811, 0xc6576006, 0x864ffada, 0x462bd2cd,\n 0x0686aaf4, 0xc6e282e3, 0x86dc5b86, 0x46b87391, 0x06150ba8,\n 0xc67123bf, 0x04b1d142, 0xc4d5f955, 0x8478816c, 0x441ca97b,\n 0x0422701e, 0xc4465809, 0x84eb2030, 0x448f0827, 0x049792fb,\n 0xc4f3baec, 0x845ec2d5, 0x443aeac2, 0x040433a7, 0xc4601bb0,\n 0x84cd6389, 0x44a94b9e, 0x45fb26eb, 0x859f0efc, 0xc53276c5,\n 0x05565ed2, 0x456887b7, 0x850cafa0, 0xc5a1d799, 0x05c5ff8e,\n 0x45dd6552, 0x85b94d45, 0xc514357c, 0x05701d6b, 0x454ec40e,\n 0x852aec19, 0xc5879420, 0x05e3bc37, 0xcf41ed4f, 0x0f25c558,\n 0x4f88bd61, 0x8fec9576, 0xcfd24c13, 0x0fb66404, 0x4f1b1c3d,\n 0x8f7f342a, 0xcf67aef6, 0x0f0386e1, 0x4faefed8, 0x8fcad6cf,\n 0xcff40faa, 0x0f9027bd, 0x4f3d5f84, 0x8f597793, 0x8e0b1ae6,\n 0x4e6f32f1, 0x0ec24ac8, 0xcea662df, 0x8e98bbba, 0x4efc93ad,\n 0x0e51eb94, 0xce35c383, 0x8e2d595f, 0x4e497148, 0x0ee40971,\n 0xce802166, 0x8ebef803, 0x4edad014, 0x0e77a82d, 0xce13803a,\n 0x0cd372c7, 0xccb75ad0, 0x8c1a22e9, 0x4c7e0afe, 0x0c40d39b,\n 0xcc24fb8c, 0x8c8983b5, 0x4cedaba2, 0x0cf5317e, 0xcc911969,\n 0x8c3c6150, 0x4c584947, 0x0c669022, 0xcc02b835, 0x8cafc00c,\n 0x4ccbe81b, 0x4d99856e, 0x8dfdad79, 0xcd50d540, 0x0d34fd57,\n 0x4d0a2432, 0x8d6e0c25, 0xcdc3741c, 0x0da75c0b, 0x4dbfc6d7,\n 0x8ddbeec0, 0xcd7696f9, 0x0d12beee, 0x4d2c678b, 0x8d484f9c,\n 0xcde537a5, 0x0d811fb2, 0x0862a385, 0xc8068b92, 0x88abf3ab,\n 0x48cfdbbc, 0x08f102d9, 0xc8952ace, 0x883852f7, 0x485c7ae0,\n 0x0844e03c, 0xc820c82b, 0x888db012, 0x48e99805, 0x08d74160,\n 0xc8b36977, 0x881e114e, 0x487a3959, 0x4928542c, 0x894c7c3b,\n 0xc9e10402, 0x09852c15, 0x49bbf570, 0x89dfdd67, 0xc972a55e,\n 0x09168d49, 0x490e1795, 0x896a3f82, 0xc9c747bb, 0x09a36fac,\n 0x499db6c9, 0x89f99ede, 0xc954e6e7, 0x0930cef0, 0xcbf03c0d,\n 0x0b94141a, 0x4b396c23, 0x8b5d4434, 0xcb639d51, 0x0b07b546,\n 0x4baacd7f, 0x8bcee568, 0xcbd67fb4, 0x0bb257a3, 0x4b1f2f9a,\n 0x8b7b078d, 0xcb45dee8, 0x0b21f6ff, 0x4b8c8ec6, 0x8be8a6d1,\n 0x8abacba4, 0x4adee3b3, 0x0a739b8a, 0xca17b39d, 0x8a296af8,\n 0x4a4d42ef, 0x0ae03ad6, 0xca8412c1, 0x8a9c881d, 0x4af8a00a,\n 0x0a55d833, 0xca31f024, 0x8a0f2941, 0x4a6b0156, 0x0ac6796f,\n 0xcaa25178},\n {0x00000000, 0xd4ea739b, 0xe9d396ed, 0x3d39e576, 0x93a15c00,\n 0x474b2f9b, 0x7a72caed, 0xae98b976, 0x2643b900, 0xf2a9ca9b,\n 0xcf902fed, 0x1b7a5c76, 0xb5e2e500, 0x6108969b, 0x5c3173ed,\n 0x88db0076, 0x4c867201, 0x986c019a, 0xa555e4ec, 0x71bf9777,\n 0xdf272e01, 0x0bcd5d9a, 0x36f4b8ec, 0xe21ecb77, 0x6ac5cb01,\n 0xbe2fb89a, 0x83165dec, 0x57fc2e77, 0xf9649701, 0x2d8ee49a,\n 0x10b701ec, 0xc45d7277, 0x980ce502, 0x4ce69699, 0x71df73ef,\n 0xa5350074, 0x0badb902, 0xdf47ca99, 0xe27e2fef, 0x36945c74,\n 0xbe4f5c02, 0x6aa52f99, 0x579ccaef, 0x8376b974, 0x2dee0002,\n 0xf9047399, 0xc43d96ef, 0x10d7e574, 0xd48a9703, 0x0060e498,\n 0x3d5901ee, 0xe9b37275, 0x472bcb03, 0x93c1b898, 0xaef85dee,\n 0x7a122e75, 0xf2c92e03, 0x26235d98, 0x1b1ab8ee, 0xcff0cb75,\n 0x61687203, 0xb5820198, 0x88bbe4ee, 0x5c519775, 0x3019ca05,\n 0xe4f3b99e, 0xd9ca5ce8, 0x0d202f73, 0xa3b89605, 0x7752e59e,\n 0x4a6b00e8, 0x9e817373, 0x165a7305, 0xc2b0009e, 0xff89e5e8,\n 0x2b639673, 0x85fb2f05, 0x51115c9e, 0x6c28b9e8, 0xb8c2ca73,\n 0x7c9fb804, 0xa875cb9f, 0x954c2ee9, 0x41a65d72, 0xef3ee404,\n 0x3bd4979f, 0x06ed72e9, 0xd2070172, 0x5adc0104, 0x8e36729f,\n 0xb30f97e9, 0x67e5e472, 0xc97d5d04, 0x1d972e9f, 0x20aecbe9,\n 0xf444b872, 0xa8152f07, 0x7cff5c9c, 0x41c6b9ea, 0x952cca71,\n 0x3bb47307, 0xef5e009c, 0xd267e5ea, 0x068d9671, 0x8e569607,\n 0x5abce59c, 0x678500ea, 0xb36f7371, 0x1df7ca07, 0xc91db99c,\n 0xf4245cea, 0x20ce2f71, 0xe4935d06, 0x30792e9d, 0x0d40cbeb,\n 0xd9aab870, 0x77320106, 0xa3d8729d, 0x9ee197eb, 0x4a0be470,\n 0xc2d0e406, 0x163a979d, 0x2b0372eb, 0xffe90170, 0x5171b806,\n 0x859bcb9d, 0xb8a22eeb, 0x6c485d70, 0x6032940b, 0xb4d8e790,\n 0x89e102e6, 0x5d0b717d, 0xf393c80b, 0x2779bb90, 0x1a405ee6,\n 0xceaa2d7d, 0x46712d0b, 0x929b5e90, 0xafa2bbe6, 0x7b48c87d,\n 0xd5d0710b, 0x013a0290, 0x3c03e7e6, 0xe8e9947d, 0x2cb4e60a,\n 0xf85e9591, 0xc56770e7, 0x118d037c, 0xbf15ba0a, 0x6bffc991,\n 0x56c62ce7, 0x822c5f7c, 0x0af75f0a, 0xde1d2c91, 0xe324c9e7,\n 0x37ceba7c, 0x9956030a, 0x4dbc7091, 0x708595e7, 0xa46fe67c,\n 0xf83e7109, 0x2cd40292, 0x11ede7e4, 0xc507947f, 0x6b9f2d09,\n 0xbf755e92, 0x824cbbe4, 0x56a6c87f, 0xde7dc809, 0x0a97bb92,\n 0x37ae5ee4, 0xe3442d7f, 0x4ddc9409, 0x9936e792, 0xa40f02e4,\n 0x70e5717f, 0xb4b80308, 0x60527093, 0x5d6b95e5, 0x8981e67e,\n 0x27195f08, 0xf3f32c93, 0xcecac9e5, 0x1a20ba7e, 0x92fbba08,\n 0x4611c993, 0x7b282ce5, 0xafc25f7e, 0x015ae608, 0xd5b09593,\n 0xe88970e5, 0x3c63037e, 0x502b5e0e, 0x84c12d95, 0xb9f8c8e3,\n 0x6d12bb78, 0xc38a020e, 0x17607195, 0x2a5994e3, 0xfeb3e778,\n 0x7668e70e, 0xa2829495, 0x9fbb71e3, 0x4b510278, 0xe5c9bb0e,\n 0x3123c895, 0x0c1a2de3, 0xd8f05e78, 0x1cad2c0f, 0xc8475f94,\n 0xf57ebae2, 0x2194c979, 0x8f0c700f, 0x5be60394, 0x66dfe6e2,\n 0xb2359579, 0x3aee950f, 0xee04e694, 0xd33d03e2, 0x07d77079,\n 0xa94fc90f, 0x7da5ba94, 0x409c5fe2, 0x94762c79, 0xc827bb0c,\n 0x1ccdc897, 0x21f42de1, 0xf51e5e7a, 0x5b86e70c, 0x8f6c9497,\n 0xb25571e1, 0x66bf027a, 0xee64020c, 0x3a8e7197, 0x07b794e1,\n 0xd35de77a, 0x7dc55e0c, 0xa92f2d97, 0x9416c8e1, 0x40fcbb7a,\n 0x84a1c90d, 0x504bba96, 0x6d725fe0, 0xb9982c7b, 0x1700950d,\n 0xc3eae696, 0xfed303e0, 0x2a39707b, 0xa2e2700d, 0x76080396,\n 0x4b31e6e0, 0x9fdb957b, 0x31432c0d, 0xe5a95f96, 0xd890bae0,\n 0x0c7ac97b},\n {0x00000000, 0x27652581, 0x0fcc3bd9, 0x28a91e58, 0x5f9e0669,\n 0x78fb23e8, 0x50523db0, 0x77371831, 0xbe3c0dd2, 0x99592853,\n 0xb1f0360b, 0x9695138a, 0xe1a20bbb, 0xc6c72e3a, 0xee6e3062,\n 0xc90b15e3, 0x3d7f6b7f, 0x1a1a4efe, 0x32b350a6, 0x15d67527,\n 0x62e16d16, 0x45844897, 0x6d2d56cf, 0x4a48734e, 0x834366ad,\n 0xa426432c, 0x8c8f5d74, 0xabea78f5, 0xdcdd60c4, 0xfbb84545,\n 0xd3115b1d, 0xf4747e9c, 0x7afed6fe, 0x5d9bf37f, 0x7532ed27,\n 0x5257c8a6, 0x2560d097, 0x0205f516, 0x2aaceb4e, 0x0dc9cecf,\n 0xc4c2db2c, 0xe3a7fead, 0xcb0ee0f5, 0xec6bc574, 0x9b5cdd45,\n 0xbc39f8c4, 0x9490e69c, 0xb3f5c31d, 0x4781bd81, 0x60e49800,\n 0x484d8658, 0x6f28a3d9, 0x181fbbe8, 0x3f7a9e69, 0x17d38031,\n 0x30b6a5b0, 0xf9bdb053, 0xded895d2, 0xf6718b8a, 0xd114ae0b,\n 0xa623b63a, 0x814693bb, 0xa9ef8de3, 0x8e8aa862, 0xb5fadc26,\n 0x929ff9a7, 0xba36e7ff, 0x9d53c27e, 0xea64da4f, 0xcd01ffce,\n 0xe5a8e196, 0xc2cdc417, 0x0bc6d1f4, 0x2ca3f475, 0x040aea2d,\n 0x236fcfac, 0x5458d79d, 0x733df21c, 0x5b94ec44, 0x7cf1c9c5,\n 0x8885b759, 0xafe092d8, 0x87498c80, 0xa02ca901, 0xd71bb130,\n 0xf07e94b1, 0xd8d78ae9, 0xffb2af68, 0x36b9ba8b, 0x11dc9f0a,\n 0x39758152, 0x1e10a4d3, 0x6927bce2, 0x4e429963, 0x66eb873b,\n 0x418ea2ba, 0xcf040ad8, 0xe8612f59, 0xc0c83101, 0xe7ad1480,\n 0x909a0cb1, 0xb7ff2930, 0x9f563768, 0xb83312e9, 0x7138070a,\n 0x565d228b, 0x7ef43cd3, 0x59911952, 0x2ea60163, 0x09c324e2,\n 0x216a3aba, 0x060f1f3b, 0xf27b61a7, 0xd51e4426, 0xfdb75a7e,\n 0xdad27fff, 0xade567ce, 0x8a80424f, 0xa2295c17, 0x854c7996,\n 0x4c476c75, 0x6b2249f4, 0x438b57ac, 0x64ee722d, 0x13d96a1c,\n 0x34bc4f9d, 0x1c1551c5, 0x3b707444, 0x6af5b94d, 0x4d909ccc,\n 0x65398294, 0x425ca715, 0x356bbf24, 0x120e9aa5, 0x3aa784fd,\n 0x1dc2a17c, 0xd4c9b49f, 0xf3ac911e, 0xdb058f46, 0xfc60aac7,\n 0x8b57b2f6, 0xac329777, 0x849b892f, 0xa3feacae, 0x578ad232,\n 0x70eff7b3, 0x5846e9eb, 0x7f23cc6a, 0x0814d45b, 0x2f71f1da,\n 0x07d8ef82, 0x20bdca03, 0xe9b6dfe0, 0xced3fa61, 0xe67ae439,\n 0xc11fc1b8, 0xb628d989, 0x914dfc08, 0xb9e4e250, 0x9e81c7d1,\n 0x100b6fb3, 0x376e4a32, 0x1fc7546a, 0x38a271eb, 0x4f9569da,\n 0x68f04c5b, 0x40595203, 0x673c7782, 0xae376261, 0x895247e0,\n 0xa1fb59b8, 0x869e7c39, 0xf1a96408, 0xd6cc4189, 0xfe655fd1,\n 0xd9007a50, 0x2d7404cc, 0x0a11214d, 0x22b83f15, 0x05dd1a94,\n 0x72ea02a5, 0x558f2724, 0x7d26397c, 0x5a431cfd, 0x9348091e,\n 0xb42d2c9f, 0x9c8432c7, 0xbbe11746, 0xccd60f77, 0xebb32af6,\n 0xc31a34ae, 0xe47f112f, 0xdf0f656b, 0xf86a40ea, 0xd0c35eb2,\n 0xf7a67b33, 0x80916302, 0xa7f44683, 0x8f5d58db, 0xa8387d5a,\n 0x613368b9, 0x46564d38, 0x6eff5360, 0x499a76e1, 0x3ead6ed0,\n 0x19c84b51, 0x31615509, 0x16047088, 0xe2700e14, 0xc5152b95,\n 0xedbc35cd, 0xcad9104c, 0xbdee087d, 0x9a8b2dfc, 0xb22233a4,\n 0x95471625, 0x5c4c03c6, 0x7b292647, 0x5380381f, 0x74e51d9e,\n 0x03d205af, 0x24b7202e, 0x0c1e3e76, 0x2b7b1bf7, 0xa5f1b395,\n 0x82949614, 0xaa3d884c, 0x8d58adcd, 0xfa6fb5fc, 0xdd0a907d,\n 0xf5a38e25, 0xd2c6aba4, 0x1bcdbe47, 0x3ca89bc6, 0x1401859e,\n 0x3364a01f, 0x4453b82e, 0x63369daf, 0x4b9f83f7, 0x6cfaa676,\n 0x988ed8ea, 0xbfebfd6b, 0x9742e333, 0xb027c6b2, 0xc710de83,\n 0xe075fb02, 0xc8dce55a, 0xefb9c0db, 0x26b2d538, 0x01d7f0b9,\n 0x297eeee1, 0x0e1bcb60, 0x792cd351, 0x5e49f6d0, 0x76e0e888,\n 0x5185cd09}};\n\n#endif\n\n#endif\n\n#endif\n\nlocal const z_crc_t FAR x2n_table[] = {\n 0x40000000, 0x20000000, 0x08000000, 0x00800000, 0x00008000,\n 0xedb88320, 0xb1e6b092, 0xa06a2517, 0xed627dae, 0x88d14467,\n 0xd7bbfe6a, 0xec447f11, 0x8e7ea170, 0x6427800e, 0x4d47bae0,\n 0x09fe548f, 0x83852d0f, 0x30362f1a, 0x7b5a9cc3, 0x31fec169,\n 0x9fec022a, 0x6c8dedc4, 0x15d6874d, 0x5fde7a4e, 0xbad90e37,\n 0x2e4e5eef, 0x4eaba214, 0xa8a472c0, 0x429a969e, 0x148d302a,\n 0xc40ba6d0, 0xc4e22c3c};\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/deflate.c", "content": "/* deflate.c -- compress data using the deflation algorithm\n * Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/*\n * ALGORITHM\n *\n * The \"deflation\" process depends on being able to identify portions\n * of the input text which are identical to earlier input (within a\n * sliding window trailing behind the input currently being processed).\n *\n * The most straightforward technique turns out to be the fastest for\n * most input files: try all possible matches and select the longest.\n * The key feature of this algorithm is that insertions into the string\n * dictionary are very simple and thus fast, and deletions are avoided\n * completely. Insertions are performed at each input character, whereas\n * string matches are performed only when the previous match ends. So it\n * is preferable to spend more time in matches to allow very fast string\n * insertions and avoid deletions. The matching algorithm for small\n * strings is inspired from that of Rabin & Karp. A brute force approach\n * is used to find longer strings when a small match has been found.\n * A similar algorithm is used in comic (by Jan-Mark Wams) and freeze\n * (by Leonid Broukhis).\n * A previous version of this file used a more sophisticated algorithm\n * (by Fiala and Greene) which is guaranteed to run in linear amortized\n * time, but has a larger average cost, uses more memory and is patented.\n * However the F&G algorithm may be faster for some highly redundant\n * files if the parameter max_chain_length (described below) is too large.\n *\n * ACKNOWLEDGEMENTS\n *\n * The idea of lazy evaluation of matches is due to Jan-Mark Wams, and\n * I found it in 'freeze' written by Leonid Broukhis.\n * Thanks to many people for bug reports and testing.\n *\n * REFERENCES\n *\n * Deutsch, L.P.,\"DEFLATE Compressed Data Format Specification\".\n * Available in http://tools.ietf.org/html/rfc1951\n *\n * A description of the Rabin and Karp algorithm is given in the book\n * \"Algorithms\" by R. Sedgewick, Addison-Wesley, p252.\n *\n * Fiala,E.R., and Greene,D.H.\n * Data Compression with Finite Windows, Comm.ACM, 32,4 (1989) 490-595\n *\n */\n\n/* @(#) $Id$ */\n\n#include \"deflate.h\"\n\nconst char deflate_copyright[] =\n \" deflate 1.3 Copyright 1995-2023 Jean-loup Gailly and Mark Adler \";\n/*\n If you use the zlib library in a product, an acknowledgment is welcome\n in the documentation of your product. If for some reason you cannot\n include such an acknowledgment, I would appreciate that you keep this\n copyright string in the executable of your product.\n */\n\ntypedef enum {\n need_more, /* block not completed, need more input or more output */\n block_done, /* block flush performed */\n finish_started, /* finish started, need only more output at next deflate */\n finish_done /* finish done, accept no more input or output */\n} block_state;\n\ntypedef block_state (*compress_func)(deflate_state *s, int flush);\n/* Compression function. Returns the block state after the call. */\n\nlocal block_state deflate_stored(deflate_state *s, int flush);\nlocal block_state deflate_fast(deflate_state *s, int flush);\n#ifndef FASTEST\nlocal block_state deflate_slow(deflate_state *s, int flush);\n#endif\nlocal block_state deflate_rle(deflate_state *s, int flush);\nlocal block_state deflate_huff(deflate_state *s, int flush);\n\n/* ===========================================================================\n * Local data\n */\n\n#define NIL 0\n/* Tail of hash chains */\n\n#ifndef TOO_FAR\n# define TOO_FAR 4096\n#endif\n/* Matches of length 3 are discarded if their distance exceeds TOO_FAR */\n\n/* Values for max_lazy_match, good_match and max_chain_length, depending on\n * the desired pack level (0..9). The values given below have been tuned to\n * exclude worst case performance for pathological files. Better values may be\n * found for specific files.\n */\ntypedef struct config_s {\n ush good_length; /* reduce lazy search above this match length */\n ush max_lazy; /* do not perform lazy search above this match length */\n ush nice_length; /* quit search above this match length */\n ush max_chain;\n compress_func func;\n} config;\n\n#ifdef FASTEST\nlocal const config configuration_table[2] = {\n/* good lazy nice chain */\n/* 0 */ {0, 0, 0, 0, deflate_stored}, /* store only */\n/* 1 */ {4, 4, 8, 4, deflate_fast}}; /* max speed, no lazy matches */\n#else\nlocal const config configuration_table[10] = {\n/* good lazy nice chain */\n/* 0 */ {0, 0, 0, 0, deflate_stored}, /* store only */\n/* 1 */ {4, 4, 8, 4, deflate_fast}, /* max speed, no lazy matches */\n/* 2 */ {4, 5, 16, 8, deflate_fast},\n/* 3 */ {4, 6, 32, 32, deflate_fast},\n\n/* 4 */ {4, 4, 16, 16, deflate_slow}, /* lazy matches */\n/* 5 */ {8, 16, 32, 32, deflate_slow},\n/* 6 */ {8, 16, 128, 128, deflate_slow},\n/* 7 */ {8, 32, 128, 256, deflate_slow},\n/* 8 */ {32, 128, 258, 1024, deflate_slow},\n/* 9 */ {32, 258, 258, 4096, deflate_slow}}; /* max compression */\n#endif\n\n/* Note: the deflate() code requires max_lazy >= MIN_MATCH and max_chain >= 4\n * For deflate_fast() (levels <= 3) good is ignored and lazy has a different\n * meaning.\n */\n\n/* rank Z_BLOCK between Z_NO_FLUSH and Z_PARTIAL_FLUSH */\n#define RANK(f) (((f) * 2) - ((f) > 4 ? 9 : 0))\n\n/* ===========================================================================\n * Update a hash value with the given input byte\n * IN assertion: all calls to UPDATE_HASH are made with consecutive input\n * characters, so that a running hash key can be computed from the previous\n * key instead of complete recalculation each time.\n */\n#define UPDATE_HASH(s,h,c) (h = (((h) << s->hash_shift) ^ (c)) & s->hash_mask)\n\n\n/* ===========================================================================\n * Insert string str in the dictionary and set match_head to the previous head\n * of the hash chain (the most recent string with same hash key). Return\n * the previous length of the hash chain.\n * If this file is compiled with -DFASTEST, the compression level is forced\n * to 1, and no hash chains are maintained.\n * IN assertion: all calls to INSERT_STRING are made with consecutive input\n * characters and the first MIN_MATCH bytes of str are valid (except for\n * the last MIN_MATCH-1 bytes of the input file).\n */\n#ifdef FASTEST\n#define INSERT_STRING(s, str, match_head) \\\n (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \\\n match_head = s->head[s->ins_h], \\\n s->head[s->ins_h] = (Pos)(str))\n#else\n#define INSERT_STRING(s, str, match_head) \\\n (UPDATE_HASH(s, s->ins_h, s->window[(str) + (MIN_MATCH-1)]), \\\n match_head = s->prev[(str) & s->w_mask] = s->head[s->ins_h], \\\n s->head[s->ins_h] = (Pos)(str))\n#endif\n\n/* ===========================================================================\n * Initialize the hash table (avoiding 64K overflow for 16 bit systems).\n * prev[] will be initialized on the fly.\n */\n#define CLEAR_HASH(s) \\\n do { \\\n s->head[s->hash_size - 1] = NIL; \\\n zmemzero((Bytef *)s->head, \\\n (unsigned)(s->hash_size - 1)*sizeof(*s->head)); \\\n } while (0)\n\n/* ===========================================================================\n * Slide the hash table when sliding the window down (could be avoided with 32\n * bit values at the expense of memory usage). We slide even when level == 0 to\n * keep the hash table consistent if we switch back to level > 0 later.\n */\n#if defined(__has_feature)\n# if __has_feature(memory_sanitizer)\n __attribute__((no_sanitize(\"memory\")))\n# endif\n#endif\nlocal void slide_hash(deflate_state *s) {\n unsigned n, m;\n Posf *p;\n uInt wsize = s->w_size;\n\n n = s->hash_size;\n p = &s->head[n];\n do {\n m = *--p;\n *p = (Pos)(m >= wsize ? m - wsize : NIL);\n } while (--n);\n n = wsize;\n#ifndef FASTEST\n p = &s->prev[n];\n do {\n m = *--p;\n *p = (Pos)(m >= wsize ? m - wsize : NIL);\n /* If n is not on any hash chain, prev[n] is garbage but\n * its value will never be used.\n */\n } while (--n);\n#endif\n}\n\n/* ===========================================================================\n * Read a new buffer from the current input stream, update the adler32\n * and total number of bytes read. All deflate() input goes through\n * this function so some applications may wish to modify it to avoid\n * allocating a large strm->next_in buffer and copying from it.\n * (See also flush_pending()).\n */\nlocal unsigned read_buf(z_streamp strm, Bytef *buf, unsigned size) {\n unsigned len = strm->avail_in;\n\n if (len > size) len = size;\n if (len == 0) return 0;\n\n strm->avail_in -= len;\n\n zmemcpy(buf, strm->next_in, len);\n if (strm->state->wrap == 1) {\n strm->adler = adler32(strm->adler, buf, len);\n }\n#ifdef GZIP\n else if (strm->state->wrap == 2) {\n strm->adler = crc32(strm->adler, buf, len);\n }\n#endif\n strm->next_in += len;\n strm->total_in += len;\n\n return len;\n}\n\n/* ===========================================================================\n * Fill the window when the lookahead becomes insufficient.\n * Updates strstart and lookahead.\n *\n * IN assertion: lookahead < MIN_LOOKAHEAD\n * OUT assertions: strstart <= window_size-MIN_LOOKAHEAD\n * At least one byte has been read, or avail_in == 0; reads are\n * performed for at least two bytes (required for the zip translate_eol\n * option -- not supported here).\n */\nlocal void fill_window(deflate_state *s) {\n unsigned n;\n unsigned more; /* Amount of free space at the end of the window. */\n uInt wsize = s->w_size;\n\n Assert(s->lookahead < MIN_LOOKAHEAD, \"already enough lookahead\");\n\n do {\n more = (unsigned)(s->window_size -(ulg)s->lookahead -(ulg)s->strstart);\n\n /* Deal with !@#$% 64K limit: */\n if (sizeof(int) <= 2) {\n if (more == 0 && s->strstart == 0 && s->lookahead == 0) {\n more = wsize;\n\n } else if (more == (unsigned)(-1)) {\n /* Very unlikely, but possible on 16 bit machine if\n * strstart == 0 && lookahead == 1 (input done a byte at time)\n */\n more--;\n }\n }\n\n /* If the window is almost full and there is insufficient lookahead,\n * move the upper half to the lower one to make room in the upper half.\n */\n if (s->strstart >= wsize + MAX_DIST(s)) {\n\n zmemcpy(s->window, s->window + wsize, (unsigned)wsize - more);\n s->match_start -= wsize;\n s->strstart -= wsize; /* we now have strstart >= MAX_DIST */\n s->block_start -= (long) wsize;\n if (s->insert > s->strstart)\n s->insert = s->strstart;\n slide_hash(s);\n more += wsize;\n }\n if (s->strm->avail_in == 0) break;\n\n /* If there was no sliding:\n * strstart <= WSIZE+MAX_DIST-1 && lookahead <= MIN_LOOKAHEAD - 1 &&\n * more == window_size - lookahead - strstart\n * => more >= window_size - (MIN_LOOKAHEAD-1 + WSIZE + MAX_DIST-1)\n * => more >= window_size - 2*WSIZE + 2\n * In the BIG_MEM or MMAP case (not yet supported),\n * window_size == input_size + MIN_LOOKAHEAD &&\n * strstart + s->lookahead <= input_size => more >= MIN_LOOKAHEAD.\n * Otherwise, window_size == 2*WSIZE so more >= 2.\n * If there was sliding, more >= WSIZE. So in all cases, more >= 2.\n */\n Assert(more >= 2, \"more < 2\");\n\n n = read_buf(s->strm, s->window + s->strstart + s->lookahead, more);\n s->lookahead += n;\n\n /* Initialize the hash value now that we have some input: */\n if (s->lookahead + s->insert >= MIN_MATCH) {\n uInt str = s->strstart - s->insert;\n s->ins_h = s->window[str];\n UPDATE_HASH(s, s->ins_h, s->window[str + 1]);\n#if MIN_MATCH != 3\n Call UPDATE_HASH() MIN_MATCH-3 more times\n#endif\n while (s->insert) {\n UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]);\n#ifndef FASTEST\n s->prev[str & s->w_mask] = s->head[s->ins_h];\n#endif\n s->head[s->ins_h] = (Pos)str;\n str++;\n s->insert--;\n if (s->lookahead + s->insert < MIN_MATCH)\n break;\n }\n }\n /* If the whole input has less than MIN_MATCH bytes, ins_h is garbage,\n * but this is not important since only literal bytes will be emitted.\n */\n\n } while (s->lookahead < MIN_LOOKAHEAD && s->strm->avail_in != 0);\n\n /* If the WIN_INIT bytes after the end of the current data have never been\n * written, then zero those bytes in order to avoid memory check reports of\n * the use of uninitialized (or uninitialised as Julian writes) bytes by\n * the longest match routines. Update the high water mark for the next\n * time through here. WIN_INIT is set to MAX_MATCH since the longest match\n * routines allow scanning to strstart + MAX_MATCH, ignoring lookahead.\n */\n if (s->high_water < s->window_size) {\n ulg curr = s->strstart + (ulg)(s->lookahead);\n ulg init;\n\n if (s->high_water < curr) {\n /* Previous high water mark below current data -- zero WIN_INIT\n * bytes or up to end of window, whichever is less.\n */\n init = s->window_size - curr;\n if (init > WIN_INIT)\n init = WIN_INIT;\n zmemzero(s->window + curr, (unsigned)init);\n s->high_water = curr + init;\n }\n else if (s->high_water < (ulg)curr + WIN_INIT) {\n /* High water mark at or above current data, but below current data\n * plus WIN_INIT -- zero out to current data plus WIN_INIT, or up\n * to end of window, whichever is less.\n */\n init = (ulg)curr + WIN_INIT - s->high_water;\n if (init > s->window_size - s->high_water)\n init = s->window_size - s->high_water;\n zmemzero(s->window + s->high_water, (unsigned)init);\n s->high_water += init;\n }\n }\n\n Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,\n \"not enough room for search\");\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateInit_(z_streamp strm, int level, const char *version,\n int stream_size) {\n return deflateInit2_(strm, level, Z_DEFLATED, MAX_WBITS, DEF_MEM_LEVEL,\n Z_DEFAULT_STRATEGY, version, stream_size);\n /* To do: ignore strm->next_in if we use it as window */\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateInit2_(z_streamp strm, int level, int method,\n int windowBits, int memLevel, int strategy,\n const char *version, int stream_size) {\n deflate_state *s;\n int wrap = 1;\n static const char my_version[] = ZLIB_VERSION;\n\n if (version == Z_NULL || version[0] != my_version[0] ||\n stream_size != sizeof(z_stream)) {\n return Z_VERSION_ERROR;\n }\n if (strm == Z_NULL) return Z_STREAM_ERROR;\n\n strm->msg = Z_NULL;\n if (strm->zalloc == (alloc_func)0) {\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zalloc = zcalloc;\n strm->opaque = (voidpf)0;\n#endif\n }\n if (strm->zfree == (free_func)0)\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zfree = zcfree;\n#endif\n\n#ifdef FASTEST\n if (level != 0) level = 1;\n#else\n if (level == Z_DEFAULT_COMPRESSION) level = 6;\n#endif\n\n if (windowBits < 0) { /* suppress zlib wrapper */\n wrap = 0;\n if (windowBits < -15)\n return Z_STREAM_ERROR;\n windowBits = -windowBits;\n }\n#ifdef GZIP\n else if (windowBits > 15) {\n wrap = 2; /* write gzip wrapper instead */\n windowBits -= 16;\n }\n#endif\n if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||\n windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||\n strategy < 0 || strategy > Z_FIXED || (windowBits == 8 && wrap != 1)) {\n return Z_STREAM_ERROR;\n }\n if (windowBits == 8) windowBits = 9; /* until 256-byte window bug fixed */\n s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state));\n if (s == Z_NULL) return Z_MEM_ERROR;\n strm->state = (struct internal_state FAR *)s;\n s->strm = strm;\n s->status = INIT_STATE; /* to pass state test in deflateReset() */\n\n s->wrap = wrap;\n s->gzhead = Z_NULL;\n s->w_bits = (uInt)windowBits;\n s->w_size = 1 << s->w_bits;\n s->w_mask = s->w_size - 1;\n\n s->hash_bits = (uInt)memLevel + 7;\n s->hash_size = 1 << s->hash_bits;\n s->hash_mask = s->hash_size - 1;\n s->hash_shift = ((s->hash_bits + MIN_MATCH-1) / MIN_MATCH);\n\n s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte));\n s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos));\n s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos));\n\n s->high_water = 0; /* nothing written to s->window yet */\n\n s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */\n\n /* We overlay pending_buf and sym_buf. This works since the average size\n * for length/distance pairs over any compressed block is assured to be 31\n * bits or less.\n *\n * Analysis: The longest fixed codes are a length code of 8 bits plus 5\n * extra bits, for lengths 131 to 257. The longest fixed distance codes are\n * 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest\n * possible fixed-codes length/distance pair is then 31 bits total.\n *\n * sym_buf starts one-fourth of the way into pending_buf. So there are\n * three bytes in sym_buf for every four bytes in pending_buf. Each symbol\n * in sym_buf is three bytes -- two for the distance and one for the\n * literal/length. As each symbol is consumed, the pointer to the next\n * sym_buf value to read moves forward three bytes. From that symbol, up to\n * 31 bits are written to pending_buf. The closest the written pending_buf\n * bits gets to the next sym_buf symbol to read is just before the last\n * code is written. At that time, 31*(n - 2) bits have been written, just\n * after 24*(n - 2) bits have been consumed from sym_buf. sym_buf starts at\n * 8*n bits into pending_buf. (Note that the symbol buffer fills when n - 1\n * symbols are written.) The closest the writing gets to what is unread is\n * then n + 14 bits. Here n is lit_bufsize, which is 16384 by default, and\n * can range from 128 to 32768.\n *\n * Therefore, at a minimum, there are 142 bits of space between what is\n * written and what is read in the overlain buffers, so the symbols cannot\n * be overwritten by the compressed data. That space is actually 139 bits,\n * due to the three-bit fixed-code block header.\n *\n * That covers the case where either Z_FIXED is specified, forcing fixed\n * codes, or when the use of fixed codes is chosen, because that choice\n * results in a smaller compressed block than dynamic codes. That latter\n * condition then assures that the above analysis also covers all dynamic\n * blocks. A dynamic-code block will only be chosen to be emitted if it has\n * fewer bits than a fixed-code block would for the same set of symbols.\n * Therefore its average symbol length is assured to be less than 31. So\n * the compressed data for a dynamic block also cannot overwrite the\n * symbols from which it is being constructed.\n */\n\n s->pending_buf = (uchf *) ZALLOC(strm, s->lit_bufsize, 4);\n s->pending_buf_size = (ulg)s->lit_bufsize * 4;\n\n if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL ||\n s->pending_buf == Z_NULL) {\n s->status = FINISH_STATE;\n strm->msg = ERR_MSG(Z_MEM_ERROR);\n deflateEnd (strm);\n return Z_MEM_ERROR;\n }\n s->sym_buf = s->pending_buf + s->lit_bufsize;\n s->sym_end = (s->lit_bufsize - 1) * 3;\n /* We avoid equality with lit_bufsize*3 because of wraparound at 64K\n * on 16 bit machines and because stored blocks are restricted to\n * 64K-1 bytes.\n */\n\n s->level = level;\n s->strategy = strategy;\n s->method = (Byte)method;\n\n return deflateReset(strm);\n}\n\n/* =========================================================================\n * Check for a valid deflate stream state. Return 0 if ok, 1 if not.\n */\nlocal int deflateStateCheck(z_streamp strm) {\n deflate_state *s;\n if (strm == Z_NULL ||\n strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0)\n return 1;\n s = strm->state;\n if (s == Z_NULL || s->strm != strm || (s->status != INIT_STATE &&\n#ifdef GZIP\n s->status != GZIP_STATE &&\n#endif\n s->status != EXTRA_STATE &&\n s->status != NAME_STATE &&\n s->status != COMMENT_STATE &&\n s->status != HCRC_STATE &&\n s->status != BUSY_STATE &&\n s->status != FINISH_STATE))\n return 1;\n return 0;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateSetDictionary(z_streamp strm, const Bytef *dictionary,\n uInt dictLength) {\n deflate_state *s;\n uInt str, n;\n int wrap;\n unsigned avail;\n z_const unsigned char *next;\n\n if (deflateStateCheck(strm) || dictionary == Z_NULL)\n return Z_STREAM_ERROR;\n s = strm->state;\n wrap = s->wrap;\n if (wrap == 2 || (wrap == 1 && s->status != INIT_STATE) || s->lookahead)\n return Z_STREAM_ERROR;\n\n /* when using zlib wrappers, compute Adler-32 for provided dictionary */\n if (wrap == 1)\n strm->adler = adler32(strm->adler, dictionary, dictLength);\n s->wrap = 0; /* avoid computing Adler-32 in read_buf */\n\n /* if dictionary would fill window, just replace the history */\n if (dictLength >= s->w_size) {\n if (wrap == 0) { /* already empty otherwise */\n CLEAR_HASH(s);\n s->strstart = 0;\n s->block_start = 0L;\n s->insert = 0;\n }\n dictionary += dictLength - s->w_size; /* use the tail */\n dictLength = s->w_size;\n }\n\n /* insert dictionary into window and hash */\n avail = strm->avail_in;\n next = strm->next_in;\n strm->avail_in = dictLength;\n strm->next_in = (z_const Bytef *)dictionary;\n fill_window(s);\n while (s->lookahead >= MIN_MATCH) {\n str = s->strstart;\n n = s->lookahead - (MIN_MATCH-1);\n do {\n UPDATE_HASH(s, s->ins_h, s->window[str + MIN_MATCH-1]);\n#ifndef FASTEST\n s->prev[str & s->w_mask] = s->head[s->ins_h];\n#endif\n s->head[s->ins_h] = (Pos)str;\n str++;\n } while (--n);\n s->strstart = str;\n s->lookahead = MIN_MATCH-1;\n fill_window(s);\n }\n s->strstart += s->lookahead;\n s->block_start = (long)s->strstart;\n s->insert = s->lookahead;\n s->lookahead = 0;\n s->match_length = s->prev_length = MIN_MATCH-1;\n s->match_available = 0;\n strm->next_in = next;\n strm->avail_in = avail;\n s->wrap = wrap;\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateGetDictionary(z_streamp strm, Bytef *dictionary,\n uInt *dictLength) {\n deflate_state *s;\n uInt len;\n\n if (deflateStateCheck(strm))\n return Z_STREAM_ERROR;\n s = strm->state;\n len = s->strstart + s->lookahead;\n if (len > s->w_size)\n len = s->w_size;\n if (dictionary != Z_NULL && len)\n zmemcpy(dictionary, s->window + s->strstart + s->lookahead - len, len);\n if (dictLength != Z_NULL)\n *dictLength = len;\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateResetKeep(z_streamp strm) {\n deflate_state *s;\n\n if (deflateStateCheck(strm)) {\n return Z_STREAM_ERROR;\n }\n\n strm->total_in = strm->total_out = 0;\n strm->msg = Z_NULL; /* use zfree if we ever allocate msg dynamically */\n strm->data_type = Z_UNKNOWN;\n\n s = (deflate_state *)strm->state;\n s->pending = 0;\n s->pending_out = s->pending_buf;\n\n if (s->wrap < 0) {\n s->wrap = -s->wrap; /* was made negative by deflate(..., Z_FINISH); */\n }\n s->status =\n#ifdef GZIP\n s->wrap == 2 ? GZIP_STATE :\n#endif\n INIT_STATE;\n strm->adler =\n#ifdef GZIP\n s->wrap == 2 ? crc32(0L, Z_NULL, 0) :\n#endif\n adler32(0L, Z_NULL, 0);\n s->last_flush = -2;\n\n _tr_init(s);\n\n return Z_OK;\n}\n\n/* ===========================================================================\n * Initialize the \"longest match\" routines for a new zlib stream\n */\nlocal void lm_init(deflate_state *s) {\n s->window_size = (ulg)2L*s->w_size;\n\n CLEAR_HASH(s);\n\n /* Set the default configuration parameters:\n */\n s->max_lazy_match = configuration_table[s->level].max_lazy;\n s->good_match = configuration_table[s->level].good_length;\n s->nice_match = configuration_table[s->level].nice_length;\n s->max_chain_length = configuration_table[s->level].max_chain;\n\n s->strstart = 0;\n s->block_start = 0L;\n s->lookahead = 0;\n s->insert = 0;\n s->match_length = s->prev_length = MIN_MATCH-1;\n s->match_available = 0;\n s->ins_h = 0;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateReset(z_streamp strm) {\n int ret;\n\n ret = deflateResetKeep(strm);\n if (ret == Z_OK)\n lm_init(strm->state);\n return ret;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateSetHeader(z_streamp strm, gz_headerp head) {\n if (deflateStateCheck(strm) || strm->state->wrap != 2)\n return Z_STREAM_ERROR;\n strm->state->gzhead = head;\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflatePending(z_streamp strm, unsigned *pending, int *bits) {\n if (deflateStateCheck(strm)) return Z_STREAM_ERROR;\n if (pending != Z_NULL)\n *pending = strm->state->pending;\n if (bits != Z_NULL)\n *bits = strm->state->bi_valid;\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflatePrime(z_streamp strm, int bits, int value) {\n deflate_state *s;\n int put;\n\n if (deflateStateCheck(strm)) return Z_STREAM_ERROR;\n s = strm->state;\n if (bits < 0 || bits > 16 ||\n s->sym_buf < s->pending_out + ((Buf_size + 7) >> 3))\n return Z_BUF_ERROR;\n do {\n put = Buf_size - s->bi_valid;\n if (put > bits)\n put = bits;\n s->bi_buf |= (ush)((value & ((1 << put) - 1)) << s->bi_valid);\n s->bi_valid += put;\n _tr_flush_bits(s);\n value >>= put;\n bits -= put;\n } while (bits);\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateParams(z_streamp strm, int level, int strategy) {\n deflate_state *s;\n compress_func func;\n\n if (deflateStateCheck(strm)) return Z_STREAM_ERROR;\n s = strm->state;\n\n#ifdef FASTEST\n if (level != 0) level = 1;\n#else\n if (level == Z_DEFAULT_COMPRESSION) level = 6;\n#endif\n if (level < 0 || level > 9 || strategy < 0 || strategy > Z_FIXED) {\n return Z_STREAM_ERROR;\n }\n func = configuration_table[s->level].func;\n\n if ((strategy != s->strategy || func != configuration_table[level].func) &&\n s->last_flush != -2) {\n /* Flush the last buffer: */\n int err = deflate(strm, Z_BLOCK);\n if (err == Z_STREAM_ERROR)\n return err;\n if (strm->avail_in || (s->strstart - s->block_start) + s->lookahead)\n return Z_BUF_ERROR;\n }\n if (s->level != level) {\n if (s->level == 0 && s->matches != 0) {\n if (s->matches == 1)\n slide_hash(s);\n else\n CLEAR_HASH(s);\n s->matches = 0;\n }\n s->level = level;\n s->max_lazy_match = configuration_table[level].max_lazy;\n s->good_match = configuration_table[level].good_length;\n s->nice_match = configuration_table[level].nice_length;\n s->max_chain_length = configuration_table[level].max_chain;\n }\n s->strategy = strategy;\n return Z_OK;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateTune(z_streamp strm, int good_length, int max_lazy,\n int nice_length, int max_chain) {\n deflate_state *s;\n\n if (deflateStateCheck(strm)) return Z_STREAM_ERROR;\n s = strm->state;\n s->good_match = (uInt)good_length;\n s->max_lazy_match = (uInt)max_lazy;\n s->nice_match = nice_length;\n s->max_chain_length = (uInt)max_chain;\n return Z_OK;\n}\n\n/* =========================================================================\n * For the default windowBits of 15 and memLevel of 8, this function returns a\n * close to exact, as well as small, upper bound on the compressed size. This\n * is an expansion of ~0.03%, plus a small constant.\n *\n * For any setting other than those defaults for windowBits and memLevel, one\n * of two worst case bounds is returned. This is at most an expansion of ~4% or\n * ~13%, plus a small constant.\n *\n * Both the 0.03% and 4% derive from the overhead of stored blocks. The first\n * one is for stored blocks of 16383 bytes (memLevel == 8), whereas the second\n * is for stored blocks of 127 bytes (the worst case memLevel == 1). The\n * expansion results from five bytes of header for each stored block.\n *\n * The larger expansion of 13% results from a window size less than or equal to\n * the symbols buffer size (windowBits <= memLevel + 7). In that case some of\n * the data being compressed may have slid out of the sliding window, impeding\n * a stored block from being emitted. Then the only choice is a fixed or\n * dynamic block, where a fixed block limits the maximum expansion to 9 bits\n * per 8-bit byte, plus 10 bits for every block. The smallest block size for\n * which this can occur is 255 (memLevel == 2).\n *\n * Shifts are used to approximate divisions, for speed.\n */\nuLong ZEXPORT deflateBound(z_streamp strm, uLong sourceLen) {\n deflate_state *s;\n uLong fixedlen, storelen, wraplen;\n\n /* upper bound for fixed blocks with 9-bit literals and length 255\n (memLevel == 2, which is the lowest that may not use stored blocks) --\n ~13% overhead plus a small constant */\n fixedlen = sourceLen + (sourceLen >> 3) + (sourceLen >> 8) +\n (sourceLen >> 9) + 4;\n\n /* upper bound for stored blocks with length 127 (memLevel == 1) --\n ~4% overhead plus a small constant */\n storelen = sourceLen + (sourceLen >> 5) + (sourceLen >> 7) +\n (sourceLen >> 11) + 7;\n\n /* if can't get parameters, return larger bound plus a zlib wrapper */\n if (deflateStateCheck(strm))\n return (fixedlen > storelen ? fixedlen : storelen) + 6;\n\n /* compute wrapper length */\n s = strm->state;\n switch (s->wrap) {\n case 0: /* raw deflate */\n wraplen = 0;\n break;\n case 1: /* zlib wrapper */\n wraplen = 6 + (s->strstart ? 4 : 0);\n break;\n#ifdef GZIP\n case 2: /* gzip wrapper */\n wraplen = 18;\n if (s->gzhead != Z_NULL) { /* user-supplied gzip header */\n Bytef *str;\n if (s->gzhead->extra != Z_NULL)\n wraplen += 2 + s->gzhead->extra_len;\n str = s->gzhead->name;\n if (str != Z_NULL)\n do {\n wraplen++;\n } while (*str++);\n str = s->gzhead->comment;\n if (str != Z_NULL)\n do {\n wraplen++;\n } while (*str++);\n if (s->gzhead->hcrc)\n wraplen += 2;\n }\n break;\n#endif\n default: /* for compiler happiness */\n wraplen = 6;\n }\n\n /* if not default parameters, return one of the conservative bounds */\n if (s->w_bits != 15 || s->hash_bits != 8 + 7)\n return (s->w_bits <= s->hash_bits && s->level ? fixedlen : storelen) +\n wraplen;\n\n /* default settings: return tight bound for that case -- ~0.03% overhead\n plus a small constant */\n return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) +\n (sourceLen >> 25) + 13 - 6 + wraplen;\n}\n\n/* =========================================================================\n * Put a short in the pending buffer. The 16-bit value is put in MSB order.\n * IN assertion: the stream state is correct and there is enough room in\n * pending_buf.\n */\nlocal void putShortMSB(deflate_state *s, uInt b) {\n put_byte(s, (Byte)(b >> 8));\n put_byte(s, (Byte)(b & 0xff));\n}\n\n/* =========================================================================\n * Flush as much pending output as possible. All deflate() output, except for\n * some deflate_stored() output, goes through this function so some\n * applications may wish to modify it to avoid allocating a large\n * strm->next_out buffer and copying into it. (See also read_buf()).\n */\nlocal void flush_pending(z_streamp strm) {\n unsigned len;\n deflate_state *s = strm->state;\n\n _tr_flush_bits(s);\n len = s->pending;\n if (len > strm->avail_out) len = strm->avail_out;\n if (len == 0) return;\n\n zmemcpy(strm->next_out, s->pending_out, len);\n strm->next_out += len;\n s->pending_out += len;\n strm->total_out += len;\n strm->avail_out -= len;\n s->pending -= len;\n if (s->pending == 0) {\n s->pending_out = s->pending_buf;\n }\n}\n\n/* ===========================================================================\n * Update the header CRC with the bytes s->pending_buf[beg..s->pending - 1].\n */\n#define HCRC_UPDATE(beg) \\\n do { \\\n if (s->gzhead->hcrc && s->pending > (beg)) \\\n strm->adler = crc32(strm->adler, s->pending_buf + (beg), \\\n s->pending - (beg)); \\\n } while (0)\n\n/* ========================================================================= */\nint ZEXPORT deflate(z_streamp strm, int flush) {\n int old_flush; /* value of flush param for previous deflate call */\n deflate_state *s;\n\n if (deflateStateCheck(strm) || flush > Z_BLOCK || flush < 0) {\n return Z_STREAM_ERROR;\n }\n s = strm->state;\n\n if (strm->next_out == Z_NULL ||\n (strm->avail_in != 0 && strm->next_in == Z_NULL) ||\n (s->status == FINISH_STATE && flush != Z_FINISH)) {\n ERR_RETURN(strm, Z_STREAM_ERROR);\n }\n if (strm->avail_out == 0) ERR_RETURN(strm, Z_BUF_ERROR);\n\n old_flush = s->last_flush;\n s->last_flush = flush;\n\n /* Flush as much pending output as possible */\n if (s->pending != 0) {\n flush_pending(strm);\n if (strm->avail_out == 0) {\n /* Since avail_out is 0, deflate will be called again with\n * more output space, but possibly with both pending and\n * avail_in equal to zero. There won't be anything to do,\n * but this is not an error situation so make sure we\n * return OK instead of BUF_ERROR at next call of deflate:\n */\n s->last_flush = -1;\n return Z_OK;\n }\n\n /* Make sure there is something to do and avoid duplicate consecutive\n * flushes. For repeated and useless calls with Z_FINISH, we keep\n * returning Z_STREAM_END instead of Z_BUF_ERROR.\n */\n } else if (strm->avail_in == 0 && RANK(flush) <= RANK(old_flush) &&\n flush != Z_FINISH) {\n ERR_RETURN(strm, Z_BUF_ERROR);\n }\n\n /* User must not provide more input after the first FINISH: */\n if (s->status == FINISH_STATE && strm->avail_in != 0) {\n ERR_RETURN(strm, Z_BUF_ERROR);\n }\n\n /* Write the header */\n if (s->status == INIT_STATE && s->wrap == 0)\n s->status = BUSY_STATE;\n if (s->status == INIT_STATE) {\n /* zlib header */\n uInt header = (Z_DEFLATED + ((s->w_bits - 8) << 4)) << 8;\n uInt level_flags;\n\n if (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2)\n level_flags = 0;\n else if (s->level < 6)\n level_flags = 1;\n else if (s->level == 6)\n level_flags = 2;\n else\n level_flags = 3;\n header |= (level_flags << 6);\n if (s->strstart != 0) header |= PRESET_DICT;\n header += 31 - (header % 31);\n\n putShortMSB(s, header);\n\n /* Save the adler32 of the preset dictionary: */\n if (s->strstart != 0) {\n putShortMSB(s, (uInt)(strm->adler >> 16));\n putShortMSB(s, (uInt)(strm->adler & 0xffff));\n }\n strm->adler = adler32(0L, Z_NULL, 0);\n s->status = BUSY_STATE;\n\n /* Compression must start with an empty pending buffer */\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n }\n#ifdef GZIP\n if (s->status == GZIP_STATE) {\n /* gzip header */\n strm->adler = crc32(0L, Z_NULL, 0);\n put_byte(s, 31);\n put_byte(s, 139);\n put_byte(s, 8);\n if (s->gzhead == Z_NULL) {\n put_byte(s, 0);\n put_byte(s, 0);\n put_byte(s, 0);\n put_byte(s, 0);\n put_byte(s, 0);\n put_byte(s, s->level == 9 ? 2 :\n (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?\n 4 : 0));\n put_byte(s, OS_CODE);\n s->status = BUSY_STATE;\n\n /* Compression must start with an empty pending buffer */\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n }\n else {\n put_byte(s, (s->gzhead->text ? 1 : 0) +\n (s->gzhead->hcrc ? 2 : 0) +\n (s->gzhead->extra == Z_NULL ? 0 : 4) +\n (s->gzhead->name == Z_NULL ? 0 : 8) +\n (s->gzhead->comment == Z_NULL ? 0 : 16)\n );\n put_byte(s, (Byte)(s->gzhead->time & 0xff));\n put_byte(s, (Byte)((s->gzhead->time >> 8) & 0xff));\n put_byte(s, (Byte)((s->gzhead->time >> 16) & 0xff));\n put_byte(s, (Byte)((s->gzhead->time >> 24) & 0xff));\n put_byte(s, s->level == 9 ? 2 :\n (s->strategy >= Z_HUFFMAN_ONLY || s->level < 2 ?\n 4 : 0));\n put_byte(s, s->gzhead->os & 0xff);\n if (s->gzhead->extra != Z_NULL) {\n put_byte(s, s->gzhead->extra_len & 0xff);\n put_byte(s, (s->gzhead->extra_len >> 8) & 0xff);\n }\n if (s->gzhead->hcrc)\n strm->adler = crc32(strm->adler, s->pending_buf,\n s->pending);\n s->gzindex = 0;\n s->status = EXTRA_STATE;\n }\n }\n if (s->status == EXTRA_STATE) {\n if (s->gzhead->extra != Z_NULL) {\n ulg beg = s->pending; /* start of bytes to update crc */\n uInt left = (s->gzhead->extra_len & 0xffff) - s->gzindex;\n while (s->pending + left > s->pending_buf_size) {\n uInt copy = s->pending_buf_size - s->pending;\n zmemcpy(s->pending_buf + s->pending,\n s->gzhead->extra + s->gzindex, copy);\n s->pending = s->pending_buf_size;\n HCRC_UPDATE(beg);\n s->gzindex += copy;\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n beg = 0;\n left -= copy;\n }\n zmemcpy(s->pending_buf + s->pending,\n s->gzhead->extra + s->gzindex, left);\n s->pending += left;\n HCRC_UPDATE(beg);\n s->gzindex = 0;\n }\n s->status = NAME_STATE;\n }\n if (s->status == NAME_STATE) {\n if (s->gzhead->name != Z_NULL) {\n ulg beg = s->pending; /* start of bytes to update crc */\n int val;\n do {\n if (s->pending == s->pending_buf_size) {\n HCRC_UPDATE(beg);\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n beg = 0;\n }\n val = s->gzhead->name[s->gzindex++];\n put_byte(s, val);\n } while (val != 0);\n HCRC_UPDATE(beg);\n s->gzindex = 0;\n }\n s->status = COMMENT_STATE;\n }\n if (s->status == COMMENT_STATE) {\n if (s->gzhead->comment != Z_NULL) {\n ulg beg = s->pending; /* start of bytes to update crc */\n int val;\n do {\n if (s->pending == s->pending_buf_size) {\n HCRC_UPDATE(beg);\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n beg = 0;\n }\n val = s->gzhead->comment[s->gzindex++];\n put_byte(s, val);\n } while (val != 0);\n HCRC_UPDATE(beg);\n }\n s->status = HCRC_STATE;\n }\n if (s->status == HCRC_STATE) {\n if (s->gzhead->hcrc) {\n if (s->pending + 2 > s->pending_buf_size) {\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n }\n put_byte(s, (Byte)(strm->adler & 0xff));\n put_byte(s, (Byte)((strm->adler >> 8) & 0xff));\n strm->adler = crc32(0L, Z_NULL, 0);\n }\n s->status = BUSY_STATE;\n\n /* Compression must start with an empty pending buffer */\n flush_pending(strm);\n if (s->pending != 0) {\n s->last_flush = -1;\n return Z_OK;\n }\n }\n#endif\n\n /* Start a new block or continue the current one.\n */\n if (strm->avail_in != 0 || s->lookahead != 0 ||\n (flush != Z_NO_FLUSH && s->status != FINISH_STATE)) {\n block_state bstate;\n\n bstate = s->level == 0 ? deflate_stored(s, flush) :\n s->strategy == Z_HUFFMAN_ONLY ? deflate_huff(s, flush) :\n s->strategy == Z_RLE ? deflate_rle(s, flush) :\n (*(configuration_table[s->level].func))(s, flush);\n\n if (bstate == finish_started || bstate == finish_done) {\n s->status = FINISH_STATE;\n }\n if (bstate == need_more || bstate == finish_started) {\n if (strm->avail_out == 0) {\n s->last_flush = -1; /* avoid BUF_ERROR next call, see above */\n }\n return Z_OK;\n /* If flush != Z_NO_FLUSH && avail_out == 0, the next call\n * of deflate should use the same flush parameter to make sure\n * that the flush is complete. So we don't have to output an\n * empty block here, this will be done at next call. This also\n * ensures that for a very small output buffer, we emit at most\n * one empty block.\n */\n }\n if (bstate == block_done) {\n if (flush == Z_PARTIAL_FLUSH) {\n _tr_align(s);\n } else if (flush != Z_BLOCK) { /* FULL_FLUSH or SYNC_FLUSH */\n _tr_stored_block(s, (char*)0, 0L, 0);\n /* For a full flush, this empty block will be recognized\n * as a special marker by inflate_sync().\n */\n if (flush == Z_FULL_FLUSH) {\n CLEAR_HASH(s); /* forget history */\n if (s->lookahead == 0) {\n s->strstart = 0;\n s->block_start = 0L;\n s->insert = 0;\n }\n }\n }\n flush_pending(strm);\n if (strm->avail_out == 0) {\n s->last_flush = -1; /* avoid BUF_ERROR at next call, see above */\n return Z_OK;\n }\n }\n }\n\n if (flush != Z_FINISH) return Z_OK;\n if (s->wrap <= 0) return Z_STREAM_END;\n\n /* Write the trailer */\n#ifdef GZIP\n if (s->wrap == 2) {\n put_byte(s, (Byte)(strm->adler & 0xff));\n put_byte(s, (Byte)((strm->adler >> 8) & 0xff));\n put_byte(s, (Byte)((strm->adler >> 16) & 0xff));\n put_byte(s, (Byte)((strm->adler >> 24) & 0xff));\n put_byte(s, (Byte)(strm->total_in & 0xff));\n put_byte(s, (Byte)((strm->total_in >> 8) & 0xff));\n put_byte(s, (Byte)((strm->total_in >> 16) & 0xff));\n put_byte(s, (Byte)((strm->total_in >> 24) & 0xff));\n }\n else\n#endif\n {\n putShortMSB(s, (uInt)(strm->adler >> 16));\n putShortMSB(s, (uInt)(strm->adler & 0xffff));\n }\n flush_pending(strm);\n /* If avail_out is zero, the application will call deflate again\n * to flush the rest.\n */\n if (s->wrap > 0) s->wrap = -s->wrap; /* write the trailer only once! */\n return s->pending != 0 ? Z_OK : Z_STREAM_END;\n}\n\n/* ========================================================================= */\nint ZEXPORT deflateEnd(z_streamp strm) {\n int status;\n\n if (deflateStateCheck(strm)) return Z_STREAM_ERROR;\n\n status = strm->state->status;\n\n /* Deallocate in reverse order of allocations: */\n TRY_FREE(strm, strm->state->pending_buf);\n TRY_FREE(strm, strm->state->head);\n TRY_FREE(strm, strm->state->prev);\n TRY_FREE(strm, strm->state->window);\n\n ZFREE(strm, strm->state);\n strm->state = Z_NULL;\n\n return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK;\n}\n\n/* =========================================================================\n * Copy the source state to the destination state.\n * To simplify the source, this is not supported for 16-bit MSDOS (which\n * doesn't have enough memory anyway to duplicate compression states).\n */\nint ZEXPORT deflateCopy(z_streamp dest, z_streamp source) {\n#ifdef MAXSEG_64K\n (void)dest;\n (void)source;\n return Z_STREAM_ERROR;\n#else\n deflate_state *ds;\n deflate_state *ss;\n\n\n if (deflateStateCheck(source) || dest == Z_NULL) {\n return Z_STREAM_ERROR;\n }\n\n ss = source->state;\n\n zmemcpy((voidpf)dest, (voidpf)source, sizeof(z_stream));\n\n ds = (deflate_state *) ZALLOC(dest, 1, sizeof(deflate_state));\n if (ds == Z_NULL) return Z_MEM_ERROR;\n dest->state = (struct internal_state FAR *) ds;\n zmemcpy((voidpf)ds, (voidpf)ss, sizeof(deflate_state));\n ds->strm = dest;\n\n ds->window = (Bytef *) ZALLOC(dest, ds->w_size, 2*sizeof(Byte));\n ds->prev = (Posf *) ZALLOC(dest, ds->w_size, sizeof(Pos));\n ds->head = (Posf *) ZALLOC(dest, ds->hash_size, sizeof(Pos));\n ds->pending_buf = (uchf *) ZALLOC(dest, ds->lit_bufsize, 4);\n\n if (ds->window == Z_NULL || ds->prev == Z_NULL || ds->head == Z_NULL ||\n ds->pending_buf == Z_NULL) {\n deflateEnd (dest);\n return Z_MEM_ERROR;\n }\n /* following zmemcpy do not work for 16-bit MSDOS */\n zmemcpy(ds->window, ss->window, ds->w_size * 2 * sizeof(Byte));\n zmemcpy((voidpf)ds->prev, (voidpf)ss->prev, ds->w_size * sizeof(Pos));\n zmemcpy((voidpf)ds->head, (voidpf)ss->head, ds->hash_size * sizeof(Pos));\n zmemcpy(ds->pending_buf, ss->pending_buf, (uInt)ds->pending_buf_size);\n\n ds->pending_out = ds->pending_buf + (ss->pending_out - ss->pending_buf);\n ds->sym_buf = ds->pending_buf + ds->lit_bufsize;\n\n ds->l_desc.dyn_tree = ds->dyn_ltree;\n ds->d_desc.dyn_tree = ds->dyn_dtree;\n ds->bl_desc.dyn_tree = ds->bl_tree;\n\n return Z_OK;\n#endif /* MAXSEG_64K */\n}\n\n#ifndef FASTEST\n/* ===========================================================================\n * Set match_start to the longest match starting at the given string and\n * return its length. Matches shorter or equal to prev_length are discarded,\n * in which case the result is equal to prev_length and match_start is\n * garbage.\n * IN assertions: cur_match is the head of the hash chain for the current\n * string (strstart) and its distance is <= MAX_DIST, and prev_length >= 1\n * OUT assertion: the match length is not greater than s->lookahead.\n */\nlocal uInt longest_match(deflate_state *s, IPos cur_match) {\n unsigned chain_length = s->max_chain_length;/* max hash chain length */\n register Bytef *scan = s->window + s->strstart; /* current string */\n register Bytef *match; /* matched string */\n register int len; /* length of current match */\n int best_len = (int)s->prev_length; /* best match length so far */\n int nice_match = s->nice_match; /* stop if match long enough */\n IPos limit = s->strstart > (IPos)MAX_DIST(s) ?\n s->strstart - (IPos)MAX_DIST(s) : NIL;\n /* Stop when cur_match becomes <= limit. To simplify the code,\n * we prevent matches with the string of window index 0.\n */\n Posf *prev = s->prev;\n uInt wmask = s->w_mask;\n\n#ifdef UNALIGNED_OK\n /* Compare two bytes at a time. Note: this is not always beneficial.\n * Try with and without -DUNALIGNED_OK to check.\n */\n register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;\n register ush scan_start = *(ushf*)scan;\n register ush scan_end = *(ushf*)(scan + best_len - 1);\n#else\n register Bytef *strend = s->window + s->strstart + MAX_MATCH;\n register Byte scan_end1 = scan[best_len - 1];\n register Byte scan_end = scan[best_len];\n#endif\n\n /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.\n * It is easy to get rid of this optimization if necessary.\n */\n Assert(s->hash_bits >= 8 && MAX_MATCH == 258, \"Code too clever\");\n\n /* Do not waste too much time if we already have a good match: */\n if (s->prev_length >= s->good_match) {\n chain_length >>= 2;\n }\n /* Do not look for matches beyond the end of the input. This is necessary\n * to make deflate deterministic.\n */\n if ((uInt)nice_match > s->lookahead) nice_match = (int)s->lookahead;\n\n Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,\n \"need lookahead\");\n\n do {\n Assert(cur_match < s->strstart, \"no future\");\n match = s->window + cur_match;\n\n /* Skip to next match if the match length cannot increase\n * or if the match length is less than 2. Note that the checks below\n * for insufficient lookahead only occur occasionally for performance\n * reasons. Therefore uninitialized memory will be accessed, and\n * conditional jumps will be made that depend on those values.\n * However the length of the match is limited to the lookahead, so\n * the output of deflate is not affected by the uninitialized values.\n */\n#if (defined(UNALIGNED_OK) && MAX_MATCH == 258)\n /* This code assumes sizeof(unsigned short) == 2. Do not use\n * UNALIGNED_OK if your compiler uses a different size.\n */\n if (*(ushf*)(match + best_len - 1) != scan_end ||\n *(ushf*)match != scan_start) continue;\n\n /* It is not necessary to compare scan[2] and match[2] since they are\n * always equal when the other bytes match, given that the hash keys\n * are equal and that HASH_BITS >= 8. Compare 2 bytes at a time at\n * strstart + 3, + 5, up to strstart + 257. We check for insufficient\n * lookahead only every 4th comparison; the 128th check will be made\n * at strstart + 257. If MAX_MATCH-2 is not a multiple of 8, it is\n * necessary to put more guard bytes at the end of the window, or\n * to check more often for insufficient lookahead.\n */\n Assert(scan[2] == match[2], \"scan[2]?\");\n scan++, match++;\n do {\n } while (*(ushf*)(scan += 2) == *(ushf*)(match += 2) &&\n *(ushf*)(scan += 2) == *(ushf*)(match += 2) &&\n *(ushf*)(scan += 2) == *(ushf*)(match += 2) &&\n *(ushf*)(scan += 2) == *(ushf*)(match += 2) &&\n scan < strend);\n /* The funny \"do {}\" generates better code on most compilers */\n\n /* Here, scan <= window + strstart + 257 */\n Assert(scan <= s->window + (unsigned)(s->window_size - 1),\n \"wild scan\");\n if (*scan == *match) scan++;\n\n len = (MAX_MATCH - 1) - (int)(strend - scan);\n scan = strend - (MAX_MATCH-1);\n\n#else /* UNALIGNED_OK */\n\n if (match[best_len] != scan_end ||\n match[best_len - 1] != scan_end1 ||\n *match != *scan ||\n *++match != scan[1]) continue;\n\n /* The check at best_len - 1 can be removed because it will be made\n * again later. (This heuristic is not always a win.)\n * It is not necessary to compare scan[2] and match[2] since they\n * are always equal when the other bytes match, given that\n * the hash keys are equal and that HASH_BITS >= 8.\n */\n scan += 2, match++;\n Assert(*scan == *match, \"match[2]?\");\n\n /* We check for insufficient lookahead only every 8th comparison;\n * the 256th check will be made at strstart + 258.\n */\n do {\n } while (*++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n scan < strend);\n\n Assert(scan <= s->window + (unsigned)(s->window_size - 1),\n \"wild scan\");\n\n len = MAX_MATCH - (int)(strend - scan);\n scan = strend - MAX_MATCH;\n\n#endif /* UNALIGNED_OK */\n\n if (len > best_len) {\n s->match_start = cur_match;\n best_len = len;\n if (len >= nice_match) break;\n#ifdef UNALIGNED_OK\n scan_end = *(ushf*)(scan + best_len - 1);\n#else\n scan_end1 = scan[best_len - 1];\n scan_end = scan[best_len];\n#endif\n }\n } while ((cur_match = prev[cur_match & wmask]) > limit\n && --chain_length != 0);\n\n if ((uInt)best_len <= s->lookahead) return (uInt)best_len;\n return s->lookahead;\n}\n\n#else /* FASTEST */\n\n/* ---------------------------------------------------------------------------\n * Optimized version for FASTEST only\n */\nlocal uInt longest_match(deflate_state *s, IPos cur_match) {\n register Bytef *scan = s->window + s->strstart; /* current string */\n register Bytef *match; /* matched string */\n register int len; /* length of current match */\n register Bytef *strend = s->window + s->strstart + MAX_MATCH;\n\n /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.\n * It is easy to get rid of this optimization if necessary.\n */\n Assert(s->hash_bits >= 8 && MAX_MATCH == 258, \"Code too clever\");\n\n Assert((ulg)s->strstart <= s->window_size - MIN_LOOKAHEAD,\n \"need lookahead\");\n\n Assert(cur_match < s->strstart, \"no future\");\n\n match = s->window + cur_match;\n\n /* Return failure if the match length is less than 2:\n */\n if (match[0] != scan[0] || match[1] != scan[1]) return MIN_MATCH-1;\n\n /* The check at best_len - 1 can be removed because it will be made\n * again later. (This heuristic is not always a win.)\n * It is not necessary to compare scan[2] and match[2] since they\n * are always equal when the other bytes match, given that\n * the hash keys are equal and that HASH_BITS >= 8.\n */\n scan += 2, match += 2;\n Assert(*scan == *match, \"match[2]?\");\n\n /* We check for insufficient lookahead only every 8th comparison;\n * the 256th check will be made at strstart + 258.\n */\n do {\n } while (*++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n *++scan == *++match && *++scan == *++match &&\n scan < strend);\n\n Assert(scan <= s->window + (unsigned)(s->window_size - 1), \"wild scan\");\n\n len = MAX_MATCH - (int)(strend - scan);\n\n if (len < MIN_MATCH) return MIN_MATCH - 1;\n\n s->match_start = cur_match;\n return (uInt)len <= s->lookahead ? (uInt)len : s->lookahead;\n}\n\n#endif /* FASTEST */\n\n#ifdef ZLIB_DEBUG\n\n#define EQUAL 0\n/* result of memcmp for equal strings */\n\n/* ===========================================================================\n * Check that the match at match_start is indeed a match.\n */\nlocal void check_match(deflate_state *s, IPos start, IPos match, int length) {\n /* check that the match is indeed a match */\n if (zmemcmp(s->window + match,\n s->window + start, length) != EQUAL) {\n fprintf(stderr, \" start %u, match %u, length %d\\n\",\n start, match, length);\n do {\n fprintf(stderr, \"%c%c\", s->window[match++], s->window[start++]);\n } while (--length != 0);\n z_error(\"invalid match\");\n }\n if (z_verbose > 1) {\n fprintf(stderr,\"\\\\[%d,%d]\", start - match, length);\n do { putc(s->window[start++], stderr); } while (--length != 0);\n }\n}\n#else\n# define check_match(s, start, match, length)\n#endif /* ZLIB_DEBUG */\n\n/* ===========================================================================\n * Flush the current block, with given end-of-file flag.\n * IN assertion: strstart is set to the end of the current match.\n */\n#define FLUSH_BLOCK_ONLY(s, last) { \\\n _tr_flush_block(s, (s->block_start >= 0L ? \\\n (charf *)&s->window[(unsigned)s->block_start] : \\\n (charf *)Z_NULL), \\\n (ulg)((long)s->strstart - s->block_start), \\\n (last)); \\\n s->block_start = s->strstart; \\\n flush_pending(s->strm); \\\n Tracev((stderr,\"[FLUSH]\")); \\\n}\n\n/* Same but force premature exit if necessary. */\n#define FLUSH_BLOCK(s, last) { \\\n FLUSH_BLOCK_ONLY(s, last); \\\n if (s->strm->avail_out == 0) return (last) ? finish_started : need_more; \\\n}\n\n/* Maximum stored block length in deflate format (not including header). */\n#define MAX_STORED 65535\n\n/* Minimum of a and b. */\n#define MIN(a, b) ((a) > (b) ? (b) : (a))\n\n/* ===========================================================================\n * Copy without compression as much as possible from the input stream, return\n * the current block state.\n *\n * In case deflateParams() is used to later switch to a non-zero compression\n * level, s->matches (otherwise unused when storing) keeps track of the number\n * of hash table slides to perform. If s->matches is 1, then one hash table\n * slide will be done when switching. If s->matches is 2, the maximum value\n * allowed here, then the hash table will be cleared, since two or more slides\n * is the same as a clear.\n *\n * deflate_stored() is written to minimize the number of times an input byte is\n * copied. It is most efficient with large input and output buffers, which\n * maximizes the opportunities to have a single copy from next_in to next_out.\n */\nlocal block_state deflate_stored(deflate_state *s, int flush) {\n /* Smallest worthy block size when not flushing or finishing. By default\n * this is 32K. This can be as small as 507 bytes for memLevel == 1. For\n * large input and output buffers, the stored block size will be larger.\n */\n unsigned min_block = MIN(s->pending_buf_size - 5, s->w_size);\n\n /* Copy as many min_block or larger stored blocks directly to next_out as\n * possible. If flushing, copy the remaining available input to next_out as\n * stored blocks, if there is enough space.\n */\n unsigned len, left, have, last = 0;\n unsigned used = s->strm->avail_in;\n do {\n /* Set len to the maximum size block that we can copy directly with the\n * available input data and output space. Set left to how much of that\n * would be copied from what's left in the window.\n */\n len = MAX_STORED; /* maximum deflate stored block length */\n have = (s->bi_valid + 42) >> 3; /* number of header bytes */\n if (s->strm->avail_out < have) /* need room for header */\n break;\n /* maximum stored block length that will fit in avail_out: */\n have = s->strm->avail_out - have;\n left = s->strstart - s->block_start; /* bytes left in window */\n if (len > (ulg)left + s->strm->avail_in)\n len = left + s->strm->avail_in; /* limit len to the input */\n if (len > have)\n len = have; /* limit len to the output */\n\n /* If the stored block would be less than min_block in length, or if\n * unable to copy all of the available input when flushing, then try\n * copying to the window and the pending buffer instead. Also don't\n * write an empty block when flushing -- deflate() does that.\n */\n if (len < min_block && ((len == 0 && flush != Z_FINISH) ||\n flush == Z_NO_FLUSH ||\n len != left + s->strm->avail_in))\n break;\n\n /* Make a dummy stored block in pending to get the header bytes,\n * including any pending bits. This also updates the debugging counts.\n */\n last = flush == Z_FINISH && len == left + s->strm->avail_in ? 1 : 0;\n _tr_stored_block(s, (char *)0, 0L, last);\n\n /* Replace the lengths in the dummy stored block with len. */\n s->pending_buf[s->pending - 4] = len;\n s->pending_buf[s->pending - 3] = len >> 8;\n s->pending_buf[s->pending - 2] = ~len;\n s->pending_buf[s->pending - 1] = ~len >> 8;\n\n /* Write the stored block header bytes. */\n flush_pending(s->strm);\n\n#ifdef ZLIB_DEBUG\n /* Update debugging counts for the data about to be copied. */\n s->compressed_len += len << 3;\n s->bits_sent += len << 3;\n#endif\n\n /* Copy uncompressed bytes from the window to next_out. */\n if (left) {\n if (left > len)\n left = len;\n zmemcpy(s->strm->next_out, s->window + s->block_start, left);\n s->strm->next_out += left;\n s->strm->avail_out -= left;\n s->strm->total_out += left;\n s->block_start += left;\n len -= left;\n }\n\n /* Copy uncompressed bytes directly from next_in to next_out, updating\n * the check value.\n */\n if (len) {\n read_buf(s->strm, s->strm->next_out, len);\n s->strm->next_out += len;\n s->strm->avail_out -= len;\n s->strm->total_out += len;\n }\n } while (last == 0);\n\n /* Update the sliding window with the last s->w_size bytes of the copied\n * data, or append all of the copied data to the existing window if less\n * than s->w_size bytes were copied. Also update the number of bytes to\n * insert in the hash tables, in the event that deflateParams() switches to\n * a non-zero compression level.\n */\n used -= s->strm->avail_in; /* number of input bytes directly copied */\n if (used) {\n /* If any input was used, then no unused input remains in the window,\n * therefore s->block_start == s->strstart.\n */\n if (used >= s->w_size) { /* supplant the previous history */\n s->matches = 2; /* clear hash */\n zmemcpy(s->window, s->strm->next_in - s->w_size, s->w_size);\n s->strstart = s->w_size;\n s->insert = s->strstart;\n }\n else {\n if (s->window_size - s->strstart <= used) {\n /* Slide the window down. */\n s->strstart -= s->w_size;\n zmemcpy(s->window, s->window + s->w_size, s->strstart);\n if (s->matches < 2)\n s->matches++; /* add a pending slide_hash() */\n if (s->insert > s->strstart)\n s->insert = s->strstart;\n }\n zmemcpy(s->window + s->strstart, s->strm->next_in - used, used);\n s->strstart += used;\n s->insert += MIN(used, s->w_size - s->insert);\n }\n s->block_start = s->strstart;\n }\n if (s->high_water < s->strstart)\n s->high_water = s->strstart;\n\n /* If the last block was written to next_out, then done. */\n if (last)\n return finish_done;\n\n /* If flushing and all input has been consumed, then done. */\n if (flush != Z_NO_FLUSH && flush != Z_FINISH &&\n s->strm->avail_in == 0 && (long)s->strstart == s->block_start)\n return block_done;\n\n /* Fill the window with any remaining input. */\n have = s->window_size - s->strstart;\n if (s->strm->avail_in > have && s->block_start >= (long)s->w_size) {\n /* Slide the window down. */\n s->block_start -= s->w_size;\n s->strstart -= s->w_size;\n zmemcpy(s->window, s->window + s->w_size, s->strstart);\n if (s->matches < 2)\n s->matches++; /* add a pending slide_hash() */\n have += s->w_size; /* more space now */\n if (s->insert > s->strstart)\n s->insert = s->strstart;\n }\n if (have > s->strm->avail_in)\n have = s->strm->avail_in;\n if (have) {\n read_buf(s->strm, s->window + s->strstart, have);\n s->strstart += have;\n s->insert += MIN(have, s->w_size - s->insert);\n }\n if (s->high_water < s->strstart)\n s->high_water = s->strstart;\n\n /* There was not enough avail_out to write a complete worthy or flushed\n * stored block to next_out. Write a stored block to pending instead, if we\n * have enough input for a worthy block, or if flushing and there is enough\n * room for the remaining input as a stored block in the pending buffer.\n */\n have = (s->bi_valid + 42) >> 3; /* number of header bytes */\n /* maximum stored block length that will fit in pending: */\n have = MIN(s->pending_buf_size - have, MAX_STORED);\n min_block = MIN(have, s->w_size);\n left = s->strstart - s->block_start;\n if (left >= min_block ||\n ((left || flush == Z_FINISH) && flush != Z_NO_FLUSH &&\n s->strm->avail_in == 0 && left <= have)) {\n len = MIN(left, have);\n last = flush == Z_FINISH && s->strm->avail_in == 0 &&\n len == left ? 1 : 0;\n _tr_stored_block(s, (charf *)s->window + s->block_start, len, last);\n s->block_start += len;\n flush_pending(s->strm);\n }\n\n /* We've done all we can with the available input and output. */\n return last ? finish_started : need_more;\n}\n\n/* ===========================================================================\n * Compress as much as possible from the input stream, return the current\n * block state.\n * This function does not perform lazy evaluation of matches and inserts\n * new strings in the dictionary only for unmatched strings or for short\n * matches. It is used only for the fast compression options.\n */\nlocal block_state deflate_fast(deflate_state *s, int flush) {\n IPos hash_head; /* head of the hash chain */\n int bflush; /* set if current block must be flushed */\n\n for (;;) {\n /* Make sure that we always have enough lookahead, except\n * at the end of the input file. We need MAX_MATCH bytes\n * for the next match, plus MIN_MATCH bytes to insert the\n * string following the next match.\n */\n if (s->lookahead < MIN_LOOKAHEAD) {\n fill_window(s);\n if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {\n return need_more;\n }\n if (s->lookahead == 0) break; /* flush the current block */\n }\n\n /* Insert the string window[strstart .. strstart + 2] in the\n * dictionary, and set hash_head to the head of the hash chain:\n */\n hash_head = NIL;\n if (s->lookahead >= MIN_MATCH) {\n INSERT_STRING(s, s->strstart, hash_head);\n }\n\n /* Find the longest match, discarding those <= prev_length.\n * At this point we have always match_length < MIN_MATCH\n */\n if (hash_head != NIL && s->strstart - hash_head <= MAX_DIST(s)) {\n /* To simplify the code, we prevent matches with the string\n * of window index 0 (in particular we have to avoid a match\n * of the string with itself at the start of the input file).\n */\n s->match_length = longest_match (s, hash_head);\n /* longest_match() sets match_start */\n }\n if (s->match_length >= MIN_MATCH) {\n check_match(s, s->strstart, s->match_start, s->match_length);\n\n _tr_tally_dist(s, s->strstart - s->match_start,\n s->match_length - MIN_MATCH, bflush);\n\n s->lookahead -= s->match_length;\n\n /* Insert new strings in the hash table only if the match length\n * is not too large. This saves time but degrades compression.\n */\n#ifndef FASTEST\n if (s->match_length <= s->max_insert_length &&\n s->lookahead >= MIN_MATCH) {\n s->match_length--; /* string at strstart already in table */\n do {\n s->strstart++;\n INSERT_STRING(s, s->strstart, hash_head);\n /* strstart never exceeds WSIZE-MAX_MATCH, so there are\n * always MIN_MATCH bytes ahead.\n */\n } while (--s->match_length != 0);\n s->strstart++;\n } else\n#endif\n {\n s->strstart += s->match_length;\n s->match_length = 0;\n s->ins_h = s->window[s->strstart];\n UPDATE_HASH(s, s->ins_h, s->window[s->strstart + 1]);\n#if MIN_MATCH != 3\n Call UPDATE_HASH() MIN_MATCH-3 more times\n#endif\n /* If lookahead < MIN_MATCH, ins_h is garbage, but it does not\n * matter since it will be recomputed at next deflate call.\n */\n }\n } else {\n /* No match, output a literal byte */\n Tracevv((stderr,\"%c\", s->window[s->strstart]));\n _tr_tally_lit(s, s->window[s->strstart], bflush);\n s->lookahead--;\n s->strstart++;\n }\n if (bflush) FLUSH_BLOCK(s, 0);\n }\n s->insert = s->strstart < MIN_MATCH-1 ? s->strstart : MIN_MATCH-1;\n if (flush == Z_FINISH) {\n FLUSH_BLOCK(s, 1);\n return finish_done;\n }\n if (s->sym_next)\n FLUSH_BLOCK(s, 0);\n return block_done;\n}\n\n#ifndef FASTEST\n/* ===========================================================================\n * Same as above, but achieves better compression. We use a lazy\n * evaluation for matches: a match is finally adopted only if there is\n * no better match at the next window position.\n */\nlocal block_state deflate_slow(deflate_state *s, int flush) {\n IPos hash_head; /* head of hash chain */\n int bflush; /* set if current block must be flushed */\n\n /* Process the input block. */\n for (;;) {\n /* Make sure that we always have enough lookahead, except\n * at the end of the input file. We need MAX_MATCH bytes\n * for the next match, plus MIN_MATCH bytes to insert the\n * string following the next match.\n */\n if (s->lookahead < MIN_LOOKAHEAD) {\n fill_window(s);\n if (s->lookahead < MIN_LOOKAHEAD && flush == Z_NO_FLUSH) {\n return need_more;\n }\n if (s->lookahead == 0) break; /* flush the current block */\n }\n\n /* Insert the string window[strstart .. strstart + 2] in the\n * dictionary, and set hash_head to the head of the hash chain:\n */\n hash_head = NIL;\n if (s->lookahead >= MIN_MATCH) {\n INSERT_STRING(s, s->strstart, hash_head);\n }\n\n /* Find the longest match, discarding those <= prev_length.\n */\n s->prev_length = s->match_length, s->prev_match = s->match_start;\n s->match_length = MIN_MATCH-1;\n\n if (hash_head != NIL && s->prev_length < s->max_lazy_match &&\n s->strstart - hash_head <= MAX_DIST(s)) {\n /* To simplify the code, we prevent matches with the string\n * of window index 0 (in particular we have to avoid a match\n * of the string with itself at the start of the input file).\n */\n s->match_length = longest_match (s, hash_head);\n /* longest_match() sets match_start */\n\n if (s->match_length <= 5 && (s->strategy == Z_FILTERED\n#if TOO_FAR <= 32767\n || (s->match_length == MIN_MATCH &&\n s->strstart - s->match_start > TOO_FAR)\n#endif\n )) {\n\n /* If prev_match is also MIN_MATCH, match_start is garbage\n * but we will ignore the current match anyway.\n */\n s->match_length = MIN_MATCH-1;\n }\n }\n /* If there was a match at the previous step and the current\n * match is not better, output the previous match:\n */\n if (s->prev_length >= MIN_MATCH && s->match_length <= s->prev_length) {\n uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;\n /* Do not insert strings in hash table beyond this. */\n\n check_match(s, s->strstart - 1, s->prev_match, s->prev_length);\n\n _tr_tally_dist(s, s->strstart - 1 - s->prev_match,\n s->prev_length - MIN_MATCH, bflush);\n\n /* Insert in hash table all strings up to the end of the match.\n * strstart - 1 and strstart are already inserted. If there is not\n * enough lookahead, the last two strings are not inserted in\n * the hash table.\n */\n s->lookahead -= s->prev_length - 1;\n s->prev_length -= 2;\n do {\n if (++s->strstart <= max_insert) {\n INSERT_STRING(s, s->strstart, hash_head);\n }\n } while (--s->prev_length != 0);\n s->match_available = 0;\n s->match_length = MIN_MATCH-1;\n s->strstart++;\n\n if (bflush) FLUSH_BLOCK(s, 0);\n\n } else if (s->match_available) {\n /* If there was no match at the previous position, output a\n * single literal. If there was a match but the current match\n * is longer, truncate the previous match to a single literal.\n */\n Tracevv((stderr,\"%c\", s->window[s->strstart - 1]));\n _tr_tally_lit(s, s->window[s->strstart - 1], bflush);\n if (bflush) {\n FLUSH_BLOCK_ONLY(s, 0);\n }\n s->strstart++;\n s->lookahead--;\n if (s->strm->avail_out == 0) return need_more;\n } else {\n /* There is no previous match to compare with, wait for\n * the next step to decide.\n */\n s->match_available = 1;\n s->strstart++;\n s->lookahead--;\n }\n }\n Assert (flush != Z_NO_FLUSH, \"no flush?\");\n if (s->match_available) {\n Tracevv((stderr,\"%c\", s->window[s->strstart - 1]));\n _tr_tally_lit(s, s->window[s->strstart - 1], bflush);\n s->match_available = 0;\n }\n s->insert = s->strstart < MIN_MATCH-1 ? s->strstart : MIN_MATCH-1;\n if (flush == Z_FINISH) {\n FLUSH_BLOCK(s, 1);\n return finish_done;\n }\n if (s->sym_next)\n FLUSH_BLOCK(s, 0);\n return block_done;\n}\n#endif /* FASTEST */\n\n/* ===========================================================================\n * For Z_RLE, simply look for runs of bytes, generate matches only of distance\n * one. Do not maintain a hash table. (It will be regenerated if this run of\n * deflate switches away from Z_RLE.)\n */\nlocal block_state deflate_rle(deflate_state *s, int flush) {\n int bflush; /* set if current block must be flushed */\n uInt prev; /* byte at distance one to match */\n Bytef *scan, *strend; /* scan goes up to strend for length of run */\n\n for (;;) {\n /* Make sure that we always have enough lookahead, except\n * at the end of the input file. We need MAX_MATCH bytes\n * for the longest run, plus one for the unrolled loop.\n */\n if (s->lookahead <= MAX_MATCH) {\n fill_window(s);\n if (s->lookahead <= MAX_MATCH && flush == Z_NO_FLUSH) {\n return need_more;\n }\n if (s->lookahead == 0) break; /* flush the current block */\n }\n\n /* See how many times the previous byte repeats */\n s->match_length = 0;\n if (s->lookahead >= MIN_MATCH && s->strstart > 0) {\n scan = s->window + s->strstart - 1;\n prev = *scan;\n if (prev == *++scan && prev == *++scan && prev == *++scan) {\n strend = s->window + s->strstart + MAX_MATCH;\n do {\n } while (prev == *++scan && prev == *++scan &&\n prev == *++scan && prev == *++scan &&\n prev == *++scan && prev == *++scan &&\n prev == *++scan && prev == *++scan &&\n scan < strend);\n s->match_length = MAX_MATCH - (uInt)(strend - scan);\n if (s->match_length > s->lookahead)\n s->match_length = s->lookahead;\n }\n Assert(scan <= s->window + (uInt)(s->window_size - 1),\n \"wild scan\");\n }\n\n /* Emit match if have run of MIN_MATCH or longer, else emit literal */\n if (s->match_length >= MIN_MATCH) {\n check_match(s, s->strstart, s->strstart - 1, s->match_length);\n\n _tr_tally_dist(s, 1, s->match_length - MIN_MATCH, bflush);\n\n s->lookahead -= s->match_length;\n s->strstart += s->match_length;\n s->match_length = 0;\n } else {\n /* No match, output a literal byte */\n Tracevv((stderr,\"%c\", s->window[s->strstart]));\n _tr_tally_lit(s, s->window[s->strstart], bflush);\n s->lookahead--;\n s->strstart++;\n }\n if (bflush) FLUSH_BLOCK(s, 0);\n }\n s->insert = 0;\n if (flush == Z_FINISH) {\n FLUSH_BLOCK(s, 1);\n return finish_done;\n }\n if (s->sym_next)\n FLUSH_BLOCK(s, 0);\n return block_done;\n}\n\n/* ===========================================================================\n * For Z_HUFFMAN_ONLY, do not look for matches. Do not maintain a hash table.\n * (It will be regenerated if this run of deflate switches away from Huffman.)\n */\nlocal block_state deflate_huff(deflate_state *s, int flush) {\n int bflush; /* set if current block must be flushed */\n\n for (;;) {\n /* Make sure that we have a literal to write. */\n if (s->lookahead == 0) {\n fill_window(s);\n if (s->lookahead == 0) {\n if (flush == Z_NO_FLUSH)\n return need_more;\n break; /* flush the current block */\n }\n }\n\n /* Output a literal byte */\n s->match_length = 0;\n Tracevv((stderr,\"%c\", s->window[s->strstart]));\n _tr_tally_lit(s, s->window[s->strstart], bflush);\n s->lookahead--;\n s->strstart++;\n if (bflush) FLUSH_BLOCK(s, 0);\n }\n s->insert = 0;\n if (flush == Z_FINISH) {\n FLUSH_BLOCK(s, 1);\n return finish_done;\n }\n if (s->sym_next)\n FLUSH_BLOCK(s, 0);\n return block_done;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/deflate.h", "content": "/* deflate.h -- internal compression state\n * Copyright (C) 1995-2018 Jean-loup Gailly\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* WARNING: this file should *not* be used by applications. It is\n part of the implementation of the compression library and is\n subject to change. Applications should only use zlib.h.\n */\n\n/* @(#) $Id$ */\n\n#ifndef DEFLATE_H\n#define DEFLATE_H\n\n#include \"zutil.h\"\n\n/* define NO_GZIP when compiling if you want to disable gzip header and\n trailer creation by deflate(). NO_GZIP would be used to avoid linking in\n the crc code when it is not needed. For shared libraries, gzip encoding\n should be left enabled. */\n#ifndef NO_GZIP\n# define GZIP\n#endif\n\n/* ===========================================================================\n * Internal compression state.\n */\n\n#define LENGTH_CODES 29\n/* number of length codes, not counting the special END_BLOCK code */\n\n#define LITERALS 256\n/* number of literal bytes 0..255 */\n\n#define L_CODES (LITERALS+1+LENGTH_CODES)\n/* number of Literal or Length codes, including the END_BLOCK code */\n\n#define D_CODES 30\n/* number of distance codes */\n\n#define BL_CODES 19\n/* number of codes used to transfer the bit lengths */\n\n#define HEAP_SIZE (2*L_CODES+1)\n/* maximum heap size */\n\n#define MAX_BITS 15\n/* All codes must not exceed MAX_BITS bits */\n\n#define Buf_size 16\n/* size of bit buffer in bi_buf */\n\n#define INIT_STATE 42 /* zlib header -> BUSY_STATE */\n#ifdef GZIP\n# define GZIP_STATE 57 /* gzip header -> BUSY_STATE | EXTRA_STATE */\n#endif\n#define EXTRA_STATE 69 /* gzip extra block -> NAME_STATE */\n#define NAME_STATE 73 /* gzip file name -> COMMENT_STATE */\n#define COMMENT_STATE 91 /* gzip comment -> HCRC_STATE */\n#define HCRC_STATE 103 /* gzip header CRC -> BUSY_STATE */\n#define BUSY_STATE 113 /* deflate -> FINISH_STATE */\n#define FINISH_STATE 666 /* stream complete */\n/* Stream status */\n\n\n/* Data structure describing a single value and its code string. */\ntypedef struct ct_data_s {\n union {\n ush freq; /* frequency count */\n ush code; /* bit string */\n } fc;\n union {\n ush dad; /* father node in Huffman tree */\n ush len; /* length of bit string */\n } dl;\n} FAR ct_data;\n\n#define Freq fc.freq\n#define Code fc.code\n#define Dad dl.dad\n#define Len dl.len\n\ntypedef struct static_tree_desc_s static_tree_desc;\n\ntypedef struct tree_desc_s {\n ct_data *dyn_tree; /* the dynamic tree */\n int max_code; /* largest code with non zero frequency */\n const static_tree_desc *stat_desc; /* the corresponding static tree */\n} FAR tree_desc;\n\ntypedef ush Pos;\ntypedef Pos FAR Posf;\ntypedef unsigned IPos;\n\n/* A Pos is an index in the character window. We use short instead of int to\n * save space in the various tables. IPos is used only for parameter passing.\n */\n\ntypedef struct internal_state {\n z_streamp strm; /* pointer back to this zlib stream */\n int status; /* as the name implies */\n Bytef *pending_buf; /* output still pending */\n ulg pending_buf_size; /* size of pending_buf */\n Bytef *pending_out; /* next pending byte to output to the stream */\n ulg pending; /* nb of bytes in the pending buffer */\n int wrap; /* bit 0 true for zlib, bit 1 true for gzip */\n gz_headerp gzhead; /* gzip header information to write */\n ulg gzindex; /* where in extra, name, or comment */\n Byte method; /* can only be DEFLATED */\n int last_flush; /* value of flush param for previous deflate call */\n\n /* used by deflate.c: */\n\n uInt w_size; /* LZ77 window size (32K by default) */\n uInt w_bits; /* log2(w_size) (8..16) */\n uInt w_mask; /* w_size - 1 */\n\n Bytef *window;\n /* Sliding window. Input bytes are read into the second half of the window,\n * and move to the first half later to keep a dictionary of at least wSize\n * bytes. With this organization, matches are limited to a distance of\n * wSize-MAX_MATCH bytes, but this ensures that IO is always\n * performed with a length multiple of the block size. Also, it limits\n * the window size to 64K, which is quite useful on MSDOS.\n * To do: use the user input buffer as sliding window.\n */\n\n ulg window_size;\n /* Actual size of window: 2*wSize, except when the user input buffer\n * is directly used as sliding window.\n */\n\n Posf *prev;\n /* Link to older string with same hash index. To limit the size of this\n * array to 64K, this link is maintained only for the last 32K strings.\n * An index in this array is thus a window index modulo 32K.\n */\n\n Posf *head; /* Heads of the hash chains or NIL. */\n\n uInt ins_h; /* hash index of string to be inserted */\n uInt hash_size; /* number of elements in hash table */\n uInt hash_bits; /* log2(hash_size) */\n uInt hash_mask; /* hash_size-1 */\n\n uInt hash_shift;\n /* Number of bits by which ins_h must be shifted at each input\n * step. It must be such that after MIN_MATCH steps, the oldest\n * byte no longer takes part in the hash key, that is:\n * hash_shift * MIN_MATCH >= hash_bits\n */\n\n long block_start;\n /* Window position at the beginning of the current output block. Gets\n * negative when the window is moved backwards.\n */\n\n uInt match_length; /* length of best match */\n IPos prev_match; /* previous match */\n int match_available; /* set if previous match exists */\n uInt strstart; /* start of string to insert */\n uInt match_start; /* start of matching string */\n uInt lookahead; /* number of valid bytes ahead in window */\n\n uInt prev_length;\n /* Length of the best match at previous step. Matches not greater than this\n * are discarded. This is used in the lazy match evaluation.\n */\n\n uInt max_chain_length;\n /* To speed up deflation, hash chains are never searched beyond this\n * length. A higher limit improves compression ratio but degrades the\n * speed.\n */\n\n uInt max_lazy_match;\n /* Attempt to find a better match only when the current match is strictly\n * smaller than this value. This mechanism is used only for compression\n * levels >= 4.\n */\n# define max_insert_length max_lazy_match\n /* Insert new strings in the hash table only if the match length is not\n * greater than this length. This saves time but degrades compression.\n * max_insert_length is used only for compression levels <= 3.\n */\n\n int level; /* compression level (1..9) */\n int strategy; /* favor or force Huffman coding*/\n\n uInt good_match;\n /* Use a faster search when the previous match is longer than this */\n\n int nice_match; /* Stop searching when current match exceeds this */\n\n /* used by trees.c: */\n /* Didn't use ct_data typedef below to suppress compiler warning */\n struct ct_data_s dyn_ltree[HEAP_SIZE]; /* literal and length tree */\n struct ct_data_s dyn_dtree[2*D_CODES+1]; /* distance tree */\n struct ct_data_s bl_tree[2*BL_CODES+1]; /* Huffman tree for bit lengths */\n\n struct tree_desc_s l_desc; /* desc. for literal tree */\n struct tree_desc_s d_desc; /* desc. for distance tree */\n struct tree_desc_s bl_desc; /* desc. for bit length tree */\n\n ush bl_count[MAX_BITS+1];\n /* number of codes at each bit length for an optimal tree */\n\n int heap[2*L_CODES+1]; /* heap used to build the Huffman trees */\n int heap_len; /* number of elements in the heap */\n int heap_max; /* element of largest frequency */\n /* The sons of heap[n] are heap[2*n] and heap[2*n+1]. heap[0] is not used.\n * The same heap array is used to build all trees.\n */\n\n uch depth[2*L_CODES+1];\n /* Depth of each subtree used as tie breaker for trees of equal frequency\n */\n\n uchf *sym_buf; /* buffer for distances and literals/lengths */\n\n uInt lit_bufsize;\n /* Size of match buffer for literals/lengths. There are 4 reasons for\n * limiting lit_bufsize to 64K:\n * - frequencies can be kept in 16 bit counters\n * - if compression is not successful for the first block, all input\n * data is still in the window so we can still emit a stored block even\n * when input comes from standard input. (This can also be done for\n * all blocks if lit_bufsize is not greater than 32K.)\n * - if compression is not successful for a file smaller than 64K, we can\n * even emit a stored file instead of a stored block (saving 5 bytes).\n * This is applicable only for zip (not gzip or zlib).\n * - creating new Huffman trees less frequently may not provide fast\n * adaptation to changes in the input data statistics. (Take for\n * example a binary file with poorly compressible code followed by\n * a highly compressible string table.) Smaller buffer sizes give\n * fast adaptation but have of course the overhead of transmitting\n * trees more frequently.\n * - I can't count above 4\n */\n\n uInt sym_next; /* running index in sym_buf */\n uInt sym_end; /* symbol table full when sym_next reaches this */\n\n ulg opt_len; /* bit length of current block with optimal trees */\n ulg static_len; /* bit length of current block with static trees */\n uInt matches; /* number of string matches in current block */\n uInt insert; /* bytes at end of window left to insert */\n\n#ifdef ZLIB_DEBUG\n ulg compressed_len; /* total bit length of compressed file mod 2^32 */\n ulg bits_sent; /* bit length of compressed data sent mod 2^32 */\n#endif\n\n ush bi_buf;\n /* Output buffer. bits are inserted starting at the bottom (least\n * significant bits).\n */\n int bi_valid;\n /* Number of valid bits in bi_buf. All bits above the last valid bit\n * are always zero.\n */\n\n ulg high_water;\n /* High water mark offset in window for initialized bytes -- bytes above\n * this are set to zero in order to avoid memory check warnings when\n * longest match routines access bytes past the input. This is then\n * updated to the new high water mark.\n */\n\n} FAR deflate_state;\n\n/* Output a byte on the stream.\n * IN assertion: there is enough room in pending_buf.\n */\n#define put_byte(s, c) {s->pending_buf[s->pending++] = (Bytef)(c);}\n\n\n#define MIN_LOOKAHEAD (MAX_MATCH+MIN_MATCH+1)\n/* Minimum amount of lookahead, except at the end of the input file.\n * See deflate.c for comments about the MIN_MATCH+1.\n */\n\n#define MAX_DIST(s) ((s)->w_size-MIN_LOOKAHEAD)\n/* In order to simplify the code, particularly on 16 bit machines, match\n * distances are limited to MAX_DIST instead of WSIZE.\n */\n\n#define WIN_INIT MAX_MATCH\n/* Number of bytes after end of data in window to initialize in order to avoid\n memory checker errors from longest match routines */\n\n /* in trees.c */\nvoid ZLIB_INTERNAL _tr_init(deflate_state *s);\nint ZLIB_INTERNAL _tr_tally(deflate_state *s, unsigned dist, unsigned lc);\nvoid ZLIB_INTERNAL _tr_flush_block(deflate_state *s, charf *buf,\n ulg stored_len, int last);\nvoid ZLIB_INTERNAL _tr_flush_bits(deflate_state *s);\nvoid ZLIB_INTERNAL _tr_align(deflate_state *s);\nvoid ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,\n ulg stored_len, int last);\n\n#define d_code(dist) \\\n ((dist) < 256 ? _dist_code[dist] : _dist_code[256+((dist)>>7)])\n/* Mapping from a distance to a distance code. dist is the distance - 1 and\n * must not have side effects. _dist_code[256] and _dist_code[257] are never\n * used.\n */\n\n#ifndef ZLIB_DEBUG\n/* Inline versions of _tr_tally for speed: */\n\n#if defined(GEN_TREES_H) || !defined(STDC)\n extern uch ZLIB_INTERNAL _length_code[];\n extern uch ZLIB_INTERNAL _dist_code[];\n#else\n extern const uch ZLIB_INTERNAL _length_code[];\n extern const uch ZLIB_INTERNAL _dist_code[];\n#endif\n\n# define _tr_tally_lit(s, c, flush) \\\n { uch cc = (c); \\\n s->sym_buf[s->sym_next++] = 0; \\\n s->sym_buf[s->sym_next++] = 0; \\\n s->sym_buf[s->sym_next++] = cc; \\\n s->dyn_ltree[cc].Freq++; \\\n flush = (s->sym_next == s->sym_end); \\\n }\n# define _tr_tally_dist(s, distance, length, flush) \\\n { uch len = (uch)(length); \\\n ush dist = (ush)(distance); \\\n s->sym_buf[s->sym_next++] = (uch)dist; \\\n s->sym_buf[s->sym_next++] = (uch)(dist >> 8); \\\n s->sym_buf[s->sym_next++] = len; \\\n dist--; \\\n s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \\\n s->dyn_dtree[d_code(dist)].Freq++; \\\n flush = (s->sym_next == s->sym_end); \\\n }\n#else\n# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)\n# define _tr_tally_dist(s, distance, length, flush) \\\n flush = _tr_tally(s, distance, length)\n#endif\n\n#endif /* DEFLATE_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/README.examples", "content": "This directory contains examples of the use of zlib and other relevant\nprograms and documentation.\n\nenough.c\n calculation and justification of ENOUGH parameter in inftrees.h\n - calculates the maximum table space used in inflate tree\n construction over all possible Huffman codes\n\nfitblk.c\n compress just enough input to nearly fill a requested output size\n - zlib isn't designed to do this, but fitblk does it anyway\n\ngun.c\n uncompress a gzip file\n - illustrates the use of inflateBack() for high speed file-to-file\n decompression using call-back functions\n - is approximately twice as fast as gzip -d\n - also provides Unix uncompress functionality, again twice as fast\n\ngzappend.c\n append to a gzip file\n - illustrates the use of the Z_BLOCK flush parameter for inflate()\n - illustrates the use of deflatePrime() to start at any bit\n\ngzjoin.c\n join gzip files without recalculating the crc or recompressing\n - illustrates the use of the Z_BLOCK flush parameter for inflate()\n - illustrates the use of crc32_combine()\n\ngzlog.c\ngzlog.h\n efficiently and robustly maintain a message log file in gzip format\n - illustrates use of raw deflate, Z_PARTIAL_FLUSH, deflatePrime(),\n and deflateSetDictionary()\n - illustrates use of a gzip header extra field\n\ngznorm.c\n normalize a gzip file by combining members into a single member\n - demonstrates how to concatenate deflate streams using Z_BLOCK\n\nzlib_how.html\n painfully comprehensive description of zpipe.c (see below)\n - describes in excruciating detail the use of deflate() and inflate()\n\nzpipe.c\n reads and writes zlib streams from stdin to stdout\n - illustrates the proper use of deflate() and inflate()\n - deeply commented in zlib_how.html (see above)\n\nzran.c\nzran.h\n index a zlib or gzip stream and randomly access it\n - illustrates the use of Z_BLOCK, inflatePrime(), and\n inflateSetDictionary() to provide random access\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/enough.c", "content": "/* enough.c -- determine the maximum size of inflate's Huffman code tables over\n * all possible valid and complete prefix codes, subject to a length limit.\n * Copyright (C) 2007, 2008, 2012, 2018 Mark Adler\n * Version 1.5 5 August 2018 Mark Adler\n */\n\n/* Version history:\n 1.0 3 Jan 2007 First version (derived from codecount.c version 1.4)\n 1.1 4 Jan 2007 Use faster incremental table usage computation\n Prune examine() search on previously visited states\n 1.2 5 Jan 2007 Comments clean up\n As inflate does, decrease root for short codes\n Refuse cases where inflate would increase root\n 1.3 17 Feb 2008 Add argument for initial root table size\n Fix bug for initial root table size == max - 1\n Use a macro to compute the history index\n 1.4 18 Aug 2012 Avoid shifts more than bits in type (caused endless loop!)\n Clean up comparisons of different types\n Clean up code indentation\n 1.5 5 Aug 2018 Clean up code style, formatting, and comments\n Show all the codes for the maximum, and only the maximum\n */\n\n/*\n Examine all possible prefix codes for a given number of symbols and a\n maximum code length in bits to determine the maximum table size for zlib's\n inflate. Only complete prefix codes are counted.\n\n Two codes are considered distinct if the vectors of the number of codes per\n length are not identical. So permutations of the symbol assignments result\n in the same code for the counting, as do permutations of the assignments of\n the bit values to the codes (i.e. only canonical codes are counted).\n\n We build a code from shorter to longer lengths, determining how many symbols\n are coded at each length. At each step, we have how many symbols remain to\n be coded, what the last code length used was, and how many bit patterns of\n that length remain unused. Then we add one to the code length and double the\n number of unused patterns to graduate to the next code length. We then\n assign all portions of the remaining symbols to that code length that\n preserve the properties of a correct and eventually complete code. Those\n properties are: we cannot use more bit patterns than are available; and when\n all the symbols are used, there are exactly zero possible bit patterns left\n unused.\n\n The inflate Huffman decoding algorithm uses two-level lookup tables for\n speed. There is a single first-level table to decode codes up to root bits\n in length (root == 9 for literal/length codes and root == 6 for distance\n codes, in the current inflate implementation). The base table has 1 << root\n entries and is indexed by the next root bits of input. Codes shorter than\n root bits have replicated table entries, so that the correct entry is\n pointed to regardless of the bits that follow the short code. If the code is\n longer than root bits, then the table entry points to a second-level table.\n The size of that table is determined by the longest code with that root-bit\n prefix. If that longest code has length len, then the table has size 1 <<\n (len - root), to index the remaining bits in that set of codes. Each\n subsequent root-bit prefix then has its own sub-table. The total number of\n table entries required by the code is calculated incrementally as the number\n of codes at each bit length is populated. When all of the codes are shorter\n than root bits, then root is reduced to the longest code length, resulting\n in a single, smaller, one-level table.\n\n The inflate algorithm also provides for small values of root (relative to\n the log2 of the number of symbols), where the shortest code has more bits\n than root. In that case, root is increased to the length of the shortest\n code. This program, by design, does not handle that case, so it is verified\n that the number of symbols is less than 1 << (root + 1).\n\n In order to speed up the examination (by about ten orders of magnitude for\n the default arguments), the intermediate states in the build-up of a code\n are remembered and previously visited branches are pruned. The memory\n required for this will increase rapidly with the total number of symbols and\n the maximum code length in bits. However this is a very small price to pay\n for the vast speedup.\n\n First, all of the possible prefix codes are counted, and reachable\n intermediate states are noted by a non-zero count in a saved-results array.\n Second, the intermediate states that lead to (root + 1) bit or longer codes\n are used to look at all sub-codes from those junctures for their inflate\n memory usage. (The amount of memory used is not affected by the number of\n codes of root bits or less in length.) Third, the visited states in the\n construction of those sub-codes and the associated calculation of the table\n size is recalled in order to avoid recalculating from the same juncture.\n Beginning the code examination at (root + 1) bit codes, which is enabled by\n identifying the reachable nodes, accounts for about six of the orders of\n magnitude of improvement for the default arguments. About another four\n orders of magnitude come from not revisiting previous states. Out of\n approximately 2x10^16 possible prefix codes, only about 2x10^6 sub-codes\n need to be examined to cover all of the possible table memory usage cases\n for the default arguments of 286 symbols limited to 15-bit codes.\n\n Note that the uintmax_t type is used for counting. It is quite easy to\n exceed the capacity of an eight-byte integer with a large number of symbols\n and a large maximum code length, so multiple-precision arithmetic would need\n to replace the integer arithmetic in that case. This program will abort if\n an overflow occurs. The big_t type identifies where the counting takes\n place.\n\n The uintmax_t type is also used for calculating the number of possible codes\n remaining at the maximum length. This limits the maximum code length to the\n number of bits in a long long minus the number of bits needed to represent\n the symbols in a flat code. The code_t type identifies where the bit-pattern\n counting takes place.\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \n\n#define local static\n\n// Special data types.\ntypedef uintmax_t big_t; // type for code counting\n#define PRIbig \"ju\" // printf format for big_t\ntypedef uintmax_t code_t; // type for bit pattern counting\nstruct tab { // type for been-here check\n size_t len; // allocated length of bit vector in octets\n char *vec; // allocated bit vector\n};\n\n/* The array for saving results, num[], is indexed with this triplet:\n\n syms: number of symbols remaining to code\n left: number of available bit patterns at length len\n len: number of bits in the codes currently being assigned\n\n Those indices are constrained thusly when saving results:\n\n syms: 3..totsym (totsym == total symbols to code)\n left: 2..syms - 1, but only the evens (so syms == 8 -> 2, 4, 6)\n len: 1..max - 1 (max == maximum code length in bits)\n\n syms == 2 is not saved since that immediately leads to a single code. left\n must be even, since it represents the number of available bit patterns at\n the current length, which is double the number at the previous length. left\n ends at syms-1 since left == syms immediately results in a single code.\n (left > sym is not allowed since that would result in an incomplete code.)\n len is less than max, since the code completes immediately when len == max.\n\n The offset into the array is calculated for the three indices with the first\n one (syms) being outermost, and the last one (len) being innermost. We build\n the array with length max-1 lists for the len index, with syms-3 of those\n for each symbol. There are totsym-2 of those, with each one varying in\n length as a function of sym. See the calculation of index in map() for the\n index, and the calculation of size in main() for the size of the array.\n\n For the deflate example of 286 symbols limited to 15-bit codes, the array\n has 284,284 entries, taking up 2.17 MB for an 8-byte big_t. More than half\n of the space allocated for saved results is actually used -- not all\n possible triplets are reached in the generation of valid prefix codes.\n */\n\n/* The array for tracking visited states, done[], is itself indexed identically\n to the num[] array as described above for the (syms, left, len) triplet.\n Each element in the array is further indexed by the (mem, rem) doublet,\n where mem is the amount of inflate table space used so far, and rem is the\n remaining unused entries in the current inflate sub-table. Each indexed\n element is simply one bit indicating whether the state has been visited or\n not. Since the ranges for mem and rem are not known a priori, each bit\n vector is of a variable size, and grows as needed to accommodate the visited\n states. mem and rem are used to calculate a single index in a triangular\n array. Since the range of mem is expected in the default case to be about\n ten times larger than the range of rem, the array is skewed to reduce the\n memory usage, with eight times the range for mem than for rem. See the\n calculations for offset and bit in been_here() for the details.\n\n For the deflate example of 286 symbols limited to 15-bit codes, the bit\n vectors grow to total 5.5 MB, in addition to the 4.3 MB done array itself.\n */\n\n// Type for a variable-length, allocated string.\ntypedef struct {\n char *str; // pointer to allocated string\n size_t size; // size of allocation\n size_t len; // length of string, not including terminating zero\n} string_t;\n\n// Clear a string_t.\nlocal void string_clear(string_t *s) {\n s->str[0] = 0;\n s->len = 0;\n}\n\n// Initialize a string_t.\nlocal void string_init(string_t *s) {\n s->size = 16;\n s->str = malloc(s->size);\n assert(s->str != NULL && \"out of memory\");\n string_clear(s);\n}\n\n// Release the allocation of a string_t.\nlocal void string_free(string_t *s) {\n free(s->str);\n s->str = NULL;\n s->size = 0;\n s->len = 0;\n}\n\n// Save the results of printf with fmt and the subsequent argument list to s.\n// Each call appends to s. The allocated space for s is increased as needed.\nlocal void string_printf(string_t *s, char *fmt, ...) {\n va_list ap;\n va_start(ap, fmt);\n size_t len = s->len;\n int ret = vsnprintf(s->str + len, s->size - len, fmt, ap);\n assert(ret >= 0 && \"out of memory\");\n s->len += ret;\n if (s->size < s->len + 1) {\n do {\n s->size <<= 1;\n assert(s->size != 0 && \"overflow\");\n } while (s->size < s->len + 1);\n s->str = realloc(s->str, s->size);\n assert(s->str != NULL && \"out of memory\");\n vsnprintf(s->str + len, s->size - len, fmt, ap);\n }\n va_end(ap);\n}\n\n// Globals to avoid propagating constants or constant pointers recursively.\nstruct {\n int max; // maximum allowed bit length for the codes\n int root; // size of base code table in bits\n int large; // largest code table so far\n size_t size; // number of elements in num and done\n big_t tot; // total number of codes with maximum tables size\n string_t out; // display of subcodes for maximum tables size\n int *code; // number of symbols assigned to each bit length\n big_t *num; // saved results array for code counting\n struct tab *done; // states already evaluated array\n} g;\n\n// Index function for num[] and done[].\nlocal inline size_t map(int syms, int left, int len) {\n return ((size_t)((syms - 1) >> 1) * ((syms - 2) >> 1) +\n (left >> 1) - 1) * (g.max - 1) +\n len - 1;\n}\n\n// Free allocated space in globals.\nlocal void cleanup(void) {\n if (g.done != NULL) {\n for (size_t n = 0; n < g.size; n++)\n if (g.done[n].len)\n free(g.done[n].vec);\n g.size = 0;\n free(g.done); g.done = NULL;\n }\n free(g.num); g.num = NULL;\n free(g.code); g.code = NULL;\n string_free(&g.out);\n}\n\n// Return the number of possible prefix codes using bit patterns of lengths len\n// through max inclusive, coding syms symbols, with left bit patterns of length\n// len unused -- return -1 if there is an overflow in the counting. Keep a\n// record of previous results in num to prevent repeating the same calculation.\nlocal big_t count(int syms, int left, int len) {\n // see if only one possible code\n if (syms == left)\n return 1;\n\n // note and verify the expected state\n assert(syms > left && left > 0 && len < g.max);\n\n // see if we've done this one already\n size_t index = map(syms, left, len);\n big_t got = g.num[index];\n if (got)\n return got; // we have -- return the saved result\n\n // we need to use at least this many bit patterns so that the code won't be\n // incomplete at the next length (more bit patterns than symbols)\n int least = (left << 1) - syms;\n if (least < 0)\n least = 0;\n\n // we can use at most this many bit patterns, lest there not be enough\n // available for the remaining symbols at the maximum length (if there were\n // no limit to the code length, this would become: most = left - 1)\n int most = (((code_t)left << (g.max - len)) - syms) /\n (((code_t)1 << (g.max - len)) - 1);\n\n // count all possible codes from this juncture and add them up\n big_t sum = 0;\n for (int use = least; use <= most; use++) {\n got = count(syms - use, (left - use) << 1, len + 1);\n sum += got;\n if (got == (big_t)-1 || sum < got) // overflow\n return (big_t)-1;\n }\n\n // verify that all recursive calls are productive\n assert(sum != 0);\n\n // save the result and return it\n g.num[index] = sum;\n return sum;\n}\n\n// Return true if we've been here before, set to true if not. Set a bit in a\n// bit vector to indicate visiting this state. Each (syms,len,left) state has a\n// variable size bit vector indexed by (mem,rem). The bit vector is lengthened\n// as needed to allow setting the (mem,rem) bit.\nlocal int been_here(int syms, int left, int len, int mem, int rem) {\n // point to vector for (syms,left,len), bit in vector for (mem,rem)\n size_t index = map(syms, left, len);\n mem -= 1 << g.root; // mem always includes the root table\n mem >>= 1; // mem and rem are always even\n rem >>= 1;\n size_t offset = (mem >> 3) + rem;\n offset = ((offset * (offset + 1)) >> 1) + rem;\n int bit = 1 << (mem & 7);\n\n // see if we've been here\n size_t length = g.done[index].len;\n if (offset < length && (g.done[index].vec[offset] & bit) != 0)\n return 1; // done this!\n\n // we haven't been here before -- set the bit to show we have now\n\n // see if we need to lengthen the vector in order to set the bit\n if (length <= offset) {\n // if we have one already, enlarge it, zero out the appended space\n char *vector;\n if (length) {\n do {\n length <<= 1;\n } while (length <= offset);\n vector = realloc(g.done[index].vec, length);\n assert(vector != NULL && \"out of memory\");\n memset(vector + g.done[index].len, 0, length - g.done[index].len);\n }\n\n // otherwise we need to make a new vector and zero it out\n else {\n length = 16;\n while (length <= offset)\n length <<= 1;\n vector = calloc(length, 1);\n assert(vector != NULL && \"out of memory\");\n }\n\n // install the new vector\n g.done[index].len = length;\n g.done[index].vec = vector;\n }\n\n // set the bit\n g.done[index].vec[offset] |= bit;\n return 0;\n}\n\n// Examine all possible codes from the given node (syms, len, left). Compute\n// the amount of memory required to build inflate's decoding tables, where the\n// number of code structures used so far is mem, and the number remaining in\n// the current sub-table is rem.\nlocal void examine(int syms, int left, int len, int mem, int rem) {\n // see if we have a complete code\n if (syms == left) {\n // set the last code entry\n g.code[len] = left;\n\n // complete computation of memory used by this code\n while (rem < left) {\n left -= rem;\n rem = 1 << (len - g.root);\n mem += rem;\n }\n assert(rem == left);\n\n // if this is at the maximum, show the sub-code\n if (mem >= g.large) {\n // if this is a new maximum, update the maximum and clear out the\n // printed sub-codes from the previous maximum\n if (mem > g.large) {\n g.large = mem;\n string_clear(&g.out);\n }\n\n // compute the starting state for this sub-code\n syms = 0;\n left = 1 << g.max;\n for (int bits = g.max; bits > g.root; bits--) {\n syms += g.code[bits];\n left -= g.code[bits];\n assert((left & 1) == 0);\n left >>= 1;\n }\n\n // print the starting state and the resulting sub-code to g.out\n string_printf(&g.out, \"<%u, %u, %u>:\",\n syms, g.root + 1, ((1 << g.root) - left) << 1);\n for (int bits = g.root + 1; bits <= g.max; bits++)\n if (g.code[bits])\n string_printf(&g.out, \" %d[%d]\", g.code[bits], bits);\n string_printf(&g.out, \"\\n\");\n }\n\n // remove entries as we drop back down in the recursion\n g.code[len] = 0;\n return;\n }\n\n // prune the tree if we can\n if (been_here(syms, left, len, mem, rem))\n return;\n\n // we need to use at least this many bit patterns so that the code won't be\n // incomplete at the next length (more bit patterns than symbols)\n int least = (left << 1) - syms;\n if (least < 0)\n least = 0;\n\n // we can use at most this many bit patterns, lest there not be enough\n // available for the remaining symbols at the maximum length (if there were\n // no limit to the code length, this would become: most = left - 1)\n int most = (((code_t)left << (g.max - len)) - syms) /\n (((code_t)1 << (g.max - len)) - 1);\n\n // occupy least table spaces, creating new sub-tables as needed\n int use = least;\n while (rem < use) {\n use -= rem;\n rem = 1 << (len - g.root);\n mem += rem;\n }\n rem -= use;\n\n // examine codes from here, updating table space as we go\n for (use = least; use <= most; use++) {\n g.code[len] = use;\n examine(syms - use, (left - use) << 1, len + 1,\n mem + (rem ? 1 << (len - g.root) : 0), rem << 1);\n if (rem == 0) {\n rem = 1 << (len - g.root);\n mem += rem;\n }\n rem--;\n }\n\n // remove entries as we drop back down in the recursion\n g.code[len] = 0;\n}\n\n// Look at all sub-codes starting with root + 1 bits. Look at only the valid\n// intermediate code states (syms, left, len). For each completed code,\n// calculate the amount of memory required by inflate to build the decoding\n// tables. Find the maximum amount of memory required and show the codes that\n// require that maximum.\nlocal void enough(int syms) {\n // clear code\n for (int n = 0; n <= g.max; n++)\n g.code[n] = 0;\n\n // look at all (root + 1) bit and longer codes\n string_clear(&g.out); // empty saved results\n g.large = 1 << g.root; // base table\n if (g.root < g.max) // otherwise, there's only a base table\n for (int n = 3; n <= syms; n++)\n for (int left = 2; left < n; left += 2) {\n // look at all reachable (root + 1) bit nodes, and the\n // resulting codes (complete at root + 2 or more)\n size_t index = map(n, left, g.root + 1);\n if (g.root + 1 < g.max && g.num[index]) // reachable node\n examine(n, left, g.root + 1, 1 << g.root, 0);\n\n // also look at root bit codes with completions at root + 1\n // bits (not saved in num, since complete), just in case\n if (g.num[index - 1] && n <= left << 1)\n examine((n - left) << 1, (n - left) << 1, g.root + 1,\n 1 << g.root, 0);\n }\n\n // done\n printf(\"maximum of %d table entries for root = %d\\n\", g.large, g.root);\n fputs(g.out.str, stdout);\n}\n\n// Examine and show the total number of possible prefix codes for a given\n// maximum number of symbols, initial root table size, and maximum code length\n// in bits -- those are the command arguments in that order. The default values\n// are 286, 9, and 15 respectively, for the deflate literal/length code. The\n// possible codes are counted for each number of coded symbols from two to the\n// maximum. The counts for each of those and the total number of codes are\n// shown. The maximum number of inflate table entries is then calculated across\n// all possible codes. Each new maximum number of table entries and the\n// associated sub-code (starting at root + 1 == 10 bits) is shown.\n//\n// To count and examine prefix codes that are not length-limited, provide a\n// maximum length equal to the number of symbols minus one.\n//\n// For the deflate literal/length code, use \"enough\". For the deflate distance\n// code, use \"enough 30 6\".\nint main(int argc, char **argv) {\n // set up globals for cleanup()\n g.code = NULL;\n g.num = NULL;\n g.done = NULL;\n string_init(&g.out);\n\n // get arguments -- default to the deflate literal/length code\n int syms = 286;\n g.root = 9;\n g.max = 15;\n if (argc > 1) {\n syms = atoi(argv[1]);\n if (argc > 2) {\n g.root = atoi(argv[2]);\n if (argc > 3)\n g.max = atoi(argv[3]);\n }\n }\n if (argc > 4 || syms < 2 || g.root < 1 || g.max < 1) {\n fputs(\"invalid arguments, need: [sym >= 2 [root >= 1 [max >= 1]]]\\n\",\n stderr);\n return 1;\n }\n\n // if not restricting the code length, the longest is syms - 1\n if (g.max > syms - 1)\n g.max = syms - 1;\n\n // determine the number of bits in a code_t\n int bits = 0;\n for (code_t word = 1; word; word <<= 1)\n bits++;\n\n // make sure that the calculation of most will not overflow\n if (g.max > bits || (code_t)(syms - 2) >= ((code_t)-1 >> (g.max - 1))) {\n fputs(\"abort: code length too long for internal types\\n\", stderr);\n return 1;\n }\n\n // reject impossible code requests\n if ((code_t)(syms - 1) > ((code_t)1 << g.max) - 1) {\n fprintf(stderr, \"%d symbols cannot be coded in %d bits\\n\",\n syms, g.max);\n return 1;\n }\n\n // allocate code vector\n g.code = calloc(g.max + 1, sizeof(int));\n assert(g.code != NULL && \"out of memory\");\n\n // determine size of saved results array, checking for overflows,\n // allocate and clear the array (set all to zero with calloc())\n if (syms == 2) // iff max == 1\n g.num = NULL; // won't be saving any results\n else {\n g.size = syms >> 1;\n int n = (syms - 1) >> 1;\n assert(g.size <= (size_t)-1 / n && \"overflow\");\n g.size *= n;\n n = g.max - 1;\n assert(g.size <= (size_t)-1 / n && \"overflow\");\n g.size *= n;\n g.num = calloc(g.size, sizeof(big_t));\n assert(g.num != NULL && \"out of memory\");\n }\n\n // count possible codes for all numbers of symbols, add up counts\n big_t sum = 0;\n for (int n = 2; n <= syms; n++) {\n big_t got = count(n, 2, 1);\n sum += got;\n assert(got != (big_t)-1 && sum >= got && \"overflow\");\n }\n printf(\"%\"PRIbig\" total codes for 2 to %d symbols\", sum, syms);\n if (g.max < syms - 1)\n printf(\" (%d-bit length limit)\\n\", g.max);\n else\n puts(\" (no length limit)\");\n\n // allocate and clear done array for been_here()\n if (syms == 2)\n g.done = NULL;\n else {\n g.done = calloc(g.size, sizeof(struct tab));\n assert(g.done != NULL && \"out of memory\");\n }\n\n // find and show maximum inflate table usage\n if (g.root > g.max) // reduce root to max length\n g.root = g.max;\n if ((code_t)syms < ((code_t)1 << (g.root + 1)))\n enough(syms);\n else\n fputs(\"cannot handle minimum code lengths > root\", stderr);\n\n // done\n cleanup();\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/fitblk.c", "content": "/* fitblk.c: example of fitting compressed output to a specified size\n Not copyrighted -- provided to the public domain\n Version 1.1 25 November 2004 Mark Adler */\n\n/* Version history:\n 1.0 24 Nov 2004 First version\n 1.1 25 Nov 2004 Change deflateInit2() to deflateInit()\n Use fixed-size, stack-allocated raw buffers\n Simplify code moving compression to subroutines\n Use assert() for internal errors\n Add detailed description of approach\n */\n\n/* Approach to just fitting a requested compressed size:\n\n fitblk performs three compression passes on a portion of the input\n data in order to determine how much of that input will compress to\n nearly the requested output block size. The first pass generates\n enough deflate blocks to produce output to fill the requested\n output size plus a specified excess amount (see the EXCESS define\n below). The last deflate block may go quite a bit past that, but\n is discarded. The second pass decompresses and recompresses just\n the compressed data that fit in the requested plus excess sized\n buffer. The deflate process is terminated after that amount of\n input, which is less than the amount consumed on the first pass.\n The last deflate block of the result will be of a comparable size\n to the final product, so that the header for that deflate block and\n the compression ratio for that block will be about the same as in\n the final product. The third compression pass decompresses the\n result of the second step, but only the compressed data up to the\n requested size minus an amount to allow the compressed stream to\n complete (see the MARGIN define below). That will result in a\n final compressed stream whose length is less than or equal to the\n requested size. Assuming sufficient input and a requested size\n greater than a few hundred bytes, the shortfall will typically be\n less than ten bytes.\n\n If the input is short enough that the first compression completes\n before filling the requested output size, then that compressed\n stream is return with no recompression.\n\n EXCESS is chosen to be just greater than the shortfall seen in a\n two pass approach similar to the above. That shortfall is due to\n the last deflate block compressing more efficiently with a smaller\n header on the second pass. EXCESS is set to be large enough so\n that there is enough uncompressed data for the second pass to fill\n out the requested size, and small enough so that the final deflate\n block of the second pass will be close in size to the final deflate\n block of the third and final pass. MARGIN is chosen to be just\n large enough to assure that the final compression has enough room\n to complete in all cases.\n */\n\n#include \n#include \n#include \n#include \"zlib.h\"\n\n#define local static\n\n/* print nastygram and leave */\nlocal void quit(char *why)\n{\n fprintf(stderr, \"fitblk abort: %s\\n\", why);\n exit(1);\n}\n\n#define RAWLEN 4096 /* intermediate uncompressed buffer size */\n\n/* compress from file to def until provided buffer is full or end of\n input reached; return last deflate() return value, or Z_ERRNO if\n there was read error on the file */\nlocal int partcompress(FILE *in, z_streamp def)\n{\n int ret, flush;\n unsigned char raw[RAWLEN];\n\n flush = Z_NO_FLUSH;\n do {\n def->avail_in = fread(raw, 1, RAWLEN, in);\n if (ferror(in))\n return Z_ERRNO;\n def->next_in = raw;\n if (feof(in))\n flush = Z_FINISH;\n ret = deflate(def, flush);\n assert(ret != Z_STREAM_ERROR);\n } while (def->avail_out != 0 && flush == Z_NO_FLUSH);\n return ret;\n}\n\n/* recompress from inf's input to def's output; the input for inf and\n the output for def are set in those structures before calling;\n return last deflate() return value, or Z_MEM_ERROR if inflate()\n was not able to allocate enough memory when it needed to */\nlocal int recompress(z_streamp inf, z_streamp def)\n{\n int ret, flush;\n unsigned char raw[RAWLEN];\n\n flush = Z_NO_FLUSH;\n do {\n /* decompress */\n inf->avail_out = RAWLEN;\n inf->next_out = raw;\n ret = inflate(inf, Z_NO_FLUSH);\n assert(ret != Z_STREAM_ERROR && ret != Z_DATA_ERROR &&\n ret != Z_NEED_DICT);\n if (ret == Z_MEM_ERROR)\n return ret;\n\n /* compress what was decompressed until done or no room */\n def->avail_in = RAWLEN - inf->avail_out;\n def->next_in = raw;\n if (inf->avail_out != 0)\n flush = Z_FINISH;\n ret = deflate(def, flush);\n assert(ret != Z_STREAM_ERROR);\n } while (ret != Z_STREAM_END && def->avail_out != 0);\n return ret;\n}\n\n#define EXCESS 256 /* empirically determined stream overage */\n#define MARGIN 8 /* amount to back off for completion */\n\n/* compress from stdin to fixed-size block on stdout */\nint main(int argc, char **argv)\n{\n int ret; /* return code */\n unsigned size; /* requested fixed output block size */\n unsigned have; /* bytes written by deflate() call */\n unsigned char *blk; /* intermediate and final stream */\n unsigned char *tmp; /* close to desired size stream */\n z_stream def, inf; /* zlib deflate and inflate states */\n\n /* get requested output size */\n if (argc != 2)\n quit(\"need one argument: size of output block\");\n ret = strtol(argv[1], argv + 1, 10);\n if (argv[1][0] != 0)\n quit(\"argument must be a number\");\n if (ret < 8) /* 8 is minimum zlib stream size */\n quit(\"need positive size of 8 or greater\");\n size = (unsigned)ret;\n\n /* allocate memory for buffers and compression engine */\n blk = malloc(size + EXCESS);\n def.zalloc = Z_NULL;\n def.zfree = Z_NULL;\n def.opaque = Z_NULL;\n ret = deflateInit(&def, Z_DEFAULT_COMPRESSION);\n if (ret != Z_OK || blk == NULL)\n quit(\"out of memory\");\n\n /* compress from stdin until output full, or no more input */\n def.avail_out = size + EXCESS;\n def.next_out = blk;\n ret = partcompress(stdin, &def);\n if (ret == Z_ERRNO)\n quit(\"error reading input\");\n\n /* if it all fit, then size was undersubscribed -- done! */\n if (ret == Z_STREAM_END && def.avail_out >= EXCESS) {\n /* write block to stdout */\n have = size + EXCESS - def.avail_out;\n if (fwrite(blk, 1, have, stdout) != have || ferror(stdout))\n quit(\"error writing output\");\n\n /* clean up and print results to stderr */\n ret = deflateEnd(&def);\n assert(ret != Z_STREAM_ERROR);\n free(blk);\n fprintf(stderr,\n \"%u bytes unused out of %u requested (all input)\\n\",\n size - have, size);\n return 0;\n }\n\n /* it didn't all fit -- set up for recompression */\n inf.zalloc = Z_NULL;\n inf.zfree = Z_NULL;\n inf.opaque = Z_NULL;\n inf.avail_in = 0;\n inf.next_in = Z_NULL;\n ret = inflateInit(&inf);\n tmp = malloc(size + EXCESS);\n if (ret != Z_OK || tmp == NULL)\n quit(\"out of memory\");\n ret = deflateReset(&def);\n assert(ret != Z_STREAM_ERROR);\n\n /* do first recompression close to the right amount */\n inf.avail_in = size + EXCESS;\n inf.next_in = blk;\n def.avail_out = size + EXCESS;\n def.next_out = tmp;\n ret = recompress(&inf, &def);\n if (ret == Z_MEM_ERROR)\n quit(\"out of memory\");\n\n /* set up for next recompression */\n ret = inflateReset(&inf);\n assert(ret != Z_STREAM_ERROR);\n ret = deflateReset(&def);\n assert(ret != Z_STREAM_ERROR);\n\n /* do second and final recompression (third compression) */\n inf.avail_in = size - MARGIN; /* assure stream will complete */\n inf.next_in = tmp;\n def.avail_out = size;\n def.next_out = blk;\n ret = recompress(&inf, &def);\n if (ret == Z_MEM_ERROR)\n quit(\"out of memory\");\n assert(ret == Z_STREAM_END); /* otherwise MARGIN too small */\n\n /* done -- write block to stdout */\n have = size - def.avail_out;\n if (fwrite(blk, 1, have, stdout) != have || ferror(stdout))\n quit(\"error writing output\");\n\n /* clean up and print results to stderr */\n free(tmp);\n ret = inflateEnd(&inf);\n assert(ret != Z_STREAM_ERROR);\n ret = deflateEnd(&def);\n assert(ret != Z_STREAM_ERROR);\n free(blk);\n fprintf(stderr,\n \"%u bytes unused out of %u requested (%lu input)\\n\",\n size - have, size, def.total_in);\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gun.c", "content": "/* gun.c -- simple gunzip to give an example of the use of inflateBack()\n * Copyright (C) 2003, 2005, 2008, 2010, 2012 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n Version 1.7 12 August 2012 Mark Adler */\n\n/* Version history:\n 1.0 16 Feb 2003 First version for testing of inflateBack()\n 1.1 21 Feb 2005 Decompress concatenated gzip streams\n Remove use of \"this\" variable (C++ keyword)\n Fix return value for in()\n Improve allocation failure checking\n Add typecasting for void * structures\n Add -h option for command version and usage\n Add a bunch of comments\n 1.2 20 Mar 2005 Add Unix compress (LZW) decompression\n Copy file attributes from input file to output file\n 1.3 12 Jun 2005 Add casts for error messages [Oberhumer]\n 1.4 8 Dec 2006 LZW decompression speed improvements\n 1.5 9 Feb 2008 Avoid warning in latest version of gcc\n 1.6 17 Jan 2010 Avoid signed/unsigned comparison warnings\n 1.7 12 Aug 2012 Update for z_const usage in zlib 1.2.8\n */\n\n/*\n gun [ -t ] [ name ... ]\n\n decompresses the data in the named gzip files. If no arguments are given,\n gun will decompress from stdin to stdout. The names must end in .gz, -gz,\n .z, -z, _z, or .Z. The uncompressed data will be written to a file name\n with the suffix stripped. On success, the original file is deleted. On\n failure, the output file is deleted. For most failures, the command will\n continue to process the remaining names on the command line. A memory\n allocation failure will abort the command. If -t is specified, then the\n listed files or stdin will be tested as gzip files for integrity (without\n checking for a proper suffix), no output will be written, and no files\n will be deleted.\n\n Like gzip, gun allows concatenated gzip streams and will decompress them,\n writing all of the uncompressed data to the output. Unlike gzip, gun allows\n an empty file on input, and will produce no error writing an empty output\n file.\n\n gun will also decompress files made by Unix compress, which uses LZW\n compression. These files are automatically detected by virtue of their\n magic header bytes. Since the end of Unix compress stream is marked by the\n end-of-file, they cannot be concatenated. If a Unix compress stream is\n encountered in an input file, it is the last stream in that file.\n\n Like gunzip and uncompress, the file attributes of the original compressed\n file are maintained in the final uncompressed file, to the extent that the\n user permissions allow it.\n\n On my Mac OS X PowerPC G4, gun is almost twice as fast as gunzip (version\n 1.2.4) is on the same file, when gun is linked with zlib 1.2.2. Also the\n LZW decompression provided by gun is about twice as fast as the standard\n Unix uncompress command.\n */\n\n/* external functions and related types and constants */\n#include /* fprintf() */\n#include /* malloc(), free() */\n#include /* strerror(), strcmp(), strlen(), memcpy() */\n#include /* errno */\n#include /* open() */\n#include /* read(), write(), close(), chown(), unlink() */\n#include \n#include /* stat(), chmod() */\n#include /* utime() */\n#include \"zlib.h\" /* inflateBackInit(), inflateBack(), */\n /* inflateBackEnd(), crc32() */\n\n/* function declaration */\n#define local static\n\n/* buffer constants */\n#define SIZE 32768U /* input and output buffer sizes */\n#define PIECE 16384 /* limits i/o chunks for 16-bit int case */\n\n/* structure for infback() to pass to input function in() -- it maintains the\n input file and a buffer of size SIZE */\nstruct ind {\n int infile;\n unsigned char *inbuf;\n};\n\n/* Load input buffer, assumed to be empty, and return bytes loaded and a\n pointer to them. read() is called until the buffer is full, or until it\n returns end-of-file or error. Return 0 on error. */\nlocal unsigned in(void *in_desc, z_const unsigned char **buf)\n{\n int ret;\n unsigned len;\n unsigned char *next;\n struct ind *me = (struct ind *)in_desc;\n\n next = me->inbuf;\n *buf = next;\n len = 0;\n do {\n ret = PIECE;\n if ((unsigned)ret > SIZE - len)\n ret = (int)(SIZE - len);\n ret = (int)read(me->infile, next, ret);\n if (ret == -1) {\n len = 0;\n break;\n }\n next += ret;\n len += ret;\n } while (ret != 0 && len < SIZE);\n return len;\n}\n\n/* structure for infback() to pass to output function out() -- it maintains the\n output file, a running CRC-32 check on the output and the total number of\n bytes output, both for checking against the gzip trailer. (The length in\n the gzip trailer is stored modulo 2^32, so it's ok if a long is 32 bits and\n the output is greater than 4 GB.) */\nstruct outd {\n int outfile;\n int check; /* true if checking crc and total */\n unsigned long crc;\n unsigned long total;\n};\n\n/* Write output buffer and update the CRC-32 and total bytes written. write()\n is called until all of the output is written or an error is encountered.\n On success out() returns 0. For a write failure, out() returns 1. If the\n output file descriptor is -1, then nothing is written.\n */\nlocal int out(void *out_desc, unsigned char *buf, unsigned len)\n{\n int ret;\n struct outd *me = (struct outd *)out_desc;\n\n if (me->check) {\n me->crc = crc32(me->crc, buf, len);\n me->total += len;\n }\n if (me->outfile != -1)\n do {\n ret = PIECE;\n if ((unsigned)ret > len)\n ret = (int)len;\n ret = (int)write(me->outfile, buf, ret);\n if (ret == -1)\n return 1;\n buf += ret;\n len -= ret;\n } while (len != 0);\n return 0;\n}\n\n/* next input byte macro for use inside lunpipe() and gunpipe() */\n#define NEXT() (have ? 0 : (have = in(indp, &next)), \\\n last = have ? (have--, (int)(*next++)) : -1)\n\n/* memory for gunpipe() and lunpipe() --\n the first 256 entries of prefix[] and suffix[] are never used, could\n have offset the index, but it's faster to waste the memory */\nunsigned char inbuf[SIZE]; /* input buffer */\nunsigned char outbuf[SIZE]; /* output buffer */\nunsigned short prefix[65536]; /* index to LZW prefix string */\nunsigned char suffix[65536]; /* one-character LZW suffix */\nunsigned char match[65280 + 2]; /* buffer for reversed match or gzip\n 32K sliding window */\n\n/* throw out what's left in the current bits byte buffer (this is a vestigial\n aspect of the compressed data format derived from an implementation that\n made use of a special VAX machine instruction!) */\n#define FLUSHCODE() \\\n do { \\\n left = 0; \\\n rem = 0; \\\n if (chunk > have) { \\\n chunk -= have; \\\n have = 0; \\\n if (NEXT() == -1) \\\n break; \\\n chunk--; \\\n if (chunk > have) { \\\n chunk = have = 0; \\\n break; \\\n } \\\n } \\\n have -= chunk; \\\n next += chunk; \\\n chunk = 0; \\\n } while (0)\n\n/* Decompress a compress (LZW) file from indp to outfile. The compress magic\n header (two bytes) has already been read and verified. There are have bytes\n of buffered input at next. strm is used for passing error information back\n to gunpipe().\n\n lunpipe() will return Z_OK on success, Z_BUF_ERROR for an unexpected end of\n file, read error, or write error (a write error indicated by strm->next_in\n not equal to Z_NULL), or Z_DATA_ERROR for invalid input.\n */\nlocal int lunpipe(unsigned have, z_const unsigned char *next, struct ind *indp,\n int outfile, z_stream *strm)\n{\n int last; /* last byte read by NEXT(), or -1 if EOF */\n unsigned chunk; /* bytes left in current chunk */\n int left; /* bits left in rem */\n unsigned rem; /* unused bits from input */\n int bits; /* current bits per code */\n unsigned code; /* code, table traversal index */\n unsigned mask; /* mask for current bits codes */\n int max; /* maximum bits per code for this stream */\n unsigned flags; /* compress flags, then block compress flag */\n unsigned end; /* last valid entry in prefix/suffix tables */\n unsigned temp; /* current code */\n unsigned prev; /* previous code */\n unsigned final; /* last character written for previous code */\n unsigned stack; /* next position for reversed string */\n unsigned outcnt; /* bytes in output buffer */\n struct outd outd; /* output structure */\n unsigned char *p;\n\n /* set up output */\n outd.outfile = outfile;\n outd.check = 0;\n\n /* process remainder of compress header -- a flags byte */\n flags = NEXT();\n if (last == -1)\n return Z_BUF_ERROR;\n if (flags & 0x60) {\n strm->msg = (char *)\"unknown lzw flags set\";\n return Z_DATA_ERROR;\n }\n max = flags & 0x1f;\n if (max < 9 || max > 16) {\n strm->msg = (char *)\"lzw bits out of range\";\n return Z_DATA_ERROR;\n }\n if (max == 9) /* 9 doesn't really mean 9 */\n max = 10;\n flags &= 0x80; /* true if block compress */\n\n /* clear table */\n bits = 9;\n mask = 0x1ff;\n end = flags ? 256 : 255;\n\n /* set up: get first 9-bit code, which is the first decompressed byte, but\n don't create a table entry until the next code */\n if (NEXT() == -1) /* no compressed data is ok */\n return Z_OK;\n final = prev = (unsigned)last; /* low 8 bits of code */\n if (NEXT() == -1) /* missing a bit */\n return Z_BUF_ERROR;\n if (last & 1) { /* code must be < 256 */\n strm->msg = (char *)\"invalid lzw code\";\n return Z_DATA_ERROR;\n }\n rem = (unsigned)last >> 1; /* remaining 7 bits */\n left = 7;\n chunk = bits - 2; /* 7 bytes left in this chunk */\n outbuf[0] = (unsigned char)final; /* write first decompressed byte */\n outcnt = 1;\n\n /* decode codes */\n stack = 0;\n for (;;) {\n /* if the table will be full after this, increment the code size */\n if (end >= mask && bits < max) {\n FLUSHCODE();\n bits++;\n mask <<= 1;\n mask++;\n }\n\n /* get a code of length bits */\n if (chunk == 0) /* decrement chunk modulo bits */\n chunk = bits;\n code = rem; /* low bits of code */\n if (NEXT() == -1) { /* EOF is end of compressed data */\n /* write remaining buffered output */\n if (outcnt && out(&outd, outbuf, outcnt)) {\n strm->next_in = outbuf; /* signal write error */\n return Z_BUF_ERROR;\n }\n return Z_OK;\n }\n code += (unsigned)last << left; /* middle (or high) bits of code */\n left += 8;\n chunk--;\n if (bits > left) { /* need more bits */\n if (NEXT() == -1) /* can't end in middle of code */\n return Z_BUF_ERROR;\n code += (unsigned)last << left; /* high bits of code */\n left += 8;\n chunk--;\n }\n code &= mask; /* mask to current code length */\n left -= bits; /* number of unused bits */\n rem = (unsigned)last >> (8 - left); /* unused bits from last byte */\n\n /* process clear code (256) */\n if (code == 256 && flags) {\n FLUSHCODE();\n bits = 9; /* initialize bits and mask */\n mask = 0x1ff;\n end = 255; /* empty table */\n continue; /* get next code */\n }\n\n /* special code to reuse last match */\n temp = code; /* save the current code */\n if (code > end) {\n /* Be picky on the allowed code here, and make sure that the code\n we drop through (prev) will be a valid index so that random\n input does not cause an exception. The code != end + 1 check is\n empirically derived, and not checked in the original uncompress\n code. If this ever causes a problem, that check could be safely\n removed. Leaving this check in greatly improves gun's ability\n to detect random or corrupted input after a compress header.\n In any case, the prev > end check must be retained. */\n if (code != end + 1 || prev > end) {\n strm->msg = (char *)\"invalid lzw code\";\n return Z_DATA_ERROR;\n }\n match[stack++] = (unsigned char)final;\n code = prev;\n }\n\n /* walk through linked list to generate output in reverse order */\n p = match + stack;\n while (code >= 256) {\n *p++ = suffix[code];\n code = prefix[code];\n }\n stack = p - match;\n match[stack++] = (unsigned char)code;\n final = code;\n\n /* link new table entry */\n if (end < mask) {\n end++;\n prefix[end] = (unsigned short)prev;\n suffix[end] = (unsigned char)final;\n }\n\n /* set previous code for next iteration */\n prev = temp;\n\n /* write output in forward order */\n while (stack > SIZE - outcnt) {\n while (outcnt < SIZE)\n outbuf[outcnt++] = match[--stack];\n if (out(&outd, outbuf, outcnt)) {\n strm->next_in = outbuf; /* signal write error */\n return Z_BUF_ERROR;\n }\n outcnt = 0;\n }\n p = match + stack;\n do {\n outbuf[outcnt++] = *--p;\n } while (p > match);\n stack = 0;\n\n /* loop for next code with final and prev as the last match, rem and\n left provide the first 0..7 bits of the next code, end is the last\n valid table entry */\n }\n}\n\n/* Decompress a gzip file from infile to outfile. strm is assumed to have been\n successfully initialized with inflateBackInit(). The input file may consist\n of a series of gzip streams, in which case all of them will be decompressed\n to the output file. If outfile is -1, then the gzip stream(s) integrity is\n checked and nothing is written.\n\n The return value is a zlib error code: Z_MEM_ERROR if out of memory,\n Z_DATA_ERROR if the header or the compressed data is invalid, or if the\n trailer CRC-32 check or length doesn't match, Z_BUF_ERROR if the input ends\n prematurely or a write error occurs, or Z_ERRNO if junk (not a another gzip\n stream) follows a valid gzip stream.\n */\nlocal int gunpipe(z_stream *strm, int infile, int outfile)\n{\n int ret, first, last;\n unsigned have, flags, len;\n z_const unsigned char *next = NULL;\n struct ind ind, *indp;\n struct outd outd;\n\n /* setup input buffer */\n ind.infile = infile;\n ind.inbuf = inbuf;\n indp = &ind;\n\n /* decompress concatenated gzip streams */\n have = 0; /* no input data read in yet */\n first = 1; /* looking for first gzip header */\n strm->next_in = Z_NULL; /* so Z_BUF_ERROR means EOF */\n for (;;) {\n /* look for the two magic header bytes for a gzip stream */\n if (NEXT() == -1) {\n ret = Z_OK;\n break; /* empty gzip stream is ok */\n }\n if (last != 31 || (NEXT() != 139 && last != 157)) {\n strm->msg = (char *)\"incorrect header check\";\n ret = first ? Z_DATA_ERROR : Z_ERRNO;\n break; /* not a gzip or compress header */\n }\n first = 0; /* next non-header is junk */\n\n /* process a compress (LZW) file -- can't be concatenated after this */\n if (last == 157) {\n ret = lunpipe(have, next, indp, outfile, strm);\n break;\n }\n\n /* process remainder of gzip header */\n ret = Z_BUF_ERROR;\n if (NEXT() != 8) { /* only deflate method allowed */\n if (last == -1) break;\n strm->msg = (char *)\"unknown compression method\";\n ret = Z_DATA_ERROR;\n break;\n }\n flags = NEXT(); /* header flags */\n NEXT(); /* discard mod time, xflgs, os */\n NEXT();\n NEXT();\n NEXT();\n NEXT();\n NEXT();\n if (last == -1) break;\n if (flags & 0xe0) {\n strm->msg = (char *)\"unknown header flags set\";\n ret = Z_DATA_ERROR;\n break;\n }\n if (flags & 4) { /* extra field */\n len = NEXT();\n len += (unsigned)(NEXT()) << 8;\n if (last == -1) break;\n while (len > have) {\n len -= have;\n have = 0;\n if (NEXT() == -1) break;\n len--;\n }\n if (last == -1) break;\n have -= len;\n next += len;\n }\n if (flags & 8) /* file name */\n while (NEXT() != 0 && last != -1)\n ;\n if (flags & 16) /* comment */\n while (NEXT() != 0 && last != -1)\n ;\n if (flags & 2) { /* header crc */\n NEXT();\n NEXT();\n }\n if (last == -1) break;\n\n /* set up output */\n outd.outfile = outfile;\n outd.check = 1;\n outd.crc = crc32(0L, Z_NULL, 0);\n outd.total = 0;\n\n /* decompress data to output */\n strm->next_in = next;\n strm->avail_in = have;\n ret = inflateBack(strm, in, indp, out, &outd);\n if (ret != Z_STREAM_END) break;\n next = strm->next_in;\n have = strm->avail_in;\n strm->next_in = Z_NULL; /* so Z_BUF_ERROR means EOF */\n\n /* check trailer */\n ret = Z_BUF_ERROR;\n if (NEXT() != (int)(outd.crc & 0xff) ||\n NEXT() != (int)((outd.crc >> 8) & 0xff) ||\n NEXT() != (int)((outd.crc >> 16) & 0xff) ||\n NEXT() != (int)((outd.crc >> 24) & 0xff)) {\n /* crc error */\n if (last != -1) {\n strm->msg = (char *)\"incorrect data check\";\n ret = Z_DATA_ERROR;\n }\n break;\n }\n if (NEXT() != (int)(outd.total & 0xff) ||\n NEXT() != (int)((outd.total >> 8) & 0xff) ||\n NEXT() != (int)((outd.total >> 16) & 0xff) ||\n NEXT() != (int)((outd.total >> 24) & 0xff)) {\n /* length error */\n if (last != -1) {\n strm->msg = (char *)\"incorrect length check\";\n ret = Z_DATA_ERROR;\n }\n break;\n }\n\n /* go back and look for another gzip stream */\n }\n\n /* clean up and return */\n return ret;\n}\n\n/* Copy file attributes, from -> to, as best we can. This is best effort, so\n no errors are reported. The mode bits, including suid, sgid, and the sticky\n bit are copied (if allowed), the owner's user id and group id are copied\n (again if allowed), and the access and modify times are copied. */\nlocal void copymeta(char *from, char *to)\n{\n struct stat was;\n struct utimbuf when;\n\n /* get all of from's Unix meta data, return if not a regular file */\n if (stat(from, &was) != 0 || (was.st_mode & S_IFMT) != S_IFREG)\n return;\n\n /* set to's mode bits, ignore errors */\n (void)chmod(to, was.st_mode & 07777);\n\n /* copy owner's user and group, ignore errors */\n (void)chown(to, was.st_uid, was.st_gid);\n\n /* copy access and modify times, ignore errors */\n when.actime = was.st_atime;\n when.modtime = was.st_mtime;\n (void)utime(to, &when);\n}\n\n/* Decompress the file inname to the file outnname, of if test is true, just\n decompress without writing and check the gzip trailer for integrity. If\n inname is NULL or an empty string, read from stdin. If outname is NULL or\n an empty string, write to stdout. strm is a pre-initialized inflateBack\n structure. When appropriate, copy the file attributes from inname to\n outname.\n\n gunzip() returns 1 if there is an out-of-memory error or an unexpected\n return code from gunpipe(). Otherwise it returns 0.\n */\nlocal int gunzip(z_stream *strm, char *inname, char *outname, int test)\n{\n int ret;\n int infile, outfile;\n\n /* open files */\n if (inname == NULL || *inname == 0) {\n inname = \"-\";\n infile = 0; /* stdin */\n }\n else {\n infile = open(inname, O_RDONLY, 0);\n if (infile == -1) {\n fprintf(stderr, \"gun cannot open %s\\n\", inname);\n return 0;\n }\n }\n if (test)\n outfile = -1;\n else if (outname == NULL || *outname == 0) {\n outname = \"-\";\n outfile = 1; /* stdout */\n }\n else {\n outfile = open(outname, O_CREAT | O_TRUNC | O_WRONLY, 0666);\n if (outfile == -1) {\n close(infile);\n fprintf(stderr, \"gun cannot create %s\\n\", outname);\n return 0;\n }\n }\n errno = 0;\n\n /* decompress */\n ret = gunpipe(strm, infile, outfile);\n if (outfile > 2) close(outfile);\n if (infile > 2) close(infile);\n\n /* interpret result */\n switch (ret) {\n case Z_OK:\n case Z_ERRNO:\n if (infile > 2 && outfile > 2) {\n copymeta(inname, outname); /* copy attributes */\n unlink(inname);\n }\n if (ret == Z_ERRNO)\n fprintf(stderr, \"gun warning: trailing garbage ignored in %s\\n\",\n inname);\n break;\n case Z_DATA_ERROR:\n if (outfile > 2) unlink(outname);\n fprintf(stderr, \"gun data error on %s: %s\\n\", inname, strm->msg);\n break;\n case Z_MEM_ERROR:\n if (outfile > 2) unlink(outname);\n fprintf(stderr, \"gun out of memory error--aborting\\n\");\n return 1;\n case Z_BUF_ERROR:\n if (outfile > 2) unlink(outname);\n if (strm->next_in != Z_NULL) {\n fprintf(stderr, \"gun write error on %s: %s\\n\",\n outname, strerror(errno));\n }\n else if (errno) {\n fprintf(stderr, \"gun read error on %s: %s\\n\",\n inname, strerror(errno));\n }\n else {\n fprintf(stderr, \"gun unexpected end of file on %s\\n\",\n inname);\n }\n break;\n default:\n if (outfile > 2) unlink(outname);\n fprintf(stderr, \"gun internal error--aborting\\n\");\n return 1;\n }\n return 0;\n}\n\n/* Process the gun command line arguments. See the command syntax near the\n beginning of this source file. */\nint main(int argc, char **argv)\n{\n int ret, len, test;\n char *outname;\n unsigned char *window;\n z_stream strm;\n\n /* initialize inflateBack state for repeated use */\n window = match; /* reuse LZW match buffer */\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n ret = inflateBackInit(&strm, 15, window);\n if (ret != Z_OK) {\n fprintf(stderr, \"gun out of memory error--aborting\\n\");\n return 1;\n }\n\n /* decompress each file to the same name with the suffix removed */\n argc--;\n argv++;\n test = 0;\n if (argc && strcmp(*argv, \"-h\") == 0) {\n fprintf(stderr, \"gun 1.6 (17 Jan 2010)\\n\");\n fprintf(stderr, \"Copyright (C) 2003-2010 Mark Adler\\n\");\n fprintf(stderr, \"usage: gun [-t] [file1.gz [file2.Z ...]]\\n\");\n return 0;\n }\n if (argc && strcmp(*argv, \"-t\") == 0) {\n test = 1;\n argc--;\n argv++;\n }\n if (argc)\n do {\n if (test)\n outname = NULL;\n else {\n len = (int)strlen(*argv);\n if (strcmp(*argv + len - 3, \".gz\") == 0 ||\n strcmp(*argv + len - 3, \"-gz\") == 0)\n len -= 3;\n else if (strcmp(*argv + len - 2, \".z\") == 0 ||\n strcmp(*argv + len - 2, \"-z\") == 0 ||\n strcmp(*argv + len - 2, \"_z\") == 0 ||\n strcmp(*argv + len - 2, \".Z\") == 0)\n len -= 2;\n else {\n fprintf(stderr, \"gun error: no gz type on %s--skipping\\n\",\n *argv);\n continue;\n }\n outname = malloc(len + 1);\n if (outname == NULL) {\n fprintf(stderr, \"gun out of memory error--aborting\\n\");\n ret = 1;\n break;\n }\n memcpy(outname, *argv, len);\n outname[len] = 0;\n }\n ret = gunzip(&strm, *argv, outname, test);\n if (outname != NULL) free(outname);\n if (ret) break;\n } while (argv++, --argc);\n else\n ret = gunzip(&strm, NULL, NULL, test);\n\n /* clean up */\n inflateBackEnd(&strm);\n return ret;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzappend.c", "content": "/* gzappend -- command to append to a gzip file\n\n Copyright (C) 2003, 2012 Mark Adler, all rights reserved\n version 1.2, 11 Oct 2012\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the author be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Mark Adler madler@alumni.caltech.edu\n */\n\n/*\n * Change history:\n *\n * 1.0 19 Oct 2003 - First version\n * 1.1 4 Nov 2003 - Expand and clarify some comments and notes\n * - Add version and copyright to help\n * - Send help to stdout instead of stderr\n * - Add some preemptive typecasts\n * - Add L to constants in lseek() calls\n * - Remove some debugging information in error messages\n * - Use new data_type definition for zlib 1.2.1\n * - Simplify and unify file operations\n * - Finish off gzip file in gztack()\n * - Use deflatePrime() instead of adding empty blocks\n * - Keep gzip file clean on appended file read errors\n * - Use in-place rotate instead of auxiliary buffer\n * (Why you ask? Because it was fun to write!)\n * 1.2 11 Oct 2012 - Fix for proper z_const usage\n * - Check for input buffer malloc failure\n */\n\n/*\n gzappend takes a gzip file and appends to it, compressing files from the\n command line or data from stdin. The gzip file is written to directly, to\n avoid copying that file, in case it's large. Note that this results in the\n unfriendly behavior that if gzappend fails, the gzip file is corrupted.\n\n This program was written to illustrate the use of the new Z_BLOCK option of\n zlib 1.2.x's inflate() function. This option returns from inflate() at each\n block boundary to facilitate locating and modifying the last block bit at\n the start of the final deflate block. Also whether using Z_BLOCK or not,\n another required feature of zlib 1.2.x is that inflate() now provides the\n number of unused bits in the last input byte used. gzappend will not work\n with versions of zlib earlier than 1.2.1.\n\n gzappend first decompresses the gzip file internally, discarding all but\n the last 32K of uncompressed data, and noting the location of the last block\n bit and the number of unused bits in the last byte of the compressed data.\n The gzip trailer containing the CRC-32 and length of the uncompressed data\n is verified. This trailer will be later overwritten.\n\n Then the last block bit is cleared by seeking back in the file and rewriting\n the byte that contains it. Seeking forward, the last byte of the compressed\n data is saved along with the number of unused bits to initialize deflate.\n\n A deflate process is initialized, using the last 32K of the uncompressed\n data from the gzip file to initialize the dictionary. If the total\n uncompressed data was less than 32K, then all of it is used to initialize\n the dictionary. The deflate output bit buffer is also initialized with the\n last bits from the original deflate stream. From here on, the data to\n append is simply compressed using deflate, and written to the gzip file.\n When that is complete, the new CRC-32 and uncompressed length are written\n as the trailer of the gzip file.\n */\n\n#include \n#include \n#include \n#include \n#include \n#include \"zlib.h\"\n\n#define local static\n#define LGCHUNK 14\n#define CHUNK (1U << LGCHUNK)\n#define DSIZE 32768U\n\n/* print an error message and terminate with extreme prejudice */\nlocal void bye(char *msg1, char *msg2)\n{\n fprintf(stderr, \"gzappend error: %s%s\\n\", msg1, msg2);\n exit(1);\n}\n\n/* return the greatest common divisor of a and b using Euclid's algorithm,\n modified to be fast when one argument much greater than the other, and\n coded to avoid unnecessary swapping */\nlocal unsigned gcd(unsigned a, unsigned b)\n{\n unsigned c;\n\n while (a && b)\n if (a > b) {\n c = b;\n while (a - c >= c)\n c <<= 1;\n a -= c;\n }\n else {\n c = a;\n while (b - c >= c)\n c <<= 1;\n b -= c;\n }\n return a + b;\n}\n\n/* rotate list[0..len-1] left by rot positions, in place */\nlocal void rotate(unsigned char *list, unsigned len, unsigned rot)\n{\n unsigned char tmp;\n unsigned cycles;\n unsigned char *start, *last, *to, *from;\n\n /* normalize rot and handle degenerate cases */\n if (len < 2) return;\n if (rot >= len) rot %= len;\n if (rot == 0) return;\n\n /* pointer to last entry in list */\n last = list + (len - 1);\n\n /* do simple left shift by one */\n if (rot == 1) {\n tmp = *list;\n memmove(list, list + 1, len - 1);\n *last = tmp;\n return;\n }\n\n /* do simple right shift by one */\n if (rot == len - 1) {\n tmp = *last;\n memmove(list + 1, list, len - 1);\n *list = tmp;\n return;\n }\n\n /* otherwise do rotate as a set of cycles in place */\n cycles = gcd(len, rot); /* number of cycles */\n do {\n start = from = list + cycles; /* start index is arbitrary */\n tmp = *from; /* save entry to be overwritten */\n for (;;) {\n to = from; /* next step in cycle */\n from += rot; /* go right rot positions */\n if (from > last) from -= len; /* (pointer better not wrap) */\n if (from == start) break; /* all but one shifted */\n *to = *from; /* shift left */\n }\n *to = tmp; /* complete the circle */\n } while (--cycles);\n}\n\n/* structure for gzip file read operations */\ntypedef struct {\n int fd; /* file descriptor */\n int size; /* 1 << size is bytes in buf */\n unsigned left; /* bytes available at next */\n unsigned char *buf; /* buffer */\n z_const unsigned char *next; /* next byte in buffer */\n char *name; /* file name for error messages */\n} file;\n\n/* reload buffer */\nlocal int readin(file *in)\n{\n int len;\n\n len = read(in->fd, in->buf, 1 << in->size);\n if (len == -1) bye(\"error reading \", in->name);\n in->left = (unsigned)len;\n in->next = in->buf;\n return len;\n}\n\n/* read from file in, exit if end-of-file */\nlocal int readmore(file *in)\n{\n if (readin(in) == 0) bye(\"unexpected end of \", in->name);\n return 0;\n}\n\n#define read1(in) (in->left == 0 ? readmore(in) : 0, \\\n in->left--, *(in->next)++)\n\n/* skip over n bytes of in */\nlocal void skip(file *in, unsigned n)\n{\n unsigned bypass;\n\n if (n > in->left) {\n n -= in->left;\n bypass = n & ~((1U << in->size) - 1);\n if (bypass) {\n if (lseek(in->fd, (off_t)bypass, SEEK_CUR) == -1)\n bye(\"seeking \", in->name);\n n -= bypass;\n }\n readmore(in);\n if (n > in->left)\n bye(\"unexpected end of \", in->name);\n }\n in->left -= n;\n in->next += n;\n}\n\n/* read a four-byte unsigned integer, little-endian, from in */\nunsigned long read4(file *in)\n{\n unsigned long val;\n\n val = read1(in);\n val += (unsigned)read1(in) << 8;\n val += (unsigned long)read1(in) << 16;\n val += (unsigned long)read1(in) << 24;\n return val;\n}\n\n/* skip over gzip header */\nlocal void gzheader(file *in)\n{\n int flags;\n unsigned n;\n\n if (read1(in) != 31 || read1(in) != 139) bye(in->name, \" not a gzip file\");\n if (read1(in) != 8) bye(\"unknown compression method in\", in->name);\n flags = read1(in);\n if (flags & 0xe0) bye(\"unknown header flags set in\", in->name);\n skip(in, 6);\n if (flags & 4) {\n n = read1(in);\n n += (unsigned)(read1(in)) << 8;\n skip(in, n);\n }\n if (flags & 8) while (read1(in) != 0) ;\n if (flags & 16) while (read1(in) != 0) ;\n if (flags & 2) skip(in, 2);\n}\n\n/* decompress gzip file \"name\", return strm with a deflate stream ready to\n continue compression of the data in the gzip file, and return a file\n descriptor pointing to where to write the compressed data -- the deflate\n stream is initialized to compress using level \"level\" */\nlocal int gzscan(char *name, z_stream *strm, int level)\n{\n int ret, lastbit, left, full;\n unsigned have;\n unsigned long crc, tot;\n unsigned char *window;\n off_t lastoff, end;\n file gz;\n\n /* open gzip file */\n gz.name = name;\n gz.fd = open(name, O_RDWR, 0);\n if (gz.fd == -1) bye(\"cannot open \", name);\n gz.buf = malloc(CHUNK);\n if (gz.buf == NULL) bye(\"out of memory\", \"\");\n gz.size = LGCHUNK;\n gz.left = 0;\n\n /* skip gzip header */\n gzheader(&gz);\n\n /* prepare to decompress */\n window = malloc(DSIZE);\n if (window == NULL) bye(\"out of memory\", \"\");\n strm->zalloc = Z_NULL;\n strm->zfree = Z_NULL;\n strm->opaque = Z_NULL;\n ret = inflateInit2(strm, -15);\n if (ret != Z_OK) bye(\"out of memory\", \" or library mismatch\");\n\n /* decompress the deflate stream, saving append information */\n lastbit = 0;\n lastoff = lseek(gz.fd, 0L, SEEK_CUR) - gz.left;\n left = 0;\n strm->avail_in = gz.left;\n strm->next_in = gz.next;\n crc = crc32(0L, Z_NULL, 0);\n have = full = 0;\n do {\n /* if needed, get more input */\n if (strm->avail_in == 0) {\n readmore(&gz);\n strm->avail_in = gz.left;\n strm->next_in = gz.next;\n }\n\n /* set up output to next available section of sliding window */\n strm->avail_out = DSIZE - have;\n strm->next_out = window + have;\n\n /* inflate and check for errors */\n ret = inflate(strm, Z_BLOCK);\n if (ret == Z_STREAM_ERROR) bye(\"internal stream error!\", \"\");\n if (ret == Z_MEM_ERROR) bye(\"out of memory\", \"\");\n if (ret == Z_DATA_ERROR)\n bye(\"invalid compressed data--format violated in\", name);\n\n /* update crc and sliding window pointer */\n crc = crc32(crc, window + have, DSIZE - have - strm->avail_out);\n if (strm->avail_out)\n have = DSIZE - strm->avail_out;\n else {\n have = 0;\n full = 1;\n }\n\n /* process end of block */\n if (strm->data_type & 128) {\n if (strm->data_type & 64)\n left = strm->data_type & 0x1f;\n else {\n lastbit = strm->data_type & 0x1f;\n lastoff = lseek(gz.fd, 0L, SEEK_CUR) - strm->avail_in;\n }\n }\n } while (ret != Z_STREAM_END);\n inflateEnd(strm);\n gz.left = strm->avail_in;\n gz.next = strm->next_in;\n\n /* save the location of the end of the compressed data */\n end = lseek(gz.fd, 0L, SEEK_CUR) - gz.left;\n\n /* check gzip trailer and save total for deflate */\n if (crc != read4(&gz))\n bye(\"invalid compressed data--crc mismatch in \", name);\n tot = strm->total_out;\n if ((tot & 0xffffffffUL) != read4(&gz))\n bye(\"invalid compressed data--length mismatch in\", name);\n\n /* if not at end of file, warn */\n if (gz.left || readin(&gz))\n fprintf(stderr,\n \"gzappend warning: junk at end of gzip file overwritten\\n\");\n\n /* clear last block bit */\n lseek(gz.fd, lastoff - (lastbit != 0), SEEK_SET);\n if (read(gz.fd, gz.buf, 1) != 1) bye(\"reading after seek on \", name);\n *gz.buf = (unsigned char)(*gz.buf ^ (1 << ((8 - lastbit) & 7)));\n lseek(gz.fd, -1L, SEEK_CUR);\n if (write(gz.fd, gz.buf, 1) != 1) bye(\"writing after seek to \", name);\n\n /* if window wrapped, build dictionary from window by rotating */\n if (full) {\n rotate(window, DSIZE, have);\n have = DSIZE;\n }\n\n /* set up deflate stream with window, crc, total_in, and leftover bits */\n ret = deflateInit2(strm, level, Z_DEFLATED, -15, 8, Z_DEFAULT_STRATEGY);\n if (ret != Z_OK) bye(\"out of memory\", \"\");\n deflateSetDictionary(strm, window, have);\n strm->adler = crc;\n strm->total_in = tot;\n if (left) {\n lseek(gz.fd, --end, SEEK_SET);\n if (read(gz.fd, gz.buf, 1) != 1) bye(\"reading after seek on \", name);\n deflatePrime(strm, 8 - left, *gz.buf);\n }\n lseek(gz.fd, end, SEEK_SET);\n\n /* clean up and return */\n free(window);\n free(gz.buf);\n return gz.fd;\n}\n\n/* append file \"name\" to gzip file gd using deflate stream strm -- if last\n is true, then finish off the deflate stream at the end */\nlocal void gztack(char *name, int gd, z_stream *strm, int last)\n{\n int fd, len, ret;\n unsigned left;\n unsigned char *in, *out;\n\n /* open file to compress and append */\n fd = 0;\n if (name != NULL) {\n fd = open(name, O_RDONLY, 0);\n if (fd == -1)\n fprintf(stderr, \"gzappend warning: %s not found, skipping ...\\n\",\n name);\n }\n\n /* allocate buffers */\n in = malloc(CHUNK);\n out = malloc(CHUNK);\n if (in == NULL || out == NULL) bye(\"out of memory\", \"\");\n\n /* compress input file and append to gzip file */\n do {\n /* get more input */\n len = read(fd, in, CHUNK);\n if (len == -1) {\n fprintf(stderr,\n \"gzappend warning: error reading %s, skipping rest ...\\n\",\n name);\n len = 0;\n }\n strm->avail_in = (unsigned)len;\n strm->next_in = in;\n if (len) strm->adler = crc32(strm->adler, in, (unsigned)len);\n\n /* compress and write all available output */\n do {\n strm->avail_out = CHUNK;\n strm->next_out = out;\n ret = deflate(strm, last && len == 0 ? Z_FINISH : Z_NO_FLUSH);\n left = CHUNK - strm->avail_out;\n while (left) {\n len = write(gd, out + CHUNK - strm->avail_out - left, left);\n if (len == -1) bye(\"writing gzip file\", \"\");\n left -= (unsigned)len;\n }\n } while (strm->avail_out == 0 && ret != Z_STREAM_END);\n } while (len != 0);\n\n /* write trailer after last entry */\n if (last) {\n deflateEnd(strm);\n out[0] = (unsigned char)(strm->adler);\n out[1] = (unsigned char)(strm->adler >> 8);\n out[2] = (unsigned char)(strm->adler >> 16);\n out[3] = (unsigned char)(strm->adler >> 24);\n out[4] = (unsigned char)(strm->total_in);\n out[5] = (unsigned char)(strm->total_in >> 8);\n out[6] = (unsigned char)(strm->total_in >> 16);\n out[7] = (unsigned char)(strm->total_in >> 24);\n len = 8;\n do {\n ret = write(gd, out + 8 - len, len);\n if (ret == -1) bye(\"writing gzip file\", \"\");\n len -= ret;\n } while (len);\n close(gd);\n }\n\n /* clean up and return */\n free(out);\n free(in);\n if (fd > 0) close(fd);\n}\n\n/* process the compression level option if present, scan the gzip file, and\n append the specified files, or append the data from stdin if no other file\n names are provided on the command line -- the gzip file must be writable\n and seekable */\nint main(int argc, char **argv)\n{\n int gd, level;\n z_stream strm;\n\n /* ignore command name */\n argc--; argv++;\n\n /* provide usage if no arguments */\n if (*argv == NULL) {\n printf(\n \"gzappend 1.2 (11 Oct 2012) Copyright (C) 2003, 2012 Mark Adler\\n\"\n );\n printf(\n \"usage: gzappend [-level] file.gz [ addthis [ andthis ... ]]\\n\");\n return 0;\n }\n\n /* set compression level */\n level = Z_DEFAULT_COMPRESSION;\n if (argv[0][0] == '-') {\n if (argv[0][1] < '0' || argv[0][1] > '9' || argv[0][2] != 0)\n bye(\"invalid compression level\", \"\");\n level = argv[0][1] - '0';\n if (*++argv == NULL) bye(\"no gzip file name after options\", \"\");\n }\n\n /* prepare to append to gzip file */\n gd = gzscan(*argv++, &strm, level);\n\n /* append files on command line, or from stdin if none */\n if (*argv == NULL)\n gztack(NULL, gd, &strm, 1);\n else\n do {\n gztack(*argv, gd, &strm, argv[1] == NULL);\n } while (*++argv != NULL);\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzjoin.c", "content": "/* gzjoin -- command to join gzip files into one gzip file\n\n Copyright (C) 2004, 2005, 2012 Mark Adler, all rights reserved\n version 1.2, 14 Aug 2012\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the author be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Mark Adler madler@alumni.caltech.edu\n */\n\n/*\n * Change history:\n *\n * 1.0 11 Dec 2004 - First version\n * 1.1 12 Jun 2005 - Changed ssize_t to long for portability\n * 1.2 14 Aug 2012 - Clean up for z_const usage\n */\n\n/*\n gzjoin takes one or more gzip files on the command line and writes out a\n single gzip file that will uncompress to the concatenation of the\n uncompressed data from the individual gzip files. gzjoin does this without\n having to recompress any of the data and without having to calculate a new\n crc32 for the concatenated uncompressed data. gzjoin does however have to\n decompress all of the input data in order to find the bits in the compressed\n data that need to be modified to concatenate the streams.\n\n gzjoin does not do an integrity check on the input gzip files other than\n checking the gzip header and decompressing the compressed data. They are\n otherwise assumed to be complete and correct.\n\n Each joint between gzip files removes at least 18 bytes of previous trailer\n and subsequent header, and inserts an average of about three bytes to the\n compressed data in order to connect the streams. The output gzip file\n has a minimal ten-byte gzip header with no file name or modification time.\n\n This program was written to illustrate the use of the Z_BLOCK option of\n inflate() and the crc32_combine() function. gzjoin will not compile with\n versions of zlib earlier than 1.2.3.\n */\n\n#include /* fputs(), fprintf(), fwrite(), putc() */\n#include /* exit(), malloc(), free() */\n#include /* open() */\n#include /* close(), read(), lseek() */\n#include \"zlib.h\"\n /* crc32(), crc32_combine(), inflateInit2(), inflate(), inflateEnd() */\n\n#define local static\n\n/* exit with an error (return a value to allow use in an expression) */\nlocal int bail(char *why1, char *why2)\n{\n fprintf(stderr, \"gzjoin error: %s%s, output incomplete\\n\", why1, why2);\n exit(1);\n return 0;\n}\n\n/* -- simple buffered file input with access to the buffer -- */\n\n#define CHUNK 32768 /* must be a power of two and fit in unsigned */\n\n/* bin buffered input file type */\ntypedef struct {\n char *name; /* name of file for error messages */\n int fd; /* file descriptor */\n unsigned left; /* bytes remaining at next */\n unsigned char *next; /* next byte to read */\n unsigned char *buf; /* allocated buffer of length CHUNK */\n} bin;\n\n/* close a buffered file and free allocated memory */\nlocal void bclose(bin *in)\n{\n if (in != NULL) {\n if (in->fd != -1)\n close(in->fd);\n if (in->buf != NULL)\n free(in->buf);\n free(in);\n }\n}\n\n/* open a buffered file for input, return a pointer to type bin, or NULL on\n failure */\nlocal bin *bopen(char *name)\n{\n bin *in;\n\n in = malloc(sizeof(bin));\n if (in == NULL)\n return NULL;\n in->buf = malloc(CHUNK);\n in->fd = open(name, O_RDONLY, 0);\n if (in->buf == NULL || in->fd == -1) {\n bclose(in);\n return NULL;\n }\n in->left = 0;\n in->next = in->buf;\n in->name = name;\n return in;\n}\n\n/* load buffer from file, return -1 on read error, 0 or 1 on success, with\n 1 indicating that end-of-file was reached */\nlocal int bload(bin *in)\n{\n long len;\n\n if (in == NULL)\n return -1;\n if (in->left != 0)\n return 0;\n in->next = in->buf;\n do {\n len = (long)read(in->fd, in->buf + in->left, CHUNK - in->left);\n if (len < 0)\n return -1;\n in->left += (unsigned)len;\n } while (len != 0 && in->left < CHUNK);\n return len == 0 ? 1 : 0;\n}\n\n/* get a byte from the file, bail if end of file */\n#define bget(in) (in->left ? 0 : bload(in), \\\n in->left ? (in->left--, *(in->next)++) : \\\n bail(\"unexpected end of file on \", in->name))\n\n/* get a four-byte little-endian unsigned integer from file */\nlocal unsigned long bget4(bin *in)\n{\n unsigned long val;\n\n val = bget(in);\n val += (unsigned long)(bget(in)) << 8;\n val += (unsigned long)(bget(in)) << 16;\n val += (unsigned long)(bget(in)) << 24;\n return val;\n}\n\n/* skip bytes in file */\nlocal void bskip(bin *in, unsigned skip)\n{\n /* check pointer */\n if (in == NULL)\n return;\n\n /* easy case -- skip bytes in buffer */\n if (skip <= in->left) {\n in->left -= skip;\n in->next += skip;\n return;\n }\n\n /* skip what's in buffer, discard buffer contents */\n skip -= in->left;\n in->left = 0;\n\n /* seek past multiples of CHUNK bytes */\n if (skip > CHUNK) {\n unsigned left;\n\n left = skip & (CHUNK - 1);\n if (left == 0) {\n /* exact number of chunks: seek all the way minus one byte to check\n for end-of-file with a read */\n lseek(in->fd, skip - 1, SEEK_CUR);\n if (read(in->fd, in->buf, 1) != 1)\n bail(\"unexpected end of file on \", in->name);\n return;\n }\n\n /* skip the integral chunks, update skip with remainder */\n lseek(in->fd, skip - left, SEEK_CUR);\n skip = left;\n }\n\n /* read more input and skip remainder */\n bload(in);\n if (skip > in->left)\n bail(\"unexpected end of file on \", in->name);\n in->left -= skip;\n in->next += skip;\n}\n\n/* -- end of buffered input functions -- */\n\n/* skip the gzip header from file in */\nlocal void gzhead(bin *in)\n{\n int flags;\n\n /* verify gzip magic header and compression method */\n if (bget(in) != 0x1f || bget(in) != 0x8b || bget(in) != 8)\n bail(in->name, \" is not a valid gzip file\");\n\n /* get and verify flags */\n flags = bget(in);\n if ((flags & 0xe0) != 0)\n bail(\"unknown reserved bits set in \", in->name);\n\n /* skip modification time, extra flags, and os */\n bskip(in, 6);\n\n /* skip extra field if present */\n if (flags & 4) {\n unsigned len;\n\n len = bget(in);\n len += (unsigned)(bget(in)) << 8;\n bskip(in, len);\n }\n\n /* skip file name if present */\n if (flags & 8)\n while (bget(in) != 0)\n ;\n\n /* skip comment if present */\n if (flags & 16)\n while (bget(in) != 0)\n ;\n\n /* skip header crc if present */\n if (flags & 2)\n bskip(in, 2);\n}\n\n/* write a four-byte little-endian unsigned integer to out */\nlocal void put4(unsigned long val, FILE *out)\n{\n putc(val & 0xff, out);\n putc((val >> 8) & 0xff, out);\n putc((val >> 16) & 0xff, out);\n putc((val >> 24) & 0xff, out);\n}\n\n/* Load up zlib stream from buffered input, bail if end of file */\nlocal void zpull(z_streamp strm, bin *in)\n{\n if (in->left == 0)\n bload(in);\n if (in->left == 0)\n bail(\"unexpected end of file on \", in->name);\n strm->avail_in = in->left;\n strm->next_in = in->next;\n}\n\n/* Write header for gzip file to out and initialize trailer. */\nlocal void gzinit(unsigned long *crc, unsigned long *tot, FILE *out)\n{\n fwrite(\"\\x1f\\x8b\\x08\\0\\0\\0\\0\\0\\0\\xff\", 1, 10, out);\n *crc = crc32(0L, Z_NULL, 0);\n *tot = 0;\n}\n\n/* Copy the compressed data from name, zeroing the last block bit of the last\n block if clr is true, and adding empty blocks as needed to get to a byte\n boundary. If clr is false, then the last block becomes the last block of\n the output, and the gzip trailer is written. crc and tot maintains the\n crc and length (modulo 2^32) of the output for the trailer. The resulting\n gzip file is written to out. gzinit() must be called before the first call\n of gzcopy() to write the gzip header and to initialize crc and tot. */\nlocal void gzcopy(char *name, int clr, unsigned long *crc, unsigned long *tot,\n FILE *out)\n{\n int ret; /* return value from zlib functions */\n int pos; /* where the \"last block\" bit is in byte */\n int last; /* true if processing the last block */\n bin *in; /* buffered input file */\n unsigned char *start; /* start of compressed data in buffer */\n unsigned char *junk; /* buffer for uncompressed data -- discarded */\n z_off_t len; /* length of uncompressed data (support > 4 GB) */\n z_stream strm; /* zlib inflate stream */\n\n /* open gzip file and skip header */\n in = bopen(name);\n if (in == NULL)\n bail(\"could not open \", name);\n gzhead(in);\n\n /* allocate buffer for uncompressed data and initialize raw inflate\n stream */\n junk = malloc(CHUNK);\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit2(&strm, -15);\n if (junk == NULL || ret != Z_OK)\n bail(\"out of memory\", \"\");\n\n /* inflate and copy compressed data, clear last-block bit if requested */\n len = 0;\n zpull(&strm, in);\n start = in->next;\n last = start[0] & 1;\n if (last && clr)\n start[0] &= ~1;\n strm.avail_out = 0;\n for (;;) {\n /* if input used and output done, write used input and get more */\n if (strm.avail_in == 0 && strm.avail_out != 0) {\n fwrite(start, 1, strm.next_in - start, out);\n start = in->buf;\n in->left = 0;\n zpull(&strm, in);\n }\n\n /* decompress -- return early when end-of-block reached */\n strm.avail_out = CHUNK;\n strm.next_out = junk;\n ret = inflate(&strm, Z_BLOCK);\n switch (ret) {\n case Z_MEM_ERROR:\n bail(\"out of memory\", \"\");\n case Z_DATA_ERROR:\n bail(\"invalid compressed data in \", in->name);\n }\n\n /* update length of uncompressed data */\n len += CHUNK - strm.avail_out;\n\n /* check for block boundary (only get this when block copied out) */\n if (strm.data_type & 128) {\n /* if that was the last block, then done */\n if (last)\n break;\n\n /* number of unused bits in last byte */\n pos = strm.data_type & 7;\n\n /* find the next last-block bit */\n if (pos != 0) {\n /* next last-block bit is in last used byte */\n pos = 0x100 >> pos;\n last = strm.next_in[-1] & pos;\n if (last && clr)\n in->buf[strm.next_in - in->buf - 1] &= ~pos;\n }\n else {\n /* next last-block bit is in next unused byte */\n if (strm.avail_in == 0) {\n /* don't have that byte yet -- get it */\n fwrite(start, 1, strm.next_in - start, out);\n start = in->buf;\n in->left = 0;\n zpull(&strm, in);\n }\n last = strm.next_in[0] & 1;\n if (last && clr)\n in->buf[strm.next_in - in->buf] &= ~1;\n }\n }\n }\n\n /* update buffer with unused input */\n in->left = strm.avail_in;\n in->next = in->buf + (strm.next_in - in->buf);\n\n /* copy used input, write empty blocks to get to byte boundary */\n pos = strm.data_type & 7;\n fwrite(start, 1, in->next - start - 1, out);\n last = in->next[-1];\n if (pos == 0 || !clr)\n /* already at byte boundary, or last file: write last byte */\n putc(last, out);\n else {\n /* append empty blocks to last byte */\n last &= ((0x100 >> pos) - 1); /* assure unused bits are zero */\n if (pos & 1) {\n /* odd -- append an empty stored block */\n putc(last, out);\n if (pos == 1)\n putc(0, out); /* two more bits in block header */\n fwrite(\"\\0\\0\\xff\\xff\", 1, 4, out);\n }\n else {\n /* even -- append 1, 2, or 3 empty fixed blocks */\n switch (pos) {\n case 6:\n putc(last | 8, out);\n last = 0;\n case 4:\n putc(last | 0x20, out);\n last = 0;\n case 2:\n putc(last | 0x80, out);\n putc(0, out);\n }\n }\n }\n\n /* update crc and tot */\n *crc = crc32_combine(*crc, bget4(in), len);\n *tot += (unsigned long)len;\n\n /* clean up */\n inflateEnd(&strm);\n free(junk);\n bclose(in);\n\n /* write trailer if this is the last gzip file */\n if (!clr) {\n put4(*crc, out);\n put4(*tot, out);\n }\n}\n\n/* join the gzip files on the command line, write result to stdout */\nint main(int argc, char **argv)\n{\n unsigned long crc, tot; /* running crc and total uncompressed length */\n\n /* skip command name */\n argc--;\n argv++;\n\n /* show usage if no arguments */\n if (argc == 0) {\n fputs(\"gzjoin usage: gzjoin f1.gz [f2.gz [f3.gz ...]] > fjoin.gz\\n\",\n stderr);\n return 0;\n }\n\n /* join gzip files on command line and write to stdout */\n gzinit(&crc, &tot, stdout);\n while (argc--)\n gzcopy(*argv++, argc, &crc, &tot, stdout);\n\n /* done */\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzlog.c", "content": "/*\n * gzlog.c\n * Copyright (C) 2004, 2008, 2012, 2016, 2019 Mark Adler, all rights reserved\n * For conditions of distribution and use, see copyright notice in gzlog.h\n * version 2.3, 25 May 2019\n */\n\n/*\n gzlog provides a mechanism for frequently appending short strings to a gzip\n file that is efficient both in execution time and compression ratio. The\n strategy is to write the short strings in an uncompressed form to the end of\n the gzip file, only compressing when the amount of uncompressed data has\n reached a given threshold.\n\n gzlog also provides protection against interruptions in the process due to\n system crashes. The status of the operation is recorded in an extra field\n in the gzip file, and is only updated once the gzip file is brought to a\n valid state. The last data to be appended or compressed is saved in an\n auxiliary file, so that if the operation is interrupted, it can be completed\n the next time an append operation is attempted.\n\n gzlog maintains another auxiliary file with the last 32K of data from the\n compressed portion, which is preloaded for the compression of the subsequent\n data. This minimizes the impact to the compression ratio of appending.\n */\n\n/*\n Operations Concept:\n\n Files (log name \"foo\"):\n foo.gz -- gzip file with the complete log\n foo.add -- last message to append or last data to compress\n foo.dict -- dictionary of the last 32K of data for next compression\n foo.temp -- temporary dictionary file for compression after this one\n foo.lock -- lock file for reading and writing the other files\n foo.repairs -- log file for log file recovery operations (not compressed)\n\n gzip file structure:\n - fixed-length (no file name) header with extra field (see below)\n - compressed data ending initially with empty stored block\n - uncompressed data filling out originally empty stored block and\n subsequent stored blocks as needed (16K max each)\n - gzip trailer\n - no junk at end (no other gzip streams)\n\n When appending data, the information in the first three items above plus the\n foo.add file are sufficient to recover an interrupted append operation. The\n extra field has the necessary information to restore the start of the last\n stored block and determine where to append the data in the foo.add file, as\n well as the crc and length of the gzip data before the append operation.\n\n The foo.add file is created before the gzip file is marked for append, and\n deleted after the gzip file is marked as complete. So if the append\n operation is interrupted, the data to add will still be there. If due to\n some external force, the foo.add file gets deleted between when the append\n operation was interrupted and when recovery is attempted, the gzip file will\n still be restored, but without the appended data.\n\n When compressing data, the information in the first two items above plus the\n foo.add file are sufficient to recover an interrupted compress operation.\n The extra field has the necessary information to find the end of the\n compressed data, and contains both the crc and length of just the compressed\n data and of the complete set of data including the contents of the foo.add\n file.\n\n Again, the foo.add file is maintained during the compress operation in case\n of an interruption. If in the unlikely event the foo.add file with the data\n to be compressed is missing due to some external force, a gzip file with\n just the previous compressed data will be reconstructed. In this case, all\n of the data that was to be compressed is lost (approximately one megabyte).\n This will not occur if all that happened was an interruption of the compress\n operation.\n\n The third state that is marked is the replacement of the old dictionary with\n the new dictionary after a compress operation. Once compression is\n complete, the gzip file is marked as being in the replace state. This\n completes the gzip file, so an interrupt after being so marked does not\n result in recompression. Then the dictionary file is replaced, and the gzip\n file is marked as completed. This state prevents the possibility of\n restarting compression with the wrong dictionary file.\n\n All three operations are wrapped by a lock/unlock procedure. In order to\n gain exclusive access to the log files, first a foo.lock file must be\n exclusively created. When all operations are complete, the lock is\n released by deleting the foo.lock file. If when attempting to create the\n lock file, it already exists and the modify time of the lock file is more\n than five minutes old (set by the PATIENCE define below), then the old\n lock file is considered stale and deleted, and the exclusive creation of\n the lock file is retried. To assure that there are no false assessments\n of the staleness of the lock file, the operations periodically touch the\n lock file to update the modified date.\n\n Following is the definition of the extra field with all of the information\n required to enable the above append and compress operations and their\n recovery if interrupted. Multi-byte values are stored little endian\n (consistent with the gzip format). File pointers are eight bytes long.\n The crc's and lengths for the gzip trailer are four bytes long. (Note that\n the length at the end of a gzip file is used for error checking only, and\n for large files is actually the length modulo 2^32.) The stored block\n length is two bytes long. The gzip extra field two-byte identification is\n \"ap\" for append. It is assumed that writing the extra field to the file is\n an \"atomic\" operation. That is, either all of the extra field is written\n to the file, or none of it is, if the operation is interrupted right at the\n point of updating the extra field. This is a reasonable assumption, since\n the extra field is within the first 52 bytes of the file, which is smaller\n than any expected block size for a mass storage device (usually 512 bytes or\n larger).\n\n Extra field (35 bytes):\n - Pointer to first stored block length -- this points to the two-byte length\n of the first stored block, which is followed by the two-byte, one's\n complement of that length. The stored block length is preceded by the\n three-bit header of the stored block, which is the actual start of the\n stored block in the deflate format. See the bit offset field below.\n - Pointer to the last stored block length. This is the same as above, but\n for the last stored block of the uncompressed data in the gzip file.\n Initially this is the same as the first stored block length pointer.\n When the stored block gets to 16K (see the MAX_STORE define), then a new\n stored block as added, at which point the last stored block length pointer\n is different from the first stored block length pointer. When they are\n different, the first bit of the last stored block header is eight bits, or\n one byte back from the block length.\n - Compressed data crc and length. This is the crc and length of the data\n that is in the compressed portion of the deflate stream. These are used\n only in the event that the foo.add file containing the data to compress is\n lost after a compress operation is interrupted.\n - Total data crc and length. This is the crc and length of all of the data\n stored in the gzip file, compressed and uncompressed. It is used to\n reconstruct the gzip trailer when compressing, as well as when recovering\n interrupted operations.\n - Final stored block length. This is used to quickly find where to append,\n and allows the restoration of the original final stored block state when\n an append operation is interrupted.\n - First stored block start as the number of bits back from the final stored\n block first length byte. This value is in the range of 3..10, and is\n stored as the low three bits of the final byte of the extra field after\n subtracting three (0..7). This allows the last-block bit of the stored\n block header to be updated when a new stored block is added, for the case\n when the first stored block and the last stored block are the same. (When\n they are different, the numbers of bits back is known to be eight.) This\n also allows for new compressed data to be appended to the old compressed\n data in the compress operation, overwriting the previous first stored\n block, or for the compressed data to be terminated and a valid gzip file\n reconstructed on the off chance that a compression operation was\n interrupted and the data to compress in the foo.add file was deleted.\n - The operation in process. This is the next two bits in the last byte (the\n bits under the mask 0x18). The are interpreted as 0: nothing in process,\n 1: append in process, 2: compress in process, 3: replace in process.\n - The top three bits of the last byte in the extra field are reserved and\n are currently set to zero.\n\n Main procedure:\n - Exclusively create the foo.lock file using the O_CREAT and O_EXCL modes of\n the system open() call. If the modify time of an existing lock file is\n more than PATIENCE seconds old, then the lock file is deleted and the\n exclusive create is retried.\n - Load the extra field from the foo.gz file, and see if an operation was in\n progress but not completed. If so, apply the recovery procedure below.\n - Perform the append procedure with the provided data.\n - If the uncompressed data in the foo.gz file is 1MB or more, apply the\n compress procedure.\n - Delete the foo.lock file.\n\n Append procedure:\n - Put what to append in the foo.add file so that the operation can be\n restarted if this procedure is interrupted.\n - Mark the foo.gz extra field with the append operation in progress.\n + Restore the original last-block bit and stored block length of the last\n stored block from the information in the extra field, in case a previous\n append operation was interrupted.\n - Append the provided data to the last stored block, creating new stored\n blocks as needed and updating the stored blocks last-block bits and\n lengths.\n - Update the crc and length with the new data, and write the gzip trailer.\n - Write over the extra field (with a single write operation) with the new\n pointers, lengths, and crc's, and mark the gzip file as not in process.\n Though there is still a foo.add file, it will be ignored since nothing\n is in process. If a foo.add file is leftover from a previously\n completed operation, it is truncated when writing new data to it.\n - Delete the foo.add file.\n\n Compress and replace procedures:\n - Read all of the uncompressed data in the stored blocks in foo.gz and write\n it to foo.add. Also write foo.temp with the last 32K of that data to\n provide a dictionary for the next invocation of this procedure.\n - Rewrite the extra field marking foo.gz with a compression in process.\n * If there is no data provided to compress (due to a missing foo.add file\n when recovering), reconstruct and truncate the foo.gz file to contain\n only the previous compressed data and proceed to the step after the next\n one. Otherwise ...\n - Compress the data with the dictionary in foo.dict, and write to the\n foo.gz file starting at the bit immediately following the last previously\n compressed block. If there is no foo.dict, proceed anyway with the\n compression at slightly reduced efficiency. (For the foo.dict file to be\n missing requires some external failure beyond simply the interruption of\n a compress operation.) During this process, the foo.lock file is\n periodically touched to assure that that file is not considered stale by\n another process before we're done. The deflation is terminated with a\n non-last empty static block (10 bits long), that is then located and\n written over by a last-bit-set empty stored block.\n - Append the crc and length of the data in the gzip file (previously\n calculated during the append operations).\n - Write over the extra field with the updated stored block offsets, bits\n back, crc's, and lengths, and mark foo.gz as in process for a replacement\n of the dictionary.\n @ Delete the foo.add file.\n - Replace foo.dict with foo.temp.\n - Write over the extra field, marking foo.gz as complete.\n\n Recovery procedure:\n - If not a replace recovery, read in the foo.add file, and provide that data\n to the appropriate recovery below. If there is no foo.add file, provide\n a zero data length to the recovery. In that case, the append recovery\n restores the foo.gz to the previous compressed + uncompressed data state.\n For the the compress recovery, a missing foo.add file results in foo.gz\n being restored to the previous compressed-only data state.\n - Append recovery:\n - Pick up append at + step above\n - Compress recovery:\n - Pick up compress at * step above\n - Replace recovery:\n - Pick up compress at @ step above\n - Log the repair with a date stamp in foo.repairs\n */\n\n#include \n#include /* rename, fopen, fprintf, fclose */\n#include /* malloc, free */\n#include /* strlen, strrchr, strcpy, strncpy, strcmp */\n#include /* open */\n#include /* lseek, read, write, close, unlink, sleep, */\n /* ftruncate, fsync */\n#include /* errno */\n#include /* time, ctime */\n#include /* stat */\n#include /* utimes */\n#include \"zlib.h\" /* crc32 */\n\n#include \"gzlog.h\" /* header for external access */\n\n#define local static\ntypedef unsigned int uint;\ntypedef unsigned long ulong;\n\n/* Macro for debugging to deterministically force recovery operations */\n#ifdef GZLOG_DEBUG\n #include /* longjmp */\n jmp_buf gzlog_jump; /* where to go back to */\n int gzlog_bail = 0; /* which point to bail at (1..8) */\n int gzlog_count = -1; /* number of times through to wait */\n# define BAIL(n) do { if (n == gzlog_bail && gzlog_count-- == 0) \\\n longjmp(gzlog_jump, gzlog_bail); } while (0)\n#else\n# define BAIL(n)\n#endif\n\n/* how old the lock file can be in seconds before considering it stale */\n#define PATIENCE 300\n\n/* maximum stored block size in Kbytes -- must be in 1..63 */\n#define MAX_STORE 16\n\n/* number of stored Kbytes to trigger compression (must be >= 32 to allow\n dictionary construction, and <= 204 * MAX_STORE, in order for >> 10 to\n discard the stored block headers contribution of five bytes each) */\n#define TRIGGER 1024\n\n/* size of a deflate dictionary (this cannot be changed) */\n#define DICT 32768U\n\n/* values for the operation (2 bits) */\n#define NO_OP 0\n#define APPEND_OP 1\n#define COMPRESS_OP 2\n#define REPLACE_OP 3\n\n/* macros to extract little-endian integers from an unsigned byte buffer */\n#define PULL2(p) ((p)[0]+((uint)((p)[1])<<8))\n#define PULL4(p) (PULL2(p)+((ulong)PULL2(p+2)<<16))\n#define PULL8(p) (PULL4(p)+((off_t)PULL4(p+4)<<32))\n\n/* macros to store integers into a byte buffer in little-endian order */\n#define PUT2(p,a) do {(p)[0]=a;(p)[1]=(a)>>8;} while(0)\n#define PUT4(p,a) do {PUT2(p,a);PUT2(p+2,a>>16);} while(0)\n#define PUT8(p,a) do {PUT4(p,a);PUT4(p+4,a>>32);} while(0)\n\n/* internal structure for log information */\n#define LOGID \"\\106\\035\\172\" /* should be three non-zero characters */\nstruct log {\n char id[4]; /* contains LOGID to detect inadvertent overwrites */\n int fd; /* file descriptor for .gz file, opened read/write */\n char *path; /* allocated path, e.g. \"/var/log/foo\" or \"foo\" */\n char *end; /* end of path, for appending suffices such as \".gz\" */\n off_t first; /* offset of first stored block first length byte */\n int back; /* location of first block id in bits back from first */\n uint stored; /* bytes currently in last stored block */\n off_t last; /* offset of last stored block first length byte */\n ulong ccrc; /* crc of compressed data */\n ulong clen; /* length (modulo 2^32) of compressed data */\n ulong tcrc; /* crc of total data */\n ulong tlen; /* length (modulo 2^32) of total data */\n time_t lock; /* last modify time of our lock file */\n};\n\n/* gzip header for gzlog */\nlocal unsigned char log_gzhead[] = {\n 0x1f, 0x8b, /* magic gzip id */\n 8, /* compression method is deflate */\n 4, /* there is an extra field (no file name) */\n 0, 0, 0, 0, /* no modification time provided */\n 0, 0xff, /* no extra flags, no OS specified */\n 39, 0, 'a', 'p', 35, 0 /* extra field with \"ap\" subfield */\n /* 35 is EXTRA, 39 is EXTRA + 4 */\n};\n\n#define HEAD sizeof(log_gzhead) /* should be 16 */\n\n/* initial gzip extra field content (52 == HEAD + EXTRA + 1) */\nlocal unsigned char log_gzext[] = {\n 52, 0, 0, 0, 0, 0, 0, 0, /* offset of first stored block length */\n 52, 0, 0, 0, 0, 0, 0, 0, /* offset of last stored block length */\n 0, 0, 0, 0, 0, 0, 0, 0, /* compressed data crc and length */\n 0, 0, 0, 0, 0, 0, 0, 0, /* total data crc and length */\n 0, 0, /* final stored block data length */\n 5 /* op is NO_OP, last bit 8 bits back */\n};\n\n#define EXTRA sizeof(log_gzext) /* should be 35 */\n\n/* initial gzip data and trailer */\nlocal unsigned char log_gzbody[] = {\n 1, 0, 0, 0xff, 0xff, /* empty stored block (last) */\n 0, 0, 0, 0, /* crc */\n 0, 0, 0, 0 /* uncompressed length */\n};\n\n#define BODY sizeof(log_gzbody)\n\n/* Exclusively create foo.lock in order to negotiate exclusive access to the\n foo.* files. If the modify time of an existing lock file is greater than\n PATIENCE seconds in the past, then consider the lock file to have been\n abandoned, delete it, and try the exclusive create again. Save the lock\n file modify time for verification of ownership. Return 0 on success, or -1\n on failure, usually due to an access restriction or invalid path. Note that\n if stat() or unlink() fails, it may be due to another process noticing the\n abandoned lock file a smidge sooner and deleting it, so those are not\n flagged as an error. */\nlocal int log_lock(struct log *log)\n{\n int fd;\n struct stat st;\n\n strcpy(log->end, \".lock\");\n while ((fd = open(log->path, O_CREAT | O_EXCL, 0644)) < 0) {\n if (errno != EEXIST)\n return -1;\n if (stat(log->path, &st) == 0 && time(NULL) - st.st_mtime > PATIENCE) {\n unlink(log->path);\n continue;\n }\n sleep(2); /* relinquish the CPU for two seconds while waiting */\n }\n close(fd);\n if (stat(log->path, &st) == 0)\n log->lock = st.st_mtime;\n return 0;\n}\n\n/* Update the modify time of the lock file to now, in order to prevent another\n task from thinking that the lock is stale. Save the lock file modify time\n for verification of ownership. */\nlocal void log_touch(struct log *log)\n{\n struct stat st;\n\n strcpy(log->end, \".lock\");\n utimes(log->path, NULL);\n if (stat(log->path, &st) == 0)\n log->lock = st.st_mtime;\n}\n\n/* Check the log file modify time against what is expected. Return true if\n this is not our lock. If it is our lock, touch it to keep it. */\nlocal int log_check(struct log *log)\n{\n struct stat st;\n\n strcpy(log->end, \".lock\");\n if (stat(log->path, &st) || st.st_mtime != log->lock)\n return 1;\n log_touch(log);\n return 0;\n}\n\n/* Unlock a previously acquired lock, but only if it's ours. */\nlocal void log_unlock(struct log *log)\n{\n if (log_check(log))\n return;\n strcpy(log->end, \".lock\");\n unlink(log->path);\n log->lock = 0;\n}\n\n/* Check the gzip header and read in the extra field, filling in the values in\n the log structure. Return op on success or -1 if the gzip header was not as\n expected. op is the current operation in progress last written to the extra\n field. This assumes that the gzip file has already been opened, with the\n file descriptor log->fd. */\nlocal int log_head(struct log *log)\n{\n int op;\n unsigned char buf[HEAD + EXTRA];\n\n if (lseek(log->fd, 0, SEEK_SET) < 0 ||\n read(log->fd, buf, HEAD + EXTRA) != HEAD + EXTRA ||\n memcmp(buf, log_gzhead, HEAD)) {\n return -1;\n }\n log->first = PULL8(buf + HEAD);\n log->last = PULL8(buf + HEAD + 8);\n log->ccrc = PULL4(buf + HEAD + 16);\n log->clen = PULL4(buf + HEAD + 20);\n log->tcrc = PULL4(buf + HEAD + 24);\n log->tlen = PULL4(buf + HEAD + 28);\n log->stored = PULL2(buf + HEAD + 32);\n log->back = 3 + (buf[HEAD + 34] & 7);\n op = (buf[HEAD + 34] >> 3) & 3;\n return op;\n}\n\n/* Write over the extra field contents, marking the operation as op. Use fsync\n to assure that the device is written to, and in the requested order. This\n operation, and only this operation, is assumed to be atomic in order to\n assure that the log is recoverable in the event of an interruption at any\n point in the process. Return -1 if the write to foo.gz failed. */\nlocal int log_mark(struct log *log, int op)\n{\n int ret;\n unsigned char ext[EXTRA];\n\n PUT8(ext, log->first);\n PUT8(ext + 8, log->last);\n PUT4(ext + 16, log->ccrc);\n PUT4(ext + 20, log->clen);\n PUT4(ext + 24, log->tcrc);\n PUT4(ext + 28, log->tlen);\n PUT2(ext + 32, log->stored);\n ext[34] = log->back - 3 + (op << 3);\n fsync(log->fd);\n ret = lseek(log->fd, HEAD, SEEK_SET) < 0 ||\n write(log->fd, ext, EXTRA) != EXTRA ? -1 : 0;\n fsync(log->fd);\n return ret;\n}\n\n/* Rewrite the last block header bits and subsequent zero bits to get to a byte\n boundary, setting the last block bit if last is true, and then write the\n remainder of the stored block header (length and one's complement). Leave\n the file pointer after the end of the last stored block data. Return -1 if\n there is a read or write failure on the foo.gz file */\nlocal int log_last(struct log *log, int last)\n{\n int back, len, mask;\n unsigned char buf[6];\n\n /* determine the locations of the bytes and bits to modify */\n back = log->last == log->first ? log->back : 8;\n len = back > 8 ? 2 : 1; /* bytes back from log->last */\n mask = 0x80 >> ((back - 1) & 7); /* mask for block last-bit */\n\n /* get the byte to modify (one or two back) into buf[0] -- don't need to\n read the byte if the last-bit is eight bits back, since in that case\n the entire byte will be modified */\n buf[0] = 0;\n if (back != 8 && (lseek(log->fd, log->last - len, SEEK_SET) < 0 ||\n read(log->fd, buf, 1) != 1))\n return -1;\n\n /* change the last-bit of the last stored block as requested -- note\n that all bits above the last-bit are set to zero, per the type bits\n of a stored block being 00 and per the convention that the bits to\n bring the stream to a byte boundary are also zeros */\n buf[1] = 0;\n buf[2 - len] = (*buf & (mask - 1)) + (last ? mask : 0);\n\n /* write the modified stored block header and lengths, move the file\n pointer to after the last stored block data */\n PUT2(buf + 2, log->stored);\n PUT2(buf + 4, log->stored ^ 0xffff);\n return lseek(log->fd, log->last - len, SEEK_SET) < 0 ||\n write(log->fd, buf + 2 - len, len + 4) != len + 4 ||\n lseek(log->fd, log->stored, SEEK_CUR) < 0 ? -1 : 0;\n}\n\n/* Append len bytes from data to the locked and open log file. len may be zero\n if recovering and no .add file was found. In that case, the previous state\n of the foo.gz file is restored. The data is appended uncompressed in\n deflate stored blocks. Return -1 if there was an error reading or writing\n the foo.gz file. */\nlocal int log_append(struct log *log, unsigned char *data, size_t len)\n{\n uint put;\n off_t end;\n unsigned char buf[8];\n\n /* set the last block last-bit and length, in case recovering an\n interrupted append, then position the file pointer to append to the\n block */\n if (log_last(log, 1))\n return -1;\n\n /* append, adding stored blocks and updating the offset of the last stored\n block as needed, and update the total crc and length */\n while (len) {\n /* append as much as we can to the last block */\n put = (MAX_STORE << 10) - log->stored;\n if (put > len)\n put = (uint)len;\n if (put) {\n if (write(log->fd, data, put) != put)\n return -1;\n BAIL(1);\n log->tcrc = crc32(log->tcrc, data, put);\n log->tlen += put;\n log->stored += put;\n data += put;\n len -= put;\n }\n\n /* if we need to, add a new empty stored block */\n if (len) {\n /* mark current block as not last */\n if (log_last(log, 0))\n return -1;\n\n /* point to new, empty stored block */\n log->last += 4 + log->stored + 1;\n log->stored = 0;\n }\n\n /* mark last block as last, update its length */\n if (log_last(log, 1))\n return -1;\n BAIL(2);\n }\n\n /* write the new crc and length trailer, and truncate just in case (could\n be recovering from partial append with a missing foo.add file) */\n PUT4(buf, log->tcrc);\n PUT4(buf + 4, log->tlen);\n if (write(log->fd, buf, 8) != 8 ||\n (end = lseek(log->fd, 0, SEEK_CUR)) < 0 || ftruncate(log->fd, end))\n return -1;\n\n /* write the extra field, marking the log file as done, delete .add file */\n if (log_mark(log, NO_OP))\n return -1;\n strcpy(log->end, \".add\");\n unlink(log->path); /* ignore error, since may not exist */\n return 0;\n}\n\n/* Replace the foo.dict file with the foo.temp file. Also delete the foo.add\n file, since the compress operation may have been interrupted before that was\n done. Returns 1 if memory could not be allocated, or -1 if reading or\n writing foo.gz fails, or if the rename fails for some reason other than\n foo.temp not existing. foo.temp not existing is a permitted error, since\n the replace operation may have been interrupted after the rename is done,\n but before foo.gz is marked as complete. */\nlocal int log_replace(struct log *log)\n{\n int ret;\n char *dest;\n\n /* delete foo.add file */\n strcpy(log->end, \".add\");\n unlink(log->path); /* ignore error, since may not exist */\n BAIL(3);\n\n /* rename foo.name to foo.dict, replacing foo.dict if it exists */\n strcpy(log->end, \".dict\");\n dest = malloc(strlen(log->path) + 1);\n if (dest == NULL)\n return -2;\n strcpy(dest, log->path);\n strcpy(log->end, \".temp\");\n ret = rename(log->path, dest);\n free(dest);\n if (ret && errno != ENOENT)\n return -1;\n BAIL(4);\n\n /* mark the foo.gz file as done */\n return log_mark(log, NO_OP);\n}\n\n/* Compress the len bytes at data and append the compressed data to the\n foo.gz deflate data immediately after the previous compressed data. This\n overwrites the previous uncompressed data, which was stored in foo.add\n and is the data provided in data[0..len-1]. If this operation is\n interrupted, it picks up at the start of this routine, with the foo.add\n file read in again. If there is no data to compress (len == 0), then we\n simply terminate the foo.gz file after the previously compressed data,\n appending a final empty stored block and the gzip trailer. Return -1 if\n reading or writing the log.gz file failed, or -2 if there was a memory\n allocation failure. */\nlocal int log_compress(struct log *log, unsigned char *data, size_t len)\n{\n int fd;\n uint got, max;\n ssize_t dict;\n off_t end;\n z_stream strm;\n unsigned char buf[DICT];\n\n /* compress and append compressed data */\n if (len) {\n /* set up for deflate, allocating memory */\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n if (deflateInit2(&strm, Z_DEFAULT_COMPRESSION, Z_DEFLATED, -15, 8,\n Z_DEFAULT_STRATEGY) != Z_OK)\n return -2;\n\n /* read in dictionary (last 32K of data that was compressed) */\n strcpy(log->end, \".dict\");\n fd = open(log->path, O_RDONLY, 0);\n if (fd >= 0) {\n dict = read(fd, buf, DICT);\n close(fd);\n if (dict < 0) {\n deflateEnd(&strm);\n return -1;\n }\n if (dict)\n deflateSetDictionary(&strm, buf, (uint)dict);\n }\n log_touch(log);\n\n /* prime deflate with last bits of previous block, position write\n pointer to write those bits and overwrite what follows */\n if (lseek(log->fd, log->first - (log->back > 8 ? 2 : 1),\n SEEK_SET) < 0 ||\n read(log->fd, buf, 1) != 1 || lseek(log->fd, -1, SEEK_CUR) < 0) {\n deflateEnd(&strm);\n return -1;\n }\n deflatePrime(&strm, (8 - log->back) & 7, *buf);\n\n /* compress, finishing with a partial non-last empty static block */\n strm.next_in = data;\n max = (((uint)0 - 1) >> 1) + 1; /* in case int smaller than size_t */\n do {\n strm.avail_in = len > max ? max : (uint)len;\n len -= strm.avail_in;\n do {\n strm.avail_out = DICT;\n strm.next_out = buf;\n deflate(&strm, len ? Z_NO_FLUSH : Z_PARTIAL_FLUSH);\n got = DICT - strm.avail_out;\n if (got && write(log->fd, buf, got) != got) {\n deflateEnd(&strm);\n return -1;\n }\n log_touch(log);\n } while (strm.avail_out == 0);\n } while (len);\n deflateEnd(&strm);\n BAIL(5);\n\n /* find start of empty static block -- scanning backwards the first one\n bit is the second bit of the block, if the last byte is zero, then\n we know the byte before that has a one in the top bit, since an\n empty static block is ten bits long */\n if ((log->first = lseek(log->fd, -1, SEEK_CUR)) < 0 ||\n read(log->fd, buf, 1) != 1)\n return -1;\n log->first++;\n if (*buf) {\n log->back = 1;\n while ((*buf & ((uint)1 << (8 - log->back++))) == 0)\n ; /* guaranteed to terminate, since *buf != 0 */\n }\n else\n log->back = 10;\n\n /* update compressed crc and length */\n log->ccrc = log->tcrc;\n log->clen = log->tlen;\n }\n else {\n /* no data to compress -- fix up existing gzip stream */\n log->tcrc = log->ccrc;\n log->tlen = log->clen;\n }\n\n /* complete and truncate gzip stream */\n log->last = log->first;\n log->stored = 0;\n PUT4(buf, log->tcrc);\n PUT4(buf + 4, log->tlen);\n if (log_last(log, 1) || write(log->fd, buf, 8) != 8 ||\n (end = lseek(log->fd, 0, SEEK_CUR)) < 0 || ftruncate(log->fd, end))\n return -1;\n BAIL(6);\n\n /* mark as being in the replace operation */\n if (log_mark(log, REPLACE_OP))\n return -1;\n\n /* execute the replace operation and mark the file as done */\n return log_replace(log);\n}\n\n/* log a repair record to the .repairs file */\nlocal void log_log(struct log *log, int op, char *record)\n{\n time_t now;\n FILE *rec;\n\n now = time(NULL);\n strcpy(log->end, \".repairs\");\n rec = fopen(log->path, \"a\");\n if (rec == NULL)\n return;\n fprintf(rec, \"%.24s %s recovery: %s\\n\", ctime(&now), op == APPEND_OP ?\n \"append\" : (op == COMPRESS_OP ? \"compress\" : \"replace\"), record);\n fclose(rec);\n return;\n}\n\n/* Recover the interrupted operation op. First read foo.add for recovering an\n append or compress operation. Return -1 if there was an error reading or\n writing foo.gz or reading an existing foo.add, or -2 if there was a memory\n allocation failure. */\nlocal int log_recover(struct log *log, int op)\n{\n int fd, ret = 0;\n unsigned char *data = NULL;\n size_t len = 0;\n struct stat st;\n\n /* log recovery */\n log_log(log, op, \"start\");\n\n /* load foo.add file if expected and present */\n if (op == APPEND_OP || op == COMPRESS_OP) {\n strcpy(log->end, \".add\");\n if (stat(log->path, &st) == 0 && st.st_size) {\n len = (size_t)(st.st_size);\n if ((off_t)len != st.st_size ||\n (data = malloc(st.st_size)) == NULL) {\n log_log(log, op, \"allocation failure\");\n return -2;\n }\n if ((fd = open(log->path, O_RDONLY, 0)) < 0) {\n free(data);\n log_log(log, op, \".add file read failure\");\n return -1;\n }\n ret = (size_t)read(fd, data, len) != len;\n close(fd);\n if (ret) {\n free(data);\n log_log(log, op, \".add file read failure\");\n return -1;\n }\n log_log(log, op, \"loaded .add file\");\n }\n else\n log_log(log, op, \"missing .add file!\");\n }\n\n /* recover the interrupted operation */\n switch (op) {\n case APPEND_OP:\n ret = log_append(log, data, len);\n break;\n case COMPRESS_OP:\n ret = log_compress(log, data, len);\n break;\n case REPLACE_OP:\n ret = log_replace(log);\n }\n\n /* log status */\n log_log(log, op, ret ? \"failure\" : \"complete\");\n\n /* clean up */\n if (data != NULL)\n free(data);\n return ret;\n}\n\n/* Close the foo.gz file (if open) and release the lock. */\nlocal void log_close(struct log *log)\n{\n if (log->fd >= 0)\n close(log->fd);\n log->fd = -1;\n log_unlock(log);\n}\n\n/* Open foo.gz, verify the header, and load the extra field contents, after\n first creating the foo.lock file to gain exclusive access to the foo.*\n files. If foo.gz does not exist or is empty, then write the initial header,\n extra, and body content of an empty foo.gz log file. If there is an error\n creating the lock file due to access restrictions, or an error reading or\n writing the foo.gz file, or if the foo.gz file is not a proper log file for\n this object (e.g. not a gzip file or does not contain the expected extra\n field), then return true. If there is an error, the lock is released.\n Otherwise, the lock is left in place. */\nlocal int log_open(struct log *log)\n{\n int op;\n\n /* release open file resource if left over -- can occur if lock lost\n between gzlog_open() and gzlog_write() */\n if (log->fd >= 0)\n close(log->fd);\n log->fd = -1;\n\n /* negotiate exclusive access */\n if (log_lock(log) < 0)\n return -1;\n\n /* open the log file, foo.gz */\n strcpy(log->end, \".gz\");\n log->fd = open(log->path, O_RDWR | O_CREAT, 0644);\n if (log->fd < 0) {\n log_close(log);\n return -1;\n }\n\n /* if new, initialize foo.gz with an empty log, delete old dictionary */\n if (lseek(log->fd, 0, SEEK_END) == 0) {\n if (write(log->fd, log_gzhead, HEAD) != HEAD ||\n write(log->fd, log_gzext, EXTRA) != EXTRA ||\n write(log->fd, log_gzbody, BODY) != BODY) {\n log_close(log);\n return -1;\n }\n strcpy(log->end, \".dict\");\n unlink(log->path);\n }\n\n /* verify log file and load extra field information */\n if ((op = log_head(log)) < 0) {\n log_close(log);\n return -1;\n }\n\n /* check for interrupted process and if so, recover */\n if (op != NO_OP && log_recover(log, op)) {\n log_close(log);\n return -1;\n }\n\n /* touch the lock file to prevent another process from grabbing it */\n log_touch(log);\n return 0;\n}\n\n/* See gzlog.h for the description of the external methods below */\ngzlog *gzlog_open(char *path)\n{\n size_t n;\n struct log *log;\n\n /* check arguments */\n if (path == NULL || *path == 0)\n return NULL;\n\n /* allocate and initialize log structure */\n log = malloc(sizeof(struct log));\n if (log == NULL)\n return NULL;\n strcpy(log->id, LOGID);\n log->fd = -1;\n\n /* save path and end of path for name construction */\n n = strlen(path);\n log->path = malloc(n + 9); /* allow for \".repairs\" */\n if (log->path == NULL) {\n free(log);\n return NULL;\n }\n strcpy(log->path, path);\n log->end = log->path + n;\n\n /* gain exclusive access and verify log file -- may perform a\n recovery operation if needed */\n if (log_open(log)) {\n free(log->path);\n free(log);\n return NULL;\n }\n\n /* return pointer to log structure */\n return log;\n}\n\n/* gzlog_compress() return values:\n 0: all good\n -1: file i/o error (usually access issue)\n -2: memory allocation failure\n -3: invalid log pointer argument */\nint gzlog_compress(gzlog *logd)\n{\n int fd, ret;\n uint block;\n size_t len, next;\n unsigned char *data, buf[5];\n struct log *log = logd;\n\n /* check arguments */\n if (log == NULL || strcmp(log->id, LOGID))\n return -3;\n\n /* see if we lost the lock -- if so get it again and reload the extra\n field information (it probably changed), recover last operation if\n necessary */\n if (log_check(log) && log_open(log))\n return -1;\n\n /* create space for uncompressed data */\n len = ((size_t)(log->last - log->first) & ~(((size_t)1 << 10) - 1)) +\n log->stored;\n if ((data = malloc(len)) == NULL)\n return -2;\n\n /* do statement here is just a cheap trick for error handling */\n do {\n /* read in the uncompressed data */\n if (lseek(log->fd, log->first - 1, SEEK_SET) < 0)\n break;\n next = 0;\n while (next < len) {\n if (read(log->fd, buf, 5) != 5)\n break;\n block = PULL2(buf + 1);\n if (next + block > len ||\n read(log->fd, (char *)data + next, block) != block)\n break;\n next += block;\n }\n if (lseek(log->fd, 0, SEEK_CUR) != log->last + 4 + log->stored)\n break;\n log_touch(log);\n\n /* write the uncompressed data to the .add file */\n strcpy(log->end, \".add\");\n fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);\n if (fd < 0)\n break;\n ret = (size_t)write(fd, data, len) != len;\n if (ret | close(fd))\n break;\n log_touch(log);\n\n /* write the dictionary for the next compress to the .temp file */\n strcpy(log->end, \".temp\");\n fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);\n if (fd < 0)\n break;\n next = DICT > len ? len : DICT;\n ret = (size_t)write(fd, (char *)data + len - next, next) != next;\n if (ret | close(fd))\n break;\n log_touch(log);\n\n /* roll back to compressed data, mark the compress in progress */\n log->last = log->first;\n log->stored = 0;\n if (log_mark(log, COMPRESS_OP))\n break;\n BAIL(7);\n\n /* compress and append the data (clears mark) */\n ret = log_compress(log, data, len);\n free(data);\n return ret;\n } while (0);\n\n /* broke out of do above on i/o error */\n free(data);\n return -1;\n}\n\n/* gzlog_write() return values:\n 0: all good\n -1: file i/o error (usually access issue)\n -2: memory allocation failure\n -3: invalid log pointer argument */\nint gzlog_write(gzlog *logd, void *data, size_t len)\n{\n int fd, ret;\n struct log *log = logd;\n\n /* check arguments */\n if (log == NULL || strcmp(log->id, LOGID))\n return -3;\n if (data == NULL || len <= 0)\n return 0;\n\n /* see if we lost the lock -- if so get it again and reload the extra\n field information (it probably changed), recover last operation if\n necessary */\n if (log_check(log) && log_open(log))\n return -1;\n\n /* create and write .add file */\n strcpy(log->end, \".add\");\n fd = open(log->path, O_WRONLY | O_CREAT | O_TRUNC, 0644);\n if (fd < 0)\n return -1;\n ret = (size_t)write(fd, data, len) != len;\n if (ret | close(fd))\n return -1;\n log_touch(log);\n\n /* mark log file with append in progress */\n if (log_mark(log, APPEND_OP))\n return -1;\n BAIL(8);\n\n /* append data (clears mark) */\n if (log_append(log, data, len))\n return -1;\n\n /* check to see if it's time to compress -- if not, then done */\n if (((log->last - log->first) >> 10) + (log->stored >> 10) < TRIGGER)\n return 0;\n\n /* time to compress */\n return gzlog_compress(log);\n}\n\n/* gzlog_close() return values:\n 0: ok\n -3: invalid log pointer argument */\nint gzlog_close(gzlog *logd)\n{\n struct log *log = logd;\n\n /* check arguments */\n if (log == NULL || strcmp(log->id, LOGID))\n return -3;\n\n /* close the log file and release the lock */\n log_close(log);\n\n /* free structure and return */\n if (log->path != NULL)\n free(log->path);\n strcpy(log->id, \"bad\");\n free(log);\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gzlog.h", "content": "/* gzlog.h\n Copyright (C) 2004, 2008, 2012 Mark Adler, all rights reserved\n version 2.2, 14 Aug 2012\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the author be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Mark Adler madler@alumni.caltech.edu\n */\n\n/* Version History:\n 1.0 26 Nov 2004 First version\n 2.0 25 Apr 2008 Complete redesign for recovery of interrupted operations\n Interface changed slightly in that now path is a prefix\n Compression now occurs as needed during gzlog_write()\n gzlog_write() now always leaves the log file as valid gzip\n 2.1 8 Jul 2012 Fix argument checks in gzlog_compress() and gzlog_write()\n 2.2 14 Aug 2012 Clean up signed comparisons\n */\n\n/*\n The gzlog object allows writing short messages to a gzipped log file,\n opening the log file locked for small bursts, and then closing it. The log\n object works by appending stored (uncompressed) data to the gzip file until\n 1 MB has been accumulated. At that time, the stored data is compressed, and\n replaces the uncompressed data in the file. The log file is truncated to\n its new size at that time. After each write operation, the log file is a\n valid gzip file that can decompressed to recover what was written.\n\n The gzlog operations can be interrupted at any point due to an application or\n system crash, and the log file will be recovered the next time the log is\n opened with gzlog_open().\n */\n\n#ifndef GZLOG_H\n#define GZLOG_H\n\n/* gzlog object type */\ntypedef void gzlog;\n\n/* Open a gzlog object, creating the log file if it does not exist. Return\n NULL on error. Note that gzlog_open() could take a while to complete if it\n has to wait to verify that a lock is stale (possibly for five minutes), or\n if there is significant contention with other instantiations of this object\n when locking the resource. path is the prefix of the file names created by\n this object. If path is \"foo\", then the log file will be \"foo.gz\", and\n other auxiliary files will be created and destroyed during the process:\n \"foo.dict\" for a compression dictionary, \"foo.temp\" for a temporary (next)\n dictionary, \"foo.add\" for data being added or compressed, \"foo.lock\" for the\n lock file, and \"foo.repairs\" to log recovery operations performed due to\n interrupted gzlog operations. A gzlog_open() followed by a gzlog_close()\n will recover a previously interrupted operation, if any. */\ngzlog *gzlog_open(char *path);\n\n/* Write to a gzlog object. Return zero on success, -1 if there is a file i/o\n error on any of the gzlog files (this should not happen if gzlog_open()\n succeeded, unless the device has run out of space or leftover auxiliary\n files have permissions or ownership that prevent their use), -2 if there is\n a memory allocation failure, or -3 if the log argument is invalid (e.g. if\n it was not created by gzlog_open()). This function will write data to the\n file uncompressed, until 1 MB has been accumulated, at which time that data\n will be compressed. The log file will be a valid gzip file upon successful\n return. */\nint gzlog_write(gzlog *log, void *data, size_t len);\n\n/* Force compression of any uncompressed data in the log. This should be used\n sparingly, if at all. The main application would be when a log file will\n not be appended to again. If this is used to compress frequently while\n appending, it will both significantly increase the execution time and\n reduce the compression ratio. The return codes are the same as for\n gzlog_write(). */\nint gzlog_compress(gzlog *log);\n\n/* Close a gzlog object. Return zero on success, -3 if the log argument is\n invalid. The log object is freed, and so cannot be referenced again. */\nint gzlog_close(gzlog *log);\n\n#endif\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/gznorm.c", "content": "/* gznorm.c -- normalize a gzip stream\n * Copyright (C) 2018 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n * Version 1.0 7 Oct 2018 Mark Adler */\n\n// gznorm takes a gzip stream, potentially containing multiple members, and\n// converts it to a gzip stream with a single member. In addition the gzip\n// header is normalized, removing the file name and time stamp, and setting the\n// other header contents (XFL, OS) to fixed values. gznorm does not recompress\n// the data, so it is fast, but no advantage is gained from the history that\n// could be available across member boundaries.\n\n#include // fread, fwrite, putc, fflush, ferror, fprintf,\n // vsnprintf, stdout, stderr, NULL, FILE\n#include // malloc, free\n#include // strerror\n#include // errno\n#include // va_list, va_start, va_end\n#include \"zlib.h\" // inflateInit2, inflate, inflateReset, inflateEnd,\n // z_stream, z_off_t, crc32_combine, Z_NULL, Z_BLOCK,\n // Z_OK, Z_STREAM_END, Z_BUF_ERROR, Z_DATA_ERROR,\n // Z_MEM_ERROR\n\n#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)\n# include \n# include \n# define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)\n#else\n# define SET_BINARY_MODE(file)\n#endif\n\n#define local static\n\n// printf to an allocated string. Return the string, or NULL if the printf or\n// allocation fails.\nlocal char *aprintf(char *fmt, ...) {\n // Get the length of the result of the printf.\n va_list args;\n va_start(args, fmt);\n int len = vsnprintf(NULL, 0, fmt, args);\n va_end(args);\n if (len < 0)\n return NULL;\n\n // Allocate the required space and printf to it.\n char *str = malloc(len + 1);\n if (str == NULL)\n return NULL;\n va_start(args, fmt);\n vsnprintf(str, len + 1, fmt, args);\n va_end(args);\n return str;\n}\n\n// Return with an error, putting an allocated error message in *err. Doing an\n// inflateEnd() on an already ended state, or one with state set to Z_NULL, is\n// permitted.\n#define BYE(...) \\\n do { \\\n inflateEnd(&strm); \\\n *err = aprintf(__VA_ARGS__); \\\n return 1; \\\n } while (0)\n\n// Chunk size for buffered reads and for decompression. Twice this many bytes\n// will be allocated on the stack by gzip_normalize(). Must fit in an unsigned.\n#define CHUNK 16384\n\n// Read a gzip stream from in and write an equivalent normalized gzip stream to\n// out. If given no input, an empty gzip stream will be written. If successful,\n// 0 is returned, and *err is set to NULL. On error, 1 is returned, where the\n// details of the error are returned in *err, a pointer to an allocated string.\n//\n// The input may be a stream with multiple gzip members, which is converted to\n// a single gzip member on the output. Each gzip member is decompressed at the\n// level of deflate blocks. This enables clearing the last-block bit, shifting\n// the compressed data to concatenate to the previous member's compressed data,\n// which can end at an arbitrary bit boundary, and identifying stored blocks in\n// order to resynchronize those to byte boundaries. The deflate compressed data\n// is terminated with a 10-bit empty fixed block. If any members on the input\n// end with a 10-bit empty fixed block, then that block is excised from the\n// stream. This avoids appending empty fixed blocks for every normalization,\n// and assures that gzip_normalize applied a second time will not change the\n// input. The pad bits after stored block headers and after the final deflate\n// block are all forced to zeros.\nlocal int gzip_normalize(FILE *in, FILE *out, char **err) {\n // initialize the inflate engine to process a gzip member\n z_stream strm;\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n if (inflateInit2(&strm, 15 + 16) != Z_OK)\n BYE(\"out of memory\");\n\n // State while processing the input gzip stream.\n enum { // BETWEEN -> HEAD -> BLOCK -> TAIL -> BETWEEN -> ...\n BETWEEN, // between gzip members (must end in this state)\n HEAD, // reading a gzip header\n BLOCK, // reading deflate blocks\n TAIL // reading a gzip trailer\n } state = BETWEEN; // current component being processed\n unsigned long crc = 0; // accumulated CRC of uncompressed data\n unsigned long len = 0; // accumulated length of uncompressed data\n unsigned long buf = 0; // deflate stream bit buffer of num bits\n int num = 0; // number of bits in buf (at bottom)\n\n // Write a canonical gzip header (no mod time, file name, comment, extra\n // block, or extra flags, and OS is marked as unknown).\n fwrite(\"\\x1f\\x8b\\x08\\0\\0\\0\\0\\0\\0\\xff\", 1, 10, out);\n\n // Process the gzip stream from in until reaching the end of the input,\n // encountering invalid input, or experiencing an i/o error.\n int more; // true if not at the end of the input\n do {\n // State inside this loop.\n unsigned char *put; // next input buffer location to process\n int prev; // number of bits from previous block in\n // the bit buffer, or -1 if not at the\n // start of a block\n unsigned long long memb; // uncompressed length of member\n size_t tail; // number of trailer bytes read (0..8)\n unsigned long part; // accumulated trailer component\n\n // Get the next chunk of input from in.\n unsigned char dat[CHUNK];\n strm.avail_in = fread(dat, 1, CHUNK, in);\n if (strm.avail_in == 0)\n break;\n more = strm.avail_in == CHUNK;\n strm.next_in = put = dat;\n\n // Run that chunk of input through the inflate engine to exhaustion.\n do {\n // At this point it is assured that strm.avail_in > 0.\n\n // Inflate until the end of a gzip component (header, deflate\n // block, trailer) is reached, or until all of the chunk is\n // consumed. The resulting decompressed data is discarded, though\n // the total size of the decompressed data in each member is\n // tracked, for the calculation of the total CRC.\n do {\n // inflate and handle any errors\n unsigned char scrap[CHUNK];\n strm.avail_out = CHUNK;\n strm.next_out = scrap;\n int ret = inflate(&strm, Z_BLOCK);\n if (ret == Z_MEM_ERROR)\n BYE(\"out of memory\");\n if (ret == Z_DATA_ERROR)\n BYE(\"input invalid: %s\", strm.msg);\n if (ret != Z_OK && ret != Z_BUF_ERROR && ret != Z_STREAM_END)\n BYE(\"internal error\");\n\n // Update the number of uncompressed bytes generated in this\n // member. The actual count (not modulo 2^32) is required to\n // correctly compute the total CRC.\n unsigned got = CHUNK - strm.avail_out;\n memb += got;\n if (memb < got)\n BYE(\"overflow error\");\n\n // Continue to process this chunk until it is consumed, or\n // until the end of a component (header, deflate block, or\n // trailer) is reached.\n } while (strm.avail_out == 0 && (strm.data_type & 0x80) == 0);\n\n // Since strm.avail_in was > 0 for the inflate call, some input was\n // just consumed. It is therefore assured that put < strm.next_in.\n\n // Disposition the consumed component or part of a component.\n switch (state) {\n case BETWEEN:\n state = HEAD;\n // Fall through to HEAD when some or all of the header is\n // processed.\n\n case HEAD:\n // Discard the header.\n if (strm.data_type & 0x80) {\n // End of header reached -- deflate blocks follow.\n put = strm.next_in;\n prev = num;\n memb = 0;\n state = BLOCK;\n }\n break;\n\n case BLOCK:\n // Copy the deflate stream to the output, but with the\n // last-block-bit cleared. Re-synchronize stored block\n // headers to the output byte boundaries. The bytes at\n // put..strm.next_in-1 is the compressed data that has been\n // processed and is ready to be copied to the output.\n\n // At this point, it is assured that new compressed data is\n // available, i.e., put < strm.next_in. If prev is -1, then\n // that compressed data starts in the middle of a deflate\n // block. If prev is not -1, then the bits in the bit\n // buffer, possibly combined with the bits in *put, contain\n // the three-bit header of the new deflate block. In that\n // case, prev is the number of bits from the previous block\n // that remain in the bit buffer. Since num is the number\n // of bits in the bit buffer, we have that num - prev is\n // the number of bits from the new block currently in the\n // bit buffer.\n\n // If strm.data_type & 0xc0 is 0x80, then the last byte of\n // the available compressed data includes the last bits of\n // the end of a deflate block. In that case, that last byte\n // also has strm.data_type & 0x1f bits of the next deflate\n // block, in the range 0..7. If strm.data_type & 0xc0 is\n // 0xc0, then the last byte of the compressed data is the\n // end of the deflate stream, followed by strm.data_type &\n // 0x1f pad bits, also in the range 0..7.\n\n // Set bits to the number of bits not yet consumed from the\n // last byte. If we are at the end of the block, bits is\n // either the number of bits in the last byte belonging to\n // the next block, or the number of pad bits after the\n // final block. In either of those cases, bits is in the\n // range 0..7.\n ; // (required due to C syntax oddity)\n int bits = strm.data_type & 0x1f;\n\n if (prev != -1) {\n // We are at the start of a new block. Clear the last\n // block bit, and check for special cases. If it is a\n // stored block, then emit the header and pad to the\n // next byte boundary. If it is a final, empty fixed\n // block, then excise it.\n\n // Some or all of the three header bits for this block\n // may already be in the bit buffer. Load any remaining\n // header bits into the bit buffer.\n if (num - prev < 3) {\n buf += (unsigned long)*put++ << num;\n num += 8;\n }\n\n // Set last to have a 1 in the position of the last\n // block bit in the bit buffer.\n unsigned long last = (unsigned long)1 << prev;\n\n if (((buf >> prev) & 7) == 3) {\n // This is a final fixed block. Load at least ten\n // bits from this block, including the header, into\n // the bit buffer. We already have at least three,\n // so at most one more byte needs to be loaded.\n if (num - prev < 10) {\n if (put == strm.next_in)\n // Need to go get and process more input.\n // We'll end up back here to finish this.\n break;\n buf += (unsigned long)*put++ << num;\n num += 8;\n }\n if (((buf >> prev) & 0x3ff) == 3) {\n // That final fixed block is empty. Delete it\n // to avoid adding an empty block every time a\n // gzip stream is normalized.\n num = prev;\n buf &= last - 1; // zero the pad bits\n }\n }\n else if (((buf >> prev) & 6) == 0) {\n // This is a stored block. Flush to the next\n // byte boundary after the three-bit header.\n num = (prev + 10) & ~7;\n buf &= last - 1; // zero the pad bits\n }\n\n // Clear the last block bit.\n buf &= ~last;\n\n // Write out complete bytes in the bit buffer.\n while (num >= 8) {\n putc(buf, out);\n buf >>= 8;\n num -= 8;\n }\n\n // If no more bytes left to process, then we have\n // consumed the byte that had bits from the next block.\n if (put == strm.next_in)\n bits = 0;\n }\n\n // We are done handling the deflate block header. Now copy\n // all or almost all of the remaining compressed data that\n // has been processed so far. Don't copy one byte at the\n // end if it contains bits from the next deflate block or\n // pad bits at the end of a deflate block.\n\n // mix is 1 if we are at the end of a deflate block, and if\n // some of the bits in the last byte follow this block. mix\n // is 0 if we are in the middle of a deflate block, if the\n // deflate block ended on a byte boundary, or if all of the\n // compressed data processed so far has been consumed.\n int mix = (strm.data_type & 0x80) && bits;\n\n // Copy all of the processed compressed data to the output,\n // except for the last byte if it contains bits from the\n // next deflate block or pad bits at the end of the deflate\n // stream. Copy the data after shifting in num bits from\n // buf in front of it, leaving num bits from the end of the\n // compressed data in buf when done.\n unsigned char *end = strm.next_in - mix;\n if (put < end) {\n if (num)\n // Insert num bits from buf before the data being\n // copied.\n do {\n buf += (unsigned)(*put++) << num;\n putc(buf, out);\n buf >>= 8;\n } while (put < end);\n else {\n // No shifting needed -- write directly.\n fwrite(put, 1, end - put, out);\n put = end;\n }\n }\n\n // Process the last processed byte if it wasn't written.\n if (mix) {\n // Load the last byte into the bit buffer.\n buf += (unsigned)(*put++) << num;\n num += 8;\n\n if (strm.data_type & 0x40) {\n // We are at the end of the deflate stream and\n // there are bits pad bits. Discard the pad bits\n // and write a byte to the output, if available.\n // Leave the num bits left over in buf to prepend\n // to the next deflate stream.\n num -= bits;\n if (num >= 8) {\n putc(buf, out);\n num -= 8;\n buf >>= 8;\n }\n\n // Force the pad bits in the bit buffer to zeros.\n buf &= ((unsigned long)1 << num) - 1;\n\n // Don't need to set prev here since going to TAIL.\n }\n else\n // At the end of an internal deflate block. Leave\n // the last byte in the bit buffer to examine on\n // the next entry to BLOCK, when more bits from the\n // next block will be available.\n prev = num - bits; // number of bits in buffer\n // from current block\n }\n\n // Don't have a byte left over, so we are in the middle of\n // a deflate block, or the deflate block ended on a byte\n // boundary. Set prev appropriately for the next entry into\n // BLOCK.\n else if (strm.data_type & 0x80)\n // The block ended on a byte boundary, so no header\n // bits are in the bit buffer.\n prev = num;\n else\n // In the middle of a deflate block, so no header here.\n prev = -1;\n\n // Check for the end of the deflate stream.\n if ((strm.data_type & 0xc0) == 0xc0) {\n // That ends the deflate stream on the input side, the\n // pad bits were discarded, and any remaining bits from\n // the last block in the stream are saved in the bit\n // buffer to prepend to the next stream. Process the\n // gzip trailer next.\n tail = 0;\n part = 0;\n state = TAIL;\n }\n break;\n\n case TAIL:\n // Accumulate available trailer bytes to update the total\n // CRC and the total uncompressed length.\n do {\n part = (part >> 8) + ((unsigned long)(*put++) << 24);\n tail++;\n if (tail == 4) {\n // Update the total CRC.\n z_off_t len2 = memb;\n if (len2 < 0 || (unsigned long long)len2 != memb)\n BYE(\"overflow error\");\n crc = crc ? crc32_combine(crc, part, len2) : part;\n part = 0;\n }\n else if (tail == 8) {\n // Update the total uncompressed length. (It's ok\n // if this sum is done modulo 2^32.)\n len += part;\n\n // At the end of a member. Set up to inflate an\n // immediately following gzip member. (If we made\n // it this far, then the trailer was valid.)\n if (inflateReset(&strm) != Z_OK)\n BYE(\"internal error\");\n state = BETWEEN;\n break;\n }\n } while (put < strm.next_in);\n break;\n }\n\n // Process the input buffer until completely consumed.\n } while (strm.avail_in > 0);\n\n // Process input until end of file, invalid input, or i/o error.\n } while (more);\n\n // Done with the inflate engine.\n inflateEnd(&strm);\n\n // Verify the validity of the input.\n if (state != BETWEEN)\n BYE(\"input invalid: incomplete gzip stream\");\n\n // Write the remaining deflate stream bits, followed by a terminating\n // deflate fixed block.\n buf += (unsigned long)3 << num;\n putc(buf, out);\n putc(buf >> 8, out);\n if (num > 6)\n putc(0, out);\n\n // Write the gzip trailer, which is the CRC and the uncompressed length\n // modulo 2^32, both in little-endian order.\n putc(crc, out);\n putc(crc >> 8, out);\n putc(crc >> 16, out);\n putc(crc >> 24, out);\n putc(len, out);\n putc(len >> 8, out);\n putc(len >> 16, out);\n putc(len >> 24, out);\n fflush(out);\n\n // Check for any i/o errors.\n if (ferror(in) || ferror(out))\n BYE(\"i/o error: %s\", strerror(errno));\n\n // All good!\n *err = NULL;\n return 0;\n}\n\n// Normalize the gzip stream on stdin, writing the result to stdout.\nint main(void) {\n // Avoid end-of-line conversions on evil operating systems.\n SET_BINARY_MODE(stdin);\n SET_BINARY_MODE(stdout);\n\n // Normalize from stdin to stdout, returning 1 on error, 0 if ok.\n char *err;\n int ret = gzip_normalize(stdin, stdout, &err);\n if (ret)\n fprintf(stderr, \"gznorm error: %s\\n\", err);\n free(err);\n return ret;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zlib_how.html", "content": "\n\n\n\nzlib Usage Example\n\n\n\n

zlib Usage Example

\nWe often get questions about how the deflate() and inflate() functions should be used.\nUsers wonder when they should provide more input, when they should use more output,\nwhat to do with a Z_BUF_ERROR, how to make sure the process terminates properly, and\nso on. So for those who have read zlib.h (a few times), and\nwould like further edification, below is an annotated example in C of simple routines to compress and decompress\nfrom an input file to an output file using deflate() and inflate() respectively. The\nannotations are interspersed between lines of the code. So please read between the lines.\nWe hope this helps explain some of the intricacies of zlib.\n

\nWithout further ado, here is the program zpipe.c:\n

\n/* zpipe.c: example of proper use of zlib's inflate() and deflate()\n   Not copyrighted -- provided to the public domain\n   Version 1.4  11 December 2005  Mark Adler */\n\n/* Version history:\n   1.0  30 Oct 2004  First version\n   1.1   8 Nov 2004  Add void casting for unused return values\n                     Use switch statement for inflate() return values\n   1.2   9 Nov 2004  Add assertions to document zlib guarantees\n   1.3   6 Apr 2005  Remove incorrect assertion in inf()\n   1.4  11 Dec 2005  Add hack to avoid MSDOS end-of-line conversions\n                     Avoid some compiler warnings for input and output buffers\n */\n
\nWe now include the header files for the required definitions. From\nstdio.h we use fopen(), fread(), fwrite(),\nfeof(), ferror(), and fclose() for file i/o, and\nfputs() for error messages. From string.h we use\nstrcmp() for command line argument processing.\nFrom assert.h we use the assert() macro.\nFrom zlib.h\nwe use the basic compression functions deflateInit(),\ndeflate(), and deflateEnd(), and the basic decompression\nfunctions inflateInit(), inflate(), and\ninflateEnd().\n
\n#include <stdio.h>\n#include <string.h>\n#include <assert.h>\n#include \"zlib.h\"\n
\nThis is an ugly hack required to avoid corruption of the input and output data on\nWindows/MS-DOS systems. Without this, those systems would assume that the input and output\nfiles are text, and try to convert the end-of-line characters from one standard to\nanother. That would corrupt binary data, and in particular would render the compressed data unusable.\nThis sets the input and output to binary which suppresses the end-of-line conversions.\nSET_BINARY_MODE() will be used later on stdin and stdout, at the beginning of main().\n
\n#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)\n#  include <fcntl.h>\n#  include <io.h>\n#  define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)\n#else\n#  define SET_BINARY_MODE(file)\n#endif\n
\nCHUNK is simply the buffer size for feeding data to and pulling data\nfrom the zlib routines. Larger buffer sizes would be more efficient,\nespecially for inflate(). If the memory is available, buffers sizes\non the order of 128K or 256K bytes should be used.\n
\n#define CHUNK 16384\n
\nThe def() routine compresses data from an input file to an output file. The output data\nwill be in the zlib format, which is different from the gzip or zip\nformats. The zlib format has a very small header of only two bytes to identify it as\na zlib stream and to provide decoding information, and a four-byte trailer with a fast\ncheck value to verify the integrity of the uncompressed data after decoding.\n
\n/* Compress from file source to file dest until EOF on source.\n   def() returns Z_OK on success, Z_MEM_ERROR if memory could not be\n   allocated for processing, Z_STREAM_ERROR if an invalid compression\n   level is supplied, Z_VERSION_ERROR if the version of zlib.h and the\n   version of the library linked do not match, or Z_ERRNO if there is\n   an error reading or writing the files. */\nint def(FILE *source, FILE *dest, int level)\n{\n
\nHere are the local variables for def(). ret will be used for zlib\nreturn codes. flush will keep track of the current flushing state for deflate(),\nwhich is either no flushing, or flush to completion after the end of the input file is reached.\nhave is the amount of data returned from deflate(). The strm structure\nis used to pass information to and from the zlib routines, and to maintain the\ndeflate() state. in and out are the input and output buffers for\ndeflate().\n
\n    int ret, flush;\n    unsigned have;\n    z_stream strm;\n    unsigned char in[CHUNK];\n    unsigned char out[CHUNK];\n
\nThe first thing we do is to initialize the zlib state for compression using\ndeflateInit(). This must be done before the first use of deflate().\nThe zalloc, zfree, and opaque fields in the strm\nstructure must be initialized before calling deflateInit(). Here they are\nset to the zlib constant Z_NULL to request that zlib use\nthe default memory allocation routines. An application may also choose to provide\ncustom memory allocation routines here. deflateInit() will allocate on the\norder of 256K bytes for the internal state.\n(See zlib Technical Details.)\n

\ndeflateInit() is called with a pointer to the structure to be initialized and\nthe compression level, which is an integer in the range of -1 to 9. Lower compression\nlevels result in faster execution, but less compression. Higher levels result in\ngreater compression, but slower execution. The zlib constant Z_DEFAULT_COMPRESSION,\nequal to -1,\nprovides a good compromise between compression and speed and is equivalent to level 6.\nLevel 0 actually does no compression at all, and in fact expands the data slightly to produce\nthe zlib format (it is not a byte-for-byte copy of the input).\nMore advanced applications of zlib\nmay use deflateInit2() here instead. Such an application may want to reduce how\nmuch memory will be used, at some price in compression. Or it may need to request a\ngzip header and trailer instead of a zlib header and trailer, or raw\nencoding with no header or trailer at all.\n

\nWe must check the return value of deflateInit() against the zlib constant\nZ_OK to make sure that it was able to\nallocate memory for the internal state, and that the provided arguments were valid.\ndeflateInit() will also check that the version of zlib that the zlib.h\nfile came from matches the version of zlib actually linked with the program. This\nis especially important for environments in which zlib is a shared library.\n

\nNote that an application can initialize multiple, independent zlib streams, which can\noperate in parallel. The state information maintained in the structure allows the zlib\nroutines to be reentrant.\n

\n    /* allocate deflate state */\n    strm.zalloc = Z_NULL;\n    strm.zfree = Z_NULL;\n    strm.opaque = Z_NULL;\n    ret = deflateInit(&strm, level);\n    if (ret != Z_OK)\n        return ret;\n
\nWith the pleasantries out of the way, now we can get down to business. The outer do-loop\nreads all of the input file and exits at the bottom of the loop once end-of-file is reached.\nThis loop contains the only call of deflate(). So we must make sure that all of the\ninput data has been processed and that all of the output data has been generated and consumed\nbefore we fall out of the loop at the bottom.\n
\n    /* compress until end of file */\n    do {\n
\nWe start off by reading data from the input file. The number of bytes read is put directly\ninto avail_in, and a pointer to those bytes is put into next_in. We also\ncheck to see if end-of-file on the input has been reached using feof().\nIf we are at the end of file, then flush is set to the\nzlib constant Z_FINISH, which is later passed to deflate() to\nindicate that this is the last chunk of input data to compress.\nIf we are not yet at the end of the input, then the zlib\nconstant Z_NO_FLUSH will be passed to deflate to indicate that we are still\nin the middle of the uncompressed data.\n

\nIf there is an error in reading from the input file, the process is aborted with\ndeflateEnd() being called to free the allocated zlib state before returning\nthe error. We wouldn't want a memory leak, now would we? deflateEnd() can be called\nat any time after the state has been initialized. Once that's done, deflateInit() (or\ndeflateInit2()) would have to be called to start a new compression process. There is\nno point here in checking the deflateEnd() return code. The deallocation can't fail.\n

\n        strm.avail_in = fread(in, 1, CHUNK, source);\n        if (ferror(source)) {\n            (void)deflateEnd(&strm);\n            return Z_ERRNO;\n        }\n        flush = feof(source) ? Z_FINISH : Z_NO_FLUSH;\n        strm.next_in = in;\n
\nThe inner do-loop passes our chunk of input data to deflate(), and then\nkeeps calling deflate() until it is done producing output. Once there is no more\nnew output, deflate() is guaranteed to have consumed all of the input, i.e.,\navail_in will be zero.\n
\n        /* run deflate() on input until output buffer not full, finish\n           compression if all of source has been read in */\n        do {\n
\nOutput space is provided to deflate() by setting avail_out to the number\nof available output bytes and next_out to a pointer to that space.\n
\n            strm.avail_out = CHUNK;\n            strm.next_out = out;\n
\nNow we call the compression engine itself, deflate(). It takes as many of the\navail_in bytes at next_in as it can process, and writes as many as\navail_out bytes to next_out. Those counters and pointers are then\nupdated past the input data consumed and the output data written. It is the amount of\noutput space available that may limit how much input is consumed.\nHence the inner loop to make sure that\nall of the input is consumed by providing more output space each time. Since avail_in\nand next_in are updated by deflate(), we don't have to mess with those\nbetween deflate() calls until it's all used up.\n

\nThe parameters to deflate() are a pointer to the strm structure containing\nthe input and output information and the internal compression engine state, and a parameter\nindicating whether and how to flush data to the output. Normally deflate will consume\nseveral K bytes of input data before producing any output (except for the header), in order\nto accumulate statistics on the data for optimum compression. It will then put out a burst of\ncompressed data, and proceed to consume more input before the next burst. Eventually,\ndeflate()\nmust be told to terminate the stream, complete the compression with provided input data, and\nwrite out the trailer check value. deflate() will continue to compress normally as long\nas the flush parameter is Z_NO_FLUSH. Once the Z_FINISH parameter is provided,\ndeflate() will begin to complete the compressed output stream. However depending on how\nmuch output space is provided, deflate() may have to be called several times until it\nhas provided the complete compressed stream, even after it has consumed all of the input. The flush\nparameter must continue to be Z_FINISH for those subsequent calls.\n

\nThere are other values of the flush parameter that are used in more advanced applications. You can\nforce deflate() to produce a burst of output that encodes all of the input data provided\nso far, even if it wouldn't have otherwise, for example to control data latency on a link with\ncompressed data. You can also ask that deflate() do that as well as erase any history up to\nthat point so that what follows can be decompressed independently, for example for random access\napplications. Both requests will degrade compression by an amount depending on how often such\nrequests are made.\n

\ndeflate() has a return value that can indicate errors, yet we do not check it here. Why\nnot? Well, it turns out that deflate() can do no wrong here. Let's go through\ndeflate()'s return values and dispense with them one by one. The possible values are\nZ_OK, Z_STREAM_END, Z_STREAM_ERROR, or Z_BUF_ERROR. Z_OK\nis, well, ok. Z_STREAM_END is also ok and will be returned for the last call of\ndeflate(). This is already guaranteed by calling deflate() with Z_FINISH\nuntil it has no more output. Z_STREAM_ERROR is only possible if the stream is not\ninitialized properly, but we did initialize it properly. There is no harm in checking for\nZ_STREAM_ERROR here, for example to check for the possibility that some\nother part of the application inadvertently clobbered the memory containing the zlib state.\nZ_BUF_ERROR will be explained further below, but\nsuffice it to say that this is simply an indication that deflate() could not consume\nmore input or produce more output. deflate() can be called again with more output space\nor more available input, which it will be in this code.\n

\n            ret = deflate(&strm, flush);    /* no bad return value */\n            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */\n
\nNow we compute how much output deflate() provided on the last call, which is the\ndifference between how much space was provided before the call, and how much output space\nis still available after the call. Then that data, if any, is written to the output file.\nWe can then reuse the output buffer for the next call of deflate(). Again if there\nis a file i/o error, we call deflateEnd() before returning to avoid a memory leak.\n
\n            have = CHUNK - strm.avail_out;\n            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {\n                (void)deflateEnd(&strm);\n                return Z_ERRNO;\n            }\n
\nThe inner do-loop is repeated until the last deflate() call fails to fill the\nprovided output buffer. Then we know that deflate() has done as much as it can with\nthe provided input, and that all of that input has been consumed. We can then fall out of this\nloop and reuse the input buffer.\n

\nThe way we tell that deflate() has no more output is by seeing that it did not fill\nthe output buffer, leaving avail_out greater than zero. However suppose that\ndeflate() has no more output, but just so happened to exactly fill the output buffer!\navail_out is zero, and we can't tell that deflate() has done all it can.\nAs far as we know, deflate()\nhas more output for us. So we call it again. But now deflate() produces no output\nat all, and avail_out remains unchanged as CHUNK. That deflate() call\nwasn't able to do anything, either consume input or produce output, and so it returns\nZ_BUF_ERROR. (See, I told you I'd cover this later.) However this is not a problem at\nall. Now we finally have the desired indication that deflate() is really done,\nand so we drop out of the inner loop to provide more input to deflate().\n

\nWith flush set to Z_FINISH, this final set of deflate() calls will\ncomplete the output stream. Once that is done, subsequent calls of deflate() would return\nZ_STREAM_ERROR if the flush parameter is not Z_FINISH, and do no more processing\nuntil the state is reinitialized.\n

\nSome applications of zlib have two loops that call deflate()\ninstead of the single inner loop we have here. The first loop would call\nwithout flushing and feed all of the data to deflate(). The second loop would call\ndeflate() with no more\ndata and the Z_FINISH parameter to complete the process. As you can see from this\nexample, that can be avoided by simply keeping track of the current flush state.\n

\n        } while (strm.avail_out == 0);\n        assert(strm.avail_in == 0);     /* all input will be used */\n
\nNow we check to see if we have already processed all of the input file. That information was\nsaved in the flush variable, so we see if that was set to Z_FINISH. If so,\nthen we're done and we fall out of the outer loop. We're guaranteed to get Z_STREAM_END\nfrom the last deflate() call, since we ran it until the last chunk of input was\nconsumed and all of the output was generated.\n
\n        /* done when last data in file processed */\n    } while (flush != Z_FINISH);\n    assert(ret == Z_STREAM_END);        /* stream will be complete */\n
\nThe process is complete, but we still need to deallocate the state to avoid a memory leak\n(or rather more like a memory hemorrhage if you didn't do this). Then\nfinally we can return with a happy return value.\n
\n    /* clean up and return */\n    (void)deflateEnd(&strm);\n    return Z_OK;\n}\n
\nNow we do the same thing for decompression in the inf() routine. inf()\ndecompresses what is hopefully a valid zlib stream from the input file and writes the\nuncompressed data to the output file. Much of the discussion above for def()\napplies to inf() as well, so the discussion here will focus on the differences between\nthe two.\n
\n/* Decompress from file source to file dest until stream ends or EOF.\n   inf() returns Z_OK on success, Z_MEM_ERROR if memory could not be\n   allocated for processing, Z_DATA_ERROR if the deflate data is\n   invalid or incomplete, Z_VERSION_ERROR if the version of zlib.h and\n   the version of the library linked do not match, or Z_ERRNO if there\n   is an error reading or writing the files. */\nint inf(FILE *source, FILE *dest)\n{\n
\nThe local variables have the same functionality as they do for def(). The\nonly difference is that there is no flush variable, since inflate()\ncan tell from the zlib stream itself when the stream is complete.\n
\n    int ret;\n    unsigned have;\n    z_stream strm;\n    unsigned char in[CHUNK];\n    unsigned char out[CHUNK];\n
\nThe initialization of the state is the same, except that there is no compression level,\nof course, and two more elements of the structure are initialized. avail_in\nand next_in must be initialized before calling inflateInit(). This\nis because the application has the option to provide the start of the zlib stream in\norder for inflateInit() to have access to information about the compression\nmethod to aid in memory allocation. In the current implementation of zlib\n(up through versions 1.2.x), the method-dependent memory allocations are deferred to the first call of\ninflate() anyway. However those fields must be initialized since later versions\nof zlib that provide more compression methods may take advantage of this interface.\nIn any case, no decompression is performed by inflateInit(), so the\navail_out and next_out fields do not need to be initialized before calling.\n

\nHere avail_in is set to zero and next_in is set to Z_NULL to\nindicate that no input data is being provided.\n

\n    /* allocate inflate state */\n    strm.zalloc = Z_NULL;\n    strm.zfree = Z_NULL;\n    strm.opaque = Z_NULL;\n    strm.avail_in = 0;\n    strm.next_in = Z_NULL;\n    ret = inflateInit(&strm);\n    if (ret != Z_OK)\n        return ret;\n
\nThe outer do-loop decompresses input until inflate() indicates\nthat it has reached the end of the compressed data and has produced all of the uncompressed\noutput. This is in contrast to def() which processes all of the input file.\nIf end-of-file is reached before the compressed data self-terminates, then the compressed\ndata is incomplete and an error is returned.\n
\n    /* decompress until deflate stream ends or end of file */\n    do {\n
\nWe read input data and set the strm structure accordingly. If we've reached the\nend of the input file, then we leave the outer loop and report an error, since the\ncompressed data is incomplete. Note that we may read more data than is eventually consumed\nby inflate(), if the input file continues past the zlib stream.\nFor applications where zlib streams are embedded in other data, this routine would\nneed to be modified to return the unused data, or at least indicate how much of the input\ndata was not used, so the application would know where to pick up after the zlib stream.\n
\n        strm.avail_in = fread(in, 1, CHUNK, source);\n        if (ferror(source)) {\n            (void)inflateEnd(&strm);\n            return Z_ERRNO;\n        }\n        if (strm.avail_in == 0)\n            break;\n        strm.next_in = in;\n
\nThe inner do-loop has the same function it did in def(), which is to\nkeep calling inflate() until has generated all of the output it can with the\nprovided input.\n
\n        /* run inflate() on input until output buffer not full */\n        do {\n
\nJust like in def(), the same output space is provided for each call of inflate().\n
\n            strm.avail_out = CHUNK;\n            strm.next_out = out;\n
\nNow we run the decompression engine itself. There is no need to adjust the flush parameter, since\nthe zlib format is self-terminating. The main difference here is that there are\nreturn values that we need to pay attention to. Z_DATA_ERROR\nindicates that inflate() detected an error in the zlib compressed data format,\nwhich means that either the data is not a zlib stream to begin with, or that the data was\ncorrupted somewhere along the way since it was compressed. The other error to be processed is\nZ_MEM_ERROR, which can occur since memory allocation is deferred until inflate()\nneeds it, unlike deflate(), whose memory is allocated at the start by deflateInit().\n

\nAdvanced applications may use\ndeflateSetDictionary() to prime deflate() with a set of likely data to improve the\nfirst 32K or so of compression. This is noted in the zlib header, so inflate()\nrequests that that dictionary be provided before it can start to decompress. Without the dictionary,\ncorrect decompression is not possible. For this routine, we have no idea what the dictionary is,\nso the Z_NEED_DICT indication is converted to a Z_DATA_ERROR.\n

\ninflate() can also return Z_STREAM_ERROR, which should not be possible here,\nbut could be checked for as noted above for def(). Z_BUF_ERROR does not need to be\nchecked for here, for the same reasons noted for def(). Z_STREAM_END will be\nchecked for later.\n

\n            ret = inflate(&strm, Z_NO_FLUSH);\n            assert(ret != Z_STREAM_ERROR);  /* state not clobbered */\n            switch (ret) {\n            case Z_NEED_DICT:\n                ret = Z_DATA_ERROR;     /* and fall through */\n            case Z_DATA_ERROR:\n            case Z_MEM_ERROR:\n                (void)inflateEnd(&strm);\n                return ret;\n            }\n
\nThe output of inflate() is handled identically to that of deflate().\n
\n            have = CHUNK - strm.avail_out;\n            if (fwrite(out, 1, have, dest) != have || ferror(dest)) {\n                (void)inflateEnd(&strm);\n                return Z_ERRNO;\n            }\n
\nThe inner do-loop ends when inflate() has no more output as indicated\nby not filling the output buffer, just as for deflate(). In this case, we cannot\nassert that strm.avail_in will be zero, since the deflate stream may end before the file\ndoes.\n
\n        } while (strm.avail_out == 0);\n
\nThe outer do-loop ends when inflate() reports that it has reached the\nend of the input zlib stream, has completed the decompression and integrity\ncheck, and has provided all of the output. This is indicated by the inflate()\nreturn value Z_STREAM_END. The inner loop is guaranteed to leave ret\nequal to Z_STREAM_END if the last chunk of the input file read contained the end\nof the zlib stream. So if the return value is not Z_STREAM_END, the\nloop continues to read more input.\n
\n        /* done when inflate() says it's done */\n    } while (ret != Z_STREAM_END);\n
\nAt this point, decompression successfully completed, or we broke out of the loop due to no\nmore data being available from the input file. If the last inflate() return value\nis not Z_STREAM_END, then the zlib stream was incomplete and a data error\nis returned. Otherwise, we return with a happy return value. Of course, inflateEnd()\nis called first to avoid a memory leak.\n
\n    /* clean up and return */\n    (void)inflateEnd(&strm);\n    return ret == Z_STREAM_END ? Z_OK : Z_DATA_ERROR;\n}\n
\nThat ends the routines that directly use zlib. The following routines make this\na command-line program by running data through the above routines from stdin to\nstdout, and handling any errors reported by def() or inf().\n

\nzerr() is used to interpret the possible error codes from def()\nand inf(), as detailed in their comments above, and print out an error message.\nNote that these are only a subset of the possible return values from deflate()\nand inflate().\n

\n/* report a zlib or i/o error */\nvoid zerr(int ret)\n{\n    fputs(\"zpipe: \", stderr);\n    switch (ret) {\n    case Z_ERRNO:\n        if (ferror(stdin))\n            fputs(\"error reading stdin\\n\", stderr);\n        if (ferror(stdout))\n            fputs(\"error writing stdout\\n\", stderr);\n        break;\n    case Z_STREAM_ERROR:\n        fputs(\"invalid compression level\\n\", stderr);\n        break;\n    case Z_DATA_ERROR:\n        fputs(\"invalid or incomplete deflate data\\n\", stderr);\n        break;\n    case Z_MEM_ERROR:\n        fputs(\"out of memory\\n\", stderr);\n        break;\n    case Z_VERSION_ERROR:\n        fputs(\"zlib version mismatch!\\n\", stderr);\n    }\n}\n
\nHere is the main() routine used to test def() and inf(). The\nzpipe command is simply a compression pipe from stdin to stdout, if\nno arguments are given, or it is a decompression pipe if zpipe -d is used. If any other\narguments are provided, no compression or decompression is performed. Instead a usage\nmessage is displayed. Examples are zpipe < foo.txt > foo.txt.z to compress, and\nzpipe -d < foo.txt.z > foo.txt to decompress.\n
\n/* compress or decompress from stdin to stdout */\nint main(int argc, char **argv)\n{\n    int ret;\n\n    /* avoid end-of-line conversions */\n    SET_BINARY_MODE(stdin);\n    SET_BINARY_MODE(stdout);\n\n    /* do compression if no arguments */\n    if (argc == 1) {\n        ret = def(stdin, stdout, Z_DEFAULT_COMPRESSION);\n        if (ret != Z_OK)\n            zerr(ret);\n        return ret;\n    }\n\n    /* do decompression if -d specified */\n    else if (argc == 2 && strcmp(argv[1], \"-d\") == 0) {\n        ret = inf(stdin, stdout);\n        if (ret != Z_OK)\n            zerr(ret);\n        return ret;\n    }\n\n    /* otherwise, report usage */\n    else {\n        fputs(\"zpipe usage: zpipe [-d] < source > dest\\n\", stderr);\n        return 1;\n    }\n}\n
\n
\nLast modified 24 January 2023
\nCopyright © 2004-2023 Mark Adler
\n\n\"Creative\n\nCreative Commons Attribution-NoDerivatives 4.0 International License.\n\n\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zpipe.c", "content": "/* zpipe.c: example of proper use of zlib's inflate() and deflate()\n Not copyrighted -- provided to the public domain\n Version 1.4 11 December 2005 Mark Adler */\n\n/* Version history:\n 1.0 30 Oct 2004 First version\n 1.1 8 Nov 2004 Add void casting for unused return values\n Use switch statement for inflate() return values\n 1.2 9 Nov 2004 Add assertions to document zlib guarantees\n 1.3 6 Apr 2005 Remove incorrect assertion in inf()\n 1.4 11 Dec 2005 Add hack to avoid MSDOS end-of-line conversions\n Avoid some compiler warnings for input and output buffers\n */\n\n#include \n#include \n#include \n#include \"zlib.h\"\n\n#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)\n# include \n# include \n# define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)\n#else\n# define SET_BINARY_MODE(file)\n#endif\n\n#define CHUNK 16384\n\n/* Compress from file source to file dest until EOF on source.\n def() returns Z_OK on success, Z_MEM_ERROR if memory could not be\n allocated for processing, Z_STREAM_ERROR if an invalid compression\n level is supplied, Z_VERSION_ERROR if the version of zlib.h and the\n version of the library linked do not match, or Z_ERRNO if there is\n an error reading or writing the files. */\nint def(FILE *source, FILE *dest, int level)\n{\n int ret, flush;\n unsigned have;\n z_stream strm;\n unsigned char in[CHUNK];\n unsigned char out[CHUNK];\n\n /* allocate deflate state */\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n ret = deflateInit(&strm, level);\n if (ret != Z_OK)\n return ret;\n\n /* compress until end of file */\n do {\n strm.avail_in = fread(in, 1, CHUNK, source);\n if (ferror(source)) {\n (void)deflateEnd(&strm);\n return Z_ERRNO;\n }\n flush = feof(source) ? Z_FINISH : Z_NO_FLUSH;\n strm.next_in = in;\n\n /* run deflate() on input until output buffer not full, finish\n compression if all of source has been read in */\n do {\n strm.avail_out = CHUNK;\n strm.next_out = out;\n ret = deflate(&strm, flush); /* no bad return value */\n assert(ret != Z_STREAM_ERROR); /* state not clobbered */\n have = CHUNK - strm.avail_out;\n if (fwrite(out, 1, have, dest) != have || ferror(dest)) {\n (void)deflateEnd(&strm);\n return Z_ERRNO;\n }\n } while (strm.avail_out == 0);\n assert(strm.avail_in == 0); /* all input will be used */\n\n /* done when last data in file processed */\n } while (flush != Z_FINISH);\n assert(ret == Z_STREAM_END); /* stream will be complete */\n\n /* clean up and return */\n (void)deflateEnd(&strm);\n return Z_OK;\n}\n\n/* Decompress from file source to file dest until stream ends or EOF.\n inf() returns Z_OK on success, Z_MEM_ERROR if memory could not be\n allocated for processing, Z_DATA_ERROR if the deflate data is\n invalid or incomplete, Z_VERSION_ERROR if the version of zlib.h and\n the version of the library linked do not match, or Z_ERRNO if there\n is an error reading or writing the files. */\nint inf(FILE *source, FILE *dest)\n{\n int ret;\n unsigned have;\n z_stream strm;\n unsigned char in[CHUNK];\n unsigned char out[CHUNK];\n\n /* allocate inflate state */\n strm.zalloc = Z_NULL;\n strm.zfree = Z_NULL;\n strm.opaque = Z_NULL;\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit(&strm);\n if (ret != Z_OK)\n return ret;\n\n /* decompress until deflate stream ends or end of file */\n do {\n strm.avail_in = fread(in, 1, CHUNK, source);\n if (ferror(source)) {\n (void)inflateEnd(&strm);\n return Z_ERRNO;\n }\n if (strm.avail_in == 0)\n break;\n strm.next_in = in;\n\n /* run inflate() on input until output buffer not full */\n do {\n strm.avail_out = CHUNK;\n strm.next_out = out;\n ret = inflate(&strm, Z_NO_FLUSH);\n assert(ret != Z_STREAM_ERROR); /* state not clobbered */\n switch (ret) {\n case Z_NEED_DICT:\n ret = Z_DATA_ERROR; /* and fall through */\n case Z_DATA_ERROR:\n case Z_MEM_ERROR:\n (void)inflateEnd(&strm);\n return ret;\n }\n have = CHUNK - strm.avail_out;\n if (fwrite(out, 1, have, dest) != have || ferror(dest)) {\n (void)inflateEnd(&strm);\n return Z_ERRNO;\n }\n } while (strm.avail_out == 0);\n\n /* done when inflate() says it's done */\n } while (ret != Z_STREAM_END);\n\n /* clean up and return */\n (void)inflateEnd(&strm);\n return ret == Z_STREAM_END ? Z_OK : Z_DATA_ERROR;\n}\n\n/* report a zlib or i/o error */\nvoid zerr(int ret)\n{\n fputs(\"zpipe: \", stderr);\n switch (ret) {\n case Z_ERRNO:\n if (ferror(stdin))\n fputs(\"error reading stdin\\n\", stderr);\n if (ferror(stdout))\n fputs(\"error writing stdout\\n\", stderr);\n break;\n case Z_STREAM_ERROR:\n fputs(\"invalid compression level\\n\", stderr);\n break;\n case Z_DATA_ERROR:\n fputs(\"invalid or incomplete deflate data\\n\", stderr);\n break;\n case Z_MEM_ERROR:\n fputs(\"out of memory\\n\", stderr);\n break;\n case Z_VERSION_ERROR:\n fputs(\"zlib version mismatch!\\n\", stderr);\n }\n}\n\n/* compress or decompress from stdin to stdout */\nint main(int argc, char **argv)\n{\n int ret;\n\n /* avoid end-of-line conversions */\n SET_BINARY_MODE(stdin);\n SET_BINARY_MODE(stdout);\n\n /* do compression if no arguments */\n if (argc == 1) {\n ret = def(stdin, stdout, Z_DEFAULT_COMPRESSION);\n if (ret != Z_OK)\n zerr(ret);\n return ret;\n }\n\n /* do decompression if -d specified */\n else if (argc == 2 && strcmp(argv[1], \"-d\") == 0) {\n ret = inf(stdin, stdout);\n if (ret != Z_OK)\n zerr(ret);\n return ret;\n }\n\n /* otherwise, report usage */\n else {\n fputs(\"zpipe usage: zpipe [-d] < source > dest\\n\", stderr);\n return 1;\n }\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zran.c", "content": "/* zran.c -- example of deflate stream indexing and random access\n * Copyright (C) 2005, 2012, 2018, 2023 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n * Version 1.4 13 Apr 2023 Mark Adler */\n\n/* Version History:\n 1.0 29 May 2005 First version\n 1.1 29 Sep 2012 Fix memory reallocation error\n 1.2 14 Oct 2018 Handle gzip streams with multiple members\n Add a header file to facilitate usage in applications\n 1.3 18 Feb 2023 Permit raw deflate streams as well as zlib and gzip\n Permit crossing gzip member boundaries when extracting\n Support a size_t size when extracting (was an int)\n Do a binary search over the index for an access point\n Expose the access point type to enable save and load\n 1.4 13 Apr 2023 Add a NOPRIME define to not use inflatePrime()\n */\n\n// Illustrate the use of Z_BLOCK, inflatePrime(), and inflateSetDictionary()\n// for random access of a compressed file. A file containing a raw deflate\n// stream is provided on the command line. The compressed stream is decoded in\n// its entirety, and an index built with access points about every SPAN bytes\n// in the uncompressed output. The compressed file is left open, and can then\n// be read randomly, having to decompress on the average SPAN/2 uncompressed\n// bytes before getting to the desired block of data.\n//\n// An access point can be created at the start of any deflate block, by saving\n// the starting file offset and bit of that block, and the 32K bytes of\n// uncompressed data that precede that block. Also the uncompressed offset of\n// that block is saved to provide a reference for locating a desired starting\n// point in the uncompressed stream. deflate_index_build() decompresses the\n// input raw deflate stream a block at a time, and at the end of each block\n// decides if enough uncompressed data has gone by to justify the creation of a\n// new access point. If so, that point is saved in a data structure that grows\n// as needed to accommodate the points.\n//\n// To use the index, an offset in the uncompressed data is provided, for which\n// the latest access point at or preceding that offset is located in the index.\n// The input file is positioned to the specified location in the index, and if\n// necessary the first few bits of the compressed data is read from the file.\n// inflate is initialized with those bits and the 32K of uncompressed data, and\n// decompression then proceeds until the desired offset in the file is reached.\n// Then decompression continues to read the requested uncompressed data from\n// the file.\n//\n// There is some fair bit of overhead to starting inflation for the random\n// access, mainly copying the 32K byte dictionary. If small pieces of the file\n// are being accessed, it would make sense to implement a cache to hold some\n// lookahead to avoid many calls to deflate_index_extract() for small lengths.\n//\n// Another way to build an index would be to use inflateCopy(). That would not\n// be constrained to have access points at block boundaries, but would require\n// more memory per access point, and could not be saved to a file due to the\n// use of pointers in the state. The approach here allows for storage of the\n// index in a file.\n\n#include \n#include \n#include \n#include \n#include \"zlib.h\"\n#include \"zran.h\"\n\n#define WINSIZE 32768U // sliding window size\n#define CHUNK 16384 // file input buffer size\n\n// See comments in zran.h.\nvoid deflate_index_free(struct deflate_index *index) {\n if (index != NULL) {\n free(index->list);\n free(index);\n }\n}\n\n// Add an access point to the list. If out of memory, deallocate the existing\n// list and return NULL. index->mode is temporarily the allocated number of\n// access points, until it is time for deflate_index_build() to return. Then\n// index->mode is set to the mode of inflation.\nstatic struct deflate_index *add_point(struct deflate_index *index, int bits,\n off_t in, off_t out, unsigned left,\n unsigned char *window) {\n if (index == NULL) {\n // The list is empty. Create it, starting with eight access points.\n index = malloc(sizeof(struct deflate_index));\n if (index == NULL)\n return NULL;\n index->have = 0;\n index->mode = 8;\n index->list = malloc(sizeof(point_t) * index->mode);\n if (index->list == NULL) {\n free(index);\n return NULL;\n }\n }\n\n else if (index->have == index->mode) {\n // The list is full. Make it bigger.\n index->mode <<= 1;\n point_t *next = realloc(index->list, sizeof(point_t) * index->mode);\n if (next == NULL) {\n deflate_index_free(index);\n return NULL;\n }\n index->list = next;\n }\n\n // Fill in the access point and increment how many we have.\n point_t *next = (point_t *)(index->list) + index->have++;\n if (index->have < 0) {\n // Overflowed the int!\n deflate_index_free(index);\n return NULL;\n }\n next->out = out;\n next->in = in;\n next->bits = bits;\n if (left)\n memcpy(next->window, window + WINSIZE - left, left);\n if (left < WINSIZE)\n memcpy(next->window + left, window, WINSIZE - left);\n\n // Return the index, which may have been newly allocated or destroyed.\n return index;\n}\n\n// Decompression modes. These are the inflateInit2() windowBits parameter.\n#define RAW -15\n#define ZLIB 15\n#define GZIP 31\n\n// See comments in zran.h.\nint deflate_index_build(FILE *in, off_t span, struct deflate_index **built) {\n // Set up inflation state.\n z_stream strm = {0}; // inflate engine (gets fired up later)\n unsigned char buf[CHUNK]; // input buffer\n unsigned char win[WINSIZE] = {0}; // output sliding window\n off_t totin = 0; // total bytes read from input\n off_t totout = 0; // total bytes uncompressed\n int mode = 0; // mode: RAW, ZLIB, or GZIP (0 => not set yet)\n\n // Decompress from in, generating access points along the way.\n int ret; // the return value from zlib, or Z_ERRNO\n off_t last; // last access point uncompressed offset\n struct deflate_index *index = NULL; // list of access points\n do {\n // Assure available input, at least until reaching EOF.\n if (strm.avail_in == 0) {\n strm.avail_in = fread(buf, 1, sizeof(buf), in);\n totin += strm.avail_in;\n strm.next_in = buf;\n if (strm.avail_in < sizeof(buf) && ferror(in)) {\n ret = Z_ERRNO;\n break;\n }\n\n if (mode == 0) {\n // At the start of the input -- determine the type. Assume raw\n // if it is neither zlib nor gzip. This could in theory result\n // in a false positive for zlib, but in practice the fill bits\n // after a stored block are always zeros, so a raw stream won't\n // start with an 8 in the low nybble.\n mode = strm.avail_in == 0 ? RAW : // empty -- will fail\n (strm.next_in[0] & 0xf) == 8 ? ZLIB :\n strm.next_in[0] == 0x1f ? GZIP :\n /* else */ RAW;\n ret = inflateInit2(&strm, mode);\n if (ret != Z_OK)\n break;\n }\n }\n\n // Assure available output. This rotates the output through, for use as\n // a sliding window on the uncompressed data.\n if (strm.avail_out == 0) {\n strm.avail_out = sizeof(win);\n strm.next_out = win;\n }\n\n if (mode == RAW && index == NULL)\n // We skip the inflate() call at the start of raw deflate data in\n // order generate an access point there. Set data_type to imitate\n // the end of a header.\n strm.data_type = 0x80;\n else {\n // Inflate and update the number of uncompressed bytes.\n unsigned before = strm.avail_out;\n ret = inflate(&strm, Z_BLOCK);\n totout += before - strm.avail_out;\n }\n\n if ((strm.data_type & 0xc0) == 0x80 &&\n (index == NULL || totout - last >= span)) {\n // We are at the end of a header or a non-last deflate block, so we\n // can add an access point here. Furthermore, we are either at the\n // very start for the first access point, or there has been span or\n // more uncompressed bytes since the last access point, so we want\n // to add an access point here.\n index = add_point(index, strm.data_type & 7, totin - strm.avail_in,\n totout, strm.avail_out, win);\n if (index == NULL) {\n ret = Z_MEM_ERROR;\n break;\n }\n last = totout;\n }\n\n if (ret == Z_STREAM_END && mode == GZIP &&\n (strm.avail_in || ungetc(getc(in), in) != EOF))\n // There is more input after the end of a gzip member. Reset the\n // inflate state to read another gzip member. On success, this will\n // set ret to Z_OK to continue decompressing.\n ret = inflateReset2(&strm, GZIP);\n\n // Keep going until Z_STREAM_END or error. If the compressed data ends\n // prematurely without a file read error, Z_BUF_ERROR is returned.\n } while (ret == Z_OK);\n inflateEnd(&strm);\n\n if (ret != Z_STREAM_END) {\n // An error was encountered. Discard the index and return a negative\n // error code.\n deflate_index_free(index);\n return ret == Z_NEED_DICT ? Z_DATA_ERROR : ret;\n }\n\n // Shrink the index to only the occupied access points and return it.\n index->mode = mode;\n index->length = totout;\n point_t *list = realloc(index->list, sizeof(point_t) * index->have);\n if (list == NULL) {\n // Seems like a realloc() to make something smaller should always work,\n // but just in case.\n deflate_index_free(index);\n return Z_MEM_ERROR;\n }\n index->list = list;\n *built = index;\n return index->have;\n}\n\n#ifdef NOPRIME\n// Support zlib versions before 1.2.3 (July 2005), or incomplete zlib clones\n// that do not have inflatePrime().\n\n# define INFLATEPRIME inflatePreface\n\n// Append the low bits bits of value to in[] at bit position *have, updating\n// *have. value must be zero above its low bits bits. bits must be positive.\n// This assumes that any bits above the *have bits in the last byte are zeros.\n// That assumption is preserved on return, as any bits above *have + bits in\n// the last byte written will be set to zeros.\nstatic inline void append_bits(unsigned value, int bits,\n unsigned char *in, int *have) {\n in += *have >> 3; // where the first bits from value will go\n int k = *have & 7; // the number of bits already there\n *have += bits;\n if (k)\n *in |= value << k; // write value above the low k bits\n else\n *in = value;\n k = 8 - k; // the number of bits just appended\n while (bits > k) {\n value >>= k; // drop the bits appended\n bits -= k;\n k = 8; // now at a byte boundary\n *++in = value;\n }\n}\n\n// Insert enough bits in the form of empty deflate blocks in front of the the\n// low bits bits of value, in order to bring the sequence to a byte boundary.\n// Then feed that to inflate(). This does what inflatePrime() does, except that\n// a negative value of bits is not supported. bits must be in 0..16. If the\n// arguments are invalid, Z_STREAM_ERROR is returned. Otherwise the return\n// value from inflate() is returned.\nstatic int inflatePreface(z_stream *strm, int bits, int value) {\n // Check input.\n if (strm == Z_NULL || bits < 0 || bits > 16)\n return Z_STREAM_ERROR;\n if (bits == 0)\n return Z_OK;\n value &= (2 << (bits - 1)) - 1;\n\n // An empty dynamic block with an odd number of bits (95). The high bit of\n // the last byte is unused.\n static const unsigned char dyn[] = {\n 4, 0xe0, 0x81, 8, 0, 0, 0, 0, 0x20, 0xa8, 0xab, 0x1f\n };\n const int dynlen = 95; // number of bits in the block\n\n // Build an input buffer for inflate that is a multiple of eight bits in\n // length, and that ends with the low bits bits of value.\n unsigned char in[(dynlen + 3 * 10 + 16 + 7) / 8];\n int have = 0;\n if (bits & 1) {\n // Insert an empty dynamic block to get to an odd number of bits, so\n // when bits bits from value are appended, we are at an even number of\n // bits.\n memcpy(in, dyn, sizeof(dyn));\n have = dynlen;\n }\n while ((have + bits) & 7)\n // Insert empty fixed blocks until appending bits bits would put us on\n // a byte boundary. This will insert at most three fixed blocks.\n append_bits(2, 10, in, &have);\n\n // Append the bits bits from value, which takes us to a byte boundary.\n append_bits(value, bits, in, &have);\n\n // Deliver the input to inflate(). There is no output space provided, but\n // inflate() can't get stuck waiting on output not ingesting all of the\n // provided input. The reason is that there will be at most 16 bits of\n // input from value after the empty deflate blocks (which themselves\n // generate no output). At least ten bits are needed to generate the first\n // output byte from a fixed block. The last two bytes of the buffer have to\n // be ingested in order to get ten bits, which is the most that value can\n // occupy.\n strm->avail_in = have >> 3;\n strm->next_in = in;\n strm->avail_out = 0;\n strm->next_out = in; // not used, but can't be NULL\n return inflate(strm, Z_NO_FLUSH);\n}\n\n#else\n# define INFLATEPRIME inflatePrime\n#endif\n\n// See comments in zran.h.\nptrdiff_t deflate_index_extract(FILE *in, struct deflate_index *index,\n off_t offset, unsigned char *buf, size_t len) {\n // Do a quick sanity check on the index.\n if (index == NULL || index->have < 1 || index->list[0].out != 0)\n return Z_STREAM_ERROR;\n\n // If nothing to extract, return zero bytes extracted.\n if (len == 0 || offset < 0 || offset >= index->length)\n return 0;\n\n // Find the access point closest to but not after offset.\n int lo = -1, hi = index->have;\n point_t *point = index->list;\n while (hi - lo > 1) {\n int mid = (lo + hi) >> 1;\n if (offset < point[mid].out)\n hi = mid;\n else\n lo = mid;\n }\n point += lo;\n\n // Initialize the input file and prime the inflate engine to start there.\n int ret = fseeko(in, point->in - (point->bits ? 1 : 0), SEEK_SET);\n if (ret == -1)\n return Z_ERRNO;\n int ch = 0;\n if (point->bits && (ch = getc(in)) == EOF)\n return ferror(in) ? Z_ERRNO : Z_BUF_ERROR;\n z_stream strm = {0};\n ret = inflateInit2(&strm, RAW);\n if (ret != Z_OK)\n return ret;\n if (point->bits)\n INFLATEPRIME(&strm, point->bits, ch >> (8 - point->bits));\n inflateSetDictionary(&strm, point->window, WINSIZE);\n\n // Skip uncompressed bytes until offset reached, then satisfy request.\n unsigned char input[CHUNK];\n unsigned char discard[WINSIZE];\n offset -= point->out; // number of bytes to skip to get to offset\n size_t left = len; // number of bytes left to read after offset\n do {\n if (offset) {\n // Discard up to offset uncompressed bytes.\n strm.avail_out = offset < WINSIZE ? (unsigned)offset : WINSIZE;\n strm.next_out = discard;\n }\n else {\n // Uncompress up to left bytes into buf.\n strm.avail_out = left < UINT_MAX ? (unsigned)left : UINT_MAX;\n strm.next_out = buf + len - left;\n }\n\n // Uncompress, setting got to the number of bytes uncompressed.\n if (strm.avail_in == 0) {\n // Assure available input.\n strm.avail_in = fread(input, 1, CHUNK, in);\n if (strm.avail_in < CHUNK && ferror(in)) {\n ret = Z_ERRNO;\n break;\n }\n strm.next_in = input;\n }\n unsigned got = strm.avail_out;\n ret = inflate(&strm, Z_NO_FLUSH);\n got -= strm.avail_out;\n\n // Update the appropriate count.\n if (offset)\n offset -= got;\n else\n left -= got;\n\n // If we're at the end of a gzip member and there's more to read,\n // continue to the next gzip member.\n if (ret == Z_STREAM_END && index->mode == GZIP) {\n // Discard the gzip trailer.\n unsigned drop = 8; // length of gzip trailer\n if (strm.avail_in >= drop) {\n strm.avail_in -= drop;\n strm.next_in += drop;\n }\n else {\n // Read and discard the remainder of the gzip trailer.\n drop -= strm.avail_in;\n strm.avail_in = 0;\n do {\n if (getc(in) == EOF)\n // The input does not have a complete trailer.\n return ferror(in) ? Z_ERRNO : Z_BUF_ERROR;\n } while (--drop);\n }\n\n if (strm.avail_in || ungetc(getc(in), in) != EOF) {\n // There's more after the gzip trailer. Use inflate to skip the\n // gzip header and resume the raw inflate there.\n inflateReset2(&strm, GZIP);\n do {\n if (strm.avail_in == 0) {\n strm.avail_in = fread(input, 1, CHUNK, in);\n if (strm.avail_in < CHUNK && ferror(in)) {\n ret = Z_ERRNO;\n break;\n }\n strm.next_in = input;\n }\n strm.avail_out = WINSIZE;\n strm.next_out = discard;\n ret = inflate(&strm, Z_BLOCK); // stop at end of header\n } while (ret == Z_OK && (strm.data_type & 0x80) == 0);\n if (ret != Z_OK)\n break;\n inflateReset2(&strm, RAW);\n }\n }\n\n // Continue until we have the requested data, the deflate data has\n // ended, or an error is encountered.\n } while (ret == Z_OK && left);\n inflateEnd(&strm);\n\n // Return the number of uncompressed bytes read into buf, or the error.\n return ret == Z_OK || ret == Z_STREAM_END ? len - left : ret;\n}\n\n#ifdef TEST\n\n#define SPAN 1048576L // desired distance between access points\n#define LEN 16384 // number of bytes to extract\n\n// Demonstrate the use of deflate_index_build() and deflate_index_extract() by\n// processing the file provided on the command line, and extracting LEN bytes\n// from 2/3rds of the way through the uncompressed output, writing that to\n// stdout. An offset can be provided as the second argument, in which case the\n// data is extracted from there instead.\nint main(int argc, char **argv) {\n // Open the input file.\n if (argc < 2 || argc > 3) {\n fprintf(stderr, \"usage: zran file.raw [offset]\\n\");\n return 1;\n }\n FILE *in = fopen(argv[1], \"rb\");\n if (in == NULL) {\n fprintf(stderr, \"zran: could not open %s for reading\\n\", argv[1]);\n return 1;\n }\n\n // Get optional offset.\n off_t offset = -1;\n if (argc == 3) {\n char *end;\n offset = strtoll(argv[2], &end, 10);\n if (*end || offset < 0) {\n fprintf(stderr, \"zran: %s is not a valid offset\\n\", argv[2]);\n return 1;\n }\n }\n\n // Build index.\n struct deflate_index *index = NULL;\n int len = deflate_index_build(in, SPAN, &index);\n if (len < 0) {\n fclose(in);\n switch (len) {\n case Z_MEM_ERROR:\n fprintf(stderr, \"zran: out of memory\\n\");\n break;\n case Z_BUF_ERROR:\n fprintf(stderr, \"zran: %s ended prematurely\\n\", argv[1]);\n break;\n case Z_DATA_ERROR:\n fprintf(stderr, \"zran: compressed data error in %s\\n\", argv[1]);\n break;\n case Z_ERRNO:\n fprintf(stderr, \"zran: read error on %s\\n\", argv[1]);\n break;\n default:\n fprintf(stderr, \"zran: error %d while building index\\n\", len);\n }\n return 1;\n }\n fprintf(stderr, \"zran: built index with %d access points\\n\", len);\n\n // Use index by reading some bytes from an arbitrary offset.\n unsigned char buf[LEN];\n if (offset == -1)\n offset = ((index->length + 1) << 1) / 3;\n ptrdiff_t got = deflate_index_extract(in, index, offset, buf, LEN);\n if (got < 0)\n fprintf(stderr, \"zran: extraction failed: %s error\\n\",\n got == Z_MEM_ERROR ? \"out of memory\" : \"input corrupted\");\n else {\n fwrite(buf, 1, got, stdout);\n fprintf(stderr, \"zran: extracted %ld bytes at %lld\\n\", got, offset);\n }\n\n // Clean up and exit.\n deflate_index_free(index);\n fclose(in);\n return 0;\n}\n\n#endif\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/examples/zran.h", "content": "/* zran.h -- example of deflated stream indexing and random access\n * Copyright (C) 2005, 2012, 2018, 2023 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n * Version 1.3 18 Feb 2023 Mark Adler */\n\n#include \n#include \"zlib.h\"\n\n// Access point.\ntypedef struct point {\n off_t out; // offset in uncompressed data\n off_t in; // offset in compressed file of first full byte\n int bits; // 0, or number of bits (1-7) from byte at in-1\n unsigned char window[32768]; // preceding 32K of uncompressed data\n} point_t;\n\n// Access point list.\nstruct deflate_index {\n int have; // number of access points in list\n int mode; // -15 for raw, 15 for zlib, or 31 for gzip\n off_t length; // total length of uncompressed data\n point_t *list; // allocated list of access points\n};\n\n// Make one pass through a zlib, gzip, or raw deflate compressed stream and\n// build an index, with access points about every span bytes of uncompressed\n// output. gzip files with multiple members are fully indexed. span should be\n// chosen to balance the speed of random access against the memory requirements\n// of the list, which is about 32K bytes per access point. The return value is\n// the number of access points on success (>= 1), Z_MEM_ERROR for out of\n// memory, Z_BUF_ERROR for a premature end of input, Z_DATA_ERROR for a format\n// or verification error in the input file, or Z_ERRNO for a file read error.\n// On success, *built points to the resulting index.\nint deflate_index_build(FILE *in, off_t span, struct deflate_index **built);\n\n// Use the index to read len bytes from offset into buf. Return the number of\n// bytes read or a negative error code. If data is requested past the end of\n// the uncompressed data, then deflate_index_extract() will return a value less\n// than len, indicating how much was actually read into buf. If given a valid\n// index, this function should not return an error unless the file was modified\n// somehow since the index was generated, given that deflate_index_build() had\n// validated all of the input. If nevertheless there is a failure, Z_BUF_ERROR\n// is returned if the compressed data ends prematurely, Z_DATA_ERROR if the\n// deflate compressed data is not valid, Z_MEM_ERROR if out of memory,\n// Z_STREAM_ERROR if the index is not valid, or Z_ERRNO if there is an error\n// reading or seeking on the input file.\nptrdiff_t deflate_index_extract(FILE *in, struct deflate_index *index,\n off_t offset, unsigned char *buf, size_t len);\n\n// Deallocate an index built by deflate_index_build().\nvoid deflate_index_free(struct deflate_index *index);\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzclose.c", "content": "/* gzclose.c -- zlib gzclose() function\n * Copyright (C) 2004, 2010 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"gzguts.h\"\n\n/* gzclose() is in a separate file so that it is linked in only if it is used.\n That way the other gzclose functions can be used instead to avoid linking in\n unneeded compression or decompression routines. */\nint ZEXPORT gzclose(gzFile file) {\n#ifndef NO_GZCOMPRESS\n gz_statep state;\n\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n\n return state->mode == GZ_READ ? gzclose_r(file) : gzclose_w(file);\n#else\n return gzclose_r(file);\n#endif\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzguts.h", "content": "/* gzguts.h -- zlib internal header definitions for gz* operations\n * Copyright (C) 2004-2019 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#ifdef _LARGEFILE64_SOURCE\n# ifndef _LARGEFILE_SOURCE\n# define _LARGEFILE_SOURCE 1\n# endif\n# undef _FILE_OFFSET_BITS\n# undef _TIME_BITS\n#endif\n\n#ifdef HAVE_HIDDEN\n# define ZLIB_INTERNAL __attribute__((visibility (\"hidden\")))\n#else\n# define ZLIB_INTERNAL\n#endif\n\n#include \n#include \"zlib.h\"\n#ifdef STDC\n# include \n# include \n# include \n#endif\n\n#ifndef _POSIX_SOURCE\n# define _POSIX_SOURCE\n#endif\n#include \n\n#ifdef _WIN32\n# include \n#endif\n\n#if defined(__TURBOC__) || defined(_MSC_VER) || defined(_WIN32)\n# include \n#endif\n\n#if defined(_WIN32)\n# define WIDECHAR\n#endif\n\n#ifdef WINAPI_FAMILY\n# define open _open\n# define read _read\n# define write _write\n# define close _close\n#endif\n\n#ifdef NO_DEFLATE /* for compatibility with old definition */\n# define NO_GZCOMPRESS\n#endif\n\n#if defined(STDC99) || (defined(__TURBOC__) && __TURBOC__ >= 0x550)\n# ifndef HAVE_VSNPRINTF\n# define HAVE_VSNPRINTF\n# endif\n#endif\n\n#if defined(__CYGWIN__)\n# ifndef HAVE_VSNPRINTF\n# define HAVE_VSNPRINTF\n# endif\n#endif\n\n#if defined(MSDOS) && defined(__BORLANDC__) && (BORLANDC > 0x410)\n# ifndef HAVE_VSNPRINTF\n# define HAVE_VSNPRINTF\n# endif\n#endif\n\n#ifndef HAVE_VSNPRINTF\n# ifdef MSDOS\n/* vsnprintf may exist on some MS-DOS compilers (DJGPP?),\n but for now we just assume it doesn't. */\n# define NO_vsnprintf\n# endif\n# ifdef __TURBOC__\n# define NO_vsnprintf\n# endif\n# ifdef WIN32\n/* In Win32, vsnprintf is available as the \"non-ANSI\" _vsnprintf. */\n# if !defined(vsnprintf) && !defined(NO_vsnprintf)\n# if !defined(_MSC_VER) || ( defined(_MSC_VER) && _MSC_VER < 1500 )\n# define vsnprintf _vsnprintf\n# endif\n# endif\n# endif\n# ifdef __SASC\n# define NO_vsnprintf\n# endif\n# ifdef VMS\n# define NO_vsnprintf\n# endif\n# ifdef __OS400__\n# define NO_vsnprintf\n# endif\n# ifdef __MVS__\n# define NO_vsnprintf\n# endif\n#endif\n\n/* unlike snprintf (which is required in C99), _snprintf does not guarantee\n null termination of the result -- however this is only used in gzlib.c where\n the result is assured to fit in the space provided */\n#if defined(_MSC_VER) && _MSC_VER < 1900\n# define snprintf _snprintf\n#endif\n\n#ifndef local\n# define local static\n#endif\n/* since \"static\" is used to mean two completely different things in C, we\n define \"local\" for the non-static meaning of \"static\", for readability\n (compile with -Dlocal if your debugger can't find static symbols) */\n\n/* gz* functions always use library allocation functions */\n#ifndef STDC\n extern voidp malloc(uInt size);\n extern void free(voidpf ptr);\n#endif\n\n/* get errno and strerror definition */\n#if defined UNDER_CE\n# include \n# define zstrerror() gz_strwinerror((DWORD)GetLastError())\n#else\n# ifndef NO_STRERROR\n# include \n# define zstrerror() strerror(errno)\n# else\n# define zstrerror() \"stdio error (consult errno)\"\n# endif\n#endif\n\n/* provide prototypes for these when building zlib without LFS */\n#if !defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0\n ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *);\n ZEXTERN z_off64_t ZEXPORT gzseek64(gzFile, z_off64_t, int);\n ZEXTERN z_off64_t ZEXPORT gztell64(gzFile);\n ZEXTERN z_off64_t ZEXPORT gzoffset64(gzFile);\n#endif\n\n/* default memLevel */\n#if MAX_MEM_LEVEL >= 8\n# define DEF_MEM_LEVEL 8\n#else\n# define DEF_MEM_LEVEL MAX_MEM_LEVEL\n#endif\n\n/* default i/o buffer size -- double this for output when reading (this and\n twice this must be able to fit in an unsigned type) */\n#define GZBUFSIZE 8192\n\n/* gzip modes, also provide a little integrity check on the passed structure */\n#define GZ_NONE 0\n#define GZ_READ 7247\n#define GZ_WRITE 31153\n#define GZ_APPEND 1 /* mode set to GZ_WRITE after the file is opened */\n\n/* values for gz_state how */\n#define LOOK 0 /* look for a gzip header */\n#define COPY 1 /* copy input directly */\n#define GZIP 2 /* decompress a gzip stream */\n\n/* internal gzip file state data structure */\ntypedef struct {\n /* exposed contents for gzgetc() macro */\n struct gzFile_s x; /* \"x\" for exposed */\n /* x.have: number of bytes available at x.next */\n /* x.next: next output data to deliver or write */\n /* x.pos: current position in uncompressed data */\n /* used for both reading and writing */\n int mode; /* see gzip modes above */\n int fd; /* file descriptor */\n char *path; /* path or fd for error messages */\n unsigned size; /* buffer size, zero if not allocated yet */\n unsigned want; /* requested buffer size, default is GZBUFSIZE */\n unsigned char *in; /* input buffer (double-sized when writing) */\n unsigned char *out; /* output buffer (double-sized when reading) */\n int direct; /* 0 if processing gzip, 1 if transparent */\n /* just for reading */\n int how; /* 0: get header, 1: copy, 2: decompress */\n z_off64_t start; /* where the gzip data started, for rewinding */\n int eof; /* true if end of input file reached */\n int past; /* true if read requested past end */\n /* just for writing */\n int level; /* compression level */\n int strategy; /* compression strategy */\n int reset; /* true if a reset is pending after a Z_FINISH */\n /* seek request */\n z_off64_t skip; /* amount to skip (already rewound if backwards) */\n int seek; /* true if seek request pending */\n /* error information */\n int err; /* error code */\n char *msg; /* error message */\n /* zlib inflate or deflate stream */\n z_stream strm; /* stream structure in-place (not a pointer) */\n} gz_state;\ntypedef gz_state FAR *gz_statep;\n\n/* shared functions */\nvoid ZLIB_INTERNAL gz_error(gz_statep, int, const char *);\n#if defined UNDER_CE\nchar ZLIB_INTERNAL *gz_strwinerror(DWORD error);\n#endif\n\n/* GT_OFF(x), where x is an unsigned value, is true if x > maximum z_off64_t\n value -- needed when comparing unsigned to z_off64_t, which is signed\n (possible z_off64_t types off_t, off64_t, and long are all signed) */\n#ifdef INT_MAX\n# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > INT_MAX)\n#else\nunsigned ZLIB_INTERNAL gz_intmax(void);\n# define GT_OFF(x) (sizeof(int) == sizeof(z_off64_t) && (x) > gz_intmax())\n#endif\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzlib.c", "content": "/* gzlib.c -- zlib functions common to reading and writing gzip files\n * Copyright (C) 2004-2019 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"gzguts.h\"\n\n#if defined(_WIN32) && !defined(__BORLANDC__)\n# define LSEEK _lseeki64\n#else\n#if defined(_LARGEFILE64_SOURCE) && _LFS64_LARGEFILE-0\n# define LSEEK lseek64\n#else\n# define LSEEK lseek\n#endif\n#endif\n\n#if defined UNDER_CE\n\n/* Map the Windows error number in ERROR to a locale-dependent error message\n string and return a pointer to it. Typically, the values for ERROR come\n from GetLastError.\n\n The string pointed to shall not be modified by the application, but may be\n overwritten by a subsequent call to gz_strwinerror\n\n The gz_strwinerror function does not change the current setting of\n GetLastError. */\nchar ZLIB_INTERNAL *gz_strwinerror(DWORD error) {\n static char buf[1024];\n\n wchar_t *msgbuf;\n DWORD lasterr = GetLastError();\n DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM\n | FORMAT_MESSAGE_ALLOCATE_BUFFER,\n NULL,\n error,\n 0, /* Default language */\n (LPVOID)&msgbuf,\n 0,\n NULL);\n if (chars != 0) {\n /* If there is an \\r\\n appended, zap it. */\n if (chars >= 2\n && msgbuf[chars - 2] == '\\r' && msgbuf[chars - 1] == '\\n') {\n chars -= 2;\n msgbuf[chars] = 0;\n }\n\n if (chars > sizeof (buf) - 1) {\n chars = sizeof (buf) - 1;\n msgbuf[chars] = 0;\n }\n\n wcstombs(buf, msgbuf, chars + 1);\n LocalFree(msgbuf);\n }\n else {\n sprintf(buf, \"unknown win32 error (%ld)\", error);\n }\n\n SetLastError(lasterr);\n return buf;\n}\n\n#endif /* UNDER_CE */\n\n/* Reset gzip file state */\nlocal void gz_reset(gz_statep state) {\n state->x.have = 0; /* no output data available */\n if (state->mode == GZ_READ) { /* for reading ... */\n state->eof = 0; /* not at end of file */\n state->past = 0; /* have not read past end yet */\n state->how = LOOK; /* look for gzip header */\n }\n else /* for writing ... */\n state->reset = 0; /* no deflateReset pending */\n state->seek = 0; /* no seek request pending */\n gz_error(state, Z_OK, NULL); /* clear error */\n state->x.pos = 0; /* no uncompressed data yet */\n state->strm.avail_in = 0; /* no input data yet */\n}\n\n/* Open a gzip file either by name or file descriptor. */\nlocal gzFile gz_open(const void *path, int fd, const char *mode) {\n gz_statep state;\n z_size_t len;\n int oflag;\n#ifdef O_CLOEXEC\n int cloexec = 0;\n#endif\n#ifdef O_EXCL\n int exclusive = 0;\n#endif\n\n /* check input */\n if (path == NULL)\n return NULL;\n\n /* allocate gzFile structure to return */\n state = (gz_statep)malloc(sizeof(gz_state));\n if (state == NULL)\n return NULL;\n state->size = 0; /* no buffers allocated yet */\n state->want = GZBUFSIZE; /* requested buffer size */\n state->msg = NULL; /* no error message yet */\n\n /* interpret mode */\n state->mode = GZ_NONE;\n state->level = Z_DEFAULT_COMPRESSION;\n state->strategy = Z_DEFAULT_STRATEGY;\n state->direct = 0;\n while (*mode) {\n if (*mode >= '0' && *mode <= '9')\n state->level = *mode - '0';\n else\n switch (*mode) {\n case 'r':\n state->mode = GZ_READ;\n break;\n#ifndef NO_GZCOMPRESS\n case 'w':\n state->mode = GZ_WRITE;\n break;\n case 'a':\n state->mode = GZ_APPEND;\n break;\n#endif\n case '+': /* can't read and write at the same time */\n free(state);\n return NULL;\n case 'b': /* ignore -- will request binary anyway */\n break;\n#ifdef O_CLOEXEC\n case 'e':\n cloexec = 1;\n break;\n#endif\n#ifdef O_EXCL\n case 'x':\n exclusive = 1;\n break;\n#endif\n case 'f':\n state->strategy = Z_FILTERED;\n break;\n case 'h':\n state->strategy = Z_HUFFMAN_ONLY;\n break;\n case 'R':\n state->strategy = Z_RLE;\n break;\n case 'F':\n state->strategy = Z_FIXED;\n break;\n case 'T':\n state->direct = 1;\n break;\n default: /* could consider as an error, but just ignore */\n ;\n }\n mode++;\n }\n\n /* must provide an \"r\", \"w\", or \"a\" */\n if (state->mode == GZ_NONE) {\n free(state);\n return NULL;\n }\n\n /* can't force transparent read */\n if (state->mode == GZ_READ) {\n if (state->direct) {\n free(state);\n return NULL;\n }\n state->direct = 1; /* for empty file */\n }\n\n /* save the path name for error messages */\n#ifdef WIDECHAR\n if (fd == -2) {\n len = wcstombs(NULL, path, 0);\n if (len == (z_size_t)-1)\n len = 0;\n }\n else\n#endif\n len = strlen((const char *)path);\n state->path = (char *)malloc(len + 1);\n if (state->path == NULL) {\n free(state);\n return NULL;\n }\n#ifdef WIDECHAR\n if (fd == -2)\n if (len)\n wcstombs(state->path, path, len + 1);\n else\n *(state->path) = 0;\n else\n#endif\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n (void)snprintf(state->path, len + 1, \"%s\", (const char *)path);\n#else\n strcpy(state->path, path);\n#endif\n\n /* compute the flags for open() */\n oflag =\n#ifdef O_LARGEFILE\n O_LARGEFILE |\n#endif\n#ifdef O_BINARY\n O_BINARY |\n#endif\n#ifdef O_CLOEXEC\n (cloexec ? O_CLOEXEC : 0) |\n#endif\n (state->mode == GZ_READ ?\n O_RDONLY :\n (O_WRONLY | O_CREAT |\n#ifdef O_EXCL\n (exclusive ? O_EXCL : 0) |\n#endif\n (state->mode == GZ_WRITE ?\n O_TRUNC :\n O_APPEND)));\n\n /* open the file with the appropriate flags (or just use fd) */\n state->fd = fd > -1 ? fd : (\n#ifdef WIDECHAR\n fd == -2 ? _wopen(path, oflag, 0666) :\n#endif\n open((const char *)path, oflag, 0666));\n if (state->fd == -1) {\n free(state->path);\n free(state);\n return NULL;\n }\n if (state->mode == GZ_APPEND) {\n LSEEK(state->fd, 0, SEEK_END); /* so gzoffset() is correct */\n state->mode = GZ_WRITE; /* simplify later checks */\n }\n\n /* save the current position for rewinding (only if reading) */\n if (state->mode == GZ_READ) {\n state->start = LSEEK(state->fd, 0, SEEK_CUR);\n if (state->start == -1) state->start = 0;\n }\n\n /* initialize stream */\n gz_reset(state);\n\n /* return stream */\n return (gzFile)state;\n}\n\n/* -- see zlib.h -- */\ngzFile ZEXPORT gzopen(const char *path, const char *mode) {\n return gz_open(path, -1, mode);\n}\n\n/* -- see zlib.h -- */\ngzFile ZEXPORT gzopen64(const char *path, const char *mode) {\n return gz_open(path, -1, mode);\n}\n\n/* -- see zlib.h -- */\ngzFile ZEXPORT gzdopen(int fd, const char *mode) {\n char *path; /* identifier for error messages */\n gzFile gz;\n\n if (fd == -1 || (path = (char *)malloc(7 + 3 * sizeof(int))) == NULL)\n return NULL;\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n (void)snprintf(path, 7 + 3 * sizeof(int), \"\", fd);\n#else\n sprintf(path, \"\", fd); /* for debugging */\n#endif\n gz = gz_open(path, fd, mode);\n free(path);\n return gz;\n}\n\n/* -- see zlib.h -- */\n#ifdef WIDECHAR\ngzFile ZEXPORT gzopen_w(const wchar_t *path, const char *mode) {\n return gz_open(path, -2, mode);\n}\n#endif\n\n/* -- see zlib.h -- */\nint ZEXPORT gzbuffer(gzFile file, unsigned size) {\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return -1;\n\n /* make sure we haven't already allocated memory */\n if (state->size != 0)\n return -1;\n\n /* check and set requested size */\n if ((size << 1) < size)\n return -1; /* need to be able to double it */\n if (size < 8)\n size = 8; /* needed to behave well with flushing */\n state->want = size;\n return 0;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzrewind(gzFile file) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n\n /* check that we're reading and that there's no error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return -1;\n\n /* back up and start over */\n if (LSEEK(state->fd, state->start, SEEK_SET) == -1)\n return -1;\n gz_reset(state);\n return 0;\n}\n\n/* -- see zlib.h -- */\nz_off64_t ZEXPORT gzseek64(gzFile file, z_off64_t offset, int whence) {\n unsigned n;\n z_off64_t ret;\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return -1;\n\n /* check that there's no error */\n if (state->err != Z_OK && state->err != Z_BUF_ERROR)\n return -1;\n\n /* can only seek from start or relative to current position */\n if (whence != SEEK_SET && whence != SEEK_CUR)\n return -1;\n\n /* normalize offset to a SEEK_CUR specification */\n if (whence == SEEK_SET)\n offset -= state->x.pos;\n else if (state->seek)\n offset += state->skip;\n state->seek = 0;\n\n /* if within raw area while reading, just go there */\n if (state->mode == GZ_READ && state->how == COPY &&\n state->x.pos + offset >= 0) {\n ret = LSEEK(state->fd, offset - (z_off64_t)state->x.have, SEEK_CUR);\n if (ret == -1)\n return -1;\n state->x.have = 0;\n state->eof = 0;\n state->past = 0;\n state->seek = 0;\n gz_error(state, Z_OK, NULL);\n state->strm.avail_in = 0;\n state->x.pos += offset;\n return state->x.pos;\n }\n\n /* calculate skip amount, rewinding if needed for back seek when reading */\n if (offset < 0) {\n if (state->mode != GZ_READ) /* writing -- can't go backwards */\n return -1;\n offset += state->x.pos;\n if (offset < 0) /* before start of file! */\n return -1;\n if (gzrewind(file) == -1) /* rewind, then skip to offset */\n return -1;\n }\n\n /* if reading, skip what's in output buffer (one less gzgetc() check) */\n if (state->mode == GZ_READ) {\n n = GT_OFF(state->x.have) || (z_off64_t)state->x.have > offset ?\n (unsigned)offset : state->x.have;\n state->x.have -= n;\n state->x.next += n;\n state->x.pos += n;\n offset -= n;\n }\n\n /* request skip (if not zero) */\n if (offset) {\n state->seek = 1;\n state->skip = offset;\n }\n return state->x.pos + offset;\n}\n\n/* -- see zlib.h -- */\nz_off_t ZEXPORT gzseek(gzFile file, z_off_t offset, int whence) {\n z_off64_t ret;\n\n ret = gzseek64(file, (z_off64_t)offset, whence);\n return ret == (z_off_t)ret ? (z_off_t)ret : -1;\n}\n\n/* -- see zlib.h -- */\nz_off64_t ZEXPORT gztell64(gzFile file) {\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return -1;\n\n /* return position */\n return state->x.pos + (state->seek ? state->skip : 0);\n}\n\n/* -- see zlib.h -- */\nz_off_t ZEXPORT gztell(gzFile file) {\n z_off64_t ret;\n\n ret = gztell64(file);\n return ret == (z_off_t)ret ? (z_off_t)ret : -1;\n}\n\n/* -- see zlib.h -- */\nz_off64_t ZEXPORT gzoffset64(gzFile file) {\n z_off64_t offset;\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return -1;\n\n /* compute and return effective offset in file */\n offset = LSEEK(state->fd, 0, SEEK_CUR);\n if (offset == -1)\n return -1;\n if (state->mode == GZ_READ) /* reading */\n offset -= state->strm.avail_in; /* don't count buffered input */\n return offset;\n}\n\n/* -- see zlib.h -- */\nz_off_t ZEXPORT gzoffset(gzFile file) {\n z_off64_t ret;\n\n ret = gzoffset64(file);\n return ret == (z_off_t)ret ? (z_off_t)ret : -1;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzeof(gzFile file) {\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return 0;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return 0;\n\n /* return end-of-file state */\n return state->mode == GZ_READ ? state->past : 0;\n}\n\n/* -- see zlib.h -- */\nconst char * ZEXPORT gzerror(gzFile file, int *errnum) {\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return NULL;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return NULL;\n\n /* return error information */\n if (errnum != NULL)\n *errnum = state->err;\n return state->err == Z_MEM_ERROR ? \"out of memory\" :\n (state->msg == NULL ? \"\" : state->msg);\n}\n\n/* -- see zlib.h -- */\nvoid ZEXPORT gzclearerr(gzFile file) {\n gz_statep state;\n\n /* get internal structure and check integrity */\n if (file == NULL)\n return;\n state = (gz_statep)file;\n if (state->mode != GZ_READ && state->mode != GZ_WRITE)\n return;\n\n /* clear error and end-of-file */\n if (state->mode == GZ_READ) {\n state->eof = 0;\n state->past = 0;\n }\n gz_error(state, Z_OK, NULL);\n}\n\n/* Create an error message in allocated memory and set state->err and\n state->msg accordingly. Free any previous error message already there. Do\n not try to free or allocate space if the error is Z_MEM_ERROR (out of\n memory). Simply save the error message as a static string. If there is an\n allocation failure constructing the error message, then convert the error to\n out of memory. */\nvoid ZLIB_INTERNAL gz_error(gz_statep state, int err, const char *msg) {\n /* free previously allocated message and clear */\n if (state->msg != NULL) {\n if (state->err != Z_MEM_ERROR)\n free(state->msg);\n state->msg = NULL;\n }\n\n /* if fatal, set state->x.have to 0 so that the gzgetc() macro fails */\n if (err != Z_OK && err != Z_BUF_ERROR)\n state->x.have = 0;\n\n /* set error code, and if no message, then done */\n state->err = err;\n if (msg == NULL)\n return;\n\n /* for an out of memory error, return literal string when requested */\n if (err == Z_MEM_ERROR)\n return;\n\n /* construct error message with path */\n if ((state->msg = (char *)malloc(strlen(state->path) + strlen(msg) + 3)) ==\n NULL) {\n state->err = Z_MEM_ERROR;\n return;\n }\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n (void)snprintf(state->msg, strlen(state->path) + strlen(msg) + 3,\n \"%s%s%s\", state->path, \": \", msg);\n#else\n strcpy(state->msg, state->path);\n strcat(state->msg, \": \");\n strcat(state->msg, msg);\n#endif\n}\n\n#ifndef INT_MAX\n/* portably return maximum value for an int (when limits.h presumed not\n available) -- we need to do this to cover cases where 2's complement not\n used, since C standard permits 1's complement and sign-bit representations,\n otherwise we could just use ((unsigned)-1) >> 1 */\nunsigned ZLIB_INTERNAL gz_intmax(void) {\n unsigned p, q;\n\n p = 1;\n do {\n q = p;\n p <<= 1;\n p++;\n } while (p > q);\n return q >> 1;\n}\n#endif\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzread.c", "content": "/* gzread.c -- zlib functions for reading gzip files\n * Copyright (C) 2004-2017 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"gzguts.h\"\n\n/* Use read() to load a buffer -- return -1 on error, otherwise 0. Read from\n state->fd, and update state->eof, state->err, and state->msg as appropriate.\n This function needs to loop on read(), since read() is not guaranteed to\n read the number of bytes requested, depending on the type of descriptor. */\nlocal int gz_load(gz_statep state, unsigned char *buf, unsigned len,\n unsigned *have) {\n int ret;\n unsigned get, max = ((unsigned)-1 >> 2) + 1;\n\n *have = 0;\n do {\n get = len - *have;\n if (get > max)\n get = max;\n ret = read(state->fd, buf + *have, get);\n if (ret <= 0)\n break;\n *have += (unsigned)ret;\n } while (*have < len);\n if (ret < 0) {\n gz_error(state, Z_ERRNO, zstrerror());\n return -1;\n }\n if (ret == 0)\n state->eof = 1;\n return 0;\n}\n\n/* Load up input buffer and set eof flag if last data loaded -- return -1 on\n error, 0 otherwise. Note that the eof flag is set when the end of the input\n file is reached, even though there may be unused data in the buffer. Once\n that data has been used, no more attempts will be made to read the file.\n If strm->avail_in != 0, then the current data is moved to the beginning of\n the input buffer, and then the remainder of the buffer is loaded with the\n available data from the input file. */\nlocal int gz_avail(gz_statep state) {\n unsigned got;\n z_streamp strm = &(state->strm);\n\n if (state->err != Z_OK && state->err != Z_BUF_ERROR)\n return -1;\n if (state->eof == 0) {\n if (strm->avail_in) { /* copy what's there to the start */\n unsigned char *p = state->in;\n unsigned const char *q = strm->next_in;\n unsigned n = strm->avail_in;\n do {\n *p++ = *q++;\n } while (--n);\n }\n if (gz_load(state, state->in + strm->avail_in,\n state->size - strm->avail_in, &got) == -1)\n return -1;\n strm->avail_in += got;\n strm->next_in = state->in;\n }\n return 0;\n}\n\n/* Look for gzip header, set up for inflate or copy. state->x.have must be 0.\n If this is the first time in, allocate required memory. state->how will be\n left unchanged if there is no more input data available, will be set to COPY\n if there is no gzip header and direct copying will be performed, or it will\n be set to GZIP for decompression. If direct copying, then leftover input\n data from the input buffer will be copied to the output buffer. In that\n case, all further file reads will be directly to either the output buffer or\n a user buffer. If decompressing, the inflate state will be initialized.\n gz_look() will return 0 on success or -1 on failure. */\nlocal int gz_look(gz_statep state) {\n z_streamp strm = &(state->strm);\n\n /* allocate read buffers and inflate memory */\n if (state->size == 0) {\n /* allocate buffers */\n state->in = (unsigned char *)malloc(state->want);\n state->out = (unsigned char *)malloc(state->want << 1);\n if (state->in == NULL || state->out == NULL) {\n free(state->out);\n free(state->in);\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n state->size = state->want;\n\n /* allocate inflate memory */\n state->strm.zalloc = Z_NULL;\n state->strm.zfree = Z_NULL;\n state->strm.opaque = Z_NULL;\n state->strm.avail_in = 0;\n state->strm.next_in = Z_NULL;\n if (inflateInit2(&(state->strm), 15 + 16) != Z_OK) { /* gunzip */\n free(state->out);\n free(state->in);\n state->size = 0;\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n }\n\n /* get at least the magic bytes in the input buffer */\n if (strm->avail_in < 2) {\n if (gz_avail(state) == -1)\n return -1;\n if (strm->avail_in == 0)\n return 0;\n }\n\n /* look for gzip magic bytes -- if there, do gzip decoding (note: there is\n a logical dilemma here when considering the case of a partially written\n gzip file, to wit, if a single 31 byte is written, then we cannot tell\n whether this is a single-byte file, or just a partially written gzip\n file -- for here we assume that if a gzip file is being written, then\n the header will be written in a single operation, so that reading a\n single byte is sufficient indication that it is not a gzip file) */\n if (strm->avail_in > 1 &&\n strm->next_in[0] == 31 && strm->next_in[1] == 139) {\n inflateReset(strm);\n state->how = GZIP;\n state->direct = 0;\n return 0;\n }\n\n /* no gzip header -- if we were decoding gzip before, then this is trailing\n garbage. Ignore the trailing garbage and finish. */\n if (state->direct == 0) {\n strm->avail_in = 0;\n state->eof = 1;\n state->x.have = 0;\n return 0;\n }\n\n /* doing raw i/o, copy any leftover input to output -- this assumes that\n the output buffer is larger than the input buffer, which also assures\n space for gzungetc() */\n state->x.next = state->out;\n memcpy(state->x.next, strm->next_in, strm->avail_in);\n state->x.have = strm->avail_in;\n strm->avail_in = 0;\n state->how = COPY;\n state->direct = 1;\n return 0;\n}\n\n/* Decompress from input to the provided next_out and avail_out in the state.\n On return, state->x.have and state->x.next point to the just decompressed\n data. If the gzip stream completes, state->how is reset to LOOK to look for\n the next gzip stream or raw data, once state->x.have is depleted. Returns 0\n on success, -1 on failure. */\nlocal int gz_decomp(gz_statep state) {\n int ret = Z_OK;\n unsigned had;\n z_streamp strm = &(state->strm);\n\n /* fill output buffer up to end of deflate stream */\n had = strm->avail_out;\n do {\n /* get more input for inflate() */\n if (strm->avail_in == 0 && gz_avail(state) == -1)\n return -1;\n if (strm->avail_in == 0) {\n gz_error(state, Z_BUF_ERROR, \"unexpected end of file\");\n break;\n }\n\n /* decompress and handle errors */\n ret = inflate(strm, Z_NO_FLUSH);\n if (ret == Z_STREAM_ERROR || ret == Z_NEED_DICT) {\n gz_error(state, Z_STREAM_ERROR,\n \"internal error: inflate stream corrupt\");\n return -1;\n }\n if (ret == Z_MEM_ERROR) {\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n if (ret == Z_DATA_ERROR) { /* deflate stream invalid */\n gz_error(state, Z_DATA_ERROR,\n strm->msg == NULL ? \"compressed data error\" : strm->msg);\n return -1;\n }\n } while (strm->avail_out && ret != Z_STREAM_END);\n\n /* update available output */\n state->x.have = had - strm->avail_out;\n state->x.next = strm->next_out - state->x.have;\n\n /* if the gzip stream completed successfully, look for another */\n if (ret == Z_STREAM_END)\n state->how = LOOK;\n\n /* good decompression */\n return 0;\n}\n\n/* Fetch data and put it in the output buffer. Assumes state->x.have is 0.\n Data is either copied from the input file or decompressed from the input\n file depending on state->how. If state->how is LOOK, then a gzip header is\n looked for to determine whether to copy or decompress. Returns -1 on error,\n otherwise 0. gz_fetch() will leave state->how as COPY or GZIP unless the\n end of the input file has been reached and all data has been processed. */\nlocal int gz_fetch(gz_statep state) {\n z_streamp strm = &(state->strm);\n\n do {\n switch(state->how) {\n case LOOK: /* -> LOOK, COPY (only if never GZIP), or GZIP */\n if (gz_look(state) == -1)\n return -1;\n if (state->how == LOOK)\n return 0;\n break;\n case COPY: /* -> COPY */\n if (gz_load(state, state->out, state->size << 1, &(state->x.have))\n == -1)\n return -1;\n state->x.next = state->out;\n return 0;\n case GZIP: /* -> GZIP or LOOK (if end of gzip stream) */\n strm->avail_out = state->size << 1;\n strm->next_out = state->out;\n if (gz_decomp(state) == -1)\n return -1;\n }\n } while (state->x.have == 0 && (!state->eof || strm->avail_in));\n return 0;\n}\n\n/* Skip len uncompressed bytes of output. Return -1 on error, 0 on success. */\nlocal int gz_skip(gz_statep state, z_off64_t len) {\n unsigned n;\n\n /* skip over len bytes or reach end-of-file, whichever comes first */\n while (len)\n /* skip over whatever is in output buffer */\n if (state->x.have) {\n n = GT_OFF(state->x.have) || (z_off64_t)state->x.have > len ?\n (unsigned)len : state->x.have;\n state->x.have -= n;\n state->x.next += n;\n state->x.pos += n;\n len -= n;\n }\n\n /* output buffer empty -- return if we're at the end of the input */\n else if (state->eof && state->strm.avail_in == 0)\n break;\n\n /* need more data to skip -- load up output buffer */\n else {\n /* get more output, looking for header if required */\n if (gz_fetch(state) == -1)\n return -1;\n }\n return 0;\n}\n\n/* Read len bytes into buf from file, or less than len up to the end of the\n input. Return the number of bytes read. If zero is returned, either the\n end of file was reached, or there was an error. state->err must be\n consulted in that case to determine which. */\nlocal z_size_t gz_read(gz_statep state, voidp buf, z_size_t len) {\n z_size_t got;\n unsigned n;\n\n /* if len is zero, avoid unnecessary operations */\n if (len == 0)\n return 0;\n\n /* process a skip request */\n if (state->seek) {\n state->seek = 0;\n if (gz_skip(state, state->skip) == -1)\n return 0;\n }\n\n /* get len bytes to buf, or less than len if at the end */\n got = 0;\n do {\n /* set n to the maximum amount of len that fits in an unsigned int */\n n = (unsigned)-1;\n if (n > len)\n n = (unsigned)len;\n\n /* first just try copying data from the output buffer */\n if (state->x.have) {\n if (state->x.have < n)\n n = state->x.have;\n memcpy(buf, state->x.next, n);\n state->x.next += n;\n state->x.have -= n;\n }\n\n /* output buffer empty -- return if we're at the end of the input */\n else if (state->eof && state->strm.avail_in == 0) {\n state->past = 1; /* tried to read past end */\n break;\n }\n\n /* need output data -- for small len or new stream load up our output\n buffer */\n else if (state->how == LOOK || n < (state->size << 1)) {\n /* get more output, looking for header if required */\n if (gz_fetch(state) == -1)\n return 0;\n continue; /* no progress yet -- go back to copy above */\n /* the copy above assures that we will leave with space in the\n output buffer, allowing at least one gzungetc() to succeed */\n }\n\n /* large len -- read directly into user buffer */\n else if (state->how == COPY) { /* read directly */\n if (gz_load(state, (unsigned char *)buf, n, &n) == -1)\n return 0;\n }\n\n /* large len -- decompress directly into user buffer */\n else { /* state->how == GZIP */\n state->strm.avail_out = n;\n state->strm.next_out = (unsigned char *)buf;\n if (gz_decomp(state) == -1)\n return 0;\n n = state->x.have;\n state->x.have = 0;\n }\n\n /* update progress */\n len -= n;\n buf = (char *)buf + n;\n got += n;\n state->x.pos += n;\n } while (len);\n\n /* return number of bytes read into user buffer */\n return got;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzread(gzFile file, voidp buf, unsigned len) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n\n /* check that we're reading and that there's no (serious) error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return -1;\n\n /* since an int is returned, make sure len fits in one, otherwise return\n with an error (this avoids a flaw in the interface) */\n if ((int)len < 0) {\n gz_error(state, Z_STREAM_ERROR, \"request does not fit in an int\");\n return -1;\n }\n\n /* read len or fewer bytes to buf */\n len = (unsigned)gz_read(state, buf, len);\n\n /* check for an error */\n if (len == 0 && state->err != Z_OK && state->err != Z_BUF_ERROR)\n return -1;\n\n /* return the number of bytes read (this is assured to fit in an int) */\n return (int)len;\n}\n\n/* -- see zlib.h -- */\nz_size_t ZEXPORT gzfread(voidp buf, z_size_t size, z_size_t nitems, gzFile file) {\n z_size_t len;\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return 0;\n state = (gz_statep)file;\n\n /* check that we're reading and that there's no (serious) error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return 0;\n\n /* compute bytes to read -- error on overflow */\n len = nitems * size;\n if (size && len / size != nitems) {\n gz_error(state, Z_STREAM_ERROR, \"request does not fit in a size_t\");\n return 0;\n }\n\n /* read len or fewer bytes to buf, return the number of full items read */\n return len ? gz_read(state, buf, len) / size : 0;\n}\n\n/* -- see zlib.h -- */\n#ifdef Z_PREFIX_SET\n# undef z_gzgetc\n#else\n# undef gzgetc\n#endif\nint ZEXPORT gzgetc(gzFile file) {\n unsigned char buf[1];\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n\n /* check that we're reading and that there's no (serious) error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return -1;\n\n /* try output buffer (no need to check for skip request) */\n if (state->x.have) {\n state->x.have--;\n state->x.pos++;\n return *(state->x.next)++;\n }\n\n /* nothing there -- try gz_read() */\n return gz_read(state, buf, 1) < 1 ? -1 : buf[0];\n}\n\nint ZEXPORT gzgetc_(gzFile file) {\n return gzgetc(file);\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzungetc(int c, gzFile file) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n\n /* in case this was just opened, set up the input buffer */\n if (state->mode == GZ_READ && state->how == LOOK && state->x.have == 0)\n (void)gz_look(state);\n\n /* check that we're reading and that there's no (serious) error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return -1;\n\n /* process a skip request */\n if (state->seek) {\n state->seek = 0;\n if (gz_skip(state, state->skip) == -1)\n return -1;\n }\n\n /* can't push EOF */\n if (c < 0)\n return -1;\n\n /* if output buffer empty, put byte at end (allows more pushing) */\n if (state->x.have == 0) {\n state->x.have = 1;\n state->x.next = state->out + (state->size << 1) - 1;\n state->x.next[0] = (unsigned char)c;\n state->x.pos--;\n state->past = 0;\n return c;\n }\n\n /* if no room, give up (must have already done a gzungetc()) */\n if (state->x.have == (state->size << 1)) {\n gz_error(state, Z_DATA_ERROR, \"out of room to push characters\");\n return -1;\n }\n\n /* slide output data if needed and insert byte before existing data */\n if (state->x.next == state->out) {\n unsigned char *src = state->out + state->x.have;\n unsigned char *dest = state->out + (state->size << 1);\n while (src > state->out)\n *--dest = *--src;\n state->x.next = dest;\n }\n state->x.have++;\n state->x.next--;\n state->x.next[0] = (unsigned char)c;\n state->x.pos--;\n state->past = 0;\n return c;\n}\n\n/* -- see zlib.h -- */\nchar * ZEXPORT gzgets(gzFile file, char *buf, int len) {\n unsigned left, n;\n char *str;\n unsigned char *eol;\n gz_statep state;\n\n /* check parameters and get internal structure */\n if (file == NULL || buf == NULL || len < 1)\n return NULL;\n state = (gz_statep)file;\n\n /* check that we're reading and that there's no (serious) error */\n if (state->mode != GZ_READ ||\n (state->err != Z_OK && state->err != Z_BUF_ERROR))\n return NULL;\n\n /* process a skip request */\n if (state->seek) {\n state->seek = 0;\n if (gz_skip(state, state->skip) == -1)\n return NULL;\n }\n\n /* copy output bytes up to new line or len - 1, whichever comes first --\n append a terminating zero to the string (we don't check for a zero in\n the contents, let the user worry about that) */\n str = buf;\n left = (unsigned)len - 1;\n if (left) do {\n /* assure that something is in the output buffer */\n if (state->x.have == 0 && gz_fetch(state) == -1)\n return NULL; /* error */\n if (state->x.have == 0) { /* end of file */\n state->past = 1; /* read past end */\n break; /* return what we have */\n }\n\n /* look for end-of-line in current output buffer */\n n = state->x.have > left ? left : state->x.have;\n eol = (unsigned char *)memchr(state->x.next, '\\n', n);\n if (eol != NULL)\n n = (unsigned)(eol - state->x.next) + 1;\n\n /* copy through end-of-line, or remainder if not found */\n memcpy(buf, state->x.next, n);\n state->x.have -= n;\n state->x.next += n;\n state->x.pos += n;\n left -= n;\n buf += n;\n } while (left && eol == NULL);\n\n /* return terminated string, or if nothing, end of file */\n if (buf == str)\n return NULL;\n buf[0] = 0;\n return str;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzdirect(gzFile file) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return 0;\n state = (gz_statep)file;\n\n /* if the state is not known, but we can find out, then do so (this is\n mainly for right after a gzopen() or gzdopen()) */\n if (state->mode == GZ_READ && state->how == LOOK && state->x.have == 0)\n (void)gz_look(state);\n\n /* return 1 if transparent, 0 if processing a gzip stream */\n return state->direct;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzclose_r(gzFile file) {\n int ret, err;\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n\n /* check that we're reading */\n if (state->mode != GZ_READ)\n return Z_STREAM_ERROR;\n\n /* free memory and close file */\n if (state->size) {\n inflateEnd(&(state->strm));\n free(state->out);\n free(state->in);\n }\n err = state->err == Z_BUF_ERROR ? Z_BUF_ERROR : Z_OK;\n gz_error(state, Z_OK, NULL);\n free(state->path);\n ret = close(state->fd);\n free(state);\n return ret ? Z_ERRNO : err;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/gzwrite.c", "content": "/* gzwrite.c -- zlib functions for writing gzip files\n * Copyright (C) 2004-2019 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"gzguts.h\"\n\n/* Initialize state for writing a gzip file. Mark initialization by setting\n state->size to non-zero. Return -1 on a memory allocation failure, or 0 on\n success. */\nlocal int gz_init(gz_statep state) {\n int ret;\n z_streamp strm = &(state->strm);\n\n /* allocate input buffer (double size for gzprintf) */\n state->in = (unsigned char *)malloc(state->want << 1);\n if (state->in == NULL) {\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n\n /* only need output buffer and deflate state if compressing */\n if (!state->direct) {\n /* allocate output buffer */\n state->out = (unsigned char *)malloc(state->want);\n if (state->out == NULL) {\n free(state->in);\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n\n /* allocate deflate memory, set up for gzip compression */\n strm->zalloc = Z_NULL;\n strm->zfree = Z_NULL;\n strm->opaque = Z_NULL;\n ret = deflateInit2(strm, state->level, Z_DEFLATED,\n MAX_WBITS + 16, DEF_MEM_LEVEL, state->strategy);\n if (ret != Z_OK) {\n free(state->out);\n free(state->in);\n gz_error(state, Z_MEM_ERROR, \"out of memory\");\n return -1;\n }\n strm->next_in = NULL;\n }\n\n /* mark state as initialized */\n state->size = state->want;\n\n /* initialize write buffer if compressing */\n if (!state->direct) {\n strm->avail_out = state->size;\n strm->next_out = state->out;\n state->x.next = strm->next_out;\n }\n return 0;\n}\n\n/* Compress whatever is at avail_in and next_in and write to the output file.\n Return -1 if there is an error writing to the output file or if gz_init()\n fails to allocate memory, otherwise 0. flush is assumed to be a valid\n deflate() flush value. If flush is Z_FINISH, then the deflate() state is\n reset to start a new gzip stream. If gz->direct is true, then simply write\n to the output file without compressing, and ignore flush. */\nlocal int gz_comp(gz_statep state, int flush) {\n int ret, writ;\n unsigned have, put, max = ((unsigned)-1 >> 2) + 1;\n z_streamp strm = &(state->strm);\n\n /* allocate memory if this is the first time through */\n if (state->size == 0 && gz_init(state) == -1)\n return -1;\n\n /* write directly if requested */\n if (state->direct) {\n while (strm->avail_in) {\n put = strm->avail_in > max ? max : strm->avail_in;\n writ = write(state->fd, strm->next_in, put);\n if (writ < 0) {\n gz_error(state, Z_ERRNO, zstrerror());\n return -1;\n }\n strm->avail_in -= (unsigned)writ;\n strm->next_in += writ;\n }\n return 0;\n }\n\n /* check for a pending reset */\n if (state->reset) {\n /* don't start a new gzip member unless there is data to write */\n if (strm->avail_in == 0)\n return 0;\n deflateReset(strm);\n state->reset = 0;\n }\n\n /* run deflate() on provided input until it produces no more output */\n ret = Z_OK;\n do {\n /* write out current buffer contents if full, or if flushing, but if\n doing Z_FINISH then don't write until we get to Z_STREAM_END */\n if (strm->avail_out == 0 || (flush != Z_NO_FLUSH &&\n (flush != Z_FINISH || ret == Z_STREAM_END))) {\n while (strm->next_out > state->x.next) {\n put = strm->next_out - state->x.next > (int)max ? max :\n (unsigned)(strm->next_out - state->x.next);\n writ = write(state->fd, state->x.next, put);\n if (writ < 0) {\n gz_error(state, Z_ERRNO, zstrerror());\n return -1;\n }\n state->x.next += writ;\n }\n if (strm->avail_out == 0) {\n strm->avail_out = state->size;\n strm->next_out = state->out;\n state->x.next = state->out;\n }\n }\n\n /* compress */\n have = strm->avail_out;\n ret = deflate(strm, flush);\n if (ret == Z_STREAM_ERROR) {\n gz_error(state, Z_STREAM_ERROR,\n \"internal error: deflate stream corrupt\");\n return -1;\n }\n have -= strm->avail_out;\n } while (have);\n\n /* if that completed a deflate stream, allow another to start */\n if (flush == Z_FINISH)\n state->reset = 1;\n\n /* all done, no errors */\n return 0;\n}\n\n/* Compress len zeros to output. Return -1 on a write error or memory\n allocation failure by gz_comp(), or 0 on success. */\nlocal int gz_zero(gz_statep state, z_off64_t len) {\n int first;\n unsigned n;\n z_streamp strm = &(state->strm);\n\n /* consume whatever's left in the input buffer */\n if (strm->avail_in && gz_comp(state, Z_NO_FLUSH) == -1)\n return -1;\n\n /* compress len zeros (len guaranteed > 0) */\n first = 1;\n while (len) {\n n = GT_OFF(state->size) || (z_off64_t)state->size > len ?\n (unsigned)len : state->size;\n if (first) {\n memset(state->in, 0, n);\n first = 0;\n }\n strm->avail_in = n;\n strm->next_in = state->in;\n state->x.pos += n;\n if (gz_comp(state, Z_NO_FLUSH) == -1)\n return -1;\n len -= n;\n }\n return 0;\n}\n\n/* Write len bytes from buf to file. Return the number of bytes written. If\n the returned value is less than len, then there was an error. */\nlocal z_size_t gz_write(gz_statep state, voidpc buf, z_size_t len) {\n z_size_t put = len;\n\n /* if len is zero, avoid unnecessary operations */\n if (len == 0)\n return 0;\n\n /* allocate memory if this is the first time through */\n if (state->size == 0 && gz_init(state) == -1)\n return 0;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return 0;\n }\n\n /* for small len, copy to input buffer, otherwise compress directly */\n if (len < state->size) {\n /* copy to input buffer, compress when full */\n do {\n unsigned have, copy;\n\n if (state->strm.avail_in == 0)\n state->strm.next_in = state->in;\n have = (unsigned)((state->strm.next_in + state->strm.avail_in) -\n state->in);\n copy = state->size - have;\n if (copy > len)\n copy = (unsigned)len;\n memcpy(state->in + have, buf, copy);\n state->strm.avail_in += copy;\n state->x.pos += copy;\n buf = (const char *)buf + copy;\n len -= copy;\n if (len && gz_comp(state, Z_NO_FLUSH) == -1)\n return 0;\n } while (len);\n }\n else {\n /* consume whatever's left in the input buffer */\n if (state->strm.avail_in && gz_comp(state, Z_NO_FLUSH) == -1)\n return 0;\n\n /* directly compress user buffer to file */\n state->strm.next_in = (z_const Bytef *)buf;\n do {\n unsigned n = (unsigned)-1;\n if (n > len)\n n = (unsigned)len;\n state->strm.avail_in = n;\n state->x.pos += n;\n if (gz_comp(state, Z_NO_FLUSH) == -1)\n return 0;\n len -= n;\n } while (len);\n }\n\n /* input was all buffered or compressed */\n return put;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzwrite(gzFile file, voidpc buf, unsigned len) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return 0;\n state = (gz_statep)file;\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return 0;\n\n /* since an int is returned, make sure len fits in one, otherwise return\n with an error (this avoids a flaw in the interface) */\n if ((int)len < 0) {\n gz_error(state, Z_DATA_ERROR, \"requested length does not fit in int\");\n return 0;\n }\n\n /* write len bytes from buf (the return value will fit in an int) */\n return (int)gz_write(state, buf, len);\n}\n\n/* -- see zlib.h -- */\nz_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size, z_size_t nitems,\n gzFile file) {\n z_size_t len;\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return 0;\n state = (gz_statep)file;\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return 0;\n\n /* compute bytes to read -- error on overflow */\n len = nitems * size;\n if (size && len / size != nitems) {\n gz_error(state, Z_STREAM_ERROR, \"request does not fit in a size_t\");\n return 0;\n }\n\n /* write len bytes to buf, return the number of full items written */\n return len ? gz_write(state, buf, len) / size : 0;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzputc(gzFile file, int c) {\n unsigned have;\n unsigned char buf[1];\n gz_statep state;\n z_streamp strm;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n strm = &(state->strm);\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return -1;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return -1;\n }\n\n /* try writing to input buffer for speed (state->size == 0 if buffer not\n initialized) */\n if (state->size) {\n if (strm->avail_in == 0)\n strm->next_in = state->in;\n have = (unsigned)((strm->next_in + strm->avail_in) - state->in);\n if (have < state->size) {\n state->in[have] = (unsigned char)c;\n strm->avail_in++;\n state->x.pos++;\n return c & 0xff;\n }\n }\n\n /* no room in buffer or not initialized, use gz_write() */\n buf[0] = (unsigned char)c;\n if (gz_write(state, buf, 1) != 1)\n return -1;\n return c & 0xff;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzputs(gzFile file, const char *s) {\n z_size_t len, put;\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return -1;\n state = (gz_statep)file;\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return -1;\n\n /* write string */\n len = strlen(s);\n if ((int)len < 0 || (unsigned)len != len) {\n gz_error(state, Z_STREAM_ERROR, \"string length does not fit in int\");\n return -1;\n }\n put = gz_write(state, s, len);\n return put < len ? -1 : (int)len;\n}\n\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n#include \n\n/* -- see zlib.h -- */\nint ZEXPORTVA gzvprintf(gzFile file, const char *format, va_list va) {\n int len;\n unsigned left;\n char *next;\n gz_statep state;\n z_streamp strm;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n strm = &(state->strm);\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return Z_STREAM_ERROR;\n\n /* make sure we have some buffer space */\n if (state->size == 0 && gz_init(state) == -1)\n return state->err;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return state->err;\n }\n\n /* do the printf() into the input buffer, put length in len -- the input\n buffer is double-sized just for this function, so there is guaranteed to\n be state->size bytes available after the current contents */\n if (strm->avail_in == 0)\n strm->next_in = state->in;\n next = (char *)(state->in + (strm->next_in - state->in) + strm->avail_in);\n next[state->size - 1] = 0;\n#ifdef NO_vsnprintf\n# ifdef HAS_vsprintf_void\n (void)vsprintf(next, format, va);\n for (len = 0; len < state->size; len++)\n if (next[len] == 0) break;\n# else\n len = vsprintf(next, format, va);\n# endif\n#else\n# ifdef HAS_vsnprintf_void\n (void)vsnprintf(next, state->size, format, va);\n len = strlen(next);\n# else\n len = vsnprintf(next, state->size, format, va);\n# endif\n#endif\n\n /* check that printf() results fit in buffer */\n if (len == 0 || (unsigned)len >= state->size || next[state->size - 1] != 0)\n return 0;\n\n /* update buffer and position, compress first half if past that */\n strm->avail_in += (unsigned)len;\n state->x.pos += len;\n if (strm->avail_in >= state->size) {\n left = strm->avail_in - state->size;\n strm->avail_in = state->size;\n if (gz_comp(state, Z_NO_FLUSH) == -1)\n return state->err;\n memmove(state->in, state->in + state->size, left);\n strm->next_in = state->in;\n strm->avail_in = left;\n }\n return len;\n}\n\nint ZEXPORTVA gzprintf(gzFile file, const char *format, ...) {\n va_list va;\n int ret;\n\n va_start(va, format);\n ret = gzvprintf(file, format, va);\n va_end(va);\n return ret;\n}\n\n#else /* !STDC && !Z_HAVE_STDARG_H */\n\n/* -- see zlib.h -- */\nint ZEXPORTVA gzprintf(gzFile file, const char *format, int a1, int a2, int a3,\n int a4, int a5, int a6, int a7, int a8, int a9, int a10,\n int a11, int a12, int a13, int a14, int a15, int a16,\n int a17, int a18, int a19, int a20) {\n unsigned len, left;\n char *next;\n gz_statep state;\n z_streamp strm;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n strm = &(state->strm);\n\n /* check that can really pass pointer in ints */\n if (sizeof(int) != sizeof(void *))\n return Z_STREAM_ERROR;\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return Z_STREAM_ERROR;\n\n /* make sure we have some buffer space */\n if (state->size == 0 && gz_init(state) == -1)\n return state->error;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return state->error;\n }\n\n /* do the printf() into the input buffer, put length in len -- the input\n buffer is double-sized just for this function, so there is guaranteed to\n be state->size bytes available after the current contents */\n if (strm->avail_in == 0)\n strm->next_in = state->in;\n next = (char *)(strm->next_in + strm->avail_in);\n next[state->size - 1] = 0;\n#ifdef NO_snprintf\n# ifdef HAS_sprintf_void\n sprintf(next, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12,\n a13, a14, a15, a16, a17, a18, a19, a20);\n for (len = 0; len < size; len++)\n if (next[len] == 0)\n break;\n# else\n len = sprintf(next, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11,\n a12, a13, a14, a15, a16, a17, a18, a19, a20);\n# endif\n#else\n# ifdef HAS_snprintf_void\n snprintf(next, state->size, format, a1, a2, a3, a4, a5, a6, a7, a8, a9,\n a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);\n len = strlen(next);\n# else\n len = snprintf(next, state->size, format, a1, a2, a3, a4, a5, a6, a7, a8,\n a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);\n# endif\n#endif\n\n /* check that printf() results fit in buffer */\n if (len == 0 || len >= state->size || next[state->size - 1] != 0)\n return 0;\n\n /* update buffer and position, compress first half if past that */\n strm->avail_in += len;\n state->x.pos += len;\n if (strm->avail_in >= state->size) {\n left = strm->avail_in - state->size;\n strm->avail_in = state->size;\n if (gz_comp(state, Z_NO_FLUSH) == -1)\n return state->err;\n memmove(state->in, state->in + state->size, left);\n strm->next_in = state->in;\n strm->avail_in = left;\n }\n return (int)len;\n}\n\n#endif\n\n/* -- see zlib.h -- */\nint ZEXPORT gzflush(gzFile file, int flush) {\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK)\n return Z_STREAM_ERROR;\n\n /* check flush parameter */\n if (flush < 0 || flush > Z_FINISH)\n return Z_STREAM_ERROR;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return state->err;\n }\n\n /* compress remaining data with requested flush */\n (void)gz_comp(state, flush);\n return state->err;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzsetparams(gzFile file, int level, int strategy) {\n gz_statep state;\n z_streamp strm;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n strm = &(state->strm);\n\n /* check that we're writing and that there's no error */\n if (state->mode != GZ_WRITE || state->err != Z_OK || state->direct)\n return Z_STREAM_ERROR;\n\n /* if no change is requested, then do nothing */\n if (level == state->level && strategy == state->strategy)\n return Z_OK;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n return state->err;\n }\n\n /* change compression parameters for subsequent input */\n if (state->size) {\n /* flush previous input with previous parameters before changing */\n if (strm->avail_in && gz_comp(state, Z_BLOCK) == -1)\n return state->err;\n deflateParams(strm, level, strategy);\n }\n state->level = level;\n state->strategy = strategy;\n return Z_OK;\n}\n\n/* -- see zlib.h -- */\nint ZEXPORT gzclose_w(gzFile file) {\n int ret = Z_OK;\n gz_statep state;\n\n /* get internal structure */\n if (file == NULL)\n return Z_STREAM_ERROR;\n state = (gz_statep)file;\n\n /* check that we're writing */\n if (state->mode != GZ_WRITE)\n return Z_STREAM_ERROR;\n\n /* check for seek request */\n if (state->seek) {\n state->seek = 0;\n if (gz_zero(state, state->skip) == -1)\n ret = state->err;\n }\n\n /* flush, free memory, and close file */\n if (gz_comp(state, Z_FINISH) == -1)\n ret = state->err;\n if (state->size) {\n if (!state->direct) {\n (void)deflateEnd(&(state->strm));\n free(state->out);\n }\n free(state->in);\n }\n gz_error(state, Z_OK, NULL);\n free(state->path);\n if (close(state->fd) == -1)\n ret = Z_ERRNO;\n free(state);\n return ret;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/infback.c", "content": "/* infback.c -- inflate using a call-back interface\n * Copyright (C) 1995-2022 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/*\n This code is largely copied from inflate.c. Normally either infback.o or\n inflate.o would be linked into an application--not both. The interface\n with inffast.c is retained so that optimized assembler-coded versions of\n inflate_fast() can be used with either inflate.c or infback.c.\n */\n\n#include \"zutil.h\"\n#include \"inftrees.h\"\n#include \"inflate.h\"\n#include \"inffast.h\"\n\n/*\n strm provides memory allocation functions in zalloc and zfree, or\n Z_NULL to use the library memory allocation functions.\n\n windowBits is in the range 8..15, and window is a user-supplied\n window and output buffer that is 2**windowBits bytes.\n */\nint ZEXPORT inflateBackInit_(z_streamp strm, int windowBits,\n unsigned char FAR *window, const char *version,\n int stream_size) {\n struct inflate_state FAR *state;\n\n if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||\n stream_size != (int)(sizeof(z_stream)))\n return Z_VERSION_ERROR;\n if (strm == Z_NULL || window == Z_NULL ||\n windowBits < 8 || windowBits > 15)\n return Z_STREAM_ERROR;\n strm->msg = Z_NULL; /* in case we return an error */\n if (strm->zalloc == (alloc_func)0) {\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zalloc = zcalloc;\n strm->opaque = (voidpf)0;\n#endif\n }\n if (strm->zfree == (free_func)0)\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zfree = zcfree;\n#endif\n state = (struct inflate_state FAR *)ZALLOC(strm, 1,\n sizeof(struct inflate_state));\n if (state == Z_NULL) return Z_MEM_ERROR;\n Tracev((stderr, \"inflate: allocated\\n\"));\n strm->state = (struct internal_state FAR *)state;\n state->dmax = 32768U;\n state->wbits = (uInt)windowBits;\n state->wsize = 1U << windowBits;\n state->window = window;\n state->wnext = 0;\n state->whave = 0;\n state->sane = 1;\n return Z_OK;\n}\n\n/*\n Return state with length and distance decoding tables and index sizes set to\n fixed code decoding. Normally this returns fixed tables from inffixed.h.\n If BUILDFIXED is defined, then instead this routine builds the tables the\n first time it's called, and returns those tables the first time and\n thereafter. This reduces the size of the code by about 2K bytes, in\n exchange for a little execution time. However, BUILDFIXED should not be\n used for threaded applications, since the rewriting of the tables and virgin\n may not be thread-safe.\n */\nlocal void fixedtables(struct inflate_state FAR *state) {\n#ifdef BUILDFIXED\n static int virgin = 1;\n static code *lenfix, *distfix;\n static code fixed[544];\n\n /* build fixed huffman tables if first call (may not be thread safe) */\n if (virgin) {\n unsigned sym, bits;\n static code *next;\n\n /* literal/length table */\n sym = 0;\n while (sym < 144) state->lens[sym++] = 8;\n while (sym < 256) state->lens[sym++] = 9;\n while (sym < 280) state->lens[sym++] = 7;\n while (sym < 288) state->lens[sym++] = 8;\n next = fixed;\n lenfix = next;\n bits = 9;\n inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);\n\n /* distance table */\n sym = 0;\n while (sym < 32) state->lens[sym++] = 5;\n distfix = next;\n bits = 5;\n inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);\n\n /* do this just once */\n virgin = 0;\n }\n#else /* !BUILDFIXED */\n# include \"inffixed.h\"\n#endif /* BUILDFIXED */\n state->lencode = lenfix;\n state->lenbits = 9;\n state->distcode = distfix;\n state->distbits = 5;\n}\n\n/* Macros for inflateBack(): */\n\n/* Load returned state from inflate_fast() */\n#define LOAD() \\\n do { \\\n put = strm->next_out; \\\n left = strm->avail_out; \\\n next = strm->next_in; \\\n have = strm->avail_in; \\\n hold = state->hold; \\\n bits = state->bits; \\\n } while (0)\n\n/* Set state from registers for inflate_fast() */\n#define RESTORE() \\\n do { \\\n strm->next_out = put; \\\n strm->avail_out = left; \\\n strm->next_in = next; \\\n strm->avail_in = have; \\\n state->hold = hold; \\\n state->bits = bits; \\\n } while (0)\n\n/* Clear the input bit accumulator */\n#define INITBITS() \\\n do { \\\n hold = 0; \\\n bits = 0; \\\n } while (0)\n\n/* Assure that some input is available. If input is requested, but denied,\n then return a Z_BUF_ERROR from inflateBack(). */\n#define PULL() \\\n do { \\\n if (have == 0) { \\\n have = in(in_desc, &next); \\\n if (have == 0) { \\\n next = Z_NULL; \\\n ret = Z_BUF_ERROR; \\\n goto inf_leave; \\\n } \\\n } \\\n } while (0)\n\n/* Get a byte of input into the bit accumulator, or return from inflateBack()\n with an error if there is no input available. */\n#define PULLBYTE() \\\n do { \\\n PULL(); \\\n have--; \\\n hold += (unsigned long)(*next++) << bits; \\\n bits += 8; \\\n } while (0)\n\n/* Assure that there are at least n bits in the bit accumulator. If there is\n not enough available input to do that, then return from inflateBack() with\n an error. */\n#define NEEDBITS(n) \\\n do { \\\n while (bits < (unsigned)(n)) \\\n PULLBYTE(); \\\n } while (0)\n\n/* Return the low n bits of the bit accumulator (n < 16) */\n#define BITS(n) \\\n ((unsigned)hold & ((1U << (n)) - 1))\n\n/* Remove n bits from the bit accumulator */\n#define DROPBITS(n) \\\n do { \\\n hold >>= (n); \\\n bits -= (unsigned)(n); \\\n } while (0)\n\n/* Remove zero to seven bits as needed to go to a byte boundary */\n#define BYTEBITS() \\\n do { \\\n hold >>= bits & 7; \\\n bits -= bits & 7; \\\n } while (0)\n\n/* Assure that some output space is available, by writing out the window\n if it's full. If the write fails, return from inflateBack() with a\n Z_BUF_ERROR. */\n#define ROOM() \\\n do { \\\n if (left == 0) { \\\n put = state->window; \\\n left = state->wsize; \\\n state->whave = left; \\\n if (out(out_desc, put, left)) { \\\n ret = Z_BUF_ERROR; \\\n goto inf_leave; \\\n } \\\n } \\\n } while (0)\n\n/*\n strm provides the memory allocation functions and window buffer on input,\n and provides information on the unused input on return. For Z_DATA_ERROR\n returns, strm will also provide an error message.\n\n in() and out() are the call-back input and output functions. When\n inflateBack() needs more input, it calls in(). When inflateBack() has\n filled the window with output, or when it completes with data in the\n window, it calls out() to write out the data. The application must not\n change the provided input until in() is called again or inflateBack()\n returns. The application must not change the window/output buffer until\n inflateBack() returns.\n\n in() and out() are called with a descriptor parameter provided in the\n inflateBack() call. This parameter can be a structure that provides the\n information required to do the read or write, as well as accumulated\n information on the input and output such as totals and check values.\n\n in() should return zero on failure. out() should return non-zero on\n failure. If either in() or out() fails, than inflateBack() returns a\n Z_BUF_ERROR. strm->next_in can be checked for Z_NULL to see whether it\n was in() or out() that caused in the error. Otherwise, inflateBack()\n returns Z_STREAM_END on success, Z_DATA_ERROR for an deflate format\n error, or Z_MEM_ERROR if it could not allocate memory for the state.\n inflateBack() can also return Z_STREAM_ERROR if the input parameters\n are not correct, i.e. strm is Z_NULL or the state was not initialized.\n */\nint ZEXPORT inflateBack(z_streamp strm, in_func in, void FAR *in_desc,\n out_func out, void FAR *out_desc) {\n struct inflate_state FAR *state;\n z_const unsigned char FAR *next; /* next input */\n unsigned char FAR *put; /* next output */\n unsigned have, left; /* available input and output */\n unsigned long hold; /* bit buffer */\n unsigned bits; /* bits in bit buffer */\n unsigned copy; /* number of stored or match bytes to copy */\n unsigned char FAR *from; /* where to copy match bytes from */\n code here; /* current decoding table entry */\n code last; /* parent table entry */\n unsigned len; /* length to copy for repeats, bits to drop */\n int ret; /* return code */\n static const unsigned short order[19] = /* permutation of code lengths */\n {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};\n\n /* Check that the strm exists and that the state was initialized */\n if (strm == Z_NULL || strm->state == Z_NULL)\n return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n\n /* Reset the state */\n strm->msg = Z_NULL;\n state->mode = TYPE;\n state->last = 0;\n state->whave = 0;\n next = strm->next_in;\n have = next != Z_NULL ? strm->avail_in : 0;\n hold = 0;\n bits = 0;\n put = state->window;\n left = state->wsize;\n\n /* Inflate until end of block marked as last */\n for (;;)\n switch (state->mode) {\n case TYPE:\n /* determine and dispatch block type */\n if (state->last) {\n BYTEBITS();\n state->mode = DONE;\n break;\n }\n NEEDBITS(3);\n state->last = BITS(1);\n DROPBITS(1);\n switch (BITS(2)) {\n case 0: /* stored block */\n Tracev((stderr, \"inflate: stored block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = STORED;\n break;\n case 1: /* fixed block */\n fixedtables(state);\n Tracev((stderr, \"inflate: fixed codes block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = LEN; /* decode codes */\n break;\n case 2: /* dynamic block */\n Tracev((stderr, \"inflate: dynamic codes block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = TABLE;\n break;\n case 3:\n strm->msg = (char *)\"invalid block type\";\n state->mode = BAD;\n }\n DROPBITS(2);\n break;\n\n case STORED:\n /* get and verify stored block length */\n BYTEBITS(); /* go to byte boundary */\n NEEDBITS(32);\n if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {\n strm->msg = (char *)\"invalid stored block lengths\";\n state->mode = BAD;\n break;\n }\n state->length = (unsigned)hold & 0xffff;\n Tracev((stderr, \"inflate: stored length %u\\n\",\n state->length));\n INITBITS();\n\n /* copy stored block from input to output */\n while (state->length != 0) {\n copy = state->length;\n PULL();\n ROOM();\n if (copy > have) copy = have;\n if (copy > left) copy = left;\n zmemcpy(put, next, copy);\n have -= copy;\n next += copy;\n left -= copy;\n put += copy;\n state->length -= copy;\n }\n Tracev((stderr, \"inflate: stored end\\n\"));\n state->mode = TYPE;\n break;\n\n case TABLE:\n /* get dynamic table entries descriptor */\n NEEDBITS(14);\n state->nlen = BITS(5) + 257;\n DROPBITS(5);\n state->ndist = BITS(5) + 1;\n DROPBITS(5);\n state->ncode = BITS(4) + 4;\n DROPBITS(4);\n#ifndef PKZIP_BUG_WORKAROUND\n if (state->nlen > 286 || state->ndist > 30) {\n strm->msg = (char *)\"too many length or distance symbols\";\n state->mode = BAD;\n break;\n }\n#endif\n Tracev((stderr, \"inflate: table sizes ok\\n\"));\n\n /* get code length code lengths (not a typo) */\n state->have = 0;\n while (state->have < state->ncode) {\n NEEDBITS(3);\n state->lens[order[state->have++]] = (unsigned short)BITS(3);\n DROPBITS(3);\n }\n while (state->have < 19)\n state->lens[order[state->have++]] = 0;\n state->next = state->codes;\n state->lencode = (code const FAR *)(state->next);\n state->lenbits = 7;\n ret = inflate_table(CODES, state->lens, 19, &(state->next),\n &(state->lenbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid code lengths set\";\n state->mode = BAD;\n break;\n }\n Tracev((stderr, \"inflate: code lengths ok\\n\"));\n\n /* get length and distance code code lengths */\n state->have = 0;\n while (state->have < state->nlen + state->ndist) {\n for (;;) {\n here = state->lencode[BITS(state->lenbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if (here.val < 16) {\n DROPBITS(here.bits);\n state->lens[state->have++] = here.val;\n }\n else {\n if (here.val == 16) {\n NEEDBITS(here.bits + 2);\n DROPBITS(here.bits);\n if (state->have == 0) {\n strm->msg = (char *)\"invalid bit length repeat\";\n state->mode = BAD;\n break;\n }\n len = (unsigned)(state->lens[state->have - 1]);\n copy = 3 + BITS(2);\n DROPBITS(2);\n }\n else if (here.val == 17) {\n NEEDBITS(here.bits + 3);\n DROPBITS(here.bits);\n len = 0;\n copy = 3 + BITS(3);\n DROPBITS(3);\n }\n else {\n NEEDBITS(here.bits + 7);\n DROPBITS(here.bits);\n len = 0;\n copy = 11 + BITS(7);\n DROPBITS(7);\n }\n if (state->have + copy > state->nlen + state->ndist) {\n strm->msg = (char *)\"invalid bit length repeat\";\n state->mode = BAD;\n break;\n }\n while (copy--)\n state->lens[state->have++] = (unsigned short)len;\n }\n }\n\n /* handle error breaks in while */\n if (state->mode == BAD) break;\n\n /* check for end-of-block code (better have one) */\n if (state->lens[256] == 0) {\n strm->msg = (char *)\"invalid code -- missing end-of-block\";\n state->mode = BAD;\n break;\n }\n\n /* build code tables -- note: do not change the lenbits or distbits\n values here (9 and 6) without reading the comments in inftrees.h\n concerning the ENOUGH constants, which depend on those values */\n state->next = state->codes;\n state->lencode = (code const FAR *)(state->next);\n state->lenbits = 9;\n ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),\n &(state->lenbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid literal/lengths set\";\n state->mode = BAD;\n break;\n }\n state->distcode = (code const FAR *)(state->next);\n state->distbits = 6;\n ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,\n &(state->next), &(state->distbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid distances set\";\n state->mode = BAD;\n break;\n }\n Tracev((stderr, \"inflate: codes ok\\n\"));\n state->mode = LEN;\n /* fallthrough */\n\n case LEN:\n /* use inflate_fast() if we have enough input and output */\n if (have >= 6 && left >= 258) {\n RESTORE();\n if (state->whave < state->wsize)\n state->whave = state->wsize - left;\n inflate_fast(strm, state->wsize);\n LOAD();\n break;\n }\n\n /* get a literal, length, or end-of-block code */\n for (;;) {\n here = state->lencode[BITS(state->lenbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if (here.op && (here.op & 0xf0) == 0) {\n last = here;\n for (;;) {\n here = state->lencode[last.val +\n (BITS(last.bits + last.op) >> last.bits)];\n if ((unsigned)(last.bits + here.bits) <= bits) break;\n PULLBYTE();\n }\n DROPBITS(last.bits);\n }\n DROPBITS(here.bits);\n state->length = (unsigned)here.val;\n\n /* process literal */\n if (here.op == 0) {\n Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?\n \"inflate: literal '%c'\\n\" :\n \"inflate: literal 0x%02x\\n\", here.val));\n ROOM();\n *put++ = (unsigned char)(state->length);\n left--;\n state->mode = LEN;\n break;\n }\n\n /* process end of block */\n if (here.op & 32) {\n Tracevv((stderr, \"inflate: end of block\\n\"));\n state->mode = TYPE;\n break;\n }\n\n /* invalid code */\n if (here.op & 64) {\n strm->msg = (char *)\"invalid literal/length code\";\n state->mode = BAD;\n break;\n }\n\n /* length code -- get extra bits, if any */\n state->extra = (unsigned)(here.op) & 15;\n if (state->extra != 0) {\n NEEDBITS(state->extra);\n state->length += BITS(state->extra);\n DROPBITS(state->extra);\n }\n Tracevv((stderr, \"inflate: length %u\\n\", state->length));\n\n /* get distance code */\n for (;;) {\n here = state->distcode[BITS(state->distbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if ((here.op & 0xf0) == 0) {\n last = here;\n for (;;) {\n here = state->distcode[last.val +\n (BITS(last.bits + last.op) >> last.bits)];\n if ((unsigned)(last.bits + here.bits) <= bits) break;\n PULLBYTE();\n }\n DROPBITS(last.bits);\n }\n DROPBITS(here.bits);\n if (here.op & 64) {\n strm->msg = (char *)\"invalid distance code\";\n state->mode = BAD;\n break;\n }\n state->offset = (unsigned)here.val;\n\n /* get distance extra bits, if any */\n state->extra = (unsigned)(here.op) & 15;\n if (state->extra != 0) {\n NEEDBITS(state->extra);\n state->offset += BITS(state->extra);\n DROPBITS(state->extra);\n }\n if (state->offset > state->wsize - (state->whave < state->wsize ?\n left : 0)) {\n strm->msg = (char *)\"invalid distance too far back\";\n state->mode = BAD;\n break;\n }\n Tracevv((stderr, \"inflate: distance %u\\n\", state->offset));\n\n /* copy match from window to output */\n do {\n ROOM();\n copy = state->wsize - state->offset;\n if (copy < left) {\n from = put + copy;\n copy = left - copy;\n }\n else {\n from = put - state->offset;\n copy = left;\n }\n if (copy > state->length) copy = state->length;\n state->length -= copy;\n left -= copy;\n do {\n *put++ = *from++;\n } while (--copy);\n } while (state->length != 0);\n break;\n\n case DONE:\n /* inflate stream terminated properly */\n ret = Z_STREAM_END;\n goto inf_leave;\n\n case BAD:\n ret = Z_DATA_ERROR;\n goto inf_leave;\n\n default:\n /* can't happen, but makes compilers happy */\n ret = Z_STREAM_ERROR;\n goto inf_leave;\n }\n\n /* Write leftover output and return unused input */\n inf_leave:\n if (left < state->wsize) {\n if (out(out_desc, state->window, state->wsize - left) &&\n ret == Z_STREAM_END)\n ret = Z_BUF_ERROR;\n }\n strm->next_in = next;\n strm->avail_in = have;\n return ret;\n}\n\nint ZEXPORT inflateBackEnd(z_streamp strm) {\n if (strm == Z_NULL || strm->state == Z_NULL || strm->zfree == (free_func)0)\n return Z_STREAM_ERROR;\n ZFREE(strm, strm->state);\n strm->state = Z_NULL;\n Tracev((stderr, \"inflate: end\\n\"));\n return Z_OK;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffast.c", "content": "/* inffast.c -- fast decoding\n * Copyright (C) 1995-2017 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"zutil.h\"\n#include \"inftrees.h\"\n#include \"inflate.h\"\n#include \"inffast.h\"\n\n#ifdef ASMINF\n# pragma message(\"Assembler code may have bugs -- use at your own risk\")\n#else\n\n/*\n Decode literal, length, and distance codes and write out the resulting\n literal and match bytes until either not enough input or output is\n available, an end-of-block is encountered, or a data error is encountered.\n When large enough input and output buffers are supplied to inflate(), for\n example, a 16K input buffer and a 64K output buffer, more than 95% of the\n inflate execution time is spent in this routine.\n\n Entry assumptions:\n\n state->mode == LEN\n strm->avail_in >= 6\n strm->avail_out >= 258\n start >= strm->avail_out\n state->bits < 8\n\n On return, state->mode is one of:\n\n LEN -- ran out of enough output space or enough available input\n TYPE -- reached end of block code, inflate() to interpret next block\n BAD -- error in block data\n\n Notes:\n\n - The maximum input bits used by a length/distance pair is 15 bits for the\n length code, 5 bits for the length extra, 15 bits for the distance code,\n and 13 bits for the distance extra. This totals 48 bits, or six bytes.\n Therefore if strm->avail_in >= 6, then there is enough input to avoid\n checking for available input while decoding.\n\n - The maximum bytes that a single length/distance pair can output is 258\n bytes, which is the maximum length that can be coded. inflate_fast()\n requires strm->avail_out >= 258 for each loop to avoid checking for\n output space.\n */\nvoid ZLIB_INTERNAL inflate_fast(z_streamp strm, unsigned start) {\n struct inflate_state FAR *state;\n z_const unsigned char FAR *in; /* local strm->next_in */\n z_const unsigned char FAR *last; /* have enough input while in < last */\n unsigned char FAR *out; /* local strm->next_out */\n unsigned char FAR *beg; /* inflate()'s initial strm->next_out */\n unsigned char FAR *end; /* while out < end, enough space available */\n#ifdef INFLATE_STRICT\n unsigned dmax; /* maximum distance from zlib header */\n#endif\n unsigned wsize; /* window size or zero if not using window */\n unsigned whave; /* valid bytes in the window */\n unsigned wnext; /* window write index */\n unsigned char FAR *window; /* allocated sliding window, if wsize != 0 */\n unsigned long hold; /* local strm->hold */\n unsigned bits; /* local strm->bits */\n code const FAR *lcode; /* local strm->lencode */\n code const FAR *dcode; /* local strm->distcode */\n unsigned lmask; /* mask for first level of length codes */\n unsigned dmask; /* mask for first level of distance codes */\n code const *here; /* retrieved table entry */\n unsigned op; /* code bits, operation, extra bits, or */\n /* window position, window bytes to copy */\n unsigned len; /* match length, unused bytes */\n unsigned dist; /* match distance */\n unsigned char FAR *from; /* where to copy match from */\n\n /* copy state to local variables */\n state = (struct inflate_state FAR *)strm->state;\n in = strm->next_in;\n last = in + (strm->avail_in - 5);\n out = strm->next_out;\n beg = out - (start - strm->avail_out);\n end = out + (strm->avail_out - 257);\n#ifdef INFLATE_STRICT\n dmax = state->dmax;\n#endif\n wsize = state->wsize;\n whave = state->whave;\n wnext = state->wnext;\n window = state->window;\n hold = state->hold;\n bits = state->bits;\n lcode = state->lencode;\n dcode = state->distcode;\n lmask = (1U << state->lenbits) - 1;\n dmask = (1U << state->distbits) - 1;\n\n /* decode literals and length/distances until end-of-block or not enough\n input data or output space */\n do {\n if (bits < 15) {\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n }\n here = lcode + (hold & lmask);\n dolen:\n op = (unsigned)(here->bits);\n hold >>= op;\n bits -= op;\n op = (unsigned)(here->op);\n if (op == 0) { /* literal */\n Tracevv((stderr, here->val >= 0x20 && here->val < 0x7f ?\n \"inflate: literal '%c'\\n\" :\n \"inflate: literal 0x%02x\\n\", here->val));\n *out++ = (unsigned char)(here->val);\n }\n else if (op & 16) { /* length base */\n len = (unsigned)(here->val);\n op &= 15; /* number of extra bits */\n if (op) {\n if (bits < op) {\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n }\n len += (unsigned)hold & ((1U << op) - 1);\n hold >>= op;\n bits -= op;\n }\n Tracevv((stderr, \"inflate: length %u\\n\", len));\n if (bits < 15) {\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n }\n here = dcode + (hold & dmask);\n dodist:\n op = (unsigned)(here->bits);\n hold >>= op;\n bits -= op;\n op = (unsigned)(here->op);\n if (op & 16) { /* distance base */\n dist = (unsigned)(here->val);\n op &= 15; /* number of extra bits */\n if (bits < op) {\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n if (bits < op) {\n hold += (unsigned long)(*in++) << bits;\n bits += 8;\n }\n }\n dist += (unsigned)hold & ((1U << op) - 1);\n#ifdef INFLATE_STRICT\n if (dist > dmax) {\n strm->msg = (char *)\"invalid distance too far back\";\n state->mode = BAD;\n break;\n }\n#endif\n hold >>= op;\n bits -= op;\n Tracevv((stderr, \"inflate: distance %u\\n\", dist));\n op = (unsigned)(out - beg); /* max distance in output */\n if (dist > op) { /* see if copy from window */\n op = dist - op; /* distance back in window */\n if (op > whave) {\n if (state->sane) {\n strm->msg =\n (char *)\"invalid distance too far back\";\n state->mode = BAD;\n break;\n }\n#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR\n if (len <= op - whave) {\n do {\n *out++ = 0;\n } while (--len);\n continue;\n }\n len -= op - whave;\n do {\n *out++ = 0;\n } while (--op > whave);\n if (op == 0) {\n from = out - dist;\n do {\n *out++ = *from++;\n } while (--len);\n continue;\n }\n#endif\n }\n from = window;\n if (wnext == 0) { /* very common case */\n from += wsize - op;\n if (op < len) { /* some from window */\n len -= op;\n do {\n *out++ = *from++;\n } while (--op);\n from = out - dist; /* rest from output */\n }\n }\n else if (wnext < op) { /* wrap around window */\n from += wsize + wnext - op;\n op -= wnext;\n if (op < len) { /* some from end of window */\n len -= op;\n do {\n *out++ = *from++;\n } while (--op);\n from = window;\n if (wnext < len) { /* some from start of window */\n op = wnext;\n len -= op;\n do {\n *out++ = *from++;\n } while (--op);\n from = out - dist; /* rest from output */\n }\n }\n }\n else { /* contiguous in window */\n from += wnext - op;\n if (op < len) { /* some from window */\n len -= op;\n do {\n *out++ = *from++;\n } while (--op);\n from = out - dist; /* rest from output */\n }\n }\n while (len > 2) {\n *out++ = *from++;\n *out++ = *from++;\n *out++ = *from++;\n len -= 3;\n }\n if (len) {\n *out++ = *from++;\n if (len > 1)\n *out++ = *from++;\n }\n }\n else {\n from = out - dist; /* copy direct from output */\n do { /* minimum length is three */\n *out++ = *from++;\n *out++ = *from++;\n *out++ = *from++;\n len -= 3;\n } while (len > 2);\n if (len) {\n *out++ = *from++;\n if (len > 1)\n *out++ = *from++;\n }\n }\n }\n else if ((op & 64) == 0) { /* 2nd level distance code */\n here = dcode + here->val + (hold & ((1U << op) - 1));\n goto dodist;\n }\n else {\n strm->msg = (char *)\"invalid distance code\";\n state->mode = BAD;\n break;\n }\n }\n else if ((op & 64) == 0) { /* 2nd level length code */\n here = lcode + here->val + (hold & ((1U << op) - 1));\n goto dolen;\n }\n else if (op & 32) { /* end-of-block */\n Tracevv((stderr, \"inflate: end of block\\n\"));\n state->mode = TYPE;\n break;\n }\n else {\n strm->msg = (char *)\"invalid literal/length code\";\n state->mode = BAD;\n break;\n }\n } while (in < last && out < end);\n\n /* return unused bytes (on entry, bits < 8, so in won't go too far back) */\n len = bits >> 3;\n in -= len;\n bits -= len << 3;\n hold &= (1U << bits) - 1;\n\n /* update state and return */\n strm->next_in = in;\n strm->next_out = out;\n strm->avail_in = (unsigned)(in < last ? 5 + (last - in) : 5 - (in - last));\n strm->avail_out = (unsigned)(out < end ?\n 257 + (end - out) : 257 - (out - end));\n state->hold = hold;\n state->bits = bits;\n return;\n}\n\n/*\n inflate_fast() speedups that turned out slower (on a PowerPC G3 750CXe):\n - Using bit fields for code structure\n - Different op definition to avoid & for extra bits (do & for table bits)\n - Three separate decoding do-loops for direct, window, and wnext == 0\n - Special case for distance > 1 copies to do overlapped load and store copy\n - Explicit branch predictions (based on measured branch probabilities)\n - Deferring match copy and interspersed it with decoding subsequent codes\n - Swapping literal/length else\n - Swapping window/direct else\n - Larger unrolled copy loops (three is about right)\n - Moving len -= 3 statement into middle of loop\n */\n\n#endif /* !ASMINF */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffast.h", "content": "/* inffast.h -- header to use inffast.c\n * Copyright (C) 1995-2003, 2010 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* WARNING: this file should *not* be used by applications. It is\n part of the implementation of the compression library and is\n subject to change. Applications should only use zlib.h.\n */\n\nvoid ZLIB_INTERNAL inflate_fast(z_streamp strm, unsigned start);\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inffixed.h", "content": " /* inffixed.h -- table for decoding fixed codes\n * Generated automatically by makefixed().\n */\n\n /* WARNING: this file should *not* be used by applications.\n It is part of the implementation of this library and is\n subject to change. Applications should only use zlib.h.\n */\n\n static const code lenfix[512] = {\n {96,7,0},{0,8,80},{0,8,16},{20,8,115},{18,7,31},{0,8,112},{0,8,48},\n {0,9,192},{16,7,10},{0,8,96},{0,8,32},{0,9,160},{0,8,0},{0,8,128},\n {0,8,64},{0,9,224},{16,7,6},{0,8,88},{0,8,24},{0,9,144},{19,7,59},\n {0,8,120},{0,8,56},{0,9,208},{17,7,17},{0,8,104},{0,8,40},{0,9,176},\n {0,8,8},{0,8,136},{0,8,72},{0,9,240},{16,7,4},{0,8,84},{0,8,20},\n {21,8,227},{19,7,43},{0,8,116},{0,8,52},{0,9,200},{17,7,13},{0,8,100},\n {0,8,36},{0,9,168},{0,8,4},{0,8,132},{0,8,68},{0,9,232},{16,7,8},\n {0,8,92},{0,8,28},{0,9,152},{20,7,83},{0,8,124},{0,8,60},{0,9,216},\n {18,7,23},{0,8,108},{0,8,44},{0,9,184},{0,8,12},{0,8,140},{0,8,76},\n {0,9,248},{16,7,3},{0,8,82},{0,8,18},{21,8,163},{19,7,35},{0,8,114},\n {0,8,50},{0,9,196},{17,7,11},{0,8,98},{0,8,34},{0,9,164},{0,8,2},\n {0,8,130},{0,8,66},{0,9,228},{16,7,7},{0,8,90},{0,8,26},{0,9,148},\n {20,7,67},{0,8,122},{0,8,58},{0,9,212},{18,7,19},{0,8,106},{0,8,42},\n {0,9,180},{0,8,10},{0,8,138},{0,8,74},{0,9,244},{16,7,5},{0,8,86},\n {0,8,22},{64,8,0},{19,7,51},{0,8,118},{0,8,54},{0,9,204},{17,7,15},\n {0,8,102},{0,8,38},{0,9,172},{0,8,6},{0,8,134},{0,8,70},{0,9,236},\n {16,7,9},{0,8,94},{0,8,30},{0,9,156},{20,7,99},{0,8,126},{0,8,62},\n {0,9,220},{18,7,27},{0,8,110},{0,8,46},{0,9,188},{0,8,14},{0,8,142},\n {0,8,78},{0,9,252},{96,7,0},{0,8,81},{0,8,17},{21,8,131},{18,7,31},\n {0,8,113},{0,8,49},{0,9,194},{16,7,10},{0,8,97},{0,8,33},{0,9,162},\n {0,8,1},{0,8,129},{0,8,65},{0,9,226},{16,7,6},{0,8,89},{0,8,25},\n {0,9,146},{19,7,59},{0,8,121},{0,8,57},{0,9,210},{17,7,17},{0,8,105},\n {0,8,41},{0,9,178},{0,8,9},{0,8,137},{0,8,73},{0,9,242},{16,7,4},\n {0,8,85},{0,8,21},{16,8,258},{19,7,43},{0,8,117},{0,8,53},{0,9,202},\n {17,7,13},{0,8,101},{0,8,37},{0,9,170},{0,8,5},{0,8,133},{0,8,69},\n {0,9,234},{16,7,8},{0,8,93},{0,8,29},{0,9,154},{20,7,83},{0,8,125},\n {0,8,61},{0,9,218},{18,7,23},{0,8,109},{0,8,45},{0,9,186},{0,8,13},\n {0,8,141},{0,8,77},{0,9,250},{16,7,3},{0,8,83},{0,8,19},{21,8,195},\n {19,7,35},{0,8,115},{0,8,51},{0,9,198},{17,7,11},{0,8,99},{0,8,35},\n {0,9,166},{0,8,3},{0,8,131},{0,8,67},{0,9,230},{16,7,7},{0,8,91},\n {0,8,27},{0,9,150},{20,7,67},{0,8,123},{0,8,59},{0,9,214},{18,7,19},\n {0,8,107},{0,8,43},{0,9,182},{0,8,11},{0,8,139},{0,8,75},{0,9,246},\n {16,7,5},{0,8,87},{0,8,23},{64,8,0},{19,7,51},{0,8,119},{0,8,55},\n {0,9,206},{17,7,15},{0,8,103},{0,8,39},{0,9,174},{0,8,7},{0,8,135},\n {0,8,71},{0,9,238},{16,7,9},{0,8,95},{0,8,31},{0,9,158},{20,7,99},\n {0,8,127},{0,8,63},{0,9,222},{18,7,27},{0,8,111},{0,8,47},{0,9,190},\n {0,8,15},{0,8,143},{0,8,79},{0,9,254},{96,7,0},{0,8,80},{0,8,16},\n {20,8,115},{18,7,31},{0,8,112},{0,8,48},{0,9,193},{16,7,10},{0,8,96},\n {0,8,32},{0,9,161},{0,8,0},{0,8,128},{0,8,64},{0,9,225},{16,7,6},\n {0,8,88},{0,8,24},{0,9,145},{19,7,59},{0,8,120},{0,8,56},{0,9,209},\n {17,7,17},{0,8,104},{0,8,40},{0,9,177},{0,8,8},{0,8,136},{0,8,72},\n {0,9,241},{16,7,4},{0,8,84},{0,8,20},{21,8,227},{19,7,43},{0,8,116},\n {0,8,52},{0,9,201},{17,7,13},{0,8,100},{0,8,36},{0,9,169},{0,8,4},\n {0,8,132},{0,8,68},{0,9,233},{16,7,8},{0,8,92},{0,8,28},{0,9,153},\n {20,7,83},{0,8,124},{0,8,60},{0,9,217},{18,7,23},{0,8,108},{0,8,44},\n {0,9,185},{0,8,12},{0,8,140},{0,8,76},{0,9,249},{16,7,3},{0,8,82},\n {0,8,18},{21,8,163},{19,7,35},{0,8,114},{0,8,50},{0,9,197},{17,7,11},\n {0,8,98},{0,8,34},{0,9,165},{0,8,2},{0,8,130},{0,8,66},{0,9,229},\n {16,7,7},{0,8,90},{0,8,26},{0,9,149},{20,7,67},{0,8,122},{0,8,58},\n {0,9,213},{18,7,19},{0,8,106},{0,8,42},{0,9,181},{0,8,10},{0,8,138},\n {0,8,74},{0,9,245},{16,7,5},{0,8,86},{0,8,22},{64,8,0},{19,7,51},\n {0,8,118},{0,8,54},{0,9,205},{17,7,15},{0,8,102},{0,8,38},{0,9,173},\n {0,8,6},{0,8,134},{0,8,70},{0,9,237},{16,7,9},{0,8,94},{0,8,30},\n {0,9,157},{20,7,99},{0,8,126},{0,8,62},{0,9,221},{18,7,27},{0,8,110},\n {0,8,46},{0,9,189},{0,8,14},{0,8,142},{0,8,78},{0,9,253},{96,7,0},\n {0,8,81},{0,8,17},{21,8,131},{18,7,31},{0,8,113},{0,8,49},{0,9,195},\n {16,7,10},{0,8,97},{0,8,33},{0,9,163},{0,8,1},{0,8,129},{0,8,65},\n {0,9,227},{16,7,6},{0,8,89},{0,8,25},{0,9,147},{19,7,59},{0,8,121},\n {0,8,57},{0,9,211},{17,7,17},{0,8,105},{0,8,41},{0,9,179},{0,8,9},\n {0,8,137},{0,8,73},{0,9,243},{16,7,4},{0,8,85},{0,8,21},{16,8,258},\n {19,7,43},{0,8,117},{0,8,53},{0,9,203},{17,7,13},{0,8,101},{0,8,37},\n {0,9,171},{0,8,5},{0,8,133},{0,8,69},{0,9,235},{16,7,8},{0,8,93},\n {0,8,29},{0,9,155},{20,7,83},{0,8,125},{0,8,61},{0,9,219},{18,7,23},\n {0,8,109},{0,8,45},{0,9,187},{0,8,13},{0,8,141},{0,8,77},{0,9,251},\n {16,7,3},{0,8,83},{0,8,19},{21,8,195},{19,7,35},{0,8,115},{0,8,51},\n {0,9,199},{17,7,11},{0,8,99},{0,8,35},{0,9,167},{0,8,3},{0,8,131},\n {0,8,67},{0,9,231},{16,7,7},{0,8,91},{0,8,27},{0,9,151},{20,7,67},\n {0,8,123},{0,8,59},{0,9,215},{18,7,19},{0,8,107},{0,8,43},{0,9,183},\n {0,8,11},{0,8,139},{0,8,75},{0,9,247},{16,7,5},{0,8,87},{0,8,23},\n {64,8,0},{19,7,51},{0,8,119},{0,8,55},{0,9,207},{17,7,15},{0,8,103},\n {0,8,39},{0,9,175},{0,8,7},{0,8,135},{0,8,71},{0,9,239},{16,7,9},\n {0,8,95},{0,8,31},{0,9,159},{20,7,99},{0,8,127},{0,8,63},{0,9,223},\n {18,7,27},{0,8,111},{0,8,47},{0,9,191},{0,8,15},{0,8,143},{0,8,79},\n {0,9,255}\n };\n\n static const code distfix[32] = {\n {16,5,1},{23,5,257},{19,5,17},{27,5,4097},{17,5,5},{25,5,1025},\n {21,5,65},{29,5,16385},{16,5,3},{24,5,513},{20,5,33},{28,5,8193},\n {18,5,9},{26,5,2049},{22,5,129},{64,5,0},{16,5,2},{23,5,385},\n {19,5,25},{27,5,6145},{17,5,7},{25,5,1537},{21,5,97},{29,5,24577},\n {16,5,4},{24,5,769},{20,5,49},{28,5,12289},{18,5,13},{26,5,3073},\n {22,5,193},{64,5,0}\n };\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inflate.c", "content": "/* inflate.c -- zlib decompression\n * Copyright (C) 1995-2022 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/*\n * Change history:\n *\n * 1.2.beta0 24 Nov 2002\n * - First version -- complete rewrite of inflate to simplify code, avoid\n * creation of window when not needed, minimize use of window when it is\n * needed, make inffast.c even faster, implement gzip decoding, and to\n * improve code readability and style over the previous zlib inflate code\n *\n * 1.2.beta1 25 Nov 2002\n * - Use pointers for available input and output checking in inffast.c\n * - Remove input and output counters in inffast.c\n * - Change inffast.c entry and loop from avail_in >= 7 to >= 6\n * - Remove unnecessary second byte pull from length extra in inffast.c\n * - Unroll direct copy to three copies per loop in inffast.c\n *\n * 1.2.beta2 4 Dec 2002\n * - Change external routine names to reduce potential conflicts\n * - Correct filename to inffixed.h for fixed tables in inflate.c\n * - Make hbuf[] unsigned char to match parameter type in inflate.c\n * - Change strm->next_out[-state->offset] to *(strm->next_out - state->offset)\n * to avoid negation problem on Alphas (64 bit) in inflate.c\n *\n * 1.2.beta3 22 Dec 2002\n * - Add comments on state->bits assertion in inffast.c\n * - Add comments on op field in inftrees.h\n * - Fix bug in reuse of allocated window after inflateReset()\n * - Remove bit fields--back to byte structure for speed\n * - Remove distance extra == 0 check in inflate_fast()--only helps for lengths\n * - Change post-increments to pre-increments in inflate_fast(), PPC biased?\n * - Add compile time option, POSTINC, to use post-increments instead (Intel?)\n * - Make MATCH copy in inflate() much faster for when inflate_fast() not used\n * - Use local copies of stream next and avail values, as well as local bit\n * buffer and bit count in inflate()--for speed when inflate_fast() not used\n *\n * 1.2.beta4 1 Jan 2003\n * - Split ptr - 257 statements in inflate_table() to avoid compiler warnings\n * - Move a comment on output buffer sizes from inffast.c to inflate.c\n * - Add comments in inffast.c to introduce the inflate_fast() routine\n * - Rearrange window copies in inflate_fast() for speed and simplification\n * - Unroll last copy for window match in inflate_fast()\n * - Use local copies of window variables in inflate_fast() for speed\n * - Pull out common wnext == 0 case for speed in inflate_fast()\n * - Make op and len in inflate_fast() unsigned for consistency\n * - Add FAR to lcode and dcode declarations in inflate_fast()\n * - Simplified bad distance check in inflate_fast()\n * - Added inflateBackInit(), inflateBack(), and inflateBackEnd() in new\n * source file infback.c to provide a call-back interface to inflate for\n * programs like gzip and unzip -- uses window as output buffer to avoid\n * window copying\n *\n * 1.2.beta5 1 Jan 2003\n * - Improved inflateBack() interface to allow the caller to provide initial\n * input in strm.\n * - Fixed stored blocks bug in inflateBack()\n *\n * 1.2.beta6 4 Jan 2003\n * - Added comments in inffast.c on effectiveness of POSTINC\n * - Typecasting all around to reduce compiler warnings\n * - Changed loops from while (1) or do {} while (1) to for (;;), again to\n * make compilers happy\n * - Changed type of window in inflateBackInit() to unsigned char *\n *\n * 1.2.beta7 27 Jan 2003\n * - Changed many types to unsigned or unsigned short to avoid warnings\n * - Added inflateCopy() function\n *\n * 1.2.0 9 Mar 2003\n * - Changed inflateBack() interface to provide separate opaque descriptors\n * for the in() and out() functions\n * - Changed inflateBack() argument and in_func typedef to swap the length\n * and buffer address return values for the input function\n * - Check next_in and next_out for Z_NULL on entry to inflate()\n *\n * The history for versions after 1.2.0 are in ChangeLog in zlib distribution.\n */\n\n#include \"zutil.h\"\n#include \"inftrees.h\"\n#include \"inflate.h\"\n#include \"inffast.h\"\n\n#ifdef MAKEFIXED\n# ifndef BUILDFIXED\n# define BUILDFIXED\n# endif\n#endif\n\nlocal int inflateStateCheck(z_streamp strm) {\n struct inflate_state FAR *state;\n if (strm == Z_NULL ||\n strm->zalloc == (alloc_func)0 || strm->zfree == (free_func)0)\n return 1;\n state = (struct inflate_state FAR *)strm->state;\n if (state == Z_NULL || state->strm != strm ||\n state->mode < HEAD || state->mode > SYNC)\n return 1;\n return 0;\n}\n\nint ZEXPORT inflateResetKeep(z_streamp strm) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n strm->total_in = strm->total_out = state->total = 0;\n strm->msg = Z_NULL;\n if (state->wrap) /* to support ill-conceived Java test suite */\n strm->adler = state->wrap & 1;\n state->mode = HEAD;\n state->last = 0;\n state->havedict = 0;\n state->flags = -1;\n state->dmax = 32768U;\n state->head = Z_NULL;\n state->hold = 0;\n state->bits = 0;\n state->lencode = state->distcode = state->next = state->codes;\n state->sane = 1;\n state->back = -1;\n Tracev((stderr, \"inflate: reset\\n\"));\n return Z_OK;\n}\n\nint ZEXPORT inflateReset(z_streamp strm) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n state->wsize = 0;\n state->whave = 0;\n state->wnext = 0;\n return inflateResetKeep(strm);\n}\n\nint ZEXPORT inflateReset2(z_streamp strm, int windowBits) {\n int wrap;\n struct inflate_state FAR *state;\n\n /* get the state */\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n\n /* extract wrap request from windowBits parameter */\n if (windowBits < 0) {\n if (windowBits < -15)\n return Z_STREAM_ERROR;\n wrap = 0;\n windowBits = -windowBits;\n }\n else {\n wrap = (windowBits >> 4) + 5;\n#ifdef GUNZIP\n if (windowBits < 48)\n windowBits &= 15;\n#endif\n }\n\n /* set number of window bits, free window if different */\n if (windowBits && (windowBits < 8 || windowBits > 15))\n return Z_STREAM_ERROR;\n if (state->window != Z_NULL && state->wbits != (unsigned)windowBits) {\n ZFREE(strm, state->window);\n state->window = Z_NULL;\n }\n\n /* update state and reset the rest of it */\n state->wrap = wrap;\n state->wbits = (unsigned)windowBits;\n return inflateReset(strm);\n}\n\nint ZEXPORT inflateInit2_(z_streamp strm, int windowBits,\n const char *version, int stream_size) {\n int ret;\n struct inflate_state FAR *state;\n\n if (version == Z_NULL || version[0] != ZLIB_VERSION[0] ||\n stream_size != (int)(sizeof(z_stream)))\n return Z_VERSION_ERROR;\n if (strm == Z_NULL) return Z_STREAM_ERROR;\n strm->msg = Z_NULL; /* in case we return an error */\n if (strm->zalloc == (alloc_func)0) {\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zalloc = zcalloc;\n strm->opaque = (voidpf)0;\n#endif\n }\n if (strm->zfree == (free_func)0)\n#ifdef Z_SOLO\n return Z_STREAM_ERROR;\n#else\n strm->zfree = zcfree;\n#endif\n state = (struct inflate_state FAR *)\n ZALLOC(strm, 1, sizeof(struct inflate_state));\n if (state == Z_NULL) return Z_MEM_ERROR;\n Tracev((stderr, \"inflate: allocated\\n\"));\n strm->state = (struct internal_state FAR *)state;\n state->strm = strm;\n state->window = Z_NULL;\n state->mode = HEAD; /* to pass state test in inflateReset2() */\n ret = inflateReset2(strm, windowBits);\n if (ret != Z_OK) {\n ZFREE(strm, state);\n strm->state = Z_NULL;\n }\n return ret;\n}\n\nint ZEXPORT inflateInit_(z_streamp strm, const char *version,\n int stream_size) {\n return inflateInit2_(strm, DEF_WBITS, version, stream_size);\n}\n\nint ZEXPORT inflatePrime(z_streamp strm, int bits, int value) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n if (bits == 0)\n return Z_OK;\n state = (struct inflate_state FAR *)strm->state;\n if (bits < 0) {\n state->hold = 0;\n state->bits = 0;\n return Z_OK;\n }\n if (bits > 16 || state->bits + (uInt)bits > 32) return Z_STREAM_ERROR;\n value &= (1L << bits) - 1;\n state->hold += (unsigned)value << state->bits;\n state->bits += (uInt)bits;\n return Z_OK;\n}\n\n/*\n Return state with length and distance decoding tables and index sizes set to\n fixed code decoding. Normally this returns fixed tables from inffixed.h.\n If BUILDFIXED is defined, then instead this routine builds the tables the\n first time it's called, and returns those tables the first time and\n thereafter. This reduces the size of the code by about 2K bytes, in\n exchange for a little execution time. However, BUILDFIXED should not be\n used for threaded applications, since the rewriting of the tables and virgin\n may not be thread-safe.\n */\nlocal void fixedtables(struct inflate_state FAR *state) {\n#ifdef BUILDFIXED\n static int virgin = 1;\n static code *lenfix, *distfix;\n static code fixed[544];\n\n /* build fixed huffman tables if first call (may not be thread safe) */\n if (virgin) {\n unsigned sym, bits;\n static code *next;\n\n /* literal/length table */\n sym = 0;\n while (sym < 144) state->lens[sym++] = 8;\n while (sym < 256) state->lens[sym++] = 9;\n while (sym < 280) state->lens[sym++] = 7;\n while (sym < 288) state->lens[sym++] = 8;\n next = fixed;\n lenfix = next;\n bits = 9;\n inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);\n\n /* distance table */\n sym = 0;\n while (sym < 32) state->lens[sym++] = 5;\n distfix = next;\n bits = 5;\n inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);\n\n /* do this just once */\n virgin = 0;\n }\n#else /* !BUILDFIXED */\n# include \"inffixed.h\"\n#endif /* BUILDFIXED */\n state->lencode = lenfix;\n state->lenbits = 9;\n state->distcode = distfix;\n state->distbits = 5;\n}\n\n#ifdef MAKEFIXED\n#include \n\n/*\n Write out the inffixed.h that is #include'd above. Defining MAKEFIXED also\n defines BUILDFIXED, so the tables are built on the fly. makefixed() writes\n those tables to stdout, which would be piped to inffixed.h. A small program\n can simply call makefixed to do this:\n\n void makefixed(void);\n\n int main(void)\n {\n makefixed();\n return 0;\n }\n\n Then that can be linked with zlib built with MAKEFIXED defined and run:\n\n a.out > inffixed.h\n */\nvoid makefixed(void)\n{\n unsigned low, size;\n struct inflate_state state;\n\n fixedtables(&state);\n puts(\" /* inffixed.h -- table for decoding fixed codes\");\n puts(\" * Generated automatically by makefixed().\");\n puts(\" */\");\n puts(\"\");\n puts(\" /* WARNING: this file should *not* be used by applications.\");\n puts(\" It is part of the implementation of this library and is\");\n puts(\" subject to change. Applications should only use zlib.h.\");\n puts(\" */\");\n puts(\"\");\n size = 1U << 9;\n printf(\" static const code lenfix[%u] = {\", size);\n low = 0;\n for (;;) {\n if ((low % 7) == 0) printf(\"\\n \");\n printf(\"{%u,%u,%d}\", (low & 127) == 99 ? 64 : state.lencode[low].op,\n state.lencode[low].bits, state.lencode[low].val);\n if (++low == size) break;\n putchar(',');\n }\n puts(\"\\n };\");\n size = 1U << 5;\n printf(\"\\n static const code distfix[%u] = {\", size);\n low = 0;\n for (;;) {\n if ((low % 6) == 0) printf(\"\\n \");\n printf(\"{%u,%u,%d}\", state.distcode[low].op, state.distcode[low].bits,\n state.distcode[low].val);\n if (++low == size) break;\n putchar(',');\n }\n puts(\"\\n };\");\n}\n#endif /* MAKEFIXED */\n\n/*\n Update the window with the last wsize (normally 32K) bytes written before\n returning. If window does not exist yet, create it. This is only called\n when a window is already in use, or when output has been written during this\n inflate call, but the end of the deflate stream has not been reached yet.\n It is also called to create a window for dictionary data when a dictionary\n is loaded.\n\n Providing output buffers larger than 32K to inflate() should provide a speed\n advantage, since only the last 32K of output is copied to the sliding window\n upon return from inflate(), and since all distances after the first 32K of\n output will fall in the output data, making match copies simpler and faster.\n The advantage may be dependent on the size of the processor's data caches.\n */\nlocal int updatewindow(z_streamp strm, const Bytef *end, unsigned copy) {\n struct inflate_state FAR *state;\n unsigned dist;\n\n state = (struct inflate_state FAR *)strm->state;\n\n /* if it hasn't been done already, allocate space for the window */\n if (state->window == Z_NULL) {\n state->window = (unsigned char FAR *)\n ZALLOC(strm, 1U << state->wbits,\n sizeof(unsigned char));\n if (state->window == Z_NULL) return 1;\n }\n\n /* if window not in use yet, initialize */\n if (state->wsize == 0) {\n state->wsize = 1U << state->wbits;\n state->wnext = 0;\n state->whave = 0;\n }\n\n /* copy state->wsize or less output bytes into the circular window */\n if (copy >= state->wsize) {\n zmemcpy(state->window, end - state->wsize, state->wsize);\n state->wnext = 0;\n state->whave = state->wsize;\n }\n else {\n dist = state->wsize - state->wnext;\n if (dist > copy) dist = copy;\n zmemcpy(state->window + state->wnext, end - copy, dist);\n copy -= dist;\n if (copy) {\n zmemcpy(state->window, end - copy, copy);\n state->wnext = copy;\n state->whave = state->wsize;\n }\n else {\n state->wnext += dist;\n if (state->wnext == state->wsize) state->wnext = 0;\n if (state->whave < state->wsize) state->whave += dist;\n }\n }\n return 0;\n}\n\n/* Macros for inflate(): */\n\n/* check function to use adler32() for zlib or crc32() for gzip */\n#ifdef GUNZIP\n# define UPDATE_CHECK(check, buf, len) \\\n (state->flags ? crc32(check, buf, len) : adler32(check, buf, len))\n#else\n# define UPDATE_CHECK(check, buf, len) adler32(check, buf, len)\n#endif\n\n/* check macros for header crc */\n#ifdef GUNZIP\n# define CRC2(check, word) \\\n do { \\\n hbuf[0] = (unsigned char)(word); \\\n hbuf[1] = (unsigned char)((word) >> 8); \\\n check = crc32(check, hbuf, 2); \\\n } while (0)\n\n# define CRC4(check, word) \\\n do { \\\n hbuf[0] = (unsigned char)(word); \\\n hbuf[1] = (unsigned char)((word) >> 8); \\\n hbuf[2] = (unsigned char)((word) >> 16); \\\n hbuf[3] = (unsigned char)((word) >> 24); \\\n check = crc32(check, hbuf, 4); \\\n } while (0)\n#endif\n\n/* Load registers with state in inflate() for speed */\n#define LOAD() \\\n do { \\\n put = strm->next_out; \\\n left = strm->avail_out; \\\n next = strm->next_in; \\\n have = strm->avail_in; \\\n hold = state->hold; \\\n bits = state->bits; \\\n } while (0)\n\n/* Restore state from registers in inflate() */\n#define RESTORE() \\\n do { \\\n strm->next_out = put; \\\n strm->avail_out = left; \\\n strm->next_in = next; \\\n strm->avail_in = have; \\\n state->hold = hold; \\\n state->bits = bits; \\\n } while (0)\n\n/* Clear the input bit accumulator */\n#define INITBITS() \\\n do { \\\n hold = 0; \\\n bits = 0; \\\n } while (0)\n\n/* Get a byte of input into the bit accumulator, or return from inflate()\n if there is no input available. */\n#define PULLBYTE() \\\n do { \\\n if (have == 0) goto inf_leave; \\\n have--; \\\n hold += (unsigned long)(*next++) << bits; \\\n bits += 8; \\\n } while (0)\n\n/* Assure that there are at least n bits in the bit accumulator. If there is\n not enough available input to do that, then return from inflate(). */\n#define NEEDBITS(n) \\\n do { \\\n while (bits < (unsigned)(n)) \\\n PULLBYTE(); \\\n } while (0)\n\n/* Return the low n bits of the bit accumulator (n < 16) */\n#define BITS(n) \\\n ((unsigned)hold & ((1U << (n)) - 1))\n\n/* Remove n bits from the bit accumulator */\n#define DROPBITS(n) \\\n do { \\\n hold >>= (n); \\\n bits -= (unsigned)(n); \\\n } while (0)\n\n/* Remove zero to seven bits as needed to go to a byte boundary */\n#define BYTEBITS() \\\n do { \\\n hold >>= bits & 7; \\\n bits -= bits & 7; \\\n } while (0)\n\n/*\n inflate() uses a state machine to process as much input data and generate as\n much output data as possible before returning. The state machine is\n structured roughly as follows:\n\n for (;;) switch (state) {\n ...\n case STATEn:\n if (not enough input data or output space to make progress)\n return;\n ... make progress ...\n state = STATEm;\n break;\n ...\n }\n\n so when inflate() is called again, the same case is attempted again, and\n if the appropriate resources are provided, the machine proceeds to the\n next state. The NEEDBITS() macro is usually the way the state evaluates\n whether it can proceed or should return. NEEDBITS() does the return if\n the requested bits are not available. The typical use of the BITS macros\n is:\n\n NEEDBITS(n);\n ... do something with BITS(n) ...\n DROPBITS(n);\n\n where NEEDBITS(n) either returns from inflate() if there isn't enough\n input left to load n bits into the accumulator, or it continues. BITS(n)\n gives the low n bits in the accumulator. When done, DROPBITS(n) drops\n the low n bits off the accumulator. INITBITS() clears the accumulator\n and sets the number of available bits to zero. BYTEBITS() discards just\n enough bits to put the accumulator on a byte boundary. After BYTEBITS()\n and a NEEDBITS(8), then BITS(8) would return the next byte in the stream.\n\n NEEDBITS(n) uses PULLBYTE() to get an available byte of input, or to return\n if there is no input available. The decoding of variable length codes uses\n PULLBYTE() directly in order to pull just enough bytes to decode the next\n code, and no more.\n\n Some states loop until they get enough input, making sure that enough\n state information is maintained to continue the loop where it left off\n if NEEDBITS() returns in the loop. For example, want, need, and keep\n would all have to actually be part of the saved state in case NEEDBITS()\n returns:\n\n case STATEw:\n while (want < need) {\n NEEDBITS(n);\n keep[want++] = BITS(n);\n DROPBITS(n);\n }\n state = STATEx;\n case STATEx:\n\n As shown above, if the next state is also the next case, then the break\n is omitted.\n\n A state may also return if there is not enough output space available to\n complete that state. Those states are copying stored data, writing a\n literal byte, and copying a matching string.\n\n When returning, a \"goto inf_leave\" is used to update the total counters,\n update the check value, and determine whether any progress has been made\n during that inflate() call in order to return the proper return code.\n Progress is defined as a change in either strm->avail_in or strm->avail_out.\n When there is a window, goto inf_leave will update the window with the last\n output written. If a goto inf_leave occurs in the middle of decompression\n and there is no window currently, goto inf_leave will create one and copy\n output to the window for the next call of inflate().\n\n In this implementation, the flush parameter of inflate() only affects the\n return code (per zlib.h). inflate() always writes as much as possible to\n strm->next_out, given the space available and the provided input--the effect\n documented in zlib.h of Z_SYNC_FLUSH. Furthermore, inflate() always defers\n the allocation of and copying into a sliding window until necessary, which\n provides the effect documented in zlib.h for Z_FINISH when the entire input\n stream available. So the only thing the flush parameter actually does is:\n when flush is set to Z_FINISH, inflate() cannot return Z_OK. Instead it\n will return Z_BUF_ERROR if it has not reached the end of the stream.\n */\n\nint ZEXPORT inflate(z_streamp strm, int flush) {\n struct inflate_state FAR *state;\n z_const unsigned char FAR *next; /* next input */\n unsigned char FAR *put; /* next output */\n unsigned have, left; /* available input and output */\n unsigned long hold; /* bit buffer */\n unsigned bits; /* bits in bit buffer */\n unsigned in, out; /* save starting available input and output */\n unsigned copy; /* number of stored or match bytes to copy */\n unsigned char FAR *from; /* where to copy match bytes from */\n code here; /* current decoding table entry */\n code last; /* parent table entry */\n unsigned len; /* length to copy for repeats, bits to drop */\n int ret; /* return code */\n#ifdef GUNZIP\n unsigned char hbuf[4]; /* buffer for gzip header crc calculation */\n#endif\n static const unsigned short order[19] = /* permutation of code lengths */\n {16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15};\n\n if (inflateStateCheck(strm) || strm->next_out == Z_NULL ||\n (strm->next_in == Z_NULL && strm->avail_in != 0))\n return Z_STREAM_ERROR;\n\n state = (struct inflate_state FAR *)strm->state;\n if (state->mode == TYPE) state->mode = TYPEDO; /* skip check */\n LOAD();\n in = have;\n out = left;\n ret = Z_OK;\n for (;;)\n switch (state->mode) {\n case HEAD:\n if (state->wrap == 0) {\n state->mode = TYPEDO;\n break;\n }\n NEEDBITS(16);\n#ifdef GUNZIP\n if ((state->wrap & 2) && hold == 0x8b1f) { /* gzip header */\n if (state->wbits == 0)\n state->wbits = 15;\n state->check = crc32(0L, Z_NULL, 0);\n CRC2(state->check, hold);\n INITBITS();\n state->mode = FLAGS;\n break;\n }\n if (state->head != Z_NULL)\n state->head->done = -1;\n if (!(state->wrap & 1) || /* check if zlib header allowed */\n#else\n if (\n#endif\n ((BITS(8) << 8) + (hold >> 8)) % 31) {\n strm->msg = (char *)\"incorrect header check\";\n state->mode = BAD;\n break;\n }\n if (BITS(4) != Z_DEFLATED) {\n strm->msg = (char *)\"unknown compression method\";\n state->mode = BAD;\n break;\n }\n DROPBITS(4);\n len = BITS(4) + 8;\n if (state->wbits == 0)\n state->wbits = len;\n if (len > 15 || len > state->wbits) {\n strm->msg = (char *)\"invalid window size\";\n state->mode = BAD;\n break;\n }\n state->dmax = 1U << len;\n state->flags = 0; /* indicate zlib header */\n Tracev((stderr, \"inflate: zlib header ok\\n\"));\n strm->adler = state->check = adler32(0L, Z_NULL, 0);\n state->mode = hold & 0x200 ? DICTID : TYPE;\n INITBITS();\n break;\n#ifdef GUNZIP\n case FLAGS:\n NEEDBITS(16);\n state->flags = (int)(hold);\n if ((state->flags & 0xff) != Z_DEFLATED) {\n strm->msg = (char *)\"unknown compression method\";\n state->mode = BAD;\n break;\n }\n if (state->flags & 0xe000) {\n strm->msg = (char *)\"unknown header flags set\";\n state->mode = BAD;\n break;\n }\n if (state->head != Z_NULL)\n state->head->text = (int)((hold >> 8) & 1);\n if ((state->flags & 0x0200) && (state->wrap & 4))\n CRC2(state->check, hold);\n INITBITS();\n state->mode = TIME;\n /* fallthrough */\n case TIME:\n NEEDBITS(32);\n if (state->head != Z_NULL)\n state->head->time = hold;\n if ((state->flags & 0x0200) && (state->wrap & 4))\n CRC4(state->check, hold);\n INITBITS();\n state->mode = OS;\n /* fallthrough */\n case OS:\n NEEDBITS(16);\n if (state->head != Z_NULL) {\n state->head->xflags = (int)(hold & 0xff);\n state->head->os = (int)(hold >> 8);\n }\n if ((state->flags & 0x0200) && (state->wrap & 4))\n CRC2(state->check, hold);\n INITBITS();\n state->mode = EXLEN;\n /* fallthrough */\n case EXLEN:\n if (state->flags & 0x0400) {\n NEEDBITS(16);\n state->length = (unsigned)(hold);\n if (state->head != Z_NULL)\n state->head->extra_len = (unsigned)hold;\n if ((state->flags & 0x0200) && (state->wrap & 4))\n CRC2(state->check, hold);\n INITBITS();\n }\n else if (state->head != Z_NULL)\n state->head->extra = Z_NULL;\n state->mode = EXTRA;\n /* fallthrough */\n case EXTRA:\n if (state->flags & 0x0400) {\n copy = state->length;\n if (copy > have) copy = have;\n if (copy) {\n if (state->head != Z_NULL &&\n state->head->extra != Z_NULL &&\n (len = state->head->extra_len - state->length) <\n state->head->extra_max) {\n zmemcpy(state->head->extra + len, next,\n len + copy > state->head->extra_max ?\n state->head->extra_max - len : copy);\n }\n if ((state->flags & 0x0200) && (state->wrap & 4))\n state->check = crc32(state->check, next, copy);\n have -= copy;\n next += copy;\n state->length -= copy;\n }\n if (state->length) goto inf_leave;\n }\n state->length = 0;\n state->mode = NAME;\n /* fallthrough */\n case NAME:\n if (state->flags & 0x0800) {\n if (have == 0) goto inf_leave;\n copy = 0;\n do {\n len = (unsigned)(next[copy++]);\n if (state->head != Z_NULL &&\n state->head->name != Z_NULL &&\n state->length < state->head->name_max)\n state->head->name[state->length++] = (Bytef)len;\n } while (len && copy < have);\n if ((state->flags & 0x0200) && (state->wrap & 4))\n state->check = crc32(state->check, next, copy);\n have -= copy;\n next += copy;\n if (len) goto inf_leave;\n }\n else if (state->head != Z_NULL)\n state->head->name = Z_NULL;\n state->length = 0;\n state->mode = COMMENT;\n /* fallthrough */\n case COMMENT:\n if (state->flags & 0x1000) {\n if (have == 0) goto inf_leave;\n copy = 0;\n do {\n len = (unsigned)(next[copy++]);\n if (state->head != Z_NULL &&\n state->head->comment != Z_NULL &&\n state->length < state->head->comm_max)\n state->head->comment[state->length++] = (Bytef)len;\n } while (len && copy < have);\n if ((state->flags & 0x0200) && (state->wrap & 4))\n state->check = crc32(state->check, next, copy);\n have -= copy;\n next += copy;\n if (len) goto inf_leave;\n }\n else if (state->head != Z_NULL)\n state->head->comment = Z_NULL;\n state->mode = HCRC;\n /* fallthrough */\n case HCRC:\n if (state->flags & 0x0200) {\n NEEDBITS(16);\n if ((state->wrap & 4) && hold != (state->check & 0xffff)) {\n strm->msg = (char *)\"header crc mismatch\";\n state->mode = BAD;\n break;\n }\n INITBITS();\n }\n if (state->head != Z_NULL) {\n state->head->hcrc = (int)((state->flags >> 9) & 1);\n state->head->done = 1;\n }\n strm->adler = state->check = crc32(0L, Z_NULL, 0);\n state->mode = TYPE;\n break;\n#endif\n case DICTID:\n NEEDBITS(32);\n strm->adler = state->check = ZSWAP32(hold);\n INITBITS();\n state->mode = DICT;\n /* fallthrough */\n case DICT:\n if (state->havedict == 0) {\n RESTORE();\n return Z_NEED_DICT;\n }\n strm->adler = state->check = adler32(0L, Z_NULL, 0);\n state->mode = TYPE;\n /* fallthrough */\n case TYPE:\n if (flush == Z_BLOCK || flush == Z_TREES) goto inf_leave;\n /* fallthrough */\n case TYPEDO:\n if (state->last) {\n BYTEBITS();\n state->mode = CHECK;\n break;\n }\n NEEDBITS(3);\n state->last = BITS(1);\n DROPBITS(1);\n switch (BITS(2)) {\n case 0: /* stored block */\n Tracev((stderr, \"inflate: stored block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = STORED;\n break;\n case 1: /* fixed block */\n fixedtables(state);\n Tracev((stderr, \"inflate: fixed codes block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = LEN_; /* decode codes */\n if (flush == Z_TREES) {\n DROPBITS(2);\n goto inf_leave;\n }\n break;\n case 2: /* dynamic block */\n Tracev((stderr, \"inflate: dynamic codes block%s\\n\",\n state->last ? \" (last)\" : \"\"));\n state->mode = TABLE;\n break;\n case 3:\n strm->msg = (char *)\"invalid block type\";\n state->mode = BAD;\n }\n DROPBITS(2);\n break;\n case STORED:\n BYTEBITS(); /* go to byte boundary */\n NEEDBITS(32);\n if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) {\n strm->msg = (char *)\"invalid stored block lengths\";\n state->mode = BAD;\n break;\n }\n state->length = (unsigned)hold & 0xffff;\n Tracev((stderr, \"inflate: stored length %u\\n\",\n state->length));\n INITBITS();\n state->mode = COPY_;\n if (flush == Z_TREES) goto inf_leave;\n /* fallthrough */\n case COPY_:\n state->mode = COPY;\n /* fallthrough */\n case COPY:\n copy = state->length;\n if (copy) {\n if (copy > have) copy = have;\n if (copy > left) copy = left;\n if (copy == 0) goto inf_leave;\n zmemcpy(put, next, copy);\n have -= copy;\n next += copy;\n left -= copy;\n put += copy;\n state->length -= copy;\n break;\n }\n Tracev((stderr, \"inflate: stored end\\n\"));\n state->mode = TYPE;\n break;\n case TABLE:\n NEEDBITS(14);\n state->nlen = BITS(5) + 257;\n DROPBITS(5);\n state->ndist = BITS(5) + 1;\n DROPBITS(5);\n state->ncode = BITS(4) + 4;\n DROPBITS(4);\n#ifndef PKZIP_BUG_WORKAROUND\n if (state->nlen > 286 || state->ndist > 30) {\n strm->msg = (char *)\"too many length or distance symbols\";\n state->mode = BAD;\n break;\n }\n#endif\n Tracev((stderr, \"inflate: table sizes ok\\n\"));\n state->have = 0;\n state->mode = LENLENS;\n /* fallthrough */\n case LENLENS:\n while (state->have < state->ncode) {\n NEEDBITS(3);\n state->lens[order[state->have++]] = (unsigned short)BITS(3);\n DROPBITS(3);\n }\n while (state->have < 19)\n state->lens[order[state->have++]] = 0;\n state->next = state->codes;\n state->lencode = (const code FAR *)(state->next);\n state->lenbits = 7;\n ret = inflate_table(CODES, state->lens, 19, &(state->next),\n &(state->lenbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid code lengths set\";\n state->mode = BAD;\n break;\n }\n Tracev((stderr, \"inflate: code lengths ok\\n\"));\n state->have = 0;\n state->mode = CODELENS;\n /* fallthrough */\n case CODELENS:\n while (state->have < state->nlen + state->ndist) {\n for (;;) {\n here = state->lencode[BITS(state->lenbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if (here.val < 16) {\n DROPBITS(here.bits);\n state->lens[state->have++] = here.val;\n }\n else {\n if (here.val == 16) {\n NEEDBITS(here.bits + 2);\n DROPBITS(here.bits);\n if (state->have == 0) {\n strm->msg = (char *)\"invalid bit length repeat\";\n state->mode = BAD;\n break;\n }\n len = state->lens[state->have - 1];\n copy = 3 + BITS(2);\n DROPBITS(2);\n }\n else if (here.val == 17) {\n NEEDBITS(here.bits + 3);\n DROPBITS(here.bits);\n len = 0;\n copy = 3 + BITS(3);\n DROPBITS(3);\n }\n else {\n NEEDBITS(here.bits + 7);\n DROPBITS(here.bits);\n len = 0;\n copy = 11 + BITS(7);\n DROPBITS(7);\n }\n if (state->have + copy > state->nlen + state->ndist) {\n strm->msg = (char *)\"invalid bit length repeat\";\n state->mode = BAD;\n break;\n }\n while (copy--)\n state->lens[state->have++] = (unsigned short)len;\n }\n }\n\n /* handle error breaks in while */\n if (state->mode == BAD) break;\n\n /* check for end-of-block code (better have one) */\n if (state->lens[256] == 0) {\n strm->msg = (char *)\"invalid code -- missing end-of-block\";\n state->mode = BAD;\n break;\n }\n\n /* build code tables -- note: do not change the lenbits or distbits\n values here (9 and 6) without reading the comments in inftrees.h\n concerning the ENOUGH constants, which depend on those values */\n state->next = state->codes;\n state->lencode = (const code FAR *)(state->next);\n state->lenbits = 9;\n ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),\n &(state->lenbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid literal/lengths set\";\n state->mode = BAD;\n break;\n }\n state->distcode = (const code FAR *)(state->next);\n state->distbits = 6;\n ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,\n &(state->next), &(state->distbits), state->work);\n if (ret) {\n strm->msg = (char *)\"invalid distances set\";\n state->mode = BAD;\n break;\n }\n Tracev((stderr, \"inflate: codes ok\\n\"));\n state->mode = LEN_;\n if (flush == Z_TREES) goto inf_leave;\n /* fallthrough */\n case LEN_:\n state->mode = LEN;\n /* fallthrough */\n case LEN:\n if (have >= 6 && left >= 258) {\n RESTORE();\n inflate_fast(strm, out);\n LOAD();\n if (state->mode == TYPE)\n state->back = -1;\n break;\n }\n state->back = 0;\n for (;;) {\n here = state->lencode[BITS(state->lenbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if (here.op && (here.op & 0xf0) == 0) {\n last = here;\n for (;;) {\n here = state->lencode[last.val +\n (BITS(last.bits + last.op) >> last.bits)];\n if ((unsigned)(last.bits + here.bits) <= bits) break;\n PULLBYTE();\n }\n DROPBITS(last.bits);\n state->back += last.bits;\n }\n DROPBITS(here.bits);\n state->back += here.bits;\n state->length = (unsigned)here.val;\n if ((int)(here.op) == 0) {\n Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?\n \"inflate: literal '%c'\\n\" :\n \"inflate: literal 0x%02x\\n\", here.val));\n state->mode = LIT;\n break;\n }\n if (here.op & 32) {\n Tracevv((stderr, \"inflate: end of block\\n\"));\n state->back = -1;\n state->mode = TYPE;\n break;\n }\n if (here.op & 64) {\n strm->msg = (char *)\"invalid literal/length code\";\n state->mode = BAD;\n break;\n }\n state->extra = (unsigned)(here.op) & 15;\n state->mode = LENEXT;\n /* fallthrough */\n case LENEXT:\n if (state->extra) {\n NEEDBITS(state->extra);\n state->length += BITS(state->extra);\n DROPBITS(state->extra);\n state->back += state->extra;\n }\n Tracevv((stderr, \"inflate: length %u\\n\", state->length));\n state->was = state->length;\n state->mode = DIST;\n /* fallthrough */\n case DIST:\n for (;;) {\n here = state->distcode[BITS(state->distbits)];\n if ((unsigned)(here.bits) <= bits) break;\n PULLBYTE();\n }\n if ((here.op & 0xf0) == 0) {\n last = here;\n for (;;) {\n here = state->distcode[last.val +\n (BITS(last.bits + last.op) >> last.bits)];\n if ((unsigned)(last.bits + here.bits) <= bits) break;\n PULLBYTE();\n }\n DROPBITS(last.bits);\n state->back += last.bits;\n }\n DROPBITS(here.bits);\n state->back += here.bits;\n if (here.op & 64) {\n strm->msg = (char *)\"invalid distance code\";\n state->mode = BAD;\n break;\n }\n state->offset = (unsigned)here.val;\n state->extra = (unsigned)(here.op) & 15;\n state->mode = DISTEXT;\n /* fallthrough */\n case DISTEXT:\n if (state->extra) {\n NEEDBITS(state->extra);\n state->offset += BITS(state->extra);\n DROPBITS(state->extra);\n state->back += state->extra;\n }\n#ifdef INFLATE_STRICT\n if (state->offset > state->dmax) {\n strm->msg = (char *)\"invalid distance too far back\";\n state->mode = BAD;\n break;\n }\n#endif\n Tracevv((stderr, \"inflate: distance %u\\n\", state->offset));\n state->mode = MATCH;\n /* fallthrough */\n case MATCH:\n if (left == 0) goto inf_leave;\n copy = out - left;\n if (state->offset > copy) { /* copy from window */\n copy = state->offset - copy;\n if (copy > state->whave) {\n if (state->sane) {\n strm->msg = (char *)\"invalid distance too far back\";\n state->mode = BAD;\n break;\n }\n#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR\n Trace((stderr, \"inflate.c too far\\n\"));\n copy -= state->whave;\n if (copy > state->length) copy = state->length;\n if (copy > left) copy = left;\n left -= copy;\n state->length -= copy;\n do {\n *put++ = 0;\n } while (--copy);\n if (state->length == 0) state->mode = LEN;\n break;\n#endif\n }\n if (copy > state->wnext) {\n copy -= state->wnext;\n from = state->window + (state->wsize - copy);\n }\n else\n from = state->window + (state->wnext - copy);\n if (copy > state->length) copy = state->length;\n }\n else { /* copy from output */\n from = put - state->offset;\n copy = state->length;\n }\n if (copy > left) copy = left;\n left -= copy;\n state->length -= copy;\n do {\n *put++ = *from++;\n } while (--copy);\n if (state->length == 0) state->mode = LEN;\n break;\n case LIT:\n if (left == 0) goto inf_leave;\n *put++ = (unsigned char)(state->length);\n left--;\n state->mode = LEN;\n break;\n case CHECK:\n if (state->wrap) {\n NEEDBITS(32);\n out -= left;\n strm->total_out += out;\n state->total += out;\n if ((state->wrap & 4) && out)\n strm->adler = state->check =\n UPDATE_CHECK(state->check, put - out, out);\n out = left;\n if ((state->wrap & 4) && (\n#ifdef GUNZIP\n state->flags ? hold :\n#endif\n ZSWAP32(hold)) != state->check) {\n strm->msg = (char *)\"incorrect data check\";\n state->mode = BAD;\n break;\n }\n INITBITS();\n Tracev((stderr, \"inflate: check matches trailer\\n\"));\n }\n#ifdef GUNZIP\n state->mode = LENGTH;\n /* fallthrough */\n case LENGTH:\n if (state->wrap && state->flags) {\n NEEDBITS(32);\n if ((state->wrap & 4) && hold != (state->total & 0xffffffff)) {\n strm->msg = (char *)\"incorrect length check\";\n state->mode = BAD;\n break;\n }\n INITBITS();\n Tracev((stderr, \"inflate: length matches trailer\\n\"));\n }\n#endif\n state->mode = DONE;\n /* fallthrough */\n case DONE:\n ret = Z_STREAM_END;\n goto inf_leave;\n case BAD:\n ret = Z_DATA_ERROR;\n goto inf_leave;\n case MEM:\n return Z_MEM_ERROR;\n case SYNC:\n /* fallthrough */\n default:\n return Z_STREAM_ERROR;\n }\n\n /*\n Return from inflate(), updating the total counts and the check value.\n If there was no progress during the inflate() call, return a buffer\n error. Call updatewindow() to create and/or update the window state.\n Note: a memory error from inflate() is non-recoverable.\n */\n inf_leave:\n RESTORE();\n if (state->wsize || (out != strm->avail_out && state->mode < BAD &&\n (state->mode < CHECK || flush != Z_FINISH)))\n if (updatewindow(strm, strm->next_out, out - strm->avail_out)) {\n state->mode = MEM;\n return Z_MEM_ERROR;\n }\n in -= strm->avail_in;\n out -= strm->avail_out;\n strm->total_in += in;\n strm->total_out += out;\n state->total += out;\n if ((state->wrap & 4) && out)\n strm->adler = state->check =\n UPDATE_CHECK(state->check, strm->next_out - out, out);\n strm->data_type = (int)state->bits + (state->last ? 64 : 0) +\n (state->mode == TYPE ? 128 : 0) +\n (state->mode == LEN_ || state->mode == COPY_ ? 256 : 0);\n if (((in == 0 && out == 0) || flush == Z_FINISH) && ret == Z_OK)\n ret = Z_BUF_ERROR;\n return ret;\n}\n\nint ZEXPORT inflateEnd(z_streamp strm) {\n struct inflate_state FAR *state;\n if (inflateStateCheck(strm))\n return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n if (state->window != Z_NULL) ZFREE(strm, state->window);\n ZFREE(strm, strm->state);\n strm->state = Z_NULL;\n Tracev((stderr, \"inflate: end\\n\"));\n return Z_OK;\n}\n\nint ZEXPORT inflateGetDictionary(z_streamp strm, Bytef *dictionary,\n uInt *dictLength) {\n struct inflate_state FAR *state;\n\n /* check state */\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n\n /* copy dictionary */\n if (state->whave && dictionary != Z_NULL) {\n zmemcpy(dictionary, state->window + state->wnext,\n state->whave - state->wnext);\n zmemcpy(dictionary + state->whave - state->wnext,\n state->window, state->wnext);\n }\n if (dictLength != Z_NULL)\n *dictLength = state->whave;\n return Z_OK;\n}\n\nint ZEXPORT inflateSetDictionary(z_streamp strm, const Bytef *dictionary,\n uInt dictLength) {\n struct inflate_state FAR *state;\n unsigned long dictid;\n int ret;\n\n /* check state */\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n if (state->wrap != 0 && state->mode != DICT)\n return Z_STREAM_ERROR;\n\n /* check for correct dictionary identifier */\n if (state->mode == DICT) {\n dictid = adler32(0L, Z_NULL, 0);\n dictid = adler32(dictid, dictionary, dictLength);\n if (dictid != state->check)\n return Z_DATA_ERROR;\n }\n\n /* copy dictionary to window using updatewindow(), which will amend the\n existing dictionary if appropriate */\n ret = updatewindow(strm, dictionary + dictLength, dictLength);\n if (ret) {\n state->mode = MEM;\n return Z_MEM_ERROR;\n }\n state->havedict = 1;\n Tracev((stderr, \"inflate: dictionary set\\n\"));\n return Z_OK;\n}\n\nint ZEXPORT inflateGetHeader(z_streamp strm, gz_headerp head) {\n struct inflate_state FAR *state;\n\n /* check state */\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n if ((state->wrap & 2) == 0) return Z_STREAM_ERROR;\n\n /* save header structure */\n state->head = head;\n head->done = 0;\n return Z_OK;\n}\n\n/*\n Search buf[0..len-1] for the pattern: 0, 0, 0xff, 0xff. Return when found\n or when out of input. When called, *have is the number of pattern bytes\n found in order so far, in 0..3. On return *have is updated to the new\n state. If on return *have equals four, then the pattern was found and the\n return value is how many bytes were read including the last byte of the\n pattern. If *have is less than four, then the pattern has not been found\n yet and the return value is len. In the latter case, syncsearch() can be\n called again with more data and the *have state. *have is initialized to\n zero for the first call.\n */\nlocal unsigned syncsearch(unsigned FAR *have, const unsigned char FAR *buf,\n unsigned len) {\n unsigned got;\n unsigned next;\n\n got = *have;\n next = 0;\n while (next < len && got < 4) {\n if ((int)(buf[next]) == (got < 2 ? 0 : 0xff))\n got++;\n else if (buf[next])\n got = 0;\n else\n got = 4 - got;\n next++;\n }\n *have = got;\n return next;\n}\n\nint ZEXPORT inflateSync(z_streamp strm) {\n unsigned len; /* number of bytes to look at or looked at */\n int flags; /* temporary to save header status */\n unsigned long in, out; /* temporary to save total_in and total_out */\n unsigned char buf[4]; /* to restore bit buffer to byte string */\n struct inflate_state FAR *state;\n\n /* check parameters */\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n if (strm->avail_in == 0 && state->bits < 8) return Z_BUF_ERROR;\n\n /* if first time, start search in bit buffer */\n if (state->mode != SYNC) {\n state->mode = SYNC;\n state->hold <<= state->bits & 7;\n state->bits -= state->bits & 7;\n len = 0;\n while (state->bits >= 8) {\n buf[len++] = (unsigned char)(state->hold);\n state->hold >>= 8;\n state->bits -= 8;\n }\n state->have = 0;\n syncsearch(&(state->have), buf, len);\n }\n\n /* search available input */\n len = syncsearch(&(state->have), strm->next_in, strm->avail_in);\n strm->avail_in -= len;\n strm->next_in += len;\n strm->total_in += len;\n\n /* return no joy or set up to restart inflate() on a new block */\n if (state->have != 4) return Z_DATA_ERROR;\n if (state->flags == -1)\n state->wrap = 0; /* if no header yet, treat as raw */\n else\n state->wrap &= ~4; /* no point in computing a check value now */\n flags = state->flags;\n in = strm->total_in; out = strm->total_out;\n inflateReset(strm);\n strm->total_in = in; strm->total_out = out;\n state->flags = flags;\n state->mode = TYPE;\n return Z_OK;\n}\n\n/*\n Returns true if inflate is currently at the end of a block generated by\n Z_SYNC_FLUSH or Z_FULL_FLUSH. This function is used by one PPP\n implementation to provide an additional safety check. PPP uses\n Z_SYNC_FLUSH but removes the length bytes of the resulting empty stored\n block. When decompressing, PPP checks that at the end of input packet,\n inflate is waiting for these length bytes.\n */\nint ZEXPORT inflateSyncPoint(z_streamp strm) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n return state->mode == STORED && state->bits == 0;\n}\n\nint ZEXPORT inflateCopy(z_streamp dest, z_streamp source) {\n struct inflate_state FAR *state;\n struct inflate_state FAR *copy;\n unsigned char FAR *window;\n unsigned wsize;\n\n /* check input */\n if (inflateStateCheck(source) || dest == Z_NULL)\n return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)source->state;\n\n /* allocate space */\n copy = (struct inflate_state FAR *)\n ZALLOC(source, 1, sizeof(struct inflate_state));\n if (copy == Z_NULL) return Z_MEM_ERROR;\n window = Z_NULL;\n if (state->window != Z_NULL) {\n window = (unsigned char FAR *)\n ZALLOC(source, 1U << state->wbits, sizeof(unsigned char));\n if (window == Z_NULL) {\n ZFREE(source, copy);\n return Z_MEM_ERROR;\n }\n }\n\n /* copy state */\n zmemcpy((voidpf)dest, (voidpf)source, sizeof(z_stream));\n zmemcpy((voidpf)copy, (voidpf)state, sizeof(struct inflate_state));\n copy->strm = dest;\n if (state->lencode >= state->codes &&\n state->lencode <= state->codes + ENOUGH - 1) {\n copy->lencode = copy->codes + (state->lencode - state->codes);\n copy->distcode = copy->codes + (state->distcode - state->codes);\n }\n copy->next = copy->codes + (state->next - state->codes);\n if (window != Z_NULL) {\n wsize = 1U << state->wbits;\n zmemcpy(window, state->window, wsize);\n }\n copy->window = window;\n dest->state = (struct internal_state FAR *)copy;\n return Z_OK;\n}\n\nint ZEXPORT inflateUndermine(z_streamp strm, int subvert) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR\n state->sane = !subvert;\n return Z_OK;\n#else\n (void)subvert;\n state->sane = 1;\n return Z_DATA_ERROR;\n#endif\n}\n\nint ZEXPORT inflateValidate(z_streamp strm, int check) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm)) return Z_STREAM_ERROR;\n state = (struct inflate_state FAR *)strm->state;\n if (check && state->wrap)\n state->wrap |= 4;\n else\n state->wrap &= ~4;\n return Z_OK;\n}\n\nlong ZEXPORT inflateMark(z_streamp strm) {\n struct inflate_state FAR *state;\n\n if (inflateStateCheck(strm))\n return -(1L << 16);\n state = (struct inflate_state FAR *)strm->state;\n return (long)(((unsigned long)((long)state->back)) << 16) +\n (state->mode == COPY ? state->length :\n (state->mode == MATCH ? state->was - state->length : 0));\n}\n\nunsigned long ZEXPORT inflateCodesUsed(z_streamp strm) {\n struct inflate_state FAR *state;\n if (inflateStateCheck(strm)) return (unsigned long)-1;\n state = (struct inflate_state FAR *)strm->state;\n return (unsigned long)(state->next - state->codes);\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inflate.h", "content": "/* inflate.h -- internal inflate state definition\n * Copyright (C) 1995-2019 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* WARNING: this file should *not* be used by applications. It is\n part of the implementation of the compression library and is\n subject to change. Applications should only use zlib.h.\n */\n\n/* define NO_GZIP when compiling if you want to disable gzip header and\n trailer decoding by inflate(). NO_GZIP would be used to avoid linking in\n the crc code when it is not needed. For shared libraries, gzip decoding\n should be left enabled. */\n#ifndef NO_GZIP\n# define GUNZIP\n#endif\n\n/* Possible inflate modes between inflate() calls */\ntypedef enum {\n HEAD = 16180, /* i: waiting for magic header */\n FLAGS, /* i: waiting for method and flags (gzip) */\n TIME, /* i: waiting for modification time (gzip) */\n OS, /* i: waiting for extra flags and operating system (gzip) */\n EXLEN, /* i: waiting for extra length (gzip) */\n EXTRA, /* i: waiting for extra bytes (gzip) */\n NAME, /* i: waiting for end of file name (gzip) */\n COMMENT, /* i: waiting for end of comment (gzip) */\n HCRC, /* i: waiting for header crc (gzip) */\n DICTID, /* i: waiting for dictionary check value */\n DICT, /* waiting for inflateSetDictionary() call */\n TYPE, /* i: waiting for type bits, including last-flag bit */\n TYPEDO, /* i: same, but skip check to exit inflate on new block */\n STORED, /* i: waiting for stored size (length and complement) */\n COPY_, /* i/o: same as COPY below, but only first time in */\n COPY, /* i/o: waiting for input or output to copy stored block */\n TABLE, /* i: waiting for dynamic block table lengths */\n LENLENS, /* i: waiting for code length code lengths */\n CODELENS, /* i: waiting for length/lit and distance code lengths */\n LEN_, /* i: same as LEN below, but only first time in */\n LEN, /* i: waiting for length/lit/eob code */\n LENEXT, /* i: waiting for length extra bits */\n DIST, /* i: waiting for distance code */\n DISTEXT, /* i: waiting for distance extra bits */\n MATCH, /* o: waiting for output space to copy string */\n LIT, /* o: waiting for output space to write literal */\n CHECK, /* i: waiting for 32-bit check value */\n LENGTH, /* i: waiting for 32-bit length (gzip) */\n DONE, /* finished check, done -- remain here until reset */\n BAD, /* got a data error -- remain here until reset */\n MEM, /* got an inflate() memory error -- remain here until reset */\n SYNC /* looking for synchronization bytes to restart inflate() */\n} inflate_mode;\n\n/*\n State transitions between above modes -\n\n (most modes can go to BAD or MEM on error -- not shown for clarity)\n\n Process header:\n HEAD -> (gzip) or (zlib) or (raw)\n (gzip) -> FLAGS -> TIME -> OS -> EXLEN -> EXTRA -> NAME -> COMMENT ->\n HCRC -> TYPE\n (zlib) -> DICTID or TYPE\n DICTID -> DICT -> TYPE\n (raw) -> TYPEDO\n Read deflate blocks:\n TYPE -> TYPEDO -> STORED or TABLE or LEN_ or CHECK\n STORED -> COPY_ -> COPY -> TYPE\n TABLE -> LENLENS -> CODELENS -> LEN_\n LEN_ -> LEN\n Read deflate codes in fixed or dynamic block:\n LEN -> LENEXT or LIT or TYPE\n LENEXT -> DIST -> DISTEXT -> MATCH -> LEN\n LIT -> LEN\n Process trailer:\n CHECK -> LENGTH -> DONE\n */\n\n/* State maintained between inflate() calls -- approximately 7K bytes, not\n including the allocated sliding window, which is up to 32K bytes. */\nstruct inflate_state {\n z_streamp strm; /* pointer back to this zlib stream */\n inflate_mode mode; /* current inflate mode */\n int last; /* true if processing last block */\n int wrap; /* bit 0 true for zlib, bit 1 true for gzip,\n bit 2 true to validate check value */\n int havedict; /* true if dictionary provided */\n int flags; /* gzip header method and flags, 0 if zlib, or\n -1 if raw or no header yet */\n unsigned dmax; /* zlib header max distance (INFLATE_STRICT) */\n unsigned long check; /* protected copy of check value */\n unsigned long total; /* protected copy of output count */\n gz_headerp head; /* where to save gzip header information */\n /* sliding window */\n unsigned wbits; /* log base 2 of requested window size */\n unsigned wsize; /* window size or zero if not using window */\n unsigned whave; /* valid bytes in the window */\n unsigned wnext; /* window write index */\n unsigned char FAR *window; /* allocated sliding window, if needed */\n /* bit accumulator */\n unsigned long hold; /* input bit accumulator */\n unsigned bits; /* number of bits in \"in\" */\n /* for string and stored block copying */\n unsigned length; /* literal or length of data to copy */\n unsigned offset; /* distance back to copy string from */\n /* for table and code decoding */\n unsigned extra; /* extra bits needed */\n /* fixed and dynamic code tables */\n code const FAR *lencode; /* starting table for length/literal codes */\n code const FAR *distcode; /* starting table for distance codes */\n unsigned lenbits; /* index bits for lencode */\n unsigned distbits; /* index bits for distcode */\n /* dynamic table building */\n unsigned ncode; /* number of code length code lengths */\n unsigned nlen; /* number of length code lengths */\n unsigned ndist; /* number of distance code lengths */\n unsigned have; /* number of code lengths in lens[] */\n code FAR *next; /* next available space in codes[] */\n unsigned short lens[320]; /* temporary storage for code lengths */\n unsigned short work[288]; /* work area for code table building */\n code codes[ENOUGH]; /* space for code tables */\n int sane; /* if false, allow invalid distance too far */\n int back; /* bits back of last unprocessed length/lit */\n unsigned was; /* initial length of match */\n};\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inftrees.c", "content": "/* inftrees.c -- generate Huffman trees for efficient decoding\n * Copyright (C) 1995-2023 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n#include \"zutil.h\"\n#include \"inftrees.h\"\n\n#define MAXBITS 15\n\nconst char inflate_copyright[] =\n \" inflate 1.3 Copyright 1995-2023 Mark Adler \";\n/*\n If you use the zlib library in a product, an acknowledgment is welcome\n in the documentation of your product. If for some reason you cannot\n include such an acknowledgment, I would appreciate that you keep this\n copyright string in the executable of your product.\n */\n\n/*\n Build a set of tables to decode the provided canonical Huffman code.\n The code lengths are lens[0..codes-1]. The result starts at *table,\n whose indices are 0..2^bits-1. work is a writable array of at least\n lens shorts, which is used as a work area. type is the type of code\n to be generated, CODES, LENS, or DISTS. On return, zero is success,\n -1 is an invalid code, and +1 means that ENOUGH isn't enough. table\n on return points to the next available entry's address. bits is the\n requested root table index bits, and on return it is the actual root\n table index bits. It will differ if the request is greater than the\n longest code or if it is less than the shortest code.\n */\nint ZLIB_INTERNAL inflate_table(codetype type, unsigned short FAR *lens,\n unsigned codes, code FAR * FAR *table,\n unsigned FAR *bits, unsigned short FAR *work) {\n unsigned len; /* a code's length in bits */\n unsigned sym; /* index of code symbols */\n unsigned min, max; /* minimum and maximum code lengths */\n unsigned root; /* number of index bits for root table */\n unsigned curr; /* number of index bits for current table */\n unsigned drop; /* code bits to drop for sub-table */\n int left; /* number of prefix codes available */\n unsigned used; /* code entries in table used */\n unsigned huff; /* Huffman code */\n unsigned incr; /* for incrementing code, index */\n unsigned fill; /* index for replicating entries */\n unsigned low; /* low bits for current root entry */\n unsigned mask; /* mask for low root bits */\n code here; /* table entry for duplication */\n code FAR *next; /* next available space in table */\n const unsigned short FAR *base; /* base value table to use */\n const unsigned short FAR *extra; /* extra bits table to use */\n unsigned match; /* use base and extra for symbol >= match */\n unsigned short count[MAXBITS+1]; /* number of codes of each length */\n unsigned short offs[MAXBITS+1]; /* offsets in table for each length */\n static const unsigned short lbase[31] = { /* Length codes 257..285 base */\n 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 15, 17, 19, 23, 27, 31,\n 35, 43, 51, 59, 67, 83, 99, 115, 131, 163, 195, 227, 258, 0, 0};\n static const unsigned short lext[31] = { /* Length codes 257..285 extra */\n 16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,\n 19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 198, 203};\n static const unsigned short dbase[32] = { /* Distance codes 0..29 base */\n 1, 2, 3, 4, 5, 7, 9, 13, 17, 25, 33, 49, 65, 97, 129, 193,\n 257, 385, 513, 769, 1025, 1537, 2049, 3073, 4097, 6145,\n 8193, 12289, 16385, 24577, 0, 0};\n static const unsigned short dext[32] = { /* Distance codes 0..29 extra */\n 16, 16, 16, 16, 17, 17, 18, 18, 19, 19, 20, 20, 21, 21, 22, 22,\n 23, 23, 24, 24, 25, 25, 26, 26, 27, 27,\n 28, 28, 29, 29, 64, 64};\n\n /*\n Process a set of code lengths to create a canonical Huffman code. The\n code lengths are lens[0..codes-1]. Each length corresponds to the\n symbols 0..codes-1. The Huffman code is generated by first sorting the\n symbols by length from short to long, and retaining the symbol order\n for codes with equal lengths. Then the code starts with all zero bits\n for the first code of the shortest length, and the codes are integer\n increments for the same length, and zeros are appended as the length\n increases. For the deflate format, these bits are stored backwards\n from their more natural integer increment ordering, and so when the\n decoding tables are built in the large loop below, the integer codes\n are incremented backwards.\n\n This routine assumes, but does not check, that all of the entries in\n lens[] are in the range 0..MAXBITS. The caller must assure this.\n 1..MAXBITS is interpreted as that code length. zero means that that\n symbol does not occur in this code.\n\n The codes are sorted by computing a count of codes for each length,\n creating from that a table of starting indices for each length in the\n sorted table, and then entering the symbols in order in the sorted\n table. The sorted table is work[], with that space being provided by\n the caller.\n\n The length counts are used for other purposes as well, i.e. finding\n the minimum and maximum length codes, determining if there are any\n codes at all, checking for a valid set of lengths, and looking ahead\n at length counts to determine sub-table sizes when building the\n decoding tables.\n */\n\n /* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */\n for (len = 0; len <= MAXBITS; len++)\n count[len] = 0;\n for (sym = 0; sym < codes; sym++)\n count[lens[sym]]++;\n\n /* bound code lengths, force root to be within code lengths */\n root = *bits;\n for (max = MAXBITS; max >= 1; max--)\n if (count[max] != 0) break;\n if (root > max) root = max;\n if (max == 0) { /* no symbols to code at all */\n here.op = (unsigned char)64; /* invalid code marker */\n here.bits = (unsigned char)1;\n here.val = (unsigned short)0;\n *(*table)++ = here; /* make a table to force an error */\n *(*table)++ = here;\n *bits = 1;\n return 0; /* no symbols, but wait for decoding to report error */\n }\n for (min = 1; min < max; min++)\n if (count[min] != 0) break;\n if (root < min) root = min;\n\n /* check for an over-subscribed or incomplete set of lengths */\n left = 1;\n for (len = 1; len <= MAXBITS; len++) {\n left <<= 1;\n left -= count[len];\n if (left < 0) return -1; /* over-subscribed */\n }\n if (left > 0 && (type == CODES || max != 1))\n return -1; /* incomplete set */\n\n /* generate offsets into symbol table for each length for sorting */\n offs[1] = 0;\n for (len = 1; len < MAXBITS; len++)\n offs[len + 1] = offs[len] + count[len];\n\n /* sort symbols by length, by symbol order within each length */\n for (sym = 0; sym < codes; sym++)\n if (lens[sym] != 0) work[offs[lens[sym]]++] = (unsigned short)sym;\n\n /*\n Create and fill in decoding tables. In this loop, the table being\n filled is at next and has curr index bits. The code being used is huff\n with length len. That code is converted to an index by dropping drop\n bits off of the bottom. For codes where len is less than drop + curr,\n those top drop + curr - len bits are incremented through all values to\n fill the table with replicated entries.\n\n root is the number of index bits for the root table. When len exceeds\n root, sub-tables are created pointed to by the root entry with an index\n of the low root bits of huff. This is saved in low to check for when a\n new sub-table should be started. drop is zero when the root table is\n being filled, and drop is root when sub-tables are being filled.\n\n When a new sub-table is needed, it is necessary to look ahead in the\n code lengths to determine what size sub-table is needed. The length\n counts are used for this, and so count[] is decremented as codes are\n entered in the tables.\n\n used keeps track of how many table entries have been allocated from the\n provided *table space. It is checked for LENS and DIST tables against\n the constants ENOUGH_LENS and ENOUGH_DISTS to guard against changes in\n the initial root table size constants. See the comments in inftrees.h\n for more information.\n\n sym increments through all symbols, and the loop terminates when\n all codes of length max, i.e. all codes, have been processed. This\n routine permits incomplete codes, so another loop after this one fills\n in the rest of the decoding tables with invalid code markers.\n */\n\n /* set up for code type */\n switch (type) {\n case CODES:\n base = extra = work; /* dummy value--not used */\n match = 20;\n break;\n case LENS:\n base = lbase;\n extra = lext;\n match = 257;\n break;\n default: /* DISTS */\n base = dbase;\n extra = dext;\n match = 0;\n }\n\n /* initialize state for loop */\n huff = 0; /* starting code */\n sym = 0; /* starting code symbol */\n len = min; /* starting code length */\n next = *table; /* current table to fill in */\n curr = root; /* current table index bits */\n drop = 0; /* current bits to drop from code for index */\n low = (unsigned)(-1); /* trigger new sub-table when len > root */\n used = 1U << root; /* use root table entries */\n mask = used - 1; /* mask for comparing low */\n\n /* check available table space */\n if ((type == LENS && used > ENOUGH_LENS) ||\n (type == DISTS && used > ENOUGH_DISTS))\n return 1;\n\n /* process all codes and make table entries */\n for (;;) {\n /* create table entry */\n here.bits = (unsigned char)(len - drop);\n if (work[sym] + 1U < match) {\n here.op = (unsigned char)0;\n here.val = work[sym];\n }\n else if (work[sym] >= match) {\n here.op = (unsigned char)(extra[work[sym] - match]);\n here.val = base[work[sym] - match];\n }\n else {\n here.op = (unsigned char)(32 + 64); /* end of block */\n here.val = 0;\n }\n\n /* replicate for those indices with low len bits equal to huff */\n incr = 1U << (len - drop);\n fill = 1U << curr;\n min = fill; /* save offset to next table */\n do {\n fill -= incr;\n next[(huff >> drop) + fill] = here;\n } while (fill != 0);\n\n /* backwards increment the len-bit code huff */\n incr = 1U << (len - 1);\n while (huff & incr)\n incr >>= 1;\n if (incr != 0) {\n huff &= incr - 1;\n huff += incr;\n }\n else\n huff = 0;\n\n /* go to next symbol, update count, len */\n sym++;\n if (--(count[len]) == 0) {\n if (len == max) break;\n len = lens[work[sym]];\n }\n\n /* create new sub-table if needed */\n if (len > root && (huff & mask) != low) {\n /* if first time, transition to sub-tables */\n if (drop == 0)\n drop = root;\n\n /* increment past last table */\n next += min; /* here min is 1 << curr */\n\n /* determine length of next table */\n curr = len - drop;\n left = (int)(1 << curr);\n while (curr + drop < max) {\n left -= count[curr + drop];\n if (left <= 0) break;\n curr++;\n left <<= 1;\n }\n\n /* check for enough space */\n used += 1U << curr;\n if ((type == LENS && used > ENOUGH_LENS) ||\n (type == DISTS && used > ENOUGH_DISTS))\n return 1;\n\n /* point entry in root table to sub-table */\n low = huff & mask;\n (*table)[low].op = (unsigned char)curr;\n (*table)[low].bits = (unsigned char)root;\n (*table)[low].val = (unsigned short)(next - *table);\n }\n }\n\n /* fill in remaining table entry if code is incomplete (guaranteed to have\n at most one remaining entry, since if the code is incomplete, the\n maximum code length that was allowed to get this far is one bit) */\n if (huff != 0) {\n here.op = (unsigned char)64; /* invalid code marker */\n here.bits = (unsigned char)(len - drop);\n here.val = (unsigned short)0;\n next[huff] = here;\n }\n\n /* set return parameters */\n *table += used;\n *bits = root;\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/inftrees.h", "content": "/* inftrees.h -- header to use inftrees.c\n * Copyright (C) 1995-2005, 2010 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* WARNING: this file should *not* be used by applications. It is\n part of the implementation of the compression library and is\n subject to change. Applications should only use zlib.h.\n */\n\n/* Structure for decoding tables. Each entry provides either the\n information needed to do the operation requested by the code that\n indexed that table entry, or it provides a pointer to another\n table that indexes more bits of the code. op indicates whether\n the entry is a pointer to another table, a literal, a length or\n distance, an end-of-block, or an invalid code. For a table\n pointer, the low four bits of op is the number of index bits of\n that table. For a length or distance, the low four bits of op\n is the number of extra bits to get after the code. bits is\n the number of bits in this code or part of the code to drop off\n of the bit buffer. val is the actual byte to output in the case\n of a literal, the base length or distance, or the offset from\n the current table to the next table. Each entry is four bytes. */\ntypedef struct {\n unsigned char op; /* operation, extra bits, table bits */\n unsigned char bits; /* bits in this part of the code */\n unsigned short val; /* offset in table or code value */\n} code;\n\n/* op values as set by inflate_table():\n 00000000 - literal\n 0000tttt - table link, tttt != 0 is the number of table index bits\n 0001eeee - length or distance, eeee is the number of extra bits\n 01100000 - end of block\n 01000000 - invalid code\n */\n\n/* Maximum size of the dynamic table. The maximum number of code structures is\n 1444, which is the sum of 852 for literal/length codes and 592 for distance\n codes. These values were found by exhaustive searches using the program\n examples/enough.c found in the zlib distribution. The arguments to that\n program are the number of symbols, the initial root table size, and the\n maximum bit length of a code. \"enough 286 9 15\" for literal/length codes\n returns returns 852, and \"enough 30 6 15\" for distance codes returns 592.\n The initial root table size (9 or 6) is found in the fifth argument of the\n inflate_table() calls in inflate.c and infback.c. If the root table size is\n changed, then these maximum sizes would be need to be recalculated and\n updated. */\n#define ENOUGH_LENS 852\n#define ENOUGH_DISTS 592\n#define ENOUGH (ENOUGH_LENS+ENOUGH_DISTS)\n\n/* Type of code to build for inflate_table() */\ntypedef enum {\n CODES,\n LENS,\n DISTS\n} codetype;\n\nint ZLIB_INTERNAL inflate_table(codetype type, unsigned short FAR *lens,\n unsigned codes, code FAR * FAR *table,\n unsigned FAR *bits, unsigned short FAR *work);\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/make_vms.com", "content": "$! make libz under VMS written by\n$! Martin P.J. Zinser\n$!\n$! In case of problems with the install you might contact me at\n$! zinser@zinser.no-ip.info(preferred) or\n$! martin.zinser@eurexchange.com (work)\n$!\n$! Make procedure history for Zlib\n$!\n$!------------------------------------------------------------------------------\n$! Version history\n$! 0.01 20060120 First version to receive a number\n$! 0.02 20061008 Adapt to new Makefile.in\n$! 0.03 20091224 Add support for large file check\n$! 0.04 20100110 Add new gzclose, gzlib, gzread, gzwrite\n$! 0.05 20100221 Exchange zlibdefs.h by zconf.h.in\n$! 0.06 20120111 Fix missing amiss_err, update zconf_h.in, fix new examples\n$! subdir path, update module search in makefile.in\n$! 0.07 20120115 Triggered by work done by Alexey Chupahin completely redesigned\n$! shared image creation\n$! 0.08 20120219 Make it work on VAX again, pre-load missing symbols to shared\n$! image\n$! 0.09 20120305 SMS. P1 sets builder (\"MMK\", \"MMS\", \" \" (built-in)).\n$! \"\" -> automatic, preference: MMK, MMS, built-in.\n$!\n$ on error then goto err_exit\n$!\n$ true = 1\n$ false = 0\n$ tmpnam = \"temp_\" + f$getjpi(\"\",\"pid\")\n$ tt = tmpnam + \".txt\"\n$ tc = tmpnam + \".c\"\n$ th = tmpnam + \".h\"\n$ define/nolog tconfig 'th'\n$ its_decc = false\n$ its_vaxc = false\n$ its_gnuc = false\n$ s_case = False\n$!\n$! Setup variables holding \"config\" information\n$!\n$ Make = \"''p1'\"\n$ name = \"Zlib\"\n$ version = \"?.?.?\"\n$ v_string = \"ZLIB_VERSION\"\n$ v_file = \"zlib.h\"\n$ ccopt = \"/include = []\"\n$ lopts = \"\"\n$ dnsrl = \"\"\n$ aconf_in_file = \"zconf.h.in#zconf.h_in#zconf_h.in\"\n$ conf_check_string = \"\"\n$ linkonly = false\n$ optfile = name + \".opt\"\n$ mapfile = name + \".map\"\n$ libdefs = \"\"\n$ vax = f$getsyi(\"HW_MODEL\").lt.1024\n$ axp = f$getsyi(\"HW_MODEL\").ge.1024 .and. f$getsyi(\"HW_MODEL\").lt.4096\n$ ia64 = f$getsyi(\"HW_MODEL\").ge.4096\n$!\n$! 2012-03-05 SMS.\n$! Why is this needed? And if it is needed, why not simply \".not. vax\"?\n$!\n$!!! if axp .or. ia64 then set proc/parse=extended\n$!\n$ whoami = f$parse(f$environment(\"Procedure\"),,,,\"NO_CONCEAL\")\n$ mydef = F$parse(whoami,,,\"DEVICE\")\n$ mydir = f$parse(whoami,,,\"DIRECTORY\") - \"][\"\n$ myproc = f$parse(whoami,,,\"Name\") + f$parse(whoami,,,\"type\")\n$!\n$! Check for MMK/MMS\n$!\n$ if (Make .eqs. \"\")\n$ then\n$ If F$Search (\"Sys$System:MMS.EXE\") .nes. \"\" Then Make = \"MMS\"\n$ If F$Type (MMK) .eqs. \"STRING\" Then Make = \"MMK\"\n$ else\n$ Make = f$edit( Make, \"trim\")\n$ endif\n$!\n$ gosub find_version\n$!\n$ open/write topt tmp.opt\n$ open/write optf 'optfile'\n$!\n$ gosub check_opts\n$!\n$! Look for the compiler used\n$!\n$ gosub check_compiler\n$ close topt\n$ close optf\n$!\n$ if its_decc\n$ then\n$ ccopt = \"/prefix=all\" + ccopt\n$ if f$trnlnm(\"SYS\") .eqs. \"\"\n$ then\n$ if axp\n$ then\n$ define sys sys$library:\n$ else\n$ ccopt = \"/decc\" + ccopt\n$ define sys decc$library_include:\n$ endif\n$ endif\n$!\n$! 2012-03-05 SMS.\n$! Why /NAMES = AS_IS? Why not simply \".not. vax\"? And why not on VAX?\n$!\n$ if axp .or. ia64\n$ then\n$ ccopt = ccopt + \"/name=as_is/opt=(inline=speed)\"\n$ s_case = true\n$ endif\n$ endif\n$ if its_vaxc .or. its_gnuc\n$ then\n$ if f$trnlnm(\"SYS\").eqs.\"\" then define sys sys$library:\n$ endif\n$!\n$! Build a fake configure input header\n$!\n$ open/write conf_hin config.hin\n$ write conf_hin \"#undef _LARGEFILE64_SOURCE\"\n$ close conf_hin\n$!\n$!\n$ i = 0\n$FIND_ACONF:\n$ fname = f$element(i,\"#\",aconf_in_file)\n$ if fname .eqs. \"#\" then goto AMISS_ERR\n$ if f$search(fname) .eqs. \"\"\n$ then\n$ i = i + 1\n$ goto find_aconf\n$ endif\n$ open/read/err=aconf_err aconf_in 'fname'\n$ open/write aconf zconf.h\n$ACONF_LOOP:\n$ read/end_of_file=aconf_exit aconf_in line\n$ work = f$edit(line, \"compress,trim\")\n$ if f$extract(0,6,work) .nes. \"#undef\"\n$ then\n$ if f$extract(0,12,work) .nes. \"#cmakedefine\"\n$ then\n$ write aconf line\n$ endif\n$ else\n$ cdef = f$element(1,\" \",work)\n$ gosub check_config\n$ endif\n$ goto aconf_loop\n$ACONF_EXIT:\n$ write aconf \"\"\n$ write aconf \"/* VMS specifics added by make_vms.com: */\"\n$ write aconf \"#define VMS 1\"\n$ write aconf \"#include \"\n$ write aconf \"#include \"\n$ write aconf \"#ifdef _LARGEFILE\"\n$ write aconf \"# define off64_t __off64_t\"\n$ write aconf \"# define fopen64 fopen\"\n$ write aconf \"# define fseeko64 fseeko\"\n$ write aconf \"# define lseek64 lseek\"\n$ write aconf \"# define ftello64 ftell\"\n$ write aconf \"#endif\"\n$ write aconf \"#if !defined( __VAX) && (__CRTL_VER >= 70312000)\"\n$ write aconf \"# define HAVE_VSNPRINTF\"\n$ write aconf \"#endif\"\n$ close aconf_in\n$ close aconf\n$ if f$search(\"''th'\") .nes. \"\" then delete 'th';*\n$! Build the thing plain or with mms\n$!\n$ write sys$output \"Compiling Zlib sources ...\"\n$ if make.eqs.\"\"\n$ then\n$ if (f$search( \"example.obj;*\") .nes. \"\") then delete example.obj;*\n$ if (f$search( \"minigzip.obj;*\") .nes. \"\") then delete minigzip.obj;*\n$ CALL MAKE adler32.OBJ \"CC ''CCOPT' adler32\" -\n adler32.c zlib.h zconf.h\n$ CALL MAKE compress.OBJ \"CC ''CCOPT' compress\" -\n compress.c zlib.h zconf.h\n$ CALL MAKE crc32.OBJ \"CC ''CCOPT' crc32\" -\n crc32.c zlib.h zconf.h\n$ CALL MAKE deflate.OBJ \"CC ''CCOPT' deflate\" -\n deflate.c deflate.h zutil.h zlib.h zconf.h\n$ CALL MAKE gzclose.OBJ \"CC ''CCOPT' gzclose\" -\n gzclose.c zutil.h zlib.h zconf.h\n$ CALL MAKE gzlib.OBJ \"CC ''CCOPT' gzlib\" -\n gzlib.c zutil.h zlib.h zconf.h\n$ CALL MAKE gzread.OBJ \"CC ''CCOPT' gzread\" -\n gzread.c zutil.h zlib.h zconf.h\n$ CALL MAKE gzwrite.OBJ \"CC ''CCOPT' gzwrite\" -\n gzwrite.c zutil.h zlib.h zconf.h\n$ CALL MAKE infback.OBJ \"CC ''CCOPT' infback\" -\n infback.c zutil.h inftrees.h inflate.h inffast.h inffixed.h\n$ CALL MAKE inffast.OBJ \"CC ''CCOPT' inffast\" -\n inffast.c zutil.h zlib.h zconf.h inffast.h\n$ CALL MAKE inflate.OBJ \"CC ''CCOPT' inflate\" -\n inflate.c zutil.h zlib.h zconf.h infblock.h\n$ CALL MAKE inftrees.OBJ \"CC ''CCOPT' inftrees\" -\n inftrees.c zutil.h zlib.h zconf.h inftrees.h\n$ CALL MAKE trees.OBJ \"CC ''CCOPT' trees\" -\n trees.c deflate.h zutil.h zlib.h zconf.h\n$ CALL MAKE uncompr.OBJ \"CC ''CCOPT' uncompr\" -\n uncompr.c zlib.h zconf.h\n$ CALL MAKE zutil.OBJ \"CC ''CCOPT' zutil\" -\n zutil.c zutil.h zlib.h zconf.h\n$ write sys$output \"Building Zlib ...\"\n$ CALL MAKE libz.OLB \"lib/crea libz.olb *.obj\" *.OBJ\n$ write sys$output \"Building example...\"\n$ CALL MAKE example.OBJ \"CC ''CCOPT' [.test]example\" -\n [.test]example.c zlib.h zconf.h\n$ call make example.exe \"LINK example,libz.olb/lib\" example.obj libz.olb\n$ write sys$output \"Building minigzip...\"\n$ CALL MAKE minigzip.OBJ \"CC ''CCOPT' [.test]minigzip\" -\n [.test]minigzip.c zlib.h zconf.h\n$ call make minigzip.exe -\n \"LINK minigzip,libz.olb/lib\" -\n minigzip.obj libz.olb\n$ else\n$ gosub crea_mms\n$ write sys$output \"Make ''name' ''version' with ''Make' \"\n$ 'make'\n$ endif\n$!\n$! Create shareable image\n$!\n$ gosub crea_olist\n$ write sys$output \"Creating libzshr.exe\"\n$ call map_2_shopt 'mapfile' 'optfile'\n$ LINK_'lopts'/SHARE=libzshr.exe modules.opt/opt,'optfile'/opt\n$ write sys$output \"Zlib build completed\"\n$ delete/nolog tmp.opt;*\n$ exit\n$AMISS_ERR:\n$ write sys$output \"No source for config.hin found.\"\n$ write sys$output \"Tried any of ''aconf_in_file'\"\n$ goto err_exit\n$CC_ERR:\n$ write sys$output \"C compiler required to build ''name'\"\n$ goto err_exit\n$ERR_EXIT:\n$ set message/facil/ident/sever/text\n$ close/nolog optf\n$ close/nolog topt\n$ close/nolog aconf_in\n$ close/nolog aconf\n$ close/nolog out\n$ close/nolog min\n$ close/nolog mod\n$ close/nolog h_in\n$ write sys$output \"Exiting...\"\n$ exit 2\n$!\n$!\n$MAKE: SUBROUTINE !SUBROUTINE TO CHECK DEPENDENCIES\n$ V = 'F$Verify(0)\n$! P1 = What we are trying to make\n$! P2 = Command to make it\n$! P3 - P8 What it depends on\n$\n$ If F$Search(P1) .Eqs. \"\" Then Goto Makeit\n$ Time = F$CvTime(F$File(P1,\"RDT\"))\n$arg=3\n$Loop:\n$ Argument = P'arg\n$ If Argument .Eqs. \"\" Then Goto Exit\n$ El=0\n$Loop2:\n$ File = F$Element(El,\" \",Argument)\n$ If File .Eqs. \" \" Then Goto Endl\n$ AFile = \"\"\n$Loop3:\n$ OFile = AFile\n$ AFile = F$Search(File)\n$ If AFile .Eqs. \"\" .Or. AFile .Eqs. OFile Then Goto NextEl\n$ If F$CvTime(F$File(AFile,\"RDT\")) .Ges. Time Then Goto Makeit\n$ Goto Loop3\n$NextEL:\n$ El = El + 1\n$ Goto Loop2\n$EndL:\n$ arg=arg+1\n$ If arg .Le. 8 Then Goto Loop\n$ Goto Exit\n$\n$Makeit:\n$ VV=F$VERIFY(0)\n$ write sys$output P2\n$ 'P2\n$ VV='F$Verify(VV)\n$Exit:\n$ If V Then Set Verify\n$ENDSUBROUTINE\n$!------------------------------------------------------------------------------\n$!\n$! Check command line options and set symbols accordingly\n$!\n$!------------------------------------------------------------------------------\n$! Version history\n$! 0.01 20041206 First version to receive a number\n$! 0.02 20060126 Add new \"HELP\" target\n$ CHECK_OPTS:\n$ i = 1\n$ OPT_LOOP:\n$ if i .lt. 9\n$ then\n$ cparm = f$edit(p'i',\"upcase\")\n$!\n$! Check if parameter actually contains something\n$!\n$ if f$edit(cparm,\"trim\") .nes. \"\"\n$ then\n$ if cparm .eqs. \"DEBUG\"\n$ then\n$ ccopt = ccopt + \"/noopt/deb\"\n$ lopts = lopts + \"/deb\"\n$ endif\n$ if f$locate(\"CCOPT=\",cparm) .lt. f$length(cparm)\n$ then\n$ start = f$locate(\"=\",cparm) + 1\n$ len = f$length(cparm) - start\n$ ccopt = ccopt + f$extract(start,len,cparm)\n$ if f$locate(\"AS_IS\",f$edit(ccopt,\"UPCASE\")) .lt. f$length(ccopt) -\n then s_case = true\n$ endif\n$ if cparm .eqs. \"LINK\" then linkonly = true\n$ if f$locate(\"LOPTS=\",cparm) .lt. f$length(cparm)\n$ then\n$ start = f$locate(\"=\",cparm) + 1\n$ len = f$length(cparm) - start\n$ lopts = lopts + f$extract(start,len,cparm)\n$ endif\n$ if f$locate(\"CC=\",cparm) .lt. f$length(cparm)\n$ then\n$ start = f$locate(\"=\",cparm) + 1\n$ len = f$length(cparm) - start\n$ cc_com = f$extract(start,len,cparm)\n if (cc_com .nes. \"DECC\") .and. -\n (cc_com .nes. \"VAXC\") .and. -\n (cc_com .nes. \"GNUC\")\n$ then\n$ write sys$output \"Unsupported compiler choice ''cc_com' ignored\"\n$ write sys$output \"Use DECC, VAXC, or GNUC instead\"\n$ else\n$ if cc_com .eqs. \"DECC\" then its_decc = true\n$ if cc_com .eqs. \"VAXC\" then its_vaxc = true\n$ if cc_com .eqs. \"GNUC\" then its_gnuc = true\n$ endif\n$ endif\n$ if f$locate(\"MAKE=\",cparm) .lt. f$length(cparm)\n$ then\n$ start = f$locate(\"=\",cparm) + 1\n$ len = f$length(cparm) - start\n$ mmks = f$extract(start,len,cparm)\n$ if (mmks .eqs. \"MMK\") .or. (mmks .eqs. \"MMS\")\n$ then\n$ make = mmks\n$ else\n$ write sys$output \"Unsupported make choice ''mmks' ignored\"\n$ write sys$output \"Use MMK or MMS instead\"\n$ endif\n$ endif\n$ if cparm .eqs. \"HELP\" then gosub bhelp\n$ endif\n$ i = i + 1\n$ goto opt_loop\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Look for the compiler used\n$!\n$! Version history\n$! 0.01 20040223 First version to receive a number\n$! 0.02 20040229 Save/set value of decc$no_rooted_search_lists\n$! 0.03 20060202 Extend handling of GNU C\n$! 0.04 20090402 Compaq -> hp\n$CHECK_COMPILER:\n$ if (.not. (its_decc .or. its_vaxc .or. its_gnuc))\n$ then\n$ its_decc = (f$search(\"SYS$SYSTEM:DECC$COMPILER.EXE\") .nes. \"\")\n$ its_vaxc = .not. its_decc .and. (F$Search(\"SYS$System:VAXC.Exe\") .nes. \"\")\n$ its_gnuc = .not. (its_decc .or. its_vaxc) .and. (f$trnlnm(\"gnu_cc\") .nes. \"\")\n$ endif\n$!\n$! Exit if no compiler available\n$!\n$ if (.not. (its_decc .or. its_vaxc .or. its_gnuc))\n$ then goto CC_ERR\n$ else\n$ if its_decc\n$ then\n$ write sys$output \"CC compiler check ... hp C\"\n$ if f$trnlnm(\"decc$no_rooted_search_lists\") .nes. \"\"\n$ then\n$ dnrsl = f$trnlnm(\"decc$no_rooted_search_lists\")\n$ endif\n$ define/nolog decc$no_rooted_search_lists 1\n$ else\n$ if its_vaxc then write sys$output \"CC compiler check ... VAX C\"\n$ if its_gnuc\n$ then\n$ write sys$output \"CC compiler check ... GNU C\"\n$ if f$trnlnm(topt) then write topt \"gnu_cc:[000000]gcclib.olb/lib\"\n$ if f$trnlnm(optf) then write optf \"gnu_cc:[000000]gcclib.olb/lib\"\n$ cc = \"gcc\"\n$ endif\n$ if f$trnlnm(topt) then write topt \"sys$share:vaxcrtl.exe/share\"\n$ if f$trnlnm(optf) then write optf \"sys$share:vaxcrtl.exe/share\"\n$ endif\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! If MMS/MMK are available dump out the descrip.mms if required\n$!\n$CREA_MMS:\n$ write sys$output \"Creating descrip.mms...\"\n$ create descrip.mms\n$ open/append out descrip.mms\n$ copy sys$input: out\n$ deck\n# descrip.mms: MMS description file for building zlib on VMS\n# written by Martin P.J. Zinser\n# \n\nOBJS = adler32.obj, compress.obj, crc32.obj, gzclose.obj, gzlib.obj\\\n gzread.obj, gzwrite.obj, uncompr.obj, infback.obj\\\n deflate.obj, trees.obj, zutil.obj, inflate.obj, \\\n inftrees.obj, inffast.obj\n\n$ eod\n$ write out \"CFLAGS=\", ccopt\n$ write out \"LOPTS=\", lopts\n$ write out \"all : example.exe minigzip.exe libz.olb\"\n$ copy sys$input: out\n$ deck\n @ write sys$output \" Example applications available\"\n\nlibz.olb : libz.olb($(OBJS))\n\t@ write sys$output \" libz available\"\n\nexample.exe : example.obj libz.olb\n link $(LOPTS) example,libz.olb/lib\n\nminigzip.exe : minigzip.obj libz.olb\n link $(LOPTS) minigzip,libz.olb/lib\n\nclean :\n\tdelete *.obj;*,libz.olb;*,*.opt;*,*.exe;*\n\n\n# Other dependencies.\nadler32.obj : adler32.c zutil.h zlib.h zconf.h\ncompress.obj : compress.c zlib.h zconf.h\ncrc32.obj : crc32.c zutil.h zlib.h zconf.h\ndeflate.obj : deflate.c deflate.h zutil.h zlib.h zconf.h\nexample.obj : [.test]example.c zlib.h zconf.h\ngzclose.obj : gzclose.c zutil.h zlib.h zconf.h\ngzlib.obj : gzlib.c zutil.h zlib.h zconf.h\ngzread.obj : gzread.c zutil.h zlib.h zconf.h\ngzwrite.obj : gzwrite.c zutil.h zlib.h zconf.h\ninffast.obj : inffast.c zutil.h zlib.h zconf.h inftrees.h inffast.h\ninflate.obj : inflate.c zutil.h zlib.h zconf.h\ninftrees.obj : inftrees.c zutil.h zlib.h zconf.h inftrees.h\nminigzip.obj : [.test]minigzip.c zlib.h zconf.h\ntrees.obj : trees.c deflate.h zutil.h zlib.h zconf.h\nuncompr.obj : uncompr.c zlib.h zconf.h\nzutil.obj : zutil.c zutil.h zlib.h zconf.h\ninfback.obj : infback.c zutil.h inftrees.h inflate.h inffast.h inffixed.h\n$ eod\n$ close out\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Read list of core library sources from makefile.in and create options\n$! needed to build shareable image\n$!\n$CREA_OLIST:\n$ open/read min makefile.in\n$ open/write mod modules.opt\n$ src_check_list = \"OBJZ =#OBJG =\"\n$MRLOOP:\n$ read/end=mrdone min rec\n$ i = 0\n$SRC_CHECK_LOOP:\n$ src_check = f$element(i, \"#\", src_check_list)\n$ i = i+1\n$ if src_check .eqs. \"#\" then goto mrloop\n$ if (f$extract(0,6,rec) .nes. src_check) then goto src_check_loop\n$ rec = rec - src_check\n$ gosub extra_filnam\n$ if (f$element(1,\"\\\",rec) .eqs. \"\\\") then goto mrloop\n$MRSLOOP:\n$ read/end=mrdone min rec\n$ gosub extra_filnam\n$ if (f$element(1,\"\\\",rec) .nes. \"\\\") then goto mrsloop\n$MRDONE:\n$ close min\n$ close mod\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Take record extracted in crea_olist and split it into single filenames\n$!\n$EXTRA_FILNAM:\n$ myrec = f$edit(rec - \"\\\", \"trim,compress\")\n$ i = 0\n$FELOOP:\n$ srcfil = f$element(i,\" \", myrec)\n$ if (srcfil .nes. \" \")\n$ then\n$ write mod f$parse(srcfil,,,\"NAME\"), \".obj\"\n$ i = i + 1\n$ goto feloop\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Find current Zlib version number\n$!\n$FIND_VERSION:\n$ open/read h_in 'v_file'\n$hloop:\n$ read/end=hdone h_in rec\n$ rec = f$edit(rec,\"TRIM\")\n$ if (f$extract(0,1,rec) .nes. \"#\") then goto hloop\n$ rec = f$edit(rec - \"#\", \"TRIM\")\n$ if f$element(0,\" \",rec) .nes. \"define\" then goto hloop\n$ if f$element(1,\" \",rec) .eqs. v_string\n$ then\n$ version = 'f$element(2,\" \",rec)'\n$ goto hdone\n$ endif\n$ goto hloop\n$hdone:\n$ close h_in\n$ return\n$!------------------------------------------------------------------------------\n$!\n$CHECK_CONFIG:\n$!\n$ in_ldef = f$locate(cdef,libdefs)\n$ if (in_ldef .lt. f$length(libdefs))\n$ then\n$ write aconf \"#define ''cdef' 1\"\n$ libdefs = f$extract(0,in_ldef,libdefs) + -\n f$extract(in_ldef + f$length(cdef) + 1, -\n f$length(libdefs) - in_ldef - f$length(cdef) - 1, -\n libdefs)\n$ else\n$ if (f$type('cdef') .eqs. \"INTEGER\")\n$ then\n$ write aconf \"#define ''cdef' \", 'cdef'\n$ else\n$ if (f$type('cdef') .eqs. \"STRING\")\n$ then\n$ write aconf \"#define ''cdef' \", \"\"\"\", '''cdef'', \"\"\"\"\n$ else\n$ gosub check_cc_def\n$ endif\n$ endif\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Check if this is a define relating to the properties of the C/C++\n$! compiler\n$!\n$ CHECK_CC_DEF:\n$ if (cdef .eqs. \"_LARGEFILE64_SOURCE\")\n$ then\n$ copy sys$input: 'tc'\n$ deck\n#include \"tconfig\"\n#define _LARGEFILE\n#include \n\nint main(){\nFILE *fp;\n fp = fopen(\"temp.txt\",\"r\");\n fseeko(fp,1,SEEK_SET);\n fclose(fp);\n}\n\n$ eod\n$ test_inv = false\n$ comm_h = false\n$ gosub cc_prop_check\n$ return\n$ endif\n$ write aconf \"/* \", line, \" */\"\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Check for properties of C/C++ compiler\n$!\n$! Version history\n$! 0.01 20031020 First version to receive a number\n$! 0.02 20031022 Added logic for defines with value\n$! 0.03 20040309 Make sure local config file gets not deleted\n$! 0.04 20041230 Also write include for configure run\n$! 0.05 20050103 Add processing of \"comment defines\"\n$CC_PROP_CHECK:\n$ cc_prop = true\n$ is_need = false\n$ is_need = (f$extract(0,4,cdef) .eqs. \"NEED\") .or. (test_inv .eq. true)\n$ if f$search(th) .eqs. \"\" then create 'th'\n$ set message/nofac/noident/nosever/notext\n$ on error then continue\n$ cc 'tmpnam'\n$ if .not. ($status) then cc_prop = false\n$ on error then continue\n$! The headers might lie about the capabilities of the RTL\n$ link 'tmpnam',tmp.opt/opt\n$ if .not. ($status) then cc_prop = false\n$ set message/fac/ident/sever/text\n$ on error then goto err_exit\n$ delete/nolog 'tmpnam'.*;*/exclude='th'\n$ if (cc_prop .and. .not. is_need) .or. -\n (.not. cc_prop .and. is_need)\n$ then\n$ write sys$output \"Checking for ''cdef'... yes\"\n$ if f$type('cdef_val'_yes) .nes. \"\"\n$ then\n$ if f$type('cdef_val'_yes) .eqs. \"INTEGER\" -\n then call write_config f$fao(\"#define !AS !UL\",cdef,'cdef_val'_yes)\n$ if f$type('cdef_val'_yes) .eqs. \"STRING\" -\n then call write_config f$fao(\"#define !AS !AS\",cdef,'cdef_val'_yes)\n$ else\n$ call write_config f$fao(\"#define !AS 1\",cdef)\n$ endif\n$ if (cdef .eqs. \"HAVE_FSEEKO\") .or. (cdef .eqs. \"_LARGE_FILES\") .or. -\n (cdef .eqs. \"_LARGEFILE64_SOURCE\") then -\n call write_config f$string(\"#define _LARGEFILE 1\")\n$ else\n$ write sys$output \"Checking for ''cdef'... no\"\n$ if (comm_h)\n$ then\n call write_config f$fao(\"/* !AS */\",line)\n$ else\n$ if f$type('cdef_val'_no) .nes. \"\"\n$ then\n$ if f$type('cdef_val'_no) .eqs. \"INTEGER\" -\n then call write_config f$fao(\"#define !AS !UL\",cdef,'cdef_val'_no)\n$ if f$type('cdef_val'_no) .eqs. \"STRING\" -\n then call write_config f$fao(\"#define !AS !AS\",cdef,'cdef_val'_no)\n$ else\n$ call write_config f$fao(\"#undef !AS\",cdef)\n$ endif\n$ endif\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Check for properties of C/C++ compiler with multiple result values\n$!\n$! Version history\n$! 0.01 20040127 First version\n$! 0.02 20050103 Reconcile changes from cc_prop up to version 0.05\n$CC_MPROP_CHECK:\n$ cc_prop = true\n$ i = 1\n$ idel = 1\n$ MT_LOOP:\n$ if f$type(result_'i') .eqs. \"STRING\"\n$ then\n$ set message/nofac/noident/nosever/notext\n$ on error then continue\n$ cc 'tmpnam'_'i'\n$ if .not. ($status) then cc_prop = false\n$ on error then continue\n$! The headers might lie about the capabilities of the RTL\n$ link 'tmpnam'_'i',tmp.opt/opt\n$ if .not. ($status) then cc_prop = false\n$ set message/fac/ident/sever/text\n$ on error then goto err_exit\n$ delete/nolog 'tmpnam'_'i'.*;*\n$ if (cc_prop)\n$ then\n$ write sys$output \"Checking for ''cdef'... \", mdef_'i'\n$ if f$type(mdef_'i') .eqs. \"INTEGER\" -\n then call write_config f$fao(\"#define !AS !UL\",cdef,mdef_'i')\n$ if f$type('cdef_val'_yes) .eqs. \"STRING\" -\n then call write_config f$fao(\"#define !AS !AS\",cdef,mdef_'i')\n$ goto msym_clean\n$ else\n$ i = i + 1\n$ goto mt_loop\n$ endif\n$ endif\n$ write sys$output \"Checking for ''cdef'... no\"\n$ call write_config f$fao(\"#undef !AS\",cdef)\n$ MSYM_CLEAN:\n$ if (idel .le. msym_max)\n$ then\n$ delete/sym mdef_'idel'\n$ idel = idel + 1\n$ goto msym_clean\n$ endif\n$ return\n$!------------------------------------------------------------------------------\n$!\n$! Write configuration to both permanent and temporary config file\n$!\n$! Version history\n$! 0.01 20031029 First version to receive a number\n$!\n$WRITE_CONFIG: SUBROUTINE\n$ write aconf 'p1'\n$ open/append confh 'th'\n$ write confh 'p1'\n$ close confh\n$ENDSUBROUTINE\n$!------------------------------------------------------------------------------\n$!\n$! Analyze the project map file and create the symbol vector for a shareable\n$! image from it\n$!\n$! Version history\n$! 0.01 20120128 First version\n$! 0.02 20120226 Add pre-load logic\n$!\n$ MAP_2_SHOPT: Subroutine\n$!\n$ SAY := \"WRITE_ SYS$OUTPUT\"\n$!\n$ IF F$SEARCH(\"''P1'\") .EQS. \"\"\n$ THEN\n$ SAY \"MAP_2_SHOPT-E-NOSUCHFILE: Error, inputfile ''p1' not available\"\n$ goto exit_m2s\n$ ENDIF\n$ IF \"''P2'\" .EQS. \"\"\n$ THEN\n$ SAY \"MAP_2_SHOPT: Error, no output file provided\"\n$ goto exit_m2s\n$ ENDIF\n$!\n$ module1 = \"deflate#deflateEnd#deflateInit_#deflateParams#deflateSetDictionary\"\n$ module2 = \"gzclose#gzerror#gzgetc#gzgets#gzopen#gzprintf#gzputc#gzputs#gzread\"\n$ module3 = \"gzseek#gztell#inflate#inflateEnd#inflateInit_#inflateSetDictionary\"\n$ module4 = \"inflateSync#uncompress#zlibVersion#compress\"\n$ open/read map 'p1\n$ if axp .or. ia64\n$ then\n$ open/write aopt a.opt\n$ open/write bopt b.opt\n$ write aopt \" CASE_SENSITIVE=YES\"\n$ write bopt \"SYMBOL_VECTOR= (-\"\n$ mod_sym_num = 1\n$ MOD_SYM_LOOP:\n$ if f$type(module'mod_sym_num') .nes. \"\"\n$ then\n$ mod_in = 0\n$ MOD_SYM_IN:\n$ shared_proc = f$element(mod_in, \"#\", module'mod_sym_num')\n$ if shared_proc .nes. \"#\"\n$ then\n$ write aopt f$fao(\" symbol_vector=(!AS/!AS=PROCEDURE)\",-\n \t\t f$edit(shared_proc,\"upcase\"),shared_proc)\n$ write bopt f$fao(\"!AS=PROCEDURE,-\",shared_proc)\n$ mod_in = mod_in + 1\n$ goto mod_sym_in\n$ endif\n$ mod_sym_num = mod_sym_num + 1\n$ goto mod_sym_loop\n$ endif\n$MAP_LOOP:\n$ read/end=map_end map line\n$ if (f$locate(\"{\",line).lt. f$length(line)) .or. -\n (f$locate(\"global:\", line) .lt. f$length(line))\n$ then\n$ proc = true\n$ goto map_loop\n$ endif\n$ if f$locate(\"}\",line).lt. f$length(line) then proc = false\n$ if f$locate(\"local:\", line) .lt. f$length(line) then proc = false\n$ if proc\n$ then\n$ shared_proc = f$edit(line,\"collapse\")\n$ chop_semi = f$locate(\";\", shared_proc)\n$ if chop_semi .lt. f$length(shared_proc) then -\n shared_proc = f$extract(0, chop_semi, shared_proc)\n$ write aopt f$fao(\" symbol_vector=(!AS/!AS=PROCEDURE)\",-\n \t\t\t f$edit(shared_proc,\"upcase\"),shared_proc)\n$ write bopt f$fao(\"!AS=PROCEDURE,-\",shared_proc)\n$ endif\n$ goto map_loop\n$MAP_END:\n$ close/nolog aopt\n$ close/nolog bopt\n$ open/append libopt 'p2'\n$ open/read aopt a.opt\n$ open/read bopt b.opt\n$ALOOP:\n$ read/end=aloop_end aopt line\n$ write libopt line\n$ goto aloop\n$ALOOP_END:\n$ close/nolog aopt\n$ sv = \"\"\n$BLOOP:\n$ read/end=bloop_end bopt svn\n$ if (svn.nes.\"\")\n$ then\n$ if (sv.nes.\"\") then write libopt sv\n$ sv = svn\n$ endif\n$ goto bloop\n$BLOOP_END:\n$ write libopt f$extract(0,f$length(sv)-2,sv), \"-\"\n$ write libopt \")\"\n$ close/nolog bopt\n$ delete/nolog/noconf a.opt;*,b.opt;*\n$ else\n$ if vax\n$ then\n$ open/append libopt 'p2'\n$ mod_sym_num = 1\n$ VMOD_SYM_LOOP:\n$ if f$type(module'mod_sym_num') .nes. \"\"\n$ then\n$ mod_in = 0\n$ VMOD_SYM_IN:\n$ shared_proc = f$element(mod_in, \"#\", module'mod_sym_num')\n$ if shared_proc .nes. \"#\"\n$ then\n$ \t write libopt f$fao(\"UNIVERSAL=!AS\",-\n \t \t\t\t f$edit(shared_proc,\"upcase\"))\n$ mod_in = mod_in + 1\n$ goto vmod_sym_in\n$ endif\n$ mod_sym_num = mod_sym_num + 1\n$ goto vmod_sym_loop\n$ endif\n$VMAP_LOOP:\n$ \t read/end=vmap_end map line\n$ \t if (f$locate(\"{\",line).lt. f$length(line)) .or. -\n \t (f$locate(\"global:\", line) .lt. f$length(line))\n$ \t then\n$ \t proc = true\n$ \t goto vmap_loop\n$ \t endif\n$ \t if f$locate(\"}\",line).lt. f$length(line) then proc = false\n$ \t if f$locate(\"local:\", line) .lt. f$length(line) then proc = false\n$ \t if proc\n$ \t then\n$ \t shared_proc = f$edit(line,\"collapse\")\n$ \t chop_semi = f$locate(\";\", shared_proc)\n$ \t if chop_semi .lt. f$length(shared_proc) then -\n \t \t shared_proc = f$extract(0, chop_semi, shared_proc)\n$ \t write libopt f$fao(\"UNIVERSAL=!AS\",-\n \t \t\t\t f$edit(shared_proc,\"upcase\"))\n$ \t endif\n$ \t goto vmap_loop\n$VMAP_END:\n$ else\n$ write sys$output \"Unknown Architecture (Not VAX, AXP, or IA64)\"\n$ write sys$output \"No options file created\"\n$ endif\n$ endif\n$ EXIT_M2S:\n$ close/nolog map\n$ close/nolog libopt\n$ endsubroutine\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/nintendods/Makefile", "content": "#---------------------------------------------------------------------------------\n.SUFFIXES:\n#---------------------------------------------------------------------------------\n\nifeq ($(strip $(DEVKITARM)),)\n$(error \"Please set DEVKITARM in your environment. export DEVKITARM=devkitARM\")\nendif\n\ninclude $(DEVKITARM)/ds_rules\n\n#---------------------------------------------------------------------------------\n# TARGET is the name of the output\n# BUILD is the directory where object files & intermediate files will be placed\n# SOURCES is a list of directories containing source code\n# DATA is a list of directories containing data files\n# INCLUDES is a list of directories containing header files\n#---------------------------------------------------------------------------------\nTARGET\t\t:=\t$(shell basename $(CURDIR))\nBUILD\t\t:=\tbuild\nSOURCES\t\t:=\t../../\nDATA\t\t:=\tdata\nINCLUDES\t:=\tinclude\n\n#---------------------------------------------------------------------------------\n# options for code generation\n#---------------------------------------------------------------------------------\nARCH\t:=\t-mthumb -mthumb-interwork\n\nCFLAGS\t:=\t-Wall -O2\\\n\t\t-march=armv5te -mtune=arm946e-s \\\n\t\t-fomit-frame-pointer -ffast-math \\\n\t\t$(ARCH)\n\nCFLAGS\t+=\t$(INCLUDE) -DARM9\nCXXFLAGS\t:= $(CFLAGS) -fno-rtti -fno-exceptions\n\nASFLAGS\t:=\t$(ARCH) -march=armv5te -mtune=arm946e-s\nLDFLAGS\t=\t-specs=ds_arm9.specs -g $(ARCH) -Wl,-Map,$(notdir $*.map)\n\n#---------------------------------------------------------------------------------\n# list of directories containing libraries, this must be the top level containing\n# include and lib\n#---------------------------------------------------------------------------------\nLIBDIRS\t:=\t$(LIBNDS)\n\n#---------------------------------------------------------------------------------\n# no real need to edit anything past this point unless you need to add additional\n# rules for different file extensions\n#---------------------------------------------------------------------------------\nifneq ($(BUILD),$(notdir $(CURDIR)))\n#---------------------------------------------------------------------------------\n\nexport OUTPUT\t:=\t$(CURDIR)/lib/libz.a\n\nexport VPATH\t:=\t$(foreach dir,$(SOURCES),$(CURDIR)/$(dir)) \\\n\t\t\t$(foreach dir,$(DATA),$(CURDIR)/$(dir))\n\nexport DEPSDIR\t:=\t$(CURDIR)/$(BUILD)\n\nCFILES\t\t:=\t$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.c)))\nCPPFILES\t:=\t$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.cpp)))\nSFILES\t\t:=\t$(foreach dir,$(SOURCES),$(notdir $(wildcard $(dir)/*.s)))\nBINFILES\t:=\t$(foreach dir,$(DATA),$(notdir $(wildcard $(dir)/*.*)))\n\n#---------------------------------------------------------------------------------\n# use CXX for linking C++ projects, CC for standard C\n#---------------------------------------------------------------------------------\nifeq ($(strip $(CPPFILES)),)\n#---------------------------------------------------------------------------------\n\texport LD\t:=\t$(CC)\n#---------------------------------------------------------------------------------\nelse\n#---------------------------------------------------------------------------------\n\texport LD\t:=\t$(CXX)\n#---------------------------------------------------------------------------------\nendif\n#---------------------------------------------------------------------------------\n\nexport OFILES\t:=\t$(addsuffix .o,$(BINFILES)) \\\n\t\t\t$(CPPFILES:.cpp=.o) $(CFILES:.c=.o) $(SFILES:.s=.o)\n\nexport INCLUDE\t:=\t$(foreach dir,$(INCLUDES),-I$(CURDIR)/$(dir)) \\\n\t\t\t$(foreach dir,$(LIBDIRS),-I$(dir)/include) \\\n\t\t\t-I$(CURDIR)/$(BUILD)\n\n.PHONY: $(BUILD) clean all\n\n#---------------------------------------------------------------------------------\nall: $(BUILD)\n\t@[ -d $@ ] || mkdir -p include\n\t@cp ../../*.h include\n\nlib:\n\t@[ -d $@ ] || mkdir -p $@\n\t\n$(BUILD): lib\n\t@[ -d $@ ] || mkdir -p $@\n\t@$(MAKE) --no-print-directory -C $(BUILD) -f $(CURDIR)/Makefile\n\n#---------------------------------------------------------------------------------\nclean:\n\t@echo clean ...\n\t@rm -fr $(BUILD) lib\n\n#---------------------------------------------------------------------------------\nelse\n\nDEPENDS\t:=\t$(OFILES:.o=.d)\n\n#---------------------------------------------------------------------------------\n# main targets\n#---------------------------------------------------------------------------------\n$(OUTPUT)\t:\t$(OFILES)\n\n#---------------------------------------------------------------------------------\n%.bin.o\t:\t%.bin\n#---------------------------------------------------------------------------------\n\t@echo $(notdir $<)\n\t@$(bin2o)\n\n\n-include $(DEPENDS)\n\n#---------------------------------------------------------------------------------------\nendif\n#---------------------------------------------------------------------------------------\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/nintendods/README", "content": "This Makefile requires devkitARM (http://www.devkitpro.org/category/devkitarm/) and works inside \"contrib/nds\". It is based on a devkitARM template.\n\nEduardo Costa \nJanuary 3, 2009\n\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/README400", "content": " ZLIB version 1.3.0 for OS/400 installation instructions\n\n1) Download and unpack the zlib tarball to some IFS directory.\n (i.e.: /path/to/the/zlib/ifs/source/directory)\n\n If the installed IFS command supports gzip format, this is straightforward,\nelse you have to unpack first to some directory on a system supporting it,\nthen move the whole directory to the IFS via the network (via SMB or FTP).\n\n2) Edit the configuration parameters in the compilation script.\n\n EDTF STMF('/path/to/the/zlib/ifs/source/directory/os400/make.sh')\n\nTune the parameters according to your needs if not matching the defaults.\nSave the file and exit after edition.\n\n3) Enter qshell, then work in the zlib OS/400 specific directory.\n\n QSH\n cd /path/to/the/zlib/ifs/source/directory/os400\n\n4) Compile and install\n\n sh make.sh\n\nThe script will:\n- create the libraries, objects and IFS directories for the zlib environment,\n- compile all modules,\n- create a service program,\n- create a static and a dynamic binding directory,\n- install header files for C/C++ and for ILE/RPG, both for compilation in\n DB2 and IFS environments.\n\nThat's all. \n\n\nNotes: For OS/400 ILE RPG programmers, a /copy member defining the ZLIB\n API prototypes for ILE RPG can be found in ZLIB/H(ZLIB.INC).\n In the ILE environment, the same definitions are available from\n file zlib.inc located in the same IFS include directory as the\n C/C++ header files.\n Please read comments in this member for more information.\n\n Remember that most foreign textual data are ASCII coded: this\n implementation does not handle conversion from/to ASCII, so\n text data code conversions must be done explicitly.\n\n Mainly for the reason above, always open zipped files in binary mode.\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/bndsrc", "content": "STRPGMEXP PGMLVL(*CURRENT) SIGNATURE('ZLIB')\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.1.3 entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"adler32\")\n EXPORT SYMBOL(\"compress\")\n EXPORT SYMBOL(\"compress2\")\n EXPORT SYMBOL(\"crc32\")\n EXPORT SYMBOL(\"get_crc_table\")\n EXPORT SYMBOL(\"deflate\")\n EXPORT SYMBOL(\"deflateEnd\")\n EXPORT SYMBOL(\"deflateSetDictionary\")\n EXPORT SYMBOL(\"deflateCopy\")\n EXPORT SYMBOL(\"deflateReset\")\n EXPORT SYMBOL(\"deflateParams\")\n EXPORT SYMBOL(\"deflatePrime\")\n EXPORT SYMBOL(\"deflateInit_\")\n EXPORT SYMBOL(\"deflateInit2_\")\n EXPORT SYMBOL(\"gzopen\")\n EXPORT SYMBOL(\"gzdopen\")\n EXPORT SYMBOL(\"gzsetparams\")\n EXPORT SYMBOL(\"gzread\")\n EXPORT SYMBOL(\"gzwrite\")\n EXPORT SYMBOL(\"gzprintf\")\n EXPORT SYMBOL(\"gzputs\")\n EXPORT SYMBOL(\"gzgets\")\n EXPORT SYMBOL(\"gzputc\")\n EXPORT SYMBOL(\"gzgetc\")\n EXPORT SYMBOL(\"gzflush\")\n EXPORT SYMBOL(\"gzseek\")\n EXPORT SYMBOL(\"gzrewind\")\n EXPORT SYMBOL(\"gztell\")\n EXPORT SYMBOL(\"gzeof\")\n EXPORT SYMBOL(\"gzclose\")\n EXPORT SYMBOL(\"gzerror\")\n EXPORT SYMBOL(\"inflate\")\n EXPORT SYMBOL(\"inflateEnd\")\n EXPORT SYMBOL(\"inflateSetDictionary\")\n EXPORT SYMBOL(\"inflateSync\")\n EXPORT SYMBOL(\"inflateReset\")\n EXPORT SYMBOL(\"inflateInit_\")\n EXPORT SYMBOL(\"inflateInit2_\")\n EXPORT SYMBOL(\"inflateSyncPoint\")\n EXPORT SYMBOL(\"uncompress\")\n EXPORT SYMBOL(\"zlibVersion\")\n EXPORT SYMBOL(\"zError\")\n EXPORT SYMBOL(\"z_errmsg\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.1 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"compressBound\")\n EXPORT SYMBOL(\"deflateBound\")\n EXPORT SYMBOL(\"deflatePending\")\n EXPORT SYMBOL(\"gzungetc\")\n EXPORT SYMBOL(\"gzclearerr\")\n EXPORT SYMBOL(\"inflateBack\")\n EXPORT SYMBOL(\"inflateBackEnd\")\n EXPORT SYMBOL(\"inflateBackInit_\")\n EXPORT SYMBOL(\"inflateCopy\")\n EXPORT SYMBOL(\"zlibCompileFlags\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.4 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"adler32_combine\")\n EXPORT SYMBOL(\"adler32_combine64\")\n EXPORT SYMBOL(\"crc32_combine\")\n EXPORT SYMBOL(\"crc32_combine64\")\n EXPORT SYMBOL(\"deflateSetHeader\")\n EXPORT SYMBOL(\"deflateTune\")\n EXPORT SYMBOL(\"gzbuffer\")\n EXPORT SYMBOL(\"gzclose_r\")\n EXPORT SYMBOL(\"gzclose_w\")\n EXPORT SYMBOL(\"gzdirect\")\n EXPORT SYMBOL(\"gzoffset\")\n EXPORT SYMBOL(\"gzoffset64\")\n EXPORT SYMBOL(\"gzopen64\")\n EXPORT SYMBOL(\"gzseek64\")\n EXPORT SYMBOL(\"gztell64\")\n EXPORT SYMBOL(\"inflateGetHeader\")\n EXPORT SYMBOL(\"inflateMark\")\n EXPORT SYMBOL(\"inflatePrime\")\n EXPORT SYMBOL(\"inflateReset2\")\n EXPORT SYMBOL(\"inflateUndermine\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.6 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"deflateResetKeep\")\n EXPORT SYMBOL(\"gzgetc_\")\n EXPORT SYMBOL(\"inflateResetKeep\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.8 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"gzvprintf\")\n EXPORT SYMBOL(\"inflateGetDictionary\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.9 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"adler32_z\")\n EXPORT SYMBOL(\"crc32_z\")\n EXPORT SYMBOL(\"deflateGetDictionary\")\n EXPORT SYMBOL(\"gzfread\")\n EXPORT SYMBOL(\"gzfwrite\")\n EXPORT SYMBOL(\"inflateCodesUsed\")\n EXPORT SYMBOL(\"inflateValidate\")\n EXPORT SYMBOL(\"uncompress2\")\n\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n/* Version 1.2.12 additional entry points. */\n/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*/\n\n EXPORT SYMBOL(\"crc32_combine_gen64\")\n EXPORT SYMBOL(\"crc32_combine_gen\")\n EXPORT SYMBOL(\"crc32_combine_op\")\n\nENDPGMEXP\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/os400/make.sh", "content": "#!/bin/sh\n#\n# ZLIB compilation script for the OS/400.\n#\n#\n# This is a shell script since make is not a standard component of OS/400.\n\n\n################################################################################\n#\n# Tunable configuration parameters.\n#\n################################################################################\n\nTARGETLIB='ZLIB' # Target OS/400 program library\nSTATBNDDIR='ZLIB_A' # Static binding directory.\nDYNBNDDIR='ZLIB' # Dynamic binding directory.\nSRVPGM=\"ZLIB\" # Service program.\nIFSDIR='/zlib' # IFS support base directory.\nTGTCCSID='500' # Target CCSID of objects\nDEBUG='*NONE' # Debug level\nOPTIMIZE='40' # Optimisation level\nOUTPUT='*NONE' # Compilation output option.\nTGTRLS='V6R1M0' # Target OS release\n\nexport TARGETLIB STATBNDDIR DYNBNDDIR SRVPGM IFSDIR\nexport TGTCCSID DEBUG OPTIMIZE OUTPUT TGTRLS\n\n\n################################################################################\n#\n# OS/400 specific definitions.\n#\n################################################################################\n\nLIBIFSNAME=\"/QSYS.LIB/${TARGETLIB}.LIB\"\n\n\n################################################################################\n#\n# Procedures.\n#\n################################################################################\n\n# action_needed dest [src]\n#\n# dest is an object to build\n# if specified, src is an object on which dest depends.\n#\n# exit 0 (succeeds) if some action has to be taken, else 1.\n\naction_needed()\n\n{\n [ ! -e \"${1}\" ] && return 0\n [ \"${2}\" ] || return 1\n [ \"${1}\" -ot \"${2}\" ] && return 0\n return 1\n}\n\n\n# make_module module_name source_name [additional_definitions]\n#\n# Compile source name into module if needed.\n# As side effect, append the module name to variable MODULES.\n# Set LINK to \"YES\" if the module has been compiled.\n\nmake_module()\n\n{\n MODULES=\"${MODULES} ${1}\"\n MODIFSNAME=\"${LIBIFSNAME}/${1}.MODULE\"\n CSRC=\"`basename \\\"${2}\\\"`\"\n\n if action_needed \"${MODIFSNAME}\" \"${2}\"\n then :\n elif [ ! \"`sed -e \\\"//,/<\\\\\\\\/source>/!d\\\" \\\n -e '/ tmphdrfile\n\n # Need to translate to target CCSID.\n\n CMD=\"CPY OBJ('`pwd`/tmphdrfile') TOOBJ('${DEST}')\"\n CMD=\"${CMD} TOCCSID(${TGTCCSID}) DTAFMT(*TEXT) REPLACE(*YES)\"\n system \"${CMD}\"\n # touch -r \"${HFILE}\" \"${DEST}\"\n rm -f tmphdrfile\n fi\n\n IFSFILE=\"${IFSDIR}/include/`basename \\\"${HFILE}\\\"`\"\n\n if action_needed \"${IFSFILE}\" \"${DEST}\"\n then rm -f \"${IFSFILE}\"\n ln -s \"${DEST}\" \"${IFSFILE}\"\n fi\ndone\n\n\n# Install the ILE/RPG header file.\n\n\nHFILE=\"${SCRIPTDIR}/zlib.inc\"\nDEST=\"${SRCPF}/ZLIB.INC.MBR\"\n\nif action_needed \"${DEST}\" \"${HFILE}\"\nthen CMD=\"CPY OBJ('${HFILE}') TOOBJ('${DEST}')\"\n CMD=\"${CMD} TOCCSID(${TGTCCSID}) DTAFMT(*TEXT) REPLACE(*YES)\"\n system \"${CMD}\"\n # touch -r \"${HFILE}\" \"${DEST}\"\nfi\n\nIFSFILE=\"${IFSDIR}/include/`basename \\\"${HFILE}\\\"`\"\n\nif action_needed \"${IFSFILE}\" \"${DEST}\"\nthen rm -f \"${IFSFILE}\"\n ln -s \"${DEST}\" \"${IFSFILE}\"\nfi\n\n\n# Create and compile the identification source file.\n\necho '#pragma comment(user, \"ZLIB version '\"${VERSION}\"'\")' > os400.c\necho '#pragma comment(user, __DATE__)' >> os400.c\necho '#pragma comment(user, __TIME__)' >> os400.c\necho '#pragma comment(copyright, \"Copyright (C) 1995-2017 Jean-Loup Gailly, Mark Adler. OS/400 version by P. Monnerat.\")' >> os400.c\nmake_module OS400 os400.c\nLINK= # No need to rebuild service program yet.\nMODULES=\n\n\n# Get source list.\n\nCSOURCES=`sed -e '/\n \n \n \n \n \n \n \n \n \n \n \n \n\n \n \n \n \n \n \n \n \n\n \n \n \n \n \n \n \n \n \n\n \n \n \n Library\n \n Medium\n \n 2.0\n \n\n \n zlib\n zlib\n alain.bonnefoy@icbt.com\n Public\n public\n www.gzip.org/zlib\n \n \n Jean-Loup Gailly,Mark Adler\n www.gzip.org/zlib\n \n zlib@gzip.org\n \n \n A massively spiffy yet delicately unobtrusive compression library.\n zlib is designed to be a free, general-purpose, legally unencumbered, lossless data compression library for use on virtually any computer hardware and operating system.\n http://www.gzip.org/zlib\n \n \n\n \n 1.3.0\n Medium\n Stable\n \n \n \n \n \n\n No License\n \n\n \n Software Development/Libraries and Extensions/C Libraries\n zlib,compression\n qnx6\n qnx6\n None\n Developer\n \n \n \n\n \n \n \n \n \n\n \n \n \n Install\n Post\n No\n Ignore\n \n No\n Optional\n \n \n \n\n \n \n \n\n \n \n \n\t \n\t InstallOver\n\t zlib\n\t \n \n \n\n \n \n \n\n \n \n \n\t \n\t InstallOver\n\t zlib-dev\n\t \n \n \n\n \n \n \n \n\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/example.c", "content": "/* example.c -- usage example of the zlib compression library\n * Copyright (C) 1995-2006, 2011, 2016 Jean-loup Gailly\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#include \"zlib.h\"\n#include \n\n#ifdef STDC\n# include \n# include \n#endif\n\n#if defined(VMS) || defined(RISCOS)\n# define TESTFILE \"foo-gz\"\n#else\n# define TESTFILE \"foo.gz\"\n#endif\n\n#define CHECK_ERR(err, msg) { \\\n if (err != Z_OK) { \\\n fprintf(stderr, \"%s error: %d\\n\", msg, err); \\\n exit(1); \\\n } \\\n}\n\nstatic z_const char hello[] = \"hello, hello!\";\n/* \"hello world\" would be more standard, but the repeated \"hello\"\n * stresses the compression code better, sorry...\n */\n\nstatic const char dictionary[] = \"hello\";\nstatic uLong dictId; /* Adler32 value of the dictionary */\n\n#ifdef Z_SOLO\n\nvoid *myalloc(void *q, unsigned n, unsigned m) {\n (void)q;\n return calloc(n, m);\n}\n\nvoid myfree(void *q, void *p) {\n (void)q;\n free(p);\n}\n\nstatic alloc_func zalloc = myalloc;\nstatic free_func zfree = myfree;\n\n#else /* !Z_SOLO */\n\nstatic alloc_func zalloc = (alloc_func)0;\nstatic free_func zfree = (free_func)0;\n\n/* ===========================================================================\n * Test compress() and uncompress()\n */\nvoid test_compress(Byte *compr, uLong comprLen, Byte *uncompr,\n uLong uncomprLen) {\n int err;\n uLong len = (uLong)strlen(hello)+1;\n\n err = compress(compr, &comprLen, (const Bytef*)hello, len);\n CHECK_ERR(err, \"compress\");\n\n strcpy((char*)uncompr, \"garbage\");\n\n err = uncompress(uncompr, &uncomprLen, compr, comprLen);\n CHECK_ERR(err, \"uncompress\");\n\n if (strcmp((char*)uncompr, hello)) {\n fprintf(stderr, \"bad uncompress\\n\");\n exit(1);\n } else {\n printf(\"uncompress(): %s\\n\", (char *)uncompr);\n }\n}\n\n/* ===========================================================================\n * Test read/write of .gz files\n */\nvoid test_gzio(const char *fname, Byte *uncompr, uLong uncomprLen) {\n#ifdef NO_GZCOMPRESS\n fprintf(stderr, \"NO_GZCOMPRESS -- gz* functions cannot compress\\n\");\n#else\n int err;\n int len = (int)strlen(hello)+1;\n gzFile file;\n z_off_t pos;\n\n file = gzopen(fname, \"wb\");\n if (file == NULL) {\n fprintf(stderr, \"gzopen error\\n\");\n exit(1);\n }\n gzputc(file, 'h');\n if (gzputs(file, \"ello\") != 4) {\n fprintf(stderr, \"gzputs err: %s\\n\", gzerror(file, &err));\n exit(1);\n }\n if (gzprintf(file, \", %s!\", \"hello\") != 8) {\n fprintf(stderr, \"gzprintf err: %s\\n\", gzerror(file, &err));\n exit(1);\n }\n gzseek(file, 1L, SEEK_CUR); /* add one zero byte */\n gzclose(file);\n\n file = gzopen(fname, \"rb\");\n if (file == NULL) {\n fprintf(stderr, \"gzopen error\\n\");\n exit(1);\n }\n strcpy((char*)uncompr, \"garbage\");\n\n if (gzread(file, uncompr, (unsigned)uncomprLen) != len) {\n fprintf(stderr, \"gzread err: %s\\n\", gzerror(file, &err));\n exit(1);\n }\n if (strcmp((char*)uncompr, hello)) {\n fprintf(stderr, \"bad gzread: %s\\n\", (char*)uncompr);\n exit(1);\n } else {\n printf(\"gzread(): %s\\n\", (char*)uncompr);\n }\n\n pos = gzseek(file, -8L, SEEK_CUR);\n if (pos != 6 || gztell(file) != pos) {\n fprintf(stderr, \"gzseek error, pos=%ld, gztell=%ld\\n\",\n (long)pos, (long)gztell(file));\n exit(1);\n }\n\n if (gzgetc(file) != ' ') {\n fprintf(stderr, \"gzgetc error\\n\");\n exit(1);\n }\n\n if (gzungetc(' ', file) != ' ') {\n fprintf(stderr, \"gzungetc error\\n\");\n exit(1);\n }\n\n gzgets(file, (char*)uncompr, (int)uncomprLen);\n if (strlen((char*)uncompr) != 7) { /* \" hello!\" */\n fprintf(stderr, \"gzgets err after gzseek: %s\\n\", gzerror(file, &err));\n exit(1);\n }\n if (strcmp((char*)uncompr, hello + 6)) {\n fprintf(stderr, \"bad gzgets after gzseek\\n\");\n exit(1);\n } else {\n printf(\"gzgets() after gzseek: %s\\n\", (char*)uncompr);\n }\n\n gzclose(file);\n#endif\n}\n\n#endif /* Z_SOLO */\n\n/* ===========================================================================\n * Test deflate() with small buffers\n */\nvoid test_deflate(Byte *compr, uLong comprLen) {\n z_stream c_stream; /* compression stream */\n int err;\n uLong len = (uLong)strlen(hello)+1;\n\n c_stream.zalloc = zalloc;\n c_stream.zfree = zfree;\n c_stream.opaque = (voidpf)0;\n\n err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);\n CHECK_ERR(err, \"deflateInit\");\n\n c_stream.next_in = (z_const unsigned char *)hello;\n c_stream.next_out = compr;\n\n while (c_stream.total_in != len && c_stream.total_out < comprLen) {\n c_stream.avail_in = c_stream.avail_out = 1; /* force small buffers */\n err = deflate(&c_stream, Z_NO_FLUSH);\n CHECK_ERR(err, \"deflate\");\n }\n /* Finish the stream, still forcing small buffers: */\n for (;;) {\n c_stream.avail_out = 1;\n err = deflate(&c_stream, Z_FINISH);\n if (err == Z_STREAM_END) break;\n CHECK_ERR(err, \"deflate\");\n }\n\n err = deflateEnd(&c_stream);\n CHECK_ERR(err, \"deflateEnd\");\n}\n\n/* ===========================================================================\n * Test inflate() with small buffers\n */\nvoid test_inflate(Byte *compr, uLong comprLen, Byte *uncompr,\n uLong uncomprLen) {\n int err;\n z_stream d_stream; /* decompression stream */\n\n strcpy((char*)uncompr, \"garbage\");\n\n d_stream.zalloc = zalloc;\n d_stream.zfree = zfree;\n d_stream.opaque = (voidpf)0;\n\n d_stream.next_in = compr;\n d_stream.avail_in = 0;\n d_stream.next_out = uncompr;\n\n err = inflateInit(&d_stream);\n CHECK_ERR(err, \"inflateInit\");\n\n while (d_stream.total_out < uncomprLen && d_stream.total_in < comprLen) {\n d_stream.avail_in = d_stream.avail_out = 1; /* force small buffers */\n err = inflate(&d_stream, Z_NO_FLUSH);\n if (err == Z_STREAM_END) break;\n CHECK_ERR(err, \"inflate\");\n }\n\n err = inflateEnd(&d_stream);\n CHECK_ERR(err, \"inflateEnd\");\n\n if (strcmp((char*)uncompr, hello)) {\n fprintf(stderr, \"bad inflate\\n\");\n exit(1);\n } else {\n printf(\"inflate(): %s\\n\", (char *)uncompr);\n }\n}\n\n/* ===========================================================================\n * Test deflate() with large buffers and dynamic change of compression level\n */\nvoid test_large_deflate(Byte *compr, uLong comprLen, Byte *uncompr,\n uLong uncomprLen) {\n z_stream c_stream; /* compression stream */\n int err;\n\n c_stream.zalloc = zalloc;\n c_stream.zfree = zfree;\n c_stream.opaque = (voidpf)0;\n\n err = deflateInit(&c_stream, Z_BEST_SPEED);\n CHECK_ERR(err, \"deflateInit\");\n\n c_stream.next_out = compr;\n c_stream.avail_out = (uInt)comprLen;\n\n /* At this point, uncompr is still mostly zeroes, so it should compress\n * very well:\n */\n c_stream.next_in = uncompr;\n c_stream.avail_in = (uInt)uncomprLen;\n err = deflate(&c_stream, Z_NO_FLUSH);\n CHECK_ERR(err, \"deflate\");\n if (c_stream.avail_in != 0) {\n fprintf(stderr, \"deflate not greedy\\n\");\n exit(1);\n }\n\n /* Feed in already compressed data and switch to no compression: */\n deflateParams(&c_stream, Z_NO_COMPRESSION, Z_DEFAULT_STRATEGY);\n c_stream.next_in = compr;\n c_stream.avail_in = (uInt)uncomprLen/2;\n err = deflate(&c_stream, Z_NO_FLUSH);\n CHECK_ERR(err, \"deflate\");\n\n /* Switch back to compressing mode: */\n deflateParams(&c_stream, Z_BEST_COMPRESSION, Z_FILTERED);\n c_stream.next_in = uncompr;\n c_stream.avail_in = (uInt)uncomprLen;\n err = deflate(&c_stream, Z_NO_FLUSH);\n CHECK_ERR(err, \"deflate\");\n\n err = deflate(&c_stream, Z_FINISH);\n if (err != Z_STREAM_END) {\n fprintf(stderr, \"deflate should report Z_STREAM_END\\n\");\n exit(1);\n }\n err = deflateEnd(&c_stream);\n CHECK_ERR(err, \"deflateEnd\");\n}\n\n/* ===========================================================================\n * Test inflate() with large buffers\n */\nvoid test_large_inflate(Byte *compr, uLong comprLen, Byte *uncompr,\n uLong uncomprLen) {\n int err;\n z_stream d_stream; /* decompression stream */\n\n strcpy((char*)uncompr, \"garbage\");\n\n d_stream.zalloc = zalloc;\n d_stream.zfree = zfree;\n d_stream.opaque = (voidpf)0;\n\n d_stream.next_in = compr;\n d_stream.avail_in = (uInt)comprLen;\n\n err = inflateInit(&d_stream);\n CHECK_ERR(err, \"inflateInit\");\n\n for (;;) {\n d_stream.next_out = uncompr; /* discard the output */\n d_stream.avail_out = (uInt)uncomprLen;\n err = inflate(&d_stream, Z_NO_FLUSH);\n if (err == Z_STREAM_END) break;\n CHECK_ERR(err, \"large inflate\");\n }\n\n err = inflateEnd(&d_stream);\n CHECK_ERR(err, \"inflateEnd\");\n\n if (d_stream.total_out != 2*uncomprLen + uncomprLen/2) {\n fprintf(stderr, \"bad large inflate: %ld\\n\", d_stream.total_out);\n exit(1);\n } else {\n printf(\"large_inflate(): OK\\n\");\n }\n}\n\n/* ===========================================================================\n * Test deflate() with full flush\n */\nvoid test_flush(Byte *compr, uLong *comprLen) {\n z_stream c_stream; /* compression stream */\n int err;\n uInt len = (uInt)strlen(hello)+1;\n\n c_stream.zalloc = zalloc;\n c_stream.zfree = zfree;\n c_stream.opaque = (voidpf)0;\n\n err = deflateInit(&c_stream, Z_DEFAULT_COMPRESSION);\n CHECK_ERR(err, \"deflateInit\");\n\n c_stream.next_in = (z_const unsigned char *)hello;\n c_stream.next_out = compr;\n c_stream.avail_in = 3;\n c_stream.avail_out = (uInt)*comprLen;\n err = deflate(&c_stream, Z_FULL_FLUSH);\n CHECK_ERR(err, \"deflate\");\n\n compr[3]++; /* force an error in first compressed block */\n c_stream.avail_in = len - 3;\n\n err = deflate(&c_stream, Z_FINISH);\n if (err != Z_STREAM_END) {\n CHECK_ERR(err, \"deflate\");\n }\n err = deflateEnd(&c_stream);\n CHECK_ERR(err, \"deflateEnd\");\n\n *comprLen = c_stream.total_out;\n}\n\n/* ===========================================================================\n * Test inflateSync()\n */\nvoid test_sync(Byte *compr, uLong comprLen, Byte *uncompr, uLong uncomprLen) {\n int err;\n z_stream d_stream; /* decompression stream */\n\n strcpy((char*)uncompr, \"garbage\");\n\n d_stream.zalloc = zalloc;\n d_stream.zfree = zfree;\n d_stream.opaque = (voidpf)0;\n\n d_stream.next_in = compr;\n d_stream.avail_in = 2; /* just read the zlib header */\n\n err = inflateInit(&d_stream);\n CHECK_ERR(err, \"inflateInit\");\n\n d_stream.next_out = uncompr;\n d_stream.avail_out = (uInt)uncomprLen;\n\n err = inflate(&d_stream, Z_NO_FLUSH);\n CHECK_ERR(err, \"inflate\");\n\n d_stream.avail_in = (uInt)comprLen-2; /* read all compressed data */\n err = inflateSync(&d_stream); /* but skip the damaged part */\n CHECK_ERR(err, \"inflateSync\");\n\n err = inflate(&d_stream, Z_FINISH);\n if (err != Z_STREAM_END) {\n fprintf(stderr, \"inflate should report Z_STREAM_END\\n\");\n exit(1);\n }\n err = inflateEnd(&d_stream);\n CHECK_ERR(err, \"inflateEnd\");\n\n printf(\"after inflateSync(): hel%s\\n\", (char *)uncompr);\n}\n\n/* ===========================================================================\n * Test deflate() with preset dictionary\n */\nvoid test_dict_deflate(Byte *compr, uLong comprLen) {\n z_stream c_stream; /* compression stream */\n int err;\n\n c_stream.zalloc = zalloc;\n c_stream.zfree = zfree;\n c_stream.opaque = (voidpf)0;\n\n err = deflateInit(&c_stream, Z_BEST_COMPRESSION);\n CHECK_ERR(err, \"deflateInit\");\n\n err = deflateSetDictionary(&c_stream,\n (const Bytef*)dictionary, (int)sizeof(dictionary));\n CHECK_ERR(err, \"deflateSetDictionary\");\n\n dictId = c_stream.adler;\n c_stream.next_out = compr;\n c_stream.avail_out = (uInt)comprLen;\n\n c_stream.next_in = (z_const unsigned char *)hello;\n c_stream.avail_in = (uInt)strlen(hello)+1;\n\n err = deflate(&c_stream, Z_FINISH);\n if (err != Z_STREAM_END) {\n fprintf(stderr, \"deflate should report Z_STREAM_END\\n\");\n exit(1);\n }\n err = deflateEnd(&c_stream);\n CHECK_ERR(err, \"deflateEnd\");\n}\n\n/* ===========================================================================\n * Test inflate() with a preset dictionary\n */\nvoid test_dict_inflate(Byte *compr, uLong comprLen, Byte *uncompr,\n uLong uncomprLen) {\n int err;\n z_stream d_stream; /* decompression stream */\n\n strcpy((char*)uncompr, \"garbage\");\n\n d_stream.zalloc = zalloc;\n d_stream.zfree = zfree;\n d_stream.opaque = (voidpf)0;\n\n d_stream.next_in = compr;\n d_stream.avail_in = (uInt)comprLen;\n\n err = inflateInit(&d_stream);\n CHECK_ERR(err, \"inflateInit\");\n\n d_stream.next_out = uncompr;\n d_stream.avail_out = (uInt)uncomprLen;\n\n for (;;) {\n err = inflate(&d_stream, Z_NO_FLUSH);\n if (err == Z_STREAM_END) break;\n if (err == Z_NEED_DICT) {\n if (d_stream.adler != dictId) {\n fprintf(stderr, \"unexpected dictionary\");\n exit(1);\n }\n err = inflateSetDictionary(&d_stream, (const Bytef*)dictionary,\n (int)sizeof(dictionary));\n }\n CHECK_ERR(err, \"inflate with dict\");\n }\n\n err = inflateEnd(&d_stream);\n CHECK_ERR(err, \"inflateEnd\");\n\n if (strcmp((char*)uncompr, hello)) {\n fprintf(stderr, \"bad inflate with dict\\n\");\n exit(1);\n } else {\n printf(\"inflate with dictionary: %s\\n\", (char *)uncompr);\n }\n}\n\n/* ===========================================================================\n * Usage: example [output.gz [input.gz]]\n */\n\nint main(int argc, char *argv[]) {\n Byte *compr, *uncompr;\n uLong uncomprLen = 20000;\n uLong comprLen = 3 * uncomprLen;\n static const char* myVersion = ZLIB_VERSION;\n\n if (zlibVersion()[0] != myVersion[0]) {\n fprintf(stderr, \"incompatible zlib version\\n\");\n exit(1);\n\n } else if (strcmp(zlibVersion(), ZLIB_VERSION) != 0) {\n fprintf(stderr, \"warning: different zlib version linked: %s\\n\",\n zlibVersion());\n }\n\n printf(\"zlib version %s = 0x%04x, compile flags = 0x%lx\\n\",\n ZLIB_VERSION, ZLIB_VERNUM, zlibCompileFlags());\n\n compr = (Byte*)calloc((uInt)comprLen, 1);\n uncompr = (Byte*)calloc((uInt)uncomprLen, 1);\n /* compr and uncompr are cleared to avoid reading uninitialized\n * data and to ensure that uncompr compresses well.\n */\n if (compr == Z_NULL || uncompr == Z_NULL) {\n printf(\"out of memory\\n\");\n exit(1);\n }\n\n#ifdef Z_SOLO\n (void)argc;\n (void)argv;\n#else\n test_compress(compr, comprLen, uncompr, uncomprLen);\n\n test_gzio((argc > 1 ? argv[1] : TESTFILE),\n uncompr, uncomprLen);\n#endif\n\n test_deflate(compr, comprLen);\n test_inflate(compr, comprLen, uncompr, uncomprLen);\n\n test_large_deflate(compr, comprLen, uncompr, uncomprLen);\n test_large_inflate(compr, comprLen, uncompr, uncomprLen);\n\n test_flush(compr, &comprLen);\n test_sync(compr, comprLen, uncompr, uncomprLen);\n comprLen = 3 * uncomprLen;\n\n test_dict_deflate(compr, comprLen);\n test_dict_inflate(compr, comprLen, uncompr, uncomprLen);\n\n free(compr);\n free(uncompr);\n\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/infcover.c", "content": "/* infcover.c -- test zlib's inflate routines with full code coverage\n * Copyright (C) 2011, 2016 Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* to use, do: ./configure --cover && make cover */\n\n#include \n#include \n#include \n#include \n#include \"zlib.h\"\n\n/* get definition of internal structure so we can mess with it (see pull()),\n and so we can call inflate_trees() (see cover5()) */\n#define ZLIB_INTERNAL\n#include \"inftrees.h\"\n#include \"inflate.h\"\n\n#define local static\n\n/* -- memory tracking routines -- */\n\n/*\n These memory tracking routines are provided to zlib and track all of zlib's\n allocations and deallocations, check for LIFO operations, keep a current\n and high water mark of total bytes requested, optionally set a limit on the\n total memory that can be allocated, and when done check for memory leaks.\n\n They are used as follows:\n\n z_stream strm;\n mem_setup(&strm) initializes the memory tracking and sets the\n zalloc, zfree, and opaque members of strm to use\n memory tracking for all zlib operations on strm\n mem_limit(&strm, limit) sets a limit on the total bytes requested -- a\n request that exceeds this limit will result in an\n allocation failure (returns NULL) -- setting the\n limit to zero means no limit, which is the default\n after mem_setup()\n mem_used(&strm, \"msg\") prints to stderr \"msg\" and the total bytes used\n mem_high(&strm, \"msg\") prints to stderr \"msg\" and the high water mark\n mem_done(&strm, \"msg\") ends memory tracking, releases all allocations\n for the tracking as well as leaked zlib blocks, if\n any. If there was anything unusual, such as leaked\n blocks, non-FIFO frees, or frees of addresses not\n allocated, then \"msg\" and information about the\n problem is printed to stderr. If everything is\n normal, nothing is printed. mem_done resets the\n strm members to Z_NULL to use the default memory\n allocation routines on the next zlib initialization\n using strm.\n */\n\n/* these items are strung together in a linked list, one for each allocation */\nstruct mem_item {\n void *ptr; /* pointer to allocated memory */\n size_t size; /* requested size of allocation */\n struct mem_item *next; /* pointer to next item in list, or NULL */\n};\n\n/* this structure is at the root of the linked list, and tracks statistics */\nstruct mem_zone {\n struct mem_item *first; /* pointer to first item in list, or NULL */\n size_t total, highwater; /* total allocations, and largest total */\n size_t limit; /* memory allocation limit, or 0 if no limit */\n int notlifo, rogue; /* counts of non-LIFO frees and rogue frees */\n};\n\n/* memory allocation routine to pass to zlib */\nlocal void *mem_alloc(void *mem, unsigned count, unsigned size)\n{\n void *ptr;\n struct mem_item *item;\n struct mem_zone *zone = mem;\n size_t len = count * (size_t)size;\n\n /* induced allocation failure */\n if (zone == NULL || (zone->limit && zone->total + len > zone->limit))\n return NULL;\n\n /* perform allocation using the standard library, fill memory with a\n non-zero value to make sure that the code isn't depending on zeros */\n ptr = malloc(len);\n if (ptr == NULL)\n return NULL;\n memset(ptr, 0xa5, len);\n\n /* create a new item for the list */\n item = malloc(sizeof(struct mem_item));\n if (item == NULL) {\n free(ptr);\n return NULL;\n }\n item->ptr = ptr;\n item->size = len;\n\n /* insert item at the beginning of the list */\n item->next = zone->first;\n zone->first = item;\n\n /* update the statistics */\n zone->total += item->size;\n if (zone->total > zone->highwater)\n zone->highwater = zone->total;\n\n /* return the allocated memory */\n return ptr;\n}\n\n/* memory free routine to pass to zlib */\nlocal void mem_free(void *mem, void *ptr)\n{\n struct mem_item *item, *next;\n struct mem_zone *zone = mem;\n\n /* if no zone, just do a free */\n if (zone == NULL) {\n free(ptr);\n return;\n }\n\n /* point next to the item that matches ptr, or NULL if not found -- remove\n the item from the linked list if found */\n next = zone->first;\n if (next) {\n if (next->ptr == ptr)\n zone->first = next->next; /* first one is it, remove from list */\n else {\n do { /* search the linked list */\n item = next;\n next = item->next;\n } while (next != NULL && next->ptr != ptr);\n if (next) { /* if found, remove from linked list */\n item->next = next->next;\n zone->notlifo++; /* not a LIFO free */\n }\n\n }\n }\n\n /* if found, update the statistics and free the item */\n if (next) {\n zone->total -= next->size;\n free(next);\n }\n\n /* if not found, update the rogue count */\n else\n zone->rogue++;\n\n /* in any case, do the requested free with the standard library function */\n free(ptr);\n}\n\n/* set up a controlled memory allocation space for monitoring, set the stream\n parameters to the controlled routines, with opaque pointing to the space */\nlocal void mem_setup(z_stream *strm)\n{\n struct mem_zone *zone;\n\n zone = malloc(sizeof(struct mem_zone));\n assert(zone != NULL);\n zone->first = NULL;\n zone->total = 0;\n zone->highwater = 0;\n zone->limit = 0;\n zone->notlifo = 0;\n zone->rogue = 0;\n strm->opaque = zone;\n strm->zalloc = mem_alloc;\n strm->zfree = mem_free;\n}\n\n/* set a limit on the total memory allocation, or 0 to remove the limit */\nlocal void mem_limit(z_stream *strm, size_t limit)\n{\n struct mem_zone *zone = strm->opaque;\n\n zone->limit = limit;\n}\n\n/* show the current total requested allocations in bytes */\nlocal void mem_used(z_stream *strm, char *prefix)\n{\n struct mem_zone *zone = strm->opaque;\n\n fprintf(stderr, \"%s: %lu allocated\\n\", prefix, zone->total);\n}\n\n/* show the high water allocation in bytes */\nlocal void mem_high(z_stream *strm, char *prefix)\n{\n struct mem_zone *zone = strm->opaque;\n\n fprintf(stderr, \"%s: %lu high water mark\\n\", prefix, zone->highwater);\n}\n\n/* release the memory allocation zone -- if there are any surprises, notify */\nlocal void mem_done(z_stream *strm, char *prefix)\n{\n int count = 0;\n struct mem_item *item, *next;\n struct mem_zone *zone = strm->opaque;\n\n /* show high water mark */\n mem_high(strm, prefix);\n\n /* free leftover allocations and item structures, if any */\n item = zone->first;\n while (item != NULL) {\n free(item->ptr);\n next = item->next;\n free(item);\n item = next;\n count++;\n }\n\n /* issue alerts about anything unexpected */\n if (count || zone->total)\n fprintf(stderr, \"** %s: %lu bytes in %d blocks not freed\\n\",\n prefix, zone->total, count);\n if (zone->notlifo)\n fprintf(stderr, \"** %s: %d frees not LIFO\\n\", prefix, zone->notlifo);\n if (zone->rogue)\n fprintf(stderr, \"** %s: %d frees not recognized\\n\",\n prefix, zone->rogue);\n\n /* free the zone and delete from the stream */\n free(zone);\n strm->opaque = Z_NULL;\n strm->zalloc = Z_NULL;\n strm->zfree = Z_NULL;\n}\n\n/* -- inflate test routines -- */\n\n/* Decode a hexadecimal string, set *len to length, in[] to the bytes. This\n decodes liberally, in that hex digits can be adjacent, in which case two in\n a row writes a byte. Or they can be delimited by any non-hex character,\n where the delimiters are ignored except when a single hex digit is followed\n by a delimiter, where that single digit writes a byte. The returned data is\n allocated and must eventually be freed. NULL is returned if out of memory.\n If the length is not needed, then len can be NULL. */\nlocal unsigned char *h2b(const char *hex, unsigned *len)\n{\n unsigned char *in, *re;\n unsigned next, val;\n\n in = malloc((strlen(hex) + 1) >> 1);\n if (in == NULL)\n return NULL;\n next = 0;\n val = 1;\n do {\n if (*hex >= '0' && *hex <= '9')\n val = (val << 4) + *hex - '0';\n else if (*hex >= 'A' && *hex <= 'F')\n val = (val << 4) + *hex - 'A' + 10;\n else if (*hex >= 'a' && *hex <= 'f')\n val = (val << 4) + *hex - 'a' + 10;\n else if (val != 1 && val < 32) /* one digit followed by delimiter */\n val += 240; /* make it look like two digits */\n if (val > 255) { /* have two digits */\n in[next++] = val & 0xff; /* save the decoded byte */\n val = 1; /* start over */\n }\n } while (*hex++); /* go through the loop with the terminating null */\n if (len != NULL)\n *len = next;\n re = realloc(in, next);\n return re == NULL ? in : re;\n}\n\n/* generic inflate() run, where hex is the hexadecimal input data, what is the\n text to include in an error message, step is how much input data to feed\n inflate() on each call, or zero to feed it all, win is the window bits\n parameter to inflateInit2(), len is the size of the output buffer, and err\n is the error code expected from the first inflate() call (the second\n inflate() call is expected to return Z_STREAM_END). If win is 47, then\n header information is collected with inflateGetHeader(). If a zlib stream\n is looking for a dictionary, then an empty dictionary is provided.\n inflate() is run until all of the input data is consumed. */\nlocal void inf(char *hex, char *what, unsigned step, int win, unsigned len,\n int err)\n{\n int ret;\n unsigned have;\n unsigned char *in, *out;\n z_stream strm, copy;\n gz_header head;\n\n mem_setup(&strm);\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit2(&strm, win);\n if (ret != Z_OK) {\n mem_done(&strm, what);\n return;\n }\n out = malloc(len); assert(out != NULL);\n if (win == 47) {\n head.extra = out;\n head.extra_max = len;\n head.name = out;\n head.name_max = len;\n head.comment = out;\n head.comm_max = len;\n ret = inflateGetHeader(&strm, &head); assert(ret == Z_OK);\n }\n in = h2b(hex, &have); assert(in != NULL);\n if (step == 0 || step > have)\n step = have;\n strm.avail_in = step;\n have -= step;\n strm.next_in = in;\n do {\n strm.avail_out = len;\n strm.next_out = out;\n ret = inflate(&strm, Z_NO_FLUSH); assert(err == 9 || ret == err);\n if (ret != Z_OK && ret != Z_BUF_ERROR && ret != Z_NEED_DICT)\n break;\n if (ret == Z_NEED_DICT) {\n ret = inflateSetDictionary(&strm, in, 1);\n assert(ret == Z_DATA_ERROR);\n mem_limit(&strm, 1);\n ret = inflateSetDictionary(&strm, out, 0);\n assert(ret == Z_MEM_ERROR);\n mem_limit(&strm, 0);\n ((struct inflate_state *)strm.state)->mode = DICT;\n ret = inflateSetDictionary(&strm, out, 0);\n assert(ret == Z_OK);\n ret = inflate(&strm, Z_NO_FLUSH); assert(ret == Z_BUF_ERROR);\n }\n ret = inflateCopy(©, &strm); assert(ret == Z_OK);\n ret = inflateEnd(©); assert(ret == Z_OK);\n err = 9; /* don't care next time around */\n have += strm.avail_in;\n strm.avail_in = step > have ? have : step;\n have -= strm.avail_in;\n } while (strm.avail_in);\n free(in);\n free(out);\n ret = inflateReset2(&strm, -8); assert(ret == Z_OK);\n ret = inflateEnd(&strm); assert(ret == Z_OK);\n mem_done(&strm, what);\n}\n\n/* cover all of the lines in inflate.c up to inflate() */\nlocal void cover_support(void)\n{\n int ret;\n z_stream strm;\n\n mem_setup(&strm);\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit(&strm); assert(ret == Z_OK);\n mem_used(&strm, \"inflate init\");\n ret = inflatePrime(&strm, 5, 31); assert(ret == Z_OK);\n ret = inflatePrime(&strm, -1, 0); assert(ret == Z_OK);\n ret = inflateSetDictionary(&strm, Z_NULL, 0);\n assert(ret == Z_STREAM_ERROR);\n ret = inflateEnd(&strm); assert(ret == Z_OK);\n mem_done(&strm, \"prime\");\n\n inf(\"63 0\", \"force window allocation\", 0, -15, 1, Z_OK);\n inf(\"63 18 5\", \"force window replacement\", 0, -8, 259, Z_OK);\n inf(\"63 18 68 30 d0 0 0\", \"force split window update\", 4, -8, 259, Z_OK);\n inf(\"3 0\", \"use fixed blocks\", 0, -15, 1, Z_STREAM_END);\n inf(\"\", \"bad window size\", 0, 1, 0, Z_STREAM_ERROR);\n\n mem_setup(&strm);\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit_(&strm, \"!\", (int)sizeof(z_stream));\n assert(ret == Z_VERSION_ERROR);\n mem_done(&strm, \"wrong version\");\n\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit(&strm); assert(ret == Z_OK);\n ret = inflateEnd(&strm); assert(ret == Z_OK);\n fputs(\"inflate built-in memory routines\\n\", stderr);\n}\n\n/* cover all inflate() header and trailer cases and code after inflate() */\nlocal void cover_wrap(void)\n{\n int ret;\n z_stream strm, copy;\n unsigned char dict[257];\n\n ret = inflate(Z_NULL, 0); assert(ret == Z_STREAM_ERROR);\n ret = inflateEnd(Z_NULL); assert(ret == Z_STREAM_ERROR);\n ret = inflateCopy(Z_NULL, Z_NULL); assert(ret == Z_STREAM_ERROR);\n fputs(\"inflate bad parameters\\n\", stderr);\n\n inf(\"1f 8b 0 0\", \"bad gzip method\", 0, 31, 0, Z_DATA_ERROR);\n inf(\"1f 8b 8 80\", \"bad gzip flags\", 0, 31, 0, Z_DATA_ERROR);\n inf(\"77 85\", \"bad zlib method\", 0, 15, 0, Z_DATA_ERROR);\n inf(\"8 99\", \"set window size from header\", 0, 0, 0, Z_OK);\n inf(\"78 9c\", \"bad zlib window size\", 0, 8, 0, Z_DATA_ERROR);\n inf(\"78 9c 63 0 0 0 1 0 1\", \"check adler32\", 0, 15, 1, Z_STREAM_END);\n inf(\"1f 8b 8 1e 0 0 0 0 0 0 1 0 0 0 0 0 0\", \"bad header crc\", 0, 47, 1,\n Z_DATA_ERROR);\n inf(\"1f 8b 8 2 0 0 0 0 0 0 1d 26 3 0 0 0 0 0 0 0 0 0\", \"check gzip length\",\n 0, 47, 0, Z_STREAM_END);\n inf(\"78 90\", \"bad zlib header check\", 0, 47, 0, Z_DATA_ERROR);\n inf(\"8 b8 0 0 0 1\", \"need dictionary\", 0, 8, 0, Z_NEED_DICT);\n inf(\"78 9c 63 0\", \"compute adler32\", 0, 15, 1, Z_OK);\n\n mem_setup(&strm);\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit2(&strm, -8);\n strm.avail_in = 2;\n strm.next_in = (void *)\"\\x63\";\n strm.avail_out = 1;\n strm.next_out = (void *)&ret;\n mem_limit(&strm, 1);\n ret = inflate(&strm, Z_NO_FLUSH); assert(ret == Z_MEM_ERROR);\n ret = inflate(&strm, Z_NO_FLUSH); assert(ret == Z_MEM_ERROR);\n mem_limit(&strm, 0);\n memset(dict, 0, 257);\n ret = inflateSetDictionary(&strm, dict, 257);\n assert(ret == Z_OK);\n mem_limit(&strm, (sizeof(struct inflate_state) << 1) + 256);\n ret = inflatePrime(&strm, 16, 0); assert(ret == Z_OK);\n strm.avail_in = 2;\n strm.next_in = (void *)\"\\x80\";\n ret = inflateSync(&strm); assert(ret == Z_DATA_ERROR);\n ret = inflate(&strm, Z_NO_FLUSH); assert(ret == Z_STREAM_ERROR);\n strm.avail_in = 4;\n strm.next_in = (void *)\"\\0\\0\\xff\\xff\";\n ret = inflateSync(&strm); assert(ret == Z_OK);\n (void)inflateSyncPoint(&strm);\n ret = inflateCopy(©, &strm); assert(ret == Z_MEM_ERROR);\n mem_limit(&strm, 0);\n ret = inflateUndermine(&strm, 1); assert(ret == Z_DATA_ERROR);\n (void)inflateMark(&strm);\n ret = inflateEnd(&strm); assert(ret == Z_OK);\n mem_done(&strm, \"miscellaneous, force memory errors\");\n}\n\n/* input and output functions for inflateBack() */\nlocal unsigned pull(void *desc, unsigned char **buf)\n{\n static unsigned int next = 0;\n static unsigned char dat[] = {0x63, 0, 2, 0};\n struct inflate_state *state;\n\n if (desc == Z_NULL) {\n next = 0;\n return 0; /* no input (already provided at next_in) */\n }\n state = (void *)((z_stream *)desc)->state;\n if (state != Z_NULL)\n state->mode = SYNC; /* force an otherwise impossible situation */\n return next < sizeof(dat) ? (*buf = dat + next++, 1) : 0;\n}\n\nlocal int push(void *desc, unsigned char *buf, unsigned len)\n{\n (void)buf;\n (void)len;\n return desc != Z_NULL; /* force error if desc not null */\n}\n\n/* cover inflateBack() up to common deflate data cases and after those */\nlocal void cover_back(void)\n{\n int ret;\n z_stream strm;\n unsigned char win[32768];\n\n ret = inflateBackInit_(Z_NULL, 0, win, 0, 0);\n assert(ret == Z_VERSION_ERROR);\n ret = inflateBackInit(Z_NULL, 0, win); assert(ret == Z_STREAM_ERROR);\n ret = inflateBack(Z_NULL, Z_NULL, Z_NULL, Z_NULL, Z_NULL);\n assert(ret == Z_STREAM_ERROR);\n ret = inflateBackEnd(Z_NULL); assert(ret == Z_STREAM_ERROR);\n fputs(\"inflateBack bad parameters\\n\", stderr);\n\n mem_setup(&strm);\n ret = inflateBackInit(&strm, 15, win); assert(ret == Z_OK);\n strm.avail_in = 2;\n strm.next_in = (void *)\"\\x03\";\n ret = inflateBack(&strm, pull, Z_NULL, push, Z_NULL);\n assert(ret == Z_STREAM_END);\n /* force output error */\n strm.avail_in = 3;\n strm.next_in = (void *)\"\\x63\\x00\";\n ret = inflateBack(&strm, pull, Z_NULL, push, &strm);\n assert(ret == Z_BUF_ERROR);\n /* force mode error by mucking with state */\n ret = inflateBack(&strm, pull, &strm, push, Z_NULL);\n assert(ret == Z_STREAM_ERROR);\n ret = inflateBackEnd(&strm); assert(ret == Z_OK);\n mem_done(&strm, \"inflateBack bad state\");\n\n ret = inflateBackInit(&strm, 15, win); assert(ret == Z_OK);\n ret = inflateBackEnd(&strm); assert(ret == Z_OK);\n fputs(\"inflateBack built-in memory routines\\n\", stderr);\n}\n\n/* do a raw inflate of data in hexadecimal with both inflate and inflateBack */\nlocal int try(char *hex, char *id, int err)\n{\n int ret;\n unsigned len, size;\n unsigned char *in, *out, *win;\n char *prefix;\n z_stream strm;\n\n /* convert to hex */\n in = h2b(hex, &len);\n assert(in != NULL);\n\n /* allocate work areas */\n size = len << 3;\n out = malloc(size);\n assert(out != NULL);\n win = malloc(32768);\n assert(win != NULL);\n prefix = malloc(strlen(id) + 6);\n assert(prefix != NULL);\n\n /* first with inflate */\n strcpy(prefix, id);\n strcat(prefix, \"-late\");\n mem_setup(&strm);\n strm.avail_in = 0;\n strm.next_in = Z_NULL;\n ret = inflateInit2(&strm, err < 0 ? 47 : -15);\n assert(ret == Z_OK);\n strm.avail_in = len;\n strm.next_in = in;\n do {\n strm.avail_out = size;\n strm.next_out = out;\n ret = inflate(&strm, Z_TREES);\n assert(ret != Z_STREAM_ERROR && ret != Z_MEM_ERROR);\n if (ret == Z_DATA_ERROR || ret == Z_NEED_DICT)\n break;\n } while (strm.avail_in || strm.avail_out == 0);\n if (err) {\n assert(ret == Z_DATA_ERROR);\n assert(strcmp(id, strm.msg) == 0);\n }\n inflateEnd(&strm);\n mem_done(&strm, prefix);\n\n /* then with inflateBack */\n if (err >= 0) {\n strcpy(prefix, id);\n strcat(prefix, \"-back\");\n mem_setup(&strm);\n ret = inflateBackInit(&strm, 15, win);\n assert(ret == Z_OK);\n strm.avail_in = len;\n strm.next_in = in;\n ret = inflateBack(&strm, pull, Z_NULL, push, Z_NULL);\n assert(ret != Z_STREAM_ERROR);\n if (err) {\n assert(ret == Z_DATA_ERROR);\n assert(strcmp(id, strm.msg) == 0);\n }\n inflateBackEnd(&strm);\n mem_done(&strm, prefix);\n }\n\n /* clean up */\n free(prefix);\n free(win);\n free(out);\n free(in);\n return ret;\n}\n\n/* cover deflate data cases in both inflate() and inflateBack() */\nlocal void cover_inflate(void)\n{\n try(\"0 0 0 0 0\", \"invalid stored block lengths\", 1);\n try(\"3 0\", \"fixed\", 0);\n try(\"6\", \"invalid block type\", 1);\n try(\"1 1 0 fe ff 0\", \"stored\", 0);\n try(\"fc 0 0\", \"too many length or distance symbols\", 1);\n try(\"4 0 fe ff\", \"invalid code lengths set\", 1);\n try(\"4 0 24 49 0\", \"invalid bit length repeat\", 1);\n try(\"4 0 24 e9 ff ff\", \"invalid bit length repeat\", 1);\n try(\"4 0 24 e9 ff 6d\", \"invalid code -- missing end-of-block\", 1);\n try(\"4 80 49 92 24 49 92 24 71 ff ff 93 11 0\",\n \"invalid literal/lengths set\", 1);\n try(\"4 80 49 92 24 49 92 24 f b4 ff ff c3 84\", \"invalid distances set\", 1);\n try(\"4 c0 81 8 0 0 0 0 20 7f eb b 0 0\", \"invalid literal/length code\", 1);\n try(\"2 7e ff ff\", \"invalid distance code\", 1);\n try(\"c c0 81 0 0 0 0 0 90 ff 6b 4 0\", \"invalid distance too far back\", 1);\n\n /* also trailer mismatch just in inflate() */\n try(\"1f 8b 8 0 0 0 0 0 0 0 3 0 0 0 0 1\", \"incorrect data check\", -1);\n try(\"1f 8b 8 0 0 0 0 0 0 0 3 0 0 0 0 0 0 0 0 1\",\n \"incorrect length check\", -1);\n try(\"5 c0 21 d 0 0 0 80 b0 fe 6d 2f 91 6c\", \"pull 17\", 0);\n try(\"5 e0 81 91 24 cb b2 2c 49 e2 f 2e 8b 9a 47 56 9f fb fe ec d2 ff 1f\",\n \"long code\", 0);\n try(\"ed c0 1 1 0 0 0 40 20 ff 57 1b 42 2c 4f\", \"length extra\", 0);\n try(\"ed cf c1 b1 2c 47 10 c4 30 fa 6f 35 1d 1 82 59 3d fb be 2e 2a fc f c\",\n \"long distance and extra\", 0);\n try(\"ed c0 81 0 0 0 0 80 a0 fd a9 17 a9 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 \"\n \"0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6\", \"window end\", 0);\n inf(\"2 8 20 80 0 3 0\", \"inflate_fast TYPE return\", 0, -15, 258,\n Z_STREAM_END);\n inf(\"63 18 5 40 c 0\", \"window wrap\", 3, -8, 300, Z_OK);\n}\n\n/* cover remaining lines in inftrees.c */\nlocal void cover_trees(void)\n{\n int ret;\n unsigned bits;\n unsigned short lens[16], work[16];\n code *next, table[ENOUGH_DISTS];\n\n /* we need to call inflate_table() directly in order to manifest not-\n enough errors, since zlib insures that enough is always enough */\n for (bits = 0; bits < 15; bits++)\n lens[bits] = (unsigned short)(bits + 1);\n lens[15] = 15;\n next = table;\n bits = 15;\n ret = inflate_table(DISTS, lens, 16, &next, &bits, work);\n assert(ret == 1);\n next = table;\n bits = 1;\n ret = inflate_table(DISTS, lens, 16, &next, &bits, work);\n assert(ret == 1);\n fputs(\"inflate_table not enough errors\\n\", stderr);\n}\n\n/* cover remaining inffast.c decoding and window copying */\nlocal void cover_fast(void)\n{\n inf(\"e5 e0 81 ad 6d cb b2 2c c9 01 1e 59 63 ae 7d ee fb 4d fd b5 35 41 68\"\n \" ff 7f 0f 0 0 0\", \"fast length extra bits\", 0, -8, 258, Z_DATA_ERROR);\n inf(\"25 fd 81 b5 6d 59 b6 6a 49 ea af 35 6 34 eb 8c b9 f6 b9 1e ef 67 49\"\n \" 50 fe ff ff 3f 0 0\", \"fast distance extra bits\", 0, -8, 258,\n Z_DATA_ERROR);\n inf(\"3 7e 0 0 0 0 0\", \"fast invalid distance code\", 0, -8, 258,\n Z_DATA_ERROR);\n inf(\"1b 7 0 0 0 0 0\", \"fast invalid literal/length code\", 0, -8, 258,\n Z_DATA_ERROR);\n inf(\"d c7 1 ae eb 38 c 4 41 a0 87 72 de df fb 1f b8 36 b1 38 5d ff ff 0\",\n \"fast 2nd level codes and too far back\", 0, -8, 258, Z_DATA_ERROR);\n inf(\"63 18 5 8c 10 8 0 0 0 0\", \"very common case\", 0, -8, 259, Z_OK);\n inf(\"63 60 60 18 c9 0 8 18 18 18 26 c0 28 0 29 0 0 0\",\n \"contiguous and wrap around window\", 6, -8, 259, Z_OK);\n inf(\"63 0 3 0 0 0 0 0\", \"copy direct from output\", 0, -8, 259,\n Z_STREAM_END);\n}\n\nint main(void)\n{\n fprintf(stderr, \"%s\\n\", zlibVersion());\n cover_support();\n cover_wrap();\n cover_back();\n cover_inflate();\n cover_trees();\n cover_fast();\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/test/minigzip.c", "content": "/* minigzip.c -- simulate gzip using the zlib compression library\n * Copyright (C) 1995-2006, 2010, 2011, 2016 Jean-loup Gailly\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/*\n * minigzip is a minimal implementation of the gzip utility. This is\n * only an example of using zlib and isn't meant to replace the\n * full-featured gzip. No attempt is made to deal with file systems\n * limiting names to 14 or 8+3 characters, etc... Error checking is\n * very limited. So use minigzip only for testing; use gzip for the\n * real thing. On MSDOS, use only on file names without extension\n * or in pipe mode.\n */\n\n/* @(#) $Id$ */\n\n#include \"zlib.h\"\n#include \n\n#ifdef STDC\n# include \n# include \n#endif\n\n#ifdef USE_MMAP\n# include \n# include \n# include \n#endif\n\n#if defined(MSDOS) || defined(OS2) || defined(WIN32) || defined(__CYGWIN__)\n# include \n# include \n# ifdef UNDER_CE\n# include \n# endif\n# define SET_BINARY_MODE(file) setmode(fileno(file), O_BINARY)\n#else\n# define SET_BINARY_MODE(file)\n#endif\n\n#if defined(_MSC_VER) && _MSC_VER < 1900\n# define snprintf _snprintf\n#endif\n\n#ifdef VMS\n# define unlink delete\n# define GZ_SUFFIX \"-gz\"\n#endif\n#ifdef RISCOS\n# define unlink remove\n# define GZ_SUFFIX \"-gz\"\n# define fileno(file) file->__file\n#endif\n#if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os\n# include /* for fileno */\n#endif\n\n#if !defined(Z_HAVE_UNISTD_H) && !defined(_LARGEFILE64_SOURCE)\n#ifndef WIN32 /* unlink already in stdio.h for WIN32 */\n extern int unlink(const char *);\n#endif\n#endif\n\n#if defined(UNDER_CE)\n# include \n# define perror(s) pwinerror(s)\n\n/* Map the Windows error number in ERROR to a locale-dependent error\n message string and return a pointer to it. Typically, the values\n for ERROR come from GetLastError.\n\n The string pointed to shall not be modified by the application,\n but may be overwritten by a subsequent call to strwinerror\n\n The strwinerror function does not change the current setting\n of GetLastError. */\n\nstatic char *strwinerror (error)\n DWORD error;\n{\n static char buf[1024];\n\n wchar_t *msgbuf;\n DWORD lasterr = GetLastError();\n DWORD chars = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM\n | FORMAT_MESSAGE_ALLOCATE_BUFFER,\n NULL,\n error,\n 0, /* Default language */\n (LPVOID)&msgbuf,\n 0,\n NULL);\n if (chars != 0) {\n /* If there is an \\r\\n appended, zap it. */\n if (chars >= 2\n && msgbuf[chars - 2] == '\\r' && msgbuf[chars - 1] == '\\n') {\n chars -= 2;\n msgbuf[chars] = 0;\n }\n\n if (chars > sizeof (buf) - 1) {\n chars = sizeof (buf) - 1;\n msgbuf[chars] = 0;\n }\n\n wcstombs(buf, msgbuf, chars + 1);\n LocalFree(msgbuf);\n }\n else {\n sprintf(buf, \"unknown win32 error (%ld)\", error);\n }\n\n SetLastError(lasterr);\n return buf;\n}\n\nstatic void pwinerror (s)\n const char *s;\n{\n if (s && *s)\n fprintf(stderr, \"%s: %s\\n\", s, strwinerror(GetLastError ()));\n else\n fprintf(stderr, \"%s\\n\", strwinerror(GetLastError ()));\n}\n\n#endif /* UNDER_CE */\n\n#ifndef GZ_SUFFIX\n# define GZ_SUFFIX \".gz\"\n#endif\n#define SUFFIX_LEN (sizeof(GZ_SUFFIX)-1)\n\n#define BUFLEN 16384\n#define MAX_NAME_LEN 1024\n\n#ifdef MAXSEG_64K\n# define local static\n /* Needed for systems with limitation on stack size. */\n#else\n# define local\n#endif\n\n#ifdef Z_SOLO\n/* for Z_SOLO, create simplified gz* functions using deflate and inflate */\n\n#if defined(Z_HAVE_UNISTD_H) || defined(Z_LARGE)\n# include /* for unlink() */\n#endif\n\nvoid *myalloc(void *q, unsigned n, unsigned m) {\n (void)q;\n return calloc(n, m);\n}\n\nvoid myfree(void *q, void *p) {\n (void)q;\n free(p);\n}\n\ntypedef struct gzFile_s {\n FILE *file;\n int write;\n int err;\n char *msg;\n z_stream strm;\n} *gzFile;\n\ngzFile gz_open(const char *path, int fd, const char *mode) {\n gzFile gz;\n int ret;\n\n gz = malloc(sizeof(struct gzFile_s));\n if (gz == NULL)\n return NULL;\n gz->write = strchr(mode, 'w') != NULL;\n gz->strm.zalloc = myalloc;\n gz->strm.zfree = myfree;\n gz->strm.opaque = Z_NULL;\n if (gz->write)\n ret = deflateInit2(&(gz->strm), -1, 8, 15 + 16, 8, 0);\n else {\n gz->strm.next_in = 0;\n gz->strm.avail_in = Z_NULL;\n ret = inflateInit2(&(gz->strm), 15 + 16);\n }\n if (ret != Z_OK) {\n free(gz);\n return NULL;\n }\n gz->file = path == NULL ? fdopen(fd, gz->write ? \"wb\" : \"rb\") :\n fopen(path, gz->write ? \"wb\" : \"rb\");\n if (gz->file == NULL) {\n gz->write ? deflateEnd(&(gz->strm)) : inflateEnd(&(gz->strm));\n free(gz);\n return NULL;\n }\n gz->err = 0;\n gz->msg = \"\";\n return gz;\n}\n\ngzFile gzopen(const char *path, const char *mode) {\n return gz_open(path, -1, mode);\n}\n\ngzFile gzdopen(int fd, const char *mode) {\n return gz_open(NULL, fd, mode);\n}\n\nint gzwrite(gzFile gz, const void *buf, unsigned len) {\n z_stream *strm;\n unsigned char out[BUFLEN];\n\n if (gz == NULL || !gz->write)\n return 0;\n strm = &(gz->strm);\n strm->next_in = (void *)buf;\n strm->avail_in = len;\n do {\n strm->next_out = out;\n strm->avail_out = BUFLEN;\n (void)deflate(strm, Z_NO_FLUSH);\n fwrite(out, 1, BUFLEN - strm->avail_out, gz->file);\n } while (strm->avail_out == 0);\n return len;\n}\n\nint gzread(gzFile gz, void *buf, unsigned len) {\n int ret;\n unsigned got;\n unsigned char in[1];\n z_stream *strm;\n\n if (gz == NULL || gz->write)\n return 0;\n if (gz->err)\n return 0;\n strm = &(gz->strm);\n strm->next_out = (void *)buf;\n strm->avail_out = len;\n do {\n got = fread(in, 1, 1, gz->file);\n if (got == 0)\n break;\n strm->next_in = in;\n strm->avail_in = 1;\n ret = inflate(strm, Z_NO_FLUSH);\n if (ret == Z_DATA_ERROR) {\n gz->err = Z_DATA_ERROR;\n gz->msg = strm->msg;\n return 0;\n }\n if (ret == Z_STREAM_END)\n inflateReset(strm);\n } while (strm->avail_out);\n return len - strm->avail_out;\n}\n\nint gzclose(gzFile gz) {\n z_stream *strm;\n unsigned char out[BUFLEN];\n\n if (gz == NULL)\n return Z_STREAM_ERROR;\n strm = &(gz->strm);\n if (gz->write) {\n strm->next_in = Z_NULL;\n strm->avail_in = 0;\n do {\n strm->next_out = out;\n strm->avail_out = BUFLEN;\n (void)deflate(strm, Z_FINISH);\n fwrite(out, 1, BUFLEN - strm->avail_out, gz->file);\n } while (strm->avail_out == 0);\n deflateEnd(strm);\n }\n else\n inflateEnd(strm);\n fclose(gz->file);\n free(gz);\n return Z_OK;\n}\n\nconst char *gzerror(gzFile gz, int *err) {\n *err = gz->err;\n return gz->msg;\n}\n\n#endif\n\nstatic char *prog;\n\n/* ===========================================================================\n * Display error message and exit\n */\nvoid error(const char *msg) {\n fprintf(stderr, \"%s: %s\\n\", prog, msg);\n exit(1);\n}\n\n#ifdef USE_MMAP /* MMAP version, Miguel Albrecht */\n\n/* Try compressing the input file at once using mmap. Return Z_OK if\n * if success, Z_ERRNO otherwise.\n */\nint gz_compress_mmap(FILE *in, gzFile out) {\n int len;\n int err;\n int ifd = fileno(in);\n caddr_t buf; /* mmap'ed buffer for the entire input file */\n off_t buf_len; /* length of the input file */\n struct stat sb;\n\n /* Determine the size of the file, needed for mmap: */\n if (fstat(ifd, &sb) < 0) return Z_ERRNO;\n buf_len = sb.st_size;\n if (buf_len <= 0) return Z_ERRNO;\n\n /* Now do the actual mmap: */\n buf = mmap((caddr_t) 0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0);\n if (buf == (caddr_t)(-1)) return Z_ERRNO;\n\n /* Compress the whole file at once: */\n len = gzwrite(out, (char *)buf, (unsigned)buf_len);\n\n if (len != (int)buf_len) error(gzerror(out, &err));\n\n munmap(buf, buf_len);\n fclose(in);\n if (gzclose(out) != Z_OK) error(\"failed gzclose\");\n return Z_OK;\n}\n#endif /* USE_MMAP */\n\n/* ===========================================================================\n * Compress input to output then close both files.\n */\n\nvoid gz_compress(FILE *in, gzFile out) {\n local char buf[BUFLEN];\n int len;\n int err;\n\n#ifdef USE_MMAP\n /* Try first compressing with mmap. If mmap fails (minigzip used in a\n * pipe), use the normal fread loop.\n */\n if (gz_compress_mmap(in, out) == Z_OK) return;\n#endif\n for (;;) {\n len = (int)fread(buf, 1, sizeof(buf), in);\n if (ferror(in)) {\n perror(\"fread\");\n exit(1);\n }\n if (len == 0) break;\n\n if (gzwrite(out, buf, (unsigned)len) != len) error(gzerror(out, &err));\n }\n fclose(in);\n if (gzclose(out) != Z_OK) error(\"failed gzclose\");\n}\n\n/* ===========================================================================\n * Uncompress input to output then close both files.\n */\nvoid gz_uncompress(gzFile in, FILE *out) {\n local char buf[BUFLEN];\n int len;\n int err;\n\n for (;;) {\n len = gzread(in, buf, sizeof(buf));\n if (len < 0) error (gzerror(in, &err));\n if (len == 0) break;\n\n if ((int)fwrite(buf, 1, (unsigned)len, out) != len) {\n error(\"failed fwrite\");\n }\n }\n if (fclose(out)) error(\"failed fclose\");\n\n if (gzclose(in) != Z_OK) error(\"failed gzclose\");\n}\n\n\n/* ===========================================================================\n * Compress the given file: create a corresponding .gz file and remove the\n * original.\n */\nvoid file_compress(char *file, char *mode) {\n local char outfile[MAX_NAME_LEN];\n FILE *in;\n gzFile out;\n\n if (strlen(file) + strlen(GZ_SUFFIX) >= sizeof(outfile)) {\n fprintf(stderr, \"%s: filename too long\\n\", prog);\n exit(1);\n }\n\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n snprintf(outfile, sizeof(outfile), \"%s%s\", file, GZ_SUFFIX);\n#else\n strcpy(outfile, file);\n strcat(outfile, GZ_SUFFIX);\n#endif\n\n in = fopen(file, \"rb\");\n if (in == NULL) {\n perror(file);\n exit(1);\n }\n out = gzopen(outfile, mode);\n if (out == NULL) {\n fprintf(stderr, \"%s: can't gzopen %s\\n\", prog, outfile);\n exit(1);\n }\n gz_compress(in, out);\n\n unlink(file);\n}\n\n\n/* ===========================================================================\n * Uncompress the given file and remove the original.\n */\nvoid file_uncompress(char *file) {\n local char buf[MAX_NAME_LEN];\n char *infile, *outfile;\n FILE *out;\n gzFile in;\n z_size_t len = strlen(file);\n\n if (len + strlen(GZ_SUFFIX) >= sizeof(buf)) {\n fprintf(stderr, \"%s: filename too long\\n\", prog);\n exit(1);\n }\n\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n snprintf(buf, sizeof(buf), \"%s\", file);\n#else\n strcpy(buf, file);\n#endif\n\n if (len > SUFFIX_LEN && strcmp(file+len-SUFFIX_LEN, GZ_SUFFIX) == 0) {\n infile = file;\n outfile = buf;\n outfile[len-3] = '\\0';\n } else {\n outfile = file;\n infile = buf;\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n snprintf(buf + len, sizeof(buf) - len, \"%s\", GZ_SUFFIX);\n#else\n strcat(infile, GZ_SUFFIX);\n#endif\n }\n in = gzopen(infile, \"rb\");\n if (in == NULL) {\n fprintf(stderr, \"%s: can't gzopen %s\\n\", prog, infile);\n exit(1);\n }\n out = fopen(outfile, \"wb\");\n if (out == NULL) {\n perror(file);\n exit(1);\n }\n\n gz_uncompress(in, out);\n\n unlink(infile);\n}\n\n\n/* ===========================================================================\n * Usage: minigzip [-c] [-d] [-f] [-h] [-r] [-1 to -9] [files...]\n * -c : write to standard output\n * -d : decompress\n * -f : compress with Z_FILTERED\n * -h : compress with Z_HUFFMAN_ONLY\n * -r : compress with Z_RLE\n * -1 to -9 : compression level\n */\n\nint main(int argc, char *argv[]) {\n int copyout = 0;\n int uncompr = 0;\n gzFile file;\n char *bname, outmode[20];\n\n#if !defined(NO_snprintf) && !defined(NO_vsnprintf)\n snprintf(outmode, sizeof(outmode), \"%s\", \"wb6 \");\n#else\n strcpy(outmode, \"wb6 \");\n#endif\n\n prog = argv[0];\n bname = strrchr(argv[0], '/');\n if (bname)\n bname++;\n else\n bname = argv[0];\n argc--, argv++;\n\n if (!strcmp(bname, \"gunzip\"))\n uncompr = 1;\n else if (!strcmp(bname, \"zcat\"))\n copyout = uncompr = 1;\n\n while (argc > 0) {\n if (strcmp(*argv, \"-c\") == 0)\n copyout = 1;\n else if (strcmp(*argv, \"-d\") == 0)\n uncompr = 1;\n else if (strcmp(*argv, \"-f\") == 0)\n outmode[3] = 'f';\n else if (strcmp(*argv, \"-h\") == 0)\n outmode[3] = 'h';\n else if (strcmp(*argv, \"-r\") == 0)\n outmode[3] = 'R';\n else if ((*argv)[0] == '-' && (*argv)[1] >= '1' && (*argv)[1] <= '9' &&\n (*argv)[2] == 0)\n outmode[2] = (*argv)[1];\n else\n break;\n argc--, argv++;\n }\n if (outmode[3] == ' ')\n outmode[3] = 0;\n if (argc == 0) {\n SET_BINARY_MODE(stdin);\n SET_BINARY_MODE(stdout);\n if (uncompr) {\n file = gzdopen(fileno(stdin), \"rb\");\n if (file == NULL) error(\"can't gzdopen stdin\");\n gz_uncompress(file, stdout);\n } else {\n file = gzdopen(fileno(stdout), outmode);\n if (file == NULL) error(\"can't gzdopen stdout\");\n gz_compress(stdin, file);\n }\n } else {\n if (copyout) {\n SET_BINARY_MODE(stdout);\n }\n do {\n if (uncompr) {\n if (copyout) {\n file = gzopen(*argv, \"rb\");\n if (file == NULL)\n fprintf(stderr, \"%s: can't gzopen %s\\n\", prog, *argv);\n else\n gz_uncompress(file, stdout);\n } else {\n file_uncompress(*argv);\n }\n } else {\n if (copyout) {\n FILE * in = fopen(*argv, \"rb\");\n\n if (in == NULL) {\n perror(*argv);\n } else {\n file = gzdopen(fileno(stdout), outmode);\n if (file == NULL) error(\"can't gzdopen stdout\");\n\n gz_compress(in, file);\n }\n\n } else {\n file_compress(*argv, outmode);\n }\n }\n } while (argv++, --argc);\n }\n return 0;\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/treebuild.xml", "content": "\n\n \n\t zip compression library \n\t\n\n\t\n\t\n\n\t\n\t\n\n\t\n\t \n\t \n\t\n\t\n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t\n\t\n\t \n\t \n\t \n\t \n\t \n\t \n\t\n \n\n\n\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/trees.c", "content": "/* trees.c -- output deflated data using Huffman coding\n * Copyright (C) 1995-2021 Jean-loup Gailly\n * detect_data_type() function provided freely by Cosmin Truta, 2006\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/*\n * ALGORITHM\n *\n * The \"deflation\" process uses several Huffman trees. The more\n * common source values are represented by shorter bit sequences.\n *\n * Each code tree is stored in a compressed form which is itself\n * a Huffman encoding of the lengths of all the code strings (in\n * ascending order by source values). The actual code strings are\n * reconstructed from the lengths in the inflate process, as described\n * in the deflate specification.\n *\n * REFERENCES\n *\n * Deutsch, L.P.,\"'Deflate' Compressed Data Format Specification\".\n * Available in ftp.uu.net:/pub/archiving/zip/doc/deflate-1.1.doc\n *\n * Storer, James A.\n * Data Compression: Methods and Theory, pp. 49-50.\n * Computer Science Press, 1988. ISBN 0-7167-8156-5.\n *\n * Sedgewick, R.\n * Algorithms, p290.\n * Addison-Wesley, 1983. ISBN 0-201-06672-6.\n */\n\n/* @(#) $Id$ */\n\n/* #define GEN_TREES_H */\n\n#include \"deflate.h\"\n\n#ifdef ZLIB_DEBUG\n# include \n#endif\n\n/* ===========================================================================\n * Constants\n */\n\n#define MAX_BL_BITS 7\n/* Bit length codes must not exceed MAX_BL_BITS bits */\n\n#define END_BLOCK 256\n/* end of block literal code */\n\n#define REP_3_6 16\n/* repeat previous bit length 3-6 times (2 bits of repeat count) */\n\n#define REPZ_3_10 17\n/* repeat a zero length 3-10 times (3 bits of repeat count) */\n\n#define REPZ_11_138 18\n/* repeat a zero length 11-138 times (7 bits of repeat count) */\n\nlocal const int extra_lbits[LENGTH_CODES] /* extra bits for each length code */\n = {0,0,0,0,0,0,0,0,1,1,1,1,2,2,2,2,3,3,3,3,4,4,4,4,5,5,5,5,0};\n\nlocal const int extra_dbits[D_CODES] /* extra bits for each distance code */\n = {0,0,0,0,1,1,2,2,3,3,4,4,5,5,6,6,7,7,8,8,9,9,10,10,11,11,12,12,13,13};\n\nlocal const int extra_blbits[BL_CODES]/* extra bits for each bit length code */\n = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,3,7};\n\nlocal const uch bl_order[BL_CODES]\n = {16,17,18,0,8,7,9,6,10,5,11,4,12,3,13,2,14,1,15};\n/* The lengths of the bit length codes are sent in order of decreasing\n * probability, to avoid transmitting the lengths for unused bit length codes.\n */\n\n/* ===========================================================================\n * Local data. These are initialized only once.\n */\n\n#define DIST_CODE_LEN 512 /* see definition of array dist_code below */\n\n#if defined(GEN_TREES_H) || !defined(STDC)\n/* non ANSI compilers may not accept trees.h */\n\nlocal ct_data static_ltree[L_CODES+2];\n/* The static literal tree. Since the bit lengths are imposed, there is no\n * need for the L_CODES extra codes used during heap construction. However\n * The codes 286 and 287 are needed to build a canonical tree (see _tr_init\n * below).\n */\n\nlocal ct_data static_dtree[D_CODES];\n/* The static distance tree. (Actually a trivial tree since all codes use\n * 5 bits.)\n */\n\nuch _dist_code[DIST_CODE_LEN];\n/* Distance codes. The first 256 values correspond to the distances\n * 3 .. 258, the last 256 values correspond to the top 8 bits of\n * the 15 bit distances.\n */\n\nuch _length_code[MAX_MATCH-MIN_MATCH+1];\n/* length code for each normalized match length (0 == MIN_MATCH) */\n\nlocal int base_length[LENGTH_CODES];\n/* First normalized length for each code (0 = MIN_MATCH) */\n\nlocal int base_dist[D_CODES];\n/* First normalized distance for each code (0 = distance of 1) */\n\n#else\n# include \"trees.h\"\n#endif /* GEN_TREES_H */\n\nstruct static_tree_desc_s {\n const ct_data *static_tree; /* static tree or NULL */\n const intf *extra_bits; /* extra bits for each code or NULL */\n int extra_base; /* base index for extra_bits */\n int elems; /* max number of elements in the tree */\n int max_length; /* max bit length for the codes */\n};\n\n#ifdef NO_INIT_GLOBAL_POINTERS\n# define TCONST\n#else\n# define TCONST const\n#endif\n\nlocal TCONST static_tree_desc static_l_desc =\n{static_ltree, extra_lbits, LITERALS+1, L_CODES, MAX_BITS};\n\nlocal TCONST static_tree_desc static_d_desc =\n{static_dtree, extra_dbits, 0, D_CODES, MAX_BITS};\n\nlocal TCONST static_tree_desc static_bl_desc =\n{(const ct_data *)0, extra_blbits, 0, BL_CODES, MAX_BL_BITS};\n\n/* ===========================================================================\n * Output a short LSB first on the stream.\n * IN assertion: there is enough room in pendingBuf.\n */\n#define put_short(s, w) { \\\n put_byte(s, (uch)((w) & 0xff)); \\\n put_byte(s, (uch)((ush)(w) >> 8)); \\\n}\n\n/* ===========================================================================\n * Reverse the first len bits of a code, using straightforward code (a faster\n * method would use a table)\n * IN assertion: 1 <= len <= 15\n */\nlocal unsigned bi_reverse(unsigned code, int len) {\n register unsigned res = 0;\n do {\n res |= code & 1;\n code >>= 1, res <<= 1;\n } while (--len > 0);\n return res >> 1;\n}\n\n/* ===========================================================================\n * Flush the bit buffer, keeping at most 7 bits in it.\n */\nlocal void bi_flush(deflate_state *s) {\n if (s->bi_valid == 16) {\n put_short(s, s->bi_buf);\n s->bi_buf = 0;\n s->bi_valid = 0;\n } else if (s->bi_valid >= 8) {\n put_byte(s, (Byte)s->bi_buf);\n s->bi_buf >>= 8;\n s->bi_valid -= 8;\n }\n}\n\n/* ===========================================================================\n * Flush the bit buffer and align the output on a byte boundary\n */\nlocal void bi_windup(deflate_state *s) {\n if (s->bi_valid > 8) {\n put_short(s, s->bi_buf);\n } else if (s->bi_valid > 0) {\n put_byte(s, (Byte)s->bi_buf);\n }\n s->bi_buf = 0;\n s->bi_valid = 0;\n#ifdef ZLIB_DEBUG\n s->bits_sent = (s->bits_sent + 7) & ~7;\n#endif\n}\n\n/* ===========================================================================\n * Generate the codes for a given tree and bit counts (which need not be\n * optimal).\n * IN assertion: the array bl_count contains the bit length statistics for\n * the given tree and the field len is set for all tree elements.\n * OUT assertion: the field code is set for all tree elements of non\n * zero code length.\n */\nlocal void gen_codes(ct_data *tree, int max_code, ushf *bl_count) {\n ush next_code[MAX_BITS+1]; /* next code value for each bit length */\n unsigned code = 0; /* running code value */\n int bits; /* bit index */\n int n; /* code index */\n\n /* The distribution counts are first used to generate the code values\n * without bit reversal.\n */\n for (bits = 1; bits <= MAX_BITS; bits++) {\n code = (code + bl_count[bits - 1]) << 1;\n next_code[bits] = (ush)code;\n }\n /* Check that the bit counts in bl_count are consistent. The last code\n * must be all ones.\n */\n Assert (code + bl_count[MAX_BITS] - 1 == (1 << MAX_BITS) - 1,\n \"inconsistent bit counts\");\n Tracev((stderr,\"\\ngen_codes: max_code %d \", max_code));\n\n for (n = 0; n <= max_code; n++) {\n int len = tree[n].Len;\n if (len == 0) continue;\n /* Now reverse the bits */\n tree[n].Code = (ush)bi_reverse(next_code[len]++, len);\n\n Tracecv(tree != static_ltree, (stderr,\"\\nn %3d %c l %2d c %4x (%x) \",\n n, (isgraph(n) ? n : ' '), len, tree[n].Code, next_code[len] - 1));\n }\n}\n\n#ifdef GEN_TREES_H\nlocal void gen_trees_header(void);\n#endif\n\n#ifndef ZLIB_DEBUG\n# define send_code(s, c, tree) send_bits(s, tree[c].Code, tree[c].Len)\n /* Send a code of the given tree. c and tree must not have side effects */\n\n#else /* !ZLIB_DEBUG */\n# define send_code(s, c, tree) \\\n { if (z_verbose>2) fprintf(stderr,\"\\ncd %3d \",(c)); \\\n send_bits(s, tree[c].Code, tree[c].Len); }\n#endif\n\n/* ===========================================================================\n * Send a value on a given number of bits.\n * IN assertion: length <= 16 and value fits in length bits.\n */\n#ifdef ZLIB_DEBUG\nlocal void send_bits(deflate_state *s, int value, int length) {\n Tracevv((stderr,\" l %2d v %4x \", length, value));\n Assert(length > 0 && length <= 15, \"invalid length\");\n s->bits_sent += (ulg)length;\n\n /* If not enough room in bi_buf, use (valid) bits from bi_buf and\n * (16 - bi_valid) bits from value, leaving (width - (16 - bi_valid))\n * unused bits in value.\n */\n if (s->bi_valid > (int)Buf_size - length) {\n s->bi_buf |= (ush)value << s->bi_valid;\n put_short(s, s->bi_buf);\n s->bi_buf = (ush)value >> (Buf_size - s->bi_valid);\n s->bi_valid += length - Buf_size;\n } else {\n s->bi_buf |= (ush)value << s->bi_valid;\n s->bi_valid += length;\n }\n}\n#else /* !ZLIB_DEBUG */\n\n#define send_bits(s, value, length) \\\n{ int len = length;\\\n if (s->bi_valid > (int)Buf_size - len) {\\\n int val = (int)value;\\\n s->bi_buf |= (ush)val << s->bi_valid;\\\n put_short(s, s->bi_buf);\\\n s->bi_buf = (ush)val >> (Buf_size - s->bi_valid);\\\n s->bi_valid += len - Buf_size;\\\n } else {\\\n s->bi_buf |= (ush)(value) << s->bi_valid;\\\n s->bi_valid += len;\\\n }\\\n}\n#endif /* ZLIB_DEBUG */\n\n\n/* the arguments must not have side effects */\n\n/* ===========================================================================\n * Initialize the various 'constant' tables.\n */\nlocal void tr_static_init(void) {\n#if defined(GEN_TREES_H) || !defined(STDC)\n static int static_init_done = 0;\n int n; /* iterates over tree elements */\n int bits; /* bit counter */\n int length; /* length value */\n int code; /* code value */\n int dist; /* distance index */\n ush bl_count[MAX_BITS+1];\n /* number of codes at each bit length for an optimal tree */\n\n if (static_init_done) return;\n\n /* For some embedded targets, global variables are not initialized: */\n#ifdef NO_INIT_GLOBAL_POINTERS\n static_l_desc.static_tree = static_ltree;\n static_l_desc.extra_bits = extra_lbits;\n static_d_desc.static_tree = static_dtree;\n static_d_desc.extra_bits = extra_dbits;\n static_bl_desc.extra_bits = extra_blbits;\n#endif\n\n /* Initialize the mapping length (0..255) -> length code (0..28) */\n length = 0;\n for (code = 0; code < LENGTH_CODES-1; code++) {\n base_length[code] = length;\n for (n = 0; n < (1 << extra_lbits[code]); n++) {\n _length_code[length++] = (uch)code;\n }\n }\n Assert (length == 256, \"tr_static_init: length != 256\");\n /* Note that the length 255 (match length 258) can be represented\n * in two different ways: code 284 + 5 bits or code 285, so we\n * overwrite length_code[255] to use the best encoding:\n */\n _length_code[length - 1] = (uch)code;\n\n /* Initialize the mapping dist (0..32K) -> dist code (0..29) */\n dist = 0;\n for (code = 0 ; code < 16; code++) {\n base_dist[code] = dist;\n for (n = 0; n < (1 << extra_dbits[code]); n++) {\n _dist_code[dist++] = (uch)code;\n }\n }\n Assert (dist == 256, \"tr_static_init: dist != 256\");\n dist >>= 7; /* from now on, all distances are divided by 128 */\n for ( ; code < D_CODES; code++) {\n base_dist[code] = dist << 7;\n for (n = 0; n < (1 << (extra_dbits[code] - 7)); n++) {\n _dist_code[256 + dist++] = (uch)code;\n }\n }\n Assert (dist == 256, \"tr_static_init: 256 + dist != 512\");\n\n /* Construct the codes of the static literal tree */\n for (bits = 0; bits <= MAX_BITS; bits++) bl_count[bits] = 0;\n n = 0;\n while (n <= 143) static_ltree[n++].Len = 8, bl_count[8]++;\n while (n <= 255) static_ltree[n++].Len = 9, bl_count[9]++;\n while (n <= 279) static_ltree[n++].Len = 7, bl_count[7]++;\n while (n <= 287) static_ltree[n++].Len = 8, bl_count[8]++;\n /* Codes 286 and 287 do not exist, but we must include them in the\n * tree construction to get a canonical Huffman tree (longest code\n * all ones)\n */\n gen_codes((ct_data *)static_ltree, L_CODES+1, bl_count);\n\n /* The static distance tree is trivial: */\n for (n = 0; n < D_CODES; n++) {\n static_dtree[n].Len = 5;\n static_dtree[n].Code = bi_reverse((unsigned)n, 5);\n }\n static_init_done = 1;\n\n# ifdef GEN_TREES_H\n gen_trees_header();\n# endif\n#endif /* defined(GEN_TREES_H) || !defined(STDC) */\n}\n\n/* ===========================================================================\n * Generate the file trees.h describing the static trees.\n */\n#ifdef GEN_TREES_H\n# ifndef ZLIB_DEBUG\n# include \n# endif\n\n# define SEPARATOR(i, last, width) \\\n ((i) == (last)? \"\\n};\\n\\n\" : \\\n ((i) % (width) == (width) - 1 ? \",\\n\" : \", \"))\n\nvoid gen_trees_header(void) {\n FILE *header = fopen(\"trees.h\", \"w\");\n int i;\n\n Assert (header != NULL, \"Can't open trees.h\");\n fprintf(header,\n \"/* header created automatically with -DGEN_TREES_H */\\n\\n\");\n\n fprintf(header, \"local const ct_data static_ltree[L_CODES+2] = {\\n\");\n for (i = 0; i < L_CODES+2; i++) {\n fprintf(header, \"{{%3u},{%3u}}%s\", static_ltree[i].Code,\n static_ltree[i].Len, SEPARATOR(i, L_CODES+1, 5));\n }\n\n fprintf(header, \"local const ct_data static_dtree[D_CODES] = {\\n\");\n for (i = 0; i < D_CODES; i++) {\n fprintf(header, \"{{%2u},{%2u}}%s\", static_dtree[i].Code,\n static_dtree[i].Len, SEPARATOR(i, D_CODES-1, 5));\n }\n\n fprintf(header, \"const uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {\\n\");\n for (i = 0; i < DIST_CODE_LEN; i++) {\n fprintf(header, \"%2u%s\", _dist_code[i],\n SEPARATOR(i, DIST_CODE_LEN-1, 20));\n }\n\n fprintf(header,\n \"const uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {\\n\");\n for (i = 0; i < MAX_MATCH-MIN_MATCH+1; i++) {\n fprintf(header, \"%2u%s\", _length_code[i],\n SEPARATOR(i, MAX_MATCH-MIN_MATCH, 20));\n }\n\n fprintf(header, \"local const int base_length[LENGTH_CODES] = {\\n\");\n for (i = 0; i < LENGTH_CODES; i++) {\n fprintf(header, \"%1u%s\", base_length[i],\n SEPARATOR(i, LENGTH_CODES-1, 20));\n }\n\n fprintf(header, \"local const int base_dist[D_CODES] = {\\n\");\n for (i = 0; i < D_CODES; i++) {\n fprintf(header, \"%5u%s\", base_dist[i],\n SEPARATOR(i, D_CODES-1, 10));\n }\n\n fclose(header);\n}\n#endif /* GEN_TREES_H */\n\n/* ===========================================================================\n * Initialize a new block.\n */\nlocal void init_block(deflate_state *s) {\n int n; /* iterates over tree elements */\n\n /* Initialize the trees. */\n for (n = 0; n < L_CODES; n++) s->dyn_ltree[n].Freq = 0;\n for (n = 0; n < D_CODES; n++) s->dyn_dtree[n].Freq = 0;\n for (n = 0; n < BL_CODES; n++) s->bl_tree[n].Freq = 0;\n\n s->dyn_ltree[END_BLOCK].Freq = 1;\n s->opt_len = s->static_len = 0L;\n s->sym_next = s->matches = 0;\n}\n\n/* ===========================================================================\n * Initialize the tree data structures for a new zlib stream.\n */\nvoid ZLIB_INTERNAL _tr_init(deflate_state *s) {\n tr_static_init();\n\n s->l_desc.dyn_tree = s->dyn_ltree;\n s->l_desc.stat_desc = &static_l_desc;\n\n s->d_desc.dyn_tree = s->dyn_dtree;\n s->d_desc.stat_desc = &static_d_desc;\n\n s->bl_desc.dyn_tree = s->bl_tree;\n s->bl_desc.stat_desc = &static_bl_desc;\n\n s->bi_buf = 0;\n s->bi_valid = 0;\n#ifdef ZLIB_DEBUG\n s->compressed_len = 0L;\n s->bits_sent = 0L;\n#endif\n\n /* Initialize the first block of the first file: */\n init_block(s);\n}\n\n#define SMALLEST 1\n/* Index within the heap array of least frequent node in the Huffman tree */\n\n\n/* ===========================================================================\n * Remove the smallest element from the heap and recreate the heap with\n * one less element. Updates heap and heap_len.\n */\n#define pqremove(s, tree, top) \\\n{\\\n top = s->heap[SMALLEST]; \\\n s->heap[SMALLEST] = s->heap[s->heap_len--]; \\\n pqdownheap(s, tree, SMALLEST); \\\n}\n\n/* ===========================================================================\n * Compares to subtrees, using the tree depth as tie breaker when\n * the subtrees have equal frequency. This minimizes the worst case length.\n */\n#define smaller(tree, n, m, depth) \\\n (tree[n].Freq < tree[m].Freq || \\\n (tree[n].Freq == tree[m].Freq && depth[n] <= depth[m]))\n\n/* ===========================================================================\n * Restore the heap property by moving down the tree starting at node k,\n * exchanging a node with the smallest of its two sons if necessary, stopping\n * when the heap property is re-established (each father smaller than its\n * two sons).\n */\nlocal void pqdownheap(deflate_state *s, ct_data *tree, int k) {\n int v = s->heap[k];\n int j = k << 1; /* left son of k */\n while (j <= s->heap_len) {\n /* Set j to the smallest of the two sons: */\n if (j < s->heap_len &&\n smaller(tree, s->heap[j + 1], s->heap[j], s->depth)) {\n j++;\n }\n /* Exit if v is smaller than both sons */\n if (smaller(tree, v, s->heap[j], s->depth)) break;\n\n /* Exchange v with the smallest son */\n s->heap[k] = s->heap[j]; k = j;\n\n /* And continue down the tree, setting j to the left son of k */\n j <<= 1;\n }\n s->heap[k] = v;\n}\n\n/* ===========================================================================\n * Compute the optimal bit lengths for a tree and update the total bit length\n * for the current block.\n * IN assertion: the fields freq and dad are set, heap[heap_max] and\n * above are the tree nodes sorted by increasing frequency.\n * OUT assertions: the field len is set to the optimal bit length, the\n * array bl_count contains the frequencies for each bit length.\n * The length opt_len is updated; static_len is also updated if stree is\n * not null.\n */\nlocal void gen_bitlen(deflate_state *s, tree_desc *desc) {\n ct_data *tree = desc->dyn_tree;\n int max_code = desc->max_code;\n const ct_data *stree = desc->stat_desc->static_tree;\n const intf *extra = desc->stat_desc->extra_bits;\n int base = desc->stat_desc->extra_base;\n int max_length = desc->stat_desc->max_length;\n int h; /* heap index */\n int n, m; /* iterate over the tree elements */\n int bits; /* bit length */\n int xbits; /* extra bits */\n ush f; /* frequency */\n int overflow = 0; /* number of elements with bit length too large */\n\n for (bits = 0; bits <= MAX_BITS; bits++) s->bl_count[bits] = 0;\n\n /* In a first pass, compute the optimal bit lengths (which may\n * overflow in the case of the bit length tree).\n */\n tree[s->heap[s->heap_max]].Len = 0; /* root of the heap */\n\n for (h = s->heap_max + 1; h < HEAP_SIZE; h++) {\n n = s->heap[h];\n bits = tree[tree[n].Dad].Len + 1;\n if (bits > max_length) bits = max_length, overflow++;\n tree[n].Len = (ush)bits;\n /* We overwrite tree[n].Dad which is no longer needed */\n\n if (n > max_code) continue; /* not a leaf node */\n\n s->bl_count[bits]++;\n xbits = 0;\n if (n >= base) xbits = extra[n - base];\n f = tree[n].Freq;\n s->opt_len += (ulg)f * (unsigned)(bits + xbits);\n if (stree) s->static_len += (ulg)f * (unsigned)(stree[n].Len + xbits);\n }\n if (overflow == 0) return;\n\n Tracev((stderr,\"\\nbit length overflow\\n\"));\n /* This happens for example on obj2 and pic of the Calgary corpus */\n\n /* Find the first bit length which could increase: */\n do {\n bits = max_length - 1;\n while (s->bl_count[bits] == 0) bits--;\n s->bl_count[bits]--; /* move one leaf down the tree */\n s->bl_count[bits + 1] += 2; /* move one overflow item as its brother */\n s->bl_count[max_length]--;\n /* The brother of the overflow item also moves one step up,\n * but this does not affect bl_count[max_length]\n */\n overflow -= 2;\n } while (overflow > 0);\n\n /* Now recompute all bit lengths, scanning in increasing frequency.\n * h is still equal to HEAP_SIZE. (It is simpler to reconstruct all\n * lengths instead of fixing only the wrong ones. This idea is taken\n * from 'ar' written by Haruhiko Okumura.)\n */\n for (bits = max_length; bits != 0; bits--) {\n n = s->bl_count[bits];\n while (n != 0) {\n m = s->heap[--h];\n if (m > max_code) continue;\n if ((unsigned) tree[m].Len != (unsigned) bits) {\n Tracev((stderr,\"code %d bits %d->%d\\n\", m, tree[m].Len, bits));\n s->opt_len += ((ulg)bits - tree[m].Len) * tree[m].Freq;\n tree[m].Len = (ush)bits;\n }\n n--;\n }\n }\n}\n\n#ifdef DUMP_BL_TREE\n# include \n#endif\n\n/* ===========================================================================\n * Construct one Huffman tree and assigns the code bit strings and lengths.\n * Update the total bit length for the current block.\n * IN assertion: the field freq is set for all tree elements.\n * OUT assertions: the fields len and code are set to the optimal bit length\n * and corresponding code. The length opt_len is updated; static_len is\n * also updated if stree is not null. The field max_code is set.\n */\nlocal void build_tree(deflate_state *s, tree_desc *desc) {\n ct_data *tree = desc->dyn_tree;\n const ct_data *stree = desc->stat_desc->static_tree;\n int elems = desc->stat_desc->elems;\n int n, m; /* iterate over heap elements */\n int max_code = -1; /* largest code with non zero frequency */\n int node; /* new node being created */\n\n /* Construct the initial heap, with least frequent element in\n * heap[SMALLEST]. The sons of heap[n] are heap[2*n] and heap[2*n + 1].\n * heap[0] is not used.\n */\n s->heap_len = 0, s->heap_max = HEAP_SIZE;\n\n for (n = 0; n < elems; n++) {\n if (tree[n].Freq != 0) {\n s->heap[++(s->heap_len)] = max_code = n;\n s->depth[n] = 0;\n } else {\n tree[n].Len = 0;\n }\n }\n\n /* The pkzip format requires that at least one distance code exists,\n * and that at least one bit should be sent even if there is only one\n * possible code. So to avoid special checks later on we force at least\n * two codes of non zero frequency.\n */\n while (s->heap_len < 2) {\n node = s->heap[++(s->heap_len)] = (max_code < 2 ? ++max_code : 0);\n tree[node].Freq = 1;\n s->depth[node] = 0;\n s->opt_len--; if (stree) s->static_len -= stree[node].Len;\n /* node is 0 or 1 so it does not have extra bits */\n }\n desc->max_code = max_code;\n\n /* The elements heap[heap_len/2 + 1 .. heap_len] are leaves of the tree,\n * establish sub-heaps of increasing lengths:\n */\n for (n = s->heap_len/2; n >= 1; n--) pqdownheap(s, tree, n);\n\n /* Construct the Huffman tree by repeatedly combining the least two\n * frequent nodes.\n */\n node = elems; /* next internal node of the tree */\n do {\n pqremove(s, tree, n); /* n = node of least frequency */\n m = s->heap[SMALLEST]; /* m = node of next least frequency */\n\n s->heap[--(s->heap_max)] = n; /* keep the nodes sorted by frequency */\n s->heap[--(s->heap_max)] = m;\n\n /* Create a new node father of n and m */\n tree[node].Freq = tree[n].Freq + tree[m].Freq;\n s->depth[node] = (uch)((s->depth[n] >= s->depth[m] ?\n s->depth[n] : s->depth[m]) + 1);\n tree[n].Dad = tree[m].Dad = (ush)node;\n#ifdef DUMP_BL_TREE\n if (tree == s->bl_tree) {\n fprintf(stderr,\"\\nnode %d(%d), sons %d(%d) %d(%d)\",\n node, tree[node].Freq, n, tree[n].Freq, m, tree[m].Freq);\n }\n#endif\n /* and insert the new node in the heap */\n s->heap[SMALLEST] = node++;\n pqdownheap(s, tree, SMALLEST);\n\n } while (s->heap_len >= 2);\n\n s->heap[--(s->heap_max)] = s->heap[SMALLEST];\n\n /* At this point, the fields freq and dad are set. We can now\n * generate the bit lengths.\n */\n gen_bitlen(s, (tree_desc *)desc);\n\n /* The field len is now set, we can generate the bit codes */\n gen_codes ((ct_data *)tree, max_code, s->bl_count);\n}\n\n/* ===========================================================================\n * Scan a literal or distance tree to determine the frequencies of the codes\n * in the bit length tree.\n */\nlocal void scan_tree(deflate_state *s, ct_data *tree, int max_code) {\n int n; /* iterates over all tree elements */\n int prevlen = -1; /* last emitted length */\n int curlen; /* length of current code */\n int nextlen = tree[0].Len; /* length of next code */\n int count = 0; /* repeat count of the current code */\n int max_count = 7; /* max repeat count */\n int min_count = 4; /* min repeat count */\n\n if (nextlen == 0) max_count = 138, min_count = 3;\n tree[max_code + 1].Len = (ush)0xffff; /* guard */\n\n for (n = 0; n <= max_code; n++) {\n curlen = nextlen; nextlen = tree[n + 1].Len;\n if (++count < max_count && curlen == nextlen) {\n continue;\n } else if (count < min_count) {\n s->bl_tree[curlen].Freq += count;\n } else if (curlen != 0) {\n if (curlen != prevlen) s->bl_tree[curlen].Freq++;\n s->bl_tree[REP_3_6].Freq++;\n } else if (count <= 10) {\n s->bl_tree[REPZ_3_10].Freq++;\n } else {\n s->bl_tree[REPZ_11_138].Freq++;\n }\n count = 0; prevlen = curlen;\n if (nextlen == 0) {\n max_count = 138, min_count = 3;\n } else if (curlen == nextlen) {\n max_count = 6, min_count = 3;\n } else {\n max_count = 7, min_count = 4;\n }\n }\n}\n\n/* ===========================================================================\n * Send a literal or distance tree in compressed form, using the codes in\n * bl_tree.\n */\nlocal void send_tree(deflate_state *s, ct_data *tree, int max_code) {\n int n; /* iterates over all tree elements */\n int prevlen = -1; /* last emitted length */\n int curlen; /* length of current code */\n int nextlen = tree[0].Len; /* length of next code */\n int count = 0; /* repeat count of the current code */\n int max_count = 7; /* max repeat count */\n int min_count = 4; /* min repeat count */\n\n /* tree[max_code + 1].Len = -1; */ /* guard already set */\n if (nextlen == 0) max_count = 138, min_count = 3;\n\n for (n = 0; n <= max_code; n++) {\n curlen = nextlen; nextlen = tree[n + 1].Len;\n if (++count < max_count && curlen == nextlen) {\n continue;\n } else if (count < min_count) {\n do { send_code(s, curlen, s->bl_tree); } while (--count != 0);\n\n } else if (curlen != 0) {\n if (curlen != prevlen) {\n send_code(s, curlen, s->bl_tree); count--;\n }\n Assert(count >= 3 && count <= 6, \" 3_6?\");\n send_code(s, REP_3_6, s->bl_tree); send_bits(s, count - 3, 2);\n\n } else if (count <= 10) {\n send_code(s, REPZ_3_10, s->bl_tree); send_bits(s, count - 3, 3);\n\n } else {\n send_code(s, REPZ_11_138, s->bl_tree); send_bits(s, count - 11, 7);\n }\n count = 0; prevlen = curlen;\n if (nextlen == 0) {\n max_count = 138, min_count = 3;\n } else if (curlen == nextlen) {\n max_count = 6, min_count = 3;\n } else {\n max_count = 7, min_count = 4;\n }\n }\n}\n\n/* ===========================================================================\n * Construct the Huffman tree for the bit lengths and return the index in\n * bl_order of the last bit length code to send.\n */\nlocal int build_bl_tree(deflate_state *s) {\n int max_blindex; /* index of last bit length code of non zero freq */\n\n /* Determine the bit length frequencies for literal and distance trees */\n scan_tree(s, (ct_data *)s->dyn_ltree, s->l_desc.max_code);\n scan_tree(s, (ct_data *)s->dyn_dtree, s->d_desc.max_code);\n\n /* Build the bit length tree: */\n build_tree(s, (tree_desc *)(&(s->bl_desc)));\n /* opt_len now includes the length of the tree representations, except the\n * lengths of the bit lengths codes and the 5 + 5 + 4 bits for the counts.\n */\n\n /* Determine the number of bit length codes to send. The pkzip format\n * requires that at least 4 bit length codes be sent. (appnote.txt says\n * 3 but the actual value used is 4.)\n */\n for (max_blindex = BL_CODES-1; max_blindex >= 3; max_blindex--) {\n if (s->bl_tree[bl_order[max_blindex]].Len != 0) break;\n }\n /* Update opt_len to include the bit length tree and counts */\n s->opt_len += 3*((ulg)max_blindex + 1) + 5 + 5 + 4;\n Tracev((stderr, \"\\ndyn trees: dyn %ld, stat %ld\",\n s->opt_len, s->static_len));\n\n return max_blindex;\n}\n\n/* ===========================================================================\n * Send the header for a block using dynamic Huffman trees: the counts, the\n * lengths of the bit length codes, the literal tree and the distance tree.\n * IN assertion: lcodes >= 257, dcodes >= 1, blcodes >= 4.\n */\nlocal void send_all_trees(deflate_state *s, int lcodes, int dcodes,\n int blcodes) {\n int rank; /* index in bl_order */\n\n Assert (lcodes >= 257 && dcodes >= 1 && blcodes >= 4, \"not enough codes\");\n Assert (lcodes <= L_CODES && dcodes <= D_CODES && blcodes <= BL_CODES,\n \"too many codes\");\n Tracev((stderr, \"\\nbl counts: \"));\n send_bits(s, lcodes - 257, 5); /* not +255 as stated in appnote.txt */\n send_bits(s, dcodes - 1, 5);\n send_bits(s, blcodes - 4, 4); /* not -3 as stated in appnote.txt */\n for (rank = 0; rank < blcodes; rank++) {\n Tracev((stderr, \"\\nbl code %2d \", bl_order[rank]));\n send_bits(s, s->bl_tree[bl_order[rank]].Len, 3);\n }\n Tracev((stderr, \"\\nbl tree: sent %ld\", s->bits_sent));\n\n send_tree(s, (ct_data *)s->dyn_ltree, lcodes - 1); /* literal tree */\n Tracev((stderr, \"\\nlit tree: sent %ld\", s->bits_sent));\n\n send_tree(s, (ct_data *)s->dyn_dtree, dcodes - 1); /* distance tree */\n Tracev((stderr, \"\\ndist tree: sent %ld\", s->bits_sent));\n}\n\n/* ===========================================================================\n * Send a stored block\n */\nvoid ZLIB_INTERNAL _tr_stored_block(deflate_state *s, charf *buf,\n ulg stored_len, int last) {\n send_bits(s, (STORED_BLOCK<<1) + last, 3); /* send block type */\n bi_windup(s); /* align on byte boundary */\n put_short(s, (ush)stored_len);\n put_short(s, (ush)~stored_len);\n if (stored_len)\n zmemcpy(s->pending_buf + s->pending, (Bytef *)buf, stored_len);\n s->pending += stored_len;\n#ifdef ZLIB_DEBUG\n s->compressed_len = (s->compressed_len + 3 + 7) & (ulg)~7L;\n s->compressed_len += (stored_len + 4) << 3;\n s->bits_sent += 2*16;\n s->bits_sent += stored_len << 3;\n#endif\n}\n\n/* ===========================================================================\n * Flush the bits in the bit buffer to pending output (leaves at most 7 bits)\n */\nvoid ZLIB_INTERNAL _tr_flush_bits(deflate_state *s) {\n bi_flush(s);\n}\n\n/* ===========================================================================\n * Send one empty static block to give enough lookahead for inflate.\n * This takes 10 bits, of which 7 may remain in the bit buffer.\n */\nvoid ZLIB_INTERNAL _tr_align(deflate_state *s) {\n send_bits(s, STATIC_TREES<<1, 3);\n send_code(s, END_BLOCK, static_ltree);\n#ifdef ZLIB_DEBUG\n s->compressed_len += 10L; /* 3 for block type, 7 for EOB */\n#endif\n bi_flush(s);\n}\n\n/* ===========================================================================\n * Send the block data compressed using the given Huffman trees\n */\nlocal void compress_block(deflate_state *s, const ct_data *ltree,\n const ct_data *dtree) {\n unsigned dist; /* distance of matched string */\n int lc; /* match length or unmatched char (if dist == 0) */\n unsigned sx = 0; /* running index in sym_buf */\n unsigned code; /* the code to send */\n int extra; /* number of extra bits to send */\n\n if (s->sym_next != 0) do {\n dist = s->sym_buf[sx++] & 0xff;\n dist += (unsigned)(s->sym_buf[sx++] & 0xff) << 8;\n lc = s->sym_buf[sx++];\n if (dist == 0) {\n send_code(s, lc, ltree); /* send a literal byte */\n Tracecv(isgraph(lc), (stderr,\" '%c' \", lc));\n } else {\n /* Here, lc is the match length - MIN_MATCH */\n code = _length_code[lc];\n send_code(s, code + LITERALS + 1, ltree); /* send length code */\n extra = extra_lbits[code];\n if (extra != 0) {\n lc -= base_length[code];\n send_bits(s, lc, extra); /* send the extra length bits */\n }\n dist--; /* dist is now the match distance - 1 */\n code = d_code(dist);\n Assert (code < D_CODES, \"bad d_code\");\n\n send_code(s, code, dtree); /* send the distance code */\n extra = extra_dbits[code];\n if (extra != 0) {\n dist -= (unsigned)base_dist[code];\n send_bits(s, dist, extra); /* send the extra distance bits */\n }\n } /* literal or match pair ? */\n\n /* Check that the overlay between pending_buf and sym_buf is ok: */\n Assert(s->pending < s->lit_bufsize + sx, \"pendingBuf overflow\");\n\n } while (sx < s->sym_next);\n\n send_code(s, END_BLOCK, ltree);\n}\n\n/* ===========================================================================\n * Check if the data type is TEXT or BINARY, using the following algorithm:\n * - TEXT if the two conditions below are satisfied:\n * a) There are no non-portable control characters belonging to the\n * \"block list\" (0..6, 14..25, 28..31).\n * b) There is at least one printable character belonging to the\n * \"allow list\" (9 {TAB}, 10 {LF}, 13 {CR}, 32..255).\n * - BINARY otherwise.\n * - The following partially-portable control characters form a\n * \"gray list\" that is ignored in this detection algorithm:\n * (7 {BEL}, 8 {BS}, 11 {VT}, 12 {FF}, 26 {SUB}, 27 {ESC}).\n * IN assertion: the fields Freq of dyn_ltree are set.\n */\nlocal int detect_data_type(deflate_state *s) {\n /* block_mask is the bit mask of block-listed bytes\n * set bits 0..6, 14..25, and 28..31\n * 0xf3ffc07f = binary 11110011111111111100000001111111\n */\n unsigned long block_mask = 0xf3ffc07fUL;\n int n;\n\n /* Check for non-textual (\"block-listed\") bytes. */\n for (n = 0; n <= 31; n++, block_mask >>= 1)\n if ((block_mask & 1) && (s->dyn_ltree[n].Freq != 0))\n return Z_BINARY;\n\n /* Check for textual (\"allow-listed\") bytes. */\n if (s->dyn_ltree[9].Freq != 0 || s->dyn_ltree[10].Freq != 0\n || s->dyn_ltree[13].Freq != 0)\n return Z_TEXT;\n for (n = 32; n < LITERALS; n++)\n if (s->dyn_ltree[n].Freq != 0)\n return Z_TEXT;\n\n /* There are no \"block-listed\" or \"allow-listed\" bytes:\n * this stream either is empty or has tolerated (\"gray-listed\") bytes only.\n */\n return Z_BINARY;\n}\n\n/* ===========================================================================\n * Determine the best encoding for the current block: dynamic trees, static\n * trees or store, and write out the encoded block.\n */\nvoid ZLIB_INTERNAL _tr_flush_block(deflate_state *s, charf *buf,\n ulg stored_len, int last) {\n ulg opt_lenb, static_lenb; /* opt_len and static_len in bytes */\n int max_blindex = 0; /* index of last bit length code of non zero freq */\n\n /* Build the Huffman trees unless a stored block is forced */\n if (s->level > 0) {\n\n /* Check if the file is binary or text */\n if (s->strm->data_type == Z_UNKNOWN)\n s->strm->data_type = detect_data_type(s);\n\n /* Construct the literal and distance trees */\n build_tree(s, (tree_desc *)(&(s->l_desc)));\n Tracev((stderr, \"\\nlit data: dyn %ld, stat %ld\", s->opt_len,\n s->static_len));\n\n build_tree(s, (tree_desc *)(&(s->d_desc)));\n Tracev((stderr, \"\\ndist data: dyn %ld, stat %ld\", s->opt_len,\n s->static_len));\n /* At this point, opt_len and static_len are the total bit lengths of\n * the compressed block data, excluding the tree representations.\n */\n\n /* Build the bit length tree for the above two trees, and get the index\n * in bl_order of the last bit length code to send.\n */\n max_blindex = build_bl_tree(s);\n\n /* Determine the best encoding. Compute the block lengths in bytes. */\n opt_lenb = (s->opt_len + 3 + 7) >> 3;\n static_lenb = (s->static_len + 3 + 7) >> 3;\n\n Tracev((stderr, \"\\nopt %lu(%lu) stat %lu(%lu) stored %lu lit %u \",\n opt_lenb, s->opt_len, static_lenb, s->static_len, stored_len,\n s->sym_next / 3));\n\n#ifndef FORCE_STATIC\n if (static_lenb <= opt_lenb || s->strategy == Z_FIXED)\n#endif\n opt_lenb = static_lenb;\n\n } else {\n Assert(buf != (char*)0, \"lost buf\");\n opt_lenb = static_lenb = stored_len + 5; /* force a stored block */\n }\n\n#ifdef FORCE_STORED\n if (buf != (char*)0) { /* force stored block */\n#else\n if (stored_len + 4 <= opt_lenb && buf != (char*)0) {\n /* 4: two words for the lengths */\n#endif\n /* The test buf != NULL is only necessary if LIT_BUFSIZE > WSIZE.\n * Otherwise we can't have processed more than WSIZE input bytes since\n * the last block flush, because compression would have been\n * successful. If LIT_BUFSIZE <= WSIZE, it is never too late to\n * transform a block into a stored block.\n */\n _tr_stored_block(s, buf, stored_len, last);\n\n } else if (static_lenb == opt_lenb) {\n send_bits(s, (STATIC_TREES<<1) + last, 3);\n compress_block(s, (const ct_data *)static_ltree,\n (const ct_data *)static_dtree);\n#ifdef ZLIB_DEBUG\n s->compressed_len += 3 + s->static_len;\n#endif\n } else {\n send_bits(s, (DYN_TREES<<1) + last, 3);\n send_all_trees(s, s->l_desc.max_code + 1, s->d_desc.max_code + 1,\n max_blindex + 1);\n compress_block(s, (const ct_data *)s->dyn_ltree,\n (const ct_data *)s->dyn_dtree);\n#ifdef ZLIB_DEBUG\n s->compressed_len += 3 + s->opt_len;\n#endif\n }\n Assert (s->compressed_len == s->bits_sent, \"bad compressed size\");\n /* The above check is made mod 2^32, for files larger than 512 MB\n * and uLong implemented on 32 bits.\n */\n init_block(s);\n\n if (last) {\n bi_windup(s);\n#ifdef ZLIB_DEBUG\n s->compressed_len += 7; /* align on byte boundary */\n#endif\n }\n Tracev((stderr,\"\\ncomprlen %lu(%lu) \", s->compressed_len >> 3,\n s->compressed_len - 7*last));\n}\n\n/* ===========================================================================\n * Save the match info and tally the frequency counts. Return true if\n * the current block must be flushed.\n */\nint ZLIB_INTERNAL _tr_tally(deflate_state *s, unsigned dist, unsigned lc) {\n s->sym_buf[s->sym_next++] = (uch)dist;\n s->sym_buf[s->sym_next++] = (uch)(dist >> 8);\n s->sym_buf[s->sym_next++] = (uch)lc;\n if (dist == 0) {\n /* lc is the unmatched char */\n s->dyn_ltree[lc].Freq++;\n } else {\n s->matches++;\n /* Here, lc is the match length - MIN_MATCH */\n dist--; /* dist = match distance - 1 */\n Assert((ush)dist < (ush)MAX_DIST(s) &&\n (ush)lc <= (ush)(MAX_MATCH-MIN_MATCH) &&\n (ush)d_code(dist) < (ush)D_CODES, \"_tr_tally: bad match\");\n\n s->dyn_ltree[_length_code[lc] + LITERALS + 1].Freq++;\n s->dyn_dtree[d_code(dist)].Freq++;\n }\n return (s->sym_next == s->sym_end);\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/trees.h", "content": "/* header created automatically with -DGEN_TREES_H */\n\nlocal const ct_data static_ltree[L_CODES+2] = {\n{{ 12},{ 8}}, {{140},{ 8}}, {{ 76},{ 8}}, {{204},{ 8}}, {{ 44},{ 8}},\n{{172},{ 8}}, {{108},{ 8}}, {{236},{ 8}}, {{ 28},{ 8}}, {{156},{ 8}},\n{{ 92},{ 8}}, {{220},{ 8}}, {{ 60},{ 8}}, {{188},{ 8}}, {{124},{ 8}},\n{{252},{ 8}}, {{ 2},{ 8}}, {{130},{ 8}}, {{ 66},{ 8}}, {{194},{ 8}},\n{{ 34},{ 8}}, {{162},{ 8}}, {{ 98},{ 8}}, {{226},{ 8}}, {{ 18},{ 8}},\n{{146},{ 8}}, {{ 82},{ 8}}, {{210},{ 8}}, {{ 50},{ 8}}, {{178},{ 8}},\n{{114},{ 8}}, {{242},{ 8}}, {{ 10},{ 8}}, {{138},{ 8}}, {{ 74},{ 8}},\n{{202},{ 8}}, {{ 42},{ 8}}, {{170},{ 8}}, {{106},{ 8}}, {{234},{ 8}},\n{{ 26},{ 8}}, {{154},{ 8}}, {{ 90},{ 8}}, {{218},{ 8}}, {{ 58},{ 8}},\n{{186},{ 8}}, {{122},{ 8}}, {{250},{ 8}}, {{ 6},{ 8}}, {{134},{ 8}},\n{{ 70},{ 8}}, {{198},{ 8}}, {{ 38},{ 8}}, {{166},{ 8}}, {{102},{ 8}},\n{{230},{ 8}}, {{ 22},{ 8}}, {{150},{ 8}}, {{ 86},{ 8}}, {{214},{ 8}},\n{{ 54},{ 8}}, {{182},{ 8}}, {{118},{ 8}}, {{246},{ 8}}, {{ 14},{ 8}},\n{{142},{ 8}}, {{ 78},{ 8}}, {{206},{ 8}}, {{ 46},{ 8}}, {{174},{ 8}},\n{{110},{ 8}}, {{238},{ 8}}, {{ 30},{ 8}}, {{158},{ 8}}, {{ 94},{ 8}},\n{{222},{ 8}}, {{ 62},{ 8}}, {{190},{ 8}}, {{126},{ 8}}, {{254},{ 8}},\n{{ 1},{ 8}}, {{129},{ 8}}, {{ 65},{ 8}}, {{193},{ 8}}, {{ 33},{ 8}},\n{{161},{ 8}}, {{ 97},{ 8}}, {{225},{ 8}}, {{ 17},{ 8}}, {{145},{ 8}},\n{{ 81},{ 8}}, {{209},{ 8}}, {{ 49},{ 8}}, {{177},{ 8}}, {{113},{ 8}},\n{{241},{ 8}}, {{ 9},{ 8}}, {{137},{ 8}}, {{ 73},{ 8}}, {{201},{ 8}},\n{{ 41},{ 8}}, {{169},{ 8}}, {{105},{ 8}}, {{233},{ 8}}, {{ 25},{ 8}},\n{{153},{ 8}}, {{ 89},{ 8}}, {{217},{ 8}}, {{ 57},{ 8}}, {{185},{ 8}},\n{{121},{ 8}}, {{249},{ 8}}, {{ 5},{ 8}}, {{133},{ 8}}, {{ 69},{ 8}},\n{{197},{ 8}}, {{ 37},{ 8}}, {{165},{ 8}}, {{101},{ 8}}, {{229},{ 8}},\n{{ 21},{ 8}}, {{149},{ 8}}, {{ 85},{ 8}}, {{213},{ 8}}, {{ 53},{ 8}},\n{{181},{ 8}}, {{117},{ 8}}, {{245},{ 8}}, {{ 13},{ 8}}, {{141},{ 8}},\n{{ 77},{ 8}}, {{205},{ 8}}, {{ 45},{ 8}}, {{173},{ 8}}, {{109},{ 8}},\n{{237},{ 8}}, {{ 29},{ 8}}, {{157},{ 8}}, {{ 93},{ 8}}, {{221},{ 8}},\n{{ 61},{ 8}}, {{189},{ 8}}, {{125},{ 8}}, {{253},{ 8}}, {{ 19},{ 9}},\n{{275},{ 9}}, {{147},{ 9}}, {{403},{ 9}}, {{ 83},{ 9}}, {{339},{ 9}},\n{{211},{ 9}}, {{467},{ 9}}, {{ 51},{ 9}}, {{307},{ 9}}, {{179},{ 9}},\n{{435},{ 9}}, {{115},{ 9}}, {{371},{ 9}}, {{243},{ 9}}, {{499},{ 9}},\n{{ 11},{ 9}}, {{267},{ 9}}, {{139},{ 9}}, {{395},{ 9}}, {{ 75},{ 9}},\n{{331},{ 9}}, {{203},{ 9}}, {{459},{ 9}}, {{ 43},{ 9}}, {{299},{ 9}},\n{{171},{ 9}}, {{427},{ 9}}, {{107},{ 9}}, {{363},{ 9}}, {{235},{ 9}},\n{{491},{ 9}}, {{ 27},{ 9}}, {{283},{ 9}}, {{155},{ 9}}, {{411},{ 9}},\n{{ 91},{ 9}}, {{347},{ 9}}, {{219},{ 9}}, {{475},{ 9}}, {{ 59},{ 9}},\n{{315},{ 9}}, {{187},{ 9}}, {{443},{ 9}}, {{123},{ 9}}, {{379},{ 9}},\n{{251},{ 9}}, {{507},{ 9}}, {{ 7},{ 9}}, {{263},{ 9}}, {{135},{ 9}},\n{{391},{ 9}}, {{ 71},{ 9}}, {{327},{ 9}}, {{199},{ 9}}, {{455},{ 9}},\n{{ 39},{ 9}}, {{295},{ 9}}, {{167},{ 9}}, {{423},{ 9}}, {{103},{ 9}},\n{{359},{ 9}}, {{231},{ 9}}, {{487},{ 9}}, {{ 23},{ 9}}, {{279},{ 9}},\n{{151},{ 9}}, {{407},{ 9}}, {{ 87},{ 9}}, {{343},{ 9}}, {{215},{ 9}},\n{{471},{ 9}}, {{ 55},{ 9}}, {{311},{ 9}}, {{183},{ 9}}, {{439},{ 9}},\n{{119},{ 9}}, {{375},{ 9}}, {{247},{ 9}}, {{503},{ 9}}, {{ 15},{ 9}},\n{{271},{ 9}}, {{143},{ 9}}, {{399},{ 9}}, {{ 79},{ 9}}, {{335},{ 9}},\n{{207},{ 9}}, {{463},{ 9}}, {{ 47},{ 9}}, {{303},{ 9}}, {{175},{ 9}},\n{{431},{ 9}}, {{111},{ 9}}, {{367},{ 9}}, {{239},{ 9}}, {{495},{ 9}},\n{{ 31},{ 9}}, {{287},{ 9}}, {{159},{ 9}}, {{415},{ 9}}, {{ 95},{ 9}},\n{{351},{ 9}}, {{223},{ 9}}, {{479},{ 9}}, {{ 63},{ 9}}, {{319},{ 9}},\n{{191},{ 9}}, {{447},{ 9}}, {{127},{ 9}}, {{383},{ 9}}, {{255},{ 9}},\n{{511},{ 9}}, {{ 0},{ 7}}, {{ 64},{ 7}}, {{ 32},{ 7}}, {{ 96},{ 7}},\n{{ 16},{ 7}}, {{ 80},{ 7}}, {{ 48},{ 7}}, {{112},{ 7}}, {{ 8},{ 7}},\n{{ 72},{ 7}}, {{ 40},{ 7}}, {{104},{ 7}}, {{ 24},{ 7}}, {{ 88},{ 7}},\n{{ 56},{ 7}}, {{120},{ 7}}, {{ 4},{ 7}}, {{ 68},{ 7}}, {{ 36},{ 7}},\n{{100},{ 7}}, {{ 20},{ 7}}, {{ 84},{ 7}}, {{ 52},{ 7}}, {{116},{ 7}},\n{{ 3},{ 8}}, {{131},{ 8}}, {{ 67},{ 8}}, {{195},{ 8}}, {{ 35},{ 8}},\n{{163},{ 8}}, {{ 99},{ 8}}, {{227},{ 8}}\n};\n\nlocal const ct_data static_dtree[D_CODES] = {\n{{ 0},{ 5}}, {{16},{ 5}}, {{ 8},{ 5}}, {{24},{ 5}}, {{ 4},{ 5}},\n{{20},{ 5}}, {{12},{ 5}}, {{28},{ 5}}, {{ 2},{ 5}}, {{18},{ 5}},\n{{10},{ 5}}, {{26},{ 5}}, {{ 6},{ 5}}, {{22},{ 5}}, {{14},{ 5}},\n{{30},{ 5}}, {{ 1},{ 5}}, {{17},{ 5}}, {{ 9},{ 5}}, {{25},{ 5}},\n{{ 5},{ 5}}, {{21},{ 5}}, {{13},{ 5}}, {{29},{ 5}}, {{ 3},{ 5}},\n{{19},{ 5}}, {{11},{ 5}}, {{27},{ 5}}, {{ 7},{ 5}}, {{23},{ 5}}\n};\n\nconst uch ZLIB_INTERNAL _dist_code[DIST_CODE_LEN] = {\n 0, 1, 2, 3, 4, 4, 5, 5, 6, 6, 6, 6, 7, 7, 7, 7, 8, 8, 8, 8,\n 8, 8, 8, 8, 9, 9, 9, 9, 9, 9, 9, 9, 10, 10, 10, 10, 10, 10, 10, 10,\n10, 10, 10, 10, 10, 10, 10, 10, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11, 11,\n11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12,\n12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 12, 13, 13, 13, 13,\n13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13, 13,\n13, 13, 13, 13, 13, 13, 13, 13, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,\n14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,\n14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14,\n14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 14, 15, 15, 15, 15, 15, 15, 15, 15,\n15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,\n15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15,\n15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 15, 0, 0, 16, 17,\n18, 18, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 22, 22, 22, 22, 22, 22, 22, 22,\n23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,\n24, 24, 24, 24, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,\n26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,\n26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27,\n27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,\n27, 27, 27, 27, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,\n28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,\n28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28, 28,\n28, 28, 28, 28, 28, 28, 28, 28, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,\n29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,\n29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29,\n29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29, 29\n};\n\nconst uch ZLIB_INTERNAL _length_code[MAX_MATCH-MIN_MATCH+1]= {\n 0, 1, 2, 3, 4, 5, 6, 7, 8, 8, 9, 9, 10, 10, 11, 11, 12, 12, 12, 12,\n13, 13, 13, 13, 14, 14, 14, 14, 15, 15, 15, 15, 16, 16, 16, 16, 16, 16, 16, 16,\n17, 17, 17, 17, 17, 17, 17, 17, 18, 18, 18, 18, 18, 18, 18, 18, 19, 19, 19, 19,\n19, 19, 19, 19, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20, 20,\n21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 21, 22, 22, 22, 22,\n22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 22, 23, 23, 23, 23, 23, 23, 23, 23,\n23, 23, 23, 23, 23, 23, 23, 23, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,\n24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24,\n25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25,\n25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 25, 26, 26, 26, 26, 26, 26, 26, 26,\n26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26, 26,\n26, 26, 26, 26, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27,\n27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 27, 28\n};\n\nlocal const int base_length[LENGTH_CODES] = {\n0, 1, 2, 3, 4, 5, 6, 7, 8, 10, 12, 14, 16, 20, 24, 28, 32, 40, 48, 56,\n64, 80, 96, 112, 128, 160, 192, 224, 0\n};\n\nlocal const int base_dist[D_CODES] = {\n 0, 1, 2, 3, 4, 6, 8, 12, 16, 24,\n 32, 48, 64, 96, 128, 192, 256, 384, 512, 768,\n 1024, 1536, 2048, 3072, 4096, 6144, 8192, 12288, 16384, 24576\n};\n\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/uncompr.c", "content": "/* uncompr.c -- decompress a memory buffer\n * Copyright (C) 1995-2003, 2010, 2014, 2016 Jean-loup Gailly, Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#define ZLIB_INTERNAL\n#include \"zlib.h\"\n\n/* ===========================================================================\n Decompresses the source buffer into the destination buffer. *sourceLen is\n the byte length of the source buffer. Upon entry, *destLen is the total size\n of the destination buffer, which must be large enough to hold the entire\n uncompressed data. (The size of the uncompressed data must have been saved\n previously by the compressor and transmitted to the decompressor by some\n mechanism outside the scope of this compression library.) Upon exit,\n *destLen is the size of the decompressed data and *sourceLen is the number\n of source bytes consumed. Upon return, source + *sourceLen points to the\n first unused input byte.\n\n uncompress returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_BUF_ERROR if there was not enough room in the output buffer, or\n Z_DATA_ERROR if the input data was corrupted, including if the input data is\n an incomplete zlib stream.\n*/\nint ZEXPORT uncompress2(Bytef *dest, uLongf *destLen, const Bytef *source,\n uLong *sourceLen) {\n z_stream stream;\n int err;\n const uInt max = (uInt)-1;\n uLong len, left;\n Byte buf[1]; /* for detection of incomplete stream when *destLen == 0 */\n\n len = *sourceLen;\n if (*destLen) {\n left = *destLen;\n *destLen = 0;\n }\n else {\n left = 1;\n dest = buf;\n }\n\n stream.next_in = (z_const Bytef *)source;\n stream.avail_in = 0;\n stream.zalloc = (alloc_func)0;\n stream.zfree = (free_func)0;\n stream.opaque = (voidpf)0;\n\n err = inflateInit(&stream);\n if (err != Z_OK) return err;\n\n stream.next_out = dest;\n stream.avail_out = 0;\n\n do {\n if (stream.avail_out == 0) {\n stream.avail_out = left > (uLong)max ? max : (uInt)left;\n left -= stream.avail_out;\n }\n if (stream.avail_in == 0) {\n stream.avail_in = len > (uLong)max ? max : (uInt)len;\n len -= stream.avail_in;\n }\n err = inflate(&stream, Z_NO_FLUSH);\n } while (err == Z_OK);\n\n *sourceLen -= len + stream.avail_in;\n if (dest != buf)\n *destLen = stream.total_out;\n else if (stream.total_out && err == Z_BUF_ERROR)\n left = 1;\n\n inflateEnd(&stream);\n return err == Z_STREAM_END ? Z_OK :\n err == Z_NEED_DICT ? Z_DATA_ERROR :\n err == Z_BUF_ERROR && left + stream.avail_out ? Z_DATA_ERROR :\n err;\n}\n\nint ZEXPORT uncompress(Bytef *dest, uLongf *destLen, const Bytef *source,\n uLong sourceLen) {\n return uncompress2(dest, destLen, source, &sourceLen);\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/watcom/watcom_f.mak", "content": "# Makefile for zlib\n# OpenWatcom flat model\n# Last updated: 28-Dec-2005\n\n# To use, do \"wmake -f watcom_f.mak\"\n\nC_SOURCE = adler32.c compress.c crc32.c deflate.c &\n\t gzclose.c gzlib.c gzread.c gzwrite.c &\n infback.c inffast.c inflate.c inftrees.c &\n trees.c uncompr.c zutil.c\n\nOBJS = adler32.obj compress.obj crc32.obj deflate.obj &\n\t gzclose.obj gzlib.obj gzread.obj gzwrite.obj &\n infback.obj inffast.obj inflate.obj inftrees.obj &\n trees.obj uncompr.obj zutil.obj\n\nCC = wcc386\nLINKER = wcl386\nCFLAGS = -zq -mf -3r -fp3 -s -bt=dos -oilrtfm -fr=nul -wx\nZLIB_LIB = zlib_f.lib\n\n.C.OBJ:\n $(CC) $(CFLAGS) $[@\n\nall: $(ZLIB_LIB) example.exe minigzip.exe\n\n$(ZLIB_LIB): $(OBJS)\n\twlib -b -c $(ZLIB_LIB) -+adler32.obj -+compress.obj -+crc32.obj\n\twlib -b -c $(ZLIB_LIB) -+gzclose.obj -+gzlib.obj -+gzread.obj -+gzwrite.obj\n wlib -b -c $(ZLIB_LIB) -+deflate.obj -+infback.obj\n wlib -b -c $(ZLIB_LIB) -+inffast.obj -+inflate.obj -+inftrees.obj\n wlib -b -c $(ZLIB_LIB) -+trees.obj -+uncompr.obj -+zutil.obj\n\nexample.exe: $(ZLIB_LIB) example.obj\n\t$(LINKER) -ldos32a -fe=example.exe example.obj $(ZLIB_LIB)\n\nminigzip.exe: $(ZLIB_LIB) minigzip.obj\n\t$(LINKER) -ldos32a -fe=minigzip.exe minigzip.obj $(ZLIB_LIB)\n\nclean: .SYMBOLIC\n del *.obj\n del $(ZLIB_LIB)\n @echo Cleaning done\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/watcom/watcom_l.mak", "content": "# Makefile for zlib\n# OpenWatcom large model\n# Last updated: 28-Dec-2005\n\n# To use, do \"wmake -f watcom_l.mak\"\n\nC_SOURCE = adler32.c compress.c crc32.c deflate.c &\n\t gzclose.c gzlib.c gzread.c gzwrite.c &\n infback.c inffast.c inflate.c inftrees.c &\n trees.c uncompr.c zutil.c\n\nOBJS = adler32.obj compress.obj crc32.obj deflate.obj &\n\t gzclose.obj gzlib.obj gzread.obj gzwrite.obj &\n infback.obj inffast.obj inflate.obj inftrees.obj &\n trees.obj uncompr.obj zutil.obj\n\nCC = wcc\nLINKER = wcl\nCFLAGS = -zq -ml -s -bt=dos -oilrtfm -fr=nul -wx\nZLIB_LIB = zlib_l.lib\n\n.C.OBJ:\n $(CC) $(CFLAGS) $[@\n\nall: $(ZLIB_LIB) example.exe minigzip.exe\n\n$(ZLIB_LIB): $(OBJS)\n\twlib -b -c $(ZLIB_LIB) -+adler32.obj -+compress.obj -+crc32.obj\n\twlib -b -c $(ZLIB_LIB) -+gzclose.obj -+gzlib.obj -+gzread.obj -+gzwrite.obj\n wlib -b -c $(ZLIB_LIB) -+deflate.obj -+infback.obj\n wlib -b -c $(ZLIB_LIB) -+inffast.obj -+inflate.obj -+inftrees.obj\n wlib -b -c $(ZLIB_LIB) -+trees.obj -+uncompr.obj -+zutil.obj\n\nexample.exe: $(ZLIB_LIB) example.obj\n\t$(LINKER) -fe=example.exe example.obj $(ZLIB_LIB)\n\nminigzip.exe: $(ZLIB_LIB) minigzip.obj\n\t$(LINKER) -fe=minigzip.exe minigzip.obj $(ZLIB_LIB)\n\nclean: .SYMBOLIC\n del *.obj\n del $(ZLIB_LIB)\n @echo Cleaning done\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/DLL_FAQ.txt", "content": "\n Frequently Asked Questions about ZLIB1.DLL\n\n\nThis document describes the design, the rationale, and the usage\nof the official DLL build of zlib, named ZLIB1.DLL. If you have\ngeneral questions about zlib, you should see the file \"FAQ\" found\nin the zlib distribution, or at the following location:\n http://www.gzip.org/zlib/zlib_faq.html\n\n\n 1. What is ZLIB1.DLL, and how can I get it?\n\n - ZLIB1.DLL is the official build of zlib as a DLL.\n (Please remark the character '1' in the name.)\n\n Pointers to a precompiled ZLIB1.DLL can be found in the zlib\n web site at:\n http://www.zlib.net/\n\n Applications that link to ZLIB1.DLL can rely on the following\n specification:\n\n * The exported symbols are exclusively defined in the source\n files \"zlib.h\" and \"zlib.def\", found in an official zlib\n source distribution.\n * The symbols are exported by name, not by ordinal.\n * The exported names are undecorated.\n * The calling convention of functions is \"C\" (CDECL).\n * The ZLIB1.DLL binary is linked to MSVCRT.DLL.\n\n The archive in which ZLIB1.DLL is bundled contains compiled\n test programs that must run with a valid build of ZLIB1.DLL.\n It is recommended to download the prebuilt DLL from the zlib\n web site, instead of building it yourself, to avoid potential\n incompatibilities that could be introduced by your compiler\n and build settings. If you do build the DLL yourself, please\n make sure that it complies with all the above requirements,\n and it runs with the precompiled test programs, bundled with\n the original ZLIB1.DLL distribution.\n\n If, for any reason, you need to build an incompatible DLL,\n please use a different file name.\n\n\n 2. Why did you change the name of the DLL to ZLIB1.DLL?\n What happened to the old ZLIB.DLL?\n\n - The old ZLIB.DLL, built from zlib-1.1.4 or earlier, required\n compilation settings that were incompatible to those used by\n a static build. The DLL settings were supposed to be enabled\n by defining the macro ZLIB_DLL, before including \"zlib.h\".\n Incorrect handling of this macro was silently accepted at\n build time, resulting in two major problems:\n\n * ZLIB_DLL was missing from the old makefile. When building\n the DLL, not all people added it to the build options. In\n consequence, incompatible incarnations of ZLIB.DLL started\n to circulate around the net.\n\n * When switching from using the static library to using the\n DLL, applications had to define the ZLIB_DLL macro and\n to recompile all the sources that contained calls to zlib\n functions. Failure to do so resulted in creating binaries\n that were unable to run with the official ZLIB.DLL build.\n\n The only possible solution that we could foresee was to make\n a binary-incompatible change in the DLL interface, in order to\n remove the dependency on the ZLIB_DLL macro, and to release\n the new DLL under a different name.\n\n We chose the name ZLIB1.DLL, where '1' indicates the major\n zlib version number. We hope that we will not have to break\n the binary compatibility again, at least not as long as the\n zlib-1.x series will last.\n\n There is still a ZLIB_DLL macro, that can trigger a more\n efficient build and use of the DLL, but compatibility no\n longer dependents on it.\n\n\n 3. Can I build ZLIB.DLL from the new zlib sources, and replace\n an old ZLIB.DLL, that was built from zlib-1.1.4 or earlier?\n\n - In principle, you can do it by assigning calling convention\n keywords to the macros ZEXPORT and ZEXPORTVA. In practice,\n it depends on what you mean by \"an old ZLIB.DLL\", because the\n old DLL exists in several mutually-incompatible versions.\n You have to find out first what kind of calling convention is\n being used in your particular ZLIB.DLL build, and to use the\n same one in the new build. If you don't know what this is all\n about, you might be better off if you would just leave the old\n DLL intact.\n\n\n 4. Can I compile my application using the new zlib interface, and\n link it to an old ZLIB.DLL, that was built from zlib-1.1.4 or\n earlier?\n\n - The official answer is \"no\"; the real answer depends again on\n what kind of ZLIB.DLL you have. Even if you are lucky, this\n course of action is unreliable.\n\n If you rebuild your application and you intend to use a newer\n version of zlib (post- 1.1.4), it is strongly recommended to\n link it to the new ZLIB1.DLL.\n\n\n 5. Why are the zlib symbols exported by name, and not by ordinal?\n\n - Although exporting symbols by ordinal is a little faster, it\n is risky. Any single glitch in the maintenance or use of the\n DEF file that contains the ordinals can result in incompatible\n builds and frustrating crashes. Simply put, the benefits of\n exporting symbols by ordinal do not justify the risks.\n\n Technically, it should be possible to maintain ordinals in\n the DEF file, and still export the symbols by name. Ordinals\n exist in every DLL, and even if the dynamic linking performed\n at the DLL startup is searching for names, ordinals serve as\n hints, for a faster name lookup. However, if the DEF file\n contains ordinals, the Microsoft linker automatically builds\n an implib that will cause the executables linked to it to use\n those ordinals, and not the names. It is interesting to\n notice that the GNU linker for Win32 does not suffer from this\n problem.\n\n It is possible to avoid the DEF file if the exported symbols\n are accompanied by a \"__declspec(dllexport)\" attribute in the\n source files. You can do this in zlib by predefining the\n ZLIB_DLL macro.\n\n\n 6. I see that the ZLIB1.DLL functions use the \"C\" (CDECL) calling\n convention. Why not use the STDCALL convention?\n STDCALL is the standard convention in Win32, and I need it in\n my Visual Basic project!\n\n (For readability, we use CDECL to refer to the convention\n triggered by the \"__cdecl\" keyword, STDCALL to refer to\n the convention triggered by \"__stdcall\", and FASTCALL to\n refer to the convention triggered by \"__fastcall\".)\n\n - Most of the native Windows API functions (without varargs) use\n indeed the WINAPI convention (which translates to STDCALL in\n Win32), but the standard C functions use CDECL. If a user\n application is intrinsically tied to the Windows API (e.g.\n it calls native Windows API functions such as CreateFile()),\n sometimes it makes sense to decorate its own functions with\n WINAPI. But if ANSI C or POSIX portability is a goal (e.g.\n it calls standard C functions such as fopen()), it is not a\n sound decision to request the inclusion of , or to\n use non-ANSI constructs, for the sole purpose to make the user\n functions STDCALL-able.\n\n The functionality offered by zlib is not in the category of\n \"Windows functionality\", but is more like \"C functionality\".\n\n Technically, STDCALL is not bad; in fact, it is slightly\n faster than CDECL, and it works with variable-argument\n functions, just like CDECL. It is unfortunate that, in spite\n of using STDCALL in the Windows API, it is not the default\n convention used by the C compilers that run under Windows.\n The roots of the problem reside deep inside the unsafety of\n the K&R-style function prototypes, where the argument types\n are not specified; but that is another story for another day.\n\n The remaining fact is that CDECL is the default convention.\n Even if an explicit convention is hard-coded into the function\n prototypes inside C headers, problems may appear. The\n necessity to expose the convention in users' callbacks is one\n of these problems.\n\n The calling convention issues are also important when using\n zlib in other programming languages. Some of them, like Ada\n (GNAT) and Fortran (GNU G77), have C bindings implemented\n initially on Unix, and relying on the C calling convention.\n On the other hand, the pre- .NET versions of Microsoft Visual\n Basic require STDCALL, while Borland Delphi prefers, although\n it does not require, FASTCALL.\n\n In fairness to all possible uses of zlib outside the C\n programming language, we choose the default \"C\" convention.\n Anyone interested in different bindings or conventions is\n encouraged to maintain specialized projects. The \"contrib/\"\n directory from the zlib distribution already holds a couple\n of foreign bindings, such as Ada, C++, and Delphi.\n\n\n 7. I need a DLL for my Visual Basic project. What can I do?\n\n - Define the ZLIB_WINAPI macro before including \"zlib.h\", when\n building both the DLL and the user application (except that\n you don't need to define anything when using the DLL in Visual\n Basic). The ZLIB_WINAPI macro will switch on the WINAPI\n (STDCALL) convention. The name of this DLL must be different\n than the official ZLIB1.DLL.\n\n Gilles Vollant has contributed a build named ZLIBWAPI.DLL,\n with the ZLIB_WINAPI macro turned on, and with the minizip\n functionality built in. For more information, please read\n the notes inside \"contrib/vstudio/readme.txt\", found in the\n zlib distribution.\n\n\n 8. I need to use zlib in my Microsoft .NET project. What can I\n do?\n\n - Henrik Ravn has contributed a .NET wrapper around zlib. Look\n into contrib/dotzlib/, inside the zlib distribution.\n\n\n 9. If my application uses ZLIB1.DLL, should I link it to\n MSVCRT.DLL? Why?\n\n - It is not required, but it is recommended to link your\n application to MSVCRT.DLL, if it uses ZLIB1.DLL.\n\n The executables (.EXE, .DLL, etc.) that are involved in the\n same process and are using the C run-time library (i.e. they\n are calling standard C functions), must link to the same\n library. There are several libraries in the Win32 system:\n CRTDLL.DLL, MSVCRT.DLL, the static C libraries, etc.\n Since ZLIB1.DLL is linked to MSVCRT.DLL, the executables that\n depend on it should also be linked to MSVCRT.DLL.\n\n\n10. Why are you saying that ZLIB1.DLL and my application should\n be linked to the same C run-time (CRT) library? I linked my\n application and my DLLs to different C libraries (e.g. my\n application to a static library, and my DLLs to MSVCRT.DLL),\n and everything works fine.\n\n - If a user library invokes only pure Win32 API (accessible via\n and the related headers), its DLL build will work\n in any context. But if this library invokes standard C API,\n things get more complicated.\n\n There is a single Win32 library in a Win32 system. Every\n function in this library resides in a single DLL module, that\n is safe to call from anywhere. On the other hand, there are\n multiple versions of the C library, and each of them has its\n own separate internal state. Standalone executables and user\n DLLs that call standard C functions must link to a C run-time\n (CRT) library, be it static or shared (DLL). Intermixing\n occurs when an executable (not necessarily standalone) and a\n DLL are linked to different CRTs, and both are running in the\n same process.\n\n Intermixing multiple CRTs is possible, as long as their\n internal states are kept intact. The Microsoft Knowledge Base\n articles KB94248 \"HOWTO: Use the C Run-Time\" and KB140584\n \"HOWTO: Link with the Correct C Run-Time (CRT) Library\"\n mention the potential problems raised by intermixing.\n\n If intermixing works for you, it's because your application\n and DLLs are avoiding the corruption of each of the CRTs'\n internal states, maybe by careful design, or maybe by fortune.\n\n Also note that linking ZLIB1.DLL to non-Microsoft CRTs, such\n as those provided by Borland, raises similar problems.\n\n\n11. Why are you linking ZLIB1.DLL to MSVCRT.DLL?\n\n - MSVCRT.DLL exists on every Windows 95 with a new service pack\n installed, or with Microsoft Internet Explorer 4 or later, and\n on all other Windows 4.x or later (Windows 98, Windows NT 4,\n or later). It is freely distributable; if not present in the\n system, it can be downloaded from Microsoft or from other\n software provider for free.\n\n The fact that MSVCRT.DLL does not exist on a virgin Windows 95\n is not so problematic. Windows 95 is scarcely found nowadays,\n Microsoft ended its support a long time ago, and many recent\n applications from various vendors, including Microsoft, do not\n even run on it. Furthermore, no serious user should run\n Windows 95 without a proper update installed.\n\n\n12. Why are you not linking ZLIB1.DLL to\n <> ?\n\n - We considered and abandoned the following alternatives:\n\n * Linking ZLIB1.DLL to a static C library (LIBC.LIB, or\n LIBCMT.LIB) is not a good option. People are using the DLL\n mainly to save disk space. If you are linking your program\n to a static C library, you may as well consider linking zlib\n in statically, too.\n\n * Linking ZLIB1.DLL to CRTDLL.DLL looks appealing, because\n CRTDLL.DLL is present on every Win32 installation.\n Unfortunately, it has a series of problems: it does not\n work properly with Microsoft's C++ libraries, it does not\n provide support for 64-bit file offsets, (and so on...),\n and Microsoft discontinued its support a long time ago.\n\n * Linking ZLIB1.DLL to MSVCR70.DLL or MSVCR71.DLL, supplied\n with the Microsoft .NET platform, and Visual C++ 7.0/7.1,\n raises problems related to the status of ZLIB1.DLL as a\n system component. According to the Microsoft Knowledge Base\n article KB326922 \"INFO: Redistribution of the Shared C\n Runtime Component in Visual C++ .NET\", MSVCR70.DLL and\n MSVCR71.DLL are not supposed to function as system DLLs,\n because they may clash with MSVCRT.DLL. Instead, the\n application's installer is supposed to put these DLLs\n (if needed) in the application's private directory.\n If ZLIB1.DLL depends on a non-system runtime, it cannot\n function as a redistributable system component.\n\n * Linking ZLIB1.DLL to non-Microsoft runtimes, such as\n Borland's, or Cygwin's, raises problems related to the\n reliable presence of these runtimes on Win32 systems.\n It's easier to let the DLL build of zlib up to the people\n who distribute these runtimes, and who may proceed as\n explained in the answer to Question 14.\n\n\n13. If ZLIB1.DLL cannot be linked to MSVCR70.DLL or MSVCR71.DLL,\n how can I build/use ZLIB1.DLL in Microsoft Visual C++ 7.0\n (Visual Studio .NET) or newer?\n\n - Due to the problems explained in the Microsoft Knowledge Base\n article KB326922 (see the previous answer), the C runtime that\n comes with the VC7 environment is no longer considered a\n system component. That is, it should not be assumed that this\n runtime exists, or may be installed in a system directory.\n Since ZLIB1.DLL is supposed to be a system component, it may\n not depend on a non-system component.\n\n In order to link ZLIB1.DLL and your application to MSVCRT.DLL\n in VC7, you need the library of Visual C++ 6.0 or older. If\n you don't have this library at hand, it's probably best not to\n use ZLIB1.DLL.\n\n We are hoping that, in the future, Microsoft will provide a\n way to build applications linked to a proper system runtime,\n from the Visual C++ environment. Until then, you have a\n couple of alternatives, such as linking zlib in statically.\n If your application requires dynamic linking, you may proceed\n as explained in the answer to Question 14.\n\n\n14. I need to link my own DLL build to a CRT different than\n MSVCRT.DLL. What can I do?\n\n - Feel free to rebuild the DLL from the zlib sources, and link\n it the way you want. You should, however, clearly state that\n your build is unofficial. You should give it a different file\n name, and/or install it in a private directory that can be\n accessed by your application only, and is not visible to the\n others (i.e. it's neither in the PATH, nor in the SYSTEM or\n SYSTEM32 directories). Otherwise, your build may clash with\n applications that link to the official build.\n\n For example, in Cygwin, zlib is linked to the Cygwin runtime\n CYGWIN1.DLL, and it is distributed under the name CYGZ.DLL.\n\n\n15. May I include additional pieces of code that I find useful,\n link them in ZLIB1.DLL, and export them?\n\n - No. A legitimate build of ZLIB1.DLL must not include code\n that does not originate from the official zlib source code.\n But you can make your own private DLL build, under a different\n file name, as suggested in the previous answer.\n\n For example, zlib is a part of the VCL library, distributed\n with Borland Delphi and C++ Builder. The DLL build of VCL\n is a redistributable file, named VCLxx.DLL.\n\n\n16. May I remove some functionality out of ZLIB1.DLL, by enabling\n macros like NO_GZCOMPRESS or NO_GZIP at compile time?\n\n - No. A legitimate build of ZLIB1.DLL must provide the complete\n zlib functionality, as implemented in the official zlib source\n code. But you can make your own private DLL build, under a\n different file name, as suggested in the previous answer.\n\n\n17. I made my own ZLIB1.DLL build. Can I test it for compliance?\n\n - We prefer that you download the official DLL from the zlib\n web site. If you need something peculiar from this DLL, you\n can send your suggestion to the zlib mailing list.\n\n However, in case you do rebuild the DLL yourself, you can run\n it with the test programs found in the DLL distribution.\n Running these test programs is not a guarantee of compliance,\n but a failure can imply a detected problem.\n\n**\n\nThis document is written and maintained by\nCosmin Truta \n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.bor", "content": "# Makefile for zlib\n# Borland C++ for Win32\n#\n# Usage:\n# make -f win32/Makefile.bor\n\n# ------------ Borland C++ ------------\n\n# Optional nonstandard preprocessor flags (e.g. -DMAX_MEM_LEVEL=7)\n# should be added to the environment via \"set LOCAL_ZLIB=-DFOO\" or\n# added to the declaration of LOC here:\nLOC = $(LOCAL_ZLIB)\n\nCC = bcc32\nAS = bcc32\nLD = bcc32\nAR = tlib\nCFLAGS = -a -d -k- -O2 $(LOC)\nASFLAGS = $(LOC)\nLDFLAGS = $(LOC)\n\n\n# variables\nZLIB_LIB = zlib.lib\n\nOBJ1 = adler32.obj compress.obj crc32.obj deflate.obj gzclose.obj gzlib.obj gzread.obj\nOBJ2 = gzwrite.obj infback.obj inffast.obj inflate.obj inftrees.obj trees.obj uncompr.obj zutil.obj\n#OBJA =\nOBJP1 = +adler32.obj+compress.obj+crc32.obj+deflate.obj+gzclose.obj+gzlib.obj+gzread.obj\nOBJP2 = +gzwrite.obj+infback.obj+inffast.obj+inflate.obj+inftrees.obj+trees.obj+uncompr.obj+zutil.obj\n#OBJPA=\n\n\n# targets\nall: $(ZLIB_LIB) example.exe minigzip.exe\n\n.c.obj:\n\t$(CC) -c $(CFLAGS) $<\n\n.asm.obj:\n\t$(AS) -c $(ASFLAGS) $<\n\nadler32.obj: adler32.c zlib.h zconf.h\n\ncompress.obj: compress.c zlib.h zconf.h\n\ncrc32.obj: crc32.c zlib.h zconf.h crc32.h\n\ndeflate.obj: deflate.c deflate.h zutil.h zlib.h zconf.h\n\ngzclose.obj: gzclose.c zlib.h zconf.h gzguts.h\n\ngzlib.obj: gzlib.c zlib.h zconf.h gzguts.h\n\ngzread.obj: gzread.c zlib.h zconf.h gzguts.h\n\ngzwrite.obj: gzwrite.c zlib.h zconf.h gzguts.h\n\ninfback.obj: infback.c zutil.h zlib.h zconf.h inftrees.h inflate.h \\\n inffast.h inffixed.h\n\ninffast.obj: inffast.c zutil.h zlib.h zconf.h inftrees.h inflate.h \\\n inffast.h\n\ninflate.obj: inflate.c zutil.h zlib.h zconf.h inftrees.h inflate.h \\\n inffast.h inffixed.h\n\ninftrees.obj: inftrees.c zutil.h zlib.h zconf.h inftrees.h\n\ntrees.obj: trees.c zutil.h zlib.h zconf.h deflate.h trees.h\n\nuncompr.obj: uncompr.c zlib.h zconf.h\n\nzutil.obj: zutil.c zutil.h zlib.h zconf.h\n\nexample.obj: test/example.c zlib.h zconf.h\n\nminigzip.obj: test/minigzip.c zlib.h zconf.h\n\n\n# For the sake of the old Borland make,\n# the command line is cut to fit in the MS-DOS 128 byte limit:\n$(ZLIB_LIB): $(OBJ1) $(OBJ2) $(OBJA)\n\t-del $(ZLIB_LIB)\n\t$(AR) $(ZLIB_LIB) $(OBJP1)\n\t$(AR) $(ZLIB_LIB) $(OBJP2)\n\t$(AR) $(ZLIB_LIB) $(OBJPA)\n\n\n# testing\ntest: example.exe minigzip.exe\n\texample\n\techo hello world | minigzip | minigzip -d\n\nexample.exe: example.obj $(ZLIB_LIB)\n\t$(LD) $(LDFLAGS) example.obj $(ZLIB_LIB)\n\nminigzip.exe: minigzip.obj $(ZLIB_LIB)\n\t$(LD) $(LDFLAGS) minigzip.obj $(ZLIB_LIB)\n\n\n# cleanup\nclean:\n\t-del $(ZLIB_LIB)\n\t-del *.obj\n\t-del *.exe\n\t-del *.tds\n\t-del zlib.bak\n\t-del foo.gz\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.gcc", "content": "# Makefile for zlib, derived from Makefile.dj2.\n# Modified for mingw32 by C. Spieler, 6/16/98.\n# Updated for zlib 1.2.x by Christian Spieler and Cosmin Truta, Mar-2003.\n# Last updated: Mar 2012.\n# Tested under Cygwin and MinGW.\n\n# Copyright (C) 1995-2003 Jean-loup Gailly.\n# For conditions of distribution and use, see copyright notice in zlib.h\n\n# To compile, or to compile and test, type from the top level zlib directory:\n#\n# make -fwin32/Makefile.gcc; make test testdll -fwin32/Makefile.gcc\n#\n# To install libz.a, zconf.h and zlib.h in the system directories, type:\n#\n# make install -fwin32/Makefile.gcc\n#\n# BINARY_PATH, INCLUDE_PATH and LIBRARY_PATH must be set.\n#\n# To install the shared lib, append SHARED_MODE=1 to the make command :\n#\n# make install -fwin32/Makefile.gcc SHARED_MODE=1\n\n# Note:\n# If the platform is *not* MinGW (e.g. it is Cygwin or UWIN),\n# the DLL name should be changed from \"zlib1.dll\".\n\nSTATICLIB = libz.a\nSHAREDLIB = zlib1.dll\nIMPLIB = libz.dll.a\n\n#\n# Set to 1 if shared object needs to be installed\n#\nSHARED_MODE=0\n\n#LOC = -DZLIB_DEBUG -g\n\nPREFIX =\nCC = $(PREFIX)gcc\nCFLAGS = $(LOC) -O3 -Wall\n\nAS = $(CC)\nASFLAGS = $(LOC) -Wall\n\nLD = $(CC)\nLDFLAGS = $(LOC)\n\nAR = $(PREFIX)ar\nARFLAGS = rcs\n\nRC = $(PREFIX)windres\nRCFLAGS = --define GCC_WINDRES\n\nSTRIP = $(PREFIX)strip\n\nCP = cp -fp\n# If GNU install is available, replace $(CP) with install.\nINSTALL = $(CP)\nRM = rm -f\n\nprefix ?= /usr/local\nexec_prefix = $(prefix)\n\nOBJS = adler32.o compress.o crc32.o deflate.o gzclose.o gzlib.o gzread.o \\\n gzwrite.o infback.o inffast.o inflate.o inftrees.o trees.o uncompr.o zutil.o\nOBJA =\n\nall: $(STATICLIB) $(SHAREDLIB) $(IMPLIB) example.exe minigzip.exe example_d.exe minigzip_d.exe\n\ntest: example.exe minigzip.exe\n\t./example\n\techo hello world | ./minigzip | ./minigzip -d\n\ntestdll: example_d.exe minigzip_d.exe\n\t./example_d\n\techo hello world | ./minigzip_d | ./minigzip_d -d\n\n.c.o:\n\t$(CC) $(CFLAGS) -c -o $@ $<\n\n.S.o:\n\t$(AS) $(ASFLAGS) -c -o $@ $<\n\n$(STATICLIB): $(OBJS) $(OBJA)\n\t$(AR) $(ARFLAGS) $@ $(OBJS) $(OBJA)\n\n$(IMPLIB): $(SHAREDLIB)\n\n$(SHAREDLIB): win32/zlib.def $(OBJS) $(OBJA) zlibrc.o\n\t$(CC) -shared -Wl,--out-implib,$(IMPLIB) $(LDFLAGS) \\\n\t-o $@ win32/zlib.def $(OBJS) $(OBJA) zlibrc.o\n\t$(STRIP) $@\n\nexample.exe: example.o $(STATICLIB)\n\t$(LD) $(LDFLAGS) -o $@ example.o $(STATICLIB)\n\t$(STRIP) $@\n\nminigzip.exe: minigzip.o $(STATICLIB)\n\t$(LD) $(LDFLAGS) -o $@ minigzip.o $(STATICLIB)\n\t$(STRIP) $@\n\nexample_d.exe: example.o $(IMPLIB)\n\t$(LD) $(LDFLAGS) -o $@ example.o $(IMPLIB)\n\t$(STRIP) $@\n\nminigzip_d.exe: minigzip.o $(IMPLIB)\n\t$(LD) $(LDFLAGS) -o $@ minigzip.o $(IMPLIB)\n\t$(STRIP) $@\n\nexample.o: test/example.c zlib.h zconf.h\n\t$(CC) $(CFLAGS) -I. -c -o $@ test/example.c\n\nminigzip.o: test/minigzip.c zlib.h zconf.h\n\t$(CC) $(CFLAGS) -I. -c -o $@ test/minigzip.c\n\nzlibrc.o: win32/zlib1.rc\n\t$(RC) $(RCFLAGS) -o $@ win32/zlib1.rc\n\n.PHONY: install uninstall clean\n\ninstall: zlib.h zconf.h $(STATICLIB) $(IMPLIB)\n\t@if test -z \"$(DESTDIR)$(INCLUDE_PATH)\" -o -z \"$(DESTDIR)$(LIBRARY_PATH)\" -o -z \"$(DESTDIR)$(BINARY_PATH)\"; then \\\n\t\techo INCLUDE_PATH, LIBRARY_PATH, and BINARY_PATH must be specified; \\\n\t\texit 1; \\\n\tfi\n\t-@mkdir -p '$(DESTDIR)$(INCLUDE_PATH)'\n\t-@mkdir -p '$(DESTDIR)$(LIBRARY_PATH)' '$(DESTDIR)$(LIBRARY_PATH)'/pkgconfig\n\t-if [ \"$(SHARED_MODE)\" = \"1\" ]; then \\\n\t\tmkdir -p '$(DESTDIR)$(BINARY_PATH)'; \\\n\t\t$(INSTALL) $(SHAREDLIB) '$(DESTDIR)$(BINARY_PATH)'; \\\n\t\t$(INSTALL) $(IMPLIB) '$(DESTDIR)$(LIBRARY_PATH)'; \\\n\tfi\n\t-$(INSTALL) zlib.h '$(DESTDIR)$(INCLUDE_PATH)'\n\t-$(INSTALL) zconf.h '$(DESTDIR)$(INCLUDE_PATH)'\n\t-$(INSTALL) $(STATICLIB) '$(DESTDIR)$(LIBRARY_PATH)'\n\tsed \\\n\t\t-e 's|@prefix@|${prefix}|g' \\\n\t\t-e 's|@exec_prefix@|${exec_prefix}|g' \\\n\t\t-e 's|@libdir@|$(LIBRARY_PATH)|g' \\\n\t\t-e 's|@sharedlibdir@|$(LIBRARY_PATH)|g' \\\n\t\t-e 's|@includedir@|$(INCLUDE_PATH)|g' \\\n\t\t-e 's|@VERSION@|'`sed -n -e '/VERSION \"/s/.*\"\\(.*\\)\".*/\\1/p' zlib.h`'|g' \\\n\t\tzlib.pc.in > '$(DESTDIR)$(LIBRARY_PATH)'/pkgconfig/zlib.pc\n\nuninstall:\n\t-if [ \"$(SHARED_MODE)\" = \"1\" ]; then \\\n\t\t$(RM) '$(DESTDIR)$(BINARY_PATH)'/$(SHAREDLIB); \\\n\t\t$(RM) '$(DESTDIR)$(LIBRARY_PATH)'/$(IMPLIB); \\\n\tfi\n\t-$(RM) '$(DESTDIR)$(INCLUDE_PATH)'/zlib.h\n\t-$(RM) '$(DESTDIR)$(INCLUDE_PATH)'/zconf.h\n\t-$(RM) '$(DESTDIR)$(LIBRARY_PATH)'/$(STATICLIB)\n\nclean:\n\t-$(RM) $(STATICLIB)\n\t-$(RM) $(SHAREDLIB)\n\t-$(RM) $(IMPLIB)\n\t-$(RM) *.o\n\t-$(RM) *.exe\n\t-$(RM) foo.gz\n\nadler32.o: zlib.h zconf.h\ncompress.o: zlib.h zconf.h\ncrc32.o: crc32.h zlib.h zconf.h\ndeflate.o: deflate.h zutil.h zlib.h zconf.h\ngzclose.o: zlib.h zconf.h gzguts.h\ngzlib.o: zlib.h zconf.h gzguts.h\ngzread.o: zlib.h zconf.h gzguts.h\ngzwrite.o: zlib.h zconf.h gzguts.h\ninffast.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninflate.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninfback.o: zutil.h zlib.h zconf.h inftrees.h inflate.h inffast.h\ninftrees.o: zutil.h zlib.h zconf.h inftrees.h\ntrees.o: deflate.h zutil.h zlib.h zconf.h trees.h\nuncompr.o: zlib.h zconf.h\nzutil.o: zutil.h zlib.h zconf.h\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/Makefile.msc", "content": "# Makefile for zlib using Microsoft (Visual) C\n# zlib is copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler\n#\n# Usage:\n# nmake -f win32/Makefile.msc (standard build)\n# nmake -f win32/Makefile.msc LOC=-DFOO (nonstandard build)\n\n# The toplevel directory of the source tree.\n#\nTOP = .\n\n# optional build flags\nLOC =\n\n# variables\nSTATICLIB = zlib.lib\nSHAREDLIB = zlib1.dll\nIMPLIB = zdll.lib\n\nCC = cl\nAS = ml\nLD = link\nAR = lib\nRC = rc\nCFLAGS = -nologo -MD -W3 -O2 -Oy- -Zi -Fd\"zlib\" $(LOC)\nWFLAGS = -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE\nASFLAGS = -coff -Zi $(LOC)\nLDFLAGS = -nologo -debug -incremental:no -opt:ref\nARFLAGS = -nologo\nRCFLAGS = /dWIN32 /r\n\nOBJS = adler32.obj compress.obj crc32.obj deflate.obj gzclose.obj gzlib.obj gzread.obj \\\n gzwrite.obj infback.obj inflate.obj inftrees.obj inffast.obj trees.obj uncompr.obj zutil.obj\nOBJA =\n\n\n# targets\nall: $(STATICLIB) $(SHAREDLIB) $(IMPLIB) \\\n example.exe minigzip.exe example_d.exe minigzip_d.exe\n\n$(STATICLIB): $(OBJS) $(OBJA)\n\t$(AR) $(ARFLAGS) -out:$@ $(OBJS) $(OBJA)\n\n$(IMPLIB): $(SHAREDLIB)\n\n$(SHAREDLIB): $(TOP)/win32/zlib.def $(OBJS) $(OBJA) zlib1.res\n\t$(LD) $(LDFLAGS) -def:$(TOP)/win32/zlib.def -dll -implib:$(IMPLIB) \\\n\t -out:$@ -base:0x5A4C0000 $(OBJS) $(OBJA) zlib1.res\n\tif exist $@.manifest \\\n\t mt -nologo -manifest $@.manifest -outputresource:$@;2\n\nexample.exe: example.obj $(STATICLIB)\n\t$(LD) $(LDFLAGS) example.obj $(STATICLIB)\n\tif exist $@.manifest \\\n\t mt -nologo -manifest $@.manifest -outputresource:$@;1\n\nminigzip.exe: minigzip.obj $(STATICLIB)\n\t$(LD) $(LDFLAGS) minigzip.obj $(STATICLIB)\n\tif exist $@.manifest \\\n\t mt -nologo -manifest $@.manifest -outputresource:$@;1\n\nexample_d.exe: example.obj $(IMPLIB)\n\t$(LD) $(LDFLAGS) -out:$@ example.obj $(IMPLIB)\n\tif exist $@.manifest \\\n\t mt -nologo -manifest $@.manifest -outputresource:$@;1\n\nminigzip_d.exe: minigzip.obj $(IMPLIB)\n\t$(LD) $(LDFLAGS) -out:$@ minigzip.obj $(IMPLIB)\n\tif exist $@.manifest \\\n\t mt -nologo -manifest $@.manifest -outputresource:$@;1\n\n{$(TOP)}.c.obj:\n\t$(CC) -c $(WFLAGS) $(CFLAGS) $<\n\n{$(TOP)/test}.c.obj:\n\t$(CC) -c -I$(TOP) $(WFLAGS) $(CFLAGS) $<\n\n{$(TOP)/contrib/masmx64}.c.obj:\n\t$(CC) -c $(WFLAGS) $(CFLAGS) $<\n\n{$(TOP)/contrib/masmx64}.asm.obj:\n\t$(AS) -c $(ASFLAGS) $<\n\n{$(TOP)/contrib/masmx86}.asm.obj:\n\t$(AS) -c $(ASFLAGS) $<\n\nadler32.obj: $(TOP)/adler32.c $(TOP)/zlib.h $(TOP)/zconf.h\n\ncompress.obj: $(TOP)/compress.c $(TOP)/zlib.h $(TOP)/zconf.h\n\ncrc32.obj: $(TOP)/crc32.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/crc32.h\n\ndeflate.obj: $(TOP)/deflate.c $(TOP)/deflate.h $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h\n\ngzclose.obj: $(TOP)/gzclose.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h\n\ngzlib.obj: $(TOP)/gzlib.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h\n\ngzread.obj: $(TOP)/gzread.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h\n\ngzwrite.obj: $(TOP)/gzwrite.c $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/gzguts.h\n\ninfback.obj: $(TOP)/infback.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \\\n $(TOP)/inffast.h $(TOP)/inffixed.h\n\ninffast.obj: $(TOP)/inffast.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \\\n $(TOP)/inffast.h\n\ninflate.obj: $(TOP)/inflate.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h $(TOP)/inflate.h \\\n $(TOP)/inffast.h $(TOP)/inffixed.h\n\ninftrees.obj: $(TOP)/inftrees.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/inftrees.h\n\ntrees.obj: $(TOP)/trees.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h $(TOP)/deflate.h $(TOP)/trees.h\n\nuncompr.obj: $(TOP)/uncompr.c $(TOP)/zlib.h $(TOP)/zconf.h\n\nzutil.obj: $(TOP)/zutil.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h\n\ngvmat64.obj: $(TOP)/contrib\\masmx64\\gvmat64.asm\n\ninffasx64.obj: $(TOP)/contrib\\masmx64\\inffasx64.asm\n\ninffas8664.obj: $(TOP)/contrib\\masmx64\\inffas8664.c $(TOP)/zutil.h $(TOP)/zlib.h $(TOP)/zconf.h \\\n\t\t$(TOP)/inftrees.h $(TOP)/inflate.h $(TOP)/inffast.h\n\ninffas32.obj: $(TOP)/contrib\\masmx86\\inffas32.asm\n\nmatch686.obj: $(TOP)/contrib\\masmx86\\match686.asm\n\nexample.obj: $(TOP)/test/example.c $(TOP)/zlib.h $(TOP)/zconf.h\n\nminigzip.obj: $(TOP)/test/minigzip.c $(TOP)/zlib.h $(TOP)/zconf.h\n\nzlib1.res: $(TOP)/win32/zlib1.rc\n\t$(RC) $(RCFLAGS) /fo$@ $(TOP)/win32/zlib1.rc\n\n# testing\ntest: example.exe minigzip.exe\n\texample\n\techo hello world | minigzip | minigzip -d\n\ntestdll: example_d.exe minigzip_d.exe\n\texample_d\n\techo hello world | minigzip_d | minigzip_d -d\n\n\n# cleanup\nclean:\n\t-del $(STATICLIB)\n\t-del $(SHAREDLIB)\n\t-del $(IMPLIB)\n\t-del *.obj\n\t-del *.res\n\t-del *.exp\n\t-del *.exe\n\t-del *.pdb\n\t-del *.manifest\n\t-del foo.gz\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/README-WIN32.txt", "content": "ZLIB DATA COMPRESSION LIBRARY\n\nzlib 1.3.0 is a general purpose data compression library. All the code is\nthread safe. The data format used by the zlib library is described by RFCs\n(Request for Comments) 1950 to 1952 in the files\nhttp://www.ietf.org/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format)\nand rfc1952.txt (gzip format).\n\nAll functions of the compression library are documented in the file zlib.h\n(volunteer to write man pages welcome, contact zlib@gzip.org). Two compiled\nexamples are distributed in this package, example and minigzip. The example_d\nand minigzip_d flavors validate that the zlib1.dll file is working correctly.\n\nQuestions about zlib should be sent to . The zlib home page\nis http://zlib.net/ . Before reporting a problem, please check this site to\nverify that you have the latest version of zlib; otherwise get the latest\nversion and check whether the problem still exists or not.\n\nPLEASE read DLL_FAQ.txt, and the the zlib FAQ http://zlib.net/zlib_faq.html\nbefore asking for help.\n\n\nManifest:\n\nThe package zlib-1.3.0-win32-x86.zip will contain the following files:\n\n README-WIN32.txt This document\n ChangeLog Changes since previous zlib packages\n DLL_FAQ.txt Frequently asked questions about zlib1.dll\n zlib.3.pdf Documentation of this library in Adobe Acrobat format\n\n example.exe A statically-bound example (using zlib.lib, not the dll)\n example.pdb Symbolic information for debugging example.exe\n\n example_d.exe A zlib1.dll bound example (using zdll.lib)\n example_d.pdb Symbolic information for debugging example_d.exe\n\n minigzip.exe A statically-bound test program (using zlib.lib, not the dll)\n minigzip.pdb Symbolic information for debugging minigzip.exe\n\n minigzip_d.exe A zlib1.dll bound test program (using zdll.lib)\n minigzip_d.pdb Symbolic information for debugging minigzip_d.exe\n\n zlib.h Install these files into the compilers' INCLUDE path to\n zconf.h compile programs which use zlib.lib or zdll.lib\n\n zdll.lib Install these files into the compilers' LIB path if linking\n zdll.exp a compiled program to the zlib1.dll binary\n\n zlib.lib Install these files into the compilers' LIB path to link zlib\n zlib.pdb into compiled programs, without zlib1.dll runtime dependency\n (zlib.pdb provides debugging info to the compile time linker)\n\n zlib1.dll Install this binary shared library into the system PATH, or\n the program's runtime directory (where the .exe resides)\n zlib1.pdb Install in the same directory as zlib1.dll, in order to debug\n an application crash using WinDbg or similar tools.\n\nAll .pdb files above are entirely optional, but are very useful to a developer\nattempting to diagnose program misbehavior or a crash. Many additional\nimportant files for developers can be found in the zlib127.zip source package\navailable from http://zlib.net/ - review that package's README file for details.\n\n\nAcknowledgments:\n\nThe deflate format used by zlib was defined by Phil Katz. The deflate and\nzlib specifications were written by L. Peter Deutsch. Thanks to all the\npeople who reported problems and suggested various improvements in zlib; they\nare too numerous to cite here.\n\n\nCopyright notice:\n\n (C) 1995-2017 Jean-loup Gailly and Mark Adler\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the authors be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Jean-loup Gailly Mark Adler\n jloup@gzip.org madler@alumni.caltech.edu\n\nIf you use the zlib library in a product, we would appreciate *not* receiving\nlengthy legal documents to sign. The sources are provided for free but without\nwarranty of any kind. The library has been entirely written by Jean-loup\nGailly and Mark Adler; it does not include third-party code.\n\nIf you redistribute modified sources, we would appreciate that you include in\nthe file ChangeLog history information documenting your changes. Please read\nthe FAQ for more information on the distribution of modified source versions.\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/VisualC.txt", "content": "\nTo build zlib using the Microsoft Visual C++ environment,\nuse the appropriate project from the contrib/vstudio/ directory.\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/zlib.def", "content": "; zlib data compression library\r\nEXPORTS\r\n; basic functions\r\n zlibVersion\r\n deflate\r\n deflateEnd\r\n inflate\r\n inflateEnd\r\n; advanced functions\r\n deflateSetDictionary\r\n deflateGetDictionary\r\n deflateCopy\r\n deflateReset\r\n deflateParams\r\n deflateTune\r\n deflateBound\r\n deflatePending\r\n deflatePrime\r\n deflateSetHeader\r\n inflateSetDictionary\r\n inflateGetDictionary\r\n inflateSync\r\n inflateCopy\r\n inflateReset\r\n inflateReset2\r\n inflatePrime\r\n inflateMark\r\n inflateGetHeader\r\n inflateBack\r\n inflateBackEnd\r\n zlibCompileFlags\r\n; utility functions\r\n compress\r\n compress2\r\n compressBound\r\n uncompress\r\n uncompress2\r\n gzopen\r\n gzdopen\r\n gzbuffer\r\n gzsetparams\r\n gzread\r\n gzfread\r\n gzwrite\r\n gzfwrite\r\n gzprintf\r\n gzvprintf\r\n gzputs\r\n gzgets\r\n gzputc\r\n gzgetc\r\n gzungetc\r\n gzflush\r\n gzseek\r\n gzrewind\r\n gztell\r\n gzoffset\r\n gzeof\r\n gzdirect\r\n gzclose\r\n gzclose_r\r\n gzclose_w\r\n gzerror\r\n gzclearerr\r\n; large file functions\r\n gzopen64\r\n gzseek64\r\n gztell64\r\n gzoffset64\r\n adler32_combine64\r\n crc32_combine64\r\n crc32_combine_gen64\r\n; checksum functions\r\n adler32\r\n adler32_z\r\n crc32\r\n crc32_z\r\n adler32_combine\r\n crc32_combine\r\n crc32_combine_gen\r\n crc32_combine_op\r\n; various hacks, don't look :)\r\n deflateInit_\r\n deflateInit2_\r\n inflateInit_\r\n inflateInit2_\r\n inflateBackInit_\r\n gzgetc_\r\n zError\r\n inflateSyncPoint\r\n get_crc_table\r\n inflateUndermine\r\n inflateValidate\r\n inflateCodesUsed\r\n inflateResetKeep\r\n deflateResetKeep\r\n gzopen_w\r\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/win32/zlib1.rc", "content": "#include \n#include \"../zlib.h\"\n\n#ifdef GCC_WINDRES\nVS_VERSION_INFO\t\tVERSIONINFO\n#else\nVS_VERSION_INFO\t\tVERSIONINFO\tMOVEABLE IMPURE LOADONCALL DISCARDABLE\n#endif\n FILEVERSION\t\tZLIB_VER_MAJOR,ZLIB_VER_MINOR,ZLIB_VER_REVISION,0\n PRODUCTVERSION\tZLIB_VER_MAJOR,ZLIB_VER_MINOR,ZLIB_VER_REVISION,0\n FILEFLAGSMASK\t\tVS_FFI_FILEFLAGSMASK\n#ifdef _DEBUG\n FILEFLAGS\t\t1\n#else\n FILEFLAGS\t\t0\n#endif\n FILEOS\t\tVOS__WINDOWS32\n FILETYPE\t\tVFT_DLL\n FILESUBTYPE\t\t0\t// not used\nBEGIN\n BLOCK \"StringFileInfo\"\n BEGIN\n BLOCK \"040904E4\"\n //language ID = U.S. English, char set = Windows, Multilingual\n BEGIN\n VALUE \"FileDescription\",\t\"zlib data compression library\\0\"\n VALUE \"FileVersion\",\tZLIB_VERSION \"\\0\"\n VALUE \"InternalName\",\t\"zlib1.dll\\0\"\n VALUE \"LegalCopyright\",\t\"(C) 1995-2022 Jean-loup Gailly & Mark Adler\\0\"\n VALUE \"OriginalFilename\",\t\"zlib1.dll\\0\"\n VALUE \"ProductName\",\t\"zlib\\0\"\n VALUE \"ProductVersion\",\tZLIB_VERSION \"\\0\"\n VALUE \"Comments\",\t\t\"For more information visit http://www.zlib.net/\\0\"\n END\n END\n BLOCK \"VarFileInfo\"\n BEGIN\n VALUE \"Translation\", 0x0409, 1252\n END\nEND\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h", "content": "/* zconf.h -- configuration of the zlib compression library\n * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#ifndef ZCONF_H\n#define ZCONF_H\n\n/*\n * If you *really* need a unique prefix for all types and library functions,\n * compile with -DZ_PREFIX. The \"standard\" zlib should be compiled without it.\n * Even better than compiling with -DZ_PREFIX would be to use configure to set\n * this permanently in zconf.h using \"./configure --zprefix\".\n */\n#ifdef Z_PREFIX /* may be set to #if 1 by ./configure */\n# define Z_PREFIX_SET\n\n/* all linked symbols and init macros */\n# define _dist_code z__dist_code\n# define _length_code z__length_code\n# define _tr_align z__tr_align\n# define _tr_flush_bits z__tr_flush_bits\n# define _tr_flush_block z__tr_flush_block\n# define _tr_init z__tr_init\n# define _tr_stored_block z__tr_stored_block\n# define _tr_tally z__tr_tally\n# define adler32 z_adler32\n# define adler32_combine z_adler32_combine\n# define adler32_combine64 z_adler32_combine64\n# define adler32_z z_adler32_z\n# ifndef Z_SOLO\n# define compress z_compress\n# define compress2 z_compress2\n# define compressBound z_compressBound\n# endif\n# define crc32 z_crc32\n# define crc32_combine z_crc32_combine\n# define crc32_combine64 z_crc32_combine64\n# define crc32_combine_gen z_crc32_combine_gen\n# define crc32_combine_gen64 z_crc32_combine_gen64\n# define crc32_combine_op z_crc32_combine_op\n# define crc32_z z_crc32_z\n# define deflate z_deflate\n# define deflateBound z_deflateBound\n# define deflateCopy z_deflateCopy\n# define deflateEnd z_deflateEnd\n# define deflateGetDictionary z_deflateGetDictionary\n# define deflateInit z_deflateInit\n# define deflateInit2 z_deflateInit2\n# define deflateInit2_ z_deflateInit2_\n# define deflateInit_ z_deflateInit_\n# define deflateParams z_deflateParams\n# define deflatePending z_deflatePending\n# define deflatePrime z_deflatePrime\n# define deflateReset z_deflateReset\n# define deflateResetKeep z_deflateResetKeep\n# define deflateSetDictionary z_deflateSetDictionary\n# define deflateSetHeader z_deflateSetHeader\n# define deflateTune z_deflateTune\n# define deflate_copyright z_deflate_copyright\n# define get_crc_table z_get_crc_table\n# ifndef Z_SOLO\n# define gz_error z_gz_error\n# define gz_intmax z_gz_intmax\n# define gz_strwinerror z_gz_strwinerror\n# define gzbuffer z_gzbuffer\n# define gzclearerr z_gzclearerr\n# define gzclose z_gzclose\n# define gzclose_r z_gzclose_r\n# define gzclose_w z_gzclose_w\n# define gzdirect z_gzdirect\n# define gzdopen z_gzdopen\n# define gzeof z_gzeof\n# define gzerror z_gzerror\n# define gzflush z_gzflush\n# define gzfread z_gzfread\n# define gzfwrite z_gzfwrite\n# define gzgetc z_gzgetc\n# define gzgetc_ z_gzgetc_\n# define gzgets z_gzgets\n# define gzoffset z_gzoffset\n# define gzoffset64 z_gzoffset64\n# define gzopen z_gzopen\n# define gzopen64 z_gzopen64\n# ifdef _WIN32\n# define gzopen_w z_gzopen_w\n# endif\n# define gzprintf z_gzprintf\n# define gzputc z_gzputc\n# define gzputs z_gzputs\n# define gzread z_gzread\n# define gzrewind z_gzrewind\n# define gzseek z_gzseek\n# define gzseek64 z_gzseek64\n# define gzsetparams z_gzsetparams\n# define gztell z_gztell\n# define gztell64 z_gztell64\n# define gzungetc z_gzungetc\n# define gzvprintf z_gzvprintf\n# define gzwrite z_gzwrite\n# endif\n# define inflate z_inflate\n# define inflateBack z_inflateBack\n# define inflateBackEnd z_inflateBackEnd\n# define inflateBackInit z_inflateBackInit\n# define inflateBackInit_ z_inflateBackInit_\n# define inflateCodesUsed z_inflateCodesUsed\n# define inflateCopy z_inflateCopy\n# define inflateEnd z_inflateEnd\n# define inflateGetDictionary z_inflateGetDictionary\n# define inflateGetHeader z_inflateGetHeader\n# define inflateInit z_inflateInit\n# define inflateInit2 z_inflateInit2\n# define inflateInit2_ z_inflateInit2_\n# define inflateInit_ z_inflateInit_\n# define inflateMark z_inflateMark\n# define inflatePrime z_inflatePrime\n# define inflateReset z_inflateReset\n# define inflateReset2 z_inflateReset2\n# define inflateResetKeep z_inflateResetKeep\n# define inflateSetDictionary z_inflateSetDictionary\n# define inflateSync z_inflateSync\n# define inflateSyncPoint z_inflateSyncPoint\n# define inflateUndermine z_inflateUndermine\n# define inflateValidate z_inflateValidate\n# define inflate_copyright z_inflate_copyright\n# define inflate_fast z_inflate_fast\n# define inflate_table z_inflate_table\n# ifndef Z_SOLO\n# define uncompress z_uncompress\n# define uncompress2 z_uncompress2\n# endif\n# define zError z_zError\n# ifndef Z_SOLO\n# define zcalloc z_zcalloc\n# define zcfree z_zcfree\n# endif\n# define zlibCompileFlags z_zlibCompileFlags\n# define zlibVersion z_zlibVersion\n\n/* all zlib typedefs in zlib.h and zconf.h */\n# define Byte z_Byte\n# define Bytef z_Bytef\n# define alloc_func z_alloc_func\n# define charf z_charf\n# define free_func z_free_func\n# ifndef Z_SOLO\n# define gzFile z_gzFile\n# endif\n# define gz_header z_gz_header\n# define gz_headerp z_gz_headerp\n# define in_func z_in_func\n# define intf z_intf\n# define out_func z_out_func\n# define uInt z_uInt\n# define uIntf z_uIntf\n# define uLong z_uLong\n# define uLongf z_uLongf\n# define voidp z_voidp\n# define voidpc z_voidpc\n# define voidpf z_voidpf\n\n/* all zlib structs in zlib.h and zconf.h */\n# define gz_header_s z_gz_header_s\n# define internal_state z_internal_state\n\n#endif\n\n#if defined(__MSDOS__) && !defined(MSDOS)\n# define MSDOS\n#endif\n#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)\n# define OS2\n#endif\n#if defined(_WINDOWS) && !defined(WINDOWS)\n# define WINDOWS\n#endif\n#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)\n# ifndef WIN32\n# define WIN32\n# endif\n#endif\n#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)\n# if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)\n# ifndef SYS16BIT\n# define SYS16BIT\n# endif\n# endif\n#endif\n\n/*\n * Compile with -DMAXSEG_64K if the alloc function cannot allocate more\n * than 64k bytes at a time (needed on systems with 16-bit int).\n */\n#ifdef SYS16BIT\n# define MAXSEG_64K\n#endif\n#ifdef MSDOS\n# define UNALIGNED_OK\n#endif\n\n#ifdef __STDC_VERSION__\n# ifndef STDC\n# define STDC\n# endif\n# if __STDC_VERSION__ >= 199901L\n# ifndef STDC99\n# define STDC99\n# endif\n# endif\n#endif\n#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))\n# define STDC\n#endif\n\n#if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */\n# define STDC\n#endif\n\n#ifndef STDC\n# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */\n# define const /* note: need a more gentle solution here */\n# endif\n#endif\n\n#if defined(ZLIB_CONST) && !defined(z_const)\n# define z_const const\n#else\n# define z_const\n#endif\n\n#ifdef Z_SOLO\n# ifdef _WIN64\n typedef unsigned long long z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n#else\n# define z_longlong long long\n# if defined(NO_SIZE_T)\n typedef unsigned NO_SIZE_T z_size_t;\n# elif defined(STDC)\n# include \n typedef size_t z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n# undef z_longlong\n#endif\n\n/* Maximum value for memLevel in deflateInit2 */\n#ifndef MAX_MEM_LEVEL\n# ifdef MAXSEG_64K\n# define MAX_MEM_LEVEL 8\n# else\n# define MAX_MEM_LEVEL 9\n# endif\n#endif\n\n/* Maximum value for windowBits in deflateInit2 and inflateInit2.\n * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files\n * created by gzip. (Files created by minigzip can still be extracted by\n * gzip.)\n */\n#ifndef MAX_WBITS\n# define MAX_WBITS 15 /* 32K LZ77 window */\n#endif\n\n/* The memory requirements for deflate are (in bytes):\n (1 << (windowBits+2)) + (1 << (memLevel+9))\n that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values)\n plus a few kilobytes for small objects. For example, if you want to reduce\n the default memory requirements from 256K to 128K, compile with\n make CFLAGS=\"-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7\"\n Of course this will generally degrade compression (there's no free lunch).\n\n The memory requirements for inflate are (in bytes) 1 << windowBits\n that is, 32K for windowBits=15 (default value) plus about 7 kilobytes\n for small objects.\n*/\n\n /* Type declarations */\n\n#ifndef OF /* function prototypes */\n# ifdef STDC\n# define OF(args) args\n# else\n# define OF(args) ()\n# endif\n#endif\n\n#ifndef Z_ARG /* function prototypes for stdarg */\n# if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# define Z_ARG(args) args\n# else\n# define Z_ARG(args) ()\n# endif\n#endif\n\n/* The following definitions for FAR are needed only for MSDOS mixed\n * model programming (small or medium model with some far allocations).\n * This was tested only with MSC; for other MSDOS compilers you may have\n * to define NO_MEMCPY in zutil.h. If you don't need the mixed model,\n * just define FAR to be empty.\n */\n#ifdef SYS16BIT\n# if defined(M_I86SM) || defined(M_I86MM)\n /* MSC small or medium model */\n# define SMALL_MEDIUM\n# ifdef _MSC_VER\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n# if (defined(__SMALL__) || defined(__MEDIUM__))\n /* Turbo C small or medium model */\n# define SMALL_MEDIUM\n# ifdef __BORLANDC__\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n#endif\n\n#if defined(WINDOWS) || defined(WIN32)\n /* If building or using zlib as a DLL, define ZLIB_DLL.\n * This is not mandatory, but it offers a little performance increase.\n */\n# ifdef ZLIB_DLL\n# if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))\n# ifdef ZLIB_INTERNAL\n# define ZEXTERN extern __declspec(dllexport)\n# else\n# define ZEXTERN extern __declspec(dllimport)\n# endif\n# endif\n# endif /* ZLIB_DLL */\n /* If building or using zlib with the WINAPI/WINAPIV calling convention,\n * define ZLIB_WINAPI.\n * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.\n */\n# ifdef ZLIB_WINAPI\n# ifdef FAR\n# undef FAR\n# endif\n# ifndef WIN32_LEAN_AND_MEAN\n# define WIN32_LEAN_AND_MEAN\n# endif\n# include \n /* No need for _export, use ZLIB.DEF instead. */\n /* For complete Windows compatibility, use WINAPI, not __stdcall. */\n# define ZEXPORT WINAPI\n# ifdef WIN32\n# define ZEXPORTVA WINAPIV\n# else\n# define ZEXPORTVA FAR CDECL\n# endif\n# endif\n#endif\n\n#if defined (__BEOS__)\n# ifdef ZLIB_DLL\n# ifdef ZLIB_INTERNAL\n# define ZEXPORT __declspec(dllexport)\n# define ZEXPORTVA __declspec(dllexport)\n# else\n# define ZEXPORT __declspec(dllimport)\n# define ZEXPORTVA __declspec(dllimport)\n# endif\n# endif\n#endif\n\n#ifndef ZEXTERN\n# define ZEXTERN extern\n#endif\n#ifndef ZEXPORT\n# define ZEXPORT\n#endif\n#ifndef ZEXPORTVA\n# define ZEXPORTVA\n#endif\n\n#ifndef FAR\n# define FAR\n#endif\n\n#if !defined(__MACTYPES__)\ntypedef unsigned char Byte; /* 8 bits */\n#endif\ntypedef unsigned int uInt; /* 16 bits or more */\ntypedef unsigned long uLong; /* 32 bits or more */\n\n#ifdef SMALL_MEDIUM\n /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */\n# define Bytef Byte FAR\n#else\n typedef Byte FAR Bytef;\n#endif\ntypedef char FAR charf;\ntypedef int FAR intf;\ntypedef uInt FAR uIntf;\ntypedef uLong FAR uLongf;\n\n#ifdef STDC\n typedef void const *voidpc;\n typedef void FAR *voidpf;\n typedef void *voidp;\n#else\n typedef Byte const *voidpc;\n typedef Byte FAR *voidpf;\n typedef Byte *voidp;\n#endif\n\n#if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC)\n# include \n# if (UINT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned\n# elif (ULONG_MAX == 0xffffffffUL)\n# define Z_U4 unsigned long\n# elif (USHRT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned short\n# endif\n#endif\n\n#ifdef Z_U4\n typedef Z_U4 z_crc_t;\n#else\n typedef unsigned long z_crc_t;\n#endif\n\n#ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_UNISTD_H\n#endif\n\n#ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_STDARG_H\n#endif\n\n#ifdef STDC\n# ifndef Z_SOLO\n# include /* for off_t */\n# endif\n#endif\n\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# ifndef Z_SOLO\n# include /* for va_list */\n# endif\n#endif\n\n#ifdef _WIN32\n# ifndef Z_SOLO\n# include /* for wchar_t */\n# endif\n#endif\n\n/* a little trick to accommodate both \"#define _LARGEFILE64_SOURCE\" and\n * \"#define _LARGEFILE64_SOURCE 1\" as requesting 64-bit operations, (even\n * though the former does not conform to the LFS document), but considering\n * both \"#undef _LARGEFILE64_SOURCE\" and \"#define _LARGEFILE64_SOURCE 0\" as\n * equivalently requesting no 64-bit operations\n */\n#if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1\n# undef _LARGEFILE64_SOURCE\n#endif\n\n#ifndef Z_HAVE_UNISTD_H\n# ifdef __WATCOMC__\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_HAVE_UNISTD_H\n# if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32)\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_SOLO\n# if defined(Z_HAVE_UNISTD_H)\n# include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */\n# ifdef VMS\n# include /* for off_t */\n# endif\n# ifndef z_off_t\n# define z_off_t off_t\n# endif\n# endif\n#endif\n\n#if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0\n# define Z_LFS64\n#endif\n\n#if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64)\n# define Z_LARGE64\n#endif\n\n#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64)\n# define Z_WANT64\n#endif\n\n#if !defined(SEEK_SET) && !defined(Z_SOLO)\n# define SEEK_SET 0 /* Seek from beginning of file. */\n# define SEEK_CUR 1 /* Seek from current position. */\n# define SEEK_END 2 /* Set file pointer to EOF plus \"offset\" */\n#endif\n\n#ifndef z_off_t\n# define z_off_t long\n#endif\n\n#if !defined(_WIN32) && defined(Z_LARGE64)\n# define z_off64_t off64_t\n#else\n# if defined(_WIN32) && !defined(__GNUC__)\n# define z_off64_t __int64\n# else\n# define z_off64_t z_off_t\n# endif\n#endif\n\n/* MVS linker does not support external names larger than 8 bytes */\n#if defined(__MVS__)\n #pragma map(deflateInit_,\"DEIN\")\n #pragma map(deflateInit2_,\"DEIN2\")\n #pragma map(deflateEnd,\"DEEND\")\n #pragma map(deflateBound,\"DEBND\")\n #pragma map(inflateInit_,\"ININ\")\n #pragma map(inflateInit2_,\"ININ2\")\n #pragma map(inflateEnd,\"INEND\")\n #pragma map(inflateSync,\"INSY\")\n #pragma map(inflateSetDictionary,\"INSEDI\")\n #pragma map(compressBound,\"CMBND\")\n #pragma map(inflate_table,\"INTABL\")\n #pragma map(inflate_fast,\"INFA\")\n #pragma map(inflate_copyright,\"INCOPY\")\n#endif\n\n#endif /* ZCONF_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h.cmakein", "content": "/* zconf.h -- configuration of the zlib compression library\n * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#ifndef ZCONF_H\n#define ZCONF_H\n#cmakedefine Z_PREFIX\n#cmakedefine Z_HAVE_UNISTD_H\n\n/*\n * If you *really* need a unique prefix for all types and library functions,\n * compile with -DZ_PREFIX. The \"standard\" zlib should be compiled without it.\n * Even better than compiling with -DZ_PREFIX would be to use configure to set\n * this permanently in zconf.h using \"./configure --zprefix\".\n */\n#ifdef Z_PREFIX /* may be set to #if 1 by ./configure */\n# define Z_PREFIX_SET\n\n/* all linked symbols and init macros */\n# define _dist_code z__dist_code\n# define _length_code z__length_code\n# define _tr_align z__tr_align\n# define _tr_flush_bits z__tr_flush_bits\n# define _tr_flush_block z__tr_flush_block\n# define _tr_init z__tr_init\n# define _tr_stored_block z__tr_stored_block\n# define _tr_tally z__tr_tally\n# define adler32 z_adler32\n# define adler32_combine z_adler32_combine\n# define adler32_combine64 z_adler32_combine64\n# define adler32_z z_adler32_z\n# ifndef Z_SOLO\n# define compress z_compress\n# define compress2 z_compress2\n# define compressBound z_compressBound\n# endif\n# define crc32 z_crc32\n# define crc32_combine z_crc32_combine\n# define crc32_combine64 z_crc32_combine64\n# define crc32_combine_gen z_crc32_combine_gen\n# define crc32_combine_gen64 z_crc32_combine_gen64\n# define crc32_combine_op z_crc32_combine_op\n# define crc32_z z_crc32_z\n# define deflate z_deflate\n# define deflateBound z_deflateBound\n# define deflateCopy z_deflateCopy\n# define deflateEnd z_deflateEnd\n# define deflateGetDictionary z_deflateGetDictionary\n# define deflateInit z_deflateInit\n# define deflateInit2 z_deflateInit2\n# define deflateInit2_ z_deflateInit2_\n# define deflateInit_ z_deflateInit_\n# define deflateParams z_deflateParams\n# define deflatePending z_deflatePending\n# define deflatePrime z_deflatePrime\n# define deflateReset z_deflateReset\n# define deflateResetKeep z_deflateResetKeep\n# define deflateSetDictionary z_deflateSetDictionary\n# define deflateSetHeader z_deflateSetHeader\n# define deflateTune z_deflateTune\n# define deflate_copyright z_deflate_copyright\n# define get_crc_table z_get_crc_table\n# ifndef Z_SOLO\n# define gz_error z_gz_error\n# define gz_intmax z_gz_intmax\n# define gz_strwinerror z_gz_strwinerror\n# define gzbuffer z_gzbuffer\n# define gzclearerr z_gzclearerr\n# define gzclose z_gzclose\n# define gzclose_r z_gzclose_r\n# define gzclose_w z_gzclose_w\n# define gzdirect z_gzdirect\n# define gzdopen z_gzdopen\n# define gzeof z_gzeof\n# define gzerror z_gzerror\n# define gzflush z_gzflush\n# define gzfread z_gzfread\n# define gzfwrite z_gzfwrite\n# define gzgetc z_gzgetc\n# define gzgetc_ z_gzgetc_\n# define gzgets z_gzgets\n# define gzoffset z_gzoffset\n# define gzoffset64 z_gzoffset64\n# define gzopen z_gzopen\n# define gzopen64 z_gzopen64\n# ifdef _WIN32\n# define gzopen_w z_gzopen_w\n# endif\n# define gzprintf z_gzprintf\n# define gzputc z_gzputc\n# define gzputs z_gzputs\n# define gzread z_gzread\n# define gzrewind z_gzrewind\n# define gzseek z_gzseek\n# define gzseek64 z_gzseek64\n# define gzsetparams z_gzsetparams\n# define gztell z_gztell\n# define gztell64 z_gztell64\n# define gzungetc z_gzungetc\n# define gzvprintf z_gzvprintf\n# define gzwrite z_gzwrite\n# endif\n# define inflate z_inflate\n# define inflateBack z_inflateBack\n# define inflateBackEnd z_inflateBackEnd\n# define inflateBackInit z_inflateBackInit\n# define inflateBackInit_ z_inflateBackInit_\n# define inflateCodesUsed z_inflateCodesUsed\n# define inflateCopy z_inflateCopy\n# define inflateEnd z_inflateEnd\n# define inflateGetDictionary z_inflateGetDictionary\n# define inflateGetHeader z_inflateGetHeader\n# define inflateInit z_inflateInit\n# define inflateInit2 z_inflateInit2\n# define inflateInit2_ z_inflateInit2_\n# define inflateInit_ z_inflateInit_\n# define inflateMark z_inflateMark\n# define inflatePrime z_inflatePrime\n# define inflateReset z_inflateReset\n# define inflateReset2 z_inflateReset2\n# define inflateResetKeep z_inflateResetKeep\n# define inflateSetDictionary z_inflateSetDictionary\n# define inflateSync z_inflateSync\n# define inflateSyncPoint z_inflateSyncPoint\n# define inflateUndermine z_inflateUndermine\n# define inflateValidate z_inflateValidate\n# define inflate_copyright z_inflate_copyright\n# define inflate_fast z_inflate_fast\n# define inflate_table z_inflate_table\n# ifndef Z_SOLO\n# define uncompress z_uncompress\n# define uncompress2 z_uncompress2\n# endif\n# define zError z_zError\n# ifndef Z_SOLO\n# define zcalloc z_zcalloc\n# define zcfree z_zcfree\n# endif\n# define zlibCompileFlags z_zlibCompileFlags\n# define zlibVersion z_zlibVersion\n\n/* all zlib typedefs in zlib.h and zconf.h */\n# define Byte z_Byte\n# define Bytef z_Bytef\n# define alloc_func z_alloc_func\n# define charf z_charf\n# define free_func z_free_func\n# ifndef Z_SOLO\n# define gzFile z_gzFile\n# endif\n# define gz_header z_gz_header\n# define gz_headerp z_gz_headerp\n# define in_func z_in_func\n# define intf z_intf\n# define out_func z_out_func\n# define uInt z_uInt\n# define uIntf z_uIntf\n# define uLong z_uLong\n# define uLongf z_uLongf\n# define voidp z_voidp\n# define voidpc z_voidpc\n# define voidpf z_voidpf\n\n/* all zlib structs in zlib.h and zconf.h */\n# define gz_header_s z_gz_header_s\n# define internal_state z_internal_state\n\n#endif\n\n#if defined(__MSDOS__) && !defined(MSDOS)\n# define MSDOS\n#endif\n#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)\n# define OS2\n#endif\n#if defined(_WINDOWS) && !defined(WINDOWS)\n# define WINDOWS\n#endif\n#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)\n# ifndef WIN32\n# define WIN32\n# endif\n#endif\n#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)\n# if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)\n# ifndef SYS16BIT\n# define SYS16BIT\n# endif\n# endif\n#endif\n\n/*\n * Compile with -DMAXSEG_64K if the alloc function cannot allocate more\n * than 64k bytes at a time (needed on systems with 16-bit int).\n */\n#ifdef SYS16BIT\n# define MAXSEG_64K\n#endif\n#ifdef MSDOS\n# define UNALIGNED_OK\n#endif\n\n#ifdef __STDC_VERSION__\n# ifndef STDC\n# define STDC\n# endif\n# if __STDC_VERSION__ >= 199901L\n# ifndef STDC99\n# define STDC99\n# endif\n# endif\n#endif\n#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))\n# define STDC\n#endif\n\n#if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */\n# define STDC\n#endif\n\n#ifndef STDC\n# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */\n# define const /* note: need a more gentle solution here */\n# endif\n#endif\n\n#if defined(ZLIB_CONST) && !defined(z_const)\n# define z_const const\n#else\n# define z_const\n#endif\n\n#ifdef Z_SOLO\n# ifdef _WIN64\n typedef unsigned long long z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n#else\n# define z_longlong long long\n# if defined(NO_SIZE_T)\n typedef unsigned NO_SIZE_T z_size_t;\n# elif defined(STDC)\n# include \n typedef size_t z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n# undef z_longlong\n#endif\n\n/* Maximum value for memLevel in deflateInit2 */\n#ifndef MAX_MEM_LEVEL\n# ifdef MAXSEG_64K\n# define MAX_MEM_LEVEL 8\n# else\n# define MAX_MEM_LEVEL 9\n# endif\n#endif\n\n/* Maximum value for windowBits in deflateInit2 and inflateInit2.\n * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files\n * created by gzip. (Files created by minigzip can still be extracted by\n * gzip.)\n */\n#ifndef MAX_WBITS\n# define MAX_WBITS 15 /* 32K LZ77 window */\n#endif\n\n/* The memory requirements for deflate are (in bytes):\n (1 << (windowBits+2)) + (1 << (memLevel+9))\n that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values)\n plus a few kilobytes for small objects. For example, if you want to reduce\n the default memory requirements from 256K to 128K, compile with\n make CFLAGS=\"-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7\"\n Of course this will generally degrade compression (there's no free lunch).\n\n The memory requirements for inflate are (in bytes) 1 << windowBits\n that is, 32K for windowBits=15 (default value) plus about 7 kilobytes\n for small objects.\n*/\n\n /* Type declarations */\n\n#ifndef OF /* function prototypes */\n# ifdef STDC\n# define OF(args) args\n# else\n# define OF(args) ()\n# endif\n#endif\n\n#ifndef Z_ARG /* function prototypes for stdarg */\n# if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# define Z_ARG(args) args\n# else\n# define Z_ARG(args) ()\n# endif\n#endif\n\n/* The following definitions for FAR are needed only for MSDOS mixed\n * model programming (small or medium model with some far allocations).\n * This was tested only with MSC; for other MSDOS compilers you may have\n * to define NO_MEMCPY in zutil.h. If you don't need the mixed model,\n * just define FAR to be empty.\n */\n#ifdef SYS16BIT\n# if defined(M_I86SM) || defined(M_I86MM)\n /* MSC small or medium model */\n# define SMALL_MEDIUM\n# ifdef _MSC_VER\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n# if (defined(__SMALL__) || defined(__MEDIUM__))\n /* Turbo C small or medium model */\n# define SMALL_MEDIUM\n# ifdef __BORLANDC__\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n#endif\n\n#if defined(WINDOWS) || defined(WIN32)\n /* If building or using zlib as a DLL, define ZLIB_DLL.\n * This is not mandatory, but it offers a little performance increase.\n */\n# ifdef ZLIB_DLL\n# if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))\n# ifdef ZLIB_INTERNAL\n# define ZEXTERN extern __declspec(dllexport)\n# else\n# define ZEXTERN extern __declspec(dllimport)\n# endif\n# endif\n# endif /* ZLIB_DLL */\n /* If building or using zlib with the WINAPI/WINAPIV calling convention,\n * define ZLIB_WINAPI.\n * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.\n */\n# ifdef ZLIB_WINAPI\n# ifdef FAR\n# undef FAR\n# endif\n# ifndef WIN32_LEAN_AND_MEAN\n# define WIN32_LEAN_AND_MEAN\n# endif\n# include \n /* No need for _export, use ZLIB.DEF instead. */\n /* For complete Windows compatibility, use WINAPI, not __stdcall. */\n# define ZEXPORT WINAPI\n# ifdef WIN32\n# define ZEXPORTVA WINAPIV\n# else\n# define ZEXPORTVA FAR CDECL\n# endif\n# endif\n#endif\n\n#if defined (__BEOS__)\n# ifdef ZLIB_DLL\n# ifdef ZLIB_INTERNAL\n# define ZEXPORT __declspec(dllexport)\n# define ZEXPORTVA __declspec(dllexport)\n# else\n# define ZEXPORT __declspec(dllimport)\n# define ZEXPORTVA __declspec(dllimport)\n# endif\n# endif\n#endif\n\n#ifndef ZEXTERN\n# define ZEXTERN extern\n#endif\n#ifndef ZEXPORT\n# define ZEXPORT\n#endif\n#ifndef ZEXPORTVA\n# define ZEXPORTVA\n#endif\n\n#ifndef FAR\n# define FAR\n#endif\n\n#if !defined(__MACTYPES__)\ntypedef unsigned char Byte; /* 8 bits */\n#endif\ntypedef unsigned int uInt; /* 16 bits or more */\ntypedef unsigned long uLong; /* 32 bits or more */\n\n#ifdef SMALL_MEDIUM\n /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */\n# define Bytef Byte FAR\n#else\n typedef Byte FAR Bytef;\n#endif\ntypedef char FAR charf;\ntypedef int FAR intf;\ntypedef uInt FAR uIntf;\ntypedef uLong FAR uLongf;\n\n#ifdef STDC\n typedef void const *voidpc;\n typedef void FAR *voidpf;\n typedef void *voidp;\n#else\n typedef Byte const *voidpc;\n typedef Byte FAR *voidpf;\n typedef Byte *voidp;\n#endif\n\n#if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC)\n# include \n# if (UINT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned\n# elif (ULONG_MAX == 0xffffffffUL)\n# define Z_U4 unsigned long\n# elif (USHRT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned short\n# endif\n#endif\n\n#ifdef Z_U4\n typedef Z_U4 z_crc_t;\n#else\n typedef unsigned long z_crc_t;\n#endif\n\n#ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_UNISTD_H\n#endif\n\n#ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_STDARG_H\n#endif\n\n#ifdef STDC\n# ifndef Z_SOLO\n# include /* for off_t */\n# endif\n#endif\n\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# ifndef Z_SOLO\n# include /* for va_list */\n# endif\n#endif\n\n#ifdef _WIN32\n# ifndef Z_SOLO\n# include /* for wchar_t */\n# endif\n#endif\n\n/* a little trick to accommodate both \"#define _LARGEFILE64_SOURCE\" and\n * \"#define _LARGEFILE64_SOURCE 1\" as requesting 64-bit operations, (even\n * though the former does not conform to the LFS document), but considering\n * both \"#undef _LARGEFILE64_SOURCE\" and \"#define _LARGEFILE64_SOURCE 0\" as\n * equivalently requesting no 64-bit operations\n */\n#if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1\n# undef _LARGEFILE64_SOURCE\n#endif\n\n#ifndef Z_HAVE_UNISTD_H\n# ifdef __WATCOMC__\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_HAVE_UNISTD_H\n# if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32)\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_SOLO\n# if defined(Z_HAVE_UNISTD_H)\n# include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */\n# ifdef VMS\n# include /* for off_t */\n# endif\n# ifndef z_off_t\n# define z_off_t off_t\n# endif\n# endif\n#endif\n\n#if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0\n# define Z_LFS64\n#endif\n\n#if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64)\n# define Z_LARGE64\n#endif\n\n#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64)\n# define Z_WANT64\n#endif\n\n#if !defined(SEEK_SET) && !defined(Z_SOLO)\n# define SEEK_SET 0 /* Seek from beginning of file. */\n# define SEEK_CUR 1 /* Seek from current position. */\n# define SEEK_END 2 /* Set file pointer to EOF plus \"offset\" */\n#endif\n\n#ifndef z_off_t\n# define z_off_t long\n#endif\n\n#if !defined(_WIN32) && defined(Z_LARGE64)\n# define z_off64_t off64_t\n#else\n# if defined(_WIN32) && !defined(__GNUC__)\n# define z_off64_t __int64\n# else\n# define z_off64_t z_off_t\n# endif\n#endif\n\n/* MVS linker does not support external names larger than 8 bytes */\n#if defined(__MVS__)\n #pragma map(deflateInit_,\"DEIN\")\n #pragma map(deflateInit2_,\"DEIN2\")\n #pragma map(deflateEnd,\"DEEND\")\n #pragma map(deflateBound,\"DEBND\")\n #pragma map(inflateInit_,\"ININ\")\n #pragma map(inflateInit2_,\"ININ2\")\n #pragma map(inflateEnd,\"INEND\")\n #pragma map(inflateSync,\"INSY\")\n #pragma map(inflateSetDictionary,\"INSEDI\")\n #pragma map(compressBound,\"CMBND\")\n #pragma map(inflate_table,\"INTABL\")\n #pragma map(inflate_fast,\"INFA\")\n #pragma map(inflate_copyright,\"INCOPY\")\n#endif\n\n#endif /* ZCONF_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zconf.h.in", "content": "/* zconf.h -- configuration of the zlib compression library\n * Copyright (C) 1995-2016 Jean-loup Gailly, Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#ifndef ZCONF_H\n#define ZCONF_H\n\n/*\n * If you *really* need a unique prefix for all types and library functions,\n * compile with -DZ_PREFIX. The \"standard\" zlib should be compiled without it.\n * Even better than compiling with -DZ_PREFIX would be to use configure to set\n * this permanently in zconf.h using \"./configure --zprefix\".\n */\n#ifdef Z_PREFIX /* may be set to #if 1 by ./configure */\n# define Z_PREFIX_SET\n\n/* all linked symbols and init macros */\n# define _dist_code z__dist_code\n# define _length_code z__length_code\n# define _tr_align z__tr_align\n# define _tr_flush_bits z__tr_flush_bits\n# define _tr_flush_block z__tr_flush_block\n# define _tr_init z__tr_init\n# define _tr_stored_block z__tr_stored_block\n# define _tr_tally z__tr_tally\n# define adler32 z_adler32\n# define adler32_combine z_adler32_combine\n# define adler32_combine64 z_adler32_combine64\n# define adler32_z z_adler32_z\n# ifndef Z_SOLO\n# define compress z_compress\n# define compress2 z_compress2\n# define compressBound z_compressBound\n# endif\n# define crc32 z_crc32\n# define crc32_combine z_crc32_combine\n# define crc32_combine64 z_crc32_combine64\n# define crc32_combine_gen z_crc32_combine_gen\n# define crc32_combine_gen64 z_crc32_combine_gen64\n# define crc32_combine_op z_crc32_combine_op\n# define crc32_z z_crc32_z\n# define deflate z_deflate\n# define deflateBound z_deflateBound\n# define deflateCopy z_deflateCopy\n# define deflateEnd z_deflateEnd\n# define deflateGetDictionary z_deflateGetDictionary\n# define deflateInit z_deflateInit\n# define deflateInit2 z_deflateInit2\n# define deflateInit2_ z_deflateInit2_\n# define deflateInit_ z_deflateInit_\n# define deflateParams z_deflateParams\n# define deflatePending z_deflatePending\n# define deflatePrime z_deflatePrime\n# define deflateReset z_deflateReset\n# define deflateResetKeep z_deflateResetKeep\n# define deflateSetDictionary z_deflateSetDictionary\n# define deflateSetHeader z_deflateSetHeader\n# define deflateTune z_deflateTune\n# define deflate_copyright z_deflate_copyright\n# define get_crc_table z_get_crc_table\n# ifndef Z_SOLO\n# define gz_error z_gz_error\n# define gz_intmax z_gz_intmax\n# define gz_strwinerror z_gz_strwinerror\n# define gzbuffer z_gzbuffer\n# define gzclearerr z_gzclearerr\n# define gzclose z_gzclose\n# define gzclose_r z_gzclose_r\n# define gzclose_w z_gzclose_w\n# define gzdirect z_gzdirect\n# define gzdopen z_gzdopen\n# define gzeof z_gzeof\n# define gzerror z_gzerror\n# define gzflush z_gzflush\n# define gzfread z_gzfread\n# define gzfwrite z_gzfwrite\n# define gzgetc z_gzgetc\n# define gzgetc_ z_gzgetc_\n# define gzgets z_gzgets\n# define gzoffset z_gzoffset\n# define gzoffset64 z_gzoffset64\n# define gzopen z_gzopen\n# define gzopen64 z_gzopen64\n# ifdef _WIN32\n# define gzopen_w z_gzopen_w\n# endif\n# define gzprintf z_gzprintf\n# define gzputc z_gzputc\n# define gzputs z_gzputs\n# define gzread z_gzread\n# define gzrewind z_gzrewind\n# define gzseek z_gzseek\n# define gzseek64 z_gzseek64\n# define gzsetparams z_gzsetparams\n# define gztell z_gztell\n# define gztell64 z_gztell64\n# define gzungetc z_gzungetc\n# define gzvprintf z_gzvprintf\n# define gzwrite z_gzwrite\n# endif\n# define inflate z_inflate\n# define inflateBack z_inflateBack\n# define inflateBackEnd z_inflateBackEnd\n# define inflateBackInit z_inflateBackInit\n# define inflateBackInit_ z_inflateBackInit_\n# define inflateCodesUsed z_inflateCodesUsed\n# define inflateCopy z_inflateCopy\n# define inflateEnd z_inflateEnd\n# define inflateGetDictionary z_inflateGetDictionary\n# define inflateGetHeader z_inflateGetHeader\n# define inflateInit z_inflateInit\n# define inflateInit2 z_inflateInit2\n# define inflateInit2_ z_inflateInit2_\n# define inflateInit_ z_inflateInit_\n# define inflateMark z_inflateMark\n# define inflatePrime z_inflatePrime\n# define inflateReset z_inflateReset\n# define inflateReset2 z_inflateReset2\n# define inflateResetKeep z_inflateResetKeep\n# define inflateSetDictionary z_inflateSetDictionary\n# define inflateSync z_inflateSync\n# define inflateSyncPoint z_inflateSyncPoint\n# define inflateUndermine z_inflateUndermine\n# define inflateValidate z_inflateValidate\n# define inflate_copyright z_inflate_copyright\n# define inflate_fast z_inflate_fast\n# define inflate_table z_inflate_table\n# ifndef Z_SOLO\n# define uncompress z_uncompress\n# define uncompress2 z_uncompress2\n# endif\n# define zError z_zError\n# ifndef Z_SOLO\n# define zcalloc z_zcalloc\n# define zcfree z_zcfree\n# endif\n# define zlibCompileFlags z_zlibCompileFlags\n# define zlibVersion z_zlibVersion\n\n/* all zlib typedefs in zlib.h and zconf.h */\n# define Byte z_Byte\n# define Bytef z_Bytef\n# define alloc_func z_alloc_func\n# define charf z_charf\n# define free_func z_free_func\n# ifndef Z_SOLO\n# define gzFile z_gzFile\n# endif\n# define gz_header z_gz_header\n# define gz_headerp z_gz_headerp\n# define in_func z_in_func\n# define intf z_intf\n# define out_func z_out_func\n# define uInt z_uInt\n# define uIntf z_uIntf\n# define uLong z_uLong\n# define uLongf z_uLongf\n# define voidp z_voidp\n# define voidpc z_voidpc\n# define voidpf z_voidpf\n\n/* all zlib structs in zlib.h and zconf.h */\n# define gz_header_s z_gz_header_s\n# define internal_state z_internal_state\n\n#endif\n\n#if defined(__MSDOS__) && !defined(MSDOS)\n# define MSDOS\n#endif\n#if (defined(OS_2) || defined(__OS2__)) && !defined(OS2)\n# define OS2\n#endif\n#if defined(_WINDOWS) && !defined(WINDOWS)\n# define WINDOWS\n#endif\n#if defined(_WIN32) || defined(_WIN32_WCE) || defined(__WIN32__)\n# ifndef WIN32\n# define WIN32\n# endif\n#endif\n#if (defined(MSDOS) || defined(OS2) || defined(WINDOWS)) && !defined(WIN32)\n# if !defined(__GNUC__) && !defined(__FLAT__) && !defined(__386__)\n# ifndef SYS16BIT\n# define SYS16BIT\n# endif\n# endif\n#endif\n\n/*\n * Compile with -DMAXSEG_64K if the alloc function cannot allocate more\n * than 64k bytes at a time (needed on systems with 16-bit int).\n */\n#ifdef SYS16BIT\n# define MAXSEG_64K\n#endif\n#ifdef MSDOS\n# define UNALIGNED_OK\n#endif\n\n#ifdef __STDC_VERSION__\n# ifndef STDC\n# define STDC\n# endif\n# if __STDC_VERSION__ >= 199901L\n# ifndef STDC99\n# define STDC99\n# endif\n# endif\n#endif\n#if !defined(STDC) && (defined(__STDC__) || defined(__cplusplus))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(__GNUC__) || defined(__BORLANDC__))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(MSDOS) || defined(WINDOWS) || defined(WIN32))\n# define STDC\n#endif\n#if !defined(STDC) && (defined(OS2) || defined(__HOS_AIX__))\n# define STDC\n#endif\n\n#if defined(__OS400__) && !defined(STDC) /* iSeries (formerly AS/400). */\n# define STDC\n#endif\n\n#ifndef STDC\n# ifndef const /* cannot use !defined(STDC) && !defined(const) on Mac */\n# define const /* note: need a more gentle solution here */\n# endif\n#endif\n\n#if defined(ZLIB_CONST) && !defined(z_const)\n# define z_const const\n#else\n# define z_const\n#endif\n\n#ifdef Z_SOLO\n# ifdef _WIN64\n typedef unsigned long long z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n#else\n# define z_longlong long long\n# if defined(NO_SIZE_T)\n typedef unsigned NO_SIZE_T z_size_t;\n# elif defined(STDC)\n# include \n typedef size_t z_size_t;\n# else\n typedef unsigned long z_size_t;\n# endif\n# undef z_longlong\n#endif\n\n/* Maximum value for memLevel in deflateInit2 */\n#ifndef MAX_MEM_LEVEL\n# ifdef MAXSEG_64K\n# define MAX_MEM_LEVEL 8\n# else\n# define MAX_MEM_LEVEL 9\n# endif\n#endif\n\n/* Maximum value for windowBits in deflateInit2 and inflateInit2.\n * WARNING: reducing MAX_WBITS makes minigzip unable to extract .gz files\n * created by gzip. (Files created by minigzip can still be extracted by\n * gzip.)\n */\n#ifndef MAX_WBITS\n# define MAX_WBITS 15 /* 32K LZ77 window */\n#endif\n\n/* The memory requirements for deflate are (in bytes):\n (1 << (windowBits+2)) + (1 << (memLevel+9))\n that is: 128K for windowBits=15 + 128K for memLevel = 8 (default values)\n plus a few kilobytes for small objects. For example, if you want to reduce\n the default memory requirements from 256K to 128K, compile with\n make CFLAGS=\"-O -DMAX_WBITS=14 -DMAX_MEM_LEVEL=7\"\n Of course this will generally degrade compression (there's no free lunch).\n\n The memory requirements for inflate are (in bytes) 1 << windowBits\n that is, 32K for windowBits=15 (default value) plus about 7 kilobytes\n for small objects.\n*/\n\n /* Type declarations */\n\n#ifndef OF /* function prototypes */\n# ifdef STDC\n# define OF(args) args\n# else\n# define OF(args) ()\n# endif\n#endif\n\n#ifndef Z_ARG /* function prototypes for stdarg */\n# if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# define Z_ARG(args) args\n# else\n# define Z_ARG(args) ()\n# endif\n#endif\n\n/* The following definitions for FAR are needed only for MSDOS mixed\n * model programming (small or medium model with some far allocations).\n * This was tested only with MSC; for other MSDOS compilers you may have\n * to define NO_MEMCPY in zutil.h. If you don't need the mixed model,\n * just define FAR to be empty.\n */\n#ifdef SYS16BIT\n# if defined(M_I86SM) || defined(M_I86MM)\n /* MSC small or medium model */\n# define SMALL_MEDIUM\n# ifdef _MSC_VER\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n# if (defined(__SMALL__) || defined(__MEDIUM__))\n /* Turbo C small or medium model */\n# define SMALL_MEDIUM\n# ifdef __BORLANDC__\n# define FAR _far\n# else\n# define FAR far\n# endif\n# endif\n#endif\n\n#if defined(WINDOWS) || defined(WIN32)\n /* If building or using zlib as a DLL, define ZLIB_DLL.\n * This is not mandatory, but it offers a little performance increase.\n */\n# ifdef ZLIB_DLL\n# if defined(WIN32) && (!defined(__BORLANDC__) || (__BORLANDC__ >= 0x500))\n# ifdef ZLIB_INTERNAL\n# define ZEXTERN extern __declspec(dllexport)\n# else\n# define ZEXTERN extern __declspec(dllimport)\n# endif\n# endif\n# endif /* ZLIB_DLL */\n /* If building or using zlib with the WINAPI/WINAPIV calling convention,\n * define ZLIB_WINAPI.\n * Caution: the standard ZLIB1.DLL is NOT compiled using ZLIB_WINAPI.\n */\n# ifdef ZLIB_WINAPI\n# ifdef FAR\n# undef FAR\n# endif\n# ifndef WIN32_LEAN_AND_MEAN\n# define WIN32_LEAN_AND_MEAN\n# endif\n# include \n /* No need for _export, use ZLIB.DEF instead. */\n /* For complete Windows compatibility, use WINAPI, not __stdcall. */\n# define ZEXPORT WINAPI\n# ifdef WIN32\n# define ZEXPORTVA WINAPIV\n# else\n# define ZEXPORTVA FAR CDECL\n# endif\n# endif\n#endif\n\n#if defined (__BEOS__)\n# ifdef ZLIB_DLL\n# ifdef ZLIB_INTERNAL\n# define ZEXPORT __declspec(dllexport)\n# define ZEXPORTVA __declspec(dllexport)\n# else\n# define ZEXPORT __declspec(dllimport)\n# define ZEXPORTVA __declspec(dllimport)\n# endif\n# endif\n#endif\n\n#ifndef ZEXTERN\n# define ZEXTERN extern\n#endif\n#ifndef ZEXPORT\n# define ZEXPORT\n#endif\n#ifndef ZEXPORTVA\n# define ZEXPORTVA\n#endif\n\n#ifndef FAR\n# define FAR\n#endif\n\n#if !defined(__MACTYPES__)\ntypedef unsigned char Byte; /* 8 bits */\n#endif\ntypedef unsigned int uInt; /* 16 bits or more */\ntypedef unsigned long uLong; /* 32 bits or more */\n\n#ifdef SMALL_MEDIUM\n /* Borland C/C++ and some old MSC versions ignore FAR inside typedef */\n# define Bytef Byte FAR\n#else\n typedef Byte FAR Bytef;\n#endif\ntypedef char FAR charf;\ntypedef int FAR intf;\ntypedef uInt FAR uIntf;\ntypedef uLong FAR uLongf;\n\n#ifdef STDC\n typedef void const *voidpc;\n typedef void FAR *voidpf;\n typedef void *voidp;\n#else\n typedef Byte const *voidpc;\n typedef Byte FAR *voidpf;\n typedef Byte *voidp;\n#endif\n\n#if !defined(Z_U4) && !defined(Z_SOLO) && defined(STDC)\n# include \n# if (UINT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned\n# elif (ULONG_MAX == 0xffffffffUL)\n# define Z_U4 unsigned long\n# elif (USHRT_MAX == 0xffffffffUL)\n# define Z_U4 unsigned short\n# endif\n#endif\n\n#ifdef Z_U4\n typedef Z_U4 z_crc_t;\n#else\n typedef unsigned long z_crc_t;\n#endif\n\n#ifdef HAVE_UNISTD_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_UNISTD_H\n#endif\n\n#ifdef HAVE_STDARG_H /* may be set to #if 1 by ./configure */\n# define Z_HAVE_STDARG_H\n#endif\n\n#ifdef STDC\n# ifndef Z_SOLO\n# include /* for off_t */\n# endif\n#endif\n\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# ifndef Z_SOLO\n# include /* for va_list */\n# endif\n#endif\n\n#ifdef _WIN32\n# ifndef Z_SOLO\n# include /* for wchar_t */\n# endif\n#endif\n\n/* a little trick to accommodate both \"#define _LARGEFILE64_SOURCE\" and\n * \"#define _LARGEFILE64_SOURCE 1\" as requesting 64-bit operations, (even\n * though the former does not conform to the LFS document), but considering\n * both \"#undef _LARGEFILE64_SOURCE\" and \"#define _LARGEFILE64_SOURCE 0\" as\n * equivalently requesting no 64-bit operations\n */\n#if defined(_LARGEFILE64_SOURCE) && -_LARGEFILE64_SOURCE - -1 == 1\n# undef _LARGEFILE64_SOURCE\n#endif\n\n#ifndef Z_HAVE_UNISTD_H\n# ifdef __WATCOMC__\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_HAVE_UNISTD_H\n# if defined(_LARGEFILE64_SOURCE) && !defined(_WIN32)\n# define Z_HAVE_UNISTD_H\n# endif\n#endif\n#ifndef Z_SOLO\n# if defined(Z_HAVE_UNISTD_H)\n# include /* for SEEK_*, off_t, and _LFS64_LARGEFILE */\n# ifdef VMS\n# include /* for off_t */\n# endif\n# ifndef z_off_t\n# define z_off_t off_t\n# endif\n# endif\n#endif\n\n#if defined(_LFS64_LARGEFILE) && _LFS64_LARGEFILE-0\n# define Z_LFS64\n#endif\n\n#if defined(_LARGEFILE64_SOURCE) && defined(Z_LFS64)\n# define Z_LARGE64\n#endif\n\n#if defined(_FILE_OFFSET_BITS) && _FILE_OFFSET_BITS-0 == 64 && defined(Z_LFS64)\n# define Z_WANT64\n#endif\n\n#if !defined(SEEK_SET) && !defined(Z_SOLO)\n# define SEEK_SET 0 /* Seek from beginning of file. */\n# define SEEK_CUR 1 /* Seek from current position. */\n# define SEEK_END 2 /* Set file pointer to EOF plus \"offset\" */\n#endif\n\n#ifndef z_off_t\n# define z_off_t long\n#endif\n\n#if !defined(_WIN32) && defined(Z_LARGE64)\n# define z_off64_t off64_t\n#else\n# if defined(_WIN32) && !defined(__GNUC__)\n# define z_off64_t __int64\n# else\n# define z_off64_t z_off_t\n# endif\n#endif\n\n/* MVS linker does not support external names larger than 8 bytes */\n#if defined(__MVS__)\n #pragma map(deflateInit_,\"DEIN\")\n #pragma map(deflateInit2_,\"DEIN2\")\n #pragma map(deflateEnd,\"DEEND\")\n #pragma map(deflateBound,\"DEBND\")\n #pragma map(inflateInit_,\"ININ\")\n #pragma map(inflateInit2_,\"ININ2\")\n #pragma map(inflateEnd,\"INEND\")\n #pragma map(inflateSync,\"INSY\")\n #pragma map(inflateSetDictionary,\"INSEDI\")\n #pragma map(compressBound,\"CMBND\")\n #pragma map(inflate_table,\"INTABL\")\n #pragma map(inflate_fast,\"INFA\")\n #pragma map(inflate_copyright,\"INCOPY\")\n#endif\n\n#endif /* ZCONF_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.3", "content": ".TH ZLIB 3 \"18 Aug 2023\"\n.SH NAME\nzlib \\- compression/decompression library\n.SH SYNOPSIS\n[see\n.I zlib.h\nfor full description]\n.SH DESCRIPTION\nThe\n.I zlib\nlibrary is a general purpose data compression library.\nThe code is thread safe, assuming that the standard library functions\nused are thread safe, such as memory allocation routines.\nIt provides in-memory compression and decompression functions,\nincluding integrity checks of the uncompressed data.\nThis version of the library supports only one compression method (deflation)\nbut other algorithms may be added later\nwith the same stream interface.\n.LP\nCompression can be done in a single step if the buffers are large enough\nor can be done by repeated calls of the compression function.\nIn the latter case,\nthe application must provide more input and/or consume the output\n(providing more output space) before each call.\n.LP\nThe library also supports reading and writing files in\n.IR gzip (1)\n(.gz) format\nwith an interface similar to that of stdio.\n.LP\nThe library does not install any signal handler.\nThe decoder checks the consistency of the compressed data,\nso the library should never crash even in the case of corrupted input.\n.LP\nAll functions of the compression library are documented in the file\n.IR zlib.h .\nThe distribution source includes examples of use of the library\nin the files\n.I test/example.c\nand\n.IR test/minigzip.c,\nas well as other examples in the\n.IR examples/\ndirectory.\n.LP\nChanges to this version are documented in the file\n.I ChangeLog\nthat accompanies the source.\n.LP\n.I zlib\nis built in to many languages and operating systems, including but not limited to\nJava, Python, .NET, PHP, Perl, Ruby, Swift, and Go.\n.LP\nAn experimental package to read and write files in the .zip format,\nwritten on top of\n.I zlib\nby Gilles Vollant (info@winimage.com),\nis available at:\n.IP\nhttp://www.winimage.com/zLibDll/minizip.html\nand also in the\n.I contrib/minizip\ndirectory of the main\n.I zlib\nsource distribution.\n.SH \"SEE ALSO\"\nThe\n.I zlib\nweb site can be found at:\n.IP\nhttp://zlib.net/\n.LP\nThe data format used by the\n.I zlib\nlibrary is described by RFC\n(Request for Comments) 1950 to 1952 in the files:\n.IP\nhttp://tools.ietf.org/html/rfc1950 (for the zlib header and trailer format)\n.br\nhttp://tools.ietf.org/html/rfc1951 (for the deflate compressed data format)\n.br\nhttp://tools.ietf.org/html/rfc1952 (for the gzip header and trailer format)\n.LP\nMark Nelson wrote an article about\n.I zlib\nfor the Jan. 1997 issue of Dr. Dobb's Journal;\na copy of the article is available at:\n.IP\nhttp://marknelson.us/1997/01/01/zlib-engine/\n.SH \"REPORTING PROBLEMS\"\nBefore reporting a problem,\nplease check the\n.I zlib\nweb site to verify that you have the latest version of\n.IR zlib ;\notherwise,\nobtain the latest version and see if the problem still exists.\nPlease read the\n.I zlib\nFAQ at:\n.IP\nhttp://zlib.net/zlib_faq.html\n.LP\nbefore asking for help.\nSend questions and/or comments to zlib@gzip.org,\nor (for the Windows DLL version) to Gilles Vollant (info@winimage.com).\n.SH AUTHORS AND LICENSE\nVersion 1.3\n.LP\nCopyright (C) 1995-2023 Jean-loup Gailly and Mark Adler\n.LP\nThis software is provided 'as-is', without any express or implied\nwarranty. In no event will the authors be held liable for any damages\narising from the use of this software.\n.LP\nPermission is granted to anyone to use this software for any purpose,\nincluding commercial applications, and to alter it and redistribute it\nfreely, subject to the following restrictions:\n.LP\n.nr step 1 1\n.IP \\n[step]. 3\nThe origin of this software must not be misrepresented; you must not\nclaim that you wrote the original software. If you use this software\nin a product, an acknowledgment in the product documentation would be\nappreciated but is not required.\n.IP \\n+[step].\nAltered source versions must be plainly marked as such, and must not be\nmisrepresented as being the original software.\n.IP \\n+[step].\nThis notice may not be removed or altered from any source distribution.\n.LP\nJean-loup Gailly Mark Adler\n.br\njloup@gzip.org madler@alumni.caltech.edu\n.LP\nThe deflate format used by\n.I zlib\nwas defined by Phil Katz.\nThe deflate and\n.I zlib\nspecifications were written by L. Peter Deutsch.\nThanks to all the people who reported problems and suggested various\nimprovements in\n.IR zlib ;\nwho are too numerous to cite here.\n.LP\nUNIX manual page by R. P. C. Rodgers,\nU.S. National Library of Medicine (rodgers@nlm.nih.gov).\n.\\\" end of man page\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.h", "content": "/* zlib.h -- interface of the 'zlib' general purpose compression library\n version 1.3, August 18th, 2023\n\n Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler\n\n This software is provided 'as-is', without any express or implied\n warranty. In no event will the authors be held liable for any damages\n arising from the use of this software.\n\n Permission is granted to anyone to use this software for any purpose,\n including commercial applications, and to alter it and redistribute it\n freely, subject to the following restrictions:\n\n 1. The origin of this software must not be misrepresented; you must not\n claim that you wrote the original software. If you use this software\n in a product, an acknowledgment in the product documentation would be\n appreciated but is not required.\n 2. Altered source versions must be plainly marked as such, and must not be\n misrepresented as being the original software.\n 3. This notice may not be removed or altered from any source distribution.\n\n Jean-loup Gailly Mark Adler\n jloup@gzip.org madler@alumni.caltech.edu\n\n\n The data format used by the zlib library is described by RFCs (Request for\n Comments) 1950 to 1952 in the files http://tools.ietf.org/html/rfc1950\n (zlib format), rfc1951 (deflate format) and rfc1952 (gzip format).\n*/\n\n#ifndef ZLIB_H\n#define ZLIB_H\n\n#include \"zconf.h\"\n\n#ifdef __cplusplus\nextern \"C\" {\n#endif\n\n#define ZLIB_VERSION \"1.3\"\n#define ZLIB_VERNUM 0x1300\n#define ZLIB_VER_MAJOR 1\n#define ZLIB_VER_MINOR 3\n#define ZLIB_VER_REVISION 0\n#define ZLIB_VER_SUBREVISION 0\n\n/*\n The 'zlib' compression library provides in-memory compression and\n decompression functions, including integrity checks of the uncompressed data.\n This version of the library supports only one compression method (deflation)\n but other algorithms will be added later and will have the same stream\n interface.\n\n Compression can be done in a single step if the buffers are large enough,\n or can be done by repeated calls of the compression function. In the latter\n case, the application must provide more input and/or consume the output\n (providing more output space) before each call.\n\n The compressed data format used by default by the in-memory functions is\n the zlib format, which is a zlib wrapper documented in RFC 1950, wrapped\n around a deflate stream, which is itself documented in RFC 1951.\n\n The library also supports reading and writing files in gzip (.gz) format\n with an interface similar to that of stdio using the functions that start\n with \"gz\". The gzip format is different from the zlib format. gzip is a\n gzip wrapper, documented in RFC 1952, wrapped around a deflate stream.\n\n This library can optionally read and write gzip and raw deflate streams in\n memory as well.\n\n The zlib format was designed to be compact and fast for use in memory\n and on communications channels. The gzip format was designed for single-\n file compression on file systems, has a larger header than zlib to maintain\n directory information, and uses a different, slower check method than zlib.\n\n The library does not install any signal handler. The decoder checks\n the consistency of the compressed data, so the library should never crash\n even in the case of corrupted input.\n*/\n\ntypedef voidpf (*alloc_func)(voidpf opaque, uInt items, uInt size);\ntypedef void (*free_func)(voidpf opaque, voidpf address);\n\nstruct internal_state;\n\ntypedef struct z_stream_s {\n z_const Bytef *next_in; /* next input byte */\n uInt avail_in; /* number of bytes available at next_in */\n uLong total_in; /* total number of input bytes read so far */\n\n Bytef *next_out; /* next output byte will go here */\n uInt avail_out; /* remaining free space at next_out */\n uLong total_out; /* total number of bytes output so far */\n\n z_const char *msg; /* last error message, NULL if no error */\n struct internal_state FAR *state; /* not visible by applications */\n\n alloc_func zalloc; /* used to allocate the internal state */\n free_func zfree; /* used to free the internal state */\n voidpf opaque; /* private data object passed to zalloc and zfree */\n\n int data_type; /* best guess about the data type: binary or text\n for deflate, or the decoding state for inflate */\n uLong adler; /* Adler-32 or CRC-32 value of the uncompressed data */\n uLong reserved; /* reserved for future use */\n} z_stream;\n\ntypedef z_stream FAR *z_streamp;\n\n/*\n gzip header information passed to and from zlib routines. See RFC 1952\n for more details on the meanings of these fields.\n*/\ntypedef struct gz_header_s {\n int text; /* true if compressed data believed to be text */\n uLong time; /* modification time */\n int xflags; /* extra flags (not used when writing a gzip file) */\n int os; /* operating system */\n Bytef *extra; /* pointer to extra field or Z_NULL if none */\n uInt extra_len; /* extra field length (valid if extra != Z_NULL) */\n uInt extra_max; /* space at extra (only when reading header) */\n Bytef *name; /* pointer to zero-terminated file name or Z_NULL */\n uInt name_max; /* space at name (only when reading header) */\n Bytef *comment; /* pointer to zero-terminated comment or Z_NULL */\n uInt comm_max; /* space at comment (only when reading header) */\n int hcrc; /* true if there was or will be a header crc */\n int done; /* true when done reading gzip header (not used\n when writing a gzip file) */\n} gz_header;\n\ntypedef gz_header FAR *gz_headerp;\n\n/*\n The application must update next_in and avail_in when avail_in has dropped\n to zero. It must update next_out and avail_out when avail_out has dropped\n to zero. The application must initialize zalloc, zfree and opaque before\n calling the init function. All other fields are set by the compression\n library and must not be updated by the application.\n\n The opaque value provided by the application will be passed as the first\n parameter for calls of zalloc and zfree. This can be useful for custom\n memory management. The compression library attaches no meaning to the\n opaque value.\n\n zalloc must return Z_NULL if there is not enough memory for the object.\n If zlib is used in a multi-threaded application, zalloc and zfree must be\n thread safe. In that case, zlib is thread-safe. When zalloc and zfree are\n Z_NULL on entry to the initialization function, they are set to internal\n routines that use the standard library functions malloc() and free().\n\n On 16-bit systems, the functions zalloc and zfree must be able to allocate\n exactly 65536 bytes, but will not be required to allocate more than this if\n the symbol MAXSEG_64K is defined (see zconf.h). WARNING: On MSDOS, pointers\n returned by zalloc for objects of exactly 65536 bytes *must* have their\n offset normalized to zero. The default allocation function provided by this\n library ensures this (see zutil.c). To reduce memory requirements and avoid\n any allocation of 64K objects, at the expense of compression ratio, compile\n the library with -DMAX_WBITS=14 (see zconf.h).\n\n The fields total_in and total_out can be used for statistics or progress\n reports. After compression, total_in holds the total size of the\n uncompressed data and may be saved for use by the decompressor (particularly\n if the decompressor wants to decompress everything in a single step).\n*/\n\n /* constants */\n\n#define Z_NO_FLUSH 0\n#define Z_PARTIAL_FLUSH 1\n#define Z_SYNC_FLUSH 2\n#define Z_FULL_FLUSH 3\n#define Z_FINISH 4\n#define Z_BLOCK 5\n#define Z_TREES 6\n/* Allowed flush values; see deflate() and inflate() below for details */\n\n#define Z_OK 0\n#define Z_STREAM_END 1\n#define Z_NEED_DICT 2\n#define Z_ERRNO (-1)\n#define Z_STREAM_ERROR (-2)\n#define Z_DATA_ERROR (-3)\n#define Z_MEM_ERROR (-4)\n#define Z_BUF_ERROR (-5)\n#define Z_VERSION_ERROR (-6)\n/* Return codes for the compression/decompression functions. Negative values\n * are errors, positive values are used for special but normal events.\n */\n\n#define Z_NO_COMPRESSION 0\n#define Z_BEST_SPEED 1\n#define Z_BEST_COMPRESSION 9\n#define Z_DEFAULT_COMPRESSION (-1)\n/* compression levels */\n\n#define Z_FILTERED 1\n#define Z_HUFFMAN_ONLY 2\n#define Z_RLE 3\n#define Z_FIXED 4\n#define Z_DEFAULT_STRATEGY 0\n/* compression strategy; see deflateInit2() below for details */\n\n#define Z_BINARY 0\n#define Z_TEXT 1\n#define Z_ASCII Z_TEXT /* for compatibility with 1.2.2 and earlier */\n#define Z_UNKNOWN 2\n/* Possible values of the data_type field for deflate() */\n\n#define Z_DEFLATED 8\n/* The deflate compression method (the only one supported in this version) */\n\n#define Z_NULL 0 /* for initializing zalloc, zfree, opaque */\n\n#define zlib_version zlibVersion()\n/* for compatibility with versions < 1.0.2 */\n\n\n /* basic functions */\n\nZEXTERN const char * ZEXPORT zlibVersion(void);\n/* The application can compare zlibVersion and ZLIB_VERSION for consistency.\n If the first character differs, the library code actually used is not\n compatible with the zlib.h header file used by the application. This check\n is automatically made by deflateInit and inflateInit.\n */\n\n/*\nZEXTERN int ZEXPORT deflateInit(z_streamp strm, int level);\n\n Initializes the internal stream state for compression. The fields\n zalloc, zfree and opaque must be initialized before by the caller. If\n zalloc and zfree are set to Z_NULL, deflateInit updates them to use default\n allocation functions. total_in, total_out, adler, and msg are initialized.\n\n The compression level must be Z_DEFAULT_COMPRESSION, or between 0 and 9:\n 1 gives best speed, 9 gives best compression, 0 gives no compression at all\n (the input data is simply copied a block at a time). Z_DEFAULT_COMPRESSION\n requests a default compromise between speed and compression (currently\n equivalent to level 6).\n\n deflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_STREAM_ERROR if level is not a valid compression level, or\n Z_VERSION_ERROR if the zlib library version (zlib_version) is incompatible\n with the version assumed by the caller (ZLIB_VERSION). msg is set to null\n if there is no error message. deflateInit does not perform any compression:\n this will be done by deflate().\n*/\n\n\nZEXTERN int ZEXPORT deflate(z_streamp strm, int flush);\n/*\n deflate compresses as much data as possible, and stops when the input\n buffer becomes empty or the output buffer becomes full. It may introduce\n some output latency (reading input without producing any output) except when\n forced to flush.\n\n The detailed semantics are as follows. deflate performs one or both of the\n following actions:\n\n - Compress more input starting at next_in and update next_in and avail_in\n accordingly. If not all input can be processed (because there is not\n enough room in the output buffer), next_in and avail_in are updated and\n processing will resume at this point for the next call of deflate().\n\n - Generate more output starting at next_out and update next_out and avail_out\n accordingly. This action is forced if the parameter flush is non zero.\n Forcing flush frequently degrades the compression ratio, so this parameter\n should be set only when necessary. Some output may be provided even if\n flush is zero.\n\n Before the call of deflate(), the application should ensure that at least\n one of the actions is possible, by providing more input and/or consuming more\n output, and updating avail_in or avail_out accordingly; avail_out should\n never be zero before the call. The application can consume the compressed\n output when it wants, for example when the output buffer is full (avail_out\n == 0), or after each call of deflate(). If deflate returns Z_OK and with\n zero avail_out, it must be called again after making room in the output\n buffer because there might be more output pending. See deflatePending(),\n which can be used if desired to determine whether or not there is more output\n in that case.\n\n Normally the parameter flush is set to Z_NO_FLUSH, which allows deflate to\n decide how much data to accumulate before producing output, in order to\n maximize compression.\n\n If the parameter flush is set to Z_SYNC_FLUSH, all pending output is\n flushed to the output buffer and the output is aligned on a byte boundary, so\n that the decompressor can get all input data available so far. (In\n particular avail_in is zero after the call if enough output space has been\n provided before the call.) Flushing may degrade compression for some\n compression algorithms and so it should be used only when necessary. This\n completes the current deflate block and follows it with an empty stored block\n that is three bits plus filler bits to the next byte, followed by four bytes\n (00 00 ff ff).\n\n If flush is set to Z_PARTIAL_FLUSH, all pending output is flushed to the\n output buffer, but the output is not aligned to a byte boundary. All of the\n input data so far will be available to the decompressor, as for Z_SYNC_FLUSH.\n This completes the current deflate block and follows it with an empty fixed\n codes block that is 10 bits long. This assures that enough bytes are output\n in order for the decompressor to finish the block before the empty fixed\n codes block.\n\n If flush is set to Z_BLOCK, a deflate block is completed and emitted, as\n for Z_SYNC_FLUSH, but the output is not aligned on a byte boundary, and up to\n seven bits of the current block are held to be written as the next byte after\n the next deflate block is completed. In this case, the decompressor may not\n be provided enough bits at this point in order to complete decompression of\n the data provided so far to the compressor. It may need to wait for the next\n block to be emitted. This is for advanced applications that need to control\n the emission of deflate blocks.\n\n If flush is set to Z_FULL_FLUSH, all output is flushed as with\n Z_SYNC_FLUSH, and the compression state is reset so that decompression can\n restart from this point if previous compressed data has been damaged or if\n random access is desired. Using Z_FULL_FLUSH too often can seriously degrade\n compression.\n\n If deflate returns with avail_out == 0, this function must be called again\n with the same value of the flush parameter and more output space (updated\n avail_out), until the flush is complete (deflate returns with non-zero\n avail_out). In the case of a Z_FULL_FLUSH or Z_SYNC_FLUSH, make sure that\n avail_out is greater than six when the flush marker begins, in order to avoid\n repeated flush markers upon calling deflate() again when avail_out == 0.\n\n If the parameter flush is set to Z_FINISH, pending input is processed,\n pending output is flushed and deflate returns with Z_STREAM_END if there was\n enough output space. If deflate returns with Z_OK or Z_BUF_ERROR, this\n function must be called again with Z_FINISH and more output space (updated\n avail_out) but no more input data, until it returns with Z_STREAM_END or an\n error. After deflate has returned Z_STREAM_END, the only possible operations\n on the stream are deflateReset or deflateEnd.\n\n Z_FINISH can be used in the first deflate call after deflateInit if all the\n compression is to be done in a single step. In order to complete in one\n call, avail_out must be at least the value returned by deflateBound (see\n below). Then deflate is guaranteed to return Z_STREAM_END. If not enough\n output space is provided, deflate will not return Z_STREAM_END, and it must\n be called again as described above.\n\n deflate() sets strm->adler to the Adler-32 checksum of all input read\n so far (that is, total_in bytes). If a gzip stream is being generated, then\n strm->adler will be the CRC-32 checksum of the input read so far. (See\n deflateInit2 below.)\n\n deflate() may update strm->data_type if it can make a good guess about\n the input data type (Z_BINARY or Z_TEXT). If in doubt, the data is\n considered binary. This field is only for information purposes and does not\n affect the compression algorithm in any manner.\n\n deflate() returns Z_OK if some progress has been made (more input\n processed or more output produced), Z_STREAM_END if all input has been\n consumed and all output has been produced (only when flush is set to\n Z_FINISH), Z_STREAM_ERROR if the stream state was inconsistent (for example\n if next_in or next_out was Z_NULL or the state was inadvertently written over\n by the application), or Z_BUF_ERROR if no progress is possible (for example\n avail_in or avail_out was zero). Note that Z_BUF_ERROR is not fatal, and\n deflate() can be called again with more input and more output space to\n continue compressing.\n*/\n\n\nZEXTERN int ZEXPORT deflateEnd(z_streamp strm);\n/*\n All dynamically allocated data structures for this stream are freed.\n This function discards any unprocessed input and does not flush any pending\n output.\n\n deflateEnd returns Z_OK if success, Z_STREAM_ERROR if the\n stream state was inconsistent, Z_DATA_ERROR if the stream was freed\n prematurely (some input or output was discarded). In the error case, msg\n may be set but then points to a static string (which must not be\n deallocated).\n*/\n\n\n/*\nZEXTERN int ZEXPORT inflateInit(z_streamp strm);\n\n Initializes the internal stream state for decompression. The fields\n next_in, avail_in, zalloc, zfree and opaque must be initialized before by\n the caller. In the current version of inflate, the provided input is not\n read or consumed. The allocation of a sliding window will be deferred to\n the first call of inflate (if the decompression does not complete on the\n first call). If zalloc and zfree are set to Z_NULL, inflateInit updates\n them to use default allocation functions. total_in, total_out, adler, and\n msg are initialized.\n\n inflateInit returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_VERSION_ERROR if the zlib library version is incompatible with the\n version assumed by the caller, or Z_STREAM_ERROR if the parameters are\n invalid, such as a null pointer to the structure. msg is set to null if\n there is no error message. inflateInit does not perform any decompression.\n Actual decompression will be done by inflate(). So next_in, and avail_in,\n next_out, and avail_out are unused and unchanged. The current\n implementation of inflateInit() does not process any header information --\n that is deferred until inflate() is called.\n*/\n\n\nZEXTERN int ZEXPORT inflate(z_streamp strm, int flush);\n/*\n inflate decompresses as much data as possible, and stops when the input\n buffer becomes empty or the output buffer becomes full. It may introduce\n some output latency (reading input without producing any output) except when\n forced to flush.\n\n The detailed semantics are as follows. inflate performs one or both of the\n following actions:\n\n - Decompress more input starting at next_in and update next_in and avail_in\n accordingly. If not all input can be processed (because there is not\n enough room in the output buffer), then next_in and avail_in are updated\n accordingly, and processing will resume at this point for the next call of\n inflate().\n\n - Generate more output starting at next_out and update next_out and avail_out\n accordingly. inflate() provides as much output as possible, until there is\n no more input data or no more space in the output buffer (see below about\n the flush parameter).\n\n Before the call of inflate(), the application should ensure that at least\n one of the actions is possible, by providing more input and/or consuming more\n output, and updating the next_* and avail_* values accordingly. If the\n caller of inflate() does not provide both available input and available\n output space, it is possible that there will be no progress made. The\n application can consume the uncompressed output when it wants, for example\n when the output buffer is full (avail_out == 0), or after each call of\n inflate(). If inflate returns Z_OK and with zero avail_out, it must be\n called again after making room in the output buffer because there might be\n more output pending.\n\n The flush parameter of inflate() can be Z_NO_FLUSH, Z_SYNC_FLUSH, Z_FINISH,\n Z_BLOCK, or Z_TREES. Z_SYNC_FLUSH requests that inflate() flush as much\n output as possible to the output buffer. Z_BLOCK requests that inflate()\n stop if and when it gets to the next deflate block boundary. When decoding\n the zlib or gzip format, this will cause inflate() to return immediately\n after the header and before the first block. When doing a raw inflate,\n inflate() will go ahead and process the first block, and will return when it\n gets to the end of that block, or when it runs out of data.\n\n The Z_BLOCK option assists in appending to or combining deflate streams.\n To assist in this, on return inflate() always sets strm->data_type to the\n number of unused bits in the last byte taken from strm->next_in, plus 64 if\n inflate() is currently decoding the last block in the deflate stream, plus\n 128 if inflate() returned immediately after decoding an end-of-block code or\n decoding the complete header up to just before the first byte of the deflate\n stream. The end-of-block will not be indicated until all of the uncompressed\n data from that block has been written to strm->next_out. The number of\n unused bits may in general be greater than seven, except when bit 7 of\n data_type is set, in which case the number of unused bits will be less than\n eight. data_type is set as noted here every time inflate() returns for all\n flush options, and so can be used to determine the amount of currently\n consumed input in bits.\n\n The Z_TREES option behaves as Z_BLOCK does, but it also returns when the\n end of each deflate block header is reached, before any actual data in that\n block is decoded. This allows the caller to determine the length of the\n deflate block header for later use in random access within a deflate block.\n 256 is added to the value of strm->data_type when inflate() returns\n immediately after reaching the end of the deflate block header.\n\n inflate() should normally be called until it returns Z_STREAM_END or an\n error. However if all decompression is to be performed in a single step (a\n single call of inflate), the parameter flush should be set to Z_FINISH. In\n this case all pending input is processed and all pending output is flushed;\n avail_out must be large enough to hold all of the uncompressed data for the\n operation to complete. (The size of the uncompressed data may have been\n saved by the compressor for this purpose.) The use of Z_FINISH is not\n required to perform an inflation in one step. However it may be used to\n inform inflate that a faster approach can be used for the single inflate()\n call. Z_FINISH also informs inflate to not maintain a sliding window if the\n stream completes, which reduces inflate's memory footprint. If the stream\n does not complete, either because not all of the stream is provided or not\n enough output space is provided, then a sliding window will be allocated and\n inflate() can be called again to continue the operation as if Z_NO_FLUSH had\n been used.\n\n In this implementation, inflate() always flushes as much output as\n possible to the output buffer, and always uses the faster approach on the\n first call. So the effects of the flush parameter in this implementation are\n on the return value of inflate() as noted below, when inflate() returns early\n when Z_BLOCK or Z_TREES is used, and when inflate() avoids the allocation of\n memory for a sliding window when Z_FINISH is used.\n\n If a preset dictionary is needed after this call (see inflateSetDictionary\n below), inflate sets strm->adler to the Adler-32 checksum of the dictionary\n chosen by the compressor and returns Z_NEED_DICT; otherwise it sets\n strm->adler to the Adler-32 checksum of all output produced so far (that is,\n total_out bytes) and returns Z_OK, Z_STREAM_END or an error code as described\n below. At the end of the stream, inflate() checks that its computed Adler-32\n checksum is equal to that saved by the compressor and returns Z_STREAM_END\n only if the checksum is correct.\n\n inflate() can decompress and check either zlib-wrapped or gzip-wrapped\n deflate data. The header type is detected automatically, if requested when\n initializing with inflateInit2(). Any information contained in the gzip\n header is not retained unless inflateGetHeader() is used. When processing\n gzip-wrapped deflate data, strm->adler32 is set to the CRC-32 of the output\n produced so far. The CRC-32 is checked against the gzip trailer, as is the\n uncompressed length, modulo 2^32.\n\n inflate() returns Z_OK if some progress has been made (more input processed\n or more output produced), Z_STREAM_END if the end of the compressed data has\n been reached and all uncompressed output has been produced, Z_NEED_DICT if a\n preset dictionary is needed at this point, Z_DATA_ERROR if the input data was\n corrupted (input stream not conforming to the zlib format or incorrect check\n value, in which case strm->msg points to a string with a more specific\n error), Z_STREAM_ERROR if the stream structure was inconsistent (for example\n next_in or next_out was Z_NULL, or the state was inadvertently written over\n by the application), Z_MEM_ERROR if there was not enough memory, Z_BUF_ERROR\n if no progress was possible or if there was not enough room in the output\n buffer when Z_FINISH is used. Note that Z_BUF_ERROR is not fatal, and\n inflate() can be called again with more input and more output space to\n continue decompressing. If Z_DATA_ERROR is returned, the application may\n then call inflateSync() to look for a good compression block if a partial\n recovery of the data is to be attempted.\n*/\n\n\nZEXTERN int ZEXPORT inflateEnd(z_streamp strm);\n/*\n All dynamically allocated data structures for this stream are freed.\n This function discards any unprocessed input and does not flush any pending\n output.\n\n inflateEnd returns Z_OK if success, or Z_STREAM_ERROR if the stream state\n was inconsistent.\n*/\n\n\n /* Advanced functions */\n\n/*\n The following functions are needed only in some special applications.\n*/\n\n/*\nZEXTERN int ZEXPORT deflateInit2(z_streamp strm,\n int level,\n int method,\n int windowBits,\n int memLevel,\n int strategy);\n\n This is another version of deflateInit with more compression options. The\n fields zalloc, zfree and opaque must be initialized before by the caller.\n\n The method parameter is the compression method. It must be Z_DEFLATED in\n this version of the library.\n\n The windowBits parameter is the base two logarithm of the window size\n (the size of the history buffer). It should be in the range 8..15 for this\n version of the library. Larger values of this parameter result in better\n compression at the expense of memory usage. The default value is 15 if\n deflateInit is used instead.\n\n For the current implementation of deflate(), a windowBits value of 8 (a\n window size of 256 bytes) is not supported. As a result, a request for 8\n will result in 9 (a 512-byte window). In that case, providing 8 to\n inflateInit2() will result in an error when the zlib header with 9 is\n checked against the initialization of inflate(). The remedy is to not use 8\n with deflateInit2() with this initialization, or at least in that case use 9\n with inflateInit2().\n\n windowBits can also be -8..-15 for raw deflate. In this case, -windowBits\n determines the window size. deflate() will then generate raw deflate data\n with no zlib header or trailer, and will not compute a check value.\n\n windowBits can also be greater than 15 for optional gzip encoding. Add\n 16 to windowBits to write a simple gzip header and trailer around the\n compressed data instead of a zlib wrapper. The gzip header will have no\n file name, no extra data, no comment, no modification time (set to zero), no\n header crc, and the operating system will be set to the appropriate value,\n if the operating system was determined at compile time. If a gzip stream is\n being written, strm->adler is a CRC-32 instead of an Adler-32.\n\n For raw deflate or gzip encoding, a request for a 256-byte window is\n rejected as invalid, since only the zlib header provides a means of\n transmitting the window size to the decompressor.\n\n The memLevel parameter specifies how much memory should be allocated\n for the internal compression state. memLevel=1 uses minimum memory but is\n slow and reduces compression ratio; memLevel=9 uses maximum memory for\n optimal speed. The default value is 8. See zconf.h for total memory usage\n as a function of windowBits and memLevel.\n\n The strategy parameter is used to tune the compression algorithm. Use the\n value Z_DEFAULT_STRATEGY for normal data, Z_FILTERED for data produced by a\n filter (or predictor), Z_HUFFMAN_ONLY to force Huffman encoding only (no\n string match), or Z_RLE to limit match distances to one (run-length\n encoding). Filtered data consists mostly of small values with a somewhat\n random distribution. In this case, the compression algorithm is tuned to\n compress them better. The effect of Z_FILTERED is to force more Huffman\n coding and less string matching; it is somewhat intermediate between\n Z_DEFAULT_STRATEGY and Z_HUFFMAN_ONLY. Z_RLE is designed to be almost as\n fast as Z_HUFFMAN_ONLY, but give better compression for PNG image data. The\n strategy parameter only affects the compression ratio but not the\n correctness of the compressed output even if it is not set appropriately.\n Z_FIXED prevents the use of dynamic Huffman codes, allowing for a simpler\n decoder for special applications.\n\n deflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_STREAM_ERROR if any parameter is invalid (such as an invalid\n method), or Z_VERSION_ERROR if the zlib library version (zlib_version) is\n incompatible with the version assumed by the caller (ZLIB_VERSION). msg is\n set to null if there is no error message. deflateInit2 does not perform any\n compression: this will be done by deflate().\n*/\n\nZEXTERN int ZEXPORT deflateSetDictionary(z_streamp strm,\n const Bytef *dictionary,\n uInt dictLength);\n/*\n Initializes the compression dictionary from the given byte sequence\n without producing any compressed output. When using the zlib format, this\n function must be called immediately after deflateInit, deflateInit2 or\n deflateReset, and before any call of deflate. When doing raw deflate, this\n function must be called either before any call of deflate, or immediately\n after the completion of a deflate block, i.e. after all input has been\n consumed and all output has been delivered when using any of the flush\n options Z_BLOCK, Z_PARTIAL_FLUSH, Z_SYNC_FLUSH, or Z_FULL_FLUSH. The\n compressor and decompressor must use exactly the same dictionary (see\n inflateSetDictionary).\n\n The dictionary should consist of strings (byte sequences) that are likely\n to be encountered later in the data to be compressed, with the most commonly\n used strings preferably put towards the end of the dictionary. Using a\n dictionary is most useful when the data to be compressed is short and can be\n predicted with good accuracy; the data can then be compressed better than\n with the default empty dictionary.\n\n Depending on the size of the compression data structures selected by\n deflateInit or deflateInit2, a part of the dictionary may in effect be\n discarded, for example if the dictionary is larger than the window size\n provided in deflateInit or deflateInit2. Thus the strings most likely to be\n useful should be put at the end of the dictionary, not at the front. In\n addition, the current implementation of deflate will use at most the window\n size minus 262 bytes of the provided dictionary.\n\n Upon return of this function, strm->adler is set to the Adler-32 value\n of the dictionary; the decompressor may later use this value to determine\n which dictionary has been used by the compressor. (The Adler-32 value\n applies to the whole dictionary even if only a subset of the dictionary is\n actually used by the compressor.) If a raw deflate was requested, then the\n Adler-32 value is not computed and strm->adler is not set.\n\n deflateSetDictionary returns Z_OK if success, or Z_STREAM_ERROR if a\n parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is\n inconsistent (for example if deflate has already been called for this stream\n or if not at a block boundary for raw deflate). deflateSetDictionary does\n not perform any compression: this will be done by deflate().\n*/\n\nZEXTERN int ZEXPORT deflateGetDictionary(z_streamp strm,\n Bytef *dictionary,\n uInt *dictLength);\n/*\n Returns the sliding dictionary being maintained by deflate. dictLength is\n set to the number of bytes in the dictionary, and that many bytes are copied\n to dictionary. dictionary must have enough space, where 32768 bytes is\n always enough. If deflateGetDictionary() is called with dictionary equal to\n Z_NULL, then only the dictionary length is returned, and nothing is copied.\n Similarly, if dictLength is Z_NULL, then it is not set.\n\n deflateGetDictionary() may return a length less than the window size, even\n when more than the window size in input has been provided. It may return up\n to 258 bytes less in that case, due to how zlib's implementation of deflate\n manages the sliding window and lookahead for matches, where matches can be\n up to 258 bytes long. If the application needs the last window-size bytes of\n input, then that would need to be saved by the application outside of zlib.\n\n deflateGetDictionary returns Z_OK on success, or Z_STREAM_ERROR if the\n stream state is inconsistent.\n*/\n\nZEXTERN int ZEXPORT deflateCopy(z_streamp dest,\n z_streamp source);\n/*\n Sets the destination stream as a complete copy of the source stream.\n\n This function can be useful when several compression strategies will be\n tried, for example when there are several ways of pre-processing the input\n data with a filter. The streams that will be discarded should then be freed\n by calling deflateEnd. Note that deflateCopy duplicates the internal\n compression state which can be quite large, so this strategy is slow and can\n consume lots of memory.\n\n deflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not\n enough memory, Z_STREAM_ERROR if the source stream state was inconsistent\n (such as zalloc being Z_NULL). msg is left unchanged in both source and\n destination.\n*/\n\nZEXTERN int ZEXPORT deflateReset(z_streamp strm);\n/*\n This function is equivalent to deflateEnd followed by deflateInit, but\n does not free and reallocate the internal compression state. The stream\n will leave the compression level and any other attributes that may have been\n set unchanged. total_in, total_out, adler, and msg are initialized.\n\n deflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent (such as zalloc or state being Z_NULL).\n*/\n\nZEXTERN int ZEXPORT deflateParams(z_streamp strm,\n int level,\n int strategy);\n/*\n Dynamically update the compression level and compression strategy. The\n interpretation of level and strategy is as in deflateInit2(). This can be\n used to switch between compression and straight copy of the input data, or\n to switch to a different kind of input data requiring a different strategy.\n If the compression approach (which is a function of the level) or the\n strategy is changed, and if there have been any deflate() calls since the\n state was initialized or reset, then the input available so far is\n compressed with the old level and strategy using deflate(strm, Z_BLOCK).\n There are three approaches for the compression levels 0, 1..3, and 4..9\n respectively. The new level and strategy will take effect at the next call\n of deflate().\n\n If a deflate(strm, Z_BLOCK) is performed by deflateParams(), and it does\n not have enough output space to complete, then the parameter change will not\n take effect. In this case, deflateParams() can be called again with the\n same parameters and more output space to try again.\n\n In order to assure a change in the parameters on the first try, the\n deflate stream should be flushed using deflate() with Z_BLOCK or other flush\n request until strm.avail_out is not zero, before calling deflateParams().\n Then no more input data should be provided before the deflateParams() call.\n If this is done, the old level and strategy will be applied to the data\n compressed before deflateParams(), and the new level and strategy will be\n applied to the data compressed after deflateParams().\n\n deflateParams returns Z_OK on success, Z_STREAM_ERROR if the source stream\n state was inconsistent or if a parameter was invalid, or Z_BUF_ERROR if\n there was not enough output space to complete the compression of the\n available input data before a change in the strategy or approach. Note that\n in the case of a Z_BUF_ERROR, the parameters are not changed. A return\n value of Z_BUF_ERROR is not fatal, in which case deflateParams() can be\n retried with more output space.\n*/\n\nZEXTERN int ZEXPORT deflateTune(z_streamp strm,\n int good_length,\n int max_lazy,\n int nice_length,\n int max_chain);\n/*\n Fine tune deflate's internal compression parameters. This should only be\n used by someone who understands the algorithm used by zlib's deflate for\n searching for the best matching string, and even then only by the most\n fanatic optimizer trying to squeeze out the last compressed bit for their\n specific input data. Read the deflate.c source code for the meaning of the\n max_lazy, good_length, nice_length, and max_chain parameters.\n\n deflateTune() can be called after deflateInit() or deflateInit2(), and\n returns Z_OK on success, or Z_STREAM_ERROR for an invalid deflate stream.\n */\n\nZEXTERN uLong ZEXPORT deflateBound(z_streamp strm,\n uLong sourceLen);\n/*\n deflateBound() returns an upper bound on the compressed size after\n deflation of sourceLen bytes. It must be called after deflateInit() or\n deflateInit2(), and after deflateSetHeader(), if used. This would be used\n to allocate an output buffer for deflation in a single pass, and so would be\n called before deflate(). If that first deflate() call is provided the\n sourceLen input bytes, an output buffer allocated to the size returned by\n deflateBound(), and the flush value Z_FINISH, then deflate() is guaranteed\n to return Z_STREAM_END. Note that it is possible for the compressed size to\n be larger than the value returned by deflateBound() if flush options other\n than Z_FINISH or Z_NO_FLUSH are used.\n*/\n\nZEXTERN int ZEXPORT deflatePending(z_streamp strm,\n unsigned *pending,\n int *bits);\n/*\n deflatePending() returns the number of bytes and bits of output that have\n been generated, but not yet provided in the available output. The bytes not\n provided would be due to the available output space having being consumed.\n The number of bits of output not provided are between 0 and 7, where they\n await more bits to join them in order to fill out a full byte. If pending\n or bits are Z_NULL, then those values are not set.\n\n deflatePending returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent.\n */\n\nZEXTERN int ZEXPORT deflatePrime(z_streamp strm,\n int bits,\n int value);\n/*\n deflatePrime() inserts bits in the deflate output stream. The intent\n is that this function is used to start off the deflate output with the bits\n leftover from a previous deflate stream when appending to it. As such, this\n function can only be used for raw deflate, and must be used before the first\n deflate() call after a deflateInit2() or deflateReset(). bits must be less\n than or equal to 16, and that many of the least significant bits of value\n will be inserted in the output.\n\n deflatePrime returns Z_OK if success, Z_BUF_ERROR if there was not enough\n room in the internal buffer to insert the bits, or Z_STREAM_ERROR if the\n source stream state was inconsistent.\n*/\n\nZEXTERN int ZEXPORT deflateSetHeader(z_streamp strm,\n gz_headerp head);\n/*\n deflateSetHeader() provides gzip header information for when a gzip\n stream is requested by deflateInit2(). deflateSetHeader() may be called\n after deflateInit2() or deflateReset() and before the first call of\n deflate(). The text, time, os, extra field, name, and comment information\n in the provided gz_header structure are written to the gzip header (xflag is\n ignored -- the extra flags are set according to the compression level). The\n caller must assure that, if not Z_NULL, name and comment are terminated with\n a zero byte, and that if extra is not Z_NULL, that extra_len bytes are\n available there. If hcrc is true, a gzip header crc is included. Note that\n the current versions of the command-line version of gzip (up through version\n 1.3.x) do not support header crc's, and will report that it is a \"multi-part\n gzip file\" and give up.\n\n If deflateSetHeader is not used, the default gzip header has text false,\n the time set to zero, and os set to the current operating system, with no\n extra, name, or comment fields. The gzip header is returned to the default\n state by deflateReset().\n\n deflateSetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent.\n*/\n\n/*\nZEXTERN int ZEXPORT inflateInit2(z_streamp strm,\n int windowBits);\n\n This is another version of inflateInit with an extra parameter. The\n fields next_in, avail_in, zalloc, zfree and opaque must be initialized\n before by the caller.\n\n The windowBits parameter is the base two logarithm of the maximum window\n size (the size of the history buffer). It should be in the range 8..15 for\n this version of the library. The default value is 15 if inflateInit is used\n instead. windowBits must be greater than or equal to the windowBits value\n provided to deflateInit2() while compressing, or it must be equal to 15 if\n deflateInit2() was not used. If a compressed stream with a larger window\n size is given as input, inflate() will return with the error code\n Z_DATA_ERROR instead of trying to allocate a larger window.\n\n windowBits can also be zero to request that inflate use the window size in\n the zlib header of the compressed stream.\n\n windowBits can also be -8..-15 for raw inflate. In this case, -windowBits\n determines the window size. inflate() will then process raw deflate data,\n not looking for a zlib or gzip header, not generating a check value, and not\n looking for any check values for comparison at the end of the stream. This\n is for use with other formats that use the deflate compressed data format\n such as zip. Those formats provide their own check values. If a custom\n format is developed using the raw deflate format for compressed data, it is\n recommended that a check value such as an Adler-32 or a CRC-32 be applied to\n the uncompressed data as is done in the zlib, gzip, and zip formats. For\n most applications, the zlib format should be used as is. Note that comments\n above on the use in deflateInit2() applies to the magnitude of windowBits.\n\n windowBits can also be greater than 15 for optional gzip decoding. Add\n 32 to windowBits to enable zlib and gzip decoding with automatic header\n detection, or add 16 to decode only the gzip format (the zlib format will\n return a Z_DATA_ERROR). If a gzip stream is being decoded, strm->adler is a\n CRC-32 instead of an Adler-32. Unlike the gunzip utility and gzread() (see\n below), inflate() will *not* automatically decode concatenated gzip members.\n inflate() will return Z_STREAM_END at the end of the gzip member. The state\n would need to be reset to continue decoding a subsequent gzip member. This\n *must* be done if there is more data after a gzip member, in order for the\n decompression to be compliant with the gzip standard (RFC 1952).\n\n inflateInit2 returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_VERSION_ERROR if the zlib library version is incompatible with the\n version assumed by the caller, or Z_STREAM_ERROR if the parameters are\n invalid, such as a null pointer to the structure. msg is set to null if\n there is no error message. inflateInit2 does not perform any decompression\n apart from possibly reading the zlib header if present: actual decompression\n will be done by inflate(). (So next_in and avail_in may be modified, but\n next_out and avail_out are unused and unchanged.) The current implementation\n of inflateInit2() does not process any header information -- that is\n deferred until inflate() is called.\n*/\n\nZEXTERN int ZEXPORT inflateSetDictionary(z_streamp strm,\n const Bytef *dictionary,\n uInt dictLength);\n/*\n Initializes the decompression dictionary from the given uncompressed byte\n sequence. This function must be called immediately after a call of inflate,\n if that call returned Z_NEED_DICT. The dictionary chosen by the compressor\n can be determined from the Adler-32 value returned by that call of inflate.\n The compressor and decompressor must use exactly the same dictionary (see\n deflateSetDictionary). For raw inflate, this function can be called at any\n time to set the dictionary. If the provided dictionary is smaller than the\n window and there is already data in the window, then the provided dictionary\n will amend what's there. The application must insure that the dictionary\n that was used for compression is provided.\n\n inflateSetDictionary returns Z_OK if success, Z_STREAM_ERROR if a\n parameter is invalid (e.g. dictionary being Z_NULL) or the stream state is\n inconsistent, Z_DATA_ERROR if the given dictionary doesn't match the\n expected one (incorrect Adler-32 value). inflateSetDictionary does not\n perform any decompression: this will be done by subsequent calls of\n inflate().\n*/\n\nZEXTERN int ZEXPORT inflateGetDictionary(z_streamp strm,\n Bytef *dictionary,\n uInt *dictLength);\n/*\n Returns the sliding dictionary being maintained by inflate. dictLength is\n set to the number of bytes in the dictionary, and that many bytes are copied\n to dictionary. dictionary must have enough space, where 32768 bytes is\n always enough. If inflateGetDictionary() is called with dictionary equal to\n Z_NULL, then only the dictionary length is returned, and nothing is copied.\n Similarly, if dictLength is Z_NULL, then it is not set.\n\n inflateGetDictionary returns Z_OK on success, or Z_STREAM_ERROR if the\n stream state is inconsistent.\n*/\n\nZEXTERN int ZEXPORT inflateSync(z_streamp strm);\n/*\n Skips invalid compressed data until a possible full flush point (see above\n for the description of deflate with Z_FULL_FLUSH) can be found, or until all\n available input is skipped. No output is provided.\n\n inflateSync searches for a 00 00 FF FF pattern in the compressed data.\n All full flush points have this pattern, but not all occurrences of this\n pattern are full flush points.\n\n inflateSync returns Z_OK if a possible full flush point has been found,\n Z_BUF_ERROR if no more input was provided, Z_DATA_ERROR if no flush point\n has been found, or Z_STREAM_ERROR if the stream structure was inconsistent.\n In the success case, the application may save the current current value of\n total_in which indicates where valid compressed data was found. In the\n error case, the application may repeatedly call inflateSync, providing more\n input each time, until success or end of the input data.\n*/\n\nZEXTERN int ZEXPORT inflateCopy(z_streamp dest,\n z_streamp source);\n/*\n Sets the destination stream as a complete copy of the source stream.\n\n This function can be useful when randomly accessing a large stream. The\n first pass through the stream can periodically record the inflate state,\n allowing restarting inflate at those points when randomly accessing the\n stream.\n\n inflateCopy returns Z_OK if success, Z_MEM_ERROR if there was not\n enough memory, Z_STREAM_ERROR if the source stream state was inconsistent\n (such as zalloc being Z_NULL). msg is left unchanged in both source and\n destination.\n*/\n\nZEXTERN int ZEXPORT inflateReset(z_streamp strm);\n/*\n This function is equivalent to inflateEnd followed by inflateInit,\n but does not free and reallocate the internal decompression state. The\n stream will keep attributes that may have been set by inflateInit2.\n total_in, total_out, adler, and msg are initialized.\n\n inflateReset returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent (such as zalloc or state being Z_NULL).\n*/\n\nZEXTERN int ZEXPORT inflateReset2(z_streamp strm,\n int windowBits);\n/*\n This function is the same as inflateReset, but it also permits changing\n the wrap and window size requests. The windowBits parameter is interpreted\n the same as it is for inflateInit2. If the window size is changed, then the\n memory allocated for the window is freed, and the window will be reallocated\n by inflate() if needed.\n\n inflateReset2 returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent (such as zalloc or state being Z_NULL), or if\n the windowBits parameter is invalid.\n*/\n\nZEXTERN int ZEXPORT inflatePrime(z_streamp strm,\n int bits,\n int value);\n/*\n This function inserts bits in the inflate input stream. The intent is\n that this function is used to start inflating at a bit position in the\n middle of a byte. The provided bits will be used before any bytes are used\n from next_in. This function should only be used with raw inflate, and\n should be used before the first inflate() call after inflateInit2() or\n inflateReset(). bits must be less than or equal to 16, and that many of the\n least significant bits of value will be inserted in the input.\n\n If bits is negative, then the input stream bit buffer is emptied. Then\n inflatePrime() can be called again to put bits in the buffer. This is used\n to clear out bits leftover after feeding inflate a block description prior\n to feeding inflate codes.\n\n inflatePrime returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent.\n*/\n\nZEXTERN long ZEXPORT inflateMark(z_streamp strm);\n/*\n This function returns two values, one in the lower 16 bits of the return\n value, and the other in the remaining upper bits, obtained by shifting the\n return value down 16 bits. If the upper value is -1 and the lower value is\n zero, then inflate() is currently decoding information outside of a block.\n If the upper value is -1 and the lower value is non-zero, then inflate is in\n the middle of a stored block, with the lower value equaling the number of\n bytes from the input remaining to copy. If the upper value is not -1, then\n it is the number of bits back from the current bit position in the input of\n the code (literal or length/distance pair) currently being processed. In\n that case the lower value is the number of bytes already emitted for that\n code.\n\n A code is being processed if inflate is waiting for more input to complete\n decoding of the code, or if it has completed decoding but is waiting for\n more output space to write the literal or match data.\n\n inflateMark() is used to mark locations in the input data for random\n access, which may be at bit positions, and to note those cases where the\n output of a code may span boundaries of random access blocks. The current\n location in the input stream can be determined from avail_in and data_type\n as noted in the description for the Z_BLOCK flush parameter for inflate.\n\n inflateMark returns the value noted above, or -65536 if the provided\n source stream state was inconsistent.\n*/\n\nZEXTERN int ZEXPORT inflateGetHeader(z_streamp strm,\n gz_headerp head);\n/*\n inflateGetHeader() requests that gzip header information be stored in the\n provided gz_header structure. inflateGetHeader() may be called after\n inflateInit2() or inflateReset(), and before the first call of inflate().\n As inflate() processes the gzip stream, head->done is zero until the header\n is completed, at which time head->done is set to one. If a zlib stream is\n being decoded, then head->done is set to -1 to indicate that there will be\n no gzip header information forthcoming. Note that Z_BLOCK or Z_TREES can be\n used to force inflate() to return immediately after header processing is\n complete and before any actual data is decompressed.\n\n The text, time, xflags, and os fields are filled in with the gzip header\n contents. hcrc is set to true if there is a header CRC. (The header CRC\n was valid if done is set to one.) If extra is not Z_NULL, then extra_max\n contains the maximum number of bytes to write to extra. Once done is true,\n extra_len contains the actual extra field length, and extra contains the\n extra field, or that field truncated if extra_max is less than extra_len.\n If name is not Z_NULL, then up to name_max characters are written there,\n terminated with a zero unless the length is greater than name_max. If\n comment is not Z_NULL, then up to comm_max characters are written there,\n terminated with a zero unless the length is greater than comm_max. When any\n of extra, name, or comment are not Z_NULL and the respective field is not\n present in the header, then that field is set to Z_NULL to signal its\n absence. This allows the use of deflateSetHeader() with the returned\n structure to duplicate the header. However if those fields are set to\n allocated memory, then the application will need to save those pointers\n elsewhere so that they can be eventually freed.\n\n If inflateGetHeader is not used, then the header information is simply\n discarded. The header is always checked for validity, including the header\n CRC if present. inflateReset() will reset the process to discard the header\n information. The application would need to call inflateGetHeader() again to\n retrieve the header from the next gzip stream.\n\n inflateGetHeader returns Z_OK if success, or Z_STREAM_ERROR if the source\n stream state was inconsistent.\n*/\n\n/*\nZEXTERN int ZEXPORT inflateBackInit(z_streamp strm, int windowBits,\n unsigned char FAR *window);\n\n Initialize the internal stream state for decompression using inflateBack()\n calls. The fields zalloc, zfree and opaque in strm must be initialized\n before the call. If zalloc and zfree are Z_NULL, then the default library-\n derived memory allocation routines are used. windowBits is the base two\n logarithm of the window size, in the range 8..15. window is a caller\n supplied buffer of that size. Except for special applications where it is\n assured that deflate was used with small window sizes, windowBits must be 15\n and a 32K byte window must be supplied to be able to decompress general\n deflate streams.\n\n See inflateBack() for the usage of these routines.\n\n inflateBackInit will return Z_OK on success, Z_STREAM_ERROR if any of\n the parameters are invalid, Z_MEM_ERROR if the internal state could not be\n allocated, or Z_VERSION_ERROR if the version of the library does not match\n the version of the header file.\n*/\n\ntypedef unsigned (*in_func)(void FAR *,\n z_const unsigned char FAR * FAR *);\ntypedef int (*out_func)(void FAR *, unsigned char FAR *, unsigned);\n\nZEXTERN int ZEXPORT inflateBack(z_streamp strm,\n in_func in, void FAR *in_desc,\n out_func out, void FAR *out_desc);\n/*\n inflateBack() does a raw inflate with a single call using a call-back\n interface for input and output. This is potentially more efficient than\n inflate() for file i/o applications, in that it avoids copying between the\n output and the sliding window by simply making the window itself the output\n buffer. inflate() can be faster on modern CPUs when used with large\n buffers. inflateBack() trusts the application to not change the output\n buffer passed by the output function, at least until inflateBack() returns.\n\n inflateBackInit() must be called first to allocate the internal state\n and to initialize the state with the user-provided window buffer.\n inflateBack() may then be used multiple times to inflate a complete, raw\n deflate stream with each call. inflateBackEnd() is then called to free the\n allocated state.\n\n A raw deflate stream is one with no zlib or gzip header or trailer.\n This routine would normally be used in a utility that reads zip or gzip\n files and writes out uncompressed files. The utility would decode the\n header and process the trailer on its own, hence this routine expects only\n the raw deflate stream to decompress. This is different from the default\n behavior of inflate(), which expects a zlib header and trailer around the\n deflate stream.\n\n inflateBack() uses two subroutines supplied by the caller that are then\n called by inflateBack() for input and output. inflateBack() calls those\n routines until it reads a complete deflate stream and writes out all of the\n uncompressed data, or until it encounters an error. The function's\n parameters and return types are defined above in the in_func and out_func\n typedefs. inflateBack() will call in(in_desc, &buf) which should return the\n number of bytes of provided input, and a pointer to that input in buf. If\n there is no input available, in() must return zero -- buf is ignored in that\n case -- and inflateBack() will return a buffer error. inflateBack() will\n call out(out_desc, buf, len) to write the uncompressed data buf[0..len-1].\n out() should return zero on success, or non-zero on failure. If out()\n returns non-zero, inflateBack() will return with an error. Neither in() nor\n out() are permitted to change the contents of the window provided to\n inflateBackInit(), which is also the buffer that out() uses to write from.\n The length written by out() will be at most the window size. Any non-zero\n amount of input may be provided by in().\n\n For convenience, inflateBack() can be provided input on the first call by\n setting strm->next_in and strm->avail_in. If that input is exhausted, then\n in() will be called. Therefore strm->next_in must be initialized before\n calling inflateBack(). If strm->next_in is Z_NULL, then in() will be called\n immediately for input. If strm->next_in is not Z_NULL, then strm->avail_in\n must also be initialized, and then if strm->avail_in is not zero, input will\n initially be taken from strm->next_in[0 .. strm->avail_in - 1].\n\n The in_desc and out_desc parameters of inflateBack() is passed as the\n first parameter of in() and out() respectively when they are called. These\n descriptors can be optionally used to pass any information that the caller-\n supplied in() and out() functions need to do their job.\n\n On return, inflateBack() will set strm->next_in and strm->avail_in to\n pass back any unused input that was provided by the last in() call. The\n return values of inflateBack() can be Z_STREAM_END on success, Z_BUF_ERROR\n if in() or out() returned an error, Z_DATA_ERROR if there was a format error\n in the deflate stream (in which case strm->msg is set to indicate the nature\n of the error), or Z_STREAM_ERROR if the stream was not properly initialized.\n In the case of Z_BUF_ERROR, an input or output error can be distinguished\n using strm->next_in which will be Z_NULL only if in() returned an error. If\n strm->next_in is not Z_NULL, then the Z_BUF_ERROR was due to out() returning\n non-zero. (in() will always be called before out(), so strm->next_in is\n assured to be defined if out() returns non-zero.) Note that inflateBack()\n cannot return Z_OK.\n*/\n\nZEXTERN int ZEXPORT inflateBackEnd(z_streamp strm);\n/*\n All memory allocated by inflateBackInit() is freed.\n\n inflateBackEnd() returns Z_OK on success, or Z_STREAM_ERROR if the stream\n state was inconsistent.\n*/\n\nZEXTERN uLong ZEXPORT zlibCompileFlags(void);\n/* Return flags indicating compile-time options.\n\n Type sizes, two bits each, 00 = 16 bits, 01 = 32, 10 = 64, 11 = other:\n 1.0: size of uInt\n 3.2: size of uLong\n 5.4: size of voidpf (pointer)\n 7.6: size of z_off_t\n\n Compiler, assembler, and debug options:\n 8: ZLIB_DEBUG\n 9: ASMV or ASMINF -- use ASM code\n 10: ZLIB_WINAPI -- exported functions use the WINAPI calling convention\n 11: 0 (reserved)\n\n One-time table building (smaller code, but not thread-safe if true):\n 12: BUILDFIXED -- build static block decoding tables when needed\n 13: DYNAMIC_CRC_TABLE -- build CRC calculation tables when needed\n 14,15: 0 (reserved)\n\n Library content (indicates missing functionality):\n 16: NO_GZCOMPRESS -- gz* functions cannot compress (to avoid linking\n deflate code when not needed)\n 17: NO_GZIP -- deflate can't write gzip streams, and inflate can't detect\n and decode gzip streams (to avoid linking crc code)\n 18-19: 0 (reserved)\n\n Operation variations (changes in library functionality):\n 20: PKZIP_BUG_WORKAROUND -- slightly more permissive inflate\n 21: FASTEST -- deflate algorithm with only one, lowest compression level\n 22,23: 0 (reserved)\n\n The sprintf variant used by gzprintf (zero is best):\n 24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format\n 25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure!\n 26: 0 = returns value, 1 = void -- 1 means inferred string length returned\n\n Remainder:\n 27-31: 0 (reserved)\n */\n\n#ifndef Z_SOLO\n\n /* utility functions */\n\n/*\n The following utility functions are implemented on top of the basic\n stream-oriented functions. To simplify the interface, some default options\n are assumed (compression level and memory usage, standard memory allocation\n functions). The source code of these utility functions can be modified if\n you need special options.\n*/\n\nZEXTERN int ZEXPORT compress(Bytef *dest, uLongf *destLen,\n const Bytef *source, uLong sourceLen);\n/*\n Compresses the source buffer into the destination buffer. sourceLen is\n the byte length of the source buffer. Upon entry, destLen is the total size\n of the destination buffer, which must be at least the value returned by\n compressBound(sourceLen). Upon exit, destLen is the actual size of the\n compressed data. compress() is equivalent to compress2() with a level\n parameter of Z_DEFAULT_COMPRESSION.\n\n compress returns Z_OK if success, Z_MEM_ERROR if there was not\n enough memory, Z_BUF_ERROR if there was not enough room in the output\n buffer.\n*/\n\nZEXTERN int ZEXPORT compress2(Bytef *dest, uLongf *destLen,\n const Bytef *source, uLong sourceLen,\n int level);\n/*\n Compresses the source buffer into the destination buffer. The level\n parameter has the same meaning as in deflateInit. sourceLen is the byte\n length of the source buffer. Upon entry, destLen is the total size of the\n destination buffer, which must be at least the value returned by\n compressBound(sourceLen). Upon exit, destLen is the actual size of the\n compressed data.\n\n compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough\n memory, Z_BUF_ERROR if there was not enough room in the output buffer,\n Z_STREAM_ERROR if the level parameter is invalid.\n*/\n\nZEXTERN uLong ZEXPORT compressBound(uLong sourceLen);\n/*\n compressBound() returns an upper bound on the compressed size after\n compress() or compress2() on sourceLen bytes. It would be used before a\n compress() or compress2() call to allocate the destination buffer.\n*/\n\nZEXTERN int ZEXPORT uncompress(Bytef *dest, uLongf *destLen,\n const Bytef *source, uLong sourceLen);\n/*\n Decompresses the source buffer into the destination buffer. sourceLen is\n the byte length of the source buffer. Upon entry, destLen is the total size\n of the destination buffer, which must be large enough to hold the entire\n uncompressed data. (The size of the uncompressed data must have been saved\n previously by the compressor and transmitted to the decompressor by some\n mechanism outside the scope of this compression library.) Upon exit, destLen\n is the actual size of the uncompressed data.\n\n uncompress returns Z_OK if success, Z_MEM_ERROR if there was not\n enough memory, Z_BUF_ERROR if there was not enough room in the output\n buffer, or Z_DATA_ERROR if the input data was corrupted or incomplete. In\n the case where there is not enough room, uncompress() will fill the output\n buffer with the uncompressed data up to that point.\n*/\n\nZEXTERN int ZEXPORT uncompress2(Bytef *dest, uLongf *destLen,\n const Bytef *source, uLong *sourceLen);\n/*\n Same as uncompress, except that sourceLen is a pointer, where the\n length of the source is *sourceLen. On return, *sourceLen is the number of\n source bytes consumed.\n*/\n\n /* gzip file access functions */\n\n/*\n This library supports reading and writing files in gzip (.gz) format with\n an interface similar to that of stdio, using the functions that start with\n \"gz\". The gzip format is different from the zlib format. gzip is a gzip\n wrapper, documented in RFC 1952, wrapped around a deflate stream.\n*/\n\ntypedef struct gzFile_s *gzFile; /* semi-opaque gzip file descriptor */\n\n/*\nZEXTERN gzFile ZEXPORT gzopen(const char *path, const char *mode);\n\n Open the gzip (.gz) file at path for reading and decompressing, or\n compressing and writing. The mode parameter is as in fopen (\"rb\" or \"wb\")\n but can also include a compression level (\"wb9\") or a strategy: 'f' for\n filtered data as in \"wb6f\", 'h' for Huffman-only compression as in \"wb1h\",\n 'R' for run-length encoding as in \"wb1R\", or 'F' for fixed code compression\n as in \"wb9F\". (See the description of deflateInit2 for more information\n about the strategy parameter.) 'T' will request transparent writing or\n appending with no compression and not using the gzip format.\n\n \"a\" can be used instead of \"w\" to request that the gzip stream that will\n be written be appended to the file. \"+\" will result in an error, since\n reading and writing to the same gzip file is not supported. The addition of\n \"x\" when writing will create the file exclusively, which fails if the file\n already exists. On systems that support it, the addition of \"e\" when\n reading or writing will set the flag to close the file on an execve() call.\n\n These functions, as well as gzip, will read and decode a sequence of gzip\n streams in a file. The append function of gzopen() can be used to create\n such a file. (Also see gzflush() for another way to do this.) When\n appending, gzopen does not test whether the file begins with a gzip stream,\n nor does it look for the end of the gzip streams to begin appending. gzopen\n will simply append a gzip stream to the existing file.\n\n gzopen can be used to read a file which is not in gzip format; in this\n case gzread will directly read from the file without decompression. When\n reading, this will be detected automatically by looking for the magic two-\n byte gzip header.\n\n gzopen returns NULL if the file could not be opened, if there was\n insufficient memory to allocate the gzFile state, or if an invalid mode was\n specified (an 'r', 'w', or 'a' was not provided, or '+' was provided).\n errno can be checked to determine if the reason gzopen failed was that the\n file could not be opened.\n*/\n\nZEXTERN gzFile ZEXPORT gzdopen(int fd, const char *mode);\n/*\n Associate a gzFile with the file descriptor fd. File descriptors are\n obtained from calls like open, dup, creat, pipe or fileno (if the file has\n been previously opened with fopen). The mode parameter is as in gzopen.\n\n The next call of gzclose on the returned gzFile will also close the file\n descriptor fd, just like fclose(fdopen(fd, mode)) closes the file descriptor\n fd. If you want to keep fd open, use fd = dup(fd_keep); gz = gzdopen(fd,\n mode);. The duplicated descriptor should be saved to avoid a leak, since\n gzdopen does not close fd if it fails. If you are using fileno() to get the\n file descriptor from a FILE *, then you will have to use dup() to avoid\n double-close()ing the file descriptor. Both gzclose() and fclose() will\n close the associated file descriptor, so they need to have different file\n descriptors.\n\n gzdopen returns NULL if there was insufficient memory to allocate the\n gzFile state, if an invalid mode was specified (an 'r', 'w', or 'a' was not\n provided, or '+' was provided), or if fd is -1. The file descriptor is not\n used until the next gz* read, write, seek, or close operation, so gzdopen\n will not detect if fd is invalid (unless fd is -1).\n*/\n\nZEXTERN int ZEXPORT gzbuffer(gzFile file, unsigned size);\n/*\n Set the internal buffer size used by this library's functions for file to\n size. The default buffer size is 8192 bytes. This function must be called\n after gzopen() or gzdopen(), and before any other calls that read or write\n the file. The buffer memory allocation is always deferred to the first read\n or write. Three times that size in buffer space is allocated. A larger\n buffer size of, for example, 64K or 128K bytes will noticeably increase the\n speed of decompression (reading).\n\n The new buffer size also affects the maximum length for gzprintf().\n\n gzbuffer() returns 0 on success, or -1 on failure, such as being called\n too late.\n*/\n\nZEXTERN int ZEXPORT gzsetparams(gzFile file, int level, int strategy);\n/*\n Dynamically update the compression level and strategy for file. See the\n description of deflateInit2 for the meaning of these parameters. Previously\n provided data is flushed before applying the parameter changes.\n\n gzsetparams returns Z_OK if success, Z_STREAM_ERROR if the file was not\n opened for writing, Z_ERRNO if there is an error writing the flushed data,\n or Z_MEM_ERROR if there is a memory allocation error.\n*/\n\nZEXTERN int ZEXPORT gzread(gzFile file, voidp buf, unsigned len);\n/*\n Read and decompress up to len uncompressed bytes from file into buf. If\n the input file is not in gzip format, gzread copies the given number of\n bytes into the buffer directly from the file.\n\n After reaching the end of a gzip stream in the input, gzread will continue\n to read, looking for another gzip stream. Any number of gzip streams may be\n concatenated in the input file, and will all be decompressed by gzread().\n If something other than a gzip stream is encountered after a gzip stream,\n that remaining trailing garbage is ignored (and no error is returned).\n\n gzread can be used to read a gzip file that is being concurrently written.\n Upon reaching the end of the input, gzread will return with the available\n data. If the error code returned by gzerror is Z_OK or Z_BUF_ERROR, then\n gzclearerr can be used to clear the end of file indicator in order to permit\n gzread to be tried again. Z_OK indicates that a gzip stream was completed\n on the last gzread. Z_BUF_ERROR indicates that the input file ended in the\n middle of a gzip stream. Note that gzread does not return -1 in the event\n of an incomplete gzip stream. This error is deferred until gzclose(), which\n will return Z_BUF_ERROR if the last gzread ended in the middle of a gzip\n stream. Alternatively, gzerror can be used before gzclose to detect this\n case.\n\n gzread returns the number of uncompressed bytes actually read, less than\n len for end of file, or -1 for error. If len is too large to fit in an int,\n then nothing is read, -1 is returned, and the error state is set to\n Z_STREAM_ERROR.\n*/\n\nZEXTERN z_size_t ZEXPORT gzfread(voidp buf, z_size_t size, z_size_t nitems,\n gzFile file);\n/*\n Read and decompress up to nitems items of size size from file into buf,\n otherwise operating as gzread() does. This duplicates the interface of\n stdio's fread(), with size_t request and return types. If the library\n defines size_t, then z_size_t is identical to size_t. If not, then z_size_t\n is an unsigned integer type that can contain a pointer.\n\n gzfread() returns the number of full items read of size size, or zero if\n the end of the file was reached and a full item could not be read, or if\n there was an error. gzerror() must be consulted if zero is returned in\n order to determine if there was an error. If the multiplication of size and\n nitems overflows, i.e. the product does not fit in a z_size_t, then nothing\n is read, zero is returned, and the error state is set to Z_STREAM_ERROR.\n\n In the event that the end of file is reached and only a partial item is\n available at the end, i.e. the remaining uncompressed data length is not a\n multiple of size, then the final partial item is nevertheless read into buf\n and the end-of-file flag is set. The length of the partial item read is not\n provided, but could be inferred from the result of gztell(). This behavior\n is the same as the behavior of fread() implementations in common libraries,\n but it prevents the direct use of gzfread() to read a concurrently written\n file, resetting and retrying on end-of-file, when size is not 1.\n*/\n\nZEXTERN int ZEXPORT gzwrite(gzFile file, voidpc buf, unsigned len);\n/*\n Compress and write the len uncompressed bytes at buf to file. gzwrite\n returns the number of uncompressed bytes written or 0 in case of error.\n*/\n\nZEXTERN z_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size,\n z_size_t nitems, gzFile file);\n/*\n Compress and write nitems items of size size from buf to file, duplicating\n the interface of stdio's fwrite(), with size_t request and return types. If\n the library defines size_t, then z_size_t is identical to size_t. If not,\n then z_size_t is an unsigned integer type that can contain a pointer.\n\n gzfwrite() returns the number of full items written of size size, or zero\n if there was an error. If the multiplication of size and nitems overflows,\n i.e. the product does not fit in a z_size_t, then nothing is written, zero\n is returned, and the error state is set to Z_STREAM_ERROR.\n*/\n\nZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);\n/*\n Convert, format, compress, and write the arguments (...) to file under\n control of the string format, as in fprintf. gzprintf returns the number of\n uncompressed bytes actually written, or a negative zlib error code in case\n of error. The number of uncompressed bytes written is limited to 8191, or\n one less than the buffer size given to gzbuffer(). The caller should assure\n that this limit is not exceeded. If it is exceeded, then gzprintf() will\n return an error (0) with nothing written. In this case, there may also be a\n buffer overflow with unpredictable consequences, which is possible only if\n zlib was compiled with the insecure functions sprintf() or vsprintf(),\n because the secure snprintf() or vsnprintf() functions were not available.\n This can be determined using zlibCompileFlags().\n*/\n\nZEXTERN int ZEXPORT gzputs(gzFile file, const char *s);\n/*\n Compress and write the given null-terminated string s to file, excluding\n the terminating null character.\n\n gzputs returns the number of characters written, or -1 in case of error.\n*/\n\nZEXTERN char * ZEXPORT gzgets(gzFile file, char *buf, int len);\n/*\n Read and decompress bytes from file into buf, until len-1 characters are\n read, or until a newline character is read and transferred to buf, or an\n end-of-file condition is encountered. If any characters are read or if len\n is one, the string is terminated with a null character. If no characters\n are read due to an end-of-file or len is less than one, then the buffer is\n left untouched.\n\n gzgets returns buf which is a null-terminated string, or it returns NULL\n for end-of-file or in case of error. If there was an error, the contents at\n buf are indeterminate.\n*/\n\nZEXTERN int ZEXPORT gzputc(gzFile file, int c);\n/*\n Compress and write c, converted to an unsigned char, into file. gzputc\n returns the value that was written, or -1 in case of error.\n*/\n\nZEXTERN int ZEXPORT gzgetc(gzFile file);\n/*\n Read and decompress one byte from file. gzgetc returns this byte or -1\n in case of end of file or error. This is implemented as a macro for speed.\n As such, it does not do all of the checking the other functions do. I.e.\n it does not check to see if file is NULL, nor whether the structure file\n points to has been clobbered or not.\n*/\n\nZEXTERN int ZEXPORT gzungetc(int c, gzFile file);\n/*\n Push c back onto the stream for file to be read as the first character on\n the next read. At least one character of push-back is always allowed.\n gzungetc() returns the character pushed, or -1 on failure. gzungetc() will\n fail if c is -1, and may fail if a character has been pushed but not read\n yet. If gzungetc is used immediately after gzopen or gzdopen, at least the\n output buffer size of pushed characters is allowed. (See gzbuffer above.)\n The pushed character will be discarded if the stream is repositioned with\n gzseek() or gzrewind().\n*/\n\nZEXTERN int ZEXPORT gzflush(gzFile file, int flush);\n/*\n Flush all pending output to file. The parameter flush is as in the\n deflate() function. The return value is the zlib error number (see function\n gzerror below). gzflush is only permitted when writing.\n\n If the flush parameter is Z_FINISH, the remaining data is written and the\n gzip stream is completed in the output. If gzwrite() is called again, a new\n gzip stream will be started in the output. gzread() is able to read such\n concatenated gzip streams.\n\n gzflush should be called only when strictly necessary because it will\n degrade compression if called too often.\n*/\n\n/*\nZEXTERN z_off_t ZEXPORT gzseek(gzFile file,\n z_off_t offset, int whence);\n\n Set the starting position to offset relative to whence for the next gzread\n or gzwrite on file. The offset represents a number of bytes in the\n uncompressed data stream. The whence parameter is defined as in lseek(2);\n the value SEEK_END is not supported.\n\n If the file is opened for reading, this function is emulated but can be\n extremely slow. If the file is opened for writing, only forward seeks are\n supported; gzseek then compresses a sequence of zeroes up to the new\n starting position.\n\n gzseek returns the resulting offset location as measured in bytes from\n the beginning of the uncompressed stream, or -1 in case of error, in\n particular if the file is opened for writing and the new starting position\n would be before the current position.\n*/\n\nZEXTERN int ZEXPORT gzrewind(gzFile file);\n/*\n Rewind file. This function is supported only for reading.\n\n gzrewind(file) is equivalent to (int)gzseek(file, 0L, SEEK_SET).\n*/\n\n/*\nZEXTERN z_off_t ZEXPORT gztell(gzFile file);\n\n Return the starting position for the next gzread or gzwrite on file.\n This position represents a number of bytes in the uncompressed data stream,\n and is zero when starting, even if appending or reading a gzip stream from\n the middle of a file using gzdopen().\n\n gztell(file) is equivalent to gzseek(file, 0L, SEEK_CUR)\n*/\n\n/*\nZEXTERN z_off_t ZEXPORT gzoffset(gzFile file);\n\n Return the current compressed (actual) read or write offset of file. This\n offset includes the count of bytes that precede the gzip stream, for example\n when appending or when using gzdopen() for reading. When reading, the\n offset does not include as yet unused buffered input. This information can\n be used for a progress indicator. On error, gzoffset() returns -1.\n*/\n\nZEXTERN int ZEXPORT gzeof(gzFile file);\n/*\n Return true (1) if the end-of-file indicator for file has been set while\n reading, false (0) otherwise. Note that the end-of-file indicator is set\n only if the read tried to go past the end of the input, but came up short.\n Therefore, just like feof(), gzeof() may return false even if there is no\n more data to read, in the event that the last read request was for the exact\n number of bytes remaining in the input file. This will happen if the input\n file size is an exact multiple of the buffer size.\n\n If gzeof() returns true, then the read functions will return no more data,\n unless the end-of-file indicator is reset by gzclearerr() and the input file\n has grown since the previous end of file was detected.\n*/\n\nZEXTERN int ZEXPORT gzdirect(gzFile file);\n/*\n Return true (1) if file is being copied directly while reading, or false\n (0) if file is a gzip stream being decompressed.\n\n If the input file is empty, gzdirect() will return true, since the input\n does not contain a gzip stream.\n\n If gzdirect() is used immediately after gzopen() or gzdopen() it will\n cause buffers to be allocated to allow reading the file to determine if it\n is a gzip file. Therefore if gzbuffer() is used, it should be called before\n gzdirect().\n\n When writing, gzdirect() returns true (1) if transparent writing was\n requested (\"wT\" for the gzopen() mode), or false (0) otherwise. (Note:\n gzdirect() is not needed when writing. Transparent writing must be\n explicitly requested, so the application already knows the answer. When\n linking statically, using gzdirect() will include all of the zlib code for\n gzip file reading and decompression, which may not be desired.)\n*/\n\nZEXTERN int ZEXPORT gzclose(gzFile file);\n/*\n Flush all pending output for file, if necessary, close file and\n deallocate the (de)compression state. Note that once file is closed, you\n cannot call gzerror with file, since its structures have been deallocated.\n gzclose must not be called more than once on the same file, just as free\n must not be called more than once on the same allocation.\n\n gzclose will return Z_STREAM_ERROR if file is not valid, Z_ERRNO on a\n file operation error, Z_MEM_ERROR if out of memory, Z_BUF_ERROR if the\n last read ended in the middle of a gzip stream, or Z_OK on success.\n*/\n\nZEXTERN int ZEXPORT gzclose_r(gzFile file);\nZEXTERN int ZEXPORT gzclose_w(gzFile file);\n/*\n Same as gzclose(), but gzclose_r() is only for use when reading, and\n gzclose_w() is only for use when writing or appending. The advantage to\n using these instead of gzclose() is that they avoid linking in zlib\n compression or decompression code that is not used when only reading or only\n writing respectively. If gzclose() is used, then both compression and\n decompression code will be included the application when linking to a static\n zlib library.\n*/\n\nZEXTERN const char * ZEXPORT gzerror(gzFile file, int *errnum);\n/*\n Return the error message for the last error which occurred on file.\n errnum is set to zlib error number. If an error occurred in the file system\n and not in the compression library, errnum is set to Z_ERRNO and the\n application may consult errno to get the exact error code.\n\n The application must not modify the returned string. Future calls to\n this function may invalidate the previously returned string. If file is\n closed, then the string previously returned by gzerror will no longer be\n available.\n\n gzerror() should be used to distinguish errors from end-of-file for those\n functions above that do not distinguish those cases in their return values.\n*/\n\nZEXTERN void ZEXPORT gzclearerr(gzFile file);\n/*\n Clear the error and end-of-file flags for file. This is analogous to the\n clearerr() function in stdio. This is useful for continuing to read a gzip\n file that is being written concurrently.\n*/\n\n#endif /* !Z_SOLO */\n\n /* checksum functions */\n\n/*\n These functions are not related to compression but are exported\n anyway because they might be useful in applications using the compression\n library.\n*/\n\nZEXTERN uLong ZEXPORT adler32(uLong adler, const Bytef *buf, uInt len);\n/*\n Update a running Adler-32 checksum with the bytes buf[0..len-1] and\n return the updated checksum. An Adler-32 value is in the range of a 32-bit\n unsigned integer. If buf is Z_NULL, this function returns the required\n initial value for the checksum.\n\n An Adler-32 checksum is almost as reliable as a CRC-32 but can be computed\n much faster.\n\n Usage example:\n\n uLong adler = adler32(0L, Z_NULL, 0);\n\n while (read_buffer(buffer, length) != EOF) {\n adler = adler32(adler, buffer, length);\n }\n if (adler != original_adler) error();\n*/\n\nZEXTERN uLong ZEXPORT adler32_z(uLong adler, const Bytef *buf,\n z_size_t len);\n/*\n Same as adler32(), but with a size_t length.\n*/\n\n/*\nZEXTERN uLong ZEXPORT adler32_combine(uLong adler1, uLong adler2,\n z_off_t len2);\n\n Combine two Adler-32 checksums into one. For two sequences of bytes, seq1\n and seq2 with lengths len1 and len2, Adler-32 checksums were calculated for\n each, adler1 and adler2. adler32_combine() returns the Adler-32 checksum of\n seq1 and seq2 concatenated, requiring only adler1, adler2, and len2. Note\n that the z_off_t type (like off_t) is a signed integer. If len2 is\n negative, the result has no meaning or utility.\n*/\n\nZEXTERN uLong ZEXPORT crc32(uLong crc, const Bytef *buf, uInt len);\n/*\n Update a running CRC-32 with the bytes buf[0..len-1] and return the\n updated CRC-32. A CRC-32 value is in the range of a 32-bit unsigned integer.\n If buf is Z_NULL, this function returns the required initial value for the\n crc. Pre- and post-conditioning (one's complement) is performed within this\n function so it shouldn't be done by the application.\n\n Usage example:\n\n uLong crc = crc32(0L, Z_NULL, 0);\n\n while (read_buffer(buffer, length) != EOF) {\n crc = crc32(crc, buffer, length);\n }\n if (crc != original_crc) error();\n*/\n\nZEXTERN uLong ZEXPORT crc32_z(uLong crc, const Bytef *buf,\n z_size_t len);\n/*\n Same as crc32(), but with a size_t length.\n*/\n\n/*\nZEXTERN uLong ZEXPORT crc32_combine(uLong crc1, uLong crc2, z_off_t len2);\n\n Combine two CRC-32 check values into one. For two sequences of bytes,\n seq1 and seq2 with lengths len1 and len2, CRC-32 check values were\n calculated for each, crc1 and crc2. crc32_combine() returns the CRC-32\n check value of seq1 and seq2 concatenated, requiring only crc1, crc2, and\n len2.\n*/\n\n/*\nZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t len2);\n\n Return the operator corresponding to length len2, to be used with\n crc32_combine_op().\n*/\n\nZEXTERN uLong ZEXPORT crc32_combine_op(uLong crc1, uLong crc2, uLong op);\n/*\n Give the same result as crc32_combine(), using op in place of len2. op is\n is generated from len2 by crc32_combine_gen(). This will be faster than\n crc32_combine() if the generated op is used more than once.\n*/\n\n\n /* various hacks, don't look :) */\n\n/* deflateInit and inflateInit are macros to allow checking the zlib version\n * and the compiler's view of z_stream:\n */\nZEXTERN int ZEXPORT deflateInit_(z_streamp strm, int level,\n const char *version, int stream_size);\nZEXTERN int ZEXPORT inflateInit_(z_streamp strm,\n const char *version, int stream_size);\nZEXTERN int ZEXPORT deflateInit2_(z_streamp strm, int level, int method,\n int windowBits, int memLevel,\n int strategy, const char *version,\n int stream_size);\nZEXTERN int ZEXPORT inflateInit2_(z_streamp strm, int windowBits,\n const char *version, int stream_size);\nZEXTERN int ZEXPORT inflateBackInit_(z_streamp strm, int windowBits,\n unsigned char FAR *window,\n const char *version,\n int stream_size);\n#ifdef Z_PREFIX_SET\n# define z_deflateInit(strm, level) \\\n deflateInit_((strm), (level), ZLIB_VERSION, (int)sizeof(z_stream))\n# define z_inflateInit(strm) \\\n inflateInit_((strm), ZLIB_VERSION, (int)sizeof(z_stream))\n# define z_deflateInit2(strm, level, method, windowBits, memLevel, strategy) \\\n deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\\\n (strategy), ZLIB_VERSION, (int)sizeof(z_stream))\n# define z_inflateInit2(strm, windowBits) \\\n inflateInit2_((strm), (windowBits), ZLIB_VERSION, \\\n (int)sizeof(z_stream))\n# define z_inflateBackInit(strm, windowBits, window) \\\n inflateBackInit_((strm), (windowBits), (window), \\\n ZLIB_VERSION, (int)sizeof(z_stream))\n#else\n# define deflateInit(strm, level) \\\n deflateInit_((strm), (level), ZLIB_VERSION, (int)sizeof(z_stream))\n# define inflateInit(strm) \\\n inflateInit_((strm), ZLIB_VERSION, (int)sizeof(z_stream))\n# define deflateInit2(strm, level, method, windowBits, memLevel, strategy) \\\n deflateInit2_((strm),(level),(method),(windowBits),(memLevel),\\\n (strategy), ZLIB_VERSION, (int)sizeof(z_stream))\n# define inflateInit2(strm, windowBits) \\\n inflateInit2_((strm), (windowBits), ZLIB_VERSION, \\\n (int)sizeof(z_stream))\n# define inflateBackInit(strm, windowBits, window) \\\n inflateBackInit_((strm), (windowBits), (window), \\\n ZLIB_VERSION, (int)sizeof(z_stream))\n#endif\n\n#ifndef Z_SOLO\n\n/* gzgetc() macro and its supporting function and exposed data structure. Note\n * that the real internal state is much larger than the exposed structure.\n * This abbreviated structure exposes just enough for the gzgetc() macro. The\n * user should not mess with these exposed elements, since their names or\n * behavior could change in the future, perhaps even capriciously. They can\n * only be used by the gzgetc() macro. You have been warned.\n */\nstruct gzFile_s {\n unsigned have;\n unsigned char *next;\n z_off64_t pos;\n};\nZEXTERN int ZEXPORT gzgetc_(gzFile file); /* backward compatibility */\n#ifdef Z_PREFIX_SET\n# undef z_gzgetc\n# define z_gzgetc(g) \\\n ((g)->have ? ((g)->have--, (g)->pos++, *((g)->next)++) : (gzgetc)(g))\n#else\n# define gzgetc(g) \\\n ((g)->have ? ((g)->have--, (g)->pos++, *((g)->next)++) : (gzgetc)(g))\n#endif\n\n/* provide 64-bit offset functions if _LARGEFILE64_SOURCE defined, and/or\n * change the regular functions to 64 bits if _FILE_OFFSET_BITS is 64 (if\n * both are true, the application gets the *64 functions, and the regular\n * functions are changed to 64 bits) -- in case these are set on systems\n * without large file support, _LFS64_LARGEFILE must also be true\n */\n#ifdef Z_LARGE64\n ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *);\n ZEXTERN z_off64_t ZEXPORT gzseek64(gzFile, z_off64_t, int);\n ZEXTERN z_off64_t ZEXPORT gztell64(gzFile);\n ZEXTERN z_off64_t ZEXPORT gzoffset64(gzFile);\n ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off64_t);\n ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off64_t);\n ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off64_t);\n#endif\n\n#if !defined(ZLIB_INTERNAL) && defined(Z_WANT64)\n# ifdef Z_PREFIX_SET\n# define z_gzopen z_gzopen64\n# define z_gzseek z_gzseek64\n# define z_gztell z_gztell64\n# define z_gzoffset z_gzoffset64\n# define z_adler32_combine z_adler32_combine64\n# define z_crc32_combine z_crc32_combine64\n# define z_crc32_combine_gen z_crc32_combine_gen64\n# else\n# define gzopen gzopen64\n# define gzseek gzseek64\n# define gztell gztell64\n# define gzoffset gzoffset64\n# define adler32_combine adler32_combine64\n# define crc32_combine crc32_combine64\n# define crc32_combine_gen crc32_combine_gen64\n# endif\n# ifndef Z_LARGE64\n ZEXTERN gzFile ZEXPORT gzopen64(const char *, const char *);\n ZEXTERN z_off_t ZEXPORT gzseek64(gzFile, z_off_t, int);\n ZEXTERN z_off_t ZEXPORT gztell64(gzFile);\n ZEXTERN z_off_t ZEXPORT gzoffset64(gzFile);\n ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off_t);\n# endif\n#else\n ZEXTERN gzFile ZEXPORT gzopen(const char *, const char *);\n ZEXTERN z_off_t ZEXPORT gzseek(gzFile, z_off_t, int);\n ZEXTERN z_off_t ZEXPORT gztell(gzFile);\n ZEXTERN z_off_t ZEXPORT gzoffset(gzFile);\n ZEXTERN uLong ZEXPORT adler32_combine(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t);\n#endif\n\n#else /* Z_SOLO */\n\n ZEXTERN uLong ZEXPORT adler32_combine(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine_gen(z_off_t);\n\n#endif /* !Z_SOLO */\n\n/* undocumented functions */\nZEXTERN const char * ZEXPORT zError(int);\nZEXTERN int ZEXPORT inflateSyncPoint(z_streamp);\nZEXTERN const z_crc_t FAR * ZEXPORT get_crc_table(void);\nZEXTERN int ZEXPORT inflateUndermine(z_streamp, int);\nZEXTERN int ZEXPORT inflateValidate(z_streamp, int);\nZEXTERN unsigned long ZEXPORT inflateCodesUsed(z_streamp);\nZEXTERN int ZEXPORT inflateResetKeep(z_streamp);\nZEXTERN int ZEXPORT deflateResetKeep(z_streamp);\n#if defined(_WIN32) && !defined(Z_SOLO)\nZEXTERN gzFile ZEXPORT gzopen_w(const wchar_t *path,\n const char *mode);\n#endif\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# ifndef Z_SOLO\nZEXTERN int ZEXPORTVA gzvprintf(gzFile file,\n const char *format,\n va_list va);\n# endif\n#endif\n\n#ifdef __cplusplus\n}\n#endif\n\n#endif /* ZLIB_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.pc.cmakein", "content": "prefix=@CMAKE_INSTALL_PREFIX@\nexec_prefix=@CMAKE_INSTALL_PREFIX@\nlibdir=@INSTALL_LIB_DIR@\nsharedlibdir=@INSTALL_LIB_DIR@\nincludedir=@INSTALL_INC_DIR@\n\nName: zlib\nDescription: zlib compression library\nVersion: @VERSION@\n\nRequires:\nLibs: -L${libdir} -L${sharedlibdir} -lz\nCflags: -I${includedir}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zlib.pc.in", "content": "prefix=@prefix@\nexec_prefix=@exec_prefix@\nlibdir=@libdir@\nsharedlibdir=@sharedlibdir@\nincludedir=@includedir@\n\nName: zlib\nDescription: zlib compression library\nVersion: @VERSION@\n\nRequires:\nLibs: -L${libdir} -L${sharedlibdir} -lz\nCflags: -I${includedir}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zutil.c", "content": "/* zutil.c -- target dependent utility functions for the compression library\n * Copyright (C) 1995-2017 Jean-loup Gailly\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* @(#) $Id$ */\n\n#include \"zutil.h\"\n#ifndef Z_SOLO\n# include \"gzguts.h\"\n#endif\n\nz_const char * const z_errmsg[10] = {\n (z_const char *)\"need dictionary\", /* Z_NEED_DICT 2 */\n (z_const char *)\"stream end\", /* Z_STREAM_END 1 */\n (z_const char *)\"\", /* Z_OK 0 */\n (z_const char *)\"file error\", /* Z_ERRNO (-1) */\n (z_const char *)\"stream error\", /* Z_STREAM_ERROR (-2) */\n (z_const char *)\"data error\", /* Z_DATA_ERROR (-3) */\n (z_const char *)\"insufficient memory\", /* Z_MEM_ERROR (-4) */\n (z_const char *)\"buffer error\", /* Z_BUF_ERROR (-5) */\n (z_const char *)\"incompatible version\",/* Z_VERSION_ERROR (-6) */\n (z_const char *)\"\"\n};\n\n\nconst char * ZEXPORT zlibVersion(void) {\n return ZLIB_VERSION;\n}\n\nuLong ZEXPORT zlibCompileFlags(void) {\n uLong flags;\n\n flags = 0;\n switch ((int)(sizeof(uInt))) {\n case 2: break;\n case 4: flags += 1; break;\n case 8: flags += 2; break;\n default: flags += 3;\n }\n switch ((int)(sizeof(uLong))) {\n case 2: break;\n case 4: flags += 1 << 2; break;\n case 8: flags += 2 << 2; break;\n default: flags += 3 << 2;\n }\n switch ((int)(sizeof(voidpf))) {\n case 2: break;\n case 4: flags += 1 << 4; break;\n case 8: flags += 2 << 4; break;\n default: flags += 3 << 4;\n }\n switch ((int)(sizeof(z_off_t))) {\n case 2: break;\n case 4: flags += 1 << 6; break;\n case 8: flags += 2 << 6; break;\n default: flags += 3 << 6;\n }\n#ifdef ZLIB_DEBUG\n flags += 1 << 8;\n#endif\n /*\n#if defined(ASMV) || defined(ASMINF)\n flags += 1 << 9;\n#endif\n */\n#ifdef ZLIB_WINAPI\n flags += 1 << 10;\n#endif\n#ifdef BUILDFIXED\n flags += 1 << 12;\n#endif\n#ifdef DYNAMIC_CRC_TABLE\n flags += 1 << 13;\n#endif\n#ifdef NO_GZCOMPRESS\n flags += 1L << 16;\n#endif\n#ifdef NO_GZIP\n flags += 1L << 17;\n#endif\n#ifdef PKZIP_BUG_WORKAROUND\n flags += 1L << 20;\n#endif\n#ifdef FASTEST\n flags += 1L << 21;\n#endif\n#if defined(STDC) || defined(Z_HAVE_STDARG_H)\n# ifdef NO_vsnprintf\n flags += 1L << 25;\n# ifdef HAS_vsprintf_void\n flags += 1L << 26;\n# endif\n# else\n# ifdef HAS_vsnprintf_void\n flags += 1L << 26;\n# endif\n# endif\n#else\n flags += 1L << 24;\n# ifdef NO_snprintf\n flags += 1L << 25;\n# ifdef HAS_sprintf_void\n flags += 1L << 26;\n# endif\n# else\n# ifdef HAS_snprintf_void\n flags += 1L << 26;\n# endif\n# endif\n#endif\n return flags;\n}\n\n#ifdef ZLIB_DEBUG\n#include \n# ifndef verbose\n# define verbose 0\n# endif\nint ZLIB_INTERNAL z_verbose = verbose;\n\nvoid ZLIB_INTERNAL z_error(char *m) {\n fprintf(stderr, \"%s\\n\", m);\n exit(1);\n}\n#endif\n\n/* exported to allow conversion of error code to string for compress() and\n * uncompress()\n */\nconst char * ZEXPORT zError(int err) {\n return ERR_MSG(err);\n}\n\n#if defined(_WIN32_WCE) && _WIN32_WCE < 0x800\n /* The older Microsoft C Run-Time Library for Windows CE doesn't have\n * errno. We define it as a global variable to simplify porting.\n * Its value is always 0 and should not be used.\n */\n int errno = 0;\n#endif\n\n#ifndef HAVE_MEMCPY\n\nvoid ZLIB_INTERNAL zmemcpy(Bytef* dest, const Bytef* source, uInt len) {\n if (len == 0) return;\n do {\n *dest++ = *source++; /* ??? to be unrolled */\n } while (--len != 0);\n}\n\nint ZLIB_INTERNAL zmemcmp(const Bytef* s1, const Bytef* s2, uInt len) {\n uInt j;\n\n for (j = 0; j < len; j++) {\n if (s1[j] != s2[j]) return 2*(s1[j] > s2[j])-1;\n }\n return 0;\n}\n\nvoid ZLIB_INTERNAL zmemzero(Bytef* dest, uInt len) {\n if (len == 0) return;\n do {\n *dest++ = 0; /* ??? to be unrolled */\n } while (--len != 0);\n}\n#endif\n\n#ifndef Z_SOLO\n\n#ifdef SYS16BIT\n\n#ifdef __TURBOC__\n/* Turbo C in 16-bit mode */\n\n# define MY_ZCALLOC\n\n/* Turbo C malloc() does not allow dynamic allocation of 64K bytes\n * and farmalloc(64K) returns a pointer with an offset of 8, so we\n * must fix the pointer. Warning: the pointer must be put back to its\n * original form in order to free it, use zcfree().\n */\n\n#define MAX_PTR 10\n/* 10*64K = 640K */\n\nlocal int next_ptr = 0;\n\ntypedef struct ptr_table_s {\n voidpf org_ptr;\n voidpf new_ptr;\n} ptr_table;\n\nlocal ptr_table table[MAX_PTR];\n/* This table is used to remember the original form of pointers\n * to large buffers (64K). Such pointers are normalized with a zero offset.\n * Since MSDOS is not a preemptive multitasking OS, this table is not\n * protected from concurrent access. This hack doesn't work anyway on\n * a protected system like OS/2. Use Microsoft C instead.\n */\n\nvoidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items, unsigned size) {\n voidpf buf;\n ulg bsize = (ulg)items*size;\n\n (void)opaque;\n\n /* If we allocate less than 65520 bytes, we assume that farmalloc\n * will return a usable pointer which doesn't have to be normalized.\n */\n if (bsize < 65520L) {\n buf = farmalloc(bsize);\n if (*(ush*)&buf != 0) return buf;\n } else {\n buf = farmalloc(bsize + 16L);\n }\n if (buf == NULL || next_ptr >= MAX_PTR) return NULL;\n table[next_ptr].org_ptr = buf;\n\n /* Normalize the pointer to seg:0 */\n *((ush*)&buf+1) += ((ush)((uch*)buf-0) + 15) >> 4;\n *(ush*)&buf = 0;\n table[next_ptr++].new_ptr = buf;\n return buf;\n}\n\nvoid ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) {\n int n;\n\n (void)opaque;\n\n if (*(ush*)&ptr != 0) { /* object < 64K */\n farfree(ptr);\n return;\n }\n /* Find the original pointer */\n for (n = 0; n < next_ptr; n++) {\n if (ptr != table[n].new_ptr) continue;\n\n farfree(table[n].org_ptr);\n while (++n < next_ptr) {\n table[n-1] = table[n];\n }\n next_ptr--;\n return;\n }\n Assert(0, \"zcfree: ptr not found\");\n}\n\n#endif /* __TURBOC__ */\n\n\n#ifdef M_I86\n/* Microsoft C in 16-bit mode */\n\n# define MY_ZCALLOC\n\n#if (!defined(_MSC_VER) || (_MSC_VER <= 600))\n# define _halloc halloc\n# define _hfree hfree\n#endif\n\nvoidpf ZLIB_INTERNAL zcalloc(voidpf opaque, uInt items, uInt size) {\n (void)opaque;\n return _halloc((long)items, size);\n}\n\nvoid ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) {\n (void)opaque;\n _hfree(ptr);\n}\n\n#endif /* M_I86 */\n\n#endif /* SYS16BIT */\n\n\n#ifndef MY_ZCALLOC /* Any system without a special alloc function */\n\n#ifndef STDC\nextern voidp malloc(uInt size);\nextern voidp calloc(uInt items, uInt size);\nextern void free(voidpf ptr);\n#endif\n\nvoidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items, unsigned size) {\n (void)opaque;\n return sizeof(uInt) > 2 ? (voidpf)malloc(items * size) :\n (voidpf)calloc(items, size);\n}\n\nvoid ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr) {\n (void)opaque;\n free(ptr);\n}\n\n#endif /* MY_ZCALLOC */\n\n#endif /* !Z_SOLO */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/testdata/thirdparty/zlib/zutil.h", "content": "/* zutil.h -- internal interface and configuration of the compression library\n * Copyright (C) 1995-2022 Jean-loup Gailly, Mark Adler\n * For conditions of distribution and use, see copyright notice in zlib.h\n */\n\n/* WARNING: this file should *not* be used by applications. It is\n part of the implementation of the compression library and is\n subject to change. Applications should only use zlib.h.\n */\n\n/* @(#) $Id$ */\n\n#ifndef ZUTIL_H\n#define ZUTIL_H\n\n#ifdef HAVE_HIDDEN\n# define ZLIB_INTERNAL __attribute__((visibility (\"hidden\")))\n#else\n# define ZLIB_INTERNAL\n#endif\n\n#include \"zlib.h\"\n\n#if defined(STDC) && !defined(Z_SOLO)\n# if !(defined(_WIN32_WCE) && defined(_MSC_VER))\n# include \n# endif\n# include \n# include \n#endif\n\n#ifndef local\n# define local static\n#endif\n/* since \"static\" is used to mean two completely different things in C, we\n define \"local\" for the non-static meaning of \"static\", for readability\n (compile with -Dlocal if your debugger can't find static symbols) */\n\ntypedef unsigned char uch;\ntypedef uch FAR uchf;\ntypedef unsigned short ush;\ntypedef ush FAR ushf;\ntypedef unsigned long ulg;\n\n#if !defined(Z_U8) && !defined(Z_SOLO) && defined(STDC)\n# include \n# if (ULONG_MAX == 0xffffffffffffffff)\n# define Z_U8 unsigned long\n# elif (ULLONG_MAX == 0xffffffffffffffff)\n# define Z_U8 unsigned long long\n# elif (UINT_MAX == 0xffffffffffffffff)\n# define Z_U8 unsigned\n# endif\n#endif\n\nextern z_const char * const z_errmsg[10]; /* indexed by 2-zlib_error */\n/* (size given to avoid silly warnings with Visual C++) */\n\n#define ERR_MSG(err) z_errmsg[Z_NEED_DICT-(err)]\n\n#define ERR_RETURN(strm,err) \\\n return (strm->msg = ERR_MSG(err), (err))\n/* To be used only when the state is known to be valid */\n\n /* common constants */\n\n#ifndef DEF_WBITS\n# define DEF_WBITS MAX_WBITS\n#endif\n/* default windowBits for decompression. MAX_WBITS is for compression only */\n\n#if MAX_MEM_LEVEL >= 8\n# define DEF_MEM_LEVEL 8\n#else\n# define DEF_MEM_LEVEL MAX_MEM_LEVEL\n#endif\n/* default memLevel */\n\n#define STORED_BLOCK 0\n#define STATIC_TREES 1\n#define DYN_TREES 2\n/* The three kinds of block type */\n\n#define MIN_MATCH 3\n#define MAX_MATCH 258\n/* The minimum and maximum match lengths */\n\n#define PRESET_DICT 0x20 /* preset dictionary flag in zlib header */\n\n /* target dependencies */\n\n#if defined(MSDOS) || (defined(WINDOWS) && !defined(WIN32))\n# define OS_CODE 0x00\n# ifndef Z_SOLO\n# if defined(__TURBOC__) || defined(__BORLANDC__)\n# if (__STDC__ == 1) && (defined(__LARGE__) || defined(__COMPACT__))\n /* Allow compilation with ANSI keywords only enabled */\n void _Cdecl farfree( void *block );\n void *_Cdecl farmalloc( unsigned long nbytes );\n# else\n# include \n# endif\n# else /* MSC or DJGPP */\n# include \n# endif\n# endif\n#endif\n\n#ifdef AMIGA\n# define OS_CODE 1\n#endif\n\n#if defined(VAXC) || defined(VMS)\n# define OS_CODE 2\n# define F_OPEN(name, mode) \\\n fopen((name), (mode), \"mbc=60\", \"ctx=stm\", \"rfm=fix\", \"mrs=512\")\n#endif\n\n#ifdef __370__\n# if __TARGET_LIB__ < 0x20000000\n# define OS_CODE 4\n# elif __TARGET_LIB__ < 0x40000000\n# define OS_CODE 11\n# else\n# define OS_CODE 8\n# endif\n#endif\n\n#if defined(ATARI) || defined(atarist)\n# define OS_CODE 5\n#endif\n\n#ifdef OS2\n# define OS_CODE 6\n# if defined(M_I86) && !defined(Z_SOLO)\n# include \n# endif\n#endif\n\n#if defined(MACOS) || defined(TARGET_OS_MAC)\n# define OS_CODE 7\n# ifndef Z_SOLO\n# if defined(__MWERKS__) && __dest_os != __be_os && __dest_os != __win32_os\n# include /* for fdopen */\n# else\n# ifndef fdopen\n# define fdopen(fd,mode) NULL /* No fdopen() */\n# endif\n# endif\n# endif\n#endif\n\n#ifdef __acorn\n# define OS_CODE 13\n#endif\n\n#if defined(WIN32) && !defined(__CYGWIN__)\n# define OS_CODE 10\n#endif\n\n#ifdef _BEOS_\n# define OS_CODE 16\n#endif\n\n#ifdef __TOS_OS400__\n# define OS_CODE 18\n#endif\n\n#ifdef __APPLE__\n# define OS_CODE 19\n#endif\n\n#if defined(_BEOS_) || defined(RISCOS)\n# define fdopen(fd,mode) NULL /* No fdopen() */\n#endif\n\n#if (defined(_MSC_VER) && (_MSC_VER > 600)) && !defined __INTERIX\n# if defined(_WIN32_WCE)\n# define fdopen(fd,mode) NULL /* No fdopen() */\n# else\n# define fdopen(fd,type) _fdopen(fd,type)\n# endif\n#endif\n\n#if defined(__BORLANDC__) && !defined(MSDOS)\n #pragma warn -8004\n #pragma warn -8008\n #pragma warn -8066\n#endif\n\n/* provide prototypes for these when building zlib without LFS */\n#if !defined(_WIN32) && \\\n (!defined(_LARGEFILE64_SOURCE) || _LFS64_LARGEFILE-0 == 0)\n ZEXTERN uLong ZEXPORT adler32_combine64(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine64(uLong, uLong, z_off_t);\n ZEXTERN uLong ZEXPORT crc32_combine_gen64(z_off_t);\n#endif\n\n /* common defaults */\n\n#ifndef OS_CODE\n# define OS_CODE 3 /* assume Unix */\n#endif\n\n#ifndef F_OPEN\n# define F_OPEN(name, mode) fopen((name), (mode))\n#endif\n\n /* functions */\n\n#if defined(pyr) || defined(Z_SOLO)\n# define NO_MEMCPY\n#endif\n#if defined(SMALL_MEDIUM) && !defined(_MSC_VER) && !defined(__SC__)\n /* Use our own functions for small and medium model with MSC <= 5.0.\n * You may have to use the same strategy for Borland C (untested).\n * The __SC__ check is for Symantec.\n */\n# define NO_MEMCPY\n#endif\n#if defined(STDC) && !defined(HAVE_MEMCPY) && !defined(NO_MEMCPY)\n# define HAVE_MEMCPY\n#endif\n#ifdef HAVE_MEMCPY\n# ifdef SMALL_MEDIUM /* MSDOS small or medium model */\n# define zmemcpy _fmemcpy\n# define zmemcmp _fmemcmp\n# define zmemzero(dest, len) _fmemset(dest, 0, len)\n# else\n# define zmemcpy memcpy\n# define zmemcmp memcmp\n# define zmemzero(dest, len) memset(dest, 0, len)\n# endif\n#else\n void ZLIB_INTERNAL zmemcpy(Bytef* dest, const Bytef* source, uInt len);\n int ZLIB_INTERNAL zmemcmp(const Bytef* s1, const Bytef* s2, uInt len);\n void ZLIB_INTERNAL zmemzero(Bytef* dest, uInt len);\n#endif\n\n/* Diagnostic functions */\n#ifdef ZLIB_DEBUG\n# include \n extern int ZLIB_INTERNAL z_verbose;\n extern void ZLIB_INTERNAL z_error(char *m);\n# define Assert(cond,msg) {if(!(cond)) z_error(msg);}\n# define Trace(x) {if (z_verbose>=0) fprintf x ;}\n# define Tracev(x) {if (z_verbose>0) fprintf x ;}\n# define Tracevv(x) {if (z_verbose>1) fprintf x ;}\n# define Tracec(c,x) {if (z_verbose>0 && (c)) fprintf x ;}\n# define Tracecv(c,x) {if (z_verbose>1 && (c)) fprintf x ;}\n#else\n# define Assert(cond,msg)\n# define Trace(x)\n# define Tracev(x)\n# define Tracevv(x)\n# define Tracec(c,x)\n# define Tracecv(c,x)\n#endif\n\n#ifndef Z_SOLO\n voidpf ZLIB_INTERNAL zcalloc(voidpf opaque, unsigned items,\n unsigned size);\n void ZLIB_INTERNAL zcfree(voidpf opaque, voidpf ptr);\n#endif\n\n#define ZALLOC(strm, items, size) \\\n (*((strm)->zalloc))((strm)->opaque, (items), (size))\n#define ZFREE(strm, addr) (*((strm)->zfree))((strm)->opaque, (voidpf)(addr))\n#define TRY_FREE(s, p) {if (p) ZFREE(s, p);}\n\n/* Reverse the bytes in a 32-bit value */\n#define ZSWAP32(q) ((((q) >> 24) & 0xff) + (((q) >> 8) & 0xff00) + \\\n (((q) & 0xff00) << 8) + (((q) & 0xff) << 24))\n\n#endif /* ZUTIL_H */\n" }, { "path": "internal/scalibrextract/filesystem/vendored/vendored.go", "content": "// Package vendored provides an extractor for vendored C/C++ code.\npackage vendored\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\n\t//nolint:gosec //md5 used to identify files, not for security purposes\n\t\"crypto/md5\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/fs\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\tscalibrfs \"github.com/google/osv-scalibr/fs\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"osv.dev/bindings/go/api\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\nvar (\n\tvendoredLibNames = map[string]struct{}{\n\t\t\"3rdparty\": {},\n\t\t\"dep\": {},\n\t\t\"deps\": {},\n\t\t\"thirdparty\": {},\n\t\t\"third-party\": {},\n\t\t\"third_party\": {},\n\t\t\"libs\": {},\n\t\t\"external\": {},\n\t\t\"externals\": {},\n\t\t\"vendor\": {},\n\t\t\"vendored\": {},\n\t}\n\n\tfileExts = []string{\n\t\t\".hpp\",\n\t\t\".h\",\n\t\t\".hh\",\n\t\t\".cc\",\n\t\t\".c\",\n\t\t\".cpp\",\n\t}\n)\n\nconst (\n\t// Name is the unique name of this extractor.\n\tName = \"filesystem/vendored\"\n)\n\nconst (\n\t// This value may need to be tweaked, or be provided as a configurable flag.\n\tdetermineVersionThreshold = 0.15\n\tmaxDetermineVersionFiles = 10000\n)\n\ntype Config struct {\n\t// ScanGitDir determines whether a vendored library with a git directory is scanned or not,\n\t// this is used to avoid duplicate results, once from git scanning, once from vendoredDir scanning\n\tScanGitDir bool\n\tOSVClient *osvdev.OSVClient\n}\n\ntype Extractor struct {\n\t// ScanGitDir determines whether a vendored library with a git directory is scanned or not,\n\t// this is used to avoid duplicate results, once from git scanning, once from vendoredDir scanning\n\tScanGitDir bool\n\tOSVClient *osvdev.OSVClient\n}\n\n// New returns a new instance of the extractor.\nfunc New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {\n\treturn &Extractor{}, nil\n}\n\n// Name of the extractor.\nfunc (e *Extractor) Name() string { return Name }\n\n// Version of the extractor.\nfunc (e *Extractor) Version() int { return 0 }\n\n// Requirements of the extractor.\nfunc (e *Extractor) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{\n\t\tExtractFromDirs: true,\n\t}\n}\n\n// FileRequired returns true for likely directories to contain vendored c/c++ code\nfunc (e *Extractor) FileRequired(fapi filesystem.FileAPI) bool {\n\t// Check if parent directory is one of the vendoredLibName\n\t// Clean first before Dir call to avoid trailing slashes causing problems\n\tparentDir := filepath.Base(filepath.Dir(filepath.Clean(fapi.Path())))\n\t_, ok := vendoredLibNames[parentDir]\n\tif !ok {\n\t\treturn false\n\t}\n\n\t// Stat costs performance, so perform it after the name check\n\tstat, err := fapi.Stat()\n\tif err != nil {\n\t\treturn false\n\t}\n\n\treturn stat.IsDir()\n}\n\n// Extract determines the most likely package version from the directory and returns them as\n// commit hash inventory entries\nfunc (e *Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {\n\tvar packages []*extractor.Package\n\n\tresults, err := e.queryDetermineVersions(ctx, input.Path, input.FS, e.ScanGitDir)\n\tif err != nil {\n\t\treturn inventory.Inventory{}, err\n\t}\n\n\tif len(results.GetMatches()) > 0 && results.GetMatches()[0].GetScore() > determineVersionThreshold {\n\t\tmatch := results.GetMatches()[0]\n\t\t// r.Infof(\"Identified %s as %s at %s.\\n\", libPath, match.RepoInfo.Address, match.RepoInfo.Commit)\n\t\tpackages = append(packages, &extractor.Package{\n\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\tCommit: match.GetRepoInfo().GetCommit(),\n\t\t\t},\n\t\t\tLocation: extractor.LocationFromPath(input.Path),\n\t\t})\n\t}\n\n\treturn inventory.Inventory{\n\t\tPackages: packages,\n\t}, nil\n}\n\n// ToPURL converts an inventory created by this extractor into a PURL.\nfunc (e *Extractor) ToPURL(_ *extractor.Package) *purl.PackageURL {\n\treturn nil\n}\n\n// Ecosystem returns an empty string as all inventories are commit hashes\nfunc (e *Extractor) Ecosystem(_ *extractor.Package) string {\n\treturn \"\"\n}\n\nfunc (e *Extractor) queryDetermineVersions(ctx context.Context, repoDir string, fsys scalibrfs.FS, scanGitDir bool) (*api.VersionMatchList, error) {\n\tvar hashes []*api.FileHash\n\n\terr := fs.WalkDir(fsys, repoDir, func(p string, d fs.DirEntry, _ error) error {\n\t\tif d.IsDir() {\n\t\t\tif !scanGitDir {\n\t\t\t\tif _, err := fsys.Stat(filepath.Join(p, \".git\")); err == nil {\n\t\t\t\t\t// Found a git repo, stop here as otherwise we may get duplicated\n\t\t\t\t\t// results with our regular git commit scanning.\n\t\t\t\t\treturn filepath.SkipDir\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif _, ok := vendoredLibNames[strings.ToLower(d.Name())]; ok {\n\t\t\t\t// Ignore nested vendored libraries, as they can cause bad matches.\n\t\t\t\treturn filepath.SkipDir\n\t\t\t}\n\n\t\t\treturn nil\n\t\t}\n\n\t\tif !slices.Contains(fileExts, filepath.Ext(p)) {\n\t\t\treturn nil\n\t\t}\n\n\t\tfile, err := fsys.Open(p)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tbuf := bytes.NewBuffer(nil)\n\t\t_, err = io.Copy(buf, file)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\thash := md5.Sum(buf.Bytes()) //nolint:gosec\n\t\thashes = append(hashes, &api.FileHash{\n\t\t\tFilePath: strings.ReplaceAll(p, repoDir, \"\"),\n\t\t\tHash: hash[:],\n\t\t})\n\t\tif len(hashes) > maxDetermineVersionFiles {\n\t\t\treturn errors.New(\"too many files to hash\")\n\t\t}\n\n\t\treturn nil\n\t})\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed during hashing: %w\", err)\n\t}\n\n\tresult, err := e.OSVClient.ExperimentalDetermineVersion(ctx, &api.DetermineVersionParameters{\n\t\tQuery: &api.VersionQuery{\n\t\t\tName: filepath.Base(repoDir),\n\t\t\tFileHashes: hashes,\n\t\t},\n\t})\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to determine versions: %w\", err)\n\t}\n\n\treturn result, nil\n}\n\nvar _ filesystem.Extractor = &Extractor{}\n\ntype configurable interface {\n\tConfigure(config Config)\n}\n\nfunc (e *Extractor) Configure(config Config) {\n\te.ScanGitDir = config.ScanGitDir\n\te.OSVClient = config.OSVClient\n}\n\nvar _ configurable = &Extractor{}\n\nfunc Configure(plug plugin.Plugin, config Config) {\n\tus, ok := plug.(configurable)\n\n\tif ok {\n\t\tus.Configure(config)\n\t}\n}\n" }, { "path": "internal/scalibrextract/filesystem/vendored/vendored_test.go", "content": "package vendored_test\n\nimport (\n\t\"io/fs\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi\"\n\t\"github.com/google/osv-scalibr/testing/extracttest\"\n\t\"github.com/google/osv-scalibr/testing/fakefs\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\nfunc TestExtractor_FileRequired(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tpath string\n\t\tisDir bool\n\t\twantRequired bool\n\t}{\n\t\t{\n\t\t\tname: \"Empty_path\",\n\t\t\tpath: filepath.FromSlash(\"\"),\n\t\t\tisDir: false,\n\t\t\twantRequired: false,\n\t\t},\n\t\t{\n\t\t\tname: \"single_directory_not_under_vendor_dir\",\n\t\t\tpath: filepath.FromSlash(\"test_dir/\"),\n\t\t\tisDir: true,\n\t\t\twantRequired: false,\n\t\t},\n\t\t{\n\t\t\tname: \"vendored_dir_itself_should_not_match\",\n\t\t\tpath: filepath.FromSlash(\"vendor/\"),\n\t\t\tisDir: true,\n\t\t\twantRequired: false,\n\t\t},\n\t\t{\n\t\t\tname: \"vendored_dir_itself_should_not_match_(no_trailing_slash)\",\n\t\t\tpath: filepath.FromSlash(\"vendor\"),\n\t\t\tisDir: true,\n\t\t\twantRequired: false,\n\t\t},\n\t\t{\n\t\t\tname: \"vendored_dir_with_child_non_directory_should_not_match\",\n\t\t\tpath: filepath.FromSlash(\"vendor/abcd\"),\n\t\t\tisDir: false,\n\t\t\twantRequired: false,\n\t\t},\n\t\t{\n\t\t\tname: \"vendored_dir_with_child_directory_should_match\",\n\t\t\tpath: filepath.FromSlash(\"vendor/abcd/\"),\n\t\t\tisDir: true,\n\t\t\twantRequired: true,\n\t\t},\n\t\t{\n\t\t\tname: \"vendored_dir_with_child_directory_should_match\",\n\t\t\tpath: filepath.FromSlash(\"thirdparty/efgh/\"),\n\t\t\tisDir: true,\n\t\t\twantRequired: true,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\textr := vendored.Extractor{}\n\n\t\t\tpermission := fs.ModePerm\n\t\t\tif tt.isDir {\n\t\t\t\tpermission = fs.ModePerm | fs.ModeDir\n\t\t\t}\n\t\t\tisRequired := extr.FileRequired(simplefileapi.New(tt.path, fakefs.FakeFileInfo{\n\t\t\t\tFileName: filepath.Base(tt.path),\n\t\t\t\tFileMode: permission,\n\t\t\t\tFileSize: 1000,\n\t\t\t}))\n\n\t\t\tif isRequired != tt.wantRequired {\n\t\t\t\tt.Fatalf(\"FileRequired(%s): got %v, want %v\", tt.path, isRequired, tt.wantRequired)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestExtractor_Extract(t *testing.T) {\n\tt.Parallel()\n\n\tif runtime.GOOS == \"windows\" {\n\t\t// TODO: Reenable when #657 is resolved.\n\t\ttestutility.Skip(t, \"Temporarily disabled until #657 is resolved\")\n\t}\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\n\ttests := []extracttest.TestTableEntry{\n\t\t{\n\t\t\tName: \"zlib_test\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/thirdparty/zlib\",\n\t\t\t\tFakeScanRoot: cwd,\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\t\t\tCommit: \"09155eaa2f9270dc4ed1fa13e2b4b2613e6e4851\",\n\t\t\t\t\t},\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/thirdparty/zlib\"),\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\textr := vendored.Extractor{\n\t\t\t\tOSVClient: osvdev.DefaultClient(),\n\t\t\t}\n\n\t\t\tscanInput := extracttest.GenerateScanInputMock(t, tt.InputConfig)\n\t\t\tdefer extracttest.CloseTestScanInput(t, scanInput)\n\n\t\t\tgot, err := extr.Extract(t.Context(), &scanInput)\n\n\t\t\tif diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) error diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/scalibrextract/language/javascript/nodemodules/extractor.go", "content": "// Package nodemodules provides an extractor for node_modules directories by reading the .package-lock.json file.\npackage nodemodules\n\nimport (\n\t\"context\"\n\t\"path/filepath\"\n\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n)\n\nconst (\n\t// Name is the unique name of this extractor.\n\tName = \"javascript/nodemodules\"\n)\n\ntype Extractor struct {\n\tactualExtractor packagelockjson.Extractor\n}\n\n// New returns a new instance of the extractor.\nfunc New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {\n\treturn &Extractor{}, nil\n}\n\n// Name of the extractor.\nfunc (e Extractor) Name() string { return Name }\n\n// Version of the extractor.\nfunc (e Extractor) Version() int { return 0 }\n\n// Requirements of the extractor.\nfunc (e Extractor) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{}\n}\n\n// FileRequired returns true for .package-lock.json files under node_modules\nfunc (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {\n\treturn filepath.Base(filepath.Dir(fapi.Path())) == \"node_modules\" && filepath.Base(fapi.Path()) == \".package-lock.json\"\n}\n\n// Extract extracts packages from yarn.lock files passed through the scan input.\nfunc (e Extractor) Extract(ctx context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {\n\treturn e.actualExtractor.Extract(ctx, input)\n}\n\nvar _ filesystem.Extractor = Extractor{}\n" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/extractor.go", "content": "// Package osvscannerjson extracts osv-scanner's json output.\npackage osvscannerjson\n\nimport (\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"path/filepath\"\n\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nconst (\n\t// Name is the unique name of this extractor.\n\tName = \"osv/osvscannerjson\"\n)\n\n// Extractor extracts osv packages from osv-scanner json output.\ntype Extractor struct{}\n\n// Name of the extractor.\nfunc (e Extractor) Name() string { return Name }\n\n// Version of the extractor.\nfunc (e Extractor) Version() int { return 0 }\n\n// Requirements of the extractor.\nfunc (e Extractor) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{}\n}\n\nfunc New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {\n\treturn Extractor{}, nil\n}\n\n// FileRequired returns true only for osv-scanner-custom.json files,\n// since this is specific to the osv-scanner JSON output\nfunc (e Extractor) FileRequired(fapi filesystem.FileAPI) bool {\n\treturn filepath.Base(fapi.Path()) == \"osv-scanner-custom.json\"\n}\n\n// Extract extracts packages from yarn.lock files passed through the scan input.\nfunc (e Extractor) Extract(_ context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {\n\tparsedResults := models.VulnerabilityResults{}\n\terr := json.NewDecoder(input.Reader).Decode(&parsedResults)\n\n\tif err != nil {\n\t\treturn inventory.Inventory{}, fmt.Errorf(\"could not extract from %s: %w\", input.Path, err)\n\t}\n\n\tpackages := []*extractor.Package{}\n\tfor _, res := range parsedResults.Results {\n\t\tfor _, pkg := range res.Packages {\n\t\t\tinv := extractor.Package{\n\t\t\t\tName: pkg.Package.Name,\n\t\t\t\tVersion: pkg.Package.Version,\n\t\t\t\tMetadata: &Metadata{\n\t\t\t\t\tEcosystem: pkg.Package.Ecosystem,\n\t\t\t\t\tSourceInfo: res.Source,\n\t\t\t\t},\n\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\tLocation: extractor.LocationFromPath(input.Path),\n\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t}\n\t\t\tif pkg.Package.Commit != \"\" {\n\t\t\t\tinv.SourceCode = &extractor.SourceCodeIdentifier{\n\t\t\t\t\tCommit: pkg.Package.Commit,\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tpackages = append(packages, &inv)\n\t\t}\n\t}\n\n\treturn inventory.Inventory{\n\t\tPackages: packages,\n\t}, nil\n}\n\nvar _ filesystem.Extractor = Extractor{}\n" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/extractor_test.go", "content": "package osvscannerjson_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/testing/extracttest\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc TestExtractor_Extract(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []extracttest.TestTableEntry{\n\t\t{\n\t\t\tName: \"invalid_yaml\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/not-json.txt\",\n\t\t\t},\n\t\t\tWantErr: extracttest.ContainsErrStr{Str: \"could not extract from\"},\n\t\t},\n\t\t{\n\t\t\tName: \"empty\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/empty.json\",\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{},\n\t\t},\n\t\t{\n\t\t\tName: \"one_package\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/one-package.json\",\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tName: \"activesupport\",\n\t\t\t\t\tVersion: \"7.0.7\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/one-package.json\"),\n\t\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\t\tEcosystem: \"RubyGems\",\n\t\t\t\t\t\tSourceInfo: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/Gemfile.lock\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"one_package_with_commit\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/one-package-commit.json\",\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/one-package-commit.json\"),\n\t\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\t\t\tCommit: \"9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52\",\n\t\t\t\t\t},\n\t\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\t\tSourceInfo: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/Gemfile.lock\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"multiple_packages\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/multiple-packages-with-vulns.json\",\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tName: \"crossbeam-utils\",\n\t\t\t\t\tVersion: \"0.6.6\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/multiple-packages-with-vulns.json\"),\n\t\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\t\tEcosystem: \"crates.io\",\n\t\t\t\t\t\tSourceInfo: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/Cargo.lock\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"memoffset\",\n\t\t\t\t\tVersion: \"0.5.6\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/multiple-packages-with-vulns.json\"),\n\t\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\t\tEcosystem: \"crates.io\",\n\t\t\t\t\t\tSourceInfo: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/Cargo.lock\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"smallvec\",\n\t\t\t\t\tVersion: \"1.6.0\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/multiple-packages-with-vulns.json\"),\n\t\t\t\t\tPURLType: \"placeholder\",\n\t\t\t\t\tPlugins: []string{\"osv/osvscannerjson\"},\n\t\t\t\t\tMetadata: &osvscannerjson.Metadata{\n\t\t\t\t\t\tEcosystem: \"crates.io\",\n\t\t\t\t\t\tSourceInfo: models.SourceInfo{\n\t\t\t\t\t\t\tPath: \"/path/to/Cargo.lock\",\n\t\t\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\textr := osvscannerjson.Extractor{}\n\n\t\t\tscanInput := extracttest.GenerateScanInputMock(t, tt.InputConfig)\n\t\t\tdefer extracttest.CloseTestScanInput(t, scanInput)\n\n\t\t\tgot, err := extr.Extract(t.Context(), &scanInput)\n\n\t\t\tif diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) error diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/metadata.go", "content": "package osvscannerjson\n\nimport \"github.com/google/osv-scanner/v2/pkg/models\"\n\n// Metadata holds the metadata for osvscanner.json\ntype Metadata struct {\n\tEcosystem string\n\tSourceInfo models.SourceInfo\n}\n" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/testdata/empty.json", "content": "{\n \"results\": []\n}" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/testdata/multiple-packages-with-vulns.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/Cargo.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"crossbeam-utils\",\n \"version\": \"0.6.6\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-08-11T21:55:33Z\",\n \"published\": \"2022-02-16T22:36:21Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-qc84-gqf4-9926\",\n \"aliases\": [\n \"CVE-2022-23639\"\n ],\n \"summary\": \"crossbeam-utils Race Condition vulnerability\",\n \"details\": \"### Impact\\n\\nThe affected version of this crate incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. \\n\\nHowever, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`.\\n\\nThis can cause the following problems:\\n\\n- Unaligned memory accesses\\n- Data race\\n\\nCrates using `fetch_*` methods with `AtomicCell\\u003c{i,u}64\\u003e` are affected by this issue.\\n\\n32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue.\\n32-bit targets with `Atomic{I,U}64` and `{i,u}64` have the same alignment are also not affected by this issue.\\n\\nThe following is a complete list of the builtin targets that may be affected. (last update: nightly-2022-02-11)\\n\\n- armv7-apple-ios (tier 3)\\n- armv7s-apple-ios (tier 3)\\n- i386-apple-ios (tier 3)\\n- i586-unknown-linux-gnu\\n- i586-unknown-linux-musl\\n- i686-apple-darwin (tier 3)\\n- i686-linux-android\\n- i686-unknown-freebsd\\n- i686-unknown-haiku (tier 3)\\n- i686-unknown-linux-gnu\\n- i686-unknown-linux-musl\\n- i686-unknown-netbsd (tier 3)\\n- i686-unknown-openbsd (tier 3)\\n- i686-wrs-vxworks (tier 3)\\n\\n([script to get list](https://gist.github.com/taiki-e/3c7891e8c5f5e0cbcb44d7396aabfe10))\\n\\n### Patches\\n\\nThis has been fixed in crossbeam-utils 0.8.7.\\n\\nAffected 0.8.x releases have been yanked.\\n\\n### References\\n\\nhttps://github.com/crossbeam-rs/crossbeam/pull/781 \\n\\n### License\\n\\nThis advisory is in the public domain.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"crossbeam-utils\",\n \"purl\": \"pkg:cargo/crossbeam-utils\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-qc84-gqf4-9926/GHSA-qc84-gqf4-9926.json\"\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-23639\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/crossbeam-rs/crossbeam/pull/781\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/crossbeam-rs/crossbeam\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/crossbeam-rs/crossbeam/releases/tag/crossbeam-utils-0.8.7\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0041.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-362\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-02-16T22:36:21Z\",\n \"nvd_published_at\": \"2022-02-15T19:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2022-08-04T13:56:30Z\",\n \"published\": \"2022-02-05T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2022-0041\",\n \"aliases\": [\n \"GHSA-qc84-gqf4-9926\",\n \"CVE-2022-23639\"\n ],\n \"summary\": \"Unsoundness of AtomicCell\\u003c*64\\u003e arithmetics on 32-bit targets that support Atomic*64\",\n \"details\": \"## Impact\\n\\nAffected versions of this crate incorrectly assumed that the alignment of {i,u}64 was always the same as Atomic{I,U}64.\\n\\nHowever, the alignment of {i,u}64 on a 32-bit target can be smaller than Atomic{I,U}64.\\n\\nThis can cause the following problems:\\n\\n- Unaligned memory accesses\\n- Data race\\n\\nCrates using fetch_* methods with AtomicCell\\u003c{i,u}64\\u003e are affected by this issue.\\n\\n32-bit targets without Atomic{I,U}64 and 64-bit targets are not affected by this issue.\\n\\n32-bit targets with Atomic{I,U}64 and {i,u}64 have the same alignment are also not affected by this issue.\\n\\nThe following is a complete list of the builtin targets that may be affected. (last update: nightly-2022-02-11)\\n\\n- armv7-apple-ios (tier 3)\\n- armv7s-apple-ios (tier 3)\\n- i386-apple-ios (tier 3)\\n- i586-unknown-linux-gnu\\n- i586-unknown-linux-musl\\n- i686-apple-darwin (tier 3)\\n- i686-linux-android\\n- i686-unknown-freebsd\\n- i686-unknown-haiku (tier 3)\\n- i686-unknown-linux-gnu\\n- i686-unknown-linux-musl\\n- i686-unknown-netbsd (tier 3)\\n- i686-unknown-openbsd (tier 3)\\n- i686-wrs-vxworks (tier 3)\\n\\n([script to get list](https://gist.github.com/taiki-e/3c7891e8c5f5e0cbcb44d7396aabfe10))\\n\\n## Patches\\n\\nThis has been fixed in crossbeam-utils 0.8.7.\\n\\nAffected 0.8.x releases have been yanked.\\n\\nThanks to @taiki-e\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"crossbeam-utils\",\n \"purl\": \"pkg:cargo/crossbeam-utils\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.7\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0041.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/crossbeam-utils\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2022-0041.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/crossbeam-rs/crossbeam/pull/781\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-qc84-gqf4-9926\",\n \"RUSTSEC-2022-0041\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"memoffset\",\n \"version\": \"0.5.6\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-21T22:06:29Z\",\n \"published\": \"2023-06-21T22:06:29Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wfg4-322g-9vqv\",\n \"summary\": \"memoffset allows reading uninitialized memory\",\n \"details\": \"memoffset allows attempt of reading data from address `0` with arbitrary type. This behavior is an undefined behavior because address `0` to `std::mem::size_of\\u003cT\\u003e` may not have valid bit-pattern with `T`. Old implementation dereferences uninitialized memory obtained from `std::mem::align_of`. Older implementation prior to it allows using uninitialized data obtained from `std::mem::uninitialized` with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for \\\"father\\\" that includes (directly or transitively) type that [does not allow to be uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html).\\n\\nThis flaw was corrected by using `std::ptr::addr_of` in \\u003chttps://github.com/Gilnaa/memoffset/pull/50\\u003e.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"memoffset\",\n \"purl\": \"pkg:cargo/memoffset\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.6.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-wfg4-322g-9vqv/GHSA-wfg4-322g-9vqv.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Gilnaa/memoffset/issues/24\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/Gilnaa/memoffset/pull/50\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/Gilnaa/memoffset\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0045.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-06-21T22:06:29Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"modified\": \"2023-07-08T12:30:19Z\",\n \"published\": \"2023-06-21T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0045\",\n \"aliases\": [\n \"GHSA-wfg4-322g-9vqv\"\n ],\n \"summary\": \"memoffset allows reading uninitialized memory\",\n \"details\": \"memoffset allows attempt of reading data from address `0` with arbitrary type. This behavior is an undefined behavior because address `0` to `std::mem::size_of\\u003cT\\u003e` may not have valid bit-pattern with `T`. Old implementation dereferences uninitialized memory obtained from `std::mem::align_of`. Older implementation prior to it allows using uninitialized data obtained from `std::mem::uninitialized` with arbitrary type then compute offset by taking the address of field-projection. This may also result in an undefined behavior for \\\"father\\\" that includes (directly or transitively) type that [does not allow to be uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html).\\n\\nThis flaw was corrected by using `std::ptr::addr_of` in \\u003chttps://github.com/Gilnaa/memoffset/pull/50\\u003e.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"memoffset\",\n \"purl\": \"pkg:cargo/memoffset\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.6.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0045.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"memoffset::offset_of\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/memoffset\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0045.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/Gilnaa/memoffset/issues/24\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wfg4-322g-9vqv\",\n \"RUSTSEC-2023-0045\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"smallvec\",\n \"version\": \"1.6.0\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-06-13T20:51:42Z\",\n \"published\": \"2022-05-24T17:40:21Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-43w2-9j62-hq99\",\n \"aliases\": [\n \"CVE-2021-25900\"\n ],\n \"summary\": \"Buffer overflow in SmallVec::insert_many\",\n \"details\": \"A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.\\n\\nThe flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, so it is easier to verify its correctness.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"smallvec\",\n \"purl\": \"pkg:cargo/smallvec\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.3\"\n },\n {\n \"fixed\": \"0.6.14\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43w2-9j62-hq99/GHSA-43w2-9j62-hq99.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"smallvec::SmallVec::insert_many\"\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"smallvec\",\n \"purl\": \"pkg:cargo/smallvec\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-43w2-9j62-hq99/GHSA-43w2-9j62-hq99.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"smallvec::SmallVec::insert_many\"\n ]\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-25900\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/servo/rust-smallvec/issues/252\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/servo/rust-smallvec\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2021-0003.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-787\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-06-17T00:20:48Z\",\n \"nvd_published_at\": \"2021-01-26T18:16:00Z\",\n \"severity\": \"CRITICAL\"\n }\n },\n {\n \"modified\": \"2023-06-13T13:10:24Z\",\n \"published\": \"2021-01-08T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2021-0003\",\n \"aliases\": [\n \"CVE-2021-25900\",\n \"GHSA-43w2-9j62-hq99\"\n ],\n \"summary\": \"Buffer overflow in SmallVec::insert_many\",\n \"details\": \"A bug in the `SmallVec::insert_many` method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap.\\n\\nThis bug was only triggered if the iterator passed to `insert_many` yielded more items than the lower bound returned from its `size_hint` method.\\n \\nThe flaw was corrected in smallvec 0.6.14 and 1.6.1, by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of `insert_many` to use less unsafe code, so it is easier to verify its correctness.\\n\\nThank you to Yechan Bae (@Qwaz) and the Rust group at Georgia Tech’s SSLab for finding and reporting this bug.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"smallvec\",\n \"purl\": \"pkg:cargo/smallvec\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.3\"\n },\n {\n \"fixed\": \"0.6.14\"\n },\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.6.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0003.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"smallvec::SmallVec::insert_many\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"severity\": [\n {\n \"type\": \"CVSS_V3\",\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/smallvec\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2021-0003.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/servo/rust-smallvec/issues/252\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-43w2-9j62-hq99\",\n \"RUSTSEC-2021-0003\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/testdata/not-json.txt", "content": "this is not valid json! (I think)\n" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/testdata/one-package-commit.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/Gemfile.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"commit\": \"9a6bd55c9d0722cb101fe85a3b22d89e4ff4fe52\"\n },\n \"vulnerabilities\": [],\n \"groups\": []\n }\n ]\n }\n ]\n}" }, { "path": "internal/scalibrextract/language/osv/osvscannerjson/testdata/one-package.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"/path/to/Gemfile.lock\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"activesupport\",\n \"version\": \"7.0.7\",\n \"ecosystem\": \"RubyGems\"\n },\n \"vulnerabilities\": [],\n \"groups\": []\n }\n ]\n }\n ]\n}" }, { "path": "internal/scalibrextract/vcs/gitcommitdirect/extractor.go", "content": "// Package gitcommitdirect provides an dummy extractor that returns a preset list of commits\npackage gitcommitdirect\n\nimport (\n\t\"context\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/standalone\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n)\n\nconst (\n\t// Name is the unique name of this extractor.\n\tName = \"vcs/gitcommitdirect\"\n)\n\n// Extractor extracts git repository hashes including submodule hashes.\n// This extractor will not return an error, and will just return no results if we fail to extract\ntype Extractor struct {\n\tcommits []string\n}\n\n// New returns a new instance of the extractor.\nfunc New(commits []string) standalone.Extractor {\n\treturn &Extractor{\n\t\tcommits: commits,\n\t}\n}\n\n// Name of the extractor.\nfunc (e *Extractor) Name() string { return Name }\n\n// Version of the extractor.\nfunc (e *Extractor) Version() int { return 0 }\n\n// Requirements of the extractor.\nfunc (e *Extractor) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{}\n}\n\nfunc (e *Extractor) Extract(_ context.Context, _ *standalone.ScanInput) (inventory.Inventory, error) {\n\tpkgs := make([]*extractor.Package, 0, len(e.commits))\n\tfor _, commit := range e.commits {\n\t\tpkgs = append(pkgs, &extractor.Package{\n\t\t\tSourceCode: &extractor.SourceCodeIdentifier{Commit: commit},\n\t\t})\n\t}\n\n\treturn inventory.Inventory{\n\t\tPackages: pkgs,\n\t}, nil\n}\n\nvar _ standalone.Extractor = &Extractor{}\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/extractor.go", "content": "// Package gitrepo provides an extractor for git repositories and submodules.\npackage gitrepo\n\nimport (\n\t\"context\"\n\t\"path\"\n\t\"path/filepath\"\n\n\t\"github.com/go-git/go-git/v5\"\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scalibr/purl\"\n)\n\nconst (\n\t// Name is the unique name of this extractor.\n\tName = \"vcs/gitrepo\"\n)\n\n// Extractor extracts git repository hashes including submodule hashes.\n// This extractor will not return an error, and will just return no results if we fail to extract\ntype Extractor struct{}\n\nfunc getCommitSHA(repo *git.Repository) (string, error) {\n\thead, err := repo.Head()\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\treturn head.Hash().String(), nil\n}\n\nfunc getSubmodules(repo *git.Repository) (submodules []*git.SubmoduleStatus, err error) {\n\tworktree, err := repo.Worktree()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tss, err := worktree.Submodules()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tfor _, s := range ss {\n\t\tstatus, err := s.Status()\n\t\tif err != nil {\n\t\t\tcontinue\n\t\t}\n\t\tsubmodules = append(submodules, status)\n\t}\n\n\treturn submodules, nil\n}\n\nfunc createCommitQueryInventory(commit string, location string) *extractor.Package {\n\treturn &extractor.Package{\n\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\tCommit: commit,\n\t\t},\n\t\tLocation: extractor.LocationFromPath(location),\n\t}\n}\n\n// New returns a new instance of the extractor.\nfunc New(_ *cpb.PluginConfig) (filesystem.Extractor, error) {\n\treturn &Extractor{}, nil\n}\n\n// Name of the extractor.\nfunc (e *Extractor) Name() string { return Name }\n\n// Version of the extractor.\nfunc (e *Extractor) Version() int { return 0 }\n\n// Requirements of the extractor.\nfunc (e *Extractor) Requirements() *plugin.Capabilities {\n\treturn &plugin.Capabilities{\n\t\tExtractFromDirs: true,\n\t}\n}\n\n// FileRequired returns true for git repositories .git dirs\nfunc (e *Extractor) FileRequired(fapi filesystem.FileAPI) bool {\n\tif filepath.Base(fapi.Path()) != \".git\" {\n\t\treturn false\n\t}\n\n\t// Stat costs performance, so perform it after the name check\n\tstat, err := fapi.Stat()\n\tif err != nil {\n\t\treturn false\n\t}\n\n\treturn stat.IsDir()\n}\n\n// Extract extracts git commits from HEAD and from submodules\nfunc (e *Extractor) Extract(_ context.Context, input *filesystem.ScanInput) (inventory.Inventory, error) {\n\t// The input path is the .git directory, but git.PlainOpen expects the actual directory containing the .git dir.\n\t// So call filepath.Dir to get the parent path\n\t// Assume this is fully on a real filesystem\n\t// TODO: Make this support virtual filesystems\n\trepo, err := git.PlainOpen(path.Join(input.Root, filepath.Dir(input.Path)))\n\tif err != nil {\n\t\treturn inventory.Inventory{}, err\n\t}\n\n\tvar inv inventory.Inventory\n\n\tcommitSHA, err := getCommitSHA(repo)\n\n\t// If error is not nil, then ignore this and continue, as it is not fatal.\n\t// The error could be because there are no commits in the repository\n\tif err == nil {\n\t\tinv.Packages = append(inv.Packages, createCommitQueryInventory(commitSHA, input.Path))\n\t}\n\n\t// If we can't get submodules, just return with what we have.\n\tsubmodules, err := getSubmodules(repo)\n\tif err != nil {\n\t\treturn inv, err\n\t}\n\n\tfor _, s := range submodules {\n\t\t// r.Infof(\"Scanning submodule %s at commit %s\\n\", s.Path, s.Expected.String())\n\t\tinv.Packages = append(inv.Packages, createCommitQueryInventory(s.Expected.String(), path.Join(input.Path, s.Path)))\n\t}\n\n\treturn inv, nil\n}\n\n// ToPURL converts an inventory created by this extractor into a PURL.\nfunc (e *Extractor) ToPURL(_ *extractor.Package) *purl.PackageURL {\n\treturn nil\n}\n\n// Ecosystem returns an empty string as all inventories are commit hashes\nfunc (e *Extractor) Ecosystem(_ *extractor.Package) string {\n\treturn \"\"\n}\n\nvar _ filesystem.Extractor = &Extractor{}\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/extractor_test.go", "content": "package gitrepo_test\n\nimport (\n\t\"os\"\n\t\"path\"\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/go-cmp/cmp/cmpopts\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/testing/extracttest\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n)\n\nfunc TestExtractor_Extract(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []extracttest.TestTableEntry{\n\t\t{\n\t\t\tName: \"Not_a_git_dir\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/example-not-git/.git\",\n\t\t\t},\n\t\t\tWantErr: extracttest.ContainsErrStr{Str: \"repository does not exist\"},\n\t\t},\n\t\t{\n\t\t\tName: \"example_git\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/example-git/.git\",\n\t\t\t},\n\t\t\tWantPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"testdata/example-git/.git\"),\n\t\t\t\t\tSourceCode: &extractor.SourceCodeIdentifier{\n\t\t\t\t\t\tCommit: \"862ac4bd2703b622e85f29f55a2fd8cd6caf8182\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tName: \"Clean_git_repository_with_no_commits\",\n\t\t\tInputConfig: extracttest.ScanInputMockConfig{\n\t\t\t\tPath: \"testdata/example-clean/.git\",\n\t\t\t},\n\t\t\tWantPackages: nil,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.Name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\textr := gitrepo.Extractor{}\n\t\t\tparent := filepath.Dir(tt.InputConfig.Path)\n\t\t\terr := os.Rename(path.Join(parent, \"git-hidden\"), path.Join(parent, \".git\"))\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"can't find git-hidden folder\")\n\t\t\t}\n\n\t\t\tdefer func() {\n\t\t\t\terr = os.Rename(path.Join(parent, \".git\"), path.Join(parent, \"git-hidden\"))\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Fatalf(\"failed to restore .git to original git-hidden: %v\", err)\n\t\t\t\t}\n\t\t\t}()\n\n\t\t\tscanInput := extracttest.GenerateScanInputMock(t, tt.InputConfig)\n\t\t\tdefer extracttest.CloseTestScanInput(t, scanInput)\n\n\t\t\tgot, err := extr.Extract(t.Context(), &scanInput)\n\n\t\t\tif diff := cmp.Diff(tt.WantErr, err, cmpopts.EquateErrors()); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) error diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif diff := cmp.Diff(tt.WantPackages, got.Packages, cmpopts.SortSlices(extracttest.PackageCmpLess)); diff != \"\" {\n\t\t\t\tt.Errorf(\"%s.Extract(%q) diff (-want +got):\\n%s\", extr.Name(), tt.InputConfig.Path, diff)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/HEAD", "content": "ref: refs/heads/main\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/config", "content": "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n\tbare = false\n\tlogallrefupdates = true\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/description", "content": "Unnamed repository; edit this file 'description' to name the repository.\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-clean/git-hidden/info/exclude", "content": "# git ls-files --others --exclude-from=.git/info/exclude\n# Lines that start with '#' are comments.\n# For a project mostly in C, the following would be a good set of\n# exclude patterns (uncomment them if you want to use them):\n# *.[oa]\n# *~\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/a.txt", "content": "test file\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/COMMIT_EDITMSG", "content": "Example commit\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/HEAD", "content": "ref: refs/heads/main\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/config", "content": "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n\tbare = false\n\tlogallrefupdates = true\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/description", "content": "Unnamed repository; edit this file 'description' to name the repository.\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/info/exclude", "content": "# git ls-files --others --exclude-from=.git/info/exclude\n# Lines that start with '#' are comments.\n# For a project mostly in C, the following would be a good set of\n# exclude patterns (uncomment them if you want to use them):\n# *.[oa]\n# *~\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/logs/HEAD", "content": "0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P 1696388400 +1100\tcommit (initial): Example commit\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/logs/refs/heads/main", "content": "0000000000000000000000000000000000000000 862ac4bd2703b622e85f29f55a2fd8cd6caf8182 Rex P 1696388400 +1100\tcommit (initial): Example commit\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-git/git-hidden/refs/heads/main", "content": "862ac4bd2703b622e85f29f55a2fd8cd6caf8182\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-not-git/a.txt", "content": "test file\n" }, { "path": "internal/scalibrextract/vcs/gitrepo/testdata/example-not-git/git-hidden/b.txt", "content": "test file 2\n" }, { "path": "internal/scalibrplugin/__snapshots__/resolve_test.snap", "content": "\n[TestResolve_AllPresets - 1]\nbaseimage\ncis/generic-linux/etcpasswdpermissions\ncpp/conanlock\ncve/cve-2020-11978\ncve/cve-2020-16846\ncve/cve-2022-33891\ncve/cve-2023-38408\ncve/cve-2023-6019\ncve/cve-2024-2912\ndart/pubspec\ndotnet/depsjson\ndotnet/packagesconfig\ndotnet/packageslockjson\nerlang/mixlock\nfilesystem/vendored\ngo/binary\ngo/gomod\ngovulncheck/binary\nhaskell/cabal\nhaskell/stacklock\njava/archive\njava/gradlelockfile\njava/gradleverificationmetadataxml\njava/pomxml\njavascript/bunlock\njavascript/nodemodules\njavascript/packagelockjson\njavascript/pnpmlock\njavascript/yarnlock\nlicense/depsdev\nos/apk\nos/dpkg\nosv/osvscannerjson\nphp/composerlock\npython/pdmlock\npython/pipfilelock\npython/poetrylock\npython/pylock\npython/requirements\npython/uvlock\npython/wheelegg\nr/renvlock\nruby/gemfilelock\nrust/cargoauditable\nrust/cargolock\nsbom/cdx\nsbom/spdx\ntransitivedependency/pomxml\ntransitivedependency/requirements\nvcs/gitrepo\nvex/os-duplicate/apk\nvex/os-duplicate/dpkg\nvulnmatch/osvdev\nvulnmatch/osvlocal\nweakcredentials/codeserver\nweakcredentials/etcshadow\nweakcredentials/filebrowser\nweakcredentials/winlocal\n---\n\n[TestResolve_Annotators_Presets/artifact - 1]\nbaseimage\ngo/binary\njava/archive\njavascript/nodemodules\nos/apk\nos/dpkg\npython/wheelegg\nrust/cargoauditable\nvex/os-duplicate/apk\nvex/os-duplicate/dpkg\n---\n\n[TestResolve_Detectors_Presets/cis - 1]\ncis/generic-linux/etcpasswdpermissions\n---\n\n[TestResolve_Detectors_Presets/govulncheck - 1]\ngovulncheck/binary\n---\n\n[TestResolve_Detectors_Presets/untested - 1]\ncve/cve-2020-11978\ncve/cve-2020-16846\ncve/cve-2022-33891\ncve/cve-2023-38408\ncve/cve-2023-6019\ncve/cve-2024-2912\n---\n\n[TestResolve_Detectors_Presets/weakcreds - 1]\nweakcredentials/codeserver\nweakcredentials/etcshadow\nweakcredentials/filebrowser\nweakcredentials/winlocal\n---\n\n[TestResolve_Enrichers_Presets/artifact - 1]\nbaseimage\ngo/binary\njava/archive\njavascript/nodemodules\nos/apk\nos/dpkg\npython/wheelegg\nrust/cargoauditable\nvex/os-duplicate/apk\nvex/os-duplicate/dpkg\n---\n\n[TestResolve_Enrichers_Presets/licenses - 1]\nlicense/depsdev\n---\n\n[TestResolve_Enrichers_Presets/transitive - 1]\n\n---\n\n[TestResolve_Enrichers_Presets/vulns - 1]\nvulnmatch/osvdev\nvulnmatch/osvlocal\n---\n\n[TestResolve_Extractors_Presets/artifact - 1]\nbaseimage\ngo/binary\njava/archive\njavascript/nodemodules\nos/apk\nos/dpkg\npython/wheelegg\nrust/cargoauditable\nvex/os-duplicate/apk\nvex/os-duplicate/dpkg\n---\n\n[TestResolve_Extractors_Presets/directory - 1]\nfilesystem/vendored\nvcs/gitrepo\n---\n\n[TestResolve_Extractors_Presets/lockfile - 1]\ncpp/conanlock\ndart/pubspec\ndotnet/depsjson\ndotnet/packagesconfig\ndotnet/packageslockjson\nerlang/mixlock\ngo/gomod\nhaskell/cabal\nhaskell/stacklock\njava/gradlelockfile\njava/gradleverificationmetadataxml\njava/pomxml\njavascript/bunlock\njavascript/packagelockjson\njavascript/pnpmlock\njavascript/yarnlock\nos/apk\nos/dpkg\nosv/osvscannerjson\nphp/composerlock\npython/pdmlock\npython/pipfilelock\npython/poetrylock\npython/pylock\npython/requirements\npython/uvlock\nr/renvlock\nruby/gemfilelock\nrust/cargolock\n---\n\n[TestResolve_Extractors_Presets/sbom - 1]\nsbom/cdx\nsbom/spdx\n---\n" }, { "path": "internal/scalibrplugin/presets.go", "content": "package scalibrplugin\n\nimport (\n\t\"fmt\"\n\n\tannotatorlist \"github.com/google/osv-scalibr/annotator/list\"\n\tapkanno \"github.com/google/osv-scalibr/annotator/osduplicate/apk\"\n\tdpkganno \"github.com/google/osv-scalibr/annotator/osduplicate/dpkg\"\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\tdetectors \"github.com/google/osv-scalibr/detector/list\"\n\t\"github.com/google/osv-scalibr/enricher\"\n\t\"github.com/google/osv-scalibr/enricher/baseimage\"\n\t\"github.com/google/osv-scalibr/enricher/enricherlist\"\n\ttransitivedependencypomxml \"github.com/google/osv-scalibr/enricher/transitivedependency/pomxml\"\n\ttransitivedependencyrequirements \"github.com/google/osv-scalibr/enricher/transitivedependency/requirements\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/cpp/conanlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dart/pubspec\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/depsjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packagesconfig\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/haskell/cabal\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/haskell/stacklock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/archive\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/yarnlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pdmlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pipfilelock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pylock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock\"\n\textractors \"github.com/google/osv-scalibr/extractor/filesystem/list\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/apk\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n)\n\nvar detectorPresets = map[string]detectors.InitMap{\n\t\"cis\": detectors.CIS,\n\t\"govulncheck\": detectors.Govulncheck,\n\t\"untested\": detectors.Untested,\n\t\"weakcreds\": detectors.Weakcredentials,\n}\n\nvar ExtractorPresets = map[string]extractors.InitMap{\n\t\"sbom\": {\n\t\tspdx.Name: {spdx.New},\n\t\tcdx.Name: {cdx.New},\n\t},\n\t\"lockfile\": {\n\t\t// C\n\t\tconanlock.Name: {conanlock.New},\n\n\t\t// Erlang\n\t\tmixlock.Name: {mixlock.New},\n\n\t\t// Flutter\n\t\tpubspec.Name: {pubspec.New},\n\n\t\t// Go\n\t\tgomod.Name: {gomod.New},\n\n\t\t// Java\n\t\tgradlelockfile.Name: {gradlelockfile.New},\n\t\tgradleverificationmetadataxml.Name: {gradleverificationmetadataxml.New},\n\t\tpomxml.Name: {pomxml.New},\n\n\t\t// Javascript\n\t\tpackagelockjson.Name: {packagelockjson.New},\n\t\tpnpmlock.Name: {pnpmlock.New},\n\t\tyarnlock.Name: {yarnlock.New},\n\t\tbunlock.Name: {bunlock.New},\n\n\t\t// PHP\n\t\tcomposerlock.Name: {composerlock.New},\n\n\t\t// Python\n\t\tpipfilelock.Name: {pipfilelock.New},\n\t\tpdmlock.Name: {pdmlock.New},\n\t\tpoetrylock.Name: {poetrylock.New},\n\t\tpylock.Name: {pylock.New},\n\t\trequirements.Name: {requirements.New},\n\t\tuvlock.Name: {uvlock.New},\n\n\t\t// R\n\t\trenvlock.Name: {renvlock.New},\n\n\t\t// Ruby\n\t\tgemfilelock.Name: {gemfilelock.New},\n\n\t\t// Rust\n\t\tcargolock.Name: {cargolock.New},\n\n\t\t// NuGet\n\t\tdepsjson.Name: {depsjson.New},\n\t\tpackagesconfig.Name: {packagesconfig.New},\n\t\tpackageslockjson.Name: {packageslockjson.New},\n\n\t\t// Haskell\n\t\tcabal.Name: {cabal.New},\n\t\tstacklock.Name: {stacklock.New},\n\n\t\tosvscannerjson.Name: {osvscannerjson.New},\n\n\t\t// --- OS \"lockfiles\" ---\n\t\t// These have very strict FileRequired paths, so we can safely enable them for source scanning as well.\n\t\t// Alpine\n\t\tapk.Name: {apk.New},\n\t\t// Debian\n\t\tdpkg.Name: {dpkg.New},\n\t},\n\t\"directory\": {\n\t\tgitrepo.Name: {gitrepo.New},\n\t\tvendored.Name: {vendored.New},\n\t},\n\t\"artifact\": {\n\t\t// --- Project artifacts ---\n\t\t// Python\n\t\twheelegg.Name: {wheelegg.New},\n\t\t// Java\n\t\tarchive.Name: {archive.New},\n\t\t// Go\n\t\tgobinary.Name: {gobinary.New},\n\t\t// Javascript\n\t\tnodemodules.Name: {nodemodules.New},\n\t\t// Rust\n\t\tcargoauditable.Name: {cargoauditable.New},\n\n\t\t// --- OS packages ---\n\t\t// Alpine\n\t\tapk.Name: {apk.New},\n\t\t// Debian\n\t\tdpkg.Name: {dpkg.New},\n\t},\n}\n\nvar enricherPresets = map[string]enricherlist.InitMap{\n\t\"artifact\": {\n\t\tbaseimage.Name: {baseImageEnricher},\n\t},\n\t\"vulns\": enricherlist.VulnMatching,\n\t\"licenses\": enricherlist.License,\n\t\"transitive\": {\n\t\ttransitivedependencyrequirements.Name: {transitivedependencyrequirements.New},\n\t\ttransitivedependencypomxml.Name: {transitivedependencypomxml.New},\n\t},\n}\n\nvar annotatorPresets = map[string]annotatorlist.InitMap{\n\t\"artifact\": {\n\t\tapkanno.Name: {apkanno.New},\n\t\tdpkganno.Name: {dpkganno.New},\n\t},\n}\n\nfunc baseImageEnricher(_ *cpb.PluginConfig) (enricher.Enricher, error) {\n\t// The grpc client **does not** make any requests. It starts in an IDLE state until\n\t// the first function call is made. This means we can safely initialize the client even in offline mode,\n\t// and the enricher plugin will be filtered out in offline mode.\n\tinsightsClient, err := datasource.NewInsightsAlphaClient(depsdev.DepsdevAPI, \"osv-scanner_scan/\"+version.OSVVersion)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to connect to insights server: %w\", err)\n\t}\n\n\tbaseImageEnricher, err := baseimage.New(&baseimage.Config{\n\t\tClient: baseimage.NewClientGRPC(insightsClient),\n\t})\n\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"unable to initialize base image enricher: %w\", err)\n\t}\n\n\treturn baseImageEnricher, nil\n}\n" }, { "path": "internal/scalibrplugin/resolve.go", "content": "// Package scalibrplugin provides functions related to resolving scalibr plugins\npackage scalibrplugin\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/enricher\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scalibr/plugin/list\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n)\n\nfunc resolveFromName(name string, cfg *cpb.PluginConfig) (plugin.Plugin, error) {\n\tplug, err := list.FromName(name, cfg)\n\n\tif err == nil {\n\t\treturn plug, nil\n\t}\n\n\tswitch name {\n\t// Javascript\n\tcase nodemodules.Name:\n\t\treturn nodemodules.New(cfg)\n\t// Directories\n\tcase vendored.Name:\n\t\treturn vendored.New(cfg)\n\tcase gitrepo.Name:\n\t\treturn gitrepo.New(cfg)\n\tcase osvscannerjson.Name:\n\t\treturn osvscannerjson.New(cfg)\n\tdefault:\n\t\treturn nil, fmt.Errorf(\"not an exact name for a plugin: %q\", name)\n\t}\n}\n\nfunc Resolve(enabledPlugins []string, disabledPlugins []string, cfg *cpb.PluginConfig) []plugin.Plugin {\n\tplugins := make(map[string]bool)\n\n\tfor i, exts := range [][]string{enabledPlugins, disabledPlugins} {\n\t\tenabled := i == 0\n\n\t\tfor _, pluginOrPreset := range exts {\n\t\t\twasAPreset := false\n\t\t\tif names, ok := ExtractorPresets[pluginOrPreset]; ok {\n\t\t\t\tfor name := range names {\n\t\t\t\t\tplugins[name] = enabled\n\t\t\t\t}\n\t\t\t\twasAPreset = true\n\t\t\t}\n\n\t\t\tif names, ok := detectorPresets[pluginOrPreset]; ok {\n\t\t\t\tfor name := range names {\n\t\t\t\t\tplugins[name] = enabled\n\t\t\t\t}\n\t\t\t\twasAPreset = true\n\t\t\t}\n\n\t\t\tif names, ok := annotatorPresets[pluginOrPreset]; ok {\n\t\t\t\tfor name := range names {\n\t\t\t\t\tplugins[name] = enabled\n\t\t\t\t}\n\t\t\t\twasAPreset = true\n\t\t\t}\n\n\t\t\tif names, ok := enricherPresets[pluginOrPreset]; ok {\n\t\t\t\tfor name := range names {\n\t\t\t\t\tplugins[name] = enabled\n\t\t\t\t}\n\t\t\t\twasAPreset = true\n\t\t\t}\n\n\t\t\tif !wasAPreset {\n\t\t\t\tplugins[pluginOrPreset] = enabled\n\t\t\t}\n\t\t}\n\t}\n\n\tasSlice := make([]plugin.Plugin, 0, len(plugins))\n\n\tfor name, value := range plugins {\n\t\tif name != \"\" && value {\n\t\t\tplug, err := resolveFromName(name, cfg)\n\n\t\t\tif err != nil {\n\t\t\t\tcmdlogger.Errorf(\"%s\", err)\n\n\t\t\t\t// mark the plugin as disabled in case\n\t\t\t\t// it is required by any other plugins\n\t\t\t\tplugins[name] = false\n\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tasSlice = append(asSlice, plug)\n\t\t}\n\t}\n\n\treturn filterPluginsMissingRequiredPlugins(plugins, asSlice)\n}\n\nfunc filterPluginsMissingRequiredPlugins(pluginStatues map[string]bool, loaded []plugin.Plugin) []plugin.Plugin {\n\tplugins := make([]plugin.Plugin, 0, len(loaded))\n\n\tfor _, plug := range loaded {\n\t\ten, ok := plug.(enricher.Enricher)\n\n\t\t// if the \"loaded\" status of any plugin required by an enricher \"contains\" false,\n\t\t// then that plugin is disabled and so the enricher requirements are not met\n\t\tif ok && slices.ContainsFunc(en.RequiredPlugins(), func(name string) bool {\n\t\t\treturn !pluginStatues[name]\n\t\t}) {\n\t\t\tcontinue\n\t\t}\n\n\t\tplugins = append(plugins, plug)\n\t}\n\n\treturn plugins\n}\n" }, { "path": "internal/scalibrplugin/resolve_test.go", "content": "package scalibrplugin_test\n\nimport (\n\t\"slices\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\tapkanno \"github.com/google/osv-scalibr/annotator/osduplicate/apk\"\n\tdpkganno \"github.com/google/osv-scalibr/annotator/osduplicate/dpkg\"\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/detector/cis/generic_linux/etcpasswdpermissions\"\n\t\"github.com/google/osv-scalibr/detector/govulncheck/binary\"\n\t\"github.com/google/osv-scalibr/detector/weakcredentials/codeserver\"\n\t\"github.com/google/osv-scalibr/detector/weakcredentials/etcshadow\"\n\t\"github.com/google/osv-scalibr/detector/weakcredentials/filebrowser\"\n\t\"github.com/google/osv-scalibr/detector/weakcredentials/winlocal\"\n\t\"github.com/google/osv-scalibr/enricher/baseimage\"\n\ttransitivedependencypomxml \"github.com/google/osv-scalibr/enricher/transitivedependency/pomxml\"\n\ttransitivedependencyrequirements \"github.com/google/osv-scalibr/enricher/transitivedependency/requirements\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gobinary\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/archive\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/wheelegg\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargoauditable\"\n\tchromeextensions \"github.com/google/osv-scalibr/extractor/filesystem/misc/chrome/extensions\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/apk\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/javascript/nodemodules\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrplugin\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestResolve(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tenabled []string\n\t\tdisabled []string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []string\n\t}{\n\t\t{\n\t\t\tname: \"nothing_enabled_or_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: nil,\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"empty_strings_are_ignored\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"\"},\n\t\t\t\tdisabled: []string{\"\"},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"one_extractor_and_one_detector_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, etcshadow.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{composerlock.Name, etcshadow.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_and_one_detector_enabled_and_different_detector_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, etcshadow.Name},\n\t\t\t\tdisabled: []string{binary.Name},\n\t\t\t},\n\t\t\twant: []string{composerlock.Name, etcshadow.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_and_one_detector_enabled_and_different_extractor_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, etcshadow.Name},\n\t\t\t\tdisabled: []string{binary.Name, chromeextensions.Name},\n\t\t\t},\n\t\t\twant: []string{composerlock.Name, etcshadow.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_enabled_and_one_detector_enabled_and_same_detector_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, etcshadow.Name},\n\t\t\t\tdisabled: []string{etcshadow.Name},\n\t\t\t},\n\t\t\twant: []string{composerlock.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_enabled_and_one_detector_enabled_and_same_extractor_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, etcshadow.Name},\n\t\t\t\tdisabled: []string{composerlock.Name},\n\t\t\t},\n\t\t\twant: []string{etcshadow.Name},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"some_extractors_and_one_detector_preset_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name, \"weakcreds\", nodemodules.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcodeserver.Name,\n\t\t\t\tcomposerlock.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\tnodemodules.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_different_preset_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\"},\n\t\t\t\tdisabled: []string{\"artifact\"},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcodeserver.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"multiple_presets_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\", \"sbom\"},\n\t\t\t\tdisabled: []string{},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcdx.Name,\n\t\t\t\tcodeserver.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\tspdx.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"plugin_that_does_not_exist\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"???\"},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})\n\n\t\t\tslices.Sort(tt.want)\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, plug := range got {\n\t\t\t\tgotNames = append(gotNames, plug.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\tif diff := cmp.Diff(tt.want, gotNames); diff != \"\" {\n\t\t\t\tt.Errorf(\"Resolve() diff (-want +got): %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolve_Detectors(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tenabled []string\n\t\tdisabled []string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []string\n\t}{\n\t\t{\n\t\t\tname: \"nothing_enabled_or_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: nil,\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"empty_strings_are_ignored\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"\"},\n\t\t\t\tdisabled: []string{\"\"},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"one_detector_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{etcshadow.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{etcshadow.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_detector_enabled_and_different_detector_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{etcshadow.Name},\n\t\t\t\tdisabled: []string{binary.Name},\n\t\t\t},\n\t\t\twant: []string{etcshadow.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_detector_enabled_and_same_detector_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{etcshadow.Name},\n\t\t\t\tdisabled: []string{etcshadow.Name},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\"},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcodeserver.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_different_preset_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\"},\n\t\t\t\tdisabled: []string{\"untested\"},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcodeserver.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_same_preset_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\"},\n\t\t\t\tdisabled: []string{\"weakcreds\"},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_some_detectors_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\"},\n\t\t\t\tdisabled: []string{codeserver.Name, filebrowser.Name},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tetcshadow.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"multiple_presets_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"weakcreds\", \"cis\"},\n\t\t\t\tdisabled: []string{},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcodeserver.Name,\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\twinlocal.Name,\n\t\t\t\tetcpasswdpermissions.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"multiple_detectors_enabled_and_one_disabled_preset\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\n\t\t\t\t\tetcshadow.Name,\n\t\t\t\t\tfilebrowser.Name,\n\t\t\t\t\tetcpasswdpermissions.Name,\n\t\t\t\t},\n\t\t\t\tdisabled: []string{\"weakcreds\"},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tetcpasswdpermissions.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_detectors_enabled_and_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\n\t\t\t\t\tetcshadow.Name,\n\t\t\t\t\tfilebrowser.Name,\n\t\t\t\t\tetcpasswdpermissions.Name,\n\t\t\t\t},\n\t\t\t\tdisabled: []string{\n\t\t\t\t\tcodeserver.Name,\n\t\t\t\t\twinlocal.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tetcshadow.Name,\n\t\t\t\tfilebrowser.Name,\n\t\t\t\tetcpasswdpermissions.Name,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})\n\n\t\t\tslices.Sort(tt.want)\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, plug := range got {\n\t\t\t\tgotNames = append(gotNames, plug.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\tif diff := cmp.Diff(tt.want, gotNames); diff != \"\" {\n\t\t\t\tt.Errorf(\"Resolve() diff (-want +got): %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolve_RequiredPlugins(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tenabled []string\n\t\tdisabled []string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []string\n\t}{\n\t\t{\n\t\t\tname: \"one_enricher_without_its_required_plugin\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{transitivedependencyrequirements.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"one_enricher_with_its_required_plugin_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{transitivedependencyrequirements.Name},\n\t\t\t\tdisabled: []string{requirements.Name},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"transitive_enrichers_preset_without_any_required_plugin_enabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"transitive\"},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"transitive_enrichers_preset_without_one_required_plugin_enabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"transitive\", requirements.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{transitivedependencyrequirements.Name, requirements.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"transitive_enrichers_preset_with_all_required_plugin_enabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\n\t\t\t\t\t\"transitive\",\n\t\t\t\t\trequirements.Name,\n\t\t\t\t\tpomxml.Name,\n\t\t\t\t},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\ttransitivedependencyrequirements.Name,\n\t\t\t\trequirements.Name,\n\t\t\t\ttransitivedependencypomxml.Name,\n\t\t\t\tpomxml.Name,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})\n\n\t\t\tslices.Sort(tt.want)\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, plug := range got {\n\t\t\t\tgotNames = append(gotNames, plug.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\tif diff := cmp.Diff(tt.want, gotNames); diff != \"\" {\n\t\t\t\tt.Errorf(\"Resolve() diff (-want +got): %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolve_AllPresets(t *testing.T) {\n\tt.Parallel()\n\n\tgot := scalibrplugin.Resolve([]string{\n\t\t\"cis\",\n\t\t\"govulncheck\",\n\t\t\"untested\",\n\t\t\"weakcreds\",\n\t\t\"sbom\",\n\t\t\"lockfile\",\n\t\t\"directory\",\n\t\t\"artifact\",\n\t\t\"vulns\",\n\t\t\"licenses\",\n\t\t\"transitive\",\n\t}, []string{}, &cpb.PluginConfig{})\n\n\tgotNames := make([]string, 0, len(got))\n\tfor _, detector := range got {\n\t\tgotNames = append(gotNames, detector.Name())\n\t}\n\n\tslices.Sort(gotNames)\n\n\ttestutility.NewSnapshot().MatchText(t, strings.Join(gotNames, \"\\n\"))\n}\n\nfunc TestResolve_Extractors(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tenabled []string\n\t\tdisabled []string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []string\n\t}{\n\t\t//\n\t\t{\n\t\t\tname: \"one_extractor_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{composerlock.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_enabled_and_different_extractor_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name},\n\t\t\t\tdisabled: []string{packageslockjson.Name},\n\t\t\t},\n\t\t\twant: []string{composerlock.Name},\n\t\t},\n\t\t{\n\t\t\tname: \"one_extractor_enabled_and_same_extractor_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{composerlock.Name},\n\t\t\t\tdisabled: []string{composerlock.Name},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"artifact\"},\n\t\t\t\tdisabled: nil,\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tapk.Name,\n\t\t\t\tarchive.Name,\n\t\t\t\tbaseimage.Name,\n\t\t\t\tcargoauditable.Name,\n\t\t\t\tdpkg.Name,\n\t\t\t\tgobinary.Name,\n\t\t\t\tnodemodules.Name,\n\t\t\t\twheelegg.Name,\n\t\t\t\tapkanno.Name,\n\t\t\t\tdpkganno.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_different_preset_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"artifact\"},\n\t\t\t\tdisabled: []string{\"directory\"},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tapk.Name,\n\t\t\t\tarchive.Name,\n\t\t\t\tbaseimage.Name,\n\t\t\t\tcargoauditable.Name,\n\t\t\t\tdpkg.Name,\n\t\t\t\tgobinary.Name,\n\t\t\t\tnodemodules.Name,\n\t\t\t\twheelegg.Name,\n\t\t\t\tapkanno.Name,\n\t\t\t\tdpkganno.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_same_preset_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"artifact\"},\n\t\t\t\tdisabled: []string{\"artifact\"},\n\t\t\t},\n\t\t\twant: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"one_preset_enabled_and_some_extractors_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"artifact\"},\n\t\t\t\tdisabled: []string{wheelegg.Name, archive.Name, cargoauditable.Name},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tapk.Name,\n\t\t\t\tbaseimage.Name,\n\t\t\t\tdpkg.Name,\n\t\t\t\tgobinary.Name,\n\t\t\t\tnodemodules.Name,\n\t\t\t\tapkanno.Name,\n\t\t\t\tdpkganno.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"multiple_presets_enabled_and_nothing_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\"artifact\", \"directory\"},\n\t\t\t\tdisabled: []string{},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tapk.Name,\n\t\t\t\tarchive.Name,\n\t\t\t\tbaseimage.Name,\n\t\t\t\tcargoauditable.Name,\n\t\t\t\tdpkg.Name,\n\t\t\t\tgitrepo.Name,\n\t\t\t\tgobinary.Name,\n\t\t\t\tnodemodules.Name,\n\t\t\t\tvendored.Name,\n\t\t\t\twheelegg.Name,\n\t\t\t\tapkanno.Name,\n\t\t\t\tdpkganno.Name,\n\t\t\t},\n\t\t},\n\t\t//\n\t\t{\n\t\t\tname: \"multiple_extractors_enabled_and_one_disabled_preset\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\n\t\t\t\t\tspdx.Name,\n\t\t\t\t\tarchive.Name,\n\t\t\t\t\tgobinary.Name,\n\t\t\t\t},\n\t\t\t\tdisabled: []string{\"sbom\"},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tarchive.Name,\n\t\t\t\tgobinary.Name,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_extractors_enabled_and_disabled\",\n\t\t\targs: args{\n\t\t\t\tenabled: []string{\n\t\t\t\t\tspdx.Name,\n\t\t\t\t\tarchive.Name,\n\t\t\t\t\tgobinary.Name,\n\t\t\t\t\tcargoauditable.Name,\n\t\t\t\t},\n\t\t\t\tdisabled: []string{\n\t\t\t\t\tcdx.Name,\n\t\t\t\t\twheelegg.Name,\n\t\t\t\t\tgobinary.Name,\n\t\t\t\t\tapk.Name,\n\t\t\t\t\tapkanno.Name,\n\t\t\t\t\tdpkganno.Name,\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tspdx.Name,\n\t\t\t\tarchive.Name,\n\t\t\t\tcargoauditable.Name,\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve(tt.args.enabled, tt.args.disabled, &cpb.PluginConfig{})\n\n\t\t\tslices.Sort(tt.want)\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, plug := range got {\n\t\t\t\tgotNames = append(gotNames, plug.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\tif diff := cmp.Diff(tt.want, gotNames); diff != \"\" {\n\t\t\t\tt.Errorf(\"Resolve() diff (-want +got): %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestResolve_Detectors_Presets(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, preset := range []string{\"cis\", \"govulncheck\", \"untested\", \"weakcreds\"} {\n\t\tt.Run(preset, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, detector := range got {\n\t\t\t\tgotNames = append(gotNames, detector.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\ttestutility.NewSnapshot().MatchText(t, strings.Join(gotNames, \"\\n\"))\n\t\t})\n\t}\n}\n\nfunc TestResolve_Extractors_Presets(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, preset := range []string{\"sbom\", \"lockfile\", \"directory\", \"artifact\"} {\n\t\tt.Run(preset, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, extractor := range got {\n\t\t\t\tgotNames = append(gotNames, extractor.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\ttestutility.NewSnapshot().MatchText(t, strings.Join(gotNames, \"\\n\"))\n\t\t})\n\t}\n}\n\nfunc TestResolve_Enrichers_Presets(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, preset := range []string{\"artifact\", \"vulns\", \"licenses\", \"transitive\"} {\n\t\tt.Run(preset, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, detector := range got {\n\t\t\t\tgotNames = append(gotNames, detector.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\ttestutility.NewSnapshot().MatchText(t, strings.Join(gotNames, \"\\n\"))\n\t\t})\n\t}\n}\n\nfunc TestResolve_Annotators_Presets(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, preset := range []string{\"artifact\"} {\n\t\tt.Run(preset, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := scalibrplugin.Resolve([]string{preset}, []string{}, &cpb.PluginConfig{})\n\n\t\t\tgotNames := make([]string, 0, len(got))\n\t\t\tfor _, detector := range got {\n\t\t\t\tgotNames = append(gotNames, detector.Name())\n\t\t\t}\n\n\t\t\tslices.Sort(gotNames)\n\n\t\t\ttestutility.NewSnapshot().MatchText(t, strings.Join(gotNames, \"\\n\"))\n\t\t})\n\t}\n}\n" }, { "path": "internal/scalibrplugin/testmain_test.go", "content": "package scalibrplugin_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/sourceanalysis/__snapshots__/go_test.snap", "content": "\n[Test_matchAnalysisWithPackageVulns - 1]\n[\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"GO-2021-0053\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"GO-2023-1558\": {\n \"called\": true,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\n \"FromBytes\",\n \"NewBitfield\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ],\n \"aliases\": null,\n \"experimental_analysis\": {\n \"GO-2023-1572\": {\n \"called\": false,\n \"unimportant\": false\n }\n },\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/image/tiff\",\n \"symbols\": [\n \"Decode\",\n \"DecodeConfig\",\n \"decoder.ifdUint\",\n \"newDecoder\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n }\n]\n---\n\n[Test_matchEmptyAnalysisWithPackageVulns - 1]\n[\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ],\n \"schema_version\": \"1.3.0\"\n }\n ]\n }\n]\n---\n" }, { "path": "internal/sourceanalysis/__snapshots__/integration_test.snap", "content": "\n[Test_runGovulncheck - 1]\n{\n \"GO-2021-0053\": [\n {\n \"osv\": \"GO-2021-0053\",\n \"fixed_version\": \"v1.3.2\",\n \"trace\": [\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\"\n }\n ]\n },\n {\n \"osv\": \"GO-2021-0053\",\n \"fixed_version\": \"v1.3.2\",\n \"trace\": [\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/plugin/unmarshal\"\n }\n ]\n }\n ],\n \"GO-2023-1558\": [\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\",\n \"package\": \"github.com/ipfs/go-bitfield\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\",\n \"package\": \"github.com/ipfs/go-bitfield\",\n \"function\": \"NewBitfield\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 12,\n \"column\": 6\n }\n },\n {\n \"module\": \"github.com/ossf-tests/osv-e2e\",\n \"package\": \"github.com/ossf-tests/osv-e2e\",\n \"function\": \"main\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 16,\n \"column\": 22\n }\n }\n ]\n }\n ],\n \"GO-2023-2382\": [\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http/internal\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http/internal\",\n \"function\": \"Read\",\n \"receiver\": \"*chunkedReader\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 26\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"readLocked\",\n \"receiver\": \"*body\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 21\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Read\",\n \"receiver\": \"bodyLocked\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 24\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"io\",\n \"function\": \"copyBuffer\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 21\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"io\",\n \"function\": \"Copy\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 19\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Close\",\n \"receiver\": \"*body\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 19\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"finishRequest\",\n \"receiver\": \"*response\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 17\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"serve\",\n \"receiver\": \"*conn\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 18\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Serve\",\n \"receiver\": \"*Server\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 3\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"ListenAndServe\",\n \"receiver\": \"*Server\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": -1\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"ListenAndServe\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 30\n }\n },\n {\n \"module\": \"github.com/ossf-tests/osv-e2e\",\n \"package\": \"github.com/ossf-tests/osv-e2e\",\n \"function\": \"main\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": -1,\n \"column\": 28\n }\n }\n ]\n }\n ]\n}\n---\n" }, { "path": "internal/sourceanalysis/__snapshots__/rust_test.snap", "content": "\n[Test_functionsFromDWARF/Parsing_DWARF_medium.o - 1]\n{\n \"\\u0026T::fmt\": {},\n \"alloc::alloc::Global::deallocate\": {},\n \"alloc::alloc::Global::grow\": {},\n \"alloc::alloc::Global::grow_impl\": {},\n \"alloc::alloc::box_free\": {},\n \"alloc::alloc::dealloc\": {},\n \"alloc::alloc::realloc\": {},\n \"alloc::raw_vec::RawVec::current_memory\": {},\n \"alloc::raw_vec::RawVec::drop\": {},\n \"alloc::raw_vec::RawVec::grow_amortized\": {},\n \"alloc::raw_vec::RawVec::ptr\": {},\n \"alloc::raw_vec::RawVec::reserve_for_push\": {},\n \"alloc::raw_vec::RawVec::set_ptr_and_cap\": {},\n \"alloc::raw_vec::finish_grow\": {},\n \"alloc::raw_vec::handle_reserve\": {},\n \"alloc::rc::is_dangling\": {},\n \"alloc::sync::Arc::drop\": {},\n \"alloc::sync::Arc::drop_slow\": {},\n \"alloc::sync::Arc::get_mut_unchecked\": {},\n \"alloc::sync::Arc::inner\": {},\n \"alloc::sync::Weak::drop\": {},\n \"alloc::sync::Weak::inner\": {},\n \"alloc::vec::Vec::as_mut_ptr\": {},\n \"alloc::vec::Vec::drop\": {},\n \"alloc::vec::Vec::new\": {},\n \"alloc::vec::Vec::push\": {},\n \"arrayvec::ArrayVec::clear\": {},\n \"arrayvec::ArrayVec::drop\": {},\n \"arrayvec::ArrayVec::len\": {},\n \"arrayvec::ArrayVec::pop\": {},\n \"arrayvec::ArrayVec::set_len\": {},\n \"core::alloc::layout::Layout::array\": {},\n \"core::alloc::layout::Layout::array::inner\": {},\n \"core::alloc::layout::Layout::for_value_raw\": {},\n \"core::cmp::Ord::max\": {},\n \"core::cmp::max\": {},\n \"core::core_arch::x86::sse2::mm_load_si128\": {},\n \"core::core_arch::x86::sse2::mm_movemask_epi8\": {},\n \"core::fmt::Arguments::new_v1\": {},\n \"core::fmt::Arguments::new_v1_formatted\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for usize\\u003e::fmt\": {},\n \"core::mem::drop\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init\": {},\n \"core::mem::size_of_val_raw\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_neg\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_mul\": {},\n \"core::panicking::assert_failed\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::add\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::as_ref\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::guaranteed_eq\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::is_null\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::offset\": {},\n \"core::ptr::drop_in_place\\u003c\\u0026usize\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(alloc::string::String,usize)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(regex::dfa::State,u32)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::string::String]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec\\u003c(usize,u16)\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[core::option::Option\\u003calloc::string::String\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex::dfa::State]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex::prog::Inst]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex_syntax::hir::literal::Literal]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::ahocorasick::AhoCorasick\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::api::SearchKind\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::api::Searcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::pattern::Patterns\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::rabinkarp::RabinKarp\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::teddy::runtime::Teddy\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[(char,char)]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[usize]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003ccrossbeam_epoch::sync::queue::Node\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::ops::function::Fn\\u003c()\\u003e+Output = core::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e+core::panic::unwind_safe::UnwindSafe+core::marker::Send+core::marker::Sync+core::panic::unwind_safe::RefUnwindSafe\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cregex::pool::Pool\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(usize,u16)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003ccore::option::Option\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::backtrack::Job\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::dfa::State\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::pikevm::FollowEpsilon\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::prog::Inst\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex_syntax::hir::literal::Literal\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::string::String\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003ccrossbeam_epoch::internal::Global\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cregex::exec::ExecReadOnly\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003ccrossbeam_epoch::internal::Global\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cregex::exec::ExecReadOnly\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003ccore::option::Option\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::backtrack::Job\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::dfa::State\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::pikevm::FollowEpsilon\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::prog::Inst\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex_syntax::hir::literal::Literal\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003carrayvec::ArrayVec\\u003c[crossbeam_epoch::deferred::Deferred; 64]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003caho_corasick::ahocorasick::AhoCorasick\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cregex::re_unicode::Regex,regex::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::atomic::Owned\\u003ccrossbeam_epoch::sync::queue::Node\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::collector::Collector\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::Bag\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::Global\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::sync::list::List\\u003ccrossbeam_epoch::internal::Local\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::sync::queue::Queue\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::map::HashMap\\u003calloc::string::String,usize,std::collections::hash::map::RandomState\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::map::HashMap\\u003cregex::dfa::State,u32,std::collections::hash::map::RandomState\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::raw::RawTable\\u003c(alloc::string::String,usize)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::raw::RawTable\\u003c(regex::dfa::State,u32)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::cow::CowBytes\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::cow::Imp\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::memmem::Finder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::memmem::Searcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::backtrack::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::CacheInner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::State\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::StateMap\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::Transitions\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::error::Error\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::Exec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::ExecReadOnly\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::ProgramCacheInner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::LiteralSearcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::Matcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::Memmem\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::SingleByteSet\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pikevm::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pikevm::Threads\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pool::Pool\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::Inst\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::InstRanges\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::Program\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::re_unicode::Regex\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::sparse::SparseSet\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex_syntax::hir::literal::Literal\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::collections::hash::map::HashMap\\u003cregex::dfa::State,u32\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::drop_in_place\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub\": {},\n \"core::ptr::non_null::NonNull::as_ref\": {},\n \"core::ptr::read\": {},\n \"core::ptr::write\": {},\n \"core::result::Result::branch\": {},\n \"core::result::Result::fmt\": {},\n \"core::result::Result::from_residual\": {},\n \"core::result::Result::map\": {},\n \"core::result::Result::map_err\": {},\n \"core::result::Result::unwrap\": {},\n \"core::sync::atomic::AtomicUsize::compare_exchange\": {},\n \"core::sync::atomic::AtomicUsize::fetch_sub\": {},\n \"core::sync::atomic::AtomicUsize::load\": {},\n \"core::sync::atomic::atomic_compare_exchange\": {},\n \"core::sync::atomic::atomic_load\": {},\n \"core::sync::atomic::atomic_sub\": {},\n \"crossbeam_epoch::atomic::Atomic::compare_and_set\": {},\n \"crossbeam_epoch::atomic::Atomic::load\": {},\n \"crossbeam_epoch::atomic::Owned::drop\": {},\n \"crossbeam_epoch::atomic::Shared::as_raw\": {},\n \"crossbeam_epoch::atomic::Shared::deref\": {},\n \"crossbeam_epoch::atomic::Shared::tag\": {},\n \"crossbeam_epoch::atomic::decompose_data\": {},\n \"crossbeam_epoch::deferred::Deferred::new\": {},\n \"crossbeam_epoch::deferred::Deferred::new::call\": {},\n \"crossbeam_epoch::guard::Guard::defer_destroy\": {},\n \"crossbeam_epoch::guard::Guard::defer_unchecked\": {},\n \"crossbeam_epoch::guard::Guard::defer_unchecked::{{closure}}\": {},\n \"crossbeam_epoch::sync::list::List::drop\": {},\n \"crossbeam_epoch::sync::queue::Queue::drop\": {},\n \"crossbeam_epoch::sync::queue::Queue::pop_internal\": {},\n \"crossbeam_epoch::sync::queue::Queue::pop_internal::{{closure}}\": {},\n \"crossbeam_epoch::sync::queue::Queue::try_pop\": {},\n \"hashbrown::raw::Bucket::drop\": {},\n \"hashbrown::raw::Bucket::next_n\": {},\n \"hashbrown::raw::RawIter::next\": {},\n \"hashbrown::raw::RawIterRange::new\": {},\n \"hashbrown::raw::RawIterRange::next_impl\": {},\n \"hashbrown::raw::RawTable::data_end\": {},\n \"hashbrown::raw::RawTable::drop\": {},\n \"hashbrown::raw::RawTable::drop_elements\": {},\n \"hashbrown::raw::RawTable::free_buckets\": {},\n \"hashbrown::raw::RawTable::is_empty\": {},\n \"hashbrown::raw::RawTable::iter\": {},\n \"hashbrown::raw::RawTable::len\": {},\n \"hashbrown::raw::RawTableInner::buckets\": {},\n \"hashbrown::raw::RawTableInner::free_buckets\": {},\n \"hashbrown::raw::RawTableInner::is_empty_singleton\": {},\n \"hashbrown::raw::TableLayout::calculate_layout_for\": {},\n \"hashbrown::raw::bitmask::BitMask::invert\": {},\n \"hashbrown::raw::bitmask::BitMask::lowest_set_bit\": {},\n \"hashbrown::raw::bitmask::BitMask::remove_lowest_bit\": {},\n \"hashbrown::raw::sse2::Group::load_aligned\": {},\n \"hashbrown::raw::sse2::Group::match_empty_or_deleted\": {},\n \"hashbrown::raw::sse2::Group::match_full\": {},\n \"test_rust_2::another_func\": {},\n \"test_rust_2::exported_func\": {}\n}\n---\n\n[Test_functionsFromDWARF/Parsing_DWARF_simple.o - 1]\n{\n \"core::fmt::Arguments::new_v1\": {},\n \"test_rust_2::a_cool_func_name\": {}\n}\n---\n\n[Test_functionsFromDWARF/Parsing_DWARF_test-rust-2 - 1]\n{\n \"\\u0026T::as_ref\": {},\n \"\\u0026T::fmt\": {},\n \"\\u0026[u8]::spec_new_impl\": {},\n \"\\u0026mut I::len\": {},\n \"\\u0026mut T::fmt\": {},\n \"\\u0026mut W::write_char\": {},\n \"\\u0026mut W::write_fmt\": {},\n \"\\u0026mut W::write_str\": {},\n \"\\u0026std::io::stdio::Stderr::write_fmt\": {},\n \"\\u0026std::io::stdio::Stdout::write_fmt\": {},\n \"\\u0026str::into_searcher\": {},\n \"\\u0026str::is_prefix_of\": {},\n \"\\u0026str::is_suffix_of\": {},\n \"\\u0026u32::shl\": {},\n \"\\u0026u8::bitand\": {},\n \"\\u0026u8::shr\": {},\n \"()::fmt\": {},\n \"*const T::fmt\": {},\n \"*mut T::fmt\": {},\n \"\\u003cT as alloc::slice::hack::ConvertVec\\u003e::to_vec::DropGuard::drop\": {},\n \"\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e as core::convert::From\\u003calloc::string::String\\u003e\\u003e::from::StringError::description\": {},\n \"\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e as core::convert::From\\u003calloc::string::String\\u003e\\u003e::from::StringError::fmt\": {},\n \"\\u003calloc::vec::drain::Drain as core::ops::drop::Drop\\u003e::drop::DropGuard::drop\": {},\n \"\\u003calloc::vec::into_iter::IntoIter as core::ops::drop::Drop\\u003e::drop::DropGuard::drop\": {},\n \"\\u003cdyn core::any::Any+core::marker::Send\\u003e::downcast_ref\": {},\n \"\\u003cdyn core::any::Any\\u003e::downcast_ref\": {},\n \"\\u003cdyn core::any::Any\\u003e::is\": {},\n \"F::into_searcher\": {},\n \"I::into_iter\": {},\n \"T::clone\": {},\n \"T::from_elem\": {},\n \"T::into\": {},\n \"T::spec_eq\": {},\n \"T::spec_ne\": {},\n \"T::spec_new_impl\": {},\n \"T::to_vec\": {},\n \"T::type_id\": {},\n \"[A]::equal\": {},\n \"[T]::fmt\": {},\n \"addr2line::Context::find_frames\": {},\n \"addr2line::Context::find_units\": {},\n \"addr2line::Context::find_units_range\": {},\n \"addr2line::Context::find_units_range::{{closure}}\": {},\n \"addr2line::Context::from_dwarf\": {},\n \"addr2line::FrameIter::next\": {},\n \"addr2line::FrameIter::next::{{closure}}\": {},\n \"addr2line::LocationRangeUnitIter::new\": {},\n \"addr2line::LocationRangeUnitIter::new::{{closure}}\": {},\n \"addr2line::RangeAttributes::for_each_range\": {},\n \"addr2line::RangeAttributes::for_each_range::{{closure}}\": {},\n \"addr2line::ResDwarf::find_unit\": {},\n \"addr2line::ResDwarf::parse\": {},\n \"addr2line::ResDwarf::parse::{{closure}}\": {},\n \"addr2line::ResUnit::find_function_or_location\": {},\n \"addr2line::ResUnit::find_function_or_location::{{closure}}\": {},\n \"addr2line::ResUnit::find_location\": {},\n \"addr2line::ResUnit::parse_functions\": {},\n \"addr2line::ResUnit::parse_functions::{{closure}}\": {},\n \"addr2line::ResUnit::parse_lines\": {},\n \"addr2line::ResUnit::parse_lines::{{closure}}\": {},\n \"addr2line::ResUnit::render_file\": {},\n \"addr2line::function::Function::find_inlined_functions\": {},\n \"addr2line::function::Function::find_inlined_functions::{{closure}}\": {},\n \"addr2line::function::Function::parse\": {},\n \"addr2line::function::Function::parse::{{closure}}\": {},\n \"addr2line::function::Function::parse_children\": {},\n \"addr2line::function::Function::skip\": {},\n \"addr2line::function::Functions::find_address\": {},\n \"addr2line::function::Functions::find_address::{{closure}}\": {},\n \"addr2line::function::Functions::parse\": {},\n \"addr2line::function::Functions::parse::{{closure}}\": {},\n \"addr2line::function::InlinedFunction::parse\": {},\n \"addr2line::function::InlinedFunction::parse::{{closure}}\": {},\n \"addr2line::function::name_attr\": {},\n \"addr2line::function::name_entry\": {},\n \"addr2line::lazy::LazyCell::borrow_with\": {},\n \"alloc::alloc::Global::alloc_impl\": {},\n \"alloc::alloc::Global::allocate\": {},\n \"alloc::alloc::Global::allocate_zeroed\": {},\n \"alloc::alloc::Global::deallocate\": {},\n \"alloc::alloc::Global::grow\": {},\n \"alloc::alloc::Global::grow_impl\": {},\n \"alloc::alloc::Global::shrink\": {},\n \"alloc::alloc::alloc\": {},\n \"alloc::alloc::alloc_zeroed\": {},\n \"alloc::alloc::box_free\": {},\n \"alloc::alloc::dealloc\": {},\n \"alloc::alloc::exchange_malloc\": {},\n \"alloc::alloc::handle_alloc_error\": {},\n \"alloc::alloc::handle_alloc_error::rt_error\": {},\n \"alloc::alloc::realloc\": {},\n \"alloc::borrow::Cow::as_ref\": {},\n \"alloc::borrow::Cow::deref\": {},\n \"alloc::borrow::Cow::into_owned\": {},\n \"alloc::boxed::Box::fmt\": {},\n \"alloc::boxed::Box::from_raw\": {},\n \"alloc::boxed::Box::from_raw_in\": {},\n \"alloc::boxed::Box::into_raw\": {},\n \"alloc::boxed::Box::into_raw_with_allocator\": {},\n \"alloc::boxed::Box::into_unique\": {},\n \"alloc::boxed::Box::leak\": {},\n \"alloc::boxed::Box::new\": {},\n \"alloc::boxed::Box::next\": {},\n \"alloc::boxed::Box::size_hint\": {},\n \"alloc::boxed::Box\\u003c[T],A\\u003e::clone\": {},\n \"alloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e::from\": {},\n \"alloc::collections::btree::map::BTreeMap::drop\": {},\n \"alloc::collections::btree::map::BTreeMap::get\": {},\n \"alloc::collections::btree::map::BTreeMap::into_iter\": {},\n \"alloc::collections::btree::map::IntoIter::drop\": {},\n \"alloc::collections::btree::map::IntoIter::dying_next\": {},\n \"alloc::collections::btree::mem::replace\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e,alloc::collections::btree::node::marker::KV\\u003e\\u003e::next_leaf_edge\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_end\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next_unchecked\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next_unchecked::{{closure}}\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e\\u003e::first_leaf_edge\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange::init_front\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::deallocating_end\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::deallocating_next_unchecked\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::take_front\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef,alloc::collections::btree::node::marker::Edge\\u003e::right_kv\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::Internal\\u003e,alloc::collections::btree::node::marker::Edge\\u003e::descend\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e,Type\\u003e::force\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,NodeType\\u003e,alloc::collections::btree::node::marker::KV\\u003e::drop_key_val\": {},\n \"alloc::collections::btree::node::NodeRef::ascend\": {},\n \"alloc::collections::btree::node::NodeRef::ascend::{{closure}}\": {},\n \"alloc::collections::btree::node::NodeRef::len\": {},\n \"alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e::force\": {},\n \"alloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e::deallocate_and_ascend\": {},\n \"alloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Immut,K,V,Type\\u003e::keys\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e\\u003e::search_tree\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003e::find_key_index\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003e::search_node\": {},\n \"alloc::ffi::c_str::CString::as_bytes_with_nul\": {},\n \"alloc::ffi::c_str::CString::clone\": {},\n \"alloc::ffi::c_str::CString::deref\": {},\n \"alloc::ffi::c_str::CString::drop\": {},\n \"alloc::ffi::c_str::CString::from_vec_unchecked\": {},\n \"alloc::ffi::c_str::CString::new\": {},\n \"alloc::ffi::c_str::CString::new::spec_new_impl_bytes\": {},\n \"alloc::ffi::c_str::NulError::fmt\": {},\n \"alloc::fmt::format\": {},\n \"alloc::fmt::format::format_inner\": {},\n \"alloc::fmt::format::{{closure}}\": {},\n \"alloc::raw_vec::RawVec::allocate_in\": {},\n \"alloc::raw_vec::RawVec::capacity\": {},\n \"alloc::raw_vec::RawVec::current_memory\": {},\n \"alloc::raw_vec::RawVec::drop\": {},\n \"alloc::raw_vec::RawVec::grow_amortized\": {},\n \"alloc::raw_vec::RawVec::grow_exact\": {},\n \"alloc::raw_vec::RawVec::needs_to_grow\": {},\n \"alloc::raw_vec::RawVec::ptr\": {},\n \"alloc::raw_vec::RawVec::reserve\": {},\n \"alloc::raw_vec::RawVec::reserve::do_reserve_and_handle\": {},\n \"alloc::raw_vec::RawVec::reserve_exact\": {},\n \"alloc::raw_vec::RawVec::reserve_for_push\": {},\n \"alloc::raw_vec::RawVec::set_ptr_and_cap\": {},\n \"alloc::raw_vec::RawVec::shrink\": {},\n \"alloc::raw_vec::RawVec::shrink_to_fit\": {},\n \"alloc::raw_vec::RawVec::try_reserve_exact\": {},\n \"alloc::raw_vec::RawVec::with_capacity_in\": {},\n \"alloc::raw_vec::RawVec::with_capacity_zeroed_in\": {},\n \"alloc::raw_vec::capacity_overflow\": {},\n \"alloc::raw_vec::finish_grow\": {},\n \"alloc::raw_vec::handle_reserve\": {},\n \"alloc::rc::is_dangling\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by::{{closure}}\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by_key\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by_key::{{closure}}\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::to_vec\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::to_vec_in\": {},\n \"alloc::slice::\\u003cimpl alloc::borrow::ToOwned for [T]\\u003e::to_owned\": {},\n \"alloc::slice::hack::to_vec\": {},\n \"alloc::slice::insert_head\": {},\n \"alloc::slice::insert_head::InsertionHole::drop\": {},\n \"alloc::slice::merge\": {},\n \"alloc::slice::merge::MergeHole::drop\": {},\n \"alloc::slice::merge::get_and_increment\": {},\n \"alloc::slice::merge_sort\": {},\n \"alloc::slice::merge_sort::collapse\": {},\n \"alloc::str::\\u003cimpl alloc::borrow::ToOwned for str\\u003e::to_owned\": {},\n \"alloc::string::String::deref\": {},\n \"alloc::string::String::fmt\": {},\n \"alloc::string::String::from\": {},\n \"alloc::string::String::from_utf8_lossy\": {},\n \"alloc::string::String::from_utf8_unchecked\": {},\n \"alloc::string::String::index\": {},\n \"alloc::string::String::new\": {},\n \"alloc::string::String::push\": {},\n \"alloc::string::String::push_str\": {},\n \"alloc::string::String::with_capacity\": {},\n \"alloc::string::String::write_char\": {},\n \"alloc::string::String::write_str\": {},\n \"alloc::sync::Arc::allocate_for_layout\": {},\n \"alloc::sync::Arc::allocate_for_layout::{{closure}}\": {},\n \"alloc::sync::Arc::clone\": {},\n \"alloc::sync::Arc::deref\": {},\n \"alloc::sync::Arc::drop\": {},\n \"alloc::sync::Arc::drop_slow\": {},\n \"alloc::sync::Arc::get_mut_unchecked\": {},\n \"alloc::sync::Arc::inner\": {},\n \"alloc::sync::Arc::new\": {},\n \"alloc::sync::Arc::new_uninit\": {},\n \"alloc::sync::Arc::new_uninit::{{closure}}\": {},\n \"alloc::sync::Arc::try_allocate_for_layout\": {},\n \"alloc::sync::Weak::drop\": {},\n \"alloc::sync::Weak::inner\": {},\n \"alloc::vec::Vec::append_elements\": {},\n \"alloc::vec::Vec::as_mut_ptr\": {},\n \"alloc::vec::Vec::as_ptr\": {},\n \"alloc::vec::Vec::capacity\": {},\n \"alloc::vec::Vec::clone\": {},\n \"alloc::vec::Vec::drain\": {},\n \"alloc::vec::Vec::drop\": {},\n \"alloc::vec::Vec::extend\": {},\n \"alloc::vec::Vec::extend_desugared\": {},\n \"alloc::vec::Vec::extend_from_slice\": {},\n \"alloc::vec::Vec::extend_with\": {},\n \"alloc::vec::Vec::fmt\": {},\n \"alloc::vec::Vec::from_iter\": {},\n \"alloc::vec::Vec::index\": {},\n \"alloc::vec::Vec::index_mut\": {},\n \"alloc::vec::Vec::insert\": {},\n \"alloc::vec::Vec::into_boxed_slice\": {},\n \"alloc::vec::Vec::into_iter\": {},\n \"alloc::vec::Vec::is_empty\": {},\n \"alloc::vec::Vec::len\": {},\n \"alloc::vec::Vec::new\": {},\n \"alloc::vec::Vec::pop\": {},\n \"alloc::vec::Vec::push\": {},\n \"alloc::vec::Vec::remove\": {},\n \"alloc::vec::Vec::reserve\": {},\n \"alloc::vec::Vec::reserve_exact\": {},\n \"alloc::vec::Vec::resize\": {},\n \"alloc::vec::Vec::set_len\": {},\n \"alloc::vec::Vec::shrink_to_fit\": {},\n \"alloc::vec::Vec::spare_capacity_mut\": {},\n \"alloc::vec::Vec::spec_extend\": {},\n \"alloc::vec::Vec::spec_extend::{{closure}}\": {},\n \"alloc::vec::Vec::truncate\": {},\n \"alloc::vec::Vec::with_capacity\": {},\n \"alloc::vec::Vec::with_capacity_in\": {},\n \"alloc::vec::drain::Drain::drop\": {},\n \"alloc::vec::drain::Drain::next\": {},\n \"alloc::vec::drain::Drain::size_hint\": {},\n \"alloc::vec::from_elem\": {},\n \"alloc::vec::into_iter::IntoIter::drop\": {},\n \"alloc::vec::into_iter::IntoIter::next\": {},\n \"alloc::vec::into_iter::IntoIter::next_back\": {},\n \"alloc::vec::set_len_on_drop::SetLenOnDrop::drop\": {},\n \"alloc::vec::set_len_on_drop::SetLenOnDrop::increment_len\": {},\n \"char::fmt\": {},\n \"char::into_searcher\": {},\n \"char::is_prefix_of\": {},\n \"char::is_suffix_of\": {},\n \"core::alloc::layout::Layout::array\": {},\n \"core::alloc::layout::Layout::array::inner\": {},\n \"core::alloc::layout::Layout::size\": {},\n \"core::any::TypeId::eq\": {},\n \"core::array::\\u003cimpl core::clone::Clone for [T; N]\\u003e::clone\": {},\n \"core::array::\\u003cimpl core::ops::index::Index for [T; N]\\u003e::index\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[A; N]\\u003e for \\u0026[B]\\u003e::ne\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[A; N]\\u003e for [B]\\u003e::ne\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[B; N]\\u003e for [A; N]\\u003e::eq\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[B; N]\\u003e for [A; N]\\u003e::ne\": {},\n \"core::bool::\\u003cimpl bool\\u003e::then\": {},\n \"core::cell::BorrowMutError::fmt\": {},\n \"core::cell::BorrowRefMut::drop\": {},\n \"core::cell::BorrowRefMut::new\": {},\n \"core::cell::Cell::get\": {},\n \"core::cell::Cell::replace\": {},\n \"core::cell::Cell::set\": {},\n \"core::cell::Cell::take\": {},\n \"core::cell::RefCell::borrow_mut\": {},\n \"core::cell::RefCell::try_borrow_mut\": {},\n \"core::char::EscapeDebug::next\": {},\n \"core::char::EscapeDebug::size_hint\": {},\n \"core::char::EscapeDefault::len\": {},\n \"core::char::EscapeDefault::next\": {},\n \"core::char::EscapeDefault::size_hint\": {},\n \"core::char::EscapeUnicode::next\": {},\n \"core::char::convert::char_try_from_u32\": {},\n \"core::char::convert::from_digit\": {},\n \"core::char::convert::from_u32\": {},\n \"core::char::from_digit\": {},\n \"core::char::from_u32\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::encode_utf8\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_debug\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_debug_ext\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_unicode\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_control\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_digit\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_grapheme_extended\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::len_utf8\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::to_digit\": {},\n \"core::char::methods::encode_utf8_raw\": {},\n \"core::char::methods::len_utf8\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for \\u0026T\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for bool\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u32\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u64\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u8\\u003e::clone\": {},\n \"core::cmp::Ord::max\": {},\n \"core::cmp::Ord::min\": {},\n \"core::cmp::PartialEq::ne\": {},\n \"core::cmp::PartialOrd::ge\": {},\n \"core::cmp::PartialOrd::le\": {},\n \"core::cmp::PartialOrd::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for i64\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for isize\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for u32\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for u64\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for usize\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u16\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u32\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u64\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u8\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for usize\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq\\u003c\\u0026B\\u003e for \\u0026A\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq\\u003c\\u0026B\\u003e for \\u0026A\\u003e::ne\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for i64\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for isize\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u16\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u64\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u8\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::gt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd\\u003c\\u0026B\\u003e for \\u0026A\\u003e::ge\": {},\n \"core::cmp::max\": {},\n \"core::cmp::max_by\": {},\n \"core::cmp::min\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u16\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u32\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u64\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for usize\\u003e::from\": {},\n \"core::core_arch::simd::i32x4::new\": {},\n \"core::core_arch::x86::pclmulqdq::mm_clmulepi64_si128\": {},\n \"core::core_arch::x86::sse2::mm_and_si128\": {},\n \"core::core_arch::x86::sse2::mm_cvtsi32_si128\": {},\n \"core::core_arch::x86::sse2::mm_loadu_si128\": {},\n \"core::core_arch::x86::sse2::mm_pause\": {},\n \"core::core_arch::x86::sse2::mm_srli_si128\": {},\n \"core::core_arch::x86::sse2::mm_srli_si128_impl\": {},\n \"core::core_arch::x86::sse2::mm_xor_si128\": {},\n \"core::core_arch::x86::sse41::mm_extract_epi32\": {},\n \"core::error::Error::cause\": {},\n \"core::error::Error::provide\": {},\n \"core::error::Error::type_id\": {},\n \"core::ffi::c_str::CStr::from_ptr\": {},\n \"core::fmt::ArgumentV1::as_usize\": {},\n \"core::fmt::Arguments::as_str\": {},\n \"core::fmt::Arguments::estimated_capacity\": {},\n \"core::fmt::Arguments::fmt\": {},\n \"core::fmt::Arguments::new_v1\": {},\n \"core::fmt::Arguments::new_v1_formatted\": {},\n \"core::fmt::Error::fmt\": {},\n \"core::fmt::Formatter::alternate\": {},\n \"core::fmt::Formatter::debug_list\": {},\n \"core::fmt::Formatter::debug_lower_hex\": {},\n \"core::fmt::Formatter::debug_struct\": {},\n \"core::fmt::Formatter::debug_struct_field1_finish\": {},\n \"core::fmt::Formatter::debug_struct_field2_finish\": {},\n \"core::fmt::Formatter::debug_tuple\": {},\n \"core::fmt::Formatter::debug_tuple_field1_finish\": {},\n \"core::fmt::Formatter::debug_tuple_field2_finish\": {},\n \"core::fmt::Formatter::debug_upper_hex\": {},\n \"core::fmt::Formatter::new\": {},\n \"core::fmt::Formatter::pad\": {},\n \"core::fmt::Formatter::pad_integral\": {},\n \"core::fmt::Formatter::pad_integral::write_prefix\": {},\n \"core::fmt::Formatter::padding\": {},\n \"core::fmt::Formatter::sign_aware_zero_pad\": {},\n \"core::fmt::Formatter::sign_plus\": {},\n \"core::fmt::Formatter::wrap_buf\": {},\n \"core::fmt::Formatter::write_char\": {},\n \"core::fmt::Formatter::write_fmt\": {},\n \"core::fmt::Formatter::write_str\": {},\n \"core::fmt::PostPadding::write\": {},\n \"core::fmt::USIZE_MARKER::{{closure}}\": {},\n \"core::fmt::Write::write_char\": {},\n \"core::fmt::Write::write_fmt\": {},\n \"core::fmt::builders::DebugInner::entry\": {},\n \"core::fmt::builders::DebugInner::entry::{{closure}}\": {},\n \"core::fmt::builders::DebugInner::is_pretty\": {},\n \"core::fmt::builders::DebugList::entries\": {},\n \"core::fmt::builders::DebugList::finish\": {},\n \"core::fmt::builders::DebugList::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugSet::entry\": {},\n \"core::fmt::builders::DebugStruct::field\": {},\n \"core::fmt::builders::DebugStruct::field::{{closure}}\": {},\n \"core::fmt::builders::DebugStruct::finish\": {},\n \"core::fmt::builders::DebugStruct::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugStruct::is_pretty\": {},\n \"core::fmt::builders::DebugTuple::field\": {},\n \"core::fmt::builders::DebugTuple::field::{{closure}}\": {},\n \"core::fmt::builders::DebugTuple::finish\": {},\n \"core::fmt::builders::DebugTuple::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugTuple::is_pretty\": {},\n \"core::fmt::builders::PadAdapter::wrap\": {},\n \"core::fmt::builders::PadAdapter::wrap::{{closure}}\": {},\n \"core::fmt::builders::PadAdapter::write_str\": {},\n \"core::fmt::builders::debug_list_new\": {},\n \"core::fmt::builders::debug_struct_new\": {},\n \"core::fmt::builders::debug_tuple_new\": {},\n \"core::fmt::getcount\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for usize\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for usize\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for usize\\u003e::fmt\": {},\n \"core::fmt::num::GenericRadix::fmt_int\": {},\n \"core::fmt::num::LowerHex::digit\": {},\n \"core::fmt::num::UpperHex::digit\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for i32\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u16\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u32\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u64\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u8\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for usize\\u003e::fmt\": {},\n \"core::fmt::num::imp::fmt_u64\": {},\n \"core::fmt::pointer_fmt_inner\": {},\n \"core::fmt::run\": {},\n \"core::fmt::write\": {},\n \"core::hint::black_box\": {},\n \"core::hint::spin_loop\": {},\n \"core::intrinsics::copy\": {},\n \"core::intrinsics::copy_nonoverlapping\": {},\n \"core::iter::adapters::cloned::Cloned::fold\": {},\n \"core::iter::adapters::cloned::Cloned::next\": {},\n \"core::iter::adapters::copied::Copied::len\": {},\n \"core::iter::adapters::copied::Copied::next\": {},\n \"core::iter::adapters::copied::Copied::try_fold\": {},\n \"core::iter::adapters::copied::Copied::try_rfold\": {},\n \"core::iter::adapters::copied::copy_try_fold::{{closure}}\": {},\n \"core::iter::adapters::enumerate::Enumerate::next\": {},\n \"core::iter::adapters::enumerate::Enumerate::try_fold\": {},\n \"core::iter::adapters::enumerate::Enumerate::try_fold::enumerate::{{closure}}\": {},\n \"core::iter::adapters::filter::Filter::count\": {},\n \"core::iter::adapters::filter::Filter::count::to_usize::{{closure}}\": {},\n \"core::iter::adapters::filter::Filter::next\": {},\n \"core::iter::adapters::filter::Filter::try_fold\": {},\n \"core::iter::adapters::filter::filter_try_fold::{{closure}}\": {},\n \"core::iter::adapters::filter_map::FilterMap::next\": {},\n \"core::iter::adapters::map::Map::fold\": {},\n \"core::iter::adapters::map::Map::next\": {},\n \"core::iter::adapters::map::map_fold::{{closure}}\": {},\n \"core::iter::adapters::peekable::Peekable::next\": {},\n \"core::iter::adapters::peekable::Peekable::peek\": {},\n \"core::iter::adapters::peekable::Peekable::peek::{{closure}}\": {},\n \"core::iter::adapters::rev::Rev::next\": {},\n \"core::iter::adapters::rev::Rev::try_fold\": {},\n \"core::iter::adapters::take::Take::advance_by\": {},\n \"core::iter::adapters::take::Take::next\": {},\n \"core::iter::adapters::take::Take::nth\": {},\n \"core::iter::adapters::take::Take::size_hint\": {},\n \"core::iter::adapters::take_while::TakeWhile::next\": {},\n \"core::iter::adapters::take_while::TakeWhile::try_fold\": {},\n \"core::iter::adapters::take_while::TakeWhile::try_fold::check::{{closure}}\": {},\n \"core::iter::range::\\u003cimpl core::iter::traits::double_ended::DoubleEndedIterator for core::ops::range::Range\\u003e::next_back\": {},\n \"core::iter::range::\\u003cimpl core::iter::traits::iterator::Iterator for core::ops::range::Range\\u003e::next\": {},\n \"core::iter::sources::from_fn::FromFn::clone\": {},\n \"core::iter::sources::from_fn::FromFn::next\": {},\n \"core::iter::sources::once::Once::next\": {},\n \"core::iter::sources::once::Once::size_hint\": {},\n \"core::iter::traits::double_ended::DoubleEndedIterator::try_rfold\": {},\n \"core::iter::traits::exact_size::ExactSizeIterator::len\": {},\n \"core::iter::traits::iterator::Iterator::advance_by\": {},\n \"core::iter::traits::iterator::Iterator::all\": {},\n \"core::iter::traits::iterator::Iterator::all::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::any\": {},\n \"core::iter::traits::iterator::Iterator::any::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::collect\": {},\n \"core::iter::traits::iterator::Iterator::eq\": {},\n \"core::iter::traits::iterator::Iterator::eq::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::eq_by\": {},\n \"core::iter::traits::iterator::Iterator::find\": {},\n \"core::iter::traits::iterator::Iterator::find::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::find_map\": {},\n \"core::iter::traits::iterator::Iterator::find_map::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::fold\": {},\n \"core::iter::traits::iterator::Iterator::for_each\": {},\n \"core::iter::traits::iterator::Iterator::for_each::call::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::max\": {},\n \"core::iter::traits::iterator::Iterator::max_by\": {},\n \"core::iter::traits::iterator::Iterator::max_by::fold::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::nth\": {},\n \"core::iter::traits::iterator::Iterator::reduce\": {},\n \"core::iter::traits::iterator::Iterator::rposition\": {},\n \"core::iter::traits::iterator::Iterator::rposition::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::sum\": {},\n \"core::iter::traits::iterator::Iterator::try_fold\": {},\n \"core::mem::drop\": {},\n \"core::mem::manually_drop::ManuallyDrop::new\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init_drop\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init_read\": {},\n \"core::mem::maybe_uninit::MaybeUninit::write\": {},\n \"core::mem::maybe_uninit::MaybeUninit::write_slice\": {},\n \"core::mem::replace\": {},\n \"core::mem::swap\": {},\n \"core::mem::swap_simple\": {},\n \"core::mem::take\": {},\n \"core::mem::zeroed\": {},\n \"core::num::\\u003cimpl core::str::traits::FromStr for u64\\u003e::from_str\": {},\n \"core::num::\\u003cimpl i64\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl i64\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_neg\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl u16\\u003e::from_le_bytes\": {},\n \"core::num::\\u003cimpl u16\\u003e::from_ne_bytes\": {},\n \"core::num::\\u003cimpl u16\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_be\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_be_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_le_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_ne_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_str_radix\": {},\n \"core::num::\\u003cimpl u32\\u003e::leading_zeros\": {},\n \"core::num::\\u003cimpl u32\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl u32\\u003e::saturating_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::swap_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::wrapping_shr\": {},\n \"core::num::\\u003cimpl u32\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_div\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_mul\": {},\n \"core::num::\\u003cimpl u8\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u8\\u003e::is_utf8_char_boundary\": {},\n \"core::num::\\u003cimpl u8\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::leading_zeros\": {},\n \"core::num::\\u003cimpl usize\\u003e::next_power_of_two\": {},\n \"core::num::\\u003cimpl usize\\u003e::one_less_than_next_power_of_two\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::saturating_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::saturating_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::unchecked_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_sub\": {},\n \"core::num::can_not_overflow\": {},\n \"core::num::error::IntErrorKind::fmt\": {},\n \"core::num::error::ParseIntError::fmt\": {},\n \"core::num::from_str_radix\": {},\n \"core::num::wrapping::Wrapping::add\": {},\n \"core::num::wrapping::Wrapping::add_assign\": {},\n \"core::num::wrapping::Wrapping::div\": {},\n \"core::num::wrapping::Wrapping::mul\": {},\n \"core::ops::function::Fn::call\": {},\n \"core::ops::function::FnMut::call_mut\": {},\n \"core::ops::function::FnOnce::call_once\": {},\n \"core::ops::function::FnOnce::call_once{{vtable.shim}}\": {},\n \"core::ops::function::impls::\\u003cimpl core::ops::function::FnMut for \\u0026mut F\\u003e::call_mut\": {},\n \"core::ops::function::impls::\\u003cimpl core::ops::function::FnOnce for \\u0026mut F\\u003e::call_once\": {},\n \"core::ops::range::Range::fmt\": {},\n \"core::ops::range::Range::get\": {},\n \"core::ops::range::Range::get_unchecked\": {},\n \"core::ops::range::Range::get_unchecked_mut\": {},\n \"core::ops::range::Range::index\": {},\n \"core::ops::range::Range::index_mut\": {},\n \"core::ops::range::Range::spec_next\": {},\n \"core::ops::range::Range::spec_next_back\": {},\n \"core::ops::range::RangeFrom::get\": {},\n \"core::ops::range::RangeFrom::get_unchecked\": {},\n \"core::ops::range::RangeFrom::get_unchecked_mut\": {},\n \"core::ops::range::RangeFrom::index\": {},\n \"core::ops::range::RangeFrom::index_mut\": {},\n \"core::ops::range::RangeInclusive::index\": {},\n \"core::ops::range::RangeInclusive::into_slice_range\": {},\n \"core::ops::range::RangeTo::get\": {},\n \"core::ops::range::RangeTo::index\": {},\n \"core::option::IntoIter::next\": {},\n \"core::option::IntoIter::size_hint\": {},\n \"core::option::Item::next\": {},\n \"core::option::Item::size_hint\": {},\n \"core::option::Option::and_then\": {},\n \"core::option::Option::as_deref\": {},\n \"core::option::Option::as_ref\": {},\n \"core::option::Option::branch\": {},\n \"core::option::Option::clone\": {},\n \"core::option::Option::eq\": {},\n \"core::option::Option::expect\": {},\n \"core::option::Option::fmt\": {},\n \"core::option::Option::from_residual\": {},\n \"core::option::Option::get_or_insert\": {},\n \"core::option::Option::get_or_insert_with\": {},\n \"core::option::Option::insert\": {},\n \"core::option::Option::is_none\": {},\n \"core::option::Option::is_some\": {},\n \"core::option::Option::map\": {},\n \"core::option::Option::map_or_else\": {},\n \"core::option::Option::ok_or\": {},\n \"core::option::Option::ok_or_else\": {},\n \"core::option::Option::or_else\": {},\n \"core::option::Option::read_error\": {},\n \"core::option::Option::take\": {},\n \"core::option::Option::unwrap\": {},\n \"core::option::Option::unwrap_or\": {},\n \"core::option::Option::unwrap_or_else\": {},\n \"core::option::Option\\u003c\\u0026T\\u003e::cloned\": {},\n \"core::option::Option\\u003c\\u0026T\\u003e::copied\": {},\n \"core::option::expect_failed\": {},\n \"core::panic::location::Location::fmt\": {},\n \"core::panic::panic_info::PanicInfo::can_unwind\": {},\n \"core::panic::panic_info::PanicInfo::fmt\": {},\n \"core::panic::panic_info::PanicInfo::internal_constructor\": {},\n \"core::panic::panic_info::PanicInfo::location\": {},\n \"core::panic::panic_info::PanicInfo::message\": {},\n \"core::panicking::assert_failed\": {},\n \"core::panicking::assert_failed_inner\": {},\n \"core::panicking::panic\": {},\n \"core::panicking::panic_bounds_check\": {},\n \"core::panicking::panic_display\": {},\n \"core::panicking::panic_fmt\": {},\n \"core::panicking::panic_no_unwind\": {},\n \"core::panicking::panic_str\": {},\n \"core::pin::Pin::clone\": {},\n \"core::ptr::align_offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::add\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::align_offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::align_offset::rt_impl\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::copy_to_nonoverlapping\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::guaranteed_eq\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::is_null\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::read\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::sub\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::sub_ptr\": {},\n \"core::ptr::drop_in_place\\u003c\\u0026mut std::io::Write::write_fmt::Adapter\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(smallvec::SmallVec\\u003c[u64; 16]\\u003e,usize)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cT\": {},\n \"core::ptr::drop_in_place\\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[addr2line::LineSequence]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[addr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::string::String]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[gimli::read::abbrev::Abbreviation]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[libflate::gzip::ExtraSubField]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::Context\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIter\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIterFrames\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIterState\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::LineSequence\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::Lines\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::borrow::Cow\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::LineRow]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::LineSequence]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::FunctionAddress]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::InlinedFunctionAddress]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[alloc::string::String]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::any::Any+core::marker::Send\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::iter::traits::iterator::Iterator+Item = u8\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cpanic_unwind::real_imp::Exception\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cstd::io::error::Custom\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::collections::btree::map::BTreeMap\\u003cu64,gimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::collections::btree::map::IntoIter\\u003cu64,gimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::ffi::c_str::CString\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::ffi::c_str::NulError\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(*mut u8,unsafe extern \\\"C\\\" fn(*mut u8))\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::LineRow\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::slice::merge_sort::Run\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::abbrev::AttributeSpecification\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::line::FileEntry\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::line::FileEntryFormat\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::unit::AttributeValue\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::gzip::ExtraSubField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::huffman::Code\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::string::String\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003ccore::mem::maybe_uninit::MaybeUninit\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::thread::Inner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::ArcInner\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003ccore::mem::maybe_uninit::MaybeUninit\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::thread::Inner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::LineRow\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::slice::merge_sort::Run\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::abbrev::AttributeSpecification\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::line::FileEntry\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::line::FileEntryFormat\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::unit::AttributeValue\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::gzip::ExtraSubField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::huffman::Code\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::drain::Drain\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::drain::Drain\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c(*mut u8,unsafe extern \\\"C\\\" fn(*mut u8))\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::set_len_on_drop::SetLenOnDrop\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::BorrowRefMut\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::Cell\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefCell\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003cstd::io::stdio::StderrRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::iter::adapters::rev::Rev\\u003calloc::vec::into_iter::IntoIter\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::boxed::Box\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::ffi::c_str::CString\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::sync::Arc\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cgimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003clibflate::gzip::ExtraField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::path::PathBuf\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::pin::Pin\\u003calloc::sync::Arc\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003c(),std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cstd::ffi::os_str::OsString,std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cstd::path::PathBuf,std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::slice::sort::CopyOnDrop\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Abbreviation\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Abbreviations\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Attributes\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::dwarf::Unit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::LineProgramHeader\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::LineRows\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,gimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::bit::BitReader\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::deflate::decode::Decoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::deflate::symbol::Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::Decoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::ExtraField\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::ExtraSubField\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::Header\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::HeaderBuilder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::MultiDecoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::DecoderBuilder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::Encoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate_lz77::Lz77Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cpanic_unwind::real_imp::Exception\\u003e\": {},\n \"core::ptr::drop_in_place\\u003csmallvec::SmallVec\\u003c[u64; 16]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::print::BacktraceFrameFmt\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Context\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Library\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Mapping\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::elf::Object\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::stash::Stash\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::ffi::os_str::OsString\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::fs::File\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::Write::write_fmt::Adapter\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::bufwriter::BufWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::Custom\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::Error\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::ErrorData\\u003calloc::boxed::Box\\u003cstd::io::error::Custom\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::repr_bitpacked::Repr\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::stdio::StderrLock\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::stdio::StdoutLock\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::os::fd::owned::OwnedFd\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::panicking::begin_panic_handler::PanicPayload\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::path::PathBuf\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::once::Waiter\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::once::WaiterQueue\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::fd::FileDesc\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::fs::File\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::os_str::Buf\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::backtrace::_print_fmt::{{closure}}\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::mutex::StaticMutexGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::remutex::ReentrantMutexGuard\\u003ccore::cell::RefCell\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::remutex::ReentrantMutexGuard\\u003ccore::cell::RefCell\\u003cstd::io::stdio::StderrRaw\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::rwlock::StaticRwLockReadGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::thread_info::set::{{closure}}\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::thread::Inner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::thread::Thread\\u003e\": {},\n \"core::ptr::drop_in_placecore::iter::traits::iterator::Iterator::for_each::call\\u003cu8,\\u003calloc::vec::Vec\": {},\n \"core::ptr::metadata::from_raw_parts_mut\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::add\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::guaranteed_eq\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::is_null\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub_ptr\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::with_addr\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_add\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_byte_offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_byte_sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::write\": {},\n \"core::ptr::non_null::NonNull::as_ref\": {},\n \"core::ptr::null_mut\": {},\n \"core::ptr::read\": {},\n \"core::ptr::read_volatile\": {},\n \"core::ptr::swap\": {},\n \"core::ptr::write\": {},\n \"core::result::Result::and_then\": {},\n \"core::result::Result::as_mut\": {},\n \"core::result::Result::as_ref\": {},\n \"core::result::Result::branch\": {},\n \"core::result::Result::eq\": {},\n \"core::result::Result::expect\": {},\n \"core::result::Result::from_residual\": {},\n \"core::result::Result::is_err\": {},\n \"core::result::Result::is_ok\": {},\n \"core::result::Result::map\": {},\n \"core::result::Result::map_err\": {},\n \"core::result::Result::ok\": {},\n \"core::result::Result::unwrap\": {},\n \"core::result::Result::unwrap_or\": {},\n \"core::result::Result::unwrap_or_default\": {},\n \"core::result::Result::unwrap_or_else\": {},\n \"core::result::Result\\u003cT,()\\u003e::read_error\": {},\n \"core::result::unwrap_failed\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::align_to\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::as_chunks\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by_key\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by_key::{{closure}}\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::chunks_exact\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::copy_from_slice\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::copy_from_slice::len_mismatch_fail\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::ends_with\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::first\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get_unchecked_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::is_empty\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::iter\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::iter_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::last\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::last_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::reverse\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::reverse::revswap\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::sort_unstable_by_key\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::sort_unstable_by_key::{{closure}}\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_mut_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_last\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::starts_with\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::swap\": {},\n \"core::slice::cmp::\\u003cimpl core::cmp::PartialEq\\u003c[B]\\u003e for [A]\\u003e::eq\": {},\n \"core::slice::index::\\u003cimpl core::ops::index::Index for [T]\\u003e::index\": {},\n \"core::slice::index::\\u003cimpl core::ops::index::IndexMut for [T]\\u003e::index_mut\": {},\n \"core::slice::index::range\": {},\n \"core::slice::index::slice_end_index_len_fail\": {},\n \"core::slice::index::slice_end_index_len_fail_rt\": {},\n \"core::slice::index::slice_index_order_fail\": {},\n \"core::slice::index::slice_index_order_fail_rt\": {},\n \"core::slice::index::slice_start_index_len_fail\": {},\n \"core::slice::index::slice_start_index_len_fail_rt\": {},\n \"core::slice::iter::\\u003cimpl core::iter::traits::collect::IntoIterator for \\u0026[T]\\u003e::into_iter\": {},\n \"core::slice::iter::Chunks::next\": {},\n \"core::slice::iter::ChunksExact::new\": {},\n \"core::slice::iter::ChunksExact::next\": {},\n \"core::slice::iter::Iter::any\": {},\n \"core::slice::iter::Iter::as_slice\": {},\n \"core::slice::iter::Iter::find\": {},\n \"core::slice::iter::Iter::find_map\": {},\n \"core::slice::iter::Iter::len\": {},\n \"core::slice::iter::Iter::make_slice\": {},\n \"core::slice::iter::Iter::new\": {},\n \"core::slice::iter::Iter::next\": {},\n \"core::slice::iter::Iter::next_back\": {},\n \"core::slice::iter::Iter::position\": {},\n \"core::slice::iter::Iter::post_inc_start\": {},\n \"core::slice::iter::Iter::pre_dec_end\": {},\n \"core::slice::iter::Iter::rposition\": {},\n \"core::slice::iter::Iter::size_hint\": {},\n \"core::slice::iter::IterMut::new\": {},\n \"core::slice::iter::IterMut::next\": {},\n \"core::slice::iter::IterMut::next_back\": {},\n \"core::slice::iter::IterMut::pre_dec_end\": {},\n \"core::slice::memchr::contains_zero_byte\": {},\n \"core::slice::memchr::memchr\": {},\n \"core::slice::memchr::memchr_aligned\": {},\n \"core::slice::memchr::memchr_naive\": {},\n \"core::slice::memchr::repeat_byte\": {},\n \"core::slice::sort::CopyOnDrop::drop\": {},\n \"core::slice::sort::break_patterns\": {},\n \"core::slice::sort::break_patterns::{{closure}}\": {},\n \"core::slice::sort::choose_pivot\": {},\n \"core::slice::sort::choose_pivot::{{closure}}\": {},\n \"core::slice::sort::heapsort\": {},\n \"core::slice::sort::heapsort::{{closure}}\": {},\n \"core::slice::sort::insertion_sort\": {},\n \"core::slice::sort::partial_insertion_sort\": {},\n \"core::slice::sort::partition\": {},\n \"core::slice::sort::partition_equal\": {},\n \"core::slice::sort::partition_in_blocks\": {},\n \"core::slice::sort::partition_in_blocks::width\": {},\n \"core::slice::sort::quicksort\": {},\n \"core::slice::sort::recurse\": {},\n \"core::slice::sort::shift_head\": {},\n \"core::slice::sort::shift_tail\": {},\n \"core::str::\\u003cimpl str\\u003e::bytes\": {},\n \"core::str::\\u003cimpl str\\u003e::char_indices\": {},\n \"core::str::\\u003cimpl str\\u003e::chars\": {},\n \"core::str::\\u003cimpl str\\u003e::contains\": {},\n \"core::str::\\u003cimpl str\\u003e::ends_with\": {},\n \"core::str::\\u003cimpl str\\u003e::find\": {},\n \"core::str::\\u003cimpl str\\u003e::floor_char_boundary\": {},\n \"core::str::\\u003cimpl str\\u003e::floor_char_boundary::{{closure}}\": {},\n \"core::str::\\u003cimpl str\\u003e::get\": {},\n \"core::str::\\u003cimpl str\\u003e::get_unchecked\": {},\n \"core::str::\\u003cimpl str\\u003e::is_char_boundary\": {},\n \"core::str::\\u003cimpl str\\u003e::is_empty\": {},\n \"core::str::\\u003cimpl str\\u003e::parse\": {},\n \"core::str::\\u003cimpl str\\u003e::split\": {},\n \"core::str::\\u003cimpl str\\u003e::starts_with\": {},\n \"core::str::\\u003cimpl str\\u003e::trim_start_matches\": {},\n \"core::str::converts::from_utf8\": {},\n \"core::str::count::char_count_general_case\": {},\n \"core::str::count::char_count_general_case::{{closure}}\": {},\n \"core::str::count::contains_non_continuation_byte\": {},\n \"core::str::count::count_chars\": {},\n \"core::str::count::do_count_chars\": {},\n \"core::str::count::sum_bytes_in_usize\": {},\n \"core::str::error::Utf8Error::error_len\": {},\n \"core::str::error::Utf8Error::fmt\": {},\n \"core::str::iter::Bytes::any\": {},\n \"core::str::iter::Bytes::next\": {},\n \"core::str::iter::Bytes::rposition\": {},\n \"core::str::iter::CharIndices::next\": {},\n \"core::str::iter::Chars::as_str\": {},\n \"core::str::iter::Chars::count\": {},\n \"core::str::iter::Chars::next\": {},\n \"core::str::iter::Split::next\": {},\n \"core::str::iter::SplitInclusive::next\": {},\n \"core::str::iter::SplitInternal::get_end\": {},\n \"core::str::iter::SplitInternal::next\": {},\n \"core::str::iter::SplitInternal::next_inclusive\": {},\n \"core::str::lossy::Utf8Chunks::next\": {},\n \"core::str::lossy::Utf8Chunks::next::safe_get\": {},\n \"core::str::pattern::CharPredicateSearcher::next_match\": {},\n \"core::str::pattern::CharSearcher::next_match\": {},\n \"core::str::pattern::MultiCharEqPattern::into_searcher\": {},\n \"core::str::pattern::MultiCharEqSearcher::next\": {},\n \"core::str::pattern::Pattern::is_contained_in\": {},\n \"core::str::pattern::Searcher::next_match\": {},\n \"core::str::pattern::Searcher::next_reject\": {},\n \"core::str::pattern::StrSearcher::new\": {},\n \"core::str::pattern::StrSearcher::next\": {},\n \"core::str::pattern::StrSearcher::next_match\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_contains\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_create\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_create::{{closure}}\": {},\n \"core::str::pattern::TwoWaySearcher::maximal_suffix\": {},\n \"core::str::pattern::TwoWaySearcher::new\": {},\n \"core::str::pattern::TwoWaySearcher::next\": {},\n \"core::str::pattern::TwoWaySearcher::reverse_maximal_suffix\": {},\n \"core::str::slice_error_fail\": {},\n \"core::str::slice_error_fail_rt\": {},\n \"core::str::traits::\\u003cimpl core::cmp::PartialEq for str\\u003e::eq\": {},\n \"core::str::traits::\\u003cimpl core::ops::index::Index for str\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::get_unchecked\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::get_unchecked\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeInclusive\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\\u003e::index\": {},\n \"core::str::traits::str_index_overflow_fail\": {},\n \"core::str::validations::contains_nonascii\": {},\n \"core::str::validations::next_code_point\": {},\n \"core::str::validations::run_utf8_validation\": {},\n \"core::str::validations::utf8_acc_cont_byte\": {},\n \"core::str::validations::utf8_char_width\": {},\n \"core::str::validations::utf8_first_byte\": {},\n \"core::str::validations::utf8_is_cont_byte\": {},\n \"core::sync::atomic::AtomicBool::load\": {},\n \"core::sync::atomic::AtomicBool::store\": {},\n \"core::sync::atomic::AtomicBool::swap\": {},\n \"core::sync::atomic::AtomicPtr::compare_exchange\": {},\n \"core::sync::atomic::AtomicPtr::load\": {},\n \"core::sync::atomic::AtomicPtr::swap\": {},\n \"core::sync::atomic::AtomicU32::compare_exchange\": {},\n \"core::sync::atomic::AtomicU32::compare_exchange_weak\": {},\n \"core::sync::atomic::AtomicU32::fetch_add\": {},\n \"core::sync::atomic::AtomicU32::fetch_sub\": {},\n \"core::sync::atomic::AtomicU32::load\": {},\n \"core::sync::atomic::AtomicU32::swap\": {},\n \"core::sync::atomic::AtomicU64::compare_exchange_weak\": {},\n \"core::sync::atomic::AtomicU64::load\": {},\n \"core::sync::atomic::AtomicU8::load\": {},\n \"core::sync::atomic::AtomicU8::store\": {},\n \"core::sync::atomic::AtomicUsize::compare_exchange\": {},\n \"core::sync::atomic::AtomicUsize::fetch_add\": {},\n \"core::sync::atomic::AtomicUsize::fetch_sub\": {},\n \"core::sync::atomic::AtomicUsize::load\": {},\n \"core::sync::atomic::AtomicUsize::store\": {},\n \"core::sync::atomic::atomic_add\": {},\n \"core::sync::atomic::atomic_compare_exchange\": {},\n \"core::sync::atomic::atomic_compare_exchange_weak\": {},\n \"core::sync::atomic::atomic_load\": {},\n \"core::sync::atomic::atomic_store\": {},\n \"core::sync::atomic::atomic_sub\": {},\n \"core::sync::atomic::atomic_swap\": {},\n \"core::time::Duration::new\": {},\n \"core::unicode::printable::check\": {},\n \"core::unicode::printable::is_printable\": {},\n \"core::unicode::unicode_data::cc::lookup\": {},\n \"core::unicode::unicode_data::decode_length\": {},\n \"core::unicode::unicode_data::decode_prefix_sum\": {},\n \"core::unicode::unicode_data::grapheme_extend::lookup\": {},\n \"core::unicode::unicode_data::skip_search\": {},\n \"core::unicode::unicode_data::skip_search::{{closure}}\": {},\n \"crc32fast::Hasher::default\": {},\n \"crc32fast::Hasher::internal_new_baseline\": {},\n \"crc32fast::Hasher::new\": {},\n \"crc32fast::Hasher::new_with_initial\": {},\n \"crc32fast::Hasher::new_with_initial_len\": {},\n \"crc32fast::Hasher::new_with_initial_len::{{closure}}\": {},\n \"crc32fast::Hasher::update\": {},\n \"crc32fast::baseline::State::update\": {},\n \"crc32fast::baseline::update_fast_16\": {},\n \"crc32fast::baseline::update_slow\": {},\n \"crc32fast::specialized::pclmulqdq::State::update\": {},\n \"crc32fast::specialized::pclmulqdq::calculate\": {},\n \"crc32fast::specialized::pclmulqdq::get\": {},\n \"crc32fast::specialized::pclmulqdq::reduce128\": {},\n \"gimli::common::DebugInfoOffset::cmp\": {},\n \"gimli::common::DebugInfoOffset::eq\": {},\n \"gimli::common::DebugInfoOffset::partial_cmp\": {},\n \"gimli::common::DebugLineOffset::clone\": {},\n \"gimli::common::DwarfFileType::eq\": {},\n \"gimli::common::Encoding::clone\": {},\n \"gimli::common::Format::eq\": {},\n \"gimli::common::Format::initial_length_size\": {},\n \"gimli::common::LineEncoding::clone\": {},\n \"gimli::constants::DwChildren::eq\": {},\n \"gimli::constants::DwForm::eq\": {},\n \"gimli::constants::DwLnct::eq\": {},\n \"gimli::constants::DwTag::eq\": {},\n \"gimli::leb128::low_bits_of_byte\": {},\n \"gimli::leb128::read::signed\": {},\n \"gimli::leb128::read::u16\": {},\n \"gimli::leb128::read::unsigned\": {},\n \"gimli::read::Error::clone\": {},\n \"gimli::read::Section::load\": {},\n \"gimli::read::abbrev::Abbreviation::attributes\": {},\n \"gimli::read::abbrev::Abbreviation::has_children\": {},\n \"gimli::read::abbrev::Abbreviation::parse\": {},\n \"gimli::read::abbrev::Abbreviation::parse_attributes\": {},\n \"gimli::read::abbrev::Abbreviation::parse_has_children\": {},\n \"gimli::read::abbrev::Abbreviation::parse_tag\": {},\n \"gimli::read::abbrev::Abbreviation::tag\": {},\n \"gimli::read::abbrev::Abbreviations::get\": {},\n \"gimli::read::abbrev::Abbreviations::parse\": {},\n \"gimli::read::abbrev::AttributeSpecification::form\": {},\n \"gimli::read::abbrev::AttributeSpecification::implicit_const_value\": {},\n \"gimli::read::abbrev::AttributeSpecification::name\": {},\n \"gimli::read::abbrev::AttributeSpecification::parse\": {},\n \"gimli::read::abbrev::AttributeSpecification::parse_form\": {},\n \"gimli::read::abbrev::DebugAbbrev::abbreviations\": {},\n \"gimli::read::addr::DebugAddr::get_address\": {},\n \"gimli::read::aranges::ArangeEntry::parse\": {},\n \"gimli::read::aranges::ArangeEntryIter::next\": {},\n \"gimli::read::aranges::ArangeHeader::parse\": {},\n \"gimli::read::aranges::ArangeHeaderIter::next\": {},\n \"gimli::read::aranges::DebugAranges::header\": {},\n \"gimli::read::aranges::DebugAranges::headers\": {},\n \"gimli::read::dwarf::Dwarf::address\": {},\n \"gimli::read::dwarf::Dwarf::attr_address\": {},\n \"gimli::read::dwarf::Dwarf::attr_ranges_offset\": {},\n \"gimli::read::dwarf::Dwarf::attr_string\": {},\n \"gimli::read::dwarf::Dwarf::load\": {},\n \"gimli::read::dwarf::Dwarf::load_sup\": {},\n \"gimli::read::dwarf::Dwarf::ranges\": {},\n \"gimli::read::dwarf::Dwarf::ranges_offset\": {},\n \"gimli::read::dwarf::Dwarf::ranges_offset_from_raw\": {},\n \"gimli::read::dwarf::Dwarf::sup\": {},\n \"gimli::read::dwarf::Dwarf::unit\": {},\n \"gimli::read::dwarf::Dwarf::units\": {},\n \"gimli::read::dwarf::Unit::encoding\": {},\n \"gimli::read::dwarf::Unit::entries_raw\": {},\n \"gimli::read::dwarf::Unit::new\": {},\n \"gimli::read::endian_slice::EndianSlice::empty\": {},\n \"gimli::read::endian_slice::EndianSlice::find\": {},\n \"gimli::read::endian_slice::EndianSlice::find::{{closure}}\": {},\n \"gimli::read::endian_slice::EndianSlice::is_empty\": {},\n \"gimli::read::endian_slice::EndianSlice::offset_from\": {},\n \"gimli::read::endian_slice::EndianSlice::offset_id\": {},\n \"gimli::read::endian_slice::EndianSlice::read_slice\": {},\n \"gimli::read::endian_slice::EndianSlice::skip\": {},\n \"gimli::read::endian_slice::EndianSlice::split\": {},\n \"gimli::read::endian_slice::EndianSlice::to_string_lossy\": {},\n \"gimli::read::endian_slice::EndianSlice::truncate\": {},\n \"gimli::read::line::DebugLine::program\": {},\n \"gimli::read::line::FileEntry::clone\": {},\n \"gimli::read::line::FileEntry::directory\": {},\n \"gimli::read::line::FileEntry::parse\": {},\n \"gimli::read::line::FileEntry::path_name\": {},\n \"gimli::read::line::FileEntryFormat::parse\": {},\n \"gimli::read::line::IncompleteLineProgram::add_file\": {},\n \"gimli::read::line::IncompleteLineProgram::clone\": {},\n \"gimli::read::line::IncompleteLineProgram::rows\": {},\n \"gimli::read::line::LineInstruction::parse\": {},\n \"gimli::read::line::LineInstructions::next_instruction\": {},\n \"gimli::read::line::LineProgramHeader::clone\": {},\n \"gimli::read::line::LineProgramHeader::directory\": {},\n \"gimli::read::line::LineProgramHeader::file\": {},\n \"gimli::read::line::LineProgramHeader::parse\": {},\n \"gimli::read::line::LineProgramHeader::parse::{{closure}}\": {},\n \"gimli::read::line::LineRow::address\": {},\n \"gimli::read::line::LineRow::adjust_opcode\": {},\n \"gimli::read::line::LineRow::apply_operation_advance\": {},\n \"gimli::read::line::LineRow::end_sequence\": {},\n \"gimli::read::line::LineRow::exec_special_opcode\": {},\n \"gimli::read::line::LineRow::execute\": {},\n \"gimli::read::line::LineRow::file_index\": {},\n \"gimli::read::line::LineRow::line\": {},\n \"gimli::read::line::LineRow::new\": {},\n \"gimli::read::line::LineRow::reset\": {},\n \"gimli::read::line::LineRows::new\": {},\n \"gimli::read::line::LineRows::next_row\": {},\n \"gimli::read::line::parse_attribute\": {},\n \"gimli::read::line::parse_directory_v5\": {},\n \"gimli::read::line::parse_file_v5\": {},\n \"gimli::read::loclists::\\u003cimpl gimli::common::DebugLocListsBase\\u003e::default_for_encoding_and_file\": {},\n \"gimli::read::reader::Reader::read_address\": {},\n \"gimli::read::reader::Reader::read_i8\": {},\n \"gimli::read::reader::Reader::read_initial_length\": {},\n \"gimli::read::reader::Reader::read_length\": {},\n \"gimli::read::reader::Reader::read_null_terminated_slice\": {},\n \"gimli::read::reader::Reader::read_offset\": {},\n \"gimli::read::reader::Reader::read_sized_offset\": {},\n \"gimli::read::reader::Reader::read_sleb128\": {},\n \"gimli::read::reader::Reader::read_u16\": {},\n \"gimli::read::reader::Reader::read_u32\": {},\n \"gimli::read::reader::Reader::read_u64\": {},\n \"gimli::read::reader::Reader::read_u8\": {},\n \"gimli::read::reader::Reader::read_u8_array\": {},\n \"gimli::read::reader::Reader::read_uint\": {},\n \"gimli::read::reader::Reader::read_uleb128\": {},\n \"gimli::read::reader::Reader::read_uleb128_u16\": {},\n \"gimli::read::reader::Reader::read_word\": {},\n \"gimli::read::rnglists::Range::add_base_address\": {},\n \"gimli::read::rnglists::RangeLists::get_offset\": {},\n \"gimli::read::rnglists::RangeLists::get_offset::{{closure}}\": {},\n \"gimli::read::rnglists::RangeLists::ranges\": {},\n \"gimli::read::rnglists::RangeLists::raw_ranges\": {},\n \"gimli::read::rnglists::RawRange::is_base_address\": {},\n \"gimli::read::rnglists::RawRange::is_end\": {},\n \"gimli::read::rnglists::RawRange::parse\": {},\n \"gimli::read::rnglists::RawRngListEntry::parse\": {},\n \"gimli::read::rnglists::RawRngListIter::next\": {},\n \"gimli::read::rnglists::RngListIter::get_address\": {},\n \"gimli::read::rnglists::RngListIter::next\": {},\n \"gimli::read::str::\\u003cimpl gimli::common::DebugStrOffsetsBase\\u003e::default_for_encoding_and_file\": {},\n \"gimli::read::str::DebugLineStr::get_str\": {},\n \"gimli::read::str::DebugStr::get_str\": {},\n \"gimli::read::str::DebugStrOffsets::get_str_offset\": {},\n \"gimli::read::unit::Attribute::exprloc_value\": {},\n \"gimli::read::unit::Attribute::offset_value\": {},\n \"gimli::read::unit::Attribute::u16_value\": {},\n \"gimli::read::unit::Attribute::u8_value\": {},\n \"gimli::read::unit::Attribute::udata_value\": {},\n \"gimli::read::unit::Attribute::value\": {},\n \"gimli::read::unit::AttributeValue::clone\": {},\n \"gimli::read::unit::AttributeValue::exprloc_value\": {},\n \"gimli::read::unit::AttributeValue::offset_value\": {},\n \"gimli::read::unit::AttributeValue::u16_value\": {},\n \"gimli::read::unit::AttributeValue::u8_value\": {},\n \"gimli::read::unit::AttributeValue::udata_value\": {},\n \"gimli::read::unit::AttrsIter::next\": {},\n \"gimli::read::unit::DebugInfoUnitHeadersIter::next\": {},\n \"gimli::read::unit::DebuggingInformationEntry::attrs\": {},\n \"gimli::read::unit::DebuggingInformationEntry::has_children\": {},\n \"gimli::read::unit::DebuggingInformationEntry::parse\": {},\n \"gimli::read::unit::EntriesCursor::next_dfs\": {},\n \"gimli::read::unit::EntriesCursor::next_entry\": {},\n \"gimli::read::unit::EntriesRaw::is_empty\": {},\n \"gimli::read::unit::EntriesRaw::next_depth\": {},\n \"gimli::read::unit::EntriesRaw::next_offset\": {},\n \"gimli::read::unit::EntriesRaw::read_abbreviation\": {},\n \"gimli::read::unit::EntriesRaw::read_attribute\": {},\n \"gimli::read::unit::UnitHeader::abbreviations\": {},\n \"gimli::read::unit::UnitHeader::entries\": {},\n \"gimli::read::unit::UnitHeader::entries_raw\": {},\n \"gimli::read::unit::UnitHeader::header_size\": {},\n \"gimli::read::unit::UnitHeader::is_valid_offset\": {},\n \"gimli::read::unit::UnitHeader::length_including_self\": {},\n \"gimli::read::unit::UnitHeader::range_from\": {},\n \"gimli::read::unit::length_u16_value\": {},\n \"gimli::read::unit::length_u32_value\": {},\n \"gimli::read::unit::length_u8_value\": {},\n \"gimli::read::unit::length_uleb128_value\": {},\n \"gimli::read::unit::parse_attribute\": {},\n \"gimli::read::unit::parse_debug_abbrev_offset\": {},\n \"gimli::read::unit::parse_dwo_id\": {},\n \"gimli::read::unit::parse_unit_header\": {},\n \"gimli::read::unit::parse_unit_type\": {},\n \"i32::is_minus_one\": {},\n \"isize::is_minus_one\": {},\n \"libc::unix::linux_like::linux::gnu::\\u003cimpl libc::unix::linux_like::linux::gnu::b64::x86_64::siginfo_t\\u003e::si_addr\": {},\n \"libc::unix::linux_like::linux::makedev\": {},\n \"libflate::bit::BitReader::check_last_error\": {},\n \"libflate::bit::BitReader::fill_next_u8\": {},\n \"libflate::bit::BitReader::peek_bits_unchecked\": {},\n \"libflate::bit::BitReader::read_bit\": {},\n \"libflate::bit::BitReader::read_bits\": {},\n \"libflate::bit::BitReader::read_bits_unchecked\": {},\n \"libflate::bit::BitReader::reset\": {},\n \"libflate::bit::BitReader::set_last_error\": {},\n \"libflate::bit::BitReader::skip_bits\": {},\n \"libflate::checksum::Crc32::new\": {},\n \"libflate::checksum::Crc32::update\": {},\n \"libflate::deflate::decode::Decoder::read\": {},\n \"libflate::deflate::decode::Decoder::read_compressed_block\": {},\n \"libflate::deflate::decode::Decoder::read_non_compressed_block\": {},\n \"libflate::deflate::decode::Decoder::read_non_compressed_block::{{closure}}\": {},\n \"libflate::deflate::decode::Decoder::reset\": {},\n \"libflate::deflate::symbol::Decoder::decode_distance\": {},\n \"libflate::deflate::symbol::Decoder::decode_literal_or_length\": {},\n \"libflate::deflate::symbol::Decoder::decode_unchecked\": {},\n \"libflate::deflate::symbol::DynamicHuffmanCodec::load\": {},\n \"libflate::deflate::symbol::DynamicHuffmanCodec::load::{{closure}}\": {},\n \"libflate::deflate::symbol::FixedHuffmanCodec::load\": {},\n \"libflate::deflate::symbol::FixedHuffmanCodec::load::{{closure}}\": {},\n \"libflate::deflate::symbol::load_bitwidthes\": {},\n \"libflate::deflate::symbol::load_bitwidthes::{{closure}}\": {},\n \"libflate::gzip::CompressionLevel::clone\": {},\n \"libflate::gzip::CompressionLevel::from_u8\": {},\n \"libflate::gzip::CompressionLevel::to_u8\": {},\n \"libflate::gzip::Decoder::as_inner_mut\": {},\n \"libflate::gzip::Decoder::new\": {},\n \"libflate::gzip::Decoder::read\": {},\n \"libflate::gzip::Decoder::reset\": {},\n \"libflate::gzip::ExtraField::clone\": {},\n \"libflate::gzip::ExtraField::read_from\": {},\n \"libflate::gzip::ExtraField::write_to\": {},\n \"libflate::gzip::ExtraSubField::clone\": {},\n \"libflate::gzip::ExtraSubField::read_from\": {},\n \"libflate::gzip::ExtraSubField::write_to\": {},\n \"libflate::gzip::Header::clone\": {},\n \"libflate::gzip::Header::crc16\": {},\n \"libflate::gzip::Header::flags\": {},\n \"libflate::gzip::Header::read_from\": {},\n \"libflate::gzip::Header::write_to\": {},\n \"libflate::gzip::HeaderBuilder::finish\": {},\n \"libflate::gzip::HeaderBuilder::new\": {},\n \"libflate::gzip::MultiDecoder::as_inner_mut\": {},\n \"libflate::gzip::MultiDecoder::new\": {},\n \"libflate::gzip::MultiDecoder::read\": {},\n \"libflate::gzip::Os::from_u8\": {},\n \"libflate::gzip::Os::to_u8\": {},\n \"libflate::gzip::read_cstring\": {},\n \"libflate::huffman::Builder::restore_canonical_huffman_codes\": {},\n \"libflate::huffman::Builder::restore_canonical_huffman_codes::{{closure}}\": {},\n \"libflate::huffman::Code::fmt\": {},\n \"libflate::huffman::Code::inverse_endian\": {},\n \"libflate::huffman::Decoder::decode\": {},\n \"libflate::huffman::Decoder::decode_unchecked\": {},\n \"libflate::huffman::DecoderBuilder::finish\": {},\n \"libflate::huffman::DecoderBuilder::from_bitwidthes\": {},\n \"libflate::huffman::DecoderBuilder::new\": {},\n \"libflate::huffman::DecoderBuilder::safely_peek_bitwidth\": {},\n \"libflate::huffman::DecoderBuilder::set_mapping\": {},\n \"libflate_lz77::Lz77Decoder::buffer\": {},\n \"libflate_lz77::Lz77Decoder::decode\": {},\n \"libflate_lz77::Lz77Decoder::extend_from_reader\": {},\n \"libflate_lz77::Lz77Decoder::read\": {},\n \"libflate_lz77::Lz77Decoder::truncate_old_buffer\": {},\n \"miniz_oxide::inflate::TINFLStatus::eq\": {},\n \"object::elf::CompressionHeader64::ch_size\": {},\n \"object::elf::Sym64::st_name\": {},\n \"object::elf::Sym64::st_type\": {},\n \"object::elf::Sym64::st_value\": {},\n \"object::endian::Endian::read_u32_bytes\": {},\n \"object::endian::U32Bytes::get\": {},\n \"object::pod::from_bytes\": {},\n \"object::pod::slice_from_bytes\": {},\n \"object::read::elf::file::FileHeader::endian\": {},\n \"object::read::elf::file::FileHeader::is_big_endian\": {},\n \"object::read::elf::file::FileHeader::is_supported\": {},\n \"object::read::elf::file::FileHeader::parse\": {},\n \"object::read::elf::file::FileHeader::section_0\": {},\n \"object::read::elf::file::FileHeader::section_headers\": {},\n \"object::read::elf::file::FileHeader::section_strings\": {},\n \"object::read::elf::file::FileHeader::sections\": {},\n \"object::read::elf::file::FileHeader::shnum\": {},\n \"object::read::elf::file::FileHeader::shstrndx\": {},\n \"object::read::elf::note::Note::name\": {},\n \"object::read::elf::note::NoteIterator::new\": {},\n \"object::read::elf::note::NoteIterator::next\": {},\n \"object::read::elf::section::SectionHeader::data\": {},\n \"object::read::elf::section::SectionHeader::data_as_array\": {},\n \"object::read::elf::section::SectionHeader::file_range\": {},\n \"object::read::elf::section::SectionHeader::name\": {},\n \"object::read::elf::section::SectionHeader::notes\": {},\n \"object::read::elf::section::SectionTable::iter\": {},\n \"object::read::elf::section::SectionTable::section\": {},\n \"object::read::elf::section::SectionTable::section_by_name\": {},\n \"object::read::elf::section::SectionTable::section_by_name::{{closure}}\": {},\n \"object::read::elf::section::SectionTable::section_name\": {},\n \"object::read::elf::section::SectionTable::symbols\": {},\n \"object::read::elf::section::SectionTable::symbols::{{closure}}\": {},\n \"object::read::elf::symbol::SymbolTable::iter\": {},\n \"object::read::elf::symbol::SymbolTable::parse\": {},\n \"object::read::elf::symbol::SymbolTable::parse::{{closure}}\": {},\n \"object::read::read_ref::ReadRef::read\": {},\n \"object::read::read_ref::ReadRef::read_at\": {},\n \"object::read::read_ref::ReadRef::read_bytes\": {},\n \"object::read::read_ref::ReadRef::read_slice\": {},\n \"object::read::read_ref::ReadRef::read_slice_at\": {},\n \"object::read::util::Bytes::read\": {},\n \"object::read::util::Bytes::read_at\": {},\n \"object::read::util::Bytes::read_bytes\": {},\n \"object::read::util::Bytes::read_bytes_at\": {},\n \"object::read::util::Bytes::read_slice\": {},\n \"object::read::util::Bytes::skip\": {},\n \"object::read::util::StringTable::get\": {},\n \"object::read::util::align\": {},\n \"panic_unwind::real_imp::cleanup\": {},\n \"panic_unwind::real_imp::panic\": {},\n \"panic_unwind::real_imp::panic::exception_cleanup\": {},\n \"rle_decode_fast::append_from_within\": {},\n \"rle_decode_fast::lookbehind_length_fail\": {},\n \"rle_decode_fast::rle_decode\": {},\n \"rustc_demangle::Demangle::fmt\": {},\n \"rustc_demangle::DemangleStyle::fmt\": {},\n \"rustc_demangle::SizeLimitExhausted::fmt\": {},\n \"rustc_demangle::SizeLimitedFmtAdapter::write_str\": {},\n \"rustc_demangle::demangle\": {},\n \"rustc_demangle::demangle::{{closure}}\": {},\n \"rustc_demangle::is_ascii_punctuation\": {},\n \"rustc_demangle::is_symbol_like\": {},\n \"rustc_demangle::is_symbol_like::{{closure}}\": {},\n \"rustc_demangle::legacy::Demangle::fmt\": {},\n \"rustc_demangle::legacy::Demangle::fmt::{{closure}}\": {},\n \"rustc_demangle::legacy::demangle\": {},\n \"rustc_demangle::legacy::demangle::{{closure}}\": {},\n \"rustc_demangle::legacy::is_rust_hash\": {},\n \"rustc_demangle::legacy::is_rust_hash::{{closure}}\": {},\n \"rustc_demangle::try_demangle\": {},\n \"rustc_demangle::v0::Demangle::fmt\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}::utf8_len_from_first_byte\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_uint\": {},\n \"rustc_demangle::v0::Ident::fmt\": {},\n \"rustc_demangle::v0::Ident::fmt::{{closure}}\": {},\n \"rustc_demangle::v0::Ident::punycode_decode\": {},\n \"rustc_demangle::v0::Ident::try_small_punycode_decode\": {},\n \"rustc_demangle::v0::Ident::try_small_punycode_decode::{{closure}}\": {},\n \"rustc_demangle::v0::ParseError::message\": {},\n \"rustc_demangle::v0::Parser::backref\": {},\n \"rustc_demangle::v0::Parser::digit_10\": {},\n \"rustc_demangle::v0::Parser::digit_62\": {},\n \"rustc_demangle::v0::Parser::disambiguator\": {},\n \"rustc_demangle::v0::Parser::eat\": {},\n \"rustc_demangle::v0::Parser::hex_nibbles\": {},\n \"rustc_demangle::v0::Parser::ident\": {},\n \"rustc_demangle::v0::Parser::ident::{{closure}}\": {},\n \"rustc_demangle::v0::Parser::integer_62\": {},\n \"rustc_demangle::v0::Parser::namespace\": {},\n \"rustc_demangle::v0::Parser::next\": {},\n \"rustc_demangle::v0::Parser::opt_integer_62\": {},\n \"rustc_demangle::v0::Parser::peek\": {},\n \"rustc_demangle::v0::Parser::pop_depth\": {},\n \"rustc_demangle::v0::Parser::push_depth\": {},\n \"rustc_demangle::v0::Printer::eat\": {},\n \"rustc_demangle::v0::Printer::eat::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::in_binder\": {},\n \"rustc_demangle::v0::Printer::pop_depth\": {},\n \"rustc_demangle::v0::Printer::print\": {},\n \"rustc_demangle::v0::Printer::print_backref\": {},\n \"rustc_demangle::v0::Printer::print_const\": {},\n \"rustc_demangle::v0::Printer::print_const::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_const_str_literal\": {},\n \"rustc_demangle::v0::Printer::print_const_uint\": {},\n \"rustc_demangle::v0::Printer::print_dyn_trait\": {},\n \"rustc_demangle::v0::Printer::print_generic_arg\": {},\n \"rustc_demangle::v0::Printer::print_lifetime_from_index\": {},\n \"rustc_demangle::v0::Printer::print_path\": {},\n \"rustc_demangle::v0::Printer::print_path::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_path_maybe_open_generics\": {},\n \"rustc_demangle::v0::Printer::print_path_maybe_open_generics::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_quoted_escaped_chars\": {},\n \"rustc_demangle::v0::Printer::print_sep_list\": {},\n \"rustc_demangle::v0::Printer::print_type\": {},\n \"rustc_demangle::v0::Printer::print_type::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::skipping_printing\": {},\n \"rustc_demangle::v0::basic_type\": {},\n \"rustc_demangle::v0::demangle\": {},\n \"rustc_demangle::v0::demangle::{{closure}}\": {},\n \"smallvec::SmallVec::deref\": {},\n \"smallvec::SmallVec::drop\": {},\n \"smallvec::SmallVec::fmt\": {},\n \"smallvec::SmallVec::insert_many\": {},\n \"smallvec::SmallVec::push\": {},\n \"smallvec::SmallVec::set_len\": {},\n \"smallvec::SmallVec::spilled\": {},\n \"smallvec::SmallVec::triple\": {},\n \"smallvec::SmallVecData::heap\": {},\n \"smallvec::SmallVecData::inline\": {},\n \"std::alloc::default_alloc_error_hook\": {},\n \"std::backtrace_rs::backtrace::Frame::ip\": {},\n \"std::backtrace_rs::backtrace::libunwind::Frame::ip\": {},\n \"std::backtrace_rs::backtrace::libunwind::trace\": {},\n \"std::backtrace_rs::backtrace::libunwind::trace::trace_fn\": {},\n \"std::backtrace_rs::backtrace::trace_unsynchronized\": {},\n \"std::backtrace_rs::print::BacktraceFmt::new\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::drop\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_fileline\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw_generic\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw_with_column\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::symbol\": {},\n \"std::backtrace_rs::print::PrintFmt::eq\": {},\n \"std::backtrace_rs::symbolize::ResolveWhat::address_or_ip\": {},\n \"std::backtrace_rs::symbolize::Symbol::colno\": {},\n \"std::backtrace_rs::symbolize::Symbol::filename_raw\": {},\n \"std::backtrace_rs::symbolize::Symbol::lineno\": {},\n \"std::backtrace_rs::symbolize::Symbol::name\": {},\n \"std::backtrace_rs::symbolize::SymbolName::as_str\": {},\n \"std::backtrace_rs::symbolize::SymbolName::as_str::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::SymbolName::fmt\": {},\n \"std::backtrace_rs::symbolize::format_symbol_name\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::new\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::with_global\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::with_global::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Context::new\": {},\n \"std::backtrace_rs::symbolize::gimli::Context::new::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk_or_other\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::colno\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::filename_raw\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::lineno\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::name\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new_debug\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new_debug::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::build_id\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::parse\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::parse::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::search_symtab\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section_header\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::debug_path_exists\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::decompress_zlib\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::hex\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_build_id\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_debugaltlink\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_debuglink\": {},\n \"std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::callback\": {},\n \"std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::native_libraries\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap::Mmap::drop\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap::Mmap::map\": {},\n \"std::backtrace_rs::symbolize::gimli::resolve\": {},\n \"std::backtrace_rs::symbolize::gimli::resolve::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::allocate\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::new\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::set_mmap_aux\": {},\n \"std::backtrace_rs::symbolize::resolve_frame_unsynchronized\": {},\n \"std::env::current_dir\": {},\n \"std::env::current_exe\": {},\n \"std::env::var_os\": {},\n \"std::ffi::os_str::OsStr::display\": {},\n \"std::ffi::os_str::OsStr::eq\": {},\n \"std::ffi::os_str::OsStr::to_os_string\": {},\n \"std::ffi::os_str::OsStr::to_owned\": {},\n \"std::ffi::os_str::OsStr::to_str\": {},\n \"std::ffi::os_str::OsString::eq\": {},\n \"std::ffi::os_str::OsString::push\": {},\n \"std::ffi::os_str::OsString::with_capacity\": {},\n \"std::fs::File::metadata\": {},\n \"std::fs::File::open\": {},\n \"std::fs::FileType::is_dir\": {},\n \"std::fs::FileType::is_file\": {},\n \"std::fs::Metadata::is_dir\": {},\n \"std::fs::Metadata::is_file\": {},\n \"std::fs::OpenOptions::open\": {},\n \"std::fs::canonicalize\": {},\n \"std::fs::metadata\": {},\n \"std::fs::read_link\": {},\n \"std::io::Read::read_exact\": {},\n \"std::io::Read::read_to_end\": {},\n \"std::io::Take::read\": {},\n \"std::io::Take::read_buf\": {},\n \"std::io::Write::write_all\": {},\n \"std::io::Write::write_fmt\": {},\n \"std::io::Write::write_fmt::Adapter::write_str\": {},\n \"std::io::buffered::bufwriter::BufWriter::drop\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::consume\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::done\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::drop\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::remaining\": {},\n \"std::io::buffered::bufwriter::BufWriter::spare_capacity\": {},\n \"std::io::buffered::bufwriter::BufWriter::with_capacity\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_all\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_all_cold\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_to_buffer_unchecked\": {},\n \"std::io::buffered::linewriter::LineWriter::new\": {},\n \"std::io::buffered::linewriter::LineWriter::with_capacity\": {},\n \"std::io::buffered::linewriter::LineWriter::write_all\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::buffered\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::flush_if_completed_line\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::write_all\": {},\n \"std::io::default_read_exact\": {},\n \"std::io::default_read_to_end\": {},\n \"std::io::error::\\u003cimpl core::fmt::Debug for std::io::error::repr_bitpacked::Repr\\u003e::fmt\": {},\n \"std::io::error::Custom::fmt\": {},\n \"std::io::error::Error::fmt\": {},\n \"std::io::error::Error::from\": {},\n \"std::io::error::Error::from_raw_os_error\": {},\n \"std::io::error::Error::kind\": {},\n \"std::io::error::Error::last_os_error\": {},\n \"std::io::error::Error::new\": {},\n \"std::io::error::ErrorKind::eq\": {},\n \"std::io::error::ErrorKind::fmt\": {},\n \"std::io::error::repr_bitpacked::Repr::data\": {},\n \"std::io::error::repr_bitpacked::Repr::drop\": {},\n \"std::io::error::repr_bitpacked::Repr::new_custom\": {},\n \"std::io::error::repr_bitpacked::Repr::new_os\": {},\n \"std::io::error::repr_bitpacked::decode_repr\": {},\n \"std::io::error::repr_bitpacked::kind_from_prim\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read_buf\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read_exact\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read_buf\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read_exact\": {},\n \"std::io::impls::\\u003cimpl std::io::Write for \\u0026mut W\\u003e::write_all\": {},\n \"std::io::impls::\\u003cimpl std::io::Write for alloc::vec::Vec\\u003e::write_all\": {},\n \"std::io::readbuf::BorrowedBuf::filled\": {},\n \"std::io::readbuf::BorrowedCursor::append\": {},\n \"std::io::readbuf::BorrowedCursor::init_ref\": {},\n \"std::io::readbuf::BorrowedCursor::set_init\": {},\n \"std::io::stdio::Stderr::lock\": {},\n \"std::io::stdio::Stderr::write_fmt\": {},\n \"std::io::stdio::StderrLock::write_all\": {},\n \"std::io::stdio::StderrRaw::write_all\": {},\n \"std::io::stdio::Stdout::lock\": {},\n \"std::io::stdio::Stdout::write_fmt\": {},\n \"std::io::stdio::StdoutLock::write_all\": {},\n \"std::io::stdio::StdoutRaw::write\": {},\n \"std::io::stdio::StdoutRaw::write_all\": {},\n \"std::io::stdio::cleanup\": {},\n \"std::io::stdio::cleanup::{{closure}}\": {},\n \"std::io::stdio::eprint\": {},\n \"std::io::stdio::handle_ebadf\": {},\n \"std::io::stdio::print\": {},\n \"std::io::stdio::print_to\": {},\n \"std::io::stdio::stdout\": {},\n \"std::io::stdio::stdout::{{closure}}\": {},\n \"std::os::fd::owned::OwnedFd::drop\": {},\n \"std::panic::BacktraceStyle::as_usize\": {},\n \"std::panic::BacktraceStyle::from_usize\": {},\n \"std::panic::get_backtrace_style\": {},\n \"std::panic::get_backtrace_style::{{closure}}\": {},\n \"std::panic::set_backtrace_style\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::fill\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::fill::{{closure}}\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::get\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::new\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::take_box\": {},\n \"std::panicking::begin_panic_handler::StrPanicPayload::get\": {},\n \"std::panicking::begin_panic_handler::StrPanicPayload::take_box\": {},\n \"std::panicking::begin_panic_handler::{{closure}}\": {},\n \"std::panicking::default_hook\": {},\n \"std::panicking::default_hook::{{closure}}\": {},\n \"std::panicking::panic_count::increase\": {},\n \"std::panicking::panic_count::increase::{{closure}}\": {},\n \"std::panicking::rust_panic_with_hook\": {},\n \"std::path::\\u003cimpl core::convert::AsRef\\u003cstd::path::Path\\u003e for std::ffi::os_str::OsString\\u003e::as_ref\": {},\n \"std::path::Component::eq\": {},\n \"std::path::Components::as_path\": {},\n \"std::path::Components::clone\": {},\n \"std::path::Components::eq\": {},\n \"std::path::Components::finished\": {},\n \"std::path::Components::has_root\": {},\n \"std::path::Components::include_cur_dir\": {},\n \"std::path::Components::is_sep_byte\": {},\n \"std::path::Components::len_before_body\": {},\n \"std::path::Components::next\": {},\n \"std::path::Components::next_back\": {},\n \"std::path::Components::parse_next_component\": {},\n \"std::path::Components::parse_next_component::{{closure}}\": {},\n \"std::path::Components::parse_next_component_back\": {},\n \"std::path::Components::parse_next_component_back::{{closure}}\": {},\n \"std::path::Components::parse_single_component\": {},\n \"std::path::Components::prefix_len\": {},\n \"std::path::Components::prefix_remaining\": {},\n \"std::path::Components::prefix_verbatim\": {},\n \"std::path::Components::trim_left\": {},\n \"std::path::Components::trim_right\": {},\n \"std::path::Display::fmt\": {},\n \"std::path::Path::components\": {},\n \"std::path::Path::has_root\": {},\n \"std::path::Path::is_absolute\": {},\n \"std::path::Path::is_dir\": {},\n \"std::path::Path::is_dir::{{closure}}\": {},\n \"std::path::Path::is_file\": {},\n \"std::path::Path::is_file::{{closure}}\": {},\n \"std::path::Path::parent\": {},\n \"std::path::Path::parent::{{closure}}\": {},\n \"std::path::Path::strip_prefix\": {},\n \"std::path::Path::strip_prefix::{{closure}}\": {},\n \"std::path::Path::to_str\": {},\n \"std::path::PathBuf::deref\": {},\n \"std::path::PathBuf::eq\": {},\n \"std::path::PathBuf::from\": {},\n \"std::path::PathBuf::push\": {},\n \"std::path::PathBuf::push::{{closure}}\": {},\n \"std::path::Prefix::clone\": {},\n \"std::path::Prefix::eq\": {},\n \"std::path::Prefix::len\": {},\n \"std::path::PrefixComponent::eq\": {},\n \"std::path::State::clone\": {},\n \"std::path::State::eq\": {},\n \"std::path::State::partial_cmp\": {},\n \"std::path::StripPrefixError::fmt\": {},\n \"std::path::has_physical_root\": {},\n \"std::path::iter_after\": {},\n \"std::personality::dwarf::DwarfReader::read\": {},\n \"std::personality::dwarf::DwarfReader::read_sleb128\": {},\n \"std::personality::dwarf::DwarfReader::read_uleb128\": {},\n \"std::personality::dwarf::eh::find_eh_action\": {},\n \"std::personality::dwarf::eh::read_encoded_pointer\": {},\n \"std::personality::dwarf::eh::round_up\": {},\n \"std::personality::gcc::find_eh_action\": {},\n \"std::personality::gcc::find_eh_action::{{closure}}\": {},\n \"std::personality::gcc::rust_eh_personality_impl\": {},\n \"std::process::abort\": {},\n \"std::rt::cleanup::{{closure}}\": {},\n \"std::rt::lang_start_internal::{{closure}}\": {},\n \"std::sync::once::Once::call_inner\": {},\n \"std::sync::once::Once::call_once::{{closure}}\": {},\n \"std::sync::once::Once::call_once_force\": {},\n \"std::sync::once::Once::call_once_force::{{closure}}\": {},\n \"std::sync::once::Once::is_completed\": {},\n \"std::sync::once::WaiterQueue::drop\": {},\n \"std::sync::once::wait\": {},\n \"std::sync::once_lock::OnceLock::get\": {},\n \"std::sync::once_lock::OnceLock::get_or_init\": {},\n \"std::sync::once_lock::OnceLock::get_or_init::{{closure}}\": {},\n \"std::sync::once_lock::OnceLock::get_or_try_init\": {},\n \"std::sync::once_lock::OnceLock::initialize\": {},\n \"std::sync::once_lock::OnceLock::initialize::{{closure}}\": {},\n \"std::sync::once_lock::OnceLock::is_initialized\": {},\n \"std::sys::common::alloc::realloc_fallback\": {},\n \"std::sys::unix::abort_internal\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::alloc\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::alloc_zeroed\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::dealloc\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::realloc\": {},\n \"std::sys::unix::alloc::aligned_malloc\": {},\n \"std::sys::unix::args::imp::ARGV_INIT_ARRAY::init_wrapper\": {},\n \"std::sys::unix::cleanup\": {},\n \"std::sys::unix::cvt\": {},\n \"std::sys::unix::cvt_r\": {},\n \"std::sys::unix::decode_error_kind\": {},\n \"std::sys::unix::fd::FileDesc::write\": {},\n \"std::sys::unix::fs::File::file_attr\": {},\n \"std::sys::unix::fs::File::open\": {},\n \"std::sys::unix::fs::File::open_c\": {},\n \"std::sys::unix::fs::File::open_c::{{closure}}\": {},\n \"std::sys::unix::fs::FileType::is\": {},\n \"std::sys::unix::fs::FileType::is_dir\": {},\n \"std::sys::unix::fs::FileType::is_file\": {},\n \"std::sys::unix::fs::canonicalize\": {},\n \"std::sys::unix::fs::cstr\": {},\n \"std::sys::unix::fs::readlink\": {},\n \"std::sys::unix::fs::stat\": {},\n \"std::sys::unix::fs::try_statx\": {},\n \"std::sys::unix::fs::try_statx::statx\": {},\n \"std::sys::unix::futex::futex_wait\": {},\n \"std::sys::unix::futex::futex_wait::{{closure}}\": {},\n \"std::sys::unix::futex::futex_wake\": {},\n \"std::sys::unix::futex::futex_wake_all\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::lock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::lock_contended\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::spin\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::try_lock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::unlock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::wake\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read_contended\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read_unlock\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_read\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_read::{{closure}}\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_until\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::wake_writer\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::wake_writer_or_readers\": {},\n \"std::sys::unix::locks::futex_rwlock::has_reached_max_readers\": {},\n \"std::sys::unix::locks::futex_rwlock::is_read_lockable\": {},\n \"std::sys::unix::locks::futex_rwlock::is_unlocked\": {},\n \"std::sys::unix::memchr::memrchr\": {},\n \"std::sys::unix::memchr::memrchr::memrchr_specific\": {},\n \"std::sys::unix::os::current_exe\": {},\n \"std::sys::unix::os::env_read_lock\": {},\n \"std::sys::unix::os::errno\": {},\n \"std::sys::unix::os::error_string\": {},\n \"std::sys::unix::os::getcwd\": {},\n \"std::sys::unix::os::getenv\": {},\n \"std::sys::unix::os::page_size\": {},\n \"std::sys::unix::os_str::Buf::push_slice\": {},\n \"std::sys::unix::os_str::Buf::with_capacity\": {},\n \"std::sys::unix::os_str::Slice::fmt\": {},\n \"std::sys::unix::os_str::Slice::to_owned\": {},\n \"std::sys::unix::os_str::Slice::to_str\": {},\n \"std::sys::unix::path::is_sep_byte\": {},\n \"std::sys::unix::stack_overflow::imp::cleanup\": {},\n \"std::sys::unix::stack_overflow::imp::drop_handler\": {},\n \"std::sys::unix::stack_overflow::imp::signal_handler\": {},\n \"std::sys::unix::stdio::Stderr::write\": {},\n \"std::sys::unix::stdio::Stdout::write\": {},\n \"std::sys::unix::stdio::is_ebadf\": {},\n \"std::sys::unix::thread_local_dtor::register_dtor\": {},\n \"std::sys::unix::thread_local_key::create\": {},\n \"std::sys::unix::thread_local_key::destroy\": {},\n \"std::sys::unix::thread_local_key::get\": {},\n \"std::sys::unix::thread_local_key::set\": {},\n \"std::sys::unix::time::SystemTime::sub_time\": {},\n \"std::sys::unix::time::Timespec::checked_add_duration\": {},\n \"std::sys::unix::time::Timespec::partial_cmp\": {},\n \"std::sys::unix::time::Timespec::sub_timespec\": {},\n \"std::sys::unix::time::Timespec::to_timespec\": {},\n \"std::sys::unix::time::inner::\\u003cimpl std::sys::unix::time::SystemTime\\u003e::now\": {},\n \"std::sys::unix::time::inner::\\u003cimpl std::sys::unix::time::Timespec\\u003e::now\": {},\n \"std::sys_common::backtrace::_print::DisplayBacktrace::fmt\": {},\n \"std::sys_common::backtrace::_rust_begin_short_backtrace\": {},\n \"std::sys_common::backtrace::_rust_end_short_backtrace\": {},\n \"std::sys_common::backtrace::lock\": {},\n \"std::sys_common::backtrace::output_filename\": {},\n \"std::sys_common::backtrace::print\": {},\n \"std::sys_common::backtrace::print_fmt\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}::{{closure}}\": {},\n \"std::sys_common::memchr::memrchr\": {},\n \"std::sys_common::mutex::MovableMutex::raw_lock\": {},\n \"std::sys_common::mutex::MovableMutex::raw_unlock\": {},\n \"std::sys_common::mutex::MovableMutex::try_lock\": {},\n \"std::sys_common::mutex::StaticMutex::lock\": {},\n \"std::sys_common::mutex::StaticMutexGuard::drop\": {},\n \"std::sys_common::remutex::ReentrantMutex::increment_lock_count\": {},\n \"std::sys_common::remutex::ReentrantMutex::lock\": {},\n \"std::sys_common::remutex::ReentrantMutex::try_lock\": {},\n \"std::sys_common::remutex::ReentrantMutexGuard::drop\": {},\n \"std::sys_common::rwlock::StaticRwLock::read\": {},\n \"std::sys_common::rwlock::StaticRwLockReadGuard::drop\": {},\n \"std::sys_common::thread_info::THREAD_INFO::_getit\": {},\n \"std::sys_common::thread_info::THREAD_INFO::_getit::destroy\": {},\n \"std::sys_common::thread_info::ThreadInfo::with\": {},\n \"std::sys_common::thread_info::ThreadInfo::with::{{closure}}\": {},\n \"std::sys_common::thread_info::ThreadInfo::with::{{closure}}::{{closure}}\": {},\n \"std::sys_common::thread_info::current_thread\": {},\n \"std::sys_common::thread_info::current_thread::{{closure}}\": {},\n \"std::sys_common::thread_info::stack_guard\": {},\n \"std::sys_common::thread_info::stack_guard::{{closure}}\": {},\n \"std::sys_common::thread_local_dtor::register_dtor_fallback\": {},\n \"std::sys_common::thread_local_dtor::register_dtor_fallback::run_dtors\": {},\n \"std::sys_common::thread_local_key::StaticKey::get\": {},\n \"std::sys_common::thread_local_key::StaticKey::key\": {},\n \"std::sys_common::thread_local_key::StaticKey::lazy_init\": {},\n \"std::sys_common::thread_local_key::StaticKey::set\": {},\n \"std::sys_common::thread_parker::futex::Parker::new\": {},\n \"std::sys_common::thread_parker::futex::Parker::park\": {},\n \"std::sys_common::thread_parker::futex::Parker::unpark\": {},\n \"std::thread::Thread::clone\": {},\n \"std::thread::Thread::cname\": {},\n \"std::thread::Thread::name\": {},\n \"std::thread::Thread::new\": {},\n \"std::thread::Thread::unpark\": {},\n \"std::thread::ThreadId::new\": {},\n \"std::thread::ThreadId::new::exhausted\": {},\n \"std::thread::current\": {},\n \"std::thread::local::AccessError::fmt\": {},\n \"std::thread::local::LocalKey::try_with\": {},\n \"std::thread::local::LocalKey::with\": {},\n \"std::thread::local::fast::Key::register_dtor\": {},\n \"std::thread::park\": {},\n \"std::time::SystemTime::duration_since\": {},\n \"std::time::SystemTime::elapsed\": {},\n \"std::time::SystemTime::now\": {},\n \"str::fmt\": {},\n \"test_rust_2::C::test_aabbee\": {},\n \"test_rust_2::main\": {},\n \"test_rust_2::other_item_123\": {},\n \"u16::div\": {},\n \"u16::forward_unchecked\": {},\n \"u16::to_u64\": {},\n \"u16::to_u8\": {},\n \"u32::add\": {},\n \"u32::checked_add\": {},\n \"u32::checked_mul\": {},\n \"u32::div\": {},\n \"u32::shl\": {},\n \"u32::to_u64\": {},\n \"u32::to_u8\": {},\n \"u64::add\": {},\n \"u64::checked_add\": {},\n \"u64::checked_mul\": {},\n \"u64::div\": {},\n \"u64::forward_unchecked\": {},\n \"u64::from_u32\": {},\n \"u64::mul\": {},\n \"u64::to_u64\": {},\n \"u64::to_u8\": {},\n \"u8::bitand\": {},\n \"u8::div\": {},\n \"u8::from_elem\": {},\n \"u8::rem\": {},\n \"u8::to_u64\": {},\n \"usize::add\": {},\n \"usize::add_assign\": {},\n \"usize::backward_unchecked\": {},\n \"usize::div\": {},\n \"usize::forward_unchecked\": {},\n \"usize::from_u64\": {},\n \"usize::from_u8\": {},\n \"usize::get\": {},\n \"usize::get_unchecked\": {},\n \"usize::get_unchecked_mut\": {},\n \"usize::index\": {},\n \"usize::index_mut\": {},\n \"usize::sub\": {},\n \"usize::sum\": {},\n \"usize::sum::{{closure}}\": {},\n \"usize::to_u8\": {}\n}\n---\n" }, { "path": "internal/sourceanalysis/go.go", "content": "// Package sourceanalysis provides functionality for performing source analysis on code.\npackage sourceanalysis\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/sourceanalysis/govulncheck\"\n\t\"github.com/google/osv-scanner/v2/internal/url\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"golang.org/x/vuln/scan\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\nfunc goAnalysis(pkgs []models.PackageVulns, source models.SourceInfo) {\n\t// TODO: This will be moved to enrichers which does have context.\n\tcmd := exec.CommandContext(context.TODO(), \"go\", \"version\")\n\t_, err := cmd.Output()\n\tif err != nil {\n\t\tcmdlogger.Infof(\"Skipping call analysis on Go code since Go is not installed.\")\n\t\treturn\n\t}\n\n\t// Set GOVERSION to the Go version in go.mod.\n\tvar goVersion string\n\tfor _, pkg := range pkgs {\n\t\tif pkg.Package.Name == \"stdlib\" {\n\t\t\tgoVersion = pkg.Package.Version\n\t\t\tbreak\n\t\t}\n\t}\n\n\tvulns, vulnsByID := vulnsFromAllPkgs(pkgs)\n\t// Filter out advisories with no symbol information first\n\t// This is purely an optimisation step, further filtering is done in matchAnalysisWithPackageVulns function\n\tfilteredVulns := []*osvschema.Vulnerability{}\n\tfor _, vuln := range vulns {\n\t\tif vulnHasImportsField(vuln, nil) {\n\t\t\tfilteredVulns = append(filteredVulns, vuln)\n\t\t}\n\t}\n\n\tres, err := runGovulncheck(filepath.Dir(source.Path), filteredVulns, goVersion)\n\tif err != nil {\n\t\t// TODO: Better method to identify the type of error and give advice specific to the error\n\t\tcmdlogger.Errorf(\n\t\t\t\"Failed to run code analysis (govulncheck) on '%s' because %s\\n\"+\n\t\t\t\t\"(the Go toolchain is required)\", source.Path, err.Error(),\n\t\t)\n\n\t\treturn\n\t}\n\tmatchAnalysisWithPackageVulns(pkgs, res, vulnsByID)\n}\n\nfunc matchAnalysisWithPackageVulns(pkgs []models.PackageVulns, idToFindings map[string][]*govulncheck.Finding, vulnsByID map[string]*osvschema.Vulnerability) {\n\tidToModuleToCalled := map[string]map[string]bool{}\n\tfor id, findings := range idToFindings {\n\t\tidToModuleToCalled[id] = map[string]bool{}\n\t\tfor _, f := range findings {\n\t\t\tmodulePath := f.Trace[0].Module\n\t\t\tcalled := f.Trace[0].Function != \"\"\n\t\t\tidToModuleToCalled[f.OSV][modulePath] = called\n\t\t}\n\t}\n\n\tfor _, pv := range pkgs {\n\t\t// Use index to keep reference to original element in slice\n\t\tfor groupIdx := range pv.Groups {\n\t\t\tfor _, vulnID := range pv.Groups[groupIdx].IDs {\n\t\t\t\tanalysis := &pv.Groups[groupIdx].ExperimentalAnalysis\n\t\t\t\tif *analysis == nil {\n\t\t\t\t\t*analysis = make(map[string]models.AnalysisInfo)\n\t\t\t\t}\n\n\t\t\t\tmoduleToCalled, ok := idToModuleToCalled[vulnID]\n\t\t\t\tif !ok { // If vulnerability not found, check if it contains any source information\n\t\t\t\t\tfillNotImportedAnalysisInfo(vulnsByID, vulnID, pv, analysis)\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\tpkg := pv.Package\n\t\t\t\tif !vulnHasImportsField(vulnsByID[vulnID], &pkg) && moduleToCalled[pv.Package.Name] {\n\t\t\t\t\t// Vuln entry does not have any symbol information, therefore called being true is not useful\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\n\t\t\t\t(*analysis)[vulnID] = models.AnalysisInfo{\n\t\t\t\t\tCalled: moduleToCalled[pv.Package.Name],\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc vulnHasImportsField(vuln *osvschema.Vulnerability, pkg *models.PackageInfo) bool {\n\tif vuln == nil {\n\t\treturn false\n\t}\n\tfor _, affected := range vuln.GetAffected() {\n\t\tif pkg != nil {\n\t\t\t// TODO: Compare versions to see if this is the correct affected element\n\t\t\t// ver, err := semantic.Parse(pv.Package.Version, semantic.SemverVersion)\n\t\t\tif affected.GetPackage().GetName() != pkg.Name {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t}\n\t\tif affected.GetEcosystemSpecific() == nil {\n\t\t\tcontinue\n\t\t}\n\t\t_, hasImportsField := affected.GetEcosystemSpecific().GetFields()[\"imports\"]\n\t\tif hasImportsField {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\n// fillNotImportedAnalysisInfo checks for any source information in advisories, and sets called to false\nfunc fillNotImportedAnalysisInfo(vulnsByID map[string]*osvschema.Vulnerability, vulnID string, pv models.PackageVulns, analysis *map[string]models.AnalysisInfo) {\n\tif vulnHasImportsField(vulnsByID[vulnID], &pv.Package) {\n\t\t// If there is source information, then analysis has been performed, and\n\t\t// code does not import the vulnerable package, so definitely not called\n\t\t(*analysis)[vulnID] = models.AnalysisInfo{\n\t\t\tCalled: false,\n\t\t}\n\t}\n}\n\nfunc runGovulncheck(moddir string, vulns []*osvschema.Vulnerability, goVersion string) (map[string][]*govulncheck.Finding, error) {\n\t// Create a temporary directory containing all the vulnerabilities that\n\t// are passed in to check against govulncheck.\n\t//\n\t// This enables OSV scanner to supply the OSV vulnerabilities to run\n\t// against govulncheck and manage the database separately from vuln.go.dev.\n\tdbdir, err := os.MkdirTemp(\"\", \"\")\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tdefer func() {\n\t\trerr := os.RemoveAll(dbdir)\n\t\tif err == nil {\n\t\t\terr = rerr\n\t\t}\n\t}()\n\n\tfor _, vuln := range vulns {\n\t\tdat, err := protojson.Marshal(vuln)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tif err := os.WriteFile(fmt.Sprintf(\"%s/%s.json\", dbdir, vuln.GetId()), dat, 0600); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\t// this only errors if the file path is not absolute,\n\t// which paths from os.MkdirTemp should always be\n\tdbdirURL, _ := url.FromFilePath(dbdir)\n\n\t// Run govulncheck on the module at moddir and vulnerability database that\n\t// was just created.\n\tcmd := scan.Command(context.Background(), \"-db\", dbdirURL.String(), \"-C\", moddir, \"-json\", \"./...\")\n\tvar b bytes.Buffer\n\tcmd.Stdout = &b\n\tcmd.Env = append(os.Environ(), \"GOVERSION=go\"+goVersion)\n\tif err := cmd.Start(); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := cmd.Wait(); err != nil {\n\t\treturn nil, err\n\t}\n\n\t// Group the output of govulncheck based on the OSV ID.\n\th := &osvHandler{\n\t\tidToFindings: map[string][]*govulncheck.Finding{},\n\t}\n\tif err := handleJSON(bytes.NewReader(b.Bytes()), h); err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn h.idToFindings, nil\n}\n\ntype osvHandler struct {\n\tidToFindings map[string][]*govulncheck.Finding\n}\n\nfunc (h *osvHandler) Finding(f *govulncheck.Finding) {\n\th.idToFindings[f.OSV] = append(h.idToFindings[f.OSV], f)\n}\n\nfunc handleJSON(from io.Reader, to *osvHandler) error {\n\tdec := json.NewDecoder(from)\n\tfor dec.More() {\n\t\tmsg := govulncheck.Message{}\n\t\t// decode the next message in the stream\n\t\tif err := dec.Decode(&msg); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif msg.Finding != nil {\n\t\t\tto.Finding(msg.Finding)\n\t\t}\n\t}\n\n\treturn nil\n}\n" }, { "path": "internal/sourceanalysis/go_test.go", "content": "package sourceanalysis\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/sourceanalysis/govulncheck\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc Test_matchAnalysisWithPackageVulns(t *testing.T) {\n\tt.Parallel()\n\n\tpkgs := testutility.LoadJSONFixture[[]models.PackageVulns](t, \"testdata/json/input.json\")\n\tgvcResByVulnID := testutility.LoadJSONFixture[map[string][]*govulncheck.Finding](t, \"testdata/json/govulncheckinput.json\")\n\tvulnsByID := testutility.LoadVulnMapFixture(t, \"testdata/json/vulnbyid.json\")\n\n\tmatchAnalysisWithPackageVulns(pkgs, gvcResByVulnID, vulnsByID)\n\n\ttestutility.NewSnapshot().MatchJSON(t, pkgs)\n}\n\nfunc Test_matchEmptyAnalysisWithPackageVulns(t *testing.T) {\n\tt.Parallel()\n\n\tpkgs := testutility.LoadJSONFixture[[]models.PackageVulns](t, \"testdata/json/input-no-call-data.json\")\n\t// When there is no ecosystem specific data, govulncheck will return no results\n\tgvcResByVulnID := map[string][]*govulncheck.Finding{}\n\tvulnsByID := testutility.LoadVulnMapFixture(t, \"testdata/json/vulnbyid-no-call-data.json\")\n\n\tmatchAnalysisWithPackageVulns(pkgs, gvcResByVulnID, vulnsByID)\n\n\ttestutility.NewSnapshot().MatchJSON(t, pkgs)\n}\n" }, { "path": "internal/sourceanalysis/govulncheck/result.go", "content": "// Package govulncheck provides data structures for govulncheck results.\n// Copied from\n// https://github.com/golang/vuln/blob/267a472bf377fa105988693c2a597d2b8de36ad8/internal/govulncheck/result.go\n// and modified.\npackage govulncheck\n\n// Message is an entry in the output stream. It will always have exactly one\n// field filled in.\ntype Message struct {\n\tFinding *Finding `json:\"finding,omitempty\"`\n\n\t// The Config, Progress, and OSV fields from the JSON output are removed, since they\n\t// are not used.\n}\n\n// Finding represents a single finding.\ntype Finding struct {\n\t// OSV is the id of the detected vulnerability.\n\tOSV string `json:\"osv,omitempty\"`\n\n\t// FixedVersion is the module version where the vulnerability was\n\t// fixed. This is empty if a fix is not available.\n\t//\n\t// If there are multiple fixed versions in the OSV report, this will\n\t// be the fixed version in the latest range event for the OSV report.\n\t//\n\t// For example, if the range events are\n\t// {introduced: 0, fixed: 1.0.0} and {introduced: 1.1.0}, the fixed version\n\t// will be empty.\n\t//\n\t// For the stdlib, we will show the fixed version closest to the\n\t// Go version that is used. For example, if a fix is available in 1.17.5 and\n\t// 1.18.5, and the GOVERSION is 1.17.3, 1.17.5 will be returned as the\n\t// fixed version.\n\tFixedVersion string `json:\"fixed_version,omitempty\"`\n\n\t// Trace contains an entry for each frame in the trace.\n\t//\n\t// Frames are sorted starting from the imported vulnerable symbol\n\t// until the entry point. The first frame in Frames should match\n\t// Symbol.\n\t//\n\t// In binary mode, trace will contain a single-frame with no position\n\t// information.\n\t//\n\t// When a package is imported but no vulnerable symbol is called, the trace\n\t// will contain a single-frame with no symbol or position information.\n\tTrace []*Frame `json:\"trace,omitempty\"`\n}\n\n// Frame represents an entry in a finding trace.\ntype Frame struct {\n\t// Module is the module path of the module containing this symbol.\n\t//\n\t// Importable packages in the standard library will have the path \"stdlib\".\n\tModule string `json:\"module\"`\n\n\t// Version is the module version from the build graph.\n\tVersion string `json:\"version,omitempty\"`\n\n\t// Package is the import path.\n\tPackage string `json:\"package,omitempty\"`\n\n\t// Function is the function name.\n\tFunction string `json:\"function,omitempty\"`\n\n\t// Receiver is the receiver type if the called symbol is a method.\n\t//\n\t// The client can create the final symbol name by\n\t// prepending Receiver to FuncName.\n\tReceiver string `json:\"receiver,omitempty\"`\n\n\t// Position describes an arbitrary source position\n\t// including the file, line, and column location.\n\t// A Position is valid if the line number is > 0.\n\tPosition *Position `json:\"position,omitempty\"`\n}\n\n// Position is a copy of token.Position used to marshal/unmarshal\n// JSON correctly.\ntype Position struct {\n\tFilename string `json:\"filename,omitempty\"` // filename, if any\n\tOffset int `json:\"offset\"` // offset, starting at 0\n\tLine int `json:\"line\"` // line number, starting at 1\n\tColumn int `json:\"column\"` // column number, starting at 1 (byte count)\n}\n" }, { "path": "internal/sourceanalysis/integration_test.go", "content": "package sourceanalysis\n\nimport (\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\nvar testdataDir = \"testdata/go-integration\"\n\nfunc Test_runGovulncheck(t *testing.T) {\n\tt.Parallel()\n\tentries, err := os.ReadDir(testdataDir)\n\tif err != nil {\n\t\tt.Errorf(\"failed to read testdata dir: %v\", err)\n\t}\n\n\tvulns := []*osvschema.Vulnerability{}\n\tfor _, de := range entries {\n\t\tif !de.Type().IsRegular() {\n\t\t\tcontinue\n\t\t}\n\n\t\tif !strings.HasSuffix(de.Name(), \".json\") {\n\t\t\tcontinue\n\t\t}\n\n\t\tfn := filepath.Join(testdataDir, de.Name())\n\t\tfile, err := os.Open(fn)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"failed to open fixture vuln files: %v\", err)\n\t\t}\n\t\tdefer file.Close()\n\n\t\tfileBytes, err := os.ReadFile(fn)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"failed to read fixture vuln file (%q): %v\", fn, err)\n\t\t}\n\n\t\tnewVuln := &osvschema.Vulnerability{}\n\t\terr = protojson.Unmarshal(fileBytes, newVuln)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"failed to decode fixture vuln file (%q): %v\", fn, err)\n\t\t}\n\t\tvulns = append(vulns, newVuln)\n\t}\n\n\tres, err := runGovulncheck(filepath.Join(testdataDir, \"test-project\"), vulns, \"1.19\")\n\tif err != nil {\n\t\tt.Errorf(\"failed to run RunGoVulnCheck: %v\", err)\n\t}\n\n\tres[\"GO-2023-1558\"][2].Trace[0].Position.Filename = \"\"\n\tres[\"GO-2023-1558\"][2].Trace[1].Position.Filename = \"\"\n\tres[\"GO-2023-1558\"][2].Trace[0].Position.Offset = -1\n\tres[\"GO-2023-1558\"][2].Trace[1].Position.Offset = -1\n\n\tfor _, traceItem := range res[\"GO-2023-2382\"][2].Trace {\n\t\ttraceItem.Position.Filename = \"\"\n\t\ttraceItem.Position.Offset = -1\n\t\ttraceItem.Position.Line = -1 // This number differs between go versions\n\n\t\tif traceItem.Function == \"ListenAndServe\" && traceItem.Receiver == \"*Server\" {\n\t\t\ttraceItem.Position.Column = -1 // This number differs between go versions\n\t\t}\n\t}\n\n\ttestutility.NewSnapshot().MatchJSON(t, res)\n}\n" }, { "path": "internal/sourceanalysis/rust.go", "content": "package sourceanalysis\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"debug/dwarf\"\n\t\"debug/elf\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"log\"\n\t\"os\"\n\t\"os/exec\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/thirdparty/ar\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ianlancetaylor/demangle\"\n)\n\nconst (\n\t// RustFlagsEnv defines the flags that are required for effective source analysis:\n\t// - opt-level=3 (Use the highest optimisation level (default with --release))\n\t// - debuginfo=1 (Include DWARF debug info which is extracted to find which funcs are called)\n\t// - embed-bitcode=yes (Required to enable LTO)\n\t// - lto (Enable full link time optimisation, this allows unused dynamic dispatch calls to be optimised out)\n\t// - codegen-units=1 (Build everything in one codegen unit, increases build time but enables more optimisations\n\t// and make libraries only generate one object file)\n\tRustFlagsEnv = \"RUSTFLAGS=-C opt-level=3 -C debuginfo=1 -C embed-bitcode=yes -C lto -C codegen-units=1 -C strip=none\"\n\tRustLibExtension = \".rcgu.o/\"\n)\n\nfunc rustAnalysis(pkgs []models.PackageVulns, source models.SourceInfo) {\n\tbinaryPaths, err := rustBuildSource(source)\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"failed to build cargo/rust project from source: %s\", err)\n\t\treturn\n\t}\n\n\t// This map stores 3 states for each vuln ID\n\t// - There is function level vuln info, but it **wasn't** called (false)\n\t// - There is function level vuln info, and it **is** called (true)\n\t// - There is **no** functional level vuln info, so we don't know whether it is called (doesn't exist)\n\tisCalledVulnMap := map[string]bool{}\n\n\tfor _, path := range binaryPaths {\n\t\tvar readAt io.ReaderAt\n\t\tif strings.HasSuffix(path, \".rlib\") {\n\t\t\t// Is a library, so need an extra step to extract the object binary file before passing to parseDWARFData\n\t\t\tbuf, err := extractRlibArchive(path)\n\t\t\tif err != nil {\n\t\t\t\tcmdlogger.Errorf(\"failed to analyse '%s': %s\", path, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\treadAt = bytes.NewReader(buf.Bytes())\n\t\t} else {\n\t\t\tf, err := os.Open(path)\n\t\t\tif err != nil {\n\t\t\t\tcmdlogger.Errorf(\"failed to read binary '%s': %s\", path, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\t// This is fine to defer til the end of the function as there's\n\t\t\t// generally single digit number of binaries in a project\n\t\t\tdefer f.Close()\n\t\t\treadAt = f\n\t\t}\n\n\t\tcalls, err := functionsFromDWARF(readAt)\n\t\tif err != nil {\n\t\t\tcmdlogger.Errorf(\"failed to analyse '%s': %s\", path, err)\n\t\t\tcontinue\n\t\t}\n\n\t\tfor _, pv := range pkgs {\n\t\t\tfor _, v := range pv.Vulnerabilities {\n\t\t\t\tfor _, a := range v.GetAffected() {\n\t\t\t\t\t// Example of RUSTSEC function level information:\n\t\t\t\t\t//\n\t\t\t\t\t// \"affects\": {\n\t\t\t\t\t// \"os\": [],\n\t\t\t\t\t// \"functions\": [\n\t\t\t\t\t// \"smallvec::SmallVec::grow\"\n\t\t\t\t\t// ],\n\t\t\t\t\t// \"arch\": []\n\t\t\t\t\t// }\n\t\t\t\t\tecosystemSpecific := a.GetEcosystemSpecific()\n\t\t\t\t\tif ecosystemSpecific == nil {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tecosystemAffectsVal, ok := ecosystemSpecific.GetFields()[\"affects\"]\n\t\t\t\t\tif !ok || ecosystemAffectsVal == nil || ecosystemAffectsVal.GetStructValue() == nil {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tecosystemAffects := ecosystemAffectsVal.GetStructValue().AsMap()\n\t\t\t\t\taffectedFunctions, ok := ecosystemAffects[\"functions\"].([]any)\n\t\t\t\t\tif !ok {\n\t\t\t\t\t\tcontinue\n\t\t\t\t\t}\n\t\t\t\t\tfor _, f := range affectedFunctions {\n\t\t\t\t\t\tif funcName, ok := f.(string); ok {\n\t\t\t\t\t\t\t_, called := calls[funcName]\n\t\t\t\t\t\t\t// Once one advisory marks this vuln as called, always mark as called\n\t\t\t\t\t\t\tisCalledVulnMap[v.GetId()] = isCalledVulnMap[v.GetId()] || called\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tfor _, pv := range pkgs {\n\t\t\tfor groupIdx := range pv.Groups {\n\t\t\t\tfor _, vulnID := range pv.Groups[groupIdx].IDs {\n\t\t\t\t\tanalysis := &pv.Groups[groupIdx].ExperimentalAnalysis\n\t\t\t\t\tif *analysis == nil {\n\t\t\t\t\t\t*analysis = make(map[string]models.AnalysisInfo)\n\t\t\t\t\t}\n\n\t\t\t\t\tcalled, hasFuncInfo := isCalledVulnMap[vulnID]\n\t\t\t\t\tif hasFuncInfo {\n\t\t\t\t\t\t(*analysis)[vulnID] = models.AnalysisInfo{\n\t\t\t\t\t\t\tCalled: called,\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc functionsFromDWARF(readAt io.ReaderAt) (map[string]struct{}, error) {\n\toutput := map[string]struct{}{}\n\tfile, err := elf.NewFile(readAt)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to read binary: %w\", err)\n\t}\n\tdwarfData, err := file.DWARF()\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to extract debug symbols from binary: %w\", err)\n\t}\n\tentryReader := dwarfData.Reader()\n\n\tfor {\n\t\tentry, err := entryReader.Next()\n\t\tif errors.Is(err, io.EOF) || entry == nil {\n\t\t\t// We've reached the end of DWARF entries\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"error parsing binary DWARF data: %w\", err)\n\t\t}\n\n\t\t// We only care about contents in functions\n\t\tif entry.Tag != dwarf.TagSubprogram {\n\t\t\tcontinue\n\t\t}\n\t\t// Go through fields\n\t\tfor _, field := range entry.Field {\n\t\t\t// We only care about linkage names (including function names)\n\t\t\tif field.Attr != dwarf.AttrLinkageName {\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tval, err := demangle.ToString(field.Val.(string), demangle.NoClones)\n\t\t\tif err != nil {\n\t\t\t\t// most likely not a rust function, so just ignore it\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tval = cleanRustFunctionSymbols(val)\n\t\t\toutput[val] = struct{}{}\n\t\t}\n\t}\n\n\treturn output, nil\n}\n\n// extractRlibArchive return the file path to a temporary ELF Object file extracted from the given rlib.\n//\n// It is the callers responsibility to remove the temporary file\nfunc extractRlibArchive(rlibPath string) (bytes.Buffer, error) {\n\tbuf := bytes.Buffer{}\n\trlibFile, err := os.Open(rlibPath)\n\tif err != nil {\n\t\treturn bytes.Buffer{}, fmt.Errorf(\"failed to open .rlib file '%s': %w\", rlibPath, err)\n\t}\n\n\treader, err := ar.NewReader(rlibFile)\n\tif err != nil {\n\t\treturn bytes.Buffer{}, fmt.Errorf(\".rlib file '%s' is not valid ar archive: %w\", rlibPath, err)\n\t}\n\tfor {\n\t\theader, err := reader.Next()\n\t\tif err != nil {\n\t\t\tlog.Fatalf(\"%v\", err)\n\t\t}\n\t\tif header.Name == \"//\" { // \"//\" is used in GNU ar format as a store for long file names\n\t\t\tfileBuf := bytes.Buffer{}\n\t\t\t// Ignore the error here as it's likely\n\t\t\t_, err = io.Copy(&fileBuf, reader)\n\t\t\tif err != nil {\n\t\t\t\treturn bytes.Buffer{}, fmt.Errorf(\"failed to read // store in ar archive: %w\", err)\n\t\t\t}\n\n\t\t\tfilename := strings.TrimSpace(fileBuf.String())\n\n\t\t\t// There should only be one file (since we set codegen-units=1)\n\t\t\tif !strings.HasSuffix(filename, RustLibExtension) {\n\t\t\t\t// TODO: Verify this, and return an error here instead.\n\t\t\t\tcmdlogger.Warnf(\"rlib archive contents were unexpected: %s\\n\", filename)\n\t\t\t}\n\t\t}\n\t\t// /0 indicates the first file mentioned in the \"//\" store\n\t\tif header.Name == \"/0\" || strings.HasSuffix(header.Name, RustLibExtension) {\n\t\t\tbreak\n\t\t}\n\t}\n\t_, err = io.Copy(&buf, reader)\n\tif err != nil {\n\t\treturn bytes.Buffer{}, fmt.Errorf(\"failed to read from archive '%s': %w\", rlibPath, err)\n\t}\n\n\treturn buf, nil\n}\n\nfunc rustBuildSource(source models.SourceInfo) ([]string, error) {\n\tprojectBaseDir := filepath.Dir(source.Path)\n\n\t// TODO: This will be moved to enrichers which does have context.\n\tcmd := exec.CommandContext(context.TODO(), \"cargo\", \"build\", \"--workspace\", \"--all-targets\", \"--release\")\n\tcmd.Env = append(cmd.Environ(), RustFlagsEnv)\n\tcmd.Dir = projectBaseDir\n\tif errors.Is(cmd.Err, exec.ErrDot) {\n\t\tcmd.Err = nil\n\t}\n\n\tstdoutBuffer := bytes.Buffer{}\n\tstderrBuffer := bytes.Buffer{}\n\tcmd.Stdout = &stdoutBuffer\n\tcmd.Stderr = &stderrBuffer\n\n\tcmdlogger.Infof(\"Begin building rust/cargo project\")\n\n\tif err := cmd.Run(); err != nil {\n\t\tcmdlogger.Errorf(\"cargo stdout:\\n%s\", stdoutBuffer.String())\n\t\tcmdlogger.Errorf(\"cargo stderr:\\n%s\", stderrBuffer.String())\n\n\t\treturn nil, fmt.Errorf(\"failed to run `%v`: %w\", cmd.String(), err)\n\t}\n\n\toutputDir := filepath.Join(projectBaseDir, \"target\", \"release\")\n\tentries, err := os.ReadDir(outputDir)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to read \\\"%s\\\" dir: %w\", outputDir, err)\n\t}\n\n\tresultBinaryPaths := []string{}\n\tfor _, de := range entries {\n\t\t// We only want .d files, which is generated for each output binary from cargo\n\t\t// These files contains a string to the full path of output binary/library file.\n\t\t// This is a reasonably reliable way to identify the output in a cross-platform way.\n\t\tif de.IsDir() || !strings.HasSuffix(de.Name(), \".d\") {\n\t\t\tcontinue\n\t\t}\n\n\t\tfile, err := os.ReadFile(filepath.Join(outputDir, de.Name()))\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to read \\\"%s\\\": %w\", filepath.Join(outputDir, de.Name()), err)\n\t\t}\n\n\t\tfileSplit := strings.Split(string(file), \": \")\n\t\tif len(fileSplit) != 2 {\n\t\t\t// TODO: this can probably be fixed with more effort\n\t\t\treturn nil, errors.New(\"file path contains ': ', which is unsupported\")\n\t\t}\n\t\tresultBinaryPaths = append(resultBinaryPaths, fileSplit[0])\n\t}\n\n\treturn resultBinaryPaths, nil\n}\n\n// cleanRustFunctionSymbols takes in demanged rust symbols and makes them fit format of\n// the common function level advisory information\nfunc cleanRustFunctionSymbols(val string) string {\n\t// Used to remove generics from functions and types as they are not included in function calls\n\t// in advisories:\n\t// E.g.: `smallvec::SmallVec::new` => `smallvec::SmallVec::new`\n\t//\n\t// Usage: antiGenericRegex.ReplaceAllString(val, \"\")\n\tvar antiGenericRegex = cachedregexp.MustCompile(`<[\\w,]+>`)\n\tval = antiGenericRegex.ReplaceAllString(val, \"\")\n\n\t// Used to remove fully qualified trait implementation indicators from the function type,\n\t// since those are generally not included in advisory:\n\t// E.g.: `::read` => `libflate::gzip::MultiDecoder::read`\n\tvar antiTraitImplRegex = cachedregexp.MustCompile(`<(.*) as .*>`)\n\tval = antiTraitImplRegex.ReplaceAllString(val, \"$1\")\n\n\treturn val\n}\n" }, { "path": "internal/sourceanalysis/rust_test.go", "content": "package sourceanalysis\n\nimport (\n\t\"bytes\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"reflect\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc Test_extractRlibArchive(t *testing.T) {\n\tt.Parallel()\n\tentries, err := os.ReadDir(\"testdata/rust/archives\")\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tfor _, file := range entries {\n\t\tfilename := file.Name()\n\t\tt.Run(\"Extract Rlib \"+filename, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tbuf, err := extractRlibArchive(filepath.Join(\"testdata/rust/archives\", filename))\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\n\t\t\texpectedFileName := strings.Replace(filename, \".rlib\", \".o\", 1)\n\t\t\texpectedBuf, err := os.ReadFile(filepath.Join(\"testdata/rust/objs\", expectedFileName))\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tif !bytes.Equal(buf.Bytes(), expectedBuf) {\n\t\t\t\tt.Fatalf(\"Extracted not identical to expected: %s\", filepath.Join(\"testdata/rust/archives\", filename))\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_functionsFromDWARF(t *testing.T) {\n\tt.Parallel()\n\tentries, err := os.ReadDir(\"testdata/rust/objs\")\n\tif err != nil {\n\t\tt.Error(err)\n\t}\n\tfor _, file := range entries {\n\t\tfilename := file.Name()\n\t\tt.Run(\"Parsing DWARF \"+filename, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tbuf, err := os.ReadFile(filepath.Join(\"testdata/rust/objs\", filename))\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\t\t\tfunctions, err := functionsFromDWARF(bytes.NewReader(buf))\n\t\t\tif err != nil {\n\t\t\t\tt.Error(err)\n\t\t\t}\n\n\t\t\ttestutility.NewSnapshot().MatchJSON(t, functions)\n\t\t})\n\t}\n}\n\nfunc Test_rustBuildSource(t *testing.T) {\n\ttestutility.SkipIfNotAcceptanceTesting(t, \"Requires rust toolchain to be installed\")\n\ttestutility.SkipIfShort(t)\n\n\tt.Parallel()\n\n\tcwd := testutility.GetCurrentWorkingDirectory(t)\n\n\ttype args struct {\n\t\tsource models.SourceInfo\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant []string\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\targs: args{\n\t\t\t\tsource: models.SourceInfo{\n\t\t\t\t\tPath: \"testdata/rust/rust-project/Cargo.lock\",\n\t\t\t\t\tType: \"lockfile\",\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: []string{\n\t\t\t\tcwd + filepath.FromSlash(\"/testdata/rust/rust-project/target/release/test-project\") + testutility.ValueIfOnWindows(\".exe\", \"\"),\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tgot, err := rustBuildSource(tt.args.source)\n\t\tif (err != nil) != tt.wantErr {\n\t\t\tt.Errorf(\"rustBuildSource() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\treturn\n\t\t}\n\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\tt.Errorf(\"rustBuildSource() = %v, want %v\", got, tt.want)\n\t\t}\n\t}\n}\n" }, { "path": "internal/sourceanalysis/sourceanalysis.go", "content": "package sourceanalysis\n\nimport (\n\t\"path/filepath\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// vulnsFromAllPkgs returns the flattened list of unique vulnerabilities\nfunc vulnsFromAllPkgs(pkgs []models.PackageVulns) ([]*osvschema.Vulnerability, map[string]*osvschema.Vulnerability) {\n\tflatVulns := map[string]*osvschema.Vulnerability{}\n\tfor _, pv := range pkgs {\n\t\tfor _, vuln := range pv.Vulnerabilities {\n\t\t\tflatVulns[vuln.GetId()] = vuln\n\t\t}\n\t}\n\n\tvulns := make([]*osvschema.Vulnerability, 0, len(flatVulns))\n\tfor _, v := range flatVulns {\n\t\tvulns = append(vulns, v)\n\t}\n\n\treturn vulns, flatVulns\n}\n\n// Run runs the language specific analyzers on the code given packages and source info\nfunc Run(source models.SourceInfo, pkgs []models.PackageVulns, callAnalysis map[string]bool) {\n\t// GoVulnCheck\n\tif source.Type == \"lockfile\" && filepath.Base(source.Path) == \"go.mod\" && callAnalysis[\"go\"] {\n\t\tgoAnalysis(pkgs, source)\n\t}\n\n\tif source.Type == \"lockfile\" && filepath.Base(source.Path) == \"Cargo.lock\" && callAnalysis[\"rust\"] {\n\t\trustAnalysis(pkgs, source)\n\t}\n}\n" }, { "path": "internal/sourceanalysis/testdata/go-integration/.goignore", "content": "test-project\n" }, { "path": "internal/sourceanalysis/testdata/go-integration/GO-2021-0053.json", "content": "{\n \"id\": \"GO-2021-0053\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"ecosystem\": \"Go\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.3.1\"\n}" }, { "path": "internal/sourceanalysis/testdata/go-integration/GO-2023-1558.json", "content": "{\n \"id\": \"GO-2023-1558\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"ecosystem\": \"Go\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\n \"FromBytes\",\n \"NewBitfield\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"credits\": [\n {\n \"name\": \"Jorropo\"\n }\n ],\n \"schema_version\": \"1.3.1\"\n}" }, { "path": "internal/sourceanalysis/testdata/go-integration/GO-2023-2382.json", "content": "{\n \"schema_version\": \"1.3.1\",\n \"id\": \"GO-2023-2382\",\n \"modified\": \"2023-12-06T16:22:36Z\",\n \"published\": \"2023-12-06T16:22:36Z\",\n \"aliases\": [\n \"CVE-2023-39326\"\n ],\n \"summary\": \"Denial of service via chunk extensions in net/http\",\n \"details\": \"A malicious HTTP sender can use chunk extensions to cause a receiver reading from a request or response body to read many more bytes from the network than are in the body.\\n\\nA malicious HTTP client can further exploit this to cause a server to automatically read a large amount of data (up to about 1GiB) when a handler fails to read the entire body of a request.\\n\\nChunk extensions are a little-used HTTP feature which permit including additional metadata in a request or response body sent using the chunked encoding. The net/http chunked encoding reader discards this metadata. A sender can exploit this by inserting a large metadata segment with each byte transferred. The chunk reader now produces an error if the ratio of real body to encoded bytes grows too small.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"stdlib\",\n \"ecosystem\": \"Go\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.20.12\"\n },\n {\n \"introduced\": \"1.21.0-0\"\n },\n {\n \"fixed\": \"1.21.5\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http/internal\",\n \"symbols\": [\n \"chunkedReader.Read\",\n \"chunkedReader.beginChunk\",\n \"readChunkLine\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/64433\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/547335\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-dev/c/6ypN5EjibjM/m/KmLVYH_uAgAJ\"\n }\n ],\n \"credits\": [\n {\n \"name\": \"Bartek Nowotarski\"\n }\n ],\n \"database_specific\": {\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-2382\"\n }\n}" }, { "path": "internal/sourceanalysis/testdata/go-integration/test-project/go.mod", "content": "module github.com/ossf-tests/osv-e2e\n\ngo 1.19\n\nrequire github.com/gogo/protobuf v1.3.1\n\nrequire github.com/ipfs/go-bitfield v1.0.0\n\nrequire golang.org/x/image v0.4.0 // indirect\n" }, { "path": "internal/sourceanalysis/testdata/go-integration/test-project/go.sum", "content": "github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=\ngithub.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=\ngithub.com/ipfs/go-bitfield v1.0.0 h1:y/XHm2GEmD9wKngheWNNCNL0pzrWXZwCdQGv1ikXknQ=\ngithub.com/ipfs/go-bitfield v1.0.0/go.mod h1:N/UiujQy+K+ceU1EF5EkVd1TNqevLrCQMIcAEPrdtus=\ngithub.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=\ngithub.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=\ngithub.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=\ngolang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=\ngolang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=\ngolang.org/x/image v0.4.0 h1:x1RWAiZIvERqkltrFjtQP1ycmiR5pmhjtCfVOtdURuQ=\ngolang.org/x/image v0.4.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=\ngolang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=\ngolang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=\ngolang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=\ngolang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=\ngolang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=\ngolang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=\ngolang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=\ngolang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=\ngolang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=\ngolang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=\ngolang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=\ngolang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=\ngolang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=\ngolang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=\ngolang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=\ngolang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=\ngolang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=\ngolang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=\n" }, { "path": "internal/sourceanalysis/testdata/go-integration/test-project/main.go", "content": "package main\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\n\t\"github.com/gogo/protobuf/plugin/unmarshal\"\n\t\"github.com/gogo/protobuf/version\"\n\t\"github.com/ipfs/go-bitfield\"\n)\n\nfunc main() {\n\tprint(version.AtLeast(\"v1.2.3\"))\n\tunmarshal.NewUnmarshal()\n\n\tbitfield.NewBitfield(14)\n\n\t// Test stdlib\n\terr := http.ListenAndServe(\":8080\", nil)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n}\n" }, { "path": "internal/sourceanalysis/testdata/go-integration/test-project/osv-scanner.toml", "content": "[[PackageOverrides]]\nname = \"github.com/ipfs/go-bitfield\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"github.com/gogo/protobuf\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"golang.org/x/image\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n\n[[PackageOverrides]]\nname = \"stdlib\"\necosystem = \"Go\"\nignore = true\nreason = \"This is an intentionally vulnerable test project\"\n" }, { "path": "internal/sourceanalysis/testdata/json/govulncheckinput.json", "content": "{\n \"GHSA-c3h9-896r-86jm\": [\n {\n \"osv\": \"GHSA-c3h9-896r-86jm\",\n \"trace\": [\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/proto\",\n \"function\": \"RegisterEnum\",\n \"position\": {\n \"filename\": \"/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/proto/properties.go\",\n \"offset\": 14200,\n \"line\": 518,\n \"column\": 6\n }\n },\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/protoc-gen-gogo/descriptor\",\n \"function\": \"init#1\",\n \"position\": {\n \"filename\": \"/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/protoc-gen-gogo/descriptor/descriptor.pb.go\",\n \"offset\": 98891,\n \"line\": 2668,\n \"column\": 20\n }\n },\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/protoc-gen-gogo/descriptor\",\n \"function\": \"init\",\n \"position\": {\n \"filename\": \"/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/protoc-gen-gogo/descriptor/descriptor.go\",\n \"offset\": 1932,\n \"line\": 37,\n \"column\": 1\n }\n },\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"function\": \"init\",\n \"position\": {\n \"filename\": \"/go/pkg/mod/github.com/gogo/protobuf@v1.3.1/plugin/unmarshal/unmarshal.go\",\n \"offset\": 5007,\n \"line\": 184,\n \"column\": 2\n }\n },\n {\n \"module\": \"github.com/ossf-tests/osv-e2e\",\n \"package\": \"github.com/ossf-tests/osv-e2e\",\n \"function\": \"init\",\n \"position\": {\n \"filename\": \"/Documents/Project/osv-scanner/internal/sourceanalysis/testdata/go-integration/test-project/main.go\",\n \"offset\": 44,\n \"line\": 7,\n \"column\": 2\n }\n }\n ]\n }\n ],\n \"GO-2021-0053\": [\n {\n \"osv\": \"GO-2021-0053\",\n \"fixed_version\": \"v1.3.2\",\n \"trace\": [\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\"\n }\n ]\n },\n {\n \"osv\": \"GO-2021-0053\",\n \"fixed_version\": \"v1.3.2\",\n \"trace\": [\n {\n \"module\": \"github.com/gogo/protobuf\",\n \"version\": \"v1.3.1\",\n \"package\": \"github.com/gogo/protobuf/plugin/unmarshal\"\n }\n ]\n }\n ],\n \"GO-2023-1558\": [\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\",\n \"package\": \"github.com/ipfs/go-bitfield\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-1558\",\n \"fixed_version\": \"v1.1.0\",\n \"trace\": [\n {\n \"module\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"v1.0.0\",\n \"package\": \"github.com/ipfs/go-bitfield\",\n \"function\": \"NewBitfield\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 12,\n \"column\": 6\n }\n },\n {\n \"module\": \"github.com/ossf-tests/osv-e2e\",\n \"package\": \"github.com/ossf-tests/osv-e2e\",\n \"function\": \"main\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 16,\n \"column\": 22\n }\n }\n ]\n }\n ],\n \"GO-2023-2382\": [\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http/internal\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http/internal\"\n }\n ]\n },\n {\n \"osv\": \"GO-2023-2382\",\n \"fixed_version\": \"v1.20.12\",\n \"trace\": [\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http/internal\",\n \"function\": \"Read\",\n \"receiver\": \"*chunkedReader\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 97,\n \"column\": 26\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"readLocked\",\n \"receiver\": \"*body\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 839,\n \"column\": 21\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Read\",\n \"receiver\": \"bodyLocked\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 1038,\n \"column\": 24\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"io\",\n \"function\": \"copyBuffer\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 430,\n \"column\": 21\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"io\",\n \"function\": \"Copy\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 389,\n \"column\": 19\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Close\",\n \"receiver\": \"*body\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 1002,\n \"column\": 19\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"finishRequest\",\n \"receiver\": \"*response\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 1670,\n \"column\": 17\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"serve\",\n \"receiver\": \"*conn\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 2015,\n \"column\": 18\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"Serve\",\n \"receiver\": \"*Server\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 3086,\n \"column\": 3\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"ListenAndServe\",\n \"receiver\": \"*Server\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 2985,\n \"column\": 18\n }\n },\n {\n \"module\": \"stdlib\",\n \"version\": \"v1.19.0\",\n \"package\": \"net/http\",\n \"function\": \"ListenAndServe\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 3239,\n \"column\": 30\n }\n },\n {\n \"module\": \"github.com/ossf-tests/osv-e2e\",\n \"package\": \"github.com/ossf-tests/osv-e2e\",\n \"function\": \"main\",\n \"position\": {\n \"filename\": \"\\u003cAny value\\u003e\",\n \"offset\": -1,\n \"line\": 19,\n \"column\": 28\n }\n }\n ]\n }\n ]\n}\n" }, { "path": "internal/sourceanalysis/testdata/json/input-no-call-data.json", "content": "[\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\",\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"summary\": \"\",\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ]\n }\n ]\n }\n]" }, { "path": "internal/sourceanalysis/testdata/json/input.json", "content": "[\n {\n \"package\": {\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\",\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"summary\": \"\",\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\n \"FromBytes\",\n \"NewBitfield\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/image/tiff\",\n \"symbols\": [\n \"Decode\",\n \"DecodeConfig\",\n \"decoder.ifdUint\",\n \"newDecoder\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ]\n }\n ]\n }\n]" }, { "path": "internal/sourceanalysis/testdata/json/output-no-call-data.json", "content": "[\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {},\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n },\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {},\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n },\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {},\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n }\n]" }, { "path": "internal/sourceanalysis/testdata/json/output.json", "content": "[\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {\n \"GO-2021-0053\": {\n \"called\": false\n }\n },\n \"ids\": [\n \"GHSA-c3h9-896r-86jm\",\n \"GO-2021-0053\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"version\": \"1.3.1\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Improper Input Validation in GoGo Protobuf\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n },\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {\n \"GO-2023-1558\": {\n \"called\": true\n }\n },\n \"ids\": [\n \"GHSA-2h6c-j3gf-xp9r\",\n \"GO-2023-1558\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"version\": \"1.0.0\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\n \"FromBytes\",\n \"NewBitfield\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n },\n {\n \"groups\": [\n {\n \"experimentalAnalysis\": {\n \"GO-2023-1572\": {\n \"called\": false\n }\n },\n \"ids\": [\n \"GHSA-qgc7-mgm3-q253\",\n \"GO-2023-1572\"\n ]\n }\n ],\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"version\": \"0.4.0\"\n },\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/image/tiff\",\n \"symbols\": [\n \"Decode\",\n \"DecodeConfig\",\n \"decoder.ifdUint\",\n \"newDecoder\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-16T22:25:24Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ],\n \"schema_version\": \"1.3.0\",\n \"summary\": \"\"\n }\n ]\n }\n]" }, { "path": "internal/sourceanalysis/testdata/json/vulnbyid-no-call-data.json", "content": "{\n \"GHSA-2h6c-j3gf-xp9r\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\",\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n \"GHSA-c3h9-896r-86jm\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n \"GHSA-qgc7-mgm3-q253\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n \"GO-2021-0053\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ]\n },\n \"GO-2023-1558\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"summary\": \"\",\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ]\n },\n \"GO-2023-1572\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"aliases\": [\n \"CVE-2022-41727\",\n \"GHSA-qgc7-mgm3-q253\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ]\n }\n}" }, { "path": "internal/sourceanalysis/testdata/json/vulnbyid.json", "content": "{\n \"GHSA-2h6c-j3gf-xp9r\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-2h6c-j3gf-xp9r\",\n \"modified\": \"2023-02-10T19:52:45Z\",\n \"published\": \"2023-02-10T19:52:45Z\",\n \"aliases\": [\n \"CVE-2023-23626\"\n ],\n \"summary\": \"IPFS go-bitfield vulnerable to DoS via malformed size arguments\",\n \"details\": \"### Impact\\nWhen feeding untrusted user input into the size parameter of `NewBitfield` and `FromBytes` functions, an attacker can trigger `panic`s.\\n\\nThis happen when the `size` is a not a multiple of `8` or is negative.\\nThere were already a note in the `NewBitfield` documentation:\\n\\u003e ```\\n\\u003e Panics if size is not a multiple of 8.\\n\\u003e ````\\n\\nBut it incomplete and missing from `FromBytes`'s documentation.\\n\\nThis has been replaced by returning an `(Bitfield, error)` and returning a non nil error if the size is wrong.\\n\\n### Patches\\n- https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\\n\\n### Workarounds\\n- Ensure `size%8 == 0 \\u0026\\u0026 size \\u003e= 0` yourself before calling `NewBitfield` or `FromBytes`\\n\\n### References\\n- https://github.com/ipfs/go-unixfs/security/advisories/GHSA-q264-w97q-q778\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"1.0.0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"versions\": [\n \"1.0.0\"\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-2h6c-j3gf-xp9r/GHSA-2h6c-j3gf-xp9r.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2023-23626\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/ipfs/go-bitfield\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-1284\",\n \"CWE-754\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-10T19:52:45Z\",\n \"nvd_published_at\": \"2023-02-09T21:15:00Z\",\n \"severity\": \"MODERATE\"\n }\n },\n \"GHSA-c3h9-896r-86jm\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-c3h9-896r-86jm\",\n \"modified\": \"2022-03-28T20:28:00Z\",\n \"published\": \"2022-03-28T20:28:00Z\",\n \"aliases\": [\n \"CVE-2021-3121\"\n ],\n \"summary\": \"Improper Input Validation in GoGo Protobuf\",\n \"details\": \"An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the \\\"skippy peanut butter\\\" issue.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-c3h9-896r-86jm/GHSA-c3h9-896r-86jm.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2021-3121\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://discuss.hashicorp.com/t/hcsec-2021-23-consul-exposed-to-denial-of-service-in-gogo-protobuf-dependency/29025\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/gogo/protobuf\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/gogo/protobuf/compare/v1.3.1...v1.3.2\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r68032132c0399c29d6cdc7bd44918535da54060a10a12b1591328bff@%3Cnotifications.skywalking.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/r88d69555cb74a129a7bf84838073b61259b4a3830190e05a3b87994e@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.apache.org/thread.html/rc1e9ff22c5641d73701ba56362fb867d40ed287cca000b131dcf4a44@%3Ccommits.pulsar.apache.org%3E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://security.netapp.com/advisory/ntap-20210219-0006/\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-129\",\n \"CWE-20\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2022-03-28T20:28:00Z\",\n \"nvd_published_at\": \"2021-01-11T06:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n \"GHSA-qgc7-mgm3-q253\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GHSA-qgc7-mgm3-q253\",\n \"modified\": \"2023-02-17T13:59:44Z\",\n \"published\": \"2023-02-17T13:59:44Z\",\n \"aliases\": [\n \"CVE-2022-41727\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-qgc7-mgm3-q253/GHSA-qgc7-mgm3-q253.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41727\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T13:59:44Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n \"GO-2021-0053\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2021-0053\",\n \"modified\": \"2023-02-10T16:51:38Z\",\n \"published\": \"2021-04-14T20:04:52Z\",\n \"aliases\": [\n \"CVE-2021-3121\",\n \"GHSA-c3h9-896r-86jm\"\n ],\n \"summary\": \"\",\n \"details\": \"Due to improper bounds checking, maliciously crafted input to generated Unmarshal methods can cause an out-of-bounds panic. If parsing messages from untrusted parties, this may be used as a denial of service vector.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/gogo/protobuf\",\n \"purl\": \"pkg:golang/github.com/gogo/protobuf\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.3.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2021-0053.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2021-0053\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/gogo/protobuf/plugin/unmarshal\",\n \"symbols\": [\n \"unmarshal.Generate\",\n \"unmarshal.field\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc\"\n }\n ]\n },\n \"GO-2023-1558\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1558\",\n \"modified\": \"2023-02-14T19:41:21Z\",\n \"published\": \"2023-02-14T19:41:21Z\",\n \"aliases\": [\n \"CVE-2023-23626\",\n \"GHSA-2h6c-j3gf-xp9r\"\n ],\n \"summary\": \"\",\n \"details\": \"When feeding untrusted user input into the size parameter of `NewBitfield` and FromBytes functions, an attacker can trigger panics.\\n\\nThis happens when the size is a not a multiple of 8 or is negative.\\n\\nA workaround is to ensure size%8 == 0 \\u0026\\u0026 size \\u003e= 0 yourself before calling NewBitfield or FromBytes.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"github.com/ipfs/go-bitfield\",\n \"purl\": \"pkg:golang/github.com/ipfs/go-bitfield\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.1.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1558.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1558\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"github.com/ipfs/go-bitfield\",\n \"symbols\": [\n \"FromBytes\",\n \"NewBitfield\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/ipfs/go-bitfield/security/advisories/GHSA-2h6c-j3gf-xp9r\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://github.com/ipfs/go-bitfield/commit/5e1d256fe043fc4163343ccca83862c69c52e579\"\n }\n ]\n },\n \"GO-2023-1572\": {\n \"schema_version\": \"1.3.0\",\n \"id\": \"GO-2023-1572\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:25:24Z\",\n \"aliases\": [\n \"CVE-2022-41727\",\n \"GHSA-qgc7-mgm3-q253\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/image\",\n \"purl\": \"pkg:golang/golang.org/x/image\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.5.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1572.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1572\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/image/tiff\",\n \"symbols\": [\n \"Decode\",\n \"DecodeConfig\",\n \"decoder.ifdUint\",\n \"newDecoder\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/58003\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468195\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o\"\n }\n ]\n }\n}" }, { "path": "internal/sourceanalysis/testdata/rust/functions/medium.json", "content": "{\n \"\\u0026T::fmt\": {},\n \"alloc::alloc::Global::deallocate\": {},\n \"alloc::alloc::Global::grow\": {},\n \"alloc::alloc::Global::grow_impl\": {},\n \"alloc::alloc::box_free\": {},\n \"alloc::alloc::dealloc\": {},\n \"alloc::alloc::realloc\": {},\n \"alloc::raw_vec::RawVec::current_memory\": {},\n \"alloc::raw_vec::RawVec::drop\": {},\n \"alloc::raw_vec::RawVec::grow_amortized\": {},\n \"alloc::raw_vec::RawVec::ptr\": {},\n \"alloc::raw_vec::RawVec::reserve_for_push\": {},\n \"alloc::raw_vec::RawVec::set_ptr_and_cap\": {},\n \"alloc::raw_vec::finish_grow\": {},\n \"alloc::raw_vec::handle_reserve\": {},\n \"alloc::rc::is_dangling\": {},\n \"alloc::sync::Arc::drop\": {},\n \"alloc::sync::Arc::drop_slow\": {},\n \"alloc::sync::Arc::get_mut_unchecked\": {},\n \"alloc::sync::Arc::inner\": {},\n \"alloc::sync::Weak::drop\": {},\n \"alloc::sync::Weak::inner\": {},\n \"alloc::vec::Vec::as_mut_ptr\": {},\n \"alloc::vec::Vec::drop\": {},\n \"alloc::vec::Vec::new\": {},\n \"alloc::vec::Vec::push\": {},\n \"arrayvec::ArrayVec::clear\": {},\n \"arrayvec::ArrayVec::drop\": {},\n \"arrayvec::ArrayVec::len\": {},\n \"arrayvec::ArrayVec::pop\": {},\n \"arrayvec::ArrayVec::set_len\": {},\n \"core::alloc::layout::Layout::array\": {},\n \"core::alloc::layout::Layout::array::inner\": {},\n \"core::alloc::layout::Layout::for_value_raw\": {},\n \"core::cmp::Ord::max\": {},\n \"core::cmp::max\": {},\n \"core::core_arch::x86::sse2::mm_load_si128\": {},\n \"core::core_arch::x86::sse2::mm_movemask_epi8\": {},\n \"core::fmt::Arguments::new_v1\": {},\n \"core::fmt::Arguments::new_v1_formatted\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for usize\\u003e::fmt\": {},\n \"core::mem::drop\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init\": {},\n \"core::mem::size_of_val_raw\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_neg\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_mul\": {},\n \"core::panicking::assert_failed\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::add\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::as_ref\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::guaranteed_eq\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::is_null\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::offset\": {},\n \"core::ptr::drop_in_place\\u003c\\u0026usize\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(alloc::string::String,usize)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(regex::dfa::State,u32)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::string::String]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec\\u003c(usize,u16)\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[core::option::Option\\u003calloc::string::String\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex::dfa::State]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex::prog::Inst]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[regex_syntax::hir::literal::Literal]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::ahocorasick::AhoCorasick\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::api::SearchKind\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::api::Searcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::pattern::Patterns\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::rabinkarp::RabinKarp\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caho_corasick::packed::teddy::runtime::Teddy\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[(char,char)]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[usize]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003ccrossbeam_epoch::sync::queue::Node\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::ops::function::Fn\\u003c()\\u003e+Output = core::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e+core::panic::unwind_safe::UnwindSafe+core::marker::Send+core::marker::Sync+core::panic::unwind_safe::RefUnwindSafe\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cregex::pool::Pool\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(usize,u16)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003ccore::option::Option\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::backtrack::Job\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::dfa::State\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::pikevm::FollowEpsilon\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex::prog::Inst\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cregex_syntax::hir::literal::Literal\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::string::String\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003ccrossbeam_epoch::internal::Global\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cregex::exec::ExecReadOnly\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003ccrossbeam_epoch::internal::Global\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cregex::exec::ExecReadOnly\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003c(usize,u16)\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003ccore::option::Option\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::backtrack::Job\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::dfa::State\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::pikevm::FollowEpsilon\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex::prog::Inst\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cregex_syntax::hir::literal::Literal\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003carrayvec::ArrayVec\\u003c[crossbeam_epoch::deferred::Deferred; 64]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003caho_corasick::ahocorasick::AhoCorasick\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cregex::re_unicode::Regex,regex::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::atomic::Owned\\u003ccrossbeam_epoch::sync::queue::Node\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::collector::Collector\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::Bag\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::Global\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::sync::list::List\\u003ccrossbeam_epoch::internal::Local\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccrossbeam_epoch::sync::queue::Queue\\u003ccrossbeam_epoch::internal::SealedBag\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cdyn aho_corasick::ahocorasick::AcAutomaton\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::map::HashMap\\u003calloc::string::String,usize,std::collections::hash::map::RandomState\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::map::HashMap\\u003cregex::dfa::State,u32,std::collections::hash::map::RandomState\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::raw::RawTable\\u003c(alloc::string::String,usize)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003chashbrown::raw::RawTable\\u003c(regex::dfa::State,u32)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::cow::CowBytes\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::cow::Imp\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::memmem::Finder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cmemchr::memmem::Searcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::backtrack::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::CacheInner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::State\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::StateMap\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::dfa::Transitions\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::error::Error\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::Exec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::ExecReadOnly\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::exec::ProgramCacheInner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::LiteralSearcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::Matcher\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::Memmem\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::literal::imp::SingleByteSet\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pikevm::Cache\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pikevm::Threads\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::pool::Pool\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::Inst\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::InstRanges\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::prog::Program\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::re_unicode::Regex\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex::sparse::SparseSet\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cregex_syntax::hir::literal::Literal\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::collections::hash::map::HashMap\\u003calloc::string::String,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::collections::hash::map::HashMap\\u003cregex::dfa::State,u32\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003calloc::boxed::Box\\u003ccore::panic::unwind_safe::AssertUnwindSafe\\u003ccore::cell::RefCell\\u003cregex::exec::ProgramCacheInner\\u003e\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::drop_in_place\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub\": {},\n \"core::ptr::non_null::NonNull::as_ref\": {},\n \"core::ptr::read\": {},\n \"core::ptr::write\": {},\n \"core::result::Result::branch\": {},\n \"core::result::Result::fmt\": {},\n \"core::result::Result::from_residual\": {},\n \"core::result::Result::map\": {},\n \"core::result::Result::map_err\": {},\n \"core::result::Result::unwrap\": {},\n \"core::sync::atomic::AtomicUsize::compare_exchange\": {},\n \"core::sync::atomic::AtomicUsize::fetch_sub\": {},\n \"core::sync::atomic::AtomicUsize::load\": {},\n \"core::sync::atomic::atomic_compare_exchange\": {},\n \"core::sync::atomic::atomic_load\": {},\n \"core::sync::atomic::atomic_sub\": {},\n \"crossbeam_epoch::atomic::Atomic::compare_and_set\": {},\n \"crossbeam_epoch::atomic::Atomic::load\": {},\n \"crossbeam_epoch::atomic::Owned::drop\": {},\n \"crossbeam_epoch::atomic::Shared::as_raw\": {},\n \"crossbeam_epoch::atomic::Shared::deref\": {},\n \"crossbeam_epoch::atomic::Shared::tag\": {},\n \"crossbeam_epoch::atomic::decompose_data\": {},\n \"crossbeam_epoch::deferred::Deferred::new\": {},\n \"crossbeam_epoch::deferred::Deferred::new::call\": {},\n \"crossbeam_epoch::guard::Guard::defer_destroy\": {},\n \"crossbeam_epoch::guard::Guard::defer_unchecked\": {},\n \"crossbeam_epoch::guard::Guard::defer_unchecked::{{closure}}\": {},\n \"crossbeam_epoch::sync::list::List::drop\": {},\n \"crossbeam_epoch::sync::queue::Queue::drop\": {},\n \"crossbeam_epoch::sync::queue::Queue::pop_internal\": {},\n \"crossbeam_epoch::sync::queue::Queue::pop_internal::{{closure}}\": {},\n \"crossbeam_epoch::sync::queue::Queue::try_pop\": {},\n \"hashbrown::raw::Bucket::drop\": {},\n \"hashbrown::raw::Bucket::next_n\": {},\n \"hashbrown::raw::RawIter::next\": {},\n \"hashbrown::raw::RawIterRange::new\": {},\n \"hashbrown::raw::RawIterRange::next_impl\": {},\n \"hashbrown::raw::RawTable::data_end\": {},\n \"hashbrown::raw::RawTable::drop\": {},\n \"hashbrown::raw::RawTable::drop_elements\": {},\n \"hashbrown::raw::RawTable::free_buckets\": {},\n \"hashbrown::raw::RawTable::is_empty\": {},\n \"hashbrown::raw::RawTable::iter\": {},\n \"hashbrown::raw::RawTable::len\": {},\n \"hashbrown::raw::RawTableInner::buckets\": {},\n \"hashbrown::raw::RawTableInner::free_buckets\": {},\n \"hashbrown::raw::RawTableInner::is_empty_singleton\": {},\n \"hashbrown::raw::TableLayout::calculate_layout_for\": {},\n \"hashbrown::raw::bitmask::BitMask::invert\": {},\n \"hashbrown::raw::bitmask::BitMask::lowest_set_bit\": {},\n \"hashbrown::raw::bitmask::BitMask::remove_lowest_bit\": {},\n \"hashbrown::raw::sse2::Group::load_aligned\": {},\n \"hashbrown::raw::sse2::Group::match_empty_or_deleted\": {},\n \"hashbrown::raw::sse2::Group::match_full\": {},\n \"test_rust_2::another_func\": {},\n \"test_rust_2::exported_func\": {}\n}\n" }, { "path": "internal/sourceanalysis/testdata/rust/functions/simple.json", "content": "{\n \"core::fmt::Arguments::new_v1\": {},\n \"test_rust_2::a_cool_func_name\": {}\n}\n" }, { "path": "internal/sourceanalysis/testdata/rust/functions/test-rust-2.json", "content": "{\n \"\\u0026T::as_ref\": {},\n \"\\u0026T::fmt\": {},\n \"\\u0026[u8]::spec_new_impl\": {},\n \"\\u0026mut I::len\": {},\n \"\\u0026mut T::fmt\": {},\n \"\\u0026mut W::write_char\": {},\n \"\\u0026mut W::write_fmt\": {},\n \"\\u0026mut W::write_str\": {},\n \"\\u0026std::io::stdio::Stderr::write_fmt\": {},\n \"\\u0026std::io::stdio::Stdout::write_fmt\": {},\n \"\\u0026str::into_searcher\": {},\n \"\\u0026str::is_prefix_of\": {},\n \"\\u0026str::is_suffix_of\": {},\n \"\\u0026u32::shl\": {},\n \"\\u0026u8::bitand\": {},\n \"\\u0026u8::shr\": {},\n \"()::fmt\": {},\n \"*const T::fmt\": {},\n \"*mut T::fmt\": {},\n \"\\u003cT as alloc::slice::hack::ConvertVec\\u003e::to_vec::DropGuard::drop\": {},\n \"\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e as core::convert::From\\u003calloc::string::String\\u003e\\u003e::from::StringError::description\": {},\n \"\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e as core::convert::From\\u003calloc::string::String\\u003e\\u003e::from::StringError::fmt\": {},\n \"\\u003calloc::vec::drain::Drain as core::ops::drop::Drop\\u003e::drop::DropGuard::drop\": {},\n \"\\u003calloc::vec::into_iter::IntoIter as core::ops::drop::Drop\\u003e::drop::DropGuard::drop\": {},\n \"\\u003cdyn core::any::Any+core::marker::Send\\u003e::downcast_ref\": {},\n \"\\u003cdyn core::any::Any\\u003e::downcast_ref\": {},\n \"\\u003cdyn core::any::Any\\u003e::is\": {},\n \"F::into_searcher\": {},\n \"I::into_iter\": {},\n \"T::clone\": {},\n \"T::from_elem\": {},\n \"T::into\": {},\n \"T::spec_eq\": {},\n \"T::spec_ne\": {},\n \"T::spec_new_impl\": {},\n \"T::to_vec\": {},\n \"T::type_id\": {},\n \"[A]::equal\": {},\n \"[T]::fmt\": {},\n \"addr2line::Context::find_frames\": {},\n \"addr2line::Context::find_units\": {},\n \"addr2line::Context::find_units_range\": {},\n \"addr2line::Context::find_units_range::{{closure}}\": {},\n \"addr2line::Context::from_dwarf\": {},\n \"addr2line::FrameIter::next\": {},\n \"addr2line::FrameIter::next::{{closure}}\": {},\n \"addr2line::LocationRangeUnitIter::new\": {},\n \"addr2line::LocationRangeUnitIter::new::{{closure}}\": {},\n \"addr2line::RangeAttributes::for_each_range\": {},\n \"addr2line::RangeAttributes::for_each_range::{{closure}}\": {},\n \"addr2line::ResDwarf::find_unit\": {},\n \"addr2line::ResDwarf::parse\": {},\n \"addr2line::ResDwarf::parse::{{closure}}\": {},\n \"addr2line::ResUnit::find_function_or_location\": {},\n \"addr2line::ResUnit::find_function_or_location::{{closure}}\": {},\n \"addr2line::ResUnit::find_location\": {},\n \"addr2line::ResUnit::parse_functions\": {},\n \"addr2line::ResUnit::parse_functions::{{closure}}\": {},\n \"addr2line::ResUnit::parse_lines\": {},\n \"addr2line::ResUnit::parse_lines::{{closure}}\": {},\n \"addr2line::ResUnit::render_file\": {},\n \"addr2line::function::Function::find_inlined_functions\": {},\n \"addr2line::function::Function::find_inlined_functions::{{closure}}\": {},\n \"addr2line::function::Function::parse\": {},\n \"addr2line::function::Function::parse::{{closure}}\": {},\n \"addr2line::function::Function::parse_children\": {},\n \"addr2line::function::Function::skip\": {},\n \"addr2line::function::Functions::find_address\": {},\n \"addr2line::function::Functions::find_address::{{closure}}\": {},\n \"addr2line::function::Functions::parse\": {},\n \"addr2line::function::Functions::parse::{{closure}}\": {},\n \"addr2line::function::InlinedFunction::parse\": {},\n \"addr2line::function::InlinedFunction::parse::{{closure}}\": {},\n \"addr2line::function::name_attr\": {},\n \"addr2line::function::name_entry\": {},\n \"addr2line::lazy::LazyCell::borrow_with\": {},\n \"alloc::alloc::Global::alloc_impl\": {},\n \"alloc::alloc::Global::allocate\": {},\n \"alloc::alloc::Global::allocate_zeroed\": {},\n \"alloc::alloc::Global::deallocate\": {},\n \"alloc::alloc::Global::grow\": {},\n \"alloc::alloc::Global::grow_impl\": {},\n \"alloc::alloc::Global::shrink\": {},\n \"alloc::alloc::alloc\": {},\n \"alloc::alloc::alloc_zeroed\": {},\n \"alloc::alloc::box_free\": {},\n \"alloc::alloc::dealloc\": {},\n \"alloc::alloc::exchange_malloc\": {},\n \"alloc::alloc::handle_alloc_error\": {},\n \"alloc::alloc::handle_alloc_error::rt_error\": {},\n \"alloc::alloc::realloc\": {},\n \"alloc::borrow::Cow::as_ref\": {},\n \"alloc::borrow::Cow::deref\": {},\n \"alloc::borrow::Cow::into_owned\": {},\n \"alloc::boxed::Box::fmt\": {},\n \"alloc::boxed::Box::from_raw\": {},\n \"alloc::boxed::Box::from_raw_in\": {},\n \"alloc::boxed::Box::into_raw\": {},\n \"alloc::boxed::Box::into_raw_with_allocator\": {},\n \"alloc::boxed::Box::into_unique\": {},\n \"alloc::boxed::Box::leak\": {},\n \"alloc::boxed::Box::new\": {},\n \"alloc::boxed::Box::next\": {},\n \"alloc::boxed::Box::size_hint\": {},\n \"alloc::boxed::Box\\u003c[T],A\\u003e::clone\": {},\n \"alloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e::from\": {},\n \"alloc::collections::btree::map::BTreeMap::drop\": {},\n \"alloc::collections::btree::map::BTreeMap::get\": {},\n \"alloc::collections::btree::map::BTreeMap::into_iter\": {},\n \"alloc::collections::btree::map::IntoIter::drop\": {},\n \"alloc::collections::btree::map::IntoIter::dying_next\": {},\n \"alloc::collections::btree::mem::replace\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e,alloc::collections::btree::node::marker::KV\\u003e\\u003e::next_leaf_edge\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_end\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next_unchecked\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::Leaf\\u003e,alloc::collections::btree::node::marker::Edge\\u003e\\u003e::deallocating_next_unchecked::{{closure}}\": {},\n \"alloc::collections::btree::navigate::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e\\u003e::first_leaf_edge\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange::init_front\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::deallocating_end\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::deallocating_next_unchecked\": {},\n \"alloc::collections::btree::navigate::LazyLeafRange\\u003calloc::collections::btree::node::marker::Dying,K,V\\u003e::take_front\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef,alloc::collections::btree::node::marker::Edge\\u003e::right_kv\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::Internal\\u003e,alloc::collections::btree::node::marker::Edge\\u003e::descend\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e,Type\\u003e::force\": {},\n \"alloc::collections::btree::node::Handle\\u003calloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,NodeType\\u003e,alloc::collections::btree::node::marker::KV\\u003e::drop_key_val\": {},\n \"alloc::collections::btree::node::NodeRef::ascend\": {},\n \"alloc::collections::btree::node::NodeRef::ascend::{{closure}}\": {},\n \"alloc::collections::btree::node::NodeRef::len\": {},\n \"alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e::force\": {},\n \"alloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Dying,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e::deallocate_and_ascend\": {},\n \"alloc::collections::btree::node::NodeRef\\u003calloc::collections::btree::node::marker::Immut,K,V,Type\\u003e::keys\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003cBorrowType,K,V,alloc::collections::btree::node::marker::LeafOrInternal\\u003e\\u003e::search_tree\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003e::find_key_index\": {},\n \"alloc::collections::btree::search::\\u003cimpl alloc::collections::btree::node::NodeRef\\u003e::search_node\": {},\n \"alloc::ffi::c_str::CString::as_bytes_with_nul\": {},\n \"alloc::ffi::c_str::CString::clone\": {},\n \"alloc::ffi::c_str::CString::deref\": {},\n \"alloc::ffi::c_str::CString::drop\": {},\n \"alloc::ffi::c_str::CString::from_vec_unchecked\": {},\n \"alloc::ffi::c_str::CString::new\": {},\n \"alloc::ffi::c_str::CString::new::spec_new_impl_bytes\": {},\n \"alloc::ffi::c_str::NulError::fmt\": {},\n \"alloc::fmt::format\": {},\n \"alloc::fmt::format::format_inner\": {},\n \"alloc::fmt::format::{{closure}}\": {},\n \"alloc::raw_vec::RawVec::allocate_in\": {},\n \"alloc::raw_vec::RawVec::capacity\": {},\n \"alloc::raw_vec::RawVec::current_memory\": {},\n \"alloc::raw_vec::RawVec::drop\": {},\n \"alloc::raw_vec::RawVec::grow_amortized\": {},\n \"alloc::raw_vec::RawVec::grow_exact\": {},\n \"alloc::raw_vec::RawVec::needs_to_grow\": {},\n \"alloc::raw_vec::RawVec::ptr\": {},\n \"alloc::raw_vec::RawVec::reserve\": {},\n \"alloc::raw_vec::RawVec::reserve::do_reserve_and_handle\": {},\n \"alloc::raw_vec::RawVec::reserve_exact\": {},\n \"alloc::raw_vec::RawVec::reserve_for_push\": {},\n \"alloc::raw_vec::RawVec::set_ptr_and_cap\": {},\n \"alloc::raw_vec::RawVec::shrink\": {},\n \"alloc::raw_vec::RawVec::shrink_to_fit\": {},\n \"alloc::raw_vec::RawVec::try_reserve_exact\": {},\n \"alloc::raw_vec::RawVec::with_capacity_in\": {},\n \"alloc::raw_vec::RawVec::with_capacity_zeroed_in\": {},\n \"alloc::raw_vec::capacity_overflow\": {},\n \"alloc::raw_vec::finish_grow\": {},\n \"alloc::raw_vec::handle_reserve\": {},\n \"alloc::rc::is_dangling\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by::{{closure}}\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by_key\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::sort_by_key::{{closure}}\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::to_vec\": {},\n \"alloc::slice::\\u003cimpl [T]\\u003e::to_vec_in\": {},\n \"alloc::slice::\\u003cimpl alloc::borrow::ToOwned for [T]\\u003e::to_owned\": {},\n \"alloc::slice::hack::to_vec\": {},\n \"alloc::slice::insert_head\": {},\n \"alloc::slice::insert_head::InsertionHole::drop\": {},\n \"alloc::slice::merge\": {},\n \"alloc::slice::merge::MergeHole::drop\": {},\n \"alloc::slice::merge::get_and_increment\": {},\n \"alloc::slice::merge_sort\": {},\n \"alloc::slice::merge_sort::collapse\": {},\n \"alloc::str::\\u003cimpl alloc::borrow::ToOwned for str\\u003e::to_owned\": {},\n \"alloc::string::String::deref\": {},\n \"alloc::string::String::fmt\": {},\n \"alloc::string::String::from\": {},\n \"alloc::string::String::from_utf8_lossy\": {},\n \"alloc::string::String::from_utf8_unchecked\": {},\n \"alloc::string::String::index\": {},\n \"alloc::string::String::new\": {},\n \"alloc::string::String::push\": {},\n \"alloc::string::String::push_str\": {},\n \"alloc::string::String::with_capacity\": {},\n \"alloc::string::String::write_char\": {},\n \"alloc::string::String::write_str\": {},\n \"alloc::sync::Arc::allocate_for_layout\": {},\n \"alloc::sync::Arc::allocate_for_layout::{{closure}}\": {},\n \"alloc::sync::Arc::clone\": {},\n \"alloc::sync::Arc::deref\": {},\n \"alloc::sync::Arc::drop\": {},\n \"alloc::sync::Arc::drop_slow\": {},\n \"alloc::sync::Arc::get_mut_unchecked\": {},\n \"alloc::sync::Arc::inner\": {},\n \"alloc::sync::Arc::new\": {},\n \"alloc::sync::Arc::new_uninit\": {},\n \"alloc::sync::Arc::new_uninit::{{closure}}\": {},\n \"alloc::sync::Arc::try_allocate_for_layout\": {},\n \"alloc::sync::Weak::drop\": {},\n \"alloc::sync::Weak::inner\": {},\n \"alloc::vec::Vec::append_elements\": {},\n \"alloc::vec::Vec::as_mut_ptr\": {},\n \"alloc::vec::Vec::as_ptr\": {},\n \"alloc::vec::Vec::capacity\": {},\n \"alloc::vec::Vec::clone\": {},\n \"alloc::vec::Vec::drain\": {},\n \"alloc::vec::Vec::drop\": {},\n \"alloc::vec::Vec::extend\": {},\n \"alloc::vec::Vec::extend_desugared\": {},\n \"alloc::vec::Vec::extend_from_slice\": {},\n \"alloc::vec::Vec::extend_with\": {},\n \"alloc::vec::Vec::fmt\": {},\n \"alloc::vec::Vec::from_iter\": {},\n \"alloc::vec::Vec::index\": {},\n \"alloc::vec::Vec::index_mut\": {},\n \"alloc::vec::Vec::insert\": {},\n \"alloc::vec::Vec::into_boxed_slice\": {},\n \"alloc::vec::Vec::into_iter\": {},\n \"alloc::vec::Vec::is_empty\": {},\n \"alloc::vec::Vec::len\": {},\n \"alloc::vec::Vec::new\": {},\n \"alloc::vec::Vec::pop\": {},\n \"alloc::vec::Vec::push\": {},\n \"alloc::vec::Vec::remove\": {},\n \"alloc::vec::Vec::reserve\": {},\n \"alloc::vec::Vec::reserve_exact\": {},\n \"alloc::vec::Vec::resize\": {},\n \"alloc::vec::Vec::set_len\": {},\n \"alloc::vec::Vec::shrink_to_fit\": {},\n \"alloc::vec::Vec::spare_capacity_mut\": {},\n \"alloc::vec::Vec::spec_extend\": {},\n \"alloc::vec::Vec::spec_extend::{{closure}}\": {},\n \"alloc::vec::Vec::truncate\": {},\n \"alloc::vec::Vec::with_capacity\": {},\n \"alloc::vec::Vec::with_capacity_in\": {},\n \"alloc::vec::drain::Drain::drop\": {},\n \"alloc::vec::drain::Drain::next\": {},\n \"alloc::vec::drain::Drain::size_hint\": {},\n \"alloc::vec::from_elem\": {},\n \"alloc::vec::into_iter::IntoIter::drop\": {},\n \"alloc::vec::into_iter::IntoIter::next\": {},\n \"alloc::vec::into_iter::IntoIter::next_back\": {},\n \"alloc::vec::set_len_on_drop::SetLenOnDrop::drop\": {},\n \"alloc::vec::set_len_on_drop::SetLenOnDrop::increment_len\": {},\n \"char::fmt\": {},\n \"char::into_searcher\": {},\n \"char::is_prefix_of\": {},\n \"char::is_suffix_of\": {},\n \"core::alloc::layout::Layout::array\": {},\n \"core::alloc::layout::Layout::array::inner\": {},\n \"core::alloc::layout::Layout::size\": {},\n \"core::any::TypeId::eq\": {},\n \"core::array::\\u003cimpl core::clone::Clone for [T; N]\\u003e::clone\": {},\n \"core::array::\\u003cimpl core::ops::index::Index for [T; N]\\u003e::index\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[A; N]\\u003e for \\u0026[B]\\u003e::ne\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[A; N]\\u003e for [B]\\u003e::ne\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[B; N]\\u003e for [A; N]\\u003e::eq\": {},\n \"core::array::equality::\\u003cimpl core::cmp::PartialEq\\u003c[B; N]\\u003e for [A; N]\\u003e::ne\": {},\n \"core::bool::\\u003cimpl bool\\u003e::then\": {},\n \"core::cell::BorrowMutError::fmt\": {},\n \"core::cell::BorrowRefMut::drop\": {},\n \"core::cell::BorrowRefMut::new\": {},\n \"core::cell::Cell::get\": {},\n \"core::cell::Cell::replace\": {},\n \"core::cell::Cell::set\": {},\n \"core::cell::Cell::take\": {},\n \"core::cell::RefCell::borrow_mut\": {},\n \"core::cell::RefCell::try_borrow_mut\": {},\n \"core::char::EscapeDebug::next\": {},\n \"core::char::EscapeDebug::size_hint\": {},\n \"core::char::EscapeDefault::len\": {},\n \"core::char::EscapeDefault::next\": {},\n \"core::char::EscapeDefault::size_hint\": {},\n \"core::char::EscapeUnicode::next\": {},\n \"core::char::convert::char_try_from_u32\": {},\n \"core::char::convert::from_digit\": {},\n \"core::char::convert::from_u32\": {},\n \"core::char::from_digit\": {},\n \"core::char::from_u32\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::encode_utf8\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_debug\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_debug_ext\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::escape_unicode\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_control\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_digit\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::is_grapheme_extended\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::len_utf8\": {},\n \"core::char::methods::\\u003cimpl char\\u003e::to_digit\": {},\n \"core::char::methods::encode_utf8_raw\": {},\n \"core::char::methods::len_utf8\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for \\u0026T\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for bool\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u32\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u64\\u003e::clone\": {},\n \"core::clone::impls::\\u003cimpl core::clone::Clone for u8\\u003e::clone\": {},\n \"core::cmp::Ord::max\": {},\n \"core::cmp::Ord::min\": {},\n \"core::cmp::PartialEq::ne\": {},\n \"core::cmp::PartialOrd::ge\": {},\n \"core::cmp::PartialOrd::le\": {},\n \"core::cmp::PartialOrd::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for i64\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for isize\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for u32\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for u64\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::Ord for usize\\u003e::cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u16\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u32\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u64\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for u8\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq for usize\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq\\u003c\\u0026B\\u003e for \\u0026A\\u003e::eq\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialEq\\u003c\\u0026B\\u003e for \\u0026A\\u003e::ne\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for i64\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for isize\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u16\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u64\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for u8\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::gt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::lt\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd for usize\\u003e::partial_cmp\": {},\n \"core::cmp::impls::\\u003cimpl core::cmp::PartialOrd\\u003c\\u0026B\\u003e for \\u0026A\\u003e::ge\": {},\n \"core::cmp::max\": {},\n \"core::cmp::max_by\": {},\n \"core::cmp::min\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u16\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u32\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for u64\\u003e::from\": {},\n \"core::convert::num::\\u003cimpl core::convert::From for usize\\u003e::from\": {},\n \"core::core_arch::simd::i32x4::new\": {},\n \"core::core_arch::x86::pclmulqdq::mm_clmulepi64_si128\": {},\n \"core::core_arch::x86::sse2::mm_and_si128\": {},\n \"core::core_arch::x86::sse2::mm_cvtsi32_si128\": {},\n \"core::core_arch::x86::sse2::mm_loadu_si128\": {},\n \"core::core_arch::x86::sse2::mm_pause\": {},\n \"core::core_arch::x86::sse2::mm_srli_si128\": {},\n \"core::core_arch::x86::sse2::mm_srli_si128_impl\": {},\n \"core::core_arch::x86::sse2::mm_xor_si128\": {},\n \"core::core_arch::x86::sse41::mm_extract_epi32\": {},\n \"core::error::Error::cause\": {},\n \"core::error::Error::provide\": {},\n \"core::error::Error::type_id\": {},\n \"core::ffi::c_str::CStr::from_ptr\": {},\n \"core::fmt::ArgumentV1::as_usize\": {},\n \"core::fmt::Arguments::as_str\": {},\n \"core::fmt::Arguments::estimated_capacity\": {},\n \"core::fmt::Arguments::fmt\": {},\n \"core::fmt::Arguments::new_v1\": {},\n \"core::fmt::Arguments::new_v1_formatted\": {},\n \"core::fmt::Error::fmt\": {},\n \"core::fmt::Formatter::alternate\": {},\n \"core::fmt::Formatter::debug_list\": {},\n \"core::fmt::Formatter::debug_lower_hex\": {},\n \"core::fmt::Formatter::debug_struct\": {},\n \"core::fmt::Formatter::debug_struct_field1_finish\": {},\n \"core::fmt::Formatter::debug_struct_field2_finish\": {},\n \"core::fmt::Formatter::debug_tuple\": {},\n \"core::fmt::Formatter::debug_tuple_field1_finish\": {},\n \"core::fmt::Formatter::debug_tuple_field2_finish\": {},\n \"core::fmt::Formatter::debug_upper_hex\": {},\n \"core::fmt::Formatter::new\": {},\n \"core::fmt::Formatter::pad\": {},\n \"core::fmt::Formatter::pad_integral\": {},\n \"core::fmt::Formatter::pad_integral::write_prefix\": {},\n \"core::fmt::Formatter::padding\": {},\n \"core::fmt::Formatter::sign_aware_zero_pad\": {},\n \"core::fmt::Formatter::sign_plus\": {},\n \"core::fmt::Formatter::wrap_buf\": {},\n \"core::fmt::Formatter::write_char\": {},\n \"core::fmt::Formatter::write_fmt\": {},\n \"core::fmt::Formatter::write_str\": {},\n \"core::fmt::PostPadding::write\": {},\n \"core::fmt::USIZE_MARKER::{{closure}}\": {},\n \"core::fmt::Write::write_char\": {},\n \"core::fmt::Write::write_fmt\": {},\n \"core::fmt::builders::DebugInner::entry\": {},\n \"core::fmt::builders::DebugInner::entry::{{closure}}\": {},\n \"core::fmt::builders::DebugInner::is_pretty\": {},\n \"core::fmt::builders::DebugList::entries\": {},\n \"core::fmt::builders::DebugList::finish\": {},\n \"core::fmt::builders::DebugList::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugSet::entry\": {},\n \"core::fmt::builders::DebugStruct::field\": {},\n \"core::fmt::builders::DebugStruct::field::{{closure}}\": {},\n \"core::fmt::builders::DebugStruct::finish\": {},\n \"core::fmt::builders::DebugStruct::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugStruct::is_pretty\": {},\n \"core::fmt::builders::DebugTuple::field\": {},\n \"core::fmt::builders::DebugTuple::field::{{closure}}\": {},\n \"core::fmt::builders::DebugTuple::finish\": {},\n \"core::fmt::builders::DebugTuple::finish::{{closure}}\": {},\n \"core::fmt::builders::DebugTuple::is_pretty\": {},\n \"core::fmt::builders::PadAdapter::wrap\": {},\n \"core::fmt::builders::PadAdapter::wrap::{{closure}}\": {},\n \"core::fmt::builders::PadAdapter::write_str\": {},\n \"core::fmt::builders::debug_list_new\": {},\n \"core::fmt::builders::debug_struct_new\": {},\n \"core::fmt::builders::debug_tuple_new\": {},\n \"core::fmt::getcount\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::Debug for usize\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for i8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::LowerHex for usize\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i16\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i32\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i64\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for i8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for u8\\u003e::fmt\": {},\n \"core::fmt::num::\\u003cimpl core::fmt::UpperHex for usize\\u003e::fmt\": {},\n \"core::fmt::num::GenericRadix::fmt_int\": {},\n \"core::fmt::num::LowerHex::digit\": {},\n \"core::fmt::num::UpperHex::digit\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for i32\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u16\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u32\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u64\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for u8\\u003e::fmt\": {},\n \"core::fmt::num::imp::\\u003cimpl core::fmt::Display for usize\\u003e::fmt\": {},\n \"core::fmt::num::imp::fmt_u64\": {},\n \"core::fmt::pointer_fmt_inner\": {},\n \"core::fmt::run\": {},\n \"core::fmt::write\": {},\n \"core::hint::black_box\": {},\n \"core::hint::spin_loop\": {},\n \"core::intrinsics::copy\": {},\n \"core::intrinsics::copy_nonoverlapping\": {},\n \"core::iter::adapters::cloned::Cloned::fold\": {},\n \"core::iter::adapters::cloned::Cloned::next\": {},\n \"core::iter::adapters::copied::Copied::len\": {},\n \"core::iter::adapters::copied::Copied::next\": {},\n \"core::iter::adapters::copied::Copied::try_fold\": {},\n \"core::iter::adapters::copied::Copied::try_rfold\": {},\n \"core::iter::adapters::copied::copy_try_fold::{{closure}}\": {},\n \"core::iter::adapters::enumerate::Enumerate::next\": {},\n \"core::iter::adapters::enumerate::Enumerate::try_fold\": {},\n \"core::iter::adapters::enumerate::Enumerate::try_fold::enumerate::{{closure}}\": {},\n \"core::iter::adapters::filter::Filter::count\": {},\n \"core::iter::adapters::filter::Filter::count::to_usize::{{closure}}\": {},\n \"core::iter::adapters::filter::Filter::next\": {},\n \"core::iter::adapters::filter::Filter::try_fold\": {},\n \"core::iter::adapters::filter::filter_try_fold::{{closure}}\": {},\n \"core::iter::adapters::filter_map::FilterMap::next\": {},\n \"core::iter::adapters::map::Map::fold\": {},\n \"core::iter::adapters::map::Map::next\": {},\n \"core::iter::adapters::map::map_fold::{{closure}}\": {},\n \"core::iter::adapters::peekable::Peekable::next\": {},\n \"core::iter::adapters::peekable::Peekable::peek\": {},\n \"core::iter::adapters::peekable::Peekable::peek::{{closure}}\": {},\n \"core::iter::adapters::rev::Rev::next\": {},\n \"core::iter::adapters::rev::Rev::try_fold\": {},\n \"core::iter::adapters::take::Take::advance_by\": {},\n \"core::iter::adapters::take::Take::next\": {},\n \"core::iter::adapters::take::Take::nth\": {},\n \"core::iter::adapters::take::Take::size_hint\": {},\n \"core::iter::adapters::take_while::TakeWhile::next\": {},\n \"core::iter::adapters::take_while::TakeWhile::try_fold\": {},\n \"core::iter::adapters::take_while::TakeWhile::try_fold::check::{{closure}}\": {},\n \"core::iter::range::\\u003cimpl core::iter::traits::double_ended::DoubleEndedIterator for core::ops::range::Range\\u003e::next_back\": {},\n \"core::iter::range::\\u003cimpl core::iter::traits::iterator::Iterator for core::ops::range::Range\\u003e::next\": {},\n \"core::iter::sources::from_fn::FromFn::clone\": {},\n \"core::iter::sources::from_fn::FromFn::next\": {},\n \"core::iter::sources::once::Once::next\": {},\n \"core::iter::sources::once::Once::size_hint\": {},\n \"core::iter::traits::double_ended::DoubleEndedIterator::try_rfold\": {},\n \"core::iter::traits::exact_size::ExactSizeIterator::len\": {},\n \"core::iter::traits::iterator::Iterator::advance_by\": {},\n \"core::iter::traits::iterator::Iterator::all\": {},\n \"core::iter::traits::iterator::Iterator::all::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::any\": {},\n \"core::iter::traits::iterator::Iterator::any::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::collect\": {},\n \"core::iter::traits::iterator::Iterator::eq\": {},\n \"core::iter::traits::iterator::Iterator::eq::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::eq_by\": {},\n \"core::iter::traits::iterator::Iterator::find\": {},\n \"core::iter::traits::iterator::Iterator::find::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::find_map\": {},\n \"core::iter::traits::iterator::Iterator::find_map::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::fold\": {},\n \"core::iter::traits::iterator::Iterator::for_each\": {},\n \"core::iter::traits::iterator::Iterator::for_each::call::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::max\": {},\n \"core::iter::traits::iterator::Iterator::max_by\": {},\n \"core::iter::traits::iterator::Iterator::max_by::fold::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::nth\": {},\n \"core::iter::traits::iterator::Iterator::reduce\": {},\n \"core::iter::traits::iterator::Iterator::rposition\": {},\n \"core::iter::traits::iterator::Iterator::rposition::check::{{closure}}\": {},\n \"core::iter::traits::iterator::Iterator::sum\": {},\n \"core::iter::traits::iterator::Iterator::try_fold\": {},\n \"core::mem::drop\": {},\n \"core::mem::manually_drop::ManuallyDrop::new\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init_drop\": {},\n \"core::mem::maybe_uninit::MaybeUninit::assume_init_read\": {},\n \"core::mem::maybe_uninit::MaybeUninit::write\": {},\n \"core::mem::maybe_uninit::MaybeUninit::write_slice\": {},\n \"core::mem::replace\": {},\n \"core::mem::swap\": {},\n \"core::mem::swap_simple\": {},\n \"core::mem::take\": {},\n \"core::mem::zeroed\": {},\n \"core::num::\\u003cimpl core::str::traits::FromStr for u64\\u003e::from_str\": {},\n \"core::num::\\u003cimpl i64\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl i64\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_neg\": {},\n \"core::num::\\u003cimpl isize\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl u16\\u003e::from_le_bytes\": {},\n \"core::num::\\u003cimpl u16\\u003e::from_ne_bytes\": {},\n \"core::num::\\u003cimpl u16\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_be\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_be_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_le_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_ne_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::from_str_radix\": {},\n \"core::num::\\u003cimpl u32\\u003e::leading_zeros\": {},\n \"core::num::\\u003cimpl u32\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl u32\\u003e::saturating_add\": {},\n \"core::num::\\u003cimpl u32\\u003e::swap_bytes\": {},\n \"core::num::\\u003cimpl u32\\u003e::wrapping_shr\": {},\n \"core::num::\\u003cimpl u32\\u003e::wrapping_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u64\\u003e::checked_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl u64\\u003e::overflowing_sub\": {},\n \"core::num::\\u003cimpl u64\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_add\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_div\": {},\n \"core::num::\\u003cimpl u64\\u003e::wrapping_mul\": {},\n \"core::num::\\u003cimpl u8\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl u8\\u003e::is_utf8_char_boundary\": {},\n \"core::num::\\u003cimpl u8\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::checked_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::leading_zeros\": {},\n \"core::num::\\u003cimpl usize\\u003e::next_power_of_two\": {},\n \"core::num::\\u003cimpl usize\\u003e::one_less_than_next_power_of_two\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::overflowing_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::saturating_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::saturating_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::unchecked_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::unchecked_sub\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_add\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_mul\": {},\n \"core::num::\\u003cimpl usize\\u003e::wrapping_sub\": {},\n \"core::num::can_not_overflow\": {},\n \"core::num::error::IntErrorKind::fmt\": {},\n \"core::num::error::ParseIntError::fmt\": {},\n \"core::num::from_str_radix\": {},\n \"core::num::wrapping::Wrapping::add\": {},\n \"core::num::wrapping::Wrapping::add_assign\": {},\n \"core::num::wrapping::Wrapping::div\": {},\n \"core::num::wrapping::Wrapping::mul\": {},\n \"core::ops::function::Fn::call\": {},\n \"core::ops::function::FnMut::call_mut\": {},\n \"core::ops::function::FnOnce::call_once\": {},\n \"core::ops::function::FnOnce::call_once{{vtable.shim}}\": {},\n \"core::ops::function::impls::\\u003cimpl core::ops::function::FnMut for \\u0026mut F\\u003e::call_mut\": {},\n \"core::ops::function::impls::\\u003cimpl core::ops::function::FnOnce for \\u0026mut F\\u003e::call_once\": {},\n \"core::ops::range::Range::fmt\": {},\n \"core::ops::range::Range::get\": {},\n \"core::ops::range::Range::get_unchecked\": {},\n \"core::ops::range::Range::get_unchecked_mut\": {},\n \"core::ops::range::Range::index\": {},\n \"core::ops::range::Range::index_mut\": {},\n \"core::ops::range::Range::spec_next\": {},\n \"core::ops::range::Range::spec_next_back\": {},\n \"core::ops::range::RangeFrom::get\": {},\n \"core::ops::range::RangeFrom::get_unchecked\": {},\n \"core::ops::range::RangeFrom::get_unchecked_mut\": {},\n \"core::ops::range::RangeFrom::index\": {},\n \"core::ops::range::RangeFrom::index_mut\": {},\n \"core::ops::range::RangeInclusive::index\": {},\n \"core::ops::range::RangeInclusive::into_slice_range\": {},\n \"core::ops::range::RangeTo::get\": {},\n \"core::ops::range::RangeTo::index\": {},\n \"core::option::IntoIter::next\": {},\n \"core::option::IntoIter::size_hint\": {},\n \"core::option::Item::next\": {},\n \"core::option::Item::size_hint\": {},\n \"core::option::Option::and_then\": {},\n \"core::option::Option::as_deref\": {},\n \"core::option::Option::as_ref\": {},\n \"core::option::Option::branch\": {},\n \"core::option::Option::clone\": {},\n \"core::option::Option::eq\": {},\n \"core::option::Option::expect\": {},\n \"core::option::Option::fmt\": {},\n \"core::option::Option::from_residual\": {},\n \"core::option::Option::get_or_insert\": {},\n \"core::option::Option::get_or_insert_with\": {},\n \"core::option::Option::insert\": {},\n \"core::option::Option::is_none\": {},\n \"core::option::Option::is_some\": {},\n \"core::option::Option::map\": {},\n \"core::option::Option::map_or_else\": {},\n \"core::option::Option::ok_or\": {},\n \"core::option::Option::ok_or_else\": {},\n \"core::option::Option::or_else\": {},\n \"core::option::Option::read_error\": {},\n \"core::option::Option::take\": {},\n \"core::option::Option::unwrap\": {},\n \"core::option::Option::unwrap_or\": {},\n \"core::option::Option::unwrap_or_else\": {},\n \"core::option::Option\\u003c\\u0026T\\u003e::cloned\": {},\n \"core::option::Option\\u003c\\u0026T\\u003e::copied\": {},\n \"core::option::expect_failed\": {},\n \"core::panic::location::Location::fmt\": {},\n \"core::panic::panic_info::PanicInfo::can_unwind\": {},\n \"core::panic::panic_info::PanicInfo::fmt\": {},\n \"core::panic::panic_info::PanicInfo::internal_constructor\": {},\n \"core::panic::panic_info::PanicInfo::location\": {},\n \"core::panic::panic_info::PanicInfo::message\": {},\n \"core::panicking::assert_failed\": {},\n \"core::panicking::assert_failed_inner\": {},\n \"core::panicking::panic\": {},\n \"core::panicking::panic_bounds_check\": {},\n \"core::panicking::panic_display\": {},\n \"core::panicking::panic_fmt\": {},\n \"core::panicking::panic_no_unwind\": {},\n \"core::panicking::panic_str\": {},\n \"core::pin::Pin::clone\": {},\n \"core::ptr::align_offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::add\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::align_offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::align_offset::rt_impl\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::copy_to_nonoverlapping\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::guaranteed_eq\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::is_null\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::offset\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::read\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::sub\": {},\n \"core::ptr::const_ptr::\\u003cimpl *const T\\u003e::sub_ptr\": {},\n \"core::ptr::drop_in_place\\u003c\\u0026mut std::io::Write::write_fmt::Adapter\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(smallvec::SmallVec\\u003c[u64; 16]\\u003e,usize)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cT\": {},\n \"core::ptr::drop_in_place\\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[addr2line::LineSequence]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[addr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::string::String]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[alloc::vec::Vec]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[gimli::read::abbrev::Abbreviation]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003c[libflate::gzip::ExtraSubField]\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::Context\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIter\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIterFrames\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::FrameIterState\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::LineSequence\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::Lines\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003caddr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::borrow::Cow\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::LineRow]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::LineSequence]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::FunctionAddress]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[addr2line::function::InlinedFunctionAddress]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[alloc::string::String]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003c[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::any::Any+core::marker::Send\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::error::Error+core::marker::Send+core::marker::Sync\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cdyn core::iter::traits::iterator::Iterator+Item = u8\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cpanic_unwind::real_imp::Exception\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::boxed::Box\\u003cstd::io::error::Custom\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::collections::btree::map::BTreeMap\\u003cu64,gimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::collections::btree::map::IntoIter\\u003cu64,gimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::ffi::c_str::CString\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::ffi::c_str::NulError\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(*mut u8,unsafe extern \\\"C\\\" fn(*mut u8))\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::LineRow\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::slice::merge_sort::Run\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::abbrev::AttributeSpecification\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::line::FileEntry\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::line::FileEntryFormat\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cgimli::read::unit::AttributeValue\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::gzip::ExtraSubField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003clibflate::huffman::Code\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::raw_vec::RawVec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::insert_head::InsertionHole\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::slice::merge::MergeHole\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::string::String\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003ccore::mem::maybe_uninit::MaybeUninit\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Arc\\u003cstd::thread::Inner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::ArcInner\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003ccore::mem::maybe_uninit::MaybeUninit\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::sync::Weak\\u003cstd::thread::Inner\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(gimli::common::DebugInfoOffset,gimli::common::DebugArangesOffset)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(gimli::read::unit::UnitOffset,addr2line::lazy::LazyCell\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::LineRow\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::LineSequence\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::ResUnit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::UnitRange\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::FunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003caddr2line::function::InlinedFunctionAddress\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::slice::merge_sort::Run\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::abbrev::Abbreviation\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::abbrev::AttributeSpecification\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::line::FileEntry\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::line::FileEntryFormat\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cgimli::read::unit::AttributeValue\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::deflate::symbol::build_bitwidth_codes::RunLength\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::gzip::ExtraSubField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003clibflate::huffman::Code\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cstd::backtrace_rs::symbolize::gimli::LibrarySegment\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::Vec\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::drain::Drain\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::drain::Drain\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c(*mut u8,unsafe extern \\\"C\\\" fn(*mut u8))\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::into_iter::IntoIter\\u003c(u16,u8)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003calloc::vec::set_len_on_drop::SetLenOnDrop\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::BorrowRefMut\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::Cell\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefCell\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::RefMut\\u003cstd::io::stdio::StderrRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003calloc::vec::Vec\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::cell::UnsafeCell\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::iter::adapters::rev::Rev\\u003calloc::vec::into_iter::IntoIter\\u003c\\u0026addr2line::function::InlinedFunction\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003c(usize,std::backtrace_rs::symbolize::gimli::Mapping)\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::boxed::Box\\u003caddr2line::ResDwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::ffi::c_str::CString\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::string::String\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003calloc::sync::Arc\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cgimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003clibflate::gzip::ExtraField\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::path::PathBuf\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::option::Option\\u003cstd::thread::Thread\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::pin::Pin\\u003calloc::sync::Arc\\u003cstd::thread::Inner\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003c(),std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::Lines,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::function::Function\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003caddr2line::function::Functions\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e,gimli::read::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cstd::ffi::os_str::OsString,std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::result::Result\\u003cstd::path::PathBuf,std::io::error::Error\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003ccore::slice::sort::CopyOnDrop\\u003cstd::backtrace_rs::symbolize::gimli::elf::ParsedSym\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Abbreviation\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Abbreviations\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::abbrev::Attributes\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::dwarf::Dwarf\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::dwarf::Unit\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::LineProgramHeader\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cgimli::read::line::LineRows\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,gimli::read::line::IncompleteLineProgram\\u003cgimli::read::endian_slice::EndianSlice\\u003cgimli::endianity::LittleEndian\\u003e,usize\\u003e,usize\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::bit::BitReader\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::deflate::decode::Decoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::deflate::symbol::Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::Decoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::ExtraField\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::ExtraSubField\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::Header\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::HeaderBuilder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::gzip::MultiDecoder\\u003c\\u0026[u8]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::DecoderBuilder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate::huffman::Encoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003clibflate_lz77::Lz77Decoder\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cpanic_unwind::real_imp::Exception\\u003e\": {},\n \"core::ptr::drop_in_place\\u003csmallvec::SmallVec\\u003c[u64; 16]\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::print::BacktraceFrameFmt\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Context\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Library\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::Mapping\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::elf::Object\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::mmap::Mmap\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::backtrace_rs::symbolize::gimli::stash::Stash\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::ffi::os_str::OsString\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::fs::File\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::Write::write_fmt::Adapter\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::bufwriter::BufWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::Custom\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::Error\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::ErrorData\\u003calloc::boxed::Box\\u003cstd::io::error::Custom\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::error::repr_bitpacked::Repr\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::stdio::StderrLock\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::io::stdio::StdoutLock\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::os::fd::owned::OwnedFd\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::panicking::begin_panic_handler::PanicPayload\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::path::PathBuf\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::mutex::Mutex\\u003calloc::vec::Vec\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::once::Waiter\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sync::once::WaiterQueue\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::fd::FileDesc\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::fs::File\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys::unix::os_str::Buf\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::backtrace::_print_fmt::{{closure}}\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::mutex::StaticMutexGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::remutex::ReentrantMutexGuard\\u003ccore::cell::RefCell\\u003cstd::io::buffered::linewriter::LineWriter\\u003cstd::io::stdio::StdoutRaw\\u003e\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::remutex::ReentrantMutexGuard\\u003ccore::cell::RefCell\\u003cstd::io::stdio::StderrRaw\\u003e\\u003e\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::rwlock::StaticRwLockReadGuard\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::thread_info::ThreadInfo\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::sys_common::thread_info::set::{{closure}}\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::thread::Inner\\u003e\": {},\n \"core::ptr::drop_in_place\\u003cstd::thread::Thread\\u003e\": {},\n \"core::ptr::drop_in_placecore::iter::traits::iterator::Iterator::for_each::call\\u003cu8,\\u003calloc::vec::Vec\": {},\n \"core::ptr::metadata::from_raw_parts_mut\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::add\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::guaranteed_eq\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::is_null\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::sub_ptr\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::with_addr\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_add\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_byte_offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_byte_sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_offset\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::wrapping_sub\": {},\n \"core::ptr::mut_ptr::\\u003cimpl *mut T\\u003e::write\": {},\n \"core::ptr::non_null::NonNull::as_ref\": {},\n \"core::ptr::null_mut\": {},\n \"core::ptr::read\": {},\n \"core::ptr::read_volatile\": {},\n \"core::ptr::swap\": {},\n \"core::ptr::write\": {},\n \"core::result::Result::and_then\": {},\n \"core::result::Result::as_mut\": {},\n \"core::result::Result::as_ref\": {},\n \"core::result::Result::branch\": {},\n \"core::result::Result::eq\": {},\n \"core::result::Result::expect\": {},\n \"core::result::Result::from_residual\": {},\n \"core::result::Result::is_err\": {},\n \"core::result::Result::is_ok\": {},\n \"core::result::Result::map\": {},\n \"core::result::Result::map_err\": {},\n \"core::result::Result::ok\": {},\n \"core::result::Result::unwrap\": {},\n \"core::result::Result::unwrap_or\": {},\n \"core::result::Result::unwrap_or_default\": {},\n \"core::result::Result::unwrap_or_else\": {},\n \"core::result::Result\\u003cT,()\\u003e::read_error\": {},\n \"core::result::unwrap_failed\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::align_to\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::as_chunks\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by_key\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::binary_search_by_key::{{closure}}\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::chunks_exact\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::copy_from_slice\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::copy_from_slice::len_mismatch_fail\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::ends_with\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::first\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::get_unchecked_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::is_empty\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::iter\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::iter_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::last\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::last_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::reverse\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::reverse::revswap\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::sort_unstable_by_key\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::sort_unstable_by_key::{{closure}}\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_mut\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_mut_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_at_unchecked\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::split_last\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::starts_with\": {},\n \"core::slice::\\u003cimpl [T]\\u003e::swap\": {},\n \"core::slice::cmp::\\u003cimpl core::cmp::PartialEq\\u003c[B]\\u003e for [A]\\u003e::eq\": {},\n \"core::slice::index::\\u003cimpl core::ops::index::Index for [T]\\u003e::index\": {},\n \"core::slice::index::\\u003cimpl core::ops::index::IndexMut for [T]\\u003e::index_mut\": {},\n \"core::slice::index::range\": {},\n \"core::slice::index::slice_end_index_len_fail\": {},\n \"core::slice::index::slice_end_index_len_fail_rt\": {},\n \"core::slice::index::slice_index_order_fail\": {},\n \"core::slice::index::slice_index_order_fail_rt\": {},\n \"core::slice::index::slice_start_index_len_fail\": {},\n \"core::slice::index::slice_start_index_len_fail_rt\": {},\n \"core::slice::iter::\\u003cimpl core::iter::traits::collect::IntoIterator for \\u0026[T]\\u003e::into_iter\": {},\n \"core::slice::iter::Chunks::next\": {},\n \"core::slice::iter::ChunksExact::new\": {},\n \"core::slice::iter::ChunksExact::next\": {},\n \"core::slice::iter::Iter::any\": {},\n \"core::slice::iter::Iter::as_slice\": {},\n \"core::slice::iter::Iter::find\": {},\n \"core::slice::iter::Iter::find_map\": {},\n \"core::slice::iter::Iter::len\": {},\n \"core::slice::iter::Iter::make_slice\": {},\n \"core::slice::iter::Iter::new\": {},\n \"core::slice::iter::Iter::next\": {},\n \"core::slice::iter::Iter::next_back\": {},\n \"core::slice::iter::Iter::position\": {},\n \"core::slice::iter::Iter::post_inc_start\": {},\n \"core::slice::iter::Iter::pre_dec_end\": {},\n \"core::slice::iter::Iter::rposition\": {},\n \"core::slice::iter::Iter::size_hint\": {},\n \"core::slice::iter::IterMut::new\": {},\n \"core::slice::iter::IterMut::next\": {},\n \"core::slice::iter::IterMut::next_back\": {},\n \"core::slice::iter::IterMut::pre_dec_end\": {},\n \"core::slice::memchr::contains_zero_byte\": {},\n \"core::slice::memchr::memchr\": {},\n \"core::slice::memchr::memchr_aligned\": {},\n \"core::slice::memchr::memchr_naive\": {},\n \"core::slice::memchr::repeat_byte\": {},\n \"core::slice::sort::CopyOnDrop::drop\": {},\n \"core::slice::sort::break_patterns\": {},\n \"core::slice::sort::break_patterns::{{closure}}\": {},\n \"core::slice::sort::choose_pivot\": {},\n \"core::slice::sort::choose_pivot::{{closure}}\": {},\n \"core::slice::sort::heapsort\": {},\n \"core::slice::sort::heapsort::{{closure}}\": {},\n \"core::slice::sort::insertion_sort\": {},\n \"core::slice::sort::partial_insertion_sort\": {},\n \"core::slice::sort::partition\": {},\n \"core::slice::sort::partition_equal\": {},\n \"core::slice::sort::partition_in_blocks\": {},\n \"core::slice::sort::partition_in_blocks::width\": {},\n \"core::slice::sort::quicksort\": {},\n \"core::slice::sort::recurse\": {},\n \"core::slice::sort::shift_head\": {},\n \"core::slice::sort::shift_tail\": {},\n \"core::str::\\u003cimpl str\\u003e::bytes\": {},\n \"core::str::\\u003cimpl str\\u003e::char_indices\": {},\n \"core::str::\\u003cimpl str\\u003e::chars\": {},\n \"core::str::\\u003cimpl str\\u003e::contains\": {},\n \"core::str::\\u003cimpl str\\u003e::ends_with\": {},\n \"core::str::\\u003cimpl str\\u003e::find\": {},\n \"core::str::\\u003cimpl str\\u003e::floor_char_boundary\": {},\n \"core::str::\\u003cimpl str\\u003e::floor_char_boundary::{{closure}}\": {},\n \"core::str::\\u003cimpl str\\u003e::get\": {},\n \"core::str::\\u003cimpl str\\u003e::get_unchecked\": {},\n \"core::str::\\u003cimpl str\\u003e::is_char_boundary\": {},\n \"core::str::\\u003cimpl str\\u003e::is_empty\": {},\n \"core::str::\\u003cimpl str\\u003e::parse\": {},\n \"core::str::\\u003cimpl str\\u003e::split\": {},\n \"core::str::\\u003cimpl str\\u003e::starts_with\": {},\n \"core::str::\\u003cimpl str\\u003e::trim_start_matches\": {},\n \"core::str::converts::from_utf8\": {},\n \"core::str::count::char_count_general_case\": {},\n \"core::str::count::char_count_general_case::{{closure}}\": {},\n \"core::str::count::contains_non_continuation_byte\": {},\n \"core::str::count::count_chars\": {},\n \"core::str::count::do_count_chars\": {},\n \"core::str::count::sum_bytes_in_usize\": {},\n \"core::str::error::Utf8Error::error_len\": {},\n \"core::str::error::Utf8Error::fmt\": {},\n \"core::str::iter::Bytes::any\": {},\n \"core::str::iter::Bytes::next\": {},\n \"core::str::iter::Bytes::rposition\": {},\n \"core::str::iter::CharIndices::next\": {},\n \"core::str::iter::Chars::as_str\": {},\n \"core::str::iter::Chars::count\": {},\n \"core::str::iter::Chars::next\": {},\n \"core::str::iter::Split::next\": {},\n \"core::str::iter::SplitInclusive::next\": {},\n \"core::str::iter::SplitInternal::get_end\": {},\n \"core::str::iter::SplitInternal::next\": {},\n \"core::str::iter::SplitInternal::next_inclusive\": {},\n \"core::str::lossy::Utf8Chunks::next\": {},\n \"core::str::lossy::Utf8Chunks::next::safe_get\": {},\n \"core::str::pattern::CharPredicateSearcher::next_match\": {},\n \"core::str::pattern::CharSearcher::next_match\": {},\n \"core::str::pattern::MultiCharEqPattern::into_searcher\": {},\n \"core::str::pattern::MultiCharEqSearcher::next\": {},\n \"core::str::pattern::Pattern::is_contained_in\": {},\n \"core::str::pattern::Searcher::next_match\": {},\n \"core::str::pattern::Searcher::next_reject\": {},\n \"core::str::pattern::StrSearcher::new\": {},\n \"core::str::pattern::StrSearcher::next\": {},\n \"core::str::pattern::StrSearcher::next_match\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_contains\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_create\": {},\n \"core::str::pattern::TwoWaySearcher::byteset_create::{{closure}}\": {},\n \"core::str::pattern::TwoWaySearcher::maximal_suffix\": {},\n \"core::str::pattern::TwoWaySearcher::new\": {},\n \"core::str::pattern::TwoWaySearcher::next\": {},\n \"core::str::pattern::TwoWaySearcher::reverse_maximal_suffix\": {},\n \"core::str::slice_error_fail\": {},\n \"core::str::slice_error_fail_rt\": {},\n \"core::str::traits::\\u003cimpl core::cmp::PartialEq for str\\u003e::eq\": {},\n \"core::str::traits::\\u003cimpl core::ops::index::Index for str\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::get_unchecked\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::Range\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::get_unchecked\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeFrom\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeInclusive\\u003e::index\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\\u003e::get\": {},\n \"core::str::traits::\\u003cimpl core::slice::index::SliceIndex for core::ops::range::RangeTo\\u003e::index\": {},\n \"core::str::traits::str_index_overflow_fail\": {},\n \"core::str::validations::contains_nonascii\": {},\n \"core::str::validations::next_code_point\": {},\n \"core::str::validations::run_utf8_validation\": {},\n \"core::str::validations::utf8_acc_cont_byte\": {},\n \"core::str::validations::utf8_char_width\": {},\n \"core::str::validations::utf8_first_byte\": {},\n \"core::str::validations::utf8_is_cont_byte\": {},\n \"core::sync::atomic::AtomicBool::load\": {},\n \"core::sync::atomic::AtomicBool::store\": {},\n \"core::sync::atomic::AtomicBool::swap\": {},\n \"core::sync::atomic::AtomicPtr::compare_exchange\": {},\n \"core::sync::atomic::AtomicPtr::load\": {},\n \"core::sync::atomic::AtomicPtr::swap\": {},\n \"core::sync::atomic::AtomicU32::compare_exchange\": {},\n \"core::sync::atomic::AtomicU32::compare_exchange_weak\": {},\n \"core::sync::atomic::AtomicU32::fetch_add\": {},\n \"core::sync::atomic::AtomicU32::fetch_sub\": {},\n \"core::sync::atomic::AtomicU32::load\": {},\n \"core::sync::atomic::AtomicU32::swap\": {},\n \"core::sync::atomic::AtomicU64::compare_exchange_weak\": {},\n \"core::sync::atomic::AtomicU64::load\": {},\n \"core::sync::atomic::AtomicU8::load\": {},\n \"core::sync::atomic::AtomicU8::store\": {},\n \"core::sync::atomic::AtomicUsize::compare_exchange\": {},\n \"core::sync::atomic::AtomicUsize::fetch_add\": {},\n \"core::sync::atomic::AtomicUsize::fetch_sub\": {},\n \"core::sync::atomic::AtomicUsize::load\": {},\n \"core::sync::atomic::AtomicUsize::store\": {},\n \"core::sync::atomic::atomic_add\": {},\n \"core::sync::atomic::atomic_compare_exchange\": {},\n \"core::sync::atomic::atomic_compare_exchange_weak\": {},\n \"core::sync::atomic::atomic_load\": {},\n \"core::sync::atomic::atomic_store\": {},\n \"core::sync::atomic::atomic_sub\": {},\n \"core::sync::atomic::atomic_swap\": {},\n \"core::time::Duration::new\": {},\n \"core::unicode::printable::check\": {},\n \"core::unicode::printable::is_printable\": {},\n \"core::unicode::unicode_data::cc::lookup\": {},\n \"core::unicode::unicode_data::decode_length\": {},\n \"core::unicode::unicode_data::decode_prefix_sum\": {},\n \"core::unicode::unicode_data::grapheme_extend::lookup\": {},\n \"core::unicode::unicode_data::skip_search\": {},\n \"core::unicode::unicode_data::skip_search::{{closure}}\": {},\n \"crc32fast::Hasher::default\": {},\n \"crc32fast::Hasher::internal_new_baseline\": {},\n \"crc32fast::Hasher::new\": {},\n \"crc32fast::Hasher::new_with_initial\": {},\n \"crc32fast::Hasher::new_with_initial_len\": {},\n \"crc32fast::Hasher::new_with_initial_len::{{closure}}\": {},\n \"crc32fast::Hasher::update\": {},\n \"crc32fast::baseline::State::update\": {},\n \"crc32fast::baseline::update_fast_16\": {},\n \"crc32fast::baseline::update_slow\": {},\n \"crc32fast::specialized::pclmulqdq::State::update\": {},\n \"crc32fast::specialized::pclmulqdq::calculate\": {},\n \"crc32fast::specialized::pclmulqdq::get\": {},\n \"crc32fast::specialized::pclmulqdq::reduce128\": {},\n \"gimli::common::DebugInfoOffset::cmp\": {},\n \"gimli::common::DebugInfoOffset::eq\": {},\n \"gimli::common::DebugInfoOffset::partial_cmp\": {},\n \"gimli::common::DebugLineOffset::clone\": {},\n \"gimli::common::DwarfFileType::eq\": {},\n \"gimli::common::Encoding::clone\": {},\n \"gimli::common::Format::eq\": {},\n \"gimli::common::Format::initial_length_size\": {},\n \"gimli::common::LineEncoding::clone\": {},\n \"gimli::constants::DwChildren::eq\": {},\n \"gimli::constants::DwForm::eq\": {},\n \"gimli::constants::DwLnct::eq\": {},\n \"gimli::constants::DwTag::eq\": {},\n \"gimli::leb128::low_bits_of_byte\": {},\n \"gimli::leb128::read::signed\": {},\n \"gimli::leb128::read::u16\": {},\n \"gimli::leb128::read::unsigned\": {},\n \"gimli::read::Error::clone\": {},\n \"gimli::read::Section::load\": {},\n \"gimli::read::abbrev::Abbreviation::attributes\": {},\n \"gimli::read::abbrev::Abbreviation::has_children\": {},\n \"gimli::read::abbrev::Abbreviation::parse\": {},\n \"gimli::read::abbrev::Abbreviation::parse_attributes\": {},\n \"gimli::read::abbrev::Abbreviation::parse_has_children\": {},\n \"gimli::read::abbrev::Abbreviation::parse_tag\": {},\n \"gimli::read::abbrev::Abbreviation::tag\": {},\n \"gimli::read::abbrev::Abbreviations::get\": {},\n \"gimli::read::abbrev::Abbreviations::parse\": {},\n \"gimli::read::abbrev::AttributeSpecification::form\": {},\n \"gimli::read::abbrev::AttributeSpecification::implicit_const_value\": {},\n \"gimli::read::abbrev::AttributeSpecification::name\": {},\n \"gimli::read::abbrev::AttributeSpecification::parse\": {},\n \"gimli::read::abbrev::AttributeSpecification::parse_form\": {},\n \"gimli::read::abbrev::DebugAbbrev::abbreviations\": {},\n \"gimli::read::addr::DebugAddr::get_address\": {},\n \"gimli::read::aranges::ArangeEntry::parse\": {},\n \"gimli::read::aranges::ArangeEntryIter::next\": {},\n \"gimli::read::aranges::ArangeHeader::parse\": {},\n \"gimli::read::aranges::ArangeHeaderIter::next\": {},\n \"gimli::read::aranges::DebugAranges::header\": {},\n \"gimli::read::aranges::DebugAranges::headers\": {},\n \"gimli::read::dwarf::Dwarf::address\": {},\n \"gimli::read::dwarf::Dwarf::attr_address\": {},\n \"gimli::read::dwarf::Dwarf::attr_ranges_offset\": {},\n \"gimli::read::dwarf::Dwarf::attr_string\": {},\n \"gimli::read::dwarf::Dwarf::load\": {},\n \"gimli::read::dwarf::Dwarf::load_sup\": {},\n \"gimli::read::dwarf::Dwarf::ranges\": {},\n \"gimli::read::dwarf::Dwarf::ranges_offset\": {},\n \"gimli::read::dwarf::Dwarf::ranges_offset_from_raw\": {},\n \"gimli::read::dwarf::Dwarf::sup\": {},\n \"gimli::read::dwarf::Dwarf::unit\": {},\n \"gimli::read::dwarf::Dwarf::units\": {},\n \"gimli::read::dwarf::Unit::encoding\": {},\n \"gimli::read::dwarf::Unit::entries_raw\": {},\n \"gimli::read::dwarf::Unit::new\": {},\n \"gimli::read::endian_slice::EndianSlice::empty\": {},\n \"gimli::read::endian_slice::EndianSlice::find\": {},\n \"gimli::read::endian_slice::EndianSlice::find::{{closure}}\": {},\n \"gimli::read::endian_slice::EndianSlice::is_empty\": {},\n \"gimli::read::endian_slice::EndianSlice::offset_from\": {},\n \"gimli::read::endian_slice::EndianSlice::offset_id\": {},\n \"gimli::read::endian_slice::EndianSlice::read_slice\": {},\n \"gimli::read::endian_slice::EndianSlice::skip\": {},\n \"gimli::read::endian_slice::EndianSlice::split\": {},\n \"gimli::read::endian_slice::EndianSlice::to_string_lossy\": {},\n \"gimli::read::endian_slice::EndianSlice::truncate\": {},\n \"gimli::read::line::DebugLine::program\": {},\n \"gimli::read::line::FileEntry::clone\": {},\n \"gimli::read::line::FileEntry::directory\": {},\n \"gimli::read::line::FileEntry::parse\": {},\n \"gimli::read::line::FileEntry::path_name\": {},\n \"gimli::read::line::FileEntryFormat::parse\": {},\n \"gimli::read::line::IncompleteLineProgram::add_file\": {},\n \"gimli::read::line::IncompleteLineProgram::clone\": {},\n \"gimli::read::line::IncompleteLineProgram::rows\": {},\n \"gimli::read::line::LineInstruction::parse\": {},\n \"gimli::read::line::LineInstructions::next_instruction\": {},\n \"gimli::read::line::LineProgramHeader::clone\": {},\n \"gimli::read::line::LineProgramHeader::directory\": {},\n \"gimli::read::line::LineProgramHeader::file\": {},\n \"gimli::read::line::LineProgramHeader::parse\": {},\n \"gimli::read::line::LineProgramHeader::parse::{{closure}}\": {},\n \"gimli::read::line::LineRow::address\": {},\n \"gimli::read::line::LineRow::adjust_opcode\": {},\n \"gimli::read::line::LineRow::apply_operation_advance\": {},\n \"gimli::read::line::LineRow::end_sequence\": {},\n \"gimli::read::line::LineRow::exec_special_opcode\": {},\n \"gimli::read::line::LineRow::execute\": {},\n \"gimli::read::line::LineRow::file_index\": {},\n \"gimli::read::line::LineRow::line\": {},\n \"gimli::read::line::LineRow::new\": {},\n \"gimli::read::line::LineRow::reset\": {},\n \"gimli::read::line::LineRows::new\": {},\n \"gimli::read::line::LineRows::next_row\": {},\n \"gimli::read::line::parse_attribute\": {},\n \"gimli::read::line::parse_directory_v5\": {},\n \"gimli::read::line::parse_file_v5\": {},\n \"gimli::read::loclists::\\u003cimpl gimli::common::DebugLocListsBase\\u003e::default_for_encoding_and_file\": {},\n \"gimli::read::reader::Reader::read_address\": {},\n \"gimli::read::reader::Reader::read_i8\": {},\n \"gimli::read::reader::Reader::read_initial_length\": {},\n \"gimli::read::reader::Reader::read_length\": {},\n \"gimli::read::reader::Reader::read_null_terminated_slice\": {},\n \"gimli::read::reader::Reader::read_offset\": {},\n \"gimli::read::reader::Reader::read_sized_offset\": {},\n \"gimli::read::reader::Reader::read_sleb128\": {},\n \"gimli::read::reader::Reader::read_u16\": {},\n \"gimli::read::reader::Reader::read_u32\": {},\n \"gimli::read::reader::Reader::read_u64\": {},\n \"gimli::read::reader::Reader::read_u8\": {},\n \"gimli::read::reader::Reader::read_u8_array\": {},\n \"gimli::read::reader::Reader::read_uint\": {},\n \"gimli::read::reader::Reader::read_uleb128\": {},\n \"gimli::read::reader::Reader::read_uleb128_u16\": {},\n \"gimli::read::reader::Reader::read_word\": {},\n \"gimli::read::rnglists::Range::add_base_address\": {},\n \"gimli::read::rnglists::RangeLists::get_offset\": {},\n \"gimli::read::rnglists::RangeLists::get_offset::{{closure}}\": {},\n \"gimli::read::rnglists::RangeLists::ranges\": {},\n \"gimli::read::rnglists::RangeLists::raw_ranges\": {},\n \"gimli::read::rnglists::RawRange::is_base_address\": {},\n \"gimli::read::rnglists::RawRange::is_end\": {},\n \"gimli::read::rnglists::RawRange::parse\": {},\n \"gimli::read::rnglists::RawRngListEntry::parse\": {},\n \"gimli::read::rnglists::RawRngListIter::next\": {},\n \"gimli::read::rnglists::RngListIter::get_address\": {},\n \"gimli::read::rnglists::RngListIter::next\": {},\n \"gimli::read::str::\\u003cimpl gimli::common::DebugStrOffsetsBase\\u003e::default_for_encoding_and_file\": {},\n \"gimli::read::str::DebugLineStr::get_str\": {},\n \"gimli::read::str::DebugStr::get_str\": {},\n \"gimli::read::str::DebugStrOffsets::get_str_offset\": {},\n \"gimli::read::unit::Attribute::exprloc_value\": {},\n \"gimli::read::unit::Attribute::offset_value\": {},\n \"gimli::read::unit::Attribute::u16_value\": {},\n \"gimli::read::unit::Attribute::u8_value\": {},\n \"gimli::read::unit::Attribute::udata_value\": {},\n \"gimli::read::unit::Attribute::value\": {},\n \"gimli::read::unit::AttributeValue::clone\": {},\n \"gimli::read::unit::AttributeValue::exprloc_value\": {},\n \"gimli::read::unit::AttributeValue::offset_value\": {},\n \"gimli::read::unit::AttributeValue::u16_value\": {},\n \"gimli::read::unit::AttributeValue::u8_value\": {},\n \"gimli::read::unit::AttributeValue::udata_value\": {},\n \"gimli::read::unit::AttrsIter::next\": {},\n \"gimli::read::unit::DebugInfoUnitHeadersIter::next\": {},\n \"gimli::read::unit::DebuggingInformationEntry::attrs\": {},\n \"gimli::read::unit::DebuggingInformationEntry::has_children\": {},\n \"gimli::read::unit::DebuggingInformationEntry::parse\": {},\n \"gimli::read::unit::EntriesCursor::next_dfs\": {},\n \"gimli::read::unit::EntriesCursor::next_entry\": {},\n \"gimli::read::unit::EntriesRaw::is_empty\": {},\n \"gimli::read::unit::EntriesRaw::next_depth\": {},\n \"gimli::read::unit::EntriesRaw::next_offset\": {},\n \"gimli::read::unit::EntriesRaw::read_abbreviation\": {},\n \"gimli::read::unit::EntriesRaw::read_attribute\": {},\n \"gimli::read::unit::UnitHeader::abbreviations\": {},\n \"gimli::read::unit::UnitHeader::entries\": {},\n \"gimli::read::unit::UnitHeader::entries_raw\": {},\n \"gimli::read::unit::UnitHeader::header_size\": {},\n \"gimli::read::unit::UnitHeader::is_valid_offset\": {},\n \"gimli::read::unit::UnitHeader::length_including_self\": {},\n \"gimli::read::unit::UnitHeader::range_from\": {},\n \"gimli::read::unit::length_u16_value\": {},\n \"gimli::read::unit::length_u32_value\": {},\n \"gimli::read::unit::length_u8_value\": {},\n \"gimli::read::unit::length_uleb128_value\": {},\n \"gimli::read::unit::parse_attribute\": {},\n \"gimli::read::unit::parse_debug_abbrev_offset\": {},\n \"gimli::read::unit::parse_dwo_id\": {},\n \"gimli::read::unit::parse_unit_header\": {},\n \"gimli::read::unit::parse_unit_type\": {},\n \"i32::is_minus_one\": {},\n \"isize::is_minus_one\": {},\n \"libc::unix::linux_like::linux::gnu::\\u003cimpl libc::unix::linux_like::linux::gnu::b64::x86_64::siginfo_t\\u003e::si_addr\": {},\n \"libc::unix::linux_like::linux::makedev\": {},\n \"libflate::bit::BitReader::check_last_error\": {},\n \"libflate::bit::BitReader::fill_next_u8\": {},\n \"libflate::bit::BitReader::peek_bits_unchecked\": {},\n \"libflate::bit::BitReader::read_bit\": {},\n \"libflate::bit::BitReader::read_bits\": {},\n \"libflate::bit::BitReader::read_bits_unchecked\": {},\n \"libflate::bit::BitReader::reset\": {},\n \"libflate::bit::BitReader::set_last_error\": {},\n \"libflate::bit::BitReader::skip_bits\": {},\n \"libflate::checksum::Crc32::new\": {},\n \"libflate::checksum::Crc32::update\": {},\n \"libflate::deflate::decode::Decoder::read\": {},\n \"libflate::deflate::decode::Decoder::read_compressed_block\": {},\n \"libflate::deflate::decode::Decoder::read_non_compressed_block\": {},\n \"libflate::deflate::decode::Decoder::read_non_compressed_block::{{closure}}\": {},\n \"libflate::deflate::decode::Decoder::reset\": {},\n \"libflate::deflate::symbol::Decoder::decode_distance\": {},\n \"libflate::deflate::symbol::Decoder::decode_literal_or_length\": {},\n \"libflate::deflate::symbol::Decoder::decode_unchecked\": {},\n \"libflate::deflate::symbol::DynamicHuffmanCodec::load\": {},\n \"libflate::deflate::symbol::DynamicHuffmanCodec::load::{{closure}}\": {},\n \"libflate::deflate::symbol::FixedHuffmanCodec::load\": {},\n \"libflate::deflate::symbol::FixedHuffmanCodec::load::{{closure}}\": {},\n \"libflate::deflate::symbol::load_bitwidthes\": {},\n \"libflate::deflate::symbol::load_bitwidthes::{{closure}}\": {},\n \"libflate::gzip::CompressionLevel::clone\": {},\n \"libflate::gzip::CompressionLevel::from_u8\": {},\n \"libflate::gzip::CompressionLevel::to_u8\": {},\n \"libflate::gzip::Decoder::as_inner_mut\": {},\n \"libflate::gzip::Decoder::new\": {},\n \"libflate::gzip::Decoder::read\": {},\n \"libflate::gzip::Decoder::reset\": {},\n \"libflate::gzip::ExtraField::clone\": {},\n \"libflate::gzip::ExtraField::read_from\": {},\n \"libflate::gzip::ExtraField::write_to\": {},\n \"libflate::gzip::ExtraSubField::clone\": {},\n \"libflate::gzip::ExtraSubField::read_from\": {},\n \"libflate::gzip::ExtraSubField::write_to\": {},\n \"libflate::gzip::Header::clone\": {},\n \"libflate::gzip::Header::crc16\": {},\n \"libflate::gzip::Header::flags\": {},\n \"libflate::gzip::Header::read_from\": {},\n \"libflate::gzip::Header::write_to\": {},\n \"libflate::gzip::HeaderBuilder::finish\": {},\n \"libflate::gzip::HeaderBuilder::new\": {},\n \"libflate::gzip::MultiDecoder::as_inner_mut\": {},\n \"libflate::gzip::MultiDecoder::new\": {},\n \"libflate::gzip::MultiDecoder::read\": {},\n \"libflate::gzip::Os::from_u8\": {},\n \"libflate::gzip::Os::to_u8\": {},\n \"libflate::gzip::read_cstring\": {},\n \"libflate::huffman::Builder::restore_canonical_huffman_codes\": {},\n \"libflate::huffman::Builder::restore_canonical_huffman_codes::{{closure}}\": {},\n \"libflate::huffman::Code::fmt\": {},\n \"libflate::huffman::Code::inverse_endian\": {},\n \"libflate::huffman::Decoder::decode\": {},\n \"libflate::huffman::Decoder::decode_unchecked\": {},\n \"libflate::huffman::DecoderBuilder::finish\": {},\n \"libflate::huffman::DecoderBuilder::from_bitwidthes\": {},\n \"libflate::huffman::DecoderBuilder::new\": {},\n \"libflate::huffman::DecoderBuilder::safely_peek_bitwidth\": {},\n \"libflate::huffman::DecoderBuilder::set_mapping\": {},\n \"libflate_lz77::Lz77Decoder::buffer\": {},\n \"libflate_lz77::Lz77Decoder::decode\": {},\n \"libflate_lz77::Lz77Decoder::extend_from_reader\": {},\n \"libflate_lz77::Lz77Decoder::read\": {},\n \"libflate_lz77::Lz77Decoder::truncate_old_buffer\": {},\n \"miniz_oxide::inflate::TINFLStatus::eq\": {},\n \"object::elf::CompressionHeader64::ch_size\": {},\n \"object::elf::Sym64::st_name\": {},\n \"object::elf::Sym64::st_type\": {},\n \"object::elf::Sym64::st_value\": {},\n \"object::endian::Endian::read_u32_bytes\": {},\n \"object::endian::U32Bytes::get\": {},\n \"object::pod::from_bytes\": {},\n \"object::pod::slice_from_bytes\": {},\n \"object::read::elf::file::FileHeader::endian\": {},\n \"object::read::elf::file::FileHeader::is_big_endian\": {},\n \"object::read::elf::file::FileHeader::is_supported\": {},\n \"object::read::elf::file::FileHeader::parse\": {},\n \"object::read::elf::file::FileHeader::section_0\": {},\n \"object::read::elf::file::FileHeader::section_headers\": {},\n \"object::read::elf::file::FileHeader::section_strings\": {},\n \"object::read::elf::file::FileHeader::sections\": {},\n \"object::read::elf::file::FileHeader::shnum\": {},\n \"object::read::elf::file::FileHeader::shstrndx\": {},\n \"object::read::elf::note::Note::name\": {},\n \"object::read::elf::note::NoteIterator::new\": {},\n \"object::read::elf::note::NoteIterator::next\": {},\n \"object::read::elf::section::SectionHeader::data\": {},\n \"object::read::elf::section::SectionHeader::data_as_array\": {},\n \"object::read::elf::section::SectionHeader::file_range\": {},\n \"object::read::elf::section::SectionHeader::name\": {},\n \"object::read::elf::section::SectionHeader::notes\": {},\n \"object::read::elf::section::SectionTable::iter\": {},\n \"object::read::elf::section::SectionTable::section\": {},\n \"object::read::elf::section::SectionTable::section_by_name\": {},\n \"object::read::elf::section::SectionTable::section_by_name::{{closure}}\": {},\n \"object::read::elf::section::SectionTable::section_name\": {},\n \"object::read::elf::section::SectionTable::symbols\": {},\n \"object::read::elf::section::SectionTable::symbols::{{closure}}\": {},\n \"object::read::elf::symbol::SymbolTable::iter\": {},\n \"object::read::elf::symbol::SymbolTable::parse\": {},\n \"object::read::elf::symbol::SymbolTable::parse::{{closure}}\": {},\n \"object::read::read_ref::ReadRef::read\": {},\n \"object::read::read_ref::ReadRef::read_at\": {},\n \"object::read::read_ref::ReadRef::read_bytes\": {},\n \"object::read::read_ref::ReadRef::read_slice\": {},\n \"object::read::read_ref::ReadRef::read_slice_at\": {},\n \"object::read::util::Bytes::read\": {},\n \"object::read::util::Bytes::read_at\": {},\n \"object::read::util::Bytes::read_bytes\": {},\n \"object::read::util::Bytes::read_bytes_at\": {},\n \"object::read::util::Bytes::read_slice\": {},\n \"object::read::util::Bytes::skip\": {},\n \"object::read::util::StringTable::get\": {},\n \"object::read::util::align\": {},\n \"panic_unwind::real_imp::cleanup\": {},\n \"panic_unwind::real_imp::panic\": {},\n \"panic_unwind::real_imp::panic::exception_cleanup\": {},\n \"rle_decode_fast::append_from_within\": {},\n \"rle_decode_fast::lookbehind_length_fail\": {},\n \"rle_decode_fast::rle_decode\": {},\n \"rustc_demangle::Demangle::fmt\": {},\n \"rustc_demangle::DemangleStyle::fmt\": {},\n \"rustc_demangle::SizeLimitExhausted::fmt\": {},\n \"rustc_demangle::SizeLimitedFmtAdapter::write_str\": {},\n \"rustc_demangle::demangle\": {},\n \"rustc_demangle::demangle::{{closure}}\": {},\n \"rustc_demangle::is_ascii_punctuation\": {},\n \"rustc_demangle::is_symbol_like\": {},\n \"rustc_demangle::is_symbol_like::{{closure}}\": {},\n \"rustc_demangle::legacy::Demangle::fmt\": {},\n \"rustc_demangle::legacy::Demangle::fmt::{{closure}}\": {},\n \"rustc_demangle::legacy::demangle\": {},\n \"rustc_demangle::legacy::demangle::{{closure}}\": {},\n \"rustc_demangle::legacy::is_rust_hash\": {},\n \"rustc_demangle::legacy::is_rust_hash::{{closure}}\": {},\n \"rustc_demangle::try_demangle\": {},\n \"rustc_demangle::v0::Demangle::fmt\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_str_chars::{{closure}}::{{closure}}::utf8_len_from_first_byte\": {},\n \"rustc_demangle::v0::HexNibbles::try_parse_uint\": {},\n \"rustc_demangle::v0::Ident::fmt\": {},\n \"rustc_demangle::v0::Ident::fmt::{{closure}}\": {},\n \"rustc_demangle::v0::Ident::punycode_decode\": {},\n \"rustc_demangle::v0::Ident::try_small_punycode_decode\": {},\n \"rustc_demangle::v0::Ident::try_small_punycode_decode::{{closure}}\": {},\n \"rustc_demangle::v0::ParseError::message\": {},\n \"rustc_demangle::v0::Parser::backref\": {},\n \"rustc_demangle::v0::Parser::digit_10\": {},\n \"rustc_demangle::v0::Parser::digit_62\": {},\n \"rustc_demangle::v0::Parser::disambiguator\": {},\n \"rustc_demangle::v0::Parser::eat\": {},\n \"rustc_demangle::v0::Parser::hex_nibbles\": {},\n \"rustc_demangle::v0::Parser::ident\": {},\n \"rustc_demangle::v0::Parser::ident::{{closure}}\": {},\n \"rustc_demangle::v0::Parser::integer_62\": {},\n \"rustc_demangle::v0::Parser::namespace\": {},\n \"rustc_demangle::v0::Parser::next\": {},\n \"rustc_demangle::v0::Parser::opt_integer_62\": {},\n \"rustc_demangle::v0::Parser::peek\": {},\n \"rustc_demangle::v0::Parser::pop_depth\": {},\n \"rustc_demangle::v0::Parser::push_depth\": {},\n \"rustc_demangle::v0::Printer::eat\": {},\n \"rustc_demangle::v0::Printer::eat::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::in_binder\": {},\n \"rustc_demangle::v0::Printer::pop_depth\": {},\n \"rustc_demangle::v0::Printer::print\": {},\n \"rustc_demangle::v0::Printer::print_backref\": {},\n \"rustc_demangle::v0::Printer::print_const\": {},\n \"rustc_demangle::v0::Printer::print_const::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_const_str_literal\": {},\n \"rustc_demangle::v0::Printer::print_const_uint\": {},\n \"rustc_demangle::v0::Printer::print_dyn_trait\": {},\n \"rustc_demangle::v0::Printer::print_generic_arg\": {},\n \"rustc_demangle::v0::Printer::print_lifetime_from_index\": {},\n \"rustc_demangle::v0::Printer::print_path\": {},\n \"rustc_demangle::v0::Printer::print_path::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_path_maybe_open_generics\": {},\n \"rustc_demangle::v0::Printer::print_path_maybe_open_generics::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::print_quoted_escaped_chars\": {},\n \"rustc_demangle::v0::Printer::print_sep_list\": {},\n \"rustc_demangle::v0::Printer::print_type\": {},\n \"rustc_demangle::v0::Printer::print_type::{{closure}}\": {},\n \"rustc_demangle::v0::Printer::skipping_printing\": {},\n \"rustc_demangle::v0::basic_type\": {},\n \"rustc_demangle::v0::demangle\": {},\n \"rustc_demangle::v0::demangle::{{closure}}\": {},\n \"smallvec::SmallVec::deref\": {},\n \"smallvec::SmallVec::drop\": {},\n \"smallvec::SmallVec::fmt\": {},\n \"smallvec::SmallVec::insert_many\": {},\n \"smallvec::SmallVec::push\": {},\n \"smallvec::SmallVec::set_len\": {},\n \"smallvec::SmallVec::spilled\": {},\n \"smallvec::SmallVec::triple\": {},\n \"smallvec::SmallVecData::heap\": {},\n \"smallvec::SmallVecData::inline\": {},\n \"std::alloc::default_alloc_error_hook\": {},\n \"std::backtrace_rs::backtrace::Frame::ip\": {},\n \"std::backtrace_rs::backtrace::libunwind::Frame::ip\": {},\n \"std::backtrace_rs::backtrace::libunwind::trace\": {},\n \"std::backtrace_rs::backtrace::libunwind::trace::trace_fn\": {},\n \"std::backtrace_rs::backtrace::trace_unsynchronized\": {},\n \"std::backtrace_rs::print::BacktraceFmt::new\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::drop\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_fileline\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw_generic\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::print_raw_with_column\": {},\n \"std::backtrace_rs::print::BacktraceFrameFmt::symbol\": {},\n \"std::backtrace_rs::print::PrintFmt::eq\": {},\n \"std::backtrace_rs::symbolize::ResolveWhat::address_or_ip\": {},\n \"std::backtrace_rs::symbolize::Symbol::colno\": {},\n \"std::backtrace_rs::symbolize::Symbol::filename_raw\": {},\n \"std::backtrace_rs::symbolize::Symbol::lineno\": {},\n \"std::backtrace_rs::symbolize::Symbol::name\": {},\n \"std::backtrace_rs::symbolize::SymbolName::as_str\": {},\n \"std::backtrace_rs::symbolize::SymbolName::as_str::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::SymbolName::fmt\": {},\n \"std::backtrace_rs::symbolize::format_symbol_name\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::avma_to_svma::{{closure}}::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::mapping_for_lib::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::new\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::with_global\": {},\n \"std::backtrace_rs::symbolize::gimli::Cache::with_global::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Context::new\": {},\n \"std::backtrace_rs::symbolize::gimli::Context::new::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::Mapping::mk_or_other\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::colno\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::filename_raw\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::lineno\": {},\n \"std::backtrace_rs::symbolize::gimli::Symbol::name\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new_debug\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::\\u003cimpl std::backtrace_rs::symbolize::gimli::Mapping\\u003e::new_debug::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::build_id\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debugaltlink_path::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::gnu_debuglink_path::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::parse\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::parse::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::search_symtab\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::Object::section_header\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::debug_path_exists\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::decompress_zlib\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::hex\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_build_id\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_debugaltlink\": {},\n \"std::backtrace_rs::symbolize::gimli::elf::locate_debuglink\": {},\n \"std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::callback\": {},\n \"std::backtrace_rs::symbolize::gimli::libs_dl_iterate_phdr::native_libraries\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap::Mmap::drop\": {},\n \"std::backtrace_rs::symbolize::gimli::mmap::Mmap::map\": {},\n \"std::backtrace_rs::symbolize::gimli::resolve\": {},\n \"std::backtrace_rs::symbolize::gimli::resolve::{{closure}}\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::allocate\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::new\": {},\n \"std::backtrace_rs::symbolize::gimli::stash::Stash::set_mmap_aux\": {},\n \"std::backtrace_rs::symbolize::resolve_frame_unsynchronized\": {},\n \"std::env::current_dir\": {},\n \"std::env::current_exe\": {},\n \"std::env::var_os\": {},\n \"std::ffi::os_str::OsStr::display\": {},\n \"std::ffi::os_str::OsStr::eq\": {},\n \"std::ffi::os_str::OsStr::to_os_string\": {},\n \"std::ffi::os_str::OsStr::to_owned\": {},\n \"std::ffi::os_str::OsStr::to_str\": {},\n \"std::ffi::os_str::OsString::eq\": {},\n \"std::ffi::os_str::OsString::push\": {},\n \"std::ffi::os_str::OsString::with_capacity\": {},\n \"std::fs::File::metadata\": {},\n \"std::fs::File::open\": {},\n \"std::fs::FileType::is_dir\": {},\n \"std::fs::FileType::is_file\": {},\n \"std::fs::Metadata::is_dir\": {},\n \"std::fs::Metadata::is_file\": {},\n \"std::fs::OpenOptions::open\": {},\n \"std::fs::canonicalize\": {},\n \"std::fs::metadata\": {},\n \"std::fs::read_link\": {},\n \"std::io::Read::read_exact\": {},\n \"std::io::Read::read_to_end\": {},\n \"std::io::Take::read\": {},\n \"std::io::Take::read_buf\": {},\n \"std::io::Write::write_all\": {},\n \"std::io::Write::write_fmt\": {},\n \"std::io::Write::write_fmt::Adapter::write_str\": {},\n \"std::io::buffered::bufwriter::BufWriter::drop\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::consume\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::done\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::drop\": {},\n \"std::io::buffered::bufwriter::BufWriter::flush_buf::BufGuard::remaining\": {},\n \"std::io::buffered::bufwriter::BufWriter::spare_capacity\": {},\n \"std::io::buffered::bufwriter::BufWriter::with_capacity\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_all\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_all_cold\": {},\n \"std::io::buffered::bufwriter::BufWriter::write_to_buffer_unchecked\": {},\n \"std::io::buffered::linewriter::LineWriter::new\": {},\n \"std::io::buffered::linewriter::LineWriter::with_capacity\": {},\n \"std::io::buffered::linewriter::LineWriter::write_all\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::buffered\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::flush_if_completed_line\": {},\n \"std::io::buffered::linewritershim::LineWriterShim::write_all\": {},\n \"std::io::default_read_exact\": {},\n \"std::io::default_read_to_end\": {},\n \"std::io::error::\\u003cimpl core::fmt::Debug for std::io::error::repr_bitpacked::Repr\\u003e::fmt\": {},\n \"std::io::error::Custom::fmt\": {},\n \"std::io::error::Error::fmt\": {},\n \"std::io::error::Error::from\": {},\n \"std::io::error::Error::from_raw_os_error\": {},\n \"std::io::error::Error::kind\": {},\n \"std::io::error::Error::last_os_error\": {},\n \"std::io::error::Error::new\": {},\n \"std::io::error::ErrorKind::eq\": {},\n \"std::io::error::ErrorKind::fmt\": {},\n \"std::io::error::repr_bitpacked::Repr::data\": {},\n \"std::io::error::repr_bitpacked::Repr::drop\": {},\n \"std::io::error::repr_bitpacked::Repr::new_custom\": {},\n \"std::io::error::repr_bitpacked::Repr::new_os\": {},\n \"std::io::error::repr_bitpacked::decode_repr\": {},\n \"std::io::error::repr_bitpacked::kind_from_prim\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read_buf\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026[u8]\\u003e::read_exact\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read_buf\": {},\n \"std::io::impls::\\u003cimpl std::io::Read for \\u0026mut R\\u003e::read_exact\": {},\n \"std::io::impls::\\u003cimpl std::io::Write for \\u0026mut W\\u003e::write_all\": {},\n \"std::io::impls::\\u003cimpl std::io::Write for alloc::vec::Vec\\u003e::write_all\": {},\n \"std::io::readbuf::BorrowedBuf::filled\": {},\n \"std::io::readbuf::BorrowedCursor::append\": {},\n \"std::io::readbuf::BorrowedCursor::init_ref\": {},\n \"std::io::readbuf::BorrowedCursor::set_init\": {},\n \"std::io::stdio::Stderr::lock\": {},\n \"std::io::stdio::Stderr::write_fmt\": {},\n \"std::io::stdio::StderrLock::write_all\": {},\n \"std::io::stdio::StderrRaw::write_all\": {},\n \"std::io::stdio::Stdout::lock\": {},\n \"std::io::stdio::Stdout::write_fmt\": {},\n \"std::io::stdio::StdoutLock::write_all\": {},\n \"std::io::stdio::StdoutRaw::write\": {},\n \"std::io::stdio::StdoutRaw::write_all\": {},\n \"std::io::stdio::cleanup\": {},\n \"std::io::stdio::cleanup::{{closure}}\": {},\n \"std::io::stdio::eprint\": {},\n \"std::io::stdio::handle_ebadf\": {},\n \"std::io::stdio::print\": {},\n \"std::io::stdio::print_to\": {},\n \"std::io::stdio::stdout\": {},\n \"std::io::stdio::stdout::{{closure}}\": {},\n \"std::os::fd::owned::OwnedFd::drop\": {},\n \"std::panic::BacktraceStyle::as_usize\": {},\n \"std::panic::BacktraceStyle::from_usize\": {},\n \"std::panic::get_backtrace_style\": {},\n \"std::panic::get_backtrace_style::{{closure}}\": {},\n \"std::panic::set_backtrace_style\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::fill\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::fill::{{closure}}\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::get\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::new\": {},\n \"std::panicking::begin_panic_handler::PanicPayload::take_box\": {},\n \"std::panicking::begin_panic_handler::StrPanicPayload::get\": {},\n \"std::panicking::begin_panic_handler::StrPanicPayload::take_box\": {},\n \"std::panicking::begin_panic_handler::{{closure}}\": {},\n \"std::panicking::default_hook\": {},\n \"std::panicking::default_hook::{{closure}}\": {},\n \"std::panicking::panic_count::increase\": {},\n \"std::panicking::panic_count::increase::{{closure}}\": {},\n \"std::panicking::rust_panic_with_hook\": {},\n \"std::path::\\u003cimpl core::convert::AsRef\\u003cstd::path::Path\\u003e for std::ffi::os_str::OsString\\u003e::as_ref\": {},\n \"std::path::Component::eq\": {},\n \"std::path::Components::as_path\": {},\n \"std::path::Components::clone\": {},\n \"std::path::Components::eq\": {},\n \"std::path::Components::finished\": {},\n \"std::path::Components::has_root\": {},\n \"std::path::Components::include_cur_dir\": {},\n \"std::path::Components::is_sep_byte\": {},\n \"std::path::Components::len_before_body\": {},\n \"std::path::Components::next\": {},\n \"std::path::Components::next_back\": {},\n \"std::path::Components::parse_next_component\": {},\n \"std::path::Components::parse_next_component::{{closure}}\": {},\n \"std::path::Components::parse_next_component_back\": {},\n \"std::path::Components::parse_next_component_back::{{closure}}\": {},\n \"std::path::Components::parse_single_component\": {},\n \"std::path::Components::prefix_len\": {},\n \"std::path::Components::prefix_remaining\": {},\n \"std::path::Components::prefix_verbatim\": {},\n \"std::path::Components::trim_left\": {},\n \"std::path::Components::trim_right\": {},\n \"std::path::Display::fmt\": {},\n \"std::path::Path::components\": {},\n \"std::path::Path::has_root\": {},\n \"std::path::Path::is_absolute\": {},\n \"std::path::Path::is_dir\": {},\n \"std::path::Path::is_dir::{{closure}}\": {},\n \"std::path::Path::is_file\": {},\n \"std::path::Path::is_file::{{closure}}\": {},\n \"std::path::Path::parent\": {},\n \"std::path::Path::parent::{{closure}}\": {},\n \"std::path::Path::strip_prefix\": {},\n \"std::path::Path::strip_prefix::{{closure}}\": {},\n \"std::path::Path::to_str\": {},\n \"std::path::PathBuf::deref\": {},\n \"std::path::PathBuf::eq\": {},\n \"std::path::PathBuf::from\": {},\n \"std::path::PathBuf::push\": {},\n \"std::path::PathBuf::push::{{closure}}\": {},\n \"std::path::Prefix::clone\": {},\n \"std::path::Prefix::eq\": {},\n \"std::path::Prefix::len\": {},\n \"std::path::PrefixComponent::eq\": {},\n \"std::path::State::clone\": {},\n \"std::path::State::eq\": {},\n \"std::path::State::partial_cmp\": {},\n \"std::path::StripPrefixError::fmt\": {},\n \"std::path::has_physical_root\": {},\n \"std::path::iter_after\": {},\n \"std::personality::dwarf::DwarfReader::read\": {},\n \"std::personality::dwarf::DwarfReader::read_sleb128\": {},\n \"std::personality::dwarf::DwarfReader::read_uleb128\": {},\n \"std::personality::dwarf::eh::find_eh_action\": {},\n \"std::personality::dwarf::eh::read_encoded_pointer\": {},\n \"std::personality::dwarf::eh::round_up\": {},\n \"std::personality::gcc::find_eh_action\": {},\n \"std::personality::gcc::find_eh_action::{{closure}}\": {},\n \"std::personality::gcc::rust_eh_personality_impl\": {},\n \"std::process::abort\": {},\n \"std::rt::cleanup::{{closure}}\": {},\n \"std::rt::lang_start_internal::{{closure}}\": {},\n \"std::sync::once::Once::call_inner\": {},\n \"std::sync::once::Once::call_once::{{closure}}\": {},\n \"std::sync::once::Once::call_once_force\": {},\n \"std::sync::once::Once::call_once_force::{{closure}}\": {},\n \"std::sync::once::Once::is_completed\": {},\n \"std::sync::once::WaiterQueue::drop\": {},\n \"std::sync::once::wait\": {},\n \"std::sync::once_lock::OnceLock::get\": {},\n \"std::sync::once_lock::OnceLock::get_or_init\": {},\n \"std::sync::once_lock::OnceLock::get_or_init::{{closure}}\": {},\n \"std::sync::once_lock::OnceLock::get_or_try_init\": {},\n \"std::sync::once_lock::OnceLock::initialize\": {},\n \"std::sync::once_lock::OnceLock::initialize::{{closure}}\": {},\n \"std::sync::once_lock::OnceLock::is_initialized\": {},\n \"std::sys::common::alloc::realloc_fallback\": {},\n \"std::sys::unix::abort_internal\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::alloc\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::alloc_zeroed\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::dealloc\": {},\n \"std::sys::unix::alloc::\\u003cimpl core::alloc::global::GlobalAlloc for std::alloc::System\\u003e::realloc\": {},\n \"std::sys::unix::alloc::aligned_malloc\": {},\n \"std::sys::unix::args::imp::ARGV_INIT_ARRAY::init_wrapper\": {},\n \"std::sys::unix::cleanup\": {},\n \"std::sys::unix::cvt\": {},\n \"std::sys::unix::cvt_r\": {},\n \"std::sys::unix::decode_error_kind\": {},\n \"std::sys::unix::fd::FileDesc::write\": {},\n \"std::sys::unix::fs::File::file_attr\": {},\n \"std::sys::unix::fs::File::open\": {},\n \"std::sys::unix::fs::File::open_c\": {},\n \"std::sys::unix::fs::File::open_c::{{closure}}\": {},\n \"std::sys::unix::fs::FileType::is\": {},\n \"std::sys::unix::fs::FileType::is_dir\": {},\n \"std::sys::unix::fs::FileType::is_file\": {},\n \"std::sys::unix::fs::canonicalize\": {},\n \"std::sys::unix::fs::cstr\": {},\n \"std::sys::unix::fs::readlink\": {},\n \"std::sys::unix::fs::stat\": {},\n \"std::sys::unix::fs::try_statx\": {},\n \"std::sys::unix::fs::try_statx::statx\": {},\n \"std::sys::unix::futex::futex_wait\": {},\n \"std::sys::unix::futex::futex_wait::{{closure}}\": {},\n \"std::sys::unix::futex::futex_wake\": {},\n \"std::sys::unix::futex::futex_wake_all\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::lock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::lock_contended\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::spin\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::try_lock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::unlock\": {},\n \"std::sys::unix::locks::futex_mutex::Mutex::wake\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read_contended\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::read_unlock\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_read\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_read::{{closure}}\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::spin_until\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::wake_writer\": {},\n \"std::sys::unix::locks::futex_rwlock::RwLock::wake_writer_or_readers\": {},\n \"std::sys::unix::locks::futex_rwlock::has_reached_max_readers\": {},\n \"std::sys::unix::locks::futex_rwlock::is_read_lockable\": {},\n \"std::sys::unix::locks::futex_rwlock::is_unlocked\": {},\n \"std::sys::unix::memchr::memrchr\": {},\n \"std::sys::unix::memchr::memrchr::memrchr_specific\": {},\n \"std::sys::unix::os::current_exe\": {},\n \"std::sys::unix::os::env_read_lock\": {},\n \"std::sys::unix::os::errno\": {},\n \"std::sys::unix::os::error_string\": {},\n \"std::sys::unix::os::getcwd\": {},\n \"std::sys::unix::os::getenv\": {},\n \"std::sys::unix::os::page_size\": {},\n \"std::sys::unix::os_str::Buf::push_slice\": {},\n \"std::sys::unix::os_str::Buf::with_capacity\": {},\n \"std::sys::unix::os_str::Slice::fmt\": {},\n \"std::sys::unix::os_str::Slice::to_owned\": {},\n \"std::sys::unix::os_str::Slice::to_str\": {},\n \"std::sys::unix::path::is_sep_byte\": {},\n \"std::sys::unix::stack_overflow::imp::cleanup\": {},\n \"std::sys::unix::stack_overflow::imp::drop_handler\": {},\n \"std::sys::unix::stack_overflow::imp::signal_handler\": {},\n \"std::sys::unix::stdio::Stderr::write\": {},\n \"std::sys::unix::stdio::Stdout::write\": {},\n \"std::sys::unix::stdio::is_ebadf\": {},\n \"std::sys::unix::thread_local_dtor::register_dtor\": {},\n \"std::sys::unix::thread_local_key::create\": {},\n \"std::sys::unix::thread_local_key::destroy\": {},\n \"std::sys::unix::thread_local_key::get\": {},\n \"std::sys::unix::thread_local_key::set\": {},\n \"std::sys::unix::time::SystemTime::sub_time\": {},\n \"std::sys::unix::time::Timespec::checked_add_duration\": {},\n \"std::sys::unix::time::Timespec::partial_cmp\": {},\n \"std::sys::unix::time::Timespec::sub_timespec\": {},\n \"std::sys::unix::time::Timespec::to_timespec\": {},\n \"std::sys::unix::time::inner::\\u003cimpl std::sys::unix::time::SystemTime\\u003e::now\": {},\n \"std::sys::unix::time::inner::\\u003cimpl std::sys::unix::time::Timespec\\u003e::now\": {},\n \"std::sys_common::backtrace::_print::DisplayBacktrace::fmt\": {},\n \"std::sys_common::backtrace::_rust_begin_short_backtrace\": {},\n \"std::sys_common::backtrace::_rust_end_short_backtrace\": {},\n \"std::sys_common::backtrace::lock\": {},\n \"std::sys_common::backtrace::output_filename\": {},\n \"std::sys_common::backtrace::print\": {},\n \"std::sys_common::backtrace::print_fmt\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}\": {},\n \"std::sys_common::backtrace::print_fmt::{{closure}}::{{closure}}::{{closure}}\": {},\n \"std::sys_common::memchr::memrchr\": {},\n \"std::sys_common::mutex::MovableMutex::raw_lock\": {},\n \"std::sys_common::mutex::MovableMutex::raw_unlock\": {},\n \"std::sys_common::mutex::MovableMutex::try_lock\": {},\n \"std::sys_common::mutex::StaticMutex::lock\": {},\n \"std::sys_common::mutex::StaticMutexGuard::drop\": {},\n \"std::sys_common::remutex::ReentrantMutex::increment_lock_count\": {},\n \"std::sys_common::remutex::ReentrantMutex::lock\": {},\n \"std::sys_common::remutex::ReentrantMutex::try_lock\": {},\n \"std::sys_common::remutex::ReentrantMutexGuard::drop\": {},\n \"std::sys_common::rwlock::StaticRwLock::read\": {},\n \"std::sys_common::rwlock::StaticRwLockReadGuard::drop\": {},\n \"std::sys_common::thread_info::THREAD_INFO::_getit\": {},\n \"std::sys_common::thread_info::THREAD_INFO::_getit::destroy\": {},\n \"std::sys_common::thread_info::ThreadInfo::with\": {},\n \"std::sys_common::thread_info::ThreadInfo::with::{{closure}}\": {},\n \"std::sys_common::thread_info::ThreadInfo::with::{{closure}}::{{closure}}\": {},\n \"std::sys_common::thread_info::current_thread\": {},\n \"std::sys_common::thread_info::current_thread::{{closure}}\": {},\n \"std::sys_common::thread_info::stack_guard\": {},\n \"std::sys_common::thread_info::stack_guard::{{closure}}\": {},\n \"std::sys_common::thread_local_dtor::register_dtor_fallback\": {},\n \"std::sys_common::thread_local_dtor::register_dtor_fallback::run_dtors\": {},\n \"std::sys_common::thread_local_key::StaticKey::get\": {},\n \"std::sys_common::thread_local_key::StaticKey::key\": {},\n \"std::sys_common::thread_local_key::StaticKey::lazy_init\": {},\n \"std::sys_common::thread_local_key::StaticKey::set\": {},\n \"std::sys_common::thread_parker::futex::Parker::new\": {},\n \"std::sys_common::thread_parker::futex::Parker::park\": {},\n \"std::sys_common::thread_parker::futex::Parker::unpark\": {},\n \"std::thread::Thread::clone\": {},\n \"std::thread::Thread::cname\": {},\n \"std::thread::Thread::name\": {},\n \"std::thread::Thread::new\": {},\n \"std::thread::Thread::unpark\": {},\n \"std::thread::ThreadId::new\": {},\n \"std::thread::ThreadId::new::exhausted\": {},\n \"std::thread::current\": {},\n \"std::thread::local::AccessError::fmt\": {},\n \"std::thread::local::LocalKey::try_with\": {},\n \"std::thread::local::LocalKey::with\": {},\n \"std::thread::local::fast::Key::register_dtor\": {},\n \"std::thread::park\": {},\n \"std::time::SystemTime::duration_since\": {},\n \"std::time::SystemTime::elapsed\": {},\n \"std::time::SystemTime::now\": {},\n \"str::fmt\": {},\n \"test_rust_2::C::test_aabbee\": {},\n \"test_rust_2::main\": {},\n \"test_rust_2::other_item_123\": {},\n \"u16::div\": {},\n \"u16::forward_unchecked\": {},\n \"u16::to_u64\": {},\n \"u16::to_u8\": {},\n \"u32::add\": {},\n \"u32::checked_add\": {},\n \"u32::checked_mul\": {},\n \"u32::div\": {},\n \"u32::shl\": {},\n \"u32::to_u64\": {},\n \"u32::to_u8\": {},\n \"u64::add\": {},\n \"u64::checked_add\": {},\n \"u64::checked_mul\": {},\n \"u64::div\": {},\n \"u64::forward_unchecked\": {},\n \"u64::from_u32\": {},\n \"u64::mul\": {},\n \"u64::to_u64\": {},\n \"u64::to_u8\": {},\n \"u8::bitand\": {},\n \"u8::div\": {},\n \"u8::from_elem\": {},\n \"u8::rem\": {},\n \"u8::to_u64\": {},\n \"usize::add\": {},\n \"usize::add_assign\": {},\n \"usize::backward_unchecked\": {},\n \"usize::div\": {},\n \"usize::forward_unchecked\": {},\n \"usize::from_u64\": {},\n \"usize::from_u8\": {},\n \"usize::get\": {},\n \"usize::get_unchecked\": {},\n \"usize::get_unchecked_mut\": {},\n \"usize::index\": {},\n \"usize::index_mut\": {},\n \"usize::sub\": {},\n \"usize::sum\": {},\n \"usize::sum::{{closure}}\": {},\n \"usize::to_u8\": {}\n}\n" }, { "path": "internal/sourceanalysis/testdata/rust/rust-project/.gitignore", "content": "target/\n" }, { "path": "internal/sourceanalysis/testdata/rust/rust-project/Cargo.toml", "content": "[package]\nname = \"test-project\"\nversion = \"0.1.0\"\nedition = \"2021\"\n\n# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html\n\n[dependencies]\n# smallvec = \"=0.6.13\"\n" }, { "path": "internal/sourceanalysis/testdata/rust/rust-project/src/main.rs", "content": "fn main() {\n println!(\"Hello, world!\");\n test_func();\n}\n\nfn test_func() {\n println!(\"test func\")\n}\n" }, { "path": "internal/sourceanalysis/testmain_test.go", "content": "package sourceanalysis_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "internal/spdx/gen.go", "content": "//go:build generate\n\n//go:generate go run gen.go\n\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"go/format\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"strings\"\n)\n\ntype License struct {\n\tSPDXID string `json:\"licenseId\"`\n}\n\nfunc main() {\n\tresp, err := http.Get(\"https://raw.githubusercontent.com/spdx/license-list-data/main/json/licenses.json\")\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\tdefer resp.Body.Close()\n\n\tbody, err := ioutil.ReadAll(resp.Body)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\tvar licenseList struct {\n\t\tLicenses []License `json:\"licenses\"`\n\t}\n\terr = json.Unmarshal(body, &licenseList)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\n\toutput := \"// Code generated by gen.go. DO NOT EDIT.\\n\\n package spdx\\nvar IDs = map[string]bool{\\n\"\n\tfor _, license := range licenseList.Licenses {\n\t\toutput += fmt.Sprintf(\"%q: true,\\n\", strings.ToLower(license.SPDXID))\n\t}\n\toutput += \"}\"\n\tformatted, err := format.Source([]byte(output))\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\terr = ioutil.WriteFile(\"licenses.go\", formatted, 0644)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n}\n" }, { "path": "internal/spdx/licenses.go", "content": "// Code generated by gen.go. DO NOT EDIT.\n\npackage spdx\n\nvar IDs = map[string]bool{\n\t\"0bsd\": true,\n\t\"3d-slicer-1.0\": true,\n\t\"aal\": true,\n\t\"abstyles\": true,\n\t\"adacore-doc\": true,\n\t\"adobe-2006\": true,\n\t\"adobe-display-postscript\": true,\n\t\"adobe-glyph\": true,\n\t\"adobe-utopia\": true,\n\t\"adsl\": true,\n\t\"advanced-cryptics-dictionary\": true,\n\t\"afl-1.1\": true,\n\t\"afl-1.2\": true,\n\t\"afl-2.0\": true,\n\t\"afl-2.1\": true,\n\t\"afl-3.0\": true,\n\t\"afmparse\": true,\n\t\"agpl-1.0\": true,\n\t\"agpl-1.0-only\": true,\n\t\"agpl-1.0-or-later\": true,\n\t\"agpl-3.0\": true,\n\t\"agpl-3.0-only\": true,\n\t\"agpl-3.0-or-later\": true,\n\t\"aladdin\": true,\n\t\"alglib-documentation\": true,\n\t\"amd-newlib\": true,\n\t\"amdplpa\": true,\n\t\"aml\": true,\n\t\"aml-glslang\": true,\n\t\"ampas\": true,\n\t\"antlr-pd\": true,\n\t\"antlr-pd-fallback\": true,\n\t\"any-osi\": true,\n\t\"any-osi-perl-modules\": true,\n\t\"apache-1.0\": true,\n\t\"apache-1.1\": true,\n\t\"apache-2.0\": true,\n\t\"apafml\": true,\n\t\"apl-1.0\": true,\n\t\"app-s2p\": true,\n\t\"apsl-1.0\": true,\n\t\"apsl-1.1\": true,\n\t\"apsl-1.2\": true,\n\t\"apsl-2.0\": true,\n\t\"arphic-1999\": true,\n\t\"artistic-1.0\": true,\n\t\"artistic-1.0-cl8\": true,\n\t\"artistic-1.0-perl\": true,\n\t\"artistic-2.0\": true,\n\t\"artistic-dist\": true,\n\t\"aspell-ru\": true,\n\t\"aswf-digital-assets-1.0\": true,\n\t\"aswf-digital-assets-1.1\": true,\n\t\"baekmuk\": true,\n\t\"bahyph\": true,\n\t\"barr\": true,\n\t\"bcrypt-solar-designer\": true,\n\t\"beerware\": true,\n\t\"bitstream-charter\": true,\n\t\"bitstream-vera\": true,\n\t\"bittorrent-1.0\": true,\n\t\"bittorrent-1.1\": true,\n\t\"blessing\": true,\n\t\"blueoak-1.0.0\": true,\n\t\"boehm-gc\": true,\n\t\"boehm-gc-without-fee\": true,\n\t\"bola-1.1\": true,\n\t\"borceux\": true,\n\t\"brian-gladman-2-clause\": true,\n\t\"brian-gladman-3-clause\": true,\n\t\"bsd-1-clause\": true,\n\t\"bsd-2-clause\": true,\n\t\"bsd-2-clause-darwin\": true,\n\t\"bsd-2-clause-first-lines\": true,\n\t\"bsd-2-clause-freebsd\": true,\n\t\"bsd-2-clause-netbsd\": true,\n\t\"bsd-2-clause-patent\": true,\n\t\"bsd-2-clause-pkgconf-disclaimer\": true,\n\t\"bsd-2-clause-views\": true,\n\t\"bsd-3-clause\": true,\n\t\"bsd-3-clause-acpica\": true,\n\t\"bsd-3-clause-attribution\": true,\n\t\"bsd-3-clause-clear\": true,\n\t\"bsd-3-clause-flex\": true,\n\t\"bsd-3-clause-hp\": true,\n\t\"bsd-3-clause-lbnl\": true,\n\t\"bsd-3-clause-modification\": true,\n\t\"bsd-3-clause-no-military-license\": true,\n\t\"bsd-3-clause-no-nuclear-license\": true,\n\t\"bsd-3-clause-no-nuclear-license-2014\": true,\n\t\"bsd-3-clause-no-nuclear-warranty\": true,\n\t\"bsd-3-clause-open-mpi\": true,\n\t\"bsd-3-clause-sun\": true,\n\t\"bsd-3-clause-tso\": true,\n\t\"bsd-4-clause\": true,\n\t\"bsd-4-clause-shortened\": true,\n\t\"bsd-4-clause-uc\": true,\n\t\"bsd-4.3reno\": true,\n\t\"bsd-4.3tahoe\": true,\n\t\"bsd-advertising-acknowledgement\": true,\n\t\"bsd-attribution-hpnd-disclaimer\": true,\n\t\"bsd-inferno-nettverk\": true,\n\t\"bsd-mark-modifications\": true,\n\t\"bsd-protection\": true,\n\t\"bsd-source-beginning-file\": true,\n\t\"bsd-source-code\": true,\n\t\"bsd-systemics\": true,\n\t\"bsd-systemics-w3works\": true,\n\t\"bsl-1.0\": true,\n\t\"buddy\": true,\n\t\"busl-1.1\": true,\n\t\"bzip2-1.0.5\": true,\n\t\"bzip2-1.0.6\": true,\n\t\"c-uda-1.0\": true,\n\t\"cal-1.0\": true,\n\t\"cal-1.0-combined-work-exception\": true,\n\t\"caldera\": true,\n\t\"caldera-no-preamble\": true,\n\t\"capec-tou\": true,\n\t\"catharon\": true,\n\t\"catosl-1.1\": true,\n\t\"cc-by-1.0\": true,\n\t\"cc-by-2.0\": true,\n\t\"cc-by-2.5\": true,\n\t\"cc-by-2.5-au\": true,\n\t\"cc-by-3.0\": true,\n\t\"cc-by-3.0-at\": true,\n\t\"cc-by-3.0-au\": true,\n\t\"cc-by-3.0-de\": true,\n\t\"cc-by-3.0-igo\": true,\n\t\"cc-by-3.0-nl\": true,\n\t\"cc-by-3.0-us\": true,\n\t\"cc-by-4.0\": true,\n\t\"cc-by-nc-1.0\": true,\n\t\"cc-by-nc-2.0\": true,\n\t\"cc-by-nc-2.5\": true,\n\t\"cc-by-nc-3.0\": true,\n\t\"cc-by-nc-3.0-de\": true,\n\t\"cc-by-nc-4.0\": true,\n\t\"cc-by-nc-nd-1.0\": true,\n\t\"cc-by-nc-nd-2.0\": true,\n\t\"cc-by-nc-nd-2.5\": true,\n\t\"cc-by-nc-nd-3.0\": true,\n\t\"cc-by-nc-nd-3.0-de\": true,\n\t\"cc-by-nc-nd-3.0-igo\": true,\n\t\"cc-by-nc-nd-4.0\": true,\n\t\"cc-by-nc-sa-1.0\": true,\n\t\"cc-by-nc-sa-2.0\": true,\n\t\"cc-by-nc-sa-2.0-de\": true,\n\t\"cc-by-nc-sa-2.0-fr\": true,\n\t\"cc-by-nc-sa-2.0-uk\": true,\n\t\"cc-by-nc-sa-2.5\": true,\n\t\"cc-by-nc-sa-3.0\": true,\n\t\"cc-by-nc-sa-3.0-de\": true,\n\t\"cc-by-nc-sa-3.0-igo\": true,\n\t\"cc-by-nc-sa-4.0\": true,\n\t\"cc-by-nd-1.0\": true,\n\t\"cc-by-nd-2.0\": true,\n\t\"cc-by-nd-2.5\": true,\n\t\"cc-by-nd-3.0\": true,\n\t\"cc-by-nd-3.0-de\": true,\n\t\"cc-by-nd-4.0\": true,\n\t\"cc-by-sa-1.0\": true,\n\t\"cc-by-sa-2.0\": true,\n\t\"cc-by-sa-2.0-uk\": true,\n\t\"cc-by-sa-2.1-jp\": true,\n\t\"cc-by-sa-2.5\": true,\n\t\"cc-by-sa-3.0\": true,\n\t\"cc-by-sa-3.0-at\": true,\n\t\"cc-by-sa-3.0-de\": true,\n\t\"cc-by-sa-3.0-igo\": true,\n\t\"cc-by-sa-4.0\": true,\n\t\"cc-pddc\": true,\n\t\"cc-pdm-1.0\": true,\n\t\"cc-sa-1.0\": true,\n\t\"cc0-1.0\": true,\n\t\"cddl-1.0\": true,\n\t\"cddl-1.1\": true,\n\t\"cdl-1.0\": true,\n\t\"cdla-permissive-1.0\": true,\n\t\"cdla-permissive-2.0\": true,\n\t\"cdla-sharing-1.0\": true,\n\t\"cecill-1.0\": true,\n\t\"cecill-1.1\": true,\n\t\"cecill-2.0\": true,\n\t\"cecill-2.1\": true,\n\t\"cecill-b\": true,\n\t\"cecill-c\": true,\n\t\"cern-ohl-1.1\": true,\n\t\"cern-ohl-1.2\": true,\n\t\"cern-ohl-p-2.0\": true,\n\t\"cern-ohl-s-2.0\": true,\n\t\"cern-ohl-w-2.0\": true,\n\t\"cfitsio\": true,\n\t\"check-cvs\": true,\n\t\"checkmk\": true,\n\t\"clartistic\": true,\n\t\"clips\": true,\n\t\"cmu-mach\": true,\n\t\"cmu-mach-nodoc\": true,\n\t\"cnri-jython\": true,\n\t\"cnri-python\": true,\n\t\"cnri-python-gpl-compatible\": true,\n\t\"coil-1.0\": true,\n\t\"community-spec-1.0\": true,\n\t\"condor-1.1\": true,\n\t\"copyleft-next-0.3.0\": true,\n\t\"copyleft-next-0.3.1\": true,\n\t\"cornell-lossless-jpeg\": true,\n\t\"cpal-1.0\": true,\n\t\"cpl-1.0\": true,\n\t\"cpol-1.02\": true,\n\t\"cronyx\": true,\n\t\"crossword\": true,\n\t\"cryptoswift\": true,\n\t\"crystalstacker\": true,\n\t\"cua-opl-1.0\": true,\n\t\"cube\": true,\n\t\"curl\": true,\n\t\"cve-tou\": true,\n\t\"d-fsl-1.0\": true,\n\t\"dec-3-clause\": true,\n\t\"diffmark\": true,\n\t\"dl-de-by-2.0\": true,\n\t\"dl-de-zero-2.0\": true,\n\t\"doc\": true,\n\t\"docbook-dtd\": true,\n\t\"docbook-schema\": true,\n\t\"docbook-stylesheet\": true,\n\t\"docbook-xml\": true,\n\t\"dotseqn\": true,\n\t\"drl-1.0\": true,\n\t\"drl-1.1\": true,\n\t\"dsdp\": true,\n\t\"dtoa\": true,\n\t\"dvipdfm\": true,\n\t\"ecl-1.0\": true,\n\t\"ecl-2.0\": true,\n\t\"ecos-2.0\": true,\n\t\"efl-1.0\": true,\n\t\"efl-2.0\": true,\n\t\"egenix\": true,\n\t\"elastic-2.0\": true,\n\t\"entessa\": true,\n\t\"epics\": true,\n\t\"epl-1.0\": true,\n\t\"epl-2.0\": true,\n\t\"erlpl-1.1\": true,\n\t\"esa-pl-permissive-2.4\": true,\n\t\"esa-pl-strong-copyleft-2.4\": true,\n\t\"esa-pl-weak-copyleft-2.4\": true,\n\t\"etalab-2.0\": true,\n\t\"eudatagrid\": true,\n\t\"eupl-1.0\": true,\n\t\"eupl-1.1\": true,\n\t\"eupl-1.2\": true,\n\t\"eurosym\": true,\n\t\"fair\": true,\n\t\"fbm\": true,\n\t\"fdk-aac\": true,\n\t\"ferguson-twofish\": true,\n\t\"frameworx-1.0\": true,\n\t\"freebsd-doc\": true,\n\t\"freeimage\": true,\n\t\"fsfap\": true,\n\t\"fsfap-no-warranty-disclaimer\": true,\n\t\"fsful\": true,\n\t\"fsfullr\": true,\n\t\"fsfullrsd\": true,\n\t\"fsfullrwd\": true,\n\t\"fsl-1.1-alv2\": true,\n\t\"fsl-1.1-mit\": true,\n\t\"ftl\": true,\n\t\"furuseth\": true,\n\t\"fwlw\": true,\n\t\"game-programming-gems\": true,\n\t\"gcr-docs\": true,\n\t\"gd\": true,\n\t\"generic-xts\": true,\n\t\"gfdl-1.1\": true,\n\t\"gfdl-1.1-invariants-only\": true,\n\t\"gfdl-1.1-invariants-or-later\": true,\n\t\"gfdl-1.1-no-invariants-only\": true,\n\t\"gfdl-1.1-no-invariants-or-later\": true,\n\t\"gfdl-1.1-only\": true,\n\t\"gfdl-1.1-or-later\": true,\n\t\"gfdl-1.2\": true,\n\t\"gfdl-1.2-invariants-only\": true,\n\t\"gfdl-1.2-invariants-or-later\": true,\n\t\"gfdl-1.2-no-invariants-only\": true,\n\t\"gfdl-1.2-no-invariants-or-later\": true,\n\t\"gfdl-1.2-only\": true,\n\t\"gfdl-1.2-or-later\": true,\n\t\"gfdl-1.3\": true,\n\t\"gfdl-1.3-invariants-only\": true,\n\t\"gfdl-1.3-invariants-or-later\": true,\n\t\"gfdl-1.3-no-invariants-only\": true,\n\t\"gfdl-1.3-no-invariants-or-later\": true,\n\t\"gfdl-1.3-only\": true,\n\t\"gfdl-1.3-or-later\": true,\n\t\"giftware\": true,\n\t\"gl2ps\": true,\n\t\"glide\": true,\n\t\"glulxe\": true,\n\t\"glwtpl\": true,\n\t\"gnuplot\": true,\n\t\"gpl-1.0\": true,\n\t\"gpl-1.0+\": true,\n\t\"gpl-1.0-only\": true,\n\t\"gpl-1.0-or-later\": true,\n\t\"gpl-2.0\": true,\n\t\"gpl-2.0+\": true,\n\t\"gpl-2.0-only\": true,\n\t\"gpl-2.0-or-later\": true,\n\t\"gpl-2.0-with-autoconf-exception\": true,\n\t\"gpl-2.0-with-bison-exception\": true,\n\t\"gpl-2.0-with-classpath-exception\": true,\n\t\"gpl-2.0-with-font-exception\": true,\n\t\"gpl-2.0-with-gcc-exception\": true,\n\t\"gpl-3.0\": true,\n\t\"gpl-3.0+\": true,\n\t\"gpl-3.0-only\": true,\n\t\"gpl-3.0-or-later\": true,\n\t\"gpl-3.0-with-autoconf-exception\": true,\n\t\"gpl-3.0-with-gcc-exception\": true,\n\t\"graphics-gems\": true,\n\t\"gsoap-1.3b\": true,\n\t\"gtkbook\": true,\n\t\"gutmann\": true,\n\t\"haskellreport\": true,\n\t\"hdf5\": true,\n\t\"hdparm\": true,\n\t\"hidapi\": true,\n\t\"hippocratic-2.1\": true,\n\t\"hp-1986\": true,\n\t\"hp-1989\": true,\n\t\"hpnd\": true,\n\t\"hpnd-dec\": true,\n\t\"hpnd-doc\": true,\n\t\"hpnd-doc-sell\": true,\n\t\"hpnd-export-us\": true,\n\t\"hpnd-export-us-acknowledgement\": true,\n\t\"hpnd-export-us-modify\": true,\n\t\"hpnd-export2-us\": true,\n\t\"hpnd-fenneberg-livingston\": true,\n\t\"hpnd-inria-imag\": true,\n\t\"hpnd-intel\": true,\n\t\"hpnd-kevlin-henney\": true,\n\t\"hpnd-markus-kuhn\": true,\n\t\"hpnd-merchantability-variant\": true,\n\t\"hpnd-mit-disclaimer\": true,\n\t\"hpnd-netrek\": true,\n\t\"hpnd-pbmplus\": true,\n\t\"hpnd-sell-mit-disclaimer-xserver\": true,\n\t\"hpnd-sell-regexpr\": true,\n\t\"hpnd-sell-variant\": true,\n\t\"hpnd-sell-variant-critical-systems\": true,\n\t\"hpnd-sell-variant-mit-disclaimer\": true,\n\t\"hpnd-sell-variant-mit-disclaimer-rev\": true,\n\t\"hpnd-smc\": true,\n\t\"hpnd-uc\": true,\n\t\"hpnd-uc-export-us\": true,\n\t\"htmltidy\": true,\n\t\"hyphen-bulgarian\": true,\n\t\"ibm-pibs\": true,\n\t\"icu\": true,\n\t\"iec-code-components-eula\": true,\n\t\"ijg\": true,\n\t\"ijg-short\": true,\n\t\"imagemagick\": true,\n\t\"imatix\": true,\n\t\"imlib2\": true,\n\t\"info-zip\": true,\n\t\"inner-net-2.0\": true,\n\t\"innosetup\": true,\n\t\"intel\": true,\n\t\"intel-acpi\": true,\n\t\"interbase-1.0\": true,\n\t\"ipa\": true,\n\t\"ipl-1.0\": true,\n\t\"isc\": true,\n\t\"isc-veillard\": true,\n\t\"iso-permission\": true,\n\t\"jam\": true,\n\t\"jasper-2.0\": true,\n\t\"jove\": true,\n\t\"jpl-image\": true,\n\t\"jpnic\": true,\n\t\"json\": true,\n\t\"kastrup\": true,\n\t\"kazlib\": true,\n\t\"knuth-ctan\": true,\n\t\"lal-1.2\": true,\n\t\"lal-1.3\": true,\n\t\"latex2e\": true,\n\t\"latex2e-translated-notice\": true,\n\t\"leptonica\": true,\n\t\"lgpl-2.0\": true,\n\t\"lgpl-2.0+\": true,\n\t\"lgpl-2.0-only\": true,\n\t\"lgpl-2.0-or-later\": true,\n\t\"lgpl-2.1\": true,\n\t\"lgpl-2.1+\": true,\n\t\"lgpl-2.1-only\": true,\n\t\"lgpl-2.1-or-later\": true,\n\t\"lgpl-3.0\": true,\n\t\"lgpl-3.0+\": true,\n\t\"lgpl-3.0-only\": true,\n\t\"lgpl-3.0-or-later\": true,\n\t\"lgpllr\": true,\n\t\"libpng\": true,\n\t\"libpng-1.6.35\": true,\n\t\"libpng-2.0\": true,\n\t\"libselinux-1.0\": true,\n\t\"libtiff\": true,\n\t\"libutil-david-nugent\": true,\n\t\"liliq-p-1.1\": true,\n\t\"liliq-r-1.1\": true,\n\t\"liliq-rplus-1.1\": true,\n\t\"linux-man-pages-1-para\": true,\n\t\"linux-man-pages-copyleft\": true,\n\t\"linux-man-pages-copyleft-2-para\": true,\n\t\"linux-man-pages-copyleft-var\": true,\n\t\"linux-openib\": true,\n\t\"loop\": true,\n\t\"lpd-document\": true,\n\t\"lpl-1.0\": true,\n\t\"lpl-1.02\": true,\n\t\"lppl-1.0\": true,\n\t\"lppl-1.1\": true,\n\t\"lppl-1.2\": true,\n\t\"lppl-1.3a\": true,\n\t\"lppl-1.3c\": true,\n\t\"lsof\": true,\n\t\"lucida-bitmap-fonts\": true,\n\t\"lzma-sdk-9.11-to-9.20\": true,\n\t\"lzma-sdk-9.22\": true,\n\t\"mackerras-3-clause\": true,\n\t\"mackerras-3-clause-acknowledgment\": true,\n\t\"magaz\": true,\n\t\"mailprio\": true,\n\t\"makeindex\": true,\n\t\"man2html\": true,\n\t\"martin-birgmeier\": true,\n\t\"mcphee-slideshow\": true,\n\t\"metamail\": true,\n\t\"minpack\": true,\n\t\"mips\": true,\n\t\"miros\": true,\n\t\"mit\": true,\n\t\"mit-0\": true,\n\t\"mit-advertising\": true,\n\t\"mit-click\": true,\n\t\"mit-cmu\": true,\n\t\"mit-enna\": true,\n\t\"mit-feh\": true,\n\t\"mit-festival\": true,\n\t\"mit-khronos-old\": true,\n\t\"mit-modern-variant\": true,\n\t\"mit-open-group\": true,\n\t\"mit-stk\": true,\n\t\"mit-testregex\": true,\n\t\"mit-wu\": true,\n\t\"mitnfa\": true,\n\t\"mmixware\": true,\n\t\"mmpl-1.0.1\": true,\n\t\"motosoto\": true,\n\t\"mpeg-ssg\": true,\n\t\"mpi-permissive\": true,\n\t\"mpich2\": true,\n\t\"mpl-1.0\": true,\n\t\"mpl-1.1\": true,\n\t\"mpl-2.0\": true,\n\t\"mpl-2.0-no-copyleft-exception\": true,\n\t\"mplus\": true,\n\t\"ms-lpl\": true,\n\t\"ms-pl\": true,\n\t\"ms-rl\": true,\n\t\"mtll\": true,\n\t\"mulanpsl-1.0\": true,\n\t\"mulanpsl-2.0\": true,\n\t\"multics\": true,\n\t\"mup\": true,\n\t\"naist-2003\": true,\n\t\"nasa-1.3\": true,\n\t\"naumen\": true,\n\t\"nbpl-1.0\": true,\n\t\"ncbi-pd\": true,\n\t\"ncgl-uk-2.0\": true,\n\t\"ncl\": true,\n\t\"ncsa\": true,\n\t\"net-snmp\": true,\n\t\"netcdf\": true,\n\t\"newsletr\": true,\n\t\"ngpl\": true,\n\t\"ngrep\": true,\n\t\"nicta-1.0\": true,\n\t\"nist-pd\": true,\n\t\"nist-pd-fallback\": true,\n\t\"nist-pd-tnt\": true,\n\t\"nist-software\": true,\n\t\"nlod-1.0\": true,\n\t\"nlod-2.0\": true,\n\t\"nlpl\": true,\n\t\"nokia\": true,\n\t\"nosl\": true,\n\t\"noweb\": true,\n\t\"npl-1.0\": true,\n\t\"npl-1.1\": true,\n\t\"nposl-3.0\": true,\n\t\"nrl\": true,\n\t\"ntia-pd\": true,\n\t\"ntp\": true,\n\t\"ntp-0\": true,\n\t\"nunit\": true,\n\t\"o-uda-1.0\": true,\n\t\"oar\": true,\n\t\"occt-pl\": true,\n\t\"oclc-2.0\": true,\n\t\"odbl-1.0\": true,\n\t\"odc-by-1.0\": true,\n\t\"offis\": true,\n\t\"ofl-1.0\": true,\n\t\"ofl-1.0-no-rfn\": true,\n\t\"ofl-1.0-rfn\": true,\n\t\"ofl-1.1\": true,\n\t\"ofl-1.1-no-rfn\": true,\n\t\"ofl-1.1-rfn\": true,\n\t\"ogc-1.0\": true,\n\t\"ogdl-taiwan-1.0\": true,\n\t\"ogl-canada-2.0\": true,\n\t\"ogl-uk-1.0\": true,\n\t\"ogl-uk-2.0\": true,\n\t\"ogl-uk-3.0\": true,\n\t\"ogtsl\": true,\n\t\"oldap-1.1\": true,\n\t\"oldap-1.2\": true,\n\t\"oldap-1.3\": true,\n\t\"oldap-1.4\": true,\n\t\"oldap-2.0\": true,\n\t\"oldap-2.0.1\": true,\n\t\"oldap-2.1\": true,\n\t\"oldap-2.2\": true,\n\t\"oldap-2.2.1\": true,\n\t\"oldap-2.2.2\": true,\n\t\"oldap-2.3\": true,\n\t\"oldap-2.4\": true,\n\t\"oldap-2.5\": true,\n\t\"oldap-2.6\": true,\n\t\"oldap-2.7\": true,\n\t\"oldap-2.8\": true,\n\t\"olfl-1.3\": true,\n\t\"oml\": true,\n\t\"openmdw-1.0\": true,\n\t\"openpbs-2.3\": true,\n\t\"openssl\": true,\n\t\"openssl-standalone\": true,\n\t\"openvision\": true,\n\t\"opl-1.0\": true,\n\t\"opl-uk-3.0\": true,\n\t\"opubl-1.0\": true,\n\t\"osc-1.0\": true,\n\t\"oset-pl-2.1\": true,\n\t\"osl-1.0\": true,\n\t\"osl-1.1\": true,\n\t\"osl-2.0\": true,\n\t\"osl-2.1\": true,\n\t\"osl-3.0\": true,\n\t\"ossp\": true,\n\t\"padl\": true,\n\t\"paratype-free-font-1.3\": true,\n\t\"parity-6.0.0\": true,\n\t\"parity-7.0.0\": true,\n\t\"pddl-1.0\": true,\n\t\"php-3.0\": true,\n\t\"php-3.01\": true,\n\t\"pixar\": true,\n\t\"pkgconf\": true,\n\t\"plexus\": true,\n\t\"pnmstitch\": true,\n\t\"polyform-noncommercial-1.0.0\": true,\n\t\"polyform-small-business-1.0.0\": true,\n\t\"postgresql\": true,\n\t\"ppl\": true,\n\t\"psf-2.0\": true,\n\t\"psfrag\": true,\n\t\"psutils\": true,\n\t\"python-2.0\": true,\n\t\"python-2.0.1\": true,\n\t\"python-ldap\": true,\n\t\"qhull\": true,\n\t\"qpl-1.0\": true,\n\t\"qpl-1.0-inria-2004\": true,\n\t\"radvd\": true,\n\t\"rdisc\": true,\n\t\"rhecos-1.1\": true,\n\t\"rpl-1.1\": true,\n\t\"rpl-1.5\": true,\n\t\"rpsl-1.0\": true,\n\t\"rsa-md\": true,\n\t\"rscpl\": true,\n\t\"ruby\": true,\n\t\"ruby-pty\": true,\n\t\"sax-pd\": true,\n\t\"sax-pd-2.0\": true,\n\t\"saxpath\": true,\n\t\"scea\": true,\n\t\"schemereport\": true,\n\t\"sendmail\": true,\n\t\"sendmail-8.23\": true,\n\t\"sendmail-open-source-1.1\": true,\n\t\"sgi-b-1.0\": true,\n\t\"sgi-b-1.1\": true,\n\t\"sgi-b-2.0\": true,\n\t\"sgi-opengl\": true,\n\t\"sgmlug-pm\": true,\n\t\"sgp4\": true,\n\t\"shl-0.5\": true,\n\t\"shl-0.51\": true,\n\t\"simpl-2.0\": true,\n\t\"sissl\": true,\n\t\"sissl-1.2\": true,\n\t\"sl\": true,\n\t\"sleepycat\": true,\n\t\"smail-gpl\": true,\n\t\"smlnj\": true,\n\t\"smppl\": true,\n\t\"snia\": true,\n\t\"snprintf\": true,\n\t\"sofa\": true,\n\t\"softsurfer\": true,\n\t\"soundex\": true,\n\t\"spencer-86\": true,\n\t\"spencer-94\": true,\n\t\"spencer-99\": true,\n\t\"spl-1.0\": true,\n\t\"ssh-keyscan\": true,\n\t\"ssh-openssh\": true,\n\t\"ssh-short\": true,\n\t\"ssleay-standalone\": true,\n\t\"sspl-1.0\": true,\n\t\"standardml-nj\": true,\n\t\"sugarcrm-1.1.3\": true,\n\t\"sul-1.0\": true,\n\t\"sun-ppp\": true,\n\t\"sun-ppp-2000\": true,\n\t\"sunpro\": true,\n\t\"swl\": true,\n\t\"swrule\": true,\n\t\"symlinks\": true,\n\t\"tapr-ohl-1.0\": true,\n\t\"tcl\": true,\n\t\"tcp-wrappers\": true,\n\t\"tekhvc\": true,\n\t\"termreadkey\": true,\n\t\"tgppl-1.0\": true,\n\t\"thirdeye\": true,\n\t\"threeparttable\": true,\n\t\"tmate\": true,\n\t\"torque-1.1\": true,\n\t\"tosl\": true,\n\t\"tpdl\": true,\n\t\"tpl-1.0\": true,\n\t\"trustedqsl\": true,\n\t\"ttwl\": true,\n\t\"ttyp0\": true,\n\t\"tu-berlin-1.0\": true,\n\t\"tu-berlin-2.0\": true,\n\t\"ubuntu-font-1.0\": true,\n\t\"ucar\": true,\n\t\"ucl-1.0\": true,\n\t\"ulem\": true,\n\t\"umich-merit\": true,\n\t\"unicode-3.0\": true,\n\t\"unicode-dfs-2015\": true,\n\t\"unicode-dfs-2016\": true,\n\t\"unicode-tou\": true,\n\t\"unixcrypt\": true,\n\t\"unlicense\": true,\n\t\"unlicense-libtelnet\": true,\n\t\"unlicense-libwhirlpool\": true,\n\t\"unrar\": true,\n\t\"upl-1.0\": true,\n\t\"urt-rle\": true,\n\t\"vim\": true,\n\t\"vixie-cron\": true,\n\t\"vostrom\": true,\n\t\"vsl-1.0\": true,\n\t\"w3c\": true,\n\t\"w3c-19980720\": true,\n\t\"w3c-20150513\": true,\n\t\"w3m\": true,\n\t\"watcom-1.0\": true,\n\t\"widget-workshop\": true,\n\t\"wordnet\": true,\n\t\"wsuipa\": true,\n\t\"wtfnmfpl\": true,\n\t\"wtfpl\": true,\n\t\"wwl\": true,\n\t\"wxwindows\": true,\n\t\"x11\": true,\n\t\"x11-distribute-modifications-variant\": true,\n\t\"x11-no-permit-persons\": true,\n\t\"x11-swapped\": true,\n\t\"xdebug-1.03\": true,\n\t\"xerox\": true,\n\t\"xfig\": true,\n\t\"xfree86-1.1\": true,\n\t\"xinetd\": true,\n\t\"xkeyboard-config-zinoviev\": true,\n\t\"xlock\": true,\n\t\"xnet\": true,\n\t\"xpp\": true,\n\t\"xskat\": true,\n\t\"xzoom\": true,\n\t\"ypl-1.0\": true,\n\t\"ypl-1.1\": true,\n\t\"zed\": true,\n\t\"zeeff\": true,\n\t\"zend-2.0\": true,\n\t\"zimbra-1.3\": true,\n\t\"zimbra-1.4\": true,\n\t\"zlib\": true,\n\t\"zlib-acknowledgement\": true,\n\t\"zpl-1.1\": true,\n\t\"zpl-2.0\": true,\n\t\"zpl-2.1\": true,\n}\n" }, { "path": "internal/spdx/satisfies.go", "content": "// Package spdx provides functionality for parsing and evaluating SPDX license expressions.\npackage spdx\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\ntype node interface {\n\t// satisfiedBy checks if the given licenses satisfy the license expression represented by this node\n\tsatisfiedBy(licenses []string) bool\n}\n\n// nodeBranch represents a node in the tree that has two children, which should be\n// evaluated with the operator to determine if the license expression is satisfied\ntype nodeBranch struct {\n\tleft node\n\toperator string\n\tright node\n}\n\nfunc (n nodeBranch) satisfiedBy(licenses []string) bool {\n\tswitch n.operator {\n\tcase \"AND\":\n\t\treturn n.left.satisfiedBy(licenses) && n.right.satisfiedBy(licenses)\n\tcase \"OR\":\n\t\treturn n.left.satisfiedBy(licenses) || n.right.satisfiedBy(licenses)\n\t}\n\n\treturn false\n}\n\nvar _ node = nodeBranch{}\n\n// nodeLeaf represents a leaf node in the tree, which holds a single license id\ntype nodeLeaf struct {\n\tvalue string\n}\n\nfunc (n nodeLeaf) satisfiedBy(licenses []string) bool {\n\tv := strings.ToLower(n.value)\n\n\tfor _, l := range licenses {\n\t\tif v == strings.ToLower(l) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nvar _ node = nodeLeaf{}\n\ntype tokens struct {\n\ttokens []string\n}\n\n// peek returns the next token in the list of tokens, or otherwise an empty string\nfunc (ts *tokens) peek() string {\n\tif len(ts.tokens) == 0 {\n\t\treturn \"\"\n\t}\n\n\treturn ts.tokens[0]\n}\n\n// next returns the next token in the list of tokens, removing it from the list in the process\nfunc (ts *tokens) next() string {\n\ttoken := ts.tokens[0]\n\tts.tokens = ts.tokens[1:]\n\n\treturn token\n}\n\n// allowed represents the tokens that are allowed to come after a particular token\nvar allowed = map[string][]string{\n\t\"WITH\": {\"EXP\"},\n\t\"AND\": {\"EXP\", \"(\"},\n\t\"OR\": {\"EXP\", \"(\"},\n\t\"(\": {\"EXP\", \"(\"},\n\t\")\": {\")\", \"AND\", \"OR\", \"END\"},\n\t\"EXP\": {\"WITH\", \"AND\", \"OR\", \")\", \"END\"},\n\t\"END\": {},\n}\n\n// nextAndIsNextNextValid returns both the next token, and checks if the token after that one is valid\nfunc (ts *tokens) nextAndIsNextNextValid() (string, error) {\n\tnext := ts.next()\n\n\treturn next, ts.isNextValid(next)\n}\n\n// isNextValid checks if the next token is valid to come after the given the current token\nfunc (ts *tokens) isNextValid(cur string) error {\n\tallowedNext := allowed[cur]\n\n\t// license expressions are implied as being not one of the other tokens\n\tif allowedNext == nil {\n\t\tcur = \"EXP\"\n\t\tallowedNext = allowed[cur]\n\t}\n\n\tnext := \"END\"\n\n\tif len(ts.tokens) > 0 {\n\t\tnext = ts.peek()\n\t}\n\n\t// license expressions are implied as being not one of the other tokens\n\tif _, ok := allowed[next]; !ok {\n\t\tnext = \"EXP\"\n\t}\n\n\tif slices.Contains(allowedNext, next) {\n\t\treturn nil\n\t}\n\n\treturn fmt.Errorf(\"unexpected %s after %s\", next, cur)\n}\n\n// tokenise breaks down the given spdx license expression into tokens\nfunc tokenise(license models.License) tokens {\n\tvar ts tokens\n\tcurrent := \"\"\n\n\tfor _, c := range string(license) {\n\t\tswitch c {\n\t\tcase '(', ')', ' ':\n\t\t\t// check if we've been accumulating a token, before processing the current character\n\t\t\tif current != \"\" {\n\t\t\t\tts.tokens = append(ts.tokens, current)\n\t\t\t}\n\t\t\tcurrent = \"\"\n\n\t\t\t// spaces are only used to separate tokens, but are not tokens themselves\n\t\t\tif c != ' ' {\n\t\t\t\tts.tokens = append(ts.tokens, string(c))\n\t\t\t}\n\t\tdefault:\n\t\t\tcurrent += string(c)\n\t\t}\n\t}\n\n\t// before returning, make sure we add the last token we were accumulating\n\tif current != \"\" {\n\t\tts.tokens = append(ts.tokens, current)\n\t}\n\n\treturn ts\n}\n\n// parse constructs an ast tree from the given tokens\nfunc parse(tokens *tokens) (node, error) {\n\treturn parseOr(tokens)\n}\n\nfunc parseOr(tokens *tokens) (node, error) {\n\tleft, err := parseAnd(tokens)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor tokens.peek() == \"OR\" {\n\t\toperator, err := tokens.nextAndIsNextNextValid()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tright, err := parseAnd(tokens)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tleft = nodeBranch{\n\t\t\tleft: left,\n\t\t\toperator: operator,\n\t\t\tright: right,\n\t\t}\n\t}\n\n\treturn left, nil\n}\n\nfunc parseAnd(tokens *tokens) (node, error) {\n\tleft, err := parseExpression(tokens)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tfor tokens.peek() == \"AND\" {\n\t\toperator, err := tokens.nextAndIsNextNextValid()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tright, err := parseExpression(tokens)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tleft = nodeBranch{\n\t\t\tleft: left,\n\t\t\toperator: operator,\n\t\t\tright: right,\n\t\t}\n\t}\n\n\treturn left, nil\n}\n\nfunc parseExpression(tokens *tokens) (node, error) {\n\tnext, err := tokens.nextAndIsNextNextValid()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tif next == \"(\" {\n\t\texpr, err := parseOr(tokens)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tif tokens.peek() != \")\" {\n\t\t\treturn nil, errors.New(\"missing closing bracket\")\n\t\t}\n\n\t\t_, err = tokens.nextAndIsNextNextValid()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\treturn expr, nil\n\t}\n\n\t// currently WITH expressions are just treated as part of the license\n\tif tokens.peek() == \"WITH\" {\n\t\tnex2, err := tokens.nextAndIsNextNextValid()\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tnext += \" \" + nex2 + \" \" + tokens.next()\n\t}\n\n\treturn nodeLeaf{value: next}, nil\n}\n\n// Satisfies checks if the given license expression is satisfied by the allowed licenses\nfunc Satisfies(license models.License, allowlist []string) (bool, error) {\n\ttokens := tokenise(license)\n\tnod, err := parse(&tokens)\n\n\tif err != nil {\n\t\treturn false, err\n\t}\n\n\treturn nod.satisfiedBy(allowlist), nil\n}\n" }, { "path": "internal/spdx/satisfies_test.go", "content": "package spdx_test\n\nimport (\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/spdx\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc namer(t *testing.T, license models.License, licenses []string, expected bool) string {\n\tt.Helper()\n\n\tname := string(license) + \" is\"\n\n\tif !expected {\n\t\tname += \" not\"\n\t}\n\n\treturn name + \" satisfied by \" + strings.Join(licenses, \", \")\n}\n\nfunc TestSatisfies(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tlicense models.License\n\t\tpass [][]string\n\t\tfail [][]string\n\t}{\n\t\t// simple\n\t\t{\n\t\t\tlicense: \"MIT\",\n\t\t\tpass: [][]string{{\"MIT\"}, {\"MIT\", \"Apache-2.0\"}},\n\t\t\tfail: [][]string{{\"Apache-2.0\"}},\n\t\t},\n\t\t{\n\t\t\tlicense: \"Apache-2.0\",\n\t\t\tpass: [][]string{{\"Apache-2.0\"}, {\"MIT\", \"Apache-2.0\"}},\n\t\t\tfail: [][]string{{\"MIT\"}},\n\t\t},\n\t\t// WITH expressions (ignored)\n\t\t{\n\t\t\tlicense: \"GPL-2.0-or-later WITH Bison-exception-2.2\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"GPL-2.0-or-later WITH Bison-exception-2.2\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Bison-exception-2.2\"},\n\t\t\t\t{\"GPL-2.0-or-later\"},\n\t\t\t\t{\"GPL-2.0-or-later\", \"Bison-exception-2.2\"},\n\t\t\t\t{\"GPL-1.0\"},\n\t\t\t},\n\t\t},\n\t\t// OR expressions\n\t\t{\n\t\t\tlicense: \"MIT OR Apache-2.0\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"Apache-2.0\", \"MIT\"},\n\t\t\t\t{\"Apache-1.0\", \"MIT\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-1.0\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"LGPL-2.1-only OR MIT OR BSD-3-Clause\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"LGPL-2.1-only\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"Apache-2.0\", \"MIT\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"MIT\", \"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t},\n\t\t},\n\t\t// AND expressions\n\t\t{\n\t\t\tlicense: \"MIT AND Apache-2.0\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"Apache-2.0\", \"MIT\"},\n\t\t\t\t{\"Apache-2.0\", \"Apache-1.0\", \"MIT\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"Apache-1.0\"},\n\t\t\t\t{\"Apache-1.0\", \"MIT\"},\n\t\t\t},\n\t\t},\n\t\t// AND & OR expressions\n\t\t{\n\t\t\tlicense: \"LGPL-2.1-only OR BSD-3-Clause AND MIT\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"LGPL-2.1-only\"},\n\t\t\t\t{\"BSD-3-Clause\", \"MIT\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"BSD-3-Clause\", \"MIT\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"MIT\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"MIT AND LGPL-2.1-only OR BSD-3-Clause\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"BSD-3-Clause\", \"MIT\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"BSD-3-Clause\", \"MIT\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-only\", \"MIT\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-only\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"LGPL-2.1-only\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"A OR B AND C OR D\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"A\"},\n\t\t\t\t{\"B\", \"C\"},\n\t\t\t\t{\"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\"},\n\t\t\t\t{\"B\", \"C\", \"D\"},\n\t\t\t\t{\"A\", \"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"B\"},\n\t\t\t\t{\"C\"},\n\t\t\t\t{\"E\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"MIT AND LGPL-2.1-or-later OR BSD-3-Clause\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\"},\n\t\t\t\t{\"MIT\", \"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"LGPL-2.1-or-later\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"BSD-3-Clause OR MIT AND LGPL-2.1-or-later\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\"},\n\t\t\t\t{\"MIT\", \"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"LGPL-2.1-or-later\"},\n\t\t\t},\n\t\t},\n\t\t// parentheses\n\t\t{\n\t\t\tlicense: \"MIT AND (LGPL-2.1-or-later OR BSD-3-Clause)\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\"},\n\t\t\t\t{\"MIT\", \"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"LGPL-2.1-or-later\"},\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"(BSD-3-Clause OR LGPL-2.1-or-later) AND MIT\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\"},\n\t\t\t\t{\"MIT\", \"BSD-3-Clause\"},\n\t\t\t\t{\"MIT\", \"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"Apache-2.0\"},\n\t\t\t\t{\"MIT\"},\n\t\t\t\t{\"LGPL-2.1-or-later\"},\n\t\t\t\t{\"BSD-3-Clause\"},\n\t\t\t\t{\"LGPL-2.1-or-later\", \"BSD-3-Clause\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"(A OR B) AND (C OR D)\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"A\", \"C\"},\n\t\t\t\t{\"A\", \"D\"},\n\t\t\t\t{\"B\", \"C\"},\n\t\t\t\t{\"B\", \"D\"},\n\t\t\t\t{\"A\", \"C\", \"D\"},\n\t\t\t\t{\"B\", \"C\", \"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\"},\n\t\t\t\t{\"A\", \"B\", \"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"A\"},\n\t\t\t\t{\"B\"},\n\t\t\t\t{\"C\"},\n\t\t\t\t{\"D\"},\n\t\t\t\t{\"A\", \"B\"},\n\t\t\t\t{\"C\", \"D\"},\n\t\t\t\t{\"E\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"A AND (B OR C AND D)\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"A\", \"B\"},\n\t\t\t\t{\"A\", \"C\", \"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"A\"},\n\t\t\t\t{\"B\"},\n\t\t\t\t{\"C\"},\n\t\t\t\t{\"D\"},\n\t\t\t\t{\"A\", \"C\"},\n\t\t\t\t{\"A\", \"D\"},\n\t\t\t\t{\"C\", \"D\"},\n\t\t\t\t{\"B\", \"C\", \"D\"},\n\t\t\t\t{\"E\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"A AND ((B OR C) AND D)\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"A\", \"B\", \"D\"},\n\t\t\t\t{\"A\", \"C\", \"D\"},\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"A\"},\n\t\t\t\t{\"B\"},\n\t\t\t\t{\"C\"},\n\t\t\t\t{\"D\"},\n\t\t\t\t{\"A\", \"B\"},\n\t\t\t\t{\"A\", \"C\"},\n\t\t\t\t{\"A\", \"D\"},\n\t\t\t\t{\"C\", \"D\"},\n\t\t\t\t{\"B\", \"C\", \"D\"},\n\t\t\t\t{\"E\"},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tlicense: \"A AND B AND C OR D AND E OR F\",\n\t\t\tpass: [][]string{\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\", \"E\", \"F\"},\n\t\t\t\t{\"A\", \"B\", \"C\", \"D\", \"E\"},\n\t\t\t\t{\"A\", \"B\", \"C\"},\n\t\t\t\t{\"D\", \"E\"},\n\t\t\t\t{\"F\"},\n\t\t\t},\n\t\t\tfail: [][]string{\n\t\t\t\t{\"A\"},\n\t\t\t\t{\"B\"},\n\t\t\t\t{\"C\"},\n\t\t\t\t{\"D\"},\n\t\t\t\t{\"E\"},\n\t\t\t\t{\"A\", \"C\"},\n\t\t\t\t{\"A\", \"D\"},\n\t\t\t\t{\"A\", \"E\"},\n\t\t\t\t{\"B\", \"C\"},\n\t\t\t\t{\"B\", \"D\"},\n\t\t\t\t{\"B\", \"E\"},\n\t\t\t\t{\"C\", \"C\"},\n\t\t\t\t{\"C\", \"D\"},\n\t\t\t\t{\"C\", \"E\"},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tfor _, variant := range tt.pass {\n\t\t\tt.Run(namer(t, tt.license, variant, true), func(t *testing.T) {\n\t\t\t\tt.Parallel()\n\n\t\t\t\tgot, err := spdx.Satisfies(tt.license, variant)\n\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, err, nil)\n\t\t\t\t}\n\n\t\t\t\tif !got {\n\t\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, got, true)\n\t\t\t\t}\n\t\t\t})\n\t\t}\n\n\t\tfor _, variant := range tt.fail {\n\t\t\tt.Run(namer(t, tt.license, variant, false), func(t *testing.T) {\n\t\t\t\tt.Parallel()\n\n\t\t\t\tgot, err := spdx.Satisfies(tt.license, variant)\n\n\t\t\t\tif err != nil {\n\t\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, err, nil)\n\t\t\t\t}\n\n\t\t\t\tif got {\n\t\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, got, false)\n\t\t\t\t}\n\t\t\t})\n\t\t}\n\t}\n}\n\nfunc TestSatisfies_Invalid(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tlicense models.License\n\t\twantErr string\n\t}{\n\t\t// brackets must be paired\n\t\t{\"(A AND B\", \"missing closing bracket\"},\n\t\t{\"(((A AND B))\", \"missing closing bracket\"},\n\t\t{\"(A AND B OR (A AND C)\", \"missing closing bracket\"},\n\t\t// \"WITH\" must only be followed by a license expression\n\t\t{\"A WITH(\", \"unexpected ( after WITH\"},\n\t\t{\"A WITH (\", \"unexpected ( after WITH\"},\n\t\t{\"A WITH WITH\", \"unexpected WITH after WITH\"}, //nolint:dupword\n\t\t{\"A WITH AND\", \"unexpected AND after WITH\"},\n\t\t{\"A WITH OR\", \"unexpected OR after WITH\"},\n\t\t{\"A WITH)\", \"unexpected ) after WITH\"},\n\t\t{\"A WITH )\", \"unexpected ) after WITH\"},\n\t\t{\"A WITH\", \"unexpected END after WITH\"},\n\t\t{\"A WITH \", \"unexpected END after WITH\"},\n\t\t// \"AND\" must only be followed by a license expression or \"(\"\n\t\t{\"A AND WITH\", \"unexpected WITH after AND\"},\n\t\t{\"A AND AND\", \"unexpected AND after AND\"}, //nolint:dupword\n\t\t{\"A AND OR\", \"unexpected OR after AND\"},\n\t\t{\"A AND )\", \"unexpected ) after AND\"},\n\t\t{\"A AND)\", \"unexpected ) after AND\"},\n\t\t{\"A AND\", \"unexpected END after AND\"},\n\t\t{\"A AND \", \"unexpected END after AND\"},\n\t\t// \"OR\" must only be followed by a license expression or \"(\"\n\t\t{\"A OR WITH\", \"unexpected WITH after OR\"},\n\t\t{\"A OR AND\", \"unexpected AND after OR\"},\n\t\t{\"A OR OR\", \"unexpected OR after OR\"}, //nolint:dupword\n\t\t{\"A OR )\", \"unexpected ) after OR\"},\n\t\t{\"A OR)\", \"unexpected ) after OR\"},\n\t\t{\"A OR\", \"unexpected END after OR\"},\n\t\t{\"A OR \", \"unexpected END after OR\"},\n\t\t// \"(\" must only be followed by a license expression or \"(\"\n\t\t{\"(WITH\", \"unexpected WITH after (\"},\n\t\t{\"( WITH\", \"unexpected WITH after (\"},\n\t\t{\"(AND\", \"unexpected AND after (\"},\n\t\t{\"( AND\", \"unexpected AND after (\"},\n\t\t{\"(OR\", \"unexpected OR after (\"},\n\t\t{\"( OR\", \"unexpected OR after (\"},\n\t\t{\"()\", \"unexpected ) after (\"},\n\t\t{\"( )\", \"unexpected ) after (\"},\n\t\t{\"(\", \"unexpected END after (\"},\n\t\t{\"( \", \"unexpected END after (\"},\n\t\t// \")\" must only be followed by a license expression, \")\", \"WITH\", \"AND\", or \"OR\"\n\t\t{\"(A)(\", \"unexpected ( after )\"},\n\t\t{\"(A) (\", \"unexpected ( after )\"},\n\t\t{\"( A ) (\", \"unexpected ( after )\"},\n\t\t{\"(A)Apache-2.0\", \"unexpected EXP after )\"},\n\t\t{\"(A)MIT\", \"unexpected EXP after )\"},\n\t\t{\"(A) MIT\", \"unexpected EXP after )\"},\n\t\t{\"( A ) MIT\", \"unexpected EXP after )\"},\n\t\t{\"(A)WITH\", \"unexpected WITH after )\"},\n\t\t{\"(A) WITH\", \"unexpected WITH after )\"},\n\t\t{\"( A ) WITH\", \"unexpected WITH after )\"},\n\t\t// a license expression must only be followed by \"WITH\", \"AND\", \"OR\", or nothing\n\t\t{\"MIT (\", \"unexpected ( after EXP\"},\n\t\t{\"MIT(\", \"unexpected ( after EXP\"},\n\t\t{\"Apache2.0(\", \"unexpected ( after EXP\"},\n\t\t{\"MIT Apache2.0\", \"unexpected EXP after EXP\"},\n\t\t// nested errors\n\t\t{\"A AND (OR\", \"unexpected OR after (\"},\n\t\t{\"A OR (AND\", \"unexpected AND after (\"},\n\t\t{\"A OR AND (()\", \"unexpected AND after OR\"},\n\t\t{\"A OR (()\", \"unexpected ) after (\"},\n\t\t{\"A OR (B AND A OR (OR)\", \"unexpected OR after (\"},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(string(tt.license), func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot, err := spdx.Satisfies(tt.license, []string{})\n\n\t\t\tif got {\n\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, got, false)\n\t\t\t}\n\n\t\t\tif err == nil {\n\t\t\t\tt.Fatalf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, err, tt.wantErr)\n\t\t\t}\n\n\t\t\tif !strings.Contains(err.Error(), tt.wantErr) {\n\t\t\t\tt.Errorf(\"Satisfies(\\\"%s\\\") = %v, want %v\", tt.license, err, tt.wantErr)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/spdx/verify.go", "content": "package spdx\n\nimport \"strings\"\n\n// Unrecognized filters licenses for non-spdx identifiers. The \"unknown\" string is\n// also treated as a valid identifier.\nfunc Unrecognized(licenses []string) (unrecognized []string) {\n\tfor _, license := range licenses {\n\t\tl := strings.ToLower(license)\n\t\tif !IDs[l] && l != \"unknown\" {\n\t\t\tunrecognized = append(unrecognized, license)\n\t\t}\n\t}\n\n\treturn unrecognized\n}\n" }, { "path": "internal/spdx/verify_test.go", "content": "package spdx_test\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/spdx\"\n)\n\nfunc TestUnrecognized(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tname string\n\t\tlicenses []string\n\t\twant []string\n\t}{\n\t\t{\n\t\t\tname: \"all_recognized_licenses\",\n\t\t\tlicenses: []string{\"agpl-1.0\", \"MIT\", \"apache-1.0\", \"UNKNOWN\"},\n\t\t\twant: nil,\n\t\t}, {\n\t\t\tname: \"all_unrecognized_licenses\",\n\t\t\tlicenses: []string{\"agpl1.0\", \"unrecognized license\", \"apache1.0\"},\n\t\t\twant: []string{\"agpl1.0\", \"unrecognized license\", \"apache1.0\"},\n\t\t}, {\n\t\t\tname: \"some_recognized,_some_unrecognized_licenses\",\n\t\t\tlicenses: []string{\"agpl-1.0\", \"unrecognized license\", \"apache-1.0\"},\n\t\t\twant: []string{\"unrecognized license\"},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tif got := spdx.Unrecognized(tt.licenses); !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"Unrecognized() = %v,\\nwant %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/testlogger/handler.go", "content": "// Package testlogger provides a slog handler which can handle t.Parallel() tests while being a global logging handler,\n// redirecting it to the correct underlying logger for each test thread.\n//\n// This package also muffles certain log messages to reduce noise in the snapshots\n// and to keep the snapshots consistent across runs.\npackage testlogger\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"context\"\n\t\"log/slog\"\n\t\"os\"\n\t\"runtime/debug\"\n\t\"strings\"\n\t\"sync\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\nvar stdLogger = cmdlogger.New(os.Stdin, os.Stdout)\n\n// Handler can be set as the global logging handler before the test starts, and individual test cases can add their\n// own instance/implementation of the cmdlogger.CmdLogger interface.\ntype Handler struct {\n\tloggerMap sync.Map // map[string]cmdlogger.CmdLogger\n}\n\nfunc (tl *Handler) getLogger() cmdlogger.CmdLogger {\n\tkey := getCallerInstance()\n\n\tif key == \"\" {\n\t\treturn stdLogger\n\t}\n\n\tval, ok := tl.loggerMap.Load(key)\n\tif !ok {\n\t\tpanic(\"logger not found: \" + key)\n\t}\n\n\treturn val.(cmdlogger.CmdLogger)\n}\n\n// AddInstance adds a \"global\" logger to this specific test run.\nfunc (tl *Handler) AddInstance(logger cmdlogger.CmdLogger) {\n\tkey := getCallerInstance()\n\tprev, _ := tl.loggerMap.Swap(key, logger)\n\tif prev != nil {\n\t\t// This is used as a safety check for incorrect usage of the Handler, and should never happen\n\t\t// during actual tests if Delete() is correctly called at the end of a test.\n\t\tpanic(\"same logger being added twice\")\n\t}\n}\n\n// Delete removes the logger created by AddInstance()\n// This **must** be called before a test ends, as the same memory address may be reused.\nfunc (tl *Handler) Delete() {\n\ttl.loggerMap.Delete(getCallerInstance())\n}\n\n// SendEverythingToStderr tells the logger to send all logs to stderr regardless\n// of their level.\n//\n// This is useful if we're expecting to output structured data to stdout such\n// as JSON, which cannot be mixed with other output.\nfunc (tl *Handler) SendEverythingToStderr() {\n\ttl.getLogger().SendEverythingToStderr()\n}\n\nfunc (tl *Handler) SetLevel(level slog.Leveler) {\n\ttl.getLogger().SetLevel(level)\n}\n\nfunc (tl *Handler) Enabled(ctx context.Context, level slog.Level) bool {\n\treturn tl.getLogger().Enabled(ctx, level)\n}\n\nfunc (tl *Handler) Handle(ctx context.Context, record slog.Record) error {\n\tfor _, prefix := range []string{\n\t\t\"Starting filesystem walk for root:\",\n\t\t\"End status: \",\n\t\t\"Neither CPE nor PURL found for package\",\n\t\t\"Invalid PURL\",\n\t\t\"os-release[ID] not set, fallback to\",\n\t\t// TODO(another-rex): We should allow overriding of these values to avoid this issue.\n\t\t\"VERSION_ID not set in os-release\",\n\t\t\"VERSION_CODENAME and VERSION_ID not set in os-release\",\n\t\t\"VERSION_CODENAME not set in os-release, fallback to VERSION_ID\",\n\t\t\"osrelease.ParseOsRelease(): file does not exist\",\n\t\t\"Status: new inodes:\",\n\t\t\"Created image content file:\",\n\t\t\"interpreting as regex/glob and not absolute path\",\n\t} {\n\t\tif strings.HasPrefix(record.Message, prefix) {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tl := tl.getLogger()\n\tif l == stdLogger {\n\t\t// This is to be safe as we currently do not have any non muffled goroutine logs\n\t\t// When we do, this makes sure that we are aware and can add exceptions to them.\n\t\tpanic(\"noop logger found when logging non-muffled messages\")\n\t}\n\n\treturn l.Handle(ctx, record)\n}\n\nfunc (tl *Handler) SetHasErrored() {\n\ttl.getLogger().SetHasErrored()\n}\n\n// HasErrored returns true if there have been any calls to Handle with\n// a level of [slog.LevelError]\nfunc (tl *Handler) HasErrored() bool {\n\treturn tl.getLogger().HasErrored()\n}\n\n// HasErroredBecauseInvalidConfig returns true if there have been any calls to\n// Handle with a level of [slog.LevelError] due to a config file being invalid\nfunc (tl *Handler) HasErroredBecauseInvalidConfig() bool {\n\treturn tl.getLogger().HasErroredBecauseInvalidConfig()\n}\n\nfunc (tl *Handler) WithAttrs(attrs []slog.Attr) slog.Handler {\n\treturn tl.getLogger().WithAttrs(attrs)\n}\n\nfunc (tl *Handler) WithGroup(g string) slog.Handler {\n\treturn tl.getLogger().WithGroup(g)\n}\n\nvar _ cmdlogger.CmdLogger = &Handler{}\n\nfunc New() *Handler {\n\treturn &Handler{\n\t\tloggerMap: sync.Map{},\n\t}\n}\n\n// getCallerInstance finds in the call stack the memory address of the initial test runner call.\n// It will look something like this:\n//\n// `testing.tRunner(0x12345678, 0x98765432)`\n//\n// This is safe to be used as a key, as the first pointer address must be unique\n// while this test is running, and will only be reused after the test exists and that address is garbage collected.\n//\n// This uses debug.Stack(), which will create a buffer big enough to fit the entire stack trace.\n// If there is deep recursion, this will have a significant performance cost.\n//\n// Caveat: This cannot get the stack trace if called from a goroutine, and will return \"\"\nfunc getCallerInstance() string {\n\tstack := debug.Stack()\n\tsc := bufio.NewScanner(bytes.NewReader(stack))\n\tfor sc.Scan() {\n\t\tif strings.HasPrefix(sc.Text(), \"testing.tRunner(\") {\n\t\t\treturn sc.Text()\n\t\t}\n\t\tif strings.HasPrefix(sc.Text(), \"created by \") && strings.Contains(sc.Text(), \" in goroutine \") {\n\t\t\treturn \"\"\n\t\t}\n\t}\n\n\treturn \"\"\n}\n" }, { "path": "internal/testlogger/markers.go", "content": "package testlogger\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\nconst BeginDirectoryScan = \"---Begin Directory Scan---\"\nconst EndDirectoryScan = \"---End Directory Scan---\"\n\n// BeginDirScanMarker prints out a directory scanning marker during testing to allow snapshots to sort\n// the scanning order to allow for unsorted file walks.\nfunc BeginDirScanMarker() {\n\tif testing.Testing() {\n\t\tcmdlogger.Infof(BeginDirectoryScan)\n\t}\n}\n\n// EndDirScanMarker prints out a directory scanning marker during testing to mark the end of directory walks\nfunc EndDirScanMarker() {\n\tif testing.Testing() {\n\t\tcmdlogger.Infof(EndDirectoryScan)\n\t}\n}\n" }, { "path": "internal/testutility/fixture.go", "content": "// Package testutility provides utility functions for tests.\npackage testutility\n\nimport (\n\t\"encoding/json\"\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\n// load returns the contents of the fixture file after applying any replacements if on Windows\nfunc load(t *testing.T, path string, windowsReplacements map[string]string) []byte {\n\tt.Helper()\n\n\tvar file []byte\n\tvar err error\n\n\tfile, err = os.ReadFile(path)\n\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to open fixture: %s\", err)\n\t}\n\n\treturn []byte(applyWindowsReplacements(string(file), windowsReplacements))\n}\n\n// LoadJSONFixture returns the contents of the fixture file parsed as JSON\nfunc LoadJSONFixture[V any](t *testing.T, path string) V {\n\tt.Helper()\n\n\treturn LoadJSONFixtureWithWindowsReplacements[V](t, path, map[string]string{})\n}\n\n// LoadJSONFixtureWithWindowsReplacements returns the contents of the fixture\n// file parsed as JSON after applying any replacements if running on Windows\nfunc LoadJSONFixtureWithWindowsReplacements[V any](\n\tt *testing.T,\n\tpath string,\n\treplacements map[string]string,\n) V {\n\tt.Helper()\n\n\tfile := load(t, path, replacements)\n\n\tvar elem V\n\terr := json.Unmarshal(file, &elem)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal val: %s\", err)\n\t}\n\n\treturn elem\n}\n\n// LoadVulnMapFixture returns the contents of the fixture file parsed as a map of vulnerability IDs to vulnerabilities\nfunc LoadVulnMapFixture(t *testing.T, path string) map[string]*osvschema.Vulnerability {\n\tt.Helper()\n\n\tfile := load(t, path, map[string]string{})\n\n\tvar raw map[string]json.RawMessage\n\terr := json.Unmarshal(file, &raw)\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to unmarshal val: %s\", err)\n\t}\n\n\tvulns := make(map[string]*osvschema.Vulnerability)\n\tfor id, rawVuln := range raw {\n\t\tvuln := &osvschema.Vulnerability{}\n\t\tif err := protojson.Unmarshal(rawVuln, vuln); err != nil {\n\t\t\tt.Fatalf(\"Failed to unmarshal vuln %s: %s\", id, err)\n\t\t}\n\t\tvulns[id] = vuln\n\t}\n\n\treturn vulns\n}\n" }, { "path": "internal/testutility/jsonreplace.go", "content": "package testutility\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/tidwall/gjson\"\n\t\"github.com/tidwall/sjson\"\n)\n\ntype JSONReplaceRule struct {\n\tPath string\n\tReplaceFunc func(toReplace gjson.Result) any\n}\n\nvar (\n\t// OnlyIDVulnsRule simplifies vulnerabilities to only their ID\n\tOnlyIDVulnsRule = JSONReplaceRule{\n\t\tPath: \"results.#.packages.#.vulnerabilities\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\treturn toReplace.Get(\"#.id\").Value()\n\t\t},\n\t}\n\t// GroupsAsArrayLen replaces the groups array with its length\n\tGroupsAsArrayLen = JSONReplaceRule{\n\t\tPath: \"results.#.packages.#.groups\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tif toReplace.IsArray() {\n\t\t\t\treturn len(toReplace.Array())\n\t\t\t}\n\n\t\t\treturn 0\n\t\t},\n\t}\n\t// OnlyFirstBaseImage simplifies the array of base images to only the first one\n\tOnlyFirstBaseImage = JSONReplaceRule{\n\t\tPath: \"image_metadata.base_images.#\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tif toReplace.IsArray() && len(toReplace.Array()) >= 1 {\n\t\t\t\treturn toReplace.Array()[0].Value()\n\t\t\t}\n\n\t\t\treturn struct{}{}\n\t\t},\n\t}\n\t// AnyDiffID truncates diff ids in image layer metadata to just `sha256:...`\n\tAnyDiffID = JSONReplaceRule{\n\t\tPath: \"image_metadata.layer_metadata.#.diff_id\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tif len(toReplace.String()) > 7 {\n\t\t\t\treturn toReplace.String()[:7] + \"...\"\n\t\t\t}\n\n\t\t\treturn \"\"\n\t\t},\n\t}\n\t// ShortenHistoryCommandLength truncates COMMAND data to 28 characters\n\tShortenHistoryCommandLength = JSONReplaceRule{\n\t\tPath: \"image_metadata.layer_metadata.#.command\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tif len(toReplace.String()) > 28 {\n\t\t\t\treturn toReplace.String()[:25] + \"...\"\n\t\t\t}\n\n\t\t\treturn toReplace.String()\n\t\t},\n\t}\n\t// NormalizeHistoryCommand replaces COMMAND data to be consistent\n\t// across different versions of docker\n\tNormalizeHistoryCommand = JSONReplaceRule{\n\t\tPath: \"image_metadata.layer_metadata.#.command\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tstr := toReplace.String()\n\t\t\tnopMatcher := cachedregexp.MustCompile(`^/bin/sh -c #\\(nop\\)\\s+`)\n\t\t\trunMatcher := cachedregexp.MustCompile(`^/bin/sh -c\\s+`)\n\t\t\tstr = nopMatcher.ReplaceAllLiteralString(str, \"\")\n\t\t\tstr = runMatcher.ReplaceAllString(str, \"RUN \\\\0\")\n\n\t\t\treturn str\n\t\t},\n\t}\n\n\t// NormalizeCreateDateSPDX replaces the created date with a placeholder date\n\tNormalizeCreateDateSPDX = JSONReplaceRule{\n\t\tPath: \"creationInfo.created\",\n\t\tReplaceFunc: func(_ gjson.Result) any {\n\t\t\treturn \"2025-01-01T01:01:01Z\"\n\t\t},\n\t}\n\n\tReplacePartialFingerprintHash = JSONReplaceRule{\n\t\tPath: \"runs.#.results.#.partialFingerprints.primaryLocationLineHash\",\n\t\tReplaceFunc: func(toReplace gjson.Result) any {\n\t\t\tif len(toReplace.String()) > 0 {\n\t\t\t\treturn \"[line-hash]\"\n\t\t\t}\n\n\t\t\treturn \"[empty]\"\n\t\t},\n\t}\n)\n\nfunc expandArrayPaths(t *testing.T, jsonInput string, path string) []string {\n\tt.Helper()\n\n\t// split on the first intermediate #, if present\n\tpathToArray, restOfPath, hasArrayPlaceholder := strings.Cut(path, \".#.\")\n\n\t// if there is no intermediate placeholder, check for (and cut) a terminal one\n\tif !hasArrayPlaceholder {\n\t\tpathToArray, hasArrayPlaceholder = strings.CutSuffix(path, \".#\")\n\t}\n\n\t// if there are no array placeholders in the path, just return it\n\tif !hasArrayPlaceholder {\n\t\treturn []string{path}\n\t}\n\n\tr := gjson.Get(jsonInput, pathToArray)\n\n\t// skip properties that are not arrays\n\tif !r.IsArray() {\n\t\treturn []string{}\n\t}\n\n\t// if property exists and is actually an array, build out the path to each item\n\t// within that array\n\tpaths := make([]string, 0, len(r.Array()))\n\n\tfor i := range r.Array() {\n\t\tstatic := pathToArray + \".\" + strconv.Itoa(i)\n\n\t\tif restOfPath != \"\" {\n\t\t\tstatic += \".\" + restOfPath\n\t\t}\n\t\tpaths = append(paths, expandArrayPaths(t, jsonInput, static)...)\n\t}\n\n\treturn paths\n}\n\n// ReplaceJSONInput takes a gjson path and replaces all elements the path matches with the output of matcher\nfunc ReplaceJSONInput(t *testing.T, jsonInput string, path string, replacer func(toReplace gjson.Result) any) string {\n\tt.Helper()\n\n\tvar err error\n\tjson := jsonInput\n\tfor _, pathElem := range expandArrayPaths(t, jsonInput, path) {\n\t\tres := gjson.Get(jsonInput, pathElem)\n\n\t\tif !res.Exists() {\n\t\t\tcontinue\n\t\t}\n\n\t\t// optimistically replace the element, since we know at this point it does exist\n\t\tjson, err = sjson.SetOptions(json, pathElem, replacer(res), &sjson.Options{Optimistic: true})\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to set element\")\n\t\t}\n\t}\n\n\treturn json\n}\n" }, { "path": "internal/testutility/jsonreplace_test.go", "content": "package testutility\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"maps\"\n\t\"slices\"\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/tidwall/gjson\"\n)\n\nfunc Test_replaceJSONInput(t *testing.T) {\n\tt.Parallel()\n\n\tmatcher := func(_ gjson.Result) any {\n\t\treturn \"\"\n\t}\n\n\ttests := []struct {\n\t\tinput string\n\t\toutputs map[string]string\n\t}{\n\t\t{\n\t\t\tinput: `{}`,\n\t\t\toutputs: map[string]string{\"\": `{}`, \"arr.#\": `{}`},\n\t\t},\n\t\t{\n\t\t\tinput: `{ \"foo\": \"bar\" }`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"does.not.exist\": `{ \"foo\": \"bar\" }`,\n\t\t\t\t\"foo.is.string\": `{ \"foo\": \"bar\" }`,\n\t\t\t\t\"foo.#\": `{ \"foo\": \"bar\" }`,\n\t\t\t\t\"#\": `{ \"foo\": \"bar\" }`,\n\t\t\t\t\"foo\": `{ \"foo\": \"\" }`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{ \"foo\": { \"inner\": \"bar\" } }`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"foo.inner\": `{ \"foo\": { \"inner\": \"\" } }`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{ \"arr\": [1, 2, 3] }`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr\": `{ \"arr\": \"\" }`,\n\t\t\t\t\"arr.1\": `{ \"arr\": [1, \"\", 3] }`,\n\t\t\t\t\"arr.#\": `{ \"arr\": [\"\", \"\", \"\"] }`,\n\n\t\t\t\t\"arr.#(>2)\": `{ \"arr\": [1, 2, \"\"] }`,\n\t\t\t\t\"arr.#(>1)\": `{ \"arr\": [1, \"\", 3] }`,\n\t\t\t\t\"arr.#(>1)#\": `{ \"arr\": [1, \"\", \"\"] }`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{ \"arr\": [{\"v\": 1}, {\"v\": 2}, {\"v\": 3}] }`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr\": `{ \"arr\": \"\" }`,\n\t\t\t\t\"arr.0.v\": `{ \"arr\": [{\"v\": \"\"}, {\"v\": 2}, {\"v\": 3}] }`,\n\t\t\t\t\"arr.1.v\": `{ \"arr\": [{\"v\": 1}, {\"v\": \"\"}, {\"v\": 3}] }`,\n\t\t\t\t\"arr.#\": `{ \"arr\": [\"\", \"\", \"\"] }`,\n\t\t\t\t\"arr.#.v\": `{ \"arr\": [{\"v\": \"\"}, {\"v\": \"\"}, {\"v\": \"\"}] }`,\n\n\t\t\t\t\"arr.#.v.#\": `{ \"arr\": [{\"v\": 1}, {\"v\": 2}, {\"v\": 3}] }`,\n\t\t\t\t\"arr.#.#.#\": `{ \"arr\": [{\"v\": 1}, {\"v\": 2}, {\"v\": 3}] }`,\n\t\t\t\t\"arr.#.#\": `{ \"arr\": [{\"v\": 1}, {\"v\": 2}, {\"v\": 3}] }`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{\n\t\t\t\t\"arr\": [\n\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": 4}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t]\n\t\t\t}`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr\": `{ \"arr\": \"\" }`,\n\t\t\t\t\"arr.0.v.0.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": 4}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.1.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.2.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": 4}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\n\t\t\t\t\"arr.#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\"\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\n\t\t\t\t\"arr.#.v.0.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 4}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.1.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{\n\t\t\t\t\"arr\": [\n\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": 4}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t]\n\t\t\t}`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr.#.v.0.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 4}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 6}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.1.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 3}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{\n\t\t\t\t\"arr\": [\n\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t{},\n\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] },\n\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t]\n\t\t\t}`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr.#.v.0.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 2}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 6}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.1.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.1.v.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\n\t\t\t\t\"arr.#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\",\n\t\t\t\t\t\t\"\"\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": \"\" },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": \"\" },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": \"\" },\n\t\t\t\t\t\t{ \"v\": \"\" },\n\t\t\t\t\t\t{ \"v\": \"\" }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [\"\"] },\n\t\t\t\t\t\t{ \"v\": [\"\"] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tinput: `{\n\t\t\t\t\"arr\": [\n\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t{},\n\t\t\t\t\t{ \"v\": [{\"v\": 5}, {\"v\": 6}] },\n\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t{ \"v\": [{\"v\": 7}] }\n\t\t\t\t]\n\t\t\t}`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"arr.#.v.#(v>=3).v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": 6}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#(v>=3)#\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [\"\", \"\"] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [\"\"] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t\t\"arr.#.v.#(v>=3)#.v\": `{\n\t\t\t\t\t\"arr\": [\n\t\t\t\t\t\t{ \"v\": [{\"v\": 1}, {\"v\": 2}] },\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}, {\"v\": \"\"}] },\n\t\t\t\t\t\t{ \"foo\": \"bar\" },\n\t\t\t\t\t\t{ \"v\": [] },\n\t\t\t\t\t\t{ \"v\": [{\"foo\": \"bar\"}] },\n\t\t\t\t\t\t{ \"v\": [{\"v\": \"\"}] }\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t},\n\t\t},\n\n\t\t{\n\t\t\tinput: `{\n\t\t\t\t\"results\": [\n\t\t\t\t\t{},\n\t\t\t\t\t{\n\t\t\t\t\t\t\"vulns\": [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\"id\": \"GHSA-9f46-5r25-5wfm\",\n\t\t\t\t\t\t\t\t\"modified\": \"2024-02-16T08:21:35.601880Z\"\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t]\n\t\t\t\t\t},\n\t\t\t\t\t{},\n\t\t\t\t\t{},\n\t\t\t\t\t{}\n\t\t\t\t]\n\t\t\t}`,\n\t\t\toutputs: map[string]string{\n\t\t\t\t\"results.#.vulns.#.modified\": `{\n\t\t\t\t\t\"results\": [\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\"vulns\": [\n\t\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t\t\"id\": \"GHSA-9f46-5r25-5wfm\",\n\t\t\t\t\t\t\t\t\t\"modified\": \"\"\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t]\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{},\n\t\t\t\t\t\t{}\n\t\t\t\t\t]\n\t\t\t\t}`,\n\t\t\t},\n\t\t},\n\t}\n\tfor i, tt := range tests {\n\t\tpaths := slices.AppendSeq(make([]string, 0, len(tt.outputs)), maps.Keys(tt.outputs))\n\t\tslices.Sort(paths)\n\n\t\tfor _, path := range paths {\n\t\t\tt.Run(fmt.Sprintf(\"%d-%s\", i, path), func(t *testing.T) {\n\t\t\t\tt.Parallel()\n\n\t\t\t\tgot := ReplaceJSONInput(t, tt.input, path, matcher)\n\t\t\t\tif !gjson.Valid(got) {\n\t\t\t\t\tt.Fatalf(\"Output not valid: \\n%s\", got)\n\t\t\t\t}\n\n\t\t\t\tif !gjson.Valid(tt.outputs[path]) {\n\t\t\t\t\tt.Fatalf(\"Want field is not valid JSON: \\n%s\", tt.outputs[path])\n\t\t\t\t}\n\n\t\t\t\tvar wantPretty bytes.Buffer\n\t\t\t\tvar gotPretty bytes.Buffer\n\n\t\t\t\t_ = json.Indent(&wantPretty, []byte(tt.outputs[path]), \"\", \" \")\n\t\t\t\t_ = json.Indent(&gotPretty, []byte(got), \"\", \" \")\n\n\t\t\t\tif diff := cmp.Diff(wantPretty.String(), gotPretty.String()); diff != \"\" {\n\t\t\t\t\tt.Errorf(\"ReplaceJSONInput() diff (-want +got): %s\", diff)\n\t\t\t\t}\n\t\t\t})\n\t\t}\n\t}\n}\n\nfunc Test_replaceJSONInput_More(t *testing.T) {\n\tt.Parallel()\n\n\t// A nested JSON structure with arrays\n\tnestedArray := `{\n \"items\": [\n {\n \"subStruct\": {\n \"subitems\": [\n {\n \"anotherSubStruct\": \"original value 1\"\n },\n {\n \"anotherSubStruct\": \"original value 2\"\n }\n ]\n }\n },\n {\n \"subStruct\": {\n \"subitems\": [\n {\n \"anotherSubStruct\": \"original value 3\"\n },\n {\n \"anotherSubStruct\": \"original value 4\"\n }\n ]\n }\n }\n ]\n }`\n\t// A simple JSON structure\n\tsimpleStruct := `{\n \"test\": {\n \"field\": \"original value\"\n }\n }`\n\n\ttype args struct {\n\t\tjsonInput string\n\t\tpath string\n\t\tmatcher func(toReplace gjson.Result) any\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant string\n\t}{\n\t\t{\n\t\t\tname: \"Nested_json_replacement\",\n\t\t\targs: args{\n\t\t\t\tjsonInput: nestedArray,\n\t\t\t\tpath: \"items.#.subStruct.subitems.#.anotherSubStruct\",\n\t\t\t\tmatcher: func(_ gjson.Result) any {\n\t\t\t\t\treturn \"\"\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: `{\n \"items\": [\n {\n \"subStruct\": {\n \"subitems\": [\n {\n \"anotherSubStruct\": \"\"\n },\n {\n \"anotherSubStruct\": \"\"\n }\n ]\n }\n },\n {\n \"subStruct\": {\n \"subitems\": [\n {\n \"anotherSubStruct\": \"\"\n },\n {\n \"anotherSubStruct\": \"\"\n }\n ]\n }\n }\n ]\n }`,\n\t\t},\n\t\t{\n\t\t\tname: \"simple_json_replacement\",\n\t\t\targs: args{\n\t\t\t\tjsonInput: simpleStruct,\n\t\t\t\tpath: \"test.field\",\n\t\t\t\tmatcher: func(_ gjson.Result) any {\n\t\t\t\t\treturn \"\"\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: `{\n \"test\": {\n \"field\": \"\"\n }\n }`,\n\t\t},\n\t\t{\n\t\t\tname: \"nested_json_array_element_replacement\",\n\t\t\targs: args{\n\t\t\t\tjsonInput: nestedArray,\n\t\t\t\tpath: \"items.#.subStruct.subitems.#\",\n\t\t\t\tmatcher: func(res gjson.Result) any {\n\t\t\t\t\treturn res.Get(\"anotherSubStruct\").Value()\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: `{\n \"items\": [\n {\n \"subStruct\": {\n \"subitems\": [\n \"original value 1\",\n \"original value 2\"\n ]\n }\n },\n {\n \"subStruct\": {\n \"subitems\": [\n \"original value 3\",\n \"original value 4\"\n ]\n }\n }\n ]\n }`,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgot := ReplaceJSONInput(t, tt.args.jsonInput, tt.args.path, tt.args.matcher)\n\t\t\tif !gjson.Valid(got) {\n\t\t\t\tt.Fatalf(\"Output not valid: \\n%s\", got)\n\t\t\t}\n\n\t\t\tif !gjson.Valid(tt.want) {\n\t\t\t\tt.Fatalf(\"Want field is not valid JSON: \\n%s\", tt.want)\n\t\t\t}\n\n\t\t\tvar wantPretty bytes.Buffer\n\t\t\tvar gotPretty bytes.Buffer\n\n\t\t\t_ = json.Indent(&wantPretty, []byte(tt.want), \"\", \"\\t\")\n\t\t\t_ = json.Indent(&gotPretty, []byte(got), \"\", \"\\t\")\n\n\t\t\tif diff := cmp.Diff(wantPretty.String(), gotPretty.String()); diff != \"\" {\n\t\t\t\tt.Errorf(\"ReplaceJSONInput() diff (-want +got): %s\", diff)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/testutility/mock_http.go", "content": "package testutility\n\nimport (\n\t\"log\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"os\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n)\n\ntype MockHTTPServer struct {\n\t*httptest.Server\n\n\tmu sync.Mutex\n\tresponse map[string][]byte // path -> response\n\tauthorization string // expected Authorization header contents\n}\n\n// NewMockHTTPServer starts and returns a new simple HTTP Server for mocking basic requests.\n// The Server will automatically be shut down with Close() in the test Cleanup function.\n//\n// Use the SetResponse / SetResponseFromFile to set the responses for specific URL paths.\nfunc NewMockHTTPServer(t *testing.T) *MockHTTPServer {\n\tt.Helper()\n\tmock := &MockHTTPServer{response: make(map[string][]byte)}\n\tmock.Server = httptest.NewServer(mock)\n\tt.Cleanup(func() { mock.Close() })\n\n\treturn mock\n}\n\n// SetResponse sets the Server's response for the URL path to be response bytes.\nfunc (m *MockHTTPServer) SetResponse(t *testing.T, path string, response []byte) {\n\tt.Helper()\n\tm.mu.Lock()\n\tdefer m.mu.Unlock()\n\tpath = strings.TrimPrefix(path, \"/\")\n\tm.response[path] = response\n}\n\n// SetResponseFromFile sets the Server's response for the URL path to be the contents of the file at filename.\nfunc (m *MockHTTPServer) SetResponseFromFile(t *testing.T, path string, filename string) {\n\tt.Helper()\n\tb, err := os.ReadFile(filename)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to read response file: %v\", err)\n\t}\n\tm.SetResponse(t, path, b)\n}\n\n// SetAuthorization sets the contents of the 'Authorization' header the server expects for all endpoints.\n//\n// The incoming requests' headers must match the auth string exactly, otherwise the server will respond with 401 Unauthorized.\n// If authorization is unset or empty, the server will not require authorization.\nfunc (m *MockHTTPServer) SetAuthorization(t *testing.T, auth string) {\n\tt.Helper()\n\tm.mu.Lock()\n\tdefer m.mu.Unlock()\n\tm.authorization = auth\n}\n\n// ServeHTTP is the http.Handler for the underlying httptest.Server.\nfunc (m *MockHTTPServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {\n\tm.mu.Lock()\n\twantAuth := m.authorization\n\tresp, ok := m.response[strings.TrimPrefix(r.URL.EscapedPath(), \"/\")]\n\tm.mu.Unlock()\n\n\tif wantAuth != \"\" && r.Header.Get(\"Authorization\") != wantAuth {\n\t\tw.WriteHeader(http.StatusUnauthorized)\n\t\tresp = []byte(\"unauthorized\")\n\t} else if !ok {\n\t\tw.WriteHeader(http.StatusNotFound)\n\t\tresp = []byte(\"not found\")\n\t}\n\n\tif _, err := w.Write(resp); err != nil {\n\t\tlog.Fatalf(\"Write: %v\", err)\n\t}\n}\n" }, { "path": "internal/testutility/normalize.go", "content": "package testutility\n\nimport (\n\t\"bufio\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n)\n\n// normalizeFilePathsOnOutput tries to ensure lines in the given `output` are\n// less than 250 characters by normalizing any file paths that are present\nfunc normalizeFilePathsOnOutput(t *testing.T, output string) string {\n\tt.Helper()\n\n\tbuilder := strings.Builder{}\n\tscanner := bufio.NewScanner(strings.NewReader(output))\n\tfor scanner.Scan() {\n\t\ttext := scanner.Text()\n\t\tif len(text) <= 250 {\n\t\t\ttext = normalizeFilePaths(t, text)\n\t\t}\n\n\t\t// Always replace \\\\ because it could be in a long SARIF/JSON output\n\t\ttext = strings.ReplaceAll(text, \"\\\\\\\\\", \"/\")\n\t\tbuilder.WriteString(text)\n\t\tbuilder.WriteString(\"\\n\")\n\t}\n\n\t// Match ending new line\n\tif strings.HasSuffix(output, \"\\n\") {\n\t\treturn builder.String()\n\t}\n\n\treturn strings.TrimSuffix(builder.String(), \"\\n\")\n}\n\n// normalizeFilePaths attempts to normalize any file paths in the given `output`\n// so that they can be compared reliably regardless of the file path separator\n// being used.\n//\n// Namely, escaped forward slashes are replaced with backslashes.\nfunc normalizeFilePaths(t *testing.T, output string) string {\n\tt.Helper()\n\treturn strings.ReplaceAll(strings.ReplaceAll(output, \"\\\\\\\\\", \"/\"), \"\\\\\", \"/\")\n}\n\n// normalizeRootDirectory attempts to replace references to the current working\n// directory with \"\", in order to reduce the noise of the cmp diff\nfunc normalizeRootDirectory(t *testing.T, str string) string {\n\tt.Helper()\n\n\tcwd := normalizeFilePaths(t, GetCurrentWorkingDirectory(t))\n\n\t// file uris with Windows end up with three slashes, so we normalize that too\n\tstr = strings.ReplaceAll(str, \"file:///\"+cwd, \"file://\")\n\tstr = strings.ReplaceAll(str, cwd, \"\")\n\n\t// Replace versions without the root as well\n\tstr = strings.ReplaceAll(str, pathWithoutRoot(t, cwd), \"\")\n\n\treturn str\n}\n\n// normalizeUserCacheDirectory attempts to replace references to the current working\n// directory with \"\", in order to reduce the noise of the cmp diff\nfunc normalizeUserCacheDirectory(t *testing.T, str string) string {\n\tt.Helper()\n\n\tcacheDir, err := os.UserCacheDir()\n\tif err != nil {\n\t\tt.Errorf(\"could not get user cache (%v) - results and diff might be inaccurate!\", err)\n\t}\n\n\tcacheDir = normalizeFilePaths(t, cacheDir)\n\n\t// file uris with Windows end up with three slashes, so we normalize that too\n\tstr = strings.ReplaceAll(str, \"file:///\"+cacheDir, \"file://\")\n\n\treturn strings.ReplaceAll(str, cacheDir, \"\")\n}\n\n// normalizeTempDirectory attempts to replace references to the temp directory\n// with \"\", to ensure tests pass across different OSs\nfunc normalizeTempDirectory(t *testing.T, str string) string {\n\tt.Helper()\n\n\t//nolint:gocritic // ensure that the directory doesn't end with a trailing slash\n\ttempDir := normalizeFilePaths(t, filepath.Join(os.TempDir()))\n\tre := cachedregexp.MustCompile(regexp.QuoteMeta(tempDir+`/osv-scanner-test-`) + `\\d+`)\n\tstr = re.ReplaceAllString(str, \"\")\n\n\t// Replace versions without the root as well\n\tre = cachedregexp.MustCompile(regexp.QuoteMeta(pathWithoutRoot(t, tempDir)+`/osv-scanner-test-`) + `\\d+`)\n\n\treturn re.ReplaceAllString(str, \"\")\n}\n\n// normalizeErrors attempts to replace error messages on alternative OSs with their\n// known linux equivalents, to ensure tests pass across different OSs\nfunc normalizeErrors(t *testing.T, str string) string {\n\tt.Helper()\n\n\tstr = strings.ReplaceAll(str, \"The filename, directory name, or volume label syntax is incorrect.\", \"no such file or directory\")\n\tstr = strings.ReplaceAll(str, \"The system cannot find the path specified.\", \"no such file or directory\")\n\tstr = strings.ReplaceAll(str, \"The system cannot find the file specified.\", \"no such file or directory\")\n\tstr = strings.ReplaceAll(str, \"CreateFile\", \"lstat\")\n\tstr = strings.ReplaceAll(str, \"\\nstat ./testdata/\", \"\\nlstat ./testdata/\")\n\tstr = strings.ReplaceAll(str, \"GetFileAttributesEx\", \"stat\")\n\n\treturn str\n}\n\n// removeUntestableLines remove some lines from the output that are not testable\nfunc removeUntestableLines(t *testing.T, str string) string {\n\tt.Helper()\n\n\treplacer := regexp.MustCompile(`Image not found locally, pulling docker image .*\\.\\.\\.\\n`)\n\tstr = replacer.ReplaceAllLiteralString(str, \"\")\n\n\treturn str\n}\n\n// normalizeSnapshot applies a series of normalizes to the buffer from a std stream like stdout and stderr\nfunc normalizeSnapshot(t *testing.T, str string) string {\n\tt.Helper()\n\n\tfor _, normalizer := range []func(t *testing.T, str string) string{\n\t\tnormalizeFilePathsOnOutput,\n\t\tnormalizeRootDirectory,\n\t\tnormalizeTempDirectory,\n\t\tnormalizeUserCacheDirectory,\n\t\tnormalizeErrors,\n\t\tremoveUntestableLines,\n\t} {\n\t\tstr = normalizer(t, str)\n\t}\n\n\treturn str\n}\n\nfunc pathWithoutRoot(t *testing.T, str string) string {\n\tt.Helper()\n\n\t// Replace versions without the root as well\n\tvar root string\n\tif runtime.GOOS == \"windows\" {\n\t\troot = filepath.VolumeName(str) + \"\\\\\"\n\t}\n\n\tif strings.HasPrefix(str, \"/\") {\n\t\troot = \"/\"\n\t}\n\n\treturn str[len(root):]\n}\n" }, { "path": "internal/testutility/snapshot.go", "content": "package testutility\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n\n\t\"github.com/gkampitakis/go-snaps/snaps\"\n)\n\ntype Snapshot struct {\n\twindowsReplacements map[string]string\n}\n\n// NewSnapshot creates a snapshot that can be passed around within tests\nfunc NewSnapshot() Snapshot {\n\treturn Snapshot{windowsReplacements: map[string]string{}}\n}\n\n// WithWindowsReplacements adds a map of strings with values that they should be\n// replaced within before comparing the snapshot when running on Windows\nfunc (s Snapshot) WithWindowsReplacements(replacements map[string]string) Snapshot {\n\ts.windowsReplacements = replacements\n\n\treturn s\n}\n\n// WithCRLFReplacement adds a Windows replacement for \"\\r\\n\" to \"\\n\".\n// This should be called after WithWindowsReplacements if used together.\nfunc (s Snapshot) WithCRLFReplacement() Snapshot {\n\ts.windowsReplacements[\"\\r\\n\"] = \"\\n\"\n\n\treturn s\n}\n\n// MatchJSON asserts the existing snapshot matches what was gotten in the test,\n// after being marshalled as JSON\nfunc (s Snapshot) MatchJSON(t *testing.T, got any) {\n\tt.Helper()\n\n\tj, err := json.MarshalIndent(got, \"\", \" \")\n\n\tif err != nil {\n\t\tt.Fatalf(\"Failed to marshal JSON: %s\", err)\n\t}\n\n\tsnaps.MatchSnapshot(t, normalizeRootDirectory(t, applyWindowsReplacements(string(j), s.windowsReplacements)))\n}\n\n// MatchText asserts the existing snapshot matches what was gotten in the test\nfunc (s Snapshot) MatchText(t *testing.T, got string) {\n\tt.Helper()\n\n\tsnaps.MatchSnapshot(t, normalizeSnapshot(t, applyWindowsReplacements(got, s.windowsReplacements)))\n}\n" }, { "path": "internal/testutility/utility.go", "content": "package testutility\n\nimport (\n\t\"flag\"\n\t\"fmt\"\n\t\"math/rand\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/gkampitakis/go-snaps/snaps\"\n)\n\n// GetCurrentWorkingDirectory returns the current working directory, raising\n// a fatal error if it cannot be retrieved for some reason\nfunc GetCurrentWorkingDirectory(t *testing.T) string {\n\tt.Helper()\n\n\tdir, err := os.Getwd()\n\tif err != nil {\n\t\tt.Fatalf(\"failed to get current directory: %v\", err)\n\t}\n\n\treturn dir\n}\n\n// applyWindowsReplacements will replace any matching strings if on Windows\nfunc applyWindowsReplacements(content string, replacements map[string]string) string {\n\tif runtime.GOOS == \"windows\" {\n\t\tfor match, replacement := range replacements {\n\t\t\tcontent = strings.ReplaceAll(content, match, replacement)\n\t\t}\n\t}\n\n\treturn content\n}\n\n// CleanSnapshots ensures that snapshots are relevant and sorted for consistency\nfunc CleanSnapshots(m *testing.M) {\n\tdirty, err := snaps.Clean(m, snaps.CleanOpts{Sort: true})\n\n\tif err != nil {\n\t\tfmt.Println(\"Error cleaning snaps:\", err)\n\t\tos.Exit(1)\n\t}\n\tif dirty {\n\t\tfmt.Println(\"Some snapshots were outdated.\")\n\t\tos.Exit(1)\n\t}\n}\n\n// Skip is equivalent to t.Log followed by t.SkipNow, but allows tracking of\n// what snapshots are skipped so that they're not marked as obsolete\nfunc Skip(t *testing.T, args ...any) {\n\tt.Helper()\n\n\tsnaps.Skip(t, args...)\n}\n\n// isThisTestRunTarget tries to determine if the currently running test has been\n// targeted with the -run flag, by comparing the flags value to [testing.T.Name]\n//\n// Since this just does a direct comparison, it will not match for regex patterns\nfunc isThisTestRunTarget(t *testing.T) bool {\n\tt.Helper()\n\n\trunOnly, _, _ := strings.Cut(flag.Lookup(\"test.run\").Value.String(), \"/\")\n\trunOnlyWithNoRegex := strings.Trim(runOnly, \"^$\")\n\n\treturn runOnly == t.Name() || runOnlyWithNoRegex == t.Name()\n}\n\n// IsAcceptanceTesting returns true if the test suite is being run with acceptance tests enabled\nfunc IsAcceptanceTesting() bool {\n\treturn os.Getenv(\"TEST_ACCEPTANCE\") == \"true\"\n}\n\n// SkipIfNotAcceptanceTesting marks the test as skipped unless the test suite is\n// being run with acceptance tests enabled, as indicated by IsAcceptanceTesting,\n// or the test is being run specifically with the -run flag\n// This is used to skip tests that could require external dependencies other than go\nfunc SkipIfNotAcceptanceTesting(t *testing.T, reason string) {\n\tt.Helper()\n\n\tif !IsAcceptanceTesting() && !isThisTestRunTarget(t) {\n\t\tSkip(t, \"Skipping extended test: \", reason)\n\t}\n}\n\n// SkipIfShort marks the test as skipped if the short flag is set\n// or the test is being run specifically with the -run flag\nfunc SkipIfShort(t *testing.T) {\n\tt.Helper()\n\n\tif testing.Short() && !isThisTestRunTarget(t) {\n\t\tSkip(t, \"Skipping long test: \", \"Takes a while to run\")\n\t}\n}\n\nfunc ValueIfOnWindows(win, or string) string {\n\tif runtime.GOOS == \"windows\" {\n\t\treturn win\n\t}\n\n\treturn or\n}\n\nfunc fixedLengthTempDir(parent string) (string, error) {\n\tn := rand.Int63n(1_000_000_000_000) //nolint:gosec // 10^12\n\tsuffix := fmt.Sprintf(\"%0*d\", 12, n)\n\n\tname := \"osv-scanner-test-\" + suffix\n\tpath := filepath.Join(parent, name)\n\n\treturn path, os.Mkdir(path, 0o700)\n}\n\n// CreateTestDir makes a temporary directory for use in testing that involves\n// writing and reading files from disk, which is automatically cleaned up\n// when testing finishes\nfunc CreateTestDir(t *testing.T) string {\n\tt.Helper()\n\n\tp, err := fixedLengthTempDir(os.TempDir())\n\tif err != nil {\n\t\tt.Fatalf(\"could not create test directory: %v\", err)\n\t}\n\n\t// ensure the test directory is removed when we're done testing\n\tt.Cleanup(func() {\n\t\t_ = os.RemoveAll(p)\n\t})\n\n\treturn p\n}\n" }, { "path": "internal/thirdparty/ar/COPYING", "content": "Copyright (c) 2013 Blake Smith \n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in\nall copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\nTHE SOFTWARE." }, { "path": "internal/thirdparty/ar/reader.go", "content": "// Copyright (c) 2013 Blake Smith \n\n// Permission is hereby granted, free of charge, to any person obtaining a copy\n// of this software and associated documentation files (the \"Software\"), to deal\n// in the Software without restriction, including without limitation the rights\n// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n// copies of the Software, and to permit persons to whom the Software is\n// furnished to do so, subject to the following conditions:\n\n// The above copyright notice and this permission notice shall be included in\n// all copies or substantial portions of the Software.\n\n// THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN\n// THE SOFTWARE.\n\n// Modified under Apache License\n\npackage ar\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"io\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nconst (\n\tHeaderByteSize = 60\n\tArSignature = \"!\\n\"\n)\n\ntype Header struct {\n\tName string\n\tSize int\n}\n\ntype slicer []byte\n\nfunc (sp *slicer) next(n int) []byte {\n\ts := *sp\n\n\tb := s[0:n]\n\t*sp = s[n:]\n\n\treturn b\n}\n\n// Provides read access to an ar archive.\n// Call next to skip files\n//\n// Example:\n//\treader := NewReader(f)\n//\tvar buf bytes.Buffer\n//\tfor {\n//\t\t_, err := reader.Next()\n//\t\tif err == io.EOF {\n//\t\t\tbreak\n//\t\t}\n//\t\tif err != nil {\n//\t\t\tt.Errorf(err.Error())\n//\t\t}\n//\t\tio.Copy(&buf, reader)\n//\t}\n\ntype Reader struct {\n\tr io.Reader\n\tbytesToRead int\n\tpad int\n}\n\n// Copies read data to r. Strips the global ar header.\nfunc NewReader(r io.Reader) (*Reader, error) {\n\tsigBuf := bytes.Buffer{}\n\t_, _ = io.CopyN(&sigBuf, r, 8) // Discard global header\n\n\tif sigBuf.String() != ArSignature {\n\t\treturn nil, errors.New(\"not an rlib archive\")\n\t}\n\n\treturn &Reader{r: r}, nil\n}\n\n// Call Next() to skip to the next file in the archive file.\n// Returns a Header which contains the metadata about the\n// file in the archive.\nfunc (rd *Reader) Next() (*Header, error) {\n\terr := rd.skipUnread()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\treturn rd.readHeader()\n}\n\n// Read data from the current entry in the archive.\nfunc (rd *Reader) Read(b []byte) (n int, err error) {\n\tif rd.bytesToRead == 0 {\n\t\treturn 0, io.EOF\n\t}\n\tif len(b) > rd.bytesToRead {\n\t\tb = b[0:rd.bytesToRead]\n\t}\n\tn, err = rd.r.Read(b)\n\trd.bytesToRead -= n\n\n\treturn\n}\n\nfunc (rd *Reader) skipUnread() error {\n\tbytesToSkip := int64(rd.bytesToRead + rd.pad)\n\trd.bytesToRead, rd.pad = 0, 0\n\tif seeker, ok := rd.r.(io.Seeker); ok {\n\t\t_, err := seeker.Seek(bytesToSkip, io.SeekCurrent)\n\t\treturn err\n\t}\n\n\t_, err := io.CopyN(io.Discard, rd.r, bytesToSkip)\n\n\treturn err\n}\n\nfunc (rd *Reader) readHeader() (*Header, error) {\n\theaderBuf := make([]byte, HeaderByteSize)\n\tif _, err := io.ReadFull(rd.r, headerBuf); err != nil {\n\t\treturn nil, err\n\t}\n\n\theader := new(Header)\n\ts := slicer(headerBuf)\n\n\theader.Name = byteToString(s.next(16))\n\t// Skip the next 4 fields, we only need name and size\n\ts.next(12 + 6 + 6 + 8)\n\theader.Size = byteToDecimal(s.next(10))\n\n\trd.bytesToRead = header.Size\n\trd.pad = header.Size % 2\n\n\treturn header, nil\n}\n\nfunc byteToString(b []byte) string {\n\treturn strings.TrimRight(string(b), \" \")\n}\n\nfunc byteToDecimal(b []byte) int {\n\tn, _ := strconv.Atoi(byteToString(b))\n\treturn n\n}\n" }, { "path": "internal/thirdparty/xml/atom_test.go", "content": "// Copyright 2011 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport \"time\"\n\nvar atomValue = &Feed{\n\tXMLName: Name{\"http://www.w3.org/2005/Atom\", \"feed\"},\n\tTitle: \"Example Feed\",\n\tLink: []Link{{Href: \"http://example.org/\"}},\n\tUpdated: ParseTime(\"2003-12-13T18:30:02Z\"),\n\tAuthor: Person{Name: \"John Doe\"},\n\tID: \"urn:uuid:60a76c80-d399-11d9-b93C-0003939e0af6\",\n\n\tEntry: []Entry{\n\t\t{\n\t\t\tTitle: \"Atom-Powered Robots Run Amok\",\n\t\t\tLink: []Link{{Href: \"http://example.org/2003/12/13/atom03\"}},\n\t\t\tID: \"urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a\",\n\t\t\tUpdated: ParseTime(\"2003-12-13T18:30:02Z\"),\n\t\t\tSummary: NewText(\"Some text.\"),\n\t\t},\n\t},\n}\n\nvar atomXML = `` +\n\t`` +\n\t`Example Feed` +\n\t`urn:uuid:60a76c80-d399-11d9-b93C-0003939e0af6` +\n\t`` +\n\t`John Doe` +\n\t`` +\n\t`Atom-Powered Robots Run Amok` +\n\t`urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a` +\n\t`` +\n\t`2003-12-13T18:30:02Z` +\n\t`` +\n\t`Some text.` +\n\t`` +\n\t``\n\nfunc ParseTime(str string) time.Time {\n\tt, err := time.Parse(time.RFC3339, str)\n\tif err != nil {\n\t\tpanic(err)\n\t}\n\treturn t\n}\n\nfunc NewText(text string) Text {\n\treturn Text{\n\t\tBody: text,\n\t}\n}\n" }, { "path": "internal/thirdparty/xml/marshal.go", "content": "// Copyright 2011 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"encoding\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"reflect\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nconst (\n\t// Header is a generic XML header suitable for use with the output of [Marshal].\n\t// This is not automatically added to any output of this package,\n\t// it is provided as a convenience.\n\tHeader = `` + \"\\n\"\n)\n\n// Marshal returns the XML encoding of v.\n//\n// Marshal handles an array or slice by marshaling each of the elements.\n// Marshal handles a pointer by marshaling the value it points at or, if the\n// pointer is nil, by writing nothing. Marshal handles an interface value by\n// marshaling the value it contains or, if the interface value is nil, by\n// writing nothing. Marshal handles all other data by writing one or more XML\n// elements containing the data.\n//\n// The name for the XML elements is taken from, in order of preference:\n// - the tag on the XMLName field, if the data is a struct\n// - the value of the XMLName field of type [Name]\n// - the tag of the struct field used to obtain the data\n// - the name of the struct field used to obtain the data\n// - the name of the marshaled type\n//\n// The XML element for a struct contains marshaled elements for each of the\n// exported fields of the struct, with these exceptions:\n// - the XMLName field, described above, is omitted.\n// - a field with tag \"-\" is omitted.\n// - a field with tag \"name,attr\" becomes an attribute with\n// the given name in the XML element.\n// - a field with tag \",attr\" becomes an attribute with the\n// field name in the XML element.\n// - a field with tag \",chardata\" is written as character data,\n// not as an XML element.\n// - a field with tag \",cdata\" is written as character data\n// wrapped in one or more tags, not as an XML element.\n// - a field with tag \",innerxml\" is written verbatim, not subject\n// to the usual marshaling procedure.\n// - a field with tag \",comment\" is written as an XML comment, not\n// subject to the usual marshaling procedure. It must not contain\n// the \"--\" string within it.\n// - a field with a tag including the \"omitempty\" option is omitted\n// if the field value is empty. The empty values are false, 0, any\n// nil pointer or interface value, and any array, slice, map, or\n// string of length zero.\n// - an anonymous struct field is handled as if the fields of its\n// value were part of the outer struct.\n// - a field implementing [Marshaler] is written by calling its MarshalXML\n// method.\n// - a field implementing [encoding.TextMarshaler] is written by encoding the\n// result of its MarshalText method as text.\n//\n// If a field uses a tag \"a>b>c\", then the element c will be nested inside\n// parent elements a and b. Fields that appear next to each other that name\n// the same parent will be enclosed in one XML element.\n//\n// If the XML name for a struct field is defined by both the field tag and the\n// struct's XMLName field, the names must match.\n//\n// See [MarshalIndent] for an example.\n//\n// Marshal will return an error if asked to marshal a channel, function, or map.\nfunc Marshal(v any) ([]byte, error) {\n\tvar b bytes.Buffer\n\tenc := NewEncoder(&b)\n\tif err := enc.Encode(v); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := enc.Close(); err != nil {\n\t\treturn nil, err\n\t}\n\treturn b.Bytes(), nil\n}\n\n// Marshaler is the interface implemented by objects that can marshal\n// themselves into valid XML elements.\n//\n// MarshalXML encodes the receiver as zero or more XML elements.\n// By convention, arrays or slices are typically encoded as a sequence\n// of elements, one per entry.\n// Using start as the element tag is not required, but doing so\n// will enable [Unmarshal] to match the XML elements to the correct\n// struct field.\n// One common implementation strategy is to construct a separate\n// value with a layout corresponding to the desired XML and then\n// to encode it using e.EncodeElement.\n// Another common strategy is to use repeated calls to e.EncodeToken\n// to generate the XML output one token at a time.\n// The sequence of encoded tokens must make up zero or more valid\n// XML elements.\ntype Marshaler interface {\n\tMarshalXML(e *Encoder, start StartElement) error\n}\n\n// MarshalerAttr is the interface implemented by objects that can marshal\n// themselves into valid XML attributes.\n//\n// MarshalXMLAttr returns an XML attribute with the encoded value of the receiver.\n// Using name as the attribute name is not required, but doing so\n// will enable [Unmarshal] to match the attribute to the correct\n// struct field.\n// If MarshalXMLAttr returns the zero attribute [Attr]{}, no attribute\n// will be generated in the output.\n// MarshalXMLAttr is used only for struct fields with the\n// \"attr\" option in the field tag.\ntype MarshalerAttr interface {\n\tMarshalXMLAttr(name Name) (Attr, error)\n}\n\n// MarshalIndent works like [Marshal], but each XML element begins on a new\n// indented line that starts with prefix and is followed by one or more\n// copies of indent according to the nesting depth.\nfunc MarshalIndent(v any, prefix, indent string) ([]byte, error) {\n\tvar b bytes.Buffer\n\tenc := NewEncoder(&b)\n\tenc.Indent(prefix, indent)\n\tif err := enc.Encode(v); err != nil {\n\t\treturn nil, err\n\t}\n\tif err := enc.Close(); err != nil {\n\t\treturn nil, err\n\t}\n\treturn b.Bytes(), nil\n}\n\n// An Encoder writes XML data to an output stream.\ntype Encoder struct {\n\tp printer\n}\n\n// NewEncoder returns a new encoder that writes to w.\nfunc NewEncoder(w io.Writer) *Encoder {\n\te := &Encoder{printer{w: bufio.NewWriter(w)}}\n\te.p.encoder = e\n\treturn e\n}\n\n// Indent sets the encoder to generate XML in which each element\n// begins on a new indented line that starts with prefix and is followed by\n// one or more copies of indent according to the nesting depth.\nfunc (enc *Encoder) Indent(prefix, indent string) {\n\tenc.p.prefix = prefix\n\tenc.p.indent = indent\n}\n\n// Encode writes the XML encoding of v to the stream.\n//\n// See the documentation for [Marshal] for details about the conversion\n// of Go values to XML.\n//\n// Encode calls [Encoder.Flush] before returning.\nfunc (enc *Encoder) Encode(v any) error {\n\terr := enc.p.marshalValue(reflect.ValueOf(v), nil, nil)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn enc.p.w.Flush()\n}\n\n// EncodeElement writes the XML encoding of v to the stream,\n// using start as the outermost tag in the encoding.\n//\n// See the documentation for [Marshal] for details about the conversion\n// of Go values to XML.\n//\n// EncodeElement calls [Encoder.Flush] before returning.\nfunc (enc *Encoder) EncodeElement(v any, start StartElement) error {\n\terr := enc.p.marshalValue(reflect.ValueOf(v), nil, &start)\n\tif err != nil {\n\t\treturn err\n\t}\n\treturn enc.p.w.Flush()\n}\n\nvar (\n\tbegComment = []byte(\"\")\n\tendProcInst = []byte(\"?>\")\n)\n\n// EncodeToken writes the given XML token to the stream.\n// It returns an error if [StartElement] and [EndElement] tokens are not properly matched.\n//\n// EncodeToken does not call [Encoder.Flush], because usually it is part of a larger operation\n// such as [Encoder.Encode] or [Encoder.EncodeElement] (or a custom [Marshaler]'s MarshalXML invoked\n// during those), and those will call Flush when finished.\n// Callers that create an Encoder and then invoke EncodeToken directly, without\n// using Encode or EncodeElement, need to call Flush when finished to ensure\n// that the XML is written to the underlying writer.\n//\n// EncodeToken allows writing a [ProcInst] with Target set to \"xml\" only as the first token\n// in the stream.\nfunc (enc *Encoder) EncodeToken(t Token) error {\n\n\tp := &enc.p\n\tswitch t := t.(type) {\n\tcase StartElement:\n\t\tif err := p.writeStart(&t); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase EndElement:\n\t\tif err := p.writeEnd(t.Name, t.Empty); err != nil {\n\t\t\treturn err\n\t\t}\n\tcase CharData:\n\t\tif t.cdata {\n\t\t\tp.Write(cdataStart)\n\t\t}\n\t\tif t.origin != nil {\n\t\t\t// Write the original text if there are escape sequences replaced.\n\t\t\tp.Write(t.origin)\n\t\t} else {\n\t\t\tescapeText(p, t.data, false)\n\t\t}\n\t\tif t.cdata {\n\t\t\tp.Write(cdataEnd)\n\t\t}\n\tcase Comment:\n\t\tif bytes.Contains(t, endComment) {\n\t\t\treturn fmt.Errorf(\"xml: EncodeToken of Comment containing --> marker\")\n\t\t}\n\t\tp.WriteString(\"\")\n\t\treturn p.cachedWriteError()\n\tcase ProcInst:\n\t\t// First token to be encoded which is also a ProcInst with target of xml\n\t\t// is the xml declaration. The only ProcInst where target of xml is allowed.\n\t\tif t.Target == \"xml\" && p.w.Buffered() != 0 {\n\t\t\treturn fmt.Errorf(\"xml: EncodeToken of ProcInst xml target only valid for xml declaration, first token encoded\")\n\t\t}\n\t\tif !isNameString(t.Target) {\n\t\t\treturn fmt.Errorf(\"xml: EncodeToken of ProcInst with invalid Target\")\n\t\t}\n\t\tif bytes.Contains(t.Inst, endProcInst) {\n\t\t\treturn fmt.Errorf(\"xml: EncodeToken of ProcInst containing ?> marker\")\n\t\t}\n\t\tp.WriteString(\" 0 {\n\t\t\tp.WriteByte(' ')\n\t\t\tp.Write(t.Inst)\n\t\t}\n\t\tp.WriteString(\"?>\")\n\tcase Directive:\n\t\tif !isValidDirective(t) {\n\t\t\treturn fmt.Errorf(\"xml: EncodeToken of Directive containing wrong < or > markers\")\n\t\t}\n\t\tp.WriteString(\"\")\n\tdefault:\n\t\treturn fmt.Errorf(\"xml: EncodeToken of invalid token type\")\n\n\t}\n\treturn p.cachedWriteError()\n}\n\n// isValidDirective reports whether dir is a valid directive text,\n// meaning angle brackets are matched, ignoring comments and strings.\nfunc isValidDirective(dir Directive) bool {\n\tvar (\n\t\tdepth int\n\t\tinquote uint8\n\t\tincomment bool\n\t)\n\tfor i, c := range dir {\n\t\tswitch {\n\t\tcase incomment:\n\t\t\tif c == '>' {\n\t\t\t\tif n := 1 + i - len(endComment); n >= 0 && bytes.Equal(dir[n:i+1], endComment) {\n\t\t\t\t\tincomment = false\n\t\t\t\t}\n\t\t\t}\n\t\t\t// Just ignore anything in comment\n\t\tcase inquote != 0:\n\t\t\tif c == inquote {\n\t\t\t\tinquote = 0\n\t\t\t}\n\t\t\t// Just ignore anything within quotes\n\t\tcase c == '\\'' || c == '\"':\n\t\t\tinquote = c\n\t\tcase c == '<':\n\t\t\tif i+len(begComment) < len(dir) && bytes.Equal(dir[i:i+len(begComment)], begComment) {\n\t\t\t\tincomment = true\n\t\t\t} else {\n\t\t\t\tdepth++\n\t\t\t}\n\t\tcase c == '>':\n\t\t\tif depth == 0 {\n\t\t\t\treturn false\n\t\t\t}\n\t\t\tdepth--\n\t\t}\n\t}\n\treturn depth == 0 && inquote == 0 && !incomment\n}\n\n// Flush flushes any buffered XML to the underlying writer.\n// See the [Encoder.EncodeToken] documentation for details about when it is necessary.\nfunc (enc *Encoder) Flush() error {\n\treturn enc.p.w.Flush()\n}\n\n// Close the Encoder, indicating that no more data will be written. It flushes\n// any buffered XML to the underlying writer and returns an error if the\n// written XML is invalid (e.g. by containing unclosed elements).\nfunc (enc *Encoder) Close() error {\n\treturn enc.p.Close()\n}\n\ntype printer struct {\n\tw *bufio.Writer\n\tencoder *Encoder\n\tseq int\n\tindent string\n\tprefix string\n\tdepth int\n\tindentedIn bool\n\tputNewline bool\n\tattrNS map[string]string // map prefix -> name space\n\tattrPrefix map[string]string // map name space -> prefix\n\tprefixes []string\n\ttags []Name\n\tclosed bool\n\terr error\n}\n\n// createAttrPrefix finds the name space prefix attribute to use for the given name space,\n// defining a new prefix if necessary. It returns the prefix.\nfunc (p *printer) createAttrPrefix(url string) string {\n\tif prefix := p.attrPrefix[url]; prefix != \"\" {\n\t\treturn prefix\n\t}\n\n\t// The \"http://www.w3.org/XML/1998/namespace\" name space is predefined as \"xml\"\n\t// and must be referred to that way.\n\t// (The \"http://www.w3.org/2000/xmlns/\" name space is also predefined as \"xmlns\",\n\t// but users should not be trying to use that one directly - that's our job.)\n\tif url == xmlURL {\n\t\treturn xmlPrefix\n\t}\n\n\t// Need to define a new name space.\n\tif p.attrPrefix == nil {\n\t\tp.attrPrefix = make(map[string]string)\n\t\tp.attrNS = make(map[string]string)\n\t}\n\n\t// Pick a name. We try to use the final element of the path\n\t// but fall back to _.\n\tprefix := strings.TrimRight(url, \"/\")\n\tif i := strings.LastIndex(prefix, \"/\"); i >= 0 {\n\t\tprefix = prefix[i+1:]\n\t}\n\tif prefix == \"\" || !isName([]byte(prefix)) || strings.Contains(prefix, \":\") {\n\t\tprefix = \"_\"\n\t}\n\t// xmlanything is reserved and any variant of it regardless of\n\t// case should be matched, so:\n\t// (('X'|'x') ('M'|'m') ('L'|'l'))\n\t// See Section 2.3 of https://www.w3.org/TR/REC-xml/\n\tif len(prefix) >= 3 && strings.EqualFold(prefix[:3], \"xml\") {\n\t\tprefix = \"_\" + prefix\n\t}\n\tif p.attrNS[prefix] != \"\" {\n\t\t// Name is taken. Find a better one.\n\t\tfor p.seq++; ; p.seq++ {\n\t\t\tif id := prefix + \"_\" + strconv.Itoa(p.seq); p.attrNS[id] == \"\" {\n\t\t\t\tprefix = id\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\tp.attrPrefix[url] = prefix\n\tp.attrNS[prefix] = url\n\n\tp.WriteString(`xmlns:`)\n\tp.WriteString(prefix)\n\tp.WriteString(`=\"`)\n\tEscapeText(p, []byte(url))\n\tp.WriteString(`\" `)\n\n\tp.prefixes = append(p.prefixes, prefix)\n\n\treturn prefix\n}\n\n// deleteAttrPrefix removes an attribute name space prefix.\nfunc (p *printer) deleteAttrPrefix(prefix string) {\n\tdelete(p.attrPrefix, p.attrNS[prefix])\n\tdelete(p.attrNS, prefix)\n}\n\nfunc (p *printer) markPrefix() {\n\tp.prefixes = append(p.prefixes, \"\")\n}\n\nfunc (p *printer) popPrefix() {\n\tfor len(p.prefixes) > 0 {\n\t\tprefix := p.prefixes[len(p.prefixes)-1]\n\t\tp.prefixes = p.prefixes[:len(p.prefixes)-1]\n\t\tif prefix == \"\" {\n\t\t\tbreak\n\t\t}\n\t\tp.deleteAttrPrefix(prefix)\n\t}\n}\n\nvar (\n\tmarshalerType = reflect.TypeFor[Marshaler]()\n\tmarshalerAttrType = reflect.TypeFor[MarshalerAttr]()\n\ttextMarshalerType = reflect.TypeFor[encoding.TextMarshaler]()\n)\n\n// marshalValue writes one or more XML elements representing val.\n// If val was obtained from a struct field, finfo must have its details.\nfunc (p *printer) marshalValue(val reflect.Value, finfo *fieldInfo, startTemplate *StartElement) error {\n\tif startTemplate != nil && startTemplate.Name.Local == \"\" {\n\t\treturn fmt.Errorf(\"xml: EncodeElement of StartElement with missing name\")\n\t}\n\n\tif !val.IsValid() {\n\t\treturn nil\n\t}\n\tif finfo != nil && finfo.flags&fOmitEmpty != 0 && isEmptyValue(val) {\n\t\treturn nil\n\t}\n\n\t// Drill into interfaces and pointers.\n\t// This can turn into an infinite loop given a cyclic chain,\n\t// but it matches the Go 1 behavior.\n\tfor val.Kind() == reflect.Interface || val.Kind() == reflect.Pointer {\n\t\tif val.IsNil() {\n\t\t\treturn nil\n\t\t}\n\t\tval = val.Elem()\n\t}\n\n\tkind := val.Kind()\n\ttyp := val.Type()\n\n\t// Check for marshaler.\n\tif val.CanInterface() && typ.Implements(marshalerType) {\n\t\treturn p.marshalInterface(val.Interface().(Marshaler), defaultStart(typ, finfo, startTemplate))\n\t}\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(marshalerType) {\n\t\t\treturn p.marshalInterface(pv.Interface().(Marshaler), defaultStart(pv.Type(), finfo, startTemplate))\n\t\t}\n\t}\n\n\t// Check for text marshaler.\n\tif val.CanInterface() && typ.Implements(textMarshalerType) {\n\t\treturn p.marshalTextInterface(val.Interface().(encoding.TextMarshaler), defaultStart(typ, finfo, startTemplate))\n\t}\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(textMarshalerType) {\n\t\t\treturn p.marshalTextInterface(pv.Interface().(encoding.TextMarshaler), defaultStart(pv.Type(), finfo, startTemplate))\n\t\t}\n\t}\n\n\t// Slices and arrays iterate over the elements. They do not have an enclosing tag.\n\tif (kind == reflect.Slice || kind == reflect.Array) && typ.Elem().Kind() != reflect.Uint8 {\n\t\tfor i, n := 0, val.Len(); i < n; i++ {\n\t\t\tif err := p.marshalValue(val.Index(i), finfo, startTemplate); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n\n\ttinfo, err := getTypeInfo(typ)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Create start element.\n\t// Precedence for the XML element name is:\n\t// 0. startTemplate\n\t// 1. XMLName field in underlying struct;\n\t// 2. field name/tag in the struct field; and\n\t// 3. type name\n\tvar start StartElement\n\n\tif startTemplate != nil {\n\t\tstart.Name = startTemplate.Name\n\t\tstart.Attr = append(start.Attr, startTemplate.Attr...)\n\t\tstart.Empty = startTemplate.Empty\n\t} else if tinfo.xmlname != nil {\n\t\txmlname := tinfo.xmlname\n\t\tif xmlname.name != \"\" {\n\t\t\tstart.Name.Space, start.Name.Local = xmlname.xmlns, xmlname.name\n\t\t} else {\n\t\t\tfv := xmlname.value(val, dontInitNilPointers)\n\t\t\tif v, ok := fv.Interface().(Name); ok && v.Local != \"\" {\n\t\t\t\tstart.Name = v\n\t\t\t}\n\t\t}\n\t}\n\tif start.Name.Local == \"\" && finfo != nil {\n\t\tstart.Name.Space, start.Name.Local = finfo.xmlns, finfo.name\n\t}\n\tif start.Name.Local == \"\" {\n\t\tname := typ.Name()\n\t\tif i := strings.IndexByte(name, '['); i >= 0 {\n\t\t\t// Truncate generic instantiation name. See issue 48318.\n\t\t\tname = name[:i]\n\t\t}\n\t\tif name == \"\" {\n\t\t\treturn &UnsupportedTypeError{typ}\n\t\t}\n\t\tstart.Name.Local = name\n\t}\n\n\t// Attributes\n\tfor i := range tinfo.fields {\n\t\tfinfo := &tinfo.fields[i]\n\t\tif finfo.flags&fAttr == 0 {\n\t\t\tcontinue\n\t\t}\n\t\tfv := finfo.value(val, dontInitNilPointers)\n\n\t\tif finfo.flags&fOmitEmpty != 0 && (!fv.IsValid() || isEmptyValue(fv)) {\n\t\t\tcontinue\n\t\t}\n\n\t\tif fv.Kind() == reflect.Interface && fv.IsNil() {\n\t\t\tcontinue\n\t\t}\n\n\t\tname := Name{Space: finfo.xmlns, Local: finfo.name}\n\t\tif err := p.marshalAttr(&start, name, fv); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\t// If an empty name was found, namespace is overridden with an empty space\n\tif tinfo.xmlname != nil && start.Name.Space == \"\" &&\n\t\ttinfo.xmlname.xmlns == \"\" && tinfo.xmlname.name == \"\" &&\n\t\tlen(p.tags) != 0 && p.tags[len(p.tags)-1].Space != \"\" {\n\t\tstart.Attr = append(start.Attr, Attr{Name{\"\", xmlnsPrefix}, \"\", \"\"})\n\t}\n\tif err := p.writeStart(&start); err != nil {\n\t\treturn err\n\t}\n\n\tif val.Kind() == reflect.Struct {\n\t\terr = p.marshalStruct(tinfo, val)\n\t} else {\n\t\ts, b, err1 := p.marshalSimple(typ, val)\n\t\tif err1 != nil {\n\t\t\terr = err1\n\t\t} else if b != nil {\n\t\t\tEscapeText(p, b)\n\t\t} else {\n\t\t\tp.EscapeString(s, false)\n\t\t}\n\t}\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tif err := p.writeEnd(start.Name, start.Empty); err != nil {\n\t\treturn err\n\t}\n\n\treturn p.cachedWriteError()\n}\n\n// marshalAttr marshals an attribute with the given name and value, adding to start.Attr.\nfunc (p *printer) marshalAttr(start *StartElement, name Name, val reflect.Value) error {\n\tif val.CanInterface() && val.Type().Implements(marshalerAttrType) {\n\t\tattr, err := val.Interface().(MarshalerAttr).MarshalXMLAttr(name)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif attr.Name.Local != \"\" {\n\t\t\tstart.Attr = append(start.Attr, attr)\n\t\t}\n\t\treturn nil\n\t}\n\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(marshalerAttrType) {\n\t\t\tattr, err := pv.Interface().(MarshalerAttr).MarshalXMLAttr(name)\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif attr.Name.Local != \"\" {\n\t\t\t\tstart.Attr = append(start.Attr, attr)\n\t\t\t}\n\t\t\treturn nil\n\t\t}\n\t}\n\n\tif val.CanInterface() && val.Type().Implements(textMarshalerType) {\n\t\ttext, err := val.Interface().(encoding.TextMarshaler).MarshalText()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tstart.Attr = append(start.Attr, Attr{name, string(text), \"\"})\n\t\treturn nil\n\t}\n\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(textMarshalerType) {\n\t\t\ttext, err := pv.Interface().(encoding.TextMarshaler).MarshalText()\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tstart.Attr = append(start.Attr, Attr{name, string(text), \"\"})\n\t\t\treturn nil\n\t\t}\n\t}\n\n\t// Dereference or skip nil pointer, interface values.\n\tswitch val.Kind() {\n\tcase reflect.Pointer, reflect.Interface:\n\t\tif val.IsNil() {\n\t\t\treturn nil\n\t\t}\n\t\tval = val.Elem()\n\t}\n\n\t// Walk slices.\n\tif val.Kind() == reflect.Slice && val.Type().Elem().Kind() != reflect.Uint8 {\n\t\tn := val.Len()\n\t\tfor i := 0; i < n; i++ {\n\t\t\tif err := p.marshalAttr(start, name, val.Index(i)); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t}\n\t\treturn nil\n\t}\n\n\tif val.Type() == attrType {\n\t\tstart.Attr = append(start.Attr, val.Interface().(Attr))\n\t\treturn nil\n\t}\n\n\ts, b, err := p.marshalSimple(val.Type(), val)\n\tif err != nil {\n\t\treturn err\n\t}\n\tif b != nil {\n\t\ts = string(b)\n\t}\n\tstart.Attr = append(start.Attr, Attr{name, s, \"\"})\n\treturn nil\n}\n\n// defaultStart returns the default start element to use,\n// given the reflect type, field info, and start template.\nfunc defaultStart(typ reflect.Type, finfo *fieldInfo, startTemplate *StartElement) StartElement {\n\tvar start StartElement\n\t// Precedence for the XML element name is as above,\n\t// except that we do not look inside structs for the first field.\n\tif startTemplate != nil {\n\t\tstart.Name = startTemplate.Name\n\t\tstart.Attr = append(start.Attr, startTemplate.Attr...)\n\t} else if finfo != nil && finfo.name != \"\" {\n\t\tstart.Name.Local = finfo.name\n\t\tstart.Name.Space = finfo.xmlns\n\t} else if typ.Name() != \"\" {\n\t\tstart.Name.Local = typ.Name()\n\t} else {\n\t\t// Must be a pointer to a named type,\n\t\t// since it has the Marshaler methods.\n\t\tstart.Name.Local = typ.Elem().Name()\n\t}\n\treturn start\n}\n\n// marshalInterface marshals a Marshaler interface value.\nfunc (p *printer) marshalInterface(val Marshaler, start StartElement) error {\n\t// Push a marker onto the tag stack so that MarshalXML\n\t// cannot close the XML tags that it did not open.\n\tp.tags = append(p.tags, Name{})\n\tn := len(p.tags)\n\n\terr := val.MarshalXML(p.encoder, start)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// Make sure MarshalXML closed all its tags. p.tags[n-1] is the mark.\n\tif len(p.tags) > n {\n\t\treturn fmt.Errorf(\"xml: %s.MarshalXML wrote invalid XML: <%s> not closed\", receiverType(val), p.tags[len(p.tags)-1].Local)\n\t}\n\tp.tags = p.tags[:n-1]\n\treturn nil\n}\n\n// marshalTextInterface marshals a TextMarshaler interface value.\nfunc (p *printer) marshalTextInterface(val encoding.TextMarshaler, start StartElement) error {\n\tif err := p.writeStart(&start); err != nil {\n\t\treturn err\n\t}\n\ttext, err := val.MarshalText()\n\tif err != nil {\n\t\treturn err\n\t}\n\tEscapeText(p, text)\n\treturn p.writeEnd(start.Name, start.Empty)\n}\n\n// writeStart writes the given start element.\nfunc (p *printer) writeStart(start *StartElement) error {\n\tif start.Name.Local == \"\" {\n\t\treturn fmt.Errorf(\"xml: start tag with no name\")\n\t}\n\n\tp.tags = append(p.tags, start.Name)\n\tp.markPrefix()\n\n\tp.writeIndent(1)\n\tp.WriteByte('<')\n\tp.WriteString(start.Name.Local)\n\n\tif start.Name.Space != \"\" {\n\t\tp.WriteString(` xmlns=\"`)\n\t\tp.EscapeString(start.Name.Space, false)\n\t\tp.WriteByte('\"')\n\t}\n\n\t// Attributes\n\tfor _, attr := range start.Attr {\n\t\tname := attr.Name\n\t\tif name.Local == \"\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tif attr.Diff == \"\" {\n\t\t\tp.WriteByte(' ')\n\t\t} else {\n\t\t\tp.WriteString(attr.Diff)\n\t\t}\n\n\t\tif name.Space != \"\" {\n\t\t\tp.WriteString(p.createAttrPrefix(name.Space))\n\t\t\tp.WriteByte(':')\n\t\t}\n\t\tp.WriteString(name.Local)\n\t\tp.WriteString(`=\"`)\n\t\tp.EscapeString(attr.Value, true)\n\t\tp.WriteByte('\"')\n\t}\n\n\tp.WriteString(start.Diff)\n\tif start.Empty {\n\t\tp.WriteByte('/')\n\t}\n\n\tp.WriteByte('>')\n\treturn nil\n}\n\nfunc (p *printer) writeEnd(name Name, empty bool) error {\n\tif name.Local == \"\" {\n\t\treturn fmt.Errorf(\"xml: end tag with no name\")\n\t}\n\tif len(p.tags) == 0 || p.tags[len(p.tags)-1].Local == \"\" {\n\t\treturn fmt.Errorf(\"xml: end tag without start tag\", name.Local)\n\t}\n\tif top := p.tags[len(p.tags)-1]; top != name {\n\t\tif top.Local != name.Local {\n\t\t\treturn fmt.Errorf(\"xml: end tag does not match start tag <%s>\", name.Local, top.Local)\n\t\t}\n\t\treturn fmt.Errorf(\"xml: end tag in namespace %s does not match start tag <%s> in namespace %s\", name.Local, name.Space, top.Local, top.Space)\n\t}\n\tp.tags = p.tags[:len(p.tags)-1]\n\n\tif !empty {\n\t\tp.writeIndent(-1)\n\t\tp.WriteByte('<')\n\t\tp.WriteByte('/')\n\t\tp.WriteString(name.Local)\n\t\tp.WriteByte('>')\n\t}\n\tp.popPrefix()\n\treturn nil\n}\n\nfunc (p *printer) marshalSimple(typ reflect.Type, val reflect.Value) (string, []byte, error) {\n\tswitch val.Kind() {\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\treturn strconv.FormatInt(val.Int(), 10), nil, nil\n\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:\n\t\treturn strconv.FormatUint(val.Uint(), 10), nil, nil\n\tcase reflect.Float32, reflect.Float64:\n\t\treturn strconv.FormatFloat(val.Float(), 'g', -1, val.Type().Bits()), nil, nil\n\tcase reflect.String:\n\t\treturn val.String(), nil, nil\n\tcase reflect.Bool:\n\t\treturn strconv.FormatBool(val.Bool()), nil, nil\n\tcase reflect.Array:\n\t\tif typ.Elem().Kind() != reflect.Uint8 {\n\t\t\tbreak\n\t\t}\n\t\t// [...]byte\n\t\tvar bytes []byte\n\t\tif val.CanAddr() {\n\t\t\tbytes = val.Bytes()\n\t\t} else {\n\t\t\tbytes = make([]byte, val.Len())\n\t\t\treflect.Copy(reflect.ValueOf(bytes), val)\n\t\t}\n\t\treturn \"\", bytes, nil\n\tcase reflect.Slice:\n\t\tif typ.Elem().Kind() != reflect.Uint8 {\n\t\t\tbreak\n\t\t}\n\t\t// []byte\n\t\treturn \"\", val.Bytes(), nil\n\t}\n\treturn \"\", nil, &UnsupportedTypeError{typ}\n}\n\nvar ddBytes = []byte(\"--\")\n\n// indirect drills into interfaces and pointers, returning the pointed-at value.\n// If it encounters a nil interface or pointer, indirect returns that nil value.\n// This can turn into an infinite loop given a cyclic chain,\n// but it matches the Go 1 behavior.\nfunc indirect(vf reflect.Value) reflect.Value {\n\tfor vf.Kind() == reflect.Interface || vf.Kind() == reflect.Pointer {\n\t\tif vf.IsNil() {\n\t\t\treturn vf\n\t\t}\n\t\tvf = vf.Elem()\n\t}\n\treturn vf\n}\n\nfunc (p *printer) marshalStruct(tinfo *typeInfo, val reflect.Value) error {\n\ts := parentStack{p: p}\n\tfor i := range tinfo.fields {\n\t\tfinfo := &tinfo.fields[i]\n\t\tif finfo.flags&fAttr != 0 {\n\t\t\tcontinue\n\t\t}\n\t\tvf := finfo.value(val, dontInitNilPointers)\n\t\tif !vf.IsValid() {\n\t\t\t// The field is behind an anonymous struct field that's\n\t\t\t// nil. Skip it.\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch finfo.flags & fMode {\n\t\tcase fCDATA, fCharData:\n\t\t\temit := EscapeText\n\t\t\tif finfo.flags&fMode == fCDATA {\n\t\t\t\temit = emitCDATA\n\t\t\t}\n\t\t\tif err := s.trim(finfo.parents); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif vf.CanInterface() && vf.Type().Implements(textMarshalerType) {\n\t\t\t\tdata, err := vf.Interface().(encoding.TextMarshaler).MarshalText()\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif err := emit(p, data); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tif vf.CanAddr() {\n\t\t\t\tpv := vf.Addr()\n\t\t\t\tif pv.CanInterface() && pv.Type().Implements(textMarshalerType) {\n\t\t\t\t\tdata, err := pv.Interface().(encoding.TextMarshaler).MarshalText()\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tif err := emit(p, data); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tvar scratch [64]byte\n\t\t\tvf = indirect(vf)\n\t\t\tswitch vf.Kind() {\n\t\t\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\t\t\tif err := emit(p, strconv.AppendInt(scratch[:0], vf.Int(), 10)); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:\n\t\t\t\tif err := emit(p, strconv.AppendUint(scratch[:0], vf.Uint(), 10)); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tcase reflect.Float32, reflect.Float64:\n\t\t\t\tif err := emit(p, strconv.AppendFloat(scratch[:0], vf.Float(), 'g', -1, vf.Type().Bits())); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tcase reflect.Bool:\n\t\t\t\tif err := emit(p, strconv.AppendBool(scratch[:0], vf.Bool())); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tcase reflect.String:\n\t\t\t\tif err := emit(p, []byte(vf.String())); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\tcase reflect.Slice:\n\t\t\t\tif elem, ok := vf.Interface().([]byte); ok {\n\t\t\t\t\tif err := emit(p, elem); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tcontinue\n\n\t\tcase fComment:\n\t\t\tif err := s.trim(finfo.parents); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tvf = indirect(vf)\n\t\t\tk := vf.Kind()\n\t\t\tif !(k == reflect.String || k == reflect.Slice && vf.Type().Elem().Kind() == reflect.Uint8) {\n\t\t\t\treturn fmt.Errorf(\"xml: bad type for comment field of %s\", val.Type())\n\t\t\t}\n\t\t\tif vf.Len() == 0 {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tp.writeIndent(0)\n\t\t\tp.WriteString(\"\" is invalid grammar. Make it \"- -->\"\n\t\t\t\tp.WriteByte(' ')\n\t\t\t}\n\t\t\tp.WriteString(\"-->\")\n\t\t\tcontinue\n\n\t\tcase fInnerXML:\n\t\t\tvf = indirect(vf)\n\t\t\tiface := vf.Interface()\n\t\t\tswitch raw := iface.(type) {\n\t\t\tcase []byte:\n\t\t\t\tp.Write(raw)\n\t\t\t\tcontinue\n\t\t\tcase string:\n\t\t\t\tp.WriteString(raw)\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\tcase fElement, fElement | fAny:\n\t\t\tif err := s.trim(finfo.parents); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif len(finfo.parents) > len(s.stack) {\n\t\t\t\tif vf.Kind() != reflect.Pointer && vf.Kind() != reflect.Interface || !vf.IsNil() {\n\t\t\t\t\tif err := s.push(finfo.parents[len(s.stack):]); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif err := p.marshalValue(vf, finfo, nil); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\ts.trim(nil)\n\treturn p.cachedWriteError()\n}\n\n// Write implements io.Writer\nfunc (p *printer) Write(b []byte) (n int, err error) {\n\tif p.closed && p.err == nil {\n\t\tp.err = errors.New(\"use of closed Encoder\")\n\t}\n\tif p.err == nil {\n\t\tn, p.err = p.w.Write(b)\n\t}\n\treturn n, p.err\n}\n\n// WriteString implements io.StringWriter\nfunc (p *printer) WriteString(s string) (n int, err error) {\n\tif p.closed && p.err == nil {\n\t\tp.err = errors.New(\"use of closed Encoder\")\n\t}\n\tif p.err == nil {\n\t\tn, p.err = p.w.WriteString(s)\n\t}\n\treturn n, p.err\n}\n\n// WriteByte implements io.ByteWriter\nfunc (p *printer) WriteByte(c byte) error {\n\tif p.closed && p.err == nil {\n\t\tp.err = errors.New(\"use of closed Encoder\")\n\t}\n\tif p.err == nil {\n\t\tp.err = p.w.WriteByte(c)\n\t}\n\treturn p.err\n}\n\n// Close the Encoder, indicating that no more data will be written. It flushes\n// any buffered XML to the underlying writer and returns an error if the\n// written XML is invalid (e.g. by containing unclosed elements).\nfunc (p *printer) Close() error {\n\tif p.closed {\n\t\treturn nil\n\t}\n\tp.closed = true\n\tif err := p.w.Flush(); err != nil {\n\t\treturn err\n\t}\n\tif len(p.tags) > 0 {\n\t\treturn fmt.Errorf(\"unclosed tag <%s>\", p.tags[len(p.tags)-1].Local)\n\t}\n\treturn nil\n}\n\n// return the bufio Writer's cached write error\nfunc (p *printer) cachedWriteError() error {\n\t_, err := p.Write(nil)\n\treturn err\n}\n\nfunc (p *printer) writeIndent(depthDelta int) {\n\tif len(p.prefix) == 0 && len(p.indent) == 0 {\n\t\treturn\n\t}\n\tif depthDelta < 0 {\n\t\tp.depth--\n\t\tif p.indentedIn {\n\t\t\tp.indentedIn = false\n\t\t\treturn\n\t\t}\n\t\tp.indentedIn = false\n\t}\n\tif p.putNewline {\n\t\tp.WriteByte('\\n')\n\t} else {\n\t\tp.putNewline = true\n\t}\n\tif len(p.prefix) > 0 {\n\t\tp.WriteString(p.prefix)\n\t}\n\tif len(p.indent) > 0 {\n\t\tfor i := 0; i < p.depth; i++ {\n\t\t\tp.WriteString(p.indent)\n\t\t}\n\t}\n\tif depthDelta > 0 {\n\t\tp.depth++\n\t\tp.indentedIn = true\n\t}\n}\n\ntype parentStack struct {\n\tp *printer\n\tstack []string\n}\n\n// trim updates the XML context to match the longest common prefix of the stack\n// and the given parents. A closing tag will be written for every parent\n// popped. Passing a zero slice or nil will close all the elements.\nfunc (s *parentStack) trim(parents []string) error {\n\tsplit := 0\n\tfor ; split < len(parents) && split < len(s.stack); split++ {\n\t\tif parents[split] != s.stack[split] {\n\t\t\tbreak\n\t\t}\n\t}\n\tfor i := len(s.stack) - 1; i >= split; i-- {\n\t\tif err := s.p.writeEnd(Name{Local: s.stack[i]}, false); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\ts.stack = s.stack[:split]\n\treturn nil\n}\n\n// push adds parent elements to the stack and writes open tags.\nfunc (s *parentStack) push(parents []string) error {\n\tfor i := 0; i < len(parents); i++ {\n\t\tif err := s.p.writeStart(&StartElement{Name: Name{Local: parents[i]}}); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\ts.stack = append(s.stack, parents...)\n\treturn nil\n}\n\n// UnsupportedTypeError is returned when [Marshal] encounters a type\n// that cannot be converted into XML.\ntype UnsupportedTypeError struct {\n\tType reflect.Type\n}\n\nfunc (e *UnsupportedTypeError) Error() string {\n\treturn \"xml: unsupported type: \" + e.Type.String()\n}\n\nfunc isEmptyValue(v reflect.Value) bool {\n\tswitch v.Kind() {\n\tcase reflect.Array, reflect.Map, reflect.Slice, reflect.String:\n\t\treturn v.Len() == 0\n\tcase reflect.Bool,\n\t\treflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,\n\t\treflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr,\n\t\treflect.Float32, reflect.Float64,\n\t\treflect.Interface, reflect.Pointer:\n\t\treturn v.IsZero()\n\t}\n\treturn false\n}\n" }, { "path": "internal/thirdparty/xml/marshal_test.go", "content": "// Copyright 2011 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"reflect\"\n\t\"strconv\"\n\t\"strings\"\n\t\"sync\"\n\t\"testing\"\n\t\"time\"\n)\n\ntype DriveType int\n\nconst (\n\tHyperDrive DriveType = iota\n\tImprobabilityDrive\n)\n\ntype Passenger struct {\n\tName []string `xml:\"name\"`\n\tWeight float32 `xml:\"weight\"`\n}\n\ntype Ship struct {\n\tXMLName struct{} `xml:\"spaceship\"`\n\n\tName string `xml:\"name,attr\"`\n\tPilot string `xml:\"pilot,attr\"`\n\tDrive DriveType `xml:\"drive\"`\n\tAge uint `xml:\"age\"`\n\tPassenger []*Passenger `xml:\"passenger\"`\n\tsecret string\n}\n\ntype NamedType string\n\ntype Port struct {\n\tXMLName struct{} `xml:\"port\"`\n\tType string `xml:\"type,attr,omitempty\"`\n\tComment string `xml:\",comment\"`\n\tNumber string `xml:\",chardata\"`\n}\n\ntype Domain struct {\n\tXMLName struct{} `xml:\"domain\"`\n\tCountry string `xml:\",attr,omitempty\"`\n\tName []byte `xml:\",chardata\"`\n\tComment []byte `xml:\",comment\"`\n}\n\ntype Book struct {\n\tXMLName struct{} `xml:\"book\"`\n\tTitle string `xml:\",chardata\"`\n}\n\ntype Event struct {\n\tXMLName struct{} `xml:\"event\"`\n\tYear int `xml:\",chardata\"`\n}\n\ntype Movie struct {\n\tXMLName struct{} `xml:\"movie\"`\n\tLength uint `xml:\",chardata\"`\n}\n\ntype Pi struct {\n\tXMLName struct{} `xml:\"pi\"`\n\tApproximation float32 `xml:\",chardata\"`\n}\n\ntype Universe struct {\n\tXMLName struct{} `xml:\"universe\"`\n\tVisible float64 `xml:\",chardata\"`\n}\n\ntype Particle struct {\n\tXMLName struct{} `xml:\"particle\"`\n\tHasMass bool `xml:\",chardata\"`\n}\n\ntype Departure struct {\n\tXMLName struct{} `xml:\"departure\"`\n\tWhen time.Time `xml:\",chardata\"`\n}\n\ntype SecretAgent struct {\n\tXMLName struct{} `xml:\"agent\"`\n\tHandle string `xml:\"handle,attr\"`\n\tIdentity string\n\tObfuscate string `xml:\",innerxml\"`\n}\n\ntype NestedItems struct {\n\tXMLName struct{} `xml:\"result\"`\n\tItems []string `xml:\">item\"`\n\tItem1 []string `xml:\"Items>item1\"`\n}\n\ntype NestedOrder struct {\n\tXMLName struct{} `xml:\"result\"`\n\tField1 string `xml:\"parent>c\"`\n\tField2 string `xml:\"parent>b\"`\n\tField3 string `xml:\"parent>a\"`\n}\n\ntype MixedNested struct {\n\tXMLName struct{} `xml:\"result\"`\n\tA string `xml:\"parent1>a\"`\n\tB string `xml:\"b\"`\n\tC string `xml:\"parent1>parent2>c\"`\n\tD string `xml:\"parent1>d\"`\n}\n\ntype NilTest struct {\n\tA any `xml:\"parent1>parent2>a\"`\n\tB any `xml:\"parent1>b\"`\n\tC any `xml:\"parent1>parent2>c\"`\n}\n\ntype Service struct {\n\tXMLName struct{} `xml:\"service\"`\n\tDomain *Domain `xml:\"host>domain\"`\n\tPort *Port `xml:\"host>port\"`\n\tExtra1 any\n\tExtra2 any `xml:\"host>extra2\"`\n}\n\nvar nilStruct *Ship\n\ntype EmbedA struct {\n\tEmbedC\n\tEmbedB EmbedB\n\tFieldA string\n\tembedD\n}\n\ntype EmbedB struct {\n\tFieldB string\n\t*EmbedC\n}\n\ntype EmbedC struct {\n\tFieldA1 string `xml:\"FieldA>A1\"`\n\tFieldA2 string `xml:\"FieldA>A2\"`\n\tFieldB string\n\tFieldC string\n}\n\ntype embedD struct {\n\tfieldD string\n\tFieldE string // Promoted and visible when embedD is embedded.\n}\n\ntype NameCasing struct {\n\tXMLName struct{} `xml:\"casing\"`\n\tXy string\n\tXY string\n\tXyA string `xml:\"Xy,attr\"`\n\tXYA string `xml:\"XY,attr\"`\n}\n\ntype NamePrecedence struct {\n\tXMLName Name `xml:\"Parent\"`\n\tFromTag XMLNameWithoutTag `xml:\"InTag\"`\n\tFromNameVal XMLNameWithoutTag\n\tFromNameTag XMLNameWithTag\n\tInFieldName string\n}\n\ntype XMLNameWithTag struct {\n\tXMLName Name `xml:\"InXMLNameTag\"`\n\tValue string `xml:\",chardata\"`\n}\n\ntype XMLNameWithoutTag struct {\n\tXMLName Name\n\tValue string `xml:\",chardata\"`\n}\n\ntype NameInField struct {\n\tFoo Name `xml:\"ns foo\"`\n}\n\ntype AttrTest struct {\n\tInt int `xml:\",attr\"`\n\tNamed int `xml:\"int,attr\"`\n\tFloat float64 `xml:\",attr\"`\n\tUint8 uint8 `xml:\",attr\"`\n\tBool bool `xml:\",attr\"`\n\tStr string `xml:\",attr\"`\n\tBytes []byte `xml:\",attr\"`\n}\n\ntype AttrsTest struct {\n\tAttrs []Attr `xml:\",any,attr\"`\n\tInt int `xml:\",attr\"`\n\tNamed int `xml:\"int,attr\"`\n\tFloat float64 `xml:\",attr\"`\n\tUint8 uint8 `xml:\",attr\"`\n\tBool bool `xml:\",attr\"`\n\tStr string `xml:\",attr\"`\n\tBytes []byte `xml:\",attr\"`\n}\n\ntype OmitAttrTest struct {\n\tInt int `xml:\",attr,omitempty\"`\n\tNamed int `xml:\"int,attr,omitempty\"`\n\tFloat float64 `xml:\",attr,omitempty\"`\n\tUint8 uint8 `xml:\",attr,omitempty\"`\n\tBool bool `xml:\",attr,omitempty\"`\n\tStr string `xml:\",attr,omitempty\"`\n\tBytes []byte `xml:\",attr,omitempty\"`\n\tPStr *string `xml:\",attr,omitempty\"`\n}\n\ntype OmitFieldTest struct {\n\tInt int `xml:\",omitempty\"`\n\tNamed int `xml:\"int,omitempty\"`\n\tFloat float64 `xml:\",omitempty\"`\n\tUint8 uint8 `xml:\",omitempty\"`\n\tBool bool `xml:\",omitempty\"`\n\tStr string `xml:\",omitempty\"`\n\tBytes []byte `xml:\",omitempty\"`\n\tPStr *string `xml:\",omitempty\"`\n\tPtr *PresenceTest `xml:\",omitempty\"`\n}\n\ntype AnyTest struct {\n\tXMLName struct{} `xml:\"a\"`\n\tNested string `xml:\"nested>value\"`\n\tAnyField AnyHolder `xml:\",any\"`\n}\n\ntype AnyOmitTest struct {\n\tXMLName struct{} `xml:\"a\"`\n\tNested string `xml:\"nested>value\"`\n\tAnyField *AnyHolder `xml:\",any,omitempty\"`\n}\n\ntype AnySliceTest struct {\n\tXMLName struct{} `xml:\"a\"`\n\tNested string `xml:\"nested>value\"`\n\tAnyField []AnyHolder `xml:\",any\"`\n}\n\ntype AnyHolder struct {\n\tXMLName Name\n\tXML string `xml:\",innerxml\"`\n}\n\ntype RecurseA struct {\n\tA string\n\tB *RecurseB\n}\n\ntype RecurseB struct {\n\tA *RecurseA\n\tB string\n}\n\ntype PresenceTest struct {\n\tExists *struct{}\n}\n\ntype IgnoreTest struct {\n\tPublicSecret string `xml:\"-\"`\n}\n\ntype MyBytes []byte\n\ntype Data struct {\n\tBytes []byte\n\tAttr []byte `xml:\",attr\"`\n\tCustom MyBytes\n}\n\ntype Plain struct {\n\tV any\n}\n\ntype MyInt int\n\ntype EmbedInt struct {\n\tMyInt\n}\n\ntype Strings struct {\n\tX []string `xml:\"A>B,omitempty\"`\n}\n\ntype PointerFieldsTest struct {\n\tXMLName Name `xml:\"dummy\"`\n\tName *string `xml:\"name,attr\"`\n\tAge *uint `xml:\"age,attr\"`\n\tEmpty *string `xml:\"empty,attr\"`\n\tContents *string `xml:\",chardata\"`\n}\n\ntype ChardataEmptyTest struct {\n\tXMLName Name `xml:\"test\"`\n\tContents *string `xml:\",chardata\"`\n}\n\ntype PointerAnonFields struct {\n\t*MyInt\n\t*NamedType\n}\n\ntype MyMarshalerTest struct {\n}\n\nvar _ Marshaler = (*MyMarshalerTest)(nil)\n\nfunc (m *MyMarshalerTest) MarshalXML(e *Encoder, start StartElement) error {\n\te.EncodeToken(start)\n\te.EncodeToken(CharData{data: []byte(\"hello world\")})\n\te.EncodeToken(EndElement{start.Name, false})\n\treturn nil\n}\n\ntype MyMarshalerAttrTest struct {\n}\n\nvar _ MarshalerAttr = (*MyMarshalerAttrTest)(nil)\n\nfunc (m *MyMarshalerAttrTest) MarshalXMLAttr(name Name) (Attr, error) {\n\treturn Attr{name, \"hello world\", \"\"}, nil\n}\n\nfunc (m *MyMarshalerAttrTest) UnmarshalXMLAttr(attr Attr) error {\n\treturn nil\n}\n\ntype MarshalerStruct struct {\n\tFoo MyMarshalerAttrTest `xml:\",attr\"`\n}\n\ntype InnerStruct struct {\n\tXMLName Name `xml:\"testns outer\"`\n}\n\ntype OuterStruct struct {\n\tInnerStruct\n\tIntAttr int `xml:\"int,attr\"`\n}\n\ntype OuterNamedStruct struct {\n\tInnerStruct\n\tXMLName Name `xml:\"outerns test\"`\n\tIntAttr int `xml:\"int,attr\"`\n}\n\ntype OuterNamedOrderedStruct struct {\n\tXMLName Name `xml:\"outerns test\"`\n\tInnerStruct\n\tIntAttr int `xml:\"int,attr\"`\n}\n\ntype OuterOuterStruct struct {\n\tOuterStruct\n}\n\ntype NestedAndChardata struct {\n\tAB []string `xml:\"A>B\"`\n\tChardata string `xml:\",chardata\"`\n}\n\ntype NestedAndComment struct {\n\tAB []string `xml:\"A>B\"`\n\tComment string `xml:\",comment\"`\n}\n\ntype CDataTest struct {\n\tChardata string `xml:\",cdata\"`\n}\n\ntype NestedAndCData struct {\n\tAB []string `xml:\"A>B\"`\n\tCDATA string `xml:\",cdata\"`\n}\n\nfunc ifaceptr(x any) any {\n\treturn &x\n}\n\nfunc stringptr(x string) *string {\n\treturn &x\n}\n\ntype T1 struct{}\ntype T2 struct{}\n\ntype IndirComment struct {\n\tT1 T1\n\tComment *string `xml:\",comment\"`\n\tT2 T2\n}\n\ntype DirectComment struct {\n\tT1 T1\n\tComment string `xml:\",comment\"`\n\tT2 T2\n}\n\ntype IfaceComment struct {\n\tT1 T1\n\tComment any `xml:\",comment\"`\n\tT2 T2\n}\n\ntype IndirChardata struct {\n\tT1 T1\n\tChardata *string `xml:\",chardata\"`\n\tT2 T2\n}\n\ntype DirectChardata struct {\n\tT1 T1\n\tChardata string `xml:\",chardata\"`\n\tT2 T2\n}\n\ntype IfaceChardata struct {\n\tT1 T1\n\tChardata any `xml:\",chardata\"`\n\tT2 T2\n}\n\ntype IndirCDATA struct {\n\tT1 T1\n\tCDATA *string `xml:\",cdata\"`\n\tT2 T2\n}\n\ntype DirectCDATA struct {\n\tT1 T1\n\tCDATA string `xml:\",cdata\"`\n\tT2 T2\n}\n\ntype IfaceCDATA struct {\n\tT1 T1\n\tCDATA any `xml:\",cdata\"`\n\tT2 T2\n}\n\ntype IndirInnerXML struct {\n\tT1 T1\n\tInnerXML *string `xml:\",innerxml\"`\n\tT2 T2\n}\n\ntype DirectInnerXML struct {\n\tT1 T1\n\tInnerXML string `xml:\",innerxml\"`\n\tT2 T2\n}\n\ntype IfaceInnerXML struct {\n\tT1 T1\n\tInnerXML any `xml:\",innerxml\"`\n\tT2 T2\n}\n\ntype IndirElement struct {\n\tT1 T1\n\tElement *string\n\tT2 T2\n}\n\ntype DirectElement struct {\n\tT1 T1\n\tElement string\n\tT2 T2\n}\n\ntype IfaceElement struct {\n\tT1 T1\n\tElement any\n\tT2 T2\n}\n\ntype IndirOmitEmpty struct {\n\tT1 T1\n\tOmitEmpty *string `xml:\",omitempty\"`\n\tT2 T2\n}\n\ntype DirectOmitEmpty struct {\n\tT1 T1\n\tOmitEmpty string `xml:\",omitempty\"`\n\tT2 T2\n}\n\ntype IfaceOmitEmpty struct {\n\tT1 T1\n\tOmitEmpty any `xml:\",omitempty\"`\n\tT2 T2\n}\n\ntype IndirAny struct {\n\tT1 T1\n\tAny *string `xml:\",any\"`\n\tT2 T2\n}\n\ntype DirectAny struct {\n\tT1 T1\n\tAny string `xml:\",any\"`\n\tT2 T2\n}\n\ntype IfaceAny struct {\n\tT1 T1\n\tAny any `xml:\",any\"`\n\tT2 T2\n}\n\ntype Generic[T any] struct {\n\tX T\n}\n\nvar (\n\tnameAttr = \"Sarah\"\n\tageAttr = uint(12)\n\tcontentsAttr = \"lorem ipsum\"\n\tempty = \"\"\n)\n\n// Unless explicitly stated as such (or *Plain), all of the\n// tests below are two-way tests. When introducing new tests,\n// please try to make them two-way as well to ensure that\n// marshaling and unmarshaling are as symmetrical as feasible.\nvar marshalTests = []struct {\n\tValue any\n\tExpectXML string\n\tMarshalOnly bool\n\tMarshalError string\n\tUnmarshalOnly bool\n\tUnmarshalError string\n}{\n\t// Test nil marshals to nothing\n\t{Value: nil, ExpectXML: ``, MarshalOnly: true},\n\t{Value: nilStruct, ExpectXML: ``, MarshalOnly: true},\n\n\t// Test value types\n\t{Value: &Plain{true}, ExpectXML: `true`},\n\t{Value: &Plain{false}, ExpectXML: `false`},\n\t{Value: &Plain{int(42)}, ExpectXML: `42`},\n\t{Value: &Plain{int8(42)}, ExpectXML: `42`},\n\t{Value: &Plain{int16(42)}, ExpectXML: `42`},\n\t{Value: &Plain{int32(42)}, ExpectXML: `42`},\n\t{Value: &Plain{uint(42)}, ExpectXML: `42`},\n\t{Value: &Plain{uint8(42)}, ExpectXML: `42`},\n\t{Value: &Plain{uint16(42)}, ExpectXML: `42`},\n\t{Value: &Plain{uint32(42)}, ExpectXML: `42`},\n\t{Value: &Plain{float32(1.25)}, ExpectXML: `1.25`},\n\t{Value: &Plain{float64(1.25)}, ExpectXML: `1.25`},\n\t{Value: &Plain{uintptr(0xFFDD)}, ExpectXML: `65501`},\n\t{Value: &Plain{\"gopher\"}, ExpectXML: `gopher`},\n\t{Value: &Plain{[]byte(\"gopher\")}, ExpectXML: `gopher`},\n\t{Value: &Plain{\"\"}, ExpectXML: `</>`},\n\t{Value: &Plain{[]byte(\"\")}, ExpectXML: `</>`},\n\t{Value: &Plain{[3]byte{'<', '/', '>'}}, ExpectXML: `</>`},\n\t{Value: &Plain{NamedType(\"potato\")}, ExpectXML: `potato`},\n\t{Value: &Plain{[]int{1, 2, 3}}, ExpectXML: `123`},\n\t{Value: &Plain{[3]int{1, 2, 3}}, ExpectXML: `123`},\n\t{Value: ifaceptr(true), MarshalOnly: true, ExpectXML: `true`},\n\n\t// Test time.\n\t{\n\t\tValue: &Plain{time.Unix(1e9, 123456789).UTC()},\n\t\tExpectXML: `2001-09-09T01:46:40.123456789Z`,\n\t},\n\n\t// A pointer to struct{} may be used to test for an element's presence.\n\t{\n\t\tValue: &PresenceTest{new(struct{})},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &PresenceTest{},\n\t\tExpectXML: ``,\n\t},\n\n\t// A []byte field is only nil if the element was not found.\n\t{\n\t\tValue: &Data{},\n\t\tExpectXML: ``,\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tValue: &Data{Bytes: []byte{}, Custom: MyBytes{}, Attr: []byte{}},\n\t\tExpectXML: ``,\n\t\tUnmarshalOnly: true,\n\t},\n\n\t// Check that []byte works, including named []byte types.\n\t{\n\t\tValue: &Data{Bytes: []byte(\"ab\"), Custom: MyBytes(\"cd\"), Attr: []byte{'v'}},\n\t\tExpectXML: `abcd`,\n\t},\n\n\t// Test innerxml\n\t{\n\t\tValue: &SecretAgent{\n\t\t\tHandle: \"007\",\n\t\t\tIdentity: \"James Bond\",\n\t\t\tObfuscate: \"\",\n\t\t},\n\t\tExpectXML: `James Bond`,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &SecretAgent{\n\t\t\tHandle: \"007\",\n\t\t\tIdentity: \"James Bond\",\n\t\t\tObfuscate: \"James Bond\",\n\t\t},\n\t\tExpectXML: `James Bond`,\n\t\tUnmarshalOnly: true,\n\t},\n\n\t// Test structs\n\t{Value: &Port{Type: \"ssl\", Number: \"443\"}, ExpectXML: `443`},\n\t{Value: &Port{Number: \"443\"}, ExpectXML: `443`},\n\t{Value: &Port{Type: \"\"}, ExpectXML: ``},\n\t{Value: &Port{Number: \"443\", Comment: \"https\"}, ExpectXML: `443`},\n\t{Value: &Port{Number: \"443\", Comment: \"add space-\"}, ExpectXML: `443`, MarshalOnly: true},\n\t{Value: &Domain{Name: []byte(\"google.com&friends\")}, ExpectXML: `google.com&friends`},\n\t{Value: &Domain{Name: []byte(\"google.com\"), Comment: []byte(\" &friends \")}, ExpectXML: `google.com`},\n\t{Value: &Book{Title: \"Pride & Prejudice\"}, ExpectXML: `Pride & Prejudice`},\n\t{Value: &Event{Year: -3114}, ExpectXML: `-3114`},\n\t{Value: &Movie{Length: 13440}, ExpectXML: `13440`},\n\t{Value: &Pi{Approximation: 3.14159265}, ExpectXML: `3.1415927`},\n\t{Value: &Universe{Visible: 9.3e13}, ExpectXML: `9.3e+13`},\n\t{Value: &Particle{HasMass: true}, ExpectXML: `true`},\n\t{Value: &Departure{When: ParseTime(\"2013-01-09T00:15:00-09:00\")}, ExpectXML: `2013-01-09T00:15:00-09:00`},\n\t{Value: atomValue, ExpectXML: atomXML},\n\t{Value: &Generic[int]{1}, ExpectXML: `1`},\n\t{\n\t\tValue: &Ship{\n\t\t\tName: \"Heart of Gold\",\n\t\t\tPilot: \"Computer\",\n\t\t\tAge: 1,\n\t\t\tDrive: ImprobabilityDrive,\n\t\t\tPassenger: []*Passenger{\n\t\t\t\t{\n\t\t\t\t\tName: []string{\"Zaphod\", \"Beeblebrox\"},\n\t\t\t\t\tWeight: 7.25,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: []string{\"Trisha\", \"McMillen\"},\n\t\t\t\t\tWeight: 5.5,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: []string{\"Ford\", \"Prefect\"},\n\t\t\t\t\tWeight: 7,\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: []string{\"Arthur\", \"Dent\"},\n\t\t\t\t\tWeight: 6.75,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`` + strconv.Itoa(int(ImprobabilityDrive)) + `` +\n\t\t\t`1` +\n\t\t\t`` +\n\t\t\t`Zaphod` +\n\t\t\t`Beeblebrox` +\n\t\t\t`7.25` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t`Trisha` +\n\t\t\t`McMillen` +\n\t\t\t`5.5` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t`Ford` +\n\t\t\t`Prefect` +\n\t\t\t`7` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t`Arthur` +\n\t\t\t`Dent` +\n\t\t\t`6.75` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\n\t// Test a>b\n\t{\n\t\tValue: &NestedItems{Items: nil, Item1: nil},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &NestedItems{Items: []string{}, Item1: []string{}},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &NestedItems{Items: nil, Item1: []string{\"A\"}},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`A` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &NestedItems{Items: []string{\"A\", \"B\"}, Item1: nil},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &NestedItems{Items: []string{\"A\", \"B\"}, Item1: []string{\"C\"}},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t`C` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &NestedOrder{Field1: \"C\", Field2: \"B\", Field3: \"A\"},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`C` +\n\t\t\t`B` +\n\t\t\t`A` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &NilTest{A: \"A\", B: nil, C: \"C\"},\n\t\tExpectXML: `` +\n\t\t\t`` +\n\t\t\t`A` +\n\t\t\t`C` +\n\t\t\t`` +\n\t\t\t``,\n\t\tMarshalOnly: true, // Uses interface{}\n\t},\n\t{\n\t\tValue: &MixedNested{A: \"A\", B: \"B\", C: \"C\", D: \"D\"},\n\t\tExpectXML: `` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t`` +\n\t\t\t`C` +\n\t\t\t`D` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &Service{Port: &Port{Number: \"80\"}},\n\t\tExpectXML: `80`,\n\t},\n\t{\n\t\tValue: &Service{},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &Service{Port: &Port{Number: \"80\"}, Extra1: \"A\", Extra2: \"B\"},\n\t\tExpectXML: `` +\n\t\t\t`80` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &Service{Port: &Port{Number: \"80\"}, Extra2: \"example\"},\n\t\tExpectXML: `` +\n\t\t\t`80` +\n\t\t\t`example` +\n\t\t\t``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &struct {\n\t\t\tXMLName struct{} `xml:\"space top\"`\n\t\t\tA string `xml:\"x>a\"`\n\t\t\tB string `xml:\"x>b\"`\n\t\t\tC string `xml:\"space x>c\"`\n\t\t\tC1 string `xml:\"space1 x>c\"`\n\t\t\tD1 string `xml:\"space1 x>d\"`\n\t\t}{\n\t\t\tA: \"a\",\n\t\t\tB: \"b\",\n\t\t\tC: \"c\",\n\t\t\tC1: \"c1\",\n\t\t\tD1: \"d1\",\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`abc` +\n\t\t\t`c1` +\n\t\t\t`d1` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &struct {\n\t\t\tXMLName Name\n\t\t\tA string `xml:\"x>a\"`\n\t\t\tB string `xml:\"x>b\"`\n\t\t\tC string `xml:\"space x>c\"`\n\t\t\tC1 string `xml:\"space1 x>c\"`\n\t\t\tD1 string `xml:\"space1 x>d\"`\n\t\t}{\n\t\t\tXMLName: Name{\n\t\t\t\tSpace: \"space0\",\n\t\t\t\tLocal: \"top\",\n\t\t\t},\n\t\t\tA: \"a\",\n\t\t\tB: \"b\",\n\t\t\tC: \"c\",\n\t\t\tC1: \"c1\",\n\t\t\tD1: \"d1\",\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`ab` +\n\t\t\t`c` +\n\t\t\t`c1` +\n\t\t\t`d1` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &struct {\n\t\t\tXMLName struct{} `xml:\"top\"`\n\t\t\tB string `xml:\"space x>b\"`\n\t\t\tB1 string `xml:\"space1 x>b\"`\n\t\t}{\n\t\t\tB: \"b\",\n\t\t\tB1: \"b1\",\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`b` +\n\t\t\t`b1` +\n\t\t\t``,\n\t},\n\n\t// Test struct embedding\n\t{\n\t\tValue: &EmbedA{\n\t\t\tEmbedC: EmbedC{\n\t\t\t\tFieldA1: \"\", // Shadowed by A.A\n\t\t\t\tFieldA2: \"\", // Shadowed by A.A\n\t\t\t\tFieldB: \"A.C.B\",\n\t\t\t\tFieldC: \"A.C.C\",\n\t\t\t},\n\t\t\tEmbedB: EmbedB{\n\t\t\t\tFieldB: \"A.B.B\",\n\t\t\t\tEmbedC: &EmbedC{\n\t\t\t\t\tFieldA1: \"A.B.C.A1\",\n\t\t\t\t\tFieldA2: \"A.B.C.A2\",\n\t\t\t\t\tFieldB: \"\", // Shadowed by A.B.B\n\t\t\t\t\tFieldC: \"A.B.C.C\",\n\t\t\t\t},\n\t\t\t},\n\t\t\tFieldA: \"A.A\",\n\t\t\tembedD: embedD{\n\t\t\t\tFieldE: \"A.D.E\",\n\t\t\t},\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`A.C.B` +\n\t\t\t`A.C.C` +\n\t\t\t`` +\n\t\t\t`A.B.B` +\n\t\t\t`` +\n\t\t\t`A.B.C.A1` +\n\t\t\t`A.B.C.A2` +\n\t\t\t`` +\n\t\t\t`A.B.C.C` +\n\t\t\t`` +\n\t\t\t`A.A` +\n\t\t\t`A.D.E` +\n\t\t\t``,\n\t},\n\n\t// Anonymous struct pointer field which is nil\n\t{\n\t\tValue: &EmbedB{},\n\t\tExpectXML: ``,\n\t},\n\n\t// Other kinds of nil anonymous fields\n\t{\n\t\tValue: &PointerAnonFields{},\n\t\tExpectXML: ``,\n\t},\n\n\t// Test that name casing matters\n\t{\n\t\tValue: &NameCasing{Xy: \"mixed\", XY: \"upper\", XyA: \"mixedA\", XYA: \"upperA\"},\n\t\tExpectXML: `mixedupper`,\n\t},\n\n\t// Test the order in which the XML element name is chosen\n\t{\n\t\tValue: &NamePrecedence{\n\t\t\tFromTag: XMLNameWithoutTag{Value: \"A\"},\n\t\t\tFromNameVal: XMLNameWithoutTag{XMLName: Name{Local: \"InXMLName\"}, Value: \"B\"},\n\t\t\tFromNameTag: XMLNameWithTag{Value: \"C\"},\n\t\t\tInFieldName: \"D\",\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t`C` +\n\t\t\t`D` +\n\t\t\t``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &NamePrecedence{\n\t\t\tXMLName: Name{Local: \"Parent\"},\n\t\t\tFromTag: XMLNameWithoutTag{XMLName: Name{Local: \"InTag\"}, Value: \"A\"},\n\t\t\tFromNameVal: XMLNameWithoutTag{XMLName: Name{Local: \"FromNameVal\"}, Value: \"B\"},\n\t\t\tFromNameTag: XMLNameWithTag{XMLName: Name{Local: \"InXMLNameTag\"}, Value: \"C\"},\n\t\t\tInFieldName: \"D\",\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`A` +\n\t\t\t`B` +\n\t\t\t`C` +\n\t\t\t`D` +\n\t\t\t``,\n\t\tUnmarshalOnly: true,\n\t},\n\n\t// xml.Name works in a plain field as well.\n\t{\n\t\tValue: &NameInField{Name{Space: \"ns\", Local: \"foo\"}},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &NameInField{Name{Space: \"ns\", Local: \"foo\"}},\n\t\tExpectXML: ``,\n\t\tUnmarshalOnly: true,\n\t},\n\n\t// Marshaling zero xml.Name uses the tag or field name.\n\t{\n\t\tValue: &NameInField{},\n\t\tExpectXML: ``,\n\t\tMarshalOnly: true,\n\t},\n\n\t// Test attributes\n\t{\n\t\tValue: &AttrTest{\n\t\t\tInt: 8,\n\t\t\tNamed: 9,\n\t\t\tFloat: 23.5,\n\t\t\tUint8: 255,\n\t\t\tBool: true,\n\t\t\tStr: \"str\",\n\t\t\tBytes: []byte(\"byt\"),\n\t\t},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &AttrTest{Bytes: []byte{}},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &AttrsTest{\n\t\t\tAttrs: []Attr{\n\t\t\t\t{Name: Name{Local: \"Answer\"}, Value: \"42\"},\n\t\t\t\t{Name: Name{Local: \"Int\"}, Value: \"8\"},\n\t\t\t\t{Name: Name{Local: \"int\"}, Value: \"9\"},\n\t\t\t\t{Name: Name{Local: \"Float\"}, Value: \"23.5\"},\n\t\t\t\t{Name: Name{Local: \"Uint8\"}, Value: \"255\"},\n\t\t\t\t{Name: Name{Local: \"Bool\"}, Value: \"true\"},\n\t\t\t\t{Name: Name{Local: \"Str\"}, Value: \"str\"},\n\t\t\t\t{Name: Name{Local: \"Bytes\"}, Value: \"byt\"},\n\t\t\t},\n\t\t},\n\t\tExpectXML: ``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &AttrsTest{\n\t\t\tAttrs: []Attr{\n\t\t\t\t{Name: Name{Local: \"Answer\"}, Value: \"42\"},\n\t\t\t},\n\t\t\tInt: 8,\n\t\t\tNamed: 9,\n\t\t\tFloat: 23.5,\n\t\t\tUint8: 255,\n\t\t\tBool: true,\n\t\t\tStr: \"str\",\n\t\t\tBytes: []byte(\"byt\"),\n\t\t},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &AttrsTest{\n\t\t\tAttrs: []Attr{\n\t\t\t\t{Name: Name{Local: \"Int\"}, Value: \"0\"},\n\t\t\t\t{Name: Name{Local: \"int\"}, Value: \"0\"},\n\t\t\t\t{Name: Name{Local: \"Float\"}, Value: \"0\"},\n\t\t\t\t{Name: Name{Local: \"Uint8\"}, Value: \"0\"},\n\t\t\t\t{Name: Name{Local: \"Bool\"}, Value: \"false\"},\n\t\t\t\t{Name: Name{Local: \"Str\"}},\n\t\t\t\t{Name: Name{Local: \"Bytes\"}},\n\t\t\t},\n\t\t\tBytes: []byte{},\n\t\t},\n\t\tExpectXML: ``,\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tValue: &OmitAttrTest{\n\t\t\tInt: 8,\n\t\t\tNamed: 9,\n\t\t\tFloat: 23.5,\n\t\t\tUint8: 255,\n\t\t\tBool: true,\n\t\t\tStr: \"str\",\n\t\t\tBytes: []byte(\"byt\"),\n\t\t\tPStr: &empty,\n\t\t},\n\t\tExpectXML: ``,\n\t},\n\t{\n\t\tValue: &OmitAttrTest{},\n\t\tExpectXML: ``,\n\t},\n\n\t// pointer fields\n\t{\n\t\tValue: &PointerFieldsTest{Name: &nameAttr, Age: &ageAttr, Contents: &contentsAttr},\n\t\tExpectXML: `lorem ipsum`,\n\t\tMarshalOnly: true,\n\t},\n\n\t// empty chardata pointer field\n\t{\n\t\tValue: &ChardataEmptyTest{},\n\t\tExpectXML: ``,\n\t\tMarshalOnly: true,\n\t},\n\n\t// omitempty on fields\n\t{\n\t\tValue: &OmitFieldTest{\n\t\t\tInt: 8,\n\t\t\tNamed: 9,\n\t\t\tFloat: 23.5,\n\t\t\tUint8: 255,\n\t\t\tBool: true,\n\t\t\tStr: \"str\",\n\t\t\tBytes: []byte(\"byt\"),\n\t\t\tPStr: &empty,\n\t\t\tPtr: &PresenceTest{},\n\t\t},\n\t\tExpectXML: `` +\n\t\t\t`8` +\n\t\t\t`9` +\n\t\t\t`23.5` +\n\t\t\t`255` +\n\t\t\t`true` +\n\t\t\t`str` +\n\t\t\t`byt` +\n\t\t\t`` +\n\t\t\t`` +\n\t\t\t``,\n\t},\n\t{\n\t\tValue: &OmitFieldTest{},\n\t\tExpectXML: ``,\n\t},\n\n\t// Test \",any\"\n\t{\n\t\tExpectXML: `knownunknown`,\n\t\tValue: &AnyTest{\n\t\t\tNested: \"known\",\n\t\t\tAnyField: AnyHolder{\n\t\t\t\tXMLName: Name{Local: \"other\"},\n\t\t\t\tXML: \"unknown\",\n\t\t\t},\n\t\t},\n\t},\n\t{\n\t\tValue: &AnyTest{Nested: \"known\",\n\t\t\tAnyField: AnyHolder{\n\t\t\t\tXML: \"\",\n\t\t\t\tXMLName: Name{Local: \"AnyField\"},\n\t\t\t},\n\t\t},\n\t\tExpectXML: `known`,\n\t},\n\t{\n\t\tExpectXML: `b`,\n\t\tValue: &AnyOmitTest{\n\t\t\tNested: \"b\",\n\t\t},\n\t},\n\t{\n\t\tExpectXML: `bei`,\n\t\tValue: &AnySliceTest{\n\t\t\tNested: \"b\",\n\t\t\tAnyField: []AnyHolder{\n\t\t\t\t{\n\t\t\t\t\tXMLName: Name{Local: \"c\"},\n\t\t\t\t\tXML: \"e\",\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tXMLName: Name{Space: \"f\", Local: \"g\"},\n\t\t\t\t\tXML: \"i\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t},\n\t{\n\t\tExpectXML: `b`,\n\t\tValue: &AnySliceTest{\n\t\t\tNested: \"b\",\n\t\t},\n\t},\n\n\t// Test recursive types.\n\t{\n\t\tValue: &RecurseA{\n\t\t\tA: \"a1\",\n\t\t\tB: &RecurseB{\n\t\t\t\tA: &RecurseA{\"a2\", nil},\n\t\t\t\tB: \"b1\",\n\t\t\t},\n\t\t},\n\t\tExpectXML: `a1a2b1`,\n\t},\n\n\t// Test ignoring fields via \"-\" tag\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IgnoreTest{},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IgnoreTest{PublicSecret: \"can't tell\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `ignore me`,\n\t\tValue: &IgnoreTest{},\n\t\tUnmarshalOnly: true,\n\t},\n\n\t// Test escaping.\n\t{\n\t\tExpectXML: `dquote: "; squote: '; ampersand: &; less: <; greater: >;`,\n\t\tValue: &AnyTest{\n\t\t\tNested: `dquote: \"; squote: '; ampersand: &; less: <; greater: >;`,\n\t\t\tAnyField: AnyHolder{XMLName: Name{Local: \"empty\"}},\n\t\t},\n\t},\n\t{\n\t\tExpectXML: `newline: ; cr: ; tab: ;`,\n\t\tValue: &AnyTest{\n\t\t\tNested: \"newline: \\n; cr: \\r; tab: \\t;\",\n\t\t\tAnyField: AnyHolder{XMLName: Name{Local: \"AnyField\"}},\n\t\t},\n\t},\n\t{\n\t\tExpectXML: \"1\\r2\\r\\n3\\n\\r4\\n5\",\n\t\tValue: &AnyTest{\n\t\t\tNested: \"1\\n2\\n3\\n\\n4\\n5\",\n\t\t},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `42`,\n\t\tValue: &EmbedInt{\n\t\t\tMyInt: 42,\n\t\t},\n\t},\n\t// Test outputting CDATA-wrapped text.\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &CDataTest{},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &CDataTest{\n\t\t\tChardata: \"http://example.com/tests/1?foo=1&bar=baz\",\n\t\t},\n\t},\n\t{\n\t\tExpectXML: `!]]>`,\n\t\tValue: &CDataTest{\n\t\t\tChardata: \"Literal !\",\n\t\t},\n\t},\n\t{\n\t\tExpectXML: ` Literal!]]>`,\n\t\tValue: &CDataTest{\n\t\t\tChardata: \" Literal!\",\n\t\t},\n\t},\n\t{\n\t\tExpectXML: ` Literal! Literal!]]>`,\n\t\tValue: &CDataTest{\n\t\t\tChardata: \" Literal! Literal!\",\n\t\t},\n\t},\n\t{\n\t\tExpectXML: `]]]]>]]>`,\n\t\tValue: &CDataTest{\n\t\t\tChardata: \"]]>\",\n\t\t},\n\t},\n\n\t// Test omitempty with parent chain; see golang.org/issue/4168.\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &Strings{},\n\t},\n\t// Custom marshalers.\n\t{\n\t\tExpectXML: `hello world`,\n\t\tValue: &MyMarshalerTest{},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &MarshalerStruct{},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &OuterStruct{IntAttr: 10},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &OuterNamedStruct{XMLName: Name{Space: \"outerns\", Local: \"test\"}, IntAttr: 10},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &OuterNamedOrderedStruct{XMLName: Name{Space: \"outerns\", Local: \"test\"}, IntAttr: 10},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &OuterOuterStruct{OuterStruct{IntAttr: 10}},\n\t},\n\t{\n\t\tExpectXML: `test`,\n\t\tValue: &NestedAndChardata{AB: make([]string, 2), Chardata: \"test\"},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &NestedAndComment{AB: make([]string, 2), Comment: \"test\"},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &NestedAndCData{AB: make([]string, 2), CDATA: \"test\"},\n\t},\n\t// Test pointer indirection in various kinds of fields.\n\t// https://golang.org/issue/19063\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirComment{Comment: stringptr(\"hi\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirComment{Comment: stringptr(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirComment{Comment: nil},\n\t\tMarshalError: \"xml: bad type for comment field of xml.IndirComment\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirComment{Comment: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceComment{Comment: \"hi\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceComment{Comment: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceComment{Comment: nil},\n\t\tMarshalError: \"xml: bad type for comment field of xml.IfaceComment\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceComment{Comment: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectComment{Comment: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectComment{Comment: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirChardata{Chardata: stringptr(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirChardata{Chardata: stringptr(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals without CDATA\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirChardata{Chardata: stringptr(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirChardata{Chardata: nil},\n\t\tMarshalOnly: true, // unmarshal leaves Chardata=stringptr(\"\")\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceChardata{Chardata: string(\"hi\")},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceChardata{Chardata: string(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals without CDATA\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceChardata{Chardata: string(\"\")},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceChardata{Chardata: nil},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectChardata{Chardata: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectChardata{Chardata: string(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals without CDATA\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectChardata{Chardata: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirCDATA{CDATA: stringptr(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirCDATA{CDATA: stringptr(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals with CDATA\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirCDATA{CDATA: stringptr(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirCDATA{CDATA: nil},\n\t\tMarshalOnly: true, // unmarshal leaves CDATA=stringptr(\"\")\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceCDATA{CDATA: string(\"hi\")},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceCDATA{CDATA: string(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals with CDATA\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceCDATA{CDATA: string(\"\")},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceCDATA{CDATA: nil},\n\t\tUnmarshalError: \"cannot unmarshal into interface {}\",\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectCDATA{CDATA: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectCDATA{CDATA: string(\"hi\")},\n\t\tUnmarshalOnly: true, // marshals with CDATA\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectCDATA{CDATA: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirInnerXML{InnerXML: stringptr(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirInnerXML{InnerXML: stringptr(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirInnerXML{InnerXML: nil},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirInnerXML{InnerXML: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceInnerXML{InnerXML: \"\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceInnerXML{InnerXML: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceInnerXML{InnerXML: nil},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceInnerXML{InnerXML: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectInnerXML{InnerXML: string(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectInnerXML{InnerXML: string(\"\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectInnerXML{InnerXML: string(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectInnerXML{InnerXML: string(\"\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirElement{Element: stringptr(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirElement{Element: stringptr(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirElement{Element: nil},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceElement{Element: \"hi\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceElement{Element: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceElement{Element: nil},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceElement{Element: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectElement{Element: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectElement{Element: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirOmitEmpty{OmitEmpty: stringptr(\"hi\")},\n\t},\n\t{\n\t\t// Note: Changed in Go 1.8 to include element (because x.OmitEmpty != nil).\n\t\tExpectXML: ``,\n\t\tValue: &IndirOmitEmpty{OmitEmpty: stringptr(\"\")},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirOmitEmpty{OmitEmpty: stringptr(\"\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirOmitEmpty{OmitEmpty: nil},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceOmitEmpty{OmitEmpty: \"hi\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceOmitEmpty{OmitEmpty: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceOmitEmpty{OmitEmpty: nil},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceOmitEmpty{OmitEmpty: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectOmitEmpty{OmitEmpty: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectOmitEmpty{OmitEmpty: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirAny{Any: stringptr(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirAny{Any: stringptr(\"\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirAny{Any: nil},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceAny{Any: \"hi\"},\n\t\tMarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceAny{Any: nil},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectAny{Any: string(\"hi\")},\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectAny{Any: string(\"\")},\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IndirAny{Any: stringptr(\"hi\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirAny{Any: stringptr(\"\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IndirAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &IfaceAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &IfaceAny{Any: nil},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: `hi`,\n\t\tValue: &DirectAny{Any: string(\"hi\")},\n\t\tUnmarshalOnly: true,\n\t},\n\t{\n\t\tExpectXML: ``,\n\t\tValue: &DirectAny{Any: string(\"\")},\n\t\tUnmarshalOnly: true,\n\t},\n}\n\nfunc TestMarshal(t *testing.T) {\n\tfor idx, test := range marshalTests {\n\t\tif test.UnmarshalOnly {\n\t\t\tcontinue\n\t\t}\n\n\t\tt.Run(fmt.Sprintf(\"%d\", idx), func(t *testing.T) {\n\t\t\tdata, err := Marshal(test.Value)\n\t\t\tif err != nil {\n\t\t\t\tif test.MarshalError == \"\" {\n\t\t\t\t\tt.Errorf(\"marshal(%#v): %s\", test.Value, err)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif !strings.Contains(err.Error(), test.MarshalError) {\n\t\t\t\t\tt.Errorf(\"marshal(%#v): %s, want %q\", test.Value, err, test.MarshalError)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif test.MarshalError != \"\" {\n\t\t\t\tt.Errorf(\"Marshal succeeded, want error %q\", test.MarshalError)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif got, want := string(data), test.ExpectXML; got != want {\n\t\t\t\tif strings.Contains(want, \"\\n\") {\n\t\t\t\t\tt.Errorf(\"marshal(%#v):\\nHAVE:\\n%s\\nWANT:\\n%s\", test.Value, got, want)\n\t\t\t\t} else {\n\t\t\t\t\tt.Errorf(\"marshal(%#v):\\nhave %#q\\nwant %#q\", test.Value, got, want)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n\ntype AttrParent struct {\n\tX string `xml:\"X>Y,attr\"`\n}\n\ntype BadAttr struct {\n\tName map[string]string `xml:\"name,attr\"`\n}\n\nvar marshalErrorTests = []struct {\n\tValue any\n\tErr string\n\tKind reflect.Kind\n}{\n\t{\n\t\tValue: make(chan bool),\n\t\tErr: \"xml: unsupported type: chan bool\",\n\t\tKind: reflect.Chan,\n\t},\n\t{\n\t\tValue: map[string]string{\n\t\t\t\"question\": \"What do you get when you multiply six by nine?\",\n\t\t\t\"answer\": \"42\",\n\t\t},\n\t\tErr: \"xml: unsupported type: map[string]string\",\n\t\tKind: reflect.Map,\n\t},\n\t{\n\t\tValue: map[*Ship]bool{nil: false},\n\t\tErr: \"xml: unsupported type: map[*xml.Ship]bool\",\n\t\tKind: reflect.Map,\n\t},\n\t{\n\t\tValue: &Domain{Comment: []byte(\"f--bar\")},\n\t\tErr: `xml: comments must not contain \"--\"`,\n\t},\n\t// Reject parent chain with attr, never worked; see golang.org/issue/5033.\n\t{\n\t\tValue: &AttrParent{},\n\t\tErr: `xml: X>Y chain not valid with attr flag`,\n\t},\n\t{\n\t\tValue: BadAttr{map[string]string{\"X\": \"Y\"}},\n\t\tErr: `xml: unsupported type: map[string]string`,\n\t},\n}\n\nvar marshalIndentTests = []struct {\n\tValue any\n\tPrefix string\n\tIndent string\n\tExpectXML string\n}{\n\t{\n\t\tValue: &SecretAgent{\n\t\t\tHandle: \"007\",\n\t\t\tIdentity: \"James Bond\",\n\t\t\tObfuscate: \"\",\n\t\t},\n\t\tPrefix: \"\",\n\t\tIndent: \"\\t\",\n\t\tExpectXML: \"\\n\\tJames Bond\\n\",\n\t},\n}\n\nfunc TestMarshalErrors(t *testing.T) {\n\tfor idx, test := range marshalErrorTests {\n\t\tdata, err := Marshal(test.Value)\n\t\tif err == nil {\n\t\t\tt.Errorf(\"#%d: marshal(%#v) = [success] %q, want error %v\", idx, test.Value, data, test.Err)\n\t\t\tcontinue\n\t\t}\n\t\tif err.Error() != test.Err {\n\t\t\tt.Errorf(\"#%d: marshal(%#v) = [error] %v, want %v\", idx, test.Value, err, test.Err)\n\t\t}\n\t\tif test.Kind != reflect.Invalid {\n\t\t\tif kind := err.(*UnsupportedTypeError).Type.Kind(); kind != test.Kind {\n\t\t\t\tt.Errorf(\"#%d: marshal(%#v) = [error kind] %s, want %s\", idx, test.Value, kind, test.Kind)\n\t\t\t}\n\t\t}\n\t}\n}\n\n// Do invertibility testing on the various structures that we test\nfunc TestUnmarshal(t *testing.T) {\n\tfor i, test := range marshalTests {\n\t\tif test.MarshalOnly {\n\t\t\tcontinue\n\t\t}\n\t\tif _, ok := test.Value.(*Plain); ok {\n\t\t\tcontinue\n\t\t}\n\t\tif test.ExpectXML == ``+\n\t\t\t`b`+\n\t\t\t`b1`+\n\t\t\t`` {\n\t\t\t// TODO(rogpeppe): re-enable this test in\n\t\t\t// https://go-review.googlesource.com/#/c/5910/\n\t\t\tcontinue\n\t\t}\n\n\t\tvt := reflect.TypeOf(test.Value)\n\t\tdest := reflect.New(vt.Elem()).Interface()\n\t\terr := Unmarshal([]byte(test.ExpectXML), dest)\n\n\t\tt.Run(fmt.Sprintf(\"%d\", i), func(t *testing.T) {\n\t\t\tswitch fix := dest.(type) {\n\t\t\tcase *Feed:\n\t\t\t\tfix.Author.InnerXML = \"\"\n\t\t\t\tfor i := range fix.Entry {\n\t\t\t\t\tfix.Entry[i].Author.InnerXML = \"\"\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif err != nil {\n\t\t\t\tif test.UnmarshalError == \"\" {\n\t\t\t\t\tt.Errorf(\"unmarshal(%#v): %s\", test.ExpectXML, err)\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif !strings.Contains(err.Error(), test.UnmarshalError) {\n\t\t\t\t\tt.Errorf(\"unmarshal(%#v): %s, want %q\", test.ExpectXML, err, test.UnmarshalError)\n\t\t\t\t}\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif got, want := dest, test.Value; !reflect.DeepEqual(got, want) {\n\t\t\t\tt.Errorf(\"unmarshal(%q):\\nhave %#v\\nwant %#v\", test.ExpectXML, got, want)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestMarshalIndent(t *testing.T) {\n\tfor i, test := range marshalIndentTests {\n\t\tdata, err := MarshalIndent(test.Value, test.Prefix, test.Indent)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"#%d: Error: %s\", i, err)\n\t\t\tcontinue\n\t\t}\n\t\tif got, want := string(data), test.ExpectXML; got != want {\n\t\t\tt.Errorf(\"#%d: MarshalIndent:\\nGot:%s\\nWant:\\n%s\", i, got, want)\n\t\t}\n\t}\n}\n\ntype limitedBytesWriter struct {\n\tw io.Writer\n\tremain int // until writes fail\n}\n\nfunc (lw *limitedBytesWriter) Write(p []byte) (n int, err error) {\n\tif lw.remain <= 0 {\n\t\tprintln(\"error\")\n\t\treturn 0, errors.New(\"write limit hit\")\n\t}\n\tif len(p) > lw.remain {\n\t\tp = p[:lw.remain]\n\t\tn, _ = lw.w.Write(p)\n\t\tlw.remain = 0\n\t\treturn n, errors.New(\"write limit hit\")\n\t}\n\tn, err = lw.w.Write(p)\n\tlw.remain -= n\n\treturn n, err\n}\n\nfunc TestMarshalWriteErrors(t *testing.T) {\n\tvar buf bytes.Buffer\n\tconst writeCap = 1024\n\tw := &limitedBytesWriter{&buf, writeCap}\n\tenc := NewEncoder(w)\n\tvar err error\n\tvar i int\n\tconst n = 4000\n\tfor i = 1; i <= n; i++ {\n\t\terr = enc.Encode(&Passenger{\n\t\t\tName: []string{\"Alice\", \"Bob\"},\n\t\t\tWeight: 5,\n\t\t})\n\t\tif err != nil {\n\t\t\tbreak\n\t\t}\n\t}\n\tif err == nil {\n\t\tt.Error(\"expected an error\")\n\t}\n\tif i == n {\n\t\tt.Errorf(\"expected to fail before the end\")\n\t}\n\tif buf.Len() != writeCap {\n\t\tt.Errorf(\"buf.Len() = %d; want %d\", buf.Len(), writeCap)\n\t}\n}\n\nfunc TestMarshalWriteIOErrors(t *testing.T) {\n\tenc := NewEncoder(errWriter{})\n\n\texpectErr := \"unwritable\"\n\terr := enc.Encode(&Passenger{})\n\tif err == nil || err.Error() != expectErr {\n\t\tt.Errorf(\"EscapeTest = [error] %v, want %v\", err, expectErr)\n\t}\n}\n\nfunc TestMarshalFlush(t *testing.T) {\n\tvar buf strings.Builder\n\tenc := NewEncoder(&buf)\n\tif err := enc.EncodeToken(CharData{data: []byte(\"hello world\")}); err != nil {\n\t\tt.Fatalf(\"enc.EncodeToken: %v\", err)\n\t}\n\tif buf.Len() > 0 {\n\t\tt.Fatalf(\"enc.EncodeToken caused actual write: %q\", buf.String())\n\t}\n\tif err := enc.Flush(); err != nil {\n\t\tt.Fatalf(\"enc.Flush: %v\", err)\n\t}\n\tif buf.String() != \"hello world\" {\n\t\tt.Fatalf(\"after enc.Flush, buf.String() = %q, want %q\", buf.String(), \"hello world\")\n\t}\n}\n\nfunc BenchmarkMarshal(b *testing.B) {\n\tb.ReportAllocs()\n\tb.RunParallel(func(pb *testing.PB) {\n\t\tfor pb.Next() {\n\t\t\tMarshal(atomValue)\n\t\t}\n\t})\n}\n\nfunc BenchmarkUnmarshal(b *testing.B) {\n\tb.ReportAllocs()\n\txml := []byte(atomXML)\n\tb.RunParallel(func(pb *testing.PB) {\n\t\tfor pb.Next() {\n\t\t\tUnmarshal(xml, &Feed{})\n\t\t}\n\t})\n}\n\n// golang.org/issue/6556\nfunc TestStructPointerMarshal(t *testing.T) {\n\ttype A struct {\n\t\tXMLName string `xml:\"a\"`\n\t\tB []any\n\t}\n\ttype C struct {\n\t\tXMLName Name\n\t\tValue string `xml:\"value\"`\n\t}\n\n\ta := new(A)\n\ta.B = append(a.B, &C{\n\t\tXMLName: Name{Local: \"c\"},\n\t\tValue: \"x\",\n\t})\n\n\tb, err := Marshal(a)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif x := string(b); x != \"x\" {\n\t\tt.Fatal(x)\n\t}\n\tvar v A\n\terr = Unmarshal(b, &v)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n}\n\nvar encodeTokenTests = []struct {\n\tdesc string\n\ttoks []Token\n\twant string\n\terr string\n}{{\n\tdesc: \"start element with name space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"local\"}, nil, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"start element with no name\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"\"}, nil, false, \"\"},\n\t},\n\terr: \"xml: start tag with no name\",\n}, {\n\tdesc: \"end element with no name\",\n\ttoks: []Token{\n\t\tEndElement{Name{\"space\", \"\"}, false},\n\t},\n\terr: \"xml: end tag with no name\",\n}, {\n\tdesc: \"empty element\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, nil, true, \"\"},\n\t\tEndElement{Name{\"\", \"foo\"}, true},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"empty element with extra space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, nil, true, \" \"},\n\t\tEndElement{Name{\"\", \"foo\"}, true},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"char data\",\n\ttoks: []Token{\n\t\tCharData{data: []byte(\"foo\")},\n\t},\n\twant: `foo`,\n}, {\n\tdesc: \"char data with tab and newline characters\",\n\ttoks: []Token{\n\t\tCharData{data: []byte(\" \\t\\n\")},\n\t},\n\twant: \" \\t\\n\",\n}, {\n\tdesc: \"comment\",\n\ttoks: []Token{\n\t\tComment(\"foo\"),\n\t},\n\twant: ``,\n}, {\n\tdesc: \"comment with invalid content\",\n\ttoks: []Token{\n\t\tComment(\"foo-->\"),\n\t},\n\terr: \"xml: EncodeToken of Comment containing --> marker\",\n}, {\n\tdesc: \"proc instruction\",\n\ttoks: []Token{\n\t\tProcInst{\"Target\", []byte(\"Instruction\")},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"proc instruction with empty target\",\n\ttoks: []Token{\n\t\tProcInst{\"\", []byte(\"Instruction\")},\n\t},\n\terr: \"xml: EncodeToken of ProcInst with invalid Target\",\n}, {\n\tdesc: \"proc instruction with bad content\",\n\ttoks: []Token{\n\t\tProcInst{\"\", []byte(\"Instruction?>\")},\n\t},\n\terr: \"xml: EncodeToken of ProcInst with invalid Target\",\n}, {\n\tdesc: \"directive\",\n\ttoks: []Token{\n\t\tDirective(\"foo\"),\n\t},\n\twant: ``,\n}, {\n\tdesc: \"more complex directive\",\n\ttoks: []Token{\n\t\tDirective(\"DOCTYPE doc [ '> ]\"),\n\t},\n\twant: `'> ]>`,\n}, {\n\tdesc: \"directive instruction with bad name\",\n\ttoks: []Token{\n\t\tDirective(\"foo>\"),\n\t},\n\terr: \"xml: EncodeToken of Directive containing wrong < or > markers\",\n}, {\n\tdesc: \"end tag without start tag\",\n\ttoks: []Token{\n\t\tEndElement{Name{\"foo\", \"bar\"}, false},\n\t},\n\terr: \"xml: end tag without start tag\",\n}, {\n\tdesc: \"mismatching end tag local name\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, nil, false, \"\"},\n\t\tEndElement{Name{\"\", \"bar\"}, false},\n\t},\n\terr: \"xml: end tag does not match start tag \",\n\twant: ``,\n}, {\n\tdesc: \"mismatching end tag namespace\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, nil, false, \"\"},\n\t\tEndElement{Name{\"another\", \"foo\"}, false},\n\t},\n\terr: \"xml: end tag in namespace another does not match start tag in namespace space\",\n\twant: ``,\n}, {\n\tdesc: \"start element with explicit namespace\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"local\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"foo\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"start element with explicit namespace and colliding prefix\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"local\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"foo\"}, \"value\", \"\"},\n\t\t\t{Name{\"x\", \"bar\"}, \"other\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"start element using previously defined namespace\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"local\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"space\", \"x\"}, \"y\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested name space with same prefix\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space1\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space2\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"space1\", \"a\"}, \"space1 value\", \"\"},\n\t\t\t{Name{\"space2\", \"b\"}, \"space2 value\", \"\"},\n\t\t}, false, \"\"},\n\t\tEndElement{Name{\"\", \"foo\"}, false},\n\t\tEndElement{Name{\"\", \"foo\"}, false},\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"space1\", \"a\"}, \"space1 value\", \"\"},\n\t\t\t{Name{\"space2\", \"b\"}, \"space2 value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"start element defining several prefixes for the same name space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"a\"}, \"space\", \"\"},\n\t\t\t{Name{\"xmlns\", \"b\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"x\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element redefines name space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"y\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"a\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element creates alias for default name space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"y\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"a\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element defines default name space with existing prefix\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"x\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"a\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element uses empty attribute name space when default ns defined\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"attr\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"redefine xmlns\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"foo\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"xmlns with explicit name space #1\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xml\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"xmlns with explicit name space #2\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{xmlURL, \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"empty name space declaration is ignored\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"xmlns\", \"foo\"}, \"\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"attribute with no name is ignored\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"namespace URL with non-valid name\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"/34\", \"foo\"}, []Attr{\n\t\t\t{Name{\"/34\", \"x\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element resets default namespace to empty\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"\", \"\"},\n\t\t\t{Name{\"\", \"x\"}, \"value\", \"\"},\n\t\t\t{Name{\"space\", \"x\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"nested element requires empty default name space\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"\", \"foo\"}, nil, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"attribute uses name space from xmlns\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"some/space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"attr\"}, \"value\", \"\"},\n\t\t\t{Name{\"some/space\", \"other\"}, \"other value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"default name space should not be used by attributes\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t\t{Name{\"xmlns\", \"bar\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"baz\"}, \"foo\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"baz\"}, nil, false, \"\"},\n\t\tEndElement{Name{\"space\", \"baz\"}, false},\n\t\tEndElement{Name{\"space\", \"foo\"}, false},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"default name space not used by attributes, not explicitly defined\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"space\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t\t{Name{\"space\", \"baz\"}, \"foo\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"baz\"}, nil, false, \"\"},\n\t\tEndElement{Name{\"space\", \"baz\"}, false},\n\t\tEndElement{Name{\"space\", \"foo\"}, false},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"impossible xmlns declaration\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"xmlns\"}, \"space\", \"\"},\n\t\t}, false, \"\"},\n\t\tStartElement{Name{\"space\", \"bar\"}, []Attr{\n\t\t\t{Name{\"space\", \"attr\"}, \"value\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"reserved namespace prefix -- all lower case\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"http://www.w3.org/2001/xmlSchema-instance\", \"nil\"}, \"true\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"reserved namespace prefix -- all upper case\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"http://www.w3.org/2001/XMLSchema-instance\", \"nil\"}, \"true\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"reserved namespace prefix -- all mixed case\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"http://www.w3.org/2001/XmLSchema-instance\", \"nil\"}, \"true\", \"\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"start element with attributes separated by newline\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, []Attr{\n\t\t\t{Name{\"\", \"abc\"}, \"123\", \"\"},\n\t\t\t{Name{\"\", \"xyz\"}, \"456\", \"\\n\"},\n\t\t}, false, \"\"},\n\t},\n\twant: ``,\n}}\n\nfunc TestEncodeToken(t *testing.T) {\nloop:\n\tfor i, tt := range encodeTokenTests {\n\t\tvar buf strings.Builder\n\t\tenc := NewEncoder(&buf)\n\t\tvar err error\n\t\tfor j, tok := range tt.toks {\n\t\t\terr = enc.EncodeToken(tok)\n\t\t\tif err != nil && j < len(tt.toks)-1 {\n\t\t\t\tt.Errorf(\"#%d %s token #%d: %v\", i, tt.desc, j, err)\n\t\t\t\tcontinue loop\n\t\t\t}\n\t\t}\n\t\terrorf := func(f string, a ...any) {\n\t\t\tt.Errorf(\"#%d %s token #%d:%s\", i, tt.desc, len(tt.toks)-1, fmt.Sprintf(f, a...))\n\t\t}\n\t\tswitch {\n\t\tcase tt.err != \"\" && err == nil:\n\t\t\terrorf(\" expected error; got none\")\n\t\t\tcontinue\n\t\tcase tt.err == \"\" && err != nil:\n\t\t\terrorf(\" got error: %v\", err)\n\t\t\tcontinue\n\t\tcase tt.err != \"\" && err != nil && tt.err != err.Error():\n\t\t\terrorf(\" error mismatch; got %v, want %v\", err, tt.err)\n\t\t\tcontinue\n\t\t}\n\t\tif err := enc.Flush(); err != nil {\n\t\t\terrorf(\" %v\", err)\n\t\t\tcontinue\n\t\t}\n\t\tif got := buf.String(); got != tt.want {\n\t\t\terrorf(\"\\ngot %v\\nwant %v\", got, tt.want)\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nfunc TestProcInstEncodeToken(t *testing.T) {\n\tvar buf bytes.Buffer\n\tenc := NewEncoder(&buf)\n\n\tif err := enc.EncodeToken(ProcInst{\"xml\", []byte(\"Instruction\")}); err != nil {\n\t\tt.Fatalf(\"enc.EncodeToken: expected to be able to encode xml target ProcInst as first token, %s\", err)\n\t}\n\n\tif err := enc.EncodeToken(ProcInst{\"Target\", []byte(\"Instruction\")}); err != nil {\n\t\tt.Fatalf(\"enc.EncodeToken: expected to be able to add non-xml target ProcInst\")\n\t}\n\n\tif err := enc.EncodeToken(ProcInst{\"xml\", []byte(\"Instruction\")}); err == nil {\n\t\tt.Fatalf(\"enc.EncodeToken: expected to not be allowed to encode xml target ProcInst when not first token\")\n\t}\n}\n\nfunc TestDecodeEncode(t *testing.T) {\n\tvar in, out bytes.Buffer\n\tin.WriteString(`\n\n\n\n`)\n\tdec := NewDecoder(&in)\n\tenc := NewEncoder(&out)\n\tfor tok, err := dec.Token(); err == nil; tok, err = dec.Token() {\n\t\terr = enc.EncodeToken(tok)\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"enc.EncodeToken: Unable to encode token (%#v), %v\", tok, err)\n\t\t}\n\t}\n}\n\n// Issue 9796. Used to fail with GORACE=\"halt_on_error=1\" -race.\nfunc TestRace9796(t *testing.T) {\n\ttype A struct{}\n\ttype B struct {\n\t\tC []A `xml:\"X>Y\"`\n\t}\n\tvar wg sync.WaitGroup\n\tfor i := 0; i < 2; i++ {\n\t\twg.Add(1)\n\t\tgo func() {\n\t\t\tMarshal(B{[]A{{}}})\n\t\t\twg.Done()\n\t\t}()\n\t}\n\twg.Wait()\n}\n\nfunc TestIsValidDirective(t *testing.T) {\n\ttestOK := []string{\n\t\t\"<>\",\n\t\t\"< < > >\",\n\t\t\"' '>' >\",\n\t\t\" ]>\",\n\t\t\" '<' ' doc ANY> ]>\",\n\t\t\">>> a < comment --> [ ] >\",\n\t}\n\ttestKO := []string{\n\t\t\"<\",\n\t\t\">\",\n\t\t\"\",\n\t\t\"< > > < < >\",\n\t\t\" -->\",\n\t\t\"\",\n\t\t\"'\",\n\t\t\"\",\n\t}\n\tfor _, s := range testOK {\n\t\tif !isValidDirective(Directive(s)) {\n\t\t\tt.Errorf(\"Directive %q is expected to be valid\", s)\n\t\t}\n\t}\n\tfor _, s := range testKO {\n\t\tif isValidDirective(Directive(s)) {\n\t\t\tt.Errorf(\"Directive %q is expected to be invalid\", s)\n\t\t}\n\t}\n}\n\n// Issue 11719. EncodeToken used to silently eat tokens with an invalid type.\nfunc TestSimpleUseOfEncodeToken(t *testing.T) {\n\tvar buf strings.Builder\n\tenc := NewEncoder(&buf)\n\tif err := enc.EncodeToken(&StartElement{Name: Name{\"\", \"object1\"}}); err == nil {\n\t\tt.Errorf(\"enc.EncodeToken: pointer type should be rejected\")\n\t}\n\tif err := enc.EncodeToken(&EndElement{Name: Name{\"\", \"object1\"}}); err == nil {\n\t\tt.Errorf(\"enc.EncodeToken: pointer type should be rejected\")\n\t}\n\tif err := enc.EncodeToken(StartElement{Name: Name{\"\", \"object2\"}}); err != nil {\n\t\tt.Errorf(\"enc.EncodeToken: StartElement %s\", err)\n\t}\n\tif err := enc.EncodeToken(EndElement{Name: Name{\"\", \"object2\"}}); err != nil {\n\t\tt.Errorf(\"enc.EncodeToken: EndElement %s\", err)\n\t}\n\tif err := enc.EncodeToken(Universe{}); err == nil {\n\t\tt.Errorf(\"enc.EncodeToken: invalid type not caught\")\n\t}\n\tif err := enc.Flush(); err != nil {\n\t\tt.Errorf(\"enc.Flush: %s\", err)\n\t}\n\tif buf.Len() == 0 {\n\t\tt.Errorf(\"enc.EncodeToken: empty buffer\")\n\t}\n\twant := \"\"\n\tif buf.String() != want {\n\t\tt.Errorf(\"enc.EncodeToken: expected %q; got %q\", want, buf.String())\n\t}\n}\n\n// Issue 16158. Decoder.unmarshalAttr ignores the return value of copyValue.\nfunc TestIssue16158(t *testing.T) {\n\tconst data = ``\n\terr := Unmarshal([]byte(data), &struct {\n\t\tB byte `xml:\"b,attr,omitempty\"`\n\t}{})\n\tif err == nil {\n\t\tt.Errorf(\"Unmarshal: expected error, got nil\")\n\t}\n}\n\n// Issue 20953. Crash on invalid XMLName attribute.\n\ntype InvalidXMLName struct {\n\tXMLName Name `xml:\"error\"`\n\tType struct {\n\t\tXMLName Name `xml:\"type,attr\"`\n\t}\n}\n\nfunc TestInvalidXMLName(t *testing.T) {\n\tvar buf bytes.Buffer\n\tenc := NewEncoder(&buf)\n\tif err := enc.Encode(InvalidXMLName{}); err == nil {\n\t\tt.Error(\"unexpected success\")\n\t} else if want := \"invalid tag\"; !strings.Contains(err.Error(), want) {\n\t\tt.Errorf(\"error %q does not contain %q\", err, want)\n\t}\n}\n\n// Issue 50164. Crash on zero value XML attribute.\ntype LayerOne struct {\n\tXMLName Name `xml:\"l1\"`\n\n\tValue *float64 `xml:\"value,omitempty\"`\n\t*LayerTwo `xml:\",omitempty\"`\n}\n\ntype LayerTwo struct {\n\tValueTwo *int `xml:\"value_two,attr,omitempty\"`\n}\n\nfunc TestMarshalZeroValue(t *testing.T) {\n\tproofXml := `1.2345`\n\tvar l1 LayerOne\n\terr := Unmarshal([]byte(proofXml), &l1)\n\tif err != nil {\n\t\tt.Fatalf(\"unmarshal XML error: %v\", err)\n\t}\n\twant := float64(1.2345)\n\tgot := *l1.Value\n\tif got != want {\n\t\tt.Fatalf(\"unexpected unmarshal result, want %f but got %f\", want, got)\n\t}\n\n\t// Marshal again (or Encode again)\n\t// In issue 50164, here `Marshal(l1)` will panic because of the zero value of xml attribute ValueTwo `value_two`.\n\tanotherXML, err := Marshal(l1)\n\tif err != nil {\n\t\tt.Fatalf(\"marshal XML error: %v\", err)\n\t}\n\tif string(anotherXML) != proofXml {\n\t\tt.Fatalf(\"unexpected unmarshal result, want %q but got %q\", proofXml, anotherXML)\n\t}\n}\n\nvar closeTests = []struct {\n\tdesc string\n\ttoks []Token\n\twant string\n\terr string\n}{{\n\tdesc: \"unclosed start element\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, nil, false, \"\"},\n\t},\n\twant: ``,\n\terr: \"unclosed tag \",\n}, {\n\tdesc: \"closed element\",\n\ttoks: []Token{\n\t\tStartElement{Name{\"\", \"foo\"}, nil, false, \"\"},\n\t\tEndElement{Name{\"\", \"foo\"}, false},\n\t},\n\twant: ``,\n}, {\n\tdesc: \"directive\",\n\ttoks: []Token{\n\t\tDirective(\"foo\"),\n\t},\n\twant: ``,\n}}\n\nfunc TestClose(t *testing.T) {\n\tfor _, tt := range closeTests {\n\t\ttt := tt\n\t\tt.Run(tt.desc, func(t *testing.T) {\n\t\t\tvar out strings.Builder\n\t\t\tenc := NewEncoder(&out)\n\t\t\tfor j, tok := range tt.toks {\n\t\t\t\tif err := enc.EncodeToken(tok); err != nil {\n\t\t\t\t\tt.Fatalf(\"token #%d: %v\", j, err)\n\t\t\t\t}\n\t\t\t}\n\t\t\terr := enc.Close()\n\t\t\tswitch {\n\t\t\tcase tt.err != \"\" && err == nil:\n\t\t\t\tt.Error(\" expected error; got none\")\n\t\t\tcase tt.err == \"\" && err != nil:\n\t\t\t\tt.Errorf(\" got error: %v\", err)\n\t\t\tcase tt.err != \"\" && err != nil && tt.err != err.Error():\n\t\t\t\tt.Errorf(\" error mismatch; got %v, want %v\", err, tt.err)\n\t\t\t}\n\t\t\tif got := out.String(); got != tt.want {\n\t\t\t\tt.Errorf(\"\\ngot %v\\nwant %v\", got, tt.want)\n\t\t\t}\n\t\t\tt.Log(enc.p.closed)\n\t\t\tif err := enc.EncodeToken(Directive(\"foo\")); err == nil {\n\t\t\t\tt.Errorf(\"unexpected success when encoding after Close\")\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/thirdparty/xml/read.go", "content": "// Copyright 2009 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport (\n\t\"bytes\"\n\t\"encoding\"\n\t\"errors\"\n\t\"fmt\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"strconv\"\n\t\"strings\"\n)\n\n// BUG(rsc): Mapping between XML elements and data structures is inherently flawed:\n// an XML element is an order-dependent collection of anonymous\n// values, while a data structure is an order-independent collection\n// of named values.\n// See [encoding/json] for a textual representation more suitable\n// to data structures.\n\n// Unmarshal parses the XML-encoded data and stores the result in\n// the value pointed to by v, which must be an arbitrary struct,\n// slice, or string. Well-formed data that does not fit into v is\n// discarded.\n//\n// Because Unmarshal uses the reflect package, it can only assign\n// to exported (upper case) fields. Unmarshal uses a case-sensitive\n// comparison to match XML element names to tag values and struct\n// field names.\n//\n// Unmarshal maps an XML element to a struct using the following rules.\n// In the rules, the tag of a field refers to the value associated with the\n// key 'xml' in the struct field's tag (see the example above).\n//\n// - If the struct has a field of type []byte or string with tag\n// \",innerxml\", Unmarshal accumulates the raw XML nested inside the\n// element in that field. The rest of the rules still apply.\n//\n// - If the struct has a field named XMLName of type Name,\n// Unmarshal records the element name in that field.\n//\n// - If the XMLName field has an associated tag of the form\n// \"name\" or \"namespace-URL name\", the XML element must have\n// the given name (and, optionally, name space) or else Unmarshal\n// returns an error.\n//\n// - If the XML element has an attribute whose name matches a\n// struct field name with an associated tag containing \",attr\" or\n// the explicit name in a struct field tag of the form \"name,attr\",\n// Unmarshal records the attribute value in that field.\n//\n// - If the XML element has an attribute not handled by the previous\n// rule and the struct has a field with an associated tag containing\n// \",any,attr\", Unmarshal records the attribute value in the first\n// such field.\n//\n// - If the XML element contains character data, that data is\n// accumulated in the first struct field that has tag \",chardata\".\n// The struct field may have type []byte or string.\n// If there is no such field, the character data is discarded.\n//\n// - If the XML element contains comments, they are accumulated in\n// the first struct field that has tag \",comment\". The struct\n// field may have type []byte or string. If there is no such\n// field, the comments are discarded.\n//\n// - If the XML element contains a sub-element whose name matches\n// the prefix of a tag formatted as \"a\" or \"a>b>c\", unmarshal\n// will descend into the XML structure looking for elements with the\n// given names, and will map the innermost elements to that struct\n// field. A tag starting with \">\" is equivalent to one starting\n// with the field name followed by \">\".\n//\n// - If the XML element contains a sub-element whose name matches\n// a struct field's XMLName tag and the struct field has no\n// explicit name tag as per the previous rule, unmarshal maps\n// the sub-element to that struct field.\n//\n// - If the XML element contains a sub-element whose name matches a\n// field without any mode flags (\",attr\", \",chardata\", etc), Unmarshal\n// maps the sub-element to that struct field.\n//\n// - If the XML element contains a sub-element that hasn't matched any\n// of the above rules and the struct has a field with tag \",any\",\n// unmarshal maps the sub-element to that struct field.\n//\n// - An anonymous struct field is handled as if the fields of its\n// value were part of the outer struct.\n//\n// - A struct field with tag \"-\" is never unmarshaled into.\n//\n// If Unmarshal encounters a field type that implements the Unmarshaler\n// interface, Unmarshal calls its UnmarshalXML method to produce the value from\n// the XML element. Otherwise, if the value implements\n// [encoding.TextUnmarshaler], Unmarshal calls that value's UnmarshalText method.\n//\n// Unmarshal maps an XML element to a string or []byte by saving the\n// concatenation of that element's character data in the string or\n// []byte. The saved []byte is never nil.\n//\n// Unmarshal maps an attribute value to a string or []byte by saving\n// the value in the string or slice.\n//\n// Unmarshal maps an attribute value to an [Attr] by saving the attribute,\n// including its name, in the Attr.\n//\n// Unmarshal maps an XML element or attribute value to a slice by\n// extending the length of the slice and mapping the element or attribute\n// to the newly created value.\n//\n// Unmarshal maps an XML element or attribute value to a bool by\n// setting it to the boolean value represented by the string. Whitespace\n// is trimmed and ignored.\n//\n// Unmarshal maps an XML element or attribute value to an integer or\n// floating-point field by setting the field to the result of\n// interpreting the string value in decimal. There is no check for\n// overflow. Whitespace is trimmed and ignored.\n//\n// Unmarshal maps an XML element to a Name by recording the element\n// name.\n//\n// Unmarshal maps an XML element to a pointer by setting the pointer\n// to a freshly allocated value and then mapping the element to that value.\n//\n// A missing element or empty attribute value will be unmarshaled as a zero value.\n// If the field is a slice, a zero value will be appended to the field. Otherwise, the\n// field will be set to its zero value.\nfunc Unmarshal(data []byte, v any) error {\n\treturn NewDecoder(bytes.NewReader(data)).Decode(v)\n}\n\n// Decode works like [Unmarshal], except it reads the decoder\n// stream to find the start element.\nfunc (d *Decoder) Decode(v any) error {\n\treturn d.DecodeElement(v, nil)\n}\n\n// DecodeElement works like [Unmarshal] except that it takes\n// a pointer to the start XML element to decode into v.\n// It is useful when a client reads some raw XML tokens itself\n// but also wants to defer to [Unmarshal] for some elements.\nfunc (d *Decoder) DecodeElement(v any, start *StartElement) error {\n\tval := reflect.ValueOf(v)\n\tif val.Kind() != reflect.Pointer {\n\t\treturn errors.New(\"non-pointer passed to Unmarshal\")\n\t}\n\n\tif val.IsNil() {\n\t\treturn errors.New(\"nil pointer passed to Unmarshal\")\n\t}\n\treturn d.unmarshal(val.Elem(), start, 0)\n}\n\n// An UnmarshalError represents an error in the unmarshaling process.\ntype UnmarshalError string\n\nfunc (e UnmarshalError) Error() string { return string(e) }\n\n// Unmarshaler is the interface implemented by objects that can unmarshal\n// an XML element description of themselves.\n//\n// UnmarshalXML decodes a single XML element\n// beginning with the given start element.\n// If it returns an error, the outer call to Unmarshal stops and\n// returns that error.\n// UnmarshalXML must consume exactly one XML element.\n// One common implementation strategy is to unmarshal into\n// a separate value with a layout matching the expected XML\n// using d.DecodeElement, and then to copy the data from\n// that value into the receiver.\n// Another common strategy is to use d.Token to process the\n// XML object one token at a time.\n// UnmarshalXML may not use d.RawToken.\ntype Unmarshaler interface {\n\tUnmarshalXML(d *Decoder, start StartElement) error\n}\n\n// UnmarshalerAttr is the interface implemented by objects that can unmarshal\n// an XML attribute description of themselves.\n//\n// UnmarshalXMLAttr decodes a single XML attribute.\n// If it returns an error, the outer call to [Unmarshal] stops and\n// returns that error.\n// UnmarshalXMLAttr is used only for struct fields with the\n// \"attr\" option in the field tag.\ntype UnmarshalerAttr interface {\n\tUnmarshalXMLAttr(attr Attr) error\n}\n\n// receiverType returns the receiver type to use in an expression like \"%s.MethodName\".\nfunc receiverType(val any) string {\n\tt := reflect.TypeOf(val)\n\tif t.Name() != \"\" {\n\t\treturn t.String()\n\t}\n\treturn \"(\" + t.String() + \")\"\n}\n\n// unmarshalInterface unmarshals a single XML element into val.\n// start is the opening tag of the element.\nfunc (d *Decoder) unmarshalInterface(val Unmarshaler, start *StartElement) error {\n\t// Record that decoder must stop at end tag corresponding to start.\n\td.pushEOF()\n\n\td.unmarshalDepth++\n\terr := val.UnmarshalXML(d, *start)\n\td.unmarshalDepth--\n\tif err != nil {\n\t\td.popEOF()\n\t\treturn err\n\t}\n\n\tif !d.popEOF() {\n\t\treturn fmt.Errorf(\"xml: %s.UnmarshalXML did not consume entire <%s> element\", receiverType(val), start.Name.Local)\n\t}\n\n\treturn nil\n}\n\n// unmarshalTextInterface unmarshals a single XML element into val.\n// The chardata contained in the element (but not its children)\n// is passed to the text unmarshaler.\nfunc (d *Decoder) unmarshalTextInterface(val encoding.TextUnmarshaler) error {\n\tvar buf []byte\n\tdepth := 1\n\tfor depth > 0 {\n\t\tt, err := d.Token()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tswitch t := t.(type) {\n\t\tcase CharData:\n\t\t\tif depth == 1 {\n\t\t\t\tbuf = append(buf, t.data...)\n\t\t\t}\n\t\tcase StartElement:\n\t\t\tdepth++\n\t\tcase EndElement:\n\t\t\tdepth--\n\t\t}\n\t}\n\treturn val.UnmarshalText(buf)\n}\n\n// unmarshalAttr unmarshals a single XML attribute into val.\nfunc (d *Decoder) unmarshalAttr(val reflect.Value, attr Attr) error {\n\tif val.Kind() == reflect.Pointer {\n\t\tif val.IsNil() {\n\t\t\tval.Set(reflect.New(val.Type().Elem()))\n\t\t}\n\t\tval = val.Elem()\n\t}\n\tif val.CanInterface() && val.Type().Implements(unmarshalerAttrType) {\n\t\t// This is an unmarshaler with a non-pointer receiver,\n\t\t// so it's likely to be incorrect, but we do what we're told.\n\t\treturn val.Interface().(UnmarshalerAttr).UnmarshalXMLAttr(attr)\n\t}\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(unmarshalerAttrType) {\n\t\t\treturn pv.Interface().(UnmarshalerAttr).UnmarshalXMLAttr(attr)\n\t\t}\n\t}\n\n\t// Not an UnmarshalerAttr; try encoding.TextUnmarshaler.\n\tif val.CanInterface() && val.Type().Implements(textUnmarshalerType) {\n\t\t// This is an unmarshaler with a non-pointer receiver,\n\t\t// so it's likely to be incorrect, but we do what we're told.\n\t\treturn val.Interface().(encoding.TextUnmarshaler).UnmarshalText([]byte(attr.Value))\n\t}\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {\n\t\t\treturn pv.Interface().(encoding.TextUnmarshaler).UnmarshalText([]byte(attr.Value))\n\t\t}\n\t}\n\n\tif val.Type().Kind() == reflect.Slice && val.Type().Elem().Kind() != reflect.Uint8 {\n\t\t// Slice of element values.\n\t\t// Grow slice.\n\t\tn := val.Len()\n\t\tval.Grow(1)\n\t\tval.SetLen(n + 1)\n\n\t\t// Recur to read element into slice.\n\t\tif err := d.unmarshalAttr(val.Index(n), attr); err != nil {\n\t\t\tval.SetLen(n)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t}\n\n\tif val.Type() == attrType {\n\t\tval.Set(reflect.ValueOf(attr))\n\t\treturn nil\n\t}\n\n\treturn copyValue(val, []byte(attr.Value))\n}\n\nvar (\n\tattrType = reflect.TypeFor[Attr]()\n\tunmarshalerType = reflect.TypeFor[Unmarshaler]()\n\tunmarshalerAttrType = reflect.TypeFor[UnmarshalerAttr]()\n\ttextUnmarshalerType = reflect.TypeFor[encoding.TextUnmarshaler]()\n)\n\nconst (\n\tmaxUnmarshalDepth = 10000\n\tmaxUnmarshalDepthWasm = 5000 // go.dev/issue/56498\n)\n\nvar errUnmarshalDepth = errors.New(\"exceeded max depth\")\n\n// Unmarshal a single XML element into val.\nfunc (d *Decoder) unmarshal(val reflect.Value, start *StartElement, depth int) error {\n\tif depth >= maxUnmarshalDepth || runtime.GOARCH == \"wasm\" && depth >= maxUnmarshalDepthWasm {\n\t\treturn errUnmarshalDepth\n\t}\n\t// Find start element if we need it.\n\tif start == nil {\n\t\tfor {\n\t\t\ttok, err := d.Token()\n\t\t\tif err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tif t, ok := tok.(StartElement); ok {\n\t\t\t\tstart = &t\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n\n\t// Load value from interface, but only if the result will be\n\t// usefully addressable.\n\tif val.Kind() == reflect.Interface && !val.IsNil() {\n\t\te := val.Elem()\n\t\tif e.Kind() == reflect.Pointer && !e.IsNil() {\n\t\t\tval = e\n\t\t}\n\t}\n\n\tif val.Kind() == reflect.Pointer {\n\t\tif val.IsNil() {\n\t\t\tval.Set(reflect.New(val.Type().Elem()))\n\t\t}\n\t\tval = val.Elem()\n\t}\n\n\tif val.CanInterface() && val.Type().Implements(unmarshalerType) {\n\t\t// This is an unmarshaler with a non-pointer receiver,\n\t\t// so it's likely to be incorrect, but we do what we're told.\n\t\treturn d.unmarshalInterface(val.Interface().(Unmarshaler), start)\n\t}\n\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(unmarshalerType) {\n\t\t\treturn d.unmarshalInterface(pv.Interface().(Unmarshaler), start)\n\t\t}\n\t}\n\n\tif val.CanInterface() && val.Type().Implements(textUnmarshalerType) {\n\t\treturn d.unmarshalTextInterface(val.Interface().(encoding.TextUnmarshaler))\n\t}\n\n\tif val.CanAddr() {\n\t\tpv := val.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {\n\t\t\treturn d.unmarshalTextInterface(pv.Interface().(encoding.TextUnmarshaler))\n\t\t}\n\t}\n\n\tvar (\n\t\tdata []byte\n\t\tsaveData reflect.Value\n\t\tcomment []byte\n\t\tsaveComment reflect.Value\n\t\tsaveXML reflect.Value\n\t\tsaveXMLIndex int\n\t\tsaveXMLData []byte\n\t\tsaveAny reflect.Value\n\t\tsv reflect.Value\n\t\ttinfo *typeInfo\n\t\terr error\n\t)\n\n\tswitch v := val; v.Kind() {\n\tdefault:\n\t\treturn errors.New(\"unknown type \" + v.Type().String())\n\n\tcase reflect.Interface:\n\t\t// TODO: For now, simply ignore the field. In the near\n\t\t// future we may choose to unmarshal the start\n\t\t// element on it, if not nil.\n\t\treturn d.Skip()\n\n\tcase reflect.Slice:\n\t\ttyp := v.Type()\n\t\tif typ.Elem().Kind() == reflect.Uint8 {\n\t\t\t// []byte\n\t\t\tsaveData = v\n\t\t\tbreak\n\t\t}\n\n\t\t// Slice of element values.\n\t\t// Grow slice.\n\t\tn := v.Len()\n\t\tv.Grow(1)\n\t\tv.SetLen(n + 1)\n\n\t\t// Recur to read element into slice.\n\t\tif err := d.unmarshal(v.Index(n), start, depth+1); err != nil {\n\t\t\tv.SetLen(n)\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\n\tcase reflect.Bool, reflect.Float32, reflect.Float64, reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64, reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr, reflect.String:\n\t\tsaveData = v\n\n\tcase reflect.Struct:\n\t\ttyp := v.Type()\n\t\tif typ == nameType {\n\t\t\tv.Set(reflect.ValueOf(start.Name))\n\t\t\tbreak\n\t\t}\n\n\t\tsv = v\n\t\ttinfo, err = getTypeInfo(typ)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\n\t\t// Validate and assign element name.\n\t\tif tinfo.xmlname != nil {\n\t\t\tfinfo := tinfo.xmlname\n\t\t\tif finfo.name != \"\" && finfo.name != start.Name.Local {\n\t\t\t\treturn UnmarshalError(\"expected element type <\" + finfo.name + \"> but have <\" + start.Name.Local + \">\")\n\t\t\t}\n\t\t\tif finfo.xmlns != \"\" && finfo.xmlns != start.Name.Space {\n\t\t\t\te := \"expected element <\" + finfo.name + \"> in name space \" + finfo.xmlns + \" but have \"\n\t\t\t\tif start.Name.Space == \"\" {\n\t\t\t\t\te += \"no name space\"\n\t\t\t\t} else {\n\t\t\t\t\te += start.Name.Space\n\t\t\t\t}\n\t\t\t\treturn UnmarshalError(e)\n\t\t\t}\n\t\t\tfv := finfo.value(sv, initNilPointers)\n\t\t\tif _, ok := fv.Interface().(Name); ok {\n\t\t\t\tfv.Set(reflect.ValueOf(start.Name))\n\t\t\t}\n\t\t}\n\n\t\t// Assign attributes.\n\t\tfor _, a := range start.Attr {\n\t\t\thandled := false\n\t\t\tany := -1\n\t\t\tfor i := range tinfo.fields {\n\t\t\t\tfinfo := &tinfo.fields[i]\n\t\t\t\tswitch finfo.flags & fMode {\n\t\t\t\tcase fAttr:\n\t\t\t\t\tstrv := finfo.value(sv, initNilPointers)\n\t\t\t\t\tif a.Name.Local == finfo.name && (finfo.xmlns == \"\" || finfo.xmlns == a.Name.Space) {\n\t\t\t\t\t\tif err := d.unmarshalAttr(strv, a); err != nil {\n\t\t\t\t\t\t\treturn err\n\t\t\t\t\t\t}\n\t\t\t\t\t\thandled = true\n\t\t\t\t\t}\n\n\t\t\t\tcase fAny | fAttr:\n\t\t\t\t\tif any == -1 {\n\t\t\t\t\t\tany = i\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif !handled && any >= 0 {\n\t\t\t\tfinfo := &tinfo.fields[any]\n\t\t\t\tstrv := finfo.value(sv, initNilPointers)\n\t\t\t\tif err := d.unmarshalAttr(strv, a); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Determine whether we need to save character data or comments.\n\t\tfor i := range tinfo.fields {\n\t\t\tfinfo := &tinfo.fields[i]\n\t\t\tswitch finfo.flags & fMode {\n\t\t\tcase fCDATA, fCharData:\n\t\t\t\tif !saveData.IsValid() {\n\t\t\t\t\tsaveData = finfo.value(sv, initNilPointers)\n\t\t\t\t}\n\n\t\t\tcase fComment:\n\t\t\t\tif !saveComment.IsValid() {\n\t\t\t\t\tsaveComment = finfo.value(sv, initNilPointers)\n\t\t\t\t}\n\n\t\t\tcase fAny, fAny | fElement:\n\t\t\t\tif !saveAny.IsValid() {\n\t\t\t\t\tsaveAny = finfo.value(sv, initNilPointers)\n\t\t\t\t}\n\n\t\t\tcase fInnerXML:\n\t\t\t\tif !saveXML.IsValid() {\n\t\t\t\t\tsaveXML = finfo.value(sv, initNilPointers)\n\t\t\t\t\tif d.saved == nil {\n\t\t\t\t\t\tsaveXMLIndex = 0\n\t\t\t\t\t\td.saved = new(bytes.Buffer)\n\t\t\t\t\t} else {\n\t\t\t\t\t\tsaveXMLIndex = d.savedOffset()\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\t// Find end element.\n\t// Process sub-elements along the way.\nLoop:\n\tfor {\n\t\tvar savedOffset int\n\t\tif saveXML.IsValid() {\n\t\t\tsavedOffset = d.savedOffset()\n\t\t}\n\t\ttok, err := d.Token()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tswitch t := tok.(type) {\n\t\tcase StartElement:\n\t\t\tconsumed := false\n\t\t\tif sv.IsValid() {\n\t\t\t\t// unmarshalPath can call unmarshal, so we need to pass the depth through so that\n\t\t\t\t// we can continue to enforce the maximum recursion limit.\n\t\t\t\tconsumed, err = d.unmarshalPath(tinfo, sv, nil, &t, depth)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tif !consumed && saveAny.IsValid() {\n\t\t\t\t\tconsumed = true\n\t\t\t\t\tif err := d.unmarshal(saveAny, &t, depth+1); err != nil {\n\t\t\t\t\t\treturn err\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\tif !consumed {\n\t\t\t\tif err := d.Skip(); err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t}\n\n\t\tcase EndElement:\n\t\t\tif saveXML.IsValid() {\n\t\t\t\tsaveXMLData = d.saved.Bytes()[saveXMLIndex:savedOffset]\n\t\t\t\tif saveXMLIndex == 0 {\n\t\t\t\t\td.saved = nil\n\t\t\t\t}\n\t\t\t}\n\t\t\tbreak Loop\n\n\t\tcase CharData:\n\t\t\tif saveData.IsValid() {\n\t\t\t\tdata = append(data, t.data...)\n\t\t\t}\n\n\t\tcase Comment:\n\t\t\tif saveComment.IsValid() {\n\t\t\t\tcomment = append(comment, t...)\n\t\t\t}\n\t\t}\n\t}\n\n\tif saveData.IsValid() && saveData.CanInterface() && saveData.Type().Implements(textUnmarshalerType) {\n\t\tif err := saveData.Interface().(encoding.TextUnmarshaler).UnmarshalText(data); err != nil {\n\t\t\treturn err\n\t\t}\n\t\tsaveData = reflect.Value{}\n\t}\n\n\tif saveData.IsValid() && saveData.CanAddr() {\n\t\tpv := saveData.Addr()\n\t\tif pv.CanInterface() && pv.Type().Implements(textUnmarshalerType) {\n\t\t\tif err := pv.Interface().(encoding.TextUnmarshaler).UnmarshalText(data); err != nil {\n\t\t\t\treturn err\n\t\t\t}\n\t\t\tsaveData = reflect.Value{}\n\t\t}\n\t}\n\n\tif err := copyValue(saveData, data); err != nil {\n\t\treturn err\n\t}\n\n\tswitch t := saveComment; t.Kind() {\n\tcase reflect.String:\n\t\tt.SetString(string(comment))\n\tcase reflect.Slice:\n\t\tt.Set(reflect.ValueOf(comment))\n\t}\n\n\tswitch t := saveXML; t.Kind() {\n\tcase reflect.String:\n\t\tt.SetString(string(saveXMLData))\n\tcase reflect.Slice:\n\t\tif t.Type().Elem().Kind() == reflect.Uint8 {\n\t\t\tt.Set(reflect.ValueOf(saveXMLData))\n\t\t}\n\t}\n\n\treturn nil\n}\n\nfunc copyValue(dst reflect.Value, src []byte) (err error) {\n\tdst0 := dst\n\n\tif dst.Kind() == reflect.Pointer {\n\t\tif dst.IsNil() {\n\t\t\tdst.Set(reflect.New(dst.Type().Elem()))\n\t\t}\n\t\tdst = dst.Elem()\n\t}\n\n\t// Save accumulated data.\n\tswitch dst.Kind() {\n\tcase reflect.Invalid:\n\t\t// Probably a comment.\n\tdefault:\n\t\treturn errors.New(\"cannot unmarshal into \" + dst0.Type().String())\n\tcase reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:\n\t\tif len(src) == 0 {\n\t\t\tdst.SetInt(0)\n\t\t\treturn nil\n\t\t}\n\t\titmp, err := strconv.ParseInt(strings.TrimSpace(string(src)), 10, dst.Type().Bits())\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdst.SetInt(itmp)\n\tcase reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64, reflect.Uintptr:\n\t\tif len(src) == 0 {\n\t\t\tdst.SetUint(0)\n\t\t\treturn nil\n\t\t}\n\t\tutmp, err := strconv.ParseUint(strings.TrimSpace(string(src)), 10, dst.Type().Bits())\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdst.SetUint(utmp)\n\tcase reflect.Float32, reflect.Float64:\n\t\tif len(src) == 0 {\n\t\t\tdst.SetFloat(0)\n\t\t\treturn nil\n\t\t}\n\t\tftmp, err := strconv.ParseFloat(strings.TrimSpace(string(src)), dst.Type().Bits())\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdst.SetFloat(ftmp)\n\tcase reflect.Bool:\n\t\tif len(src) == 0 {\n\t\t\tdst.SetBool(false)\n\t\t\treturn nil\n\t\t}\n\t\tvalue, err := strconv.ParseBool(strings.TrimSpace(string(src)))\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tdst.SetBool(value)\n\tcase reflect.String:\n\t\tdst.SetString(string(src))\n\tcase reflect.Slice:\n\t\tif len(src) == 0 {\n\t\t\t// non-nil to flag presence\n\t\t\tsrc = []byte{}\n\t\t}\n\t\tdst.SetBytes(src)\n\t}\n\treturn nil\n}\n\n// unmarshalPath walks down an XML structure looking for wanted\n// paths, and calls unmarshal on them.\n// The consumed result tells whether XML elements have been consumed\n// from the Decoder until start's matching end element, or if it's\n// still untouched because start is uninteresting for sv's fields.\nfunc (d *Decoder) unmarshalPath(tinfo *typeInfo, sv reflect.Value, parents []string, start *StartElement, depth int) (consumed bool, err error) {\n\trecurse := false\nLoop:\n\tfor i := range tinfo.fields {\n\t\tfinfo := &tinfo.fields[i]\n\t\tif finfo.flags&fElement == 0 || len(finfo.parents) < len(parents) || finfo.xmlns != \"\" && finfo.xmlns != start.Name.Space {\n\t\t\tcontinue\n\t\t}\n\t\tfor j := range parents {\n\t\t\tif parents[j] != finfo.parents[j] {\n\t\t\t\tcontinue Loop\n\t\t\t}\n\t\t}\n\t\tif len(finfo.parents) == len(parents) && finfo.name == start.Name.Local {\n\t\t\t// It's a perfect match, unmarshal the field.\n\t\t\treturn true, d.unmarshal(finfo.value(sv, initNilPointers), start, depth+1)\n\t\t}\n\t\tif len(finfo.parents) > len(parents) && finfo.parents[len(parents)] == start.Name.Local {\n\t\t\t// It's a prefix for the field. Break and recurse\n\t\t\t// since it's not ok for one field path to be itself\n\t\t\t// the prefix for another field path.\n\t\t\trecurse = true\n\n\t\t\t// We can reuse the same slice as long as we\n\t\t\t// don't try to append to it.\n\t\t\tparents = finfo.parents[:len(parents)+1]\n\t\t\tbreak\n\t\t}\n\t}\n\tif !recurse {\n\t\t// We have no business with this element.\n\t\treturn false, nil\n\t}\n\t// The element is not a perfect match for any field, but one\n\t// or more fields have the path to this element as a parent\n\t// prefix. Recurse and attempt to match these.\n\tfor {\n\t\tvar tok Token\n\t\ttok, err = d.Token()\n\t\tif err != nil {\n\t\t\treturn true, err\n\t\t}\n\t\tswitch t := tok.(type) {\n\t\tcase StartElement:\n\t\t\t// the recursion depth of unmarshalPath is limited to the path length specified\n\t\t\t// by the struct field tag, so we don't increment the depth here.\n\t\t\tconsumed2, err := d.unmarshalPath(tinfo, sv, parents, &t, depth)\n\t\t\tif err != nil {\n\t\t\t\treturn true, err\n\t\t\t}\n\t\t\tif !consumed2 {\n\t\t\t\tif err := d.Skip(); err != nil {\n\t\t\t\t\treturn true, err\n\t\t\t\t}\n\t\t\t}\n\t\tcase EndElement:\n\t\t\treturn true, nil\n\t\t}\n\t}\n}\n\n// Skip reads tokens until it has consumed the end element\n// matching the most recent start element already consumed,\n// skipping nested structures.\n// It returns nil if it finds an end element matching the start\n// element; otherwise it returns an error describing the problem.\nfunc (d *Decoder) Skip() error {\n\tvar depth int64\n\tfor {\n\t\ttok, err := d.Token()\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tswitch tok.(type) {\n\t\tcase StartElement:\n\t\t\tdepth++\n\t\tcase EndElement:\n\t\t\tif depth == 0 {\n\t\t\t\treturn nil\n\t\t\t}\n\t\t\tdepth--\n\t\t}\n\t}\n}\n" }, { "path": "internal/thirdparty/xml/read_test.go", "content": "// Copyright 2009 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"io\"\n\t\"reflect\"\n\t\"runtime\"\n\t\"strings\"\n\t\"testing\"\n\t\"time\"\n)\n\n// Stripped down Atom feed data structures.\n\nfunc TestUnmarshalFeed(t *testing.T) {\n\tvar f Feed\n\tif err := Unmarshal([]byte(atomFeedString), &f); err != nil {\n\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t}\n\tif !reflect.DeepEqual(f, atomFeed) {\n\t\tt.Fatalf(\"have %#v\\nwant %#v\", f, atomFeed)\n\t}\n}\n\n// hget http://codereview.appspot.com/rss/mine/rsc\nconst atomFeedString = `\n\nCode Review - My issueshttp://codereview.appspot.com/rietveld<>rietveld: an attempt at pubsubhubbub\n2009-10-04T01:35:58+00:00email-address-removedurn:md5:134d9179c41f806be79b3a5f7877d19a\n An attempt at adding pubsubhubbub support to Rietveld.\nhttp://code.google.com/p/pubsubhubbub\nhttp://code.google.com/p/rietveld/issues/detail?id=155\n\nThe server side of the protocol is trivial:\n 1. add a &lt;link rel=&quot;hub&quot; href=&quot;hub-server&quot;&gt; tag to all\n feeds that will be pubsubhubbubbed.\n 2. every time one of those feeds changes, tell the hub\n with a simple POST request.\n\nI have tested this by adding debug prints to a local hub\nserver and checking that the server got the right publish\nrequests.\n\nI can&#39;t quite get the server to work, but I think the bug\nis not in my code. I think that the server expects to be\nable to grab the feed and see the feed&#39;s actual URL in\nthe link rel=&quot;self&quot;, but the default value for that drops\nthe :port from the URL, and I cannot for the life of me\nfigure out how to get the Atom generator deep inside\ndjango not to do that, or even where it is doing that,\nor even what code is running to generate the Atom feed.\n(I thought I knew but I added some assert False statements\nand it kept running!)\n\nIgnoring that particular problem, I would appreciate\nfeedback on the right way to get the two values at\nthe top of feeds.py marked NOTE(rsc).\n\n\nrietveld: correct tab handling\n2009-10-03T23:02:17+00:00email-address-removedurn:md5:0a2a4f19bb815101f0ba2904aed7c35a\n This fixes the buggy tab rendering that can be seen at\nhttp://codereview.appspot.com/116075/diff/1/2\n\nThe fundamental problem was that the tab code was\nnot being told what column the text began in, so it\ndidn&#39;t know where to put the tab stops. Another problem\nwas that some of the code assumed that string byte\noffsets were the same as column offsets, which is only\ntrue if there are no tabs.\n\nIn the process of fixing this, I cleaned up the arguments\nto Fold and ExpandTabs and renamed them Break and\n_ExpandTabs so that I could be sure that I found all the\ncall sites. I also wanted to verify that ExpandTabs was\nnot being used from outside intra_region_diff.py.\n\n\n \t `\n\ntype Feed struct {\n\tXMLName Name `xml:\"http://www.w3.org/2005/Atom feed\"`\n\tTitle string `xml:\"title\"`\n\tID string `xml:\"id\"`\n\tLink []Link `xml:\"link\"`\n\tUpdated time.Time `xml:\"updated,attr\"`\n\tAuthor Person `xml:\"author\"`\n\tEntry []Entry `xml:\"entry\"`\n}\n\ntype Entry struct {\n\tTitle string `xml:\"title\"`\n\tID string `xml:\"id\"`\n\tLink []Link `xml:\"link\"`\n\tUpdated time.Time `xml:\"updated\"`\n\tAuthor Person `xml:\"author\"`\n\tSummary Text `xml:\"summary\"`\n}\n\ntype Link struct {\n\tRel string `xml:\"rel,attr,omitempty\"`\n\tHref string `xml:\"href,attr\"`\n}\n\ntype Person struct {\n\tName string `xml:\"name\"`\n\tURI string `xml:\"uri\"`\n\tEmail string `xml:\"email\"`\n\tInnerXML string `xml:\",innerxml\"`\n}\n\ntype Text struct {\n\tType string `xml:\"type,attr,omitempty\"`\n\tBody string `xml:\",chardata\"`\n}\n\nvar atomFeed = Feed{\n\tXMLName: Name{\"http://www.w3.org/2005/Atom\", \"feed\"},\n\tTitle: \"Code Review - My issues\",\n\tLink: []Link{\n\t\t{Rel: \"alternate\", Href: \"http://codereview.appspot.com/\"},\n\t\t{Rel: \"self\", Href: \"http://codereview.appspot.com/rss/mine/rsc\"},\n\t},\n\tID: \"http://codereview.appspot.com/\",\n\tUpdated: ParseTime(\"2009-10-04T01:35:58+00:00\"),\n\tAuthor: Person{\n\t\tName: \"rietveld<>\",\n\t\tInnerXML: \"rietveld<>\",\n\t},\n\tEntry: []Entry{\n\t\t{\n\t\t\tTitle: \"rietveld: an attempt at pubsubhubbub\\n\",\n\t\t\tLink: []Link{\n\t\t\t\t{Rel: \"alternate\", Href: \"http://codereview.appspot.com/126085\"},\n\t\t\t},\n\t\t\tUpdated: ParseTime(\"2009-10-04T01:35:58+00:00\"),\n\t\t\tAuthor: Person{\n\t\t\t\tName: \"email-address-removed\",\n\t\t\t\tInnerXML: \"email-address-removed\",\n\t\t\t},\n\t\t\tID: \"urn:md5:134d9179c41f806be79b3a5f7877d19a\",\n\t\t\tSummary: Text{\n\t\t\t\tType: \"html\",\n\t\t\t\tBody: `\n An attempt at adding pubsubhubbub support to Rietveld.\nhttp://code.google.com/p/pubsubhubbub\nhttp://code.google.com/p/rietveld/issues/detail?id=155\n\nThe server side of the protocol is trivial:\n 1. add a <link rel="hub" href="hub-server"> tag to all\n feeds that will be pubsubhubbubbed.\n 2. every time one of those feeds changes, tell the hub\n with a simple POST request.\n\nI have tested this by adding debug prints to a local hub\nserver and checking that the server got the right publish\nrequests.\n\nI can't quite get the server to work, but I think the bug\nis not in my code. I think that the server expects to be\nable to grab the feed and see the feed's actual URL in\nthe link rel="self", but the default value for that drops\nthe :port from the URL, and I cannot for the life of me\nfigure out how to get the Atom generator deep inside\ndjango not to do that, or even where it is doing that,\nor even what code is running to generate the Atom feed.\n(I thought I knew but I added some assert False statements\nand it kept running!)\n\nIgnoring that particular problem, I would appreciate\nfeedback on the right way to get the two values at\nthe top of feeds.py marked NOTE(rsc).\n\n\n`,\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tTitle: \"rietveld: correct tab handling\\n\",\n\t\t\tLink: []Link{\n\t\t\t\t{Rel: \"alternate\", Href: \"http://codereview.appspot.com/124106\"},\n\t\t\t},\n\t\t\tUpdated: ParseTime(\"2009-10-03T23:02:17+00:00\"),\n\t\t\tAuthor: Person{\n\t\t\t\tName: \"email-address-removed\",\n\t\t\t\tInnerXML: \"email-address-removed\",\n\t\t\t},\n\t\t\tID: \"urn:md5:0a2a4f19bb815101f0ba2904aed7c35a\",\n\t\t\tSummary: Text{\n\t\t\t\tType: \"html\",\n\t\t\t\tBody: `\n This fixes the buggy tab rendering that can be seen at\nhttp://codereview.appspot.com/116075/diff/1/2\n\nThe fundamental problem was that the tab code was\nnot being told what column the text began in, so it\ndidn't know where to put the tab stops. Another problem\nwas that some of the code assumed that string byte\noffsets were the same as column offsets, which is only\ntrue if there are no tabs.\n\nIn the process of fixing this, I cleaned up the arguments\nto Fold and ExpandTabs and renamed them Break and\n_ExpandTabs so that I could be sure that I found all the\ncall sites. I also wanted to verify that ExpandTabs was\nnot being used from outside intra_region_diff.py.\n\n\n`,\n\t\t\t},\n\t\t},\n\t},\n}\n\nconst pathTestString = `\n\n 1\n \n \n A\n \n \n B\n \n \n C\n D\n \n <_>\n E\n \n \n 2\n\n`\n\ntype PathTestItem struct {\n\tValue string\n}\n\ntype PathTestA struct {\n\tItems []PathTestItem `xml:\">Item1\"`\n\tBefore, After string\n}\n\ntype PathTestB struct {\n\tOther []PathTestItem `xml:\"Items>Item1\"`\n\tBefore, After string\n}\n\ntype PathTestC struct {\n\tValues1 []string `xml:\"Items>Item1>Value\"`\n\tValues2 []string `xml:\"Items>Item2>Value\"`\n\tBefore, After string\n}\n\ntype PathTestSet struct {\n\tItem1 []PathTestItem\n}\n\ntype PathTestD struct {\n\tOther PathTestSet `xml:\"Items\"`\n\tBefore, After string\n}\n\ntype PathTestE struct {\n\tUnderline string `xml:\"Items>_>Value\"`\n\tBefore, After string\n}\n\nvar pathTests = []any{\n\t&PathTestA{Items: []PathTestItem{{\"A\"}, {\"D\"}}, Before: \"1\", After: \"2\"},\n\t&PathTestB{Other: []PathTestItem{{\"A\"}, {\"D\"}}, Before: \"1\", After: \"2\"},\n\t&PathTestC{Values1: []string{\"A\", \"C\", \"D\"}, Values2: []string{\"B\"}, Before: \"1\", After: \"2\"},\n\t&PathTestD{Other: PathTestSet{Item1: []PathTestItem{{\"A\"}, {\"D\"}}}, Before: \"1\", After: \"2\"},\n\t&PathTestE{Underline: \"E\", Before: \"1\", After: \"2\"},\n}\n\nfunc TestUnmarshalPaths(t *testing.T) {\n\tfor _, pt := range pathTests {\n\t\tv := reflect.New(reflect.TypeOf(pt).Elem()).Interface()\n\t\tif err := Unmarshal([]byte(pathTestString), v); err != nil {\n\t\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t\t}\n\t\tif !reflect.DeepEqual(v, pt) {\n\t\t\tt.Fatalf(\"have %#v\\nwant %#v\", v, pt)\n\t\t}\n\t}\n}\n\ntype BadPathTestA struct {\n\tFirst string `xml:\"items>item1\"`\n\tOther string `xml:\"items>item2\"`\n\tSecond string `xml:\"items\"`\n}\n\ntype BadPathTestB struct {\n\tOther string `xml:\"items>item2>value\"`\n\tFirst string `xml:\"items>item1\"`\n\tSecond string `xml:\"items>item1>value\"`\n}\n\ntype BadPathTestC struct {\n\tFirst string\n\tSecond string `xml:\"First\"`\n}\n\ntype BadPathTestD struct {\n\tBadPathEmbeddedA\n\tBadPathEmbeddedB\n}\n\ntype BadPathEmbeddedA struct {\n\tFirst string\n}\n\ntype BadPathEmbeddedB struct {\n\tSecond string `xml:\"First\"`\n}\n\nvar badPathTests = []struct {\n\tv, e any\n}{\n\t{&BadPathTestA{}, &TagPathError{reflect.TypeFor[BadPathTestA](), \"First\", \"items>item1\", \"Second\", \"items\"}},\n\t{&BadPathTestB{}, &TagPathError{reflect.TypeFor[BadPathTestB](), \"First\", \"items>item1\", \"Second\", \"items>item1>value\"}},\n\t{&BadPathTestC{}, &TagPathError{reflect.TypeFor[BadPathTestC](), \"First\", \"\", \"Second\", \"First\"}},\n\t{&BadPathTestD{}, &TagPathError{reflect.TypeFor[BadPathTestD](), \"First\", \"\", \"Second\", \"First\"}},\n}\n\nfunc TestUnmarshalBadPaths(t *testing.T) {\n\tfor _, tt := range badPathTests {\n\t\terr := Unmarshal([]byte(pathTestString), tt.v)\n\t\tif !reflect.DeepEqual(err, tt.e) {\n\t\t\tt.Fatalf(\"Unmarshal with %#v didn't fail properly:\\nhave %#v,\\nwant %#v\", tt.v, err, tt.e)\n\t\t}\n\t}\n}\n\nconst OK = \"OK\"\nconst withoutNameTypeData = `\n\n`\n\ntype TestThree struct {\n\tXMLName Name `xml:\"Test3\"`\n\tAttr string `xml:\",attr\"`\n}\n\nfunc TestUnmarshalWithoutNameType(t *testing.T) {\n\tvar x TestThree\n\tif err := Unmarshal([]byte(withoutNameTypeData), &x); err != nil {\n\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t}\n\tif x.Attr != OK {\n\t\tt.Fatalf(\"have %v\\nwant %v\", x.Attr, OK)\n\t}\n}\n\nfunc TestUnmarshalAttr(t *testing.T) {\n\ttype ParamVal struct {\n\t\tInt int `xml:\"int,attr\"`\n\t}\n\n\ttype ParamPtr struct {\n\t\tInt *int `xml:\"int,attr\"`\n\t}\n\n\ttype ParamStringPtr struct {\n\t\tInt *string `xml:\"int,attr\"`\n\t}\n\n\tx := []byte(``)\n\n\tp1 := &ParamPtr{}\n\tif err := Unmarshal(x, p1); err != nil {\n\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t}\n\tif p1.Int == nil {\n\t\tt.Fatalf(\"Unmarshal failed in to *int field\")\n\t} else if *p1.Int != 1 {\n\t\tt.Fatalf(\"Unmarshal with %s failed:\\nhave %#v,\\n want %#v\", x, p1.Int, 1)\n\t}\n\n\tp2 := &ParamVal{}\n\tif err := Unmarshal(x, p2); err != nil {\n\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t}\n\tif p2.Int != 1 {\n\t\tt.Fatalf(\"Unmarshal with %s failed:\\nhave %#v,\\n want %#v\", x, p2.Int, 1)\n\t}\n\n\tp3 := &ParamStringPtr{}\n\tif err := Unmarshal(x, p3); err != nil {\n\t\tt.Fatalf(\"Unmarshal: %s\", err)\n\t}\n\tif p3.Int == nil {\n\t\tt.Fatalf(\"Unmarshal failed in to *string field\")\n\t} else if *p3.Int != \"1\" {\n\t\tt.Fatalf(\"Unmarshal with %s failed:\\nhave %#v,\\n want %#v\", x, p3.Int, 1)\n\t}\n}\n\ntype Tables struct {\n\tHTable string `xml:\"http://www.w3.org/TR/html4/ table\"`\n\tFTable string `xml:\"http://www.w3schools.com/furniture table\"`\n}\n\nvar tables = []struct {\n\txml string\n\ttab Tables\n\tns string\n}{\n\t{\n\t\txml: `` +\n\t\t\t`hello
` +\n\t\t\t`world
` +\n\t\t\t``,\n\t\ttab: Tables{\"hello\", \"world\"},\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`world
` +\n\t\t\t`hello
` +\n\t\t\t``,\n\t\ttab: Tables{\"hello\", \"world\"},\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`world` +\n\t\t\t`hello` +\n\t\t\t``,\n\t\ttab: Tables{\"hello\", \"world\"},\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`bogus
` +\n\t\t\t``,\n\t\ttab: Tables{},\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`only
` +\n\t\t\t``,\n\t\ttab: Tables{HTable: \"only\"},\n\t\tns: \"http://www.w3.org/TR/html4/\",\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`only
` +\n\t\t\t``,\n\t\ttab: Tables{FTable: \"only\"},\n\t\tns: \"http://www.w3schools.com/furniture\",\n\t},\n\t{\n\t\txml: `` +\n\t\t\t`only
` +\n\t\t\t``,\n\t\ttab: Tables{},\n\t\tns: \"something else entirely\",\n\t},\n}\n\nfunc TestUnmarshalNS(t *testing.T) {\n\tfor i, tt := range tables {\n\t\tvar dst Tables\n\t\tvar err error\n\t\tif tt.ns != \"\" {\n\t\t\td := NewDecoder(strings.NewReader(tt.xml))\n\t\t\td.DefaultSpace = tt.ns\n\t\t\terr = d.Decode(&dst)\n\t\t} else {\n\t\t\terr = Unmarshal([]byte(tt.xml), &dst)\n\t\t}\n\t\tif err != nil {\n\t\t\tt.Errorf(\"#%d: Unmarshal: %v\", i, err)\n\t\t\tcontinue\n\t\t}\n\t\twant := tt.tab\n\t\tif dst != want {\n\t\t\tt.Errorf(\"#%d: dst=%+v, want %+v\", i, dst, want)\n\t\t}\n\t}\n}\n\nfunc TestMarshalNS(t *testing.T) {\n\tdst := Tables{\"hello\", \"world\"}\n\tdata, err := Marshal(&dst)\n\tif err != nil {\n\t\tt.Fatalf(\"Marshal: %v\", err)\n\t}\n\twant := `hello
world
`\n\tstr := string(data)\n\tif str != want {\n\t\tt.Errorf(\"have: %q\\nwant: %q\\n\", str, want)\n\t}\n}\n\ntype TableAttrs struct {\n\tTAttr TAttr\n}\n\ntype TAttr struct {\n\tHTable string `xml:\"http://www.w3.org/TR/html4/ table,attr\"`\n\tFTable string `xml:\"http://www.w3schools.com/furniture table,attr\"`\n\tLang string `xml:\"http://www.w3.org/XML/1998/namespace lang,attr,omitempty\"`\n\tOther1 string `xml:\"http://golang.org/xml/ other,attr,omitempty\"`\n\tOther2 string `xml:\"http://golang.org/xmlfoo/ other,attr,omitempty\"`\n\tOther3 string `xml:\"http://golang.org/json/ other,attr,omitempty\"`\n\tOther4 string `xml:\"http://golang.org/2/json/ other,attr,omitempty\"`\n}\n\nvar tableAttrs = []struct {\n\txml string\n\ttab TableAttrs\n\tns string\n}{\n\t{\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"hello\", FTable: \"world\"}},\n\t},\n\t{\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"hello\", FTable: \"world\"}},\n\t},\n\t{\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"hello\", FTable: \"world\"}},\n\t},\n\t{\n\t\t// Default space does not apply to attribute names.\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"hello\", FTable: \"\"}},\n\t},\n\t{\n\t\t// Default space does not apply to attribute names.\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"\", FTable: \"world\"}},\n\t},\n\t{\n\t\txml: ``,\n\t\ttab: TableAttrs{},\n\t},\n\t{\n\t\t// Default space does not apply to attribute names.\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"hello\", FTable: \"\"}},\n\t\tns: \"http://www.w3schools.com/furniture\",\n\t},\n\t{\n\t\t// Default space does not apply to attribute names.\n\t\txml: ``,\n\t\ttab: TableAttrs{TAttr{HTable: \"\", FTable: \"world\"}},\n\t\tns: \"http://www.w3.org/TR/html4/\",\n\t},\n\t{\n\t\txml: ``,\n\t\ttab: TableAttrs{},\n\t\tns: \"something else entirely\",\n\t},\n}\n\nfunc TestUnmarshalNSAttr(t *testing.T) {\n\tfor i, tt := range tableAttrs {\n\t\tvar dst TableAttrs\n\t\tvar err error\n\t\tif tt.ns != \"\" {\n\t\t\td := NewDecoder(strings.NewReader(tt.xml))\n\t\t\td.DefaultSpace = tt.ns\n\t\t\terr = d.Decode(&dst)\n\t\t} else {\n\t\t\terr = Unmarshal([]byte(tt.xml), &dst)\n\t\t}\n\t\tif err != nil {\n\t\t\tt.Errorf(\"#%d: Unmarshal: %v\", i, err)\n\t\t\tcontinue\n\t\t}\n\t\twant := tt.tab\n\t\tif dst != want {\n\t\t\tt.Errorf(\"#%d: dst=%+v, want %+v\", i, dst, want)\n\t\t}\n\t}\n}\n\nfunc TestMarshalNSAttr(t *testing.T) {\n\tsrc := TableAttrs{TAttr{\"hello\", \"world\", \"en_US\", \"other1\", \"other2\", \"other3\", \"other4\"}}\n\tdata, err := Marshal(&src)\n\tif err != nil {\n\t\tt.Fatalf(\"Marshal: %v\", err)\n\t}\n\twant := ``\n\tstr := string(data)\n\tif str != want {\n\t\tt.Errorf(\"Marshal:\\nhave: %#q\\nwant: %#q\\n\", str, want)\n\t}\n\n\tvar dst TableAttrs\n\tif err := Unmarshal(data, &dst); err != nil {\n\t\tt.Errorf(\"Unmarshal: %v\", err)\n\t}\n\n\tif dst != src {\n\t\tt.Errorf(\"Unmarshal = %q, want %q\", dst, src)\n\t}\n}\n\ntype MyCharData struct {\n\tbody string\n}\n\nfunc (m *MyCharData) UnmarshalXML(d *Decoder, start StartElement) error {\n\tfor {\n\t\tt, err := d.Token()\n\t\tif err == io.EOF { // found end of element\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tif char, ok := t.(CharData); ok {\n\t\t\tm.body += string(char.data)\n\t\t}\n\t}\n\treturn nil\n}\n\nvar _ Unmarshaler = (*MyCharData)(nil)\n\nfunc (m *MyCharData) UnmarshalXMLAttr(attr Attr) error {\n\tpanic(\"must not call\")\n}\n\ntype MyAttr struct {\n\tattr string\n}\n\nfunc (m *MyAttr) UnmarshalXMLAttr(attr Attr) error {\n\tm.attr = attr.Value\n\treturn nil\n}\n\nvar _ UnmarshalerAttr = (*MyAttr)(nil)\n\ntype MyStruct struct {\n\tData *MyCharData\n\tAttr *MyAttr `xml:\",attr\"`\n\n\tData2 MyCharData\n\tAttr2 MyAttr `xml:\",attr\"`\n}\n\nfunc TestUnmarshaler(t *testing.T) {\n\txml := `\n\t\t\n\t\thello world\n\t\thowdy world\n\t\t\n\t`\n\n\tvar m MyStruct\n\tif err := Unmarshal([]byte(xml), &m); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif m.Data == nil || m.Attr == nil || m.Data.body != \"hello world\" || m.Attr.attr != \"attr1\" || m.Data2.body != \"howdy world\" || m.Attr2.attr != \"attr2\" {\n\t\tt.Errorf(\"m=%#+v\\n\", m)\n\t}\n}\n\ntype Pea struct {\n\tCotelydon string\n}\n\ntype Pod struct {\n\tPea any `xml:\"Pea\"`\n}\n\n// https://golang.org/issue/6836\nfunc TestUnmarshalIntoInterface(t *testing.T) {\n\tpod := new(Pod)\n\tpod.Pea = new(Pea)\n\txml := `Green stuff`\n\terr := Unmarshal([]byte(xml), pod)\n\tif err != nil {\n\t\tt.Fatalf(\"failed to unmarshal %q: %v\", xml, err)\n\t}\n\tpea, ok := pod.Pea.(*Pea)\n\tif !ok {\n\t\tt.Fatalf(\"unmarshaled into wrong type: have %T want *Pea\", pod.Pea)\n\t}\n\thave, want := pea.Cotelydon, \"Green stuff\"\n\tif have != want {\n\t\tt.Errorf(\"failed to unmarshal into interface, have %q want %q\", have, want)\n\t}\n}\n\ntype X struct {\n\tD string `xml:\",comment\"`\n}\n\n// Issue 11112. Unmarshal must reject invalid comments.\nfunc TestMalformedComment(t *testing.T) {\n\ttestData := []string{\n\t\t\"\",\n\t\t\"\",\n\t\t\"\",\n\t\t\"\",\n\t}\n\tfor i, test := range testData {\n\t\tdata := []byte(test)\n\t\tv := new(X)\n\t\tif err := Unmarshal(data, v); err == nil {\n\t\t\tt.Errorf(\"%d: unmarshal should reject invalid comments\", i)\n\t\t}\n\t}\n}\n\ntype IXField struct {\n\tFive int `xml:\"five\"`\n\tNotInnerXML []string `xml:\",innerxml\"`\n}\n\n// Issue 15600. \",innerxml\" on a field that can't hold it.\nfunc TestInvalidInnerXMLType(t *testing.T) {\n\tv := new(IXField)\n\tif err := Unmarshal([]byte(`5`), v); err != nil {\n\t\tt.Errorf(\"Unmarshal failed: got %v\", err)\n\t}\n\tif v.Five != 5 {\n\t\tt.Errorf(\"Five = %v, want 5\", v.Five)\n\t}\n\tif v.NotInnerXML != nil {\n\t\tt.Errorf(\"NotInnerXML = %v, want nil\", v.NotInnerXML)\n\t}\n}\n\ntype Child struct {\n\tG struct {\n\t\tI int\n\t}\n}\n\ntype ChildToEmbed struct {\n\tX bool\n}\n\ntype Parent struct {\n\tI int\n\tIPtr *int\n\tIs []int\n\tIPtrs []*int\n\tF float32\n\tFPtr *float32\n\tFs []float32\n\tFPtrs []*float32\n\tB bool\n\tBPtr *bool\n\tBs []bool\n\tBPtrs []*bool\n\tBytes []byte\n\tBytesPtr *[]byte\n\tS string\n\tSPtr *string\n\tSs []string\n\tSPtrs []*string\n\tMyI MyInt\n\tChild Child\n\tChildren []Child\n\tChildPtr *Child\n\tChildToEmbed\n}\n\nconst (\n\temptyXML = `\n\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n`\n)\n\n// golang.org/issues/13417\nfunc TestUnmarshalEmptyValues(t *testing.T) {\n\t// Test first with a zero-valued dst.\n\tv := new(Parent)\n\tif err := Unmarshal([]byte(emptyXML), v); err != nil {\n\t\tt.Fatalf(\"zero: Unmarshal failed: got %v\", err)\n\t}\n\n\tzBytes, zInt, zStr, zFloat, zBool := []byte{}, 0, \"\", float32(0), false\n\twant := &Parent{\n\t\tIPtr: &zInt,\n\t\tIs: []int{zInt},\n\t\tIPtrs: []*int{&zInt},\n\t\tFPtr: &zFloat,\n\t\tFs: []float32{zFloat},\n\t\tFPtrs: []*float32{&zFloat},\n\t\tBPtr: &zBool,\n\t\tBs: []bool{zBool},\n\t\tBPtrs: []*bool{&zBool},\n\t\tBytes: []byte{},\n\t\tBytesPtr: &zBytes,\n\t\tSPtr: &zStr,\n\t\tSs: []string{zStr},\n\t\tSPtrs: []*string{&zStr},\n\t\tChildren: []Child{{}},\n\t\tChildPtr: new(Child),\n\t\tChildToEmbed: ChildToEmbed{},\n\t}\n\tif !reflect.DeepEqual(v, want) {\n\t\tt.Fatalf(\"zero: Unmarshal:\\nhave: %#+v\\nwant: %#+v\", v, want)\n\t}\n\n\t// Test with a pre-populated dst.\n\t// Multiple addressable copies, as pointer-to fields will replace value during unmarshal.\n\tvBytes0, vInt0, vStr0, vFloat0, vBool0 := []byte(\"x\"), 1, \"x\", float32(1), true\n\tvBytes1, vInt1, vStr1, vFloat1, vBool1 := []byte(\"x\"), 1, \"x\", float32(1), true\n\tvInt2, vStr2, vFloat2, vBool2 := 1, \"x\", float32(1), true\n\tv = &Parent{\n\t\tI: vInt0,\n\t\tIPtr: &vInt1,\n\t\tIs: []int{vInt0},\n\t\tIPtrs: []*int{&vInt2},\n\t\tF: vFloat0,\n\t\tFPtr: &vFloat1,\n\t\tFs: []float32{vFloat0},\n\t\tFPtrs: []*float32{&vFloat2},\n\t\tB: vBool0,\n\t\tBPtr: &vBool1,\n\t\tBs: []bool{vBool0},\n\t\tBPtrs: []*bool{&vBool2},\n\t\tBytes: vBytes0,\n\t\tBytesPtr: &vBytes1,\n\t\tS: vStr0,\n\t\tSPtr: &vStr1,\n\t\tSs: []string{vStr0},\n\t\tSPtrs: []*string{&vStr2},\n\t\tMyI: MyInt(vInt0),\n\t\tChild: Child{G: struct{ I int }{I: vInt0}},\n\t\tChildren: []Child{{G: struct{ I int }{I: vInt0}}},\n\t\tChildPtr: &Child{G: struct{ I int }{I: vInt0}},\n\t\tChildToEmbed: ChildToEmbed{X: vBool0},\n\t}\n\tif err := Unmarshal([]byte(emptyXML), v); err != nil {\n\t\tt.Fatalf(\"populated: Unmarshal failed: got %v\", err)\n\t}\n\n\twant = &Parent{\n\t\tIPtr: &zInt,\n\t\tIs: []int{vInt0, zInt},\n\t\tIPtrs: []*int{&vInt0, &zInt},\n\t\tFPtr: &zFloat,\n\t\tFs: []float32{vFloat0, zFloat},\n\t\tFPtrs: []*float32{&vFloat0, &zFloat},\n\t\tBPtr: &zBool,\n\t\tBs: []bool{vBool0, zBool},\n\t\tBPtrs: []*bool{&vBool0, &zBool},\n\t\tBytes: []byte{},\n\t\tBytesPtr: &zBytes,\n\t\tSPtr: &zStr,\n\t\tSs: []string{vStr0, zStr},\n\t\tSPtrs: []*string{&vStr0, &zStr},\n\t\tChild: Child{G: struct{ I int }{I: vInt0}}, // I should == zInt0? (zero value)\n\t\tChildren: []Child{{G: struct{ I int }{I: vInt0}}, {}},\n\t\tChildPtr: &Child{G: struct{ I int }{I: vInt0}}, // I should == zInt0? (zero value)\n\t}\n\tif !reflect.DeepEqual(v, want) {\n\t\tt.Fatalf(\"populated: Unmarshal:\\nhave: %#+v\\nwant: %#+v\", v, want)\n\t}\n}\n\ntype WhitespaceValuesParent struct {\n\tBFalse bool\n\tBTrue bool\n\tI int\n\tINeg int\n\tI8 int8\n\tI8Neg int8\n\tI16 int16\n\tI16Neg int16\n\tI32 int32\n\tI32Neg int32\n\tI64 int64\n\tI64Neg int64\n\tUI uint\n\tUI8 uint8\n\tUI16 uint16\n\tUI32 uint32\n\tUI64 uint64\n\tF32 float32\n\tF32Neg float32\n\tF64 float64\n\tF64Neg float64\n}\n\nconst whitespaceValuesXML = `\n\n false \n true \n 266703 \n -266703 \n 112 \n -112 \n 6703 \n -6703 \n 266703 \n -266703 \n 266703 \n -266703 \n 266703 \n 112 \n 6703 \n 266703 \n 266703 \n 266.703 \n -266.703 \n 266.703 \n -266.703 \n\n`\n\n// golang.org/issues/22146\nfunc TestUnmarshalWhitespaceValues(t *testing.T) {\n\tv := WhitespaceValuesParent{}\n\tif err := Unmarshal([]byte(whitespaceValuesXML), &v); err != nil {\n\t\tt.Fatalf(\"whitespace values: Unmarshal failed: got %v\", err)\n\t}\n\n\twant := WhitespaceValuesParent{\n\t\tBFalse: false,\n\t\tBTrue: true,\n\t\tI: 266703,\n\t\tINeg: -266703,\n\t\tI8: 112,\n\t\tI8Neg: -112,\n\t\tI16: 6703,\n\t\tI16Neg: -6703,\n\t\tI32: 266703,\n\t\tI32Neg: -266703,\n\t\tI64: 266703,\n\t\tI64Neg: -266703,\n\t\tUI: 266703,\n\t\tUI8: 112,\n\t\tUI16: 6703,\n\t\tUI32: 266703,\n\t\tUI64: 266703,\n\t\tF32: 266.703,\n\t\tF32Neg: -266.703,\n\t\tF64: 266.703,\n\t\tF64Neg: -266.703,\n\t}\n\tif v != want {\n\t\tt.Fatalf(\"whitespace values: Unmarshal:\\nhave: %#+v\\nwant: %#+v\", v, want)\n\t}\n}\n\ntype WhitespaceAttrsParent struct {\n\tBFalse bool `xml:\",attr\"`\n\tBTrue bool `xml:\",attr\"`\n\tI int `xml:\",attr\"`\n\tINeg int `xml:\",attr\"`\n\tI8 int8 `xml:\",attr\"`\n\tI8Neg int8 `xml:\",attr\"`\n\tI16 int16 `xml:\",attr\"`\n\tI16Neg int16 `xml:\",attr\"`\n\tI32 int32 `xml:\",attr\"`\n\tI32Neg int32 `xml:\",attr\"`\n\tI64 int64 `xml:\",attr\"`\n\tI64Neg int64 `xml:\",attr\"`\n\tUI uint `xml:\",attr\"`\n\tUI8 uint8 `xml:\",attr\"`\n\tUI16 uint16 `xml:\",attr\"`\n\tUI32 uint32 `xml:\",attr\"`\n\tUI64 uint64 `xml:\",attr\"`\n\tF32 float32 `xml:\",attr\"`\n\tF32Neg float32 `xml:\",attr\"`\n\tF64 float64 `xml:\",attr\"`\n\tF64Neg float64 `xml:\",attr\"`\n}\n\nconst whitespaceAttrsXML = `\n\n\n`\n\n// golang.org/issues/22146\nfunc TestUnmarshalWhitespaceAttrs(t *testing.T) {\n\tv := WhitespaceAttrsParent{}\n\tif err := Unmarshal([]byte(whitespaceAttrsXML), &v); err != nil {\n\t\tt.Fatalf(\"whitespace attrs: Unmarshal failed: got %v\", err)\n\t}\n\n\twant := WhitespaceAttrsParent{\n\t\tBFalse: false,\n\t\tBTrue: true,\n\t\tI: 266703,\n\t\tINeg: -266703,\n\t\tI8: 112,\n\t\tI8Neg: -112,\n\t\tI16: 6703,\n\t\tI16Neg: -6703,\n\t\tI32: 266703,\n\t\tI32Neg: -266703,\n\t\tI64: 266703,\n\t\tI64Neg: -266703,\n\t\tUI: 266703,\n\t\tUI8: 112,\n\t\tUI16: 6703,\n\t\tUI32: 266703,\n\t\tUI64: 266703,\n\t\tF32: 266.703,\n\t\tF32Neg: -266.703,\n\t\tF64: 266.703,\n\t\tF64Neg: -266.703,\n\t}\n\tif v != want {\n\t\tt.Fatalf(\"whitespace attrs: Unmarshal:\\nhave: %#+v\\nwant: %#+v\", v, want)\n\t}\n}\n\n// golang.org/issues/53350\nfunc TestUnmarshalIntoNil(t *testing.T) {\n\ttype T struct {\n\t\tA int `xml:\"A\"`\n\t}\n\n\tvar nilPointer *T\n\terr := Unmarshal([]byte(\"1\"), nilPointer)\n\n\tif err == nil {\n\t\tt.Fatalf(\"no error in unmarshaling\")\n\t}\n\n}\n\nfunc TestCVE202228131(t *testing.T) {\n\ttype nested struct {\n\t\tParent *nested `xml:\",any\"`\n\t}\n\tvar n nested\n\terr := Unmarshal(bytes.Repeat([]byte(\"\"), maxUnmarshalDepth+1), &n)\n\tif err == nil {\n\t\tt.Fatal(\"Unmarshal did not fail\")\n\t} else if !errors.Is(err, errUnmarshalDepth) {\n\t\tt.Fatalf(\"Unmarshal unexpected error: got %q, want %q\", err, errUnmarshalDepth)\n\t}\n}\n\nfunc TestCVE202230633(t *testing.T) {\n\tif testing.Short() || runtime.GOARCH == \"wasm\" {\n\t\tt.Skip(\"test requires significant memory\")\n\t}\n\tdefer func() {\n\t\tp := recover()\n\t\tif p != nil {\n\t\t\tt.Fatal(\"Unmarshal panicked\")\n\t\t}\n\t}()\n\tvar example struct {\n\t\tThings []string\n\t}\n\tUnmarshal(bytes.Repeat([]byte(\"\"), 17_000_000), &example)\n}\n" }, { "path": "internal/thirdparty/xml/typeinfo.go", "content": "// Copyright 2011 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage xml\n\nimport (\n\t\"fmt\"\n\t\"reflect\"\n\t\"strings\"\n\t\"sync\"\n)\n\n// typeInfo holds details for the xml representation of a type.\ntype typeInfo struct {\n\txmlname *fieldInfo\n\tfields []fieldInfo\n}\n\n// fieldInfo holds details for the xml representation of a single field.\ntype fieldInfo struct {\n\tidx []int\n\tname string\n\txmlns string\n\tflags fieldFlags\n\tparents []string\n}\n\ntype fieldFlags int\n\nconst (\n\tfElement fieldFlags = 1 << iota\n\tfAttr\n\tfCDATA\n\tfCharData\n\tfInnerXML\n\tfComment\n\tfAny\n\n\tfOmitEmpty\n\n\tfMode = fElement | fAttr | fCDATA | fCharData | fInnerXML | fComment | fAny\n\n\txmlName = \"XMLName\"\n)\n\nvar tinfoMap sync.Map // map[reflect.Type]*typeInfo\n\nvar nameType = reflect.TypeFor[Name]()\n\n// getTypeInfo returns the typeInfo structure with details necessary\n// for marshaling and unmarshaling typ.\nfunc getTypeInfo(typ reflect.Type) (*typeInfo, error) {\n\tif ti, ok := tinfoMap.Load(typ); ok {\n\t\treturn ti.(*typeInfo), nil\n\t}\n\n\ttinfo := &typeInfo{}\n\tif typ.Kind() == reflect.Struct && typ != nameType {\n\t\tn := typ.NumField()\n\t\tfor i := 0; i < n; i++ {\n\t\t\tf := typ.Field(i)\n\t\t\tif (!f.IsExported() && !f.Anonymous) || f.Tag.Get(\"xml\") == \"-\" {\n\t\t\t\tcontinue // Private field\n\t\t\t}\n\n\t\t\t// For embedded structs, embed its fields.\n\t\t\tif f.Anonymous {\n\t\t\t\tt := f.Type\n\t\t\t\tif t.Kind() == reflect.Pointer {\n\t\t\t\t\tt = t.Elem()\n\t\t\t\t}\n\t\t\t\tif t.Kind() == reflect.Struct {\n\t\t\t\t\tinner, err := getTypeInfo(t)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn nil, err\n\t\t\t\t\t}\n\t\t\t\t\tif tinfo.xmlname == nil {\n\t\t\t\t\t\ttinfo.xmlname = inner.xmlname\n\t\t\t\t\t}\n\t\t\t\t\tfor _, finfo := range inner.fields {\n\t\t\t\t\t\tfinfo.idx = append([]int{i}, finfo.idx...)\n\t\t\t\t\t\tif err := addFieldInfo(typ, tinfo, &finfo); err != nil {\n\t\t\t\t\t\t\treturn nil, err\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tfinfo, err := structFieldInfo(typ, &f)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\n\t\t\tif f.Name == xmlName {\n\t\t\t\ttinfo.xmlname = finfo\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\t// Add the field if it doesn't conflict with other fields.\n\t\t\tif err := addFieldInfo(typ, tinfo, finfo); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t}\n\t}\n\n\tti, _ := tinfoMap.LoadOrStore(typ, tinfo)\n\treturn ti.(*typeInfo), nil\n}\n\n// structFieldInfo builds and returns a fieldInfo for f.\nfunc structFieldInfo(typ reflect.Type, f *reflect.StructField) (*fieldInfo, error) {\n\tfinfo := &fieldInfo{idx: f.Index}\n\n\t// Split the tag from the xml namespace if necessary.\n\ttag := f.Tag.Get(\"xml\")\n\tif ns, t, ok := strings.Cut(tag, \" \"); ok {\n\t\tfinfo.xmlns, tag = ns, t\n\t}\n\n\t// Parse flags.\n\ttokens := strings.Split(tag, \",\")\n\tif len(tokens) == 1 {\n\t\tfinfo.flags = fElement\n\t} else {\n\t\ttag = tokens[0]\n\t\tfor _, flag := range tokens[1:] {\n\t\t\tswitch flag {\n\t\t\tcase \"attr\":\n\t\t\t\tfinfo.flags |= fAttr\n\t\t\tcase \"cdata\":\n\t\t\t\tfinfo.flags |= fCDATA\n\t\t\tcase \"chardata\":\n\t\t\t\tfinfo.flags |= fCharData\n\t\t\tcase \"innerxml\":\n\t\t\t\tfinfo.flags |= fInnerXML\n\t\t\tcase \"comment\":\n\t\t\t\tfinfo.flags |= fComment\n\t\t\tcase \"any\":\n\t\t\t\tfinfo.flags |= fAny\n\t\t\tcase \"omitempty\":\n\t\t\t\tfinfo.flags |= fOmitEmpty\n\t\t\t}\n\t\t}\n\n\t\t// Validate the flags used.\n\t\tvalid := true\n\t\tswitch mode := finfo.flags & fMode; mode {\n\t\tcase 0:\n\t\t\tfinfo.flags |= fElement\n\t\tcase fAttr, fCDATA, fCharData, fInnerXML, fComment, fAny, fAny | fAttr:\n\t\t\tif f.Name == xmlName || tag != \"\" && mode != fAttr {\n\t\t\t\tvalid = false\n\t\t\t}\n\t\tdefault:\n\t\t\t// This will also catch multiple modes in a single field.\n\t\t\tvalid = false\n\t\t}\n\t\tif finfo.flags&fMode == fAny {\n\t\t\tfinfo.flags |= fElement\n\t\t}\n\t\tif finfo.flags&fOmitEmpty != 0 && finfo.flags&(fElement|fAttr) == 0 {\n\t\t\tvalid = false\n\t\t}\n\t\tif !valid {\n\t\t\treturn nil, fmt.Errorf(\"xml: invalid tag in field %s of type %s: %q\",\n\t\t\t\tf.Name, typ, f.Tag.Get(\"xml\"))\n\t\t}\n\t}\n\n\t// Use of xmlns without a name is not allowed.\n\tif finfo.xmlns != \"\" && tag == \"\" {\n\t\treturn nil, fmt.Errorf(\"xml: namespace without name in field %s of type %s: %q\",\n\t\t\tf.Name, typ, f.Tag.Get(\"xml\"))\n\t}\n\n\tif f.Name == xmlName {\n\t\t// The XMLName field records the XML element name. Don't\n\t\t// process it as usual because its name should default to\n\t\t// empty rather than to the field name.\n\t\tfinfo.name = tag\n\t\treturn finfo, nil\n\t}\n\n\tif tag == \"\" {\n\t\t// If the name part of the tag is completely empty, get\n\t\t// default from XMLName of underlying struct if feasible,\n\t\t// or field name otherwise.\n\t\tif xmlname := lookupXMLName(f.Type); xmlname != nil {\n\t\t\tfinfo.xmlns, finfo.name = xmlname.xmlns, xmlname.name\n\t\t} else {\n\t\t\tfinfo.name = f.Name\n\t\t}\n\t\treturn finfo, nil\n\t}\n\n\t// Prepare field name and parents.\n\tparents := strings.Split(tag, \">\")\n\tif parents[0] == \"\" {\n\t\tparents[0] = f.Name\n\t}\n\tif parents[len(parents)-1] == \"\" {\n\t\treturn nil, fmt.Errorf(\"xml: trailing '>' in field %s of type %s\", f.Name, typ)\n\t}\n\tfinfo.name = parents[len(parents)-1]\n\tif len(parents) > 1 {\n\t\tif (finfo.flags & fElement) == 0 {\n\t\t\treturn nil, fmt.Errorf(\"xml: %s chain not valid with %s flag\", tag, strings.Join(tokens[1:], \",\"))\n\t\t}\n\t\tfinfo.parents = parents[:len(parents)-1]\n\t}\n\n\t// If the field type has an XMLName field, the names must match\n\t// so that the behavior of both marshaling and unmarshaling\n\t// is straightforward and unambiguous.\n\tif finfo.flags&fElement != 0 {\n\t\tftyp := f.Type\n\t\txmlname := lookupXMLName(ftyp)\n\t\tif xmlname != nil && xmlname.name != finfo.name {\n\t\t\treturn nil, fmt.Errorf(\"xml: name %q in tag of %s.%s conflicts with name %q in %s.XMLName\",\n\t\t\t\tfinfo.name, typ, f.Name, xmlname.name, ftyp)\n\t\t}\n\t}\n\treturn finfo, nil\n}\n\n// lookupXMLName returns the fieldInfo for typ's XMLName field\n// in case it exists and has a valid xml field tag, otherwise\n// it returns nil.\nfunc lookupXMLName(typ reflect.Type) (xmlname *fieldInfo) {\n\tfor typ.Kind() == reflect.Pointer {\n\t\ttyp = typ.Elem()\n\t}\n\tif typ.Kind() != reflect.Struct {\n\t\treturn nil\n\t}\n\tfor i, n := 0, typ.NumField(); i < n; i++ {\n\t\tf := typ.Field(i)\n\t\tif f.Name != xmlName {\n\t\t\tcontinue\n\t\t}\n\t\tfinfo, err := structFieldInfo(typ, &f)\n\t\tif err == nil && finfo.name != \"\" {\n\t\t\treturn finfo\n\t\t}\n\t\t// Also consider errors as a non-existent field tag\n\t\t// and let getTypeInfo itself report the error.\n\t\tbreak\n\t}\n\treturn nil\n}\n\n// addFieldInfo adds finfo to tinfo.fields if there are no\n// conflicts, or if conflicts arise from previous fields that were\n// obtained from deeper embedded structures than finfo. In the latter\n// case, the conflicting entries are dropped.\n// A conflict occurs when the path (parent + name) to a field is\n// itself a prefix of another path, or when two paths match exactly.\n// It is okay for field paths to share a common, shorter prefix.\nfunc addFieldInfo(typ reflect.Type, tinfo *typeInfo, newf *fieldInfo) error {\n\tvar conflicts []int\nLoop:\n\t// First, figure all conflicts. Most working code will have none.\n\tfor i := range tinfo.fields {\n\t\toldf := &tinfo.fields[i]\n\t\tif oldf.flags&fMode != newf.flags&fMode {\n\t\t\tcontinue\n\t\t}\n\t\tif oldf.xmlns != \"\" && newf.xmlns != \"\" && oldf.xmlns != newf.xmlns {\n\t\t\tcontinue\n\t\t}\n\t\tminl := min(len(newf.parents), len(oldf.parents))\n\t\tfor p := 0; p < minl; p++ {\n\t\t\tif oldf.parents[p] != newf.parents[p] {\n\t\t\t\tcontinue Loop\n\t\t\t}\n\t\t}\n\t\tif len(oldf.parents) > len(newf.parents) {\n\t\t\tif oldf.parents[len(newf.parents)] == newf.name {\n\t\t\t\tconflicts = append(conflicts, i)\n\t\t\t}\n\t\t} else if len(oldf.parents) < len(newf.parents) {\n\t\t\tif newf.parents[len(oldf.parents)] == oldf.name {\n\t\t\t\tconflicts = append(conflicts, i)\n\t\t\t}\n\t\t} else {\n\t\t\tif newf.name == oldf.name && newf.xmlns == oldf.xmlns {\n\t\t\t\tconflicts = append(conflicts, i)\n\t\t\t}\n\t\t}\n\t}\n\t// Without conflicts, add the new field and return.\n\tif conflicts == nil {\n\t\ttinfo.fields = append(tinfo.fields, *newf)\n\t\treturn nil\n\t}\n\n\t// If any conflict is shallower, ignore the new field.\n\t// This matches the Go field resolution on embedding.\n\tfor _, i := range conflicts {\n\t\tif len(tinfo.fields[i].idx) < len(newf.idx) {\n\t\t\treturn nil\n\t\t}\n\t}\n\n\t// Otherwise, if any of them is at the same depth level, it's an error.\n\tfor _, i := range conflicts {\n\t\toldf := &tinfo.fields[i]\n\t\tif len(oldf.idx) == len(newf.idx) {\n\t\t\tf1 := typ.FieldByIndex(oldf.idx)\n\t\t\tf2 := typ.FieldByIndex(newf.idx)\n\t\t\treturn &TagPathError{typ, f1.Name, f1.Tag.Get(\"xml\"), f2.Name, f2.Tag.Get(\"xml\")}\n\t\t}\n\t}\n\n\t// Otherwise, the new field is shallower, and thus takes precedence,\n\t// so drop the conflicting fields from tinfo and append the new one.\n\tfor c := len(conflicts) - 1; c >= 0; c-- {\n\t\ti := conflicts[c]\n\t\tcopy(tinfo.fields[i:], tinfo.fields[i+1:])\n\t\ttinfo.fields = tinfo.fields[:len(tinfo.fields)-1]\n\t}\n\ttinfo.fields = append(tinfo.fields, *newf)\n\treturn nil\n}\n\n// A TagPathError represents an error in the unmarshaling process\n// caused by the use of field tags with conflicting paths.\ntype TagPathError struct {\n\tStruct reflect.Type\n\tField1, Tag1 string\n\tField2, Tag2 string\n}\n\nfunc (e *TagPathError) Error() string {\n\treturn fmt.Sprintf(\"%s field %q with tag %q conflicts with field %q with tag %q\", e.Struct, e.Field1, e.Tag1, e.Field2, e.Tag2)\n}\n\nconst (\n\tinitNilPointers = true\n\tdontInitNilPointers = false\n)\n\n// value returns v's field value corresponding to finfo.\n// It's equivalent to v.FieldByIndex(finfo.idx), but when passed\n// initNilPointers, it initializes and dereferences pointers as necessary.\n// When passed dontInitNilPointers and a nil pointer is reached, the function\n// returns a zero reflect.Value.\nfunc (finfo *fieldInfo) value(v reflect.Value, shouldInitNilPointers bool) reflect.Value {\n\tfor i, x := range finfo.idx {\n\t\tif i > 0 {\n\t\t\tt := v.Type()\n\t\t\tif t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct {\n\t\t\t\tif v.IsNil() {\n\t\t\t\t\tif !shouldInitNilPointers {\n\t\t\t\t\t\treturn reflect.Value{}\n\t\t\t\t\t}\n\t\t\t\t\tv.Set(reflect.New(v.Type().Elem()))\n\t\t\t\t}\n\t\t\t\tv = v.Elem()\n\t\t\t}\n\t\t}\n\t\tv = v.Field(x)\n\t}\n\treturn v\n}\n" }, { "path": "internal/thirdparty/xml/xml.go", "content": "// Copyright 2009 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// Package xml implements a simple XML 1.0 parser that\n// understands XML name spaces.\n//\n// Marshalling self-closing tags are not supported in Go.\n// https://github.com/golang/go/issues/21399\n// With the current implementation, self-closing tags are expanded\n// to both StartElement and EndElement.\n// We would like to have our own implementation of decoder so that\n// self-closing tags are read and written with minimum diff.\npackage xml\n\n// References:\n// Annotated XML spec: https://www.xml.com/axml/testaxml.htm\n// XML name spaces: https://www.w3.org/TR/REC-xml-names/\n\nimport (\n\t\"bufio\"\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"strconv\"\n\t\"strings\"\n\t\"unicode\"\n\t\"unicode/utf8\"\n)\n\n// A SyntaxError represents a syntax error in the XML input stream.\ntype SyntaxError struct {\n\tMsg string\n\tLine int\n}\n\nfunc (e *SyntaxError) Error() string {\n\treturn \"XML syntax error on line \" + strconv.Itoa(e.Line) + \": \" + e.Msg\n}\n\n// A Name represents an XML name (Local) annotated\n// with a name space identifier (Space).\n// In tokens returned by [Decoder.Token], the Space identifier\n// is given as a canonical URL, not the short prefix used\n// in the document being parsed.\ntype Name struct {\n\tSpace, Local string\n}\n\n// An Attr represents an attribute in an XML element (Name=Value).\ntype Attr struct {\n\tName Name\n\tValue string\n\tDiff string // Diff whitespace between two attributes\n}\n\n// A Token is an interface holding one of the token types:\n// [StartElement], [EndElement], [CharData], [Comment], [ProcInst], or [Directive].\ntype Token any\n\n// A StartElement represents an XML start element.\ntype StartElement struct {\n\tName Name\n\tAttr []Attr\n\n\tEmpty bool // Whether this is an empty element\n\tDiff string // Any extra space for empty element\n}\n\n// Copy creates a new copy of StartElement.\nfunc (e StartElement) Copy() StartElement {\n\tattrs := make([]Attr, len(e.Attr))\n\tcopy(attrs, e.Attr)\n\te.Attr = attrs\n\treturn e\n}\n\n// End returns the corresponding XML end element.\nfunc (e StartElement) End() EndElement {\n\treturn EndElement{e.Name, e.Empty}\n}\n\n// An EndElement represents an XML end element.\ntype EndElement struct {\n\tName Name\n\tEmpty bool\n}\n\n// A CharData represents XML character data (raw text).\n// XML escape sequences are replaced by the characters they represent in data.\n// origin holds the original text that escape sequences are not changed.\n// cdata indicates whether text 'CDATA' is in the raw text.\ntype CharData struct {\n\tdata []byte\n\torigin []byte\n\tcdata bool\n}\n\n// Copy creates a new copy of CharData.\nfunc (c CharData) Copy() CharData {\n\treturn CharData{bytes.Clone(c.data), bytes.Clone(c.origin), c.cdata}\n}\n\n// A Comment represents an XML comment of the form .\n// The bytes do not include the comment markers.\ntype Comment []byte\n\n// Copy creates a new copy of Comment.\nfunc (c Comment) Copy() Comment { return Comment(bytes.Clone(c)) }\n\n// A ProcInst represents an XML processing instruction of the form \ntype ProcInst struct {\n\tTarget string\n\tInst []byte\n}\n\n// Copy creates a new copy of ProcInst.\nfunc (p ProcInst) Copy() ProcInst {\n\tp.Inst = bytes.Clone(p.Inst)\n\treturn p\n}\n\n// A Directive represents an XML directive of the form .\n// The bytes do not include the markers.\ntype Directive []byte\n\n// Copy creates a new copy of Directive.\nfunc (d Directive) Copy() Directive { return Directive(bytes.Clone(d)) }\n\n// CopyToken returns a copy of a Token.\nfunc CopyToken(t Token) Token {\n\tswitch v := t.(type) {\n\tcase CharData:\n\t\treturn v.Copy()\n\tcase Comment:\n\t\treturn v.Copy()\n\tcase Directive:\n\t\treturn v.Copy()\n\tcase ProcInst:\n\t\treturn v.Copy()\n\tcase StartElement:\n\t\treturn v.Copy()\n\t}\n\treturn t\n}\n\n// A TokenReader is anything that can decode a stream of XML tokens, including a\n// [Decoder].\n//\n// When Token encounters an error or end-of-file condition after successfully\n// reading a token, it returns the token. It may return the (non-nil) error from\n// the same call or return the error (and a nil token) from a subsequent call.\n// An instance of this general case is that a TokenReader returning a non-nil\n// token at the end of the token stream may return either io.EOF or a nil error.\n// The next Read should return nil, [io.EOF].\n//\n// Implementations of Token are discouraged from returning a nil token with a\n// nil error. Callers should treat a return of nil, nil as indicating that\n// nothing happened; in particular it does not indicate EOF.\ntype TokenReader interface {\n\tToken() (Token, error)\n}\n\n// A Decoder represents an XML parser reading a particular input stream.\n// The parser assumes that its input is encoded in UTF-8.\ntype Decoder struct {\n\t// Strict defaults to true, enforcing the requirements\n\t// of the XML specification.\n\t// If set to false, the parser allows input containing common\n\t// mistakes:\n\t//\t* If an element is missing an end tag, the parser invents\n\t//\t end tags as necessary to keep the return values from Token\n\t//\t properly balanced.\n\t//\t* In attribute values and character data, unknown or malformed\n\t//\t character entities (sequences beginning with &) are left alone.\n\t//\n\t// Setting:\n\t//\n\t//\td.Strict = false\n\t//\td.AutoClose = xml.HTMLAutoClose\n\t//\td.Entity = xml.HTMLEntity\n\t//\n\t// creates a parser that can handle typical HTML.\n\t//\n\t// Strict mode does not enforce the requirements of the XML name spaces TR.\n\t// In particular it does not reject name space tags using undefined prefixes.\n\t// Such tags are recorded with the unknown prefix as the name space URL.\n\tStrict bool\n\n\t// When Strict == false, AutoClose indicates a set of elements to\n\t// consider closed immediately after they are opened, regardless\n\t// of whether an end element is present.\n\tAutoClose []string\n\n\t// Entity can be used to map non-standard entity names to string replacements.\n\t// The parser behaves as if these standard mappings are present in the map,\n\t// regardless of the actual map content:\n\t//\n\t//\t\"lt\": \"<\",\n\t//\t\"gt\": \">\",\n\t//\t\"amp\": \"&\",\n\t//\t\"apos\": \"'\",\n\t//\t\"quot\": `\"`,\n\tEntity map[string]string\n\n\t// CharsetReader, if non-nil, defines a function to generate\n\t// charset-conversion readers, converting from the provided\n\t// non-UTF-8 charset into UTF-8. If CharsetReader is nil or\n\t// returns an error, parsing stops with an error. One of the\n\t// CharsetReader's result values must be non-nil.\n\tCharsetReader func(charset string, input io.Reader) (io.Reader, error)\n\n\t// DefaultSpace sets the default name space used for unadorned tags,\n\t// as if the entire XML stream were wrapped in an element containing\n\t// the attribute xmlns=\"DefaultSpace\".\n\tDefaultSpace string\n\n\tr io.ByteReader\n\tt TokenReader\n\tbuf bytes.Buffer\n\tsaved *bytes.Buffer\n\tstk *stack\n\tfree *stack\n\tneedClose bool\n\ttoClose Name\n\tnextToken Token\n\tnextByte int\n\tns map[string]string\n\terr error\n\tline int\n\tlinestart int64\n\toffset int64\n\tunmarshalDepth int\n}\n\n// NewDecoder creates a new XML parser reading from r.\n// If r does not implement [io.ByteReader], NewDecoder will\n// do its own buffering.\nfunc NewDecoder(r io.Reader) *Decoder {\n\td := &Decoder{\n\t\tns: make(map[string]string),\n\t\tnextByte: -1,\n\t\tline: 1,\n\t\tStrict: true,\n\t}\n\td.switchToReader(r)\n\treturn d\n}\n\n// NewTokenDecoder creates a new XML parser using an underlying token stream.\nfunc NewTokenDecoder(t TokenReader) *Decoder {\n\t// Is it already a Decoder?\n\tif d, ok := t.(*Decoder); ok {\n\t\treturn d\n\t}\n\td := &Decoder{\n\t\tns: make(map[string]string),\n\t\tt: t,\n\t\tnextByte: -1,\n\t\tline: 1,\n\t\tStrict: true,\n\t}\n\treturn d\n}\n\n// Token returns the next XML token in the input stream.\n// At the end of the input stream, Token returns nil, [io.EOF].\n//\n// Slices of bytes in the returned token data refer to the\n// parser's internal buffer and remain valid only until the next\n// call to Token. To acquire a copy of the bytes, call [CopyToken]\n// or the token's Copy method.\n//\n// Token expands self-closing elements such as
\n// into separate start and end elements returned by successive calls.\n//\n// Token guarantees that the [StartElement] and [EndElement]\n// tokens it returns are properly nested and matched:\n// if Token encounters an unexpected end element\n// or EOF before all expected end elements,\n// it will return an error.\n//\n// If [Decoder.CharsetReader] is called and returns an error,\n// the error is wrapped and returned.\n//\n// Token implements XML name spaces as described by\n// https://www.w3.org/TR/REC-xml-names/. Each of the\n// [Name] structures contained in the Token has the Space\n// set to the URL identifying its name space when known.\n// If Token encounters an unrecognized name space prefix,\n// it uses the prefix as the Space rather than report an error.\nfunc (d *Decoder) Token() (Token, error) {\n\tvar t Token\n\tvar err error\n\tif d.stk != nil && d.stk.kind == stkEOF {\n\t\treturn nil, io.EOF\n\t}\n\tif d.nextToken != nil {\n\t\tt = d.nextToken\n\t\td.nextToken = nil\n\t} else {\n\t\tif t, err = d.rawToken(); t == nil && err != nil {\n\t\t\tif err == io.EOF && d.stk != nil && d.stk.kind != stkEOF {\n\t\t\t\terr = d.syntaxError(\"unexpected EOF\")\n\t\t\t}\n\t\t\treturn nil, err\n\t\t}\n\t\t// We still have a token to process, so clear any\n\t\t// errors (e.g. EOF) and proceed.\n\t\terr = nil\n\t}\n\tif !d.Strict {\n\t\tif t1, ok := d.autoClose(t); ok {\n\t\t\td.nextToken = t\n\t\t\tt = t1\n\t\t}\n\t}\n\tswitch t1 := t.(type) {\n\tcase StartElement:\n\t\t// In XML name spaces, the translations listed in the\n\t\t// attributes apply to the element name and\n\t\t// to the other attribute names, so process\n\t\t// the translations first.\n\t\tfor _, a := range t1.Attr {\n\t\t\tif a.Name.Space == xmlnsPrefix {\n\t\t\t\tv, ok := d.ns[a.Name.Local]\n\t\t\t\td.pushNs(a.Name.Local, v, ok)\n\t\t\t\td.ns[a.Name.Local] = a.Value\n\t\t\t}\n\t\t\tif a.Name.Space == \"\" && a.Name.Local == xmlnsPrefix {\n\t\t\t\t// Default space for untagged names\n\t\t\t\tv, ok := d.ns[\"\"]\n\t\t\t\td.pushNs(\"\", v, ok)\n\t\t\t\td.ns[\"\"] = a.Value\n\t\t\t}\n\t\t}\n\n\t\td.pushElement(t1.Name)\n\t\td.translate(&t1.Name, true)\n\t\tfor i := range t1.Attr {\n\t\t\td.translate(&t1.Attr[i].Name, false)\n\t\t}\n\t\tt = t1\n\n\tcase EndElement:\n\t\tif !d.popElement(&t1) {\n\t\t\treturn nil, d.err\n\t\t}\n\t\tt = t1\n\t}\n\treturn t, err\n}\n\nconst (\n\txmlURL = \"http://www.w3.org/XML/1998/namespace\"\n\txmlnsPrefix = \"xmlns\"\n\txmlPrefix = \"xml\"\n)\n\n// Apply name space translation to name n.\n// The default name space (for Space==\"\")\n// applies only to element names, not to attribute names.\nfunc (d *Decoder) translate(n *Name, isElementName bool) {\n\tswitch {\n\tcase n.Space == xmlnsPrefix:\n\t\treturn\n\tcase n.Space == \"\" && !isElementName:\n\t\treturn\n\tcase n.Space == xmlPrefix:\n\t\tn.Space = xmlURL\n\tcase n.Space == \"\" && n.Local == xmlnsPrefix:\n\t\treturn\n\t}\n\tif v, ok := d.ns[n.Space]; ok {\n\t\tn.Space = v\n\t} else if n.Space == \"\" {\n\t\tn.Space = d.DefaultSpace\n\t}\n}\n\nfunc (d *Decoder) switchToReader(r io.Reader) {\n\t// Get efficient byte at a time reader.\n\t// Assume that if reader has its own\n\t// ReadByte, it's efficient enough.\n\t// Otherwise, use bufio.\n\tif rb, ok := r.(io.ByteReader); ok {\n\t\td.r = rb\n\t} else {\n\t\td.r = bufio.NewReader(r)\n\t}\n}\n\n// Parsing state - stack holds old name space translations\n// and the current set of open elements. The translations to pop when\n// ending a given tag are *below* it on the stack, which is\n// more work but forced on us by XML.\ntype stack struct {\n\tnext *stack\n\tkind int\n\tname Name\n\tok bool\n}\n\nconst (\n\tstkStart = iota\n\tstkNs\n\tstkEOF\n)\n\nfunc (d *Decoder) push(kind int) *stack {\n\ts := d.free\n\tif s != nil {\n\t\td.free = s.next\n\t} else {\n\t\ts = new(stack)\n\t}\n\ts.next = d.stk\n\ts.kind = kind\n\td.stk = s\n\treturn s\n}\n\nfunc (d *Decoder) pop() *stack {\n\ts := d.stk\n\tif s != nil {\n\t\td.stk = s.next\n\t\ts.next = d.free\n\t\td.free = s\n\t}\n\treturn s\n}\n\n// Record that after the current element is finished\n// (that element is already pushed on the stack)\n// Token should return EOF until popEOF is called.\nfunc (d *Decoder) pushEOF() {\n\t// Walk down stack to find Start.\n\t// It might not be the top, because there might be stkNs\n\t// entries above it.\n\tstart := d.stk\n\tfor start.kind != stkStart {\n\t\tstart = start.next\n\t}\n\t// The stkNs entries below a start are associated with that\n\t// element too; skip over them.\n\tfor start.next != nil && start.next.kind == stkNs {\n\t\tstart = start.next\n\t}\n\ts := d.free\n\tif s != nil {\n\t\td.free = s.next\n\t} else {\n\t\ts = new(stack)\n\t}\n\ts.kind = stkEOF\n\ts.next = start.next\n\tstart.next = s\n}\n\n// Undo a pushEOF.\n// The element must have been finished, so the EOF should be at the top of the stack.\nfunc (d *Decoder) popEOF() bool {\n\tif d.stk == nil || d.stk.kind != stkEOF {\n\t\treturn false\n\t}\n\td.pop()\n\treturn true\n}\n\n// Record that we are starting an element with the given name.\nfunc (d *Decoder) pushElement(name Name) {\n\ts := d.push(stkStart)\n\ts.name = name\n}\n\n// Record that we are changing the value of ns[local].\n// The old value is url, ok.\nfunc (d *Decoder) pushNs(local string, url string, ok bool) {\n\ts := d.push(stkNs)\n\ts.name.Local = local\n\ts.name.Space = url\n\ts.ok = ok\n}\n\n// Creates a SyntaxError with the current line number.\nfunc (d *Decoder) syntaxError(msg string) error {\n\treturn &SyntaxError{Msg: msg, Line: d.line}\n}\n\n// Record that we are ending an element with the given name.\n// The name must match the record at the top of the stack,\n// which must be a pushElement record.\n// After popping the element, apply any undo records from\n// the stack to restore the name translations that existed\n// before we saw this element.\nfunc (d *Decoder) popElement(t *EndElement) bool {\n\ts := d.pop()\n\tname := t.Name\n\tswitch {\n\tcase s == nil || s.kind != stkStart:\n\t\td.err = d.syntaxError(\"unexpected end element \")\n\t\treturn false\n\tcase s.name.Local != name.Local:\n\t\tif !d.Strict {\n\t\t\td.needClose = true\n\t\t\td.toClose = t.Name\n\t\t\tt.Name = s.name\n\t\t\treturn true\n\t\t}\n\t\td.err = d.syntaxError(\"element <\" + s.name.Local + \"> closed by \")\n\t\treturn false\n\tcase s.name.Space != name.Space:\n\t\tns := name.Space\n\t\tif name.Space == \"\" {\n\t\t\tns = `\"\"`\n\t\t}\n\t\td.err = d.syntaxError(\"element <\" + s.name.Local + \"> in space \" + s.name.Space +\n\t\t\t\" closed by in space \" + ns)\n\t\treturn false\n\t}\n\n\td.translate(&t.Name, true)\n\n\t// Pop stack until a Start or EOF is on the top, undoing the\n\t// translations that were associated with the element we just closed.\n\tfor d.stk != nil && d.stk.kind != stkStart && d.stk.kind != stkEOF {\n\t\ts := d.pop()\n\t\tif s.ok {\n\t\t\td.ns[s.name.Local] = s.name.Space\n\t\t} else {\n\t\t\tdelete(d.ns, s.name.Local)\n\t\t}\n\t}\n\n\treturn true\n}\n\n// If the top element on the stack is autoclosing and\n// t is not the end tag, invent the end tag.\nfunc (d *Decoder) autoClose(t Token) (Token, bool) {\n\tif d.stk == nil || d.stk.kind != stkStart {\n\t\treturn nil, false\n\t}\n\tfor _, s := range d.AutoClose {\n\t\tif strings.EqualFold(s, d.stk.name.Local) {\n\t\t\t// This one should be auto closed if t doesn't close it.\n\t\t\tet, ok := t.(EndElement)\n\t\t\tif !ok || !strings.EqualFold(et.Name.Local, d.stk.name.Local) {\n\t\t\t\treturn EndElement{d.stk.name, et.Empty}, true\n\t\t\t}\n\t\t\tbreak\n\t\t}\n\t}\n\treturn nil, false\n}\n\nvar errRawToken = errors.New(\"xml: cannot use RawToken from UnmarshalXML method\")\n\n// RawToken is like [Decoder.Token] but does not verify that\n// start and end elements match and does not translate\n// name space prefixes to their corresponding URLs.\nfunc (d *Decoder) RawToken() (Token, error) {\n\tif d.unmarshalDepth > 0 {\n\t\treturn nil, errRawToken\n\t}\n\treturn d.rawToken()\n}\n\nfunc (d *Decoder) rawToken() (Token, error) {\n\tif d.t != nil {\n\t\treturn d.t.Token()\n\t}\n\tif d.err != nil {\n\t\treturn nil, d.err\n\t}\n\tif d.needClose {\n\t\t// The last element we read was self-closing and\n\t\t// we returned just the StartElement half.\n\t\t// Return the EndElement half now.\n\t\td.needClose = false\n\t\treturn EndElement{d.toClose, true}, nil\n\t}\n\n\tb, ok := d.getc()\n\tif !ok {\n\t\treturn nil, d.err\n\t}\n\n\tif b != '<' {\n\t\t// Text section.\n\t\td.ungetc(b)\n\t\tdata, origin := d.text(-1, false)\n\t\tif data == nil {\n\t\t\treturn nil, d.err\n\t\t}\n\t\treturn CharData{data: data, origin: origin}, nil\n\t}\n\n\tif b, ok = d.mustgetc(); !ok {\n\t\treturn nil, d.err\n\t}\n\tswitch b {\n\tcase '/':\n\t\t// ' {\n\t\t\td.err = d.syntaxError(\"invalid characters between \")\n\t\t\treturn nil, d.err\n\t\t}\n\t\treturn EndElement{name, false}, nil\n\n\tcase '?':\n\t\t// ' {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tb0 = b\n\t\t}\n\t\tdata := d.buf.Bytes()\n\t\tdata = data[0 : len(data)-2] // chop ?>\n\n\t\tif target == \"xml\" {\n\t\t\tcontent := string(data)\n\t\t\tver := procInst(\"version\", content)\n\t\t\tif ver != \"\" && ver != \"1.0\" {\n\t\t\t\td.err = fmt.Errorf(\"xml: unsupported version %q; only version 1.0 is supported\", ver)\n\t\t\t\treturn nil, d.err\n\t\t\t}\n\t\t\tenc := procInst(\"encoding\", content)\n\t\t\tif enc != \"\" && enc != \"utf-8\" && enc != \"UTF-8\" && !strings.EqualFold(enc, \"utf-8\") {\n\t\t\t\tif d.CharsetReader == nil {\n\t\t\t\t\td.err = fmt.Errorf(\"xml: encoding %q declared but Decoder.CharsetReader is nil\", enc)\n\t\t\t\t\treturn nil, d.err\n\t\t\t\t}\n\t\t\t\tnewr, err := d.CharsetReader(enc, d.r.(io.Reader))\n\t\t\t\tif err != nil {\n\t\t\t\t\td.err = fmt.Errorf(\"xml: opening charset %q: %w\", enc, err)\n\t\t\t\t\treturn nil, d.err\n\t\t\t\t}\n\t\t\t\tif newr == nil {\n\t\t\t\t\tpanic(\"CharsetReader returned a nil Reader for charset \" + enc)\n\t\t\t\t}\n\t\t\t\td.switchToReader(newr)\n\t\t\t}\n\t\t}\n\t\treturn ProcInst{target, data}, nil\n\n\tcase '!':\n\t\t// ' {\n\t\t\t\t\t\td.err = d.syntaxError(\n\t\t\t\t\t\t\t`invalid sequence \"--\" not allowed in comments`)\n\t\t\t\t\t\treturn nil, d.err\n\t\t\t\t\t}\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t\tb0, b1 = b1, b\n\t\t\t}\n\t\t\tdata := d.buf.Bytes()\n\t\t\tdata = data[0 : len(data)-3] // chop -->\n\t\t\treturn Comment(data), nil\n\n\t\tcase '[': // .\n\t\t\tdata, origin := d.text(-1, true)\n\t\t\tif data == nil {\n\t\t\t\treturn nil, d.err\n\t\t\t}\n\t\t\treturn CharData{data: data, origin: origin, cdata: true}, nil\n\t\t}\n\n\t\t// Probably a directive: , , etc.\n\t\t// We don't care, but accumulate for caller. Quoted angle\n\t\t// brackets do not count for nesting.\n\t\td.buf.Reset()\n\t\td.buf.WriteByte(b)\n\t\tinquote := uint8(0)\n\t\tdepth := 0\n\t\tfor {\n\t\t\tif b, ok = d.mustgetc(); !ok {\n\t\t\t\treturn nil, d.err\n\t\t\t}\n\t\t\tif inquote == 0 && b == '>' && depth == 0 {\n\t\t\t\tbreak\n\t\t\t}\n\t\tHandleB:\n\t\t\td.buf.WriteByte(b)\n\t\t\tswitch {\n\t\t\tcase b == inquote:\n\t\t\t\tinquote = 0\n\n\t\t\tcase inquote != 0:\n\t\t\t\t// in quotes, no special action\n\n\t\t\tcase b == '\\'' || b == '\"':\n\t\t\t\tinquote = b\n\n\t\t\tcase b == '>' && inquote == 0:\n\t\t\t\tdepth--\n\n\t\t\tcase b == '<' && inquote == 0:\n\t\t\t\t// Look for `\n\nvar testEntity = map[string]string{\"äŊ•\": \"What\", \"is-it\": \"is it?\"}\n\nvar rawTokens = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tProcInst{\"xml\", []byte(`version=\"1.0\" encoding=\"UTF-8\"`)},\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"`),\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"body\"}, []Attr{{Name{\"xmlns\", \"foo\"}, \"ns1\", \"\"}, {Name{\"\", \"xmlns\"}, \"ns2\", \"\"}, {Name{\"xmlns\", \"tag\"}, \"ns3\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"\", \"hello\"}, []Attr{{Name{\"\", \"lang\"}, \"en\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"World <>'\\\" į™ŊéĩŦįŋ”\"), origin: []byte(\"World <>'" 白鵬įŋ”\")},\n\tEndElement{Name{\"\", \"hello\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"\", \"query\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"What is it?\"), origin: []byte(\"&äŊ•; &is-it;\")},\n\tEndElement{Name{\"\", \"query\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"\", \"goodbye\"}, []Attr{}, true, \" \"},\n\tEndElement{Name{\"\", \"goodbye\"}, true},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"\", \"outer\"}, []Attr{{Name{\"foo\", \"attr\"}, \"value\", \"\"}, {Name{\"xmlns\", \"tag\"}, \"ns4\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"\", \"inner\"}, []Attr{}, true, \"\"},\n\tEndElement{Name{\"\", \"inner\"}, true},\n\tCharData{data: []byte(\"\\n \")},\n\tEndElement{Name{\"\", \"outer\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"tag\", \"name\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tCharData{data: []byte(\"Some text here.\"), cdata: true},\n\tCharData{data: []byte(\"\\n \")},\n\tEndElement{Name{\"tag\", \"name\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tEndElement{Name{\"\", \"body\"}, false},\n\tComment(\" missing final newline \"),\n}\n\nvar cookedTokens = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tProcInst{\"xml\", []byte(`version=\"1.0\" encoding=\"UTF-8\"`)},\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\"`),\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"ns2\", \"body\"}, []Attr{{Name{\"xmlns\", \"foo\"}, \"ns1\", \"\"}, {Name{\"\", \"xmlns\"}, \"ns2\", \"\"}, {Name{\"xmlns\", \"tag\"}, \"ns3\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns2\", \"hello\"}, []Attr{{Name{\"\", \"lang\"}, \"en\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"World <>'\\\" į™ŊéĩŦįŋ”\"), origin: []byte(\"World <>'" 白鵬įŋ”\")},\n\tEndElement{Name{\"ns2\", \"hello\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns2\", \"query\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"What is it?\"), origin: []byte(\"&äŊ•; &is-it;\")},\n\tEndElement{Name{\"ns2\", \"query\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns2\", \"goodbye\"}, []Attr{}, true, \" \"},\n\tEndElement{Name{\"ns2\", \"goodbye\"}, true},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns2\", \"outer\"}, []Attr{{Name{\"ns1\", \"attr\"}, \"value\", \"\"}, {Name{\"xmlns\", \"tag\"}, \"ns4\", \"\"}}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns2\", \"inner\"}, []Attr{}, true, \"\"},\n\tEndElement{Name{\"ns2\", \"inner\"}, true},\n\tCharData{data: []byte(\"\\n \")},\n\tEndElement{Name{\"ns2\", \"outer\"}, false},\n\tCharData{data: []byte(\"\\n \")},\n\tStartElement{Name{\"ns3\", \"name\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"\\n \")},\n\tCharData{data: []byte(\"Some text here.\"), cdata: true},\n\tCharData{data: []byte(\"\\n \")},\n\tEndElement{Name{\"ns3\", \"name\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tEndElement{Name{\"ns2\", \"body\"}, false},\n\tComment(\" missing final newline \"),\n}\n\nconst testInputAltEncoding = `\n\nVALUE`\n\nvar rawTokensAltEncoding = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tProcInst{\"xml\", []byte(`version=\"1.0\" encoding=\"x-testing-uppercase\"`)},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"value\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n}\n\nvar xmlInput = []string{\n\t// unexpected EOF cases\n\t\"<\",\n\t\"\",\n\t\"\",\n\t\"\",\n\t//\t\"\",\t// let the Token() caller handle\n\t\"\",\n\t\"\",\n\t\"\",\n\t\"\",\n\t\" c;\",\n\t\"\",\n\t\"\",\n\t\"\",\n\t//\t\"\",\t// let the Token() caller handle\n\t\"\",\n\t\"\",\n\t\"cdata]]>\",\n}\n\nfunc TestRawToken(t *testing.T) {\n\td := NewDecoder(strings.NewReader(testInput))\n\td.Entity = testEntity\n\ttestRawToken(t, d, testInput, rawTokens)\n}\n\nconst nonStrictInput = `\nnon&entity\n&unknown;entity\n{\n&#zzz;\n&ãĒぞえ3;\n<-gt;\n&;\n&0a;\n`\n\nvar nonStrictTokens = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"non&entity\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"&unknown;entity\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"{\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"&#zzz;\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"&ãĒぞえ3;\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"<-gt;\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"&;\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n\tStartElement{Name{\"\", \"tag\"}, []Attr{}, false, \"\"},\n\tCharData{data: []byte(\"&0a;\")},\n\tEndElement{Name{\"\", \"tag\"}, false},\n\tCharData{data: []byte(\"\\n\")},\n}\n\nfunc TestNonStrictRawToken(t *testing.T) {\n\td := NewDecoder(strings.NewReader(nonStrictInput))\n\td.Strict = false\n\ttestRawToken(t, d, nonStrictInput, nonStrictTokens)\n}\n\ntype downCaser struct {\n\tt *testing.T\n\tr io.ByteReader\n}\n\nfunc (d *downCaser) ReadByte() (c byte, err error) {\n\tc, err = d.r.ReadByte()\n\tif c >= 'A' && c <= 'Z' {\n\t\tc += 'a' - 'A'\n\t}\n\treturn\n}\n\nfunc (d *downCaser) Read(p []byte) (int, error) {\n\td.t.Fatalf(\"unexpected Read call on downCaser reader\")\n\tpanic(\"unreachable\")\n}\n\nfunc TestRawTokenAltEncoding(t *testing.T) {\n\td := NewDecoder(strings.NewReader(testInputAltEncoding))\n\td.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {\n\t\tif charset != \"x-testing-uppercase\" {\n\t\t\tt.Fatalf(\"unexpected charset %q\", charset)\n\t\t}\n\t\treturn &downCaser{t, input.(io.ByteReader)}, nil\n\t}\n\ttestRawToken(t, d, testInputAltEncoding, rawTokensAltEncoding)\n}\n\nfunc TestRawTokenAltEncodingNoConverter(t *testing.T) {\n\td := NewDecoder(strings.NewReader(testInputAltEncoding))\n\ttoken, err := d.RawToken()\n\tif token == nil {\n\t\tt.Fatalf(\"expected a token on first RawToken call\")\n\t}\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\ttoken, err = d.RawToken()\n\tif token != nil {\n\t\tt.Errorf(\"expected a nil token; got %#v\", token)\n\t}\n\tif err == nil {\n\t\tt.Fatalf(\"expected an error on second RawToken call\")\n\t}\n\tconst encoding = \"x-testing-uppercase\"\n\tif !strings.Contains(err.Error(), encoding) {\n\t\tt.Errorf(\"expected error to contain %q; got error: %v\",\n\t\t\tencoding, err)\n\t}\n}\n\nfunc testRawToken(t *testing.T, d *Decoder, raw string, rawTokens []Token) {\n\tlastEnd := int64(0)\n\tfor i, want := range rawTokens {\n\t\tstart := d.InputOffset()\n\t\thave, err := d.RawToken()\n\t\tend := d.InputOffset()\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"token %d: unexpected error: %s\", i, err)\n\t\t}\n\t\tif !reflect.DeepEqual(have, want) {\n\t\t\tvar shave, swant string\n\t\t\tif _, ok := have.(CharData); ok {\n\t\t\t\tshave = fmt.Sprintf(\"CharData(%q)\", have)\n\t\t\t} else {\n\t\t\t\tshave = fmt.Sprintf(\"%#v\", have)\n\t\t\t}\n\t\t\tif _, ok := want.(CharData); ok {\n\t\t\t\tswant = fmt.Sprintf(\"CharData(%q)\", want)\n\t\t\t} else {\n\t\t\t\tswant = fmt.Sprintf(\"%#v\", want)\n\t\t\t}\n\t\t\tt.Errorf(\"token %d = %s, want %s\", i, shave, swant)\n\t\t}\n\n\t\t// Check that InputOffset returned actual token.\n\t\tswitch {\n\t\tcase start < lastEnd:\n\t\t\tt.Errorf(\"token %d: position [%d,%d) for %T is before previous token\", i, start, end, have)\n\t\tcase start >= end:\n\t\t\t// Special case: EndElement can be synthesized.\n\t\t\tif start == end && end == lastEnd {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tt.Errorf(\"token %d: position [%d,%d) for %T is empty\", i, start, end, have)\n\t\tcase end > int64(len(raw)):\n\t\t\tt.Errorf(\"token %d: position [%d,%d) for %T extends beyond input\", i, start, end, have)\n\t\tdefault:\n\t\t\ttext := raw[start:end]\n\t\t\tif strings.ContainsAny(text, \"<>\") && (!strings.HasPrefix(text, \"<\") || !strings.HasSuffix(text, \">\")) {\n\t\t\t\tt.Errorf(\"token %d: misaligned raw token %#q for %T\", i, text, have)\n\t\t\t}\n\t\t}\n\t\tlastEnd = end\n\t}\n}\n\n// Ensure that directives (specifically !DOCTYPE) include the complete\n// text of any nested directives, noting that < and > do not change\n// nesting depth if they are in single or double quotes.\n\nvar nestedDirectivesInput = `\n]>\n\">]>\n]>\n'>]>\n]>\n'>]>\n]>\n`\n\nvar nestedDirectivesTokens = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE []`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE [\">]`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE []`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE ['>]`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE []`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE ['>]`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE []`),\n\tCharData{data: []byte(\"\\n\")},\n}\n\nfunc TestNestedDirectives(t *testing.T) {\n\td := NewDecoder(strings.NewReader(nestedDirectivesInput))\n\n\tfor i, want := range nestedDirectivesTokens {\n\t\thave, err := d.Token()\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"token %d: unexpected error: %s\", i, err)\n\t\t}\n\t\tif !reflect.DeepEqual(have, want) {\n\t\t\tt.Errorf(\"token %d = %#v want %#v\", i, have, want)\n\t\t}\n\t}\n}\n\nfunc TestToken(t *testing.T) {\n\td := NewDecoder(strings.NewReader(testInput))\n\td.Entity = testEntity\n\n\tfor i, want := range cookedTokens {\n\t\thave, err := d.Token()\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"token %d: unexpected error: %s\", i, err)\n\t\t}\n\t\tif !reflect.DeepEqual(have, want) {\n\t\t\tt.Errorf(\"token %d = %#v want %#v\", i, have, want)\n\t\t}\n\t}\n}\n\nfunc TestSyntax(t *testing.T) {\n\tfor i := range xmlInput {\n\t\td := NewDecoder(strings.NewReader(xmlInput[i]))\n\t\tvar err error\n\t\tfor _, err = d.Token(); err == nil; _, err = d.Token() {\n\t\t}\n\t\tif _, ok := err.(*SyntaxError); !ok {\n\t\t\tt.Fatalf(`xmlInput \"%s\": expected SyntaxError not received`, xmlInput[i])\n\t\t}\n\t}\n}\n\nfunc TestInputLinePos(t *testing.T) {\n\ttestInput := `\n \n\n`\n\tlinePos := [][]int{\n\t\t{1, 7},\n\t\t{2, 1},\n\t\t{3, 4},\n\t\t{3, 6},\n\t\t{6, 7},\n\t\t{7, 1},\n\t\t{8, 4},\n\t\t{10, 4},\n\t\t{10, 10},\n\t\t{11, 1},\n\t\t{11, 8},\n\t}\n\tdec := NewDecoder(strings.NewReader(testInput))\n\tfor _, want := range linePos {\n\t\tif _, err := dec.Token(); err != nil {\n\t\t\tt.Errorf(\"Unexpected error: %v\", err)\n\t\t\tcontinue\n\t\t}\n\n\t\tgotLine, gotCol := dec.InputPos()\n\t\tif gotLine != want[0] || gotCol != want[1] {\n\t\t\tt.Errorf(\"dec.InputPos() = %d,%d, want %d,%d\", gotLine, gotCol, want[0], want[1])\n\t\t}\n\t}\n}\n\ntype allScalars struct {\n\tTrue1 bool\n\tTrue2 bool\n\tFalse1 bool\n\tFalse2 bool\n\tInt int\n\tInt8 int8\n\tInt16 int16\n\tInt32 int32\n\tInt64 int64\n\tUint int\n\tUint8 uint8\n\tUint16 uint16\n\tUint32 uint32\n\tUint64 uint64\n\tUintptr uintptr\n\tFloat32 float32\n\tFloat64 float64\n\tString string\n\tPtrString *string\n}\n\nvar all = allScalars{\n\tTrue1: true,\n\tTrue2: true,\n\tFalse1: false,\n\tFalse2: false,\n\tInt: 1,\n\tInt8: -2,\n\tInt16: 3,\n\tInt32: -4,\n\tInt64: 5,\n\tUint: 6,\n\tUint8: 7,\n\tUint16: 8,\n\tUint32: 9,\n\tUint64: 10,\n\tUintptr: 11,\n\tFloat32: 13.0,\n\tFloat64: 14.0,\n\tString: \"15\",\n\tPtrString: &sixteen,\n}\n\nvar sixteen = \"16\"\n\nconst testScalarsInput = `\n\ttrue\n\t1\n\tfalse\n\t0\n\t1\n\t-2\n\t3\n\t-4\n\t5\n\t6\n\t7\n\t8\n\t9\n\t10\n\t11\n\t12.0\n\t13.0\n\t14.0\n\t15\n\t16\n`\n\nfunc TestAllScalars(t *testing.T) {\n\tvar a allScalars\n\terr := Unmarshal([]byte(testScalarsInput), &a)\n\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif !reflect.DeepEqual(a, all) {\n\t\tt.Errorf(\"have %+v want %+v\", a, all)\n\t}\n}\n\ntype item struct {\n\tFieldA string\n}\n\nfunc TestIssue569(t *testing.T) {\n\tdata := `abcd`\n\tvar i item\n\terr := Unmarshal([]byte(data), &i)\n\n\tif err != nil || i.FieldA != \"abcd\" {\n\t\tt.Fatal(\"Expecting abcd\")\n\t}\n}\n\nfunc TestUnquotedAttrs(t *testing.T) {\n\tdata := \"\"\n\td := NewDecoder(strings.NewReader(data))\n\td.Strict = false\n\ttoken, err := d.Token()\n\tif _, ok := err.(*SyntaxError); ok {\n\t\tt.Errorf(\"Unexpected error: %v\", err)\n\t}\n\tif token.(StartElement).Name.Local != \"tag\" {\n\t\tt.Errorf(\"Unexpected tag name: %v\", token.(StartElement).Name.Local)\n\t}\n\tattr := token.(StartElement).Attr[0]\n\tif attr.Value != \"azAZ09:-_\" {\n\t\tt.Errorf(\"Unexpected attribute value: %v\", attr.Value)\n\t}\n\tif attr.Name.Local != \"attr\" {\n\t\tt.Errorf(\"Unexpected attribute name: %v\", attr.Name.Local)\n\t}\n}\n\nfunc TestValuelessAttrs(t *testing.T) {\n\ttests := [][3]string{\n\t\t{\"

\", \"p\", \"nowrap\"},\n\t\t{\"

\", \"p\", \"nowrap\"},\n\t\t{\"\", \"input\", \"checked\"},\n\t\t{\"\", \"input\", \"checked\"},\n\t}\n\tfor _, test := range tests {\n\t\td := NewDecoder(strings.NewReader(test[0]))\n\t\td.Strict = false\n\t\ttoken, err := d.Token()\n\t\tif _, ok := err.(*SyntaxError); ok {\n\t\t\tt.Errorf(\"Unexpected error: %v\", err)\n\t\t}\n\t\tif token.(StartElement).Name.Local != test[1] {\n\t\t\tt.Errorf(\"Unexpected tag name: %v\", token.(StartElement).Name.Local)\n\t\t}\n\t\tattr := token.(StartElement).Attr[0]\n\t\tif attr.Value != test[2] {\n\t\t\tt.Errorf(\"Unexpected attribute value: %v\", attr.Value)\n\t\t}\n\t\tif attr.Name.Local != test[2] {\n\t\t\tt.Errorf(\"Unexpected attribute name: %v\", attr.Name.Local)\n\t\t}\n\t}\n}\n\nfunc TestCopyTokenCharData(t *testing.T) {\n\tdata := []byte(\"same data\")\n\tvar tok1 Token = CharData{data: data}\n\ttok2 := CopyToken(tok1)\n\tif !reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(CharData) != CharData\")\n\t}\n\tdata[1] = 'o'\n\tif reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(CharData) uses same buffer.\")\n\t}\n}\n\nfunc TestCopyTokenStartElement(t *testing.T) {\n\telt := StartElement{Name{\"\", \"hello\"}, []Attr{{Name{\"\", \"lang\"}, \"en\", \"\"}}, false, \"\"}\n\tvar tok1 Token = elt\n\ttok2 := CopyToken(tok1)\n\tif tok1.(StartElement).Attr[0].Value != \"en\" {\n\t\tt.Error(\"CopyToken overwrote Attr[0]\")\n\t}\n\tif !reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(StartElement) != StartElement\")\n\t}\n\ttok1.(StartElement).Attr[0] = Attr{Name{\"\", \"lang\"}, \"de\", \"\"}\n\tif reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(CharData) uses same buffer.\")\n\t}\n}\n\nfunc TestCopyTokenComment(t *testing.T) {\n\tdata := []byte(\"\")\n\tvar tok1 Token = Comment(data)\n\ttok2 := CopyToken(tok1)\n\tif !reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(Comment) != Comment\")\n\t}\n\tdata[1] = 'o'\n\tif reflect.DeepEqual(tok1, tok2) {\n\t\tt.Error(\"CopyToken(Comment) uses same buffer.\")\n\t}\n}\n\nfunc TestSyntaxErrorLineNum(t *testing.T) {\n\ttestInput := \"

Foo

\\n\\n

Bar\\n\"\n\td := NewDecoder(strings.NewReader(testInput))\n\tvar err error\n\tfor _, err = d.Token(); err == nil; _, err = d.Token() {\n\t}\n\tsynerr, ok := err.(*SyntaxError)\n\tif !ok {\n\t\tt.Error(\"Expected SyntaxError.\")\n\t}\n\tif synerr.Line != 3 {\n\t\tt.Error(\"SyntaxError didn't have correct line number.\")\n\t}\n}\n\nfunc TestTrailingRawToken(t *testing.T) {\n\tinput := ` `\n\td := NewDecoder(strings.NewReader(input))\n\tvar err error\n\tfor _, err = d.RawToken(); err == nil; _, err = d.RawToken() {\n\t}\n\tif err != io.EOF {\n\t\tt.Fatalf(\"d.RawToken() = _, %v, want _, io.EOF\", err)\n\t}\n}\n\nfunc TestTrailingToken(t *testing.T) {\n\tinput := ` `\n\td := NewDecoder(strings.NewReader(input))\n\tvar err error\n\tfor _, err = d.Token(); err == nil; _, err = d.Token() {\n\t}\n\tif err != io.EOF {\n\t\tt.Fatalf(\"d.Token() = _, %v, want _, io.EOF\", err)\n\t}\n}\n\nfunc TestEntityInsideCDATA(t *testing.T) {\n\tinput := ``\n\td := NewDecoder(strings.NewReader(input))\n\tvar err error\n\tfor _, err = d.Token(); err == nil; _, err = d.Token() {\n\t}\n\tif err != io.EOF {\n\t\tt.Fatalf(\"d.Token() = _, %v, want _, io.EOF\", err)\n\t}\n}\n\nvar characterTests = []struct {\n\tin string\n\terr string\n}{\n\t{\"\\x12\", \"illegal character code U+0012\"},\n\t{\"\\x0b\", \"illegal character code U+000B\"},\n\t{\"\\xef\\xbf\\xbe\", \"illegal character code U+FFFE\"},\n\t{\"\\r\\n\\x07\", \"illegal character code U+0007\"},\n\t{\"what's up\", \"expected attribute name in element\"},\n\t{\"&abc\\x01;\", \"invalid character entity &abc (no semicolon)\"},\n\t{\"&\\x01;\", \"invalid character entity & (no semicolon)\"},\n\t{\"&\\xef\\xbf\\xbe;\", \"invalid character entity &\\uFFFE;\"},\n\t{\"&hello;\", \"invalid character entity &hello;\"},\n}\n\nfunc TestDisallowedCharacters(t *testing.T) {\n\n\tfor i, tt := range characterTests {\n\t\td := NewDecoder(strings.NewReader(tt.in))\n\t\tvar err error\n\n\t\tfor err == nil {\n\t\t\t_, err = d.Token()\n\t\t}\n\t\tsynerr, ok := err.(*SyntaxError)\n\t\tif !ok {\n\t\t\tt.Fatalf(\"input %d d.Token() = _, %v, want _, *SyntaxError\", i, err)\n\t\t}\n\t\tif synerr.Msg != tt.err {\n\t\t\tt.Fatalf(\"input %d synerr.Msg wrong: want %q, got %q\", i, tt.err, synerr.Msg)\n\t\t}\n\t}\n}\n\nfunc TestIsInCharacterRange(t *testing.T) {\n\tinvalid := []rune{\n\t\tutf8.MaxRune + 1,\n\t\t0xD800, // surrogate min\n\t\t0xDFFF, // surrogate max\n\t\t-1,\n\t}\n\tfor _, r := range invalid {\n\t\tif isInCharacterRange(r) {\n\t\t\tt.Errorf(\"rune %U considered valid\", r)\n\t\t}\n\t}\n}\n\nvar procInstTests = []struct {\n\tinput string\n\texpect [2]string\n}{\n\t{`version=\"1.0\" encoding=\"utf-8\"`, [2]string{\"1.0\", \"utf-8\"}},\n\t{`version=\"1.0\" encoding='utf-8'`, [2]string{\"1.0\", \"utf-8\"}},\n\t{`version=\"1.0\" encoding='utf-8' `, [2]string{\"1.0\", \"utf-8\"}},\n\t{`version=\"1.0\" encoding=utf-8`, [2]string{\"1.0\", \"\"}},\n\t{`encoding=\"FOO\" `, [2]string{\"\", \"FOO\"}},\n\t{`version=2.0 version=\"1.0\" encoding=utf-7 encoding='utf-8'`, [2]string{\"1.0\", \"utf-8\"}},\n\t{`version= encoding=`, [2]string{\"\", \"\"}},\n\t{`encoding=\"version=1.0\"`, [2]string{\"\", \"version=1.0\"}},\n\t{``, [2]string{\"\", \"\"}},\n\t// TODO: what's the right approach to handle these nested cases?\n\t{`encoding=\"version='1.0'\"`, [2]string{\"1.0\", \"version='1.0'\"}},\n\t{`version=\"encoding='utf-8'\"`, [2]string{\"encoding='utf-8'\", \"utf-8\"}},\n}\n\nfunc TestProcInstEncoding(t *testing.T) {\n\tfor _, test := range procInstTests {\n\t\tif got := procInst(\"version\", test.input); got != test.expect[0] {\n\t\t\tt.Errorf(\"procInst(version, %q) = %q; want %q\", test.input, got, test.expect[0])\n\t\t}\n\t\tif got := procInst(\"encoding\", test.input); got != test.expect[1] {\n\t\t\tt.Errorf(\"procInst(encoding, %q) = %q; want %q\", test.input, got, test.expect[1])\n\t\t}\n\t}\n}\n\n// Ensure that directives with comments include the complete\n// text of any nested directives.\n\nvar directivesWithCommentsInput = `\n]>\n]>\n --> --> []>\n`\n\nvar directivesWithCommentsTokens = []Token{\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE [ ]`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE [ ]`),\n\tCharData{data: []byte(\"\\n\")},\n\tDirective(`DOCTYPE [ ]`),\n\tCharData{data: []byte(\"\\n\")},\n}\n\nfunc TestDirectivesWithComments(t *testing.T) {\n\td := NewDecoder(strings.NewReader(directivesWithCommentsInput))\n\n\tfor i, want := range directivesWithCommentsTokens {\n\t\thave, err := d.Token()\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"token %d: unexpected error: %s\", i, err)\n\t\t}\n\t\tif !reflect.DeepEqual(have, want) {\n\t\t\tt.Errorf(\"token %d = %#v want %#v\", i, have, want)\n\t\t}\n\t}\n}\n\n// Writer whose Write method always returns an error.\ntype errWriter struct{}\n\nfunc (errWriter) Write(p []byte) (n int, err error) { return 0, fmt.Errorf(\"unwritable\") }\n\nfunc TestEscapeTextIOErrors(t *testing.T) {\n\texpectErr := \"unwritable\"\n\terr := EscapeText(errWriter{}, []byte{'A'})\n\n\tif err == nil || err.Error() != expectErr {\n\t\tt.Errorf(\"have %v, want %v\", err, expectErr)\n\t}\n}\n\nfunc TestEscapeTextInvalidChar(t *testing.T) {\n\tinput := []byte(\"A \\x00 terminated string.\")\n\texpected := \"A \\uFFFD terminated string.\"\n\n\tbuff := new(strings.Builder)\n\tif err := EscapeText(buff, input); err != nil {\n\t\tt.Fatalf(\"have %v, want nil\", err)\n\t}\n\ttext := buff.String()\n\n\tif text != expected {\n\t\tt.Errorf(\"have %v, want %v\", text, expected)\n\t}\n}\n\nfunc TestIssue5880(t *testing.T) {\n\ttype T []byte\n\tdata, err := Marshal(T{192, 168, 0, 1})\n\tif err != nil {\n\t\tt.Errorf(\"Marshal error: %v\", err)\n\t}\n\tif !utf8.Valid(data) {\n\t\tt.Errorf(\"Marshal generated invalid UTF-8: %x\", data)\n\t}\n}\n\nfunc TestIssue8535(t *testing.T) {\n\n\ttype ExampleConflict struct {\n\t\tXMLName Name `xml:\"example\"`\n\t\tLink string `xml:\"link\"`\n\t\tAtomLink string `xml:\"http://www.w3.org/2005/Atom link\"` // Same name in a different name space\n\t}\n\ttestCase := `\n\t\t\tExample\n\t\t\thttp://example.com/default \n\t\t\thttp://example.com/home \n\t\t\thttp://example.com/ns\n\t\t`\n\n\tvar dest ExampleConflict\n\td := NewDecoder(strings.NewReader(testCase))\n\tif err := d.Decode(&dest); err != nil {\n\t\tt.Fatal(err)\n\t}\n}\n\nfunc TestEncodeXMLNS(t *testing.T) {\n\ttestCases := []struct {\n\t\tf func() ([]byte, error)\n\t\twant string\n\t\tok bool\n\t}{\n\t\t{encodeXMLNS1, `hello world`, true},\n\t\t{encodeXMLNS2, `hello world`, true},\n\t\t{encodeXMLNS3, `hello world`, true},\n\t\t{encodeXMLNS4, `hello world`, false},\n\t}\n\n\tfor i, tc := range testCases {\n\t\tif b, err := tc.f(); err == nil {\n\t\t\tif got, want := string(b), tc.want; got != want {\n\t\t\t\tt.Errorf(\"%d: got %s, want %s \\n\", i, got, want)\n\t\t\t}\n\t\t} else {\n\t\t\tt.Errorf(\"%d: marshal failed with %s\", i, err)\n\t\t}\n\t}\n}\n\nfunc encodeXMLNS1() ([]byte, error) {\n\n\ttype T struct {\n\t\tXMLName Name `xml:\"Test\"`\n\t\tNs string `xml:\"xmlns,attr\"`\n\t\tBody string\n\t}\n\n\ts := &T{Ns: \"http://example.com/ns\", Body: \"hello world\"}\n\treturn Marshal(s)\n}\n\nfunc encodeXMLNS2() ([]byte, error) {\n\n\ttype Test struct {\n\t\tBody string `xml:\"http://example.com/ns body\"`\n\t}\n\n\ts := &Test{Body: \"hello world\"}\n\treturn Marshal(s)\n}\n\nfunc encodeXMLNS3() ([]byte, error) {\n\n\ttype Test struct {\n\t\tXMLName Name `xml:\"http://example.com/ns Test\"`\n\t\tBody string\n\t}\n\n\t//s := &Test{XMLName: Name{\"http://example.com/ns\",\"\"}, Body: \"hello world\"} is unusable as the \"-\" is missing\n\t// as documentation states\n\ts := &Test{Body: \"hello world\"}\n\treturn Marshal(s)\n}\n\nfunc encodeXMLNS4() ([]byte, error) {\n\n\ttype Test struct {\n\t\tNs string `xml:\"xmlns,attr\"`\n\t\tBody string\n\t}\n\n\ts := &Test{Ns: \"http://example.com/ns\", Body: \"hello world\"}\n\treturn Marshal(s)\n}\n\nfunc TestIssue11405(t *testing.T) {\n\ttestCases := []string{\n\t\t\"\",\n\t\t\"\",\n\t\t\"\",\n\t}\n\tfor _, tc := range testCases {\n\t\td := NewDecoder(strings.NewReader(tc))\n\t\tvar err error\n\t\tfor {\n\t\t\t_, err = d.Token()\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif _, ok := err.(*SyntaxError); !ok {\n\t\t\tt.Errorf(\"%s: Token: Got error %v, want SyntaxError\", tc, err)\n\t\t}\n\t}\n}\n\nfunc TestIssue12417(t *testing.T) {\n\ttestCases := []struct {\n\t\ts string\n\t\tok bool\n\t}{\n\t\t{``, true},\n\t\t{``, true},\n\t\t{``, true},\n\t\t{``, false},\n\t}\n\tfor _, tc := range testCases {\n\t\td := NewDecoder(strings.NewReader(tc.s))\n\t\tvar err error\n\t\tfor {\n\t\t\t_, err = d.Token()\n\t\t\tif err != nil {\n\t\t\t\tif err == io.EOF {\n\t\t\t\t\terr = nil\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif err != nil && tc.ok {\n\t\t\tt.Errorf(\"%q: Encoding charset: expected no error, got %s\", tc.s, err)\n\t\t\tcontinue\n\t\t}\n\t\tif err == nil && !tc.ok {\n\t\t\tt.Errorf(\"%q: Encoding charset: expected error, got nil\", tc.s)\n\t\t}\n\t}\n}\n\nfunc TestIssue7113(t *testing.T) {\n\ttype C struct {\n\t\tXMLName Name `xml:\"\"` // Sets empty namespace\n\t}\n\n\ttype D struct {\n\t\tXMLName Name `xml:\"d\"`\n\t}\n\n\ttype A struct {\n\t\tXMLName Name `xml:\"\"`\n\t\tC C `xml:\"\"`\n\t\tD D\n\t}\n\n\tvar a A\n\tstructSpace := \"b\"\n\txmlTest := ``\n\tt.Log(xmlTest)\n\terr := Unmarshal([]byte(xmlTest), &a)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\tif a.XMLName.Space != structSpace {\n\t\tt.Errorf(\"overidding with empty namespace: unmarshaling, got %s, want %s\\n\", a.XMLName.Space, structSpace)\n\t}\n\tif len(a.C.XMLName.Space) != 0 {\n\t\tt.Fatalf(\"overidding with empty namespace: unmarshaling, got %s, want empty\\n\", a.C.XMLName.Space)\n\t}\n\n\tvar b []byte\n\tb, err = Marshal(&a)\n\tif err != nil {\n\t\tt.Fatal(err)\n\t}\n\tif len(a.C.XMLName.Space) != 0 {\n\t\tt.Errorf(\"overidding with empty namespace: marshaling, got %s in C tag which should be empty\\n\", a.C.XMLName.Space)\n\t}\n\tif string(b) != xmlTest {\n\t\tt.Fatalf(\"overidding with empty namespace: marshaling, got %s, want %s\\n\", b, xmlTest)\n\t}\n\tvar c A\n\terr = Unmarshal(b, &c)\n\tif err != nil {\n\t\tt.Fatalf(\"second Unmarshal failed: %s\", err)\n\t}\n\tif c.XMLName.Space != \"b\" {\n\t\tt.Errorf(\"overidding with empty namespace: after marshaling & unmarshaling, XML name space: got %s, want %s\\n\", a.XMLName.Space, structSpace)\n\t}\n\tif len(c.C.XMLName.Space) != 0 {\n\t\tt.Errorf(\"overidding with empty namespace: after marshaling & unmarshaling, got %s, want empty\\n\", a.C.XMLName.Space)\n\t}\n}\n\nfunc TestIssue20396(t *testing.T) {\n\n\tvar attrError = UnmarshalError(\"XML syntax error on line 1: expected attribute name in element\")\n\n\ttestCases := []struct {\n\t\ts string\n\t\twantErr error\n\t}{\n\t\t{``, // Issue 20396\n\t\t\tUnmarshalError(\"XML syntax error on line 1: expected element name after <\")},\n\t\t{``, attrError},\n\t\t{``, attrError},\n\t\t{``, nil},\n\t\t{`1`,\n\t\t\tUnmarshalError(\"XML syntax error on line 1: expected element name after <\")},\n\t\t{`1`, attrError},\n\t\t{`1`, attrError},\n\t\t{`1`, nil},\n\t}\n\n\tvar dest string\n\tfor _, tc := range testCases {\n\t\tif got, want := Unmarshal([]byte(tc.s), &dest), tc.wantErr; got != want {\n\t\t\tif got == nil {\n\t\t\t\tt.Errorf(\"%s: Unexpected success, want %v\", tc.s, want)\n\t\t\t} else if want == nil {\n\t\t\t\tt.Errorf(\"%s: Unexpected error, got %v\", tc.s, got)\n\t\t\t} else if got.Error() != want.Error() {\n\t\t\t\tt.Errorf(\"%s: got %v, want %v\", tc.s, got, want)\n\t\t\t}\n\t\t}\n\t}\n}\n\nfunc TestIssue20685(t *testing.T) {\n\ttestCases := []struct {\n\t\ts string\n\t\tok bool\n\t}{\n\t\t{`one`, false},\n\t\t{`one`, true},\n\t\t{`one`, false},\n\t\t{`one`, false},\n\t\t{`one`, false},\n\t\t{`one`, false},\n\t\t{`one`, false},\n\t}\n\tfor _, tc := range testCases {\n\t\td := NewDecoder(strings.NewReader(tc.s))\n\t\tvar err error\n\t\tfor {\n\t\t\t_, err = d.Token()\n\t\t\tif err != nil {\n\t\t\t\tif err == io.EOF {\n\t\t\t\t\terr = nil\n\t\t\t\t}\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif err != nil && tc.ok {\n\t\t\tt.Errorf(\"%q: Closing tag with namespace : expected no error, got %s\", tc.s, err)\n\t\t\tcontinue\n\t\t}\n\t\tif err == nil && !tc.ok {\n\t\t\tt.Errorf(\"%q: Closing tag with namespace : expected error, got nil\", tc.s)\n\t\t}\n\t}\n}\n\nfunc tokenMap(mapping func(t Token) Token) func(TokenReader) TokenReader {\n\treturn func(src TokenReader) TokenReader {\n\t\treturn mapper{\n\t\t\tt: src,\n\t\t\tf: mapping,\n\t\t}\n\t}\n}\n\ntype mapper struct {\n\tt TokenReader\n\tf func(Token) Token\n}\n\nfunc (m mapper) Token() (Token, error) {\n\ttok, err := m.t.Token()\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn m.f(tok), nil\n}\n\nfunc TestNewTokenDecoderIdempotent(t *testing.T) {\n\td := NewDecoder(strings.NewReader(`
`))\n\td2 := NewTokenDecoder(d)\n\tif d != d2 {\n\t\tt.Error(\"NewTokenDecoder did not detect underlying Decoder\")\n\t}\n}\n\nfunc TestWrapDecoder(t *testing.T) {\n\td := NewDecoder(strings.NewReader(`[Re-enter Clown with a letter, and FABIAN]`))\n\tm := tokenMap(func(t Token) Token {\n\t\tswitch tok := t.(type) {\n\t\tcase StartElement:\n\t\t\tif tok.Name.Local == \"quote\" {\n\t\t\t\ttok.Name.Local = \"blocking\"\n\t\t\t\treturn tok\n\t\t\t}\n\t\tcase EndElement:\n\t\t\tif tok.Name.Local == \"quote\" {\n\t\t\t\ttok.Name.Local = \"blocking\"\n\t\t\t\treturn tok\n\t\t\t}\n\t\t}\n\t\treturn t\n\t})\n\n\td = NewTokenDecoder(m(d))\n\n\to := struct {\n\t\tXMLName Name `xml:\"blocking\"`\n\t\tChardata string `xml:\",chardata\"`\n\t}{}\n\n\tif err := d.Decode(&o); err != nil {\n\t\tt.Fatal(\"Got unexpected error while decoding:\", err)\n\t}\n\n\tif o.Chardata != \"[Re-enter Clown with a letter, and FABIAN]\" {\n\t\tt.Fatalf(\"Got unexpected chardata: `%s`\\n\", o.Chardata)\n\t}\n}\n\ntype tokReader struct{}\n\nfunc (tokReader) Token() (Token, error) {\n\treturn StartElement{}, nil\n}\n\ntype Failure struct{}\n\nfunc (Failure) UnmarshalXML(*Decoder, StartElement) error {\n\treturn nil\n}\n\nfunc TestTokenUnmarshaler(t *testing.T) {\n\tdefer func() {\n\t\tif r := recover(); r != nil {\n\t\t\tt.Error(\"Unexpected panic using custom token unmarshaler\")\n\t\t}\n\t}()\n\n\td := NewTokenDecoder(tokReader{})\n\td.Decode(&Failure{})\n}\n\nfunc testRoundTrip(t *testing.T, input string) {\n\td := NewDecoder(strings.NewReader(input))\n\tvar tokens []Token\n\tvar buf bytes.Buffer\n\te := NewEncoder(&buf)\n\tfor {\n\t\ttok, err := d.Token()\n\t\tif err == io.EOF {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"invalid input: %v\", err)\n\t\t}\n\t\tif err := e.EncodeToken(tok); err != nil {\n\t\t\tt.Fatalf(\"failed to re-encode input: %v\", err)\n\t\t}\n\t\ttokens = append(tokens, CopyToken(tok))\n\t}\n\tif err := e.Flush(); err != nil {\n\t\tt.Fatal(err)\n\t}\n\n\td = NewDecoder(&buf)\n\tfor {\n\t\ttok, err := d.Token()\n\t\tif err == io.EOF {\n\t\t\tbreak\n\t\t}\n\t\tif err != nil {\n\t\t\tt.Fatalf(\"failed to decode output: %v\", err)\n\t\t}\n\t\tif len(tokens) == 0 {\n\t\t\tt.Fatalf(\"unexpected token: %#v\", tok)\n\t\t}\n\t\ta, b := tokens[0], tok\n\t\tif !reflect.DeepEqual(a, b) {\n\t\t\tt.Fatalf(\"token mismatch: %#v vs %#v\", a, b)\n\t\t}\n\t\ttokens = tokens[1:]\n\t}\n\tif len(tokens) > 0 {\n\t\tt.Fatalf(\"lost tokens: %#v\", tokens)\n\t}\n}\n\nfunc TestRoundTrip(t *testing.T) {\n\ttests := map[string]string{\n\t\t\"trailing colon\": ``,\n\t\t\"comments in directives\": `--x --> > --x ]>`,\n\t}\n\tfor name, input := range tests {\n\t\tt.Run(name, func(t *testing.T) { testRoundTrip(t, input) })\n\t}\n}\n\nfunc TestParseErrors(t *testing.T) {\n\twithDefaultHeader := func(s string) string {\n\t\treturn `` + s\n\t}\n\ttests := []struct {\n\t\tsrc string\n\t\terr string\n\t}{\n\t\t{withDefaultHeader(``), `unexpected end element `},\n\t\t{withDefaultHeader(``), `element in space x closed by in space y`},\n\t\t{withDefaultHeader(``), `expected target name after `), `invalid sequence `), `invalid sequence `), `invalid baz`),\n\t\t\t`element in space zzz closed by in space \"\"`},\n\t\t{withDefaultHeader(\"\\xf1\"), `invalid UTF-8`},\n\n\t\t// Header-related errors.\n\t\t{``, `unsupported version \"1.1\"; only version 1.0 is supported`},\n\n\t\t// Cases below are for \"no errors\".\n\t\t{withDefaultHeader(``), ``},\n\t\t{withDefaultHeader(``), ``},\n\t}\n\n\tfor _, test := range tests {\n\t\td := NewDecoder(strings.NewReader(test.src))\n\t\tvar err error\n\t\tfor {\n\t\t\t_, err = d.Token()\n\t\t\tif err != nil {\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif test.err == \"\" {\n\t\t\tif err != io.EOF {\n\t\t\t\tt.Errorf(\"parse %s: have %q error, expected none\", test.src, err)\n\t\t\t}\n\t\t\tcontinue\n\t\t}\n\t\t// Inv: err != nil\n\t\tif err == io.EOF {\n\t\t\tt.Errorf(\"parse %s: unexpected EOF\", test.src)\n\t\t\tcontinue\n\t\t}\n\t\tif !strings.Contains(err.Error(), test.err) {\n\t\t\tt.Errorf(\"parse %s: can't find %q error substring\\nerror: %q\", test.src, test.err, err)\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\nconst testInputHTMLAutoClose = `\n
\n

\n

\n

\n
\n

\n

\n
abc

`\n\nfunc BenchmarkHTMLAutoClose(b *testing.B) {\n\tb.RunParallel(func(p *testing.PB) {\n\t\tfor p.Next() {\n\t\t\td := NewDecoder(strings.NewReader(testInputHTMLAutoClose))\n\t\t\td.Strict = false\n\t\t\td.AutoClose = HTMLAutoClose\n\t\t\td.Entity = HTMLEntity\n\t\t\tfor {\n\t\t\t\t_, err := d.Token()\n\t\t\t\tif err != nil {\n\t\t\t\t\tif err == io.EOF {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\t\t\t\t\tb.Fatalf(\"unexpected error: %v\", err)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t})\n}\n\nfunc TestHTMLAutoClose(t *testing.T) {\n\twantTokens := []Token{\n\t\tProcInst{\"xml\", []byte(`version=\"1.0\" encoding=\"UTF-8\"`)},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, false},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, true},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, true},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, false},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, false},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, false},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"BR\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"BR\"}, false},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"BR\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"BR\"}, true},\n\t\tStartElement{Name{\"\", \"BR\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"BR\"}, true},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"Br\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"Br\"}, false},\n\t\tCharData{data: []byte(\"\\n\")},\n\t\tStartElement{Name{\"\", \"BR\"}, []Attr{}, false, \"\"},\n\t\tEndElement{Name{\"\", \"BR\"}, false},\n\t\tStartElement{Name{\"\", \"span\"}, []Attr{{Name: Name{\"\", \"id\"}, Value: \"test\"}}, false, \"\"},\n\t\tCharData{data: []byte(\"abc\")},\n\t\tEndElement{Name{\"\", \"span\"}, false},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, true},\n\t\tStartElement{Name{\"\", \"br\"}, []Attr{}, true, \"\"},\n\t\tEndElement{Name{\"\", \"br\"}, true},\n\t}\n\n\td := NewDecoder(strings.NewReader(testInputHTMLAutoClose))\n\td.Strict = false\n\td.AutoClose = HTMLAutoClose\n\td.Entity = HTMLEntity\n\tvar haveTokens []Token\n\tfor {\n\t\ttok, err := d.Token()\n\t\tif err != nil {\n\t\t\tif err == io.EOF {\n\t\t\t\tbreak\n\t\t\t}\n\t\t\tt.Fatalf(\"unexpected error: %v\", err)\n\t\t}\n\t\thaveTokens = append(haveTokens, CopyToken(tok))\n\t}\n\tif len(haveTokens) != len(wantTokens) {\n\t\tt.Errorf(\"tokens count mismatch: have %d, want %d\", len(haveTokens), len(wantTokens))\n\t}\n\tfor i, want := range wantTokens {\n\t\tif i >= len(haveTokens) {\n\t\t\tt.Errorf(\"token[%d] expected %#v, have no token\", i, want)\n\t\t} else {\n\t\t\thave := haveTokens[i]\n\t\t\tif !reflect.DeepEqual(have, want) {\n\t\t\t\tt.Errorf(\"token[%d] mismatch:\\nhave: %#v\\nwant: %#v\", i, have, want)\n\t\t\t}\n\t\t}\n\t}\n}\n" }, { "path": "internal/tui/dependency-graph.go", "content": "package tui\n\nimport (\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"charm.land/lipgloss/v2\"\n\t\"deps.dev/util/resolve\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n)\n\ntype chainGraphNode struct {\n\tvk resolve.VersionKey\n\tisDirect bool // if this is a direct dependency\n\tdependents []*chainGraphNode\n\t// in this representation, the dependents are the children of this node\n\t// so the root of the tree is rendered at the bottom\n}\n\ntype ChainGraph struct {\n\t*chainGraphNode\n}\n\nfunc subgraphEdges(sg *resolution.DependencySubgraph, direct resolve.NodeID) []resolve.Edge {\n\t// find the shortest chain of edges from direct to the vulnerable node, excluding the root->direct edge.\n\t// return them in reverse order, with edges[0].To = sg.Dependency\n\tedges := make([]resolve.Edge, 0, sg.Nodes[0].Distance-1)\n\tnID := direct\n\tfor nID != sg.Dependency {\n\t\tn := sg.Nodes[nID]\n\t\tidx := slices.IndexFunc(n.Children, func(e resolve.Edge) bool { return sg.Nodes[e.To].Distance == n.Distance-1 })\n\t\tif idx < 0 {\n\t\t\tbreak\n\t\t}\n\t\tedge := n.Children[idx]\n\t\tedges = append(edges, edge)\n\t\tnID = edge.To\n\t}\n\tslices.Reverse(edges)\n\n\treturn edges\n}\n\n// FindChainGraphs constructs a graph of the shortest paths from each direct dependency to each unique vulnerable node\nfunc FindChainGraphs(subgraphs []*resolution.DependencySubgraph) []ChainGraph {\n\t// Construct the ChainGraphs\n\tret := make([]ChainGraph, 0, len(subgraphs))\n\tfor _, sg := range subgraphs {\n\t\tnodes := make(map[resolve.NodeID]*chainGraphNode)\n\t\tisDirect := func(nID resolve.NodeID) bool {\n\t\t\treturn slices.ContainsFunc(sg.Nodes[nID].Parents, func(e resolve.Edge) bool { return e.From == 0 })\n\t\t}\n\t\t// Create and add the vulnerable node to the returned graphs\n\t\tn := &chainGraphNode{\n\t\t\tvk: sg.Nodes[sg.Dependency].Version,\n\t\t\tdependents: nil,\n\t\t\tisDirect: isDirect(sg.Dependency),\n\t\t}\n\t\tret = append(ret, ChainGraph{n})\n\t\tnodes[sg.Dependency] = n\n\t\tfor _, startEdge := range sg.Nodes[0].Children {\n\t\t\t// Going up the chain, add the node to the previous' children if it's not there already\n\t\t\tfor _, e := range subgraphEdges(sg, startEdge.To) {\n\t\t\t\tp := nodes[e.To]\n\t\t\t\tn, ok := nodes[e.From]\n\t\t\t\tif !ok {\n\t\t\t\t\tn = &chainGraphNode{\n\t\t\t\t\t\tvk: sg.Nodes[e.From].Version,\n\t\t\t\t\t\tdependents: nil,\n\t\t\t\t\t\tisDirect: isDirect(e.From),\n\t\t\t\t\t}\n\t\t\t\t\tnodes[e.From] = n\n\t\t\t\t}\n\t\t\t\tif !slices.Contains(p.dependents, n) {\n\t\t\t\t\tp.dependents = append(p.dependents, n)\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn ret\n}\n\nfunc (c ChainGraph) String() string {\n\tif c.chainGraphNode == nil {\n\t\treturn \"\"\n\t}\n\ts, _ := c.subString(true)\n\t// Fill in the missing whitespace\n\tw := lipgloss.Width(s)\n\th := lipgloss.Height(s)\n\t// need to use w+1 to force lipgloss to place whitespace\n\treturn lipgloss.Place(w+1, h, lipgloss.Left, lipgloss.Top, s)\n}\n\nvar (\n\tdirectNodeStyle = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color(\"12\")).Margin(0, 1) // blue text\n\tvulnNodeStyle = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color(\"15\")).Background(lipgloss.Color(\"1\")).Padding(0, 1) // white on red background\n\tdirectVulnNodeStyle = lipgloss.NewStyle().Bold(true).Foreground(lipgloss.Color(\"15\")).Background(lipgloss.Color(\"5\")).Padding(0, 1) // white on purple background\n)\n\n// recursive construction of the visualized tree\n// returns the subtree and the offset for where a child should connect to this\nfunc (c *chainGraphNode) subString(isVuln bool) (string, int) {\n\tnodeStr := fmt.Sprintf(\"%s@%s\", c.vk.Name, c.vk.Version)\n\tswitch {\n\tcase isVuln && c.isDirect:\n\t\tnodeStr = directVulnNodeStyle.Render(nodeStr)\n\tcase isVuln:\n\t\tnodeStr = vulnNodeStyle.Render(nodeStr)\n\tcase c.isDirect:\n\t\tnodeStr = directNodeStyle.Render(nodeStr)\n\t}\n\tnodeOffset := lipgloss.Width(nodeStr) / 2\n\n\t// No children, just show the text\n\tif len(c.dependents) == 0 {\n\t\treturn nodeStr, nodeOffset\n\t}\n\n\t// one child, add a single line connecting this to the child above it\n\tif len(c.dependents) == 1 {\n\t\tchildStr, childCenter := c.dependents[0].subString(false)\n\t\tif nodeOffset > childCenter {\n\t\t\t// left-pad the child if the parent is wider\n\t\t\tchildStr = lipgloss.JoinHorizontal(lipgloss.Bottom, strings.Repeat(\" \", nodeOffset-childCenter), childStr)\n\t\t\tchildCenter = nodeOffset\n\t\t}\n\t\tnodeStr = strings.Repeat(\" \", childCenter-nodeOffset) + nodeStr\n\t\tjoinerStr := strings.Repeat(\" \", childCenter) + \"│\"\n\n\t\treturn fmt.Sprintf(\"%s\\n%s\\n%s\", childStr, joinerStr, nodeStr), childCenter\n\t}\n\n\t// multiple children:\n\t// Join the children together on one line\n\tnChilds := len(c.dependents)\n\tpaddedChildStrings := make([]string, 0, 2*nChilds) // string of children, with padding strings in between\n\tchildOffsets := make([]int, 0, nChilds) // where above the children to connect the lines to them\n\twidth := 0\n\tfor _, ch := range c.dependents {\n\t\tstr, off := ch.subString(false)\n\t\tpaddedChildStrings = append(paddedChildStrings, str, \" \")\n\t\tchildOffsets = append(childOffsets, width+off)\n\t\twidth += lipgloss.Width(str) + 1\n\t}\n\tjoinedChildren := lipgloss.JoinHorizontal(lipgloss.Bottom, paddedChildStrings...)\n\n\t// create the connecting line\n\t// connector bits: ┌ ─ â”ŧ ┐ â”Ŧ ┴ ┘ └\n\tfirstOffset := childOffsets[0]\n\tlastOffset := childOffsets[nChilds-1]\n\tvar midOffset int // where on the line to connect the parent\n\tif nChilds%2 == 0 {\n\t\t// if there's an even number of children, connect between the middle two\n\t\tmidOffset = (childOffsets[nChilds/2-1] + childOffsets[nChilds/2]) / 2\n\t} else {\n\t\t// otherwise, connect inline with the middle child\n\t\tmidOffset = childOffsets[nChilds/2]\n\t}\n\n\tline := make([]rune, lastOffset+1)\n\toffsetIdx := 0\n\tfor i := range line {\n\t\tswitch {\n\t\tcase i < firstOffset:\n\t\t\tline[i] = ' '\n\t\tcase i == firstOffset:\n\t\t\tline[i] = '└'\n\t\t\toffsetIdx++\n\t\tcase i == lastOffset:\n\t\t\tline[i] = '┘'\n\t\t\toffsetIdx++\n\t\tcase i == midOffset:\n\t\t\tif i == childOffsets[offsetIdx] {\n\t\t\t\tline[i] = 'â”ŧ'\n\t\t\t\toffsetIdx++\n\t\t\t} else {\n\t\t\t\tline[i] = 'â”Ŧ'\n\t\t\t}\n\t\tcase i == childOffsets[offsetIdx]:\n\t\t\tline[i] = '┴'\n\t\t\toffsetIdx++\n\t\tdefault:\n\t\t\tline[i] = '─'\n\t\t}\n\t}\n\n\t// join everything together\n\tlinedChildren := fmt.Sprintf(\"%s\\n%s\", joinedChildren, string(line))\n\tif nodeOffset > midOffset {\n\t\t// left-pad the children if the parent is wider\n\t\tlinedChildren = lipgloss.JoinHorizontal(lipgloss.Bottom, strings.Repeat(\" \", nodeOffset-midOffset), linedChildren)\n\t\tmidOffset = nodeOffset\n\t}\n\n\tnodeStr = strings.Repeat(\" \", midOffset-nodeOffset) + nodeStr\n\n\treturn fmt.Sprintf(\"%s\\n%s\", linedChildren, nodeStr), midOffset\n}\n" }, { "path": "internal/tui/in-place-info.go", "content": "package tui\n\nimport (\n\t\"fmt\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/table\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n)\n\n// A ViewModel showing the table of package upgrades and fixed vulnerabilities, for in-place upgrades.\n// Pressing 'enter' on a row shows the vulnerability details\ntype inPlaceInfo struct {\n\ttable.Model\n\n\tvulns []*resolution.Vulnerability\n\tcurrVulnInfo ViewModel\n\n\twidth int\n\theight int\n}\n\n//revive:disable-next-line:unexported-return\nfunc NewInPlaceInfo(res remediation.InPlaceResult) *inPlaceInfo {\n\tinfo := inPlaceInfo{width: ViewMinWidth, height: ViewMinHeight} // placeholder dimensions\n\tcols := []table.Column{\n\t\t{Title: \"PACKAGE\"},\n\t\t{Title: \"VERSION CHANGE\"},\n\t\t{Title: \"FIXED VULN\"},\n\t}\n\tfor i := range cols {\n\t\tcols[i].Width = lipgloss.Width(cols[i].Title)\n\t}\n\n\trows := make([]table.Row, 0, len(res.Patches))\n\tfor _, patch := range res.Patches {\n\t\t// Make a new row for each vulnerability\n\t\t// I wanted to have this as one entry with multiple vulnerabilities,\n\t\t// but tables don't let you have multi-line rows.\n\n\t\t// Put the package name only on the first row\n\t\trow := table.Row{\n\t\t\tpatch.Pkg.Name,\n\t\t\tfmt.Sprintf(\"%s → %s\", patch.OrigVersion, patch.NewVersion),\n\t\t\tpatch.ResolvedVulns[0].OSV.GetId(),\n\t\t}\n\t\t// Set each column to their widest element\n\t\tfor i, s := range row {\n\t\t\tif w := lipgloss.Width(s); w > cols[i].Width {\n\t\t\t\tcols[i].Width = w\n\t\t\t}\n\t\t}\n\t\trows = append(rows, row)\n\t\tinfo.vulns = append(info.vulns, &patch.ResolvedVulns[0])\n\n\t\t// use blank package name / bump for other vulns from same patch\n\t\tfor i, v := range patch.ResolvedVulns[1:] {\n\t\t\trow := table.Row{\n\t\t\t\t\"\",\n\t\t\t\t\"\",\n\t\t\t\tv.OSV.GetId(),\n\t\t\t}\n\t\t\trows = append(rows, row)\n\t\t\tinfo.vulns = append(info.vulns, &patch.ResolvedVulns[i+1])\n\t\t\tif w := lipgloss.Width(row[2]); w > cols[2].Width {\n\t\t\t\tcols[2].Width = w\n\t\t\t}\n\t\t}\n\t}\n\n\t// centre the version change strings\n\tcols[1].Title = lipgloss.PlaceHorizontal(cols[1].Width, lipgloss.Center, cols[1].Title)\n\tfor _, row := range rows {\n\t\trow[1] = lipgloss.PlaceHorizontal(cols[1].Width, lipgloss.Center, row[1])\n\t}\n\n\tst := table.DefaultStyles()\n\tst.Header = st.Header.Bold(false).BorderStyle(lipgloss.NormalBorder()).BorderBottom(true)\n\tst.Selected = st.Selected.Foreground(ColorPrimary)\n\n\tinfo.Model = table.New(\n\t\ttable.WithColumns(cols),\n\t\ttable.WithRows(rows),\n\t\ttable.WithWidth(info.width),\n\t\ttable.WithHeight(info.height),\n\t\ttable.WithFocused(true),\n\t\ttable.WithStyles(st),\n\t\ttable.WithKeyMap(table.KeyMap{\n\t\t\tLineUp: Keys.Up,\n\t\t\tLineDown: Keys.Down,\n\t\t\tPageUp: Keys.Left,\n\t\t\tPageDown: Keys.Right,\n\t\t}),\n\t)\n\n\treturn &info\n}\n\nfunc (ip *inPlaceInfo) Resize(w, h int) {\n\tip.width = w\n\tip.height = h\n\tip.SetWidth(w)\n\tip.SetHeight(h)\n\tif ip.currVulnInfo != nil {\n\t\tip.currVulnInfo.Resize(w, h)\n\t}\n}\n\nfunc (ip *inPlaceInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {\n\tvar cmd tea.Cmd\n\tif ip.currVulnInfo != nil {\n\t\tip.currVulnInfo, cmd = ip.currVulnInfo.Update(msg)\n\t\treturn ip, cmd\n\t}\n\tif msg, ok := msg.(tea.KeyPressMsg); ok {\n\t\tswitch {\n\t\tcase key.Matches(msg, Keys.Quit):\n\t\t\treturn ip, CloseViewModel\n\t\tcase key.Matches(msg, Keys.Select):\n\t\t\tvuln := ip.vulns[ip.Cursor()]\n\t\t\tip.currVulnInfo = NewVulnInfo(vuln)\n\t\t\tip.currVulnInfo.Resize(ip.Width(), ip.Height())\n\n\t\t\treturn ip, nil\n\t\t}\n\t}\n\tip.Model, cmd = ip.Model.Update(msg)\n\n\treturn ip, cmd\n}\n\nfunc (ip *inPlaceInfo) View() string {\n\tif ip.currVulnInfo != nil {\n\t\treturn ip.currVulnInfo.View()\n\t}\n\t// place the table in the centre of the view\n\treturn lipgloss.Place(ip.width, ip.height, lipgloss.Center, lipgloss.Center, ip.Model.View())\n}\n" }, { "path": "internal/tui/relock-info.go", "content": "package tui\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/key\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n)\n\n// A ViewModel showing the dependency changes, the removed, and added vulnerabilities\n// resulting from a proposed relock patch\ntype relockInfo struct {\n\tfixedHeight float64\n\tfixedList *vulnList\n\taddedList *vulnList\n\taddedFocused bool\n}\n\n//revive:disable-next-line:unexported-return\nfunc NewRelockInfo(change resolution.Difference) *relockInfo {\n\tinfo := relockInfo{fixedHeight: 1}\n\tpreamble := strings.Builder{}\n\tpreamble.WriteString(\"The following upgrades:\\n\")\n\tfor _, dep := range change.Deps {\n\t\tfmt.Fprintf(&preamble, \" %s@%s (%s) → @%s (%s)\\n\",\n\t\t\tdep.Pkg.Name, dep.OrigRequire, dep.OrigResolved, dep.NewRequire, dep.NewResolved)\n\t}\n\tpreamble.WriteString(\"Will resolve the following:\")\n\tfixedVulns := make([]*resolution.Vulnerability, len(change.RemovedVulns))\n\tfor i := range change.RemovedVulns {\n\t\tfixedVulns[i] = &change.RemovedVulns[i]\n\t}\n\tinfo.fixedList = NewVulnList(fixedVulns, preamble.String())\n\n\tif len(change.AddedVulns) == 0 {\n\t\treturn &info\n\t}\n\n\t// Create a second list showing introduced vulns\n\tnewVulns := make([]*resolution.Vulnerability, len(change.AddedVulns))\n\tfor i := range change.AddedVulns {\n\t\tnewVulns[i] = &change.AddedVulns[i]\n\t}\n\tinfo.addedList = NewVulnList(newVulns, \"But will introduce the following new vulns:\")\n\tinfo.addedList.Blur()\n\n\t// divide two lists by roughly how many lines each would have\n\tconst fixedMinHeight = 0.5\n\tconst fixedMaxHeight = 0.8\n\tfixed := float64(len(change.Deps) + len(fixedVulns))\n\tadded := float64(len(newVulns))\n\tinfo.fixedHeight = fixed / (fixed + added)\n\tif info.fixedHeight < fixedMinHeight {\n\t\tinfo.fixedHeight = fixedMinHeight\n\t}\n\tif info.fixedHeight > fixedMaxHeight {\n\t\tinfo.fixedHeight = fixedMaxHeight\n\t}\n\n\treturn &info\n}\n\nfunc (r *relockInfo) Resize(w, h int) {\n\tfixedHeight := int(r.fixedHeight * float64(h))\n\tr.fixedList.Resize(w, fixedHeight)\n\tif r.addedList != nil {\n\t\tr.addedList.Resize(w, h-fixedHeight)\n\t}\n}\n\nfunc (r *relockInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {\n\tvar cmds []tea.Cmd\n\n\t// check if we're trying to scroll past the end of one of the lists\n\tif msg, ok := msg.(tea.KeyPressMsg); ok && r.addedList != nil {\n\t\t// scrolling up out of the added list\n\t\tif r.addedFocused &&\n\t\t\tr.addedList.Index() == 0 &&\n\t\t\tkey.Matches(msg, Keys.Up) {\n\t\t\tr.addedFocused = false\n\t\t\tr.addedList.Blur()\n\t\t\tr.fixedList.Focus()\n\n\t\t\treturn r, nil\n\t\t}\n\t\t// scrolling down out of fixed list\n\t\tif !r.addedFocused &&\n\t\t\tr.fixedList.Index() == len(r.fixedList.Items())-1 &&\n\t\t\tkey.Matches(msg, Keys.Down) {\n\t\t\tr.addedFocused = true\n\t\t\tr.addedList.Focus()\n\t\t\tr.fixedList.Blur()\n\n\t\t\treturn r, nil\n\t\t}\n\t}\n\n\t// do normal updates\n\tl, cmd := r.fixedList.Update(msg)\n\tr.fixedList = l.(*vulnList)\n\tcmds = append(cmds, cmd)\n\n\tif r.addedList != nil {\n\t\tl, cmd := r.addedList.Update(msg)\n\t\tr.addedList = l.(*vulnList)\n\t\tcmds = append(cmds, cmd)\n\t}\n\n\treturn r, tea.Batch(cmds...)\n}\n\nfunc (r *relockInfo) View() string {\n\tif r.addedList == nil || r.fixedList.currVulnInfo != nil {\n\t\treturn r.fixedList.View()\n\t}\n\tif r.addedList.currVulnInfo != nil {\n\t\treturn r.addedList.View()\n\t}\n\n\treturn lipgloss.JoinVertical(lipgloss.Center, r.fixedList.View(), r.addedList.View())\n}\n" }, { "path": "internal/tui/severity.go", "content": "package tui\n\nimport (\n\t\"fmt\"\n\t\"image/color\"\n\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nvar (\n\tseverityColor = map[string]color.Color{\n\t\t\"UNKNOWN\": lipgloss.Color(\"243\"), // grey\n\t\t\"NONE\": lipgloss.Color(\"243\"), // grey\n\t\t\"LOW\": lipgloss.Color(\"28\"), // green\n\t\t\"MEDIUM\": lipgloss.Color(\"208\"), // orange\n\t\t\"HIGH\": lipgloss.Color(\"160\"), // red\n\t\t\"CRITICAL\": lipgloss.Color(\"88\"), // dark red\n\t}\n\tseverityStyle = lipgloss.NewStyle().\n\t\t\tForeground(lipgloss.Color(\"15\")). // white\n\t\t\tBold(true).\n\t\t\tAlign(lipgloss.Center)\n)\n\nfunc RenderSeverity(severities []*osvschema.Severity) string {\n\ttext := \"UNKNOWN\"\n\tscore, rating, _ := severity.CalculateOverallScore(severities)\n\tif rating != \"UNKNOWN\" {\n\t\ttext = fmt.Sprintf(\"%1.1f %s\", score, rating)\n\t}\n\n\treturn severityStyle.Width(16).Background(severityColor[rating]).Render(text)\n}\n\nfunc RenderSeverityShort(severities []*osvschema.Severity) string {\n\tscore, rating, _ := severity.CalculateOverallScore(severities)\n\tscoreStr := fmt.Sprintf(\"%1.1f\", score)\n\tif rating == \"UNKNOWN\" {\n\t\tscoreStr = \"???\"\n\t}\n\n\treturn severityStyle.Width(5).Background(severityColor[rating]).Render(scoreStr)\n}\n" }, { "path": "internal/tui/styles.go", "content": "package tui\n\nimport (\n\t\"charm.land/lipgloss/v2\"\n\t\"charm.land/lipgloss/v2/compat\"\n)\n\nvar (\n\tColorPrimary = lipgloss.Color(\"#e62129\") // Red, from the OSV logo :)\n\tColorDisabled = compat.AdaptiveColor{ // Grey\n\t\tLight: lipgloss.Color(\"250\"),\n\t\tDark: lipgloss.Color(\"238\"),\n\t}\n)\n\nvar (\n\tSelectedTextStyle = lipgloss.NewStyle().Foreground(ColorPrimary)\n\tDisabledTextStyle = lipgloss.NewStyle().Foreground(ColorDisabled)\n)\n\n// View dimensions\n// width / height refers to the internal text area of the view\n// i.e. excluding the border and the padding\nconst (\n\tViewMinHeight = 20 // the minimum internal height the view can be\n\tViewVPad = 1 // the vertical padding of the view\n\n\tViewMinWidth = 60 // the minimum internal width the view can be\n\tViewWidthPct = 0.4 // percentage of terminal internal width the main view should occupy\n\tViewHPad = 2 // the horizontal padding of the view\n)\n" }, { "path": "internal/tui/tui.go", "content": "// Package tui provides a terminal user interface for guided remediation.\npackage tui\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\t\"time\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/spinner\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n)\n\ntype KeyMap struct {\n\tUp key.Binding\n\tDown key.Binding\n\tLeft key.Binding\n\tRight key.Binding\n\tSelect key.Binding\n\tSwitchView key.Binding\n\tHelp key.Binding\n\tQuit key.Binding\n}\n\nfunc (k KeyMap) ShortHelp() []key.Binding {\n\treturn []key.Binding{k.Help, k.Quit}\n}\n\nfunc (k KeyMap) FullHelp() [][]key.Binding {\n\treturn [][]key.Binding{\n\t\t{k.Up, k.Down},\n\t\t{k.Select, k.SwitchView},\n\t\t{k.Help, k.Quit},\n\t}\n}\n\nvar Keys = KeyMap{\n\tUp: key.NewBinding(\n\t\tkey.WithKeys(\"up\"),\n\t\tkey.WithHelp(\"↑\", \"move up\"),\n\t),\n\tDown: key.NewBinding(\n\t\tkey.WithKeys(\"down\"),\n\t\tkey.WithHelp(\"↓\", \"move down\"),\n\t),\n\tLeft: key.NewBinding(\n\t\tkey.WithKeys(\"left\"),\n\t),\n\tRight: key.NewBinding(\n\t\tkey.WithKeys(\"right\"),\n\t),\n\tSelect: key.NewBinding(\n\t\tkey.WithKeys(\"enter\"),\n\t\tkey.WithHelp(\"enter\", \"select option\"),\n\t),\n\tSwitchView: key.NewBinding(\n\t\tkey.WithKeys(\"tab\", \"i\"),\n\t\tkey.WithHelp(\"i/tab\", \"switch views\"),\n\t),\n\tHelp: key.NewBinding(\n\t\tkey.WithKeys(\"h\"),\n\t\tkey.WithHelp(\"h\", \"toggle help\"),\n\t),\n\tQuit: key.NewBinding(\n\t\tkey.WithKeys(\"q\", \"esc\"),\n\t\tkey.WithHelp(\"q/esc\", \"exit\"),\n\t),\n}\n\n// NewSpinner creates a stylised spinner\nfunc NewSpinner() spinner.Model {\n\tsp := spinner.New(spinner.WithSpinner(spinner.Line))\n\t// Spinner.FPS is actually the duration of each frame, not the frames per second\n\tsp.Spinner.FPS = 200 * time.Millisecond\n\n\treturn sp\n}\n\n// RenderSelectorOption provides an inline selector renderer, for layouts that don't fit neatly into a list/table\nfunc RenderSelectorOption(\n\tselected bool, // whether this line is currently highlighted\n\tcursor string, // the cursor to display before the line, if it's selected\n\tformat string, // format string for the content. Should only use `%v` specifier\n\targs ...any, // args for the format string. These will be highlighted if the line is selected\n) string {\n\tif !selected {\n\t\tcursor = strings.Repeat(\" \", lipgloss.Width(cursor))\n\t} else {\n\t\tcursor = SelectedTextStyle.Render(cursor)\n\t\tfor i := range args {\n\t\t\targs[i] = SelectedTextStyle.Render(fmt.Sprintf(\"%v\", args[i]))\n\t\t}\n\t}\n\n\treturn fmt.Sprintf(cursor+format, args...)\n}\n\n// ViewModel provides a tea-like model for representing the secondary info panel\n// which allows for resizing\ntype ViewModel interface {\n\tUpdate(msg tea.Msg) (ViewModel, tea.Cmd)\n\tView() string\n\tResize(w, h int)\n}\n\n// ViewModelCloseMsg provides a message to close the ViewModel\ntype ViewModelCloseMsg struct{}\n\nvar CloseViewModel tea.Cmd = func() tea.Msg { return ViewModelCloseMsg{} }\n" }, { "path": "internal/tui/vuln-info.go", "content": "package tui\n\nimport (\n\t\"fmt\"\n\t\"os\"\n\t\"strings\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/viewport\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/glamour/v2\"\n\t\"charm.land/glamour/v2/ansi\"\n\t\"charm.land/glamour/v2/styles\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/muesli/reflow/wordwrap\"\n)\n\n// ViewModel to display the details of a specific vulnerability\ntype vulnInfo struct {\n\tvuln *resolution.Vulnerability\n\tchainGraphs []ChainGraph\n\n\twidth int\n\theight int\n\tcursor int\n\n\tnumDetailLines int // number of lines to show for details in the main view\n\tmdStyle ansi.StyleConfig // markdown styling for details\n\n\tviewport viewport.Model // used for scrolling onlyDetails & onlyGraphs views\n\tonlyDetails bool // if the details screen is open\n\tonlyGraphs bool // if the affected screen is open\n}\n\nvar (\n\tvulnInfoHeadingStyle = lipgloss.NewStyle().\n\t\t\t\tBold(true).\n\t\t\t\tWidth(10).\n\t\t\t\tMarginRight(2).\n\t\t\t\tForeground(ColorPrimary)\n\thighlightedVulnInfoHeadingStyle = vulnInfoHeadingStyle.Reverse(true)\n)\n\n//revive:disable-next-line:unexported-return\nfunc NewVulnInfo(vuln *resolution.Vulnerability) *vulnInfo {\n\tv := vulnInfo{\n\t\tvuln: vuln,\n\t\twidth: ViewMinWidth,\n\t\theight: ViewMinHeight,\n\t\tcursor: 0,\n\t\tnumDetailLines: 5,\n\t\tviewport: viewport.New(viewport.WithWidth(ViewMinWidth), viewport.WithHeight(20)),\n\t}\n\tv.viewport.KeyMap = viewport.KeyMap{\n\t\tUp: Keys.Up,\n\t\tDown: Keys.Down,\n\t\tPageUp: Keys.Left,\n\t\tPageDown: Keys.Right,\n\t}\n\n\t// remove the padding/margins from the default markdown style\n\tif lipgloss.HasDarkBackground(os.Stdin, os.Stdout) {\n\t\tv.mdStyle = styles.DarkStyleConfig\n\t} else {\n\t\tv.mdStyle = styles.LightStyleConfig\n\t}\n\t*v.mdStyle.Document.Margin = 0\n\tv.mdStyle.Document.BlockPrefix = \"\"\n\n\tv.chainGraphs = FindChainGraphs(vuln.Subgraphs)\n\n\treturn &v\n}\n\nfunc (v *vulnInfo) Resize(w, h int) {\n\tv.width = w\n\tv.height = h\n\tv.viewport.SetWidth(w)\n\tv.viewport.SetHeight(h)\n\tif v.onlyDetails {\n\t\tv.viewport.SetContent(v.detailsOnlyView())\n\t}\n}\n\nfunc (v *vulnInfo) Update(msg tea.Msg) (ViewModel, tea.Cmd) {\n\tif v.onlyDetails || v.onlyGraphs {\n\t\tif msg, ok := msg.(tea.KeyPressMsg); ok {\n\t\t\tif key.Matches(msg, Keys.Quit) {\n\t\t\t\tv.onlyDetails = false\n\t\t\t\tv.onlyGraphs = false\n\n\t\t\t\treturn v, nil\n\t\t\t}\n\t\t}\n\t\tvar cmd tea.Cmd\n\t\tv.viewport, cmd = v.viewport.Update(msg)\n\n\t\treturn v, cmd\n\t}\n\tif msg, ok := msg.(tea.KeyPressMsg); ok {\n\t\tswitch {\n\t\tcase key.Matches(msg, Keys.Quit):\n\t\t\treturn nil, nil\n\t\tcase key.Matches(msg, Keys.Down):\n\t\t\tif v.cursor < 4 {\n\t\t\t\tv.cursor++\n\t\t\t}\n\t\tcase key.Matches(msg, Keys.Up):\n\t\t\tif v.cursor > 0 {\n\t\t\t\tv.cursor--\n\t\t\t}\n\t\tcase key.Matches(msg, Keys.Select):\n\t\t\tif v.cursor == 3 {\n\t\t\t\tv.onlyDetails = true\n\t\t\t\tv.viewport.SetContent(v.detailsOnlyView())\n\t\t\t\tv.viewport.GotoTop()\n\t\t\t}\n\t\t\tif v.cursor == 4 {\n\t\t\t\tv.onlyGraphs = true\n\t\t\t\tv.viewport.SetContent(v.graphOnlyView())\n\t\t\t\tv.viewport.GotoTop()\n\t\t\t}\n\t\t}\n\t}\n\n\treturn v, nil\n}\n\nfunc (v *vulnInfo) View() string {\n\tif v.onlyDetails || v.onlyGraphs {\n\t\treturn v.viewport.View()\n\t}\n\n\tdetailWidth := v.width - (vulnInfoHeadingStyle.GetWidth() + vulnInfoHeadingStyle.GetMarginRight())\n\n\tvID := v.vuln.OSV.GetId()\n\tsev := RenderSeverity(v.vuln.OSV.GetSeverity())\n\tsum := wordwrap.String(v.vuln.OSV.GetSummary(), detailWidth)\n\n\tvar det string\n\tr, err := glamour.NewTermRenderer(\n\t\tglamour.WithStyles(v.mdStyle),\n\t\tglamour.WithWordWrap(detailWidth),\n\t)\n\tif err == nil {\n\t\tdet, err = r.Render(v.vuln.OSV.GetDetails())\n\t}\n\tif err != nil {\n\t\tdet = v.fallbackDetails(detailWidth)\n\t}\n\tdet = lipgloss.NewStyle().MaxHeight(v.numDetailLines).Render(det)\n\n\ts := strings.Builder{}\n\ts.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,\n\t\tv.headingStyle(0).Render(\"ID:\"), vID))\n\ts.WriteString(\"\\n\")\n\ts.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,\n\t\tv.headingStyle(1).Render(\"Severity:\"), sev))\n\ts.WriteString(\"\\n\")\n\ts.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,\n\t\tv.headingStyle(2).Render(\"Summary:\"), sum))\n\ts.WriteString(\"\\n\")\n\ts.WriteString(lipgloss.JoinHorizontal(lipgloss.Top,\n\t\tv.headingStyle(3).Render(\"Details:\"), det))\n\ts.WriteString(\"\\n\")\n\ts.WriteString(v.headingStyle(4).Render(\"Affected:\"))\n\ts.WriteString(\"\\n\")\n\tif len(v.chainGraphs) == 0 {\n\t\ts.WriteString(\"ERROR: could not resolve any affected paths\\n\")\n\t\treturn s.String()\n\t}\n\ts.WriteString(lipgloss.NewStyle().MaxWidth(v.width).Render(v.chainGraphs[0].String()))\n\ts.WriteString(\"\\n\")\n\tif len(v.chainGraphs) > 1 {\n\t\ts.WriteString(DisabledTextStyle.Render(fmt.Sprintf(\"+%d other paths\", len(v.chainGraphs)-1)))\n\t\ts.WriteString(\"\\n\")\n\t}\n\n\treturn s.String()\n}\n\nfunc (v *vulnInfo) detailsOnlyView() string {\n\ts := strings.Builder{}\n\ts.WriteString(vulnInfoHeadingStyle.Render(\"Details:\"))\n\ts.WriteString(\"\\n\")\n\tvar det string\n\tr, err := glamour.NewTermRenderer(\n\t\tglamour.WithStyles(v.mdStyle),\n\t\tglamour.WithWordWrap(v.width),\n\t)\n\tif err == nil {\n\t\tdet, err = r.Render(v.vuln.OSV.GetDetails())\n\t}\n\tif err != nil {\n\t\tdet = v.fallbackDetails(v.width)\n\t}\n\ts.WriteString(det)\n\n\treturn s.String()\n}\n\nfunc (v *vulnInfo) graphOnlyView() string {\n\t// TODO: some graphs still get clipped on the right side\n\t// need horizontal scrolling, but that's not supported by the bubbles viewport\n\t// and it's difficult to implement\n\ts := strings.Builder{}\n\ts.WriteString(vulnInfoHeadingStyle.Render(\"Affected:\"))\n\tstrs := make([]string, 0, 2*len(v.chainGraphs)) // 2x to include padding newlines between graphs\n\tfor _, g := range v.chainGraphs {\n\t\tstrs = append(strs, \"\\n\", g.String())\n\t}\n\ts.WriteString(lipgloss.JoinVertical(lipgloss.Center, strs...))\n\n\treturn s.String()\n}\n\nfunc (v *vulnInfo) headingStyle(idx int) lipgloss.Style {\n\tif idx == v.cursor {\n\t\treturn highlightedVulnInfoHeadingStyle\n\t}\n\n\treturn vulnInfoHeadingStyle\n}\n\nfunc (v *vulnInfo) fallbackDetails(width int) string {\n\t// Use raw details if markdown rendering fails for whatever reason\n\treturn wordwrap.String(v.vuln.OSV.GetDetails(), width)\n}\n" }, { "path": "internal/tui/vuln-list.go", "content": "package tui\n\nimport (\n\t\"cmp\"\n\t\"fmt\"\n\t\"io\"\n\t\"slices\"\n\n\t\"charm.land/bubbles/v2/key\"\n\t\"charm.land/bubbles/v2/list\"\n\ttea \"charm.land/bubbletea/v2\"\n\t\"charm.land/lipgloss/v2\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/muesli/reflow/truncate\"\n)\n\n// A ViewModel list of vulnerabilities,\n// selectable to show details\ntype vulnList struct {\n\t// There is a table model that could be used for this instead,\n\t// but there is much less control over the styling of the cells\n\tlist.Model\n\n\tpreamble string // text to write above vuln list\n\tcurrVulnInfo ViewModel // selected vulnerability\n\n\tdelegate list.ItemDelegate // default item renderer\n\tblurred bool // whether the cursor should be hidden and input disabled\n}\n\n//revive:disable-next-line:unexported-return\nfunc NewVulnList(vulns []*resolution.Vulnerability, preamble string) *vulnList {\n\tvl := vulnList{preamble: preamble}\n\t// Sort the vulns by descending severity, then ID\n\tvulns = slices.Clone(vulns)\n\tslices.SortFunc(vulns, func(a, b *resolution.Vulnerability) int {\n\t\taScoreFloat, aRating, _ := severity.CalculateOverallScore(a.OSV.GetSeverity())\n\t\taScore := int(aScoreFloat * 10) // CVSS scores are only to 1dp\n\t\tif aRating == \"UNKNOWN\" {\n\t\t\taScore = 999 // Sort unknown before critical\n\t\t}\n\t\tbScoreFloat, bRating, _ := severity.CalculateOverallScore(b.OSV.GetSeverity())\n\t\tbScore := int(bScoreFloat * 10) // CVSS scores are only to 1dp\n\t\tif bRating == \"UNKNOWN\" {\n\t\t\tbScore = 999 // Sort unknown before critical\n\t\t}\n\n\t\tif c := cmp.Compare(aScore, bScore); c != 0 {\n\t\t\treturn -c\n\t\t}\n\n\t\treturn cmp.Compare(a.OSV.GetId(), b.OSV.GetId())\n\t})\n\titems := make([]list.Item, 0, len(vulns))\n\tdelegate := vulnListItemDelegate{idWidth: 0}\n\tfor _, v := range vulns {\n\t\titems = append(items, vulnListItem{v})\n\t\tif w := lipgloss.Width(v.OSV.GetId()); w > delegate.idWidth {\n\t\t\tdelegate.idWidth = w\n\t\t}\n\t}\n\tl := list.New(items, delegate, ViewMinWidth, ViewMinHeight-vl.preambleHeight())\n\tl.SetFilteringEnabled(false)\n\tl.SetShowStatusBar(false)\n\tl.SetShowHelp(false)\n\tl.DisableQuitKeybindings()\n\tl.KeyMap = list.KeyMap{\n\t\tCursorUp: Keys.Up,\n\t\tCursorDown: Keys.Down,\n\t\tNextPage: Keys.Right,\n\t\tPrevPage: Keys.Left,\n\t}\n\tl.Styles.TitleBar = lipgloss.NewStyle().PaddingLeft(2).Width(ViewMinWidth).BorderStyle(lipgloss.NormalBorder()).BorderBottom(true)\n\tl.Styles.Title = lipgloss.NewStyle()\n\tl.Title = fmt.Sprintf(\"%s %s %s\",\n\t\tlipgloss.NewStyle().Width(delegate.idWidth).Render(\"VULN ID\"),\n\t\t\" SEV \", // intentional spacing, scores always 5 wide\n\t\t\"SUMMARY\",\n\t)\n\tvl.Model = l\n\tvl.delegate = delegate\n\n\treturn &vl\n}\n\nfunc (v *vulnList) preambleHeight() int {\n\tif len(v.preamble) == 0 {\n\t\treturn 0\n\t}\n\n\treturn lipgloss.Height(v.preamble)\n}\n\nfunc (v *vulnList) Resize(w, h int) {\n\tv.SetWidth(w)\n\tv.SetHeight(h - v.preambleHeight())\n\tv.Styles.TitleBar = v.Styles.TitleBar.Width(w)\n\tif v.currVulnInfo != nil {\n\t\tv.currVulnInfo.Resize(w, h)\n\t}\n}\n\nfunc (v *vulnList) Update(msg tea.Msg) (ViewModel, tea.Cmd) {\n\tif v.blurred {\n\t\treturn v, nil\n\t}\n\tvar cmd tea.Cmd\n\tif v.currVulnInfo != nil {\n\t\tv.currVulnInfo, cmd = v.currVulnInfo.Update(msg)\n\t\treturn v, cmd\n\t}\n\tif msg, ok := msg.(tea.KeyPressMsg); ok {\n\t\tswitch {\n\t\tcase key.Matches(msg, Keys.Quit):\n\t\t\treturn v, CloseViewModel\n\t\tcase key.Matches(msg, Keys.Select):\n\t\t\tvuln := v.SelectedItem().(vulnListItem)\n\t\t\tv.currVulnInfo = NewVulnInfo(vuln.Vulnerability)\n\t\t\tv.currVulnInfo.Resize(v.Width(), v.Height())\n\n\t\t\treturn v, nil\n\t\t}\n\t}\n\tif v.currVulnInfo == nil {\n\t\tv.Model, cmd = v.Model.Update(msg)\n\t}\n\n\treturn v, cmd\n}\n\nfunc (v *vulnList) View() string {\n\tif v.currVulnInfo != nil {\n\t\treturn v.currVulnInfo.View()\n\t}\n\tstr := v.Model.View()\n\tif len(v.preamble) > 0 {\n\t\tstr = lipgloss.JoinVertical(lipgloss.Left, v.preamble, str)\n\t}\n\n\treturn str\n}\n\nfunc (v *vulnList) Blur() {\n\tv.blurred = true\n\tv.SetDelegate(blurredDelegate{v.delegate})\n}\n\nfunc (v *vulnList) Focus() {\n\tv.blurred = false\n\tv.SetDelegate(v.delegate)\n}\n\n// Helpers for the list.Model\ntype vulnListItem struct {\n\t*resolution.Vulnerability\n}\n\nfunc (v vulnListItem) FilterValue() string {\n\treturn v.OSV.GetId()\n}\n\ntype vulnListItemDelegate struct {\n\tidWidth int\n}\n\nfunc (d vulnListItemDelegate) Height() int { return 1 }\nfunc (d vulnListItemDelegate) Spacing() int { return 0 }\nfunc (d vulnListItemDelegate) Update(tea.Msg, *list.Model) tea.Cmd { return nil }\n\nfunc (d vulnListItemDelegate) Render(w io.Writer, m list.Model, index int, listItem list.Item) {\n\tvuln, ok := listItem.(vulnListItem)\n\tif !ok {\n\t\treturn\n\t}\n\tcursor := \" \"\n\tidStyle := lipgloss.NewStyle().Width(d.idWidth).Align(lipgloss.Left)\n\tif index == m.Index() {\n\t\tcursor = SelectedTextStyle.Render(\">\")\n\t\tidStyle = idStyle.Inherit(SelectedTextStyle)\n\t}\n\tid := idStyle.Render(vuln.OSV.GetId())\n\tsev := RenderSeverityShort(vuln.OSV.GetSeverity())\n\tstr := fmt.Sprintf(\"%s %s %s \", cursor, id, sev)\n\tfmt.Fprint(w, str)\n\tfmt.Fprint(w, truncate.StringWithTail(vuln.OSV.GetSummary(), uint(m.Width()-lipgloss.Width(str)), \"â€Ļ\")) //nolint:gosec\n}\n\n// workaround item delegate wrapper to stop the selected item from being shown as selected\ntype blurredDelegate struct {\n\tlist.ItemDelegate\n}\n\nfunc (d blurredDelegate) Render(w io.Writer, m list.Model, _ int, listItem list.Item) {\n\td.ItemDelegate.Render(w, m, -1, listItem)\n}\n" }, { "path": "internal/url/url.go", "content": "// Copyright 2019 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n// Package url provides functionality for converting file paths to file URLs.\n//\n// Code copied from\n// https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url.go\n// TODO(golang.org/issue/32456): If accepted, move these functions into the\n// net/url package.\npackage url\n\nimport (\n\t\"errors\"\n\t\"net/url\"\n\t\"path/filepath\"\n\t\"strings\"\n)\n\nvar errNotAbsolute = errors.New(\"path is not absolute\")\n\nfunc FromFilePath(path string) (*url.URL, error) {\n\tif !filepath.IsAbs(path) {\n\t\treturn nil, errNotAbsolute\n\t}\n\n\t// If path has a Windows volume name, convert the volume to a host and prefix\n\t// per https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/.\n\tif vol := filepath.VolumeName(path); vol != \"\" {\n\t\tif strings.HasPrefix(vol, `\\\\`) {\n\t\t\tpath = filepath.ToSlash(path[2:])\n\t\t\ti := strings.IndexByte(path, '/')\n\n\t\t\tif i < 0 {\n\t\t\t\t// A degenerate case.\n\t\t\t\t// \\\\host.example.com (without a share name)\n\t\t\t\t// becomes\n\t\t\t\t// file://host.example.com/\n\t\t\t\treturn &url.URL{\n\t\t\t\t\tScheme: \"file\",\n\t\t\t\t\tHost: path,\n\t\t\t\t\tPath: \"/\",\n\t\t\t\t}, nil\n\t\t\t}\n\n\t\t\t// \\\\host.example.com\\Share\\path\\to\\file\n\t\t\t// becomes\n\t\t\t// file://host.example.com/Share/path/to/file\n\t\t\treturn &url.URL{\n\t\t\t\tScheme: \"file\",\n\t\t\t\tHost: path[:i],\n\t\t\t\tPath: filepath.ToSlash(path[i:]),\n\t\t\t}, nil\n\t\t}\n\n\t\t// C:\\path\\to\\file\n\t\t// becomes\n\t\t// file:///C:/path/to/file\n\t\treturn &url.URL{\n\t\t\tScheme: \"file\",\n\t\t\tPath: \"/\" + filepath.ToSlash(path),\n\t\t}, nil\n\t}\n\n\t// /path/to/file\n\t// becomes\n\t// file:///path/to/file\n\treturn &url.URL{\n\t\tScheme: \"file\",\n\t\tPath: filepath.ToSlash(path),\n\t}, nil\n}\n" }, { "path": "internal/url/url_other_test.go", "content": "// Copyright 2019 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\n//go:build !windows\n\npackage url\n\n// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_other_test.go\n\nvar urlTests = []struct {\n\turl string\n\tfilePath string\n\tcanonicalURL string // If empty, assume equal to url.\n\twantErr string\n}{\n\t// Examples from RFC 8089:\n\t{\n\t\turl: `file:///path/to/file`,\n\t\tfilePath: `/path/to/file`,\n\t},\n\t{\n\t\turl: `file:/path/to/file`,\n\t\tfilePath: `/path/to/file`,\n\t\tcanonicalURL: `file:///path/to/file`,\n\t},\n\t{\n\t\turl: `file://localhost/path/to/file`,\n\t\tfilePath: `/path/to/file`,\n\t\tcanonicalURL: `file:///path/to/file`,\n\t},\n\n\t// We reject non-local files.\n\t{\n\t\turl: `file://host.example.com/path/to/file`,\n\t\twantErr: \"file URL specifies non-local host\",\n\t},\n}\n" }, { "path": "internal/url/url_test.go", "content": "// Copyright 2019 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage url\n\nimport (\n\t\"testing\"\n)\n\n// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_test.go\n\nfunc TestURLFromFilePath(t *testing.T) {\n\tt.Parallel()\n\n\tfor _, tc := range urlTests {\n\t\tif tc.filePath == \"\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tt.Run(tc.filePath, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tu, err := FromFilePath(tc.filePath)\n\t\t\tif err != nil {\n\t\t\t\tif err.Error() == tc.wantErr {\n\t\t\t\t\treturn\n\t\t\t\t}\n\t\t\t\tif tc.wantErr == \"\" {\n\t\t\t\t\tt.Fatalf(\"urlFromFilePath(%v): %v; want \", tc.filePath, err)\n\t\t\t\t} else {\n\t\t\t\t\tt.Fatalf(\"urlFromFilePath(%v): %v; want %s\", tc.filePath, err, tc.wantErr)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif tc.wantErr != \"\" {\n\t\t\t\tt.Fatalf(\"urlFromFilePath(%v) = ; want error: %s\", tc.filePath, tc.wantErr)\n\t\t\t}\n\n\t\t\twantURL := tc.url\n\t\t\tif tc.canonicalURL != \"\" {\n\t\t\t\twantURL = tc.canonicalURL\n\t\t\t}\n\t\t\tif u.String() != wantURL {\n\t\t\t\tt.Errorf(\"urlFromFilePath(%v) = %v; want %s\", tc.filePath, u, wantURL)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/url/url_windows_test.go", "content": "// Copyright 2019 The Go Authors. All rights reserved.\n// Use of this source code is governed by a BSD-style\n// license that can be found in the LICENSE file.\n\npackage url\n\n// Code copied from https://github.com/golang/go/blob/7c2b69080a0b9e35174cc9c93497b6e7176f8275/src/cmd/go/internal/web/url_windows_test.go\n\nvar urlTests = []struct {\n\turl string\n\tfilePath string\n\tcanonicalURL string // If empty, assume equal to url.\n\twantErr string\n}{\n\t// Examples from https://blogs.msdn.microsoft.com/ie/2006/12/06/file-uris-in-windows/:\n\n\t{\n\t\turl: `file://laptop/My%20Documents/FileSchemeURIs.doc`,\n\t\tfilePath: `\\\\laptop\\My Documents\\FileSchemeURIs.doc`,\n\t},\n\t{\n\t\turl: `file:///C:/Documents%20and%20Settings/davris/FileSchemeURIs.doc`,\n\t\tfilePath: `C:\\Documents and Settings\\davris\\FileSchemeURIs.doc`,\n\t},\n\t{\n\t\turl: `file:///D:/Program%20Files/Viewer/startup.htm`,\n\t\tfilePath: `D:\\Program Files\\Viewer\\startup.htm`,\n\t},\n\t{\n\t\turl: `file:///C:/Program%20Files/Music/Web%20Sys/main.html?REQUEST=RADIO`,\n\t\tfilePath: `C:\\Program Files\\Music\\Web Sys\\main.html`,\n\t\tcanonicalURL: `file:///C:/Program%20Files/Music/Web%20Sys/main.html`,\n\t},\n\t{\n\t\turl: `file://applib/products/a-b/abc_9/4148.920a/media/start.swf`,\n\t\tfilePath: `\\\\applib\\products\\a-b\\abc_9\\4148.920a\\media\\start.swf`,\n\t},\n\t{\n\t\turl: `file:////applib/products/a%2Db/abc%5F9/4148.920a/media/start.swf`,\n\t\twantErr: \"file URL missing drive letter\",\n\t},\n\t{\n\t\turl: `C:\\Program Files\\Music\\Web Sys\\main.html?REQUEST=RADIO`,\n\t\twantErr: \"non-file URL\",\n\t},\n\n\t// The example \"file://D:\\Program Files\\Viewer\\startup.htm\" errors out in\n\t// url.Parse, so we substitute a slash-based path for testing instead.\n\t{\n\t\turl: `file://D:/Program Files/Viewer/startup.htm`,\n\t\twantErr: \"file URL encodes volume in host field: too few slashes?\",\n\t},\n\n\t// The blog post discourages the use of non-ASCII characters because they\n\t// depend on the user's current codepage. However, when we are working with Go\n\t// strings we assume UTF-8 encoding, and our url package refuses to encode\n\t// URLs to non-ASCII strings.\n\t{\n\t\turl: `file:///C:/exampleㄓ.txt`,\n\t\tfilePath: `C:\\exampleㄓ.txt`,\n\t\tcanonicalURL: `file:///C:/example%E3%84%93.txt`,\n\t},\n\t{\n\t\turl: `file:///C:/example%E3%84%93.txt`,\n\t\tfilePath: `C:\\exampleㄓ.txt`,\n\t},\n\n\t// Examples from RFC 8089:\n\n\t// We allow the drive-letter variation from section E.2, because it is\n\t// simpler to support than not to. However, we do not generate the shorter\n\t// form in the reverse direction.\n\t{\n\t\turl: `file:c:/path/to/file`,\n\t\tfilePath: `c:\\path\\to\\file`,\n\t\tcanonicalURL: `file:///c:/path/to/file`,\n\t},\n\n\t// We encode the UNC share name as the authority following section E.3.1,\n\t// because that is what the Microsoft blog post explicitly recommends.\n\t{\n\t\turl: `file://host.example.com/Share/path/to/file.txt`,\n\t\tfilePath: `\\\\host.example.com\\Share\\path\\to\\file.txt`,\n\t},\n\n\t// We decline the four- and five-slash variations from section E.3.2.\n\t// The paths in these URLs would change meaning under path.Clean.\n\t{\n\t\turl: `file:////host.example.com/path/to/file`,\n\t\twantErr: \"file URL missing drive letter\",\n\t},\n\t{\n\t\turl: `file://///host.example.com/path/to/file`,\n\t\twantErr: \"file URL missing drive letter\",\n\t},\n}\n" }, { "path": "internal/utility/depgroup/devgroup.go", "content": "// Package depgroups provides functionality for working with dependency groups.\npackage depgroups\n\nimport (\n\t\"slices\"\n\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\n// IsDevGroup returns if any string in groups indicates the development dependency group for the specified ecosystem.\nfunc IsDevGroup(sys osvconstants.Ecosystem, groups []string) bool {\n\tvar dev string\n\tswitch sys {\n\tcase osvconstants.EcosystemPackagist, osvconstants.EcosystemNPM, osvconstants.EcosystemPyPI, osvconstants.EcosystemPub:\n\t\tdev = \"dev\"\n\tcase osvconstants.EcosystemConanCenter:\n\t\tdev = \"build-requires\"\n\tcase osvconstants.EcosystemMaven:\n\t\tdev = \"test\"\n\tdefault:\n\t\t// We are not able to report development dependencies for these ecosystems.\n\t\treturn false\n\t}\n\n\treturn slices.Contains(groups, dev)\n}\n" }, { "path": "internal/utility/maven/maven.go", "content": "// Package maven provides utility functions for working with Maven projects.\npackage maven\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"deps.dev/util/maven\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/datasource\"\n)\n\nconst (\n\tOriginManagement = \"management\"\n\tOriginParent = \"parent\"\n\tOriginPlugin = \"plugin\"\n\tOriginProfile = \"profile\"\n)\n\n// MaxParent sets a limit on the number of parents to avoid indefinite loop.\nconst MaxParent = 100\n\n// MergeParents parses local accessible parent pom.xml or fetches it from\n// upstream, merges into root project, then interpolate the properties.\n// result holds the merged Maven project.\n// current holds the current parent project to merge.\n// start indicates the index of the current parent project, which is used to\n// check if the packaging has to be `pom`.\n// allowLocal indicates whether parsing local parent pom.xml is allowed.\n// path holds the path to the current pom.xml, which is used to compute the\n// relative path of parent.\nfunc MergeParents(ctx context.Context, mavenClient *datasource.MavenRegistryAPIClient, result *maven.Project, current maven.Parent, start int, path string, allowLocal bool) error {\n\tcurrentPath := path\n\tvisited := make(map[maven.ProjectKey]bool, MaxParent)\n\tfor n := start; n < MaxParent; n++ {\n\t\tif current.GroupID == \"\" || current.ArtifactID == \"\" || current.Version == \"\" {\n\t\t\tbreak\n\t\t}\n\t\tif visited[current.ProjectKey] {\n\t\t\t// A cycle of parents is detected\n\t\t\treturn errors.New(\"a cycle of parents is detected\")\n\t\t}\n\t\tvisited[current.ProjectKey] = true\n\n\t\tvar proj maven.Project\n\t\tparentFound := false\n\t\tif allowLocal {\n\t\t\tif parentPath := ParentPOMPath(currentPath, string(current.RelativePath)); parentPath != \"\" {\n\t\t\t\tcurrentPath = parentPath\n\t\t\t\tf, err := os.Open(parentPath)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to open parent file %s: %w\", parentPath, err)\n\t\t\t\t}\n\t\t\t\terr = datasource.NewMavenDecoder(f).Decode(&proj)\n\t\t\t\tf.Close()\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn fmt.Errorf(\"failed to unmarshal project: %w\", err)\n\t\t\t\t}\n\t\t\t\tif ProjectKey(proj) == current.ProjectKey && proj.Packaging == \"pom\" {\n\t\t\t\t\t// Only mark parent is found when the identifiers and packaging are exptected.\n\t\t\t\t\tparentFound = true\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif !parentFound {\n\t\t\t// Once we fetch a parent pom.xml from upstream, we should not\n\t\t\t// allow parsing parent pom.xml locally anymore.\n\t\t\tallowLocal = false\n\n\t\t\tvar err error\n\t\t\tif proj, err = mavenClient.GetProject(ctx, string(current.GroupID), string(current.ArtifactID), string(current.Version)); err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to get Maven project %s:%s:%s: %w\", current.GroupID, current.ArtifactID, current.Version, err)\n\t\t\t}\n\t\t\tif n > 0 && proj.Packaging != \"pom\" {\n\t\t\t\t// A parent project should only be of \"pom\" packaging type.\n\t\t\t\treturn fmt.Errorf(\"invalid packaging for parent project %s\", proj.Packaging)\n\t\t\t}\n\t\t\tif ProjectKey(proj) != current.ProjectKey {\n\t\t\t\t// The identifiers in parent does not match what we want.\n\t\t\t\treturn fmt.Errorf(\"parent identifiers mismatch: %v, expect %v\", proj.ProjectKey, current.ProjectKey)\n\t\t\t}\n\t\t}\n\t\t// Empty JDK and ActivationOS indicates merging the default profiles.\n\t\tif err := result.MergeProfiles(\"\", maven.ActivationOS{}); err != nil {\n\t\t\treturn fmt.Errorf(\"failed to merge profiles: %w\", err)\n\t\t}\n\t\tfor _, repo := range proj.Repositories {\n\t\t\tif err := mavenClient.AddRegistry(datasource.MavenRegistry{\n\t\t\t\tURL: string(repo.URL),\n\t\t\t\tID: string(repo.ID),\n\t\t\t\tReleasesEnabled: repo.Releases.Enabled.Boolean(),\n\t\t\t\tSnapshotsEnabled: repo.Snapshots.Enabled.Boolean(),\n\t\t\t}); err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to add registry %s: %w\", repo.URL, err)\n\t\t\t}\n\t\t}\n\t\tresult.MergeParent(proj)\n\t\tcurrent = proj.Parent\n\t}\n\t// Interpolate the project to resolve the properties.\n\treturn result.Interpolate()\n}\n\n// ProjectKey returns a project key with empty groupId/version\n// filled by corresponding fields in parent.\nfunc ProjectKey(proj maven.Project) maven.ProjectKey {\n\tif proj.GroupID == \"\" {\n\t\tproj.GroupID = proj.Parent.GroupID\n\t}\n\tif proj.Version == \"\" {\n\t\tproj.Version = proj.Parent.Version\n\t}\n\n\treturn proj.ProjectKey\n}\n\n// ParentPOMPath resolves the path to the parent POM in the same manner as Maven.\n//\n// That is, it first looks for the parent POM in the 'relativePath' directory,\n// then in the parent directory, and finally in the remote repository.\nfunc ParentPOMPath(currentPath, relativePath string) string {\n\tif relativePath == \"\" {\n\t\trelativePath = \"../pom.xml\"\n\t}\n\tpath := filepath.Join(filepath.Dir(currentPath), relativePath)\n\tif info, err := os.Stat(path); err == nil {\n\t\tif !info.IsDir() {\n\t\t\treturn path\n\t\t}\n\t\t// Current path is a directory, so look for pom.xml in the directory.\n\t\tpath = filepath.Join(path, \"pom.xml\")\n\t\tif _, err := os.Stat(path); err == nil {\n\t\t\treturn path\n\t\t}\n\t}\n\n\treturn \"\"\n}\n\n// GetDependencyManagement returns managed dependencies in the specified Maven project by fetching remote pom.xml.\nfunc GetDependencyManagement(ctx context.Context, client *datasource.MavenRegistryAPIClient, groupID, artifactID, version maven.String) (maven.DependencyManagement, error) {\n\troot := maven.Parent{ProjectKey: maven.ProjectKey{GroupID: groupID, ArtifactID: artifactID, Version: version}}\n\tvar result maven.Project\n\t// To get dependency management from another project, we need the\n\t// project with parents merged, so we call MergeParents by passing\n\t// an empty project.\n\tif err := MergeParents(ctx, client.WithoutRegistries(), &result, root, 0, \"\", false); err != nil {\n\t\treturn maven.DependencyManagement{}, err\n\t}\n\n\treturn result.DependencyManagement, nil\n}\n\n// CompareVersions compares two Maven semver versions with special behaviour for specific packages,\n// producing more desirable ordering using non-standard comparison.\nfunc CompareVersions(vk resolve.VersionKey, a *semver.Version, b *semver.Version) int {\n\tif a == nil || b == nil {\n\t\tif a == nil {\n\t\t\treturn -1\n\t\t}\n\n\t\treturn 1\n\t}\n\n\tif vk.Name == \"com.google.guava:guava\" {\n\t\t// com.google.guava:guava has 'flavors' with versions ending with -jre or -android.\n\t\t// https://github.com/google/guava/wiki/ReleasePolicy#flavors\n\t\t// To preserve the flavor in updates, we make the opposite flavor considered the earliest versions.\n\n\t\t// Old versions have '22.0' and '22.0-android', and even older version don't have any flavors.\n\t\t// Only check for the android flavor, and assume its jre otherwise.\n\t\twantAndroid := strings.HasSuffix(vk.Version, \"-android\")\n\n\t\taIsAndroid := strings.HasSuffix(a.String(), \"-android\")\n\t\tbIsAndroid := strings.HasSuffix(b.String(), \"-android\")\n\n\t\tif aIsAndroid == bIsAndroid {\n\t\t\treturn a.Compare(b)\n\t\t}\n\n\t\tif aIsAndroid == wantAndroid {\n\t\t\treturn 1\n\t\t}\n\n\t\treturn -1\n\t}\n\n\t// Old versions of apache commons-* libraries (commons-io:commons-io, commons-math:commons-math, etc.)\n\t// used date-based versions (e.g. 20040118.003354), which naturally sort after the more recent semver versions.\n\t// We manually force the date versions to come before the others to prevent downgrades.\n\tif strings.HasPrefix(vk.Name, \"commons-\") {\n\t\t// All date-based versions of these packages seem to be in the years 2002-2005.\n\t\t// It's extremely unlikely we'd see any versions dated before 1999 or after 2010.\n\t\t// It's also unlikely we'd see any major versions of these packages reach up to 200.0.0.\n\t\t// Checking if the version starts with \"200\" should therefore be sufficient to determine if it's a year.\n\t\taCal := strings.HasPrefix(a.String(), \"200\")\n\t\tbCal := strings.HasPrefix(b.String(), \"200\")\n\n\t\tif aCal == bCal {\n\t\t\treturn a.Compare(b)\n\t\t}\n\n\t\tif aCal {\n\t\t\treturn -1\n\t\t}\n\n\t\treturn 1\n\t}\n\n\treturn a.Compare(b)\n}\n" }, { "path": "internal/utility/maven/maven_test.go", "content": "package maven_test\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/semver\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/maven\"\n)\n\nfunc TestParentPOMPath(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tcurrentPath, relativePath string\n\t\twant string\n\t}{\n\t\t// testdata\n\t\t// |- maven\n\t\t// | |- my-app\n\t\t// | | |- pom.xml\n\t\t// | |- parent\n\t\t// | | |- pom.xml\n\t\t// |- pom.xml\n\t\t{\n\t\t\t// Parent path is specified correctly.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"my-app\", \"pom.xml\"),\n\t\t\trelativePath: \"../parent/pom.xml\",\n\t\t\twant: filepath.Join(\"testdata\", \"parent\", \"pom.xml\"),\n\t\t},\n\t\t{\n\t\t\t// Wrong file name is specified in relative path.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"my-app\", \"pom.xml\"),\n\t\t\trelativePath: \"../parent/abc.xml\",\n\t\t\twant: \"\",\n\t\t},\n\t\t{\n\t\t\t// Wrong directory is specified in relative path.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"my-app\", \"pom.xml\"),\n\t\t\trelativePath: \"../not-found/pom.xml\",\n\t\t\twant: \"\",\n\t\t},\n\t\t{\n\t\t\t// Only directory is specified.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"my-app\", \"pom.xml\"),\n\t\t\trelativePath: \"../parent\",\n\t\t\twant: filepath.Join(\"testdata\", \"parent\", \"pom.xml\"),\n\t\t},\n\t\t{\n\t\t\t// Parent relative path is default to '../pom.xml'.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"my-app\", \"pom.xml\"),\n\t\t\trelativePath: \"\",\n\t\t\twant: filepath.Join(\"testdata\", \"pom.xml\"),\n\t\t},\n\t\t{\n\t\t\t// No pom.xml is found even in the default path.\n\t\t\tcurrentPath: filepath.Join(\"testdata\", \"pom.xml\"),\n\t\t\trelativePath: \"\",\n\t\t\twant: \"\",\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tgot := maven.ParentPOMPath(tt.currentPath, tt.relativePath)\n\t\tif got != tt.want {\n\t\t\tt.Errorf(\"ParentPOMPath(%s, %s): got %s, want %s\", tt.currentPath, tt.relativePath, got, tt.want)\n\t\t}\n\t}\n}\n\nfunc TestCompareVersions(t *testing.T) {\n\tt.Parallel()\n\n\tversionKey := func(name string, version string) resolve.VersionKey {\n\t\treturn resolve.VersionKey{\n\t\t\tPackageKey: resolve.PackageKey{\n\t\t\t\tSystem: resolve.Maven,\n\t\t\t\tName: name,\n\t\t\t},\n\t\t\tVersion: version,\n\t\t}\n\t}\n\tsemVer := func(version string) *semver.Version {\n\t\tparsed, _ := resolve.Maven.Semver().Parse(version)\n\t\treturn parsed\n\t}\n\n\ttests := []struct {\n\t\tvk resolve.VersionKey\n\t\ta, b *semver.Version\n\t\twant int\n\t}{\n\t\t{\n\t\t\tversionKey(\"abc:xyz\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\t0,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"abc:xyz\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\tsemVer(\"2.3.4\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\tsemVer(\"2.3.4\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3-jre\"),\n\t\t\tsemVer(\"2.3.4-jre\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3-android\"),\n\t\t\tsemVer(\"2.3.4-android\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0\"),\n\t\t\tsemVer(\"2.3.4-android\"),\n\t\t\tsemVer(\"1.2.3-jre\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0-jre\"),\n\t\t\tsemVer(\"1.2.3-android\"),\n\t\t\tsemVer(\"1.2.3-jre\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"com.google.guava:guava\", \"1.0.0-android\"),\n\t\t\tsemVer(\"1.2.3-android\"),\n\t\t\tsemVer(\"1.2.3-jre\"),\n\t\t\t1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"commons-io:commons-io\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\tsemVer(\"2.3.4\"),\n\t\t\t-1,\n\t\t},\n\t\t{\n\t\t\tversionKey(\"commons-io:commons-io\", \"1.0.0\"),\n\t\t\tsemVer(\"1.2.3\"),\n\t\t\tsemVer(\"20010101.000000\"),\n\t\t\t1,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tgot := maven.CompareVersions(tt.vk, tt.a, tt.b)\n\t\tif got != tt.want {\n\t\t\tt.Errorf(\"CompareVersions(%v, %v, %v): got %b, want %b\", tt.vk, tt.a, tt.b, got, tt.want)\n\t\t}\n\t}\n}\n" }, { "path": "internal/utility/maven/testdata/my-app/pom.xml", "content": "\n\n\n org.test\n my-app\n 1.0.0\n\n\n" }, { "path": "internal/utility/maven/testdata/parent/pom.xml", "content": "\n\n\n org.test\n parent-pom\n 1.0.0\n\n\n" }, { "path": "internal/utility/maven/testdata/pom.xml", "content": "\n\n\n org.test\n test\n 1.0.0\n\n\n" }, { "path": "internal/utility/purl/composer.go", "content": "package purl\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc FromComposer(packageInfo models.PackageInfo) (namespace string, name string, err error) {\n\tnameParts := strings.Split(packageInfo.Name, \"/\")\n\tif len(nameParts) != 2 {\n\t\terr = fmt.Errorf(\"invalid packagist package_name (%s)\", packageInfo.Name)\n\n\t\treturn\n\t}\n\tnamespace = nameParts[0]\n\tname = nameParts[1]\n\n\treturn\n}\n" }, { "path": "internal/utility/purl/composer_test.go", "content": "package purl_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\nfunc TestComposerExtraction_shouldExtractPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCase := struct {\n\t\tpackageInfo models.PackageInfo\n\t\texpectedNamespace string\n\t\texpectedName string\n\t}{\n\t\tpackageInfo: models.PackageInfo{\n\t\t\tName: \"symfony/yaml\",\n\t\t\tVersion: \"7.0.0\",\n\t\t\tEcosystem: string(osvconstants.EcosystemPackagist),\n\t\t\tCommit: \"\",\n\t\t},\n\t\texpectedNamespace: \"symfony\",\n\t\texpectedName: \"yaml\",\n\t}\n\n\tnamespace, name, err := purl.FromComposer(testCase.packageInfo)\n\n\tif err != nil {\n\t\tt.Errorf(\"Extraction didn't succeed, package has been wrongfully filtered\")\n\t}\n\tif namespace != testCase.expectedNamespace {\n\t\tt.Errorf(\"got %s; want %s\", namespace, testCase.expectedNamespace)\n\t}\n\tif name != testCase.expectedName {\n\t\tt.Errorf(\"got %s; want %s\", name, testCase.expectedName)\n\t}\n}\n\nfunc TestComposerExtraction_shouldFilterPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCases := []struct {\n\t\tname string\n\t\tpackageInfo models.PackageInfo\n\t}{\n\t\t{\n\t\t\tname: \"when_package_contains_less_than_2_parts\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"symfony\",\n\t\t\t\tVersion: \"7.0.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemPackagist),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"when_package_have_no_name\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"\",\n\t\t\t\tVersion: \"7.0.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemPackagist),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range testCases {\n\t\ttestCase := test\n\t\tt.Run(testCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t_, _, err := purl.FromComposer(testCase.packageInfo)\n\n\t\t\tif err == nil {\n\t\t\t\tt.Errorf(\"Package %v should have been filtered\\n\", testCase.packageInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/purl/golang.go", "content": "package purl\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc FromGo(packageInfo models.PackageInfo) (namespace string, name string, err error) {\n\tnameParts := strings.Split(packageInfo.Name, \"/\")\n\tif len(nameParts) == 0 || len(packageInfo.Name) == 0 {\n\t\terr = fmt.Errorf(\"invalid golang package_name (%s)\", packageInfo.Name)\n\n\t\treturn\n\t}\n\n\tif len(nameParts) > 1 {\n\t\tnamespace = strings.Join(nameParts[:len(nameParts)-1], \"/\")\n\t}\n\tname = nameParts[len(nameParts)-1]\n\n\treturn\n}\n" }, { "path": "internal/utility/purl/golang_test.go", "content": "package purl_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\nfunc TestGolangExtraction_shouldExtractPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCases := []struct {\n\t\tname string\n\t\tpackageInfo models.PackageInfo\n\t\texpectedNamespace string\n\t\texpectedName string\n\t}{\n\t\t{\n\t\t\tname: \"when_package_comes_from_go_registry\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"golang.org/x/mod\",\n\t\t\t\tVersion: \"v0.14.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemGo),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t\texpectedNamespace: \"golang.org/x\",\n\t\t\texpectedName: \"mod\",\n\t\t},\n\t\t{\n\t\t\tname: \"when_package_comes_from_github\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"github.com/urfave/cli/v2\",\n\t\t\t\tVersion: \"v2.26.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemGo),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t\texpectedNamespace: \"github.com/urfave/cli\",\n\t\t\texpectedName: \"v2\",\n\t\t},\n\t\t{\n\t\t\tname: \"when_package_uses_a_domain\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"go.opencensus.io\",\n\t\t\t\tVersion: \"v0.24.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemGo),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t\texpectedNamespace: \"\",\n\t\t\texpectedName: \"go.opencensus.io\",\n\t\t},\n\t}\n\n\tfor _, test := range testCases {\n\t\ttestCase := test\n\t\tt.Run(testCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tnamespace, name, err := purl.FromGo(testCase.packageInfo)\n\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"Extraction didn't succeed, package has been wrongfully filtered\")\n\t\t\t}\n\t\t\tif namespace != testCase.expectedNamespace {\n\t\t\t\tt.Errorf(\"got %s; want %s\", namespace, testCase.expectedNamespace)\n\t\t\t}\n\t\t\tif name != testCase.expectedName {\n\t\t\t\tt.Errorf(\"got %s; want %s\", name, testCase.expectedName)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc TestGolangExtraction_shouldFilterPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCases := []struct {\n\t\tname string\n\t\tpackageInfo models.PackageInfo\n\t}{\n\t\t{\n\t\t\tname: \"when_package_have_no_name\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"\",\n\t\t\t\tVersion: \"v2.26.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemGo),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range testCases {\n\t\ttestCase := test\n\t\tt.Run(testCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t_, _, err := purl.FromGo(testCase.packageInfo)\n\n\t\t\tif err == nil {\n\t\t\t\tt.Errorf(\"Package %v should have been filtered\\n\", testCase.packageInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/purl/maven.go", "content": "package purl\n\nimport (\n\t\"fmt\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc FromMaven(packageInfo models.PackageInfo) (namespace string, name string, err error) {\n\tnameParts := strings.Split(packageInfo.Name, \":\")\n\tif len(nameParts) != 2 {\n\t\terr = fmt.Errorf(\"invalid maven package_name(%s)\", packageInfo.Name)\n\t\treturn\n\t}\n\tnamespace = nameParts[0]\n\tname = nameParts[1]\n\n\treturn\n}\n" }, { "path": "internal/utility/purl/maven_test.go", "content": "package purl_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\nfunc TestMavenExtraction_shouldExtractPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCase := struct {\n\t\tpackageInfo models.PackageInfo\n\t\texpectedNamespace string\n\t\texpectedName string\n\t}{\n\t\tpackageInfo: models.PackageInfo{\n\t\t\tName: \"log4j:log4j-core\",\n\t\t\tVersion: \"1.2.17\",\n\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\tCommit: \"\",\n\t\t},\n\t\texpectedNamespace: \"log4j\",\n\t\texpectedName: \"log4j-core\",\n\t}\n\n\tnamespace, name, err := purl.FromMaven(testCase.packageInfo)\n\n\tif err != nil {\n\t\tt.Errorf(\"Extraction didn't succeed, package has been wrongfully filtered\")\n\t}\n\tif namespace != testCase.expectedNamespace {\n\t\tt.Errorf(\"got %s; want %s\", namespace, testCase.expectedNamespace)\n\t}\n\tif name != testCase.expectedName {\n\t\tt.Errorf(\"got %s; want %s\", name, testCase.expectedName)\n\t}\n}\n\nfunc TestMavenExtraction_shouldFilterPackages(t *testing.T) {\n\tt.Parallel()\n\ttestCases := []struct {\n\t\tname string\n\t\tpackageInfo models.PackageInfo\n\t}{\n\t\t{\n\t\t\tname: \"when_package_contains_less_than_2_parts\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"log4j\",\n\t\t\t\tVersion: \"1.2.17\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"when_package_have_no_name\",\n\t\t\tpackageInfo: models.PackageInfo{\n\t\t\t\tName: \"\",\n\t\t\t\tVersion: \"1.2.17\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\tCommit: \"\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, test := range testCases {\n\t\ttestCase := test\n\t\tt.Run(testCase.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t_, _, err := purl.FromMaven(testCase.packageInfo)\n\n\t\t\tif err == nil {\n\t\t\t\tt.Errorf(\"Package %v should have been filtered\\n\", testCase.packageInfo)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/purl/package_grouper.go", "content": "package purl\n\nimport (\n\t\"slices\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// Group takes a list of packages, and group them in a map using their PURL\n// as key It is a way to have only one instance of each package, even if some has\n// been detected multiple times. If the function fails to create a PURL from a\n// package, it generates an error, continue to group the other packages and\n// reports both grouped packages and all generated errors.\nfunc Group(packageSources []models.PackageSource) (map[string]models.PackageVulns, []error) {\n\tuniquePackages := make(map[string]models.PackageVulns)\n\terrors := make([]error, 0)\n\n\tfor _, packageSource := range packageSources {\n\t\tfor _, pkg := range packageSource.Packages {\n\t\t\tpackageURL, err := FromPackage(pkg.Package)\n\t\t\tif err != nil {\n\t\t\t\terrors = append(errors, err)\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tpackageVulns, packageExists := uniquePackages[packageURL.ToString()]\n\t\t\tif packageExists {\n\t\t\t\t// Entry already exists, we need to merge slices which are not expected to be the exact same\n\t\t\t\tpackageVulns.DepGroups = append(packageVulns.DepGroups, pkg.DepGroups...)\n\n\t\t\t\tuniquePackages[packageURL.ToString()] = packageVulns\n\t\t\t} else {\n\t\t\t\t// Entry does not exist yet, lets create it\n\t\t\t\tnewPackageVuln := models.PackageVulns{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: pkg.Package.Name,\n\t\t\t\t\t\tVersion: pkg.Package.Version,\n\t\t\t\t\t\tEcosystem: pkg.Package.Ecosystem,\n\t\t\t\t\t\tDeprecated: pkg.Package.Deprecated,\n\t\t\t\t\t},\n\t\t\t\t\tDepGroups: slices.Clone(pkg.DepGroups),\n\t\t\t\t\tVulnerabilities: slices.Clone(pkg.Vulnerabilities),\n\t\t\t\t\tGroups: slices.Clone(pkg.Groups),\n\t\t\t\t\tLicenses: slices.Clone(pkg.Licenses),\n\t\t\t\t\tLicenseViolations: slices.Clone(pkg.LicenseViolations),\n\t\t\t\t}\n\n\t\t\t\tuniquePackages[packageURL.ToString()] = newPackageVuln\n\t\t\t}\n\t\t}\n\t}\n\n\treturn uniquePackages, errors\n}\n" }, { "path": "internal/utility/purl/package_grouper_test.go", "content": "package purl_test\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc TestGroupPackageByPURL_ShouldUnifyPackages(t *testing.T) {\n\tt.Parallel()\n\tinput := []models.PackageSource{\n\t\t{\n\t\t\tSource: models.SourceInfo{\n\t\t\t\tPath: \"/dir/lockfile.xml\",\n\t\t\t\tType: \"\",\n\t\t\t},\n\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:the-first-package\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t},\n\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t{Id: \"GHSA-456\"},\n\t\t\t\t\t},\n\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDs: []string{\"GHSA-456\"},\n\t\t\t\t\t\t\tAliases: []string{\"GHSA-456\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tDepGroups: []string{\"build\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:the-first-package\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t},\n\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t{Id: \"GHSA-456\"},\n\t\t\t\t\t},\n\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDs: []string{\"GHSA-456\"},\n\t\t\t\t\t\t\tAliases: []string{\"GHSA-456\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:the-first-package\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t},\n\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t{Id: \"GHSA-456\"},\n\t\t\t\t\t},\n\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDs: []string{\"GHSA-456\"},\n\t\t\t\t\t\t\tAliases: []string{\"GHSA-456\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:package-2\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tSource: models.SourceInfo{\n\t\t\t\tPath: \"/dir2/lockfile.json\",\n\t\t\t\tType: \"\",\n\t\t\t},\n\t\t\tPackages: []models.PackageVulns{\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:the-first-package\",\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t},\n\t\t\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t\t\t{Id: \"GHSA-456\"},\n\t\t\t\t\t},\n\t\t\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tIDs: []string{\"GHSA-456\"},\n\t\t\t\t\t\t\tAliases: []string{\"GHSA-456\"},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tDepGroups: []string{\"test\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tPackage: models.PackageInfo{\n\t\t\t\t\t\tName: \"foo.bar:package-2\",\n\t\t\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tresult, errors := purl.Group(input)\n\n\texpected := map[string]models.PackageVulns{\n\t\t\"pkg:maven/foo.bar/the-first-package@1.0.0\": {\n\t\t\tPackage: models.PackageInfo{\n\t\t\t\tName: \"foo.bar:the-first-package\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t},\n\t\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t\t{Id: \"GHSA-456\"},\n\t\t\t},\n\t\t\tGroups: []models.GroupInfo{\n\t\t\t\t{\n\t\t\t\t\tIDs: []string{\"GHSA-456\"},\n\t\t\t\t\tAliases: []string{\"GHSA-456\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\tDepGroups: []string{\"build\", \"test\"},\n\t\t},\n\t\t\"pkg:maven/foo.bar/package-2@1.0.0\": {\n\t\t\tPackage: models.PackageInfo{\n\t\t\t\tName: \"foo.bar:package-2\",\n\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t},\n\t\t},\n\t}\n\n\tif len(errors) > 0 {\n\t\tt.Errorf(\"Unexpected errors: %v\", errors)\n\t}\n\tif len(result) != len(expected) {\n\t\tt.Errorf(\"Expected %d packages, got %d\", len(expected), len(result))\n\t}\n\tfor expectedPURL, expectedInfo := range expected {\n\t\tinfo, exists := result[expectedPURL]\n\n\t\tif !exists {\n\t\t\tt.Errorf(\"Expected package %s to be in the results\", expectedPURL)\n\t\t}\n\t\tif !reflect.DeepEqual(info, expectedInfo) {\n\t\t\tt.Errorf(\"Expected package %s to be %v, got %v\", expectedPURL, expectedInfo, info)\n\t\t}\n\t}\n}\n" }, { "path": "internal/utility/purl/purl.go", "content": "// Package purl provides functionality for working with PURLs.\npackage purl\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/package-url/packageurl-go\"\n)\n\ntype ParameterExtractor func(packageInfo models.PackageInfo) (namespace string, name string, err error)\n\nvar EcosystemToPURLMapper = map[osvconstants.Ecosystem]string{\n\tosvconstants.EcosystemMaven: packageurl.TypeMaven,\n\tosvconstants.EcosystemGo: packageurl.TypeGolang,\n\tosvconstants.EcosystemPackagist: packageurl.TypeComposer,\n\tosvconstants.EcosystemPyPI: packageurl.TypePyPi,\n\tosvconstants.EcosystemRubyGems: packageurl.TypeGem,\n\tosvconstants.EcosystemNuGet: packageurl.TypeNuget,\n\tosvconstants.EcosystemNPM: packageurl.TypeNPM,\n\tosvconstants.EcosystemConanCenter: packageurl.TypeConan,\n\tosvconstants.EcosystemCratesIO: packageurl.TypeCargo,\n\tosvconstants.EcosystemPub: packageurl.TypePub,\n\tosvconstants.EcosystemHex: packageurl.TypeHex,\n\tosvconstants.EcosystemCRAN: packageurl.TypeCran,\n}\n\nvar ecosystemPURLExtractor = map[osvconstants.Ecosystem]ParameterExtractor{\n\tosvconstants.EcosystemMaven: FromMaven,\n\tosvconstants.EcosystemGo: FromGo,\n\tosvconstants.EcosystemPackagist: FromComposer,\n}\n\nfunc FromPackage(packageInfo models.PackageInfo) (*packageurl.PackageURL, error) {\n\tvar namespace string\n\tvar name string\n\tversion := packageInfo.Version\n\teco, err := osvecosystem.Parse(packageInfo.Ecosystem)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\tpurlType, typeExists := EcosystemToPURLMapper[eco.Ecosystem]\n\tparameterExtractor, extractorExists := ecosystemPURLExtractor[eco.Ecosystem]\n\n\tif !typeExists {\n\t\treturn nil, fmt.Errorf(\"unable to determine purl type of %s@%s (%s)\", packageInfo.Name, packageInfo.Version, packageInfo.Ecosystem)\n\t}\n\n\tif extractorExists {\n\t\tvar err error\n\t\tnamespace, name, err = parameterExtractor(packageInfo)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t} else {\n\t\tname = packageInfo.Name\n\t}\n\n\treturn packageurl.NewPackageURL(purlType, namespace, name, version, nil, \"\"), nil\n}\n" }, { "path": "internal/utility/purl/purl_to_package.go", "content": "package purl\n\nimport (\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/package-url/packageurl-go\"\n)\n\n// used like so: purlEcosystems[PkgURL.Type][PkgURL.Namespace]\n// * means it should match any namespace string\nvar purlEcosystems = map[string]map[string]osvconstants.Ecosystem{\n\t\"apk\": {\"alpine\": osvconstants.EcosystemAlpine},\n\t\"cargo\": {\"*\": osvconstants.EcosystemCratesIO},\n\t\"composer\": {\"*\": osvconstants.EcosystemPackagist},\n\t\"conan\": {\"*\": osvconstants.EcosystemConanCenter},\n\t\"cran\": {\"*\": osvconstants.EcosystemCRAN},\n\t\"deb\": {\n\t\t\"debian\": osvconstants.EcosystemDebian,\n\t\t\"ubuntu\": osvconstants.EcosystemUbuntu,\n\t},\n\t\"gem\": {\"*\": osvconstants.EcosystemRubyGems},\n\t// We don't yet have a GIT ecosystem which aligns with the generic type better.\n\t// \"generic\": {\"*\": osvconstants.EcosystemOSSFuzz},\n\t\"github\": {\"*\": osvconstants.EcosystemGitHubActions},\n\t\"golang\": {\"*\": osvconstants.EcosystemGo},\n\t\"hackage\": {\"*\": osvconstants.EcosystemHackage},\n\t\"hex\": {\"*\": osvconstants.EcosystemHex},\n\t\"k8s\": {\"*\": osvconstants.EcosystemKubernetes},\n\t\"maven\": {\"*\": osvconstants.EcosystemMaven},\n\t\"npm\": {\"*\": osvconstants.EcosystemNPM},\n\t\"nuget\": {\"*\": osvconstants.EcosystemNuGet},\n\t\"pub\": {\"*\": osvconstants.EcosystemPub},\n\t\"pypi\": {\"*\": osvconstants.EcosystemPyPI},\n\t\"swift\": {\"*\": osvconstants.EcosystemSwiftURL},\n}\n\nfunc getPURLEcosystem(pkgURL packageurl.PackageURL) osvconstants.Ecosystem {\n\tecoMap, ok := purlEcosystems[pkgURL.Type]\n\tif !ok {\n\t\treturn osvconstants.Ecosystem(\"\")\n\t}\n\n\twildcardRes, hasWildcard := ecoMap[\"*\"]\n\tif hasWildcard {\n\t\treturn wildcardRes\n\t}\n\n\tecosystem, ok := ecoMap[pkgURL.Namespace]\n\tif !ok {\n\t\treturn osvconstants.Ecosystem(\"\")\n\t}\n\n\treturn ecosystem\n}\n\n// ToPackage converts a Package URL string to models.PackageInfo\nfunc ToPackage(purl string) (models.PackageInfo, error) {\n\tparsedPURL, err := packageurl.FromString(purl)\n\tif err != nil {\n\t\treturn models.PackageInfo{}, err\n\t}\n\tecosystem := getPURLEcosystem(parsedPURL)\n\n\t// PackageInfo expects the full namespace in the name for ecosystems that specify it.\n\tname := parsedPURL.Name\n\tif parsedPURL.Namespace != \"\" {\n\t\tswitch ecosystem {\n\t\tcase osvconstants.EcosystemMaven:\n\t\t\t// Maven uses : to separate namespace and package\n\t\t\tname = parsedPURL.Namespace + \":\" + parsedPURL.Name\n\t\tcase osvconstants.EcosystemDebian, osvconstants.EcosystemAlpine, osvconstants.EcosystemUbuntu:\n\t\t\t// Debian and Alpine repeats their namespace in PURL, so don't add it to the name\n\t\t\tname = parsedPURL.Name\n\t\tdefault:\n\t\t\tname = parsedPURL.Namespace + \"/\" + parsedPURL.Name\n\t\t}\n\t}\n\n\treturn models.PackageInfo{\n\t\tName: name,\n\t\tEcosystem: string(ecosystem),\n\t\tVersion: parsedPURL.Version,\n\t}, nil\n}\n" }, { "path": "internal/utility/purl/purl_to_package_test.go", "content": "package purl_test\n\nimport (\n\t\"reflect\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/purl\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n)\n\nfunc TestPURLToPackage(t *testing.T) {\n\tt.Parallel()\n\ttype args struct {\n\t\tpurl string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant models.PackageInfo\n\t\twantErr bool\n\t}{\n\t\t{\n\t\t\tname: \"valid_PURL\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:cargo/memoffset@0.6.1\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"memoffset\",\n\t\t\t\tVersion: \"0.6.1\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemCratesIO),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"valid_PURL_golang\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:golang/github.com/gogo/protobuf@5.6.0\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"github.com/gogo/protobuf\",\n\t\t\t\tVersion: \"5.6.0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemGo),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"valid_PURL_maven\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:maven/org.hdrhistogram/HdrHistogram@2.1.12\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"org.hdrhistogram:HdrHistogram\",\n\t\t\t\tVersion: \"2.1.12\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemMaven),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"valid_PURL_Debian\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:deb/debian/nginx@2.36.1-8+deb11u1\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"nginx\",\n\t\t\t\tVersion: \"2.36.1-8+deb11u1\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemDebian),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"valid_PURL_Ubuntu\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:deb/ubuntu/docker.io@20.10.12-0ubuntu2\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"docker.io\",\n\t\t\t\tVersion: \"20.10.12-0ubuntu2\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemUbuntu),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"valid_PURL_alpine\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg:apk/alpine/zlib@1.2.13-r0?arch=x86_64upstream=zlib&distro=alpine-3.17.2\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{\n\t\t\t\tName: \"zlib\",\n\t\t\t\tVersion: \"1.2.13-r0\",\n\t\t\t\tEcosystem: string(osvconstants.EcosystemAlpine),\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"invalid_PURL\",\n\t\t\targs: args{\n\t\t\t\tpurl: \"pkg-golang/github.com/gogo/protobuf.0\",\n\t\t\t},\n\t\t\twant: models.PackageInfo{},\n\t\t\twantErr: true,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot, err := purl.ToPackage(tt.args.purl)\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"PURLToPackage() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\t\t\tif !reflect.DeepEqual(got, tt.want) {\n\t\t\t\tt.Errorf(\"PURLToPackage() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/results/results.go", "content": "// Package results provides utility functions for working with scan results.\npackage results\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\n// ShortCommitLen is the number of characters to display a git commit\nconst ShortCommitLen = 8\n\nfunc PkgToString(pkgInfo models.PackageInfo) string {\n\tif pkgInfo.Commit != \"\" {\n\t\tif pkgInfo.Name != \"\" {\n\t\t\t// https://github.com/google/osv-scanner@12345678\n\t\t\treturn fmt.Sprint(pkgInfo.Name, \"@\", GetShortCommit(pkgInfo.Commit))\n\t\t}\n\t\t// 1234567890abcdefghij1234567890abcdefghij\n\t\treturn pkgInfo.Commit\n\t}\n\n\t// abc@v1.2.3\n\treturn fmt.Sprint(pkgInfo.Name, \"@\", pkgInfo.Version)\n}\n\nfunc GetShortCommit(commit string) string {\n\tif len(commit) > ShortCommitLen {\n\t\treturn commit[:ShortCommitLen]\n\t}\n\n\treturn commit\n}\n" }, { "path": "internal/utility/semverlike/version-semver-like.go", "content": "// Package semverlike provides functionality to parse and compare version strings\n// that are similar to semantic versioning, but with more flexibility.\n// It is currently used to parse go mod versions to determine if a patch version exists.\npackage semverlike\n\nimport (\n\t\"fmt\"\n\t\"math/big\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n)\n\n// Components are individual components of each semver segment.\ntype Components []*big.Int\n\nfunc (components *Components) Fetch(n int) *big.Int {\n\tif len(*components) <= n {\n\t\treturn big.NewInt(0)\n\t}\n\n\treturn (*components)[n]\n}\n\nfunc (components *Components) Cmp(b Components) int {\n\tnumberOfComponents := max(len(*components), len(b))\n\n\tfor i := range numberOfComponents {\n\t\tdiff := components.Fetch(i).Cmp(b.Fetch(i))\n\n\t\tif diff != 0 {\n\t\t\treturn diff\n\t\t}\n\t}\n\n\treturn 0\n}\n\n// Version is a version that is _like_ a version as defined by the\n// Semantic Version specification, except with potentially unlimited numeric\n// components and a leading \"v\"\ntype Version struct {\n\tLeadingV bool\n\tComponents Components\n\tBuild string\n\tOriginal string\n}\n\nfunc (v *Version) fetchComponentsAndBuild(maxComponents int) (Components, string) {\n\tif len(v.Components) <= maxComponents {\n\t\treturn v.Components, v.Build\n\t}\n\n\tcomps := v.Components[:maxComponents]\n\textra := v.Components[maxComponents:]\n\n\tvar build strings.Builder\n\n\tbuild.WriteString(v.Build)\n\n\tfor _, c := range extra {\n\t\tfmt.Fprintf(&build, \".%d\", c)\n\t}\n\n\treturn comps, build.String()\n}\n\nfunc ParseSemverLikeVersion(line string, maxComponents int) Version {\n\tv := parseSemverLike(line)\n\n\tcomponents, build := v.fetchComponentsAndBuild(maxComponents)\n\n\treturn Version{\n\t\tLeadingV: v.LeadingV,\n\t\tComponents: components,\n\t\tBuild: build,\n\t\tOriginal: v.Original,\n\t}\n}\n\nfunc parseSemverLike(line string) Version {\n\tvar components []*big.Int\n\toriginStr := line\n\n\tnumberReg := cachedregexp.MustCompile(`\\d`)\n\n\tcurrentCom := \"\"\n\tfoundBuild := false\n\n\tleadingV := strings.HasPrefix(line, \"v\")\n\tline = strings.TrimPrefix(line, \"v\")\n\n\tfor _, c := range line {\n\t\tif foundBuild {\n\t\t\tcurrentCom += string(c)\n\n\t\t\tcontinue\n\t\t}\n\n\t\t// this is part of a component version\n\t\tif numberReg.MatchString(string(c)) {\n\t\t\tcurrentCom += string(c)\n\n\t\t\tcontinue\n\t\t}\n\n\t\t// at this point, we:\n\t\t// 1. might be parsing a component (as foundBuild != true)\n\t\t// 2. we're not looking at a part of a component (as c != number)\n\t\t//\n\t\t// so c must be either:\n\t\t// 1. a component terminator (.), or\n\t\t// 2. the start of the build string\n\t\t//\n\t\t// either way, we will be terminating the current component being\n\t\t// parsed (if any), so let's do that first\n\t\tif currentCom != \"\" {\n\t\t\tv, _ := new(big.Int).SetString(currentCom, 10)\n\n\t\t\tcomponents = append(components, v)\n\t\t\tcurrentCom = \"\"\n\t\t}\n\n\t\t// a component terminator means there might be another component\n\t\t// afterwards, so don't start parsing the build string just yet\n\t\tif c == '.' {\n\t\t\tcontinue\n\t\t}\n\n\t\t// anything else is part of the build string\n\t\tfoundBuild = true\n\t\tcurrentCom = string(c)\n\t}\n\n\t// if we looped over everything without finding a build string,\n\t// then what we were currently parsing is actually a component\n\tif !foundBuild && currentCom != \"\" {\n\t\tv, _ := new(big.Int).SetString(currentCom, 10)\n\n\t\tcomponents = append(components, v)\n\t\tcurrentCom = \"\"\n\t}\n\n\treturn Version{\n\t\tLeadingV: leadingV,\n\t\tComponents: components,\n\t\tBuild: currentCom,\n\t\tOriginal: originStr,\n\t}\n}\n" }, { "path": "internal/utility/severity/severity.go", "content": "// Package severity provides functionality for calculating vulnerability severity.\npackage severity\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\tgocvss20 \"github.com/pandatix/go-cvss/20\"\n\tgocvss30 \"github.com/pandatix/go-cvss/30\"\n\tgocvss31 \"github.com/pandatix/go-cvss/31\"\n\tgocvss40 \"github.com/pandatix/go-cvss/40\"\n)\n\n// Rating represents the severity level of a vulnerability.\ntype Rating string\n\nconst (\n\tCriticalRating Rating = \"CRITICAL\"\n\tHighRating Rating = \"HIGH\"\n\tMediumRating Rating = \"MEDIUM\"\n\tLowRating Rating = \"LOW\"\n\tUnknownRating Rating = \"UNKNOWN\"\n)\n\nfunc CalculateScore(severity *osvschema.Severity) (float64, string, error) {\n\tscore := -1.0\n\trating := string(UnknownRating)\n\tvar err error\n\tswitch severity.GetType() {\n\tcase osvschema.Severity_UNSPECIFIED:\n\t\t// UNSPECIFIED has no score information\n\tcase osvschema.Severity_CVSS_V2:\n\t\tvar vec *gocvss20.CVSS20\n\t\tvec, err = gocvss20.ParseVector(severity.GetScore())\n\t\tif err == nil {\n\t\t\tscore = vec.BaseScore()\n\t\t\t// CVSS 2.0 does not define a rating, use CVSS 3.0's rating instead\n\t\t\trating, err = gocvss30.Rating(score)\n\t\t}\n\tcase osvschema.Severity_CVSS_V3:\n\t\tswitch {\n\t\tcase strings.HasPrefix(severity.GetScore(), \"CVSS:3.0\"):\n\t\t\tvar vec *gocvss30.CVSS30\n\t\t\tvec, err = gocvss30.ParseVector(severity.GetScore())\n\t\t\tif err == nil {\n\t\t\t\tscore = vec.BaseScore()\n\t\t\t\trating, err = gocvss30.Rating(score)\n\t\t\t}\n\t\tcase strings.HasPrefix(severity.GetScore(), \"CVSS:3.1\"):\n\t\t\tvar vec *gocvss31.CVSS31\n\t\t\tvec, err = gocvss31.ParseVector(severity.GetScore())\n\t\t\tif err == nil {\n\t\t\t\tscore = vec.BaseScore()\n\t\t\t\trating, err = gocvss31.Rating(score)\n\t\t\t}\n\t\t}\n\tcase osvschema.Severity_CVSS_V4:\n\t\tvar vec *gocvss40.CVSS40\n\t\tvec, err = gocvss40.ParseVector(severity.GetScore())\n\t\tif err == nil {\n\t\t\tscore = vec.Score()\n\t\t\trating, err = gocvss40.Rating(score)\n\t\t}\n\tcase osvschema.Severity_Ubuntu:\n\t\trating = severity.GetScore()\n\t}\n\n\treturn score, rating, err\n}\n\nfunc CalculateOverallScore(severities []*osvschema.Severity) (float64, string, error) {\n\tmaxScore := -1.0\n\tmaxRating := string(UnknownRating)\n\n\tfor _, severity := range severities {\n\t\tscore, rating, err := CalculateScore(severity)\n\t\tif err != nil {\n\t\t\treturn -1, string(UnknownRating), err\n\t\t}\n\t\tif score > maxScore {\n\t\t\tmaxScore = score\n\t\t\tmaxRating = rating\n\t\t}\n\t}\n\n\treturn maxScore, maxRating, nil\n}\n\nfunc CalculateRating(score string) (Rating, error) {\n\t// All CSVs' rating methods are identical.\n\tparsedScore, err := strconv.ParseFloat(score, 64)\n\tif err != nil {\n\t\treturn UnknownRating, err\n\t}\n\n\trating, err := gocvss30.Rating(parsedScore)\n\tif err != nil || rating == \"NONE\" {\n\t\trating = string(UnknownRating)\n\t}\n\n\treturn Rating(rating), err\n}\n" }, { "path": "internal/utility/severity/severity_test.go", "content": "package severity_test\n\nimport (\n\t\"math\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/severity\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc TestSeverity_CalculateScore(t *testing.T) {\n\tt.Parallel()\n\n\ttype result struct {\n\t\tscore float64\n\t\trating string\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tsev *osvschema.Severity\n\t\twant result\n\t}{\n\t\t{\n\t\t\tname: \"Empty_Severity_Type\",\n\t\t\tsev: &osvschema.Severity{},\n\t\t\twant: result{\n\t\t\t\tscore: -1,\n\t\t\t\trating: \"UNKNOWN\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"CVSS_v2.0\",\n\t\t\tsev: &osvschema.Severity{\n\t\t\t\tType: osvschema.Severity_CVSS_V2,\n\t\t\t\tScore: \"AV:L/AC:M/Au:N/C:N/I:P/A:C/E:H/RL:U/RC:C/CDP:LM/TD:M/CR:L/IR:M/AR:H\",\n\t\t\t},\n\t\t\twant: result{\n\t\t\t\tscore: 5.4,\n\t\t\t\trating: \"MEDIUM\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"CVSS_v3.0\",\n\t\t\tsev: &osvschema.Severity{\n\t\t\t\tType: osvschema.Severity_CVSS_V3,\n\t\t\t\tScore: \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:U/CR:L/IR:L/AR:H/MAV:P/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H\",\n\t\t\t},\n\t\t\twant: result{\n\t\t\t\tscore: 10.0,\n\t\t\t\trating: \"CRITICAL\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"CVSS_v3.1\",\n\t\t\tsev: &osvschema.Severity{\n\t\t\t\tType: osvschema.Severity_CVSS_V3,\n\t\t\t\tScore: \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:T/RC:U/CR:L/IR:L/AR:H/MAV:P/MAC:H/MPR:H/MUI:R/MS:C/MC:H/MI:H/MA:H\",\n\t\t\t},\n\t\t\twant: result{\n\t\t\t\tscore: 10.0,\n\t\t\t\trating: \"CRITICAL\",\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"CVSS_v4.0\",\n\t\t\tsev: &osvschema.Severity{\n\t\t\t\tType: osvschema.Severity_CVSS_V4,\n\t\t\t\tScore: \"CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:L/IR:L/AR:L/MAV:P/MAC:H/MAT:P/MPR:H/MUI:A/MVC:N/MVI:N/MVA:N/MSC:N/MSI:N/MSA:N/S:N/AU:N/R:A/V:D/RE:L/U:Clear\",\n\t\t\t},\n\t\t\twant: result{\n\t\t\t\tscore: 0.0,\n\t\t\t\trating: \"NONE\",\n\t\t\t},\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tgotScore, gotRating, err := severity.CalculateScore(tt.sev)\n\t\t\tif err != nil {\n\t\t\t\tt.Errorf(\"CalculateScore() error: %v\", err)\n\t\t\t}\n\t\t\t// CVSS scores are only supposed to be to 1 decimal place.\n\t\t\t// Multiply and round to get around potential precision issues.\n\t\t\tif math.Round(10*gotScore) != math.Round(10*tt.want.score) || gotRating != tt.want.rating {\n\t\t\t\tt.Errorf(\"CalculateScore() = (%.1f, %s), want (%.1f, %s)\", gotScore, gotRating, tt.want.score, tt.want.rating)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/vulns/vulnerabilities.go", "content": "// Package vulns provides utility functions for working with vulnerabilities.\npackage vulns\n\nimport \"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\nfunc Include(vs []*osvschema.Vulnerability, vulnerability *osvschema.Vulnerability) bool {\n\tfor _, vuln := range vs {\n\t\tif vuln.GetId() == vulnerability.GetId() {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "internal/utility/vulns/vulnerabilities_test.go", "content": "package vulns_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc TestVulnerabilities_Includes(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tosv *osvschema.Vulnerability\n\t}\n\ttests := []struct {\n\t\tname string\n\t\tvs []*osvschema.Vulnerability\n\t\targs args\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-2\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{\"GHSA-2\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-2\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-2\",\n\t\t\t\t\tAliases: []string{\"GHSA-1\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{\"CVE-1\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-2\",\n\t\t\t\t\tAliases: []string{\"CVE-1\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"\",\n\t\t\tvs: []*osvschema.Vulnerability{\n\t\t\t\t{\n\t\t\t\t\tId: \"GHSA-1\",\n\t\t\t\t\tAliases: []string{\"CVE-2\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\targs: args{\n\t\t\t\tosv: &osvschema.Vulnerability{\n\t\t\t\t\tId: \"GHSA-2\",\n\t\t\t\t\tAliases: []string{\"CVE-2\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\n\t\t\tif got := vulns.Include(tt.vs, tt.args.osv); got != tt.want {\n\t\t\t\tt.Errorf(\"Includes() = %v, want %v\", got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "internal/utility/vulns/vulnerability.go", "content": "package vulns\n\nimport (\n\t\"slices\"\n\t\"sort\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scalibr/semantic\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc eventVersion(e *osvschema.Event) string {\n\tif e.GetIntroduced() != \"\" {\n\t\treturn e.GetIntroduced()\n\t}\n\n\tif e.GetFixed() != \"\" {\n\t\treturn e.GetFixed()\n\t}\n\n\tif e.GetLimit() != \"\" {\n\t\treturn e.GetLimit()\n\t}\n\n\tif e.GetLastAffected() != \"\" {\n\t\treturn e.GetLastAffected()\n\t}\n\n\treturn \"\"\n}\n\nfunc rangeContainsVersion(ar *osvschema.Range, pkg *extractor.Package) bool {\n\tif ar.GetType() != osvschema.Range_ECOSYSTEM && ar.GetType() != osvschema.Range_SEMVER {\n\t\treturn false\n\t}\n\t// todo: we should probably warn here\n\tif len(ar.GetEvents()) == 0 {\n\t\treturn false\n\t}\n\n\tvp := semantic.MustParse(imodels.Version(pkg), string(imodels.Ecosystem(pkg).Ecosystem))\n\n\tsort.Slice(ar.GetEvents(), func(i, j int) bool {\n\t\ta := ar.GetEvents()[i]\n\t\tb := ar.GetEvents()[j]\n\n\t\tif a.GetIntroduced() == \"0\" {\n\t\t\treturn true\n\t\t}\n\n\t\tif b.GetIntroduced() == \"0\" {\n\t\t\treturn false\n\t\t}\n\n\t\t// Ignore errors as we assume the version is correct\n\t\torder, _ := semantic.MustParse(eventVersion(a), string(imodels.Ecosystem(pkg).Ecosystem)).CompareStr((eventVersion(b)))\n\n\t\treturn order < 0\n\t})\n\n\tvar affected bool\n\tfor _, e := range ar.GetEvents() {\n\t\tif affected {\n\t\t\tif e.GetFixed() != \"\" {\n\t\t\t\torder, _ := vp.CompareStr(e.GetFixed())\n\t\t\t\taffected = order < 0\n\t\t\t} else if e.GetLastAffected() != \"\" {\n\t\t\t\torder, _ := vp.CompareStr(e.GetLastAffected())\n\t\t\t\taffected = e.GetLastAffected() == imodels.Version(pkg) || order <= 0\n\t\t\t}\n\t\t} else if e.GetIntroduced() != \"\" {\n\t\t\torder, _ := vp.CompareStr(e.GetIntroduced())\n\t\t\taffected = e.GetIntroduced() == \"0\" || order >= 0\n\t\t}\n\t}\n\n\treturn affected\n}\n\n// rangeAffectsVersion checks if the given version is within the range\n// specified by the events of any \"Ecosystem\" or \"Semver\" type ranges\nfunc rangeAffectsVersion(a []*osvschema.Range, pkg *extractor.Package) bool {\n\tfor _, r := range a {\n\t\tif r.GetType() != osvschema.Range_ECOSYSTEM && r.GetType() != osvschema.Range_SEMVER {\n\t\t\treturn false\n\t\t}\n\t\tif rangeContainsVersion(r, pkg) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc AffectsEcosystem(v *osvschema.Vulnerability, ecosystemAffected osvecosystem.Parsed) bool {\n\tfor _, affected := range v.GetAffected() {\n\t\tif osvecosystem.MustParse(affected.GetPackage().GetEcosystem()).Equal(ecosystemAffected) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\n// NormalizeRepo applies some reasonable transformations to repository urls to\n// ensure accurate results when determining if two repository urls are referencing\n// the same repository.\n//\n// Specifically, common protocols are removed from the start of the url and the\n// \".git\" suffix if present\nfunc NormalizeRepo(repo string) string {\n\trepo = strings.TrimPrefix(repo, \"https://\")\n\trepo = strings.TrimPrefix(repo, \"http://\")\n\trepo = strings.TrimPrefix(repo, \"git://\")\n\n\treturn strings.TrimSuffix(repo, \".git\")\n}\n\nfunc hasGitRangeForRepo(affected *osvschema.Affected, repo string) bool {\n\tfor _, r := range affected.GetRanges() {\n\t\tif r.GetType() == osvschema.Range_GIT && NormalizeRepo(r.GetRepo()) == NormalizeRepo(repo) {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc IsAffected(v *osvschema.Vulnerability, pkg *extractor.Package) bool {\n\tfor _, affected := range v.GetAffected() {\n\t\t// assume we're dealing with a git-source package whose name is the git repository, and that the version is the tag\n\t\t// the underlying commit has been resolved to (somehow), meaning we can check if it's in the versions listed by the advisory\n\t\tif imodels.Ecosystem(pkg).IsEmpty() && imodels.Commit(pkg) != \"\" && imodels.Version(pkg) != \"\" {\n\t\t\tif hasGitRangeForRepo(affected, imodels.Name(pkg)) && slices.Contains(affected.GetVersions(), imodels.Version(pkg)) {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\n\t\t// Assume vulnerability has already been validated\n\t\tif affected.GetPackage() == nil {\n\t\t\tcontinue\n\t\t}\n\t\tif osvecosystem.MustParse(affected.GetPackage().GetEcosystem()).Equal(imodels.Ecosystem(pkg)) &&\n\t\t\taffected.GetPackage().GetName() == imodels.Name(pkg) {\n\t\t\tif len(affected.GetRanges()) == 0 && len(affected.GetVersions()) == 0 {\n\t\t\t\tcmdlogger.Warnf(\"%s does not have any ranges or versions - this is probably a mistake!\", v.GetId())\n\n\t\t\t\tcontinue\n\t\t\t}\n\n\t\t\tif slices.Contains(affected.GetVersions(), imodels.Version(pkg)) {\n\t\t\t\treturn true\n\t\t\t}\n\n\t\t\tif rangeAffectsVersion(affected.GetRanges(), pkg) {\n\t\t\t\treturn true\n\t\t\t}\n\n\t\t\t// if a package does not have a version, assume it is vulnerable\n\t\t\t// as false positives are better than false negatives here\n\t\t\tif imodels.Version(pkg) == \"\" {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\n\treturn false\n}\n\n// PackageKey uniquely identifies a package in a vulnerability.\ntype PackageKey struct {\n\tName string\n\tEcosystem string\n\tPurl string\n}\n\n// NewPackageKey creates a PackageKey from osvschema.Package.\nfunc NewPackageKey(pkg *osvschema.Package) PackageKey {\n\treturn PackageKey{\n\t\tName: pkg.GetName(),\n\t\tEcosystem: pkg.GetEcosystem(),\n\t\tPurl: pkg.GetPurl(),\n\t}\n}\n\n// GetFixedVersions returns a map of fixed versions for each package, or a map of empty slices if no fixed versions are available\nfunc GetFixedVersions(v *osvschema.Vulnerability) map[PackageKey][]string {\n\toutput := map[PackageKey][]string{}\n\tfor _, a := range v.GetAffected() {\n\t\tif a.GetPackage() == nil {\n\t\t\tcontinue\n\t\t}\n\t\tpackageKey := NewPackageKey(a.GetPackage())\n\t\tpackageKey.Purl = \"\"\n\t\tfor _, r := range a.GetRanges() {\n\t\t\tfor _, e := range r.GetEvents() {\n\t\t\t\tif e.GetFixed() != \"\" {\n\t\t\t\t\toutput[packageKey] = append(output[packageKey], e.GetFixed())\n\t\t\t\t\tif strings.Contains(packageKey.Ecosystem, \":\") {\n\t\t\t\t\t\tunversionedKey := packageKey\n\t\t\t\t\t\tunversionedKey.Ecosystem = strings.Split(packageKey.Ecosystem, \":\")[0]\n\t\t\t\t\t\toutput[unversionedKey] = append(output[unversionedKey], e.GetFixed())\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn output\n}\n" }, { "path": "internal/utility/vulns/vulnerability_test.go", "content": "package vulns_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg/metadata\"\n\t\"github.com/google/osv-scalibr/inventory/osvecosystem\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/google/osv-scanner/v2/internal/utility/vulns\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\nfunc expectIsAffected(t *testing.T, vuln *osvschema.Vulnerability, version string, expectAffected bool) {\n\tt.Helper()\n\n\tpkg := &extractor.Package{\n\t\tName: \"my-package\",\n\t\tVersion: version,\n\t\tPURLType: purl.TypeNPM,\n\t}\n\n\tif vulns.IsAffected(vuln, pkg) != expectAffected {\n\t\tif expectAffected {\n\t\t\tt.Errorf(\"Expected OSV to affect package version %s but it did not\", version)\n\t\t} else {\n\t\t\tt.Errorf(\"Expected OSV not to affect package version %s but it did\", version)\n\t\t}\n\t}\n}\n\nfunc buildOSVWithAffected(affected ...*osvschema.Affected) *osvschema.Vulnerability {\n\treturn &osvschema.Vulnerability{\n\t\tId: \"1\",\n\t\tPublished: nil,\n\t\tModified: nil,\n\t\tDetails: \"This is an open source vulnerability!\",\n\t\tAffected: affected,\n\t}\n}\n\nfunc buildEcosystemAffectsRange(events ...*osvschema.Event) *osvschema.Range {\n\treturn &osvschema.Range{Type: osvschema.Range_ECOSYSTEM, Events: events}\n}\n\nfunc buildSemverAffectsRange(events ...*osvschema.Event) *osvschema.Range {\n\treturn &osvschema.Range{Type: osvschema.Range_SEMVER, Events: events}\n}\n\nfunc TestOSV_AffectsEcosystem(t *testing.T) {\n\tt.Parallel()\n\n\ttype AffectsTest struct {\n\t\tAffected []*osvschema.Affected\n\t\tEcosystem string\n\t\tExpected bool\n\t}\n\n\ttests := []AffectsTest{\n\t\t{Affected: nil, Ecosystem: \"Go\", Expected: false},\n\t\t{Affected: nil, Ecosystem: \"npm\", Expected: false},\n\t\t{Affected: nil, Ecosystem: \"PyPI\", Expected: false},\n\t\t{Affected: nil, Ecosystem: \"\", Expected: false},\n\t\t{\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"crates.io\"}},\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"npm\"}},\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"PyPI\"}},\n\t\t\t},\n\t\t\tEcosystem: \"Packagist\",\n\t\t\tExpected: false,\n\t\t},\n\t\t{\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"NuGet\"}},\n\t\t\t},\n\t\t\tEcosystem: \"NuGet\",\n\t\t\tExpected: true,\n\t\t},\n\t\t{\n\t\t\tAffected: []*osvschema.Affected{\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"npm\"}},\n\t\t\t\t{Package: &osvschema.Package{Ecosystem: \"npm\"}},\n\t\t\t},\n\t\t\tEcosystem: \"npm\",\n\t\t\tExpected: true,\n\t\t},\n\t}\n\n\tfor i, tt := range tests {\n\t\tvuln := &osvschema.Vulnerability{\n\t\t\tId: \"1\",\n\t\t\tPublished: nil,\n\t\t\tModified: nil,\n\t\t\tDetails: \"This is an open source vulnerability!\",\n\t\t\tAffected: tt.Affected,\n\t\t}\n\n\t\tif vulns.AffectsEcosystem(vuln, osvecosystem.MustParse(tt.Ecosystem)) != tt.Expected {\n\t\t\tt.Errorf(\n\t\t\t\t\"Test #%d: Expected OSV to return %t but it returned %t\",\n\t\t\t\ti,\n\t\t\t\ttt.Expected,\n\t\t\t\t!tt.Expected,\n\t\t\t)\n\t\t}\n\t}\n\n\t// test when the OSV doesn't have an \"Affected\"\n\tvuln := &osvschema.Vulnerability{\n\t\tId: \"1\",\n\t\tPublished: nil,\n\t\tModified: nil,\n\t\tDetails: \"This is an open source vulnerability!\",\n\t\tAffected: nil,\n\t}\n\n\tif vulns.AffectsEcosystem(vuln, osvecosystem.MustParse(\"npm\")) {\n\t\tt.Errorf(\n\t\t\t\"Expected OSV to report 'false' when it doesn't have an Affected, but it reported true!\",\n\t\t)\n\t}\n}\n\nfunc TestOSV_IsAffected_AffectsWithEcosystem_DifferentEcosystem(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemPyPI), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(&osvschema.Event{Introduced: \"0\"}),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.1\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n}\n\nfunc TestOSV_IsAffected_AffectsWithEcosystem_SingleAffected(t *testing.T) {\n\tt.Parallel()\n\n\tvar vuln *osvschema.Vulnerability\n\n\t// \"Introduced: 0\" means everything is affected\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(&osvschema.Event{Introduced: \"0\"}),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.1\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// \"Fixed: 1\" means all versions after this are not vulnerable\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// multiple fixes and introduced\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"3.2.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// \"LastAffected: 1\" means all versions after this are not vulnerable\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"1\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\", \"1.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.1\", \"1.1.0\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// mix of fixes, last_known_affected, and introduced\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.1.9\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\", \"3.1.9\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_AffectsWithEcosystem_MultipleAffected(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"3.2.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"3.3.0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.5.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"3.3.1\", \"3.4.5\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_AffectsWithEcosystem_Unsorted(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.1.9\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\", \"3.1.9\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// zeros with build strings\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\t// golang.org/x/sys\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Fixed: \"0.0.0-20220412211240-33da011f77ad\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\t// golang.org/x/net\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildEcosystemAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0.0.0-20180925071336-cf3bd585ca2a\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.14.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"0.0.0-20180925071336-cf3bd585ca2a\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_AffectsWithSemver_DifferentEcosystem(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemPyPI), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(&osvschema.Event{Introduced: \"0\"}),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.1\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n}\n\nfunc TestOSV_IsAffected_AffectsWithSemver_SingleAffected(t *testing.T) {\n\tt.Parallel()\n\n\tvar vuln *osvschema.Vulnerability\n\n\t// \"Introduced: 0\" means everything is affected\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(&osvschema.Event{Introduced: \"0\"}),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"v1.0.0\", \"v1.1.1\", \"v2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// \"Fixed: 1\" means all versions after this are not vulnerable\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1.0.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// multiple fixes and introduced\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"3.2.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// \"LastAffected: 1\" means all versions after this are not vulnerable\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"1.0.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\", \"1.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.1\", \"1.1.0\", \"2.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// mix of fixes, last_known_affected, and introduced\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.1.9\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_AffectsWithSemver_MultipleAffected(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"3.2.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"3.3.0\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.5.0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"3.3.1\", \"3.4.5\", \"3.5.0\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_AffectsWithSemver_Unsorted(t *testing.T) {\n\tt.Parallel()\n\n\t// mix of fixes, last_known_affected, and introduced\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"2.1.0\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"1\"},\n\t\t\t\t\t&osvschema.Event{LastAffected: \"3.1.9\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.1.0\", \"0.0.0.1\", \"1.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"1.0.0\", \"1.1.0\", \"2.0.0rc2\", \"2.0.1\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"2.1.1\", \"2.3.4\", \"3.0.0\", \"3.0.0-rc\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\tfor _, v := range []string{\"3.2.0\", \"3.2.1\", \"4.0.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n\n\t// zeros with build strings\n\tvuln = buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\t// golang.org/x/sys\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Fixed: \"0.0.0-20220412211240-33da011f77ad\"},\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t\t&osvschema.Affected{\n\t\t\t// golang.org/x/net\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0.0.0-20180925071336-cf3bd585ca2a\"},\n\t\t\t\t\t&osvschema.Event{Fixed: \"0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tfor _, v := range []string{\"0.0.0\", \"0.14.0\"} {\n\t\texpectIsAffected(t, vuln, v, false)\n\t}\n\n\tfor _, v := range []string{\"0.0.0-20180925071336-cf3bd585ca2a\"} {\n\t\texpectIsAffected(t, vuln, v, true)\n\t}\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_IsAffected_OnlyVersions(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: string(osvconstants.EcosystemNPM), Name: \"my-package\"},\n\t\t\tVersions: []string{\"1.0.0\"},\n\t\t},\n\t)\n\n\texpectIsAffected(t, vuln, \"0.0.0\", false)\n\texpectIsAffected(t, vuln, \"1.0.0\", true)\n\texpectIsAffected(t, vuln, \"1.0.0-beta1\", false)\n\texpectIsAffected(t, vuln, \"1.1.0\", false)\n\n\t// an empty version should always be treated as affected\n\texpectIsAffected(t, vuln, \"\", true)\n}\n\nfunc TestOSV_EcosystemsWithSuffix(t *testing.T) {\n\tt.Parallel()\n\n\tvuln := buildOSVWithAffected(\n\t\t&osvschema.Affected{\n\t\t\tPackage: &osvschema.Package{Ecosystem: \"Debian:12\", Name: \"my-package\"},\n\t\t\tRanges: []*osvschema.Range{\n\t\t\t\tbuildSemverAffectsRange(\n\t\t\t\t\t&osvschema.Event{Introduced: \"0\"},\n\t\t\t\t),\n\t\t\t},\n\t\t},\n\t)\n\n\tpkg := &extractor.Package{\n\t\tName: \"my-package\",\n\t\tVersion: \"0.0.0\",\n\t\tPURLType: purl.TypeDebian,\n\t\tMetadata: &metadata.Metadata{\n\t\t\tOSID: \"Debian\",\n\t\t\tOSVersionID: \"12\",\n\t\t},\n\t}\n\n\tif !vulns.IsAffected(vuln, pkg) {\n\t\tt.Errorf(\"Expected OSV to affect package version %s but it did not\", \"0.0.0\")\n\t}\n}\n" }, { "path": "internal/version/version.go", "content": "// Package version stores the version of osv-scanner.\npackage version\n\n// OSVVersion is the current release version, you should update this variable when doing a release\nconst OSVVersion = \"2.3.4\"\n" }, { "path": "osv-scanner.toml", "content": "\n" }, { "path": "pkg/models/cyclonedx.go", "content": "// Package models provides data models for osv-scanner.\npackage models\n\ntype CycloneDXVersion int\n\nconst (\n\tCycloneDXVersion14 CycloneDXVersion = iota\n\tCycloneDXVersion15\n\tCycloneDXVersion16\n)\n" }, { "path": "pkg/models/image.go", "content": "package models\n\nimport \"github.com/opencontainers/go-digest\"\n\ntype ImageOriginDetails struct {\n\tIndex int `json:\"index\"`\n}\n\ntype ImageMetadata struct {\n\tOS string `json:\"os\"`\n\tLayerMetadata []LayerMetadata `json:\"layer_metadata\"`\n\tBaseImages [][]BaseImageDetails `json:\"base_images\"`\n}\n\ntype BaseImageDetails struct {\n\tName string `json:\"name\"`\n\t// TODO: Not yet filled in\n\tTags []string `json:\"tags\"`\n}\n\ntype LayerMetadata struct {\n\tDiffID digest.Digest `json:\"diff_id\"`\n\tCommand string `json:\"command\"`\n\tIsEmpty bool `json:\"is_empty\"`\n\tBaseImageIndex int `json:\"base_image_index\"`\n}\n" }, { "path": "pkg/models/results.go", "content": "package models\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/inventory/vex\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n)\n\n// VulnerabilityResults is the top-level struct for the results of a scan\ntype VulnerabilityResults struct {\n\tResults []PackageSource `json:\"results\"`\n\tExperimentalAnalysisConfig ExperimentalAnalysisConfig `json:\"experimental_config\"`\n\tExperimentalGenericFindings []*inventory.GenericFinding `json:\"experimental_generic_findings,omitempty\"`\n\tImageMetadata *ImageMetadata `json:\"image_metadata,omitempty\"`\n\tLicenseSummary []LicenseCount `json:\"license_summary,omitempty\"`\n}\n\ntype LicenseCount struct {\n\tName License `json:\"name\"`\n\tCount int `json:\"count\"`\n}\n\n// ExperimentalAnalysisConfig is an experimental type intended to contain the\n// types of analysis performed on packages found by the scanner.\ntype ExperimentalAnalysisConfig struct {\n\tLicenses ExperimentalLicenseConfig `json:\"licenses\"`\n}\n\ntype ExperimentalLicenseConfig struct {\n\tSummary bool `json:\"summary\"`\n\tAllowlist []License `json:\"allowlist\"`\n}\n\n// Flatten the grouped/nested vulnerability results into one flat array.\nfunc (vulns *VulnerabilityResults) Flatten() []VulnerabilityFlattened {\n\tresults := []VulnerabilityFlattened{}\n\tfor _, res := range vulns.Results {\n\t\tfor _, pkg := range res.Packages {\n\t\t\tfor _, v := range pkg.Vulnerabilities {\n\t\t\t\tresults = append(results, VulnerabilityFlattened{\n\t\t\t\t\tSource: res.Source,\n\t\t\t\t\tPackage: pkg.Package,\n\t\t\t\t\tDepGroups: pkg.DepGroups,\n\t\t\t\t\tVulnerability: v,\n\t\t\t\t\tGroupInfo: getGroupInfoForVuln(pkg.Groups, v.GetId()),\n\t\t\t\t})\n\t\t\t}\n\t\t\tif len(pkg.LicenseViolations) > 0 {\n\t\t\t\tresults = append(results, VulnerabilityFlattened{\n\t\t\t\t\tSource: res.Source,\n\t\t\t\t\tPackage: pkg.Package,\n\t\t\t\t\tDepGroups: pkg.DepGroups,\n\t\t\t\t\tLicenses: pkg.Licenses,\n\t\t\t\t\tLicenseViolations: pkg.LicenseViolations,\n\t\t\t\t})\n\t\t\t}\n\t\t\tif pkg.Package.Deprecated {\n\t\t\t\tresults = append(results, VulnerabilityFlattened{\n\t\t\t\t\tSource: res.Source,\n\t\t\t\t\tPackage: pkg.Package,\n\t\t\t\t\tDeprecated: pkg.Package.Deprecated,\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\n\treturn results\n}\n\nfunc getGroupInfoForVuln(groups []GroupInfo, vulnID string) GroupInfo {\n\t// groupIdx should never be -1 since vulnerabilities should always be in one group\n\tgroupIdx := slices.IndexFunc(groups, func(g GroupInfo) bool { return slices.Contains(g.IDs, vulnID) })\n\treturn groups[groupIdx]\n}\n\n// VulnerabilityFlattened is a flattened version of the VulnerabilityResults\n// TODO: rename this to IssueFlattened or similar in the next major release as\n// it now contains license violations.\ntype VulnerabilityFlattened struct {\n\tSource SourceInfo\n\tPackage PackageInfo\n\tDepGroups []string\n\tVulnerability *osvschema.Vulnerability\n\tGroupInfo GroupInfo\n\tLicenses []License\n\tLicenseViolations []License\n\tDeprecated bool\n}\n\n// MarshalJSON implements the json.Marshaler interface.\n// It is required because the Vulnerability field is a proto message,\n// which requires protojson to marshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (v *VulnerabilityFlattened) MarshalJSON() ([]byte, error) {\n\t// Use alias to avoid recursion.\n\ttype alias VulnerabilityFlattened\n\n\t// Pre-process the custom field.\n\tvar rawVulnerability json.RawMessage\n\tif v.Vulnerability != nil {\n\t\tunstableJSON, err := protojson.Marshal(v.Vulnerability)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"failed to marshal Vulnerability: %w\", err)\n\t\t}\n\t\tvar vuln any\n\t\tif err := json.Unmarshal(unstableJSON, &vuln); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tb, err := json.MarshalIndent(vuln, \"\", \" \")\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\trawVulnerability = b\n\t}\n\n\t// Marshal a temporary struct that combines the standard\n\t// fields (from the alias) with the custom-handled field.\n\treturn json.Marshal(&struct {\n\t\t*alias\n\n\t\tVulnerability json.RawMessage `json:\"Vulnerability\"`\n\t}{\n\t\talias: (*alias)(v),\n\t\tVulnerability: rawVulnerability,\n\t})\n}\n\n// UnmarshalJSON implements the json.Unmarshaler interface.\n// It is required because the Vulnerability field is a proto message,\n// which requires protojson to unmarshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (v *VulnerabilityFlattened) UnmarshalJSON(data []byte) error {\n\t// Unmarshal into a temporary struct with Vulnerability as json.RawMessage.\n\t// Use an alias to avoid an infinite recursion loop.\n\ttype alias VulnerabilityFlattened\n\ttmp := &struct {\n\t\t*alias\n\n\t\tVulnerability json.RawMessage `json:\"Vulnerability\"`\n\t}{\n\t\talias: (*alias)(v),\n\t}\n\n\tif err := json.Unmarshal(data, &tmp); err != nil {\n\t\treturn err\n\t}\n\n\t// If there is a vulnerability, unmarshal it using protojson.\n\tif len(tmp.Vulnerability) > 0 && string(tmp.Vulnerability) != \"null\" {\n\t\tv.Vulnerability = &osvschema.Vulnerability{}\n\t\tif err := protojson.Unmarshal(tmp.Vulnerability, v.Vulnerability); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// SourceType categorizes packages based on the extractor that extracted\n// the \"source\", for use in the output.\ntype SourceType string\n\nconst (\n\tSourceTypeUnknown SourceType = \"unknown\"\n\tSourceTypeOSPackage SourceType = \"os\"\n\tSourceTypeProjectPackage SourceType = \"lockfile\"\n\tSourceTypeArtifact SourceType = \"artifact\"\n\tSourceTypeSBOM SourceType = \"sbom\"\n\tSourceTypeGit SourceType = \"git\"\n)\n\ntype SourceInfo struct {\n\tPath string `json:\"path\"`\n\tType SourceType `json:\"type\"`\n}\n\ntype Metadata struct {\n\tRepoURL string `json:\"repo_url\"`\n\tDepGroups []string `json:\"-\"`\n}\n\nfunc (s SourceInfo) String() string {\n\treturn string(s.Type) + \":\" + s.Path\n}\n\n// PackageSource represents Vulnerabilities associated with a Source\ntype PackageSource struct {\n\tSource SourceInfo `json:\"source\"`\n\t// Place Annotations in PackageSource instead of SourceInfo as we need SourceInfo to be mappable\n\tExperimentalPES []*vex.PackageExploitabilitySignal `json:\"experimental_pes,omitempty\"`\n\tPackages []PackageVulns `json:\"packages\"`\n}\n\n// License is an SPDX license.\ntype License string\n\n// PackageVulns grouped by package\n// TODO: rename this to be Package as it now includes license information too.\ntype PackageVulns struct {\n\tPackage PackageInfo `json:\"package\"`\n\tDepGroups []string `json:\"dependency_groups,omitempty\"`\n\tVulnerabilities []*osvschema.Vulnerability `json:\"vulnerabilities,omitempty\"`\n\tGroups []GroupInfo `json:\"groups,omitempty\"`\n\tLicenses []License `json:\"licenses,omitempty\"`\n\tLicenseViolations []License `json:\"license_violations,omitempty\"`\n}\n\n// MarshalJSON implements the json.Marshaler interface.\n// It is required because the Vulnerabilities field is a slice of proto messages,\n// which requires protojson to marshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (p *PackageVulns) MarshalJSON() ([]byte, error) {\n\t// Use alias to avoid recursion.\n\ttype alias PackageVulns\n\n\t// Pre-process the custom field.\n\tvar rawVulnerabilities []json.RawMessage\n\tif len(p.Vulnerabilities) > 0 {\n\t\trawVulnerabilities = make([]json.RawMessage, 0, len(p.Vulnerabilities))\n\t\tfor _, vuln := range p.Vulnerabilities {\n\t\t\tunstableJSON, err := protojson.Marshal(vuln)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, fmt.Errorf(\"failed to marshal vulnerability: %w\", err)\n\t\t\t}\n\t\t\tvar vuln any\n\t\t\tif err := json.Unmarshal(unstableJSON, &vuln); err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\tb, err := json.MarshalIndent(vuln, \"\", \" \")\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\trawVulnerabilities = append(rawVulnerabilities, b)\n\t\t}\n\t}\n\n\t// Marshal a temporary struct that combines the standard\n\t// fields (from the alias) with the custom-handled field.\n\treturn json.Marshal(&struct {\n\t\t*alias\n\n\t\tVulnerabilities []json.RawMessage `json:\"vulnerabilities,omitempty\"`\n\t}{\n\t\talias: (*alias)(p),\n\t\tVulnerabilities: rawVulnerabilities,\n\t})\n}\n\n// UnmarshalJSON implements the json.Unmarshaler interface.\n// It is required because the Vulnerabilities field is a slice of proto messages,\n// which requires protojson to unmarshal, while the rest of the struct uses\n// the standard encoding/json library.\nfunc (p *PackageVulns) UnmarshalJSON(data []byte) error {\n\t// Use alias to avoid recursion.\n\ttype alias PackageVulns\n\n\t// Use temporary struct to combine standard fields (via alias)\n\t// and the manually processed field (via shadowing).\n\ttmp := &struct {\n\t\t*alias\n\n\t\tVulnerabilities []json.RawMessage `json:\"vulnerabilities,omitempty\"`\n\t}{\n\t\talias: (*alias)(p),\n\t}\n\n\t// Unmarshal into the temporary struct.\n\tif err := json.Unmarshal(data, &tmp); err != nil {\n\t\treturn err\n\t}\n\n\t// Manually process the custom field from RawMessage format.\n\tif len(tmp.Vulnerabilities) > 0 {\n\t\tp.Vulnerabilities = make([]*osvschema.Vulnerability, 0, len(tmp.Vulnerabilities))\n\t\tfor i, rawVuln := range tmp.Vulnerabilities {\n\t\t\tvuln := &osvschema.Vulnerability{}\n\t\t\tif err := protojson.Unmarshal(rawVuln, vuln); err != nil {\n\t\t\t\treturn fmt.Errorf(\"failed to protojson unmarshal vulnerability at index %d: %w\", i, err)\n\t\t\t}\n\t\t\tp.Vulnerabilities = append(p.Vulnerabilities, vuln)\n\t\t}\n\t}\n\n\treturn nil\n}\n\ntype GroupInfo struct {\n\t// IDs expected to be sorted in alphanumeric order\n\tIDs []string `json:\"ids\"`\n\t// Aliases include all aliases and IDs\n\tAliases []string `json:\"aliases\"`\n\t// Map of Vulnerability IDs to AnalysisInfo\n\tExperimentalAnalysis map[string]AnalysisInfo `json:\"experimental_analysis,omitempty\"`\n\tMaxSeverity string `json:\"max_severity\"`\n}\n\n// IsCalled returns true if any analysis performed determines that the vulnerability is being called\n// Also returns true if no analysis is performed\nfunc (groupInfo *GroupInfo) IsCalled() bool {\n\tif len(groupInfo.ExperimentalAnalysis) == 0 {\n\t\treturn true\n\t}\n\n\tfor _, analysis := range groupInfo.ExperimentalAnalysis {\n\t\tif analysis.Called {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (groupInfo *GroupInfo) IsGroupUnimportant() bool {\n\tif len(groupInfo.ExperimentalAnalysis) == 0 {\n\t\treturn false\n\t}\n\n\tfor _, analysis := range groupInfo.ExperimentalAnalysis {\n\t\tif analysis.Unimportant {\n\t\t\treturn true\n\t\t}\n\t}\n\n\treturn false\n}\n\nfunc (groupInfo *GroupInfo) IndexString() string {\n\t// Assumes IDs is sorted\n\treturn strings.Join(groupInfo.IDs, \",\")\n}\n\ntype AnalysisInfo struct {\n\tCalled bool `json:\"called\"`\n\tUnimportant bool `json:\"unimportant\"`\n}\n\ntype PackageInfo struct {\n\tName string `json:\"name\"`\n\tOSPackageName string `json:\"os_package_name,omitempty\"`\n\tVersion string `json:\"version\"`\n\tEcosystem string `json:\"ecosystem\"`\n\tCommit string `json:\"commit,omitempty\"`\n\tDeprecated bool `json:\"deprecated,omitempty\"`\n\tImageOrigin *ImageOriginDetails `json:\"image_origin_details,omitempty\"`\n\tInventory *extractor.Package `json:\"-\"`\n}\n" }, { "path": "pkg/models/results_test.go", "content": "package models_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/go-cmp/cmp\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"google.golang.org/protobuf/testing/protocmp\"\n)\n\nfunc TestFlatten(t *testing.T) {\n\tt.Parallel()\n\t// Test case 1: When there are no vulnerabilities\n\tvulns := models.VulnerabilityResults{Results: []models.PackageSource{}}\n\texpectedFlattened := []models.VulnerabilityFlattened{}\n\tflattened := vulns.Flatten()\n\tif diff := cmp.Diff(expectedFlattened, flattened, protocmp.Transform()); diff != \"\" {\n\t\tt.Errorf(\"Flatten() returned unexpected result (-want +got):\\n%s\", diff)\n\t}\n\n\t// Test case 2: When there are vulnerabilities\n\tgroup := models.GroupInfo{IDs: []string{\"CVE-2021-1234\"}}\n\tpkg := models.PackageVulns{\n\t\tPackage: models.PackageInfo{Name: \"package\"},\n\t\tDepGroups: []string{\"dev\"},\n\t\tGroups: []models.GroupInfo{group},\n\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t{\n\t\t\t\tId: \"CVE-2021-1234\",\n\t\t\t\tSeverity: []*osvschema.Severity{\n\t\t\t\t\t{\n\t\t\t\t\t\tScore: \"1\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tLicenses: []models.License{models.License(\"MIT\")},\n\t}\n\tsource := models.PackageSource{Source: models.SourceInfo{Path: \"package\"}, Packages: []models.PackageVulns{pkg}}\n\tvulns = models.VulnerabilityResults{Results: []models.PackageSource{source}}\n\texpectedFlattened = []models.VulnerabilityFlattened{\n\t\t{\n\t\t\tSource: source.Source,\n\t\t\tPackage: pkg.Package,\n\t\t\tDepGroups: []string{\"dev\"},\n\t\t\tVulnerability: pkg.Vulnerabilities[0],\n\t\t\tGroupInfo: group,\n\t\t},\n\t}\n\tflattened = vulns.Flatten()\n\tif diff := cmp.Diff(expectedFlattened, flattened, protocmp.Transform()); diff != \"\" {\n\t\tt.Errorf(\"Flatten() returned unexpected result (-want +got):\\n%s\", diff)\n\t}\n\n\t// Test case 3: When there are no vulnerabilities and license violations\n\tgroup = models.GroupInfo{IDs: []string{\"CVE-2021-1234\"}}\n\tpkg = models.PackageVulns{\n\t\tPackage: models.PackageInfo{Name: \"package\"},\n\t\tDepGroups: []string{\"dev\"},\n\t\tGroups: []models.GroupInfo{group},\n\t\tLicenses: []models.License{\"MIT\"},\n\t\tLicenseViolations: []models.License{\"MIT\"},\n\t}\n\tsource = models.PackageSource{Source: models.SourceInfo{Path: \"package\"}, Packages: []models.PackageVulns{pkg}}\n\tvulns = models.VulnerabilityResults{Results: []models.PackageSource{source}}\n\texpectedFlattened = []models.VulnerabilityFlattened{\n\t\t{\n\t\t\tSource: source.Source,\n\t\t\tPackage: pkg.Package,\n\t\t\tDepGroups: []string{\"dev\"},\n\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t},\n\t}\n\tflattened = vulns.Flatten()\n\tif diff := cmp.Diff(expectedFlattened, flattened, protocmp.Transform()); diff != \"\" {\n\t\tt.Errorf(\"Flatten() returned unexpected result (-want +got):\\n%s\", diff)\n\t}\n\n\t// Test case 4: When there are vulnerabilities and license violations\n\tgroup = models.GroupInfo{IDs: []string{\"CVE-2021-1234\"}}\n\tpkg = models.PackageVulns{\n\t\tPackage: models.PackageInfo{Name: \"package\"},\n\t\tDepGroups: []string{\"dev\"},\n\t\tGroups: []models.GroupInfo{group},\n\t\tVulnerabilities: []*osvschema.Vulnerability{\n\t\t\t{\n\t\t\t\tId: \"CVE-2021-1234\",\n\t\t\t\tSeverity: []*osvschema.Severity{\n\t\t\t\t\t{\n\t\t\t\t\t\tScore: \"1\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tLicenses: []models.License{\"MIT\"},\n\t\tLicenseViolations: []models.License{\"MIT\"},\n\t}\n\tsource = models.PackageSource{Source: models.SourceInfo{Path: \"package\"}, Packages: []models.PackageVulns{pkg}}\n\tvulns = models.VulnerabilityResults{Results: []models.PackageSource{source}}\n\texpectedFlattened = []models.VulnerabilityFlattened{\n\t\t{\n\t\t\tSource: source.Source,\n\t\t\tPackage: pkg.Package,\n\t\t\tDepGroups: []string{\"dev\"},\n\t\t\tVulnerability: pkg.Vulnerabilities[0],\n\t\t\tGroupInfo: group,\n\t\t},\n\t\t{\n\t\t\tSource: source.Source,\n\t\t\tPackage: pkg.Package,\n\t\t\tDepGroups: []string{\"dev\"},\n\t\t\tLicenses: []models.License{\"MIT\"},\n\t\t\tLicenseViolations: []models.License{\"MIT\"},\n\t\t},\n\t}\n\tflattened = vulns.Flatten()\n\tif diff := cmp.Diff(expectedFlattened, flattened, protocmp.Transform()); diff != \"\" {\n\t\tt.Errorf(\"Flatten() returned unexpected result (-want +got):\\n%s\", diff)\n\t}\n}\n" }, { "path": "pkg/osvscanner/__snapshots__/filter_internal_test.snap", "content": "\n[Test_filterResults/filter_everything - 1]\n{\n \"results\": [],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[Test_filterResults/filter_nothing - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Segmentation fault in time\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Potential segfault in the time crate\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"aliases\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"GO-2022-1144\"\n ],\n \"aliases\": [\n \"GO-2022-1144\"\n ],\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net/http2/h2c\",\n \"purl\": \"pkg:golang/golang.org/x/net/http2/h2c\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41721\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T22:40:06Z\",\n \"nvd_published_at\": \"2023-01-13T23:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"id\": \"GHSA-fxg5-wq6x-vr4w\",\n \"modified\": \"2023-01-24T18:56:46Z\",\n \"published\": \"2023-01-14T00:30:23Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41721\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://cs.opensource.google/go/x/net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/447396\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"golang.org/x/net/http2/h2c vulnerable to request smuggling attack\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1495.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2/h2c\",\n \"symbols\": [\n \"h2cHandler.ServeHTTP\",\n \"h2cUpgrade\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41721\",\n \"GHSA-fxg5-wq6x-vr4w\"\n ],\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler.\\n\\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"id\": \"GO-2023-1495\",\n \"modified\": \"2023-01-31T21:39:17Z\",\n \"published\": \"2023-01-13T22:39:40Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/447396\"\n }\n ],\n \"schema_version\": \"1.4.0\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\",\n \"symbols\": [\n \"ListenAndServe\",\n \"ListenAndServeTLS\",\n \"Serve\",\n \"ServeTLS\",\n \"Server.ListenAndServe\",\n \"Server.ListenAndServeTLS\",\n \"Server.Serve\",\n \"Server.ServeTLS\",\n \"http2Server.ServeConn\",\n \"http2serverConn.canonicalHeader\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.18.9\"\n },\n {\n \"introduced\": \"1.19.0\"\n },\n {\n \"fixed\": \"1.19.4\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\",\n \"symbols\": [\n \"Server.ServeConn\",\n \"serverConn.canonicalHeader\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41717\",\n \"GHSA-xrjj-mj9h-534m\"\n ],\n \"details\": \"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\\n\\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.\",\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2023-01-31T21:39:15Z\",\n \"published\": \"2022-12-08T19:01:21Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56350\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455717\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\"\n }\n ],\n \"schema_version\": \"1.4.0\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ],\n \"schema_version\": \"1.4.0\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"max_severity\": \"\"\n },\n {\n \"ids\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"aliases\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.6.1-0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\",\n \"id\": \"RUSTSEC-2023-0015\",\n \"modified\": \"2023-02-25T15:13:09Z\",\n \"published\": \"2023-02-25T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/ascii\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Ascii allows out-of-bounds array indexing in safe code\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n },\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Segmentation fault in time\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Potential segfault in the time crate\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[Test_filterResults/filter_partially - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"unixodbc\",\n \"version\": \"2.3.11-2\",\n \"ecosystem\": \"Debian:10\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2024-1013\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"ecosystem_specific\": {\n \"urgency\": \"unimportant\"\n },\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"unixodbc\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"ECOSYSTEM\"\n }\n ]\n }\n ],\n \"details\": \"An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.\",\n \"id\": \"CVE-2024-1013\",\n \"modified\": \"2024-03-18T12:38:25Z\",\n \"published\": \"2024-03-18T11:15:09Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2260823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2024-1013\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lurcher/unixODBC/pull/157\"\n }\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"chromium\",\n \"version\": \"73.0.3683.75-1\",\n \"ecosystem\": \"Debian:10\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2024-3847\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n },\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"chromium\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"ECOSYSTEM\"\n }\n ]\n },\n {\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n },\n \"package\": {\n \"ecosystem\": \"Debian:11\",\n \"name\": \"chromium\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ],\n \"type\": \"ECOSYSTEM\"\n }\n ]\n }\n ],\n \"details\": \"Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)\",\n \"id\": \"CVE-2024-3847\",\n \"modified\": \"2024-05-03T03:16:29Z\",\n \"published\": \"2024-04-17T08:15:10Z\",\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.chromium.org/issues/328690293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/\"\n }\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n },\n \"ecosystem_specific\": {\n \"urgency\": \"unimportant\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n },\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Uncontrolled Resource Consumption\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ],\n \"urgency\": \"low\"\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n },\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ],\n \"schema_version\": \"1.4.0\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n },\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n },\n {\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n },\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Segmentation fault in time\"\n },\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n },\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ],\n \"type\": \"SEMVER\"\n }\n ]\n }\n ],\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ],\n \"schema_version\": \"1.4.0\",\n \"summary\": \"Potential segfault in the time crate\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n" }, { "path": "pkg/osvscanner/__snapshots__/osvscanner_test.snap", "content": "\n[TestDoScan/Test_curl_git_scanning - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"\",\n \"type\": \"unknown\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"\",\n \"version\": \"\",\n \"ecosystem\": \"\",\n \"commit\": \"33dffa3909a67e1b5d22647128ab7eb6e53fd0c7\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2025-63675\"\n ],\n \"aliases\": [\n \"CVE-2025-63675\",\n \"GHSA-97w9-v595-3h5q\"\n ],\n \"max_severity\": \"8.8\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"affected\": [\n {\n \"database_specific\": {\n \"source\": \"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63675.json\"\n },\n \"ranges\": [\n {\n \"database_specific\": {\n \"versions\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"1.2.4\"\n }\n ]\n },\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"last_affected\": \"33dffa3909a67e1b5d22647128ab7eb6e53fd0c7\"\n }\n ],\n \"repo\": \"https://github.com/netinvent/cryptidy\",\n \"type\": \"GIT\"\n }\n ],\n \"versions\": [\n \"v1.0.4\",\n \"v1.0.5\",\n \"v1.0.7\",\n \"v1.1.0\",\n \"v1.2.0\",\n \"v1.2.1\",\n \"v1.2.2\",\n \"v1.2.3\",\n \"v1.2.4\"\n ]\n }\n ],\n \"aliases\": [\n \"GHSA-97w9-v595-3h5q\"\n ],\n \"details\": \"cryptidy through 1.2.4 allows code execution via untrusted data because pickle.loads is used. This occurs in aes_decrypt_message in symmetric_encryption.py.\",\n \"id\": \"CVE-2025-63675\",\n \"modified\": \"2026-03-14T12:45:39.021698Z\",\n \"published\": \"2025-10-31T07:15:38.283Z\",\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/netinvent/cryptidy/blob/cebc9ffd54cc20679d15a1a43ca9a5da645b0c58/cryptidy/symmetric_encryption.py#L220-L238\"\n },\n {\n \"type\": \"EVIDENCE\",\n \"url\": \"https://github.com/javiermorales36/cryptidy-analysis\"\n }\n ],\n \"schema_version\": \"1.7.5\",\n \"severity\": [\n {\n \"score\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\n \"type\": \"CVSS_V3\"\n }\n ]\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n" }, { "path": "pkg/osvscanner/__snapshots__/vulnerability_result_internal_test.snap", "content": "\n[Test_assembleResult/group_vulnerabilities - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[Test_assembleResult/group_vulnerabilities_with_all_packages_included - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"pkg-2\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n }\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": null\n }\n }\n}\n---\n\n[Test_assembleResult/group_vulnerabilities_with_license_allowlist - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\",\n \"0BSD\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"license_violations\": [\n \"UNKNOWN\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"MIT\",\n \"0BSD\"\n ]\n }\n }\n}\n---\n\n[Test_assembleResult/group_vulnerabilities_with_license_allowlist_and_all_packages - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\",\n \"0BSD\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"pkg-2\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"license_violations\": [\n \"UNKNOWN\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"MIT\",\n \"0BSD\"\n ]\n }\n }\n}\n---\n\n[Test_assembleResult/group_vulnerabilities_with_license_allowlist_and_license_override - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\",\n \"0BSD\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": false,\n \"allowlist\": [\n \"MIT\",\n \"0BSD\"\n ]\n }\n }\n}\n---\n\n[Test_assembleResult/group_vulnerabilities_with_licenses - 1]\n{\n \"results\": [\n {\n \"source\": {\n \"path\": \"dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-1\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"aliases\": [\n \"CVE-123\",\n \"GHSA-123\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"MIT\",\n \"0BSD\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-123\"\n },\n {\n \"aliases\": [\n \"CVE-123\"\n ],\n \"id\": \"GHSA-123\"\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"pkg-2\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"licenses\": [\n \"MIT\"\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"other-dir/package-lock.json\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"pkg-3\",\n \"version\": \"1.0.0\",\n \"ecosystem\": \"npm\"\n },\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-456\"\n ],\n \"aliases\": [\n \"GHSA-456\"\n ],\n \"max_severity\": \"\"\n }\n ],\n \"licenses\": [\n \"UNKNOWN\"\n ],\n \"vulnerabilities\": [\n {\n \"id\": \"GHSA-456\"\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"licenses\": {\n \"summary\": true,\n \"allowlist\": []\n }\n }\n}\n---\n" }, { "path": "pkg/osvscanner/exclude.go", "content": "package osvscanner\n\nimport (\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"regexp\"\n\t\"runtime\"\n\t\"strings\"\n\n\t\"github.com/gobwas/glob\"\n\t\"github.com/google/osv-scanner/v2/internal/cachedregexp\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n)\n\n// excludePatterns holds parsed patterns for excluding paths during scanning.\n// Supports three types of patterns:\n// - dirsToSkip: exact directory names to skip\n// - globPattern: glob patterns (g:pattern syntax)\n// - regexPattern: regex patterns (r:pattern syntax)\ntype excludePatterns struct {\n\tdirsToSkip []string // Exact directory names to skip\n\tglobPattern glob.Glob // Combined glob pattern using {p1,p2,...} syntax\n\tregexPattern *regexp.Regexp // Combined regex pattern using (p1|p2|...) syntax\n}\n\n// parseExcludePatterns parses the exclude patterns from command line.\n// Pattern syntax (matching --lockfile flag style):\n// - \"dirname\" or \":dirname\" -> exact directory name (dirsToSkip)\n// - \"g:pattern\" -> glob pattern (globPattern)\n// - \"r:pattern\" -> regex pattern (regexPattern)\n//\n// The \":\" prefix is an escape hatch for directory names containing colons.\nfunc parseExcludePatterns(patterns []string) (*excludePatterns, error) {\n\tvar dirsToSkip []string\n\tvar globPatterns []string\n\tvar regexPatterns []string\n\n\tfor _, p := range patterns {\n\t\tpatternType, pattern := parseExcludeArg(p)\n\n\t\tswitch patternType {\n\t\tcase \"\":\n\t\t\t// Exact directory name\n\t\t\tdirsToSkip = append(dirsToSkip, pattern)\n\t\tcase \"g\":\n\t\t\tglobPatterns = append(globPatterns, pattern)\n\t\tcase \"r\":\n\t\t\tregexPatterns = append(regexPatterns, pattern)\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(\"unknown pattern type %q in %q; use g: for glob or r: for regex\", patternType, p)\n\t\t}\n\t}\n\n\tresult := &excludePatterns{\n\t\tdirsToSkip: dirsToSkip,\n\t}\n\n\t// Compile glob patterns using {p1,p2,...} syntax\n\tif len(globPatterns) > 0 {\n\t\tvar combined string\n\t\tif len(globPatterns) == 1 {\n\t\t\tcombined = globPatterns[0]\n\t\t} else {\n\t\t\tcombined = \"{\" + strings.Join(globPatterns, \",\") + \"}\"\n\t\t}\n\t\tg, err := glob.Compile(combined, '/')\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid glob pattern %q: %w\", combined, err)\n\t\t}\n\t\tresult.globPattern = g\n\t}\n\n\t// Compile regex patterns using (p1|p2|...) syntax\n\tif len(regexPatterns) > 0 {\n\t\tvar combined string\n\t\tif len(regexPatterns) == 1 {\n\t\t\tcombined = regexPatterns[0]\n\t\t} else {\n\t\t\tcombined = \"(\" + strings.Join(regexPatterns, \"|\") + \")\"\n\t\t}\n\t\tr, err := cachedregexp.Compile(combined)\n\t\tif err != nil {\n\t\t\treturn nil, fmt.Errorf(\"invalid regex pattern %q: %w\", combined, err)\n\t\t}\n\t\tresult.regexPattern = r\n\t}\n\n\treturn result, nil\n}\n\n// parseExcludeArg parses a single exclude argument.\n// Returns (patternType, pattern) where:\n// - patternType is \"\" for exact match, \"g\" for glob, \"r\" for regex, or the unknown prefix\n// - pattern is the actual pattern to use\n//\n// Unknown prefixes are returned as-is so the caller can provide appropriate error messages.\nfunc parseExcludeArg(arg string) (string, string) {\n\t// Handle Windows absolute paths (e.g., C:\\path)\n\tif runtime.GOOS == \"windows\" {\n\t\tif strings.HasPrefix(arg, \"r:\") || strings.HasPrefix(arg, \"g:\") {\n\t\t\tcmdlogger.Warnf(\"interpreting as regex/glob and not absolute path: %s\", arg)\n\t\t} else if filepath.IsAbs(arg) {\n\t\t\treturn \"\", arg\n\t\t}\n\t}\n\n\tpatternType, pattern, found := strings.Cut(arg, \":\")\n\tif !found {\n\t\t// No colon found, treat as exact directory name\n\t\treturn \"\", arg\n\t}\n\n\t// Empty prefix means exact match (escape hatch for paths with colons)\n\t// \"g\" prefix means glob pattern\n\t// \"r\" prefix means regex pattern\n\t// Return all prefixes (including unknown ones) to let the caller handle validation\n\treturn patternType, pattern\n}\n" }, { "path": "pkg/osvscanner/exclude_test.go", "content": "package osvscanner\n\nimport (\n\t\"testing\"\n)\n\nfunc Test_parseExcludeArg(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\targ string\n\t\twantPatternType string\n\t\twantPattern string\n\t}{\n\t\t{\"exact_directory_name\", \"test\", \"\", \"test\"},\n\t\t{\"exact_with_colon_escape\", \":test\", \"\", \"test\"},\n\t\t{\"glob_pattern\", \"g:**/test/**\", \"g\", \"**/test/**\"},\n\t\t{\"regex_pattern\", \"r:\\\\.git\", \"r\", \"\\\\.git\"},\n\t\t{\"regex_with_pipe\", \"r:node_modules|vendor\", \"r\", \"node_modules|vendor\"},\n\t\t{\"empty_string\", \"\", \"\", \"\"},\n\t\t{\"directory_with_colon_escape\", \":my:project\", \"\", \"my:project\"},\n\t\t{\"single_letter_dir\", \"g\", \"\", \"g\"},\n\t\t{\"path_like_glob\", \"test/path\", \"\", \"test/path\"},\n\t\t{\"unknown_prefix_returns_prefix\", \"x:pattern\", \"x\", \"pattern\"},\n\t\t// Windows specific tests - these will run on Linux too but result might depend on OS\n\t\t// We expect r: to be regex on ALL platforms now with the fix (since it falls through on Linux, and matches explicit check on Windows)\n\t\t{\"windows_regex_lower_r\", `r:pattern`, \"r\", \"pattern\"},\n\t\t{\"windows_glob_lower_g\", `g:pattern`, \"g\", \"pattern\"},\n\t\t{\"windows_regex_simple\", `r:foo`, \"r\", \"foo\"},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tpatternType, pattern := parseExcludeArg(tt.arg)\n\t\t\tif patternType != tt.wantPatternType {\n\t\t\t\tt.Errorf(\"parseExcludeArg(%q) patternType = %q, want %q\", tt.arg, patternType, tt.wantPatternType)\n\t\t\t}\n\t\t\tif pattern != tt.wantPattern {\n\t\t\t\tt.Errorf(\"parseExcludeArg(%q) pattern = %q, want %q\", tt.arg, pattern, tt.wantPattern)\n\t\t\t}\n\t\t})\n\t}\n}\n\nfunc Test_parseExcludePatterns(t *testing.T) {\n\tt.Parallel()\n\ttests := []struct {\n\t\tname string\n\t\tpatterns []string\n\t\twantErr bool\n\t\tdirsCount int\n\t\tglobTestPath string\n\t\tregexTestPath string\n\t}{\n\t\t{\n\t\t\tname: \"single_exact_directory\",\n\t\t\tpatterns: []string{\"test\"},\n\t\t\tdirsCount: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_exact_directories\",\n\t\t\tpatterns: []string{\"test\", \"docs\", \"vendor\"},\n\t\t\tdirsCount: 3,\n\t\t},\n\t\t{\n\t\t\tname: \"single_glob_pattern\",\n\t\t\tpatterns: []string{\"g:**/test/**\"},\n\t\t\tglobTestPath: \"foo/test/bar\",\n\t\t},\n\t\t{\n\t\t\tname: \"single_regex_pattern\",\n\t\t\tpatterns: []string{\"r:\\\\.git\"},\n\t\t\tregexTestPath: \".git\",\n\t\t},\n\t\t{\n\t\t\tname: \"mixed_patterns\",\n\t\t\tpatterns: []string{\"vendor\", \"g:**/test/**\", \"r:node_modules\"},\n\t\t\tdirsCount: 1,\n\t\t\tglobTestPath: \"foo/test/bar\",\n\t\t\tregexTestPath: \"node_modules\",\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_glob_patterns\",\n\t\t\tpatterns: []string{\"g:**/test/**\", \"g:**/docs/**\"},\n\t\t\tglobTestPath: \"foo/docs/readme\",\n\t\t},\n\t\t{\n\t\t\tname: \"multiple_regex_patterns\",\n\t\t\tpatterns: []string{\"r:\\\\.git\", \"r:\\\\.cache\"},\n\t\t\tregexTestPath: \".cache\",\n\t\t},\n\t\t{\n\t\t\tname: \"empty_patterns\",\n\t\t\tpatterns: []string{},\n\t\t},\n\t\t{\n\t\t\tname: \"invalid_glob\",\n\t\t\tpatterns: []string{\"g:[\"},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"invalid_regex\",\n\t\t\tpatterns: []string{\"r:[invalid\"},\n\t\t\twantErr: true,\n\t\t},\n\t\t{\n\t\t\tname: \"colon_escape_for_exact_match\",\n\t\t\tpatterns: []string{\":my:project\"},\n\t\t\tdirsCount: 1,\n\t\t},\n\t\t{\n\t\t\tname: \"unknown_prefix_returns_error\",\n\t\t\tpatterns: []string{\"x:pattern\"},\n\t\t\twantErr: true,\n\t\t},\n\t}\n\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tresult, err := parseExcludePatterns(tt.patterns)\n\n\t\t\tif (err != nil) != tt.wantErr {\n\t\t\t\tt.Errorf(\"parseExcludePatterns() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tif tt.wantErr {\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\t// Check dirs count\n\t\t\tif len(result.dirsToSkip) != tt.dirsCount {\n\t\t\t\tt.Errorf(\"parseExcludePatterns() dirsToSkip count = %d, want %d\", len(result.dirsToSkip), tt.dirsCount)\n\t\t\t}\n\n\t\t\t// Check glob pattern presence and matching\n\t\t\twantGlob := tt.globTestPath != \"\"\n\t\t\tif (result.globPattern != nil) != wantGlob {\n\t\t\t\tt.Errorf(\"parseExcludePatterns() globPattern present = %v, want %v\", result.globPattern != nil, wantGlob)\n\t\t\t}\n\t\t\tif wantGlob && result.globPattern != nil {\n\t\t\t\tif !result.globPattern.Match(tt.globTestPath) {\n\t\t\t\t\tt.Errorf(\"globPattern.Match(%q) = false, want true\", tt.globTestPath)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check regex pattern presence and matching\n\t\t\twantRegex := tt.regexTestPath != \"\"\n\t\t\tif (result.regexPattern != nil) != wantRegex {\n\t\t\t\tt.Errorf(\"parseExcludePatterns() regexPattern present = %v, want %v\", result.regexPattern != nil, wantRegex)\n\t\t\t}\n\t\t\tif wantRegex && result.regexPattern != nil {\n\t\t\t\tif !result.regexPattern.MatchString(tt.regexTestPath) {\n\t\t\t\t\tt.Errorf(\"regexPattern.MatchString(%q) = false, want true\", tt.regexTestPath)\n\t\t\t\t}\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "pkg/osvscanner/filter.go", "content": "// Package osvscanner provides the main logic for the OSV-Scanner.\npackage osvscanner\n\nimport (\n\t\"fmt\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels/results\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// filterUnscannablePackages removes packages that don't have enough information to be scanned or\n// are not a supported ecosystem, and returns the list of removed packages (if --all-packages flag is passed in)\n// e,g, local packages that specified by path\nfunc filterUnscannablePackages(scanResults *results.ScanResults, actions ScannerActions) []*extractor.Package {\n\tpackageResults := make([]*extractor.Package, 0, len(scanResults.PackageScanResults))\n\tfilteredPsr := make([]*extractor.Package, 0, len(scanResults.PackageScanResults))\n\tfor _, psr := range scanResults.PackageScanResults {\n\t\tswitch {\n\t\t// If **none** of the cases match, skip this package since it's not scannable\n\t\tcase !imodels.Ecosystem(psr).IsEmpty() && imodels.Name(psr) != \"\" && imodels.Version(psr) != \"\":\n\t\tcase imodels.Commit(psr) != \"\":\n\t\tdefault:\n\t\t\tif actions.ShowAllPackages {\n\t\t\t\tfilteredPsr = append(filteredPsr, psr)\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tswitch {\n\t\t// If **any** of the following cases are true, skip this package\n\t\tcase imodels.Ecosystem(psr).Ecosystem == osvconstants.EcosystemMaven && imodels.Name(psr) == \"unknown\", // Is Maven with package name unknown\n\t\t\timodels.Ecosystem(psr).GetValidity() != nil && !imodels.Ecosystem(psr).IsEmpty(): // Is invalid and not empty\n\t\t\tif actions.ShowAllPackages {\n\t\t\t\tfilteredPsr = append(filteredPsr, psr)\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\n\t\tpackageResults = append(packageResults, psr)\n\t}\n\n\tif len(packageResults) != len(scanResults.PackageScanResults) {\n\t\tcmdlogger.Infof(\"Filtered %d local/unscannable package/s from the scan.\", len(scanResults.PackageScanResults)-len(packageResults))\n\t}\n\n\tscanResults.PackageScanResults = packageResults\n\n\treturn filteredPsr\n}\n\n// filterNonContainerRelevantPackages removes packages that are not relevant when doing container scanning\nfunc filterNonContainerRelevantPackages(scanResults *results.ScanResults) {\n\tpackageResults := make([]*extractor.Package, 0, len(scanResults.PackageScanResults))\n\tfor _, psr := range scanResults.PackageScanResults {\n\t\t// Almost all packages with linux as a SourceName are kernel packages\n\t\t// which does not apply within a container, as containers use the host's kernel\n\t\tif imodels.Name(psr) == \"linux\" {\n\t\t\tcontinue\n\t\t}\n\n\t\tpackageResults = append(packageResults, psr)\n\t}\n\n\tif len(packageResults) != len(scanResults.PackageScanResults) {\n\t\tcmdlogger.Infof(\"Filtered %d non container relevant package/s from the scan.\", len(scanResults.PackageScanResults)-len(packageResults))\n\t}\n\n\tscanResults.PackageScanResults = packageResults\n}\n\n// filterIgnoredPackages removes ignore scanned packages according to config. Returns filtered scanned packages.\nfunc filterIgnoredPackages(scanResults *results.ScanResults) {\n\tconfigManager := &scanResults.ConfigManager\n\n\tout := make([]*extractor.Package, 0, len(scanResults.PackageScanResults))\n\tfor _, psr := range scanResults.PackageScanResults {\n\t\tconfigToUse := configManager.Get(imodels.Location(psr))\n\n\t\tif ignore, ignoreLine := configToUse.ShouldIgnorePackage(psr); ignore {\n\t\t\tpkgString := fmt.Sprintf(\"%s/%s/%s\", imodels.Ecosystem(psr).String(), imodels.Name(psr), imodels.Version(psr))\n\n\t\t\treason := ignoreLine.Reason\n\t\t\tif reason == \"\" {\n\t\t\t\treason = \"(no reason given)\"\n\t\t\t}\n\t\t\tcmdlogger.Infof(\"Package %s has been filtered out because: %s\", pkgString, reason)\n\n\t\t\tcontinue\n\t\t}\n\t\tout = append(out, psr)\n\t}\n\n\tif len(out) != len(scanResults.PackageScanResults) {\n\t\tcmdlogger.Infof(\"Filtered %d ignored package/s from the scan.\", len(scanResults.PackageScanResults)-len(out))\n\t}\n\n\tscanResults.PackageScanResults = out\n}\n\n// Filters results according to config, preserving order. Returns total number of vulnerabilities removed.\nfunc filterResults(vulnResults *models.VulnerabilityResults, configManager *config.Manager, allPackages bool) int {\n\tremovedCount := 0\n\tnewResults := []models.PackageSource{} // Want 0 vulnerabilities to show in JSON as an empty list, not null.\n\tfor _, pkgSrc := range vulnResults.Results {\n\t\tconfigToUse := configManager.Get(pkgSrc.Source.Path)\n\t\tvar newPackages []models.PackageVulns\n\t\tfor _, pkgVulns := range pkgSrc.Packages {\n\t\t\tnewVulns := filterPackageVulns(pkgVulns, configToUse)\n\t\t\tremovedCount += len(pkgVulns.Vulnerabilities) - len(newVulns.Vulnerabilities)\n\t\t\tif allPackages || len(newVulns.Vulnerabilities) > 0 || len(pkgVulns.LicenseViolations) > 0 || pkgVulns.Package.Deprecated {\n\t\t\t\tnewPackages = append(newPackages, newVulns)\n\t\t\t}\n\t\t}\n\t\t// Don't want to include the package source at all if there are no vulns.\n\t\tif len(newPackages) > 0 {\n\t\t\tpkgSrc.Packages = newPackages\n\t\t\tnewResults = append(newResults, pkgSrc)\n\t\t}\n\t}\n\tvulnResults.Results = newResults\n\n\treturn removedCount\n}\n\n// Filters package-grouped vulnerabilities according to config, preserving ordering. Returns filtered package vulnerabilities.\nfunc filterPackageVulns(pkgVulns models.PackageVulns, configToUse config.Config) models.PackageVulns {\n\tignoredVulns := map[string]struct{}{}\n\n\t// Iterate over groups first to remove all aliases of ignored vulnerabilities.\n\tvar newGroups []models.GroupInfo\n\tfor _, group := range pkgVulns.Groups {\n\t\tignore := false\n\t\tfor _, id := range group.Aliases {\n\t\t\tvar ignoreLine *config.IgnoreEntry\n\t\t\tif ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore {\n\t\t\t\tfor _, id := range group.Aliases {\n\t\t\t\t\tignoredVulns[id] = struct{}{}\n\t\t\t\t}\n\n\t\t\t\treason := ignoreLine.Reason\n\n\t\t\t\tif reason == \"\" {\n\t\t\t\t\treason = \"(no reason given)\"\n\t\t\t\t}\n\n\t\t\t\t// NB: This only prints the first reason encountered in all the aliases.\n\t\t\t\tswitch len(group.Aliases) {\n\t\t\t\tcase 1:\n\t\t\t\t\tcmdlogger.Infof(\"%s has been filtered out because: %s\", ignoreLine.ID, reason)\n\t\t\t\tcase 2:\n\t\t\t\t\tcmdlogger.Infof(\"%s and 1 alias have been filtered out because: %s\", ignoreLine.ID, reason)\n\t\t\t\tdefault:\n\t\t\t\t\tcmdlogger.Infof(\"%s and %d aliases have been filtered out because: %s\", ignoreLine.ID, len(group.Aliases)-1, reason)\n\t\t\t\t}\n\n\t\t\t\tignoreLine.MarkAsUsed()\n\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t\tif !ignore {\n\t\t\tnewGroups = append(newGroups, group)\n\t\t}\n\t}\n\n\tvar newVulns []*osvschema.Vulnerability\n\tif len(newGroups) > 0 { // If there are no groups left then there would be no vulnerabilities.\n\t\tfor _, vuln := range pkgVulns.Vulnerabilities {\n\t\t\tif _, filtered := ignoredVulns[vuln.GetId()]; !filtered {\n\t\t\t\tnewVulns = append(newVulns, vuln)\n\t\t\t}\n\t\t}\n\t}\n\n\t// Passed by value. We don't want to alter the original PackageVulns.\n\tpkgVulns.Groups = newGroups\n\tpkgVulns.Vulnerabilities = newVulns\n\n\treturn pkgVulns\n}\n" }, { "path": "pkg/osvscanner/filter_internal_test.go", "content": "package osvscanner\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n)\n\nfunc Test_filterResults(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tpath string\n\t\twant int\n\t}{\n\t\t{\n\t\t\tname: \"filter_everything\",\n\t\t\tpath: \"testdata/filter/all\",\n\t\t\twant: 15,\n\t\t},\n\t\t{\n\t\t\tname: \"filter_nothing\",\n\t\t\tpath: \"testdata/filter/none\",\n\t\t\twant: 0,\n\t\t},\n\t\t{\n\t\t\tname: \"filter_partially\",\n\t\t\tpath: \"testdata/filter/some\",\n\t\t\twant: 10,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t// configManager looks for osv-scanner.toml in the source path.\n\t\t\t// Sources in the test input should point to files/folders in the testdata folder for this to work correctly.\n\t\t\tconfigManager := config.Manager{\n\t\t\t\tDefaultConfig: config.Config{},\n\t\t\t\tConfigMap: make(map[string]config.Config),\n\t\t\t}\n\n\t\t\tgot := testutility.LoadJSONFixture[models.VulnerabilityResults](t, filepath.Join(tt.path, \"input.json\"))\n\t\t\tfiltered := filterResults(&got, &configManager, false)\n\n\t\t\ttestutility.NewSnapshot().MatchJSON(t, got)\n\n\t\t\tif filtered != tt.want {\n\t\t\t\tt.Errorf(\"filterResults() = %v, want %v\", filtered, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "pkg/osvscanner/internal/imagehelpers/imagehelpers.go", "content": "// Package imagehelpers provides helper functions for working with container images.\npackage imagehelpers\n\nimport (\n\t\"bufio\"\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"os/exec\"\n\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels/results\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/opencontainers/go-digest\"\n)\n\nfunc BuildImageMetadata(scanResults *results.ScanResults) *models.ImageMetadata {\n\tif scanResults.ImageMetadata == nil {\n\t\treturn nil\n\t}\n\n\tlayerMetadata := make([]models.LayerMetadata, 0, len(scanResults.ImageMetadata.GetLayerMetadata()))\n\tfor _, cl := range scanResults.ImageMetadata.GetLayerMetadata() {\n\t\tlayerMetadata = append(layerMetadata, models.LayerMetadata{\n\t\t\tDiffID: digest.Digest(cl.GetDiffId()),\n\t\t\tCommand: cl.GetCommand(),\n\t\t\tIsEmpty: cl.GetIsEmpty(),\n\t\t\tBaseImageIndex: int(cl.GetBaseImageIndex()),\n\t\t})\n\t}\n\n\tbaseImages := make([][]models.BaseImageDetails, 0, len(scanResults.ImageMetadata.GetBaseImageChains()))\n\n\tfor _, chain := range scanResults.ImageMetadata.GetBaseImageChains() {\n\t\tbaseImageChain := make([]models.BaseImageDetails, 0, len(chain.GetBaseImages()))\n\t\tfor _, imgs := range chain.GetBaseImages() {\n\t\t\tbaseImageChain = append(baseImageChain, models.BaseImageDetails{\n\t\t\t\tName: imgs.GetRepository(),\n\t\t\t})\n\t\t}\n\t\tbaseImages = append(baseImages, baseImageChain)\n\t}\n\n\timgMetadata := models.ImageMetadata{\n\t\tOS: scanResults.ImageMetadata.GetOsInfo()[\"PRETTY_NAME\"],\n\t\tLayerMetadata: layerMetadata,\n\t\tBaseImages: baseImages,\n\t}\n\n\treturn &imgMetadata\n}\n\n// ExportDockerImage will execute the docker binary to export an image to a temporary file in the tarball OCI format.\n//\n// If ExportDockerImage does not error, the temporary file needs to be cleaned up by the caller, otherwise, it will be\n// cleaned automatically by this function.\n//\n// ExportDockerImage will first try to locate the image locally, and if not found, attempt to pull the image from the docker registry.\nfunc ExportDockerImage(ctx context.Context, dockerImageName string) (string, error) {\n\ttempImageFile, err := os.CreateTemp(\"\", \"docker-image-*.tar\")\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"Failed to create temporary file: %s\", err)\n\t\treturn \"\", err\n\t}\n\n\terr = tempImageFile.Close()\n\tif err != nil {\n\t\t_ = os.RemoveAll(tempImageFile.Name())\n\n\t\treturn \"\", err\n\t}\n\n\t// Check if image exists locally, if not, pull from the cloud.\n\tcmdlogger.Infof(\"Checking if docker image (%q) exists locally...\", dockerImageName)\n\t// TODO: Pass through context here.\n\tcmd := exec.CommandContext(ctx, \"docker\", \"images\", \"-q\", dockerImageName)\n\toutput, err := cmd.Output()\n\tif err != nil || string(output) == \"\" {\n\t\tcmdlogger.Infof(\"Image not found locally, pulling docker image (%q)...\", dockerImageName)\n\t\terr = runCommandLogError(ctx, \"docker\", \"pull\", \"-q\", dockerImageName)\n\t\tif err != nil {\n\t\t\t_ = os.RemoveAll(tempImageFile.Name())\n\n\t\t\treturn \"\", fmt.Errorf(\"failed to pull container image: %w\", err)\n\t\t}\n\t}\n\n\tcmdlogger.Infof(\"Saving docker image (%q) to temporary file...\", dockerImageName)\n\terr = runCommandLogError(ctx, \"docker\", \"save\", \"-o\", tempImageFile.Name(), dockerImageName)\n\tif err != nil {\n\t\t_ = os.RemoveAll(tempImageFile.Name())\n\n\t\treturn \"\", err\n\t}\n\n\treturn tempImageFile.Name(), nil\n}\n\nfunc runCommandLogError(ctx context.Context, name string, args ...string) error {\n\tcmd := exec.CommandContext(ctx, name, args...)\n\n\t// Get stderr for debugging when docker fails\n\tstderr, err := cmd.StderrPipe()\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"Failed to get stderr: %s\", err)\n\t\treturn err\n\t}\n\n\terr = cmd.Start()\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"Failed to run docker command (%q): %s\", cmd.String(), err)\n\t\treturn err\n\t}\n\t// This has to be captured before cmd.Wait() is called, as cmd.Wait() closes the stderr pipe.\n\tvar stderrLines []string\n\tscanner := bufio.NewScanner(stderr)\n\tfor scanner.Scan() {\n\t\tstderrLines = append(stderrLines, scanner.Text())\n\t}\n\n\terr = cmd.Wait()\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"Docker command exited with code (%q): %d\\nSTDERR:\", cmd.String(), cmd.ProcessState.ExitCode())\n\t\tfor _, line := range stderrLines {\n\t\t\tcmdlogger.Errorf(\"> %s\", line)\n\t\t}\n\n\t\treturn errors.New(\"failed to run docker command\")\n\t}\n\n\treturn nil\n}\n" }, { "path": "pkg/osvscanner/internal/scanners/lockfile.go", "content": "// Package scanners provides functionality for scanning lockfiles.\npackage scanners\n\nimport (\n\t\"errors\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/cpp/conanlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dart/pubspec\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/depsjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packagesconfig\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/dotnet/packageslockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/golang/gomod\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/haskell/cabal\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/haskell/stacklock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradlelockfile\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/gradleverificationmetadataxml\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/java/pomxml\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/bunlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/pnpmlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/yarnlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/php/composerlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pdmlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pipfilelock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/poetrylock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/pylock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/requirements\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/python/uvlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/r/renvlock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/ruby/gemfilelock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/rust/cargolock\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/apk\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/os/dpkg\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/language/osv/osvscannerjson\"\n)\n\n// OSV-Scanner and OSV-Scalibr has different plugin/override naming conventions.\nvar osvscannerScalibrExtractionMapping = map[string][]string{\n\t\"apk-installed\": {apk.Name},\n\t\"dpkg-status\": {dpkg.Name},\n\t\"pubspec.lock\": {pubspec.Name},\n\t\"pnpm-lock.yaml\": {pnpmlock.Name},\n\t\"yarn.lock\": {yarnlock.Name},\n\t\"package-lock.json\": {packagelockjson.Name},\n\t\"pom.xml\": {pomxml.Name},\n\t\"buildscript-gradle.lockfile\": {gradlelockfile.Name},\n\t\"gradle.lockfile\": {gradlelockfile.Name},\n\t\"verification-metadata.xml\": {gradleverificationmetadataxml.Name},\n\t\"poetry.lock\": {poetrylock.Name},\n\t\"Pipfile.lock\": {pipfilelock.Name},\n\t\"pdm.lock\": {pdmlock.Name},\n\t\"pylock.toml\": {pylock.Name},\n\t\"requirements.txt\": {requirements.Name},\n\t\"uv.lock\": {uvlock.Name},\n\t\"Cargo.lock\": {cargolock.Name},\n\t\"composer.lock\": {composerlock.Name},\n\t\"mix.lock\": {mixlock.Name},\n\t\"renv.lock\": {renvlock.Name},\n\t\"deps.json\": {depsjson.Name},\n\t\"packages.config\": {packagesconfig.Name},\n\t\"packages.lock.json\": {packageslockjson.Name},\n\t\"conan.lock\": {conanlock.Name},\n\t\"go.mod\": {gomod.Name},\n\t\"bun.lock\": {bunlock.Name},\n\t\"Gemfile.lock\": {gemfilelock.Name},\n\t\"gems.locked\": {gemfilelock.Name},\n\t\"cabal.project.freeze\": {cabal.Name},\n\t\"stack.yaml.lock\": {stacklock.Name},\n\t// \"Package.resolved\": {packageresolved.Name},\n}\n\n// ParseLockfilePath returns (parseAs, path)\nfunc ParseLockfilePath(scanArg string) (string, string) {\n\tif runtime.GOOS == \"windows\" && filepath.IsAbs(scanArg) {\n\t\treturn \"\", scanArg\n\t}\n\n\tparseAs, path, found := strings.Cut(scanArg, \":\")\n\tif !found {\n\t\tpath = parseAs\n\t\tparseAs = \"\"\n\t}\n\n\treturn parseAs, path\n}\n\n// ParseAsToPlugin finds the parseAs extractor in the list of pluginsToUse\nfunc ParseAsToPlugin(parseAs string, pluginsToUse []plugin.Plugin) (filesystem.Extractor, error) {\n\tswitch parseAs {\n\tcase \"\": // No specific parseAs specified\n\t\treturn nil, errors.New(\"no parseAs specified\")\n\tcase \"osv-scanner\":\n\t\treturn osvscannerjson.Extractor{}, nil\n\tdefault:\n\t\t// Find and extract with the extractor of parseAs\n\t\tif names, ok := osvscannerScalibrExtractionMapping[parseAs]; ok && len(names) > 0 {\n\t\t\ti := slices.IndexFunc(pluginsToUse, func(plug plugin.Plugin) bool {\n\t\t\t\t_, ok = plug.(filesystem.Extractor)\n\n\t\t\t\treturn ok && slices.Contains(names, plug.Name())\n\t\t\t})\n\t\t\tif i < 0 {\n\t\t\t\treturn nil, fmt.Errorf(\"could not determine extractor, requested %s\", parseAs)\n\t\t\t}\n\n\t\t\tfsysExtractor, ok := pluginsToUse[i].(filesystem.Extractor)\n\t\t\tif !ok {\n\t\t\t\treturn nil, fmt.Errorf(\"invalid extractor name %s\", parseAs)\n\t\t\t}\n\n\t\t\treturn fsysExtractor, nil\n\t\t}\n\n\t\treturn nil, fmt.Errorf(\"could not determine extractor, requested %s\", parseAs)\n\t}\n}\n" }, { "path": "pkg/osvscanner/invsort.go", "content": "package osvscanner\n\nimport (\n\t\"cmp\"\n\t\"fmt\"\n\n\t\"github.com/google/osv-scalibr/converter\"\n\t\"github.com/google/osv-scalibr/extractor\"\n)\n\n// InventorySort is a comparator function for Inventories, to be used in\n// tests with cmp.Diff to disregard the order in which the Inventories\n// are reported.\nfunc inventorySort(a, b *extractor.Package) int {\n\taLoc := a.Location.PathOrEmpty()\n\tbLoc := b.Location.PathOrEmpty()\n\n\tvar aExtr, bExtr string\n\tvar aPURL, bPURL string\n\n\taPURLStruct := converter.ToPURL(a)\n\tbPURLStruct := converter.ToPURL(b)\n\n\tif aPURLStruct != nil {\n\t\taPURL = aPURLStruct.String()\n\t}\n\n\tif bPURLStruct != nil {\n\t\tbPURL = bPURLStruct.String()\n\t}\n\n\taSourceCode := fmt.Sprintf(\"%v\", a.SourceCode)\n\tbSourceCode := fmt.Sprintf(\"%v\", b.SourceCode)\n\n\treturn cmp.Or(\n\t\tcmp.Compare(aLoc, bLoc),\n\t\tcmp.Compare(a.Name, b.Name),\n\t\tcmp.Compare(a.Version, b.Version),\n\t\tcmp.Compare(aSourceCode, bSourceCode),\n\t\tcmp.Compare(aExtr, bExtr),\n\t\tcmp.Compare(aPURL, bPURL),\n\t)\n}\n" }, { "path": "pkg/osvscanner/osvscanner.go", "content": "package osvscanner\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"log/slog\"\n\t\"maps\"\n\t\"net/http\"\n\t\"os\"\n\t\"slices\"\n\t\"sort\"\n\t\"time\"\n\n\tscalibr \"github.com/google/osv-scalibr\"\n\t\"github.com/google/osv-scalibr/artifact/image/layerscanning/image\"\n\t\"github.com/google/osv-scalibr/binary/proto\"\n\t\"github.com/google/osv-scalibr/clients/datasource\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\tscalibrlog \"github.com/google/osv-scalibr/log\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scalibr/stats\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/licensematcher\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/localmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientinterfaces\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels/results\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\ntype ScannerActions struct {\n\tExperimentalScannerActions\n\n\tLockfilePaths []string\n\tDirectoryPaths []string\n\tGitCommits []string\n\tRecursive bool\n\tIncludeGitRoot bool\n\tNoIgnore bool\n\tImage string\n\tIsImageArchive bool\n\tConfigOverridePath string\n\tCallAnalysisStates map[string]bool\n\tShowAllPackages bool\n\tShowAllVulns bool\n\n\t// local databases\n\tCompareOffline bool\n\tDownloadDatabases bool\n\tLocalDBPath string\n\n\t// license scanning\n\tScanLicensesSummary bool\n\tScanLicensesAllowlist []string\n\n\t// Deprecated: in favor of LockfilePaths\n\tSBOMPaths []string\n}\n\ntype ExperimentalScannerActions struct {\n\tExcludePatterns []string\n\tTransitiveScanning TransitiveScanningActions\n\n\tPluginsEnabled []string\n\tPluginsDisabled []string\n\tPluginsNoDefaults bool\n\n\t// Currently unused.\n\t// TODO(another-rex): Use or wrap this\n\tStatsCollector stats.Collector\n\n\tHTTPClient *http.Client\n\n\t// Report deprecated packages as findings\n\tFlagDeprecatedPackages bool\n\n\t// Allows specifying user agent\n\tRequestUserAgent string\n}\n\ntype TransitiveScanningActions struct {\n\tDisabled bool\n\tNativeDataSource bool\n\tMavenRegistry string\n}\n\ntype ExternalAccessors struct {\n\t// Matchers\n\tVulnMatcher clientinterfaces.VulnerabilityMatcher\n\tLicenseMatcher clientinterfaces.LicenseMatcher\n\n\t// Required for vendored Extractor\n\tOSVDevClient *osvdev.OSVClient\n}\n\n// ErrNoPackagesFound for when no packages are found during a scan.\nvar ErrNoPackagesFound = errors.New(\"no packages found in scan\")\n\n// ErrVulnerabilitiesFound includes vulnerabilities, license violations, and package deprecation,\n// however, will not be raised if only uncalled vulnerabilities are found.\nvar ErrVulnerabilitiesFound = errors.New(\"vulnerabilities found\")\n\n// ErrAPIFailed describes errors related to querying API endpoints.\n// TODO(v2): Actually use this error\nvar ErrAPIFailed = errors.New(\"API query failed\")\n\nfunc initializeExternalAccessors(actions ScannerActions) (ExternalAccessors, error) {\n\texternalAccessors := ExternalAccessors{}\n\tvar err error\n\n\tuserAgent := \"osv-scanner-api\"\n\tif actions.RequestUserAgent != \"\" {\n\t\tuserAgent = actions.RequestUserAgent\n\t}\n\n\t// Offline Mode\n\t// ------------\n\tif actions.CompareOffline {\n\t\t// --- Vulnerability Matcher ---\n\t\texternalAccessors.VulnMatcher, err =\n\t\t\tlocalmatcher.NewLocalMatcher(actions.LocalDBPath,\n\t\t\t\tuserAgent, actions.DownloadDatabases)\n\t\tif err != nil {\n\t\t\treturn ExternalAccessors{}, err\n\t\t}\n\n\t\treturn externalAccessors, nil\n\t}\n\n\t// Online Mode\n\t// -----------\n\t// --- Vulnerability Matcher ---\n\texternalAccessors.VulnMatcher = osvmatcher.New(5*time.Minute, userAgent, actions.HTTPClient)\n\n\t// --- License Matcher ---\n\tif len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {\n\t\tdepsDevAPIClient, err := datasource.NewCachedInsightsClient(depsdev.DepsdevAPI, userAgent)\n\t\tif err != nil {\n\t\t\treturn ExternalAccessors{}, err\n\t\t}\n\n\t\texternalAccessors.LicenseMatcher = &licensematcher.DepsDevLicenseMatcher{\n\t\t\tClient: depsDevAPIClient,\n\t\t}\n\t}\n\n\t// --- OSV.dev Client ---\n\t// We create a separate client from VulnMatcher to keep things clean.\n\texternalAccessors.OSVDevClient = osvdev.DefaultClient()\n\texternalAccessors.OSVDevClient.Config.UserAgent = userAgent\n\n\treturn externalAccessors, nil\n}\n\n// DoScan performs the osv scanner action, with optional reporter to output information\nfunc DoScan(actions ScannerActions) (models.VulnerabilityResults, error) {\n\t// --- Sanity check flags ----\n\t// TODO(v2): Move the logic of the offline flag changing other flags into here from the main.go/scan.go\n\tif actions.CompareOffline {\n\t\tif actions.ScanLicensesSummary {\n\t\t\treturn models.VulnerabilityResults{}, errors.New(\"cannot retrieve licenses locally\")\n\t\t}\n\t}\n\n\tif !actions.CompareOffline && actions.DownloadDatabases {\n\t\treturn models.VulnerabilityResults{}, errors.New(\"databases can only be downloaded when running in offline mode\")\n\t}\n\n\tscanResult := results.ScanResults{\n\t\tConfigManager: config.Manager{\n\t\t\tDefaultConfig: config.Config{},\n\t\t\tConfigMap: make(map[string]config.Config),\n\t\t},\n\t}\n\n\t// --- Setup Config ---\n\tif actions.ConfigOverridePath != \"\" {\n\t\terr := scanResult.ConfigManager.UseOverride(actions.ConfigOverridePath)\n\t\tif err != nil {\n\t\t\tcmdlogger.Errorf(\"Failed to read config file: %s\", err)\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\t// --- Setup Accessors/Clients ---\n\taccessors, err := initializeExternalAccessors(actions)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to initialize accessors: %w\", err)\n\t}\n\n\t// ----- Perform Scanning -----\n\tpackagesAndFindings, err := scan(accessors, actions)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, err\n\t}\n\n\tscanResult.PackageScanResults = packagesAndFindings.Packages\n\tscanResult.Inventory = *packagesAndFindings\n\n\t// ----- Filtering -----\n\tunscannablePackages := filterUnscannablePackages(&scanResult, actions)\n\tfilterIgnoredPackages(&scanResult)\n\n\t// ----- Custom Overrides -----\n\toverrideGoVersion(&scanResult)\n\n\t// --- Make Vulnerability Requests ---\n\tif accessors.VulnMatcher != nil {\n\t\terr = makeVulnRequestWithMatcher(&scanResult, accessors.VulnMatcher)\n\t\tif err != nil {\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\t// --- Make License Requests ---\n\tif accessors.LicenseMatcher != nil {\n\t\terr = accessors.LicenseMatcher.MatchLicenses(context.Background(), scanResult.PackageScanResults)\n\t\tif err != nil {\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\tif len(unscannablePackages) > 0 {\n\t\tscanResult.PackageScanResults = slices.Concat(scanResult.PackageScanResults, unscannablePackages)\n\t}\n\n\treturn finalizeScanResult(scanResult, actions)\n}\n\nfunc DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error) {\n\tscanResult := results.ScanResults{\n\t\tConfigManager: config.Manager{\n\t\t\tDefaultConfig: config.Config{},\n\t\t\tConfigMap: make(map[string]config.Config),\n\t\t},\n\t}\n\n\tif actions.ConfigOverridePath != \"\" {\n\t\terr := scanResult.ConfigManager.UseOverride(actions.ConfigOverridePath)\n\t\tif err != nil {\n\t\t\tcmdlogger.Errorf(\"Failed to read config file: %s\", err)\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\t// --- Setup Accessors/Clients ---\n\taccessors, err := initializeExternalAccessors(actions)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to initialize accessors: %w\", err)\n\t}\n\n\tplugins := getPlugins(\n\t\t[]string{\"artifact\"},\n\t\taccessors,\n\t\tactions,\n\t)\n\n\t// technically having one detector enabled would also be sufficient, but we're\n\t// not mentioning them to avoid confusion since they're still in their infancy\n\tif countNotEnrichers(plugins) == 0 {\n\t\treturn models.VulnerabilityResults{}, errors.New(\"at least one extractor must be enabled\")\n\t}\n\n\t// --- Initialize Image To Scan ---'\n\n\t// TODO: Setup context at the start of the run\n\tctx := context.TODO()\n\n\tvar img *image.Image\n\tif actions.IsImageArchive {\n\t\tcmdlogger.Infof(\"Scanning local image tarball %q\", actions.Image)\n\t\timg, err = image.FromTarball(actions.Image, image.DefaultConfig())\n\t} else if actions.Image != \"\" {\n\t\tpath, exportErr := imagehelpers.ExportDockerImage(ctx, actions.Image)\n\t\tif exportErr != nil {\n\t\t\treturn models.VulnerabilityResults{}, exportErr\n\t\t}\n\t\tdefer os.Remove(path)\n\n\t\timg, err = image.FromTarball(path, image.DefaultConfig())\n\t\tcmdlogger.Infof(\"Scanning image %q\", actions.Image)\n\t}\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, err\n\t}\n\n\tdefer func() {\n\t\terr := img.CleanUp()\n\t\tif err != nil {\n\t\t\tcmdlogger.Errorf(\"Failed to clean up image: %s\", err)\n\t\t}\n\t}()\n\n\tcapabilities := &plugin.Capabilities{\n\t\tDirectFS: true,\n\t\tRunningSystem: false,\n\t\tNetwork: plugin.NetworkOnline,\n\t\tOS: plugin.OSLinux,\n\t\tAllowUnsafePlugins: true,\n\t}\n\n\tif actions.CompareOffline {\n\t\tcapabilities.Network = plugin.NetworkOffline\n\t}\n\n\tplugins = plugin.FilterByCapabilities(plugins, capabilities)\n\tlogUnsafePlugins(plugins)\n\n\t// --- Do Scalibr Scan ---\n\tscanner := scalibr.New()\n\tscalibrSR, err := scanner.ScanContainer(context.Background(), img, &scalibr.ScanConfig{\n\t\tPlugins: plugins,\n\t\tCapabilities: capabilities,\n\t\tStoreAbsolutePath: true,\n\t\tExplicitPlugins: true,\n\t})\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to scan container image: %w\", err)\n\t}\n\n\tif inventoryIsEmpty(scalibrSR.Inventory) {\n\t\treturn models.VulnerabilityResults{}, ErrNoPackagesFound\n\t}\n\n\t// --- Save Scalibr Scan Results ---\n\tscanResult.PackageScanResults = make([]*extractor.Package, len(scalibrSR.Inventory.Packages))\n\tfor i, pkgs := range scalibrSR.Inventory.Packages {\n\t\tscanResult.PackageScanResults[i] = pkgs\n\t\tscanResult.PackageScanResults[i].ExploitabilitySignals = pkgs.ExploitabilitySignals\n\t}\n\n\t// --- Fill Image Metadata ---\n\tpssr, err := proto.ScanResultToProto(scalibrSR)\n\tif err != nil {\n\t\treturn models.VulnerabilityResults{}, fmt.Errorf(\"failed to serialize scan results to proto: %w\", err)\n\t}\n\n\tif len(pssr.GetInventory().GetContainerImageMetadata()) > 0 {\n\t\tscanResult.ImageMetadata = pssr.GetInventory().GetContainerImageMetadata()[0]\n\t} else {\n\t\tcmdlogger.Warnf(\"No container image metadata found in scan results\")\n\t}\n\n\tscanResult.Inventory = scalibrSR.Inventory\n\n\t// ----- Filtering -----\n\tunscannablePackages := filterUnscannablePackages(&scanResult, actions)\n\tfilterIgnoredPackages(&scanResult)\n\n\tfilterNonContainerRelevantPackages(&scanResult)\n\n\t// --- Make Vulnerability Requests ---\n\tif accessors.VulnMatcher != nil {\n\t\terr = makeVulnRequestWithMatcher(&scanResult, accessors.VulnMatcher)\n\t\tif err != nil {\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\t// --- Make License Requests ---\n\tif accessors.LicenseMatcher != nil {\n\t\terr = accessors.LicenseMatcher.MatchLicenses(context.Background(), scanResult.PackageScanResults)\n\t\tif err != nil {\n\t\t\treturn models.VulnerabilityResults{}, err\n\t\t}\n\t}\n\n\tif len(unscannablePackages) > 0 {\n\t\tscanResult.PackageScanResults = slices.Concat(scanResult.PackageScanResults, unscannablePackages)\n\t}\n\n\treturn finalizeScanResult(scanResult, actions)\n}\n\nfunc finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) (models.VulnerabilityResults, error) {\n\tvulnerabilityResults := buildVulnerabilityResults(actions, &scanResult)\n\n\tif actions.ScanLicensesSummary {\n\t\tvulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)\n\t}\n\n\tfiltered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)\n\tif filtered > 0 {\n\t\tcmdlogger.Infof(\n\t\t\t\"Filtered %d %s from output\",\n\t\t\tfiltered,\n\t\t\toutput.Form(filtered, \"vulnerability\", \"vulnerabilities\"),\n\t\t)\n\t}\n\n\tif unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 {\n\t\tconfigFiles := slices.Collect(maps.Keys(unusedIgnoredEntries))\n\t\tslices.Sort(configFiles)\n\n\t\tfor _, configFile := range configFiles {\n\t\t\tcmdlogger.Warnf(\"%s has unused ignores:\", configFile)\n\n\t\t\tfor _, iv := range unusedIgnoredEntries[configFile] {\n\t\t\t\tcmdlogger.Warnf(\" - %s\", iv.ID)\n\t\t\t}\n\t\t}\n\t}\n\n\treturn vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)\n}\n\nfunc buildLicenseSummary(scanResult *results.ScanResults) []models.LicenseCount {\n\tvar licenseSummary []models.LicenseCount\n\n\tcounts := make(map[string]int)\n\tfor _, pkg := range scanResult.PackageScanResults {\n\t\tfor _, l := range pkg.Licenses {\n\t\t\tcounts[l] += 1\n\t\t}\n\t}\n\n\tif len(counts) == 0 {\n\t\t// No packages found.\n\t\treturn []models.LicenseCount{}\n\t}\n\n\tlicenses := slices.AppendSeq(make([]string, 0, len(counts)), maps.Keys(counts))\n\n\t// Sort the license count in descending count order with the UNKNOWN\n\t// license last.\n\tsort.Slice(licenses, func(i, j int) bool {\n\t\tif licenses[i] == \"UNKNOWN\" {\n\t\t\treturn false\n\t\t}\n\t\tif licenses[j] == \"UNKNOWN\" {\n\t\t\treturn true\n\t\t}\n\t\tif counts[licenses[i]] == counts[licenses[j]] {\n\t\t\treturn licenses[i] < licenses[j]\n\t\t}\n\n\t\treturn counts[licenses[i]] > counts[licenses[j]]\n\t})\n\n\tlicenseSummary = make([]models.LicenseCount, len(licenses))\n\tfor i, license := range licenses {\n\t\tlicenseSummary[i].Name = models.License(license)\n\t\tlicenseSummary[i].Count = counts[license]\n\t}\n\n\treturn licenseSummary\n}\n\n// determineReturnErr determines whether we found a \"vulnerability\" or not,\n// and therefore whether we should return a ErrVulnerabilityFound error.\nfunc determineReturnErr(vulnResults models.VulnerabilityResults, showAllVulns bool) error {\n\tif len(vulnResults.Results) > 0 {\n\t\tvar vuln bool\n\t\tonlyUnimportantVuln := true\n\t\tvar licenseViolation bool\n\t\tdeprecated := false\n\t\tfor _, vf := range vulnResults.Flatten() {\n\t\t\tif vf.Vulnerability != nil && vf.Vulnerability.GetId() != \"\" {\n\t\t\t\tvuln = true\n\t\t\t\t// TODO(gongh): rewrite the logic once we support reachability analysis for container scanning.\n\t\t\t\tif vf.GroupInfo.IsCalled() && !vf.GroupInfo.IsGroupUnimportant() {\n\t\t\t\t\tonlyUnimportantVuln = false\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(vf.LicenseViolations) > 0 {\n\t\t\t\tlicenseViolation = true\n\t\t\t}\n\t\t\tif vf.Deprecated {\n\t\t\t\tdeprecated = true\n\t\t\t}\n\t\t}\n\n\t\tif !vuln && !licenseViolation && !deprecated {\n\t\t\treturn nil\n\t\t}\n\n\t\tonlyUnimportantVuln = onlyUnimportantVuln && vuln && !licenseViolation && !deprecated\n\n\t\t// If the user didn't enable showing all vulns and we only found unimportant ones,\n\t\t// we should return without error.\n\t\tif !showAllVulns && onlyUnimportantVuln {\n\t\t\t// There is no error.\n\t\t\treturn nil\n\t\t}\n\n\t\treturn ErrVulnerabilitiesFound\n\t}\n\n\treturn nil\n}\n\n// TODO(V2): Add context\nfunc makeVulnRequestWithMatcher(\n\tscanResults *results.ScanResults,\n\tmatcher clientinterfaces.VulnerabilityMatcher,\n) error {\n\tres, err := matcher.MatchVulnerabilities(context.Background(), scanResults.PackageScanResults)\n\tif err != nil {\n\t\tcmdlogger.Errorf(\"error when retrieving vulns: %v\", err)\n\t\tif res == nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\tfor i, vulns := range res {\n\t\tfor _, vuln := range vulns {\n\t\t\tscanResults.Inventory.PackageVulns = append(scanResults.Inventory.PackageVulns, &inventory.PackageVuln{\n\t\t\t\tVulnerability: vuln,\n\t\t\t\tPackage: scanResults.PackageScanResults[i],\n\t\t\t})\n\t\t}\n\t}\n\n\treturn nil\n}\n\n// Overrides Go version using osv-scanner.toml\nfunc overrideGoVersion(scanResults *results.ScanResults) {\n\tfor i, pkg := range scanResults.PackageScanResults {\n\t\tif imodels.Name(pkg) == \"stdlib\" && imodels.Ecosystem(pkg).Ecosystem == osvconstants.EcosystemGo {\n\t\t\tconfigToUse := scanResults.ConfigManager.Get(imodels.Location(pkg))\n\t\t\tif configToUse.GoVersionOverride != \"\" {\n\t\t\t\tscanResults.PackageScanResults[i].Version = configToUse.GoVersionOverride\n\t\t\t}\n\n\t\t\tcontinue\n\t\t}\n\t}\n}\n\n// SetLogger sets the global slog handler for the cmdlogger.\nfunc SetLogger(handler slog.Handler) {\n\tbaseHandler := cmdlogger.NewOverride(handler)\n\tlogger := slog.New(baseHandler)\n\tcmdlogger.GlobalLogger = logger\n\tscalibrlog.SetLogger(&cmdlogger.ScalibrAdapter{Logger: logger})\n}\n\n// inventoryIsEmpty ignores image metadata when checking if an inventory is empty\nfunc inventoryIsEmpty(i inventory.Inventory) bool {\n\tif len(i.Packages) != 0 {\n\t\treturn false\n\t}\n\tif len(i.PackageVulns) != 0 {\n\t\treturn false\n\t}\n\tif len(i.GenericFindings) != 0 {\n\t\treturn false\n\t}\n\tif len(i.Secrets) != 0 {\n\t\treturn false\n\t}\n\n\treturn true\n}\n" }, { "path": "pkg/osvscanner/osvscanner_test.go", "content": "package osvscanner_test\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"log/slog\"\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner\"\n)\n\n// TestDoScan_LogHandlerOverride tests that the SetLogger override works correctly\n//\n//nolint:paralleltest // No parallel test since slog.SetDefault sets global behavior\nfunc TestDoScan_LogHandlerOverride(t *testing.T) {\n\t// Restore default slog behavior at the ned of the test\n\tdefaultHandler := slog.Default()\n\tdefer func() {\n\t\tslog.SetDefault(defaultHandler)\n\t}()\n\n\tactions := osvscanner.ScannerActions{\n\t\tDirectoryPaths: []string{\"../../cmd/osv-scanner/testdata/locks-many/Gemfile.lock\"},\n\t}\n\n\toutput := bytes.NewBuffer(nil)\n\tslog.SetDefault(slog.New(slog.NewTextHandler(output, nil)))\n\n\t_, _ = osvscanner.DoScan(actions)\n\n\t// Test that normally logging is output correctly to the default slog handler.\n\tif output.Len() == 0 {\n\t\tt.Errorf(\"output.Len() = %d, want %d\", output.Len(), 0)\n\t}\n\n\t// Clear output buffer for next run\n\toutput.Truncate(0)\n\n\t// Test if output is overridden\n\taltOutput := bytes.NewBuffer(nil)\n\tosvscanner.SetLogger(slog.NewTextHandler(altOutput, nil))\n\n\t_, _ = osvscanner.DoScan(actions)\n\n\t// Normal slog output should be empty.\n\tif output.Len() != 0 {\n\t\tt.Errorf(\"output.Len() = %d, want %d\", output.Len(), 0)\n\t\tt.Errorf(\"Got: %s\", output.String())\n\t}\n\n\t// altOutput should contain data now instead.\n\tif altOutput.Len() == 0 {\n\t\tt.Errorf(\"altOutput.Len() = %d, want %d\", altOutput.Len(), 0)\n\t}\n}\n\nfunc TestDoScan(t *testing.T) {\n\tt.Parallel()\n\n\ttype args struct {\n\t\tactions osvscanner.ScannerActions\n\t}\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t\twant models.VulnerabilityResults\n\t\twantErr error\n\t}{\n\t\t{\n\t\t\tname: \"Test_curl_git_scanning\",\n\t\t\targs: args{\n\t\t\t\tactions: osvscanner.ScannerActions{\n\t\t\t\t\tGitCommits: []string{\"33dffa3909a67e1b5d22647128ab7eb6e53fd0c7\"},\n\t\t\t\t},\n\t\t\t},\n\t\t\twant: models.VulnerabilityResults{},\n\t\t\twantErr: osvscanner.ErrVulnerabilitiesFound,\n\t\t},\n\t\t// TODO: Add test cases.\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\tgot, err := osvscanner.DoScan(tt.args.actions)\n\t\t\tif !errors.Is(err, tt.wantErr) {\n\t\t\t\tt.Errorf(\"DoScan() error = %v, wantErr %v\", err, tt.wantErr)\n\t\t\t\treturn\n\t\t\t}\n\n\t\t\tsnap := testutility.NewSnapshot()\n\t\t\tsnap.MatchJSON(t, got)\n\t\t})\n\t}\n}\n" }, { "path": "pkg/osvscanner/scan.go", "content": "package osvscanner\n\nimport (\n\t\"context\"\n\t\"errors\"\n\t\"fmt\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"runtime\"\n\t\"slices\"\n\t\"strings\"\n\n\tscalibr \"github.com/google/osv-scalibr\"\n\tcpb \"github.com/google/osv-scalibr/binary/proto/config_go_proto\"\n\t\"github.com/google/osv-scalibr/enricher\"\n\t\"github.com/google/osv-scalibr/enricher/packagedeprecation\"\n\t\"github.com/google/osv-scalibr/enricher/reachability/java\"\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/simplefileapi\"\n\t\"github.com/google/osv-scalibr/fs\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/plugin\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/filesystem/vendored\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitcommitdirect\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrextract/vcs/gitrepo\"\n\t\"github.com/google/osv-scanner/v2/internal/scalibrplugin\"\n\t\"github.com/google/osv-scanner/v2/internal/testlogger\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/scanners\"\n)\n\nvar ErrExtractorNotFound = errors.New(\"could not determine extractor suitable to this file\")\n\nfunc logUnsafePlugins(plugins []plugin.Plugin) {\n\tfor _, plug := range plugins {\n\t\tif plug.Requirements() != nil && plug.Requirements().AllowUnsafePlugins {\n\t\t\tcmdlogger.Warnf(\"Warning: plugin %s can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.\", plug.Name())\n\t\t}\n\t}\n}\n\nfunc configurePlugins(plugins []plugin.Plugin, accessors ExternalAccessors, actions ScannerActions) {\n\tfor _, plug := range plugins {\n\t\tvendored.Configure(plug, vendored.Config{\n\t\t\t// Only attempt to vendor check git directories if we are not skipping scanning root git directories\n\t\t\tScanGitDir: !actions.IncludeGitRoot,\n\t\t\tOSVClient: accessors.OSVDevClient,\n\t\t})\n\t}\n}\n\nfunc getPlugins(defaultPlugins []string, accessors ExternalAccessors, actions ScannerActions) []plugin.Plugin {\n\tcfg := &cpb.PluginConfig{\n\t\tUserAgent: actions.RequestUserAgent,\n\t\tPluginSpecific: []*cpb.PluginSpecificConfig{\n\t\t\t{\n\t\t\t\tConfig: &cpb.PluginSpecificConfig_PomXmlNet{\n\t\t\t\t\tPomXmlNet: &cpb.POMXMLNetConfig{\n\t\t\t\t\t\tUpstreamRegistry: actions.TransitiveScanning.MavenRegistry,\n\t\t\t\t\t\tDepsDevRequirements: !actions.TransitiveScanning.NativeDataSource,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t{\n\t\t\t\tConfig: &cpb.PluginSpecificConfig_PythonRequirementsTransitive{\n\t\t\t\t\tPythonRequirementsTransitive: &cpb.PythonRequirementsTransitiveConfig{\n\t\t\t\t\t\tDepsDevRequirements: !actions.TransitiveScanning.NativeDataSource,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\n\tif !actions.PluginsNoDefaults {\n\t\tactions.PluginsEnabled = append(actions.PluginsEnabled, defaultPlugins...)\n\t}\n\n\tif !actions.TransitiveScanning.Disabled {\n\t\tactions.PluginsEnabled = append(actions.PluginsEnabled, \"transitive\")\n\t}\n\n\tif !actions.IncludeGitRoot {\n\t\tactions.PluginsDisabled = append(actions.PluginsDisabled, gitrepo.Name)\n\t}\n\n\tif accessors.OSVDevClient == nil {\n\t\tactions.PluginsDisabled = append(actions.PluginsDisabled, vendored.Name)\n\t}\n\n\tif actions.CallAnalysisStates[\"jar\"] {\n\t\tactions.PluginsEnabled = append(actions.PluginsEnabled, java.Name)\n\t}\n\n\tif actions.FlagDeprecatedPackages {\n\t\tactions.PluginsEnabled = append(actions.PluginsEnabled, packagedeprecation.Name)\n\t}\n\n\tplugins := scalibrplugin.Resolve(actions.PluginsEnabled, actions.PluginsDisabled, cfg)\n\n\tconfigurePlugins(plugins, accessors, actions)\n\n\treturn plugins\n}\n\n// countNotEnrichers counts the number of plugins that are not enricher.Enricher plugins\nfunc countNotEnrichers(plugins []plugin.Plugin) int {\n\tcount := 0\n\tfor _, plug := range plugins {\n\t\t_, ok := plug.(enricher.Enricher)\n\t\tif !ok {\n\t\t\tcount++\n\t\t}\n\t}\n\n\treturn count\n}\n\n// scan essentially converts ScannerActions into imodels.ScanResult by performing the extractions\nfunc scan(accessors ExternalAccessors, actions ScannerActions) (*inventory.Inventory, error) {\n\tvar inv inventory.Inventory\n\n\tplugins := getPlugins(\n\t\t[]string{\"lockfile\", \"sbom\", \"directory\"},\n\t\taccessors,\n\t\tactions,\n\t)\n\n\t// technically having one detector enabled would also be sufficient, but we're\n\t// not mentioning them to avoid confusion since they're still in their infancy\n\tif countNotEnrichers(plugins) == 0 {\n\t\treturn nil, errors.New(\"at least one extractor must be enabled\")\n\t}\n\n\tscanner := scalibr.New()\n\n\t// Build list of paths for each root\n\t// On linux this would return a map with just one entry of /\n\trootMap := map[string][]string{}\n\n\t// Also build a map of specific plugin overrides that the user specify\n\t// map[path]parseAs\n\toverrideMap := map[string]filesystem.Extractor{}\n\t// List of specific paths the user passes in so that we can check that they all get processed.\n\tspecificPaths := make([]string, 0, len(actions.LockfilePaths)+len(actions.SBOMPaths))\n\n\tstatsCollector := fileOpenedPrinter{\n\t\tfilesExtracted: make(map[string]struct{}),\n\t}\n\n\t// --- Directories ---\n\tfor _, path := range actions.DirectoryPaths {\n\t\tcmdlogger.Infof(\"Scanning dir %s\", path)\n\t\tif _, err := pathToRootMap(rootMap, path, actions.Recursive); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t}\n\n\t// --- Lockfiles ---\n\tfor _, lockfileElem := range actions.LockfilePaths {\n\t\tparseAs, path := scanners.ParseLockfilePath(lockfileElem)\n\t\tabsPath, err := pathToRootMap(rootMap, path, actions.Recursive)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tspecificPaths = append(specificPaths, absPath)\n\n\t\tif parseAs != \"\" {\n\t\t\tplug, err := scanners.ParseAsToPlugin(parseAs, plugins)\n\t\t\tif err != nil {\n\t\t\t\treturn nil, err\n\t\t\t}\n\t\t\toverrideMap[absPath] = plug\n\t\t}\n\t}\n\n\t// --- SBOMs (Deprecated) ---\n\t// none of the SBOM extractors need configuring\n\tsbomExtractors := scalibrplugin.Resolve([]string{\"sbom\"}, []string{}, &cpb.PluginConfig{})\n\nSBOMLoop:\n\tfor _, sbomPath := range actions.SBOMPaths {\n\t\tabsPath, err := pathToRootMap(rootMap, sbomPath, actions.Recursive)\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\t\tspecificPaths = append(specificPaths, absPath)\n\n\t\tfor _, se := range sbomExtractors {\n\t\t\t// All sbom extractors are filesystem extractors\n\t\t\tsbomExtractor := se.(filesystem.Extractor)\n\t\t\tif sbomExtractor.FileRequired(simplefileapi.New(absPath, nil)) {\n\t\t\t\toverrideMap[absPath] = sbomExtractor\n\t\t\t\tcontinue SBOMLoop\n\t\t\t}\n\t\t}\n\t\tcmdlogger.Errorf(\"Failed to parse SBOM %q: Invalid SBOM filename.\", sbomPath)\n\t\tcmdlogger.Errorf(\"If you believe this is a valid SBOM, make sure the filename follows format per your SBOMs specification.\")\n\n\t\treturn nil, fmt.Errorf(\"invalid SBOM filename: %s\", sbomPath)\n\t}\n\n\t// --- Add git commits directly ---\n\tgitDirectPlugin := gitcommitdirect.New(actions.GitCommits)\n\n\tif len(rootMap) == 0 && len(actions.GitCommits) > 0 {\n\t\t// Even if there's no actual paths, if we have git commits, still do the scan\n\t\trootMap = map[string][]string{\n\t\t\t\"/\": {},\n\t\t}\n\t}\n\n\ttestlogger.BeginDirScanMarker()\n\tosCapability := determineOS()\n\n\t// Parse exclude patterns (supports exact names, glob, and regex)\n\texcludePatterns, err := parseExcludePatterns(actions.ExcludePatterns)\n\tif err != nil {\n\t\treturn nil, fmt.Errorf(\"failed to parse exclude patterns: %w\", err)\n\t}\n\n\tcapabilities := plugin.Capabilities{\n\t\tDirectFS: true,\n\t\tRunningSystem: true,\n\t\tNetwork: plugin.NetworkOnline,\n\t\tOS: osCapability,\n\t\tAllowUnsafePlugins: true,\n\t}\n\n\tif actions.CompareOffline {\n\t\tcapabilities.Network = plugin.NetworkOffline\n\t}\n\n\tfilteredPlugins := append(plugin.FilterByCapabilities(plugins, &capabilities), gitDirectPlugin)\n\tlogUnsafePlugins(filteredPlugins)\n\n\t// For each root, run scalibr's scan() once.\n\tfor root, paths := range rootMap {\n\t\tsr := scanner.Scan(context.Background(), &scalibr.ScanConfig{\n\t\t\tPlugins: filteredPlugins,\n\t\t\tCapabilities: &capabilities,\n\t\t\tScanRoots: fs.RealFSScanRoots(root),\n\t\t\tPathsToExtract: paths,\n\t\t\tIgnoreSubDirs: !actions.Recursive,\n\t\t\tDirsToSkip: excludePatterns.dirsToSkip,\n\t\t\tSkipDirRegex: excludePatterns.regexPattern,\n\t\t\tSkipDirGlob: excludePatterns.globPattern,\n\t\t\tUseGitignore: !actions.NoIgnore,\n\t\t\tStats: &statsCollector,\n\t\t\tReadSymlinks: false,\n\t\t\tMaxInodes: 0,\n\t\t\tStoreAbsolutePath: true,\n\t\t\tPrintDurationAnalysis: false,\n\t\t\tErrorOnFSErrors: false,\n\t\t\tExplicitPlugins: true,\n\t\t\tExtractorOverride: func(api filesystem.FileAPI) []filesystem.Extractor {\n\t\t\t\text, ok := overrideMap[filepath.Join(root, filepath.FromSlash(api.Path()))]\n\t\t\t\tif ok {\n\t\t\t\t\treturn []filesystem.Extractor{ext}\n\t\t\t\t}\n\n\t\t\t\treturn []filesystem.Extractor{}\n\t\t\t},\n\t\t})\n\n\t\t// --- Check status of the run ---\n\t\tif sr.Status.Status == plugin.ScanStatusFailed {\n\t\t\treturn nil, errors.New(sr.Status.FailureReason)\n\t\t}\n\n\t\tfor _, status := range sr.PluginStatus {\n\t\t\tif status.Status.Status != plugin.ScanStatusSucceeded {\n\t\t\t\tbuilder := strings.Builder{}\n\t\t\t\tcriticalError := false\n\t\t\t\tfor _, fileError := range status.Status.FileErrors {\n\t\t\t\t\tif len(status.Status.FileErrors) > 1 {\n\t\t\t\t\t\t// If there is more than 1 file error, write them on new lines\n\t\t\t\t\t\tbuilder.WriteString(\"\\n\\t\")\n\t\t\t\t\t}\n\t\t\t\t\tfmt.Fprintf(&builder, \"%s: %s\", fileError.FilePath, fileError.ErrorMessage)\n\n\t\t\t\t\t// Check if the erroring file was a path specifically passed in (not a result of a file walk)\n\t\t\t\t\tif slices.Contains(specificPaths, filepath.Join(root, fileError.FilePath)) {\n\t\t\t\t\t\tcriticalError = true\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tmsg := status.Status.FailureReason\n\n\t\t\t\tif len(status.Status.FileErrors) > 0 {\n\t\t\t\t\tmsg = builder.String()\n\t\t\t\t}\n\n\t\t\t\tcmdlogger.Errorf(\"Error during extraction: (extracting as %s) %s\", status.Name, msg)\n\t\t\t\tif criticalError {\n\t\t\t\t\treturn nil, errors.New(\"extraction failed on specified lockfile\")\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tslices.SortFunc(sr.Inventory.Packages, inventorySort)\n\t\tinvsCompact := slices.CompactFunc(sr.Inventory.Packages, func(a, b *extractor.Package) bool {\n\t\t\treturn inventorySort(a, b) == 0\n\t\t})\n\t\tsr.Inventory.Packages = invsCompact\n\n\t\tinv.GenericFindings = append(inv.GenericFindings, sr.Inventory.GenericFindings...)\n\t\tinv.Packages = append(inv.Packages, sr.Inventory.Packages...)\n\t}\n\n\ttestlogger.EndDirScanMarker()\n\n\t// Check if specific paths have been extracted.\n\t// This allows us to error if a specific file provided by the user failed to extract, and return an error for them.\n\tfor _, path := range specificPaths {\n\t\tif _, ok := statsCollector.filesExtracted[path]; !ok {\n\t\t\treturn nil, fmt.Errorf(\"%w: %q\", ErrExtractorNotFound, path)\n\t\t}\n\t}\n\n\tif len(inv.Packages) == 0 {\n\t\treturn nil, ErrNoPackagesFound\n\t}\n\n\treturn &inv, nil\n}\n\n// pathToRootMap saves the absolute path into the root map, and returns the absolute path.\n// path is only saved if it does not fall under an existing path.\n// IMPORTANT: it does not remove existing paths already added to the rootMap, so add directories before specific files.\nfunc pathToRootMap(rootMap map[string][]string, path string, recursive bool) (string, error) {\n\tabsPath, err := filepath.Abs(path)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\n\tfi, err := os.Stat(absPath)\n\tif err != nil {\n\t\treturn \"\", fmt.Errorf(\"failed to resolve path: %w\", err)\n\t}\n\n\troot := getRootDir(absPath)\n\t// If path is a directory and we are not recursively scanning, then always add it as a target.\n\tif fi.IsDir() && !recursive {\n\t\trootMap[root] = append(rootMap[root], absPath)\n\t\treturn absPath, nil\n\t}\n\n\t// Otherwise, only add if it's not a descendent of an existing path\n\tfor _, existing := range rootMap[root] {\n\t\tif isDescendent(existing, absPath, recursive) {\n\t\t\treturn absPath, nil\n\t\t}\n\t}\n\trootMap[root] = append(rootMap[root], absPath)\n\n\treturn absPath, nil\n}\n\n// isDescendent returns whether `path` is either a descendent or a direct child of `potentialParent`\n// recursive = true: checks for descendents\n// recursive = false: checks for direct children\nfunc isDescendent(potentialParent, path string, recursive bool) bool {\n\trel, err := filepath.Rel(potentialParent, path)\n\tif err != nil {\n\t\t// This should never happen\n\t\treturn false\n\t}\n\n\tif rel == \".\" {\n\t\t// Same as an existing path, skip\n\t\treturn true\n\t}\n\n\tif strings.HasPrefix(rel, \"..\") {\n\t\treturn false\n\t}\n\n\tdepths := len(strings.Split(rel, string(filepath.Separator)))\n\tif recursive {\n\t\t// Descendant of existing dir, and we are recursively scanning, so skip\n\t\treturn true\n\t}\n\n\tif depths == 1 {\n\t\t// Direct child of existing dir, skip\n\t\treturn true\n\t}\n\n\treturn false\n}\n\n// getRootDir returns the root directory on each system.\n// On Unix systems, it'll be /\n// On Windows, it will most likely be the drive (e.g. C:\\)\nfunc getRootDir(path string) string {\n\tif runtime.GOOS == \"windows\" {\n\t\treturn filepath.VolumeName(path) + \"\\\\\"\n\t}\n\n\tif strings.HasPrefix(path, \"/\") {\n\t\treturn \"/\"\n\t}\n\n\treturn \"\"\n}\n\nfunc determineOS() plugin.OS {\n\tswitch runtime.GOOS {\n\tcase \"windows\":\n\t\treturn plugin.OSWindows\n\tcase \"darwin\":\n\t\treturn plugin.OSMac\n\tcase \"linux\":\n\t\treturn plugin.OSLinux\n\tdefault:\n\t\tcmdlogger.Warnf(\"Unknown OS \\\"%s\\\" - results might be inaccurate\", runtime.GOOS)\n\n\t\treturn plugin.OSAny\n\t}\n}\n" }, { "path": "pkg/osvscanner/scan_test.go", "content": "package osvscanner\n\nimport (\n\t\"path/filepath\"\n\t\"testing\"\n)\n\nfunc Test_isDescendent(t *testing.T) {\n\tt.Parallel()\n\n\ttests := []struct {\n\t\tname string\n\t\tpotentialParent string\n\t\tpath string\n\t\trecursive bool\n\t\twant bool\n\t}{\n\t\t{\n\t\t\tname: \"same_path\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/b\",\n\t\t\trecursive: true,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"direct_child,_recursive\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/b/c\",\n\t\t\trecursive: true,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"direct_child,_non-recursive\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/b/c\",\n\t\t\trecursive: false,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"grandchild,_recursive\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/b/c/d\",\n\t\t\trecursive: true,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"grandchild,_non-recursive\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/b/c/d\",\n\t\t\trecursive: false,\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"not_a_descendent\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/a/c\",\n\t\t\trecursive: true,\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"different_root\",\n\t\t\tpotentialParent: \"/a/b\",\n\t\t\tpath: \"/x/y\",\n\t\t\trecursive: true,\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"relative_path,_direct_child,_recursive\",\n\t\t\tpotentialParent: \"a/b\",\n\t\t\tpath: \"a/b/c\",\n\t\t\trecursive: true,\n\t\t\twant: true,\n\t\t},\n\t\t{\n\t\t\tname: \"relative_path,_grandchild,_non-recursive\",\n\t\t\tpotentialParent: \"a/b\",\n\t\t\tpath: \"a/b/c/d\",\n\t\t\trecursive: false,\n\t\t\twant: false,\n\t\t},\n\t\t{\n\t\t\tname: \"relative_path,_not_a_descendent\",\n\t\t\tpotentialParent: \"a/b\",\n\t\t\tpath: \"a/c\",\n\t\t\trecursive: true,\n\t\t\twant: false,\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\t// Normalize paths for the current OS\n\t\t\tpotentialParent := filepath.FromSlash(tt.potentialParent)\n\t\t\tpath := filepath.FromSlash(tt.path)\n\t\t\tif got := isDescendent(potentialParent, path, tt.recursive); got != tt.want {\n\t\t\t\tt.Errorf(\"isDescendent(%q, %q, %v) = %v, want %v\", tt.potentialParent, tt.path, tt.recursive, got, tt.want)\n\t\t\t}\n\t\t})\n\t}\n}\n" }, { "path": "pkg/osvscanner/stats.go", "content": "package osvscanner\n\nimport (\n\t\"path/filepath\"\n\n\t\"github.com/google/osv-scalibr/stats\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n)\n\ntype fileOpenedPrinter struct {\n\tstats.NoopCollector\n\n\tfilesExtracted map[string]struct{}\n}\n\nvar _ stats.Collector = &fileOpenedPrinter{}\n\nfunc (c *fileOpenedPrinter) AfterExtractorRun(_ string, extractorstats *stats.AfterExtractorStats) {\n\tif c.filesExtracted == nil {\n\t\tc.filesExtracted = make(map[string]struct{})\n\t}\n\n\tsystemPath := filepath.Join(extractorstats.Root, filepath.FromSlash(extractorstats.Path))\n\tc.filesExtracted[systemPath] = struct{}{}\n\tif extractorstats.Error != nil { // Don't log scanned if error occurred\n\t\treturn\n\t}\n\n\tpkgsFound := len(extractorstats.Inventory.Packages)\n\n\tcmdlogger.Infof(\n\t\t\"Scanned %s file and found %d %s\",\n\t\tsystemPath,\n\t\tpkgsFound,\n\t\toutput.Form(pkgsFound, \"package\", \"packages\"),\n\t)\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/.gitignore", "content": "out.json" }, { "path": "pkg/osvscanner/testdata/filter/all/configs/a/osv-scanner.toml", "content": "# An entry for every vulnerability (including aliases)\n\n[[IgnoredVulns]]\nid = \"GHSA-mc8h-8q98-g5hr\"\nreason = \"Ignore 1\"\n# Alias of RUSTSEC-2023-0018\n\n[[IgnoredVulns]]\nid = \"RUSTSEC-2023-0018\"\nreason = \"Redundant Ignore 1\"\n# Redundant ignore statement - Alias of GHSA-mc8h-8q98-g5hr\n\n[[IgnoredVulns]]\nid = \"GHSA-wcg3-cvx6-7396\"\nreason = \"Ignore 2\"\n# Alias of RUSTSEC-2020-0071\n\n[[IgnoredVulns]]\nid = \"RUSTSEC-2020-0071\"\nreason = \"Redundant Ignore 2\"\n# Redundant ignore statement - Alias of GHSA-wcg3-cvx6-7396\n" }, { "path": "pkg/osvscanner/testdata/filter/all/configs/b/osv-scanner.toml", "content": "# One entry for each vulnerability group\n\n[[IgnoredVulns]]\nid = \"GHSA-fxg5-wq6x-vr4w\"\nreason = \"Ignore 1\"\n# Alias of GO-2023-1495\n\n[[IgnoredVulns]]\nid = \"GO-2022-1144\"\nreason = \"Ignore 2\"\n# Alias of GHSA-xrjj-mj9h-534m\n\n[[IgnoredVulns]]\nid = \"CVE-2022-41723\"\nreason = \"Ignore 3\"\n# Alias of GHSA-vvpx-j8f3-3w6h and GO-2023-1571\n" }, { "path": "pkg/osvscanner/testdata/filter/all/configs/c/osv-scanner.toml", "content": "# One entry for each vulnerability group\n\n[[IgnoredVulns]]\nid = \"GHSA-mc8h-8q98-g5hr\"\nreason = \"Ignore 1\"\n# Alias of RUSTSEC-2023-0018\n\n[[IgnoredVulns]]\nid = \"RUSTSEC-2020-0071\"\nreason = \"Ignore 2\"\n# Alias of GHSA-wcg3-cvx6-7396\n\n[[IgnoredVulns]]\nid = \"RUSTSEC-2023-0015\"\nreason = \"Ignore 3\"\n# No aliases\n\n[[IgnoredVulns]]\nid = \"GHSA-mrrw-grhq-86gf\"\nreason = \"Ignore 4\"\n# No aliases\n" }, { "path": "pkg/osvscanner/testdata/filter/all/input.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/all/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/all/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-fxg5-wq6x-vr4w\",\n \"modified\": \"2023-01-24T18:56:46Z\",\n \"published\": \"2023-01-14T00:30:23Z\",\n \"aliases\": [\n \"CVE-2022-41721\"\n ],\n \"summary\": \"golang.org/x/net/http2/h2c vulnerable to request smuggling attack\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net/http2/h2c\",\n \"purl\": \"pkg:golang/golang.org/x/net/http2/h2c\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41721\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://cs.opensource.google/go/x/net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/447396\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T22:40:06Z\",\n \"nvd_published_at\": \"2023-01-13T23:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1495\",\n \"modified\": \"2023-01-31T21:39:17Z\",\n \"published\": \"2023-01-13T22:39:40Z\",\n \"aliases\": [\n \"CVE-2022-41721\",\n \"GHSA-fxg5-wq6x-vr4w\"\n ],\n \"summary\": \"\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler.\\n\\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1495.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2/h2c\",\n \"symbols\": [\n \"h2cHandler.ServeHTTP\",\n \"h2cUpgrade\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/447396\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2023-01-31T21:39:15Z\",\n \"published\": \"2022-12-08T19:01:21Z\",\n \"aliases\": [\n \"CVE-2022-41717\",\n \"GHSA-xrjj-mj9h-534m\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\\n\\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.18.9\"\n },\n {\n \"introduced\": \"1.19.0\"\n },\n {\n \"fixed\": \"1.19.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\",\n \"symbols\": [\n \"ListenAndServe\",\n \"ListenAndServeTLS\",\n \"Serve\",\n \"ServeTLS\",\n \"Server.ListenAndServe\",\n \"Server.ListenAndServeTLS\",\n \"Server.Serve\",\n \"Server.ServeTLS\",\n \"http2Server.ServeConn\",\n \"http2serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\",\n \"symbols\": [\n \"Server.ServeConn\",\n \"serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56350\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455717\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"summary\": \"\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"aliases\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ]\n },\n {\n \"ids\": [\n \"GO-2022-1144\"\n ],\n \"aliases\": [\n \"GO-2022-1144\"\n ]\n },\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\",\n \"CVE-2022-41723\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/all/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"aliases\": null,\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0015\",\n \"modified\": \"2023-02-25T15:13:09Z\",\n \"published\": \"2023-02-25T12:00:00Z\",\n \"aliases\": null,\n \"summary\": \"Ascii allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.1-0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/ascii\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ]\n },\n {\n \"ids\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"aliases\": [\n \"RUSTSEC-2023-0015\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/all/want.json", "content": "{\n \"results\": [],\n \"experimental_config\": {\n \"call_analysis\": {\n \"enabled\": false\n },\n \"licenses\": {\n \"enabled\": false,\n \"allowlist\": null\n }\n }\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/none/configs/a/no_config", "content": "" }, { "path": "pkg/osvscanner/testdata/filter/none/configs/b/osv-scanner.toml", "content": "# An empty config file\n" }, { "path": "pkg/osvscanner/testdata/filter/none/configs/c/osv-scanner.toml", "content": "# These vulnerabilities do not appear in this 'source'\n\n[[IgnoredVulns]]\nid = \"GHSA-fxg5-wq6x-vr4w\"\nreason = \"Ignore 1\"\n\n[[IgnoredVulns]]\nid = \"GO-2022-1144\"\nreason = \"Ignore 2\"\n\n[[IgnoredVulns]]\nid = \"GO-2023-1571\"\nreason = \"Ignore 3\"\n" }, { "path": "pkg/osvscanner/testdata/filter/none/input.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-fxg5-wq6x-vr4w\",\n \"modified\": \"2023-01-24T18:56:46Z\",\n \"published\": \"2023-01-14T00:30:23Z\",\n \"aliases\": [\n \"CVE-2022-41721\"\n ],\n \"summary\": \"golang.org/x/net/http2/h2c vulnerable to request smuggling attack\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net/http2/h2c\",\n \"purl\": \"pkg:golang/golang.org/x/net/http2/h2c\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41721\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://cs.opensource.google/go/x/net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/447396\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T22:40:06Z\",\n \"nvd_published_at\": \"2023-01-13T23:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1495\",\n \"modified\": \"2023-01-31T21:39:17Z\",\n \"published\": \"2023-01-13T22:39:40Z\",\n \"aliases\": [\n \"CVE-2022-41721\",\n \"GHSA-fxg5-wq6x-vr4w\"\n ],\n \"summary\": \"\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler.\\n\\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1495.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2/h2c\",\n \"symbols\": [\n \"h2cHandler.ServeHTTP\",\n \"h2cUpgrade\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/447396\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2023-01-31T21:39:15Z\",\n \"published\": \"2022-12-08T19:01:21Z\",\n \"aliases\": [\n \"CVE-2022-41717\",\n \"GHSA-xrjj-mj9h-534m\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\\n\\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.18.9\"\n },\n {\n \"introduced\": \"1.19.0\"\n },\n {\n \"fixed\": \"1.19.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\",\n \"symbols\": [\n \"ListenAndServe\",\n \"ListenAndServeTLS\",\n \"Serve\",\n \"ServeTLS\",\n \"Server.ListenAndServe\",\n \"Server.ListenAndServeTLS\",\n \"Server.Serve\",\n \"Server.ServeTLS\",\n \"http2Server.ServeConn\",\n \"http2serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\",\n \"symbols\": [\n \"Server.ServeConn\",\n \"serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56350\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455717\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"summary\": \"\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"aliases\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ]\n },\n {\n \"ids\": [\n \"GO-2022-1144\"\n ],\n \"aliases\": [\n \"GO-2022-1144\"\n ]\n },\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"aliases\": null,\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0015\",\n \"modified\": \"2023-02-25T15:13:09Z\",\n \"published\": \"2023-02-25T12:00:00Z\",\n \"aliases\": null,\n \"summary\": \"Ascii allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.1-0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/ascii\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ]\n },\n {\n \"ids\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"aliases\": [\n \"RUSTSEC-2023-0015\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/none/want.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-01-24T18:56:46Z\",\n \"published\": \"2023-01-14T00:30:23Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-fxg5-wq6x-vr4w\",\n \"aliases\": [\n \"CVE-2022-41721\"\n ],\n \"summary\": \"golang.org/x/net/http2/h2c vulnerable to request smuggling attack\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net/http2/h2c\",\n \"purl\": \"pkg:golang/golang.org/x/net/http2/h2c\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41721\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://cs.opensource.google/go/x/net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/447396\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T22:40:06Z\",\n \"nvd_published_at\": \"2023-01-13T23:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-01-31T21:39:17Z\",\n \"published\": \"2023-01-13T22:39:40Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1495\",\n \"aliases\": [\n \"CVE-2022-41721\",\n \"GHSA-fxg5-wq6x-vr4w\"\n ],\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler.\\n\\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1495.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2/h2c\",\n \"symbols\": [\n \"h2cHandler.ServeHTTP\",\n \"h2cUpgrade\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/447396\"\n }\n ]\n },\n {\n \"modified\": \"2023-01-31T21:39:15Z\",\n \"published\": \"2022-12-08T19:01:21Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2022-1144\",\n \"aliases\": [\n \"CVE-2022-41717\",\n \"GHSA-xrjj-mj9h-534m\"\n ],\n \"details\": \"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\\n\\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.18.9\"\n },\n {\n \"introduced\": \"1.19.0\"\n },\n {\n \"fixed\": \"1.19.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\",\n \"symbols\": [\n \"ListenAndServe\",\n \"ListenAndServeTLS\",\n \"Serve\",\n \"ServeTLS\",\n \"Server.ListenAndServe\",\n \"Server.ListenAndServeTLS\",\n \"Server.Serve\",\n \"Server.ServeTLS\",\n \"http2Server.ServeConn\",\n \"http2serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\",\n \"symbols\": [\n \"Server.ServeConn\",\n \"serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56350\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455717\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\"\n }\n ]\n },\n {\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1571\",\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"aliases\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ]\n },\n {\n \"ids\": [\n \"GO-2022-1144\"\n ],\n \"aliases\": [\n \"GO-2022-1144\"\n ]\n },\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/none/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"modified\": \"2023-02-25T15:13:09Z\",\n \"published\": \"2023-02-25T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0015\",\n \"summary\": \"Ascii allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.1-0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/ascii\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ]\n },\n {\n \"ids\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"aliases\": [\n \"RUSTSEC-2023-0015\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"call_analysis\": {\n \"enabled\": false\n },\n \"licenses\": {\n \"enabled\": false,\n \"allowlist\": null\n }\n }\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/some/configs/a/osv-scanner.toml", "content": "# Every vulnerability in this source is ignored. Should not show up at all after filtering.\n\n[[IgnoredVulns]]\nid = \"GHSA-mc8h-8q98-g5hr\"\nreason = \"Ignore 1\"\n# Alias of RUSTSEC-2023-0018\n\n[[IgnoredVulns]]\nid = \"RUSTSEC-2020-0071\"\nreason = \"Ignore 2\"\n# Alias of GHSA-wcg3-cvx6-7396\n" }, { "path": "pkg/osvscanner/testdata/filter/some/configs/b/osv-scanner.toml", "content": "# golang.org/x/net is the only vulnerable package, but has multiple unique vulnerabilities.\n# Ignore some vulnerabilities while keeping others. Package should remain in filtered output.\n\n[[IgnoredVulns]]\nid = \"GHSA-fxg5-wq6x-vr4w\"\nreason = \"Ignore 1\"\n# Alias of GO-2023-1495\n\n[[IgnoredVulns]]\nid = \"GO-2022-1144\"\nreason = \"Ignore 2\"\n# No aliases\n\n# GHSA-vvpx-j8f3-3w6h (and alias GO-2023-1571) should remain unfiltered.\n" }, { "path": "pkg/osvscanner/testdata/filter/some/configs/c/osv-scanner.toml", "content": "# Ignore all vulnerabilities from one package (remove_dir_all), one from one package (ascii), none from other (time).\n# remove_dir_all should be removed from filtered output, other two packages should remain with filtered vulns.\n\n# remove_dir_all:\n[[IgnoredVulns]]\nid = \"GHSA-mc8h-8q98-g5hr\"\nreason = \"Ignore 1\"\n# Alias of RUSTSEC-2023-0018\n\n# ascii:\n[[IgnoredVulns]]\nid = \"RUSTSEC-2023-0015\"\nreason = \"Ignore 2\"\n# No Aliases\n\n# Remaining packages/vulns:\n# ascii - GHSA-mrrw-grhq-86gf (no aliases)\n# time - GHSA-wcg3-cvx6-7396 (& alias RUSTSEC-2020-0071)\n" }, { "path": "pkg/osvscanner/testdata/filter/some/input.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"unixodbc\",\n \"version\": \"2.3.11-2\",\n \"ecosystem\": \"Debian:10\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2024-1013\",\n \"details\": \"An out-of-bounds stack write flaw was found in unixODBC on 64-bit architectures where the caller has 4 bytes and callee writes 8 bytes. This issue may go unnoticed on little-endian architectures, while big-endian architectures can be broken.\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"unixodbc\",\n \"ecosystem\": \"Debian:10\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"urgency\": \"unimportant\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2260823\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://access.redhat.com/security/cve/CVE-2024-1013\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/lurcher/unixODBC/pull/157\"\n }\n ],\n \"modified\": \"2024-03-18T12:38:25Z\",\n \"published\": \"2024-03-18T11:15:09Z\"\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2024-1013\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"chromium\",\n \"version\": \"73.0.3683.75-1\",\n \"ecosystem\": \"Debian:10\"\n },\n \"vulnerabilities\": [\n {\n \"id\": \"CVE-2024-3847\",\n \"details\": \"Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)\",\n \"affected\": [\n {\n \"package\": {\n \"name\": \"chromium\",\n \"ecosystem\": \"Debian:10\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n }\n },\n {\n \"package\": {\n \"name\": \"chromium\",\n \"ecosystem\": \"Debian:11\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.chromium.org/issues/328690293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/\"\n }\n ],\n \"modified\": \"2024-05-03T03:16:29Z\",\n \"published\": \"2024-04-17T08:15:10Z\"\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2024-3847\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-fxg5-wq6x-vr4w\",\n \"modified\": \"2023-01-24T18:56:46Z\",\n \"published\": \"2023-01-14T00:30:23Z\",\n \"aliases\": [\n \"CVE-2022-41721\"\n ],\n \"summary\": \"golang.org/x/net/http2/h2c vulnerable to request smuggling attack\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net/http2/h2c\",\n \"purl\": \"pkg:golang/golang.org/x/net/http2/h2c\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fxg5-wq6x-vr4w/GHSA-fxg5-wq6x-vr4w.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41721\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://cs.opensource.google/go/x/net\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/447396\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-444\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-01-20T22:40:06Z\",\n \"nvd_published_at\": \"2023-01-13T23:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1495\",\n \"modified\": \"2023-01-31T21:39:17Z\",\n \"published\": \"2023-01-13T22:39:40Z\",\n \"aliases\": [\n \"CVE-2022-41721\",\n \"GHSA-fxg5-wq6x-vr4w\"\n ],\n \"summary\": \"\",\n \"details\": \"A request smuggling attack is possible when using MaxBytesHandler.\\n\\nWhen using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-20220524220425-1d687d428aca\"\n },\n {\n \"fixed\": \"0.1.1-0.20221104162952-702349b0e862\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1495.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1495\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2/h2c\",\n \"symbols\": [\n \"h2cHandler.ServeHTTP\",\n \"h2cUpgrade\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56352\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/447396\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2022-1144\",\n \"modified\": \"2023-01-31T21:39:15Z\",\n \"published\": \"2022-12-08T19:01:21Z\",\n \"aliases\": [\n \"CVE-2022-41717\",\n \"GHSA-xrjj-mj9h-534m\"\n ],\n \"summary\": \"\",\n \"details\": \"An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests.\\n\\nHTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.18.9\"\n },\n {\n \"introduced\": \"1.19.0\"\n },\n {\n \"fixed\": \"1.19.4\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\",\n \"symbols\": [\n \"ListenAndServe\",\n \"ListenAndServeTLS\",\n \"Serve\",\n \"ServeTLS\",\n \"Server.ListenAndServe\",\n \"Server.ListenAndServeTLS\",\n \"Server.Serve\",\n \"Server.ServeTLS\",\n \"http2Server.ServeConn\",\n \"http2serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.4.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2022-1144.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2022-1144\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\",\n \"symbols\": [\n \"Server.ServeConn\",\n \"serverConn.canonicalHeader\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/56350\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455717\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/455635\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ\"\n }\n ]\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n },\n \"ecosystem_specific\": {\n \"urgency\": \"unimportant\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1571\",\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"summary\": \"\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ],\n \"urgency\": \"low\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ],\n \"aliases\": [\n \"GHSA-fxg5-wq6x-vr4w\",\n \"GO-2023-1495\"\n ]\n },\n {\n \"ids\": [\n \"GO-2022-1144\"\n ],\n \"aliases\": [\n \"GO-2022-1144\"\n ]\n },\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"aliases\": null,\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0015\",\n \"modified\": \"2023-02-25T15:13:09Z\",\n \"published\": \"2023-02-25T12:00:00Z\",\n \"aliases\": null,\n \"summary\": \"Ascii allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.1-0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"memory-corruption\"\n ],\n \"cvss\": null,\n \"informational\": \"unsound\",\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0015.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/ascii\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ]\n },\n {\n \"ids\": [\n \"RUSTSEC-2023-0015\"\n ],\n \"aliases\": [\n \"RUSTSEC-2023-0015\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"remove_dir_all\",\n \"version\": \"0.5.3\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mc8h-8q98-g5hr\",\n \"modified\": \"2023-02-24T16:23:59Z\",\n \"published\": \"2023-02-24T16:23:59Z\",\n \"aliases\": null,\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU) Race Condition in remove_dir_all\",\n \"details\": \"The `remove_dir_all` crate is a Rust library that offers additional features over the Rust standard library `fs::remove_dir_all` function. It suffers the same class of failure as the code it was layering over: TOCTOU race conditions, with the ability to cause arbitrary paths to be deleted by substituting a symlink for a path after the type of the path was checked.\\n\\nThanks to the Rust security team for identifying the problem and alerting us to it.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mc8h-8q98-g5hr/GHSA-mc8h-8q98-g5hr.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/security/advisories/GHSA-mc8h-8q98-g5hr\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-366\",\n \"CWE-367\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-24T16:23:59Z\",\n \"nvd_published_at\": null,\n \"severity\": \"LOW\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2023-0018\",\n \"modified\": \"2023-03-04T21:50:30Z\",\n \"published\": \"2023-02-24T12:00:00Z\",\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\"\n ],\n \"summary\": \"Race Condition Enabling Link Following and Time-of-check Time-of-use (TOCTOU)\",\n \"details\": \"The remove_dir_all crate is a Rust library that offers additional features over the Rust\\nstandard library fs::remove_dir_all function.\\n\\nIt was possible to trick a privileged process doing a recursive delete in an\\nattacker controlled directory into deleting privileged files, on all operating systems.\\n\\nFor instance, consider deleting a tree called 'etc' in a parent directory\\ncalled 'p'. Between calling `remove_dir_all(\\\"a\\\")` and remove_dir_all(\\\"a\\\")\\nactually starting its work, the attacker can move 'p' to 'p-prime', and\\nreplace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'\\nwhich is actually /etc, and now your system is broken. There are some\\nmitigations for this exact scenario, such as CWD relative file lookup, but\\nthey are not guaranteed - any code using absolute paths will not have that\\nprotection in place.\\n\\nThe same attack could be performed at any point in the directory tree being\\ndeleted: if 'a' contains a child directory called 'etc', attacking the\\ndeletion by replacing 'a' with a link is possible.\\n\\nThe new code in this release mitigates the attack within the directory tree\\nbeing deleted by using file-handle relative operations: to open 'a/etc', the\\npath 'etc' relative to 'a' is opened, where 'a' is represented by a file\\ndescriptor (Unix) or handle (Windows). With the exception of the entry points\\ninto the directory deletion logic, this is robust against manipulation of the\\ndirectory hierarchy, and remove_dir_all will only delete files and directories\\ncontained in the tree it is deleting.\\n\\nThe entry path however is a challenge - as described above, there are some\\npotential mitigations, but since using them must be done by the calling code,\\nit is hard to be confident about the security properties of the path based\\ninterface.\\n\\nThe new extension trait `RemoveDir` provides an interface where it is much\\nharder to get it wrong.\\n\\n`somedir.remove_dir_contents(\\\"name-of-child\\\")`.\\n\\nCallers can then make their own security evaluation about how to securely get\\na directory handle. That is still not particularly obvious, and we're going to\\nfollow up with a helper of some sort (probably in the `fs_at` crate). Once\\nthat is available, the path based entry points will get deprecated.\\n\\nIn the interim, processes that might run with elevated privileges should\\nfigure out how to securely identify the directory they are going to delete, to\\navoid the initial race. Pragmatically, other processes should be fine with the\\npath based entry points : this is the same interface `std::fs::remove_dir_all`\\noffers, and an unprivileged process running in an attacker controlled\\ndirectory can't do anything that the attacker can't already do.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"remove_dir_all\",\n \"purl\": \"pkg:cargo/remove_dir_all\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.8.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [],\n \"cvss\": null,\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2023-0018.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"remove_dir_all::ensure_empty_dir\",\n \"remove_dir_all::remove_dir_all\",\n \"remove_dir_all::remove_dir_contents\"\n ],\n \"os\": []\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/remove_dir_all\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0018.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://github.com/advisories/GHSA-mc8h-8q98-g5hr\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ],\n \"aliases\": [\n \"GHSA-mc8h-8q98-g5hr\",\n \"RUSTSEC-2023-0018\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n }\n ]\n}\n" }, { "path": "pkg/osvscanner/testdata/filter/some/want.json", "content": "{\n \"results\": [\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/a/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"chromium\",\n \"version\": \"73.0.3683.75-1\",\n \"ecosystem\": \"Debian:10\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2024-05-03T03:16:29Z\",\n \"published\": \"2024-04-17T08:15:10Z\",\n \"id\": \"CVE-2024-3847\",\n \"details\": \"Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Debian:10\",\n \"name\": \"chromium\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Debian:11\",\n \"name\": \"chromium\"\n },\n \"ranges\": [\n {\n \"type\": \"ECOSYSTEM\",\n \"events\": [\n {\n \"introduced\": \"0\"\n }\n ]\n }\n ],\n \"ecosystem_specific\": {\n \"urgency\": \"low\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ARTICLE\",\n \"url\": \"https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://issues.chromium.org/issues/328690293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWIVXXSVO5VB3NAZVFJ7CWVBN6W2735T/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IDLUD644WEWGOFKMZWC2K7Z4CQOKQYR7/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M4PCXKCOVBUUU6GOSN46DCPI4HMER3PJ/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PCWPUBGTBNT4EW32YNZMRIPB3Y4R6XL6/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UOC3HLIZCGMIJLJ6LME5UWUUIFLXEGRN/\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WEP5NJUWMDRLDQUKU4LFDUHF5PCYAPIO/\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"CVE-2024-3847\"\n ],\n \"aliases\": null,\n \"max_severity\": \"\"\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/b/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"golang.org/x/net\",\n \"version\": \"0.1.0\",\n \"ecosystem\": \"Go\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-03-09T21:20:44Z\",\n \"published\": \"2023-02-17T14:00:02Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-vvpx-j8f3-3w6h\",\n \"aliases\": [\n \"CVE-2022-41723\"\n ],\n \"summary\": \"Uncontrolled Resource Consumption\",\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-vvpx-j8f3-3w6h/GHSA-vvpx-j8f3-3w6h.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2022-41723\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://vuln.go.dev/ID/GO-2023-1571.json\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-400\"\n ],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-17T14:00:02Z\",\n \"nvd_published_at\": \"2023-02-28T18:15:00Z\",\n \"severity\": \"HIGH\"\n }\n },\n {\n \"modified\": \"2023-02-22T20:13:12Z\",\n \"published\": \"2023-02-16T22:31:36Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GO-2023-1571\",\n \"aliases\": [\n \"CVE-2022-41723\",\n \"GHSA-vvpx-j8f3-3w6h\"\n ],\n \"details\": \"A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"stdlib\",\n \"purl\": \"pkg:golang/stdlib\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"1.19.6\"\n },\n {\n \"introduced\": \"1.20.0\"\n },\n {\n \"fixed\": \"1.20.1\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"net/http\"\n }\n ],\n \"urgency\": \"low\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"Go\",\n \"name\": \"golang.org/x/net\",\n \"purl\": \"pkg:golang/golang.org/x/net\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0\"\n },\n {\n \"fixed\": \"0.7.0\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://vuln.go.dev/ID/GO-2023-1571.json\",\n \"url\": \"https://pkg.go.dev/vuln/GO-2023-1571\"\n },\n \"ecosystem_specific\": {\n \"imports\": [\n {\n \"path\": \"golang.org/x/net/http2\"\n },\n {\n \"path\": \"golang.org/x/net/http2/hpack\",\n \"symbols\": [\n \"Decoder.DecodeFull\",\n \"Decoder.Write\",\n \"Decoder.parseFieldLiteral\",\n \"Decoder.readString\"\n ]\n }\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"REPORT\",\n \"url\": \"https://go.dev/issue/57855\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468135\"\n },\n {\n \"type\": \"FIX\",\n \"url\": \"https://go.dev/cl/468295\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ],\n \"aliases\": [\n \"GHSA-vvpx-j8f3-3w6h\",\n \"GO-2023-1571\"\n ]\n }\n ]\n }\n ]\n },\n {\n \"source\": {\n \"path\": \"testdata/filter/some/configs/c/\",\n \"type\": \"lockfile\"\n },\n \"packages\": [\n {\n \"package\": {\n \"name\": \"ascii\",\n \"version\": \"0.8.7\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2023-02-28T20:30:10Z\",\n \"published\": \"2023-02-28T20:30:10Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-mrrw-grhq-86gf\",\n \"summary\": \"Ascii (crate) allows out-of-bounds array indexing in safe code\",\n \"details\": \"Affected version of this crate had implementation of `From\\u003c\\u0026mut AsciiStr\\u003e` for `\\u0026mut [u8]` and `\\u0026mut str`. This can result in out-of-bounds array indexing in safe code.\\n\\nThe flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.\\n\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"ascii\",\n \"purl\": \"pkg:cargo/ascii\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.6.0\"\n },\n {\n \"fixed\": \"0.9.3\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-mrrw-grhq-86gf/GHSA-mrrw-grhq-86gf.json\"\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/issues/64\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/tomprogrammer/rust-ascii\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2023-0015.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [],\n \"github_reviewed\": true,\n \"github_reviewed_at\": \"2023-02-28T20:30:10Z\",\n \"nvd_published_at\": null,\n \"severity\": \"MODERATE\"\n }\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-mrrw-grhq-86gf\"\n ],\n \"aliases\": [\n \"GHSA-mrrw-grhq-86gf\"\n ]\n }\n ]\n },\n {\n \"package\": {\n \"name\": \"time\",\n \"version\": \"0.1.45\",\n \"ecosystem\": \"crates.io\"\n },\n \"vulnerabilities\": [\n {\n \"modified\": \"2022-12-06T00:16:25Z\",\n \"published\": \"2021-08-25T20:56:46Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"GHSA-wcg3-cvx6-7396\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Segmentation fault in time\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nIn some versions of `time`, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods. In later versions, `time` will attempt to determine the number of threads running in the process. If the process is single-threaded, the call will proceed as its safety invariant is upheld.\\n\\nUsers and library authors with time in their dependency tree must perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and must upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nLibrary authors must ensure that the program only has one running thread at the time of calling any affected method. Binary authors may do the same and/or ensure that no other thread is actively mutating the environment.\\n\\n### References\\n\\n[time-rs/time#293](https://github.com/time-rs/time/issues/293).\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.1\"\n },\n {\n \"last_affected\": \"0.2\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n }\n },\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.2.7\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"source\": \"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-wcg3-cvx6-7396/GHSA-wcg3-cvx6-7396.json\"\n },\n \"ecosystem_specific\": {\n \"affected_functions\": [\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\"\n ]\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/security/advisories/GHSA-wcg3-cvx6-7396\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://nvd.nist.gov/vuln/detail/CVE-2020-26235\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://crates.io/crates/time/0.2.23\"\n },\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://github.com/time-rs/time\"\n },\n {\n \"type\": \"WEB\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n }\n ],\n \"database_specific\": {\n \"cwe_ids\": [\n \"CWE-476\"\n ],\n \"github_reviewed\": true,\n \"severity\": \"MODERATE\"\n }\n },\n {\n \"modified\": \"2023-02-08T15:06:38Z\",\n \"published\": \"2020-11-18T12:00:00Z\",\n \"schema_version\": \"1.4.0\",\n \"id\": \"RUSTSEC-2020-0071\",\n \"aliases\": [\n \"CVE-2020-26235\"\n ],\n \"summary\": \"Potential segfault in the time crate\",\n \"details\": \"### Impact\\n\\nUnix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.\\n\\nThe affected functions from time 0.2.7 through 0.2.22 are:\\n\\n- `time::UtcOffset::local_offset_at`\\n- `time::UtcOffset::try_local_offset_at`\\n- `time::UtcOffset::current_local_offset`\\n- `time::UtcOffset::try_current_local_offset`\\n- `time::OffsetDateTime::now_local`\\n- `time::OffsetDateTime::try_now_local`\\n\\nThe affected functions in time 0.1 (all versions) are:\\n\\n- `at`\\n- `at_utc`\\n- `now`\\n\\nNon-Unix targets (including Windows and wasm) are unaffected.\\n\\n### Patches\\n\\nPending a proper fix, the internal method that determines the local offset has been modified to always return `None` on the affected operating systems. This has the effect of returning an `Err` on the `try_*` methods and `UTC` on the non-`try_*` methods.\\n\\nUsers and library authors with time in their dependency tree should perform `cargo update`, which will pull in the updated, unaffected code.\\n\\nUsers of time 0.1 do not have a patch and should upgrade to an unaffected version: time 0.2.23 or greater or the 0.3 series.\\n\\n### Workarounds\\n\\nA possible workaround for crates affected through the transitive dependency in `chrono`, is to avoid using the default `oldtime` feature dependency of the `chrono` crate by disabling its `default-features` and manually specifying the required features instead.\\n\\n#### Examples:\\n\\n`Cargo.toml`: \\n\\n```toml\\nchrono = { version = \\\"0.4\\\", default-features = false, features = [\\\"serde\\\"] }\\n```\\n\\n```toml\\nchrono = { version = \\\"0.4.22\\\", default-features = false, features = [\\\"clock\\\"] }\\n```\\n\\nCommandline: \\n\\n```bash\\ncargo add chrono --no-default-features -F clock\\n```\\n\\nSources: \\n - [chronotope/chrono#602 (comment)](https://github.com/chronotope/chrono/issues/602#issuecomment-1242149249) \\n - [vityafx/serde-aux#21](https://github.com/vityafx/serde-aux/issues/21)\",\n \"affected\": [\n {\n \"package\": {\n \"ecosystem\": \"crates.io\",\n \"name\": \"time\",\n \"purl\": \"pkg:cargo/time\"\n },\n \"ranges\": [\n {\n \"type\": \"SEMVER\",\n \"events\": [\n {\n \"introduced\": \"0.0.0-0\"\n },\n {\n \"fixed\": \"0.2.0\"\n },\n {\n \"introduced\": \"0.2.1-0\"\n },\n {\n \"fixed\": \"0.2.1\"\n },\n {\n \"introduced\": \"0.2.2-0\"\n },\n {\n \"fixed\": \"0.2.2\"\n },\n {\n \"introduced\": \"0.2.3-0\"\n },\n {\n \"fixed\": \"0.2.3\"\n },\n {\n \"introduced\": \"0.2.4-0\"\n },\n {\n \"fixed\": \"0.2.4\"\n },\n {\n \"introduced\": \"0.2.5-0\"\n },\n {\n \"fixed\": \"0.2.5\"\n },\n {\n \"introduced\": \"0.2.6-0\"\n },\n {\n \"fixed\": \"0.2.6\"\n },\n {\n \"introduced\": \"0.2.7-0\"\n },\n {\n \"fixed\": \"0.2.23\"\n }\n ]\n }\n ],\n \"database_specific\": {\n \"categories\": [\n \"code-execution\",\n \"memory-corruption\"\n ],\n \"cvss\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\n \"informational\": null,\n \"source\": \"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0071.json\"\n },\n \"ecosystem_specific\": {\n \"affects\": {\n \"arch\": [],\n \"functions\": [\n \"time::OffsetDateTime::now_local\",\n \"time::OffsetDateTime::try_now_local\",\n \"time::UtcOffset::current_local_offset\",\n \"time::UtcOffset::local_offset_at\",\n \"time::UtcOffset::try_current_local_offset\",\n \"time::UtcOffset::try_local_offset_at\",\n \"time::at\",\n \"time::at_utc\",\n \"time::now\"\n ],\n \"os\": [\n \"linux\",\n \"redox\",\n \"solaris\",\n \"android\",\n \"ios\",\n \"macos\",\n \"netbsd\",\n \"openbsd\",\n \"freebsd\"\n ]\n }\n }\n }\n ],\n \"references\": [\n {\n \"type\": \"PACKAGE\",\n \"url\": \"https://crates.io/crates/time\"\n },\n {\n \"type\": \"ADVISORY\",\n \"url\": \"https://rustsec.org/advisories/RUSTSEC-2020-0071.html\"\n },\n {\n \"type\": \"REPORT\",\n \"url\": \"https://github.com/time-rs/time/issues/293\"\n }\n ]\n }\n ],\n \"groups\": [\n {\n \"ids\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ],\n \"aliases\": [\n \"GHSA-wcg3-cvx6-7396\",\n \"RUSTSEC-2020-0071\"\n ]\n }\n ]\n }\n ]\n }\n ],\n \"experimental_config\": {\n \"call_analysis\": {\n \"enabled\": false\n },\n \"licenses\": {\n \"enabled\": false,\n \"allowlist\": null\n }\n }\n}\n" }, { "path": "pkg/osvscanner/testmain_test.go", "content": "package osvscanner_test\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n)\n\nfunc TestMain(m *testing.M) {\n\tm.Run()\n\n\ttestutility.CleanSnapshots(m)\n}\n" }, { "path": "pkg/osvscanner/vulnerability_result.go", "content": "package osvscanner\n\nimport (\n\t\"path/filepath\"\n\t\"slices\"\n\t\"sort\"\n\t\"strings\"\n\n\t\"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx\"\n\tcdxmeta \"github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx/metadata\"\n\t\"github.com/google/osv-scalibr/inventory/vex\"\n\t\"github.com/google/osv-scanner/v2/internal/cmdlogger\"\n\t\"github.com/google/osv-scanner/v2/internal/grouper\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels/results\"\n\t\"github.com/google/osv-scanner/v2/internal/output\"\n\t\"github.com/google/osv-scanner/v2/internal/sourceanalysis\"\n\t\"github.com/google/osv-scanner/v2/internal/spdx\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/google/osv-scanner/v2/pkg/osvscanner/internal/imagehelpers\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvconstants\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// buildVulnerabilityResults takes the responses from the OSV API and the deps.dev API\n// and converts this into a VulnerabilityResults. As part is this, it groups\n// vulnerability information by source location.\n// TODO: This function is getting long, we should refactor it\nfunc buildVulnerabilityResults(\n\tactions ScannerActions,\n\tscanResults *results.ScanResults,\n) models.VulnerabilityResults {\n\tvulnResults := models.VulnerabilityResults{\n\t\tResults: []models.PackageSource{},\n\t\tImageMetadata: imagehelpers.BuildImageMetadata(scanResults),\n\t\tExperimentalGenericFindings: scanResults.Inventory.GenericFindings,\n\t}\n\n\ttype packageVulnsGroup struct {\n\t\tpvs []models.PackageVulns\n\t\tannotations []*vex.PackageExploitabilitySignal\n\t}\n\n\tgroupedBySource := map[models.SourceInfo]*packageVulnsGroup{}\n\n\tfor i, p := range scanResults.PackageScanResults {\n\t\tincludePackage := actions.ShowAllPackages\n\t\tvar pkg models.PackageVulns\n\n\t\tpkg.Package.Inventory = p\n\n\t\tif imodels.Commit(p) != \"\" {\n\t\t\tpkg.Package.Commit = imodels.Commit(p)\n\t\t\tpkg.Package.Name = imodels.Name(p)\n\t\t}\n\n\t\tpkg.Package.Name = imodels.Name(p)\n\t\tpkg.Package.Version = imodels.Version(p)\n\t\tpkg.Package.Ecosystem = imodels.Ecosystem(p).String()\n\t\tpkg.Package.OSPackageName = imodels.OSPackageName(p)\n\t\tpkg.Package.Deprecated = p.Deprecated\n\n\t\tif pkg.Package.Deprecated {\n\t\t\tincludePackage = true\n\t\t}\n\n\t\tif p.LayerMetadata != nil {\n\t\t\tpkg.Package.ImageOrigin = &models.ImageOriginDetails{\n\t\t\t\tIndex: p.LayerMetadata.Index,\n\t\t\t}\n\t\t}\n\t\tpkg.DepGroups = imodels.DepGroups(p)\n\t\tconfigToUse := scanResults.ConfigManager.Get(imodels.Location(p))\n\n\t\thaveCheckedIgnore := false\n\t\tfor _, vuln := range scanResults.Inventory.PackageVulns {\n\t\t\tif vuln.Package == p {\n\t\t\t\tif !haveCheckedIgnore {\n\t\t\t\t\tif configToUse.ShouldIgnorePackageVulnerabilities(p) {\n\t\t\t\t\t\tbreak\n\t\t\t\t\t}\n\n\t\t\t\t\thaveCheckedIgnore = true\n\t\t\t\t}\n\n\t\t\t\tincludePackage = true\n\t\t\t\tpkg.Vulnerabilities = append(pkg.Vulnerabilities, vuln.Vulnerability)\n\t\t\t}\n\t\t}\n\n\t\tpkg.Groups = grouper.Group(grouper.ConvertVulnerabilityToIDAliases(pkg.Vulnerabilities))\n\t\tfor i, group := range pkg.Groups {\n\t\t\tpkg.Groups[i].MaxSeverity = output.MaxSeverity(group, pkg)\n\t\t}\n\n\t\t// For Debian-based ecosystems, mark unimportant vulnerabilities within the package.\n\t\t// Debian ecosystems may be listed with a version number, such as \"Debian:10\".\n\t\tif strings.HasPrefix(pkg.Package.Ecosystem, string(osvconstants.EcosystemDebian)) ||\n\t\t\tstrings.HasPrefix(pkg.Package.Ecosystem, string(osvconstants.EcosystemUbuntu)) {\n\t\t\tsetUnimportant(&pkg)\n\t\t}\n\n\t\tif actions.CallAnalysisStates[\"jar\"] {\n\t\t\tsetUncalled(&pkg)\n\t\t}\n\n\t\tif actions.ScanLicensesSummary || len(actions.ScanLicensesAllowlist) > 0 {\n\t\t\tif override, entry := configToUse.ShouldOverridePackageLicense(p); override {\n\t\t\t\tif entry.License.Ignore {\n\t\t\t\t\tcmdlogger.Infof(\"ignoring license for package %s/%s/%s\", pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version)\n\t\t\t\t\tp.Licenses = []string{}\n\t\t\t\t} else {\n\t\t\t\t\tcmdlogger.Infof(\"overriding license for package %s/%s/%s with %s\", pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version, strings.Join(entry.License.Override, \",\"))\n\t\t\t\t\tp.Licenses = entry.License.Override\n\t\t\t\t}\n\t\t\t}\n\t\t\tif len(actions.ScanLicensesAllowlist) > 0 {\n\t\t\t\tpkg.Licenses = make([]models.License, len(p.Licenses))\n\t\t\t\tfor j, license := range p.Licenses {\n\t\t\t\t\tpkg.Licenses[j] = models.License(license)\n\t\t\t\t}\n\t\t\t\tfor _, license := range pkg.Licenses {\n\t\t\t\t\tsatisfies, err := spdx.Satisfies(license, actions.ScanLicensesAllowlist)\n\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tcmdlogger.Errorf(\"license %s for package %s/%s/%s is invalid: %s\", license, pkg.Package.Ecosystem, pkg.Package.Name, pkg.Package.Version, err)\n\t\t\t\t\t}\n\n\t\t\t\t\tif !satisfies {\n\t\t\t\t\t\tpkg.LicenseViolations = append(pkg.LicenseViolations, license)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tif len(pkg.LicenseViolations) > 0 {\n\t\t\t\t\tincludePackage = true\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif actions.ScanLicensesSummary {\n\t\t\t\tpkg.Licenses = make([]models.License, len(p.Licenses))\n\t\t\t\tfor j, license := range p.Licenses {\n\t\t\t\t\tpkg.Licenses[j] = models.License(license)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Make sure licenses are overridden in the scan results.\n\t\t\tscanResults.PackageScanResults[i] = p\n\t\t}\n\t\tif includePackage {\n\t\t\tsource := models.SourceInfo{\n\t\t\t\tPath: filepath.ToSlash(imodels.Location(p)),\n\t\t\t\tType: imodels.SourceType(p),\n\t\t\t}\n\n\t\t\tif slices.Contains(p.Plugins, cdx.Name) {\n\t\t\t\tlocations := p.Metadata.(*cdxmeta.Metadata).CDXLocations\n\t\t\t\tif len(locations) > 0 {\n\t\t\t\t\tsource.Path = source.Path + \":\" + locations[0]\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif groupedBySource[source] == nil {\n\t\t\t\tgroupedBySource[source] = &packageVulnsGroup{}\n\t\t\t}\n\n\t\t\tgroupedBySource[source].pvs = append(groupedBySource[source].pvs, pkg)\n\t\t\t// Overwrite annotations as it should be the same for the same package.\n\t\t\tgroupedBySource[source].annotations = p.ExploitabilitySignals\n\t\t}\n\t}\n\n\t// TODO(v2): Move source analysis out of here.\n\tfor source, packages := range groupedBySource {\n\t\tsourceanalysis.Run(source, packages.pvs, actions.CallAnalysisStates)\n\t\tvulnResults.Results = append(vulnResults.Results, models.PackageSource{\n\t\t\tSource: source,\n\t\t\tExperimentalPES: packages.annotations,\n\t\t\tPackages: packages.pvs,\n\t\t})\n\t}\n\n\tsort.Slice(vulnResults.Results, func(i, j int) bool {\n\t\tif vulnResults.Results[i].Source.Path == vulnResults.Results[j].Source.Path {\n\t\t\treturn vulnResults.Results[i].Source.Type < vulnResults.Results[j].Source.Type\n\t\t}\n\n\t\treturn vulnResults.Results[i].Source.Path < vulnResults.Results[j].Source.Path\n\t})\n\n\tif len(actions.ScanLicensesAllowlist) > 0 || actions.ScanLicensesSummary {\n\t\tvulnResults.ExperimentalAnalysisConfig.Licenses.Summary = actions.ScanLicensesSummary\n\t\tallowlist := make([]models.License, len(actions.ScanLicensesAllowlist))\n\t\tfor i, l := range actions.ScanLicensesAllowlist {\n\t\t\tallowlist[i] = models.License(l)\n\t\t}\n\t\tvulnResults.ExperimentalAnalysisConfig.Licenses.Allowlist = allowlist\n\t}\n\n\treturn vulnResults\n}\n\nfunc setUncalled(pv *models.PackageVulns) {\n\t// Use index to keep reference to original element in slice\n\tfor groupIdx := range pv.Groups {\n\t\tfor _, vulnID := range pv.Groups[groupIdx].IDs {\n\t\t\tanalysis := &pv.Groups[groupIdx].ExperimentalAnalysis\n\t\t\tif *analysis == nil {\n\t\t\t\t*analysis = make(map[string]models.AnalysisInfo)\n\t\t\t}\n\n\t\t\tisUncalled := false\n\n\t\t\tfor _, e := range pv.Package.Inventory.ExploitabilitySignals {\n\t\t\t\tif e.Justification == vex.VulnerableCodeNotInExecutePath {\n\t\t\t\t\tisUncalled = true\n\t\t\t\t\tbreak\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t(*analysis)[vulnID] = models.AnalysisInfo{\n\t\t\t\tCalled: !isUncalled,\n\t\t\t\tUnimportant: (*analysis)[vulnID].Unimportant,\n\t\t\t}\n\t\t}\n\t}\n}\n\n// setUnimportant marks vulnerabilities in a PackageVulns as unimportant\n// within their respective groups' experimental analysis.\nfunc setUnimportant(pkg *models.PackageVulns) {\n\tfor _, vuln := range pkg.Vulnerabilities {\n\t\tif !isUnimportant(vuln) {\n\t\t\tcontinue\n\t\t}\n\t\tfor i, group := range pkg.Groups {\n\t\t\tif slices.Contains(group.IDs, vuln.GetId()) {\n\t\t\t\tif group.ExperimentalAnalysis == nil {\n\t\t\t\t\tpkg.Groups[i].ExperimentalAnalysis = make(map[string]models.AnalysisInfo)\n\t\t\t\t}\n\t\t\t\t// Set unimportant vulns as uncalled\n\t\t\t\tpkg.Groups[i].ExperimentalAnalysis[vuln.GetId()] = models.AnalysisInfo{\n\t\t\t\t\tUnimportant: true,\n\t\t\t\t\t// TODO(gongh@): Currently, call analysis is not supported for Linux distribution vulnerabilities.\n\t\t\t\t\t// Except explicitly set Called as true to not be counted as uncalled vulnerabilities.\n\t\t\t\t\t// Update this behavior when call analysis for Linux distributions is implemented.\n\t\t\t\t\tCalled: true,\n\t\t\t\t}\n\n\t\t\t\tbreak\n\t\t\t}\n\t\t}\n\t}\n}\n\n// isUnimportant checks if a Debian-based vulnerability is tagged as unimportant\n// Debian: https://security-team.debian.org/security_tracker.html#severity-levels\n// Ubuntu: https://ubuntu.com/security/cves/about#priority\nfunc isUnimportant(vuln *osvschema.Vulnerability) bool {\n\tfor _, severity := range vuln.GetSeverity() {\n\t\t// TODO(gongh@): remove checking empty severity type after all ubuntu records have a valid severity tag.\n\t\tif strings.HasPrefix(vuln.GetId(), \"UBUNTU-CVE-\") &&\n\t\t\t(severity.GetType() == osvschema.Severity_Ubuntu || severity.GetType() == osvschema.Severity_UNSPECIFIED) {\n\t\t\treturn severity.GetScore() == \"negligible\"\n\t\t}\n\t}\n\n\tfor _, affected := range vuln.GetAffected() {\n\t\tif es := affected.GetEcosystemSpecific(); es != nil {\n\t\t\tif fields := es.GetFields(); fields != nil {\n\t\t\t\tif urgency, ok := fields[\"urgency\"]; ok && urgency != nil {\n\t\t\t\t\tif urgency.GetStringValue() == \"unimportant\" {\n\t\t\t\t\t\treturn true\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\t// TODO (gongh@): Remove this once Ubuntu has fully moved all priority tags into the severity field.\n\t\t\t\tif priority, ok := fields[\"ubuntu_priority\"]; ok && priority != nil {\n\t\t\t\t\tif priority.GetStringValue() == \"negligible\" {\n\t\t\t\t\t\treturn true\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\n\treturn false\n}\n" }, { "path": "pkg/osvscanner/vulnerability_result_internal_test.go", "content": "package osvscanner\n\nimport (\n\t\"testing\"\n\n\t\"github.com/google/osv-scalibr/extractor\"\n\t\"github.com/google/osv-scalibr/extractor/filesystem/language/javascript/packagelockjson\"\n\t\"github.com/google/osv-scalibr/inventory\"\n\t\"github.com/google/osv-scalibr/purl\"\n\t\"github.com/google/osv-scanner/v2/internal/config\"\n\t\"github.com/google/osv-scanner/v2/internal/imodels/results\"\n\t\"github.com/google/osv-scanner/v2/internal/testutility\"\n\t\"github.com/google/osv-scanner/v2/pkg/models\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n)\n\n// makeScanResults returns a unique instance of results.ScanResults for use in tests,\n// to avoid mutations impacting other test cases\nfunc makeScanResults() *results.ScanResults {\n\tscanResults := &results.ScanResults{\n\t\tInventory: inventory.Inventory{\n\t\t\tPackages: []*extractor.Package{\n\t\t\t\t{\n\t\t\t\t\tName: \"pkg-1\",\n\t\t\t\t\tPURLType: purl.TypeNPM,\n\t\t\t\t\tPlugins: []string{packagelockjson.Name},\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"dir/package-lock.json\"),\n\t\t\t\t\tLicenses: []string{\"MIT\", \"0BSD\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"pkg-2\",\n\t\t\t\t\tPURLType: purl.TypeNPM,\n\t\t\t\t\tPlugins: []string{packagelockjson.Name},\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"dir/package-lock.json\"),\n\t\t\t\t\tLicenses: []string{\"MIT\"},\n\t\t\t\t},\n\t\t\t\t{\n\t\t\t\t\tName: \"pkg-3\",\n\t\t\t\t\tPURLType: purl.TypeNPM,\n\t\t\t\t\tPlugins: []string{packagelockjson.Name},\n\t\t\t\t\tVersion: \"1.0.0\",\n\t\t\t\t\tLocation: extractor.LocationFromPath(\"other-dir/package-lock.json\"),\n\t\t\t\t\tLicenses: []string{\"UNKNOWN\"},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tConfigManager: config.Manager{},\n\t}\n\n\t// add vulnerabilities, with pointer references to their impacted packages\n\tscanResults.Inventory.PackageVulns = []*inventory.PackageVuln{\n\t\t{\n\t\t\tVulnerability: &osvschema.Vulnerability{Id: \"GHSA-123\", Aliases: []string{\"CVE-123\"}},\n\t\t\tPackage: scanResults.Inventory.Packages[0],\n\t\t},\n\t\t{\n\t\t\tVulnerability: &osvschema.Vulnerability{Id: \"CVE-123\"},\n\t\t\tPackage: scanResults.Inventory.Packages[0],\n\t\t},\n\t\t{\n\t\t\tVulnerability: &osvschema.Vulnerability{Id: \"GHSA-456\"},\n\t\t\tPackage: scanResults.Inventory.Packages[2],\n\t\t},\n\t}\n\n\t// add the package scan results, with pointer references to their underlying packages\n\tfor _, pkg := range scanResults.Inventory.Packages {\n\t\tlicenses := make([]models.License, len(pkg.Licenses))\n\t\tfor i, lic := range pkg.Licenses {\n\t\t\tlicenses[i] = models.License(lic)\n\t\t}\n\n\t\tscanResults.PackageScanResults = append(scanResults.PackageScanResults, pkg)\n\t}\n\n\treturn scanResults\n}\n\nfunc Test_assembleResult(t *testing.T) {\n\tt.Parallel()\n\ttype args struct {\n\t\tactions ScannerActions\n\t\tscanResults *results.ScanResults\n\t\tconfig config.Manager\n\t}\n\n\tcallAnalysisStates := make(map[string]bool)\n\n\ttests := []struct {\n\t\tname string\n\t\targs args\n\t}{\n\t\t{\n\t\t\tname: \"group_vulnerabilities\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: false,\n\t\t\t\t\tScanLicensesAllowlist: nil,\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"group_vulnerabilities_with_all_packages_included\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: true,\n\t\t\t\t\tScanLicensesAllowlist: nil,\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"group_vulnerabilities_with_licenses\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: true,\n\t\t\t\t\tScanLicensesSummary: true,\n\t\t\t\t\tScanLicensesAllowlist: nil,\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"group_vulnerabilities_with_license_allowlist\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: false,\n\t\t\t\t\tScanLicensesAllowlist: []string{\"MIT\", \"0BSD\"},\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"group_vulnerabilities_with_license_allowlist_and_license_override\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: false,\n\t\t\t\t\tScanLicensesAllowlist: []string{\"MIT\", \"0BSD\"},\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t\tconfig: config.Manager{\n\t\t\t\t\tOverrideConfig: &config.Config{\n\t\t\t\t\t\tPackageOverrides: []config.PackageOverrideEntry{\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tName: \"pkg-3\",\n\t\t\t\t\t\t\t\tEcosystem: \"npm\",\n\t\t\t\t\t\t\t\tLicense: config.License{\n\t\t\t\t\t\t\t\t\tOverride: []string{\"MIT\"},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tname: \"group_vulnerabilities_with_license_allowlist_and_all_packages\",\n\t\t\targs: args{\n\t\t\t\tscanResults: makeScanResults(),\n\t\t\t\tactions: ScannerActions{\n\t\t\t\t\tShowAllPackages: true,\n\t\t\t\t\tScanLicensesAllowlist: []string{\"MIT\", \"0BSD\"},\n\t\t\t\t\tCallAnalysisStates: callAnalysisStates,\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tfor _, tt := range tests {\n\t\tt.Run(tt.name, func(t *testing.T) {\n\t\t\tt.Parallel()\n\t\t\ttt.args.scanResults.ConfigManager = tt.args.config\n\t\t\tgot := buildVulnerabilityResults(tt.args.actions, tt.args.scanResults)\n\t\t\ttestutility.NewSnapshot().MatchJSON(t, got)\n\t\t})\n\t}\n}\n" }, { "path": "renovate.json", "content": "{\n \"$schema\": \"https://docs.renovatebot.com/renovate-schema.json\",\n \"extends\": [\"config:recommended\"],\n \"timezone\": \"Australia/Sydney\",\n \"schedule\": [\"before 6am on monday\"],\n \"labels\": [\"dependencies\"],\n \"postUpdateOptions\": [\"gomodTidy\"],\n \"osvVulnerabilityAlerts\": true,\n \"lockFileMaintenance\": {\n \"enabled\": true\n },\n \"packageRules\": [\n {\n \"matchUpdateTypes\": [\"major\"],\n \"groupName\": \"Major Updates\"\n },\n {\n \"matchCategories\": [\"golang\"],\n \"groupName\": \"osv-scanner minor\"\n },\n {\n \"matchFileNames\": [\".github/**\"],\n \"groupName\": \"workflows\"\n },\n {\n \"matchPackageNames\": [\"github.com/google/osv-scalibr\"],\n \"groupName\": \"osv-scalibr\",\n \"enabled\": false\n }\n ],\n \"ignorePaths\": [\"**/testdata/**\"],\n \"ignoreDeps\": [\"golang.org/x/vuln\"]\n}\n" }, { "path": "scripts/build.sh", "content": "#!/usr/bin/env bash\n\nset -e\n\ngo build ./cmd/osv-scanner/\n" }, { "path": "scripts/build_snapshot.sh", "content": "#!/usr/bin/env bash\n\nset -e\n\ngoreleaser build --clean --single-target --snapshot\n" }, { "path": "scripts/build_test_images.sh", "content": "#!/usr/bin/env bash\n\nset -e\n\n# this is inverted because docker build takes \"--no-cache\",\n# so \"false\" here means that the layer cache will be used\nno_layer_cache=false\n\nfunction build_docker_image_fixture {\n image_name=\"$1\"\n output_tar=\"cmd/osv-scanner/scan/image/testdata/$image_name.tar\"\n\n if [ ! -f \"$output_tar\" ]; then\n docker build cmd/osv-scanner/scan/image/testdata/ -f \"cmd/osv-scanner/scan/image/testdata/$image_name.Dockerfile\" -t \"osv-scanner/$image_name:latest\" --no-cache=\"$no_layer_cache\"\n docker image save \"osv-scanner/$image_name:latest\" -o \"$output_tar\"\n\n echo \"finished building $output_tar (did not exist)\"\n else\n echo \"skipped building $output_tar (already exists)\"\n fi\n}\n\nforce=false\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --force)\n force=true\n shift\n ;;\n --no-cache)\n no_layer_cache=true\n shift\n ;;\n *)\n echo \"Unknown argument: $1\"\n exit 1\n ;;\n esac\ndone\n\nfor dockerfile in cmd/osv-scanner/scan/image/testdata/*.Dockerfile; do\n image_name=$(basename \"$dockerfile\" .Dockerfile)\n\n if [ \"$force\" = true ]; then\n echo \"Removing existing tar file for $image_name...\"\n rm \"cmd/osv-scanner/scan/image/testdata/$image_name.tar\"\n fi\n\n build_docker_image_fixture \"$image_name\"\ndone\n" }, { "path": "scripts/examples/auto_guided_remediation.py", "content": "#!/usr/bin/env python3\n\"\"\"\nProof of concept demonstrating an automated guided remediation patching workflow.\nWe progressively try more and more patches until tests fail.\nRequires osv-scanner to be in your PATH.\n\"\"\"\n\nimport os.path\nimport re\nimport subprocess\nimport sys\nfrom typing import List, Tuple\n\nPATCH_STRATEGIES = [\n ['--strategy=in-place'], # Try every single transitive dependency upgrade without relocking or bumping direct dependencies.json.\n ['--strategy=relock'], # Relock the manifest and try direct dependency bumps.\n # This could also include things like:\n # '--min-severity=X' Minimum severity of vulnerabilities to consider.\n # '--max-depth=Y': Maximum (shortest) dependency depth\n # '--upgrade-config={major/minor/patch}': What level of package upgrades are allowed.\n # etc... which can help reduce/increase the scope of changes by prioritizing vulnerabilities according to these filters.\n # e.g. ['--strategy=relock', '--upgrade-config=minor', '--max-depth=5'], # Relock the manifest and try direct dependency bumps.\n # See `osv-scanner fix --help`.\n]\n\nif len(sys.argv) < 2:\n print(f'Usage: {sys.argv[0]} ')\n sys.exit(1)\n\ndirectory = sys.argv[1]\nosv_fix_args = sys.argv[2:]\n\n# check if the directory is within a git repo\nif subprocess.call(['git', '-C', directory, 'rev-parse']):\n print(f'{directory} is not part of a git repository')\n sys.exit(1)\n\nmanifest = os.path.join(directory, 'package.json')\nlockfile = os.path.join(directory, 'package-lock.json')\n\n\ndef run_fix(n_patches: int, avoid_pkgs: List[str], strategy: List[str]) -> Tuple[List[str], int, int]:\n # restore package.json & package-lock.json\n subprocess.check_call(['git', 'checkout', 'package.json', 'package-lock.json'], cwd=directory)\n # run osv-fix and parse changes\n cmd = ['osv-scanner', 'fix', '-M', manifest, '-L', lockfile] + osv_fix_args + strategy\n\n # 0 is a magic value that means we try all patches.\n if n_patches != 0:\n cmd.extend(['--apply-top', str(n_patches)])\n\n for pkg in avoid_pkgs:\n cmd.extend(['--upgrade-config', f'{pkg}:none'])\n\n try:\n output = subprocess.check_output(cmd, text=True)\n except subprocess.CalledProcessError as e:\n output = (e.stdout or '') + (e.stderr or '')\n\n upgraded = [m[1] for m in re.finditer(r'UPGRADED-PACKAGE: (.*),(.*),(.*)', output)]\n remaining_vulns = None\n unfixable_vulns = None\n\n match = re.search(r'REMAINING-VULNS:\\s*(\\d+)', output)\n if match:\n remaining_vulns = int(match.group(1))\n\n match = re.search(r'UNFIXABLE-VULNS:\\s*(\\d+)', output)\n if match:\n unfixable_vulns = int(match.group(1))\n\n return upgraded, remaining_vulns, unfixable_vulns\n\n\ndef run_loop(strategy: List[str]) -> Tuple[List[str], int, int, List[str]]:\n valid = []\n avoid = []\n # 0 is a special value meaning that we try applying every patch. This is\n # meant as a shortcut in case this would've succeeded anyway.\n n_patches = 0\n\n print('===== Attempting auto-patch with strategy', strategy, '=====')\n\n remaining = None\n total_unfixable = None\n\n while True:\n changes, remaining, unfixable = run_fix(n_patches, avoid, strategy)\n if changes == valid:\n # if the result of running osv-fix hasn't changed, then we've run out of patches to apply\n break\n\n print('===== Trying to upgrade:', changes, '=====')\n print('===== Current blocklist:', avoid, '=====')\n # check the install & tests\n if subprocess.call(['npm', 'ci'], cwd=directory) or subprocess.call(['npm', 'run', 'test'], cwd=directory): # tests failed\n if n_patches == 0:\n # First try with every single patch.\n # Record the unfixable count using this, as it represents the real\n # unfixable count if every possible package upgrade was allowed.\n total_unfixable = unfixable\n n_patches += 1\n continue\n\n print('===== Tests failed, blocklisting upgrades =====')\n # add each new package to the avoid list\n\n for c in changes:\n if c not in valid:\n avoid.append(c)\n print('===== Current blocklist:', avoid, '=====')\n else: # tests passed\n if n_patches == 0:\n valid = changes\n break\n\n # try now with the next patch\n valid = changes\n n_patches += 1\n\n if valid:\n print()\n print('===== The following packages have been changed and verified against the tests: =====')\n for v in valid:\n print(v)\n\n return valid, remaining, total_unfixable, avoid\n\n\nbest_strategy = None\nbest_changes = []\nbest_avoid = []\nbest_remaining = 10000000\nbest_unfixable = None\n\nfor strategy in PATCH_STRATEGIES:\n changes, remaining, unfixable, avoid = run_loop(strategy)\n if changes and remaining < best_remaining:\n best_strategy = strategy\n best_changes = changes\n best_avoid = avoid\n best_remaining = remaining\n best_unfixable = unfixable\n\nprint()\nprint('===== Auto-patch completed with the following changed packages =====')\nprint('Best strategy:', best_strategy)\nfor v in best_changes:\n print(v)\n\nprint('The follow packages cannot be upgraded due to failing tests:')\nfor v in best_avoid:\n print(v)\n\nprint()\nprint(best_remaining, 'vulnerabilities remain')\n\nif best_unfixable:\n print(best_unfixable, 'vulnerabilities are impossible to fix by package upgrades')\n" }, { "path": "scripts/generate_coverage_report.sh", "content": "#!/usr/bin/env bash\n\nset -e\n\n./scripts/run_tests.sh\n\ngo tool cover -html=coverage.out -o coverage.html\n" }, { "path": "scripts/generate_mock_resolution_universe/main.go", "content": "// Package main generates a mock resolution universe file for testing.\npackage main\n\n// Generate a MockResolutionClient universe file based on real packages encountered during in-place and/or relock updates.\n// Used for generating testdata.\n// Usage: go run ./generate_mock_resolution_universe -universeFile -vulnFile [list of manifests / lockfiles]\n// Will automatically attempt in-place updates and relock/relax updates on all supplied lockfiles/manifests,\n// And write all encountered package versions to a universe file, and all vulnerabilities for each package to a vulnerability file.\n// Lockfiles/manifests are assumed to be all from the same ecosystem.\n\nimport (\n\t\"bytes\"\n\t\"context\"\n\t\"encoding/gob\"\n\t\"encoding/json\"\n\t\"errors\"\n\t\"flag\"\n\t\"fmt\"\n\t\"maps\"\n\t\"net/http\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"slices\"\n\t\"strings\"\n\t\"time\"\n\n\tpb \"deps.dev/api/v3\"\n\t\"deps.dev/util/resolve\"\n\t\"deps.dev/util/resolve/dep\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientimpl/osvmatcher\"\n\t\"github.com/google/osv-scanner/v2/internal/clients/clientinterfaces\"\n\t\"github.com/google/osv-scanner/v2/internal/depsdev\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation\"\n\t\"github.com/google/osv-scanner/v2/internal/remediation/upgrade\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/client\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/clienttest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/depfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/lockfile\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/manifest\"\n\t\"github.com/google/osv-scanner/v2/internal/resolution/util\"\n\t\"github.com/google/osv-scanner/v2/internal/version\"\n\t\"github.com/ossf/osv-schema/bindings/go/osvschema\"\n\t\"go.yaml.in/yaml/v3\"\n\t\"golang.org/x/sync/errgroup\"\n\t\"google.golang.org/protobuf/encoding/protojson\"\n\t\"osv.dev/bindings/go/api\"\n\t\"osv.dev/bindings/go/osvdev\"\n)\n\nvar remediationOpts = remediation.Options{\n\tResolveOpts: resolution.ResolveOpts{\n\t\tMavenManagement: true,\n\t},\n\tDevDeps: true,\n\tMaxDepth: -1,\n\tUpgradeConfig: upgrade.NewConfig(),\n}\n\nconst userAgent = \"osv-scanner_generate_mock/\" + version.OSVVersion\n\nfunc vulnMatcher() clientinterfaces.VulnerabilityMatcher {\n\tconfig := osvdev.DefaultConfig()\n\tconfig.UserAgent = userAgent\n\n\treturn &osvmatcher.CachedOSVMatcher{\n\t\tClient: osvdev.OSVClient{\n\t\t\tHTTPClient: http.DefaultClient,\n\t\t\tConfig: config,\n\t\t\tBaseHostURL: osvdev.DefaultBaseURL,\n\t\t},\n\t\tInitialQueryTimeout: 5 * time.Minute,\n\t}\n}\n\nfunc doRelockRelax(ddCl *client.DepsDevClient, rw manifest.ReadWriter, filename string) error {\n\tcl := client.ResolutionClient{\n\t\tVulnerabilityMatcher: vulnMatcher(),\n\t\tDependencyClient: ddCl,\n\t}\n\n\tf, err := depfile.OpenLocalDepFile(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\tmanif, err := rw.Read(f)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient.PreFetch(context.Background(), cl, manif.Requirements, manif.FilePath)\n\tres, err := resolution.Resolve(context.Background(), cl, manif, remediationOpts.ResolveOpts)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = remediation.ComputeRelaxPatches(context.Background(), cl, res, remediationOpts)\n\n\treturn err\n}\n\nfunc doOverride(ddCl *client.DepsDevClient, rw manifest.ReadWriter, filename string) error {\n\tcl := client.ResolutionClient{\n\t\tVulnerabilityMatcher: vulnMatcher(),\n\t\tDependencyClient: ddCl,\n\t}\n\n\tf, err := depfile.OpenLocalDepFile(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\tmanif, err := rw.Read(f)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tclient.PreFetch(context.Background(), cl, manif.Requirements, manif.FilePath)\n\tres, err := resolution.Resolve(context.Background(), cl, manif, remediationOpts.ResolveOpts)\n\tif err != nil {\n\t\treturn err\n\t}\n\t_, err = remediation.ComputeOverridePatches(context.Background(), cl, res, remediationOpts)\n\n\treturn err\n}\n\nfunc doInPlace(ddCl *client.DepsDevClient, rw lockfile.ReadWriter, filename string) error {\n\tcl := client.ResolutionClient{\n\t\tVulnerabilityMatcher: vulnMatcher(),\n\t\tDependencyClient: ddCl,\n\t}\n\n\tf, err := depfile.OpenLocalDepFile(filename)\n\tif err != nil {\n\t\treturn err\n\t}\n\tdefer f.Close()\n\n\tg, err := rw.Read(f)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\t// In-place updating doesn't actually check the client for the packages in the lockfile.\n\t// For good measure, we do it here to load them into the cache.\n\tgroup := &errgroup.Group{}\n\tfor _, n := range g.Nodes {\n\t\tvk := n.Version\n\t\tgroup.Go(func() error {\n\t\t\t_, err := ddCl.Requirements(context.Background(), vk)\n\t\t\treturn err\n\t\t})\n\t}\n\t_ = group.Wait()\n\n\t_, err = remediation.ComputeInPlacePatches(context.Background(), cl, g, remediationOpts)\n\n\treturn err\n}\n\nfunc getCachedVersions(cl *client.DepsDevClient) (map[resolve.PackageKey][]string, error) {\n\t// Abuse the cache writing to get the list of encountered package versions.\n\tcachePath := filepath.Join(os.TempDir(), \"gr-cache\")\n\tif err := cl.WriteCache(cachePath); err != nil {\n\t\treturn nil, err\n\t}\n\tcacheFile := cachePath + \".resolve.deps\"\n\tdefer os.Remove(cacheFile)\n\tb, err := os.ReadFile(cacheFile)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\tvar cache depsdevAPICache\n\tdec := gob.NewDecoder(bytes.NewReader(b))\n\tif err := dec.Decode(&cache); err != nil {\n\t\treturn nil, err\n\t}\n\n\tpkgVers := make(map[resolve.PackageKey][]string)\n\tfor vk := range cache.RequirementsCache {\n\t\tpk := resolve.PackageKey{\n\t\t\tName: vk.Name,\n\t\t\tSystem: resolve.System(vk.System),\n\t\t}\n\t\tpkgVers[pk] = append(pkgVers[pk], vk.Version)\n\t}\n\n\treturn pkgVers, nil\n}\n\n// Copy the relevant cache format from the depsdev_api_cache\ntype depsdevAPICache struct {\n\tRequirementsCache map[struct {\n\t\tSystem pb.System\n\t\tName string\n\t\tVersion string\n\t}][]byte\n}\n\nfunc (t *depsdevAPICache) GobDecode(b []byte) error {\n\ttype c depsdevAPICache\n\tdec := gob.NewDecoder(bytes.NewReader(b))\n\n\treturn dec.Decode((*c)(t))\n}\n\nfunc makeUniverse(cl *client.DepsDevClient) (clienttest.ResolutionUniverse, clienttest.VulnerabilityMatcher, error) {\n\tpkgs, err := getCachedVersions(cl)\n\tif err != nil {\n\t\treturn clienttest.ResolutionUniverse{}, clienttest.VulnerabilityMatcher{}, err\n\t}\n\n\tpks := slices.AppendSeq(make([]resolve.PackageKey, 0, len(pkgs)), maps.Keys(pkgs))\n\tslices.SortFunc(pks, func(a, b resolve.PackageKey) int { return a.Compare(b) })\n\n\tif len(pks) == 0 {\n\t\treturn clienttest.ResolutionUniverse{}, clienttest.VulnerabilityMatcher{}, errors.New(\"no packages found in cache\")\n\t}\n\t// assume every package is the same system\n\tsystem := pks[0].System\n\n\t// Build the schema string.\n\tschema := &strings.Builder{}\n\tfor _, pk := range pks {\n\t\tvers := pkgs[pk]\n\t\tslices.SortFunc(vers, system.Semver().Compare)\n\t\tfmt.Fprintln(schema, pk.Name)\n\t\tfor _, v := range vers {\n\t\t\tfmt.Fprintln(schema, \"\\t\"+v)\n\t\t\treqs, err := cl.Requirements(context.Background(), resolve.VersionKey{\n\t\t\t\tPackageKey: pk,\n\t\t\t\tVersion: v,\n\t\t\t\tVersionType: resolve.Concrete,\n\t\t\t})\n\t\t\tif err != nil {\n\t\t\t\tcontinue\n\t\t\t}\n\t\t\tfor _, r := range reqs {\n\t\t\t\t// Don't bother writing Dev or Test dependencies.\n\t\t\t\tif r.Type.HasAttr(dep.Dev) || r.Type.HasAttr(dep.Test) {\n\t\t\t\t\tcontinue\n\t\t\t\t}\n\t\t\t\tstr := r.Name + \"@\" + r.Version\n\t\t\t\ttypeStr := typeString(r.Type)\n\t\t\t\tif typeStr != \"\" {\n\t\t\t\t\tstr = typeStr + \"|\" + str\n\t\t\t\t}\n\t\t\t\tfmt.Fprintf(schema, \"\\t\\t%s\\n\", str)\n\t\t\t}\n\t\t}\n\t}\n\n\t// Get all vulns for all versions of all packages.\n\t// It's easier to re-query this than to try to use the vulnerability client's cache.\n\tbatchQueries := make([]*api.Query, len(pks))\n\tfor i, pk := range pks {\n\t\tbatchQueries[i] = &api.Query{\n\t\t\tPackage: &osvschema.Package{\n\t\t\t\tName: pk.Name,\n\t\t\t\tEcosystem: string(util.OSVEcosystem[pk.System]),\n\t\t\t},\n\t\t}\n\t}\n\n\tbatchResp, err := osvdev.DefaultClient().QueryBatch(context.Background(), batchQueries)\n\tif err != nil {\n\t\treturn clienttest.ResolutionUniverse{}, clienttest.VulnerabilityMatcher{}, err\n\t}\n\n\tvulnerabilities := make([][]*osvschema.Vulnerability, len(batchResp.GetResults()))\n\tg, ctx := errgroup.WithContext(context.Background())\n\tg.SetLimit(1000)\n\n\tfor batchIdx, resp := range batchResp.GetResults() {\n\t\tvulnerabilities[batchIdx] = make([]*osvschema.Vulnerability, len(resp.GetVulns()))\n\t\tfor resultIdx, vuln := range resp.GetVulns() {\n\t\t\tg.Go(func() error {\n\t\t\t\t// exit early if another hydration request has already failed\n\t\t\t\t// results are thrown away later, so avoid needless work\n\t\t\t\tif ctx.Err() != nil {\n\t\t\t\t\treturn nil //nolint:nilerr // this value doesn't matter to errgroup.Wait()\n\t\t\t\t}\n\t\t\t\tvuln, err := osvdev.DefaultClient().GetVulnByID(ctx, vuln.GetId())\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn err\n\t\t\t\t}\n\t\t\t\tvulnerabilities[batchIdx][resultIdx] = vuln\n\n\t\t\t\treturn nil\n\t\t\t})\n\t\t}\n\t}\n\n\tif err := g.Wait(); err != nil {\n\t\treturn clienttest.ResolutionUniverse{}, clienttest.VulnerabilityMatcher{}, err\n\t}\n\n\tvar vulns []*osvschema.Vulnerability\n\tfor _, r := range vulnerabilities {\n\t\tvulns = append(vulns, r...)\n\t}\n\n\treturn clienttest.ResolutionUniverse{System: system.String(), Schema: schema.String()}, clienttest.VulnerabilityMatcher{Vulns: vulns}, nil\n}\n\n// These are just the relevant AttrKeys for our supported ecosystems.\nvar flagAttrs = [...]dep.AttrKey{dep.Dev, dep.Opt, dep.Test} // Keys without values\nvar valueAttrs = [...]dep.AttrKey{dep.Scope, dep.MavenClassifier, dep.MavenArtifactType, dep.MavenDependencyOrigin, dep.MavenExclusions, dep.KnownAs, dep.Selector}\n\nfunc typeString(t dep.Type) string {\n\t// dep.Type.String() is not the same format as what the universe schema wants.\n\t// Manually construct the valid string.\n\tvar parts []string\n\tfor _, attr := range flagAttrs {\n\t\tif t.HasAttr(attr) {\n\t\t\tparts = append(parts, attr.String())\n\t\t}\n\t}\n\n\tfor _, attr := range valueAttrs {\n\t\tif value, ok := t.GetAttr(attr); ok {\n\t\t\tparts = append(parts, attr.String(), strings.ReplaceAll(value, \"|\", \",\")) // Must convert the MavenExclusions separator.\n\t\t}\n\t}\n\n\treturn strings.Join(parts, \" \")\n}\n\nfunc run() error {\n\tuniverseFile := flag.String(\"universeFile\", \"universe.yaml\", \"output file for the resolution universe\")\n\tvulnFile := flag.String(\"vulnFile\", \"vulns.json\", \"output file for the vulnerabilities\")\n\tflag.Parse()\n\n\tcl, err := client.NewDepsDevClient(depsdev.DepsdevAPI, userAgent)\n\tif err != nil {\n\t\treturn err\n\t}\n\n\tgroup := &errgroup.Group{}\n\tfor _, filename := range flag.Args() {\n\t\tif io, err := manifest.GetReadWriter(filename, \"\"); err == nil {\n\t\t\tif remediation.SupportsRelax(io) {\n\t\t\t\tgroup.Go(func() error {\n\t\t\t\t\terr := doRelockRelax(cl, io, filename)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to relock/relax %s: %w\", filename, err)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t\tif remediation.SupportsOverride(io) {\n\t\t\t\tgroup.Go(func() error {\n\t\t\t\t\terr := doOverride(cl, io, filename)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to relock/override %s: %w\", filename, err)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t\tif io, err := lockfile.GetReadWriter(filename); err == nil {\n\t\t\tif remediation.SupportsInPlace(io) {\n\t\t\t\tgroup.Go(func() error {\n\t\t\t\t\terr := doInPlace(cl, io, filename)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\treturn fmt.Errorf(\"failed to in-place update %s: %w\", filename, err)\n\t\t\t\t\t}\n\n\t\t\t\t\treturn nil\n\t\t\t\t})\n\t\t\t}\n\t\t}\n\t}\n\tif err := group.Wait(); err != nil {\n\t\tfmt.Fprintln(os.Stderr, err)\n\t}\n\n\tuniverse, vulns, err := makeUniverse(cl)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error making universe: %w\", err)\n\t}\n\n\tuFile, err := os.Create(*universeFile)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error creating universe file: %w\", err)\n\t}\n\tdefer uFile.Close()\n\n\tfmt.Fprintf(uFile, \"# Automatically generated by generate_mock_resolution_universe on %s. DO NOT EDIT.\\n\", time.Now().Format(time.RFC822))\n\tuEnc := yaml.NewEncoder(uFile)\n\tuEnc.SetIndent(2)\n\tif err := uEnc.Encode(universe); err != nil {\n\t\treturn fmt.Errorf(\"error encoding universe: %w\", err)\n\t}\n\n\tvFile, err := os.Create(*vulnFile)\n\tif err != nil {\n\t\treturn fmt.Errorf(\"error creating vuln file: %w\", err)\n\t}\n\tdefer vFile.Close()\n\n\t// Marshal each vulnerability using protojson to get human-readable timestamps\n\tvulnsJSON := make([]json.RawMessage, 0, len(vulns.Vulns))\n\tmarshaler := protojson.MarshalOptions{}\n\tfor _, v := range vulns.Vulns {\n\t\tjsonBytes, err := marshaler.Marshal(v)\n\t\tif err != nil {\n\t\t\treturn fmt.Errorf(\"error marshalling vuln to json: %w\", err)\n\t\t}\n\t\tvulnsJSON = append(vulnsJSON, jsonBytes)\n\t}\n\n\tvulnsData := map[string]any{\n\t\t\"vulns\": vulnsJSON,\n\t}\n\n\tvEnc := json.NewEncoder(vFile)\n\tvEnc.SetIndent(\"\", \" \")\n\tif err := vEnc.Encode(vulnsData); err != nil {\n\t\treturn fmt.Errorf(\"error encoding vulns: %w\", err)\n\t}\n\n\treturn nil\n}\n\nfunc main() {\n\tif err := run(); err != nil {\n\t\tfmt.Fprintln(os.Stderr, err)\n\t\tos.Exit(1)\n\t}\n}\n" }, { "path": "scripts/generators/GenerateMavenVersions.java", "content": "import org.apache.maven.artifact.versioning.ComparableVersion;\n\nimport org.json.JSONArray;\nimport org.json.JSONObject;\n\nimport java.io.*;\nimport java.net.URL;\nimport java.nio.channels.Channels;\nimport java.nio.channels.ReadableByteChannel;\nimport java.nio.charset.StandardCharsets;\nimport java.util.*;\nimport java.util.stream.Collectors;\nimport java.util.stream.IntStream;\nimport java.util.zip.ZipEntry;\nimport java.util.zip.ZipFile;\n\n/**\n * Script for generating a list of maven version comparison testdata based off\n * every version mentioned in the OSV Maven database, sorted using the native\n * Maven implementation.\n *

\n * To run this, you need to ensure copies of the following libraries are present\n * on the class path:\n *\n *

\n * The easiest way to do this is by putting the jars into a lib subfolder and then running:\n * \n * java -cp generators/lib/* generators/GenerateMavenVersions.java\n * \n */\npublic class GenerateMavenVersions {\n /**\n * An array of version comparisons that are known to be unsupported and so\n * should be commented out in the generated fixture.\n *

\n * Generally this is because the native implementation has a suspected bug\n * that causes the comparison to return incorrect results, and so supporting\n * such comparisons in the detector would in fact be wrong.\n */\n private static final String[] UNSUPPORTED_COMPARISONS = {\n \"0.0.0-2021-07-06T00-28-13-573087f7 < 0.0.0-2021-07-06T01-14-42-efe42242\",\n \"0.0.0-2021-12-06T00-08-57-89a33731 < 0.0.0-2021-12-06T01-21-56-e3888760\",\n \"0.0.0-2022-02-01T00-45-53-0300684a < 0.0.0-2022-02-01T05-45-16-7258ece0\",\n \"0.0.0-2022-02-28T00-18-39-7fe0d845 < 0.0.0-2022-02-28T04-15-47-83c97ebe\",\n \"0.0.0-2022-04-29T00-08-11-7086a3ec < 0.0.0-2022-04-29T01-20-09-b424f986\",\n \"0.0.0-2022-06-14T00-21-33-f21869a7 < 0.0.0-2022-06-14T02-56-29-1db980e0\",\n \"0.0.0-2022-08-16T00-14-19-aeae3dc3 < 0.0.0-2022-08-16T10-34-26-7a56f709\",\n \"0.0.0-2022-08-22T00-46-32-4652d3db < 0.0.0-2022-08-22T06-46-40-e7409ac5\",\n \"0.0.0-2022-10-31T00-42-12-322ba6b9 < 0.0.0-2022-10-31T01-23-06-c6652489\",\n \"0.0.0-2022-10-31T07-00-43-71eccd49 < 0.0.0-2022-10-31T07-05-43-97874976\",\n \"0.0.0-2022-12-01T00-02-29-fe8d6705 < 0.0.0-2022-12-01T01-56-22-5b442198\",\n \"0.0.0-2022-12-18T00-44-34-a222f475 < 0.0.0-2022-12-18T01-45-19-fec81751\",\n \"0.0.0-2023-03-20T00-52-15-4b4c0e7 < 0.0.0-2023-03-20T01-49-44-80e3135\"\n };\n\n public static boolean isUnsupportedComparison(String line) {\n return Arrays.stream(UNSUPPORTED_COMPARISONS).anyMatch(line::equals);\n }\n\n public static String uncomment(String line) {\n if(line.startsWith(\"#\")) {\n return line.substring(1);\n }\n\n if(line.startsWith(\"//\")) {\n return line.substring(2);\n }\n\n return line;\n }\n\n public static String downloadMavenDb() throws IOException {\n URL website = new URL(\"https://osv-vulnerabilities.storage.googleapis.com/Maven/all.zip\");\n String file = \"./maven-db.zip\";\n\n ReadableByteChannel rbc = Channels.newChannel(website.openStream());\n\n try(FileOutputStream fos = new FileOutputStream(file)) {\n fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);\n }\n\n return file;\n }\n\n public static Map> fetchPackageVersions() throws IOException {\n String dbPath = downloadMavenDb();\n List osvs = loadOSVs(dbPath);\n\n Map> packages = new HashMap<>();\n\n osvs.forEach(osv -> osv.getJSONArray(\"affected\").forEach(aff -> {\n JSONObject affected = (JSONObject) aff;\n\n if(!affected.has(\"package\") || affected.getJSONObject(\"package\").getString(\"ecosystem\").equals(\"Maven\")) {\n return;\n }\n\n String pkgName = affected.getJSONObject(\"package\").getString(\"name\");\n\n if(!affected.has(\"versions\")) {\n return;\n }\n JSONArray versions = affected.getJSONArray(\"versions\");\n\n packages.putIfAbsent(pkgName, new ArrayList<>());\n\n if(versions.isEmpty()) {\n return;\n }\n\n versions.forEach(version -> packages.get(pkgName).add((String) version));\n }));\n\n packages.forEach((key, _ignore) -> packages.put(\n key,\n packages.get(key)\n .stream()\n .distinct()\n .sorted(Comparator.comparing(ComparableVersion::new))\n .collect(Collectors.toList())\n ));\n\n return packages;\n }\n\n public static List loadOSVs(String pathToDbZip) throws IOException {\n List osvs = new ArrayList<>();\n\n try(ZipFile zipFile = new ZipFile(pathToDbZip)) {\n Enumeration entries = zipFile.entries();\n\n while(entries.hasMoreElements()) {\n ZipEntry entry = entries.nextElement();\n InputStream stream = zipFile.getInputStream(entry);\n\n BufferedReader streamReader = new BufferedReader(new InputStreamReader(stream, StandardCharsets.UTF_8));\n StringBuilder responseStrBuilder = new StringBuilder();\n\n String inputStr;\n while((inputStr = streamReader.readLine()) != null) {\n responseStrBuilder.append(inputStr);\n }\n osvs.add(new JSONObject(responseStrBuilder.toString()));\n }\n }\n\n return osvs;\n }\n\n public static void writeToFile(String outfile, List lines) throws IOException {\n try(PrintWriter writer = new PrintWriter(outfile, StandardCharsets.UTF_8)) {\n lines.forEach(writer::println);\n }\n }\n\n public static boolean compareVers(String version1, String op, String version2) {\n ComparableVersion v1 = new ComparableVersion(version1);\n ComparableVersion v2 = new ComparableVersion(version2);\n\n int r = v1.compareTo(v2);\n\n if(op.equals(\"=\")) {\n return r == 0;\n }\n\n if(op.equals(\"<\")) {\n return r < 0;\n }\n\n if(op.equals(\">\")) {\n return r > 0;\n }\n\n throw new RuntimeException(\"unsupported comparison operator \" + op);\n }\n\n public static boolean compareVersions(List lines, String select) {\n boolean didAnyFail = false;\n\n for(String line : lines) {\n line = line.trim();\n\n if(line.isEmpty() || line.startsWith(\"#\") || line.startsWith(\"//\")) {\n String maybeUnsupported = uncomment(line).trim();\n\n if(isUnsupportedComparison(maybeUnsupported)) {\n System.out.printf(\"\\033[96mS\\033[0m: \\033[93m%s\\033[0m\\n\", maybeUnsupported);\n }\n\n continue;\n }\n\n String[] parts = line.split(\" \");\n String v1 = parts[0];\n String op = parts[1];\n String v2 = parts[2];\n\n boolean r = compareVers(v1, op, v2);\n\n if(!r) {\n didAnyFail = true;\n }\n\n if(select.equals(\"failures\") && r) {\n continue;\n }\n\n if(select.equals(\"successes\") && !r) {\n continue;\n }\n\n String color = r ? \"\\033[92m\" : \"\\033[91m\";\n String rs = r ? \"T\" : \"F\";\n\n System.out.printf(\"%s%s\\033[0m: \\033[93m%s\\033[0m\\n\", color, rs, line);\n }\n\n return didAnyFail;\n }\n\n public static boolean compareVersionsInFile(String filepath, String select) throws IOException {\n List lines = new ArrayList<>();\n\n try(BufferedReader br = new BufferedReader(new FileReader(filepath))) {\n String line = br.readLine();\n\n while(line != null) {\n lines.add(line);\n line = br.readLine();\n }\n }\n\n return compareVersions(lines, select);\n }\n\n public static List generateVersionCompares(List versions) {\n return IntStream.range(1, versions.size()).mapToObj(i -> {\n String currentVersion = versions.get(i);\n String previousVersion = versions.get(i - 1);\n String op = compareVers(currentVersion, \"=\", previousVersion) ? \"=\" : \"<\";\n\n String comparison = String.format(\"%s %s %s\", previousVersion, op, currentVersion);\n\n if(isUnsupportedComparison(comparison)) {\n comparison = \"# \" + comparison;\n }\n\n return comparison;\n }).collect(Collectors.toList());\n }\n\n public static List generatePackageCompares(Map> packages) {\n return packages\n .values()\n .stream()\n .map(GenerateMavenVersions::generateVersionCompares)\n .flatMap(Collection::stream)\n .distinct()\n .collect(Collectors.toList());\n }\n\n public static String getSelectFilter() {\n // set this to either \"failures\" or \"successes\" to only have those comparison results\n // printed; setting it to anything else will have all comparison results printed\n String value = System.getenv(\"VERSION_GENERATOR_PRINT\");\n\n if(value == null) {\n return \"failures\";\n }\n\n return value;\n }\n\n public static void main(String[] args) throws IOException {\n String outfile = \"internal/semantic/testdata/maven-versions-generated.txt\";\n Map> packages = fetchPackageVersions();\n\n writeToFile(outfile, generatePackageCompares(packages));\n\n String show = getSelectFilter();\n\n boolean didAnyFail = compareVersionsInFile(outfile, show);\n\n if(didAnyFail) {\n System.exit(1);\n }\n }\n}\n" }, { "path": "scripts/generators/generate-alpine-versions.py", "content": "#!/usr/bin/env python3\n\nimport atexit\nimport json\nimport operator\nimport os\nimport subprocess\nimport sys\nimport urllib.request\nimport zipfile\nfrom pathlib import Path\n\n# this requires being run on an OS with docker available to run an alpine container\n# through which apk can be invoked to compare versions natively.\n#\n# this generator will attempt to run an alpine container in the background\n# for the lifetime of the generator that will be used to exec apk; this is a lot faster\n# than running a dedicated container for each invocation, but does mean the container\n# may need to be cleaned up manually if the generator explodes in a way that prevents\n# it from stopping the container before exiting.\n#\n# this generator also uses cache to store the results of comparisons given the large\n# volume of packages and versions to compare, which is stored in the /tmp directory.\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\nUNSUPPORTED_COMPARISONS = []\n\n\ndef is_unsupported_comparison(line):\n return line in UNSUPPORTED_COMPARISONS\n\n\ndef uncomment(line):\n if line.startswith('#'):\n return line[1:]\n if line.startswith('//'):\n return line[2:]\n return line\n\n\ndef download_alpine_db():\n urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/Alpine/all.zip', 'alpine-db.zip')\n\n\ndef extract_packages_with_versions(osvs):\n dict = {}\n\n for osv in osvs:\n for affected in osv['affected']:\n if 'package' not in affected or not affected['package']['ecosystem'].startswith('Alpine'):\n continue\n\n package = affected['package']['name']\n\n if package not in dict:\n dict[package] = []\n\n for version in affected.get('versions', []):\n dict[package].append(AlpineVersion(version))\n\n # deduplicate and sort the versions for each package\n for package in dict:\n dict[package] = sorted(list(dict.fromkeys(dict[package])))\n\n return dict\n\n\nclass AlpineVersionComparer:\n def __init__(self, cache_path, how):\n self.cache_path = Path(cache_path)\n self.cache = {}\n\n self._alpine_version = '3.10'\n self._compare_method = how\n self._docker_container = None\n self._load_cache()\n\n def _start_docker_container(self):\n \"\"\"\n Starts the Alpine docker container for use in comparing versions using apk,\n assigning the name of the container to `self._docker_container` if success.\n\n If a container has already been started, this does nothing.\n \"\"\"\n\n if self._docker_container is not None:\n return\n\n container_name = f'alpine-{self._alpine_version}-container'\n\n cmd = ['docker', 'run', '--rm', '--name', container_name, '-d', f'alpine:{self._alpine_version}', 'tail', '-f', '/dev/null']\n out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.returncode != 0:\n raise Exception(f'failed to start {container_name} container: {out.stderr.decode(\"utf-8\")}')\n self._docker_container = container_name\n atexit.register(self._stop_docker_container)\n\n def _stop_docker_container(self):\n if self._docker_container is None:\n raise Exception(f'called to stop docker container when none was started')\n\n cmd = ['docker', 'stop', '-t', '0', self._docker_container]\n out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.returncode != 0:\n raise Exception(f'failed to stop {self._docker_container} container: {out.stderr.decode(\"utf-8\")}')\n\n def _load_cache(self):\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'r') as f:\n lines = f.readlines()\n\n for line in lines:\n line = line.strip()\n key, result = line.split(',')\n\n if result == 'True':\n self.cache[key] = True\n continue\n if result == 'False':\n self.cache[key] = False\n continue\n\n print(f\"ignoring invalid cache entry '{line}'\")\n\n def _save_to_cache(self, key, result):\n self.cache[key] = result\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'a') as f:\n f.write(f'{key},{result}\\n')\n\n def _compare_command(self, a, b):\n if self._compare_method == 'run':\n return ['docker', 'run', '--rm', f'alpine:{self._alpine_version}', 'apk', 'version', '-t', a, b]\n\n self._start_docker_container()\n\n return ['docker', 'exec', self._docker_container, 'apk', 'version', '-t', a, b]\n\n def compare(self, a, op, b):\n key = f'{a} {op} {b}'\n if key in self.cache:\n return self.cache[key]\n\n out = subprocess.run(self._compare_command(a, b), stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.returncode != 0:\n raise Exception(f'apk did not like comparing {a} {op} {b}: {out.stderr.decode(\"utf-8\")}')\n\n r = out.stdout.decode('utf-8').strip() == op\n self._save_to_cache(key, r)\n return r\n\n\nalpine_comparer = AlpineVersionComparer('/tmp/alpine-versions-generator-cache.csv', 'exec')\n\n\nclass AlpineVersion:\n def __str__(self):\n return self.version\n\n def __hash__(self):\n return hash(self.version)\n\n def __init__(self, version):\n self.version = version\n\n def __lt__(self, other):\n return alpine_comparer.compare(self.version, '<', other.version)\n\n def __gt__(self, other):\n return alpine_comparer.compare(self.version, '>', other.version)\n\n def __eq__(self, other):\n return alpine_comparer.compare(self.version, '=', other.version)\n\n\ndef compare(v1, relate, v2):\n ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt}\n return ops[relate](v1, v2)\n\n\ndef compare_versions(lines, select='all'):\n has_any_failed = False\n\n for line in lines:\n line = line.strip()\n\n if line == '' or line.startswith('#') or line.startswith('//'):\n maybe_unsupported = uncomment(line).strip()\n\n if is_unsupported_comparison(maybe_unsupported):\n print(f'\\033[96mS\\033[0m: \\033[93m{maybe_unsupported}\\033[0m')\n continue\n\n v1, op, v2 = line.strip().split(' ')\n\n r = compare(AlpineVersion(v1), op, AlpineVersion(v2))\n\n if not r:\n has_any_failed = r\n\n if select == 'failures' and r:\n continue\n\n if select == 'successes' and not r:\n continue\n\n color = '\\033[92m' if r else '\\033[91m'\n rs = 'T' if r else 'F'\n print(f'{color}{rs}\\033[0m: \\033[93m{line}\\033[0m')\n return has_any_failed\n\n\ndef compare_versions_in_file(filepath, select='all'):\n with open(filepath) as f:\n lines = f.readlines()\n return compare_versions(lines, select)\n\n\ndef generate_version_compares(versions):\n comparisons = []\n for i, version in enumerate(versions):\n if i == 0:\n continue\n\n comparison = f'{versions[i - 1]} < {version}\\n'\n\n if is_unsupported_comparison(comparison.strip()):\n comparison = '# ' + comparison\n comparisons.append(comparison)\n return comparisons\n\n\ndef generate_package_compares(packages):\n comparisons = []\n for package in packages:\n versions = packages[package]\n comparisons.extend(generate_version_compares(versions))\n\n # return comparisons\n return list(dict.fromkeys(comparisons))\n\n\ndef fetch_packages_versions():\n download_alpine_db()\n osvs = []\n\n with zipfile.ZipFile('alpine-db.zip') as db:\n for fname in db.namelist():\n with db.open(fname) as osv:\n osvs.append(json.loads(osv.read().decode('utf-8')))\n\n return extract_packages_with_versions(osvs)\n\n\noutfile = 'internal/semantic/testdata/alpine-versions-generated.txt'\n\npacks = fetch_packages_versions()\nwith open(outfile, 'w') as f:\n f.writelines(generate_package_compares(packs))\n f.write('\\n')\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow = os.environ.get('VERSION_GENERATOR_PRINT', 'failures')\n\ndid_any_fail = compare_versions_in_file(outfile, show)\n\nif did_any_fail:\n sys.exit(1)\n" }, { "path": "scripts/generators/generate-cran-versions.R", "content": "#!/usr/bin/env Rscript\n\ninstall.packages(\"jsonlite\", repos = 'https://cran.r-project.org')\n\nlibrary(utils)\nlibrary(jsonlite)\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\nUNSUPPORTED_COMPARISONS <- c()\n\ndownload_cran_db <- function() {\n url <- \"https://osv-vulnerabilities.storage.googleapis.com/CRAN/all.zip\"\n dest <- \"cran-db.zip\"\n download.file(url, dest, method = \"auto\")\n}\n\nextract_packages_with_versions <- function(osvs) {\n result <- list()\n\n for (osv in osvs) {\n for (affected in osv$affected) {\n if (is.null(affected[\"package\"]) || affected$package$ecosystem != \"CRAN\") {\n next\n }\n\n package <- affected$package$name\n\n if (!(package %in% names(result))) {\n result[[package]] <- list()\n }\n\n for (version in affected$versions) {\n tryCatch(\n {\n as.package_version(version)\n result[[package]] <- c(result[[package]], version)\n },\n error = function(e) {\n cat(sprintf(\"skipping invalid version %s for %s\\n\", version, package))\n }\n )\n }\n }\n }\n\n # deduplicate and sort the versions for each package\n for (package in names(result)) {\n result[[package]] <- sort(numeric_version(unique(result[[package]])))\n }\n\n return(result)\n}\n\nis_unsupported_comparison <- function(line) {\n line %in% UNSUPPORTED_COMPARISONS\n}\n\nuncomment <- function(line) {\n if (startsWith(line, \"#\")) {\n return(substr(line, 2, nchar(line)))\n }\n if (startsWith(line, \"//\")) {\n return(substr(line, 3, nchar(line)))\n }\n return(line)\n}\n\ncompare <- function(v1, relate, v2) {\n ops <- list('<' = function(result) result < 0,\n '=' = function(result) result == 0,\n '>' = function(result) result > 0)\n\n return(ops[[relate]](compareVersion(v1, v2)))\n}\n\ncompare_versions <- function(lines, select=\"all\") {\n has_any_failed <- FALSE\n\n for (line in lines) {\n line <- trimws(line)\n\n if (line == \"\" || grepl(\"^#\", line) || grepl(\"^//\", line)) {\n maybe_unsupported <- trimws(uncomment(line))\n\n if (is_unsupported_comparison(maybe_unsupported)) {\n cat(sprintf(\"\\033[96mS\\033[0m: \\033[93m%s\\033[0m\\n\", maybe_unsupported))\n }\n next\n }\n\n parts <- strsplit(trimws(line), \" \")[[1]]\n v1 <- parts[1]\n op <- parts[2]\n v2 <- parts[3]\n\n r <- compare(v1, op, v2)\n\n if (!r) {\n has_any_failed <- TRUE\n }\n\n if (select == \"failures\" && r) {\n next\n }\n\n if (select == \"successes\" && !r) {\n next\n }\n\n color <- ifelse(r, '\\033[92m', '\\033[91m')\n rs <- ifelse(r, \"T\", \"F\")\n cat(sprintf(\"%s%s\\033[0m: \\033[93m%s\\033[0m\\n\", color, rs, line))\n }\n return(has_any_failed)\n}\n\ncompare_versions_in_file <- function(filepath, select=\"all\") {\n lines <- readLines(filepath)\n return(compare_versions(lines, select))\n}\n\ngenerate_version_compares <- function(versions) {\n comparisons <- character()\n\n for (i in seq_along(versions)) {\n if (i == 1) {\n next\n }\n\n comparison <- sprintf(\"%s < %s\", versions[i - 1], versions[i])\n\n if (is_unsupported_comparison(trimws(comparison))) {\n comparison <- paste(\"#\", comparison)\n }\n\n comparisons <- c(comparisons, comparison)\n }\n\n return(comparisons)\n}\n\ngenerate_package_compares <- function(packages) {\n comparisons <- character()\n\n for (package in names(packages)) {\n versions <- packages[[package]]\n comparisons <- c(comparisons, generate_version_compares(versions))\n }\n\n # return unique comparisons\n return(unique(comparisons))\n}\n\nfetch_packages_versions <- function() {\n download_cran_db()\n osvs <- list()\n\n with_zip <- unzip(\"cran-db.zip\", list = TRUE)\n\n for (fname in with_zip$Name) {\n osv <- jsonlite::fromJSON(unzip(\"cran-db.zip\", files = fname, exdir = tempdir()), simplifyDataFrame = FALSE)\n osvs <- c(osvs, list(osv))\n }\n\n return(extract_packages_with_versions(osvs))\n}\n\noutfile <- \"internal/semantic/testdata/cran-versions-generated.txt\"\n\npacks <- fetch_packages_versions()\nwriteLines(generate_package_compares(packs), outfile, sep = \"\\n\")\ncat(\"\\n\")\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow <- Sys.getenv(\"VERSION_GENERATOR_PRINT\", \"failures\")\n\ndid_any_fail <- compare_versions_in_file(outfile, show)\n\nif (did_any_fail) {\n q(status = 1)\n}\n" }, { "path": "scripts/generators/generate-debian-versions.py", "content": "#!/usr/bin/env python3\n\nimport json\nimport operator\nimport os\nimport subprocess\nimport sys\nimport urllib.request\nimport zipfile\nfrom pathlib import Path\n\n# this requires being run on an OS that has a version of \"dpkg\" which supports the\n# \"--compare-versions\" option; also make sure to consider the version of dpkg being\n# used in case there are changes to the comparing logic (last run with 1.19.7).\n#\n# also note that because of the large amount of versions being used there is\n# significant overhead in having to use a subprocess, so this generator caches\n# the results of said subprocess calls; a typical no-cache run takes about 5+\n# minutes whereas with the cache it only takes seconds.\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\nUNSUPPORTED_COMPARISONS = []\n\n\ndef is_unsupported_comparison(line):\n return line in UNSUPPORTED_COMPARISONS\n\n\ndef uncomment(line):\n if line.startswith('#'):\n return line[1:]\n if line.startswith('//'):\n return line[2:]\n return line\n\n\ndef download_debian_db():\n urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/Debian/all.zip', 'debian-db.zip')\n\n\ndef extract_packages_with_versions(osvs):\n dict = {}\n\n for osv in osvs:\n for affected in osv['affected']:\n if 'package' not in affected or not affected['package']['ecosystem'].startswith('Debian'):\n continue\n\n package = affected['package']['name']\n\n if package not in dict:\n dict[package] = []\n\n for version in affected.get('versions', []):\n dict[package].append(DebianVersion(version))\n\n # deduplicate and sort the versions for each package\n for package in dict:\n dict[package] = sorted(list(dict.fromkeys(dict[package])))\n\n return dict\n\n\nclass DebianVersionComparer:\n def __init__(self, cache_path):\n self.cache_path = Path(cache_path)\n self.cache = {}\n\n self._load_cache()\n\n def _load_cache(self):\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'r') as f:\n lines = f.readlines()\n\n for line in lines:\n line = line.strip()\n key, result = line.split(',')\n\n if result == 'True':\n self.cache[key] = True\n continue\n if result == 'False':\n self.cache[key] = False\n continue\n\n print(f\"ignoring invalid cache entry '{line}'\")\n\n def _save_to_cache(self, key, result):\n self.cache[key] = result\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'a') as f:\n f.write(f'{key},{result}\\n')\n\n def compare(self, a, op, b):\n key = f'{a} {op} {b}'\n if key in self.cache:\n return self.cache[key]\n\n cmd = ['dpkg', '--compare-versions', a, op, b]\n out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.stdout:\n print(out.stdout.decode('utf-8'))\n if out.stderr:\n print(out.stderr.decode('utf-8'))\n\n r = out.returncode == 0\n self._save_to_cache(key, r)\n return r\n\n\ndebian_comparer = DebianVersionComparer('/tmp/debian-versions-generator-cache.csv')\n\n\nclass DebianVersion:\n def __str__(self):\n return self.version\n\n def __hash__(self):\n return hash(self.version)\n\n def __init__(self, version):\n self.version = version\n\n def __lt__(self, other):\n return debian_comparer.compare(self.version, 'lt', other.version)\n\n def __gt__(self, other):\n return debian_comparer.compare(self.version, 'gt', other.version)\n\n def __eq__(self, other):\n return debian_comparer.compare(self.version, 'eq', other.version)\n\n\ndef compare(v1, relate, v2):\n ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt}\n return ops[relate](v1, v2)\n\n\ndef compare_versions(lines, select='all'):\n has_any_failed = False\n\n for line in lines:\n line = line.strip()\n\n if line == '' or line.startswith('#') or line.startswith('//'):\n maybe_unsupported = uncomment(line).strip()\n\n if is_unsupported_comparison(maybe_unsupported):\n print(f'\\033[96mS\\033[0m: \\033[93m{maybe_unsupported}\\033[0m')\n continue\n\n v1, op, v2 = line.strip().split(' ')\n\n r = compare(DebianVersion(v1), op, DebianVersion(v2))\n\n if not r:\n has_any_failed = r\n\n if select == 'failures' and r:\n continue\n\n if select == 'successes' and not r:\n continue\n\n color = '\\033[92m' if r else '\\033[91m'\n rs = 'T' if r else 'F'\n print(f'{color}{rs}\\033[0m: \\033[93m{line}\\033[0m')\n return has_any_failed\n\n\ndef compare_versions_in_file(filepath, select='all'):\n with open(filepath) as f:\n lines = f.readlines()\n return compare_versions(lines, select)\n\n\ndef generate_version_compares(versions):\n comparisons = []\n for i, version in enumerate(versions):\n if i == 0:\n continue\n\n comparison = f'{versions[i - 1]} < {version}\\n'\n\n if is_unsupported_comparison(comparison.strip()):\n comparison = '# ' + comparison\n comparisons.append(comparison)\n return comparisons\n\n\ndef generate_package_compares(packages):\n comparisons = []\n for package in packages:\n versions = packages[package]\n comparisons.extend(generate_version_compares(versions))\n\n # return comparisons\n return list(dict.fromkeys(comparisons))\n\n\ndef fetch_packages_versions():\n download_debian_db()\n osvs = []\n\n with zipfile.ZipFile('debian-db.zip') as db:\n for fname in db.namelist():\n with db.open(fname) as osv:\n osvs.append(json.loads(osv.read().decode('utf-8')))\n\n return extract_packages_with_versions(osvs)\n\n\noutfile = 'internal/semantic/testdata/debian-versions-generated.txt'\n\npacks = fetch_packages_versions()\nwith open(outfile, 'w') as f:\n f.writelines(generate_package_compares(packs))\n f.write('\\n')\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow = os.environ.get('VERSION_GENERATOR_PRINT', 'failures')\n\ndid_any_fail = compare_versions_in_file(outfile, show)\n\nif did_any_fail:\n sys.exit(1)\n" }, { "path": "scripts/generators/generate-packagist-versions.php", "content": "open($path, ZipArchive::RDONLY) === false) {\n throw new RuntimeException('failed to read zip archive');\n }\n\n return $zip;\n}\n\n/**\n * @throws JsonException\n * @throws RuntimeException\n */\nfunction fetchPackageVersions(): array\n{\n $dbPath = downloadPackagistDb();\n $dbZip = openDbZip($dbPath);\n\n $osvs = [];\n\n for ($i = 0; $i < $dbZip->numFiles; $i++) {\n $file = $dbZip->getFromIndex($i);\n\n if ($file === false) {\n throw new RuntimeException('failed to read a file from db zip');\n }\n\n $osvs[] = json_decode($file, true, 512, JSON_THROW_ON_ERROR);\n }\n\n $packages = [];\n\n foreach ($osvs as $osv) {\n foreach ($osv['affected'] as $affected) {\n if (!isset($affected['package']) || $affected['package']['ecosystem'] !== 'Packagist') {\n continue;\n }\n\n $package = $affected['package']['name'];\n\n if (!isset($packages[$package])) {\n $packages[$package] = [];\n }\n\n if (empty($affected['versions'])) {\n continue;\n }\n\n foreach ($affected['versions'] as $version) {\n $packages[$package][] = $version;\n }\n }\n }\n\n return array_map(static function ($versions) {\n $uniq = array_unique($versions);\n usort($uniq, static fn($a, $b) => version_compare(ltrim($a, \"vV\"), ltrim($b, \"vV\")));\n\n return $uniq;\n }, $packages);\n}\n\n/**\n * Normalizes the previous version such that it will compare \"correctly\" to the current version,\n * by ensuring that they both have the same \"v\" prefix (or lack of).\n *\n * Whether the \"v\" prefix is present on the normalized previous version depends on\n * its presences in the current version; this ensure we will have _some_ versions that\n * do have the \"v\" prefix, rather than it being present on _none_ or _all_ versions.\n *\n * @param string $currentVersion\n * @param string $previousVersion\n *\n * @return string\n */\nfunction normalizePrevVersion(string $currentVersion, string $previousVersion): string\n{\n if (str_starts_with($currentVersion, \"v\")) {\n $previousVersion = ltrim($previousVersion, \"vV\");\n\n return \"v$previousVersion\";\n }\n\n if (str_starts_with($currentVersion, \"V\")) {\n $previousVersion = ltrim($previousVersion, \"vV\");\n\n return \"V$previousVersion\";\n }\n\n return ltrim($previousVersion, \"vV\");\n}\n\nfunction generateVersionCompares(array $versions): array\n{\n $comparisons = [];\n\n foreach ($versions as $index => $version) {\n if ($index === 0) {\n continue;\n }\n\n $prevVersion = normalizePrevVersion($version, $versions[$index - 1]);\n $op = version_compare($prevVersion, $version) === 0 ? \"=\" : \"<\";\n\n $comparison = \"$prevVersion $op $version\";\n\n if (isUnsupportedComparison($comparison)) {\n $comparison = \"# $comparison\";\n }\n\n $comparisons[] = $comparison;\n }\n\n return $comparisons;\n}\n\nfunction generatePackageCompares(array $packages): array\n{\n $comparisons = [];\n\n foreach ($packages as $versions) {\n $comparisons[] = generateVersionCompares($versions);\n }\n\n return array_merge(...$comparisons);\n}\n\nfunction compareVersions(array $lines, string $select = \"all\"): bool\n{\n $hasAnyFailed = false;\n\n foreach ($lines as $line) {\n $line = trim($line);\n\n if (empty($line) || str_starts_with($line, \"#\") || str_starts_with($line, \"//\")) {\n $maybeUnsupported = trim(uncomment($line));\n\n if (isUnsupportedComparison($maybeUnsupported)) {\n echo \"\\033[96mS\\033[0m: \\033[93m$maybeUnsupported\\033[0m\\n\";\n }\n\n continue;\n }\n\n [$v1, $op, $v2] = explode(\" \", $line);\n\n $r = version_compare($v1, $v2, $op);\n\n if (!$r) {\n $hasAnyFailed = true;\n }\n\n if ($select === \"failures\" && $r === true) {\n continue;\n }\n\n if ($select === \"successes\" && $r !== true) {\n continue;\n }\n\n $color = $r ? \"\\033[92m\" : \"\\033[91m\";\n $rs = $r ? \"T\" : \"F\";\n echo \"$color$rs\\033[0m: \\033[93m$line\\033[0m\\n\";\n }\n\n return $hasAnyFailed;\n}\n\n$outfile = \"internal/semantic/testdata/packagist-versions-generated.txt\";\n\n/** @noinspection PhpUnhandledExceptionInspection */\n$packages = fetchPackageVersions();\n\nfile_put_contents($outfile, implode(\"\\n\", array_unique(generatePackageCompares($packages))) . \"\\n\");\n\n// set this to either \"failures\" or \"successes\" to only have those comparison results\n// printed; setting it to anything else will have all comparison results printed\n$show = getenv(\"VERSION_GENERATOR_PRINT\") ?: \"failures\";\n\n$didAnyFail = compareVersions(explode(\"\\n\", file_get_contents($outfile)), $show);\n\nif ($didAnyFail === true) {\n exit(1);\n}\n" }, { "path": "scripts/generators/generate-pypi-versions.py", "content": "#!/usr/bin/env python3\n\nimport json\nimport operator\nimport os\nimport packaging.version\nimport sys\nimport urllib.request\nimport zipfile\n\n# this requires you run \"pip install packaging\" - have to be careful about versions too\n# because of the \"legacy version\" stuff\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\nUNSUPPORTED_COMPARISONS = []\n\n\ndef is_unsupported_comparison(line):\n return line in UNSUPPORTED_COMPARISONS\n\n\ndef uncomment(line):\n if line.startswith('#'):\n return line[1:]\n if line.startswith('//'):\n return line[2:]\n return line\n\n\ndef download_pypi_db():\n urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip', 'pypi-db.zip')\n\n\ndef extract_packages_with_versions(osvs):\n dict = {}\n\n for osv in osvs:\n for affected in osv['affected']:\n if 'package' not in affected or affected['package']['ecosystem'] != 'PyPI':\n continue\n\n package = affected['package']['name']\n\n if package not in dict:\n dict[package] = []\n\n for version in affected.get('versions', []):\n try:\n dict[package].append(packaging.version.parse(version))\n except packaging.version.InvalidVersion:\n print(f'skipping invalid version {version} for {package}')\n\n # deduplicate and sort the versions for each package\n for package in dict:\n dict[package] = sorted(list(dict.fromkeys(dict[package])))\n\n return dict\n\n\ndef compare(v1, relate, v2):\n ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt}\n return ops[relate](v1, v2)\n\n\ndef compare_versions(lines, select='all'):\n has_any_failed = False\n\n for line in lines:\n line = line.strip()\n\n if line == '' or line.startswith('#') or line.startswith('//'):\n maybe_unsupported = uncomment(line).strip()\n\n if is_unsupported_comparison(maybe_unsupported):\n print(f'\\033[96mS\\033[0m: \\033[93m{maybe_unsupported}\\033[0m')\n continue\n\n v1, op, v2 = line.strip().split(' ')\n\n r = compare(packaging.version.parse(v1), op, packaging.version.parse(v2))\n\n if not r:\n has_any_failed = True\n\n if select == 'failures' and r:\n continue\n\n if select == 'successes' and not r:\n continue\n\n color = '\\033[92m' if r else '\\033[91m'\n rs = 'T' if r else 'F'\n print(f'{color}{rs}\\033[0m: \\033[93m{line}\\033[0m')\n return has_any_failed\n\n\ndef compare_versions_in_file(filepath, select='all'):\n with open(filepath) as f:\n lines = f.readlines()\n return compare_versions(lines, select)\n\n\ndef generate_version_compares(versions):\n comparisons = []\n for i, version in enumerate(versions):\n if i == 0:\n continue\n\n comparison = f'{versions[i - 1]} < {version}\\n'\n\n if is_unsupported_comparison(comparison.strip()):\n comparison = '# ' + comparison\n comparisons.append(comparison)\n return comparisons\n\n\ndef generate_package_compares(packages):\n comparisons = []\n for package in packages:\n versions = packages[package]\n comparisons.extend(generate_version_compares(versions))\n\n # return comparisons\n return list(dict.fromkeys(comparisons))\n\n\ndef fetch_packages_versions():\n download_pypi_db()\n osvs = []\n\n with zipfile.ZipFile('pypi-db.zip') as db:\n for fname in db.namelist():\n with db.open(fname) as osv:\n osvs.append(json.loads(osv.read().decode('utf-8')))\n\n return extract_packages_with_versions(osvs)\n\n\noutfile = 'internal/semantic/testdata/pypi-versions-generated.txt'\n\npacks = fetch_packages_versions()\nwith open(outfile, 'w') as f:\n f.writelines(generate_package_compares(packs))\n f.write('\\n')\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow = os.environ.get('VERSION_GENERATOR_PRINT', 'failures')\n\ndid_any_fail = compare_versions_in_file(outfile, show)\n\nif did_any_fail:\n sys.exit(1)\n" }, { "path": "scripts/generators/generate-redhat-versions.py", "content": "#!/usr/bin/env python3\n\nimport json\nimport operator\nimport os\nimport subprocess\nimport sys\nimport urllib.request\nimport zipfile\nfrom pathlib import Path\n\n# this requires being run on an OS that has a version of \"rpm\" installed which\n# supports evaluating Lua expressions (most versions do); also make sure to consider\n# the version of rpm being used in case there are changes to the comparing logic\n# (last run with 1.19.7).\n#\n# note that both alpine and debian have a \"rpm\" package that supports this, which\n# can be installed using \"apk add rpm\" and \"apt install rpm\" respectively.\n#\n# also note that because of the large amount of versions being used there is\n# significant overhead in having to use a subprocess, so this generator caches\n# the results of said subprocess calls; a typical no-cache run takes about 5+\n# minutes whereas with the cache it only takes seconds.\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\nUNSUPPORTED_COMPARISONS = []\n\n\ndef is_unsupported_comparison(line):\n return line in UNSUPPORTED_COMPARISONS\n\n\ndef uncomment(line):\n if line.startswith('#'):\n return line[1:]\n if line.startswith('//'):\n return line[2:]\n return line\n\n\ndef download_redhat_db():\n urllib.request.urlretrieve('https://osv-vulnerabilities.storage.googleapis.com/Red%20Hat/all.zip', 'redhat-db.zip')\n\n\ndef extract_packages_with_versions(osvs):\n dict = {}\n\n for osv in osvs:\n for affected in osv['affected']:\n if 'package' not in affected or not affected['package']['ecosystem'].startswith('Red Hat'):\n continue\n\n package = affected['package']['name']\n\n if package not in dict:\n dict[package] = []\n\n for version in affected.get('versions', []):\n dict[package].append(RedHatVersion(version))\n\n for rang in affected.get('ranges', []):\n for event in rang['events']:\n if 'introduced' in event and event['introduced'] != '0':\n dict[package].append(RedHatVersion(event['introduced']))\n if 'fixed' in event:\n dict[package].append(RedHatVersion(event['fixed']))\n\n # deduplicate and sort the versions for each package\n for package in dict:\n dict[package] = sorted(list(dict.fromkeys(dict[package])))\n\n return dict\n\n\nclass RedHatVersionComparer:\n def __init__(self, cache_path):\n self.cache_path = Path(cache_path)\n self.cache = {}\n\n self._load_cache()\n\n def _load_cache(self):\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'r') as f:\n lines = f.readlines()\n\n for line in lines:\n line = line.strip()\n key, result = line.split(',')\n\n if result == 'True':\n self.cache[key] = True\n continue\n if result == 'False':\n self.cache[key] = False\n continue\n\n print(f\"ignoring invalid cache entry '{line}'\")\n\n def _save_to_cache(self, key, result):\n self.cache[key] = result\n if self.cache_path:\n self.cache_path.touch()\n with open(self.cache_path, 'a') as f:\n f.write(f'{key},{result}\\n')\n\n def _compare1(self, a, op, b):\n cmd = ['rpm', '--eval', f'%{{lua:print(rpm.vercmp(\"{a}\", \"{b}\"))}}']\n out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.returncode != 0 or out.stderr:\n raise Exception(f'rpm did not like comparing {a} {op} {b}: {out.stderr.decode(\"utf-8\")}')\n\n r = out.stdout.decode('utf-8').strip()\n\n if r == '0' and op == '=':\n return True\n elif r == '1' and op == '>':\n return True\n elif r == '-1' and op == '<':\n return True\n\n return False\n\n def _compare2(self, a, op, b):\n if op == '=':\n op = '==' # lua uses == for equality\n\n cmd = ['rpm', '--eval', f'%{{lua:print(rpm.ver(\"{a}\") {op} rpm.ver(\"{b}\"))}}']\n out = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)\n\n if out.returncode != 0 or out.stderr:\n raise Exception(f'rpm did not like comparing {a} {op} {b}: {out.stderr.decode(\"utf-8\")}')\n\n r = out.stdout.decode('utf-8').strip()\n\n if r == 'True':\n return True\n elif r == 'False':\n return False\n\n raise Exception(f'unexpected result from rpm: {r}')\n\n\n def compare(self, a, op, b):\n key = f'{a} {op} {b}'\n if key in self.cache:\n return self.cache[key]\n\n r = self._compare1(a, op, b)\n # r = self._compare2(a, op, b)\n\n self._save_to_cache(key, r)\n return r\n\n\nredhat_comparer = RedHatVersionComparer('/tmp/redhat-versions-generator-cache.csv')\n\n\nclass RedHatVersion:\n def __str__(self):\n return self.version\n\n def __hash__(self):\n return hash(self.version)\n\n def __init__(self, version):\n self.version = version\n\n def __lt__(self, other):\n return redhat_comparer.compare(self.version, '<', other.version)\n\n def __gt__(self, other):\n return redhat_comparer.compare(self.version, '>', other.version)\n\n def __eq__(self, other):\n return redhat_comparer.compare(self.version, '=', other.version)\n\n\ndef compare(v1, relate, v2):\n ops = {'<': operator.lt, '=': operator.eq, '>': operator.gt}\n return ops[relate](v1, v2)\n\n\ndef compare_versions(lines, select='all'):\n has_any_failed = False\n\n for line in lines:\n line = line.strip()\n\n if line == '' or line.startswith('#') or line.startswith('//'):\n maybe_unsupported = uncomment(line).strip()\n\n if is_unsupported_comparison(maybe_unsupported):\n print(f'\\033[96mS\\033[0m: \\033[93m{maybe_unsupported}\\033[0m')\n continue\n\n v1, op, v2 = line.strip().split(' ')\n\n r = compare(RedHatVersion(v1), op, RedHatVersion(v2))\n\n if not r:\n has_any_failed = r\n\n if select == 'failures' and r:\n continue\n\n if select == 'successes' and not r:\n continue\n\n color = '\\033[92m' if r else '\\033[91m'\n rs = 'T' if r else 'F'\n print(f'{color}{rs}\\033[0m: \\033[93m{line}\\033[0m')\n return has_any_failed\n\n\ndef compare_versions_in_file(filepath, select='all'):\n with open(filepath) as f:\n lines = f.readlines()\n return compare_versions(lines, select)\n\n\ndef generate_version_compares(versions):\n comparisons = []\n for i, version in enumerate(versions):\n if i == 0:\n continue\n\n comparison = f'{versions[i - 1]} < {version}\\n'\n\n if is_unsupported_comparison(comparison.strip()):\n comparison = '# ' + comparison\n comparisons.append(comparison)\n return comparisons\n\n\ndef generate_package_compares(packages):\n comparisons = []\n for package in packages:\n versions = packages[package]\n comparisons.extend(generate_version_compares(versions))\n\n # return comparisons\n return list(dict.fromkeys(comparisons))\n\n\ndef fetch_packages_versions():\n download_redhat_db()\n osvs = []\n\n with zipfile.ZipFile('redhat-db.zip') as db:\n for fname in db.namelist():\n with db.open(fname) as osv:\n osvs.append(json.loads(osv.read().decode('utf-8')))\n\n return extract_packages_with_versions(osvs)\n\n\noutfile = 'internal/semantic/testdata/redhat-versions-generated.txt'\n\npacks = fetch_packages_versions()\nwith open(outfile, 'w') as f:\n f.writelines(generate_package_compares(packs))\n f.write('\\n')\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow = os.environ.get('VERSION_GENERATOR_PRINT', 'failures')\n\ndid_any_fail = compare_versions_in_file(outfile, show)\n\nif did_any_fail:\n sys.exit(1)\n" }, { "path": "scripts/generators/generate-rubygems-versions.rb", "content": "#!/usr/bin/env ruby\n\nrequire \"rubygems/version\"\nrequire \"open-uri\"\nrequire \"json\"\nrequire \"zip\"\n\n# An array of version comparisons that are known to be unsupported and so\n# should be commented out in the generated fixture.\n#\n# Generally this is because the native implementation has a suspected bug\n# that causes the comparison to return incorrect results, and so supporting\n# such comparisons in the detector would in fact be wrong.\n#\n# @type [Array]\nUNSUPPORTED_COMPARISONS = [].freeze\n\n# @param [String] line\n# @return [Boolean]\ndef is_unsupported_comparison?(line)\n UNSUPPORTED_COMPARISONS.include? line\nend\n\n# @param [String] line\n# @return [String]\ndef uncomment(line)\n line.sub(%r{^#|//}, \"\")\nend\n\ndef download_rubygems_db\n URI.open(\"https://osv-vulnerabilities.storage.googleapis.com/RubyGems/all.zip\") do |zip|\n File.binwrite(\"rubygems-db.zip\", zip.read)\n end\nend\n\ndef extract_packages_with_versions(osvs)\n packages = {}\n\n osvs.each do |osv|\n osv[\"affected\"].each do |affected|\n next unless affected.dig(\"package\", \"ecosystem\") == \"RubyGems\"\n\n package = affected[\"package\"][\"name\"]\n\n packages[package] ||= []\n affected.fetch(\"versions\", []).each do |version|\n packages[package] << Gem::Version.new(version)\n end\n end\n end\n\n packages.transform_values { |v| v.uniq.sort }\nend\n\ndef compare_version(v1, op, v2)\n op = \"==\" if op == \"=\"\n\n Gem::Version.new(v1).method(op).call(Gem::Version.new(v2))\nend\n\n# @param [Array] lines\n# @return [Boolean]\ndef compare_versions(lines, select = :all)\n has_any_failed = false\n\n lines.each do |line|\n line = line.strip\n\n if line.empty? || line.start_with?(\"#\") || line.start_with?(\"//\")\n maybe_unsupported = uncomment(line).strip\n\n puts \"\\033[96mS\\033[0m: \\033[93m#{maybe_unsupported}\\033[0m\" if is_unsupported_comparison?(maybe_unsupported)\n\n next\n end\n\n parts = line.split\n v1 = parts[0]\n op = parts[1]\n v2 = parts[2]\n\n r = compare_version(v1, op, v2)\n\n has_any_failed = true unless r\n\n next if select == :failures && r == true\n next if select == :successes && r != true\n\n color = r ? \"\\033[92m\" : \"\\033[91m\"\n rs = r ? \"T\" : \"F\"\n puts \"#{color}#{rs}\\033[0m: \\033[93m#{line}\\033[0m\"\n end\n\n has_any_failed\nend\n\ndef compare_versions_in_file(filepath, select = :all)\n compare_versions(File.readlines(filepath), select)\nend\n\ndef generate_version_compares(versions)\n comparisons = []\n\n versions.each_with_index do |version, i|\n next if i == 0\n\n op = \"<\"\n op = \"=\" if versions[i - 1] == version\n\n comparison = \"#{versions[i - 1]} #{op} #{version}\"\n comparison = \"# #{comparison}\" if is_unsupported_comparison?(comparison)\n\n comparisons << comparison\n end\n\n comparisons\nend\n\ndef generate_package_compares(packages)\n comparisons = []\n\n packages.each_value { |versions| comparisons.concat(generate_version_compares(versions)) }\n\n comparisons\nend\n\ndef fetch_packages_versions\n download_rubygems_db\n\n osvs = Zip::File.open(\"rubygems-db.zip\").map { |f| JSON.parse(f.get_input_stream.read) }\n\n extract_packages_with_versions(osvs)\nend\n\noutfile = \"internal/semantic/testdata/rubygems-versions-generated.txt\"\n\npacks = fetch_packages_versions\n\nFile.write(outfile, \"#{generate_package_compares(packs).uniq.join(\"\\n\")}\\n\")\n\n# set this to either \"failures\" or \"successes\" to only have those comparison results\n# printed; setting it to anything else will have all comparison results printed\nshow = ENV.fetch(\"VERSION_GENERATOR_PRINT\", :failures).to_sym\n\ndid_any_fail = compare_versions_in_file(outfile, show)\n\nexit(1) if did_any_fail\n" }, { "path": "scripts/report_uncleaned_snapshots.py", "content": "#!/usr/bin/env python\n\nimport os\nimport glob\n\n\ndef annotate_file(file, msg):\n if os.getenv('CI') is not None:\n print(f'::error file={file} msg={msg}')\n\n\ndef does_clean_snapshots(pkg_dir):\n try:\n with open(f'{pkg_dir}/testmain_test.go', 'r') as file:\n for _, line in enumerate(file):\n if '\ttestutility.CleanSnapshots(m)' in line:\n return True\n return False\n except FileNotFoundError:\n return False\n\n\ndef report_lack_of_snapshot_cleaning(directory):\n if os.path.exists(f'{directory}/testmain_test.go'):\n file = f'{directory}/testmain_test.go'\n\n annotate_file(file, 'Make sure that `TestMain` is calling `testutility.CleanSnapshots(m)` after the tests have been run')\n print(f'{file} is not calling `testutility.CleanSnapshots(m)`')\n else:\n try:\n file = list(glob.iglob(os.path.join(directory, '*_test.go')))[0]\n except IndexError:\n file = directory\n\n annotate_file(file, 'Please add a `testmain_test.go` file with a `TestMain` function that calls `testutility.CleanSnapshots(m)` after the tests have been run')\n print(f'{directory} does not have a `testmain_test.go` file with a `TestMain` function that calls `testutility.CleanSnapshots(m)` after the tests have been run')\n pass\n\n\nuncleaned_snapshots = False\nfor snapshot_dir in glob.iglob('**/__snapshots__/', recursive=True):\n parent_dir = os.path.dirname(snapshot_dir[:-1])\n\n if does_clean_snapshots(parent_dir):\n continue\n\n report_lack_of_snapshot_cleaning(parent_dir)\n uncleaned_snapshots = True\n\nif uncleaned_snapshots:\n print('')\n print(\"one or more packages are using snapshots but not ensuring they're cleaned up\")\n print('make sure these packages have a testmain_test.go file that defines a TestMain function that calls testutility.CleanSnapshots(m)')\n exit(1)\n" }, { "path": "scripts/run_formatters.sh", "content": "#!/usr/bin/env bash\n\nset -ex\n\n# use write unless we're in CI, since Prettier should always be safe to apply\nif [ -z \"$CI\" ]; then\n npx prettier@latest --write .\nelse\n npx prettier@latest --check .\nfi\n" }, { "path": "scripts/run_lints.sh", "content": "#!/usr/bin/env bash\n\nset -ex\n\nexport GOTOOLCHAIN=\"${GOTOOLCHAIN:-go1.26.1}\"\ngo run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(cat .golangci-lint-version) run ./... \"$@\"\n" }, { "path": "scripts/run_local_docs.sh", "content": "#!/usr/bin/env bash\n\nset -ex\n\ndocker build -t osv-scanner-docs -f ./docs/docs.Dockerfile ./docs\ndocker run -p 4000:4000 osv-scanner-docs\n" }, { "path": "scripts/run_tests.sh", "content": "#!/usr/bin/env bash\n\nset -e\n\nif [ \"$TEST_ACCEPTANCE\" = true ]; then\n scripts/build_test_images.sh\nfi\n\nif [ \"$DOCKER_TEST\" = true ]; then\n echo \"Building test image...\"\n docker build -f scripts/test_env.dockerfile -t osv-scanner-test .\n\n echo \"Running tests in container...\"\n # Network host is important to fix DNS resolution issues\n # Docker socket is exposed to access other docker commands for osv-scanner container scanning\n # alpinegomodcache is a named volume to cache go module downloads between runs\n # -it allows Ctrl-C commands to cancel a test\n docker run --rm -it \\\n --network host \\\n -v \"$(pwd):/src\" \\\n -v \"/var/run/docker.sock:/var/run/docker.sock\" \\\n -v \"alpinegomodcache:/go/pkg/mod\" \\\n -e TEST_ACCEPTANCE=\"$TEST_ACCEPTANCE\" \\\n -e UPDATE_SNAPS=\"$UPDATE_SNAPS\" \\\n -e TEST_VCR_MODE=\"$TEST_VCR_MODE\" \\\n osv-scanner-test \\\n sh -c \"git config --global --add safe.directory /src && ./scripts/run_tests.sh \\\"\\$@\\\"\" -- \"$@\"\n exit $?\nfi\n\n# If running in CI, test with coverage\nif [ -n \"$CI\" ]; then\n go test ./... -coverpkg=./... -coverprofile coverage.out \"$@\"\nelse\n # Use gotestsum which has a nicer test output\n go run gotest.tools/gotestsum@v1.13.0 ./... \"$@\"\nfi\n" }, { "path": "scripts/test_env.dockerfile", "content": "FROM golang:1.26.1-alpine3.23@sha256:2389ebfa5b7f43eeafbd6be0c3700cc46690ef842ad962f6c5bd6be49ed82039\n\nRUN apk --no-cache add \\\n npm \\\n maven \\\n docker-cli \\\n git \\\n build-base \\\n bash \\\n rust \\\n cargo\n\nWORKDIR /src\n" } ]